On 9th October 2024, the Dubai Financial Services Authority (DFSA) published the findings of its Thematic Review on Money Services Providers (MSPs) operating within the Dubai International Financial Centre (DIFC).
What was the focus of the DFSA’s 2024 Thematic Review on MSPs?
The Thematic Review assessed MSPs’ regulatory compliance and vulnerabilities with a specific focus on operational risks, including fraud prevention and detection.
What are the key findings of the Thematic Review?
The DFSA’s findings revolve around four areas which we consider in turn below. One overarching theme stemming from this report is the need for MSPs to improve their documentation processes.
Risk management framework and governance: MSPs often had not retained evidence of the review and approval of their Operational Risk policy by their Governing Body, as required by PIB 6.2.2. The DFSA emphasised that such approval should be documented for audit purposes and that the purpose of PIB 6.2.2 is to ensure there is an appropriate level of oversight of the firm’s systems and controls.
Strong customer authentication and user security measures: While a majority of MSPs demonstrated Strong Customer Authentication with User Security Credentials, relevant security measures and related processes were not sufficiently documented.
Technical standards: A number of MSPs’ Operational Risk management policies failed to address how and where the technical standards in PIB 6.13.5 were documented.
Systems and controls to detect fraud: Since 2021, the DIFC has seen a significant growth in the number of MSPs. To mitigate the risk of unauthorised or fraudulent transactions being processed by MSPs, MSPs must implement transaction monitoring systems and controls. The DFSA identified deficiencies in MSPs’ documentation evidencing their transaction monitoring systems and controls and whether they had been designed with relevant risk factors in mind.
Which actions should MSPs take next?
MSPs should review the findings of the Thematic Review and implement enhancements, where appropriate. Particular attention should be paid to documenting the MSPs’ systems and controls and retaining sufficient evidence of the firms’ compliance with applicable regulatory requirements.
The regulator also reminds MSPs of their obligations to promptly inform the DFSA of any significant event or other matter relating to them of which the DFSA would reasonably expect to be notified.
A copy of the DFSA's Thematic Review can be found here. For more insights and personalised advice, feel free to reach out to Eugénie Levy.
This material is provided for general information only. It should not be relied upon for the provision of or as a substitute for legal or other professional advice.