Compliance is not a constraint applied at the end of design; it is the substrate on which a UAE bank stands. The sooner you can name the rules, the sooner you can design with them rather than around them.
A senior designer joining ENBD will hear one acronym often: CBUAE, the Central Bank of the United Arab Emirates. The CBUAE is the prudential and conduct regulator for banks, finance companies, exchange houses, payment service providers, and increasingly the technology that underpins them. Its remit covers safety and soundness, market conduct, consumer protection, anti-money laundering, payment systems, and the licensing of new categories like stored value facilities and retail payment services.
The CBUAE is not the only authority that touches the work. Federal laws on data protection and anti-money laundering apply across the Emirates. Free-zone regulators (the DFSA in DIFC and the FSRA in ADGM) cover institutions licensed there. Securities regulators (the SCA federally, and the financial-services authorities in the free zones) oversee parts of the wealth shelf. Identity infrastructure, like UAE Pass, is run separately again. The map is not complicated once you draw it, but the first month of work usually involves drawing it.
Where regulation actually shows up in design
It is tempting to treat regulation as a list of disclosures buried at the bottom of a screen. The reality is more interesting. Regulation governs the structure of journeys, not only their copy. The order in which you ask for consent, the way you confirm a beneficiary, the time you make a customer wait before a first transfer, the language a customer uses to read their statement, the channel used for one-time passwords: each of these is an answer to a regulatory expectation. Good design absorbs the rule into the experience until a reviewer cannot tell the seam.
The UAE regulatory map
Primary law: CBUAE Law 2025
The current banking framework, anchored in Federal Decree Law No. 14 of 2018 and updated through Decretal Federal Law No. 23 of 2022. Sets the perimeter for licensed banks, payment service providers, and stored value facilities, with a phased application that the industry refers to as the 2025 framework.
Conduct rules: CPR and CPS
The Consumer Protection Regulation and Standards (CPR/CPS) issued by the CBUAE in 2021. They cover disclosure, fair treatment, complaints, vulnerability, charges, suitability, marketing, and electronic banking. Most of the visible UX rules in the app trace back to this document.
Financial crime: AML Decree 20 / 2018
Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism. Underpins know-your-customer rules, sanctions screening, transaction monitoring, beneficial ownership disclosures, and reporting obligations to the FIU.
Digital identity: UAE Pass
The federal digital identity, jointly run by ICA, TDRA, and Smart Dubai. Used for sign-on, document signing, and identity verification in onboarding flows. A growing share of customer-facing journeys lean on it; expect that share to grow further.
Instant payments: Aani
The CBUAE-led instant payment platform launched in 2023, run by Al Etihad Payments. Mobile and Emirates ID-based addressing, twenty-four-hour settlement, request-to-pay, and a clear path to a richer payments experience over the coming years.
Data sharing: Open Finance
The CBUAE Open Finance regulation establishes a federal framework for account data and payment initiation across banks and licensed third parties. Phased rollout, with consent management, dispute handling, and dashboards required of every participant.
Data protection: PDPL
Federal Decree Law No. 45 of 2021 on the Protection of Personal Data. Defines lawful bases, consent quality, subject rights, breach notification, and data transfers. Free zones run their own regimes, but PDPL is the federal floor.
Virtual assets: VARA
The Virtual Assets Regulatory Authority of Dubai. Licenses crypto-related activity in the emirate. Banks generally do not deal in regulated virtual assets directly but their customers do, and that intersection drives screening, communications, and risk-disclosure work.
Consumer protection in everyday detail
The CBUAE Consumer Protection Regulation and Standards, often referred to inside the bank as CPR and CPS, is the document that touches design most directly. It requires plain-language disclosures of charges, fees, and rates. It governs how marketing claims must be substantiated. It defines vulnerable customers and the additional care owed to them. It sets expectations for complaints handling, including timeframes and channels. It mandates clear, prominent disclosure for cooling-off periods on certain products. As a designer, the CPR is your friend: it gives you the ammunition to argue for clarity over cleverness in almost any review.
Anti-money laundering and the shape of onboarding
AML is why onboarding looks the way it looks. The bank must verify identity, screen against sanctions and politically exposed persons lists, understand the source of funds for many products, and document beneficial ownership for entities. None of that is optional. The design challenge is to keep the friction proportionate: a simple savings account does not need the same documentation as a non-resident wealth account, but the difference must be drawn carefully. The Financial Action Task Force grey list assessment of the UAE in recent years has heightened expectations, and designers should expect more, not fewer, controls in the years ahead.
Open Finance changes the equation
The CBUAE Open Finance regulation, rolling out in phases, gives customers the right to share their data with licensed third parties and to initiate payments through them. It is the single most consequential rule for the bank's app strategy in this decade. The work it implies is large: a consent dashboard that customers can read and control, dispute flows that work across firm boundaries, fraud telemetry that holds up across delegation, and a coherent voice that explains the new rights without sounding like a press release. Open Finance is the rare regulatory shift that creates as much design work as it does compliance work.
The map of regulation in the UAE is not static. New circulars land regularly, often with quiet effective dates and serious teeth. The right reflex for a designer is to subscribe to the CBUAE bulletins and to ask, before scoping any new initiative, what circular has shipped in the last quarter that touches it.
Reflections
Pick one CPR/CPS article and design a single screen that absorbs it without referencing the article number. What do you remove, what do you reorder?
Imagine an Aani-first transfer flow. What does it replace and how does it explain itself to a customer who has been using IBAN-based transfers for years?
How would you communicate Open Finance consent to a customer in a way that is honest about scope without being frightening?