UAE Actions Signal Continuing Commitment to Combat Money Laundering

Since April 2020, when the Financial Action Task Force reported that the United Arab Emirates (UAE) was failing to do enough to combat money laundering, the UAE has embarked on a series of actions that indicate the seriousness of its commitment to dealing with money laundering.  In November 2020, the UAE announced the development of a strategic plan to support efforts to combat money laundering, established an Anti-Money Laundering Department within the Ministry of Economy, set up a series of special federal courts across the UAE to address the issue of money laundering, temporarily suspended 100 law firms in the UAE from practicing, and fined seven other law firms AED 100,000 ($27,229) each for anti-money laundering violations.

Soon thereafter, in December 2020, the UAE Cabinet approved the creation of the Executive Office of the Anti-Money Laundering and Countering the Financing of Terrorism (Executive Office).  That office is established to track the UAE’s performance with reference to international anti-money laundering (AML) requirements, and to ensure the UAE’s active collaboration with companies and partners across the world.

Three recent developments in the UAE indicates that the UAE continues to demonstrate its commitment to its AML obligations.  First, on March 17, Gulf Business reported that the Anti-Money Laundering and Tax Evasion Court within the Abu Dhabi Judicial Department (ADJD) convicted four individuals, all Filipino nationals, and a UAE jewelry company of committing money laundering and fraud against 4,000 people.  The court sentenced each of the individual defendants to five years’ imprisonment, deportation, and a fine of AED 10 million ($2.7 million), and fined the jewelry company AED 50 million ($13.6 million).  In addition, the court ordered the confiscation from the company of approximately 7,430 grams of 18 Karat gold, worth more than AED 1.37 million ($372,900).

According to the official UAE news agency WAM, the four individuals conducted an Internet fraud and pyramid scheme, in which they established a website labeled “Gold Empire Management” and used advertisements, videos, and contests posted on the site and social media to attract prospective investors in their company.  The defendants charged each would-be investor a fee of AED 2,000 ($544), but reportedly encouraged victims to persuade others to participate in the spurious investment and offered them AED 1,000 ($272) for each new investor they brought in.

Second, on March 17, the UAE Financial Intelligence Unit (FIU) and the Israeli Money Laundering and Terror Financing Prohibition Authority signed a Memorandum of Understanding to promote the exchange of financial intelligence between the two agencies and strengthen the cooperation between those agencies, the UAE, and Israel to improve the joint activity against money laundering and terrorism financing.

Third, on March 24, the Executive Office announced a number of new AML measures and tools, including new restrictions on the movement of cash and precious metals.  Those measures and tools include:

  • (1) a “goAML: tool to submit and analyze suspicious banking reports for authorities to take legal action;
  • (2) an “IEMS” platform to exchange messages between the UAE FIU, the private sector, and law enforcement entities in the UAE;
  • (3) a “Fawri Tech” program to facilitate immediate action on financial issues that relate to combating the proliferation of weapons of mass destruction;
  • (4) a unified e-customs platform that is directed, in the long term to controlling illicit trafficking and smuggling operations in the UAE; and
  • (5) a “Declare” program to restrict the movement of cash, precious stones, and metals before and after their arrival in the UAE in connection with the movement of passengers across customs borders.

The Executive Office stated that through the adoption of these technical controls, it “hopes to strengthen the UAE’s efforts to curb illicit flows of funds, promote asset recovery, and combat all forms of transnational financial crime.”

National Security Agency and Cybersecurity & Infrastructure Security Agency Release Joint Guidance on Using Protective Domain Name System (PDNS) Service

On any given day, some five billion people worldwide use the Internet.  Only a vanishingly small fraction of those people is even aware of, let alone understands the importance of, a critical component of Internet use: the Domain Name System (DNS).  The DNS system has been defined as “a hierarchy of duplicated database servers worldwide” that begin with so-called “root servers” for top-level domains such as .com, .net, .and org and converts alphabetic names into numeric Internet Protocol (IP) addresses.

Because the DNS system is so critical to the effective operation of the Internet and Internet communications, DNS has become “an increasingly targeted threat vector for attackers.”  Cyberattackers routinely use a variety of techniques to exploit the DNS system and gain unauthorized access to command-and-control systems and exfiltrate large volumes of sensitive data. 

On March 4, the U.S. National Security Agency (NSA) and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a joint information sheet that provides guidance on selecting a protective Domain Name System (PDNS) service “as a key defense against malicious cyber activity.”  As the information sheet explains, the DNS “is central to the operation of modern networks”, but “was not built to withstand abuse from bad actors intent on causing harm.”  It explains that a PDNS is “different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”

The information sheet makes clear that it provides an assessment of several commercial PDNS providers based on reported capabilities, but that that assessment “is meant to serve as information for organizations, not as recommendations for provider selection.”  It advises that users of these services “must evaluate their architectures and specific needs when choosing a service for PDNS and then validate that a provider meets those needs.”

Chief Information Security Officers at companies and government agencies need to peruse the NSA-CISA guidance closely and give serious consideration to acquiring some form of PDNS.  Because DNS-based attacks are highly likely to increase during 2021, particularly from hostile state actors and professional cybercrime organizations, every enterprise must take seriously the need to protect itself from such attacks.