The Riffle

In March 2026, the DFSA issued detailed FAQs clarifying expectations under the AML, Counter-Terrorist Financing (CTF), and Countering Proliferation Financing (CPF) regime.

While positioned as “FAQs,” the document functions as a practical interpretive guide for Relevant Persons in the DIFC — reinforcing that compliance is not procedural, but structural.

The key message?

Risk cannot be bundled. Responsibility cannot be delegated. Technology cannot replace governance.

Key Highlights

1. Risk Must Be Decoupled — Not Assumed

Under AML Rule 3.1.1, “money laundering” may be used broadly but firms must assess ML, TF, and PF risks independently.

A lower ML risk does not automatically mean lower terrorist financing or proliferation financing risk.

Similarly, high ML risk factors (e.g., private banking) do not always equate to elevated TF/PF exposure.

The DFSA is clear:

Your risk framework must be granular, not generic.

2. Risk Appetite Must Be Documented & Cascaded

The risk-based approach must begin at senior management level and cascade across the organisation.

Firms must maintain documented Customer Acceptance Policies that:

  • Define a clear risk appetite

  • Establish onboarding tolerance thresholds

  • Align customer risk with the firm’s broader Business Risk Assessment (BRA)

Importantly, Customer Risk Assessments (CRAs) must be methodologically consistent with the BRA and aligned with the UAE’s National Risk Assessment.

If your BRA flags a sector as high risk, your CRA cannot dilute that rating.

Consistency is now a supervisory expectation — not best practice.

3. Senior Management Must Approve High-Risk Relationships

The DFSA has raised the bar on accountability.

“Senior Management” means an executive with significant AML responsibility — not merely the MLRO or Compliance function.

Approval is required for:

  • Politically Exposed Persons (PEPs)

  • Enhanced CDD relationships

  • Correspondent banking arrangements

  • Trigger events (material updates, unusual transactions, periodic reviews)

Even if a committee reviews cases, final approval must sit with a responsible senior executive.

Compliance supports.

Senior management owns.

4. Articles of Association Are Mandatory — Databases Are Not Enough

For legal persons, retrieval of Articles of Association (or equivalent governing documents) is mandatory under Cabinet Resolution No. 134 of 2025 and AML Rule 7.3.2(3)(e).

Commercial registry extracts or database screenshots are insufficient substitutes.

This clarification removes ambiguity:

CDD documentation must be primary-source compliant, not convenience-driven.

5. Digital Onboarding Is Permitted — But With Guardrails

The DFSA recognises digital identity evolution but imposes strict controls.

For Emirates ID verification, firms must use government-authorised systems such as:

  • UAE Pass

  • Online Validation Gateway

  • Emirates Facial Recognition (EFR)

Copies of the Emirates ID and digital verification records must be retained.

Automated transaction monitoring tools are permitted — but only if firms:

  1. Test them thoroughly

  2. Understand their limitations

  3. Apply mitigation controls and conduct periodic reviews

Technology may assist compliance.

It does not transfer liability.

6. Outsourcing Does Not Transfer Responsibility

Whether AML functions are outsourced to third parties or intra-group entities:

  • The Relevant Person remains fully liable

  • A formal outsourcing agreement is mandatory

Regulatory accountability cannot be outsourced — even internally.

7. Independent Audit Now Extends Wider

Under Article 21 of Cabinet Decision No. 134 of 2025, independent AML audit functions are mandatory not just for Financial Institutions — but also for:

  • DNFBPs

  • Virtual Asset Service Providers (VASPs)

Audit scope must cover:

  • Policies & CDD effectiveness

  • Training adequacy

  • Outsourcing arrangements

  • Reporting systems & SAR frameworks

The DFSA is emphasising effectiveness testing — not checkbox auditing.

8. Sanctions Monitoring & Immediate Notification

Firms must remain “properly informed” of sanctions issued by:

  • United Nations Security Council

  • UAE Government

Under AML Rule 10.3.1(5), firms must immediately notify the DFSA of any sanctions non-compliance.

They must also consider guidance from:

  • Executive Office for Control and Non-Proliferation (EOCN)

  • Financial Intelligence Unit (FIU)

  • Central Bank of the UAE (CBUAE)

  • The National Committee

Sanctions compliance is a real-time obligation — not a retrospective review.

Why This Matters

The March 2026 FAQs are not introducing entirely new rules — they are tightening interpretation.

The DFSA is signalling three priorities:

  1. Precision in risk assessment

  2. Accountability at senior executive level

  3. Verifiable, primary-source documentation

In short, governance must be demonstrable — not declarative.

For DIFC firms, this is the moment to:

  • Revisit risk appetite statements

  • Reassess senior management approval workflows

  • Review CDD documentation standards

  • Stress-test digital onboarding systems

  • Confirm audit independence and scope

The Riffle Take

The regulatory environment is moving from “Have you done AML?” to:

“Can you evidence effectiveness at executive level across ML, TF, and PF independently?”

The FAQs reinforce that AML compliance in the DIFC is now deeply integrated with governance, documentation discipline, and technological oversight. Firms that treat this as an operational update will miss the point. This is a structural recalibration.

Read the full briefing document presented by 10 Leaves here:

DFSA Anti-Money Laundering, Counter-Terrorist Financing, and Proliferation Financing Briefing.pdf