UAE Open Finance: CBUAE Requirements, Timelines & Compliance Guide (2025–26)
- Akhil Rao
- Dec 10
The UAE is building one of the most ambitious open finance ecosystems in the world. Instead of limiting the scope to “open banking”, the country is creating a unified, API-driven environment that covers banking, payments, finance companies, exchange houses, insurance providers, and fintechs under a single national framework.

This shift is driven by the Central Bank of the UAE (CBUAE), supported by a new national Open Finance platform operated through Nebras, and aligned with the country’s broader Financial Infrastructure Transformation (FIT) programme.
For banks, insurers, fintechs, and payment companies, the next two years are decisive. Compliance is mandatory, timelines are aggressive, and the strategic opportunities are significant.
This article provides a clear overview of everything you need to know.
1. What Open Finance Means in the UAE
Open finance in the UAE is the regulated ability for customers to securely share their financial data and initiate transactions through accredited third-party providers, using standardised APIs. What makes the UAE model unique is:
1.1 The Scope Is Broader Than Traditional Open Banking
It covers:
- Banks (conventional and Islamic)
- Finance companies
- Payment service providers
- Stored value facilities
- Exchange houses
- Insurance companies and brokers
This integrates open banking + open finance + open insurance into one regulatory framework.
1.2 Centralised Infrastructure
Instead of bilateral integrations, the UAE uses:
- A national API Hub
- A central Trust Framework
- A single consent and authorisation system
- A unified onboarding and governance model
This reduces complexity and ensures that every participant—banks, insurers, and TPPs—operates within the same technical and security standards.
1.3 Customer Control and Strong Consent Rules
Data sharing is permission-based, time-bound, purpose-bound, and transparent. Screen scraping is not permitted, and only regulated APIs can be used.
2. Regulatory Foundation
The CBUAE has issued a comprehensive Open Finance Regulation that sets out:
- Who must participate
- Licensing categories
- Data-sharing rules
- API requirements
- Governance, risk, and compliance expectations
- Privacy, security, and consent policies
- Interactions with the Trust Framework and the national API Hub
Every in-scope institution must comply with the Regulation for relevant products and services.
3. Key UAE Open Finance Timelines (2024–2026)
2024: Foundation Phase
- Open Finance Regulation comes into force.
- Initial versions of the open finance technical standards become available.
- Early banks and insurers start integration work with the national API platform.
2025: Integration and Scaling
- Open Finance requirements are embedded into the supervisory rulebook.
- More financial institutions onboard to the API Hub.
- Widening of API coverage for banking, payments, and insurance.
- Initial production flows and early TPP integrations begin.
2026: Full Rollout and Operationalisation
- All in-scope entities are expected to be connected to the API Hub.
- Open finance becomes part of business-as-usual operations.
- The broader FIT programme (instant payments, domestic card scheme, CBDC platform) aligns with open finance capabilities.
- Institutions must align open finance with the new CBUAE supervisory law, which has a transition period ending in 2026.
This sequencing makes 2025–2026 the critical execution window.
4. Who Must Comply
Participation is mandatory for:
- Banks (local and foreign branches)
- Islamic banks
- Finance companies
- Payment service providers
- Retail payment service providers
- Stored value facility providers
- Exchange houses
- Insurance companies
- Insurance brokers
- Certain crowdfunding and financing providers
Entities in DIFC/ADGM that wish to operate onshore must obtain the appropriate approval or licence.
5. Licensing Model: Open Finance Provider and Deemed Licensees
The Regulation introduces an Open Finance Provider licence for companies that wish to access and use API-based data or initiate services.
Two categories exist:
5.1 Deemed Licensees
Institutions already licensed by the CBUAE (for example, banks or PSPs) are eligible, but must obtain explicit approval before conducting open finance activities.
5.2 New Open Finance Providers (Fintechs)
Fintechs, aggregators, and technology companies must apply for an Open Finance Provider licence and satisfy requirements related to:
- Governance
- Capital
- Security
- Data protection
- Insurance coverage
- Localisation and operational presence
6. Core Components of the UAE Open Finance Framework
6.1 Trust Framework
A national system that sets:
- Identity and certificate management
- API security requirements
- Accreditation rules
- Participant directory
- Operational governance
This framework ensures trust and interoperability.
6.2 API Hub
A single gateway through which third-party providers connect to all participating institutions. It standardises:
- API specifications
- Consent flows
- Callback and notification structures
- Monitoring, logging, and throttling
- Error codes and version control
6.3 Common Infrastructural Services
These include:
- The central consent manager
- Directory services
- Logging and audit trails
- Performance monitoring tools
7. What the CBUAE Requires from Institutions
Below is a simplified breakdown.
7.1 Technical and API Readiness
Institutions must:
- Implement the national open finance API standards
- Provide secure, consistent endpoints for in-scope products
- Integrate with the API Hub using approved connectors
- Maintain high availability, performance, and error handling
- Support secure customer journeys for consent and authorisation
7.2 Customer Experience and Consent
Institutions must ensure:
- Clear explanation of what data is shared and why
- Time-bound, purpose-bound consent
- Ability for customers to revoke access instantly
- A consistent mobile and web experience
7.3 Data Governance
Rules include:
- Data minimisation
- Purpose limitation
- No further sharing of data obtained from another provider
- Detailed logs and audit trails
- Strong customer authentication
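One way to enforce the consent and data-governance rules in 7.2 and 7.3 at the point where data leaves the institution, as an added example that is not taken from the CBUAE standards or from this article's author. The `Consent` record, its field names, the decision strings and the sample values are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Consent:                         # hypothetical record, not a CBUAE schema
    consent_id: str
    tpp_id: str                        # provider the customer authorised
    purpose: str                       # purpose-bound: one stated purpose
    data_fields: frozenset             # data elements the customer agreed to share
    expires_at: datetime               # time-bound
    revoked_at: Optional[datetime] = None

def authorise(consent, tpp_id, purpose, now):
    """Return (allowed, reason). Any failed check denies the request."""
    if consent.revoked_at is not None:
        return False, "revoked"        # revocation takes effect immediately
    if now >= consent.expires_at:
        return False, "expired"
    if tpp_id != consent.tpp_id:
        return False, "tpp_mismatch"   # assumption: consent is tied to one provider
    if purpose != consent.purpose:
        return False, "purpose_mismatch"
    return True, "ok"

def release(consent, tpp_id, purpose, record, now, audit_log):
    """Gate one data request: check consent, minimise the payload, log the decision."""
    allowed, reason = authorise(consent, tpp_id, purpose, now)
    payload = None
    if allowed:                        # data minimisation: consented fields only
        payload = {k: v for k, v in record.items() if k in consent.data_fields}
    audit_log.append({
        "ts": now.isoformat(), "consent_id": consent.consent_id, "tpp_id": tpp_id,
        "purpose": purpose, "decision": reason,
        "fields_released": sorted(payload) if payload else [],
    })
    return payload

# Constructed sample data
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
CONSENT = Consent("c-001", "tpp-budget-app", "budgeting",
                  frozenset({"balance", "currency"}),
                  expires_at=datetime(2025, 9, 1, tzinfo=timezone.utc))
ACCOUNT = {"balance": "1520.75", "currency": "AED",
           "iban": "AE-CONSTRUCTED-0001", "employer": "Example LLC"}

if __name__ == "__main__":
    log = []
    print(release(CONSENT, "tpp-budget-app", "budgeting", ACCOUNT, NOW, log))
    print(release(CONSENT, "tpp-budget-app", "credit_scoring", ACCOUNT, NOW, log))
    print(log[-1]["decision"])
```

Denied requests are logged as well as granted ones, so the audit trail shows every attempt to use a consent outside its terms.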
7.4 Security and Operational Resilience
Institutions need:
- mTLS connections
- PKI and certificate management
- API-level security and throttling
- Incident detection and reporting
- Continuous monitoring
8. Strategic Opportunities for Banks and Fintechs
Aside from compliance, open finance unlocks new capabilities.
8.1 Real-Time Data Products
- Customer 360 views
- Open finance-powered credit scoring
- Cash flow forecasting
- SME financial health monitoring
8.2 Payment Initiation and Embedded Finance
- Account-to-account payments
- Subscription management
- Retail and SME payment orchestration
8.3 Insurance Innovation
- Personalised coverage
- Data-driven underwriting
- Real-time claims assistance
8.4 AI-Driven Financial Copilots
With reliable API data, institutions can launch:
- RM copilot tools
- PFM and BFM dashboards
- Risk engines
- Fraud and anomaly detection
Open finance becomes the data layer that powers AI.
9. Readiness Checklist for 2025–2026
A concise list for quick assessment:
Regulatory
- Confirm licensing path (deemed or new licence).
- Map in-scope products and services.
- Align open finance with AML, cyber, and data laws.
Technology
- Implement API Hub connectivity.
- Deploy consent flows into digital channels.
- Ensure ISO 20022 alignment for payments where relevant.
Data & Security
- Set up audit logs, monitoring, and revocation controls.
- Apply strict data minimisation practices.
- Integrate SCA and mTLS.
Operations
- Create an open finance operations team.
- Set internal SLAs for API reliability.
- Train staff and build TPP partnership processes.
How PaymentLabs Supports UAE Open Finance
PaymentLabs provides banks, insurers, PSPs, and fintechs with:
- Architecture blueprints for Open Finance compliance
- API readiness assessments
- ISO 20022-native data models
- Sandbox modules for consent flows, analytics, fraud scoring, and RM copilots
- Testing harnesses for API Hub integrations
- AI-driven customer intelligence tools
We help institutions move beyond minimum compliance and unlock the revenue potential of Open Finance.

