UAE Legal Insights & Expert Commentary

Category: Banking

  • Federal Decree-Law No. 6/2025: A Comprehensive Analysis of the UAE Central Bank Law Reform and Strategic Financial Regulatory Overhaul

      EXECUTIVE SUMMARY: Strategic Implications of the Regulatory Overhaul
      Federal Decree-Law No. 6 of 2025, concerning the Central Bank and the Regulation of Financial Institutions, Activities, and Insurance Business (the “New CBUAE Law”), represents a landmark legislative milestone for the United Arab Emirates’ financial sector. Effective September 16, 2025, this law fundamentally restructures the supervisory framework, shifting from a segmented approach to a globally aligned, consolidated, and future-proofed regulatory model. The core conclusion for multinational financial groups and FinTech firms is that the regulatory jurisdiction of the Central Bank of the UAE (CBUAE) has been radically expanded in scope and depth. 

      Read more: Federal Decree-Law No. 6/2025: A Comprehensive Analysis of the UAE Central Bank Law Reform and Strategic Financial Regulatory Overhaul

      The strategic overhaul is anchored by three critical pillars: regulatory consolidation, perimeter expansion, and the implementation of a modern, executable resolution regime. First, the law consolidates the supervision of banking, payments, and insurance activities under the singular authority of the CBUAE. Second, the introduction of Article 62 significantly expands the regulatory perimeter, bringing technology enablers, Open Finance services, and Virtual Asset payment infrastructure into mandatory CBUAE licensing. Third, the CBUAE is granted comprehensive crisis management powers, including the statutory authority to implement bail-in mechanisms and establish bridge institutions, aligning the UAE with global financial stability standards. 
      For entities operating or intending to operate within the UAE, especially those in the FinTech sector now captured by Article 62, immediate strategic review is mandatory. All newly captured entities must regularize licensing and compliance efforts before the critical deadline of September 16, 2026. Failure to comply will invite the CBUAE’s vastly enhanced enforcement powers, which include maximum administrative fines up to AED 1 billion. 
      SECTION 1: Legislative Foundation and Institutional Governance
      1.1. Context and Legislative Mandate: Consolidation of Supervisory Authority
      The Federal Decree-Law No. 6/2025, issued on September 8, 2025, and effective eight days later, fundamentally replaces the prior legal framework governing the UAE financial system. Specifically, the New CBUAE Law repeals and replaces Federal Decree-Law No. 14 of 2018 (the “2018 Law”), which previously governed the CBUAE and financial institutions, and Federal Decree-Law No. 48 of 2023, which regulated insurance activities across the UAE. 
      This legislative merger achieves a singular regulatory objective: the consolidation of prudential and conduct supervision for banks, other financial institutions, payment providers, and insurers/reinsurers under the unified oversight of the CBUAE. This centralized approach ensures that the CBUAE maintains a comprehensive, holistic view of systemic risk and regulatory compliance across what were previously disparate financial sectors, promoting regulatory clarity and consistency throughout the mainland UAE financial market. 
      1.2. Scope of Application and Financial Free Zone Exclusion
      The provisions of the New CBUAE Law apply broadly to the Central Bank itself, all financial institutions, insurance businesses, financial activities, and any Persons subject to its dictates. Licensed Financial Institutions (LFIs) covered under this new regime include traditional banks, insurance and reinsurance companies, and other financial institutions licensed to carry on one or more Licensed Financial Activity, encompassing both locally incorporated entities and branches or subsidiaries of foreign entities, including those operating in compliance with Islamic Shari’ah principles. 
      However, consistent with the foundational legislation of the UAE’s offshore jurisdictions, the Decree-Law explicitly states that its provisions shall not apply within the Financial Free Zones (FFZs) in the State, such as the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), nor to the financial institutions regulated by the authorities of those zones. 
      1.3. CBUAE Governance and Enhanced Institutional Independence
      The Decree-Law strengthens the institutional structure and autonomy of the CBUAE, formally establishing it as an autonomous entity designed for effective governance in economic management and crisis resolution. The Central Bank is formally positioned to report directly to the President of the State. 
      Furthermore, the New CBUAE Law grants the CBUAE significant operational autonomy by exempting it from the provisions of laws relating to public finance, tenders and auctions, public accounts, and ‘Federal Human Resources’. This deliberate legal separation, coupled with direct reporting to the highest executive authority, formally enhances the institution’s agility and operational independence. Central banks require swift, apolitical mechanisms to respond effectively to financial instability or economic shocks, and the removal of typical administrative bureaucracy associated with public finance and HR laws ensures the CBUAE can act decisively, aligning its structure with the best practices for central bank autonomy observed internationally. The functions of the UAE Accountability Authority are specifically confined to post-audit, explicitly prohibiting interference in the running of CBUAE business or challenging its policies. 
      The Board of Directors is vested with extensive regulatory authority, including the power to approve regulations, standards, instructions, and business controls necessary to enforce the Decree-Law. Critically, the Board is explicitly mandated to approve the monetary management framework, oversee the implementation of policies for managing the Central Bank’s Foreign Reserves, and approve policies and regulations specifically designed to mitigate systemic risk in the financial system as a whole. The legal mechanism of consolidating supervision over banking, payments, and insurance provides the CBUAE with a panoramic view of the entire financial ecosystem. When combined with the explicit mandate to mitigate systemic risk, this centralization ensures that risks originating in the previously separated insurance market or emerging payment systems are captured and addressed comprehensively within a cohesive national stability architecture. 
      SECTION 2: Expanding the Regulatory Perimeter in the Digital Age
      The New CBUAE Law signals a strategic shift toward regulating the technological infrastructure that underpins financial services, reflecting the CBUAE’s commitment to future-proofing the sector and integrating the country’s digital-first strategy. 
      2.1. Defining New Licensed Financial Activities
      The scope of “Licensed Financial Activities” has been significantly expanded to explicitly include activities driven by digitalization and emerging technology:

      1.  Open Finance Services: This is now an expressly captured activity, formalizing the regulatory framework necessary for data sharing and API-driven financial services. 
2.  Providing Payment Services using Virtual Assets (VA): This explicitly brings payment services that rely on Virtual Assets into the CBUAE's licensing and supervisory perimeter.
3.  Insurance and related professions: These are formally captured under the CBUAE, reflecting the consolidation of supervision. 

       2.2. Critical Analysis of Article 62: Technology Enablement and Intermediaries
      Article 62 represents the most profound change for the FinTech and technology sector, extending the CBUAE’s authority beyond traditional financial principals to encompass technological intermediaries. This article mandates licensing and regulation for “Any person who carries on, offers, issues, or facilitates any Licensed Financial Activity,” regardless of the technology or medium employed. 
      The “Facilitation” Test and Scope
      The drafting of Article 62 is intentionally broad and technology-neutral, targeting entities whose technology or platform enables or facilitates a Licensed Financial Activity, even if the entity itself is not a traditional bank or payment institution. 
      Specifically, Article 62 explicitly includes, but is not limited to:
      1. Virtual Assets payment tokens, decentralized finance (DeFi), other emerging technology, or other digital or physical instruments used in connection with Licensed Financial Activities.
      2. The offering or operation of platforms, decentralized applications (dApps), protocols, or technological infrastructure that facilitate, intermediate, or enable core financial services, such as payments, credit, deposits, money exchange, remittances, or investment services. 
      The expansive reach of this provision serves as a crucial mechanism for preventing regulatory arbitrage in the FinTech space. Traditionally, technology companies have sought to avoid central bank regulation by asserting they are merely technology providers rather than financial principals holding customer assets. By specifically targeting the facilitation and enabling infrastructure—such as APIs, dApps, and protocols—the New Law compels B2B technology vendors, payment gateways, and even decentralized governance structures that underpin financial services into the CBUAE’s oversight. This action mitigates systemic operational risk and enhances consumer protection by subjecting the entire technology stack supporting financial operations to prudential supervision. 
      Compliance and Transition
      Entities newly falling within the ambit of CBUAE supervision, particularly technology providers under Article 62, are granted a one-year transition period. They must achieve full compliance, including securing the necessary licenses, by September 16, 2026. This deadline imposes an immediate commercial imperative for FinTech firms. Given that the specific licensing procedures, capital requirements, and exemptions for these novel technology service providers are pending the issuance of implementing regulations , affected firms must prioritize self-assessment and begin preparations now. This regulatory shift necessitates significant capital allocation toward compliance infrastructure and restructuring, inevitably leading to a consolidation within the FinTech sector that favors established, well-funded organizations capable of meeting central bank mandates. 
      2.3. The Digital Dirham and CBDC Framework
      The CBUAE Law formally introduces statutory clarity for the UAE’s Central Bank Digital Currency (CBDC) initiative, the Digital Dirham. The law codifies a digital money and payments framework that expressly includes the Dirham in digital form within the legal definition of “Currency”. 
      This codification provides a clear statutory footing for the Digital Dirham, eliminating any legal ambiguity regarding its status as sovereign currency and integral part of the CBUAE’s Financial Infrastructure Transformation (FIT) programme. This legal clarity is a powerful assertion of monetary sovereignty. By granting the CBDC clear legal tender status and regulatory separation, the CBUAE protects its monopoly on currency issuance and reinforces the effectiveness of its monetary policy tools in the evolving digital economy. Crucially, the law explicitly defines “virtual assets” distinctly from “currency,” ensuring that while Virtual Asset payment services are now licensed, they remain separate from the sovereign currency issued and controlled by the Central Bank. 
      SECTION 3: The CBUAE as State Resolution Authority: Crisis Management and Stability
      The Federal Decree-Law No. 6/2025 significantly modernizes the UAE’s framework for managing financial distress by implementing a comprehensive statutory resolution regime, elevating the CBUAE to the status of the State Resolution Authority. 
      3.1. Implementation of the Early Intervention and Resolution Regime
      The new framework fundamentally shifts the CBUAE’s powers from pre-existing administrative mechanisms under the Old Law, which were often difficult to execute rapidly, to a detailed suite of statutory powers covering intervention and decisive resolution. This enables the CBUAE to intervene proactively well before an institution reaches the point of failure. 
      The Early Intervention Protocol allows the CBUAE to impose mandatory requirements such as implementing recovery measures, mandating strategic or structural changes, ordering capital and liquidity add-ons, removing senior management, establishing interim governance arrangements, and forcing a merger or acquisition. 
      3.2. Detailed Resolution Toolkit: Powers to Preserve Financial Stability
      Where decisive resolution is necessary to preserve critical functions and financial stability, the CBUAE is vested with an exhaustive toolkit aligned with international resolution standards, such as the Financial Stability Board’s (FSB) Key Attributes of Effective Resolution Regimes. The inclusion of these specific, modern resolution mechanisms—which were a core global financial reform following the 2008 crisis—demonstrates the UAE’s strong commitment to global regulatory alignment, which enhances the stability rating necessary to attract and retain major internationally active financial institutions.
      The primary resolution tools include:
      1. Statutory Bail-in Mechanism: The CBUAE is empowered to write down or convert liabilities (e.g., specific debt instruments) into equity. This power ensures that losses are absorbed internally by shareholders and creditors, maintaining the codified creditor hierarchy and minimizing the need for taxpayer-funded bailouts.
      2. Bridge Institutions (Bridge Entities): The authority to establish bridge institutions (temporary, CBUAE-controlled entities) and asset management vehicles. This allows the seamless transfer of critical shares, assets, rights, and liabilities from the failing entity to the bridge entity , thereby maintaining the continuity of essential financial services while the rest of the institution is wound down or restructured.
      3. Asset and Liability Transfer: The CBUAE holds the statutory authority to transfer or sell assets and liabilities without requiring the consent of the shareholder or creditor. 
      4. Governance Override: To ensure swift and decisive action during a crisis, the CBUAE is granted the power to override shareholder approvals and established contractual agreements to implement the necessary resolution actions. 
      5. Temporary Stays and Moratoria: Authority to impose temporary stays and moratoria on creditor claims, with necessary protections afforded to central counterparties and settlement systems. The CBUAE may also restrict secured enforcement in specific circumstances. 
      6. Tailored Insurance Resolution: The law’s consolidation mandate includes specific resolution powers tailored to insurers, such as provisions for portfolio transfer and continuity measures. 
      The introduction of statutory bail-in fundamentally alters the risk calculus for creditors of UAE Licensed Financial Institutions (LFIs). Investors must now fully price the risk that their debt instruments may be written down or converted into equity during a resolution event. This shift is expected to impact the cost of capital for UAE banks and necessitates an immediate review of contractual documentation, including subordination clauses and governing law provisions, for existing LFI debt instruments. Furthermore, the explicit review of the law concerning the Financial Stability Council suggests a highly coordinated approach, where the CBUAE executes the micro- and crisis-level resolution powers guided by the macro-prudential strategy set forth by the Council, forming a cohesive national stability architecture. 
      SECTION 4: Enforcement, Penalties, and Consumer Protection
      4.1. Enhanced Administrative Fine Structure and Accountability
      To complement its expanded supervisory perimeter, the New CBUAE Law introduces a drastically enhanced enforcement and sanctions regime. This move is designed to ensure compliance across the newly regulated technological and financial landscapes.
      The maximum administrative fine that the CBUAE can impose has been substantially increased to an unprecedented AED 1 billion. This punitive level establishes the CBUAE as one of the most stringent financial regulators globally, reflecting the high stakes associated with systemic risk and major compliance failures. Penalties are also designed for proportionality, allowing fines up to ten times the value of the violation. 
      Crucially, the law strengthens accountability by granting the CBUAE new direct recovery powers. These include the automatic deduction of fines from institutional accounts and the authority for direct recovery from responsible individuals. The combination of severe institutional fines and direct personal recovery powers fundamentally shifts the responsibility onto senior executives and board members of LFIs. This increased personal regulatory risk for serious breaches enforces a more rigorous risk management culture and compliance commitment from the highest levels of governance. Furthermore, the introduction of new minimum penalties for unlicensed or promotional activity targets emerging actors in the FinTech space, preventing minor non-compliance from escalating without meaningful sanction. 
      4.2. New Provisions for Fraud Prevention and Digital Security
      Recognizing the shift to digital platforms (including those captured by Article 62), the New CBUAE Law grants the Central Bank explicit authority to establish minimum security standards for digital and traditional banking services. These standards cover core areas such as authentication protocols, transaction monitoring, and comprehensive reporting obligations. 
      Licensed Financial Institutions are now required to promptly notify customers of breaches, cooperate fully with CBUAE investigations, and, where necessary, share limited information with other LFIs to verify suspicious activity. This mandatory digital security uplift extends implicitly to the newly regulated technology infrastructure providers, compelling FinTechs and platforms that facilitate financial services to adopt robust CBUAE-approved cyber and data protection measures. This comprehensive approach raises the baseline security posture of the entire financial ecosystem against sophisticated digital threats. 
      4.3. Consumer Protection Mandate
      Consumer confidence and protection are prioritized through new mandatory measures. The law establishes specialized judicial committees and confirms the creation of the Sanadak unified complaints system. Sanadak is mandated to operate as an independent entity responsible for receiving and settling disputes and complaints from customers of both banks and insurance companies. 
      This unified complaint mechanism achieves regulatory consistency for customer conduct issues across the newly consolidated supervisory scope. By integrating complaints for both banks and insurers, Sanadak simplifies access to redress for consumers and simultaneously provides the CBUAE with consolidated data that is essential for analyzing and addressing systemic conduct risk trends across the financial market. Additionally, in alignment with the national digital agenda, LFIs are now required to provide all community members with access to education on banking and financial services to promote financial inclusion. 
      SECTION 5: Transition Roadmap and Compliance Recommendations
      5.1. Transition Period for Newly Captured Entities
      The New CBUAE Law provides clarity regarding the transition timeline for compliance. Entities whose activities are newly captured under the expanded licensing perimeter, particularly technology providers now subject to Article 62, have been granted a one-year transition period. They must regularize their licensing and overall compliance status by September 16, 2026. 
      While this deadline is firm, regulatory uncertainty remains concerning the exact requirements for FinTech and enabling technology service providers, pending the issuance of detailed implementing regulations. 
      5.2. Strategic Recommendations for Licensed Financial Institutions (LFIs)
      1. Resolution and Recovery Planning: LFIs must immediately review and significantly update their Recovery Plans, initially mandated by the 2023 Recovery Planning Regulation. These plans must incorporate the CBUAE’s new statutory resolution powers, particularly the mechanisms for internal bail-in, the possibility of being placed into a bridge institution, and the codified creditor hierarchy.
      2. Technology Governance and Vendor Risk: Banks and traditional LFIs must conduct a comprehensive mapping of all third-party technology vendor relationships, particularly those utilizing APIs, protocols, or aggregation tools that facilitate licensed financial services. It must be determined which vendors fall under the expanded Article 62 perimeter and necessitate CBUAE licensing. Contracts must be proactively adjusted to ensure continuity and to manage third-party compliance failure risk ahead of the 2026 deadline.
      5.3. Compliance Advisory for Technology and Virtual Asset Providers
      ◦ Urgent Self-Assessment: FinTechs, digital platforms (dApps, protocols), and payment service providers utilizing Virtual Assets must undertake an urgent legal self-assessment to determine whether their services constitute “facilitation” or “enablement” under the expansive definition of Article 62. 
      ◦ Proactive Licensing Preparation: Given the limited transition period expiring in September 2026, technology providers should not wait for the implementing regulations. Instead, they must proactively begin preparing the necessary corporate and compliance infrastructure (including robust AML/CFT programs, cyber controls, and governance frameworks) required for CBUAE licensing, as the licensing process itself is anticipated to be detailed and protracted. 
      CONCLUSIONS AND ACTIONS
      The Federal Decree-Law No. 6/2025 represents a comprehensive legislative re-engineering of the UAE’s financial infrastructure. The legislation is characterized by global regulatory alignment, a strategic focus on digital resilience, and a firm commitment to institutional stability.
      Key Nuanced Conclusions:
      1. Systemic Risk Coverage: By consolidating the regulation of banking, insurance, and payments, and empowering the CBUAE Board to mitigate systemic risk across all these domains , the UAE has implemented a structural framework designed to prevent the propagation of crises between previously separated sectors.
      2. Regulatory Arbitrage Eliminated: Article 62’s aggressive expansion to capture technology facilitators, protocols, and dApps effectively eliminates opportunities for regulatory arbitrage in the FinTech space. This mandates a high bar for operational resilience and compliance among all technological enablers, thus securing the financial ecosystem from technical failures or misconduct originating outside the traditional LFI structure.
      3. Heightened Personal Liability: The dramatic increase in fine magnitude (up to AED 1 billion) and the mechanism for direct recovery from responsible individuals establish a clear principle of personal accountability in the UAE financial sector. This dictates that compliance and risk oversight must become a fundamental, non-delegable priority for senior management and board governance. 

      Actionable Recommendations:
      For all entities subject to CBUAE jurisdiction, the focus must shift immediately from understanding the new law to executing strategic and compliance restructuring. Non-traditional financial service providers must treat the September 16, 2026, deadline as imminent and prepare robust governance structures, capital plans, and licensing materials without delay. LFIs must prioritize the integration of the statutory resolution tools into their internal recovery and resolution planning processes to ensure preparedness for any future crisis intervention by the State Resolution Authority.

    • Regulating the Future: How the UAE Governs Banking Innovation Through FinTech


        The UAE has cemented its position as a global financial hub, not by resisting the tidal wave of financial technology (FinTech), but by actively embracing it. The nation’s regulatory bodies, led by the Central Bank of the UAE (CBUAE), recognize that FinTech is a powerful tool for enhancing financial inclusion, market efficiency, and customer experience. Instead of imposing static rules, the UAE regulates banking innovation by creating proactive, innovation-centric frameworks that guide disruption rather than restrict it. 
        Here is a breakdown of how the UAE actively governs the banking sector through regulatory innovation:

        Read more: Regulating the Future: How the UAE Governs Banking Innovation Through FinTech

        The Central Bank’s Approach: Guided Disruption
        The Central Bank of the UAE (CBUAE) has moved beyond traditional oversight to become an enabler of digital finance, focusing its strategy on infrastructure and open standards.

         
        A. Mandating Open Finance and Interoperability
        The most significant move has been the introduction of regulations that mandate openness. The Open Finance Regulation (Circular No. C 7/2023) is a game-changer. It requires licensed financial institutions to create secure interfaces (APIs) for sharing customer data (with explicit consent) with approved third-party providers (TPPs). 

        Impact on Consumers: This regulation drives competition, forcing banks to integrate with FinTechs to offer better, personalized services.

        Impact on Businesses: It allows FinTechs to build innovative products like real-time working capital solutions (e.g., invoice financing) using up-to-the-minute business data, leading to faster credit decisions and less friction.


        B. Modernizing Core Infrastructure
        Innovation in regulation also means modernizing the rails upon which money moves. The CBUAE’s Financial Infrastructure Transformation (FIT) program aims to create a highly efficient, future-proof financial ecosystem. Key projects include: 

        Instant Payments: Developing a domestic instant payment platform to allow real-time movement of funds between banks and payment providers. 

        Digital Currency: Exploring and piloting a Digital Dirham to enhance wholesale and cross-border payments efficiency using distributed ledger technology (DLT). 


        C. Governing New Payment Methods
        To ensure safety in the shift to a cashless society, the CBUAE actively regulates digital assets used for payment. The Payment Token Services Regulation ensures that digital wallets and stored value facilities operate within a clear, secure legal framework, protecting consumer funds and maintaining stability. 

          Impact: This approach encourages foreign FinTech firms to choose the UAE by significantly reducing the cost and risk of launching groundbreaking technologies, accelerating the time to market.


          D. Dedicated Virtual Asset Regulation
          The free zones have pioneered clear frameworks for digital assets that were previously unregulated. ADGM was an early mover in issuing comprehensive rules for Virtual Asset Service Providers (VASPs). Similarly, the establishment of the Virtual Assets Regulatory Authority (VARA) in Dubai (under Law No. 4 of 2022) provides a dedicated, specialized license for firms dealing with cryptocurrencies, NFTs, and other digital assets, signaling a commitment to integrating this asset class into the formal economy securely. 
          Conclusion: A Framework for Economic Diversification
          The UAE’s regulatory strategy is clear: FinTech is not just a technological change; it is an economic growth driver. By embedding open banking standards, modernizing national payment systems, and providing dedicated testing grounds for innovation, the regulators are successfully shifting the banking sector from reactive compliance to proactive innovation. This balanced approach ensures that consumers and businesses benefit from world-class financial convenience, while the system remains stable, secure, and compliant with international standards for anti-money laundering (AML) and consumer protection.