  • AML 15.3A Whistleblowing

    • Interpretation

      • AML 15.3A.1

        In this section:

        (a) “regulatory concern”, in relation to a DNFBP, means a concern held by any person that the DNFBP or an officer or employee of the DNFBP has or may have:
            (i) contravened a provision of legislation administered by the DFSA; or
            (ii) engaged in money laundering, fraud or any other financial crime;
        (b) “whistleblower” means a person who reports a regulatory concern to a person specified in Article 68A(3) of the Regulatory Law.


        Derived from DFSA RMI321/2021 (Made 27th October 2021). [VER19/04-22]

    • Policies and procedures

      • AML 15.3A.2

        (1) A DNFBP must have appropriate and effective policies and procedures in place:
            (a) to facilitate the reporting of regulatory concerns made by whistleblowers; and
            (b) to assess and, where appropriate, escalate regulatory concerns reported to it.
        (2) The policies and procedures required under (1) must be in writing.
        (3) A DNFBP must periodically review the policies and procedures to ensure they are appropriate, effective and up to date.


        Derived from DFSA RMI321/2021 (Made 27th October 2021). [VER19/04-22]

    • Record of whistleblowing reports

      • AML 15.3A.3

        A DNFBP must maintain a written record of each regulatory concern reported to it by a whistleblower, including appropriate details of the regulatory concern and the outcome of its assessment of the reported concern.


        Derived from DFSA RMI321/2021 (Made 27th October 2021). [VER19/04-22]

        • AML 15.3A.3 Guidance

          1. The requirements in this section apply only to a DNFBP, as other Relevant Persons are subject to similar requirements in other parts of the Rulebook – see, for example, GEN 5.4 and AUD 4.11.
          2. The DFSA expects a DNFBP to implement policies and procedures under AML Rule 15.3A.2 that are appropriate based on the nature, scale and complexity of the DNFBP’s business. For example, a larger or more complex DNFBP is expected to have more detailed and comprehensive policies and procedures in place.
          3. The policies and procedures should:
              a. include internal arrangements to allow for reports to be made by whistleblowers;
              b. include adequate procedures to deal with, assess and, where appropriate, escalate reports to the senior management of the DNFBP or, if necessary, to the DFSA or to any other relevant authority;
              c. include reasonable measures to protect the identity and confidentiality of whistleblowers;
              d. include reasonable measures to protect the whistleblower from suffering any detriment, as a result of the report;
              e. ensure that, where appropriate and feasible, feedback is provided to the whistleblower; and
              f. include reasonable measures to manage any conflicts of interest and ensure the fair treatment of any person who is the subject of an allegation in a report.
          4. A DNFBP’s whistleblowing policies and procedures should generally encourage reporting of concerns first to the DNFBP itself. However, the policies and procedures should also take into account that there may be circumstances where it is appropriate, or a whistleblower may prefer, to report the concerns directly to the DFSA or to another relevant authority.
          5. The records under Rule 15.3A.3 should include:
              a. the date the report was received;
              b. a summary of the concerns raised;
              c. the steps taken by the DNFBP in relation to the report until the matter is resolved;
              d. any steps taken to maintain the confidentiality of the whistleblower and to ensure fair treatment of the whistleblower;
              e. the list of persons who have knowledge of the report;
              f. the outcome of the assessment of the report including the rationale for the outcome and any decision on whether or not to disclose the report to the DFSA or any other relevant authority; and
              g. references or links to all documentation and review papers in relation to the report.
          6. A DNFBP may be required to make its records of whistleblowing reports available to the DFSA for inspection.
          7. In addition to the requirements in these Rules, Article 68A of the Regulatory Law provides legal protection to a whistleblower who discloses information about suspected misconduct in good faith to a specified person, such as the relevant DNFBP, the auditor of the DNFBP, the DFSA or other relevant authorities.
          8. The protection under the Regulatory Law applies to any person who makes such a disclosure. For example, the disclosure may be made by a person who is or has been an officer, employee or agent of a DNFBP, a Person who provides services or products to a DNFBP or a person who has no formal connection with the DNFBP.
          9. The protection under the Regulatory Law is from liability, dismissal or detriment for making that disclosure. However, it does not, for example, prevent a DNFBP from taking action against an employee for other legitimate reasons, such as if the employee has engaged in misconduct.
          10. A DNFBP should, as part of its policies and procedures, inform its officers and employees of the protection under Article 68A of the Regulatory Law.


          Derived from DFSA RMI321/2021 (Made 27th October 2021). [VER19/04-22]