Skip to content

Scope and Governance

This page establishes the foundation of the CBUAE Consumer AI framework in Modulos: who and what is in scope, and the governance structure the guidance note expects before any principle-level or execution-level work begins. It covers the onshore-LFI perimeter, board and senior-management accountability, the AI/ML inventory and risk-rating process, consumer-protection impact governance, the model-governance anchor, and the encouraged industry-engagement duty — the org requirements ORF-423, ORF-424, ORF-425, ORF-426, ORF-431, and ORF-438, plus the app-side execution anchor MRF-397.

The guidance note is a CBUAE supervisory instrument for its supervised population, not voluntary best practice. It supplements — it does not replace — applicable UAE law and CBUAE directives, and the institution remains fully responsible for its own legal and regulatory compliance.

Primary source

CBUAE, Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E., 23 February 2026. This page draws on Section 1 (Definitions), Section 2 (Governance and Accountability), Section 8 (Integration with Existing Frameworks), and Section 10 (Ethical Collaboration and Innovation), with the model-governance material anchored to CBUAE's Model Management Standards (MMS). Official text: rulebook.centralbank.ae.

The governance foundation at a glance

RequirementTopicSource anchorUAE-exclusive control
ORF-423UAE scope and AI-use applicability§1 definitions; onshore CBUAE perimeter; §8 (note supplements, does not replace, existing obligations)OCF-340
ORF-424AI governance and accountability§2 (governance following MMS principles; board/senior-management accountability; reporting; risk integration)OCF-341
ORF-425AI and ML inventory and risk rating§2(f) inventory metadata; §8(d) risk-rating process; §9(c) third-party inventory parityOCF-342
ORF-426Consumer-protection impact governance§7 (fair treatment, no unsuitable targeting/pressure-selling); §8 (AI consumer risk as conduct risk)OCF-343
ORF-431Model governance, validation, and independent challenge§8 (independent review of internally built AI); MMS validation and challengeOCF-348
ORF-438Ethical AI collaboration and industry engagement§10 (industry peers, UAE AI sandboxes/Innovation Hub, academia, CBUAE; publish case studies)OCF-355

Each org requirement maps one-to-one to its UAE-exclusive control and reuses shared governance controls (for example OCF-1 and OCF-52 for the governance structure) that carry no UAE-specific text.

What scope means in practice

ORF-423 resolves two questions before any other requirement matters.

Is the institution in scope? The perimeter is a CBUAE-supervised licensed financial institution operating within the onshore (federal) UAE. Institutions supervised solely by the DFSA in the DIFC or the FSRA in the ADGM are out of scope — the framework does not attempt to model those free-zone regimes behind the same templates. They are separate supervisory authorities with their own data-protection and conduct rules, not local variations of the CBUAE regime.

Is the AI use in scope? The note's focus is AI and ML that can affect consumers — a use that makes or informs a consumer decision, shapes consumer treatment, or drives the operational processes behind them. A model with no plausible consumer effect is still subject to the institution's general governance, but sits outside the note's consumer-protection focus. The vocabulary for this determination is fixed by the note's definitions (AI, GenAI, ML, high-impact decision, MMS), summarised on the overview page.

Both determinations are recorded on ORF-423 (OCF-340) with rationale. Because the note supplements rather than replaces existing obligations, an out-of-scope AI use may still fall under other UAE law or CBUAE directives.

Accountability and the governance framework

ORF-424 carries Section 2's core demand: a documented, proportionate AI/ML governance framework following MMS principles, with the board and senior management accountable for AI systems and outcomes. The note is direct on one point — an institution should not deploy models it does not control or understand. Accountability is retained by the institution; it does not transfer to a model vendor.

The requirement expects three things to be in place and evidenced:

  • Named accountability and reporting. Regular board and senior-management reporting on AI performance and risk, so accountability is exercised rather than nominal.
  • Cohesive risk integration. AI risk integrated into the existing governance structure — the Audit and Risk Committee, Risk Management, Internal Audit, and IT functions — rather than run as a parallel, disconnected process. Section 8 reinforces this by treating AI-driven consumer risk as part of the enterprise conduct-risk framework.
  • Proportionality. The depth of governance scales with the materiality and consumer impact of the institution's AI uses; a lighter footprint is appropriate where consumer effect is limited.

The AI/ML inventory and risk rating

ORF-425 is inventory and risk rating — not a use-case approval workflow. It requires a maintained AI/ML model inventory carrying, at minimum, each model's name, purpose, and risk rating, and an operating risk-rating process. Two features distinguish it from a generic asset register:

  • Third-party reach. The inventory must include third-party-hosted models, and those models are held to the same fairness, explainability, and robustness standard as in-house models. A model being external is not a reason to hold it to a lower bar.
  • A defined risk-rating process. Section 8 sets out the dimensions each AI system is scored against: data quality and sensitivity, AI capability, controls, impact, and third-party dependence. That score is what makes proportionality operable — it is the input to how much validation, monitoring, and oversight a given system attracts.

The risk rating produced here on the org side is the same rating the app-side use case records under MRF-397 (control MCF-639); the inventory holds the institution-wide view, the application project holds the per-use-case detail.

Why consumer-protection impact is governed separately

ORF-426 is deliberately separate from general governance because it forces a distinct decision for each consumer-affecting use:

  • how consumers may be affected, and whether they are treated fairly and equitably;
  • whether the use case should proceed at all;
  • what additional safeguards or escalation are needed;
  • whether the use should be limited, redesigned, or not deployed.

Section 7 draws the hard lines the impact assessment must respect: no unsuitable-product targeting, no pressure-selling, and no misleading marketing, with chatbots and promotional materials meeting disclosure rules. Section 8 treats AI-driven consumer risk as conduct risk, reportable to the board and the regulator. Keeping this as its own requirement (OCF-343) prevents the consumer-protection decision point from disappearing into a generic "responsible AI" checkbox.

The model-governance anchor

The entire guidance note is anchored to CBUAE's Model Management Standards (MMS), and ORF-431 keeps a dedicated model-governance requirement rather than collapsing validation into general AI governance. It covers:

  • MMS-aligned validation proportionate to model materiality and risk;
  • periodic review of deployed models;
  • independent challenge by external experts or third parties, with third-party independent review recommended for internally built AI;
  • renewed scrutiny on material change — a new model or a material change re-opens validation.

This lets an institution show which models are material enough to warrant stronger validation, how review and challenge are performed, and when independence is expected. ORF-431 is the org-side anchor; its app-side counterpart is MRF-397, covered below and in Data, models, monitoring, and remediation.

Industry engagement (encouraged)

ORF-438 carries Section 10, which is encouraged rather than mandatory. The note invites LFIs to collaborate with industry peers, the UAE AI sandboxes and Innovation Hub, academia, the CBUAE, and other stakeholders on trustworthy-AI best practices, and to publish responsible-AI case studies — anonymised where appropriate. Modelling it as its own requirement (OCF-355) keeps the encouraged duty visible without inflating the mandatory core. Evidence here is light: participation records, contributions to industry work, or published case studies where the institution chooses to engage.

The app-side execution anchor

The governance foundation flows most directly into a single app requirement:

RequirementTopicUAE-exclusive control
MRF-397AI use-case deployment validation, update testing, and risk ratingMCF-639

MRF-397 is where org-level approval and impact logic becomes per-use-case execution evidence: pre-deployment robustness, stress, and safety testing for the use case; testing of automatic model updates for bias before implementation; and the use-case risk rating scored on the five dimensions (MCF-639). It is covered in full alongside model governance in Data, models, monitoring, and remediation.

How applicability works here

At the governance layer, applicability is mostly settled once. ORF-423 fixes the perimeter; the governance, inventory, consumer-impact, and model-governance duties (ORF-424ORF-426, ORF-431) then apply to every in-scope institution, scaled by proportionality rather than switched on or off. The conditional duties — third-party AI and consumer redress — arrive later and carry their own Applicability sections, covered in Consumer redress and third-party AI. ORF-438 is the one governance-layer duty that is encouraged rather than required.

There is no dedicated UAE Consumer AI questionnaire and no framework-specific scope tag; scoping decisions are recorded as rationale on the requirements, which keeps the perimeter reviewable without implying an automated descoping engine that does not exist.

Cross-framework mapping (preview)

Preview

The scope-and-governance obligations sit adjacent to frameworks UAE LFIs commonly run, at a high level only:

  • UAE AI Ethics — the federal, principle-based responsible-AI posture; UAE Consumer AI is the CBUAE sectoral supervisory layer.
  • ISO/IEC 42001:2023 — board accountability, the model inventory, and risk rating correspond to the management-system leadership and operational-control clauses.
  • MAS FEAT — comparable financial-sector accountability intent; the CBUAE note is more prescriptive and anchors to the MMS.

These are framework-level adjacencies; cross-framework reuse is realised at the control layer, not as clause-by-clause equivalence.

Source attribution

The authoritative source is the CBUAE Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E., published 23 February 2026 by the Central Bank of the United Arab Emirates. This page draws on Section 1 (Definitions), Section 2 (Governance and Accountability), Section 8 (Integration with Existing Frameworks), and Section 10 (Ethical Collaboration and Innovation), and on CBUAE's Model Management Standards (MMS). Requirement and control codes are Modulos template identifiers, not CBUAE references.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The CBUAE guidance note supplements — it does not replace — applicable UAE law and CBUAE directives; the institution remains fully responsible for its own compliance. Verify against the current published edition and consult qualified advisers.