In relation to general financial services, the United Arab Emirates (UAE) operates three independent jurisdictions:

(i) Mainland/onshore UAE (i.e. outside of the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) financial free zones (see below)) – The national services regulator for mainland UAE is the Central Bank of UAE (the Central Bank) established pursuant to the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Finan-cial Institutions and Activities as repealed by Federal Decree-Law No. (6) of 2025 Regarding the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business (Bank-ing Law). Any bank (subsidiary, branch, representative office) is required to obtain a license from the Central Bank to operate in mainland UAE. Banks listed on any of the mainland ex-changes in the UAE are also required to comply with the regulations framed by the Capital Markets Authority (the CMA).

(ii) Financial free zones – UAE has two financial free zones (established under the provisions of the Federal Law No (8) of 2004, Regarding Financial Free Zones, and amending laws) being:

a. the DIFC, where financial activities are regulated by the Dubai Financial Services Au-thority (DFSA), and

b. the ADGM, where financial activities are regulated by the Financial Services Regulatory Authority (FSRA).

Each of the DIFC and the ADGM are considered separate legal jurisdictions (modelled on the English common law legal system) with their own laws, courts and financial services regulators. To operate in DIFC or ADGM, banks have to obtain activity-based licenses from DFSA or FSRA, as the case may be, after fulfilling the requirements specified (capitalization, prudential, operational). Our discussion is limited to DIFC and ADGM entities involved in general banking activities of accepting deposits and providing credit (Regulated Entity).

As per the Banking Law, the following activities trigger the requirement of a banking license:

(i) Taking deposits of all types, including Shari’ah-compliant deposits;

(ii) Providing credit facilities of all types;

(iii) Providing funding facilities of all types, including Shari’ah-compliant funding facilities;

(iv) Providing open finance services;

(v) Providing currency exchange and money transfer services, including instant money transfer services;

(vi) Providing payment services using virtual assets;

(vii) Providing stored values services, electronic retail payments and digital money services;

(viii) Providing virtual banking services;

(ix) Arranging, promoting and marketing for licensed financial activities;

(x) Acting as a principal in financial products that affect the financial position of the licensed finan-cial institution, including but not limited to foreign exchange, financial derivatives, bonds and sukuk, equities, commodities, and any other financial products approved by the Central Bank; and

(xi) Providing insurance, reinsurance, and insurance-related professions business and services, in-cluding takaful and re-takaful insurance business and services.

The board of directors of the Central Bank has the power to add or delete activities from the list.

Any person carrying on, offering, issuing, or facilitating, whether directly or indirectly, any licensed fi-nancial activity mentioned above (regardless of the medium, technology, or form employed) shall be subject to the licensing, regulatory, and oversight jurisdiction of the Central Bank. This includes (i) virtu-al assets payment tokens, decentralized finance (DeFi), other emerging technology, or other digital or physical instruments used in connection with the licensed financial activities and (ii) offering or operation of platforms, decentralized applications (dApps), protocols, or technological infrastructure that facilitate, intermediate, or enable the provision of financial services, such as payments, credit, deposits, money exchange, remittances, or investment services.

The DFSA and the FSRA provide activity-based licensing with various categories of licenses depending upon the type of activity that a Regulated Entity seeks to undertake in the DIFC / ADGM as applicable. These licenses range from Category 1 licenses which are the highest category of licenses through Cat-egory 4. Category 5 is specifically for Islamic business. To accept deposits, a Category 1 license is required and to provide credit a Category 2 license is required from the DFSA or the FSRA as applica-ble. As with the Central Bank, regulated activities in the ADGM and DIFC would include the marketing and sale of securities, providing investment advice, dealing in products and investments (either as prin-cipal or agent), underwriting and placing financial products, offering and providing discretionary invest-ment management services, marketing or selling funds (including the provision of investment advice), accepting deposits, providing credit, providing money services, arranging deals in investments, manag-ing assets, managing a collective investment fund and advising on financial products.

The Central Bank provides licensing for conventional and Islamic banking. These are further licensed as retail, wholesale and specialized banks. For banks intending to perform limited activities only, the Cen-tral Bank may grant special licenses as Specialized Banks with Low Risk Regulation or Restricted Li-cense Banks. Further, entities (other than licensed banks) intending to provide other types of financial products and/or services such as factoring and lease financing will also require separate licenses and approvals from the Central Bank.

As mentioned above, as per DFSA and FSRA, different financial activities have different licensing re-quirements. Please refer to our responses to Query 2 above.

Please see our responses to Query 3 above. If an activity falls within the regulatory purview of another regulator, then approval from that regulator will also be required. Broker-dealer activities are regulated by the CMA and therefore a bank will require prior approval from the CMA to undertake broker-dealer activities.

Within the DIFC and the ADGM, a Regulated Entity holding Category 1 license can, after obtaining endorsement(s) from DFSA/FSRA as the case may be for specific activities on its license, undertake activities permitted under Categories 2, 3A, 3, 3C, 3D and 4 (but not Category 5 i.e. Islamic financial institution managing an unrestricted profit-sharing investment account).

A Central Bank regulatory “sandbox” for the Central Bank licensed financial institutions is available as per the Central Bank Sandbox Conditions Regulation provided however that the following activities are not permitted to be undertaken under the regulatory sandbox: (i) taking deposits of all types; (ii) carrying out insurance activities in UAE; and (iii) acting as principal in financial products that affect the financial position of the person, as determined by the Central Bank. The Central Bank exercises wide supervisory powers over the regulatory sandbox.

The DFSA has the Innovation Testing License Programme which is a regulatory sandbox for testing new products. The ADGM has the ADGM RegLab, a regulatory sandbox that allows fintechs to test their innovation in a controlled environment under the guidance of FSRA.

Issuance, custody or provision of services relating to crypto assets or other digital assets by banks require to be approved by the Central Bank. Please refer to our discussion under Query 1 above re-garding licensing, regulatory, and oversight jurisdiction of the Central Bank inter alia for use of virtual assets and for offering or operation of platforms, decentralized applications (dApps), protocols, or technological infrastructure that facilitate, intermediate, or enable the provision of financial services, such as payments, credit, deposits, money exchange, remittances, or investment services.

In September 2020, the Central Bank issued the Stored Value Facilities Regulation (the SVF Regula-tion) which applies to all companies seeking to conduct stored value facility (SVF) activities in mainland UAE or a free zone, but not the DIFC or ADGM. According to the SVF Regulations, an SVF is a facility (other than cash) for which users pay consideration in exchange for the storage of value of that consid-eration and subsequent usage as payment for goods or services. The SVF itself might be made up of virtual or digital assets, points from rewards programmes, top-up payments, online transfers or other values. SVFs must be licensed by the Central Bank (although there are certain categories that may be exempt, such as where the ability to make payments is confined to “closed loop” schemes). Further the Central Bank has also issued the Retail Payment Systems Regulations (the RPS Regulations) regulat-ing retail payment systems. Any person intending to operate a retail payment system facilitating trans-actions using crypto assets for payments is required to obtain license from the Central Bank for such activity.

In June 2024, the Central Bank issued Circular 2 of 2024 on Payment Token Services Regulations (the Token Regulation), laying out requirements for the grant of licences for the provision and manage-ment of payment token services in mainland UAE (excluding ADGM and DIFC) under three categories: Payment Token Issuance; Payment Token Conversion; and Payment Token Custody and Transfer. The Token Regulation applies to all providers of the aforementioned activ¬ities.

The Central Bank, CMA, DFSA and FSRA have jointly issued the Guidelines for Financial Institutions Adopting Enabling Technologies (the Guidelines). The Guidelines outline cross-sectoral principles and best practices for financial insti¬tutions to follow when implementing enabling technologies for the devel-opment or offering of innovative products and services. Regardless of the financial activities carried out, the Guidelines will apply to all financial institutions that use the enabling technologies and are regulated and overseen by any of the regulators mentioned above.

On 9 March 2022, Dubai Law No 4 of 2022 Concerning the Regulation of Virtual Assets (the Virtual Asset Law) established the Dubai Virtual Asset Regulatory Authority (VARA). VARA’s authority inclu-des regulating and licensing issuers, exchanges and custodial and management services providers. VARA has issued a number of rulebooks, in particular the Compliance and Risk Management Rulebook (the CRM), which sets out the regula¬tory framework for virtual asset service providers (the VASPs) operating in Dubai. The CRM covers a wide range of issues, including licensing, customer due dili-gence, risk manage¬ment, compliance and reporting. To obtain a licence from VARA, VASPs must meet a number of requirements including, but not limited to, demonstrating that they have adequate finan¬cial resources to operate their business and having effective governance and internal control. The Vitrual Asset Law requires licensing from VARA in order to undertake any activity relating to, amongst other things, crypto currencies, including the provision of (i) virtual asset platform operation and management services, (ii) services for the exchange between virtual assets and national or foreign currencies, (iii) services for the exchange between one or more forms of virtual assets, (iv) virtual asset transfer ser-vices, (v) virtual asset safekeeping, management or control services, (vi) services related to virtual asset wallets and (vii) services related to offering, and trading in, virtual tokens.

In order to undertake activities related to crypto token / crypto assets (including custody/provision of services) in the DIFC, Regulated Entities have to obtain approval from the DFSA for such activity. Regulated Entities may only engage with crypto tokens that they have assessed as being suitable in accordance with the suitability criteria specified by the DFSA.

In order to be authorised to conduct a virtual asset regulated activity in the ADGM, Regulated Entities must satisfy the FSRA that all applicable requirements under the FSRA’s rules and regulations have been, and will continue to be, complied with. Under the FSRA’s conduct of business rules, virtual asset regulated activity shall only be conducted with an ‘Accepted Virtual Asset’. It is the responsibility of the Regulated Entity to assess and ensure that the relevant virtual asset meets the FSRA’s requirements for an Accepted Virtual Asset.

To be able to provide custody of crypto currency in the DIFC or the ADGM, prior permission from the DFSA or the FSRA as the case may be is required for the financial activity of ‘providing custody’. Fur-ther, depending upon the type of service being provided by the bank, additional approvals may be re-quired from the DFSA or the FSRA as the case may be.

Virtual assets (which include crypto assets or digital assets) are not considered as deposits. They are not capable of benefiting from depositor protection, client asset safeguarding or segregation regimes. Currently there is no deposit insurance in the UAE.

The Central Bank requires custodians and services providers of crypto assets to hold capital based on the monthly average value of transactions undertaken. For payment token transfers transactions:

(i) AED 10 million or above – regulatory capital required is minimum AED 3 million.

(ii) Below AED 10 million – regulatory capital required is minimum AED 1.5 million.

Further, the following would apply to crypto assets held by banks: (a) common equity tier 1 must be at least 7% of the risk weighted assets (RWA), (b) Tier 1 capital must be at least 8.5% of RWA, and (c) Total capital, calculated as the sum of tier 1 capital and tier 2 capital, must be at least 10.5% of RWA.

For DFSA and FSRA, a Regulated Entity’s capital requirement is 10% of its RWA. RWA are calculated as 12.5 multiplied by the sum of credit risk capital requirement, market risk capital requirement, opera-tional risk capital requirement and if applicable the displaced commercial risk capital requirement (CVA risk capital requirement is added in case of FSRA regulated entities).

The process to obtain a bank license from the Central Bank commences with a preliminary meeting with the Central Bank where an applicant’s proposed business model, proposed business plan, and a short summary of proposed actions and activities are discussed. After successful review, the Central Bank allows the applicant access to its online system to make an application to its the Licensing Division under the Banking Supervision Department. The applicant should be in the appropriate legal form and meet the criteria stipulated by the Central Bank such as having in place a 3-year business plan and meeting the minimum capital requirements. Upon satisfaction of the Central Bank, an in-principle approval is granted and the applicant is required to fulfill the conditions in the in-principle approval letter within a year of the date of the letter. Upon fulfillment to the satisfaction of the Central Bank of the conditions set out in the in-principle approval letter, the final approval is granted.

A definite timeline cannot be given regarding the Central Bank approval. Usually, the process takes a few of months or longer. Further, please note that bank licenses are very rarely issued to foreign banks.

To obtain Category 1 and Category 2 licenses from the DFSA, an applicant has to file the Core Information Form along with the Banking and Lending Supplement, regulatory business plan, forms for authorized individuals, other prescribed information (accounts, financial projections, ISAE 3400 – The Examination of Prospective Financial Information) and policies (compliance, anti-money laundering). To obtain Category 1 and Category 2 licenses from the FSRA, the comprehensive General Information for Regulated Activities form, the Banking Business Supplement, and other information specified therein have to be filed with the FSRA (similar to what is filed with the DFSA). The application process with DFSA and FSRA typically takes a few months with multiple rounds of discussions with the regulators.

As per the Banking Law, licensed financial activities may only be carried on, in or from within the UAE as permitted under the Banking Law. In practice, cross-border activity from outside the UAE is often undertaken in the UAE such as lending to UAE based entities from outside the UAE and there have been no restriction on such activities to date. However, the marketing or promotion of any licensed financial activities and/or financial products may only be carried on from within the State, in accordance with the provisions of the Banking Law and the rules and regulations framed thereunder.

Foreign banks may face some restrictions in connection with taking direct security over certain category of assets, including real estate and security over shares of a company established in mainland UAE and in most freezones (other than DIFC and ADGM), as such security can only be created in favour of a local bank licensed by the Central Bank. In such cases, the foreign bank must engage a local bank as its security agent. This is an expensive and time-consuming process (as only a few local banks offer such agency services).

In the context of the DIFC and the ADGM, similar rules apply i.e. the marketing or promotion of any licensed financial activities and/or financial products may require the permission from DFSA or FSRA as applicable.

In the mainland UAE, banks should be in the form of public joint-stock companies. Branches of foreign banks operating in UAE are exempt from this requirement.

Most requirements that are applicable to banks are also applicable to branches of foreign banks in par-ticular those relating to capital adequacy, liquidity, and risk management. However, there are different minimum eligible capital standards for banks, specialized banks and for branches:

(i) Banks – at least two billion Dirham (AED 2,000,000,000);

(ii) Specialised banks – at least three hundred million Dirham (AED 300,000,000); and

(iii) Branches of foreign banks – at least one hundred million Dirham (AED 100,000,000) at the level of the branch and at least two billion Dirham (AED 2,000,000,000) (or equivalent) at the entity level.

Further, as per regulations specified by the Central Bank, the local banks are permitted to issue additi-onal tier 1 or tier 2 instruments. Foreign branches, however, are permitted to issue tier 2 subordinated term loans from their head offices restricted to a maximum of 3% of their risk-weighted assets.

Within the DIFC and ADGM, any body corporate, including limited liability partnership and a body corpo-rate constituted under the law of a country or territory outside of the DIFC/ADGM, or a partnership may apply to become a Regulated Entity and undertake the permitted financial activity. A Regulated Entity must carry out their activities from a place of business within the DIFC or ADGM as the case may be. Regulated Entities operating in the DIFC or ADGM as the case may be are subject to detailed regulato-ry, conduct of business and prudential requirements specified by the DFSA or FSRA, respectively.

Any bank with an Islamic finance window is required under the Central Bank rules and regulations to ring-fence and segregate its assets and liabilities from the assets and liabilities of the rest of the bank. The segregation must include having separate product codes for Shari’ah compliant products mapped with specific general ledger accounts.

In the DIFC and the ADGM, the DFSA and the FSRA, as applicable, the Islamic window of a Regulated Entity must be segregated from its other business operations. Further, depending upon the type of activity that a Regulated Entity undertakes in the DIFC/ADGM, there may be requirements to segregate client assets/funds from that of the bank.

Governance:

The Central Bank requires the following:

(i) Board of directors with minimum 7 and maximum 11 members, each with a maximum three year renewable term. All members should be non-executive, of which at least one third must be independent members. The chair and the majority of the Members of the Board must be UAE nationals. A no-objection of the Central Bank must be obtained prior to the appointment, nomination or renewal of any board member or member of the senior ma-nagement. The members of the board must also meet the independence criteria set out by the Central Bank.

(ii) The board must meet at least six times a year and appoint a secretary to the board of di-rectors who is not a member of the board.

(iii) The board structure must include committees with responsibilities for audit, risk, nomination and compensation. The board may also establish other specialized committees (e.g. ethics, assets and liabilities, etc). The board, or the board nomination committee, must carry out at least annually, an assessment of the board as a whole, its committees, and individual members.

(iv) A member of senior management may not hold a staff position in any other entity. A mem-ber of senior management may hold memberships in the boards of up to 2 non-bank enti-ties outside the banking group.

(v) In case of Islamic banking there are additional requirements such as internal Shari`ah re-view and Shari`ah governance reporting, internal Shari`ah control committee, compliance with any direction or guidance issued by the Higher Shari`ah Authority with respect to its Shari`ah governance framework.

(vi) Members of the board must establish the “tone from the top” approach as prescribed under the Central Bank regulations. A bank must have a written code of conduct that defines ac-ceptable and unacceptable behaviors.

In addition to the above, banks will also be required to comply with additional requirements of the CMA as applicable to public joint stock companies.

Internal Control:

The Central Bank requires the following:

(i) the bank’s board and senior management have to establish an internal control framework to establish an adequate operating environment for the conduct of its business, taking into account its risk profile;

(ii) internal controls must, at a minimum, address issues including (but not limited to) organiza-tional structure – duties and responsibilities including clear delegation of authority, decision-making policies and processes, separation of critical functions and appropriate checks and balances (including segregation of duties, cross-checking, dual control of assets, double signatures); and

(iii) the bank’s organizational structures should incorporate a “three lines of defence” approach comprising (a) the business units (assess and control risks relating to their businesses lines), (b) the support and control functions (including risk management, compliance, legal, human resources, finance, operations, and technology ensuring risks have been appropria-tely identified and managed) and (c) an independent internal audit function to independently assesses the effectiveness of the processes created in the first and second lines of de-fence.

Risk Management:

The Central Bank requires the following:

(i) banks must establish, implement and maintain a risk governance framework that enables it to identify, assess, monitor, mitigate and control risk. A bank’s risk governance framework must address all material risks, which, at a minimum, must include credit risk, market risk, liquidity risk, operational risk, risks arising from its strategic objectives and business plans and other risks that singly, or in combination with different risks, may have a material im-pact on the bank; and

(ii) bank’s board approved risk governance framework must incorporate a “three lines of de-fense” approach including senior management of the business lines, the control functions of risk management and compliance, and an independent and effective internal audit function. Banks must incorporate the elements into their risk governance framework as mandated by the Central Bank such as board approved risk governance framework, oversight by board, implementation by senior management, oversight by board audit committee, etc.

As per the applicable DFSA and FSRA regulations, corporate governance functions have to be appor-tioned between the governing body and the senior management. There are various requirements to be met with respect to the organisation structure, risk management, compliance, internal audit, require-ments for the governing body and the senior management. Further there are licensed functions for which there must be functionaries. Certain functions are mandatory i.e. Senior Executive Officer, Fi-nance Officer, Compliance Officer, and Money Laundering Reporting Officer. Both the DFSA and the FSRA require Regulated Entities in DIFC and ADGM respectively to establish and maintain a strong control environment that uses policies, processes and systems, appropriate internal controls and ap-propriate risk mitigation strategies. Regulated Entities are also required to have in place internal risk assessment processes that are reviewed by the DFSA/FSRA as the case may be. Further, the DFSA and the FSRA have specified detailed requirements for risk management of various types of risk such as credit risk, liquidity risk etc.

In line with its obligation to order to promote management of operational risk, the Central Bank has issued the Operational Risk Regulation (Central Bank Circular No. 163 of 2018) and accompanying standards (together the Operational Regulation). The Operational Regulations requires banks to:

(i) adopt an appropriate operational risk governance framework (the Framework) with appropriate policies, processes, procedures, systems and controls to identify, monitor and mitigate opera-tional risks in a timely manner;

(ii) the Framework must clearly identify (amongst other things) governance structures used to manage operational risk, operational risk reporting and management information systems, and establish periodic review (including internal audits) and assessment of the Framework; and

(iii) the Framework will be established, implemented and monitored by the management of the bank. In the case of large or complex banks, they must have an Operational Risk Committee or other designated committee that addresses operational risk.

The Operational Regulation also requires banks to have appropriate disaster recovery and business continuity planning, to identify, assess and mitigate potential business continuity risks and ensure that the Bank is able to meet its financial and service obligations in the event of business disruptions. Banks should also conduct ongoing business impact analysis (BIA), in order to understand the impact of a disruption event on the bank’s critical business operations, which, if disrupted, may have a material adverse impact on the bank’s business functions. Any BIA should consider disruption scenarios over varying periods of time, the period of time for which the bank could not operate without each of its criti-cal business operations, the extent to which a disruption to the critical business operations might have a material impact on customers of the bank and the financial, legal, regulatory and reputational impact of a disruption to the bank.

Banks must also maintain business continuity plan (BCP) that meets the objectives of the bank’s busi-ness continuity management policy. The BCP should identify (amongst other things) critical business operations, recovery levels and time targets for each critical business operation, recovery strategies for each critical business operation and infrastructure and resources required to implement the BCP.

The DFSA and the FSRA have specified detailed rules in respect of a Regulated Entity’s obligation to manage effectively its exposures to operational risk. Operational risk refers to the risk of incurring los-ses due to the failure of systems, processes, and personnel to perform expected tasks. The DFSA and the FSRA require that a Regulated Entity opertaing in the DIFC / ADGM, as the case may be, have a robust operational risk management framework commensurate with the nature, scale and complexity of its operations and that it holds sufficient regulatory capital against operational risk exposures. Further, the DFSA / FSRA require a Regulated Entity to (i) design and implement an effective operational risk management system complete with appropriate systems and controls, (ii) calculate the operational risk capital requirement and hold the same, and (iii) hold adequate professional indemnity insurance cover. There are detailed specifications (including activity based specifications) including among others, spe-cific requirements for IT systems, information security, outsourcing, business continuity and disaster recovery, and the management of operational risks in trading rooms. The DFSA and the FSRA also specify detailed requirements, parameters, calculation methodologies and formulae for calculating the operational risk capital requirements.

In order to promote the effective and efficient functioning of the banking system, the Central Bank has issued the Outsourcing Regulation for Banks (Circular No. 14 of 2021) and accompanying standards (together the Outsourcing Regulation) to ensure that any outsourcing arrangements entered into by banks are subject to appropriate due diligence, approvals and ongoing monitoring, in order to ensure that any risks associated with such arrangements are effectively identified and managed. The Out-sourcing Regulation apply to all banks operating in the UAE. Banks established in the UAE with group relationships, including subsidiaries, affiliates, or international branches, must ensure that the Outsourc-ing Regulation are implemented to on a solo and group-wide basis.

The Outsourcing Regulation establishes the minimum standards for banks (the Central Bank has the sole discretion to introduce additional requirements, as deemed necessary) entering onto outsourcing arrangements, including (but not limited to):

(i) the bank’s risk governance framework must include policies and procedures for accessing all outsourcing arrangements and identifying, measuring, monitoring and reporting associated risks;

(ii) the maintenance of an outsourcing register which records details of all outsourcing arrange-ments, including the details of the service provider, nature of the service and if the service in-volves any confidential customer/bank data;

(iii) ensure compliance with all applicable UAE laws and regulations in managing and processing da-ta and ensure that the bank’s customers retain ownership and all rights in their data;

(iv) all confidential data held by the bank must be maintained and stored in the UAE, unless the Central Bank approves otherwise; and

(v) banks offering Islamic financial services must ensure that the outsourcing arrangements relat-ing to such services are in compliance with applicable principles of Shari’ah.

The UAE Sustainable Finance Working Group (SFWG), which includes the Central Bank, was establis-hed in 2019 to enable the UAE’s economic transition and encourage the adoption of sustainable finance at the national level by developing standards for the financial sector to integrate ESG aspects into cor-porate governance, strategy and risk management. This was in line with the UAE’s decision to ratify the Paris Agreement, followed by a number of key initiatives, including the UAE Green Agenda 2015-2030, the National Climate Change Plan of the UAE 2017-2050 and the UAE Net Zero by 2050 Strategic Initi-ative. In 2020, the SFWG committed to developing standards for the financial sector (including banks) to integrate ESG factors into corporate governance, strategy and risk management.

Building on the Principles for Sustainability‑Related Disclosures and Principles for Effective Manage-ment of Climate‑Related Financial Risk issued by SFWG in November 2023 and June 2024 respec-tively, the Central Bank issued the Climate-related Financial Risk Management Regulation (Circular No. 8 of 2025) (the Risk Regulation) on 8 July 2025. The Risk Regulation mandates banks to adopt mea-sures to identify, measure and manage climate risk across governance, capital, solvency, and recovery planning. It also requires transition planning, risk appetite integration, and data management proce-dures. This is a significant departure from the earlier voluntary framework for accessing and managing climate risk, as part of the overall governance and management of banks. The Risk Regulation requires (amongst other things):

(i) the bank’s management to have/maintain adequate knowledge and understanding of the clima-te related financial risks (CRFR) impacting the bank and the broader financial sector;

(ii) ensure CRFR are embedded in the bank’s governance and risk appetite framework;

(iii) the bank has adequate structures, including human and financial resources, to monitor and manage CRFR;

(iv) bank must develop a robust governance framework for assets and liabilities that are labelled green/sustainable/ESG-linked or equivalent “green”;

(v) strategy to monitor the impact of CRFR on their business environment, business model and ac-tivities;

(vi) banks must develop processes to evaluate the capital and solvency impact of CRFR that may manifest within relevant planning timeframes; and

(vii) banks must incorporate CRFR in their risk management framework within established risk cate-gories or as a stand-alone risk category. CRFR must be managed with a structured process covering its identification, data gathering, measurement, reporting, control and mitigation.

The Central Bank has specified the following remuneration norms:

(i) Board members should get annual fixed compensation and the reimbursements of costs di-rectly related to discharge of their responsibilities.

(ii) For staff in control functions the compensation must be predominantly fixed with variable compensation based on performance but independent of the business lines. Annual total bonus for all staff must not exceed 5% of the bank’s net profit and anything above that will require prior shareholder approval.

(iii) For senior management and material risk takers:

a. A proportion of the total compensation must be performance-based with provision for reversal/claw back on realized risks and violations of laws or other policies, before compensation vests. A substantial portion of the variable compensation must be payab-le under deferral arrangements over at least three (3) years. These proportions should increase significantly along with the level of seniority and/or responsibility.

b. Annual individual bonus – must not exceed 100% of the fixed proportion of total com-pensation. A bonus of up to 150% would require approval by the bank’s board. A bonus up to 200% would require approval by the bank’s shareholders.

A Regulated Entity must have a remuneration structure and strategies which are well aligned with the long term interests of the bank, and are appropriate to the nature, scale and complexity of its business. As per the applicable DFSA and FSRA regulations, the governing body of a Regulated Entity must en-sure that the remuneration structure and strategy is (i) consistent with the business objectives, strate-gies and the risk parameters, and (ii) provides for effective alignment of risk outcomes and the roles and functions of the employees. The governing body must provide to DFSA/FSRA as applicable and to the relevant stakeholders details of its remuneration structure and strategies to ensure they meet the regulatory requirements on an on-going basis. Regulated Entities must provide to the DFSA / FSRA as the case may be, notice of any significant changes to its corporate governance framework or the remu-neration structure or strategy as soon as practicable. Under their respective conduct of business rules, the DFSA and the FSRA have provided detailed mechanisms to be taken into consideration while pre-paring remuneration strategies.

Yes, UAE has implemented the Basel III framework with respect to regulatory capital. Banks that are classified as domestically systemically important banks (D-SIB) are required to hold additional capital buffers as notified to them. Further, the Central Bank’s minimum capital requirements are not applicable to locally incorporated restricted license banks.

Regulated Entities operating in the DIFC and ADGM also have to comply with Basel III requirements.

All banks must maintain a leverage ratio of at least 3%. Designated D-SIBs must maintain a leverage ratio of at least 3.5%. Within the DFSA a global systemically important bank must maintain a leverage ratio of atleast three percent plus 50% of the higher loss absorbency ratio as determined by the DFSA. The FSRA may at its discretion set a leverage ratio for D-SIBs that are higher than 3%.

Yes, UAE has implemented the Basel III liquidity requirements, including regarding LCR and NSFR. The Central Bank requires banks to maintain a minimum level of liquid assets to ensure their ability to sus-tain a short-term liquidity stress (both bank specific and market wide). Further, banks are also required to structure their funding profile to limit the impact of long-term market disruptions and avoid cliff ef-fects. the Central Bank requires banks to comply with the following ratios at all times:

(i) Eligible Liquid Assets Ratio;

(ii) Liquidity Coverage Ratio; and

(iii) Net Stable Funding Ratio.

DFSA and FSRA mandate LCR and NSFR of at least 100% at all times.

The Banking Law provides for standing facilities made available by the Central Bank to licensed financial institutions to enable them to manage liquidity in accordance with the directions issued by the Central Bank. The Central Bank introduced the Dirham Monetary Framework following which the Central Bank provides standing credit facilities being the Marginal Lending Facility and the Collateralized Murabaha Facility and liquidity insurance facility being the Contingent Liquidity Insurance Facility. When a (deposit-taking) bank is exposed to liquidity pressures or is subject to crisis management procedures, the Cen-tral Bank may provide loans to that bank, in order to stabilise and protect it. The Central Bank has the discretion to provide additional funding into the banking system in case of emergency.

Banks shall provide the following reports: (i) interim financial reports (quarterly and semi-annual) revie-wed by the external auditor to be provided within 45 days from the end of the quarter, (ii) annual finan-cial reports audited by the external auditor within 90 days from the end of the financial year, and (iii) progressive quarterly and annual reports within the timelines mentioned above. These reports are to be signed by the authorized signatories of the bank.

As per the DFSA and the FSRA, a Regulated Entity must submit audited financial statements annually within four months of the financial year end.

Yes, consolidated supervision of a bank exists in UAE. The Central Bank specifies a standard of corpo-rate governance at the group level where the bank is a controlling shareholder. This covers amongst others establishing group level corporate governance framework, management structure, internal con-trol framework, sharing of information and compliance.

The DFSA and FSRA specify a framework for managing group level risk of their Regulated Entities. They specify systems and controls inter alia for monitoring relationship within the group, compliance, funding, maintaining group capital requirements and group capital resources, and risk concentration limits.

Prior written approval from the Central Bank will be required where there is a direct or indirect change in the shareholding of a bank of 5% or more of the bank’s issued ordinary shares and financial instru-ments convertible into ordinary shares. This includes the situation where a person’s shareholding in a bank crosses the 5% thereshold specified above. Prior written notification to the Central Bank will be required in certain instances such as where a person acquires a shareholding of 1% or more in the bank or in relation to acquisition / divesture of voting rights in relation to significant or controlling share-holding as specified by the Central Bank.

Where a person seeks to increase control in a DFSA Regulated Entity such that the control exceeds 30% or 50% of the shareholding of the Regulated Entity, prior approval from DFSA will be required for such change. Where a person seeks to increase its control in a FSRA Regulated Entity such that the control exceeds 20% or 30% or 50% of the shareholding of the Regulated Entity, prior approval from FSRA will be required for such change.

In all cases, the national shareholding percentage should not be less than 60% of the capital of the banks incorporated in UAE. Natural persons owning this percentage must be citizens of UAE. The per-centage of ownership of the UAE citizens in a juridical person is calculated as per their shareholding in it.

There are no such restrictions on Regulated Entities operating in the DIFC or the ADGM however plea-se refer to our reponses in Query 24 regarding control related approvals from DFSA / FSRA as the case may be.

Persons who are foreign nationals cannot own more than 40% of the capital of the banks incorporated in mainland UAE.

There are no such restrictions on Regulated Entities operating in the DIFC or the ADGM however plea-se refer to our reponses in Query 24 regarding control related approvals from DFSA / FSRA as the case may be.

Yes. Please consider our responses to Queries 18 and 19 above.

The Central Bank has broad discretion under the Banking Law to impose a broad range of fines and penalties for breaches of its rules, regulations, circulars, guidelines and standards. These may include imposing fines, imposing restrictions and conditions on activities, requiring the violating bank to deposit funds with the Central Bank, or prohibiting designated individuals at banks from undertaking certain activities, and cancellation of license. There are a number of sanctions and penalties prescribed under the Banking Law that the Central Bank can impose on persons violating the Banking Law and the regu-lations framed thereunder.

For violations of its regulations, the DFSA and the FSRA may impose fines, censures, and penalties. The DFSA may also impose restrictions and conditions on a Regulated Entity’s license and operations.

Given the unprecedented pace of legal and regulatory reforms in the past 10 years, regulators (like the Central Bank) had been principally focused on adapting, and in some instances, establishing new en-forcement frameworks. However, this position seems to have shifted in the last couple of years and we have seen the Central Bank and other regulators in the DIFC and ADGM, implement a more aggressive enforcement agenda. The Central Bank has been particularly active in 2025, where in the first six months it issued penalties of over AED 340 million including an AED 10.7 million financial sanction on an exchange house, revoking the license of Gomti Exchange and imposed an AED 200 million fine on an unnamed exchange house for significant failures in its compliance with the AML laws. In the same mat-ter an unnamed branch manager also faced a fine of AED 500,000, and a prohibition on holding any position within any licensed financial institution in the UAE.

The DFSA and FSRA have also concluded a number of investigations in 2025, with more in the pipeline for 2026, involving a broad range of misconduct including (i) unlicensed financial service activities, of-fering shares without an approved prospectus, (ii) AML systems and controls failures, and controls for the prevention of market manipulation and (iii) misleading investors, potential investors, and the general public.

In recent years, the government and regulatory authorities have issued a number of new laws, regulati-ons and guidelines on a board range of issues including metal trading, terrorist financing, AML, fraud and cyber crimes (including cyber financial crimes), giving regulators and the Financial Intelligence Unit (the UAE’s financial crime regulator) a board range of powers to investigate crime and assist with pro-secuting perpitrators. It is expected that these powers will be exercise with an increased vigur in the coming years.

Under the Banking Law, the Central Bank requires disclosure of transactions with bank’s related parties. If the Central Bank is if the view that such transactions may adversely affect the depositors, it may direct the bank to allocate provisions or reduce exposure / prohibit further credit facilities. The Central Bank also mandates banks to have in place a resolution plan to address deficiency in financial position. Further the Central Bank has prescribed the Consumer Protection Regulations and the Consumer Pro-tection Standards that are to be followed by banks such as having strict internal controls, fraud detec-tion and prevention measures, adequate security systems.

The DFSA and the FSRA have specified Principles for Authorised Firms (Customer assets and money) which require a Regulated Entity to arrange proper protection for clients’ assets when the Regulated Entity is responsible for them. An essential part of that protection is that a Regulated Entity must pro-perly safeguard client money and client investments held or controlled on behalf of a client in the course of, or in connection with, the carrying on of business in or from the DIFC/ADGM as applicable. Further, a Regulated Entity is required to have in place adequate organisational arrangements to minimise the risk of the loss or diminution of client assets, or of rights in connection with client assets, as a result of, insolvency, fraud, poor administration, inadequate record-keeping or negligence.

In its ongoing efforts to modernize and further safeguard the banking system, the Central Bank issued the Recovery Plan Regulation (the Recovery Regulation) on 30 October 2023. The Recovery Regula-tion requires all Central Bank regulated banks, insurance companies, branches of foreign banks and insurance companies, and any other financial institution designated by the Central Bank; to have a credible recovery plan which can be quickly implemented in order to stabilize its financial position and overall viability in times of severe financial stress. The Recovery Regulation requires a recovery plan to include certain minimum information, including (but not limited to):

(i) executive summary setting out the key elements of the plan and a summary assessment of the overall recovery capacity;

(ii) governance aspects of the recovery plan and how it is integrated into the broader corporate governance, policies and processes of the bank;

(iii) range of recovery options that can be implemented to restore the viability of the bank;

(iv) overview of the preparatory arrangements the bank has taken or intends to take to improve their access to recovery options; and

(v) communication plan catered to all relevant stakeholders, internal and external, to deploy when implementing recovery options.

The Central Bank advises banks to view recovery plans as a key practical tool for crisis management and financial preparedness, and not merely as a compliance exercise. Banks are required to identify their potential recovery capacity taking into account appropriate scenario testing to evaluate the effec-tiveness of the recovery plan and introduce ongoing review and improvements. The Recovery Regula-tion emphasizes good corporate governance and recovery mechanisms such as capital issuances, restructuring, liquidity facilities and other measures that can be adopted at times of financial distress. In addition to internal systemic risks the recovery plan should also evaluate external vulnerabilities, includ-ing counterparty failure, general market and economic shocks, impact on key recourses and technolog-ical exposure.

Banks must undertake a comprehensive review of the recovery plan, particularly the recovery capacity, recovery indicators and their thresholds and scenario testing on (i) an annual basis for systemically important banks (as determined by the Central Bank), (ii) every two years for other banks and financial institutions, except where annual review is required by the Central Bank and (iii) upon the change in the bank’s legal or organisational structure, business model or financial condition, which could have a mate-rial effect on the recovery plan. The recovery plan must be submitted to the Central Bank on an annual basis and if the Central Bank concludes that the recovery plan has not undergone a comprehensive review as contemplated above, the bank must demonstrate that such review was not required. The Central Bank has the discretion to require a bank to revise its recovery plan in accordance with the instructions and timeframes required by the Central Bank. Breaches of the Recovery Regulation can result in the bank being subject to administrative / financial sanctions and supervisory action, including the Central Bank withdrawing, replacing or restricting the powers of senior management / board, ap-pointing interim management, imposing fines or barring individuals from the banking sector.

Regulated Entities operating in the DIFC are required to prepare and submit to the DFSA for review a recovery plan if it is authorised under its licence to carry on either or both of the following financial ser-vices (a) accepting deposits; or (b) managing a profit-sharing investment account where that account is received on an unrestricted basis (a PSIAu). The Regulated Entity shall designate a senior manager who will be responsible for leading, formulating and overseeing the recovery planning process, including providing to the DFSA any information relevant for the review of the recovery plan. The recovery plan shall be commensurate with the nature, complexity, interconnectedness, size and substitutability of the Regulated Entity’s DIFC operations, and set out the recovery measures the bank can take, as well as how and when it can take them. The DFSA has specified detailed requirements to be included in a recovery plan and similar requirements are placed on banks with respect to resolution plan.

The FSRA may require a Regulated Entity to prepare and submit to it for review an individual recovery plan and resolution plan for the Regulated Entity. In exercising this discretion, the FSRA will consider the risk profile of the Regulated Entity and the impact of its failure on the financial system. The recovery plan and the resolution plan shall include the information specified by the FSRA in the relevant regulati-ons and shall set out measures that would be taken by the Regulated Entity for the restoration of its financial position. The management of the Regulated Entity shall assess and approve the recovery plan and resolution plan before submitting it to the FSRA. A Regulated Entity shall update it recovery plans and resolution plans annually and after any change having a material effect.

The Banking Law gives the Central Bank new powers to intervene and implement recovery measures for banks, thus avoiding any localised or systemic failures in the banking system. In particular, the Cen-tral Bank has broad powers to require implementation (with our without the resolution of the sharehold-ers and creditors) of recovery measures (in theory these could include any recovery plans established under the Recovery Resolution), transfer of assets and liabilities, temporary stay and moratoria on legal and enforcement proceedings, impose capital and liquidity add-ons, terminate/replacing agreements and security interests (similar to the powers given to the bankruptcy court under the UAE Bankruptcy Law (Federal Law No. 51 of 2023)), a forced merger (with or without shareholder approval), mandate strategic and structural changes, replacing management and establish interim governance arrange-ments.

The DFSA and the FSRA provide for bail-in tools which apply to Regulated Entities as the case may be (but not to branches) including (i) the right to convert to shares, or (ii) reduce the principal amount of claims or debt instruments that are transferred under the sale of business tool. In our view, the DFSA or the FSRA will apply the bail-in tool based on the severity of the liquidity crisis and the impact such a liquidity crisis would have on the overall system.

The Central Bank mandates banks to maintain additional tier 1 capital and tier 2 capital for the purpose of loss absorbency. These capital instruments have to meet the criteria stated by the Central Bank inter alia under the capital instruments standards. Specialized banks with low-risk regulation and restricted licence banks may have different requirements with respect to capital for loss absorption.

The DFSA mandates Regulated Entity firms within its regulatory purview to hold and maintain a mini-mum amount of loss absorbing capacity (LAC). The amount of capital to be held for LAC by a Regula-ted Entity will be notified by the DFSA after considering the business model and other relevant parame-ters of the Regulated Entity. The FSRA prescribes that one of the criteria for including capital instru-ments as common equity tier 1, additional tier 2 or tier 2, should be their ability to absorb losses thereby including LAC within the overall capital framework.

A senior manager would qualify as an authorized individual for the purposes of the Banking Law. For the violation of CBAUE rules and regulations, the Central Bank may impose fines, conditions and re-strictions on the authorized individual at its discretion. The fines may be between AED 100,000 and AED 2 million. The Central Bank may prohibit the violating authorized individual from undertaking any designated function at the bank he works for, or any other bank.

At the time of writing, the UAE (and other Gulf nations) is subject to unprecedented security disruptions resulting from the US-Iran war. It is not clear when the current security situation will subside or the last-ing impact from the same, particularly on Dubai’s established banking and financial sector. As in previ-ous disruptions, the UAE government has been quick to respond. For example, in response to a down-turn in bank liquidity, on 17 March 2026, the Central Bank’s board approved a Financial Institutional Resilience Package (the Package) underpinned by record foreign exchange reserves exceeding AED 1 trillion and a monetary base cover ratio of 119%, with system-wide bank liquidity of close to AED 920 billion. The Package draws parallel the COVID-era Targeted Economic Support Scheme, and includes the following key highlights:

(i) Monetary policy measures: access reserve balances of up to 30% of the cash reserve require-ment, with term liquidity facilities available in both dirhams and US dollars;

(ii) Capital buffer relief: a temporary release of both the Countercyclical Capital Buffer (CCyB) and the Capital Conservation Buffer (CCB);

(iii) Liquidity and funding relief: a temporary relief has been granted on liquidity and stable funding ratios such as CCyB and CCB, giving banks greater operational flexibility to continue serving businesses and individuals without breaching regulatory thresholds;

(iv) Credit risk management: allowing bank the flexibility to postpone classification of loans to af-fected individual and corporate customers, thus preventing a cascade of NPL classifications;

(v) Additional support: the Central Bank has explicitly affirmed that banks must continue providing financing services to customers and the national economy.

Given the unpredictability of the ongoing security disruptions and their consequences (particularly for key sectors such as tourism, hospitality, air travel, logistics and real estate) it is likely that we will see a number of laws, regulations and other initiatives, which, like the Package, will be tailored to support the recovery of the business and wider national economy.