DFSA Conduct Principles from 1 July 2026: What Firms Should Be Doing Now
The overall licensing framework remains broadly unchanged. The DFSA has retained Compliance Officers, Finance Officers, and Senior Managers as licensed functions, meaning most firms will not need to redesign their licensing structures or senior appointments.
However, the expectations around conduct, oversight, and evidencing compliance have become more precise. Firms remain responsible for ensuring that individuals are fit and proper on an ongoing basis and, importantly, for demonstrating that their governance arrangements are effective in practice.
One of the most significant changes is the expansion of the Conduct Principles beyond Authorised Individuals.
From July 2026:
- principles 1 to 4 will apply to a broader population, including employees involved in financial services, related activities, or the management of the firm
- the principles extend beyond senior roles to include front-office staff and key control functions such as compliance and finance
- individuals provided via third-party or outsourcing arrangements may also fall within scope where they operate under the firm’s direction and control.
This shift makes it clear that conduct is no longer solely a senior management issue; it is a firm-wide obligation.
There is an important point here that firms should not overlook. The disclosure obligation has now been separated and assigned its own standalone requirement. Under the previous framework, the duty to deal with the DFSA in an open and cooperative manner was combined with the duty to notify; however, from 1 July 2026, disclosure to the DFSA will constitute an independent principle. In real terms, that means firms should be clear on who carries the obligation to make disclosures, how issues are escalated internally, and how the firm decides that a matter has crossed the line from “internal issue” to “something the regulator would reasonably expect to hear about.”
Another area that deserves proper attention is the annual review of Authorised Individuals. The DFSA has clarified that firms must be satisfied that an Authorised Individual remains fit and proper, stays competent, keeps up with relevant developments, and can apply that knowledge in their role. This review must happen at least annually, and the assessment records must be retained for a minimum of six years and made available upon request.
For many firms, this is the part that needs the most work, not because the principle is new, but because the evidence behind it is often lighter than it should be.
There is a useful reminder in the final wording around the Compliance Officer function as well. The role has been clarified as being responsible for overseeing the implementation and application of the firm’s compliance arrangements. This has implications for role descriptions, governance packs, reporting lines and annual assessments. It also aligns with the DFSA requirement that individuals seeking to perform the Senior Executive Officer, MLRO and Compliance Officer functions must be able to demonstrate sufficient knowledge of relevant AML requirements.
In practice, before the rules come into force in July 2026 firms should take the following steps:
- first, identifying the population that will sit inside the framework. That means not only your Authorised Individuals, but also the wider set of staff whose roles bring them within the Conduct Principles. In a simple structure that exercise may be quick. In a group model, or where functions are outsourced, it usually takes longer than expected
- second, checking whether role documents still match reality. Job descriptions, reporting lines, committee terms of reference, outsourcing schedules and internal escalation wording should reflect how the firm actually operates today, not how it operated two years ago
- third, separating policy ownership from policy evidence. A firm may already have conduct, compliance and HR documents in place. That does not always mean it can show how the framework is applied, monitored and refreshed in practice
- fourth, reviewing how firm’s annual fitness and propriety process really works. If the review is little more than a short declaration and a training log, it is worth tightening it now.
A short self-check for firms
A simple way to test readiness is to ask six straight questions:
- has the firm identified who falls within scope from 1 July 2026?
That should include Authorised Individuals, relevant employees, and any group or outsourced personnel supporting regulated activity where the rules may reach them. - does the role descriptions match the work people actually do?
This matters most for control functions, oversight roles and anyone involved in escalation or challenge. - can the firm show how the Conduct Principles are translated into role-based training?
A single generic training deck for everyone is unlikely to be enough. - is the firm’s annual fitness and propriety review process robust, documented and repeatable?
This is where many firms will need a sharper process and a better file. - are DFSA escalation and notification decisions clear in practice?
The separate disclosure principle makes this worth revisiting. - if the DFSA asked for evidence, could the firm produce it quickly?
Registers, training records, annual assessments, governance papers and oversight records should not be scattered across the business.
If the honest answer is “not yet” to more than one or two of those, the firm probably has a useful piece of implementation work to do before July 2026.
How can Waystone help?
This is an appropriate juncture for firms to pause and assess whether their conduct framework accurately reflects their operational realities.
For some firms, this may require only a minor refresh. For others, particularly firms with shared resources, outsourced support or more stretched governance structures, it may necessitate a more detailed review of scope, documentation, training and evidence.
Conducting this review at this stage allows firms sufficient time to implement any necessary changes effectively, rather than deferring the work until June, when the pressure to demonstrate full readiness will be considerably greater.
Waystone supports firms with gap analysis of the DFSA rules against current systems and controls, delivering targeted training, drafting or reviewing policies and procedures, and performing assurance reviews focused on whether the framework is effective in practice.
For further details, please contact our Middle East Compliance Solutions Team.