Skip to content

UAE Consumer AI

UAE Consumer AI illustration

The CBUAE Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E. is the supervisory instrument this framework operationalizes. It was issued by the Central Bank of the UAE (CBUAE) on 23 February 2026. It sets out how onshore UAE licensed financial institutions (LFIs) are expected to govern and operate AI and ML that can affect consumers — from board accountability and model governance through fairness, transparency, human oversight, monitoring, and consumer redress.

Modulos models the guidance note as two paired framework templates: OFF-21 for institution-wide governance and MFF-21 for per-use-case execution. This page orients you on what the note covers, how the templates are structured, and where to go next.

Quick decision — is this framework for you?

  • You are a CBUAE-supervised, onshore UAE LFI using or planning AI/ML that touches consumers → this is your framework. Start with Scope and governance to confirm the perimeter and stand up the governance foundation.
  • You operate in the DIFC or ADGM free zone → this framework does not apply to you; those are separate DFSA and FSRA regimes. See the note in Scope and governance.
  • You already run ISO/IEC 42001 or an EU AI Act programme → treat UAE Consumer AI as the CBUAE consumer-protection overlay. Its control substance reuses controls you may already operate; the UAE-exclusive controls are what is new.
  • You have no structured AI governance yet → many UAE LFIs run no ISO 42001 today, so OFF-21 / MFF-21 may be your first structured AI programme in Modulos. The operationalizing playbook is the fastest route in.
  • You need to record which conditional duties apply → third-party AI and consumer-redress duties are conditional; see Consumer redress and third-party AI.

TL;DR

  • The CBUAE Guidance Note (CBUAE, 23 February 2026) is supervisory guidance for onshore UAE LFIs, anchored to CBUAE's existing Model Management Standards (MMS). It supplements — it does not replace — applicable UAE law and CBUAE directives.
  • Scope: CBUAE-supervised licensed financial institutions in the onshore (federal) UAE, for AI/ML uses that can affect consumers. DIFC (DFSA) and ADGM (FSRA) free zones are out of scope.
  • The note runs ten sections — definitions; governance and accountability; fairness and non-discrimination; transparency and explainability; data quality, privacy and security; continuous monitoring and review; human oversight and consumer protection; integration with existing frameworks; outsourcing and third-party risk; and ethical collaboration and innovation.
  • Modulos models it as two templates: OFF-21 (org, 16 requirements, ORF-423ORF-438) and MFF-21 (app, 10 requirements, MRF-397MRF-406) — 26 requirements in total. It adds 22 UAE-exclusive controls (MCF-637MCF-642, OCF-340OCF-355) and reuses a large body of shared controls.
  • Applicability is not tag-driven and has no dedicated questionnaire: the perimeter is set by ORF-423, and a few conditional duties carry explicit Applicability sections in their requirement text.

Primary source

CBUAE, Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E., published 23 February 2026, Central Bank of the United Arab Emirates. Official text: rulebook.centralbank.ae. Always verify claims against the current published edition.

Key facts
Publisher
CBUAE (Central Bank of the UAE)
Published
23 February 2026
Type
Supervisory guidance note (financial sector)
Scope
Onshore UAE licensed financial institutions using AI/ML in consumer-affecting contexts
Structure
10 sections, governance through redress, anchored to MMS
Modulos templates
OFF-21 (org) + MFF-21 (app)

What is the CBUAE Guidance Note?

The CBUAE issued the guidance note to address a specific problem: LFIs are adopting AI and ML in ways that reach consumers — credit and insurance decisions, chatbots, pricing, profiling, fraud detection — while existing consumer-protection and model-governance rules were written before these techniques were widespread. Rather than create a new legal regime, the note extends CBUAE's existing framework. It repeatedly references the Model Management Standards (MMS) — CBUAE's model-governance standard — as the anchor for validation, monitoring, and challenge, and it ties consumer duties back to the Consumer Protection Regulation and its Standards. Its closing position is explicit: the note supplements, and does not replace, applicable UAE laws and CBUAE directives, and LFIs remain fully responsible for their legal and regulatory compliance.

The note is proportionate rather than one-size-fits-all: obligations scale with the materiality and consumer impact of each AI use. A back-office model with no consumer effect carries a lighter load than one that makes or informs a high-impact decision — defined in the note as a determination that materially affects a customer's access to a financial product or service, such as a loan application or an insurance claim.

For institutions with an existing AI governance programme, the note maps onto familiar structures (board accountability, model inventory, risk rating, monitoring). For institutions without one, it functions as a first structured AI programme, which is why Modulos ships it as a full org-plus-app template pair.

What counts as in scope

The scope is set by two boundaries, both drawn tightly.

BoundaryIn scopeOut of scope
Supervisory perimeterCBUAE-supervised licensed financial institutions operating in the onshore (federal) UAEDIFC (regulated by the DFSA) and ADGM (regulated by the FSRA) financial free zones
AI/ML useAI and ML uses that can affect consumers — decisions, treatment, or the operational processes behind themUses with no plausible consumer effect (still governed generally, but outside the note's consumer-protection focus)

The free-zone exclusion is deliberate and material. The DIFC and ADGM are not minor local variations of the CBUAE regime — they are separate supervisory authorities with their own data-protection and conduct rules. Modelling them behind the same templates would misrepresent both. The note's own definitions section fixes the vocabulary the rest of the framework uses:

TermMeaning in the note
AIArtificial intelligence — systems performing tasks that would otherwise require human intelligence.
GenAIGenerative AI — models that understand and generate content such as text, audio, and images.
MLMachine learning — systems that learn patterns from data rather than being explicitly programmed.
High-impact decisionA determination materially affecting a customer's access to financial products or services (e.g. a loan or an insurance claim).
MMSCBUAE's Model Management Standards — the existing model-governance standard the note is anchored to.
LFILicensed financial institution supervised by the CBUAE.

→ Deep dive: Scope and governance — the perimeter, the governance foundation, accountability, the AI/ML inventory and risk rating, consumer-impact governance, the model-governance anchor, and industry engagement.

How the framework is structured in Modulos

Modulos splits the note into institution-wide governance (OFF-21) and per-use-case execution (MFF-21).

TemplateProject typeHoldsRequirements
OFF-21 — UAE Consumer AI (org)OrganisationScope, accountability, inventory and risk rating, consumer-impact governance, the principle families, data/model/monitoring/incident governance, third-party governance, consumer redress, supervisory readiness, proactive fraud detection, and industry collaboration16 (ORF-423ORF-438)
MFF-21 — UAE Consumer AI (app)AI applicationDeployment validation and risk rating, data handling, fairness testing, explainability, oversight execution, logging, monitoring, incident response, third-party assurance, and consumer communication support10 (MRF-397MRF-406)

The 26 requirements group into four coverage domains, each with its own topic page. Every org requirement (ORF-423ORF-438) and app requirement (MRF-397MRF-406) has a home below.

1. Scope and governance

The foundation: confirming the CBUAE onshore perimeter and in-scope uses (ORF-423), the documented governance framework and board/senior-management accountability (ORF-424), the AI/ML inventory and risk-rating process including third-party-hosted models (ORF-425), consumer-protection impact governance (ORF-426), the model-governance and independent-challenge anchor (ORF-431), and the encouraged industry-collaboration duty (ORF-438). On the app side, the use-case deployment validation, update testing, and risk rating live in MRF-397.

→ Deep dive: Scope and governance.

2. Fairness, transparency, and oversight

The three consumer-protection principle families, each split across an org governance requirement and an app execution requirement: fairness and non-discrimination (ORF-427 / MRF-399), transparency and explainability (ORF-428 / MRF-400), and human oversight and escalation (ORF-429 / MRF-401).

→ Deep dive: Fairness, transparency, and oversight.

3. Data, models, monitoring, and remediation

The operational backbone: data quality, privacy, and security (ORF-430 / MRF-398), model validation and the deployment boundary (ORF-431 / MRF-397), logging and traceability (ORF-436 / MRF-402), continuous monitoring and outcome review (ORF-433 / MRF-403), incident and remediation response (ORF-434 / MRF-404), and the proactive use of AI to detect fraud and financial crime (ORF-437).

→ Deep dive: Data, models, monitoring, and remediation.

4. Consumer redress and third-party AI

The conditional duties: third-party and outsourced AI dependency governance and assurance (ORF-432 / MRF-405), and consumer human review, complaints, redress, and communication support (ORF-435 / MRF-406) — plus how the platform records applicability without a scoping questionnaire.

→ Deep dive: Consumer redress and third-party AI.

How UAE Consumer AI compares to other frameworks

Cross-framework mapping (preview)

A detailed control-by-control mapping is in preparation. At a high level, UAE Consumer AI sits alongside — rather than duplicates — the frameworks LFIs commonly run:

  • UAE AI Ethics — the UAE's general, federal, principle-based responsible-AI guidance. UAE Consumer AI is the narrower, sectoral supervisory layer for CBUAE-supervised institutions. Run the ethics principles as the general posture and this note as the concrete financial-sector expectations. See UAE AI Ethics.
  • MAS FEAT — the Monetary Authority of Singapore's fairness, ethics, accountability, and transparency principles for financial-sector AI. Comparable in intent; the CBUAE note is more prescriptive and ties to MMS and the Consumer Protection Regulation. See MAS FEAT.
  • ISO/IEC 42001 — a certifiable AI management system. UAE Consumer AI can act as the CBUAE consumer-protection overlay inside an ISO 42001 AIMS. See ISO 42001.
  • EU AI Act — product-safety-style obligations. Overlaps at the control level (fairness, transparency, oversight, logging), not at the article level; the CBUAE note is a supervisory guidance instrument, not a regulation with tiered prohibitions.

In Modulos this reuse is realised at the control layer: the same control objects behind OFF-21 / MFF-21 are reused by other framework templates, so evidence recorded once can serve multiple frameworks. This preview does not assert clause-by-clause equivalence to any instrument.

Full side-by-side: AI governance frameworks comparison.

How Modulos operationalizes UAE Consumer AI

The two templates are designed to run together: OFF-21 sets institution-wide policy and posture once, and each MFF-21 project produces the per-use-case execution evidence that shows the policy is actually met for a given AI system.

  • OFF-21 — UAE Consumer AI (org) — one organisation project. 16 requirements (ORF-423ORF-438), each mapped one-to-one to a UAE-exclusive org control (OCF-340OCF-355) plus reused shared controls.
  • MFF-21 — UAE Consumer AI (app) — one AI-application project per in-scope use case. 10 requirements (MRF-397MRF-406); six carry a UAE-exclusive app control (MCF-637MCF-642), and the fairness, explainability, oversight, and logging requirements run on shared controls.

Each requirement is evidenced through a readiness signal plus owner-attested fulfilment — not through reviews, which are reserved for control status changes. All binding CBUAE language is anchored in the requirement text; the reused shared controls carry no UAE-specific wording.

→ Full rollout: Operationalizing UAE Consumer AI in Modulos — project structure, the requirement-to-pillar mapping table, the control library banding, the rollout sequence, and the evidence model.

Getting started

Frequently asked questions about UAE Consumer AI

What is the CBUAE Guidance Note on AI and ML for licensed financial institutions?

It is a guidance note issued by the Central Bank of the UAE (CBUAE) on 23 February 2026, titled Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E. It sets out CBUAE's supervisory expectations for how onshore UAE LFIs govern and operate consumer-affecting AI and ML: governance and accountability, fairness and non-discrimination, transparency and explainability, data quality and privacy, continuous monitoring, human oversight, integration with existing risk frameworks, third-party and outsourcing risk, and ethical collaboration. It is anchored to CBUAE's Model Management Standards (MMS) and supplements — it does not replace — applicable UAE law and CBUAE directives.

Who is in scope for the framework, and are DIFC and ADGM covered?

In scope are CBUAE-supervised licensed financial institutions operating within the onshore (federal) UAE perimeter, for AI and ML uses that can affect consumers. The DIFC (regulated by the DFSA) and ADGM (regulated by the FSRA) financial free zones are out of scope for this framework version — they are separate supervisory and data-protection regimes. Modulos scopes the framework to the CBUAE onshore perimeter through ORF-423 and does not model DIFC or ADGM behind the same templates.

Is the CBUAE guidance mandatory?

The instrument is a CBUAE guidance note, not a standalone law; in the Modulos catalogue the templates carry the Guidance label, reflecting the instrument type. It is issued by the prudential regulator to its supervised population and states supervisory expectations. It supplements, and does not replace, applicable UAE laws and CBUAE directives, and LFIs remain fully responsible for their legal and regulatory compliance. Treat it as regulator guidance for supervised entities rather than voluntary best practice.

How does Modulos model the framework — as one template or two?

As two paired templates. OFF-21 (org) holds the institution-wide governance obligations as 16 requirements, ORF-423 through ORF-438; MFF-21 (app) holds the per-use-case execution obligations as 10 requirements, MRF-397 through MRF-406 — 26 in total. The recommended structure is one OFF-21 organisation project plus one MFF-21 application project per in-scope AI use case. The framework adds 22 UAE-exclusive controls (MCF-637MCF-642 app, OCF-340OCF-355 org) and reuses shared controls already in the platform's EU AI Act, GDPR, and ISO estates.

What is a high-impact decision under the guidance note?

The note defines a high-impact decision as a determination that materially affects a customer's access to financial products or services — for example a loan application or an insurance claim. High-impact decisions raise the bar on transparency and disclosure, the ability to explain how the decision was reached, consideration of opt-out rights, and the availability of human review. Modulos records the consumer-impact profile of each use case through the risk-rating control MCF-639 and the consumer-communication control MCF-638.

How is applicability handled without a dedicated questionnaire?

Most obligations apply to every in-scope LFI once the perimeter is established through ORF-423. A few duties are conditional — third-party AI governance and assurance (ORF-432, MRF-405) and consumer human review, complaints, and communication support (ORF-435, MRF-406) — and each carries an explicit Applicability section in its requirement text. There is no separate scoping questionnaire and no framework-specific scope tag; the team reads the Applicability section, decides whether the condition is met, and records the decision on the requirement. Proactive fraud and financial-crime detection (ORF-437) is an assess-and-use-where-feasible duty that applies broadly; ethical collaboration (ORF-438) is encouraged.

How does UAE Consumer AI relate to UAE AI Ethics and to MAS FEAT?

UAE AI Ethics is the UAE's general, federal, principle-based responsible-AI guidance; UAE Consumer AI is the narrower, sectoral supervisory layer for CBUAE-supervised financial institutions with a consumer-protection focus. An LFI can adopt both. It is comparable in intent to MAS FEAT, the Monetary Authority of Singapore's fairness, ethics, accountability, and transparency principles for financial-sector AI, but the CBUAE note is more prescriptive and ties explicitly to CBUAE's Model Management Standards and Consumer Protection Regulation. Cross-framework reuse in Modulos happens at the control layer, not as any assertion of clause-level equivalence.

Source attribution

This page summarises the CBUAE Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E., published 23 February 2026 by the Central Bank of the United Arab Emirates (official text: rulebook.centralbank.ae). The note anchors to CBUAE's Model Management Standards (MMS), the Consumer Protection Regulation and its Standards, the Outsourcing Regulation for Banks, the UAE Personal Data Protection Law (PDPL), and the Information Assurance Regulation. Requirement and control codes (OFF-21, MFF-21, ORF-, MRF-, OCF-, MCF-) are Modulos template identifiers, not CBUAE references.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The CBUAE guidance note is a supervisory instrument that supplements — it does not replace — applicable UAE law and CBUAE directives; the Guidance label on the Modulos templates reflects the instrument type and is not a statement that compliance is optional. Always verify against the current published edition and consult qualified advisers.