London +44 20 7184 7687
Dubai +971 4 425 6300
The Dubai Financial Services Authority’s ("DFSA") Business Plan 2023–2024, published last week, marks the continuing maturity of the Dubai International Financial Centre ("DIFC") as a leading global centre for finance and commerce.1 In this OnPoint, we discuss the key DFSA financial crime and enforcement priorities that will be of interest to DFSA-regulated firms. To continue meeting the DFSA’s regulatory expectations, firms should consider:
The DFSA is prioritising investigations and enforcement actions towards activities for which it has "little tolerance"—including all forms of financial crime, market abuse, and unauthorised financial services—and is focussed on enhancing the “deterrent effect" of its enforcement actions. In that regard, the DFSA will seek to impose "substantial" financial penalties for "significant violations" of its regulations, including anti-money laundering ("AML") and counter-terrorism financing ("CTF") rules, to encourage the integrity of the DIFC financial services market.
As a harbinger of this resolve, in November 2022, the DFSA imposed a fine of US$ 1,120,000 on the DIFC branch of a foreign bank. The DFSA identified that the bank had failed to implement and maintain adequate AML/CTF systems and controls between November 2017 and November 2022. In particular, the DFSA identified weaknesses in the bank’s processes for: conducting business and customer risk assessments; record creation, retention, and production to the DFSA; establishing and corroborating customers' source of income and wealth; and reporting suspicious activity.
Combatting money laundering, terrorism financing, sanctions evasion, and other forms of financial crime remains a key supervisory priority for the DFSA as it supports the UAE federal authorities’ implementation of the recommendations from the 2020 Mutual Evaluation by the Financial Action Task Force ("FATF") that precipitated the UAE’s inclusion on the FATF "grey" list of countries under increased monitoring in March 2022.
As part of a risk-based, proactive approach to financial crime related supervision, the DFSA will continue to conduct financial crime risk assessments of specific financial institutions and designated non-financial businesses and professions. The DFSA will also continue to use firms’ annual AML returns to analyse trends and inform its supervision strategy. Just last week, the DFSA fined two firms for "repeated failure to submit AML Returns", reminding all firms of this strict reporting obligation.2 In addition, over the next two years, the DFSA will also continue to focus on firms’ compliance with financial sanctions and suspicious activity reporting obligations, and will work with other UAE regulators and enforcement authorities and cooperate with its regional and international partners to ensure the integrity of the UAE’s financial system.
The DFSA will continue to conduct ongoing monitoring of trading activity to identify abusive behaviour and take enforcement action where needed. As part of this, the DFSA will enhance its surveillance capabilities to supervise existing and new types of financial products and trading activity. The DFSA will continue to make use of firms’ suspicious transaction and order reports and engage with market participants to identify market abuse trends.
In 2022, to enhance detection of misconduct within the DIFC, the DFSA established a whistleblowing email, brought in whistleblowing protections, and enacted obligations on firms to implement internal whistleblowing programmes.3 The DFSA will continue to review how this regime operates over the course of the next two years.
The DFSA is prioritising cyber resilience of firms operating in the DIFC. Over the course of 2023, the DFSA expects to translate the governance and resilience sections of its Cyber Risk Management Guidelines4 into rules. The DFSA will also continue to hold firms to account for the quality of their cyber security. In this regard, in addition to its periodic cyber risk focused onsite risk assessments of firms’ controls, the DFSA expects to conduct an industry-level cyber incident simulation involving 20–25 firms.
The DFSA has been at the forefront of designing a regulatory framework for digital assets, focussing on innovation, investor protection, and market integrity. In 2021, the DFSA introduced a regulatory framework for investment tokens and, in 2022, it unveiled a regime for crypto tokens. Following these legislative changes certain issuers and service providers in the digital assets sector became subject to anti-money laundering DFSA's AML and CTF supervision. Now, perhaps unsurprisingly given the recent turmoil in the digital assets space, the DFSA is turning its sights on the financial crime risk of digital assets to apply proportionate measures to manage and mitigate the risk of financial crime.
In the run up to Dubai’s hosting of the COP28 climate summit in November 2023, the DFSA will continue to be heavily involved in shaping UAE’s domestic approach to ESG. Over the course of 2023 and 2024, the DFSA expects to introduce requirements for DFSA-regulated firms and reporting entities on ESG considerations in corporate governance and risk management, corporate ESG disclosures and reporting, and (potentially) an ESG taxonomy. The DFSA will also be looking at ways to foster an environment for ESG investing and, consistent with peer regulators in other jurisdictions, take action to prevent greenwashing.
In the Business Plan, the DFSA reiterates its aspirations to be an internationally respected, strong, and fair regulator. It also reaffirms its role in demonstrating the resolve of the UAE authorities to combat financial crime from a supervisory and enforcement perspective. As the DIFC continues to grow, firms should expect the DFSA to continue its development into a more assertive, adaptive, and innovative financial crime compliance regulator and enforcement authority.
1) DFSA, ‘Business Plan 2023/2024’ (16 January 2023), accessed here.
2) DFSA, ‘Two firms fined for their repeated failure to submit AML Returns to the DFSA by the set deadlines’ (19 January 2023), accessed here.
3) DFSA, ‘The DFSA’s Whistleblowing Regime’ (7 April 2022), accessed here.
4) DFSA, ‘Cyber Risk Management Guidelines’ (20 December 2020), accessed here.