UAE ushers in new era of financial regulation with Central Bank Law overhaul

The United Arab Emirates has enacted a sweeping reform of its financial regulatory landscape with the introduction of Federal Decree-Law No. (6) of 2025 (the New CBUAE Law), a comprehensive new legal framework governing the Central Bank and its regulation of financial institutions and activities, including insurance activities. The New CBUAE Law, which repeals Federal Law No. (14) of 2018 (the Previous CBUAE Law) and Federal Decree-Law No (48) of 2023 (the Previous Insurance Law), signifies a pivotal moment in the nation's ongoing efforts to fortify its financial system, enhance consumer protection and align with international best practices.

The New CBUAE Law introduces a host of significant changes, including the consolidation of banking and insurance regulation, the expansion of the Central Bank's enforcement powers, and the introduction of new provisions to address the evolving complexities of the global financial ecosystem. This article highlights some of the key changes made by the New CBUAE Law.

Expansion of licensed financial activities: A digital shift

One of the most notable changes introduced by the New CBUAE Law is the expansion of the scope of licensed financial activities, reflecting the UAE's strategic pivot toward a digitally-enabled financial ecosystem. The New CBUAE Law now explicitly includes the following two activities:

• providing open finance services; and
• providing payment services using virtual assets.

Notably, the New CBUAE Law broadens the regulatory scope of the Central Bank significantly by bringing technology service providers within the Central Bank’s regulatory perimeter. Such service providers may include persons offering or operating digital platforms, decentralised applications, protocols, and technological infrastructure that either facilitate, intermediate or enable the provision of financial services.

This marks a strategic shift in the Central Bank’s regulatory philosophy; the Central Bank has moved beyond regulating only financial institutions to also regulating the technological service providers that power and support the delivery of financial services in the new digital economy.

A broadened mandate and enhanced powers for the Central Bank

The New CBUAE Law grants the Central Bank enhanced supervisory and enforcement powers. Notably, it introduces the concept of "early intervention", empowering the Central Bank to take pre-emptive measures to address emerging capital or liquidity risks within financial institutions before they escalate. 

The New CBUAE Law also strengthens enforcement mechanisms, raising the maximum administrative fine from AED 200 million to AED 1 billion. It also provides the Central Bank with a wider array of administrative and financial sanctions, including the ability in severe cases to revoke licences and appoint administrators.

A key introduction in the New CBUAE Law is the establishment of a "Grievances and Appeals Committee". This independent body will handle complaints against the Central Bank's decisions, providing a formal and transparent mechanism for recourse for financial institutions. Appeals from the Grievances and Appeals Committee can also be challenged at the Higher Federal Court.

In light of the Central Bank’s heightened enforcement activity recently, these changes, which are designed to establish an effective appeals process, will be welcomed by financial institutions and fintech providers operating within the UAE that are subject to the New CBUAE Law. 

The New CBUAE Law also grants the Central Bank the power to publish details of its enforcement actions, including the names of the institutions and individuals involved. This increased transparency is expected to act as a powerful deterrent against misconduct.

Enhanced consumer protection 

In line with its expanded mandate, the New CBUAE Law places a strong emphasis on consumer protection. This emphasis is most clearly seen through the introduction of specific fraud prevention obligations which are described below.

The Previous CBUAE Law and Previous Insurance Law were silent on fraud prevention.  Notably, the New CBUAE Law introduces specific obligations on licensed financial institutions, including insurance companies, to implement robust fraud prevention and detection mechanisms to safeguard customers against fraudulent activities, including social engineering and identity theft. The introduction of specific obligations reflects an acknowledgement by the Central Bank that fraudulent activities are an increasing threat that warrants regulatory intervention to ensure that financial institutions implement effective measures to protect consumers.

The New CBUAE Law also requires licensed financial institutions to notify affected customers promptly of any security breaches or fraudulent incidents and take immediate corrective actions to mitigate damage. We recommend firms that are subject to the New CBUAE Law consider reviewing their existing cyber-security policies to confirm they are compliant with the updated requirements. 

A new chapter for UAE's financial sector

The enactment of the New CBUAE Law marks a transformative moment for the UAE's financial sector and is a clear testament to the UAE's commitment to maintaining its position as a leading global financial hub, and to ensuring the long-term stability and prosperity of the UAE economy. 

The New CBUAE Law provides a one-year transition period. Therefore, persons subject to the New CBUAE Law have until September 16, 2026 to reconcile their positions. The CBUAE retains the discretion to extend the one-year transitional period as it deems appropriate. 

This article has been written by Middle East Partner and Head of Financial Services Regulatory Matthew Shanahan, Counsel Karl Masi, Senior Associate Ratul Roshan, Associates Jack Abrehart and Hasanali Pirbhai and International Trainee Owen Greaves.