UAE Central Bank Sets Responsible-AI Duties | TLY

AI Regulation Tracker  /  Regulator guidance

UAE Central Bank issues responsible-AI guidance setting five principles for licensed financial firms

The CBUAE told every UAE-licensed bank, insurer, and finance firm to deploy AI and machine learning under a documented governance framework built on five core principles. It is guidance, not a binding regulation, but it sets the supervisory expectation firms will be measured against.

UAE Central Bank issues responsible-AI guidance setting five principles for licensed financial firms regulation briefing
The Leveraged Years AI Regulation Tracker

The Central Bank of the United Arab Emirates has told every licensed bank, insurer, and finance firm in the country to put artificial intelligence and machine learning under a documented governance framework. In a guidance note dated February 23, 2026, the CBUAE set out five core principles for the responsible adoption and use of these technologies and said the guidance applies to all licensed financial institutions within its supervisory ecosystem.

What the guidance requires

The note, titled the Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions, sets five principles that the CBUAE describes as a reference for the optimal use of these technologies. They are governance and accountability, fairness and non-discrimination, transparency and explainability, effective human oversight, and requirements relating to data management and privacy. The Central Bank frames the guidance as a way to safeguard consumer rights, strengthen governance and transparency, and promote fair and sustainable practices.

The practical center of gravity is governance and accountability. As reported in coverage of the note, licensed institutions are expected to establish a documented AI governance framework proportionate to their size, integrate AI risk into enterprise-wide risk management, and hold boards and senior management directly accountable for AI outcomes. The word proportionate matters. A large retail bank running credit-scoring and fraud models will be held to a heavier standard of documentation and control than a small finance company using a single vendor tool, but neither is exempt. The Central Bank also positions human oversight as a standing principle rather than a one-time control, with supervisory expectations spanning procurement, development, deployment, and post-implementation monitoring. In practice that reaches third-party and vendor models as well as those built in-house, because the accountability sits with the licensed institution regardless of who wrote the code.

Consumer protection and human oversight

The consumer-protection framing is explicit in the title and the stated aims. The effective-human-oversight principle requires that a person, not a model alone, remains answerable for decisions that affect a customer. In the Central Bank's own words, Governor H.E. Khaled Mohamed Balama said the note "aims to establish a clear framework for the responsible use of artificial intelligence and machine learning in the financial sector, in a way that enhances consumer protection, reinforces governance and transparency principles, and emphasises the importance of human oversight and data protection requirements." For compliance teams, the operational reading is that a customer affected by an AI-driven decision should be able to reach meaningful human review, and firms should be able to explain how a model reached its result.

What it does not do

The note is guidance, not a binding regulation. It states supervisory expectations and a reference standard rather than creating a new licensing condition or a fixed penalty schedule on its own. It does not set a numeric compliance deadline in the announcement, and it does not replace existing consumer-protection, data, and risk obligations that already bind licensed institutions. Firms should read it as the standard against which supervisors will assess AI use, not as a safe harbor or a checklist that ends at launch. The absence of a hard deadline is not an invitation to wait, because the expectations attach to systems that are already live.

Why this matters beyond the UAE

For a US firm, the direct legal reach is limited to entities licensed by the CBUAE, including UAE branches and subsidiaries of foreign banks and insurers. The wider significance is directional. The UAE is aligning financial-sector AI supervision with the same five themes appearing in other regimes, from governance and human oversight to explainability and data protection. A US institution with a UAE presence will need to meet this standard locally, and a US compliance team can read the note as a preview of where principle-based AI supervision is converging across major markets.

The through-line is that AI in UAE financial services is now a supervised activity with a named accountability chain. The firms best placed under this guidance are the ones that can show a documented framework, a clear human owner for AI-driven decisions, and evidence that the five principles are applied across the model lifecycle rather than asserted at the point of launch. The reasonable planning assumption is that supervisors will ask to see that evidence at the next examination, so the useful work is to close the gap between systems already in production and the governance record that now sits behind them.

Frequently Asked Questions

What did the CBUAE change?

On February 23, 2026, the CBUAE issued a guidance note setting five core principles for how licensed financial institutions adopt and use AI and machine learning: governance and accountability, fairness and non-discrimination, transparency and explainability, effective human oversight, and data management and privacy. It states supervisory expectations across the AI lifecycle.

Who is affected?

All CBUAE-licensed financial institutions in the UAE, including banks, insurers, and finance companies, along with their compliance, model-risk, data, and technology functions. UAE branches and subsidiaries of foreign firms fall within scope where they hold a CBUAE license.

Is the guidance binding, and is there a deadline?

It is guidance, not a binding regulation, and the announcement does not set a fixed compliance deadline. It states the standard supervisors are expected to apply, so firms should treat it as the operating expectation for AI use rather than an optional framework.

Do consumers get a right to human review of AI decisions?

The guidance makes effective human oversight one of its five principles and centers consumer protection. In practice this points toward keeping a human answerable for AI-driven decisions that affect customers. The specific mechanics of any consumer request for human review should be confirmed against the full text on the CBUAE rulebook.

What should a firm do first?

Inventory the AI and ML systems already in use, then build or document a governance framework proportionate to the firm's size that assigns board and senior-management accountability and preserves human oversight, checking each system against the five principles.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.