The Riffle
The Dubai Financial Services Authority (DFSA) has issued its long-awaited Feedback Statement on Consultation Paper 165 (CP165), bringing clarity on the future regulation of Licensed Functions and Authorised Individuals in the DIFC.
In a notable reversal of its original proposal, the DFSA has decided to retain prior authorisation requirements for Compliance Officers, Finance Officers, and Senior Managers. However, the regulator has simultaneously reinforced the principle of firm-led accountability, introducing mandatory annual fitness and propriety reviews and expanding conduct obligations across a broader employee base.
The final rules strike a balance between regulatory oversight and internal responsibility, reshaping how firms assess, monitor, and govern key individuals within their organisations .
Key Highlights
The most significant outcome of CP165 is the DFSA’s decision not to proceed with de-authorising Compliance Officers, Finance Officers, and Senior Managers.
These roles remain Licensed Functions, requiring DFSA approval.
The proposed concepts of “Designated Functions” and “Designated Individuals” have been abandoned.
Stakeholders strongly argued that removing DFSA authorisation could weaken internal authority and remove a critical regulatory deterrent — feedback the DFSA explicitly acknowledged .
2. Mandatory Annual Fitness & Propriety Reviews Introduced
While DFSA authorisation remains intact, firms now face enhanced ongoing responsibilities.
Firms must conduct at least one fitness and propriety review annually for all Authorised Individuals.
Annual attestations to the DFSA are not required, but:
Records must be maintained for a minimum of six years
Documentation must be available upon DFSA request
The DFSA has made it clear that it will actively scrutinise the robustness of firms’ assessment frameworks during supervision .
3. Conduct Principles Expanded to a Wider Employee Base
The Principles for Authorised Individuals have been renamed Conduct Principles, with a significant expansion in scope.
Principles 1–4 now apply to all “Relevant Employees” involved in financial services activities.
This includes staff influencing regulated activities — not just DFSA-approved individuals.
Employees performing purely ancillary or support roles remain outside scope.
Principles 5 and 6 continue to apply only to senior individuals in Licensed Functions, reflecting heightened responsibility.
This change embeds individual accountability deeper into firm culture, extending conduct expectations beyond the senior layer .
4. Refinement of Regulatory Interaction Obligations
The DFSA has recalibrated how openness and cooperation obligations apply:
The proactive duty to disclose information to the DFSA has been removed for Relevant Employees.
A new Principle 7 introduces this higher disclosure standard exclusively for Authorised Individuals.
This distinction recognises differing levels of responsibility while preserving regulatory transparency where it matters most .
5. Fitness & Propriety Guidance Consolidated
To improve clarity and usability:
Assessment guidance has been moved out of the RPP Sourcebook into a standalone DFSA Policy Statement.
The DFSA rejected calls for rigid templates, emphasising that firms should tailor assessments to their size, complexity, and risk profile.
Financial soundness assessments have been softened to focus on material indicators, rather than minor personal financial issues .
6. Clarifications to Licensed Function Definitions
The DFSA has refined definitions to remove ambiguity:
Compliance Officer
Remains a Licensed Function
Explicitly responsible for overseeing compliance arrangements in line with the Three Lines of Defence
AML competency requirements remain unchanged
Finance Officer
Remains mandatory for all Authorised Firms, regardless of size
Explicit responsibility for compliance with financial resources requirements under the IFR module
Senior Manager
Continues as a Licensed Function (not mandatory by default)
Includes roles such as CRO, CIO, COO, Head of Internal Audit, or business unit heads
Firms must assess applicability based on actual authority and seniority, not just job titles .
Conclusion
The DFSA’s final position on CP165 sends a clear message: regulatory approval remains critical, but firms cannot rely on authorisation alone as a compliance safeguard.
With mandatory annual reviews, broader conduct obligations, and heightened supervisory scrutiny, the regulatory focus has shifted decisively toward continuous governance, documentation, and accountability at the firm level.
Next Steps for DIFC Firms
With the rules coming into force on 1 July 2026, firms should use the six-month transition period to:
Update fitness and propriety assessment frameworks
Implement and document annual review processes
Train staff impacted by the expanded Conduct Principles
Re-evaluate role definitions and DFSA approval requirements
Ensure record-keeping systems meet the new supervisory expectations
Early preparation will be key as the DFSA sharpens its focus on how firms govern the people behind regulated activities.
