US Compliance in the UAE: Update from Dubai

I just returned from a business trip to Qatar and the United Arab Emirates (UAE), which shed a great bit of light on compliance trends in the Gulf Cooperation Council (GCC) region, particularly the UAE.  In conversations with numerous experts across different points in the compliance spectrum, the takeaway was that there is an evident trend of increased attention and care towards US (and increasingly regional/domestic) compliance directives. These indeed appear to be setting the tone of financial institutions in the Gulf region.  This of course begs the question of where do they stand vis-a-vis compliance?

Foreign Account Tax Compliance Act (FATCA)

FATCA is the word on the street. There is increased interest and awareness of this law in the Middle East North Africa (MENA) region, but particularly in the Gulf.  For those who don’t recall,

Compliance in the Gulf

FATCA (largely codified in Chapter 26 of the Code of Federal Regulations) is the new U.S. regulation which requires foreign banks to report accounts they maintain for U.S. taxpayers to the U.S. Internal Revenue Service (IRS), America’s federal taxation authority.  Banks that do not comply with FATCA regulations can run the risk of substantial (up to 30%) withholding on certain payments.  Given the high number of US taxpayers maintaining accounts in the Gulf (due to residence, convenience, or whatever other reason), this is quite significant.  There do not appear to be any banks refusing to take US taxpayers as a result, although this decision has been reportedly taken by some banks in Switzerland, for example.

Office of Foreign Assets Control (OFAC) and Anti-Money Laundering (AML)

Eyes are indeed on Iran and Syria, particularly the former. While many are awaiting any deal between the P5+1 negotiations involving Iran’s nuclear program, compliance with OFAC is of significant concern.  Formal banking with Iran is almost non-existent and banks are vigilant, having received a directive from the UAE Central Bank.  What was quite impressed was the depth of knowledge regarding OFAC and US regulations, though this is arguably not at the level of what US banks know, naturally.  (Interestingly, one compliance person from a large European bank told me something to the effect of “in a few years we’ll all be doing RMB transactions, so these things won’t really be important”!)

In Summary

The bottom line is that US compliance is a critical step that is only starting to be fully appreciated in the MENA region. With Dubai’s increasing role as a banking center, the need to have robust compliance practices in place will only be more heightened.  This is accentuated by the Emirate’s geographic positioning in a generally troubled region and close to high exposure points.  Indeed the reputation of turning a blind eye to financial crimes is arguably becoming more obsolete.

Given the trends in the United States’ regulatory landscape and the increasing extraterritorial reach of its laws, GCC banks are well-suited to adopt rigorous compliance programs that are mindful not only of sanctioned countries, but sanctioned entities, and of cognizant of the use of front companies and individuals. This means more Know Your Customer (KYC), heightened screening, better documentation and reporting, and expanded training to lower levels of bank management, particularly the “frontline” in the retail banking sector.  Over time, a financial institution in the Gulf may find itself more needing of programs that are more closely aligned to those found in their US counterparts.




Cybersecurity and Data Privacy Compliance: Looking Forward

The world of legal accountability in cyber space and data privacy is continually evolving. The United Nations is on the horizon of applying international law to cyber space based on sovereign principals that countries are responsible for actions and harms that occur within their borders as a result of data breaches.  Hackers today widely vary from bored rudimentary teenagers to rogue governments with surprisingly successful tactics, yet over ninety percent of hackers are successful. Iran has posed one of the biggest hacker threats in suspected retaliation against banks and financial institutions in response to Stuxnet. The bulk of critical infrastructure (i.e., energy, telecommunication, transportation, financial services, food and water, public health) and private corporate networks remain nevertheless particularly vulnerable to internal and external cyber attacks and data breaches of Personally Identifiable Information (PII), proprietary information, intellectual property, business intelligence, and customer information. Universities and non-profit organizations are particularly vulnerable targets as well.

Most companies have no strategic plan in place to deal with attacks, insider threats, or data privacy breaches, including law firms. Companies must have a framework for protection that goes beyond mere technological filters. Lawyers now have an additional duty technologically to protect against such attacks and breaches internally, and to also advise clients on strategic plans and compliance that effectively address cyber attacks and data protection in effort to mitigate potential liability and damage stemming from such attacks. Law firms have to be as well-informed as any other organization and must have a model in place to address attacks. Law firms are persistently targeted by insidious hackers. Financial institutions are now auditing law firms to see if they have such protections in place to secure their clients’ data.

Passwords and Supervisory Control and Data Acquisition (“SCADA”, used to collect real time data) systems with default passwords are easily available through forums such as Russian hacker chatter. Yet the most commonly used employee password remains “password.” Mobile devices remain big targets, and many employees charge these devices at work thereby opening the door to another avenue of attack. Many computer networks are easily defeated by malware.  Malware is available for sale on the internet and is easily available for purchase to carry out cyber attacks. Firewalls and similar technological protection software are too often easy to hack, and therefore due diligence requires companies to go beyond technological protections. Many companies who have experienced attacks or have had data breaches remain completely unaware and unprepared. In fact, it is more probable that the only reason a company may not have yet been attacked would be a lack of intent or interest by hackers or insiders with access, and would not be because the data is not available or the networks are not accessible.

Unpatched programs pose a serious, major threat, but this is not merely a technical issue as it is really a business risk issue. Companies need to ask where their critical information is located. Most company Information Technology personnel and service companies cannot respond to this question easily. A company’s critical information is usually scattered across the company, and identifying and finding the location of that information is an ongoing process requiring continuous high-level conversations.

Data retention is a key issue for corporations. The usual cost to remediate a data breach is roughly $200 per file. Customer lists containing 10,000 or more persons can therefore be very expensive.  Adherence to data retention policies by destruction of information and records when this information is no longer needed is good policy. Regular risk assessments in different business lines is also good policy given that business lines have different types of valuable data and therefore have different targets; different targets equates to different methods of targeting by internal and external threats. Good data hygiene requires that data security policies and procedures are up to date and regularly checked by a third party. This should be an ongoing process.  All corporate stakeholders must be involved to have a full business view of the risks, as opposed to merely a technical view of the risks. Effective data security and compliance therefore mandates that corporations work across business lines and together with high-level management and the C-suite, and finance, legal, and IT departments. It is also prudent for corporations to involve the Board, set up a high-level Risk Committee, and develop an external audit system with major assessments to identify threats and the most valuable corporate information. Corporations need more than just one or two solutions, but require a series of interventions at every possible level to effectuate due diligence and compliance.

Soon due diligence will not be optional, but in the foreseeable future will involve liability for attacks and tighter regulation beyond mere voluntary frameworks.  Privacy laws are complex and directly related to cyber security. Protection of PII, such as credit card information, health care information, and corporate secrets are at risk by phishing emails. Insidious tweets or false social media postings can cause immediate harm to a corporation’s bottom line and net worth. A filibuster of cyber legislation does not mean that corporations can ignore and escape due diligence responsibility or liability concerning data protection.  Data protection concerns public safety on every level and the complexity of legal issues are only mounting.

More legislation and regulations are surely looming in the near future.  Potential initial investigative steps following a data breach can be difficult and daunting tasks for a corporation, such as responding to a Foreign Intelligence Surveillance Act (“FISA”) subpoena, determining whether any protected personal and private information has in fact been shared, and determining whether a corporation has therefore triggered mandated notification requirements. Over time litigation will end up shaping corporate guidance governing data breaches beyond the current voluntary suggestions. It is therefore imperative that corporations begin now to learn how to monetize various potential data breaches of differing information and how to conclude what constitutes a material breach requiring notification. Corporations often have no way of predicting how or when information might be exploited following a breach. These exercises are vital for corporations doing international business, particularly in Europe given the European Union’s intent to tighten requirements governing data protection within two years and that will affect aid.

Data protection is a never-ending process. Corporations can no longer be static or concerned solely with defense should a breach occur; corporations must be proactive.  Hackers have been successfully hacking for many years. Corporations who are unaware of who is operating the network place their money at risk and stand to lose huge amounts of money daily should a breach happen. All corporations and states in the United States have theft of data despite data privacy laws. How corporations share data about these breaches, and how they overcome information sharing hurdles, such as how to address breaches involving national security and secret information that cannot be conveyed to other members of board or company, is imperative to mitigation. Cyber space is now a global network that has become a global problem.  No country or corporation, no matter how big or small, is exempt from these risks, the loss of data, or the resulting damage.

Lessons from last week’s US-Saudi Business Opportunities Forum

I was in Los Angeles last week, in large part to attend the annual US-Saudi Business Opportunities Forum. This yearly event brings together a wide range of top tier speakers along with business people and government officials from around the world (mainly the USA and Saudi) for 3 days of panels, discussions, and networking meals.  If I had to underscore a single theme, it was that there is a lot more to the Kingdom of Saudi Arabia (KSA) than most in the US probably know.

Ambassador James Smith, the US’ chief diplomat in KSA delivered a very interesting speech outlining the many different facets (and geography) of the Kingdom. Why is this relevant?  Beyond giving us non-Saudis in the audience a better understanding of the country, it highlights the fact that KSA has a very unique economy. Beyond being the largest market in the Gulf Cooperation Council (GCC), I was interested to see that KSA has a significant industrial base and an impressive number of qualified nationals who can help the country move into the new milenium. 

Key areas of interest appeared to be energy, oil & gas (no surprise there) but also health care. I was impressed to see that the country is planning over 100 hospitals in the next few years and will have a shortage of about 80,000 physicians by some measures. How they will make up for this, I do not know. Given that one Saudi legal professional at the conference told me, the country also only has about 2,000 lawyers. This leaves the door wide open to not only skilled experts (more broadly) but also individuals with the bandwidth and capacity to help get big projects running.

This leads me to my next point – the legal landscape. Not surprising, this is often overlooked. It’s amazing how many people still do not know the difference between a branch and a subsidiary, or the type of rights they need to guarantee in a joint venture or franchise agreement.  Often simply wanting to get a deal quick, businessmen commonly overlook these legal implications, even though they can be significant.  Making sure you have the right local partner, do not run afoul of US laws and have recourse locally (and the US arguably) are just among the most basic of concerns one should consider addressing before entering any foreign market, but especially one like that of the KSA. Just another reason why not only contracts should be used but should also be solid.

Data Privacy, Cyber Security, and GCC Countries

President Obama’s recent Executive Order No. 13636, issued February 12, 2013, places data privacy and cyber security as lead initiatives for critical infrastructure sectors, such as financial services, health services, and energy. Data privacy and cyber security are hot topics globally. In the U.S., data privacy and cyber security regulations are challenging and vast. The EU has stringent privacy laws as well. Today, nearly every industry sector is touched by data privacy regulations, threats, and demands, and is therefore also liable for breaches or other non-compliance when things go awry.

Many companies fail to routinely audit their compliance situation or Information Technology operations. Many do not have a breach or notification plan in place. Further, high-level executives and boards often fail to review cyber security, privacy, and risk management as part of corporate good governance operations or policies. Because financial services and energy are two prime critical infrastructure sectors that attackers target, Gulf Cooperation Council (GCC) countries and those companies operating in the region are particularly vulnerable. A Gulf Business Machine (GBM) survey of regional IT professionals revealed that 35 percent of all cyber crime and breaches were from the result of an organization’s own internal employees. Social media was noted as a primary source for attack. Other attacks come from external hackers. In 2012, hackers linked to the government of Iran attacked data and disabled 30,000 computers, thereby causing millions in damages at Aramco

In the U.S., civil and criminal liability is on the rise as class actions have mounted for breaches involving Personally Identifiable Information (PII). State and federal investigations and prosecutions are on the rise for noncompliance in nearly every industry, including financial services, health services, manufacturing, and energy. Energy companies and financial institutions are particularly vulnerable for cyber attacks, and the targets may vary from customer information to company secrets. Energy companies are routinely targeted by insiders, foreign governments, organized crime, or competitors seeking corporate secrets and intelligence, control over critical industrial control systems, or other data or intellectual property. The most widely known attack against U.S. oil and gas companies was by China through use of its Night Dragon. Night Dragon was launched to steal confidential information from major U.S. energy companies, of whom at least one company said it was not aware of any successful attacks.

Because the energy and financial sectors are prime targets for data and cyber attacks, a strong compliance program and breach plan is crucial to prevention, mitigation of losses, and protection of a company’s reputation. Billions of dollar a year are routinely lost by companies simply in stolen intellectual property. Mitigating exposure to liability as a result of data security breaches can save millions per year in lost assets or reputation, intellectual property, customer information, fines, or other damages. The risks are even direr for energy companies where an attack could result in an oil spill or other environmental damage, prolonged power outages, and loss of life.

Threats and attacks from outside hackers are usually what comes to mind when one thinks of data and cyber protection, however, what most are not aware of is that the bulk of threats actually come from inside a company by either disgruntled employees, poorly trained employees, poor compliance controls, poor oversight of employees with access to sensitive information, and employees who are interested in selling competitive corporate intelligence for whatever reason. The actual amount of breaches and other cyber crime by insiders is actually much higher than the GBM survey, and most incidents are unreported, confidential, or undiscovered.

Information technology personnel cannot front the risks alone and are not equipped to conduct assessments and analysis as are regulatory attorneys. Even the best IT personnel and management need legal guidance and assistance with investigating breaches and attacks. Legal representation at every level of compliance activities and investigation is the best insurance to successful mitigation and management of risks. It is imperative that outside counsel be involved in routine audits and assessments of compliance review and development, training, and in development of a solid breach plan. Cyber and privacy insurance rarely covers liability or damages for breaches in all scenarios. Compliance will always remain cheaper than the losses a company may suffer in stolen property or loss of reputation.

Teresa N. Taylor is Of Counsel at Akrivis Law Group, PLLC in Washington and is an Adjunct Faculty member at Georgetown University Law Center.  Her professional biography is available here.

Farhad Alavi Quoted in Abu Dhabi’s The National

I was quoted in Abu Dhabi-based The National, the leading English-language daily, with quotes in the United Arab Emirates on Wednesday, July 3. More specifically, the quotes are in two articles addressing the latest round of U.S. sanctions that went into effect against Iran on July 1 and their impact on trade between the UAE and Iran.

The two articles are and can be accessed by clicking the below links.

(1) UAE businesses to feel effect of fresh US sanctions on Iran
(2) Is trade with Iran worth the risk for UAE companies?

Anti-Corruption in the GCC – Where is Compliance Headed?

Dubai-based Gulf Business published an short interview with Imelda Dunlop of the Pearl Initiative and Michael Adlem of Ernst & Young in the UAE regarding the spread of Anti-Corruption measures in the Persian Gulf region.  For me, the fact that such a topic was getting press and the content of the interview itself presented a significant milestone of sorts.  Working on sanctions compliance and fielding calls and clients alike in that part of the world, it’s very necessary to keep a finger on the region’s pulse when it comes to matters regarding trade and anti-corruption.  As such, I see that the arguments made forth by the two interviewees made sense.  Surely, the importance of compliance is rising.

It is unclear if strict local laws will be adopted.  Until then the de facto standards for trade compliance may likely be guided by US and UK benchmarks. With respect to US practices, the need for robust compliance programs on sanctions, export controls, anti-money laundering, and foreign corrupt practices is increasingly recognized.  Gulf operations of US companies often do not work in a vacuum, and with the imposition of secondary sanctions and wide-ranging grounds for jurisdiction of US law, the issue is becoming more tangible.

For American companies, the significance is quite clear – even many companies that have little business in the Gulf may use that region as a transit point for Africa, other points in MENA and South Asia. For local companies, as the Gulf Business interview hints, going global is increasingly on the minds of some. As such, compliance programs featuring preemptive measures (such as screening and reporting procedures) will be increasingly commonplace.

In the realm of sanctions, the impact is very much evident. On my most recent visit to the UAE earlier this year, my general impression was that the topic was much more salient than it was when I first started going to the region years ago.

New Legal Frontiers as GCC Health Care Infrastructure Expands

As I have alluded on this blog before, the GCC states are pouring more and more money into health care infrastructure. It was only a matter of time before medical tourism became high on these countries’ agenda, and now plans are increasingly starting to take shape. There has been much in the news for the past years over the Cleveland Clinic Abu Dhabi which will soon be opened.  But this center will have an increasing number of competitors in the market, with a slate of new facilities being introduced such as the new AED 3 billion Rashid Hospital development in Dubai which was announced in recent days..  What are the legal and business challenges to this new landscape for those seeking to take their wares into the region?

Here are two critical factors that come into mind for those who manufacture medical technologies seeking to sell in the region.

1. Exclusivity of Technologies and Brand Penetration. In a relatively small region flush with cash, it is to be expected that there is a high probability that there will be an overlap or redundancy of technologies and services.  Companies bringing in foreign technologies (such as advanced medical devices) into the GCC may feel compelled to demand exclusivity rights for whatever they import, particularly pricey technologies that require high margins to be viable. For the foreign manufacturer or seller, the question becomes – if you have one bite at the apple (meaning the market) you should surely make sure your contract enables you to get out of a contract if the local partner is not up to par.  Establishing benchmarks for sales, etc. can be one way to do this.

2. Service and Parts.  Manufacturers and distributors should be very cautious to ensure that their equipment is serviced adequately. Otherwise, the probability of legal issues regarding warranties, etc. can be come problematic.  Having trained local technicians can be a good first step – if you simply have a service arrangement with a local company, the chances of poor repair may increase, and this can increase liability, not to mention diminish the appeal of the product.

These are only a sampling of concerns that one may have. As with entering any market, healthcare is dicey and the MENA / GCC regions bring their own unique concerns.


A review of MENA Region Legal and Business Affairs.