UAE Business Portal
Brent 82.4 ▲0.6% Gold $2 415 USD/AED 3.6725
Banks

New UAE Central Bank Law: Compliance Deadline 16 Sep 2026

Federal Decree-Law No. 6 of 2025 consolidates banking, insurance, payments and virtual-asset supervision under a single CBUAE framework. Fines rise five-fold, tech-enablers enter the perimeter, and the reconciliation deadline for regulated entities is 16 September 2026. What C-suite and compliance teams should do next.

Stylised image of a financial regulator and Abu Dhabi cityscape — visualising the UAE's new Central Bank Law and the 16 September 2026 compliance deadline

Common questions on this topic

What is Federal Decree-Law No. 6 of 2025 and when did it come into force?

Federal Decree-Law No. 6 of 2025 is the new UAE Central Bank Law. It was signed on 8 September 2025, published in the Official Gazette on 15 September 2025 and entered into force on 16 September 2025. It repeals and replaces Federal Decree-Law No. 14 of 2018 (the former Central Bank Law) and Federal Decree-Law No. 48 of 2023 (the Insurance Decree-Law), consolidating banking, insurance, payments and financial market infrastructures under a single framework.

Who exactly needs to comply by 16 September 2026?

Any entity carrying out a Licensed Financial Activity under CBUAE supervision — banks, insurance companies, payment service providers, exchange houses, finance companies, digital banks, VASPs, stablecoin issuers. Article 62 also brings emerging-technology providers into scope: DeFi platforms, DEXs, digital wallets, supporting blockchain infrastructure, API providers and technology enablers whose activity meets the Licensed Financial Activity criteria. The "function over form" principle means the technology used does not change the licensing analysis.

What are the penalties for non-compliance?

Two separate tracks. Licensed financial institutions in breach face administrative fines up to AED 1 billion (~USD 272.3 million), a five-fold increase from the AED 200 million ceiling under the 2018 law. Unlicensed activity — promoting or carrying out financial activity without a licence — carries an administrative fine starting at AED 1 million, and can be prosecuted criminally with fines from AED 50,000 up to AED 500 million and/or imprisonment.

We work with virtual assets / DeFi — what should we check before the deadline?

Three things. First, confirm whether your activity qualifies as a Licensed Financial Activity under the new definitions, especially payment services carried out via virtual assets (now a standalone activity aligned with the Payment Token Services Regulations). Second, review Article 62 scope — DeFi protocols, stablecoins, tokenised real-world assets, wallets and supporting infrastructure are covered when they cross into regulated territory. Third, if you provide technology or APIs to a licensed institution, verify whether you now sit inside the perimeter yourself and update contractual arrangements accordingly.

What if we can't meet the 16 September 2026 deadline?

Article 184 gives the CBUAE discretion to extend the reconciliation period for individual entities. That discretion is not automatic — an extension needs to be requested and substantiated with a credible remediation plan. The safer path is to engage early: the CBUAE's 60-day SLA on licensing decisions lets regulated and prospective-regulated businesses plan around a defined clock rather than an open-ended one.

Since 16 September 2025 the UAE financial sector operates under a rewritten rulebook. Federal Decree-Law No. 6 of 2025 replaced the 2018 Central Bank Law and the 2023 Insurance Decree-Law in one move. The one-year transition window closes on 16 September 2026 — just under two months away — and the perimeter of who counts as a "financial institution" is now materially wider than most compliance teams assumed.

What Federal Decree-Law No. 6 of 2025 changed

The President of the UAE signed the decree on 8 September 2025. It was published in the Official Gazette on 15 September and entered into force the next day, with Article 184 granting a one-year reconciliation period. On paper this looks like a housekeeping update. In practice it consolidates banking, insurance, payments and financial market infrastructures under a single supervisory framework — and it shifts the analytical starting point of Central Bank of the UAE (CBUAE) oversight. Full text is on the UAE Legislation Portal.

The new starting point is a "function over form" principle. If an activity qualifies as a Licensed Financial Activity, it falls under CBUAE supervision — regardless of the technology, medium or corporate wrapper carrying it out. Article 62 spells this out explicitly for emerging technologies: virtual assets, stablecoins, tokenised real-world assets, DeFi protocols and decentralised exchanges, digital wallets, cross-chain bridges, supporting blockchain infrastructure, technology providers and API layers are all in scope where their activity crosses into regulated territory.

As Norton Rose Fulbright notes in its overview, the law is less a rewrite of the 2018 framework than a full reset of how the UAE thinks about financial supervision — with a deliberate pivot toward technology-neutral rules.

Who's affected — and how deeply

The obvious list is long. Licensed banks, insurance companies, payment service providers, exchange houses, finance companies, digital banks, Virtual Asset Service Providers (VASPs) and stablecoin issuers all sit squarely within scope. Insurance companies are worth flagging separately — the repeal of Federal Decree-Law No. 48 of 2023 folds them into the same consolidated regime.

The less obvious list matters more. Under Article 62, providers of the infrastructure supporting Licensed Financial Activities — API vendors serving PSPs, wallet-layer technology firms, custody-adjacent tech providers, node operators, DEX front-end operators — need to check whether they now sit inside the perimeter. Companies that treated themselves as pure technology vendors under the previous framework should not assume the same conclusion holds.

Payment services carried out via virtual assets are now flagged as a standalone Licensed Financial Activity, aligned with the CBUAE's Payment Token Services Regulations. That closes a specific gap that had been the source of most "are we regulated?" debates over the past 18 months.

The penalty regime: two tracks, both sharper

Enforcement risk under the new law splits into two distinct tracks, and the distinction is worth internalising early. Addleshaw Goddard summarises the split clearly.

Track one — licensed institutions in breach. The maximum administrative fine rises from AED 200 million (~USD 54.5 million) under the 2018 law to AED 1 billion (~USD 272.3 million). A five-fold increase in the headline ceiling, matched by a risk-based approach to capital and prudential requirements.

Track two — unlicensed activity. Here the change is structural, not just numerical. Promoting or carrying out financial activity without a licence carries an administrative fine starting at AED 1 million, and can be prosecuted criminally with fines from AED 50,000 up to AED 500 million and/or imprisonment. The CBUAE's 60-day service-level commitment on licensing decisions cuts the other way too: it removes the "we couldn't get an answer" defence.

For tech-enablers who had operated in a grey zone, the second track is where the practical risk sits.

Compliance checklist before 16 September 2026

Two months is enough to close the perimeter question, but not enough to do it lazily. Six items belong on the C-suite agenda now.

1. Reassess the licensing perimeter. Map every revenue-generating activity against the Licensed Financial Activity definitions in the new law and the CBUAE Rulebook. The consolidated CBUAE Rulebook entry for Federal Decree-Law 6/2025 is the authoritative reference.

2. Refresh the governance framework. Board composition, risk committees, related-party rules and outsourcing policies should be re-checked against the new consolidated standards — not against 2018 muscle memory.

3. Update AML/CFT policies. The consolidation with the insurance regime and the express inclusion of virtual assets shifts the practical scope of financial-crime controls.

4. Review tech-provider and API contracts. If a counterparty now sits inside the perimeter but is not licensed, contractual risk allocation, service continuity and audit-rights clauses need to be revisited on both sides.

5. Align virtual-asset activities with the Payment Token Services Regulations. Anyone offering payment services via VAs should treat that alignment as a hard prerequisite, not a nice-to-have.

6. Book a pre-application meeting with the CBUAE if perimeter status is genuinely unclear. The 60-day licensing SLA lets regulated entities plan around a defined clock. Article 184 also gives the CBUAE discretion to extend individual reconciliation timelines where warranted — but that discretion is not a default position; a request needs to be substantiated.

What the new law means for businesses setting up in the UAE

For founders looking at the UAE as a base for a regulated financial business — a digital bank, a PSP, a VASP, an insurtech, a stablecoin issuer — the consolidation reads as good news. The map is cleaner. The lines between the CBUAE, the DFSA (Dubai International Financial Centre), the FSRA (Abu Dhabi Global Market) and VARA (Dubai's Virtual Asset Regulatory Authority) still matter, but the internal logic of what triggers a CBUAE licence is now more predictable than it was.

As Ashurst observes, the framework rewards operators who engage with the regulator early and structure their activities around defined Licensed Financial Activities rather than around technology labels.

Garant Business Consultancy DMCC advises regulated and prospective-regulated businesses on perimeter analysis, licensing strategy and compliance planning under Federal Decree-Law No. 6 of 2025. If the 16 September 2026 date is on your calendar and the checklist above surfaces open questions, that's the right conversation to have now — not in September.

Topics:BanksFinancial RegulationCBUAECompliance