Regulatory Influencer: Dubai Reviews MSPs’ Management of Operational Risk

October 17, 2024

The Dubai Financial Services Authority (DFSA), the regulator of financial services conducted in or from the Dubai International Financial Centre (DIFC), a financial free zone, has conducted a review of regulatory compliance and vulnerabilities at money service providers (MSPs) in the DIFC.

The goal of the review was to identify and act on areas of non-compliance with existing regulation, including mitigating the risk of fraudulent online transactions.

It assessed a number of key areas, including MSPs’ operational policies and procedures; strong customer authentication (SCA) and user security measures; exceptions applied to SCA measures and the implementation of technical standards; systems and controls to detect fraud; and the reporting of information about transactions and rates of fraud.

Key findings

Most of the MSPs the DFSA assessed could provide evidence of operational risk information, although often they could not show that the document or policy had been reviewed and approved by their governing body or compliance function.

The regulator reminded MSPs that they must ensure that their governing body approves their operational risk policy in accordance with Prudential - Investment, Insurance Intermediation and Banking Module (PIB) 6.2.2.

Similarly, most MSPs were able to discuss and evidence SCA with user security credentials (USC), yet their implementation of the specific security measures and the associated processes were not documented. 

In response, the DFSA stated that, per PIB 6.13.3(4), MSPs must maintain adequate security measures to protect the confidentiality and integrity of users’ personal security credentials, maintaining and documenting these security measures in their policies and procedures.

Some of the MSPs had operational risk management policies that did not specify how and where technical standards are documented, including appropriate measures to demonstrate compliance with PIB 6.13.5.

The regulator told MSPs that they must develop, implement, and document in their operational risk policy the technical standards that address all four requirements mandated by PIB 6.13.5.

Finally, not all MSPs included in the review could demonstrate their transaction monitoring systems and controls, or that they had considered all the required risk factors. 

The regulator affirmed that MSPs must have appropriate transaction monitoring systems and controls in place, and ensure that these are designed with the relevant risk factors in mind.

Why should you care?

The DIFC is intended to connect the fast-growing markets of the Middle East, Africa and South Asia (MEASA) region with the economies of Asia, Europe and the Americas through its strategic location and independent legal framework, both of which should appeal to international organisations.

The fact that the DFSA considered it appropriate to review MSPs’ regulatory compliance suggests a level of concern regarding potential integrity issues in the zone.

The Financial Action Task Force (FATF) recently removed the UAE from its greylist and the country has taken steps to ensure that it stays off, establishing two new agencies to combat money laundering.

Dubai will want to emphasise that it offers a robust and effective compliance regime under which businesses can feel comfortable operating, and the DFSA’s review of operational risk sends a message to MSPs that it expects them to adhere to its guidance.

The regulator said in its report that it “expects all MSPs in the DIFC to consider the key themes and findings in this review in the context of their specific activities and obligations, and, where appropriate, consider further enhancements to their systems and controls.”

The DFSA noted that it had addressed specific areas of non-compliance with MSPs on a bilateral basis, but it made clear the areas where it expects to see an improvement in the overall level of compliance.

MSPs operating in the DIFC — or considering doing so — will need to take this on board and ensure that their operational policies and procedures are up to standard. Chances are, the DFSA will be less accommodating of non-compliance in the future.
