Chapter 2 · Licensed Bodies

The "Regulations Manual of Financial Activities" (Decision 13/2021) is the master rulebook for SCA-licensed bodies. It spans the entire lifecycle: application, fit-and-proper, ongoing governance, supervision, sanctions, cancellation.

Reports directly to the CEO, with right of access to the Board of Directors. This protects the function from being filtered or blocked by middle management. Reporting only via trading or finance heads is forbidden (creates conflict).

Internal audit must be independent of the activities it audits. Cannot be combined with compliance (those are different control functions). Cannot be the external auditor. CAN be outsourced — but not to the same firm that does the external audit.

Ultimate responsibility for the risk management framework sits with the Board of Directors. Day-to-day execution may sit with a CRO or risk committee, but framework, risk appetite, and supervisory oversight remain Board-level. The SCA supervises but does NOT set risk appetite for the firm.

When a conflict cannot be avoided, the licensed body must:

1. Disclose the conflict in writing to the affected client
2. Obtain consent where required
3. Disclose BEFORE acting (not after)

Internal record-only is insufficient — client-facing transparency is the test.

The maximum administrative fine the SCA may impose per violation under Decision 13/2021 is AED 100,000. Repeated or compound violations stack as separate counts.

Note: bigger AML / criminal fines exist under Ch 5 (legal-person AED 500k–50m for ML offences). The 100k figure is the standard ADMINISTRATIVE cap.

A licensed body that doesn't commence its activities has its licence cancelled if no activity occurs within 6 months of licensing. Force-majeure exceptions can extend, but require written justification.

When a licence is cancelled, the cancellation must be published in 2 daily newspapers, at least one of which is in Arabic. Online publication is supplementary, not a substitute.

Base retention: ≥ 10 years for licensed-body records. Some categories have specific rules (AML records 5 years per Ch 5, CSD 15 years per Ch 7).

Records held in archives (on-prem or cloud) must be recoverable within 3 business days of an SCA request. This drives the firm's backup/restore architecture.

Personal employment data must be retained for 10 years from the date of LAST UPDATE. The "last update" anchor is important — it means every new entry resets the clock. This matters for long-tenured employees whose records sit decades after first hire.

The procedures must specify access powers based on the competence, responsibilities and legal duties of the role — NOT seniority alone. This is a classic wording trap.

When a licensed body outsources a function, ultimate responsibility remains with the licensed body — not the third-party provider. Outsourcing transfers operations, not regulatory accountability. The firm is accountable to the SCA and clients for the outsourced function's performance, including provider breaches.

The compliance, risk, and internal audit functions cannot be FULLY outsourced — the firm must retain meaningful internal oversight. Partial outsourcing (e.g. specialised support to a compliance team) is permitted, but the senior officer roles must sit inside.

If a complaint isn't responded to within 10 business days, it can be referred upward. This is the "non-response" trigger — distinct from the time to resolve the complaint substantively.

The whistleblowing policy must protect against dismissal, demotion, harassment, OR any detrimental treatment connected to the disclosure. Limiting protection to dismissal would leave informal retaliation unaddressed and chill reporting.

Client confidentiality applies — but is overridden where the law mandates disclosure (e.g. STR to FIU, regulator inquiries, court orders). Marketing or commercial expedience are NOT recognised exceptions.

A new branch requires prior SCA approval, not mere notification. Branches inherit the parent's licence but add operational risk — the SCA wants advance visibility.

Providing services to overseas clients requires advance SCA notification PLUS compliance with the host jurisdiction's rules. The UAE supervisory regime doesn't exempt itself just because the client is offshore.

Reporting cadence: at each material change AND periodically (typically quarterly). Waiting for breach defeats supervisory purpose; annual-only is too sparse for a risk-sensitive metric.