COMPREHENSIVE REGULATORY HANDBOOK FOR CATEGORY 3D AUTHORISED FIRMS

This handbook consolidates the rules, procedures, and ongoing compliance obligations mandated by the Dubai Financial Services Authority (DFSA) for any entity seeking to become or currently operating as a Category 3D Authorised Firm (A/F). Category 3D firms are primarily defined by their activity in providing certain types of Money Services. This document is intended to guide compliance officers and senior management through the entire regulatory lifecycle.


I. CATEGORISATION AND SCOPE OF ACTIVITY

A. Category Definition (PIB 1.3.5A)

An Authorised Firm is designated as being in Category 3D if its Licence authorizes it to Provide Money Services and it:

  1. Provides or operates a Payment Account; or
  2. Executes a Payment Transaction on a Payment Account provided or operated by another Person; or
  3. Issues a Payment Instrument; and
  4. Does not meet the criteria of Categories 1, 2, 3A, 3B, 3C, or 5.

B. Permitted and Restricted Activities

The defining activities for a Category 3D firm are Operating a Payment Account, executing Payment Transactions on a third-party account, or issuing Payment Instruments.

Core Services Provided (Money Services):

  • Providing or operating a Payment Account.
  • Executing Payment Transactions on a Payment Account operated by another Person.
  • Issuing Payment Instruments.

General Restrictions:

  • Currency Restrictions: An Authorised Firm must not, in connection with providing Money Services, receive or provide physical notes or coins, except for the conversion of Stored Value to physical notes or coins in the UAE.
  • Dirham Transactions: Any Dirham transactions related to the provision of Money Services must be settled through the accounts of a financial institution licensed by the Central Bank to accept deposits.
  • Crypto Tokens: A Money Services Provider is generally prohibited from using a Crypto Token in connection with providing Money Services, except in limited circumstances: a Fiat Crypto Token may be used for Money Transmission or executing a Payment Transaction if it is a Recognised Crypto Token, used only for those specific purposes, and sent, held, or received in the name of the Money Services Provider (not the client’s name).
  • Client Accounts: An A/F providing a Payment Account may only provide it to a Professional Client or Market Counterparty, or a Retail Client only if that client is an Undertaking and the Payment Account is provided for a business purpose.

II. INITIAL AUTHORISATION AND GOVERNANCE

A. Legal Form and Licensing

An applicant for a Licence to be an Authorised Firm must generally be a Body Corporate or a Partnership.

Mandatory Licensed Functions (LFs): A Category 3D Firm must appoint individuals to perform the following Licensed Functions:

  1. Senior Executive Officer (SEO).
  2. Finance Officer (FO) (Responsible for compliance with financial resources rules in PIB).
  3. Compliance Officer (CO) (Responsible for compliance with Rules and applicable legislation).
  4. Money Laundering Reporting Officer (MLRO) (Responsible for implementing AML policies and systems).

Residency Requirements: The SEO, CO, and MLRO must be resident in the U.A.E.

Fitness and Propriety (F&P) Standards: Individuals applying for Authorised Individual (AI) status must demonstrate F&P, considering their integrity, competence, capability, financial soundness, and proposed role. The firm itself must assess that its Employees are fit and proper, competent, capable, and trained in DIFC legislation.

B. Systems and Controls (GEN Chapter 5)

An A/F must establish and maintain effective systems and controls to manage its affairs responsibly and comply with all applicable legislation.

  • Segregation: Key duties and functions must be segregated to prevent conflicts of interest.
  • Documentation: An A/F must produce a business plan covering current and next 12 months’ activities, updating it as appropriate.
  • Outsourcing: If the firm outsources any functions directly related to Financial Services, it remains fully responsible for compliance with regulatory obligations. The firm must inform the DFSA of material outsourcing arrangements.
  • Business Continuity: Adequate arrangements must be in place and regularly tested to ensure the firm can continue to function and meet obligations in the event of an unforeseen interruption.
  • Cyber Risk Management: The firm must establish a comprehensive Cyber Risk Management Framework approved by the Governing Body to identify, assess, manage, and monitor Cyber Risk, addressing risks to ICT Assets and managing Third-Party Cyber Risk effectively.

III. PRUDENTIAL AND FINANCIAL OBLIGATIONS (PIB)

A. Capital Requirement (PIB 3.5.2)

A Category 3D Authorised Firm must calculate its Capital Requirement as the highest of:

  1. Base Capital Requirement (BCR): US $200,000.
  2. Expenditure Based Capital Minimum (EBCM): Applicable if the firm provides or operates a Payment Account, calculated as the firm’s Annual Audited Expenditure multiplied by a ratio of 9/52 (if the firm does not hold Client Money) or 18/52 (if the firm holds Client Money in circumstances specified in COB Rule 6.11.4(a) to (c)).
  3. Money Services Capital Requirement: The Transaction Based Capital Requirement (calculated under PIB 3.8B.1), or the Stored Value Capital Requirement (if it issues Stored Value), or the aggregate of both if applicable.

Capital Composition: The firm must maintain CET1 Capital equating to at least 60% of its Capital Requirement, and T1 Capital equating to at least 80% of its Capital Requirement.

B. Liquidity Requirements (PIB 3.5.3)

A Category 3D A/F must, at all times, maintain an amount in the form of liquid assets which exceeds its Base Capital Requirement.

  • Exclusions: Liquid assets do not include any asset pledged as security or cash held in Client Money or Insurance Monies accounts.

C. Financial Reporting and Returns

A Category 3D firm must submit quarterly and annual regulatory returns. Specific forms relevant to all categories include B10A (Assets), B10B (Liabilities), B10C (Equity), B40A (P&L), B40B (Comprehensive Income), B100 (Declaration), B410 (Advisory), B420 (Asset Management), B440 (Dealing/Arranging), B450 (Staffing/Conduct).

Specific Money Services Forms: It must submit Form B460 (Money Services) and Form B180 (EBCM) (if applicable).


IV. CONDUCT OF BUSINESS AND CLIENT ASSET RULES (COB)

A. Money Services Conduct (COB Chapter 13)

The firm must comply with specific rules relating to Payment Services:

  • Risk Management: The firm must have transaction monitoring systems to detect and prevent unauthorised or fraudulent Payment Transactions, accounting for factors such as transaction amount, known fraud scenarios, and abnormal activity logs.
  • Transaction Execution: The firm must execute Payment Transactions in the specific currency agreed with the User.
  • Strong Customer Authentication (SCA): SCA must be applied when a User:
    • Accesses a Payment Account online (unless the firm is accessing its own payment account information for the first time or after 90 days of inactivity).
    • Initiates an electronic Payment Transaction.
    • Carries out any remote action implying risk of fraud.
  • Dynamic Linking (SCA): If a payer initiates a Payment Transaction, SCA must dynamically link the transaction to a specific amount and a specific payee.
  • Liability: If the A/F is responsible for an unauthorized or incorrectly executed Payment Transaction, it must promptly (within 3 business days) put the User’s Payment Account back in the position it would have been if the transaction had been correct.

B. Client Assets and Money (COB 6.11, 6.12)

If the firm holds or controls Client Assets in connection with Providing Money Services, it must comply with Client Asset rules.

  • Client Money: All Money received from, or for the benefit of, a User in connection with Providing Money Services (including Stored Value) is Client Money.
  • Segregation: The firm must comply with Client Money Provisions by paying all Client Money into one or more separate Client Accounts.
    • Client Accounts must be segregated from the firm’s own money.
    • Client Accounts for Money Services Providers must be reconciled at least daily.
    • The firm must not use Client Money belonging to one Client to satisfy an obligation of another Client.

C. Disclosure and Agreements

  • Client Agreement: The firm must enter into a Client Agreement containing key information, including:
    • Terms for unilateral variation or termination.
    • Applicable currency, rates, fees, and charges.
    • Clear procedures for unauthorized or incorrectly executed transactions, including the requirement for the client to notify the firm no later than six months after the transaction.
  • Complaints: The firm must resolve complaints (including requests for redress) no later than 15 business days after receiving the complaint, unless reasons for delay are provided. The firm must ensure Clients have access to an independent complaints handling service.

V. ANTI-MONEY LAUNDERING (AML) OBLIGATIONS

A Category 3D A/F is a Relevant Person and must comply with the full AML module.

A. Risk-Based Approach (RBA) and Assessment

The firm must adopt an RBA to assess and address money laundering risks based on its business, customers, products, and services. This requires establishing and maintaining effective AML policies, procedures, systems, and controls.

  • Risk Identification: When launching new products, business practices, or technologies, the firm must assess the associated money laundering risks before use and take steps to manage them.
  • Sanctions and UN Resolutions: The firm must establish and maintain systems to comply with United Nations Security Council resolutions and sanctions, and promptly notify the DFSA of relevant findings or non-compliance.

B. Customer Due Diligence (CDD) and Monitoring

The firm must undertake CDD for each customer.

  • Identification and Verification: Must identify the customer and verify identity based on reliable and independent source documents/information. If the customer is a body corporate, it must obtain its name, registered office, incorporation details, governing documents, and the names of its senior management.
  • Beneficial Owners (BOs): Must identify BOs and take reasonable measures to verify their identity. If reasonable means are exhausted and no BO can be identified, the firm must treat the senior management as the BOs and keep a record of all attempts made. The firm must not establish a relationship if ownership arrangements prevent the identification of BOs.
  • Politically Exposed Persons (PEPs): The firm must take reasonable measures to determine if a customer or BO is a PEP. If a PEP relationship is established, it requires:
    • Senior management approval.
    • Reasonable measures to establish the source of wealth and source of funds.
    • Increased monitoring of the business relationship.
  • Ongoing CDD: The firm must continuously monitor transactions to ensure they are consistent with knowledge of the customer and their risk rating.

C. Suspicious Activity Reporting (SAR)

  • Internal Reporting: Any Employee who knows or suspects money laundering must promptly notify the MLRO.
  • External Reporting: The MLRO must inquire into the notification, determine if an SAR must be made to the FIU, and immediately notify the DFSA following submission of the SAR.
  • Tipping Off: The A/F and its Employees must not disclose to the customer or any other person that an SAR has been made or is intended to be made.

VI. RECORD KEEPING AND AUDIT

A. Record Retention

The firm must maintain records for at least six years from the date the business relationship ends or the transaction is completed. This includes:

  • All documents related to CDD and ongoing CDD.
  • Records of all transactions to enable reconstruction.
  • SARs, notifications, and associated internal documentation.
  • Written records of its business and customer risk assessments.
  • Records of whistleblowing reports.

B. Audit Requirements

The firm must ensure that its internal audit function conducts regular reviews and assessments of the effectiveness of the AML policies, procedures, systems, and controls.

For external audit, the firm must require its Auditor to produce a Regulatory Returns Auditor’s Report, which must verify whether the Expenditure Based Capital Minimum (if applicable) and Liquidity requirements under PIB 3.5.3 are met.

If the firm holds or controls Client Money, it must arrange for a Client Money Auditor’s Report and a Money Services Auditor’s Report to be submitted annually.


Additional Resources

For complete regulatory details, refer to the official DFSA Rulebook modules:

  • General Module (GEN)
  • Prudential – Investment, Insurance Intermediation and Banking Module (PIB)
  • Conduct of Business Module (COB)
  • Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML)

Visit the DFSA website at www.dfsa.ae for the most current regulations and guidance.
