Skip to content

Fairness, Transparency, and Oversight

These are the three principle families at the centre of the CBUAE guidance note, and the ones that draw the most scrutiny in consumer-facing financial AI. Each is split across an organisation-level governance requirement in OFF-21 and a use-case-level execution requirement in MFF-21: the org layer sets the expectations and thresholds, and the app layer shows how they are met for a specific AI system. This page covers fairness and non-discrimination (ORF-427 / MRF-399), transparency and explainability (ORF-428 / MRF-400), and human oversight and escalation (ORF-429 / MRF-401).

Primary source

CBUAE, Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E., 23 February 2026. This page draws on Section 3 (Fairness/Non-Discrimination and Ethics), Section 4 (Transparency and Explainability), and Section 7 (Human Oversight and Consumer Protection). The consumer-facing disclosure and complaints elements of Section 7 are covered under Consumer redress and third-party AI.

The principle families across OFF-21 and MFF-21

Governance (OFF-21)Execution (MFF-21)FamilyUAE-exclusive control (org)
ORF-427MRF-399Fairness and non-discriminationOCF-344
ORF-428MRF-400Transparency and explainabilityOCF-345
ORF-429MRF-401Human oversight and escalationOCF-346

The app-side fairness, explainability, and oversight requirements run largely on shared controls already in the platform — bias and fairness testing (for example MCF-42/MCF-43/MCF-44), explainability (MCF-40/MCF-420), and human-in-the-loop oversight (MCF-178/MCF-179/MCF-419) — rather than on UAE-exclusive app controls. The binding CBUAE language lives in the requirement text; the shared controls carry no UAE-specific wording.

Fairness and non-discrimination

Section 3 sets a two-sided test: AI and ML should not produce discriminatory or manipulative outcomes, either before or after deployment. Fairness is not a launch gate that is passed once — it is a property the institution has to keep demonstrating in operation.

ORF-427 governs the institution-wide stance: the fairness and non-discrimination policy, the definition of fair and equitable treatment, escalation thresholds, and the review mechanism. It also carries the note's data expectation — that training data is accurate, relevant, and representative of the applicable customer population — as a fairness precondition, not only a data-quality one.

MRF-399 is where that policy becomes evidence for a specific use case:

  • fairness metrics chosen for the use case and its affected population;
  • bias assessment and periodic bias testing — at least annually, or on any material change or new model;
  • bias-mitigation actions where testing surfaces a problem;
  • testing of automatic model updates for bias before they are implemented.

This split closes a common failure mode where fairness is asserted in policy language but never evidenced in operation. The note also ties fairness to the institution's ethics and its duty to act in consumers' best interests — the reason fairness sits inside a consumer-protection instrument rather than a purely technical one.

Transparency and explainability

The framework separates three things that are easy to conflate:

  • governance of transparency and explainabilityORF-428;
  • internal explanation artefactsMRF-400;
  • consumer-facing communicationMRF-406, covered under Consumer redress and third-party AI.

ORF-428 carries Section 4's disclosure standard. LFIs should be transparent about AI use — especially for high-impact decisions and when a customer interacts with an AI application — and able to explain how the system decides. The note is specific about the form disclosure takes:

  • plain-language and accurate, with understandability checked rather than assumed;
  • bilingual — Arabic and English;
  • backed by telephone support in major UAE languages;
  • with opt-out rights considered, particularly for high-impact decisions.

MRF-400 holds the internal side: the explanation artefacts on how the AI operates and reaches its outputs, disclosable to reviewers and — for material decisions — to customers. This is deliberately distinct from the consumer-facing notice. An internal model-explanation record satisfies a reviewer or supervisor; a consumer disclosure has to satisfy the plain-language, bilingual standard above. The two are evidenced separately, which is why explainability (MRF-400) and consumer communication support (MRF-406) are different requirements.

Human oversight and escalation

Section 7 expects meaningful human oversight scaled to consumer risk. The note names three oversight models, and the institution chooses the one appropriate to each use:

Oversight modelWhat it meansWhen it fits
Human-in-the-loopA human reviews or approves before the AI action takes effectCommensurate with consumer risk
Human-on-the-loopA human monitors the AI and can interveneCommensurate with consumer risk
Human-out-of-the-loopNo routine human involvementOnly low-risk, non-material processes

ORF-429 governs the oversight model itself: which model applies to which use, when intervention is required, when escalation is mandatory, and how override and manual-fallback expectations are set. Two note-specific duties sit here — the institution retains an always-available, human-triggered ability to cease use of any AI system, and it considers opt-out rights for high-impact decisions (so a consumer is not forced to accept a purely automated determination).

MRF-401 is the execution side for a use case:

  • the human review points in the live workflow;
  • the override capability and how it is triggered;
  • the intervention steps available to the overseer;
  • the escalation behaviour when the AI produces an outlier or contested result.

The consumer's ability to request human review or an explanation of an AI decision, and to an alternative arrangement if they do not want an AI decision, is introduced in Section 7 and carried operationally under consumer redress (ORF-435 / MRF-406).

How these concepts drive requirement scoping in Modulos

All three families apply to every in-scope consumer-affecting use — none is conditional — but the depth of each obligation scales with the use case's risk rating and consumer impact, set on the org side under ORF-425/ORF-426 and recorded per use case under MRF-397. A high-impact decision draws the fuller transparency and disclosure treatment (bilingual notices, opt-out, human review); a low-risk, non-material process may justify human-out-of-the-loop oversight. Scoping is not tag-driven and there is no separate questionnaire; the risk rating and consumer-impact profile are the inputs that calibrate how much each principle family demands.

Cross-framework mapping (preview)

Preview

The fairness, transparency, and oversight duties sit adjacent to frameworks UAE LFIs commonly run, at a high level only:

  • MAS FEAT — the fairness, ethics, accountability, and transparency principles are the closest sectoral analogue; the CBUAE note is more prescriptive.
  • EU AI Act — bias testing, disclosure of AI use, and human oversight overlap at the control level, not the article level.
  • ISO/IEC 42001:2023 — fairness and transparency correspond to the AIMS operational-control and impact-assessment clauses.

These are framework-level adjacencies; cross-framework reuse is realised at the control layer, not as clause-by-clause equivalence.

Source attribution

The authoritative source is the CBUAE Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E., published 23 February 2026 by the Central Bank of the United Arab Emirates. This page draws on Section 3 (Fairness/Non-Discrimination and Ethics), Section 4 (Transparency and Explainability), and Section 7 (Human Oversight and Consumer Protection). Requirement and control codes are Modulos template identifiers, not CBUAE references.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The CBUAE guidance note supplements — it does not replace — applicable UAE law and CBUAE directives; the institution remains fully responsible for its own compliance. Verify against the current published edition and consult qualified advisers.