Findings from DFSA risk assessments of DIFC Private Banks
On 23 February 2024 the DFSA released a “Dear SEO letter” presenting its key findings following its 2023 on-site risk assessments of Authorised Firms (firms) operating private banking businesses in the DIFC. The Dear SEO letter shares the DFSA’s key themes and findings, and is designed to promote best practice, high standards of regulatory compliance, and wider improvements across firms in the DIFC.
The DFSA risk assessments of private banks looked at firms’ compliance with the following DFSA rulebooks:
- General (GEN)
- Conduct of Business (COB)
- Anti-Money Laundering (AML)
This article provides an overview of the DFSA findings.
Compliance with the GEN and COB rules
The DFSA identified the following six (6) weaknesses in relation to firms’ compliance with the GEN and COB modules.
- Firms’ governance arrangements (GEN 4.2.11/5.2/5.3.2/5.3.3): Firms failed to demonstrate strong corporate governance framework arrangements. This was evidenced by a lack of clarity on the roles, responsibilities, and reporting lines of senior management. In particular, the DFSA highlighted the example of the Senior Executive Officer not having the required level of ultimate responsibility and accountability for key business lines and functions of the firm.
- Resourcing of the compliance function (GEN 5.3.7/5.3.9): Several firms were found to have inadequate resourcing levels which also extended to the capacity of the compliance function of the business. This is a key risk for firms, particularly given recent enforcement action from the DFSA. Compliance resourcing should be adequate not just for the nature, scale and complexity of the business, but also for the risks that the business faces.
- Compliance with the client suitability requirements (COB 3.4): Firms’ suitability assessments were found to be generic and lacking in detail. The DFSA identified a lack of documented rationale as to why a particular product had been recommended over another.
- Client classification processes and procedures (COB 2): Certain firms displayed deficiencies in their approach to client classification. This included unsatisfactory assessments of clients’ knowledge and experience, and a lack of supporting rationale and verifiable information to evidence the assessment. In addition, the DFSA found that there was often limited challenge from the firms’ compliance functions and/or a lack of observation of the effectiveness of the firm’s client classification framework. The DFSA expects deficiencies to be addressed as a priority.
- Outsourcing and reliance on Head Office/other Group entities (GEN 5.3.21): Certain firms failed to adequately consider the DIFC and DFSA requirements in their policies and procedures, relying instead on group outsourcing. Where firms’ functions were being performed by group entities, the DFSA observed examples of individuals with responsibility and oversight for the function being unable to demonstrate sufficient understanding of the function.
- Handling of staff-related misconduct (GEN 5.3.18/19): Some firms failed to carry out sufficient background checks or due diligence during the recruitment process to identify whether applicants had a record of previous misconduct or issues that could impact their employment. Further, firms had delays when taking action on employee misconduct, and in some cases, failed to take any appropriate disciplinary action. The DFSA expects firms to have effective systems for “consequence management”.
Compliance with the AML rules
The DFSA identified the following eight (8) weaknesses in relation to firms’ compliance with the AML module.
- Assessing business AML risks (AML 5.1): Certain firms lacked a clear business risk assessment and scoring methodology. Business AML risk assessments (BARAs) lacked sufficient detail and excluded inherent risk factors and residual risk ratings that can arise from the use of new or developing technologies, products, or practices. BARAs omitted a detailed assessment of Targeted Financial Sanctions and failed to evidence the outcomes of the UAE National Risk Assessment.
- Assessing customer AML risks (AML 6.1): Various firms were found to have an inadequate or unclear customer risk assessment scoring methodology. This is one area of the rules where assessments must be thought through and documented.
- AML systems and controls (AML 5.2): Certain firms’ AML policies and procedures were not adequately customised to the firm’s business activities and processes. Deficiencies were found across procedures for roles and responsibilities, screening standards, turnaround times, funds freezing procedures and reporting, and partial name match reporting. Further, the DFSA considered there to be insufficient detail in management information / metrics covering key AML processes. This finding reflects the fact that many firms adopt a generic AML policy that is insufficiently tailored to the firm’s business.
- Enhanced Customer Due Diligence (EDD) (AML 7.4): Most firms were found to have reasonably adequate EDD procedures. However, the DFSA found deficiencies in the corroboration of source of funds (SOF) and source of wealth (SOW) for high-risk clients, including limited SOW journey narratives, lack of supporting evidence or documents, over-reliance on benchmarking, or inappropriate application of benchmarking.
- Ongoing Customer Due Diligence (AML 7.6): The DFSA identified instances where firms failed to conduct periodic reviews in accordance with their established cycle for standard risk clients. At times, ongoing due diligence measures were not properly applied, leading to incomplete and outdated KYC documents in client files and a lack of recent or meaningful review of the client’s transactional activity patterns.
- Suspicious Activity Reports (AML 13.2/13.3): 2023 marked a 74% yearly increase in the number of internal AML Returns notifications reported to the MLRO. The DFSA also observed a 35% increase in the number of suspicious activity reports (SARs) from the private banking sector. However, the DFSA found instances of concern where the notifications/SARs lacked detailed context and information, which could lead to potential breaches of both Federal AML legislation and DFSA-administered legislation.
- Outsourcing (AML 8.2): The DFSA found that certain firms did not have clearly defined service level agreements with relevant Group entities to set out the roles and responsibilities, quality standards and reporting for internally outsourced AML processes. As a result, there was no evidence of MLRO and local senior management oversight of these processes.
- AML Training and Awareness (AML 12.1): The DFSA observed that certain firms provided high-level training on financial sanctions risks and failed to provide adequate detail or address key aspects such as applicable UAE legislation, circulars and guidance. Further shortcomings were found in screening systems and controls; red flags; evasion techniques, funds freezing and related reporting mechanisms. The DFSA also found that some AML training was generic across employees and lacked the necessary detail for staff involved in client onboarding and ongoing customer due diligence processes.
The DFSA expects all firms operating private banking business models in or from the DIFC to consider these key findings and shortcomings in the context of their specific activities and obligations, including across other business models. The DFSA expects all firms to consider further enhancements to their systems and controls (where appropriate) to minimise these weaknesses, and to demonstrate how they did so in future interactions with the DFSA.
Firms which cannot demonstrate that they have reviewed the findings of the Dear SEO letter against their own systems and controls and policies and procedures expose themselves to potential regulatory risks, including the risk of DFSA enforcement action if failings are identified in their business in future. The DFSA’s Dear SEO letter is a clear warning, which firms would be well advised to heed.