Insurance Sector in UAE

Why GRC Matters in the UAE Insurance Sector

The insurance industry in the UAE is one of the fastest-evolving financial sectors in the Middle East. With a gross written premium (GWP) exceeding AED 65 billion in 2024 (CBUAE Insurance Sector Report, 2024) and a market projected to grow at a CAGR of over 7% through 2028, the stakes for governance, risk, and compliance have never been higher.

Yet despite this growth, many insurers, brokers, and corporate policyholders still treat compliance as a checkbox exercise rather than a strategic imperative. In a landscape governed by the Central Bank of the UAE (CBUAE), shaped by Federal Decree-Law No. 6 of 2025 on the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business (which repealed Federal Decree-Law No. 48 of 2023 with effect from 16 September 2025, with a transition period to 16 September 2026), and increasingly aligned with global standards such as IFRS 17, the cost of GRC negligence, whether in fines, license revocations, or reputational damage, can be catastrophic.

This article examines the UAE insurance sector through a pure GRC (Governance, Risk, and Compliance) lens: what regulators expect, where risk exposure lies, and how businesses operating in this space can build resilient, compliant frameworks. Whether you are an insurer, a licensed broker, a Takaful operator, or a large corporate seeking structured insurance programs, this guide is written for you.

The UAE Insurance Sector Regulatory Landscape: Who Governs What?

1. Central Bank of the UAE (CBUAE) as the Primary Regulator

A landmark shift occurred in 2020 when the Insurance Authority (IA) was officially merged into the Central Bank of the UAE via Federal Decree-Law No. 25 of 2020. This consolidation placed insurance supervision under the same umbrella as banking and financial services regulation, signalling a clear move toward integrated financial sector oversight.

CBUAE’s Insurance Supervision Department, which absorbed the functions of the former Insurance Authority (IA) under Federal Decree-Law No. 25 of 2020, is responsible for:

  • Licensing insurers, reinsurers, brokers, agents, and loss adjusters
  • Setting capital adequacy and solvency requirements
  • Monitoring market conduct and consumer protection
  • Issuing circulars, directions, and prudential standards

From a governance standpoint, this integration means that insurance firms in the UAE must now align their internal governance structures with broader financial sector expectations — including board composition rules, internal audit mandates, and risk committee requirements that mirror CBUAE’s banking sector standards.

2. Federal Decree-Law No. 6 of 2025 – The New Consolidated Insurance and Financial Regulation Law

Federal Decree-Law No. 6 of 2025 (the New CBUAE Law, in force 16 September 2025) is the current cornerstone legislation governing insurance activities in the UAE. It repealed both the 2018 Central Bank Law and Federal Decree-Law No. 48 of 2023, consolidating insurance under a unified financial regulatory framework. A one-year transition period runs to 16 September 2026, during which existing CBUAE regulations and standards issued under prior law remain in force until replaced. Key GRC-relevant provisions include:

  • Mandatory licensing for all insurance activities, with clear penalties for unlicensed operations (Article 6)
  • Corporate governance obligations for insurers, including requirements for independent directors, audit committees, and internal control functions
  • Solvency and capital adequacy requirements that insurers must maintain on an ongoing basis
  • Policyholder protection mechanisms, including mandatory reserve funds
  • Conflict of interest disclosures for brokers and intermediaries
  • Penalties framework: significantly expanded enforcement powers, including higher administrative fines, potential publication of enforcement decisions, early intervention and resolution powers, and criminalisation of unlicensed financial activities

Governance Framework: Building the First Line of Defense

Board-Level Accountability in UAE Insurance

Effective corporate governance begins at the board. Under CBUAE’s insurance governance standards, insurers are required to establish:

  • A Board of Directors with a minimum ratio of independent non-executive directors
  • A dedicated Risk Committee tasked with overseeing the enterprise risk management (ERM) framework
  • An Audit Committee independent of management, with direct access to external auditors
  • A Remuneration Committee to prevent incentive structures that encourage excessive risk-taking

These governance obligations are formalised in the CBUAE’s Corporate Governance Regulation for Insurance Companies and its accompanying Standards, the binding prudential framework published on the CBUAE Rulebook, covering board composition ratios, committee mandates, code of conduct requirements, conflict of interest disclosure, and remuneration governance. This Regulation operates alongside separate CBUAE instruments on risk management, internal controls, and outsourcing.

For Takaful operators (those offering Sharia-compliant insurance products), an additional layer of governance is mandatory: the Sharia Supervisory Board (SSB). The SSB ensures all products, investments, and operational processes are compliant with Islamic principles, creating a dual governance responsibility that demands specialized GRC competency.

Risk Management in UAE Insurance Sector: The Regulatory Imperative

  • Enterprise Risk Management (ERM) Requirements

The CBUAE expects all licensed insurance entities to maintain a robust Enterprise Risk Management (ERM) framework, as formally mandated under the CBUAE’s Risk Management and Internal Controls Regulation for Insurance Companies. This Regulation requires four independent control functions (risk management, internal audit, compliance, and actuarial), each with direct board access and responsibility independent of business lines. This is not optional guidance; it is a binding prudential requirement.

Key risk categories that UAE insurers must formally manage include:

1. Underwriting Risk: The risk that premiums collected are insufficient to cover claims and expenses. Governance controls include actuarial sign-off, reinsurance treaties, and portfolio concentration limits.

2. Reserving Risk: The risk of inadequate technical provisions (claim reserves). With the mandatory adoption of IFRS 17 Insurance Contracts (effective from January 2023 for UAE entities following IFRS), reserve methodologies have become significantly more complex, requiring robust actuarial governance.

3. Market and Investment Risk: Insurers invest policyholder premiums. CBUAE mandates investment guidelines that restrict exposure to high-risk asset classes, protecting solvency margins. A GRC-aligned investment policy must be board-approved and regularly reviewed.

4. Operational Risk: Includes IT failures, fraud, mis-selling, process breakdowns, and outsourcing risks. Under the CBUAE Insurance Brokers Regulation 2024 (effective 15 February 2025), insurers and brokers must maintain board-approved policies to identify, assess, and treat cybercrime risk events. Outsourcing of any material business activity requires prior CBUAE no-objection, outsourcing outside the UAE is prohibited, and all client data must be stored within the UAE with a secure backup retained in a separate location for a minimum of 10 years. Cyber risk is now a codified standalone compliance obligation, not merely a best-practice recommendation.

5. Concentration Risk: Especially relevant for single-line insurers (e.g., medical-only or motor-only); regulators monitor whether a portfolio is dangerously concentrated in one geography, segment, or product line.

6. Reinsurance Counterparty Risk: UAE insurers must vet the credit quality and financial strength of reinsurance partners. CBUAE has issued guidance on minimum credit rating requirements for reinsurers. Specifically, CBUAE requires reinsurance counterparties to hold a minimum financial strength rating of BBB (Standard & Poor’s) or equivalent from an approved rating agency, with enhanced board-level due diligence required where this threshold cannot be met.

  • The Role of the Chief Risk Officer (CRO)

Under CBUAE governance standards, insurance companies meeting the materiality and size thresholds set under the Insurance Regulatory Framework are required to appoint a Chief Risk Officer (CRO), a designated second-line function independent from business lines. The CRO must have direct access to the board’s Risk Committee, present independent risk assessments, challenge management assumptions, and maintain a Board-approved Risk Appetite Statement (RAS), which under CBUAE’s Insurance Risk Management Standards must be reviewed at minimum annually, with material breaches reported to the CBUAE.

Compliance Obligations: The Expanding Regulatory Perimeter

  • AML/CFT Compliance for Insurance Entities

Insurance companies, Takaful operators, and brokers are regulated as Licensed Financial Institutions (LFIs) under the UAE’s AML/CFT framework, supervised directly by CBUAE. They are not classified as DNFBPs under Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025; the six designated DNFBP categories are commercial gaming operators, real estate brokers, dealers in precious metals and stones, lawyers and notaries, independent accountants and auditors, and company and trust service providers. The AML/CFT framework for the insurance sector is governed by:

    • Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations
    • Cabinet Resolution No. 134 of 2025 (AML/CFT Executive Regulations)
    • CBUAE’s AML/CFT Standards for the Insurance Sector (issued 2021, updated periodically, on the CBUAE Rulebook)

It is critical to note that AML/CFT obligations do not apply to all insurance products equally. Under the AML-CFT Decision, the framework applies specifically to life insurance and other investment-related insurance products. General (non-life) lines such as motor, property, and medical indemnity fall outside the scope of the AML/CFT legal framework. Each licensed insurer, reinsurer, agent, and broker must assess its own product portfolio to determine which lines are in scope.

Key AML compliance obligations for insurers and brokers include:

  1. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) for high-risk policyholders
  2. Sanctions screening against UAE, UN, OFAC, and EU sanctions lists on an ongoing basis, not only at onboarding
  3. Suspicious Transaction Reporting (STR) to the UAE’s Financial Intelligence Unit (FIU) via the goAML platform
  4. Ultimate Beneficial Ownership (UBO) verification for corporate policyholders
  5. Record retention for a minimum of 5 years post-relationship termination
  6. AML/CFT training for all relevant staff; annual mandatory training is an industry standard

The FATF Mutual Evaluation of the UAE (2020) led to the UAE’s placement on the FATF grey list in 2022. Following extensive national AML/CFT reforms, the UAE was successfully removed from the grey list in February 2024, reflecting substantial improvements in supervisory effectiveness across the financial sector including insurance. Ongoing compliance remains essential under FATF follow-up obligations. Non-compliance can result in administrative fines ranging from AED 50,000 to AED 5,000,000 per violation under Article 14 of Federal Decree-Law No. 20 of 2018, alongside additional CBUAE supervisory sanctions applicable to licensed insurance entities, and criminal liability for senior management.

  • Data Protection Compliance

With the enactment of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), insurers handling personal health data, financial records, and policyholder information must implement:

    • Privacy notices and consent mechanisms at policyholder onboarding
    • Data processing agreements with third-party service providers and TPAs (Third-Party Administrators)
    • Data breach notification protocols: material breaches must be reported to the UAE Data Office
    • Data minimization and purpose limitation principles embedded in product design

The Cabinet Decision No. 33 of 2024 (PDPL Executive Regulations), now in force, significantly expands compliance obligations for insurance entities. Key additions include: mandatory appointment of a Data Protection Officer (DPO) for insurers processing sensitive personal data at scale; a 72-hour breach notification window to the UAE Data Office for breaches likely to cause harm to data subjects; and explicit cross-border data transfer restrictions requiring either UAE Data Office approval or an adequacy determination for the recipient country. Health insurers and life insurers, given the volume of sensitive medical data they process, must treat PDPL Executive Regulations compliance as a priority GRC obligation for 2025–2026.

For health insurers and life insurance companies, data protection stakes are particularly high due to the sensitivity of medical records under both the UAE Personal Data Protection Law and the regulatory frameworks of the Dubai Health Authority (DHA) and the Department of Health Abu Dhabi (DoH), formerly known as HAAD.

  • Market Conduct and Consumer Protection

CBUAE’s Consumer Protection Regulation and the insurance sector’s Conduct of Business Standards impose obligations around:

    • Fair and transparent product disclosure: policy wordings must be clear, not misleading
    • Claims handling timelines: insurers are regulated on response and settlement timeframes
    • Complaints management: a formal internal complaints mechanism is mandatory, with escalation paths to CBUAE
    • Treating Customers Fairly (TCF) principles embedded in sales, servicing, and claims

  • Technology, Outsourcing and Information Security Compliance

The CBUAE’s Insurance Brokers Regulation 2024 (effective 15 February 2025) formally codifies technology governance as a regulatory obligation for the insurance sector. Insurers and brokers must: implement adequate cybersecurity policies and procedures to prevent, identify, and treat data security breaches; ensure all policyholder and client data is stored within the UAE with a secure backup in a separate location retained for a minimum of 10 years; and obtain CBUAE no-objection prior to outsourcing any material business activity. Outsourcing outside the UAE is no longer permitted. These requirements align with CBUAE’s broader IT Risk and Information Security standards applicable across the financial sector and should be embedded within each entity’s board-approved risk governance framework.

Takaful Insurance: Unique GRC Dimensions

The UAE hosts a significant Takaful (Islamic insurance) market. From a GRC perspective, Takaful operators carry unique compliance dimensions beyond conventional insurance regulation:

  • Sharia compliance governance: dual accountability to CBUAE and the Sharia Supervisory Board
  • Segregation of funds: participant funds (Tabarru’) must be strictly separated from shareholders’ funds
  • Qard Hasan obligations: if participant funds are in deficit, the operator must provide an interest-free loan, creating specific capital management governance needs
  • Wakala and Mudaraba fee governance: management fee structures must be Sharia-compliant and transparently disclosed

The UAE’s Higher Sharia Authority (HSA) at CBUAE plays an overarching supervisory role for all Sharia-related financial matters, including Takaful. Boards of Takaful operators must ensure their SSB resolutions are documented, followed, and reported appropriately.

IFRS 17: The Compliance Transformation for UAE Insurers

IFRS 17 – Insurance Contracts, effective January 1, 2023, represents the most significant accounting change for the insurance sector in decades. For UAE insurers reporting under IFRS (which includes all publicly listed insurers and most large private entities), the compliance implications are profound:

  • New measurement models (BBA, PAA, VFA) require actuarial-finance collaboration at a level many UAE insurers had not previously established
  • Contractual Service Margin (CSM) tracking demands robust data governance and actuarial systems
  • Disclosure requirements are significantly expanded — board and audit committees must understand the new reporting framework
  • System implementations (upgrading from IFRS 4) represent significant operational risk during transition

From a GRC standpoint, IFRS 17 compliance is not solely a finance function task; it requires board-level understanding, risk committee oversight of methodology assumptions, and internal audit validation of key judgements.

Key GRC Risks and Red Flags in the UAE Insurance Market

Based on regulatory trends and CBUAE enforcement patterns, the following are the highest-priority GRC risk areas for UAE insurance entities in 2025–2026:

GRC Risk Table

Risk Area | GRC Concern | Regulatory Reference
Unlicensed intermediary activities | Brokers operating without CBUAE license | Federal Decree-Law 48/2023, Article 6
Inadequate AML controls at onboarding | Failure to verify UBO and conduct EDD | Federal Decree-Law 20/2018
Weak claims governance | Unjustified claim delays and mis-handling | CBUAE Consumer Protection Standards
IFRS 17 non-compliance | Incorrect measurement methodology | IFRS 17 (IASB)
Cybersecurity gaps in InsurTech | Data breaches, system outages | UAE PDPL, CBUAE IT Risk Standards
Related-party transactions | Undisclosed conflicts in reinsurance placement | CBUAE Corporate Governance Standards

Practical GRC Recommendations for UAE Insurance Entities

  1. Conduct a GRC Gap Assessment: Map your current governance, risk, and compliance posture against CBUAE’s Insurance Regulatory Standards to identify critical gaps before regulators do.
  2. Establish a Three Lines of Defense model: Ensure clear delineation between business functions (1st line), Risk & Compliance (2nd line), and Internal Audit (3rd line), a model explicitly endorsed by CBUAE.
  3. Implement a Regulatory Change Management process: The UAE insurance regulatory environment is actively evolving. A formal process to monitor, assess, and implement regulatory changes is non-negotiable.
  4. Build AML/CFT into product design: For life insurance and savings products particularly, embed CDD and sanctions checks at the product architecture stage, not as an afterthought.
  5. Invest in Board-Level GRC Training: Directors must understand their fiduciary responsibilities under UAE law, not just the business. CBUAE expects board members to be demonstrably competent in risk and governance matters.
  6. Prepare for Regulatory Inspections: CBUAE conducts both scheduled and unannounced examinations. Maintaining an “always inspection-ready” posture through continuous compliance monitoring is the modern standard.

Conclusion: Turning Compliance Into Competitive Advantage

In the UAE insurance market, GRC is not a burden; it is a business differentiator. Insurers and brokers that embed robust governance, disciplined risk management, and proactive compliance frameworks earn the trust of regulators, corporate clients, and policyholders alike. In a competitive market, that trust translates directly to commercial advantage.

The regulatory environment will only grow more demanding: CBUAE continues to raise the bar with enhanced prudential standards, stricter AML expectations, and growing data protection obligations. The question is not whether UAE insurance entities need a strong GRC foundation; it is whether they build it proactively or reactively.

GRC Advisors works with insurance companies, Takaful operators, brokers, and corporate policyholders across the UAE to design, implement, and mature their GRC frameworks aligned with CBUAE regulations, international best practices, and your organization’s specific risk profile. From governance design and AML program development to IFRS 17 compliance readiness and regulatory inspection preparation, we are your specialist GRC partner in the UAE insurance sector.

FAQs: GRC for Insurance Sector in UAE

Which regulatory authority oversees insurance companies in the UAE?

The Central Bank of the UAE (CBUAE), through its Insurance Supervision Department, is the primary regulator for all insurance and reinsurance activities in the UAE. This follows the merger of the former Insurance Authority into CBUAE via Federal Decree-Law No. 25 of 2020. All insurers, reinsurers, brokers, agents, and loss adjusters must hold a valid CBUAE license.

Federal Decree-Law No. 6 of 2025 on the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business is the current primary legislation governing the insurance sector in the UAE. It came into force on 16 September 2025, repealing Federal Decree-Law No. 48 of 2023 (which had itself replaced Federal Law No. 6 of 2007). A one-year transition period extends to 16 September 2026. Existing CBUAE regulations, standards, and circulars issued under prior law remain operative until replaced.

Yes, in part. UAE insurance companies, Takaful operators, and brokers are regulated as Licensed Financial Institutions (LFIs) directly supervised by CBUAE under Federal Decree-Law No. 10 of 2025 on AML/CFT/CPF; they are not classified as DNFBPs. However, AML/CFT obligations apply specifically to life insurance and other investment-related insurance products only; general (non-life) lines such as motor, property, and medical indemnity fall outside the AML/CFT scope. In-scope entities must conduct Customer Due Diligence, perform ongoing sanctions screening, report suspicious transactions via the goAML platform, and maintain a full AML/CFT compliance programme.

IFRS 17, effective from January 2023, fundamentally changes how insurance contracts are measured and reported. UAE insurers reporting under IFRS must adopt new measurement models (BBA, PAA, or VFA), track the Contractual Service Margin (CSM), and significantly expand their financial disclosures. Non-compliance or inadequate implementation creates both audit and regulatory risk, and requires strong governance between finance, actuarial, and risk functions.

Both are regulated by CBUAE, but Takaful operators carry additional GRC obligations: they must maintain a Sharia Supervisory Board (SSB), ensure strict segregation of participant and shareholder funds, comply with rulings from CBUAE’s Higher Sharia Authority (HSA), and operate under Sharia-compliant management fee structures. This creates a dual compliance framework (regulatory compliance and Sharia compliance) requiring specialized governance expertise.

No. Federal Decree-Law No. 6 of 2025 prohibits any entity from conducting insurance activities in the UAE without a valid CBUAE license. Operating without a licence now carries expanded enforcement consequences under the 2025 Law including potential criminalisation of unlicensed activities. Foreign insurers wishing to operate in the UAE must either establish a locally incorporated company or apply for a branch license, subject to CBUAE approval and ongoing supervisory requirements. Operating without a license carries significant penalties including fines and criminal liability.