Category 3C Authorised Firms: Complete DFSA Regulatory Compliance Guide for DIFC Operations

By /

This handbook outlines the consolidated rules, procedures, and ongoing compliance obligations mandated by the Dubai Financial Services Authority (DFSA) for any entity seeking to become or currently operating as a Category 3C Authorised Firm (Institution).

I. INITIAL AUTHORISATION AND LICENSING REQUIREMENTS

The application process requires demonstrating capacity to comply with licensing, corporate, and personnel standards.

A. Corporate Structure and Legal Form

A Category 3C Authorised Firm (A/F) must generally be established as a Body Corporate or a Partnership.

  1. Application Submission: An applicant must apply for a Licence by completing and submitting the appropriate form(s) in AFN, along with the required fee.
  2. Demonstration of Adequacy: The applicant must satisfy the DFSA that it has adequate resources (including financial resources), is fit and proper, and possesses clear and comprehensive compliance arrangements.
  3. Jurisdiction: The Head Office and Registered Office of a Domestic Firm must be in the DIFC. The A/F must have a physical presence, including Employees, in the DIFC, as “brass plate” operations are not permitted.

Scope of Activity for a Category 3C Authorised Firm

The license for a Category 3C firm authorizes it to carry on one or more of the following activities as PIB 1.3.5:

1. Managing Assets.

2. Managing a Collective Investment Fund.

3. Providing Custody, provided this activity is carried on other than for a Fund and other than in relation to Crypto Assets.

4. Managing a Profit Sharing Investment Account (PSIA), specifically where the PSIA is a Restricted PSIA (PSIAr​).

5. Providing Trust Services, where the firm is acting as a trustee in respect of at least one express trust.

6. Providing Money Services, specifically where the firm issues Stored Value.

If the firm were authorized to undertake any activities listed under Categories 1 (Accepting Deposits or Managing a PSIAu​), 2 (Providing Credit or Dealing in Investments as Principal), 3A (Dealing in Investments as Agent), 3B (Providing Custody for a Fund/Crypto Assets, Acting as Trustee of a Fund, or operating an Employee Money Purchase Scheme), or 5 (Islamic Financial Institution Managing a PSIAu​), it would fall into the highest relevant category instead of 3C.

The full framework of prudential rules (PIB) applies to Category 3C firms, excluding specific sections reserved for different firm types, such as the rules related to the Capital Conservation Buffer (PIB 3.9), Countercyclical Capital Buffer (PIB 3.9A), and the HLA Capital Buffer (PIB 3.9B). These exclusions reflect that Categories 3C and 3D are generally subject to financial requirements based on their base capital and expenditure, rather than a full risk-weighted approach (RWA) applied to Category 1, 2, and 5 firms.

B. Core Licensed Functions and Key Individuals (KIs)

Every A/F, regardless of category, must ensure that key Licensed Functions are filled by individuals who have been granted Authorised Individual (AI) status.

Licensed FunctionRequirement & Appointment StatusResidency Requirement
Senior Executive Officer (SEO)Ultimate responsibility for day-to-day management.Must be resident in the U.A.E.
Finance Officer (FO)Responsibility for compliance with financial resources requirements (PIB/PIN Rules).Must be resident in the U.A.E.
Compliance Officer (CO)Responsibility for compliance with Rules and applicable legislation relating to the firm’s Financial Services (FS).Must be resident in the U.A.E.
Money Laundering Reporting Officer (MLRO)Responsibility for implementing AML policies, procedures, systems, and day-to-day oversight of AML/CTF compliance.Must be resident in the U.A.E.

C. Fitness and Propriety Standards

  1. Initial Assessment: Individuals applying for AI status must satisfy the DFSA that they are fit and proper for the role, considering integrity, competence, capability, financial soundness, and proposed role.
  2. Ongoing Competence: The A/F must ensure that AIs remain competent, capable of performing their functions, and keep abreast of relevant legislative and regulatory developments.
  3. Mandatory Training/CPD: SEOs, COs, and MLROs must complete a minimum of 15 hours of Continuing Professional Development (CPD) annually (structured activities). They must also demonstrate knowledge of relevant anti-money laundering requirements.

II. PRUDENTIAL AND FINANCIAL OBLIGATIONS (PIB)

Category 3C firms are governed by specific capital and liquidity standards designed to reflect the risk of managing client assets/funds or operating services that require strong capitalization.

A. Capital Requirements (PIB Chapter 3)

  1. Core Obligation: The A/F must maintain Capital Resources that at all times exceed its Capital Requirement.
  2. Capital Requirement Determination (PIB Rule 3.5.2): The Capital Requirement (CR) for a Category 3C firm is the highest of:
    • The Base Capital Requirement (BCR) of US $500,000. (Note: Lower BCRs apply if authorized only for specific activities like managing certain Funds).
    • The Expenditure Based Capital Minimum (EBCM).
    • The Stored Value Capital Requirement (SVCR) (if issuing Stored Value).
  3. Capital Composition (PIB Rule 3.2.7, 3.6.3):
    • Must maintain Common Equity Tier 1 (CET1) Capital of at least the Base Capital Requirement.
    • CET1 Capital must equate to at least 80% of the total CR, and Tier 1 (T1) Capital must equate to at least 80% of the total CR.
  4. Capital Calculation (EBCM): The EBCM is calculated by multiplying the firm’s Annual Audited Expenditure by a ratio. For a Category 3C firm, the ratio generally ranges from 13/52 to 18/52, depending on the specific activity and whether client assets are held.

B. Liquidity Requirement (PIB Rule 3.5.3)

A Category 3C firm must maintain an amount in the form of liquid assets that, at all times, exceeds the higher of its Base Capital Requirement or its Expenditure Based Capital Minimum.

  1. Eligible Liquid Assets: Liquid assets include cash, demand deposits, time deposits (with early redemption option), and other readily marketable instruments.
  2. Exclusions: Liquid assets must explicitly exclude any asset that has been pledged as security/collateral for obligations or liabilities, or cash held in Client Money or Insurance Monies accounts.

C. Supervisory Review and Evaluation Process (SREP)

Category 3C firms are subject to the risk management and capital adequacy assessment process, which requires:

  1. Internal Risk Assessment Process (IRAP): Must establish an IRAP to identify, assess, aggregate, and monitor all risks faced. This assessment must be conducted at least annually, approved by the Governing Body, and submitted to the DFSA within four months of the financial year end.
  2. Internal Capital Adequacy Assessment Process (ICAAP): Must implement an ICAAP to assess and maintain adequate Capital Resources relative to identified risks. This must also be conducted and submitted annually.
  3. Individual Capital Requirement (ICR): Following the DFSA’s review (SREP), the DFSA may impose an ICR if it finds the firm’s regulatory capital insufficient to cover its overall risk profile.

III. GOVERNANCE, RISK MANAGEMENT, AND CONDUCT

A. Corporate Governance and Responsibility (GEN Chapter 5)

  1. Governing Body Oversight: The Governing Body is responsible for setting business objectives, approving strategies, and providing effective oversight.
  2. Allocation of Responsibility: Significant responsibilities must be clearly apportioned between the Governing Body and senior management, ensuring clarity and consistency. A written record of this apportionment must be maintained for six years.
  3. Segregation of Functions: Key duties and functions must be segregated to prevent conflicts of interest (e.g., credit initiation independent of approval).
  4. Professional Indemnity Insurance (PII): Must maintain PII appropriate to the business risk.

B. Client Asset Handling (COB 6.11-6.14)

The Category 3C firm is authorized to hold client assets, placing stringent requirements on safeguarding these assets.

  1. Client Asset Segregation: Client Assets (Money, Investments, Crypto Tokens) must be clearly identifiable and secure at all times.
  2. Money Handling (Client Money Provisions): Client Money must be paid into one or more separate Client Accounts, identified as such, and segregated from the firm’s own money.
  3. Asset Custody (Safe Custody Provisions): Client Investments/Crypto Tokens must be held separately from the firm’s own assets and registered in a Client Account. The firm must obtain prior written permission from a client before using their assets for its own purposes or that of another person.
  4. Reconciliation (Money and Assets):
    • Client Money accounts must be reconciled at least every 25 days (daily for Money Services Providers).
    • Client Investment accounts must be reconciled with Third Party Agents at least every 25 business days.
    • Client Crypto Token balances must be reconciled daily.
  5. Audit Requirement: Must arrange for a Client Money Auditor’s Report and, if applicable, a Safe Custody Auditor’s Report and/or a Money Services Auditor’s Report to be submitted annually.

C. Conduct of Business (COB General)

  1. Communication: All communications and marketing material must be clear, fair, and not misleading. If targeted at Professional Clients, it must state clearly that no other Person should act upon it.
  2. Client Agreements: Must have a written Client Agreement containing key information for each client before providing any FS, unless impracticable.
  3. Conflicts of Interest: Must take all reasonable steps to identify, prevent, manage, or disclose conflicts between itself and clients, ensuring clients are not adversely affected.

IV. ONGOING OBLIGATIONS AND REGULATORY REPORTING

A. Anti-Money Laundering (AML) Compliance

The AML Module applies in full to a Category 3C firm.

  1. AML Risk Management: Must apply a Risk-Based Approach (RBA) to assessing and mitigating money laundering risks, documenting the assessment and ensuring controls are objective and proportionate.
  2. New Products/Technologies: Must assess AML risks associated with any new products, practices, or technologies before implementing them.
  3. Customer Due Diligence (CDD): Must obtain and verify identity for all customers and Beneficial Owners (BOs) based on reliable and independent documents. Must not establish a relationship if BO identity cannot be ascertained due to ownership structure.
  4. Politically Exposed Persons (PEPs): Must take measures to identify if a customer or BO is a PEP. If so, requires senior management approval to commence/continue the relationship and must take reasonable measures to establish the source of wealth and source of funds.
  5. Suspicious Activity Reporting (SAR): Any Employee who knows or suspects money laundering must promptly notify the MLRO. The MLRO must then determine if an SAR must be made to the FIU and notify the DFSA immediately following submission.

B. Regulatory Notification Requirements (GEN Chapter 11)

The A/F must maintain an open and cooperative relationship with the DFSA and promptly disclose information.

  1. Breach/Failure: Must immediately advise the DFSA of any expected or actual significant breach of a Rule, failure to satisfy fitness/propriety, or significant failure in systems or controls.
  2. Fraud/Crime: Must immediately notify the DFSA of any serious fraud committed against it, or if an Employee may have committed fraud or serious misconduct related to honesty or integrity.
  3. Change in Control/Acquisition: Proposed major acquisitions must be notified to the DFSA in writing at least 45 days in advance. Changes to Controllers must be monitored and significant changes notified to the DFSA.
  4. Winding Up/Insolvency: Must immediately notify the DFSA of the calling of a meeting for winding up, dissolution application, or commencement of insolvency proceedings.

C. Record Keeping

All records relating to customer dealings, client classification, suitability, contracts, AML checks, and prudential compliance must be retained for a minimum period.

  • General Records: Most books, accounts, and mandatory records (Accounting Records, business plans, internal reports) must be kept for at least six years.
  • Availability: Records must be capable of reproduction in hard copy and English within a reasonable period not exceeding 3 business days.
  • AML Records: CDD, transaction records, and SAR files must be kept for at least six years from the end of the business relationship or the date the report was made.

Additional Resources

For complete regulatory details, refer to the official DFSA Rulebook modules:

  • General Module (GEN)
  • Prudential – Investment, Insurance Intermediation and Banking Module (PIB)
  • Conduct of Business Module (COB)
  • Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML)

Visit the DFSA website at www.dfsa.ae for the most current regulations and guidance.

Related Posts

Scroll to Top