From Idea to Licence: The DFSA AFN Playbook Every Crypto Firm in DIFC Should Master

This article distils the DFSA’s Application Forms & Notices Sourcebook (AFN/VER52/11-22) into a practical roadmap for founders, compliance leads, and counsel. It is general information, not legal advice.

Why AFN matters (and what it really is)

Before the first line of code ships or the first order is matched, a DIFC crypto business has to pass the authorization gate – and the AFN is the admin backbone of that journey. It’s the DFSA’s consolidated pack of forms, notices, and “how to file” instructions, arranged by chapter (AUT, SUP, GEN, AMI, MKT, DNFBP, AML, AUD, FPR). In short, AFN tells you which form to file, when, and how, and points to the live rule modules (GEN, PIB, etc.) you must satisfy.

Crypto note: AFN is technology-neutral – there are no crypto-specific forms. Your crypto perimeter, promotions constraints, and token recognition sit in GEN, but you still file the same AFN forms to get authorised.

The map: AFN’s chapters you’ll actually touch

AUT forms (authorisation) – the starting line

• AUT NOTES (how to complete the pack)
• AUT CORE (Core Information)
• AUT STS (Sales & Trading – for dealing, arranging, advising, custody)
• AUT AMS (Asset Management)
• AUT MS (Money Services)

Several legacy PDFs are replaced by online workflows – “go to the ePortal” is a recurring instruction.

SUP forms (post-authorisation changes)

• SUP4 (vary a Licence) and SUP5 (add/remove endorsements) are your workhorses; SUP6 (withdraw a licence) is ePortal-only.

GEN, AMI, MKT, DNFBP, AML, AUD, FPR

• GEN1 (waiver/mod) and GEN2 (auditor changes).
• AMI3 (change in control for AMIs).
• MKT1/MKT3 (Official List & sponsor).
• DNFBP/AML/AUD/FPR processes largely moved onto the DFSA ePortal.

What “good” looks like: the AUT NOTES (your build spec)

The AUT NOTES embedded in AFN are the DFSA’s practical guide to filing – exactly what belongs in each section, how long your Regulatory Business Plan (RBP) should be, and the compulsory supporting documents you must deliver.

1) Core Information (AUT CORE): governance, people, prudentials

• Declare your structure (DIFC entity vs branch), controllers, client types, systems, premises, and auditor.
• File Authorised Individual applications for each Licensed Function – the DFSA does not expect the same person to hold both business and control roles (e.g., SEO and CO).
• Provide three-year quarterly projections (B/S, P&L, cash) plus a Capital Resources vs Capital Requirement bridge in DFSA return format; explain key assumptions and stress tests.
• Source of start-up funds (bank reference, origin of funds) is mandatory for new firms.
• Map prudential and accounting standards: PIB 1.3 for category; GEN 8.2 for IFRS/AAOIFI (waiver needed if different).

2) Compulsory supporting documents (the fast way to a DFSA query)

CF32 – Compliance Manual (critical)

DFSA calls this document “critical” and it will be reviewed post-authorisation. Your manual should consolidate:

• compliance governance & reporting;
• client classification, promotions, suitability, fee/inducement disclosures, and segregation of Client Assets;
• breach detection/escalation, rule-change tracking, complaints (GEN ch. 9);
• outsourcing oversight; client verification; training & competence; conflicts and PA dealing; financial reporting & capital compliance.

CF34 – Compliance Monitoring Programme: how monitoring works within business units.

CF35 – Risk Management Policy: how you identify, assess, mitigate, control, and monitor risks; include risk-function org, reporting lines, committee terms, and links to Group risk.

Cross-checking with GEN: these CF34/CF35 expectations mirror GEN 5.3 obligations to maintain risk, compliance, and (where required) internal audit systems. Use the Manual to show you meet them.

3) Regulatory Business Plan (RBP): a 50-page ceiling, not a target

Your RBP should “set out the strategy and rationale for establishing in the DIFC” and “demonstrate how the business will be managed and controlled.” DFSA recommends ≤ ~50 pages, proportionate to complexity. Explain services, client types, resources, risk factors, and controls at a high level.

Crypto overlay: how AFN fits with GEN (and what GEN expects of you)

AFN is the formwork; GEN is your legal test. For any licence application, GEN requires you to submit AFN forms and pay fees, and then prove you have adequate resources, fitness and propriety, and adequate compliance arrangements.

If your model involves Crypto Tokens, the specific perimeter (who may be authorised, token recognition, promotions) is in GEN and related rule modules. Even for non-crypto models, GEN 5.3 sets baseline expectations for risk, compliance, and internal audit – so your CF32/CF34/CF35 should read like a working operating system, not a policy museum.

Branch applicants: GEN also lays down specific pre-conditions for branches (e.g., cyber insurance; PII if advising on Crypto Tokens). Check these early if you intended a branch route.

Picking the right forms for common crypto models

Broker / OTC desk / Advisory with custody

• AUT CORE + AUT STS (dealing/arranging/advising; providing/arranging custody).
• SUP5 if you later add endorsements (e.g., Retail Client or Client Assets).

Asset manager investing in (tokenised) instruments

• AUT CORE + AUT AMS (managing assets; arranging/advising; custody as applicable).

Payment-adjacent rails

• AUT MS if you genuinely provide Money Services (AFN offers the form; your RBP must address use-cases and controls).

Market infrastructure (ATS/Exchange)

• Use the AUT STS (for ATS permissions) or the AMI suite for AMI authorisation; for changes, SUP4 (vary licence) / AMI3 (control changes).

“File once, run forever”: build artefacts the DFSA can supervise the next day

The AFN repeatedly warns that the Compliance Manual is “critical” and will be inspected by supervision after authorisation. That’s a signal to engineer (not just write) the following into your controls from day one:

• Client-asset segregation and reconciliations;
• Promotions workflow (approvals, legends, retail gating);
• Outsourcing governance (wallet providers, analytics, cloud);
• Breaches & complaints recording and closure;
• Training & competence for front office and ops;
• Risk reporting cadence and committee terms;
• Capital/PIB monitoring and stress-testing.

These themes line up with GEN 5.3 on risk, compliance, internal audit, and business planning – your AFN pack should demonstrate how you meet those rules in practice.

The “ePortal shift”: don’t chase dead PDFs

AFN flags many legacy forms as “Deleted – go to the ePortal” – including representative office, DNFBP, AML returns, and several Authorised Individual forms. Save time by staging your application on the DFSA ePortal from the outset (and by emailing the DFSA Authorisation team where AFN instructs).

A founder’s checklist (crypto-savvy edition)

1. Scope & structure – Decide DIFC entity vs branch; if branch, verify GEN branch pre-conditions early (e.g., cyber/PII for crypto advice).
2. Forms – AUT CORE + the right supplement(s): STS/AMS/MS; pencil in SUP4/SUP5 for post-authorisation changes.
3. RBP (≤ ~50 pages) – Strategy, business model, services, clients, risks, resources, and controls.
4. CF32/CF34/CF35 – Build a critical Compliance Manual, monitoring programme, and risk policy that actually runs your shop.
5. Financials – Three-year quarterly projections + capital bridge; stress tests and source-of-funds for start-ups.
6. GEN alignment – Be ready to show adequate resources, fitness & propriety, and adequate compliance arrangements when the DFSA tests your file under GEN 7.2 and GEN 5.3.

Common pitfalls that slow crypto applications

• Policy museums. Manuals that describe intent but not workflows, owners, or evidence pull the DFSA into extended Q&A. CF32 asks for operational detail – give it.
• Dual-hatting controls. Expect pushback if the same person carries business and control roles; the NOTES flag this explicitly.
• Under-modelled prudentials. Projections must tie to PIB categorisation and capital monitoring, with assumptions and stress-tests declared.
• Papering the wrong form. Variations or endorsements post-authorisation go through SUP4/SUP5, not a re-filed AUT.

AFN is the DFSA’s how-to for authorisation: it tells you which forms to file and what artefacts (RBP, CF32/34/35, projections, source-of-funds) to include. GEN is the why-you-qualify: adequate resources, fitness and propriety, and robust compliance systems. If you build your AFN pack to operate the business the day after the licence grant, you’ll be speaking the DFSA’s language from page one.

Disclaimer: 

This article summarises AFN/VER52/11-22 and selected GEN provisions and does not constitute legal advice. Always verify positions against the current DFSA Rulebook and ePortal guidance before filing.

FAQs: