Important disclaimer. This article is based on the official DFSA Rulebook modules. All regulatory references, capital requirements, and compliance obligations are subject to change. Always consult the most current version of the DFSA Rulebook and seek professional advice before making any decisions regarding DFSA licensing or compliance matters.
Key takeaways
- Category 3C covers asset management, fund management, non-crypto custody, restricted PSIAs, trust services, and stored-value money services β and explicitly excludes Categories 1, 2, 3A, and 3B activities.
- Capital Resources must exceed the higher of the Base Capital Requirement or Expenditure Based Capital Minimum (EBCM) at all times.
- Six mandatory governance appointments are required: Board, SEO, Finance Officer, Compliance Officer, MLRO, and Risk Officer.
- The MLRO must be UAE-resident, have sufficient seniority and independence, and have unfettered access to all business lines.
The Dubai Financial Services Authority (DFSA) is the independent regulator of financial services conducted in or from the Dubai International Financial Centre (DIFC), employing a risk-based approach that categorises firms based on the nature and complexity of their activities.
Category 3C is a specific authorisation class within the DFSA's prudential framework, designed for firms providing certain financial services with risk profiles that warrant a distinct regulatory approach. This guide is specifically tailored for MLROs and Compliance Officers who need to understand the regulatory requirements and compliance obligations associated with this licence category.
Regulatory framework
The DFSA's framework for Category 3C firms is established across four key Rulebook modules. The General Module (GEN) defines financial service activities and the overall authorisation framework. The Prudential β Investment, Insurance Intermediation and Banking Business Module (PIB) establishes prudential requirements including capital adequacy. The Conduct of Business Module (COB) sets standards of conduct for financial services activities. The AML Module specifies AML/CTF requirements.
Under PIB Rule 1.3.5, an Authorised Firm is in Category 3C if its licence authorises one or more of: Managing Assets; Managing a Collective Investment Fund; Providing Custody (other than for a Fund and other than in relation to Crypto Assets); Managing a PSIA which is a PSIAr (a restricted Profit Sharing Investment Account); Providing Trust Services (where acting as trustee in respect of at least one express trust); or Providing Money Services (where it issues Stored Value) β and it does not meet the criteria of Categories 1, 2, 3A, 3B, or 5.
Scope of activities
A Category 3C firm may carry out the six activities listed above. It may also be authorised to conduct Category 4 activities (such as Arranging Deals in Investments or Advising on Financial Products), but it cannot provide Financial Services in Categories 1, 2, 3A, or 3B. It is the authorisation for the Category 3C-specific activities β and the absence of authorisation for 3A and 3B activities β that is determinative of belonging to Category 3C.
Capital requirements
Category 3C firms must maintain Capital Resources that exceed the higher of two figures at all times: the Base Capital Requirement (the amount of permanent share capital that must be maintained), and the Expenditure Based Capital Minimum (EBCM) (a calculation based on the firm's operating expenses). The precise figures and calculation methods are set out in the current PIB Module and firms should consult it directly for up-to-date requirements.
In addition to the base requirements, firms must calculate and monitor risk capital covering Credit Risk, Market Risk, and Operational Risk Capital Requirements. The total Risk Capital Requirement is the sum of these components, and Capital Resources must exceed this figure at all times. The PIB Module also establishes specific liquidity requirements β including maintaining adequate liquidity resources to meet liabilities as they fall due and specific liquidity coverage ratio requirements.
Compliance obligations
AML/CTF requirements
Category 3C firms must comply with the comprehensive requirements set out in the DFSA's AML Module, covering: appointment of an MLRO; development and implementation of AML policies, procedures, systems, and controls; customer due diligence; enhanced due diligence for higher-risk customers; ongoing monitoring of customer relationships; suspicious activity reporting; AML training for employees; and record-keeping. The MLRO must be resident in the UAE, have sufficient seniority and independence, and have unfettered access to all business lines and support functions.
Client classification
Under the COB Module, firms must classify clients as Retail Clients, Professional Clients (Service-based or Assessed), or Market Counterparties. This classification determines the level of regulatory protection and the corresponding obligations on the firm. Professional Client classification requires meeting specific net asset thresholds or knowledge and experience criteria as outlined in the COB Module β and must be reviewed regularly.
Record-keeping obligations
The GEN Module sets out comprehensive record-keeping requirements. Firms must maintain records for the period specified in the Rulebook, covering all business transactions, client identification and classification documentation, client agreements and instructions, financial instruments held for clients, compliance reviews and audits, staff training records, and communications with clients.
Reporting requirements
Category 3C firms must submit to the DFSA: prudential returns, an AML return, quarterly regulatory returns, notifications of material events, and annual financial statements.
Governance requirements
Six mandatory appointments are required under the DFSA Rulebook: a Board of Directors with appropriate expertise; a Senior Executive Officer (SEO) responsible for day-to-day operations; a Finance Officer (FO) responsible for financial affairs; a Compliance Officer (CO) responsible for compliance matters; a Money Laundering Reporting Officer (MLRO) responsible for AML/CTF compliance; and a Risk Officer responsible for risk management. Some functions may be outsourced under the DFSA's outsourcing requirements, but the firm remains responsible for compliance.
The GEN Module requires three independent control functions: a Compliance Function to monitor compliance with applicable laws; a Risk Management Function to identify, measure, monitor, and control risks; and an Internal Audit Function to examine and evaluate the adequacy and effectiveness of systems and controls. Each must be independent of operational functions and have sufficient authority, resources, and direct access to the Board.
All individuals performing Licensed Functions must satisfy the DFSA's fit-and-proper criteria: integrity, competence and capability, and financial soundness.
Application process
The application involves several stages. An Initial Assessment confirms that Category 3C is the appropriate licence class for the intended activities, followed by a Pre-application meeting with the DFSA to discuss the application. Documentation preparation covers a Regulatory Business Plan, financial model and projections, policies and procedures, and application forms. Following Formal Application Submission, the DFSA reviews the application and conducts interviews with proposed senior management. If satisfied, the DFSA grants In-principle Approval. The firm then establishes a physical presence in the DIFC and implements systems and controls. Final Approval and licence grant follows confirmation of operational readiness and capital deposit.
Required documentation typically includes: Regulatory Business Plan; financial projections; AML/CTF policies and procedures; compliance manual; risk management framework; personal questionnaires for Controllers and proposed Authorised Individuals; corporate structure diagrams; and evidence of capital.
Ongoing obligations
Firms must submit regular reports to the DFSA (prudential returns, annual audited financials, annual AML return, reports on material changes) and notify the DFSA of specified events under the GEN Module β including changes to Controllers or Authorised Individuals, breaches of Rules, significant business changes, and matters that could materially affect the firm's reputation or financial position. Annual fees are payable as specified in the Fees Module (FER), based on authorised activities. Firms must conduct regular compliance reviews including review of AML systems and controls, periodic review of conduct of business rules compliance, independent audit of financial statements, and periodic capital adequacy assessment.
Comparison with other licence categories
Category 3C vs. Category 3B: Category 3B focuses on Providing Custody for a Fund or of Crypto Assets, acting as Trustee of a Fund, and operating or administering an Employee Money Purchase Scheme. Category 3C focuses on asset management, fund management, non-crypto/non-fund custody, restricted PSIAs, express trust services, and stored-value money services.
Category 3C vs. Category 3A: Category 3A focuses on Dealing in Investments as Principal (matched principal only) or as Agent. Category 3C has no dealing authorisation but focuses on asset management, custody, and trust services as described above.
Category 3C vs. Category 4: Category 4 is limited to arranging and advisory activities β Arranging Deals in Investments, Advising on Financial Products, Arranging Custody, Insurance Intermediation, Insurance Management, and similar. Category 3C involves more direct management of assets and provision of services carrying greater responsibility for client assets.
Common compliance pitfalls
- Misunderstanding permissions. Confusion about what activities are permitted under Category 3C versus other categories β particularly the boundary with 3B (crypto/fund custody) and 3A (dealing).
- Inadequate capital planning. Not accounting for future business growth in capital projections or failing to maintain continuous monitoring against the Base Capital Requirement and EBCM.
- Inadequate client asset segregation. Failure to properly segregate client assets from firm assets β among the most heavily scrutinised areas for Category 3C firms.
- Insufficient documentation. Particularly around client classification and suitability assessments, and around the commercial rationale for complex ownership or fund structures.
- Inadequate governance arrangements. Especially around control function independence β audit, compliance, and risk functions must be demonstrably independent from operational lines.
- Delayed notifications. Failing to notify the DFSA of material events, controller changes, or breaches in a timely manner is a standalone compliance failure.
π‘ Best practice for MLROs. Implement a risk-based approach to AML/CTF that reflects the specific risks of Category 3C activities β asset managers, custodians, and trust service providers have distinct exposure profiles. Conduct regular independent testing of your AML/CTF framework and maintain awareness of DFSA notices and AML updates. Maintain a comprehensive regulatory calendar, implement daily capital monitoring, and ensure robust client-classification procedures are subject to periodic review.
The Category 3C framework is designed to ensure that firms engaged in asset management, fund management, custody, restricted PSIAs, trust services, and certain money services maintain appropriate systems, controls, and capital to manage the risks of these activities. The DFSA's risk-based supervision focuses on custody arrangements, client asset protection, and governance β making robust compliance frameworks in these areas the foundation of a successful Category 3C authorisation. ComplyFactor provides AML advisory, outsourced MLRO services, and independent AML review for regulated entities across multiple jurisdictions, including UAE-authorised firms.
ComplyFactor is a specialist AML and regulatory compliance advisory firm working with asset managers, PSPs, fintechs, and VASPs across multiple jurisdictions. Our advisors hold CAMS certification and bring direct DFSA and UAE regulatory experience to every engagement.
