DFSA announces proposed changes to client asset regime

24 March 2025 | Dubai, UK & Europe | Articles

The DFSA’s consultation paper on the client asset regime, first issued last August, has received further amendments last week. Prompted by the regulator’s focus to protect users of the financial services industry in the Dubai International Financial Centre, or DIFC, firms have just nine months to prepare for the new rules ahead of January 2026.

Safeguarding has been in the spotlight cross territorially with the UK suggesting amendments and the MFSA requirements issuing results from its thematic review across the payments and e-money sector. Sparked by regulator’s aim to strengthen customer protection and reduce risk, Dubai’s is also introducing further changes to its client asset regime for investment firms.

While firms are already required to safeguard and arrange proper protection for assets or money belonging to their customers, these rules strengthen the regime on multiple fronts.

Controlling client money

The DFSA highlights instances where firms hold a mandate through a power of attorney or a similar arrangement, however, not as part of managing assets on discretionary basis. Many firms therefore get caught within the client asset regime without the need to.

Going forward the DFSA will interpret “control” as the ability for firms to bind clients in transactions without the need for clients’ further instructions, involvement or transaction confirmations. This broadens the circumstances in which firms are considered to control rather than hold client assets.

Some of the provisions within the current regime will no longer apply for firms who go into the scope of “controlling” assets in the above manner, easing the regulatory burden on them. This is driven by the reduced risk to clients in these circumstances due to them being the beneficial owners, as accounts where these are held are in the client’s name. In the event of firm failure, these assets won’t form part of the distribution pool.

As firms still can control client assets, it’s important for them to introduce adequate controls ensuring that:

• transactions executed meet the terms as per agreements with the client
• transactions executed are in the client’s best interest
• transactions don’t contradict the mandate obtained by the client, accounting for any conditions placed on the firm’s ability to control client assets.

Fund property

To avoid duplication and over-regulation, the DFSA proposes that any assets that are Fund Property (including money, investments and crypto tokens and those of a foreign fund) don’t fall in scope of the client asset regime. Fund property already benefits from a separate protection within the CIL and CIR, which specifically relate to custody and segregation.

This is the case for firms who only exclusively provide investment and portfolio management services to a fund under a delegation from a fund manager, regardless of the number of layers of delegation. The DFSA highlights that fund property of a foreign fund will not be subject to the DFSA’s client asset rules, as the expectation is that there are appropriate legal protections in the jurisdiction where the fund or the fund manager is.

However, firms that provide investment management delegated by the fund manager or provide pure wealth or asset management services will still be subject to the client asset rules. Therefore, these firms need to obtain the client asset endorsement for the non-fund related part of their business.

Client asset crisis preparedness pack

Going forward, firms will be required to have a client asset crisis preparedness pack. The aim of the pack is to assist insolvency practitioners, accountants, lawyers and regulators with the prompt identification, retrieval and return of client assets in a crisis, such as insolvency or resolution action. The pack will need to contain vital information such as a master list of client accounts, third party agents’ details and reconciliations.

The pack should be maintained, ensuring completeness and reflecting any changes within five business days of them taking place. Initially, the DFSA had extended this rule only to material changes. Upon reflection, it has determined that all elements of the pack must be kept up to date and any inaccuracies are corrected, if the pack is to be useful in a crisis. As such, it has removed the reference to “material effect”.

There’s flexibility over the form the pack takes. Firms who already have the information required by COB 6.14.2 included within their existing business continuity and disaster recovery plans won’t be required to have a separate document duplicating this information.

Auditor’s reports

Firms are required to have annual client asset audits carried out by skilled person. They will be required to contact the DFSA in relation to material non-compliance with the client asset rules highlighted within the auditor’s report and explain how breaches are remediated. The report should account of the aggregate value and not on the extent of safe custody assets held or controlled by the firm.

For those who provide custody or hold or control both client investments and client crypto tokens, the DFSA will require auditors to submit two distinct safe custody auditor’s reports. An appendix specifying the content of the safe custody crypto token auditor’s reports will be added to the rules.

Initially the DFSA wanted to require auditors to update them within the report on the actions being undertaken to remediate the findings of significant non-compliance. This information was considered vital to the DFSA in ensuring compliance with the client asset rules. However, this would require auditors to make judgements on whether firms have taken appropriate actions and as such is beyond the scope of ISRS 4400. The DFSA has rolled back this proposed change and instead will continue to follow up with firms on the remedial actions undertaken and their progress to date.

The DFSA also clarified in March 2025 that firms should submit the report within 30 days. However, it is not the DFSA’s expectation that firms will have been able to remediate all report findings in this timeline. The expectation is instead that firms would have agreed an action plan to rectify the findings of non-compliance and include an update on the ones already taken.

As with all findings, there are some bearing higher risk than others, and some that can be fixed easier and quicker than others. Firms should always aim for prompt remediation but also do so in a way that addresses the root cause.

Third party agent suitability assessment

The regulator is proposing converting the suitability assessment criteria from a guidance to rules, as firms are failing to appropriately consider these. Under the proposals, firms will also be required to consider these criteria prior to opening an account or transferring client assets to third party agents. Specifically, the DFSA will focus on the following areas.

Creditworthiness

It’s not always possible to obtain credit scores for all third-party agents. The approach of taking a rating tends to be mechanistic and risks the suitability assessment becoming a tick-box exercise. The regulator is therefore proposing to apply a wider view of what creditworthiness means, allowing firms to form a view of the third party’s credit profile by obtaining further information. Once this information is received, firms will need to interrogate it and arrive at a view of the creditworthiness of the third party and what it means for safeguarding client assets.

Diversification

Moneys deposited with third party agents will appear as deposits within their balance sheets, which are unsecured liabilities, and exposed to loss in the event of the third party’s failure. To meet the requirements under IOSCO Principle 3, firms need to consider diversifying client assets across different third parties.

The rules are principles based to allow firms to apply the best solution for their specific circumstances. This acknowledges that some smaller firms may find diversification operationally or commercially challenging. It’s essential that firms document the analysis and rationale behind their diversification decisions when deciding to place client assets with one or more third parties.

Depositor protection

There are some jurisdictions that provide further protection to clients in the event of third-party agent insolvency, such as depositor preference or deposit guarantee scheme. These would minimise the risk of loss to clients. It’s important for firms to understand the precise insolvency regime of the jurisdiction where client assets are placed with a third party, as this will inform their wider risk assessment of that third party.

There are always concerns that the unavailability of some information could limit firms’ ability to comply with these rules. However, the focus of this requirement is on the assessment made and the considerations within it. This makes the process less of an evidence-gathering tick-box activity and transitions it into a more risk-based approach. Firms should still be equipped with answers upon the DFSA’s request on why specific matters are not assessed or not applicable. This includes how these are considered when deciding whether to deposit client assets with a third party.

Acknowledgement letters and account naming convention

Firms are required to obtain an acknowledgement letter from their third parties that stipulates that there’s no right of set off on the money placed with the third party in respects of moneys owed to it by the firm and that the title of the account is sufficiently different from the name of the accounts where the firm holds its own moneys. The DFSA is considering changing the timing by which the written acknowledgement needs to be received from third parties. Currently, the rules state that this needs to be completed within a “reasonable period”, which historically has been around 20 days. The rules will be enhanced to require this acknowledgement prior to the firm placing any money with the third-party agent. This means client assets placed in these accounts won’t be exposed to a risk of loss or diminution due to the contractual arrangements or in instances of third-party insolvency prior to acknowledgement, enhancing client protection.

Acknowledging that there are system and operational limitations within third party agents, the DFSA will allow flexibility around the naming of client accounts. Instead of requiring the title to include the wording “client account”, firms will have discretion on the naming of the account, so long as it’s sufficiently different from any other account the firm holds with the third party in relation to the firm’s own moneys.

Improvements to client money disclosure rules

If client assets are held in a jurisdiction outside the DIFC, they’ll be exposed to different risks in the event of third-party insolvency. Firms will need to disclose this to the client, alongside market practices, the specific legal requirements within an insolvency scenario in the jurisdiction where client assets are held and how they differ from the legal framework in the DIFC.

The client should be aware that they can request this information, and that the information is relevant to the client and allows them to understand how assets held with the third party be treated in the event of their insolvency. In the case of client money, this should also account of any depositor guarantee scheme or depositor preference available in the jurisdiction where the third party operates.

Currently firms are also not required to disclose how client assets are held within the third-party agent. This leads to a heightened risk of incorrect understanding of the reach of DFSA’s protections. The disclosure needs to highlight the risks facing these client assets, for example that these can be treated as an unsecured liability. The rules will also require such disclosures to be made to the client before money and assets are placed with third parties. Firms need to be aware of these circumstances as part of their suitability checks and clients need to be aware of the particulars before their moneys and assets are exposed to these risks.

Reconciliation frequency

The current regulation requires firms to perform reconciliations on settlement date basis with the following frequencies:

• Client accounts reconciliations – at least 25 days.
• Client account balances with individual client ledger balances – every six months.

The DFSA suggests that all reconciliations should be performed at least every 25 days and within five business days from their initiation.

It’s proposed that the reconciliations frequency should be determined by the firm considering an assessment of the frequency, number and value of transactions, as well as the risk client money is exposed to. This means that some firms may determine that more frequent reconciliations are needed, and can transition to these arrangements following the assessment made. Other firms may still determine that the minimum requirements placed by the client asset rules are sufficient and proportionate in relation to their business. It’s important to note that, even though this may seem like a big change, it’s industry practice in other jurisdictions to perform such reconciliations daily.

Client reporting

Similarly to reconciliations, the DFSA is suggesting an alignment in the frequency of client money and asset reporting to retail clients by requiring firms to report monthly on a durable medium. As most professional clients opt out of such reporting and rely on platform access, the DFSA won’t place similar requirements on this client group.

It’s highlighted that despite the use of an online approach for providing information to clients through platform portals, there’s a risk that should that platform experience outages or become unavailable for any reason, clients won’t have access to reports. The regulator has made it clear that separate reporting through a statement will still be required even if firms have online platforms where clients can access this information as and when needed. Lastly, as part of best industry practice firms should also confirm that any client reporting sent to clients is reaching clients through monitoring bouncing emails.

Requirements applicable to firms only arranging custody

As part of a previous consultation paper, the DFSA has removed most of the safe custody provisions for firms who only arrange custody and has kept the requirements in relation to record keeping, disclosure and the suitability assessment for non-DIFC custodians. These firms will not be required to submit auditor’s reports, given that they do not hold or control client assets.

How can Bovill-Newgate help you?

Our team of safeguarding specialists is made up of ICAEW chartered accountants with CASS and safeguarding audit experience across several large audit firms. We also have a presence in Dubai, which allows us to advise firms whilst appreciating the wider regulatory climate in Dubai.

We can support you with:

• helping you implement the changes suggested by the DFSA
• creation of bespoke policies, procedures and controls
• remediation of auditor breaches
• safeguarding health checks
• change management advice and support
• pre-audit preparation and audit support, including auditor report review.