AML 15.3A.3 Guidance

1. The requirements in this section apply only to a DNFBP, as other Relevant Persons are subject to similar requirements in other parts of the Rulebook – see, for example, GEN 5.4 and AUD 4.11.
2. The DFSA expects a DNFBP to implement policies and procedures under AML Rule 15.3A.2 that are appropriate based on the nature, scale and complexity of the DNFBP’s business. For example, a larger or more complex DNFBP is expected to have more detailed and comprehensive policies and procedures in place.
3. The policies and procedures should:
a. include internal arrangements to allow for reports to be made by whistleblowers;
b. include adequate procedures to deal with, assess and, where appropriate, escalate reports to the senior management of the DNFBP or, if necessary, to the DFSA or to any other relevant authority;
c. include reasonable measures to protect the identity and confidentiality of whistleblowers;
d. include reasonable measures to protect the whistleblower from suffering any detriment, as a result of the report;
e. ensure that, where appropriate and feasible, feedback is provided to the whistleblower; and
f. include reasonable measures to manage any conflicts of interest and ensure the fair treatment of any person who is the subject of an allegation in a report.
4. A DNFBP’s whistleblowing policies and procedures should generally encourage reporting of concerns first to the DNFBP itself. However, the policies and procedures should also take into account that there may be circumstances where it is appropriate, or a whistleblower may prefer, to report the concerns directly to the DFSA or to another relevant authority.
5. The records under Rule 15.3A.3 should include:
a. the date the report was received;
b. a summary of the concerns raised;
c. the steps taken by the DNFBP in relation to the report until the matter is resolved;
d. any steps taken to maintain the confidentiality of the whistleblower and to ensure fair treatment of the whistleblower;
e. the list of persons who have knowledge of the report;
f. the outcome of the assessment of the report including the rationale for the outcome and any decision on whether or not to disclose the report to the DFSA or any other relevant authority; and
g. references or links to all documentation and review papers in relation to the report.
6. A DNFBP may be required to make its records of whistleblowing reports available to the DFSA for inspection.
7. In addition to the requirements in these Rules, Article 68A of the Regulatory Law provides legal protection to a whistleblower who discloses information about suspected misconduct in good faith to a specified person, such as the relevant DNFBP, the auditor of the DNFBP, the DFSA or other relevant authorities.
8. The protection under the Regulatory Law applies to any person who makes such a disclosure. For example, the disclosure may be made by a person who is or has been an officer, employee or agent of a DNFBP, a Person who provides services or products to a DNFBP or a person who has no formal connection with the DNFBP.
9. The protection under the Regulatory Law is from liability, dismissal or detriment for making that disclosure. However, it does not, for example, prevent a DNFBP from taking action against an employee for other legitimate reasons, such as if the employee has engaged in misconduct.
10. A DNFBP should, as part of its policies and procedures, inform its officers and employees of the protection under Article 68A of the Regulatory Law.


Derived from DFSA RMI321/2021 (Made 27th October 2021). [VER19/04-22]