DFSA supervision and AI in the DIFC.
The Dubai Financial Services Authority supervises how DIFC financial firms govern technology — and AI now sits squarely inside its expectations on governance, resilience and senior accountability.
Prudential expectations for AI in regulated business.
The DFSA co-issued the UAE's joint Guidelines for Financial Institutions Adopting Enabling Technologies and supervises DIFC firms against established rules on governance, systems and controls, outsourcing and operational resilience. When AI drives regulated activity — credit decisions, advice, surveillance, AML monitoring — the DFSA expects it governed like any other material system: owned by accountable senior management, risk-assessed, tested and recoverable. For DIFC firms, DFSA expectations run alongside Regulation 10's data protection duties on the same systems.
Who is in scope
- DFSA-authorised firms using AI/ML in regulated activities
- Firms deploying AI in AML/CFT monitoring and client screening
- Authorised firms outsourcing AI capability to vendors or group entities
- Senior managers accountable for systems and controls under DFSA rules
At a glance
What the DFSA looks for.
Senior management accountability
AI used in regulated business needs a named accountable owner within the firm's governance structure — not a diffuse committee.
Systems & controls
AI must sit inside the firm's documented control environment: approval, monitoring, change control and review.
Operational resilience
AI-dependent processes need continuity arrangements — if the model fails, the regulated service must still stand.
Outsourcing rules
AI sourced from vendors or group platforms engages outsourcing requirements: due diligence, oversight, audit access and exit plans.
Market conduct & client outcomes
AI-driven advice, pricing and execution must deliver fair client outcomes that the firm can evidence.
Coordination with Regulation 10
Where AI processes personal data, DFSA expectations and DIFC data protection duties apply together — one control set should answer both.
Supervision-ready AI governance for DIFC firms.
Readiness review
AI use mapped against DFSA expectations on governance, resilience and outsourcing — gaps rated and owned.
Integrated control mapping
One control framework answering the DFSA and Regulation 10 together, built from ex-DIFC GRC leadership experience.
Thematic review preparation
Evidence packs and briefings that prepare management for supervisory visits and information requests.
This page summarises DFSA supervisory expectations for general information — it is not legal advice. Verify obligations against the current DFSA Rulebook and guidance.
Dubai Financial Services AuthorityBe ready before the thematic review lands.
We held the GRC seat inside the DIFC. We know what good looks like to the regulator next door.
Book a consultation