A fintech operating in the DIFC or ADGM, or an NBFC operating under CBUAE regulation, faces a risk governance question that the established banks in the same jurisdictions do not. The regulatory frameworks the institution must meet have been built primarily with traditional bank balance sheets in mind. The operational reality of the institution is closer to a software product than to a balance sheet.

The temptation, when establishing risk policies, is to adopt the structure used by a comparable bank — sometimes by copying the policy text directly, more often by working with advisors whose template library is built on bank frameworks. The resulting document satisfies the regulator’s checklist requirement. It also tends to be substantively inappropriate for the business it is meant to govern. Credit policy thresholds that make sense for a bank with a hundred billion dirhams in assets do not transfer to an institution with three hundred million. Operational risk frameworks that assume an established control environment do not transfer to an organisation whose control environment is being built in real time.

The opposite temptation — to defer rigorous risk policy until the institution reaches a size that demands it — is also widely available, and is the more dangerous of the two. Risk policy that does not exist when the institution is small is rarely retrofittable when the institution scales. The discipline that the policy is meant to install is harder to install over an established culture than to build into one that is still forming.

The institutions that have navigated this well — and there is now a substantial enough population of mature fintechs and NBFCs in the GCC to draw observations from — have done so by accepting that right-sized risk governance is not a smaller version of a bank’s risk governance. It is a structurally different exercise.

What right-sized actually means

A right-sized risk policy is not a shorter version of a bank policy with sections deleted. It is a policy whose specific provisions are calibrated to the institution’s actual risk profile, with structure and depth proportionate to the materiality of each risk dimension for the business.

For a fintech operating primarily in retail payments, credit risk policy needs less depth than operational and cyber risk policy. For an NBFC operating in SME lending, credit risk policy needs the depth a comparable bank’s policy would have, but operational risk policy can be substantially leaner because the operational complexity is lower. For a digital bank operating across multiple product lines, both need depth, but in a structure that reflects the institution’s actual concentration risks rather than a generic enterprise template.

This calibration requires the institution to understand its own risk profile in operational detail before drafting policy. The risk profile drives the policy structure, not the other way around. An advisor or template that imposes a structure first and then asks the institution to populate it tends to produce policy that is administratively complete and substantively misaligned.

Risk appetite — the statement that does the work

The risk appetite statement is the single document that most distinguishes a risk policy framework that informs decisions from one that exists for compliance. For a fintech or NBFC, the substance of risk appetite tends to differ from a bank’s appetite in three specific ways.

The risk appetite for capital adequacy is rarely expressed in terms of regulatory minimum buffers alone. For a fintech, the binding constraint is more often the equity runway against business plan rather than the regulatory capital ratio. The appetite should reflect that — with metrics around equity headroom against operational losses, against credit losses for institutions taking credit risk, and against the working capital required for product expansion.

The risk appetite for operational risk is rarely usefully expressed in terms of operational risk capital. For a fintech operating digital channels, the appetite is better expressed in terms of system availability, transaction error rates, fraud loss tolerance, and customer complaint volumes. These are the operational metrics that map to the actual risk profile, and they are the metrics that operational risk management can act on.

The risk appetite for strategic and concentration risk tends to require more attention in a fintech than in a bank. A fintech with three large corporate customers representing forty percent of revenue has a concentration risk that has no clean analogue in a bank’s risk taxonomy. A fintech with a single payment scheme partner has a concentration risk that a bank would describe as a vendor risk but that, for the fintech, is closer to existential. The risk appetite needs to surface these dependencies as primary risks, not as footnotes to a more conventional risk framework.

Underwriting policy — calibrating to the digital reality

For fintechs and NBFCs that take credit risk, the underwriting policy is the document where the gap between traditional bank policy and digital reality shows up most acutely. A traditional bank’s underwriting policy assumes a relationship-based decisioning process, with multiple human touchpoints in the customer journey. A digital lender’s underwriting is an automated decisioning chain with a single application, an algorithmic decision, and a disbursement window measured in hours rather than days.

The policy that governs the digital chain needs to specify different things than the policy that governs the relationship-based chain. The data sources used in the decision need to be enumerated and their reliability assessed. The decisioning rules need to be documented as rules, not as factors. The override governance needs to specify what manual interventions are permitted, in what circumstances, with what authority — and crucially, what the monitoring is for the rate at which overrides occur. A digital underwriting policy that does not address override governance has missed one of the most operationally important parts of the process.

The CBUAE has, in recent regulatory dialogue with NBFCs and fintech-adjacent institutions, expressed interest in the substantive quality of digital underwriting decisions in a way that goes beyond the policy document. The supervisor’s question — increasingly common — is not whether the underwriting policy exists but whether the institution can demonstrate that the policy is being applied as written, with monitoring that surfaces drift between policy and practice.

Operational risk in a digital-first environment

The operational risk framework for a fintech sits at the intersection of conventional operational risk, technology risk, cyber risk, and third-party risk. The conventional operational risk taxonomy — Basel categories of internal fraud, external fraud, employment practices, clients and products, damage to physical assets, business disruption, and execution failures — captures parts of the digital risk profile but not the whole of it.

The framework that works for a fintech tends to extend the conventional taxonomy in directions the institution’s actual exposures require. Cyber events as a category. API and integration failure as a sub-category. Third-party platform dependency as a category. Data event response as a discipline that bridges operational and reputational risk. Regulatory technology change as a category that captures the risk of being unable to keep pace with regulatory updates.

For institutions operating under DFSA or FSRA in the DIFC and ADGM respectively, the operational resilience expectations are increasingly aligned with the broader international supervisory direction — the Basel principles for operational resilience, the FSB direction on third-party risk, and the supervisory focus on impact tolerance for critical business services. The fintech’s operational risk framework needs to engage with these expectations directly, not by reference to bank templates that predate them.

A closing observation

In recent engagements with fintechs and NBFCs across the GCC, the most consistent observation has not been that the institutions take risk governance lightly. Most leadership teams are highly aware of the regulatory expectations and committed to meeting them. The challenge has more often been navigating the gap between what the available policy templates offer and what the institution’s actual risk profile requires.

The answer is rarely to write less policy. It is to write policy that is specific to the institution. The risk appetite that reflects the institution’s actual concentration. The underwriting policy that addresses the actual decisioning chain. The operational risk framework that engages with the actual exposure profile. The investment in specificity at the policy stage tends to be the investment that makes the policy useful in operation, and that makes supervisory dialogue substantive rather than ceremonial.

For institutions building or refreshing this framework, the discipline worth applying is to start with the risk profile, draft the policy that fits it, and treat the regulatory template as the structural anchor rather than as the source of substance. The framework can be both regulator-aligned and institution-appropriate. The two are not in tension when the work is done in that order.