Gulf Cooperation Council (GCC) countries have implemented many monitoring, regulatory and legal initiatives to address the risks of criminal exploitation during the pandemic while dealing with ever-changing technologies and winning the trust of overseas investors. These initiatives have presented many challenges and opportunities for corporate investigators. This article discusses the details of some of the changes and their likely impact on regional investigations.
• Current regulatory and legal landscape in the GCC
• The impact of data privacy laws
• Stricter counterterrorism and anti-money laundering (AML) controls
• The impact of bankruptcy and insolvency laws
• The change in the cybercrime landscape
• The advent of cryptocurrency and the need for investigation
Referenced in this article
• GCC economic vision
• Data privacy laws
• AML and FATF
• Bankruptcy and insolvency laws
• Cybercrime laws
• Crypto investigations
The Gulf Cooperation Council, comprising the Kingdom of Saudi Arabia (KSA), the United Arab Emirates (UAE), Qatar, Bahrain, Oman and Kuwait, has seen strong economic growth over several decades. Most GCC countries are continuing to seek outside investment to support their ambitious development plans (e.g., Saudi Vision 2030, Dubai 2040 Urban Master Plan, Abu Dhabi 2030 Economic Vision, Qatar National Vision 2030 and Kuwait Vision 2035).
Although the GCC has managed sustained economic growth, the corporate investigations landscape has struggled for many years to keep up with the demands of companies faced with numerous risks owing to underdeveloped regulatory and legal frameworks in GCC countries. Those who wish to prey on individuals and corporations through fraud, cybercrime and misconduct have exploited the regulatory and legal gaps, and there is also significant regional exposure to sanctions-related issues and money laundering threats from organised crime.
Recognising these risks, GCC governments have worked to adapt both their regulatory and legal frameworks in recent years to make their economies more attractive to outside investors, including by investing heavily in initiatives to counter the threat of crimes and regulatory breaches and to reduce criminal activity. For example, authorities in the GCC have sought to modernise their regulatory regimes through, among other things, enhanced regulatory monitoring and harsher penalties relating to cybersecurity, digital identity, digital currencies, fintech, anti-money laundering (AML), data protection and privacy, and terrorist financing.
These initiatives are in addition to guidance issued in response to the covid-19 pandemic and increased international cooperation on transparency, extradition and money laundering targets. These modernisation efforts, although sometimes slow, have also seen the establishment of new regulators.
Data privacy laws
As of March 2022, five countries in the GCC have enacted new data privacy laws to strictly monitor and control the use of
• KSA Royal Decree M/19 of 9/2/1443H;1
• UAE Federal Decree-Law No. 45 of 2021;2
• Qatar’s Data Protection Law No. 13 of 2016;
• Bahrain’s Law No. 30 of 2018;3
• Oman’s Royal Decree 6/2022;4 and
• Law No. 5 of 2020 of the Dubai International Finance Centre (DIFC).
The GCC countries join more than 130 jurisdictions with comprehensive privacy laws intended to safeguard individuals against the misuse of their personal data by organisations that receive or use such data. The GCC regulations bring regional laws in line with international standards, and there are strict penalties for the misuse of data or breaches of the law, with fines reaching up to US$800,000 in KSA and two years’ imprisonment for the misuse of sensitive data.5
These regulations potentially impact global organisations as the territorial scope encompasses any organisation that carries out processing activities about data subjects6 in the GCC, regardless of where they are established.
In this sense, the regulations are similar to the EU General Data Protection Regulation (GDPR), under which the authorities have issued more than 900 fines since its inception in 2018 across the European Economic Area and the United Kingdom, punishing organisations such as Amazon (US$877 million)7 and WhatsApp (US$255 million).8 Properly implemented and enforced, the GCC regulations could be similarly punitive to organisations that fail to prepare and change adequately.
The impact on corporate investigators is twofold: the first impact is when a breach is suspected and needs to be investigated and reported by the organisation. Many of the regulations require a reporting mechanism (typically through a commissioner or a data office). To respond to such a situation, organisations should work closely with their investigators and compliance officers to put in place and implement appropriate policies and procedures.
The second impact is how investigators gather and process information to pursue an investigation. Consideration must be given to obtaining a data subject’s consent to handle the data or confirming that there is a lawful circumstance for its processing. In the context of an investigation that may include gathering and processing personal data, a lawful purpose could comprise any of the following:
• where the data subject has made the personal data public;
• protection of the interests of the data subject;
• being part of a judicial or security procedure; or
• medical purposes or matters of public health.
Terrorism and AML
The global community has made AML and combating the financing of terrorism (CFT) a priority. These efforts aim to guard the integrity of the international financial system, cut off the assets accessible to terrorists and make it harder for those engaged in wrongdoing to profit from their felonious activities.
Money laundering is secondary to a primary crime, such as corruption, drug trafficking, human trafficking, fraud and cybercrime. The original crime is called a predicate offence, and it is how bad actors acquire ‘dirty money’. Stopping money laundering can help stop primary offences and further help prevent the diversion of money away from financially productive uses. These diversions can have damaging impacts on businesses and the financial sector.9
The Financial Action Task Force (FATF) on money laundering, a 39-member intergovernmental body established by the 1989 G7 Summit in Paris,10 has primary responsibility for developing the global standards for AML and CFT (AML/CFT). It works in close cooperation with other key international organisations, including the IMF.
Certain GCC and neighbouring countries have sought the assistance of the FATF in assessing their AML regulatory regimes. Saudi Arabia, the UAE, Bahrain, Egypt and Jordan have completed the fourth round of mutual evaluations by the FATF, with Qatar currently going through the process. As of March 2022, the UAE, Jordan and Yemen are listed in the FATF’s grey list, meaning they are listed as high-risk countries, which can negatively impact investments.11
The UAE is taking steps to shed its reputation as a financial crime hotspot. In 2021, the UAE’s central bank fined 11 banks a total of US$12.5 million for having inadequate AML and sanctions controls at the end of 2019.12 It has also stepped up its AML/CFT enforcement efforts, with new extradition deals planned with several countries and several cross-border training operations.
Further, changes in the UAE’s legislation and the development of enforcement guidelines have advanced money laundering investigations and prosecutions.13 For instance, the UAE has updated key legal instruments, such as Federal Decree-Law No. 20 of 2018 on AML/CFT, which has been further enhanced and amended through Federal Decree No. 26 of 2021.
The UAE’s grey list placement initially led to increased investigations prior to the covid-19 pandemic, particularly regarding shareholder disputes as companies were more sensitive to the risk and therefore conducted more internal investigations. Some of this increase in investigations also resulted from, for example, the change in company law in the UAE14 and regulatory investigations in the pharmaceutical industry.
However, inquiries and reviews stalled as companies looked to control costs while having to rapidly revise policies and procedures as remote working became the norm. There has not yet been a spike in the number of investigations in the wake of the covid-19 pandemic; however, with global indicators showing a massive increase in fraud and corruption,15 it is highly likely that there will be an increase in investigations (along the lines of the exponential growth in investigations that occurred in the aftermath of the financial crisis in 2008).
Bankruptcy and insolvency regulations
GCC countries have also sought to become a more attractive home for investment by creating more modern, recognisable insolvency regimes that contain modern restructuring tools for businesses facing distress. The KSA, Bahrain, Oman, Kuwait and the UAE have either brought in new laws or updated existing laws to make them more investor-friendly and, in some cases, to decriminalise certain aspects related to personal insolvency. The World Bank sees these creditor rights and insolvency systems as being of key importance in providing investor confidence in these countries.16
Given these updated insolvency laws, liquidation is no longer the last resort for companies in those jurisdictions. As a result, companies are now conducting more internal investigations to understand if fraud or management errors may be leading the companies to insolvency or bankruptcy rather than just bad business practices or market pressure; in the past, companies and individuals ran the risk of imprisonment for non-payment of debts, which led to companies trying to delay liquidation.
As an example, one of the first companies to utilise the new KSA bankruptcy law in the past year was Ahmad Hamad Al Gosaibi & Brothers (AHAB) after a global dispute with Maan Al-Sanea and the Saad Group. Prior to the new law, AHAB had few options to restructure its debt other than to go into liquidation. This would likely have led to the break-up of the family partnership businesses (most of which were operating at a profit), the loss of all the partners’ personal assets and possible imprisonment for the partners.
In 2021, the KSA court ratified AHAB’s efforts to restructure US$7.5 billion of obligations with over 100 local and international financial institutions, thus bringing an end to a prolonged investigation and litigation that extended for more than 12 years.17
The applicable recent regulations are:
• the UAE Bankruptcy Law No. 9 of 2016, which was later amended by Law No. 21 of 2020;
• the KSA Bankruptcy Law, introduced in 2018;
• the Bahrain Reorganisation and Bankruptcy Law No. 22/2018;
• Kuwait’s Law No. 71 of 2020; and
• Oman’s Royal Decree 53/2019.
Cybercrime laws and regulations
The global cost of cybercrime is expected to hit US$10 trillion in 2025, according to a 2021 cyberwarfare report by Cybersecurity Ventures.18 These figures showcase the enormity of the threat of cyber-attacks and breaches.
At the regulatory level, the most potent deterrents for this type of crime are strict regulations and penalties for using technology to commit or facilitate a crime, and several GCC countries have recently adopted laws in this space. For instance, the UAE’s latest Cybercrime Law19 addresses hacking, fake news, impersonation, internet bots and cryptocurrency and provides a framework for harsher penalties for breaches of the law.
The KSA’s Anti-Cybercrime Law of 2007,20 the Qatar Cybercrime Prevention Law,21 the Oman Cybercrime Law22 and Kuwait’s Combating Information Technology Crimes23 all address cybercrime to varying degrees, although they require updating to be in line with the latest technologies used to undertake cybercrime, such as the misuse of cryptocurrencies and non-fungible tokens.
As of April 2022, the DIFC and the Abu Dhabi Global Market have announced plans for the regulation of crypto assets and have already established that crypto exchanges will be regulated under these authorities going forward.24
With these new laws and regulations in place, criminals are moving to new methods of making profit. Many illegal gains are now obtained or laundered through deregulated cryptocurrencies. Cryptocurrencies pose unique challenges to investigators charged with identifying, tracing or seizing illicitly gained funds and assets.
Blockchain-based cryptocurrencies allow individuals to engage in peer-to-peer financial transactions or enter into contracts on decentralised platforms. In either case, there is no need for trusted third-party intermediaries.
A cryptocurrency is generally defined as digital tokens or ‘coins’ on a distributed and decentralised ledger called a blockchain. Since the launch of bitcoin in 2008, different types of cryptocurrency have expanded dramatically.25 Bitcoin continues to lead the pack of cryptocurrencies in terms of market capitalisation, user base and popularity.
Other virtual currencies, such as Ethereum, are helping to create decentralised financial (DeFi) systems. Some ‘altcoins’ have features that bitcoin does not, such as handling more transactions per second or using different algorithms (e.g., proof of stake).26
Several cryptocurrencies have built-in privacy features or preferences that users can use for more private online commerce.
The two key ways in which criminals obtain cryptocurrency are:
• stealing the funds directly; or
• using a scam to trick individuals and organisations into parting with it.
In 2021, crypto criminals stole a record US$3.2 billion-worth of cryptocurrency, according to Chainalysis. That is a fivefold increase on the year before.
Scams continue to surpass outright theft, enabling criminals to swindle US$7.8 billion-worth of cryptocurrency from victims.27
There are several different theft-related trends that investigators should be concerned about. First, most scam-related thefts are ‘rug pull’ scams. Rug pull scams are a relatively new modus operandi in which the crypto criminals ‘pump’ the value of their coins before vanishing with the coffers, leaving their investors with zero-valued assets.28 These scams are not always illegal, but they are always unethical.29
Another new scam targets people online, with victims persuaded to invest in fake cryptocurrency schemes. The scam often combines romance fraud with crypto cons, as victims are promised a ‘happily ever after’ and big crypto gains. The cybercriminals operating this long con spend months gaining online daters’ trust, using romance and the lure of fast crypto returns to trick victims out of their savings. Once the crypto criminal has drained their victim, or when the victim realises they cannot withdraw any of the funds they believe they have invested in the scheme, the perpetrator will disappear.
These facts make crypto crime a fast-growing business, giving criminals an incentive to invest time and money to make money. The rise of the crypto economy and DeFi, coupled with record cryptocurrency prices in 2021,30 has provided criminals with profitable openings. Former US federal prosecutor Jessie Liu emphasised this point when she stated earlier this year: ‘The DOJ has seen cryptocurrency used to “professionalize” cybercrime because bad actors are using digital assets to purchase illicit services such as computer hackers or ransomware software.’31
Prosecutors, investigators and regulators are right to be concerned about these current trends and the impending ability for criminals to use cryptocurrency as part of their arsenal of tools to commit crimes. Buyers risk losing all their money invested in crypto assets and could fall prey to fraud. The European Union’s securities, banking and insurance watchdogs said: ‘Consumers face the very real possibility of losing all their invested money if they buy these assets.’32
Regulators are increasingly worried that more consumers are buying different crypto assets (17,000 by one count),33 including bitcoin and ether, which account for 60 per cent of the market, without being fully aware of the risks. They are also working hard to develop crypto asset regulations that will help make this type of investment safer for consumers. This initiative could herald more widespread adoption once markets in multiple jurisdictions recognise that it is possible to regulate crypto asset service providers and protect crypto asset investors.
In February 2022, the US Department of Justice (DOJ) declared a milestone seizure of 94,000 bitcoin estimated to be worth over US$3.6 billion – the DOJ’s largest-ever haul of cryptocurrency and the largest single financial seizure in the department’s history.34
Will there be more seizures of this magnitude? Crypto firms in times of financial adversity may receive requests to liquidate large sums of virtual currency as individuals and companies seek a safe (government-backed) refuge for their fortunes. Some exchange clients use cryptocurrency to invest in real estate, while others want businesses in countries such as the UAE to turn their virtual money into hard currency and store it away from harm’s way.
Dubai, the GCC’s financial and business centre and a growing crypto hub, has long been a magnet for the rich. This has also resulted in it being a destination for illicit money. As mentioned, this has resulted in the financial crime and money laundering watchdog, the FATF, putting the UAE on its grey list in March 2022 for increased monitoring.35 The UAE responded by asserting its commitment to strengthening AML/CFT efforts.36
Some businesses in the UAE are already accepting cryptocurrency payments following new laws to regulate virtual assets.37 The United Kingdom recently announced that it plans to make stablecoins,38 a type of cryptocurrency, a recognised form of payment. Other countries, including those in the GCC, will likely follow suit.
The growing focus on cryptocurrencies will likely lead to multiple attempts to seize such assets, which means seizing illicit funds and helping to prevent the underlying crimes.
Crypto-related crime may be at an all-time high, but legitimate cryptocurrency use far outstrips illegal use.
How much cryptocurrency are crypto criminals holding?
Nevertheless, there are legitimate questions relating to how extensive the use of cryptocurrency is in criminal enterprises. Although the answer is impossible to know, an estimate can be made based on the up-to-date list of known addresses that the likes of Chainalysis have identified as being associated with illicit activity.
As of early 2022, criminal addresses possess at least $10 billion-worth of cryptocurrency. The vast majority is held by wallets related to cryptocurrency theft. Addresses associated with darknet39 markets and scams also contribute to this number. Much of this figure comes not from the initial amount derived from criminal activity but from the ensuing value growth of the crypto assets.
In November 2021, the US Federal Bureau of Investigation (FBI) warned of an increase in bitcoin ATM scams.40
The FBI highlighted in an alert that it had seen a rise in scams that involved fraudsters directing victims to make payments using bitcoin ATMs and digital QR codes that were popularised during the pandemic. There are static versions of QR codes, meaning that once created, the QR code is permanent and will always bring users to that content as long as anyone can physically scan it with a smartphone. Static QR codes are best for one-time use because they cannot be edited or tracked. The FBI noted that it had seen a proliferation of fraud schemes involving payment through bitcoin ATMs, including scams related to online impersonation fraud and romance scams, which continue to develop. The latter is in today’s top five crypto scams, as reported in March 2022 by US News.41
There are bitcoin ATMs in the UAE and the KSA that service many cryptocurrencies, potentially making these scams a key regional consideration.
Blockchain analysis and computer forensics are not stand-alone offerings: several layers of association are needed to identify bad actors.
Initial successes in pursuing crypto crimes have been because of new regulations and the narrowing of know-your-customer standards among entities that deal with traditional currencies. Converting traditional currency to cryptocurrency dramatically dilutes the anonymity of crypto wallets as identification is required at the point of entry. There are also other sources of intelligence and evidence, such as forensically gathering data from seized mobile phones and computers.
Understanding of the blockchain, with its in-built cryptography, the ability to carve addresses from electronic media and the extraction of private keys from wallets, is not typically found among financial investigators. Digital forensic analysts have a different skill set that is more appropriate; however, they may not necessarily understand financial matters associated with money laundering and fraud. This poses the question of whether hybrid crypto investigators are needed.
Regional investigators and stakeholders must develop tools to ensure that interested parties can request GCC authorities to seize digital assets held by cryptocurrency exchanges without issuing mutual legal assistance treaty (MLAT) requests. The seizures will be vital to keep up with the speed of cryptocurrency investigations since MLAT requests (e.g., those agreed between the UAE and the United States) are usually lengthy, and cryptocurrency moves almost instantaneously.42
One certainty about the future is that any new cryptocurrencies that start to gain traction among clientele, in particular criminals, need to be understood by investigators, where possible, before they form part of an investigation.
The particular features of virtual currency systems operating on significantly decentralised (DeFi) systems present new challenges for investigators, both globally and in the GCC. Many of the benefits that cryptocurrency systems promise legitimate consumers, such as increased privacy in transactions and the ability to send funds without an intermediary, serve as obstacles to investigators when the systems are exploited for illegal purposes.
Key challenges identified by investigators dealing with cryptocurrency include regulatory and compliance disparities, transaction obfuscation and anonymity, and the global nature of the systems.
Investigators must standardise and constantly review cybercrime investigative techniques in digital investigations involving DeFi virtual currencies. They may have difficulty getting the information necessary to trace the transaction, especially if the victim uses a wallet service provider or exchanger in an uncooperative foreign jurisdiction or a privacy-orientated cryptocurrency.
GCC countries are seeking to create regulatory regimes covering data privacy, AML/CFT and cybercrime that match the complex environment in which the companies operating in those countries find themselves. The changes to these regimes create both challenges and opportunities for corporate investigators.
The heightened use of cryptocurrency by both genuine investors and criminals illustrates the challenges that both corporate and government investigators will face in this evolving landscape. Investigators must stay up to date or bring in the expertise required to future-proof their effectiveness.