Search Ocorian

Highway to draw a curve

The DFSA’s revised Conduct Principles: key actions for regulated firms

02 July, 2026

From 1 July, the DFSA’s revised Conduct Principles framework came into effect, introducing clearer expectations for how regulated firms in the DIFC evidence governance, accountability and individual conduct in practice.

This is not a wholesale restructuring of the existing regime. The DFSA has retained the Licensed Functions framework, meaning compliance officers, finance officers and senior managers will continue to require DFSA authorisation, and firms do not need to submit new applications solely because of the revised framework.

The more important shift is one of precision and accountability. The DFSA is sharpening expectations around how firms assess individuals, allocate responsibility, escalate issues and demonstrate that governance arrangements work in practice. For compliance officers, MLROs, risk leaders and senior management, this means the framework should not be viewed as a policy update only. It requires a practical review of roles, reporting lines, training, evidence and escalation processes.
 

What is changing?

There are several areas that warrant immediate attention.

First, the disclosure obligation has been separated and assigned as a standalone Conduct Principle. Firms need to be clear on who owns that obligation, how issues are escalated internally, and when a matter becomes reportable to the DFSA. This is likely to require a review of internal escalation procedures, breach reporting processes and committee governance.

Second, firms must carry out annual fitness and propriety reviews of authorised individuals. These reviews need to be robust, documented and repeatable. The expectation is not simply that firms know their authorised individuals remain suitable, but that they can evidence the assessment process if challenged by the regulator.

Third, the Compliance Officer role has been clarified as responsible for overseeing the implementation and application of compliance arrangements. This has direct implications for role descriptions, reporting lines, governance packs and board reporting. Firms should check that what is written down accurately reflects what the compliance officer does in practice.

Finally, Conduct Principles training should be role-specific, not generic. Senior management, front-office staff, control functions and authorised individuals will not all engage with the framework in the same way. Training should reflect the responsibilities and risk profile of each group.
 

What regulated firms should do now

For senior compliance and risk professionals, the impact will be felt in day-to-day governance. Policies alone will not be enough. Firms will need to show how decisions are escalated, how responsibilities are allocated, how fitness and propriety is assessed, and how conduct expectations are embedded across relevant staff populations.

This also increases the importance of evidence. Minutes, compliance reports, role descriptions, training records, escalation logs and annual assessment files will all become more important in demonstrating that the firm’s framework is operating effectively.

Firms should now prioritise the following steps:

  • Map the revised Conduct Principles against existing policies, procedures and governance frameworks.
  • Confirm ownership of the disclosure obligation, including escalation routes and decision-making thresholds.
  • Review authorised individual files and ensure annual fitness and propriety assessments are documented and repeatable.
  • Update compliance officer role descriptions, reporting lines and governance materials where needed.
  • Deliver role-specific training and retain clear evidence of completion.

Where gaps are identified, firms should implement a remediation plan with clear ownership, deadlines and senior oversight. If no readiness review has been completed, that should now be treated as a priority.

How Ocorian can help

Ocorian supports DFSA-regulated firms with outsourced compliance officers, MLROs and wider regulatory compliance support. Our team can assist with readiness reviews, gap analysis, remediation planning, governance documentation, role-specific training and ongoing compliance oversight.

For firms operating in the DIFC, the revised framework is a timely reminder that effective compliance is not only about having the right policies in place. It is about being able to demonstrate that those policies are understood, owned and applied in practice.

To discuss how the revised Conduct Principles could impact your firm, contact our team.

About the author

Veena Karuthasen is the consulting lead for UAE Regulatory & Compliance Services at Ocorian. She advises asset managers, financial institutions and founders on regulatory strategy, licensing, governance and compliance across the DIFC, ADGM and wider UAE, translating complex requirements into practical, commercially aligned solutions.