The Riffle
The Dubai Financial Services Authority (DFSA) has finalized amendments to its Rulebook under Consultation Paper No. 167 (CP 167), aligning the DIFC regulatory framework with the Basel Core Principles for Effective Banking Supervision issued by the Basel Committee on Banking Supervision (BCBS).
The updates focus on strengthening risk management, credit risk oversight, concentration risk monitoring, and governance around related-party transactions. The implementation date has also been shifted to 1 January 2027, giving firms additional time to prepare following the April 2026 enactment of the rules.
Key Highlights
Strengthened Risk Management Expectations
The DFSA has introduced enhanced governance standards for risk management frameworks, particularly for large and complex firms, generally covering Domestic Firms in Categories 1, 2, and 5. These firms will now be required to maintain an independent and dedicated risk management function headed by a Senior Manager, Director, or Partner. Removal of the individual leading the function must receive Governing Body approval.
Matched Principal firms reclassified as Category 2 entities are exempt from certain requirements, including dedicated risk management functions and specific risk data aggregation obligations.
The Governing Body is also expected to play a more active role in embedding risk culture, overseeing emerging risks such as climate change and digitalisation, approving major business model changes, and supervising material product modifications and acquisitions.
Enhanced Risk Data Aggregation and MIS Requirements
Categories 1, 2, and 5 firms will need to strengthen their Management Information Systems (MIS) to support effective risk data aggregation and reporting capabilities. These systems must be subject to periodic Governing Body review.
The DFSA has also encouraged firms to reference BCBS guidance on effective risk data aggregation and reporting practices.
IFRS 9 Alignment for Credit Risk and Provisions
The DFSA is modernising its provisioning framework by removing outdated minimum provisioning requirements based purely on “past due days” and replacing them with the Expected Credit Loss (ECL) framework under IFRS 9.
Under the revised framework:
Only Stage 1 IFRS 9 provisions will qualify for Tier 2 capital inclusion.
Inclusion will be capped at 1.25% of credit risk-weighted assets.
Firms using internal provisioning models must implement minimum governance standards, including validation, data quality controls, and senior management oversight.
The DFSA has also expanded exposure classification requirements by introducing a dual classification framework to support Governing Body oversight.
Expanded Concentration Risk Definition
The definition of concentration risk has been broadened beyond traditional “Large Exposures” concepts. Firms are now expected to monitor excessive exposures across:
Specific asset classes and products
Collateral types or currencies
Funding sources
Sectors and geographic regions
This signals a more holistic supervisory approach toward concentration and interconnected risk exposures.
The DFSA has introduced stricter governance requirements for transactions involving Related Persons. A new “Affiliate” definition now captures entities where a firm holds between 20% and 50% ownership or voting rights, bringing them within the Related Persons framework under the PIB module.
The arm’s length requirement has also been expanded to apply to all Related Person transactions, not just credit exposures.
Importantly, Governing Bodies can no longer delegate approvals for material Related Person exposures or write-offs. Firms must establish their own materiality thresholds, but direct Governing Body approval will now be mandatory above those thresholds.
Why This Matters
These amendments reflect the DFSA’s continued focus on aligning DIFC prudential standards with evolving international supervisory expectations under the Basel framework. The changes place greater emphasis on:
Active Governing Body oversight
Stronger independent risk functions
Better risk data aggregation and reporting
Forward-looking provisioning practices
Enhanced governance of related-party exposures
For regulated firms, this will likely require a reassessment of governance frameworks, internal controls, MIS capabilities, credit risk methodologies, and board-level approval structures ahead of the January 2027 implementation deadline.
Implementation Timeline
Milestone | Date |
|---|
CP 167 Issued | 4 July 2025 |
Rule Enactment | April 2026 |
Feedback Statement Published | 11 May 2026 |
Rules Come into Force | 1 January 2027 |
Conclusion
The DFSA’s CP 167 amendments represent a significant enhancement of the DIFC prudential framework, particularly in the areas of governance, risk oversight, provisioning standards, and related-party controls.
With implementation now scheduled for January 2027, firms have additional preparation time but the breadth of the changes means early gap assessments and implementation planning will be critical, especially for larger and more complex institutions operating within the DIFC ecosystem.
