As the Dubai Financial Services Authority (DFSA) ushers in a new era of more intrusive supervision in the DIFC, the on-site visit is proving to be one of its more frequently used supervisory tools. When a Firm is notified about its "periodic risk assessment", a significant amount of documentation will be requested in advance of the DFSA on-site visit, at which the DFSA will expect access to all relevant employees and files. No two Firms will have the same risk profile, but thinking about the answers to the high-level questions set out below should enhance your ability to satisfy the DFSA that you are conducting your business activities within the spirit of the DFSA Principles and the letter of the DFSA Rules.


Consider what the regulator is looking for

Take some time, in advance, to step back from the detail of the documentation prepared for submission to consider fundamentally what the regulator is looking for. Typically, this falls within one or more of the following broad categories in the Regulatory Business Plan you prepared to obtain authorisation.

Business strategy

Has this changed since authorisation (in the case of the first risk assessment visit) or since the last on-site visit (in the case of subsequent risk assessment visits)? The DFSA will wish to understand your current strategy and business model. They will also wish to be reassured that your business activities remain within the scope of your DFSA licence.

Clients

Are there any new sources of risk flowing from your client base? The DFSA is especially concerned that your customers are treated fairly. They will wish to see a well-documented suitability analysis for each customer, where relevant, in relation to the products and services offered. The DFSA is also interested in client identity verification procedures. They will wish to verify that these are being followed, as these are the cornerstone of adequate risk-based Anti-Money Laundering / Counter-Terrorist Financing (AML/CTF) controls.

Human resources and management controls

Are these still adequate for the nature and scale of business activities, including future business plans? Related to this are the specific issues of clear reporting lines, segregation of duties, staff turnover, training records in relation to AML/CTF (both initial and ongoing), and a disaster recovery plan.

Control environment: policies and procedures

Are all policies and procedures in place and up-to-date? The DFSA expects all documentation and manuals to be updated as and when change occurs. As in the case of AML, it is prudent to undertake an annual review of the policies and procedures which relate to the key elements of the control environment: compliance (including AML/CTF), risk management and internal audit.

An integrated view of risk

How does the SEO form an integrated view on the overall risks to which your Firm is exposed? Reports to the Board or reports/minutes of other key committees are often a useful vehicle for demonstrating this. These include:

  • Risk management reports covering market, credit and/or operational risk
  • Compliance reports: be sure that the log of breaches and customer complaints is up to date
  • Annual AML report and
  • Internal audit reports including the current and proposed monitoring plan.

Financial resources

Does the budget for next year demonstrate that financial resources will be adequate? The DFSA should already have a clear view on capital adequacy from its desk-based reviews of the regular reporting it receives. They will, however, be interested in the sources of regulatory capital to support your future plans, and also in observing first hand the systems and controls in place to ensure the accuracy and integrity of the data which underlies your regulatory and other financial reporting.

Other pointers

The letter to your Firm requesting documentation in advance may provide specific pointers as to the focus of the risk assessment visit. You should also review recent Dear SEO Letters, which highlight where the DFSA currently sees the greatest risks to its objectives. The DFSA has indicated recently that all Category 4 firms will now be subject to on-site risk assessment. Other Dear SEO Letters issued in 2009 cover: suitability and the fair treatment of customers; customer due diligence in relation to AML and UN Security Council Sanctions; outsourcing arrangements; and compliance with the Federal Laws which restrict financial services business conducted in the DIFC.

Summary

The overriding guiding principle is the engagement of the SEO and other Senior Management with the spirit of DFSA Principle 10 (Relations with Regulators): to deal with the DFSA in an open and co-operative manner and to keep the DFSA promptly informed of all significant events. The best way to avoid surprises arising at or from an on-site visit is to nurture an ongoing and constructive dialogue with your regulator in the spirit of Principle 10... and to supplement this with good preparation, as outlined.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.