Regulator review puts DIFC fintech compliance arrangements under spotlight

The Dubai Financial Services Authority (DFSA) found that 53% of fintech companies operating in the DIFC have just no more than three staff managing compliance issues – with several relying on just one to oversee all compliance requirements.

A further one in five fintechs do not have a deputy money laundering reporting officer, despite it being a requirement of DIFC rules.

The findings come as the DFSA publishes a new review (pdf, 21pp/4.3mb) looking at how fintechs operating in the DIFC handle their compliance arrangements. Its report highlights weaknesses in monitoring, governance, resourcing and independence of compliance officers.

The DFSA also found that nearly 58% of firms outsourced key compliance activities, and flagged concerns where compliance ownership and independence were weakened. This includes cases where compliance surveys were completed by senior executive officers or group teams rather than compliance officers.

The regulator also raised concerns about weak regulatory engagement at some fintechs, including failures to notify the DFSA of material matters in a timely way and delayed or missed responses to regulatory requests.

Marie Chowdhry, a fintech expert with Pinsent Masons in Dubai, said the results highlighted how much some fintechs had underestimated the risks they faced.

“The DFSA’s thematic review sends a clear message that compliance arrangements must be robust, properly resourced, and embedded within firms’ governance frameworks, particularly as fintech firms scale and business models become more complex,” she said.

“A key takeaway is the disconnect identified between firms’ confidence in their compliance frameworks and the DFSA’s supervisory findings, with nearly all firms believing their resources were adequate despite observable weaknesses in capacity, independence and oversight.

“From a commercial perspective, firms that underestimate compliance risks may face increased regulatory scrutiny, delayed approvals, remediation programmes, or reputational harm.”

The review warned that despite the weaknesses highlighted by the regulator, 95% of fintechs operating in the DIFC felt that their current compliance resourcing was adequate.

While the industry is maturing, with many firms showing active oversight of compliance issues at board and senior management level, the regulator warned that it found some limited their role or maintained mainly procedural involvement.

“The review also reinforces the DFSA’s expectations that compliance functions are proactive, not reactive, and that boards and senior management maintain active oversight rather than treating compliance as a procedural exercise,” added Chowdhry.

Despite the warnings, however, the DFSA said that the industry was “generally moving in the right direction” with steady improvements in compliance and regulatory engagement from companies working in the DIFC’s burgeoning fintech sector, with indications this would continue to move in a positive direction going forward.

Jessica White, a financial regulation and fintech expert with Pinsent Masons in Dubai, explained that while the review was focused on the fintech sector, it gave an indication for other companies operating in the region what they should also be looking out for – and what actions they needed to implement.

“For regulated firms operating in the DIFC, the review provides a practical roadmap of where regulatory attention is likely to focus in the near term,” she said.

“Firms should reassess how their compliance function is resourced, review the effectiveness of outsourcing arrangements and compliance monitoring plans, ensure clear escalation and reporting structures, and confirm that compliance officers are openly engaging with the regulator.

“Taking action now can help firms mitigate enforcement risk and demonstrate alignment with DFSA supervisory expectations.”