
  • GEN 5 Management, Systems and Controls

    • GEN 5.1 Application

      • GEN 5.1.1

        (1) Subject to (5), this chapter applies to every Authorised Person with respect to the Financial Services carried on in or from the DIFC.
        (2) It also applies in a Prudential Context to a Domestic Firm with respect to all its activities wherever they are carried on.
        (3) GEN Section 5.3 also applies to an Authorised Firm in a Prudential Context with respect to its entire DIFC branch's activities wherever they are carried on.
        (4) This chapter also applies to an Authorised Market Institution, if it has an endorsed Licence authorising it to maintain an Official List of Securities, with respect to such maintenance.
        (5) GEN Rules 5.3.13, 5.3.14, 5.3.15, 5.3.23, 5.3.24, 5.3.30 and 5.3.31 do not apply to an Authorised ISPV.
        (6) This chapter does not apply to a Representative Office.
        Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
        [Amended] DFSA RM19/2005 (as from 19th April 2005). [VER3/04-05]
        [Amended] DFSA RM48/2007 (Made 1st October 2007). [VER16/10-07]
        [Amended] DFSA RM68/2009 (Made 3rd January 2010). [VER24/01-10]
        [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

        • GEN 5.1.1 Guidance

          1. The purpose of this chapter is to set out the requirements for the Governing Body and the senior management within an Authorised Person who are to take direct responsibility for the Authorised Person's arrangements on matters likely to be of interest to the DFSA wherever they may give rise to risks to the DFSA's objectives or they affect the DFSA's functions under the legislation applicable in the DIFC. See also the requirements relating to organisation in Rules 5.3.2 and 5.3.3.
          2. In relation to an Authorised Market Institution, this chapter should be read in conjunction with the AMI module.
          3. In relation to an Authorised Firm which is a Fund Manager or the Trustee, this chapter should be read in conjunction with the CIR module and construed to take into account any Fund which the Authorised Firm operates or for which it acts as the Trustee.
          4. In relation to an Authorised Person which carries on Islamic Financial Business in or from the DIFC, this chapter should be read in conjunction with the IFR module.
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM19/2005 (as from 19th April 2005). [VER3/04-05]
          [Amended] [VER8/04-06]
          [Amended] DFSA RM34/2006 [VER11/08-06]
          [Amended] DFSA RM72/2010 (Made 11th July 2010) [VER26/07-10]
          [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
          [Amended] DFSA RM105/2012 (Made 23rd December 2012). [VER32/12-12]

    • GEN 5.2 Allocation of significant responsibilities

      • Apportionment of significant responsibilities

        • GEN 5.2.1

          An Authorised Person must apportion significant responsibilities between the members of its Governing Body and its senior management and maintain such apportionment in such a way that:

          (a) it meets the corporate governance requirements in Rule 5.3.30;
          (b) it is appropriate with regard to:
          (i) the nature, scale and complexity of the business of the Authorised Person; and
          (ii) the ability and qualifications of the responsible individuals;
          (c) it is clear who is responsible for which matters; and
          (d) the business of the Authorised Person can be adequately monitored and controlled by the Authorised Person's Governing Body and senior management.

          [Amended] DFSA RM43/2007 (Made 1st June 2007). [VER14/06-07]
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

        • GEN 5.2.2

          An Authorised Person must allocate to the Senior Executive Officer or to the individual holding equivalent responsibility for the conduct of the Authorised Person's business or the Governing Body, the functions of:

          (a) dealing with the apportionment of responsibilities; and
          (b) overseeing the establishment and maintenance of systems and controls.

          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

          • GEN 5.2.2 Guidance

            Rules 5.2.1 and 5.2.2 do not derogate from the overall responsibility of the Governing Body in Rule 5.3.30(2).

            [Added] DFSA RM43/2007 (Made 1st June 2007). [VER14/06-07]
            [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

      • Recording of apportionment

        • GEN 5.2.3

          (1) An Authorised Person must establish and maintain an up-to-date record of the arrangements it has made to comply with Rules GEN 5.2.1 and GEN 5.2.2.
          (2) The record must show that the members of the Governing Body and the senior management are aware of and have accepted the responsibilities apportioned in accordance with GEN Rule 5.2.1.
          (3) Where a responsibility has been allocated to more than one individual, the record must show clearly how that responsibility is allocated between the individuals.
          (4) The record must be retained for six years from the date on which it was established or superseded by a more up-to-date record.

          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

    • GEN 5.3 Systems and controls

      • General requirement

        • GEN 5.3.1

          (1) An Authorised Person must establish and maintain systems and controls, including but not limited to financial and risk systems and controls, that ensure that its affairs are managed effectively and responsibly by its senior management.
          (2) An Authorised Person must undertake regular reviews of its systems and controls.
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM43/2007 (Made 1st June 2007). [VER14/06-07]

          • GEN 5.3.1 Guidance

            The nature and extent of the systems and controls of an Authorised Person will depend upon a variety of factors including the nature, scale and complexity of its business. While all Authorised Persons, irrespective of the nature, scale, and complexity of their business and legal structure or organisation need to comply with this chapter, the DFSA will take into account these factors and the differences that exist between Authorised Persons when assessing the adequacy of an Authorised Person's systems and controls. Nevertheless, neither these factors nor the differences relieve an Authorised Person from compliance with its regulatory obligations.


            Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
            [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

      • Organisation

        • GEN 5.3.2

          (1) An Authorised Person must establish and implement, taking due account of the nature, scale and complexity of its business and structure, adequate measures to ensure that:
          (a) the roles and responsibilities assigned to its Governing Body and the members of that body, senior management and Persons Undertaking Key Control Functions are clearly defined;
          (b) there are clear reporting lines applicable to the individuals undertaking those functions; and
          (c) the roles, responsibilities and reporting lines referred to in (a) and (b), are documented and communicated to all relevant Employees.
          (2) An Authorised Firm must ensure that any Employee who will be delivering Financial Services to its customers is clearly identified, together with his respective lines of accountability and supervision.
          (3) An Authorised Firm which is conducting Investment Business or the Financial Services of Providing Fund Administration or Providing Trust Services, must ensure it makes publicly available details of any Employee who delivers Financial Services to its customers, by including such information:
          (a) in a register, maintained by the Authorised Firm at its place of business and open for inspection during business hours; or
          (b) on the website of the Authorised Firm.
          (4) An Authorised Firm referred to in (3), must have complete and up to date information on its register or website, including:
          (a) the date on which the relevant Employee commenced delivering of Financial Services to customers; and
          (b) the Financial Services which that Employee is permitted by the Authorised Firm to deliver to customers.
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] [VER10/06-06]
          [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
          [Amended] DFSA RM96/2012 (Made 24th July 2012) [VER30/07-12]

          • GEN 5.3.2 Guidance

            1. The term Employee is defined in the GLO widely and includes members of the Governing Body or directors and senior managers of the Authorised Firm. Therefore, the requirements relating to Employees in Rules 5.3.3 and 5.3.6 apply to all Employees including those across the organisation.
            2. The division of responsibilities between the Governing Body and the senior management should be clearly established and set out in writing. In assigning duties, the Governing Body should take care that no one individual has unfettered powers in making material decisions.
            3. Members of the Governing Body may include individuals undertaking senior management functions (such as the chief executive of the firm) and Persons Undertaking Key Control Functions. In assigning specific functions to such individuals, care should be taken to ensure that the integrity and effectiveness of the functions they are to perform are not compromised. For example, if the Chairperson of the Governing Body is also the chief executive officer of the Authorised Person, the Governing Body should ensure that the performance assessment of that individual in his roles should be undertaken by a senior non-executive member of the Governing Body or an independent external consultant.
            4. Persons Undertaking Key Control Functions are defined in GLO in an inclusive manner to encompass Persons such as the heads of risk control, compliance and internal audit functions. In the case of an Insurer, the actuary also is a Person who Undertakes a Key Control Function.
            5. An example of an Employee providing Financial Services to a customer is a client relationship manager employed by an Authorised Firm providing wealth management services. In contrast, an Employee who may be employed in the back office of an Authorised Firm with responsibility for setting up client accounts would not be client facing.
            [Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
            [Amended] DFSA RM96/2012 (Made 24th July 2012) [VER30/07-12]

        • GEN 5.3.3

          An Authorised Person must ensure that key duties and functions are segregated. Such segregation must ensure that the duties and functions to be performed by the same individual do not conflict with each other, thereby impairing the effective discharge of those functions by the relevant individuals (such as undetected errors or any abuse of positions) and thus exposing the Authorised Person or its customers or users to inappropriate risks.

          [Added] DFSA RM96/2012 (Made 24th July 2012) [VER30/07-12]

      • Risk management

        • GEN 5.3.4

          An Authorised Person must establish and maintain risk management systems and controls to enable it to identify, assess, mitigate, control and monitor its risks.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

        • GEN 5.3.5

          An Authorised Person must develop, implement and maintain policies and procedures to manage the risks to which the Authorised Person and where applicable, its customers or users, are exposed.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

        • GEN 5.3.6

          (1) An Authorised Person must appoint an individual to advise its Governing Body and senior management of such risks.
          (2) An Authorised Person which is part of a Group should be aware of the implications of any Group wide risk policy and systems and controls regime.

          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

      • Compliance

        • GEN 5.3.7

          An Authorised Person must establish and maintain compliance arrangements, including processes and procedures that ensure and evidence, as far as reasonably practicable, that the Authorised Person complies with all legislation applicable in the DIFC.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
          [Amended] DFSA RM211/2018 (Made 22nd February 2018). [VER41/04-18]

        • GEN 5.3.8

          An Authorised Person must document the organisation, responsibilities and procedures of the compliance function.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

        • GEN 5.3.9

          An Authorised Person must ensure that the Compliance Officer has access to sufficient resources, including an adequate number of competent staff, to perform his duties objectively and independently of operational and business functions.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

        • GEN 5.3.10

          An Authorised Person must ensure that the Compliance Officer has unrestricted access to relevant records and to the Authorised Person's Governing Body and senior management.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

        • GEN 5.3.11

          An Authorised Person must establish and maintain monitoring and reporting processes and procedures to ensure that any compliance breaches are readily identified, reported and promptly acted upon.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

        • GEN 5.3.12

          An Authorised Person must document the monitoring and reporting processes and procedures as well as keep records of breaches of any legislation applicable in the DIFC.

          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

          • [Deleted]

            [Deleted] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

      • Internal audit

        • GEN 5.3.13

          (1) An Authorised Person must establish and maintain an internal audit function with responsibility for monitoring the appropriateness and effectiveness of its systems and controls.
          (2) The internal audit function must be independent from operational and business functions.
          (3) An Authorised Firm is not required to have an internal audit function if the only Financial Service it carries on is Managing a Venture Capital Fund.

          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM278/2020 (Made 28th October 2020) [VER49/11-20].

          • GEN 5.3.13 Guidance

            The Person appointed as the Internal Auditor of an Authorised Market Institution is a Key Individual pursuant to AMI Rule 5.3.1.

            [Added] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

        • GEN 5.3.14

          An Authorised Person must ensure that its internal audit function has unrestricted access to all relevant records and recourse when needed to the Authorised Person's Governing Body or the relevant committee, established by its Governing Body for this purpose.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

        • GEN 5.3.15

          An Authorised Person must document the organisation, responsibilities and procedures of the internal audit function.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

      • Business plan and strategy

        • GEN 5.3.16

          (1) An Authorised Person must produce a business plan which enables it, amongst other things, to manage the risks to which it and its customers are exposed.
          (2) The business plan must take into account the Authorised Person's current business activities and the business activities forecast for the next twelve months.
          (3) The business plan must be documented and updated as appropriate to take account of changes in the business environment and to reflect changes in the business of the Authorised Person.

          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

      • Management information

        • GEN 5.3.17

          An Authorised Person must establish and maintain arrangements to provide its Governing Body and senior management with the information necessary to organise, monitor and control its activities, to comply with legislation applicable in the DIFC and to manage risks. The information must be relevant, accurate, comprehensive, timely and reliable.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

      • Staff and agents

        • GEN 5.3.18

          An Authorised Person must establish and maintain systems and controls that enable it to satisfy itself of the suitability of anyone who acts for it.

          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

        • GEN 5.3.19

          (1) An Authorised Firm must ensure, as far as reasonably practical, that its Employees are:
          (a) fit and proper;
          (b) competent and capable of performing the functions which are to be assigned to those Employees; and
          (c) trained in the requirements of the legislation applicable in the DIFC.
          (2) An Authorised Firm must establish and maintain systems and controls to comply with (1). An Authorised Firm must be able to demonstrate that it has complied with these requirements through appropriate measures, including the maintenance of relevant records.
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] [VER10/06-06]
          [Amended] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]

          • GEN 5.3.19 Guidance

            1.  When considering whether an Employee is fit and proper, competent and capable, an Authorised Firm should consider any training undertaken or required by an Employee, the nature of the Clients to whom an Employee provides Financial Services, and the type of activities performed by an Employee in the provision of such Financial Services including any interface with Clients.
            2.  When assessing the fitness and propriety of Employees, an Authorised Firm should be guided by the matters set out in section 2.3 of the RPP Sourcebook and should also monitor conflicts or potential conflicts of interest arising from all of the individual's links and activities.
            3.  When assessing the competence and capability of an Employee, an Authorised Firm should:
            a.  obtain details of the skills, knowledge and experience of the Employee relevant to the nature and requirements of the role;
            b.  take reasonable steps to verify the relevance, accuracy and authenticity of any information obtained;
            c.  determine, in light of the Employee's relevant skills, knowledge and experience, that the Employee is competent and capable of fulfilling the duties of the role; and
            d.  consider the level of responsibility that the Employee will assume within the Authorised Firm, including whether the Employee will be providing Financial Services to Retail Clients in an interfacing role.
            4.  An Authorised Firm should also satisfy itself that an Employee:
            a.  continues to be competent and capable of performing the role;
            b.  has kept abreast of market, product, technology, legislative and regulatory developments that are relevant to the role, through training or other means; and
            c.  is able to apply his knowledge.
            5. Refer to section 2.2.13 of the RPP Sourcebook for criteria for suitability of members of the Governing Body of the Authorised Firm.
            Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
            [Amended] [VER10/06-06]
            [Amended] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]
            Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
            [Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

      • Continuing Professional Development

        • GEN 5.3.19A

          (1) An Authorised Firm must ensure that an Employee who falls within a category specified in (2) remains competent by completing a minimum of 15 hours of continuing professional development (CPD) in each calendar year.
          (2) The categories of Employees specified for the purposes of (1) are:
          (a) the Senior Executive Officer;
          (b) the Compliance Officer; and
          (c) the Money Laundering Reporting Officer.
          (3) An Authorised Firm must ensure that:
          (a) the CPD in (1) is relevant to the Employee’s:
          (i) current role and any anticipated change in that role; and
          (ii) professional skill and knowledge;
          (b) the CPD consists of structured activities; and
          (c) the Employee keeps adequate records of CPD activities to be able to demonstrate that the requirements in this Rule have been met.
          (4) In (3), “structured activities” means courses, seminars, lectures, conferences, workshops, web-based seminars or e-learning which require a commitment of thirty minutes or more.

          • GEN 5.3.19A Guidance

            (1) The requirement in Rule 5.3.19A does not derogate from the requirement in Rule 5.3.19 for an Authorised Firm to ensure that Employees generally are competent and capable of performing their functions. This requires the Authorised Firm to consider what training is undertaken or required for all Employees, including Employees not covered by this Rule.
            (2) The structured activities that are completed as CPD may consist of activities conducted internally or externally, and may include activities conducted by a professional body.

      • Conduct

        • GEN 5.3.20

          An Authorised Person must establish and maintain systems and controls that ensure, as far as reasonably practical, that the Authorised Person and its Employees do not engage in conduct, or facilitate others to engage in conduct, which may constitute:

          (a) market abuse, whether in the DIFC or elsewhere; or
          (b) a financial crime under any applicable U.A.E. laws.
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
          [Amended] DFSA RM184/2016 (Made 7th December 2016). [VER38/02-17]

          • GEN 5.3.20 Guidance [Deleted]

            [Deleted] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

      • Outsourcing

        • GEN 5.3.21

          (1) An Authorised Person which outsources any of its functions or activities directly related to Financial Services to service providers (including within its Group) is not relieved of its regulatory obligations and remains responsible for compliance with legislation applicable in the DIFC.
          (2) The outsourced function under this Rule shall be deemed as being carried out by the Authorised Person itself.
          (3) An Authorised Person which uses such third party providers must ensure that it:
          (a) has undertaken due diligence in choosing suitable service providers;
          (b) effectively supervises the outsourced functions or activities; and
          (c) deals effectively with any act or failure to act by the service provider that leads, or might lead, to a breach of any legislation applicable in the DIFC.

          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]

        • GEN 5.3.22

          (1) An Authorised Person must inform the DFSA about any material outsourcing arrangements.
          (2) An Authorised Person which has a material outsourcing arrangement must:
          (a) establish and maintain comprehensive outsourcing policies, contingency plans and outsourcing risk management programmes;
          (b) enter into an appropriate and written outsourcing contract; and
          (c) ensure that the outsourcing arrangements neither reduce its ability to fulfil its obligations to customers and the DFSA, nor hinder supervision of the Authorised Person by the DFSA.
          (3) An Authorised Person must ensure that the terms of its outsourcing contract with each service provider under a material outsourcing arrangement require the service provider to:
          (a) provide for the provision of information under section 11.1 in relation to the Authorised Person and access to their business premises; and
          (b) deal in an open and co-operative way with the DFSA.
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]

          • GEN 5.3.22 Guidance

            1. An Authorised Person's outsourcing arrangements should include consideration of:
            a. applicable guiding principles for outsourcing in financial services issued by the Joint Forum; or
            b. any equivalent principles or regulations the Authorised Person is subject to in its home country jurisdiction.
            2. An outsourcing arrangement would be considered to be material if it is a service of such importance that weakness or failure of that service would cast serious doubt on the Authorised Person's continuing ability to remain fit and proper or to comply with DFSA administered Laws and Rules.

      • Business continuity and disaster recovery

        • GEN 5.3.23

          (1) An Authorised Person must have in place adequate arrangements to ensure that it can continue to function and meet its obligations under the legislation applicable in the DIFC in the event of an unforeseen interruption.
          (2) These arrangements must be kept up to date and regularly tested to ensure their effectiveness.
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

          • GEN 5.3.23 Guidance

            1. In considering the adequacy of an Authorised Person's business continuity arrangements, the DFSA will have regard to the Authorised Person's management of the specific risks arising from interruptions to its business including its crisis management and disaster recovery plans.
            2. The DFSA expects an Authorised Person to have:
            a. arrangements which establish and maintain the Authorised Person's physical security and protection for its information systems for business continuity purposes in the event of planned or unplanned information system interruption or other events that impact on its operations;
            b. considered its primary data centres' and business operations' reliance on infrastructure components, for example transportation, telecommunications networks and utilities and made the necessary arrangements to minimise the risk of interruption to its operations by arranging backup of infrastructure components and service providers; and
            c. considered, in its plans for dealing with a major interruption to its primary data centre or business operations, its alternative data centres' and business operations' reliance on infrastructure components and made the necessary arrangements such that these do not rely on the same infrastructure components and the same service provider as the primary data centres and operations.

            Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]

      • [Deleted]

        [Deleted] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]

        • GEN 5.3.24 [Deleted]

          [Deleted] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]

          • [Deleted]

            [Deleted] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]

      • Records

        • GEN 5.3.24

          (1) An Authorised Person must make and retain records of matters and dealings, including Accounting Records and corporate governance practices which are the subject of requirements and standards under the legislation applicable in the DIFC.
          (2) Such records, however stored, must be capable of reproduction on paper within a reasonable period not exceeding 3 business days.
          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          [Amended] DFSA RM42/2007 (Made 15th February 2007). [VER13/02-07]
          Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
          [Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

        • GEN 5.3.26

          If an Authorised Person's records relate to business carried on from an establishment in a territory outside the DIFC, an official language of that territory may be used instead of the English language as required by GEN Rule 5.3.25.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]

        • GEN 5.3.27

          An Authorised Person must have systems and controls to fulfil the Authorised Person's legal and regulatory obligations with respect to adequacy, access, period of retention and security of records.


          Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
          Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]

      • Fraud

        • GEN 5.3.28

          An Authorised Person must establish and maintain effective systems and controls to:

          (a) deter and prevent suspected fraud against the Authorised Person; and
          (b) report suspected fraud and other financial crimes to the relevant authorities.
          [Added] DFSA RM43/2007 (Made 1st June 2007). [VER14/06-07]
          Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]

      • [Deleted]

        [Deleted] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

        • GEN 5.3.29 [Deleted]

          [Deleted] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

          • GEN 5.3.29 Guidance [Deleted]

            [Deleted] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]

      • Corporate Governance

        • GEN 5.3.30

          (1) An Authorised Person must have a Governing Body and senior management that meet the requirements in (2) and (3) respectively.
          (2) The Governing Body of the Authorised Person must:
          (a) be clearly responsible for setting or approving (or both) the business objectives of the firm and the strategies for achieving those objectives and for providing effective oversight of the management of the firm;
          (b) comprise an adequate number and mix of individuals who have, among them, the relevant knowledge, skills, expertise and time commitment necessary to effectively carry out the duties and functions of the Governing Body; and
          (c) have adequate powers and resources, including its own governance practices and procedures, to enable it to discharge those duties and functions effectively.
          (3) The senior management of the Authorised Person must be clearly responsible for the day-to-day management of the firm's business in accordance with the business objectives and strategies approved or set by the Governing Body.
          [Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

          • GEN 5.3.30 Guidance

            Scope of corporate governance

            1. Corporate governance is a framework of systems, policies, procedures and controls through which an entity:
            a. promotes the sound and prudent management of its business;
            b. protects the interests of its customers and stakeholders; and
            c. places clear responsibility for achieving (a) and (b) on the Governing Body and its members and the senior management of the Authorised Person.
            2. Many requirements designed to ensure sound corporate governance of companies, such as those relating to shareholder and minority protection and responsibilities of the Board of Directors of companies, are found in the company laws and apply to Authorised Persons. Additional disclosure requirements also apply if they are listed companies. The requirements in this Module are tailored to Authorised Persons and are designed to augment and not to exclude the application of those requirements.
            3. Whilst Rule 5.3.30 deals with two aspects of corporate governance, the requirements included in other provisions under sections 5.2 and 5.3 also go to the heart of sound corporate governance by promoting prudent and sound management of the Authorised Person's business in the interest of its customers and stakeholders. These requirements together are designed to promote sound corporate governance practices in Authorised Persons whilst also providing a greater degree of flexibility for Authorised Persons in establishing and implementing a corporate governance framework that is both appropriate and practicable to suit their operations.
            4. Stakeholder groups of an Authorised Person, who would benefit from the sound and prudent management of firms, can be varied but generally encompass its owners (shareholders), customers (in the case of an AMI, its members and investors), creditors, counterparties and employees, whose interests may not necessarily be mutually coextensive. A key objective in enhancing corporate governance standards applicable to Authorised Persons is to ensure that firms are soundly and prudently managed, with the primary regard being had to its customers.

            Proportionate application to firms depending on the nature of their business

            5. One of the key considerations that underpins how the corporate governance requirements set out in Rule 5.3.30 apply to an Authorised Person is the nature, scale and complexity of the Authorised Person's business, and its organisational structure.
            6. While requiring banks, insurers and dealers to have more detailed and complex corporate governance systems and controls, simpler systems and procedures could be required for other firms, depending on the nature and scale of their Financial Services. For example, in the case of certain types of Category 4 Financial Service providers such as arranging or advising only firms, less extensive and simpler corporate governance systems and procedures may be sufficient to meet their corporate governance obligations.
            7. For example, an Authorised Person which is a small scale operation with a tightly held ownership structure may not have a Governing Body which comprises members who are fully independent of the firm's business and from each other, nor be sufficiently large to be able to form numerous committees of the Governing Body to undertake various functions such as nomination and remuneration. In such cases, whilst strict adherence to such aspects of best practice would not be required, overall measures as appropriate to achieve the sound and prudent management of the business would be needed. For example, a firm with no regulatory track record would be expected to have additional corporate governance controls in place to ensure the sound and prudent management of its business, such as the appointment of an independent director (who has relevant regulatory experience) to its Governing Body.

            Application to Branches and Groups

            8. As part of the flexible and proportionate application of corporate governance standards to firms, whether a firm is a Branch or a subsidiary within a Group is also taken into account. An Authorised Person which is a member of a Group may, instead of developing its own corporate governance policies, adopt group-wide corporate governance standards. However, the Governing Body of the Authorised Person should consider whether those standards are appropriate for the firm, and to the extent possible, make any changes as necessary.
            9. In the case of a Branch, corporate governance practices adopted at the head office would generally apply to the Branch and are expected to be adequate. The DFSA considers, as part of its authorisation of a Branch and on-going supervision, the adequacy of regulatory and supervisory arrangements applicable in the home jurisdiction, including a corporate governance framework adopted and implemented by the head office (see section 3.2.15 of the RPP Sourcebook).

            Best practice relating to corporate governance

            10. In addition to the considerations noted above, best practice that an Authorised Person may adopt to achieve compliance with the applicable corporate governance standards is set out in Guidance at Appendix 3.1. An Authorised Person may, where the best practice set out in App3.1 is not suited to its particular business or structure, deviate from such best practice or any aspects thereof. The DFSA will expect the Authorised Person to demonstrate to the DFSA, upon request, what the deviations are and why such deviations are considered by the Authorised Person to be appropriate.
            [Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

      • Remuneration structure and strategies

        • GEN 5.3.31

          (1) The Governing Body of an Authorised Person must ensure that the remuneration structure and strategy of the firm:
          (a) are consistent with the business objectives and strategies and the identified risk parameters within which the firm's business is to be conducted;
          (b) provide for effective alignment of risk outcomes and the roles and functions of the Employees, taking account of:
          (i) the nature of the roles and functions of the relevant Employees; and
          (ii) whether the actions of the Employees may expose the firm to unacceptable financial, reputational and other risks;
          (c) at a minimum, include the members of its Governing Body, the senior management, Persons Undertaking Key Control Functions and any major risk-taking Employees; and
          (d) are implemented and monitored to ensure that they operate, on an on-going basis, effectively and as intended.
          (2) The Governing Body must provide to the DFSA and relevant stakeholders sufficient information about its remuneration structure and strategies to demonstrate that such structure and strategies meet the requirements in (1) on an on-going basis.
          (3) For the purposes of this Rule, "major risk-taking Employees" are Employees whose actions have a material impact on the risk exposure of the Authorised Person.
          [Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

          • GEN 5.3.31 Guidance

            Proportionate application to firms depending on the nature of their business

            1. Those considerations set out in Guidance items 5 – 7 under Rule 5.3.30 apply equally to the way in which the remuneration structure and strategies related requirement in Rule 5.3.31 is designed to apply to an Authorised Person. Accordingly, whilst most Category 4 firms may have simple arrangements to achieve the outcome of aligning performance outcomes and risks associated with remuneration structure and strategies, banks, insurers and dealers are expected to have more stringent measures to address such risks.

            Application to Branches and Groups

            2. As part of the flexible and proportionate application of corporate governance standards to firms, whether a firm is a Branch or a subsidiary within a Group is also taken into account. As such, the considerations noted in Guidance items 8 – 9 under Rule 5.3.30 apply equally to the application of the remuneration related requirements for Branches and Groups. For example, where an Authorised Person is a member of a Group, its Governing Body should consider whether the Group wide policies, such as those relating to the Employees covered under the remuneration strategy and the disclosure relating to remuneration made at the Group level are adequate to meet its obligations under Rule 5.3.31.

            Best practice relating to corporate governance

            3. In addition to the considerations noted above, best practice that an Authorised Person may adopt to promote sound remuneration structure and strategies within the firm is set out as Guidance at Appendix 3.2. Where such best practice or any aspects thereof are not suited to a particular Authorised Person's business or structure, it may deviate from such best practice. The DFSA will expect the Authorised Person to demonstrate, upon request, what the deviations are and why such deviations are considered appropriate.

            Disclosure of information relating to remuneration structure and strategy

            4. The information which an Authorised Person provides to the DFSA relating to its remuneration structure and strategies should be included in the annual report or accounting statements. The DFSA expects the annual report of Authorised Persons to include, at a minimum, information relating to:
            a. the decision making process used to determine the firm-wide remuneration policy (such as by a remuneration committee or an external consultant if any, or by the Governing Body);
            b. the most important elements of its remuneration structure (such as, in the case of performance based remuneration, the link between pay and performance and the relevant assessment criteria); and
            c. aggregate quantitative information on remuneration of its Governing Body, the senior management, Persons Undertaking Key Control Functions and any major risk-taking Employees.
            5. The DFSA may, pursuant to its supervisory powers, require additional information relating to the remuneration structure and strategy of an Authorised Firm to assess whether the general elements relating to remuneration under Rule 5.3.31(1) are met by the firm. Any significant changes to the remuneration structure and strategy should also be notified to the DFSA before being implemented. See Rule 11.10.20.
            6. The information included in the annual report is made available to the DFSA and the shareholders, and in the case of a listed company, to the public. The Governing Body of the Authorised Person should also consider what additional information should be included in the annual report. In the case of banks, insurers and dealers, more detailed disclosure of remuneration structure and strategy and its impact on the financial soundness of the firm would be required. When providing disclosure relating to remuneration in its annual report, Authorised Persons should take account of the legal obligations that apply to the firm including the confidentiality of information obligations.
            [Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]

    • GEN 5.4 Whistleblowing

      • GEN 5.4.1

        In this section:

        (a) “money laundering” has the meaning given in Article 70(2)(b) of the Regulatory Law;
        (b) “regulatory concern”, in relation to an Authorised Person, means a concern held by any person that the Authorised Person, an officer or employee of the Authorised Person, an Affiliate of the Authorised Person or an officer or employee of an Affiliate of the Authorised Person has or may have:
        (i) contravened a provision of legislation administered by the DFSA; or
        (ii) engaged in money laundering, fraud or any other financial crime;
        (c) “whistleblower” means a person who reports a regulatory concern to a person specified in Article 68A(3) of the Regulatory Law.

         

        Derived from DFSA RMI318/2021 (Made 27th October 2021). [VER54/04-22]

      • Policies and procedures

        • GEN 5.4.2

          (1) An Authorised Person must have appropriate and effective policies and procedures in place:
          (a) to facilitate the reporting of regulatory concerns by whistleblowers; and
          (b) to assess and, where appropriate, escalate regulatory concerns reported to it.
          (2) The policies and procedures required under (1) must be in writing.
          (3) An Authorised Person must periodically review the policies and procedures to ensure they are appropriate, effective and up to date.

           

          Derived from DFSA RMI318/2021 (Made 27th October 2021). [VER54/04-22]

      • Record of whistleblowing reports

        • GEN 5.4.3

          An Authorised Person must maintain a written record of each regulatory concern reported to it by a whistleblower, including appropriate details of the regulatory concern and the outcome of its assessment of the reported concern.

           

          Derived from DFSA RMI318/2021 (Made 27th October 2021). [VER54/04-22]

          • GEN 5.4.3 Guidance

            1. The DFSA expects an Authorised Person to implement policies and procedures under GEN Rule 5.4.2 that are appropriate based on the nature, scale and complexity of the Authorised Person’s business. For example, a larger or more complex firm is expected to have more detailed and comprehensive policies and procedures in place.
            2. The policies and procedures should:
            a. include internal arrangements to allow for reports to be made by whistleblowers;
            b. include adequate procedures to deal with, assess and, where appropriate, escalate reports to the senior management of the Authorised Person or, if necessary, to the DFSA or to any other relevant authority;
            c. include reasonable measures to protect the identity and confidentiality of whistleblowers;
            d. include reasonable measures to protect the whistleblower from suffering any detriment, as a result of the report;
            e. ensure that, where appropriate and feasible, feedback is provided to the whistleblower; and
            f. include reasonable measures to manage any conflicts of interest and ensure the fair treatment of any person who is the subject of an allegation in a report.
            3. An Authorised Person’s whistleblowing policies and procedures should generally encourage reporting of concerns first to the Authorised Person itself. However, the policies and procedures should also take into account that there may be circumstances where it is appropriate, or a whistleblower may prefer, to report the concerns directly to the DFSA or to another relevant authority.
            4. The records under GEN Rule 5.4.3 should include:
            a. the date the report was received;
            b. a summary of the concerns raised;
            c. steps taken by the Authorised Person in relation to the report until the matter is resolved;
            d. any steps taken to maintain the confidentiality of the whistleblower and to ensure fair treatment of the whistleblower;
            e. the list of persons who have knowledge of the report;
            f. the outcome of the assessment of the report including the rationale for the outcome and any decision on whether or not to disclose the report to the DFSA or any other relevant authority; and
            g. references or links to all documentation and review papers in relation to the report.
            5. An Authorised Person may be required to make its records of whistleblowing reports available to the DFSA for inspection.
            6. In addition to the requirements in these Rules, Article 68A of the Regulatory Law provides legal protection to a whistleblower who discloses information about suspected misconduct in good faith to a specified person, such as the relevant Authorised Person, the auditor of the Authorised Person, the DFSA or other relevant authorities.
            7. The protection under the Regulatory Law applies to any person who makes such a disclosure. For example, the disclosure may be made by a person who is or has been an officer, employee or agent of the Authorised Person, a Person who provides services or products to the Authorised Person or a person who has no formal connection with the Authorised Person.
            8. The protection under the Regulatory Law is from liability, dismissal or detriment for making that disclosure. However, it does not, for example, prevent an Authorised Person from taking action against an employee for other legitimate reasons, such as if the employee has engaged in misconduct.
            9. An Authorised Person should, as part of its whistleblowing policies and procedures, inform its officers and employees of the protection under Article 68A of the Regulatory Law.

             

            Derived from DFSA RMI318/2021 (Made 27th October 2021). [VER54/04-22]