In relation to general financial services, the United Arab Emirates (UAE) operates three independent jurisdictions:

1. Mainland/onshore UAE (i.e. outside of the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) financial free zones (see below)) – The national services regulator for mainland UAE is the Central Bank of UAE (the Central Bank) established pursuant to the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Financial Institutions and Activities (Banking Law). Any bank (subsidiary, branch, representative office) is required to obtain a license from the Central Bank to operate in mainland UAE. Banks listed on any of the mainland exchanges in the UAE are also required to comply with the regulations framed by the Securities and Commodities Authority (SCA).
2. Financial free zones – UAE has two financial free zones (established under the provisions of the Federal Law No (8) of 2004, Regarding Financial Free Zones, and amending laws) being:
   1. the DIFC, where financial activities are regulated by the Dubai Financial Services Authority (DFSA), and
   2. the ADGM, where financial activities are regulated by the Financial Services Regulatory Authority (FSRA).

Each of the DIFC and the ADGM are considered separate legal jurisdictions (modelled on the English common law legal system) with their own laws, courts and financial services regulators. To operate in DIFC or ADGM, banks have to obtain activity-based licenses from DFSA or FSRA, as the case may be, after fulfilling the requirements specified (capitalization, prudential, operational). Our discussion is limited to DIFC and ADGM entities involved in general banking activities of accepting deposits and providing credit (Regulated Entity).

As per the Banking Law, the following activities trigger the requirement of a banking license:

1. Taking deposits of all types, including Shari’ah-compliant deposits;
2. Providing credit facilities of all types;
3. Providing funding facilities of all types, including Shari’ah-compliant funding facilities;
4. Providing currency exchange and money transfer services;
5. Providing monetary intermediating services;
6. Providing stored values services, electronic retail payments and digital money services;
7. Providing virtual banking services;
8. Arranging and/or marketing for licensed financial activities; and
9. Acting as a principal in financial products that affect the financial position of the licensed financial institution.

The board of directors of the Central Bank has the power to add or delete activities from the list.

The DFSA and the FSRA provide activity-based licensing with various categories of licenses depending upon the type of activity that a Regulated Entity seeks to undertake in the DIFC / ADGM as applicable. These licenses range from Category 1 licenses, which are the highest category of licenses through Category 4. Category 5 is specifically for Islamic business. To accept deposits, a Category 1 license is required and to provide credit, a Category 2 license is required from the DFSA or the FSRA as applicable. As with the Central Bank, regulated activities in the ADGM and DIFC would include the marketing and sale of securities, providing investment advice, dealing in products and investments (either as principal or agent), underwriting and placing financial products, offering and providing discretionary investment management services, marketing or selling funds (including the provision of investment advice), accepting deposits, providing credit, providing money services, arranging deals in investments, managing assets, managing a collective investment fund and advising on financial products.

The Central Bank provides licensing for conventional and Islamic banking. These are further licensed as retail, wholesale and specialized banks. For banks intending to perform limited activities only, the Central Bank may grant special licenses as Specialized Banks with Low-Risk Regulation or Restricted License Banks. Further, entities (other than licensed banks) intending to provide other types of financial products and/or services such as factoring and lease financing, will also require separate licenses and approvals from the Central Bank.

As mentioned above, as per DFSA and FSRA, different financial activities have different licensing requirements. Please refer to our responses to Query 2 above.

Please see our responses to Query 3 above. If an activity falls within the regulatory purview of another regulator, then approval from that regulator will also be required. Broker-dealer activities are regulated by the SCA and therefore a bank will require prior approval from the SCA to undertake broker-dealer activities.

Within the DIFC and the ADGM, a Regulated Entity holding a Category 1 license can, after obtaining endorsement(s) from DFSA/FSRA as the case may be for specific activities on its license, undertake activities permitted under Categories 2, 3A, 3, 3C, 3D and 4 (but not Category 5 i.e. Islamic financial institution managing an unrestricted profit-sharing investment account).

A Central Bank regulatory “sandbox” for the Central Bank licensed financial institutions is available as per the Central Bank Sandbox Conditions Regulation provided however that the following activities are not permitted to be undertaken under the regulatory sandbox: (i) taking deposits of all types; (ii) carrying out insurance activities in UAE; and (iii) acting as principal in financial products that affect the financial position of the person, as determined by the Central Bank. The Central Bank exercises wide supervisory powers over the regulatory sandbox.

The DFSA has the Innovation Testing License Programme, which is a regulatory sandbox for testing new products. The ADGM has the ADGM RegLab, a regulatory sandbox that allows fintechs to test their innovation in a controlled environment under the guidance of FSRA.

Issuance of crypto currencies (including algorithmic stable coins) within the UAE or to persons within the UAE requires prior approval from the Central Bank. Further, a licensed issuer may only issue Dirham Payment Tokens (as specified by the Central Bank) to persons resident in the UAE. A bank may not act as a crypto currency issuer, but may, subject to the licensing and other requirements, set up a subsidiary, affiliate or other related entity to perform this activity. The exclusive business of a crypto currency issuer who has been granted a license from the Central Bank shall be the performance of the crypto curency issuance.

Providing custody for crypto currencies within the UAE or to persons within the UAE requires prior approval from the Central Bank and the SCA.

On 9 March 2022, Dubai Law No 4 of 2022 Concerning the Regulation of Virtual Assets (the Virtual Asset Law) established the Dubai Virtual Asset Regulatory Authority (VARA). VARA’s authority includes regulating and licensing issuers, exchanges and custodial and management services providers. The Vitrual Asset Law requires licensing from VARA in order to undertake any activity relating to, amongst other things, crypto currencies, including the provision of (i) virtual asset platform operation and management services, (ii) services for the exchange between virtual assets and national or foreign currencies, (iii) services for the exchange between one or more forms of virtual assets, (iv) virtual asset transfer services, (v) virtual asset safekeeping, management or control services, (vi) services related to virtual asset wallets and (vii) services related to offering, and trading in, virtual tokens. There is still some ambiguity regarding the overlap between the authority of the Central Bank, the SCA and VARA, in connection with activities relating to crypto currencies and crypto assets generally.

To be able to offer a crypto currency in the DIFC, the crypto currency (defined by the DFSA as a Crypto Token) has to be recognized by the DFSA. The issuer of such crypto currency has to make an application to the DFSA for the recognition of the crypto currency. In the ADGM, FSRA permits only those crypto currencies (defined by the FSRA as Virtual Assets) which are accepted crypto currencies. A Regulated Entity seeking to use a crypto currency requires prior permission from the FSRA. The FSRA will provide permission to a Regulated Entity for each accepted crypto currency that it can use.

To be able to provide custody of crypto currency in the DIFC or the ADGM, prior permission from the DFSA or the FSRA as the case may be is required for the financial activity of ‘providing custody’.

Crypto assets are not considered as deposits. Currently there is no deposit insurance in the UAE.

The Central Bank requires custodians and services providers of crypto assets to hold capital based on the monthly average value of transactions undertaken. For payment token transfers transactions:

1. AED 10 million or above – regulatory capital required is minimum AED 3 million.
2. Below AED 10 million – regulatory capital required is minimum AED 1.5 million.

Further, the following would apply to crypto assets held by banks: (a) common equity tier 1 must be at least 7% of the risk weighted assets (RWA), (b) Tier 1 capital must be at least 8.5% of RWA, and (c) Total capital, calculated as the sum of tier 1 capital and tier 2 capital, must be at least 10.5% of RWA.

For DFSA and FSRA, a Regulated Entity’s capital requirement is 10% of its RWA. RWA are calculated as 12.5 multiplied by the sum of credit risk capital requirement, market risk capital requirement, operational risk capital requirement and if applicable the displaced commercial risk capital requirement (CVA risk capital requirement is added in case of FSRA regulated entities).

The process to obtain a bank license from the Central Bank commences with a preliminary meeting with the Central Bank, where an applicant’s proposed business model, proposed business plan, and a short summary of proposed actions and activities are discussed. After successful review, the Central Bank allows the applicant access to its online system to make an application to its the Licensing Division under the Banking Supervision Department. The applicant should be in the appropriate legal form and meet the criteria stipulated by the Central Bank, such as having in place a 3-year business plan and meeting the minimum capital requirements. Upon satisfaction of the Central Bank, an in-principle approval is granted and the applicant is required to fulfil the conditions in the in-principle approval letter within a year of the date of the letter. Upon fulfillment to the satisfaction of the Central Bank of the conditions set out in the in-principle approval letter, the final approval is granted.

A definite timeline cannot be given regarding the Central Bank approval. Usually, the process takes a few of months or longer. Further, please note that bank licenses are very rarely issued to foreign banks.

To obtain Category 1 and Category 2 licenses from the DFSA, an applicant has to file the Core Information Form along with the Banking and Lending Supplement, regulatory business plan, forms for authorized individuals, other prescribed information (accounts, financial projections, ISAE 3400 – The Examination of Prospective Financial Information) and policies (compliance, anti-money laundering). To obtain Category 1 and Category 2 licenses from the FSRA, the comprehensive General Information for Regulated Activities form, the Banking Business Supplement, and other information specified therein have to be filed with the FSRA (similar to what is filed with the DFSA). The application process with DFSA and FSRA typically takes a few months with multiple rounds of discussions with the regulators.

As per the Banking Law, licensed financial activities may only be carried on, in or from within the UAE as permitted under the Banking Law. In practice, cross-border activity from outside the UAE is often undertaken in the UAE such as lending to UAE based entities from outside the UAE and there have been no restrictions on such activities to date. However, the marketing or promotion of any licensed financial activities and/or financial products may only be carried on from within the State, in accordance with the provisions of the Banking Law and the rules and regulations framed thereunder.

In the mainland UAE, banks should be in the form of public joint-stock companies. Branches of foreign banks operating in the UAE are exempt from this requirement.

Within the DIFC and ADGM, any body corporate, including a limited liability partnership and a body corporate constituted under the law of a country or territory outside of the DIFC/ADGM, or a partnership may apply to become a Regulated Entity and undertake banking operations. A Regulated Entity must carry out their activities from a place of business within the DIFC or ADGM as the case may be.

The Central Bank requires the following:

1. Board of directors with a minimum of 7 and a maximum of 11 members, each with a maximum three-year renewable term. All members should be non-executive, of which at least one third must be independent members. A no-objection of the Central Bank must be obtained prior to the appointment, nomination or renewal of any board member or member of the senior management.
2. The board must meet at least six times a year and appoint a secretary to the board of directors who is not a member of the board.
3. A member of senior management may not hold a staff position in any other entity. A member of senior management may hold memberships in the boards of up to 2 non-bank entities outside the banking group.
4. In case of Islamic banking, there are additional requirements such as internal Shari`ah review and Shari`ah governance reporting, internal Shari`ah control committee, compliance with any direction or guidance issued by the Higher Shari`ah Authority with respect to its Shari`ah governance framework.

In addition to the above, banks will also be required to comply with additional requirements of the SCA as applicable to public joint stock companies.

As per the applicable DFSA and FSRA regulations, corporate governance functions have to be apportioned between the governing body and the senior management. There are various requirements to be met with respect to the organisation structure, risk management, compliance, internal audit, requirements for the governing body and the senior management. Further, there are licensed functions for which there must be functionaries. Certain functions are mandatory i.e. Senior Executive Officer, Finance Officer, Compliance Officer, and Money Laundering Reporting Officer.

The Central Bank has specified the following remuneration norms:

1. Board members should get annual fixed compensation and reimbursements of costs directly related to the discharge of their responsibilities.
2. For staff in control functions, the compensation must be predominantly fixed with variable compensation based on performance, but independent of the business lines. Annual total bonus for all staff must not exceed 5% of the bank’s net profit, and anything above that will require prior shareholder approval.
3. For senior management and material risk takers:
   1. A proportion of the total compensation must be performance-based with provision for reversal/claw back on realized risks and violations of laws or other policies, before compensation vests.
   2. Annual individual bonus – must not exceed 100% of the fixed proportion of total compensation. A bonus of up to 150% would require approval by the bank’s board. A bonus up to 200% would require approval by the bank’s shareholders.

As per the applicable DFSA and FSRA regulations, the governing body of a Regulated Entity must ensure that the remuneration structure and strategy are (i) consistent with the business objectives, strategies and the risk parameters, and (ii) the roles and functions of the employees. The governing body must provide to DFSA/FSRA, as applicable and relevant stakeholders, details of its remuneration structure and strategies to ensure they meet the regulatory requirements on an ongoing basis.

Yes, the UAE has implemented the Basel III framework with respect to regulatory capital. Banks that are classified as domestically systemically important banks (D-SIB) are required to hold additional capital buffers as notified to them. Further, the Central Bank’s minimum capital requirements are not applicable to locally incorporated restricted license banks.

Regulated Entities operating in the DIFC and ADGM also have to comply with Basel III requirements.

All banks must maintain a leverage ratio of at least 3%. Designated D-SIBs must maintain a leverage ratio of at least 3.5%. Within the DFSA, a global systemically important bank must maintain a leverage ratio of at least three percent plus 50% of the higher loss absorbency ratio as determined by the DFSA. The FSRA may at its discretion set a leverage ratio for D-SIBs that is higher than 3%.

Yes, the UAE has implemented the Basel III liquidity requirements, including LCR and NSFR. The Central Bank requires banks to maintain a minimum level of liquid assets to ensure their ability to sustain a short-term liquidity stress (both bank specific and market wide). Further, banks are also required to structure their funding profile to limit the impact of long-term market disruptions and avoid cliff effects. the Central Bank requires banks to comply with the following ratios at all times:

1. Eligible Liquid Assets Ratio
2. Liquidity Coverage Ratio; and
3. Net Stable Funding Ratio.

DFSA and FSRA mandate LCR and NSFR of at least 100% at all times.

The Banking Law provides for standing facilities made available by the Central Bank to licensed financial institutions to enable them to manage liquidity in accordance with the directions issued by the Central Bank. The Central Bank introduced the Dirham Monetary Framework following which the Central Bank provides standing credit facilities, being the Marginal Lending Facility and the Collateralized Murabaha Facility and liquidity insurance facility being the Contingent Liquidity Insurance Facility. When a (deposit-taking) bank is exposed to liquidity pressures or is subject to crisis management procedures, the Central Bank may provide loans to that bank, in order to stabilise and protect it. The Central Bank has the discretion to provide additional funding to the banking system in case of an emergency.

Banks shall provide the following reports: (i) interim financial reports (quarterly and semi-annual) reviewed by the external auditor to be provided within 45 days from the end of the quarter, (ii) annual financial reports audited by the external auditor within 90 days from the end of the financial year, and (iii) progressive quarterly and annual reports within the timelines mentioned above. These reports are to be signed by the authorized signatories of the bank.

As per the DFSA and the FSRA, a Regulated Entity must submit audited financial statements annually within four months of the financial year end.

Yes, consolidated supervision of a bank exists in the UAE. The Central Bank specifies a standard of corporate governance at the group level where the bank is a controlling shareholder. This covers, amongst others, establishing group level corporate governance framework, management structure, internal control framework, sharing of information and compliance.

The DFSA and FSRA specify a framework for managing group level risk of their Regulated Entities. They specify systems and controls inter alia for monitoring relationships within the group, compliance, funding, maintaining group capital requirements and group capital resources, and risk concentration limits.

Prior written approval from the Central Bank will be required where there is a direct or indirect change in the shareholding of a bank of 5% or more of the bank’s issued ordinary shares and financial instruments convertible into ordinary shares. This includes the situation where a person’s shareholding in a bank crosses the 5% threshold specified above. Prior written notification to the Central Bank will be required in certain instances, such as where a person acquires a shareholding of 1% or more in the bank or in relation to acquisition / divesture of voting rights in relation to significant or controlling shareholding as specified by the Central Bank.

Where a person seeks to increase control in a DFSA Regulated Entity such that the control exceeds 30% or 50% of the shareholding of the Regulated Entity, prior approval from the DFSA will be required for such a change. Where a person seeks to increase their control in a FSRA Regulated Entity such that the control exceeds 20% or 30%, or 50% of the shareholding of the Regulated Entity, prior approval from FSRA will be required for such change.

In all cases, the national shareholding percentage should not be less than 60% of the capital of the banks incorporated in the UAE. Natural persons owning this percentage must be citizens of the UAE. The percentage of ownership of the UAE citizens in a juridical person is calculated as on their shareholding in it.

There are no such restrictions on Regulated Entities operating in the DIFC or the ADGM; however, please refer to our responses in Query 20 regarding control related approvals from DFSA / FSRA as the case may be.

Persons who are foreign nationals cannot own more than 40% of the capital of banks incorporated in the mainland UAE.

There are no such restrictions on Regulated Entities operating in the DIFC or the ADGM; however, please refer to our responses in Query 20 regarding control related approvals from DFSA / FSRA, as the case may be.

Yes. Please consider our responses to Queries 14 and 15 above.

The Central Bank has broad discretion under the Banking Law to impose a broad range of fines and penalties for breaches of its rules and regulations. These may include imposing fines, imposing restrictions and conditions on activities, requiring the violating bank to deposit funds with the Central Bank, or prohibiting designated individuals at banks from undertaking certain activities, and cancellation of the license. There are a number of sanctions and penalties prescribed under the Banking Law that the Central Bank can impose on persons violating the Banking Law and the regulations framed thereunder.

For violations of its regulations, the DFSA and the FSRA may impose fines, censures, and penalties. The DFSA may also impose restrictions and conditions on a Regulated Entity’s license and operations.

Under the Cabinet Resolution No. (4) of 2018 Forming the Financial Restructuring Committee (Resolution), any financial institution may submit an application for financial restructuring to the financial restructuring committee formed under the Resolution subject to the satisfaction of the conditions mentioned under Article 6 of the Resolution such as current or projected financial difficulties, no cessation in payment or indebtedness for 30 days prior to the application, no ongoing preventive settlement/bankruptcy procedures and no financial restructuring in the past year. Thereafter, the restructuring will be undertaken as per the terms of the Resolution.

The UAE promulgated the Cabinet Resolution No. 94 of 2024 Concerning the Executive Regulation of the Financial Restructuring and Bankruptcy Law Promulgated by Federal Decree-Law No. (51) of 2023 (together, the Bankruptcy Law). A bank can submit an application for bankruptcy proceedings (including preventive settlement, restructuring or bankruptcy) to the Bankruptcy Department if it is unable to pay a debt of AED 5 million on the due date. Creditors of a bank can file an application with the Bankruptcy Department to initiate bankruptcy proceedings, provided the total debt that the bank is unable to pay is AED 10 million. The Bankruptcy Law provides that the Central Bank (not the Bankruptcy Court) shall be responsible for implementing the Bankruptcy Law for entities that are subject to its supervision (this would include banks, financial services providers and insurance companies).

Similar in scope to the Central Bank, the DFSA and the FSRA have regulations dealing with the resolution of Regulated Entities, including preparing a management approved resolution plan as per the regulations prescribed by the DFSA and the FSRA, respectively.

Under the Banking Law, the Central Bank requires disclosure of transactions with bank’s related parties. If the Central Bank is if the view that such transactions may adversely affect the depositors, it may direct the bank to allocate provisions or reduce exposure / prohibit further credit facilities. The Central Bank also mandates banks to have in place a resolution plan to address deficiencies in their financial position. Further, the Central Bank has prescribed the Consumer Protection Regulations and the Consumer Protection Standards that are to be followed by banks, such as having strict internal controls, fraud detection and prevention measures, and adequate security systems.

The DFSA and the FSRA have specified Principles for Authorised Firms (Customer assets and money) which require a Regulated Entity to arrange proper protection for clients’ assets when the Regulated Entity is responsible for them. An essential part of that protection is that a Regulated Entity must properly safeguard client money and client investments held or controlled on behalf of a client in the course of, or in connection with, the carrying on of business in or from the DIFC/ADGM as applicable. Further, a Regulated Entity is required to have in place adequate organisational arrangements to minimise the risk of the loss or diminution of client assets, or of rights in connection with client assets, as a result of insolvency, fraud, poor administration, inadequate record-keeping or negligence.

The DFSA and the FSRA provide for bail-in tools which apply to Regulated Entities as the case may be (but not to branches), including (i) the right to convert to shares, or (ii) reduce the principal amount of claims or debt instruments that are transferred under the sale of business tool. In our view, the DFSA or the FSRA will apply the bail-in tool based on the severity of the liquidity crisis and the impact such a liquidity crisis would have on the overall system.

In addition, please refer to our responses to Query 25 on the financial restructuring of banks.

The Central Bank mandates banks to maintain additional tier 1 capital and tier 2 capital for the purpose of loss absorption. These capital instruments have to meet the criteria stated by the Central Bank inter alia, under the capital instruments standards. Specialized banks with low-risk regulation and restricted licence banks may have different requirements with respect to capital for loss absorption.

The DFSA mandates Regulated Entity firms within its regulatory purview to hold and maintain a minimum amount of loss absorbing capacity (LAC). The amount of capital to be held for LAC by a Regulated Entity will be notified by the DFSA after considering the business model and other relevant parameters of the Regulated Entity. The FSRA prescribes that one of the criteria for including capital instruments as common equity tier 1, additional tier 2 or tier 2, should be their ability to absorb losses, thereby including LAC within the overall capital framework.

A senior manager would qualify as an authorized individual for the purposes of the Banking Law. For the violation of CBAUE rules and regulations, the Central Bank may impose fines, conditions and restrictions on the authorized individual at its discretion. The fines may be between AED 100,000 and AED 2 million. The Central Bank may prohibit the authorized individual from undertaking any designated function at the bank he works for, or any other bank.

The UAE is witnessing the increasing modernization of its banking regulation. Recently, the UAE introduced the Open Finance Framework, mandating the banks in the UAE to provide secure, standardized access to customer financial data and enable transaction initiation by third-party providers, all with the explicit consent of the customer. In 2025, the Central Bank proposes to launch the Digital Dirham aimed at modernizing payments and enhancing financial infrastructure. Recently, the Central Bank permitted the launch of Zand Bank, UAE’s first fully licensed, all-digital bank.

The Central Bank has taken various measures to ensure the sustained growth of fintech in UAE. In particular, the Central Bank introduced the Regulatory Sandbox regime for financial innovation and recently signed two separate MOUs with ADGM and DIFC to introduce a co-sandbox programme to enable fintech companies to test their innovative solutions under the existing sandbox programme.

​One of the biggest threats faced by the banking sector in the UAE is a significant rise in cybersecurity threats, driven by rapid digital transformation and the increasing sophistication of cybercriminals. The UAE Cyber Security Council reports intercepting over 200,000 cyberattacks daily, many targeting the financial sector. The Central Bank and the government of the UAE are taking steps to ensure the security of the banking system from cyber threats.​

Further, given the rapid pace of development, especially in the financial technologies area, the banking sector is undergoing a substantial shift, with a growing demand for skilled IT professionals. However, there is a significant shortage of skilled technical professionals in its banking and fintech sectors, which poses challenges to the rapid digital transformation and modernization efforts.