The Riffle
The Dubai Financial Services Authority (DFSA) has issued supervisory guidelines (March 2026) under GEN 5.6, strengthening its operational resilience framework for Authorised Persons in the DIFC. At its core, the regime shifts focus from theoretical risk management to practical service continuity—requiring firms to identify critical services, define disruption thresholds, map dependencies, and continuously test resilience.
This is not a one-time compliance exercise, but an ongoing, dynamic process aligned with the scale and complexity of each firm.

Key Highlights
1. Identification of Critical Business Services (CBS)
Firms must move beyond broad business lines and identify specific services critical to clients and financial stability.
A service is considered critical based on:
Client impact and vulnerability
Time-sensitivity of the service
Market substitutability
Systemic importance
Risk of regulatory breach
Importantly, the DFSA requires an end-to-end view, from service initiation to final delivery.
2. Impact Tolerances: Defining “Intolerable Disruption”
For each CBS, firms must establish a measurable Impact Tolerance—the maximum level of disruption they can withstand.
Common metrics include:
Downtime (outage duration)
Transaction volume affected
Number of users impacted
Financial or data loss
These tolerances must be:
Approved by the Governing Body
Communicated across operational teams
3. Resource Mapping & Vulnerability Identification
Firms must map all resources required to deliver critical services, including:
People
Processes
Technology
Third-party dependencies
This exercise is intended to uncover vulnerabilities such as:
Single points of failure
Concentration risks
Limited substitutability
Operational complexity
Firms are expected to actively remediate these gaps, not just identify them.
4. Scenario Testing: Proving Resilience in Practice
Operational resilience must be validated through regular scenario testing.
Testing should:
Cover severe but plausible disruptions
Include varying durations and intensities
Assess interdependencies across services
The focus is clear: Can your firm stay within impact tolerance under stress?
5. Review Cycles Based on Firm Type
The DFSA introduces a tiered review frequency based on firm activity:
Annually → High-impact firms (e.g., deposit takers, custodians, money services)
Every 2 years → Medium-impact firms (e.g., asset managers, crowdfunding platforms)
Every 3 years → Lower-impact firms
Additionally, immediate reassessment is required when:
New client segments are onboarded
Technology or resource structures change
Outsourcing arrangements evolve
New services are introduced
6. Activity-Based Criticality Classification
The guidelines also provide clarity on which activities are more likely to be critical:
Highly likely CBS activities include:
Accepting deposits
Providing custody or money services
Operating exchanges or clearing houses
Insurance-related activities
Potential CBS activities (depending on scale):
Asset/fund management
Crowdfunding platforms
Advisory and intermediation services
Why This Matters
The DFSA’s approach reflects a broader global regulatory shift—from risk identification to operational preparedness.
For firms in the DIFC, this means:
Embedding resilience into day-to-day operations
Strengthening governance oversight
Enhancing visibility across internal and third-party dependencies
Moving towards quantifiable resilience frameworks
Ultimately, the expectation is simple but demanding:
critical services must remain operational—even during disruption.
Actions to Consider
Firms should proactively:
Identify and document all Critical Business Services
Define clear, measurable Impact Tolerances
Map end-to-end service dependencies
Conduct regular, realistic scenario testing
Establish governance frameworks for ongoing monitoring
Align review cycles with DFSA expectations
Conclusion
The DFSA’s operational resilience guidelines mark a significant step toward strengthening the stability and reliability of financial services in the DIFC. By focusing on critical services, measurable thresholds, and continuous testing, the regulator is pushing firms to move beyond compliance—towards true operational robustness.
For firms, the message is clear:
Resilience is no longer optional—it is measurable, testable, and expected.
