DFSA proposes new operational resilience regime for DIFC firms

The proposed operational resilience framework set out in a consultation paper (8 pages / 375KB PDF) is centred around five elements: identifying critical business services; setting impact tolerances; mapping the resources and dependencies that support those services; testing resilience through severe, but plausible, scenarios; and notifying the DFSA of material disruptions immediately where a disruption to a critical business service has breached, or is reasonably close to breaching, the firm’s pre-defined impact tolerance.

These five interlinked elements will require DFSA regulated firms to identify critical business services, set impact tolerances, map critical resources, conduct scenario testing and notify the DFSA of material disruptions. The proposed approach marks a distinctive shift away from process-driven operational risk management towards an outcome focused assessment of how disruption could cause harm to clients or the wider financial system.

As the paper notes, the framework aligns closely with international standards, including Basel Core Principle 25 and the Basel Principles for Operational Resilience. These themselves draw on approaches adopted by the UK’s primary financial regulators – the Financial Conduct Authority (FCA) in 2021 and the Prudential Regulation Authority (PRA) in 2022 – as well as other leading regulators including the Monetary Authority of Singapore (MSA) and the Hong Kong Monetary Authority (MSA) in 2022, and the Qatar Financial Centre Regulatory Authority more recently in 2024.

The changes will apply to all DFSA regulated firms including banks, investment firms, insurers, financial advisers and fintechs, as well as the DIFC branches of international financial service groups. The public consultation on the proposals is open until 26 May, and the proposed operational resilience framework is expected to be implemented by the end of 2026.

All DFSA regulated firms will be required to assess whether they provide critical business services, although only firms that identify such services will be subject to the full operational resilience requirements.

Marie Chowdhry, a financial regulation and fintech expert at Pinsent Masons, said the proposals signalled a “a shift away from traditional operational risk management toward a service focused resilience framework, with increased board accountability and regulatory scrutiny”.

Chowdhry said the DFSA’s operational resilience proposals also marked a significant evolution in regulatory expectations for firms operating across the DIFC. “Rather than focusing solely on preventing operational failures, the proposed regime requires firms to assume that disruptions will occur and to demonstrate their ability to continue delivering critical business services within defined impact tolerances,” she said.

Jessa White, an expert in fintech at Pinsent Masons, said many DFSA regulated firms will need to reassess how they should approach operational risk and business continuity in light of the new proposed regime. “Firms will need to identify which services are genuinely critical, set clear thresholds for tolerable disruption, map the people, processes, systems and third party dependencies that support those services, and test their resilience through severe but plausible scenarios,” she said. “Importantly, the proposals also place responsibility firmly with governing bodies to approve key outcomes, reinforcing board level accountability.”

The DFSA expects businesses to be “be well advanced in their preparations” to comply with the new the new regime within 12 months of it coming into effect, alongside a 24-month implementation period following enactment of the rules to allow firms sufficient time to adjust to the new rules.

Chowdhry said that although the DFSA appeared to be taking a proportionate and risk-based approach, she warned that firms should not underestimate the time and effort required to embed to adapt their businesses to comply with the new regime’s requirements. “With a proposed 24-month implementation period, firms should consider beginning preparatory work early, including gap analysis, governance planning, and engagement with group wide resilience frameworks where applicable,” she added. “The consultation paper also provides an important opportunity for firms and businesses seeking to become licensed by the DFSA to shape how the regime is finalised and applied in practice.”