Federal Decree-Law No. (30) of 2024
Regarding the "Know Your Customer" Digital Platform
We, Mohamed bin Zayed Al Nahyan, President of the United Arab Emirates,
Having reviewed the Constitution,
- And Federal Law No. (1) of 1972 concerning the Competencies of Ministries and Powers of Ministers, and its amendments,
- And Federal Law No. (8) of 2004 concerning Financial Free Zones,
- And Federal Law No. (6) of 2010 concerning Credit Information, and its amendments,
- And Federal Decree-Law No. (14) of 2018 concerning the Central Bank and the Regulation of Financial Institutions and Activities, and its amendments,
- And Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations, and its amendments,
- And Federal Decree-Law No. (32) of 2021 concerning Commercial Companies,
- And Federal Decree-Law No. (45) of 2021 concerning the Protection of Personal Data,
- And based on the proposal of the Minister of Finance, and the approval of the Cabinet,
Have issued the following Decree-Law:
Article (1)
Definitions
In the application of the provisions of this Decree-Law, the following words and phrases shall have the meanings assigned to each of them, unless the context otherwise requires:
| The State |
: The United Arab Emirates. |
| The Cabinet |
: The Cabinet of the United Arab Emirates. |
| The Ministry |
: The Ministry of Finance. |
| The Minister |
: The Minister of Finance. |
| The Central Bank |
: The Central Bank of the United Arab Emirates. |
| The Governor |
: The Governor of the Central Bank. |
| The Concerned Authorities |
: The authorities specified by the Executive Regulations of this Decree-Law. |
| The Platform |
: The "Know Your Customer" digital platform. |
| The Company |
: The company established in implementation of the provisions of this Decree-Law with the aim of establishing and managing the Platform to carry out the collection, analysis, use, trading, and exchange of "Know Your Customer" data and issuing "Know Your Customer" reports. |
| Data Provider |
: Any entity that provides the necessary data to the Platform in accordance with the provisions of this Decree-Law and its Executive Regulations, including federal and local government entities and institutions, private sector companies and establishments operating in the State or in free zones, financial institutions, insurance companies, and insurance-related professions licensed by the Central Bank, or any other entity considered by the Company as a potential data provider. |
| The Customer |
: Any natural or legal person who agrees to the issuance of a "Know Your Customer" report about them. |
| The User |
: The entity entitled to obtain a "Know Your Customer" report in accordance with the provisions of this Decree-Law and its Executive Regulations. |
| "Know Your Customer" Data |
: The data, information, documents, and official records related to the Customer, which are required to be provided to the User to enable them to conduct prior verification of the Customer as specified by the Executive Regulations of this Decree-Law. |
| "Know Your Customer" Report |
: A report issued by the Company based on the Customer's consent and the User's request, which includes "Know Your Customer" data. |
| Customer's Consent |
: The prior consent of the Customer, whether in writing, digitally, or by any other legally acceptable means, for the purposes specified in this Decree-Law and its Executive Regulations. |
| Code of Conduct |
: A binding set of regulations applicable to the Data Provider and the User to govern the process of requesting, collecting, storing, analysing, classifying, using, trading, and exchanging "Know Your Customer" data, the dispute resolution mechanism, and the determination of operational policies and procedures for such data. |
Article (2)
Objectives
This Decree-Law aims to:
1. Develop the financial infrastructure and promote digital transformation in the State.
2. Verify the identity of the Customer and their compliance with the financial and other regulations and legislation in force in the State.
3. Provide the necessary data and information to the User to enhance transparency in financial transactions.
4. Regulate the collection, analysis, classification, and use of "Know Your Customer" data in the State.
5. Facilitate the exchange of information and cooperation in combating financial crimes.
Article (3)
Scope of Application
The provisions of this Decree-Law shall apply to the following:
1. The Company, the Data Provider, the Customer, and the User.
2. Anyone related to "Know Your Customer" data as specified by the Executive Regulations of this Decree-Law.
Article (4)
Establishment of the Company
1. In implementation of the provisions of this Decree-Law, a company shall be established to create and manage the "Know Your Customer" platform. The Company shall have a legal personality and the legal capacity necessary to conduct its activities, and shall be subject to the provisions of Federal Decree-Law No. (32) of 2021 concerning Commercial Companies, and its amendments, or any other law that replaces it, in matters not specifically provided for in this Decree-Law and the Company's Articles of Association.
2. The Company shall have a Board of Directors composed of no less than (7) seven members and no more than (11) eleven members, including the Chairman of the Board. The Board shall be chaired by one of the Assistant Governors of the Central Bank. The Central Bank shall prepare the Company's Articles of Association in coordination with the Ministry, and it shall be issued by a decision of the Cabinet based on the Minister's proposal. The Articles shall include all provisions regulating the Company, including the following:
a. The name and legal form of the Company.
b. The ownership, head office, and branches of the Company.
c. The purposes of the Company, its issued and authorized capital, and the method of payment thereof.
d. The procedures and provisions for increasing or decreasing the Company's capital.
e. The formation of the Board of Directors, the method of appointing its members, and the determination of their competencies, powers, and remuneration.
f. The composition, competencies, and powers of the General Assembly.
g. The Company's operating system.
h. The dissolution and liquidation of the Company.
i. The minimum ownership of the Federal Government in the Company's capital, the nature of the shares it owns, and the rights these shares grant to the Federal Government in voting on the decisions of the General Assembly.
Article (5)
Activities of the Company
In addition to the activities prescribed for the Company under its Articles of Association, the Company shall carry out the following activities:
1. Establishing and managing the Platform.
2. Regulating the processes of collecting, storing, analysing, classifying, using, trading, and exchanging "Know Your Customer" data in compliance with the cybersecurity policies, standards, and guidelines in the State.
3. Issuing the "Know Your Customer" report and any other related reports and products in accordance with the regulations specified by the Executive Regulations of this Decree-Law.
4. Agreeing with the Data Provider to regulate the process of obtaining "Know Your Customer" data.
5. Preparing and developing risk tools and standards and related matters.
Article (6)
Obligations of the Company
Without prejudice to the provisions of the Company's Articles of Association and the regulations and decisions issued by the Central Bank in accordance with Article (12) of this Decree-Law, the Company shall be committed to the following:
1. Not to disclose or reveal the "Know Your Customer" data in its possession to third parties except in accordance with the provisions of this Decree-Law and its Executive Regulations.
2. Establishing modern systems for processing "Know Your Customer" data and "Know Your Customer" reports in accordance with the regulations and specifications determined by the Executive Regulations of this Decree-Law.
3. Protecting "Know Your Customer" data transmitted through the Platform from loss, damage, unauthorised or insecure access, use, or modification, including developing tools and means to handle emergency situations.
4. Adhering to the use of "Know Your Customer" data in accordance with the provisions stipulated in this Decree-Law, its Executive Regulations, and the decisions of the Central Bank.
5. Notifying the Central Bank of any violations of the provisions of this Decree-Law and its Executive Regulations.
Article (7)
Access to Data
1. The Customer may access the details of their "Know Your Customer" report in accordance with the regulations determined by the Executive Regulations or approved by the Central Bank.
2. The Company shall not be liable for any error in the "Know Your Customer" data provided by the Data Provider, unless it is a result of negligence on the part of the Company or one of its employees.
3. The Executive Regulations of this Decree-Law shall specify the procedures and provisions for processing requests to amend the "Know Your Customer" report at the Customer's request.
Article (8)
Relationship with the Data Provider
1. The Company shall conclude an agreement with the Data Provider to regulate the mechanism for providing, using, and exchanging "Know Your Customer" data, and the related terms, conditions, and special forms for protecting and ensuring the confidentiality of "Know Your Customer" data.
2. The Data Provider shall provide the Company with the "Know Your Customer" data it requests in accordance with the agreement concluded between them, without imposing any financial burdens on the Company.
3. The Executive Regulations of this Decree-Law shall specify the Customer data necessary for the Platform that the Data Provider is permitted to provide to the Company.
Article (9)
Prohibition of Use and Trading of "Know Your Customer" Data
The Company is prohibited from using, trading, or exchanging "Know Your Customer" data for purposes other than those stipulated in this Decree-Law and its Executive Regulations.
Article (10)
Controls for Issuing the "Know Your Customer" Report
1. The User must obtain the Customer's consent before requesting to obtain a "Know Your Customer" report, and the Company must develop the necessary procedures or systems to ensure the availability of the Customer's consent for any report requested by the User in this regard.
2. Notwithstanding clause (1) of this Article, the User may, based on an order from a summary matters judge, request the Company to issue a "Know Your Customer" report on any of their debtors, in accordance with the regulations determined by the Executive Regulations of this Decree-Law.
Article (11)
Confidentiality of "Know Your Customer" Data
Subject to the provisions of Article (10) of this Decree-Law, "Know Your Customer" data is considered confidential by nature and shall only be used among the parties stipulated in this Decree-Law and its Executive Regulations. It may not be accessed or disclosed, directly or indirectly, to any user except with the consent of the Customer, their heirs, legal representative, or authorised agent, or upon request from the competent judicial authorities to the extent necessary for investigations and cases pending before them.
Article (12)
Competencies of the Central Bank
The Central Bank, in its capacity as the competent regulatory authority over the Company's activities, shall assume the following competencies under the provisions of this Decree-Law and its Executive Regulations:
1. Regulating and supervising the proper performance of the tasks entrusted to the Company.
2. Setting the regulations under which the Company shall conduct its activities and provide services and related matters.
3. Establishing and issuing the Code of Conduct applicable to the Data Provider and the User.
4. Determining the data and information related to the Customer that the Company may request from Data Providers.
5. Issuing any instructions or decisions to the Company in compliance with the provisions of this Decree-Law, its Executive Regulations, and the legislation in force in the State.
Article (13)
"Know Your Customer" Database
The "Know Your Customer" database shall be linked in accordance with what is determined by the Executive Regulations of this Decree-Law.
Article (14)
Penalties
1. Whoever commits any of the following acts shall be punished by imprisonment for a period of not less than (2) two years and a fine of not less than (50,000) fifty thousand dirhams, or by one of these two penalties:
a. Discloses "Know Your Customer" data or the "Know Your Customer" report in cases other than those authorised in accordance with the provisions of this Decree-Law and its Executive Regulations.
b. Obtains or accesses a "Know Your Customer" report without obtaining the required approvals in accordance with the provisions of this Decree-Law and its Executive Regulations, or by using fraudulent methods or incorrect information.
c. Breaches the established confidentiality of "Know Your Customer" data or the "Know Your Customer" report.
d. In bad faith, falsifies data or provides incorrect information to the Company.
2. The commission of any of the crimes stipulated in this Decree-Law and its Executive Regulations by a public employee or any of the Company's employees shall be considered an aggravating circumstance.
3. The imposition of the penalties stipulated in this Decree-Law shall not prejudice any more severe penalty provided for in any other law, nor the civil liability of the offender.
Article (15)
Violations and Administrative Penalties
The Cabinet shall, upon the proposal of the Minister and after coordination with the Governor, issue regulations on violations and administrative penalties for acts committed in contravention of the provisions of this Decree-Law and its Executive Regulations, the mechanism for appealing them, and how to collect administrative fines.
Article (16)
Executive Regulations
The Central Bank shall prepare the Executive Regulations for this Decree-Law in consultation with the concerned authorities in the State, and they shall be issued by a decision of the Cabinet upon the proposal of the Minister, and shall include, at a minimum, the following:
1. Defining the nature and description of Data Providers.
2. The mechanism for providing the Platform with data, its type, and nature.
3. The rights and obligations of all related parties.
4. The regulations and specifications for the systems used to store, process, protect, and issue everything related to "Know Your Customer" data and "Know Your Customer" reports.
5. The regulations under which the Customer may access the details of their "Know Your Customer" report.
6. The regulations for issuing a "Know Your Customer" report on any of the User's debtors.
7. The mechanism for submitting, examining, and processing data-related complaints.
Article (17)
Financial Consideration
The Board of Directors of the Central Bank shall, upon the proposal of the Company's Board of Directors and after coordination with the Ministry, issue a decision determining the financial consideration the Company shall receive in return for providing its services to users.
Article (18)
Judicial Seizure
The employees of the Company, who shall be designated by a decision from the Minister of Justice in agreement with the Governor, shall have the capacity of judicial seizure officers in establishing violations of the provisions of this Decree-Law, its Executive Regulations, and the decisions issued in implementation thereof, each within their scope of competence.
Article (19)
Repeals
Any provision that violates or contradicts the provisions of this Decree-Law shall be repealed.
Article (20)
Publication and Entry into Force of the Decree-Law
This Decree-Law shall be published in the Official Gazette and shall come into force from the date of its publication.
Mohamed bin Zayed Al Nahyan
President of the United Arab Emirates
Issued by us at the Presidential Palace - Abu Dhabi:
On: 28 / Rabi' al-Awwal / 1446 H
Corresponding to: 1 / October / 2024 AD