UAE Financial Crime and Investigations Pulse Check

Independent of the latest developments in the UAE regulatory enforcement landscape, financial crime prevention, investigation and response is highly complex and challenging for institutions based in, or operating in, the UAE. While international banks based in the U.S. and Europe have long had to adhere to the obligations of many regulatory frameworks and sanctions policies across numerous jurisdictions, the domestic banks are now put under pressure to build robust preparedness programmes or full-scale compliance technology and controls to compete on the international stage against global peers that apply a stringent international benchmark.

Still, institutions across the spectrum of scale and maturity are subject to many of the same risks and investigation challenges, all of which are set to intensify against the backdrop of the UAE’s current intensification efforts to sincerely strengthen the national ecosystem to better detect, disrupt and take judicial action against financial crime. This article will share the key issues organisations can expect in financial crime compliance, based on current trends in the courts and real-world scenarios FTI Consulting has handled for clients in the Middle East region.

Anatomy of a Modern Investigation

As a consequence of the changes in the domestic regime, authorities are becoming more urgent and aggressive about data requirements. To achieve more efficient investigations under the new national agenda, organisations will need to address a number of issues and incorporate new tools and tactics into their approaches to compliance and responding to prosecution.

Importantly, changes in the creation, use and storage of data and new ways of communicating have introduced unique challenges into the process of conducting financial investigations. Many of these challenges are further complicated by new requirements in the UAE.

These include:

• Massive growth of emerging data sources and offchannel communications. Recent years have ushered in an explosion in the use of cloud-based applications and collaboration tools. The exponential growth in data volume, variety and velocity, and this proliferation of emerging data sources (e.g., cloud-based platforms and chat applications) and off-channel communications (e.g., messaging via mobile devices and ephemeral messaging tools), have fundamentally transformed how data is created, shared, stored and relied upon. Subsequently, there are an array of new challenges in investigations, spanning how communications are monitored for regulatory compliance, identifying the full range of data sources that may be in scope in an investigation, and technical challenges in collecting and analysing data from these dynamic platforms.

  Additionally, monitoring and collecting messages and other data from personal devices creates requires sophisticated and robust governance tools and policies, including acceptable use terms that define how business data is handled in bring-your-own-device environments. Failure to monitor all messaging channels can leave an organisation unaware of instances of financial crime or non-compliant behaviour, consequently resulting in enforcement actions.

• Increased co-mingling of communications data and financial/trade data. As an extension of the challenges with emerging data sources, and the nature of modern financial operations and transactions, trade and other financial data is increasingly co-mingled with communications data within many institutions’ IT environments. As a result, investigators must often unravel intermixed data and then methodically and defensibly piece it all back together to understand the facts of a matter. Without the ability to do so, organisations will likely struggle to understand the full extent of a potential violation or suspicious activity, and therefore risk running afoul of regulatory requirements to prevent and mitigate financial crime.

• Insufficient data preservation policies and processes. Many organisations do not maintain data retention processes correspondent to their regulatory requirements, especially for emerging data sources and off-channel communications. Designing effective data preservation strategies can be a time-consuming and laborious process, especially for companies that do not have a strong information governance framework in place to inventory, manage and retain critical information. While establishing such programmes requires substantial effort, not doing so has a direct impact on the severity of downstream issues during a financial crime investigation or other regulatory matter.

  Specifically, when data is not retained in accordance with regulatory requirements organisations can face significant penalties for record-keeping failures; or, when more data is retained than needed (a common issue) investigations are more expensive and higher risk, due to larger than necessary volumes of data and the possibility of an unrelated violation coming to light during the investigation.

• Multi-jurisdiction requirements. The UAE is a hub for international finance and trade. Many domestic banks operate across the Middle East region and numerous jurisdictions, leaving them subject to a range of regulatory frameworks and agencies to which they may need to produce information. Likewise, institutions based in the U.S. and Europe with a presence in the UAE must attend to a patchwork of global rules and investigative requirements and processes. Notably, any UAE entities that have already established compliance with international regulations would typically be ahead of the curve in domestic regulatory changes that are designed to align to stricter global standards.

  When a single violation extends to numerous regulatory bodies, it often triggers multiple concurrent investigations, all with unique data disclosure requirements and timelines. Agencies may have conflicting guidelines (such as data privacy rules that prohibit transfer of certain information to agencies in other jurisdictions) and they may also share information about their investigations with international counterparts. Any of these factors may increase the risk, cost and complexity of investigation and disclosure processes.

• Compressed timelines. Most regulatory inquiries are under strict and short timeframes. Typically, agencies want as much time as possible to review the data and make decisions about their approach to prosecution and/or penalties. To this end, the UAE has improved the agility and functions of the Financial Intelligence Unit, creating an environment in which the timelines for prosecution are more demanding and the consequences for failure to meet deadlines are more severe.

  Simultaneously, organisations require adequate time to collect, review, understand and produce large volumes of complex data. While deadlines can be negotiated in certain circumstances, there is often limited flexibility, and even when deadline extensions are awarded, they typically only provide a few additional days or weeks. The more prepared an organisation is with an understanding of its data and the key facts around issues of potential concern, the more equipped it will be to manage regulatory deadlines.

• Complexities resulting from mergers between financial institutions. The UAE’s financial sector has seen a number of mergers in recent years, some among systemically large and complex organisations. These mergers naturally result in a convergence of historical data, technology and disparate operational processes. In building out a fully merged institution, it becomes critical to rationalize technology solutions and bring operations and data into harmony. With the heightened regulatory expectations and guidance that financial institutions must have full visibility of client profiles and associated risk exposure, regulatory inspections are focused on the quality of an institution’s data and its ability to retrieve it for authorities in a timely manner. Likewise, when data is not properly integrated following a merger, it can raise questions about alternative data sources — in a regulatory enforcement action, this may require an organisation to provide details about data migration processes and what happened to certain data as a result, adding further time and cost to data scoping and collection exercises.

Expecting the Unexpected

In one recent engagement, global teams across FTI Consulting helped the client navigate many of the challenges outlined above. The client, a large, global bank, was under multiple, cross-continental regulatory inquiries. In response, the organisation needed to conduct an in-depth investigation across jurisdictions, under tight timelines. Due to the nature of the investigation, large volumes of documents and information from complex data sources were in scope. Additionally, the documents contained information and communication in 11 different languages, including English and a rare European language, requiring involvement of a specialised team with financial industry experience and extensive language fluency.

The concurrent investigations required defensible collection of current and historical data from multiple nontraditional sources, for specific periods of time. The client’s organisation had many systems in place across different functions of the business, all which needed to be evaluated and potentially preserved for relevance to the matter. Doing so required a lengthy exercise of identifying the right people within the institution who had the knowledge to guide the investigatory team to the right data sources effectively and efficiently.

Once a clear understanding of the target data sources — which spanned communications platforms, regulated chat applications and information from financial systems — was established, digital forensics experts conducted data preservation, collection and processing. A set of 14 million documents were identified as in scope for review. The team then established workflows to enable visualisation and review of all the different forms of structured and unstructured data simultaneously in one platform. Ultimately, a thorough and defensible investigation was completed, with a critical mass of documents reviewed in advance of the client’s deadline to present findings to regulatory agencies.

Another ongoing matter involving a UAE bank required e-discovery and data analytics in response to a U.S. regulatory investigation into market manipulation. Information pertinent to the investigation was spread across multiple data sources, both structured (e.g., deal documentation and transactions systems) and unstructured (email, audio files and chat records). FTI Consulting provided extensive experience with early case assessment, forensic defensibility for handling non-traditional unstructured data types, and analysis of financial data. The team coordinated with the client’s IT and database teams to identify the relevant data sources, reduce the collection and analysis by culling at the source before migrating the data to the analysis platform, and enable a single, unified view of the information. Additional workflows were implemented to mitigate data privacy risks, identify personally identifiable information in the data set, and document for the UAE government that private information of Emiratis was removed before data was transferred to the U.S.

Conclusion

As the number of relevant data sources grows, overall data volumes continue to increase, and the time to collect this data shrinks, risk surrounding financial crime and regulatory enforcement will continue to intensify. Organisations must understand the enforcement trends and data challenges that can impact their risk profile. Without visibility into where critical data exists across the organisation, exposure cannot be fully understood.

Financial institutions in this environment should take these risks seriously and work to establish readiness for common investigations challenges. Working with data and investigations experts who know what to expect and how to navigate complex data issues under pressure will help to reduce risk and improve overall regulatory response over the long term.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.