Ongoing Compliance requirements for DFSA Regulated Firms
The quality and independence of DIFC’s regulator, the prevailing common law framework, excellent infrastructure and tax efficiencies make it the perfect base to take advantage of the rapidly growing demand for financial and business services in the Middle East, Africa and South Asia region, which comprises 73 countries with an approximate population of 2.9 billion and a nominal GDP of US$ 9 trillion.
DIFC fills the time-zone gap for a global financial centre between the leading financial centres of London and New York in the West and Hong Kong and Tokyo in the East.
DIFC is home to the region’s largest financial ecosystem of more than 29,900 professionals working across over 4,200 active registered companies.
This makes up the largest and most diverse pool of industry talent in the region.
What is the role of the DFSA?
The DFSA is the independent regulator that authorises and supervises all financial service firms in the DIFC. It administers the various laws that form the legal framework, and has powers to enforce these Laws and the associated Rules that apply to all regulated participants within the centre.
In addition to regulating financial and ancillary services, the DFSA is responsible for supervising and enforcing anti-money laundering (AML) and counter-terrorist financing (CTF) requirements applicable in the DIFC.
In fulfilling its mandate as the sole independent financial services regulator for the DIFC, the DFSA performs a number of functions.
- Policy and Rulemaking.
- International Co-operation.
To summarise, the DFSA:
- has the power to enforce the Laws and Rules that apply to all regulated participants within the DIFC;
- strives to detect and prevent money laundering activities within the DIFC; and
- works closely with the UAE Central Bank for the prevention of money laundering activities.
What is an Authorised Firm?
An Authorised Firm is an entity that has Financial Service Permissions from the DFSA to conduct financial services from the DIFC.
And what is an Authorised Individual?
Authorised Individuals are individuals who carry out defined Licensed Functions within an Authorised Firm. They are usually linked to an Authorised Firm’s management and/or the provision of its Financial Services. They are required to meet the Fit and Proper criteria and are expected to continue to meet those criteria throughout the period of being authorised by the DFSA.
The list of Authorised Individuals includes the Senior Executive Officer, the Finance Officer, the Compliance Officer, the Money Laundering Reporting Officer and the Risk Officer. There may also be senior managers, such as portfolio managers, investment managers and Chief Technology Officers, who are considered critical to the functioning of the Firm and are therefore authorised by the DFSA through a process of submission and vetting of their qualifications and experience.
What is the DFSA’s approach to supervision?
The DFSA is an integrated principles-based regulator that follows a risk-based approach in the supervision of regulated Firms engaged in provision of financial services. The DFSA’s risk-based approach to the supervision of a firm may vary depending upon the nature, scale, complexity, size and circumstances of each individual firm and the scope of activities that it has permissions to conduct.
For instance, a Firm that engages only in advisory activities carries lower risk than a firm that handles client monies, so the DFSA’s supervisory approach will be proportionately lighter in the case of the former.
DFSA Supervision Framework:
The DFSA expects the Firm to interact with it in an open, transparent and cooperative manner, and to keep the regulator up to date on the Firm’s business position, any significant events and other matters that must be brought to the DFSA’s attention.
Communication from the DFSA
1. The DFSA adopts a multi-channel approach to communication with Firms that are authorised and operate from the DIFC.
2. Relationship managers are the primary contact point with regulated firms, through regular visits and on-site risk assessments. These may be dedicated relationship managers, or in cases of low-risk entities, pooled supervision.
3. The DFSA also issues letters addressed to Senior Executive Officers (SEOs) regarding specific issues.
4. The DFSA hosts periodic outreach sessions to discuss specific regulatory issues in an open forum, and issues Alerts regarding possible fraud issues and other regulatory warnings.
5. The DFSA also reviews its regulatory regime on an ongoing basis and updates its Rulebook as and when required. These changes are made after consultation papers on the relevant subject are issued and commented upon.
6. Authorised Firms are also required to complete regular reports through the Electronic Prudential Reporting System, or EPRS. They are also required to file Suspicious Transaction Reports immediately, both with the UAE Central Bank and the DFSA.
7. There are two general types of supervisory engagement under which all regulated Firms are supervised. The types of supervision are “Team Supervision” and “Relationship Management.” The type of supervision that is applied to a Firm is determined according to a risk-based assessment of each Firm.
8. Authorised Firms that the DFSA deems to present lower risk to the DFSA’s objectives are assigned to Team Supervision. Under this method, a Firm will engage with the DFSA via the “Supervised Firm Contact Form.” A Relationship Manager from Team Supervision will then be assigned to engage with the Firm. Firms are subject to thematic reviews; desk-based and onsite risk assessments; senior management meetings; and quarterly, annual, and periodic reporting requirements.
9. Authorised Firms that the DFSA deems to present higher risk to the DFSA’s objectives are assigned a dedicated Relationship Manager.
Inherent Risk Assessment
The DFSA reviews the following operational elements to calculate the inherent risk exposure of the regulated firm.
1. Business Model, Strategy, and Corporate Governance – The risks associated with the business model of the firm and its revenue streams, and the Firm’s strategy to counter such risks and maintain a sustainable business model. The DFSA also reviews the corporate governance structure in the Firm, its reporting lines and whether the Directors and senior management continue to be fit and proper. The Firm is also expected to conduct at least four Board meetings per quarter, in addition to Annual General Meetings of the shareholders and meetings of the various Board Committees, if any. These meetings are to be documented and form part of the corporate governance obligations of the regulated firm.
2. Financial Risk – The DFSA assesses the Firm’s unmitigated risk exposure to credit, liquidity, and market risk.
3. Operational Risk – The Firm’s exposure to people, processes (manual or automated) systems and response to external events. Also reviewed is the presence of legacy systems and technological complexity, competencies of key staff and the level of outsourcing employed during operations.
4. Conduct of Business Risk – Here, the DFSA checks for potential market abuse, the culture of the firm, the method of delivery of services and how the Firm engages with its clients.
5. AML/Financial Crime Risk – The DFSA reviews the Firm’s country of origin, the location and risk profiles of its clients, its distribution channels and its third-party providers.
In checking the above, the DFSA will review the role and effectiveness of the governance framework in mitigating the risk, including internal controls. Based on this review, a determination of the Firm’s residual risk will be made.
Cyber Risk Supervision – DFSA’s approach
The increased vulnerability associated with targeted cyber-attacks on financial firms, coupled with the responsibility for protecting customer and investor assets establishes the need for Authorised Firms to establish and maintain robust Information Technology (IT) systems, internal controls and governance arrangements to ensure effective management and preparedness.
The DFSA mandates that firms have in place an appropriate framework for the governance and management of cyber risks. Firms of all sizes are expected to take cyber risks into consideration and implement adequate measures to become more resilient to cyber attacks.
The DFSA also expects all regulated firms to implement an appropriate framework to identify and mitigate cyber risks and to detect, respond to, and recover from cyber-related incidents. The Board and senior management are expected to be aware of their Firm’s cyber vulnerabilities, and accordingly, provide the necessary resources, control and oversight to manage the risk.
The regulator does not mandate any particular cyber framework or standard. Some of the standards that may be implemented include NIST, CIS, CSA or ISO/IEC 27000 cyber governance standards.
The DFSA requires all regulated firms to identify, assess, monitor, report and control or mitigate the operational risks to which they may be exposed on an ongoing basis. Again, this framework should be in line with the firm’s risk appetite and the nature, scale and complexity of its regulated activities from the DIFC.
The framework must be approved by the Board and be subject to regular review and updating. The DFSA assesses the Firm’s Operational Risk Management Framework against eleven principles that have been adopted from the Basel Committee on Banking Supervision’s Principles for the Sound Management of Operational Risk.
Periodic Reporting Obligations
Here are some of the mandatory reports that have to be submitted to the DFSA.
1. Prudential Returns – Quarterly, one month after the quarter ends.
2. Prudential Returns – Annually, four months after the financial year ends.
3. Internal Risk Assessment Process (IRAP) - Annually, four months after the financial year ends. This is not applicable to Cat 3D and Cat 4 firms as of now.
4. Internal Capital Adequacy Assessment Process (ICAAP) - Annually, four months after the financial year ends. This is applicable to Cat 1, Cat 2, Cat 3A and Cat 5 firms as of now.
5. Professional Indemnity Insurance - Annual, on the anniversary of the Policy.
6. Audit Report - Annually, four months after the financial year ends.
The above is a non-exhaustive list – we would recommend that you get in touch with us to discuss your reporting requirements and how we can assist you through these processes.
Compliance with the DIFC Registrar of Companies
In addition to the above, a DFSA-regulated firm is also expected to comply with the requirements of the DIFC Registrar of Companies (ROC), given that its legal structure is regulated by the ROC. These obligations largely comprise annual filings, regular corporate actions such as shareholding and directorship changes, alterations in share capital and annual confirmation statements.
We provide turnkey services for regulated firms in the DIFC.
Our post-authorisation services include compliance, finance and risk outsourcing, company secretarial services and accounting/bookkeeping services. We also engage in VAT and corporate tax reporting as part of the finance function.
Our training arm – 10 Academy, assists members of the Board and the senior management of authorised firms to familiarize themselves with the DFSA and DIFC regulatory framework and with their Continuing Professional Development requirements as set out by the DFSA.
Our services include assistance in:
1. Reviewing the business model and advising on the applicable regulatory framework;
2. Updating the Regulatory Business Plan and comprehensive financial projections;
3. Updating all required policies, processes and manuals;
4. Provision of Outsourced Compliance Officer, Outsourced Risk Officer and Outsourced Finance Officer services;
5. Provision of Company Secretary services and advice on sound Corporate Governance;
6. Assistance with Corporate Actions, including customisation of Memorandums; and
7. Assistance with variations of Financial Services Permissions (licence upgrades, endorsements and additional activities).
Get in touch today for more information on ongoing compliance requirements for DFSA regulated firms.