DFSA Category 3D - Gap Analysis

Simpaisa Technologies LTD | DIFC Authorised Firm Application

Version: 0.1 (Draft for Review)
Date: April 2026
Prepared by: Chief Digital Officer
Classification: Confidential - Executive and Legal Counsel Distribution Only


Purpose. This gap analysis cross-references the DFSA Category 3D licence requirements against the governance and compliance framework documented in Section 04-11-12 of the Simpaisa Group Operating Model (Version 0.1, April 2026). It identifies requirements that are fully addressed in the current documentation and operating model, those that are partially addressed but require further development, and those that represent material gaps requiring immediate action prior to or concurrent with the DFSA application submission. Priorities are rated High / Medium / Low relative to their likely significance to the DFSA's assessment of the application.


Gap Analysis Table

| # | Requirement | Status | Evidence (OpModel Reference) | Action Required | Priority | Owner |
|---|---|---|---|---|---|---|
| 1 | Non-Executive Chairperson | Met | Section 4.1.1: Nadeem Hussain confirmed as Non-Executive Chairman. Role responsibilities documented at Section 4.1.2. Board composition table confirms NEC classification. | Ensure DFSA-prescribed fit and proper assessment is formally completed and documented for the Chair. Confirm Chair is UAE/DIFC-resident or comfortable with DFSA interview requirements. | High | GH Regulatory Affairs / CEO |
| 2 | Senior Executive Officer (SEO) - UAE resident | Gap | Section 11.4.3 (DFSA licence roadmap) identifies SEO appointment as a key milestone. Section 4.3.1 notes the CDO is based in Dubai (GMT+4). No named, formally designated SEO for Simpaisa Technologies LTD is confirmed in the OpModel. | Formally designate the SEO for Simpaisa Technologies LTD. The CDO (Daniel O'Reilly, Dubai-based) is the natural candidate given his DIFC remit. Complete DFSA approved person application for the SEO. Confirm UAE residency documentation. The DFSA requires the SEO to be ordinarily resident in the UAE. | High | CEO / CDO / GH Regulatory Affairs |
| 3 | Money Laundering Reporting Officer (MLRO) | Partially Met | Section 11.4.3 identifies MLRO appointment as a key milestone. Section 12.5.2 references "UAE MLRO (to be appointed)" for post-authorisation STR reporting via goAML. Section 12.1.3 notes the Group CCO structure is under development. Eastnets sanctions screening platform is in place (Section 12.6.2). AML/CFT programme architecture is documented (Section 12.2). UAE-specific AML addendum flagged as required but not yet drafted (Section 12.2.1). | Appoint a named, DFSA-approved MLRO for Simpaisa Technologies LTD. The MLRO must be UAE-resident, an approved person under the DFSA Authorised Individuals regime, and possess demonstrable AML/CFT expertise. Draft UAE-specific AML/CFT policy addendum compliant with DFSA AML Module. Register MLRO on goAML portal post-authorisation. | High | GH Regulatory Affairs / Group CCO |
| 4 | Compliance Officer | Partially Met | Group CCO role is flagged as required but not yet filled (Section 12.1.3: "[to be appointed - TBC]"). CRC terms of reference reference Group CCO as a standing invitee (Section 4.2.2). Compliance programme structure (3LoD) is well-documented (Section 12.1). Compliance monitoring framework is documented (Section 12.10). | Appoint a named, DFSA-approved Compliance Officer for Simpaisa Technologies LTD. May be the same person as the Group CCO or a separate UAE-based appointee - confirm with DFSA and legal counsel. The Compliance Officer must be an approved individual under the DFSA framework. | High | CEO / GH Regulatory Affairs |
| 5 | Finance Officer | Gap | No Finance Officer for Simpaisa Technologies LTD is identified in the OpModel. The Global CFO (Mohammad Mustafa) is referenced in the ELT structure (Section 4.3.1) but is not designated as a DFSA-approved Finance Officer for the DIFC entity specifically. | Designate and formally appoint a Finance Officer for Simpaisa Technologies LTD. Confirm whether the Global CFO can fulfil this role under DFSA approved individual requirements, or whether a separate UAE-resident Finance Officer is required. Submit approved individual application to DFSA. | High | CFO / GH Regulatory Affairs |
| 6 | Adequate Capital (USD 300K–500K minimum) | Partially Met | Section 11.4.3 confirms the capital requirement: "USD 300,000–500,000 minimum regulatory capital (to be confirmed at application assessment)." Section 11.3, Step 5 documents the requirement to seed capital into the licensed entity. Section 12.8.2 confirms client funds safeguarding principles (segregation, designated accounts). No confirmation of capital injection into Simpaisa Technologies LTD or evidence of funds available is referenced. | Confirm quantum of required capital with DFSA (Category 3D capital requirement will be determined at assessment; budget for USD 500K). Arrange capital injection into Simpaisa Technologies LTD from HoldCo. Prepare source of funds documentation for regulatory submission. Ensure ongoing capital adequacy monitoring is embedded into Finance Officer's responsibilities. | High | CFO / CEO / Board |
| 7 | Systems and Controls Documentation | Partially Met | Section 12.1 documents the three lines of defence framework. Section 12.2–12.10 documents AML/CFT, KYC/KYB, transaction monitoring, SAR/STR, sanctions, ABC, client safeguarding, anti-fraud, and compliance monitoring programmes in detail. Section 4.4 documents the Delegation of Authority Matrix. Technology controls are referenced via ISO 27001 and PCI DSS compliance (Section 4.2.4 TISCo; Section 4.5.3 audit calendar). UAE-specific systems and controls addendum and the DFSA-specific MLRO/Compliance Officer procedures have not been drafted. | Compile a DFSA Regulatory Business Plan that consolidates systems and controls documentation into a DFSA-format submission. Draft UAE/DIFC-specific procedures for AML/CFT, client money, and complaints. Prepare Technology and Operational Description for the DFSA application. | High | CDO / GH Regulatory Affairs |
| 8 | Business Plan | Partially Met | Section 11.4.3 references preparation of a "Regulatory Business Plan approved by Board" as a key milestone. Section 11.3, Step 4 and Step 6 describe the business plan content requirements. Section 11.1.1 describes the strategic rationale for the DFSA licence. Financial projections are referenced as part of the application pack (Section 11.3, Step 6) but are not included in the OpModel document. | Prepare and finalise the DFSA Regulatory Business Plan. Must include: ownership and corporate structure; business model and products; target markets and corridors; three-year financial projections; governance structure; AML/CFT programme summary; technology description; risk management approach. Requires Board approval before submission. | High | CFO / CDO / GH Regulatory Affairs / CEO |
| 9 | Operational Resilience | Partially Met | Section 4.2.1 (ARC terms of reference) includes oversight of business continuity and disaster recovery planning. Section 11.3, Step 8 references Business Continuity Plan preparation as part of pre-launch operational build. ISO 27001 certification is in progress (referenced at Section 4.5.3 audit calendar). PCI DSS compliance is documented. A dedicated Operational Resilience Policy for the DIFC entity has not been specifically identified. | Draft an Operational Resilience Policy and Business Continuity Plan specific to Simpaisa Technologies LTD and its DIFC operations. Include recovery time objectives (RTOs) and recovery point objectives (RPOs). Demonstrate tested BCP/DR. Map critical business services. This is increasingly a DFSA focus area - treat as a standalone deliverable. | High | CDO / CISO / COO |
| 10 | Outsourcing Governance | Partially Met | Section 4.2.1 (ARC) references oversight of third-party and outsourcing risk management. Section 11.3, Steps 5 and 6 reference intercompany agreements and third-party documentation as part of the application. Section 12.7.2 documents third-party due diligence for ABC purposes. No dedicated Outsourcing Policy or Group Outsourcing Register is referenced. The DFSA has specific requirements for outsourcing arrangements by Authorised Firms, including material outsourcing notifications. | Draft a DFSA-compliant Outsourcing Policy for Simpaisa Technologies LTD. Prepare an Outsourcing Register covering all material outsourced functions (technology infrastructure, compliance technology, payment processing). Assess whether any outsourcing arrangements require DFSA prior notification. Intragroup outsourcing (e.g., technology services from Simpaisa Group entities to the DIFC entity) requires specific governance. | Medium | CDO / COO / GH Regulatory Affairs |
| 11 | Data Protection - DIFC DPL 2020 | Partially Met | Section 4.2.4 (TISCo terms of reference) references data governance and privacy compliance, listing UAE data protection law alongside PDPA, PECA, Bangladesh ICT Act, and Nepal Privacy Act. The DIFC Data Protection Law 2020 (DPL 2020) is not specifically named but "UAE data protection law" is referenced. Section 12.3.3 documents record-keeping standards. No Data Protection Policy or designated DIFC Data Protection Officer is referenced. | Confirm that "UAE data protection law" coverage in TISCo scope encompasses specifically the DIFC DPL 2020. Draft or adapt the Group Data Protection / Privacy Policy to be DPL 2020 compliant. Assess requirement for a DIFC Data Protection Officer (DPO). Register with the DIFC Commissioner of Data Protection. Conduct data mapping exercise for Simpaisa Technologies LTD data flows. | Medium | CDO / GH Regulatory Affairs |
| 12 | Client Money Protection | Partially Met | Section 12.8 documents the Group Client Funds Safeguarding Policy (existing Tier 1 document, approved Q4 2024). Section 12.8.2 specifies segregation, designated accounts, daily reconciliation, and insolvency protection principles. Section 12.8.3 explicitly references DFSA Client Money Rules: "DFSA Client Money Rules apply; full client money segregation required; DFSA annual client money audit." No confirmation that a DIFC-specific segregated client account has been established. | Open a designated DIFC client money account at a DFSA-accepted bank. Engage legal counsel to confirm that Simpaisa Technologies LTD's safeguarding structure satisfies DFSA Client Money Rules specifically. Prepare for DFSA annual client money audit requirement from Day 1 of authorisation. Update treasury procedures to reflect DIFC entity. | High | CFO / GH Regulatory Affairs |
| 13 | Fit and Proper Assessments - All Approved Individuals | Partially Met | Section 4.1.4 references the Group Fit and Proper Policy "[to be drafted - see Section 27.4]." Section 4.2.3 (RemNom) assigns oversight of Fit and Proper Policy and confirmation that all directors and senior managers meet requirements. Section 4.2.2 (CRC) assigns oversight of fit and proper assessments for approved persons across regulated entities. Section 11.3, Step 4 identifies the requirement to assess fitness and propriety of all controlled function holders. The Group Fit and Proper Policy has not yet been drafted. | Draft the Group Fit and Proper Policy (identified as Section 27.4 - listed as TBC). Conduct formal fit and proper assessments for all proposed DFSA approved individuals: SEO, MLRO, Compliance Officer, Finance Officer, and any other controlled function holders. Compile supporting documentation packages for each DFSA approved individual application (CVs, criminal record checks, regulatory references, financial soundness declarations). | High | GH Regulatory Affairs / RemNom / CEO |
| 14 | AML/CFT Programme - DFSA AML Module Compliant | Partially Met | Section 12.2 documents a comprehensive Group AML/CFT/CPF programme with FATF alignment. Eastnets sanctions screening is in place (Section 12.6.2). Transaction monitoring programme is documented (Section 12.4). SAR/STR reporting is documented with UAE/goAML requirement noted (Section 12.5.2). However, Section 12.2.1 explicitly flags: "UAE - Simpaisa Technologies (DFSA AML/CFT requirements upon authorisation)" as a required addendum not yet drafted. The Group programme is designed to FATF standard; DFSA AML Module has specific additional requirements. | Draft the UAE/DIFC-specific AML/CFT addendum for Simpaisa Technologies LTD, aligned to the DFSA AML Module. Areas requiring specific DFSA-specific treatment include: Customer Risk Assessment methodology per DFSA guidance; Correspondent banking controls; DFSA reporting obligations post-authorisation; goAML registration; UAE National Risk Assessment alignment. This is a prerequisite for the MLRO appointment and DFSA application. | High | Group CCO / GH Regulatory Affairs / MLRO (designate) |
| 15 | Risk Management Framework | Partially Met | Section 4.2.1 (ARC) provides Board-level oversight of the Enterprise Risk Management framework and Group Risk Appetite Statement. Section 12.1 documents the 3LoD framework. Section 12.2.4 documents the annual Financial Crime Risk Assessment. Section 12.9 documents the anti-fraud programme with fraud typology risk mapping. A Group CRO / Risk function is flagged as pending formalisation: "Group Risk function [CRO/Risk function to be formally structured - TBC]" (Section 12.1.3). The Group Risk Appetite Statement is referenced but not reproduced in the OpModel. | Formally establish the Group Risk function and CRO role (currently vacant per OpModel). Draft and Board-approve the Group Risk Appetite Statement. Prepare an Enterprise Risk Management framework document suitable for DFSA submission. Ensure the DIFC entity has its own risk register and risk reporting cadence. The DFSA will scrutinise the risk framework for the Authorised Firm specifically. | High | CEO / Board / GH Regulatory Affairs |
| 16 | Governance Structure with Adequate Board Oversight | Met | Section 4.1 documents the Board composition, roles, and meeting cadence. Section 4.2 documents four standing Board committees: ARC, CRC, RemNom, and TISCo. Section 4.3 documents the ELT structure. Section 4.4 documents the Delegation of Authority Matrix. Section 4.5 documents the Governance Calendar. The Non-Executive Chairman is confirmed (Nadeem Hussain). The Board has the requisite NED representation. One gap: an Independent Non-Executive Director (INED) has not yet been formally appointed (Section 4.1.1: "[INED appointment required - TBC]"), which the DFSA expects for the ARC chair role. | Appoint at least one INED to the Board, with demonstrable financial services or payments regulatory expertise, to chair the ARC. This is expressly noted in the OpModel as a pending Board resolution. Formalise and adopt the Board Charter (referenced as "[Full Board Charter to be drafted and adopted - TBC]" at Section 4.1.4). Provide Board Committee Terms of Reference to the DFSA as part of the governance submission. | High | Board / RemNom |
| 17 | Complaint Handling Procedures | Gap | No complaint handling policy or procedures are referenced anywhere in the OpModel (Sections 4, 11, or 12). The DFSA requires Authorised Firms to maintain a formal complaints management process, including defined response timeframes, escalation procedures, reporting to the DFSA on complaints data, and root cause analysis. | Draft a DFSA-compliant Complaints Handling Policy and Procedures for Simpaisa Technologies LTD. Must address: complaint receipt and logging; acknowledgement timeframes (DFSA requires acknowledgement within 5 business days; resolution within 30 business days); escalation to senior management; DFSA reportable complaints; annual complaints data analysis; root cause analysis and remediation. | High | GH Regulatory Affairs / COO / CDO |
| 18 | Professional Indemnity Insurance | Gap | No reference to professional indemnity insurance, errors and omissions (E&O) cover, or any insurance programme is made in the OpModel (Sections 4, 11, or 12). The DFSA requires Category 3D firms to maintain adequate professional indemnity insurance commensurate with the scope of regulated activities. | Engage an insurance broker to arrange professional indemnity / errors and omissions insurance for Simpaisa Technologies LTD, sized appropriately for a DFSA Category 3D firm providing money services. Obtain confirmation from legal counsel / DFSA on minimum coverage thresholds (the DFSA does not prescribe a fixed minimum but expects cover proportionate to the business). Provide evidence of cover to the DFSA as part of the application. | High | CFO / GH Regulatory Affairs |

Summary Dashboard

| Status | Count | Requirements |
|---|---|---|
| Met | 2 | Non-Executive Chairperson; Governance Structure |
| Partially Met | 11 | SEO, MLRO, Compliance Officer, Finance Officer, Capital, Systems & Controls, Business Plan, Operational Resilience, Outsourcing Governance, Data Protection, Client Money, Fit & Proper, AML/CFT Programme, Risk Management Framework |
| Gap | 3 | Complaint Handling Procedures; Professional Indemnity Insurance; Finance Officer (no designation) |

Note: Two items appear in both "Partially Met" and "Gap" categories in the detail above, reflecting their dual nature (partially addressed in the Group framework, but with a specific DIFC-entity gap). The dashboard treats items with any OpModel reference as Partially Met; items with no OpModel reference whatsoever as Gap.


Priority Action Plan

Immediate Actions (Prior to Application Submission)

The following items are prerequisites for a complete DFSA application and should be resolved before the formal application pack is submitted:

  1. Designate SEO - Formally designate and prepare the DFSA approved individual application for the SEO. Recommended: CDO (Daniel O'Reilly) given Dubai residency and executive remit.
  2. Appoint MLRO - Identify, appoint, and prepare DFSA approved individual application for a UAE-resident MLRO with DFSA-relevant AML/CFT expertise.
  3. Appoint Compliance Officer - Identify, appoint (or confirm as same person as Group CCO), and prepare DFSA approved individual application.
  4. Designate Finance Officer - Confirm whether Global CFO can fulfil this role or whether a separate UAE appointee is required.
  5. Draft Fit and Proper Policy - Group Fit and Proper Policy is a prerequisite for all approved individual applications. Currently flagged as a TBC/to-be-drafted item.
  6. Draft DFSA-specific AML/CFT addendum - Required for MLRO appointment and DFSA application.
  7. Draft Complaint Handling Procedures - No reference in any current OpModel section; start from scratch.
  8. Arrange Professional Indemnity Insurance - No existing reference; engage broker immediately.
  9. Confirm and inject minimum capital - Arrange USD 300K–500K capital injection into Simpaisa Technologies LTD with source of funds documentation.
  10. Board Charter adoption - Formalise and adopt the Board Charter before DFSA application submission.
  11. INED appointment - Required for ARC independence; DFSA will scrutinise Board composition.

Near-Term Actions (Concurrent with Application Process)

  1. DFSA Regulatory Business Plan - Consolidate all documentation into a DFSA-format regulatory business plan. Requires Board approval.
  2. Operational Resilience Policy and BCP - DIFC-entity-specific document, distinct from Group-level BCP.
  3. Outsourcing Policy and Register - Identify all material outsourcing arrangements; assess DFSA notification requirements.
  4. DIFC DPL 2020 compliance - Data mapping, DPO assessment, DIFC Data Protection Commissioner registration.
  5. Client money account - Open designated DIFC segregated client account at a DFSA-accepted bank.
  6. Group Risk Appetite Statement - Board approval required; input to DFSA governance submission.
  7. CRO / Risk function formalisation - Appoint or designate a CRO.

Ownership Summary

| Owner | Actions |
|---|---|
| CEO | SEO designation; Board Charter; INED appointment; Business Plan sign-off; Risk Appetite Statement |
| CDO (Daniel O'Reilly) | Systems & Controls documentation; Operational Resilience; Outsourcing Governance; DIFC DPL 2020; Business Plan (technology sections); Regulatory Business Plan co-ordination |
| GH Regulatory Affairs (Shoukat Bizinjo) | All DFSA approved individual applications; AML/CFT addendum; Complaints Handling Policy; application submission and DFSA dialogue; Outsourcing register |
| CFO (Mohammad Mustafa) | Capital injection; Finance Officer designation; Client money account; Professional Indemnity Insurance; Financial projections for Business Plan |
| Group CCO (TBC) | AML/CFT addendum; Fit and Proper Policy; Compliance monitoring; Risk framework |
| Board / RemNom | INED appointment; Board Charter adoption; Fit and Proper Policy approval |

Cross-reference: Section 04-11-12 - Governance, Regulatory and Compliance (Version 0.1, April 2026)