What is DIFC Regulation 10 and when did it come into force?
DIFC Regulation 10 is an appendix to the DIFC Data Protection Law 2020, added in late 2023 and entering enforcement in January 2026. It governs the processing of personal data by autonomous and semi-autonomous systems — any system that uses automated processing to make or influence decisions about individuals with limited or no human intervention.
The DFSA began actively examining for Regulation 10 compliance in early 2026. With 661 licensed firms in DIFC, 52% actively using AI, and 21% without adequate accountability mechanisms according to the DFSA's own 2025 survey, enforcement exposure is significant.
Who does it apply to?
Regulation 10 applies to all entities licensed by the DFSA that process personal data using autonomous or semi-autonomous systems. In practice this covers the majority of fintechs and financial institutions in DIFC deploying AI in credit scoring, fraud detection, KYC classification, customer service, or compliance monitoring.
The key test: does your system process personal data and make or influence decisions about individuals? If yes to both, Regulation 10 applies.
The five core obligations
1. Pre-deployment risk assessment
Before any High or Medium risk autonomous system goes live, you must complete a documented risk assessment covering the system's decision scope, the population affected, data inputs and their quality, known failure modes, and the human oversight mechanism in place. The assessment must be signed off by a technical reviewer and a business approver before the model touches production data.
2. Human oversight mechanism
You must configure and document a mechanism for human review of model decisions. This means defining: under what conditions a human must review an output before it is acted on, who conducts that review, the maximum review time before escalation, and how reviews are logged.
3. Explainability for consequential decisions
For any decision that materially affects an individual — a credit decline, a fraud block, a KYC rejection — you must be able to produce a plain-language explanation of why that decision was made, comprehensible to a non-specialist. Technical feature attribution alone does not satisfy this requirement.
4. Immutable audit trail
You must keep a tamper-evident log of every decision made by each covered system — including the input data, model version, output, confidence score, and whether a human reviewed the decision. The trail must be searchable by customer ID and exportable for regulatory examination within a reasonable timeframe.
5. Ongoing monitoring and review
Models must be monitored in production for performance drift, volume anomalies, and override rates. Models must be reviewed on a defined cadence and revalidated when performance deteriorates or when a significant model update is deployed.
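The audit-trail obligation (obligation 4) and the override-rate monitoring in obligation 5 are the two points where an engineer has to commit to a concrete design, so here is an added worked example. It is not code from the page, the DFSA or any DIFC firm, and the field names, the SHA-256 hash chain, the all-zero genesis sentinel and the four sample decisions are all this example's own assumptions. It shows one way to get the three properties the text asks for: tamper evidence (each entry commits to the previous entry's hash, so editing or reordering any record breaks verification), lookup by customer ID in constant time, and an override rate computed from the same records rather than from a separate spreadsheet.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # assumed sentinel used as prev_hash of the first entry


@dataclass
class DecisionRecord:
    """One audit-trail entry. Field names are this example's choice; the
    regulation names the content (inputs, model version, output,
    confidence, human review), not a schema."""
    decision_id: str
    timestamp: str                 # ISO 8601 in UTC, so string order == time order
    model_id: str
    model_version: str
    customer_id: str
    inputs: Dict[str, object]
    output: str
    confidence: float
    human_reviewed: bool
    reviewer: Optional[str]        # named reviewer when human_reviewed is True
    review_outcome: Optional[str]  # "upheld" or "overridden", else None
    prev_hash: str                 # hash of the preceding entry (the chain link)
    entry_hash: str = ""           # SHA-256 over every field above


def _canonical_bytes(rec: DecisionRecord) -> bytes:
    """Deterministic serialisation of a record, excluding its own hash."""
    body = asdict(rec)
    body.pop("entry_hash")
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


class DecisionLog:
    """Append-only, hash-chained decision log with a customer-ID index."""

    def __init__(self) -> None:
        self._entries: List[DecisionRecord] = []
        self._by_customer: Dict[str, List[int]] = {}  # customer_id -> entry indexes

    def append(self, **fields) -> DecisionRecord:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        rec = DecisionRecord(prev_hash=prev, **fields)
        rec.entry_hash = hashlib.sha256(_canonical_bytes(rec)).hexdigest()
        self._entries.append(rec)
        self._by_customer.setdefault(rec.customer_id, []).append(len(self._entries) - 1)
        return rec

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, dropped or reordered entry breaks the chain."""
        prev = GENESIS_HASH
        for rec in self._entries:
            if rec.prev_hash != prev:
                return False
            if hashlib.sha256(_canonical_bytes(rec)).hexdigest() != rec.entry_hash:
                return False
            prev = rec.entry_hash
        return True

    def decisions_for_customer(self, customer_id: str, since: str = "") -> List[DecisionRecord]:
        """All decisions about one customer, optionally from an ISO timestamp onward."""
        idx = self._by_customer.get(customer_id, [])
        return [self._entries[i] for i in idx if self._entries[i].timestamp >= since]

    def override_rate(self, model_id: str) -> float:
        """Share of human-reviewed decisions for a model that the reviewer overrode."""
        reviewed = [r for r in self._entries if r.model_id == model_id and r.human_reviewed]
        if not reviewed:
            return 0.0
        overridden = sum(1 for r in reviewed if r.review_outcome == "overridden")
        return overridden / len(reviewed)

    def export_jsonl(self) -> str:
        """Examiner-facing export: one JSON object per line, hashes included."""
        return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in self._entries)


def build_sample_log() -> DecisionLog:
    """Constructed sample records for illustration; not real customers or models."""
    log = DecisionLog()
    common = dict(model_version="3.2.1")
    log.append(decision_id="d-001", timestamp="2026-01-05T09:00:00Z", model_id="credit-score",
               customer_id="C-1001", inputs={"income": 9000, "dti": 0.41}, output="decline",
               confidence=0.71, human_reviewed=True, reviewer="analyst.a",
               review_outcome="overridden", **common)
    log.append(decision_id="d-002", timestamp="2026-01-05T09:05:00Z", model_id="credit-score",
               customer_id="C-1002", inputs={"income": 15000, "dti": 0.22}, output="approve",
               confidence=0.93, human_reviewed=False, reviewer=None, review_outcome=None, **common)
    log.append(decision_id="d-003", timestamp="2026-01-07T11:30:00Z", model_id="fraud-screen",
               customer_id="C-1001", inputs={"amount": 4200, "new_payee": True}, output="block",
               confidence=0.88, human_reviewed=True, reviewer="analyst.b",
               review_outcome="upheld", **common)
    log.append(decision_id="d-004", timestamp="2026-01-08T08:15:00Z", model_id="credit-score",
               customer_id="C-1003", inputs={"income": 7000, "dti": 0.55}, output="decline",
               confidence=0.64, human_reviewed=True, reviewer="analyst.a",
               review_outcome="upheld", **common)
    return log
```

A hash chain only proves that the log is internally consistent; someone with write access to the whole store could rewrite every entry and recompute every hash. To make the trail genuinely tamper-evident, the latest `entry_hash` has to be anchored somewhere the log writer cannot alter, for example written periodically to write-once storage or signed by a key the application does not hold, and `verify_chain` compared against that anchor during the periodic review the text calls for.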
What "consequential decision" means in practice
A consequential decision is one that materially affects an individual's financial position, access to services, or legal rights. In the DIFC financial context this covers: credit approvals and declines, fraud blocks on customer accounts, KYC rejections preventing account opening, and compliance flags that restrict transactions.
A customer segmentation model used for internal analytics is unlikely to be consequential. A credit scoring model that determines whether someone receives a personal loan is consequential. When in doubt, treat it as consequential — the cost of over-governing a low-stakes model is administration; the cost of under-governing a high-stakes model is enforcement.
How the DFSA examines for Regulation 10 compliance
Based on DFSA supervisory signals, examiners typically request these six documents first:
- The complete model inventory with risk tier assignments
- The pre-deployment risk assessment for each High-risk model, with sign-off evidence
- The human oversight configuration documentation per model
- A sample of the audit log for a specified date range
- Override rate data for the last 90 days
- The board-level AI risk report from the most recent quarter
If any of these cannot be produced within two hours of a request, that gap is itself a finding.
The most common compliance gaps
Incomplete model inventories — only the primary credit scoring model is registered, while the KYC classifier and the fraud pre-screening model are not. Regulators expect every system, not just the most visible one.
No pre-deployment documentation for models live before January 2026. The model is in production but no formal assessment exists on file.
Audit trails that cannot be searched by customer. Server logs exist but responding to a regulator's request for "all decisions about customer X in the last 90 days" takes days rather than minutes.
Human oversight practised but not documented. Analysts review flagged decisions, but there is no formal log attributing each review to a named reviewer with a timestamp and outcome.
A 90-day compliance programme
Days 1–14: Complete the model inventory. Register every AI system in production, assign risk tiers, confirm ownership.
Days 15–35: Complete pre-deployment assessments for all High-risk models. Get multi-party sign-offs. Produce PDF artifacts for each.
Days 36–55: Instrument the audit trail. Ensure every High and Medium risk model's decisions are logged with the required fields. Test searchability by customer ID.
Days 56–70: Configure human oversight triggers per model. Document the mechanism. Begin logging human reviews with named reviewers and outcomes.
Days 71–85: Produce the first board-level AI risk report. Review override rates. Identify any models requiring revalidation.
Days 86–90: Run a dry examination exercise — attempt to produce all six documents an examiner would request, within two hours. Identify remaining gaps.