ServicesGovern & AssureFinance & TransactionsTransform & DigitizeOperate & Scale
FrameworkAI Policy DevelopmentResponsible AIData Governance
RegulationsGCC regulationsRegulations & standardsResearch & benchmarks
Insights
About
Contact
Book a consultation
GCC regulation

DFSA supervision and AI in the DIFC.

The Dubai Financial Services Authority supervises how DIFC financial firms govern technology — and AI now sits squarely inside its expectations on governance, resilience and senior accountability.

DFSA

Prudential expectations for AI in regulated business.

The DFSA co-issued the UAE's joint Guidelines for Financial Institutions Adopting Enabling Technologies and supervises DIFC firms against established rules on governance, systems and controls, outsourcing and operational resilience. When AI drives regulated activity — credit decisions, advice, surveillance, AML monitoring — the DFSA expects it governed like any other material system: owned by accountable senior management, risk-assessed, tested and recoverable. For DIFC firms, DFSA expectations run alongside Regulation 10's data protection duties on the same systems.

Who is in scope

  • DFSA-authorised firms using AI/ML in regulated activities
  • Firms deploying AI in AML/CFT monitoring and client screening
  • Authorised firms outsourcing AI capability to vendors or group entities
  • Senior managers accountable for systems and controls under DFSA rules
At a glance
RegulatorDubai Financial Services Authority
SupervisesFinancial services in or from the DIFC
Key instrumentEnabling Technologies Guidelines (co-issuer)
Interacts withDIFC DP Law · Regulation 10
Request a readiness review
Key expectations

What the DFSA looks for.

Senior management accountability

AI used in regulated business needs a named accountable owner within the firm's governance structure — not a diffuse committee.

Systems & controls

AI must sit inside the firm's documented control environment: approval, monitoring, change control and review.

Operational resilience

AI-dependent processes need continuity arrangements — if the model fails, the regulated service must still stand.

Outsourcing rules

AI sourced from vendors or group platforms engages outsourcing requirements: due diligence, oversight, audit access and exit plans.

Market conduct & client outcomes

AI-driven advice, pricing and execution must deliver fair client outcomes that the firm can evidence.

Coordination with Regulation 10

Where AI processes personal data, DFSA expectations and DIFC data protection duties apply together — one control set should answer both.

How we help

Supervision-ready AI governance for DIFC firms.

Readiness review

AI use mapped against DFSA expectations on governance, resilience and outsourcing — gaps rated and owned.

Integrated control mapping

One control framework answering the DFSA and Regulation 10 together, built from ex-DIFC GRC leadership experience.

Thematic review preparation

Evidence packs and briefings that prepare management for supervisory visits and information requests.

Source & disclaimer

This page summarises DFSA supervisory expectations for general information — it is not legal advice. Verify obligations against the current DFSA Rulebook and guidance.

Dubai Financial Services Authority

Be ready before the thematic review lands.

We held the GRC seat inside the DIFC. We know what good looks like to the regulator next door.

Book a consultation