Insurance Compliance Failures in the UAE: Enforcement Trends and Regulatory Shifts After Federal Decree-Law No. 6 of 2025

The Central Bank of the UAE issued penalties totaling AED 2.6 million to two insurance companies in March 2025 for CRS and FATCA reporting violations. Seven additional insurers were fined in the first half of 2025 for AML control deficiencies. These enforcement actions follow the introduction of Federal Decree-Law No. 6 of 2025, which consolidated banking and insurance regulation under the Central Bank and increased maximum administrative penalties from AED 200 million to AED 1 billion.

The law took effect September 16, 2025, with a one-year transition period ending September 16, 2026. Insurance companies operating in mainland UAE and non-financial free zones must ensure their compliance frameworks align with the new requirements before that deadline.

Federal Decree-Law No. 6 of 2025: Key Changes for Insurance

The new law replaces Federal Decree-Law No. 14 of 2018 (financial institutions) and Federal Decree-Law No. 48 of 2023 (insurance activities), bringing both sectors under unified CBUAE oversight.

Article 61 explicitly includes insurance, reinsurance, and insurance-related professional services within the CBUAE's regulatory perimeter. This covers traditional insurance, takaful operations, brokerage, consultancy, and claims management.

Article 62 introduces technology-neutral licensing requirements. Any person who "carries on, offers, issues, or facilitates" a licensed financial activity—regardless of platform, technology, or delivery method—requires CBUAE authorization. This affects digital insurance platforms, comparison websites, and technology providers that enable insurance transactions.

Article 149 mandates fraud prevention systems, customer notification requirements for security breaches, and cooperation with CBUAE investigations.

Enhanced penalties:

• Criminal offenses: Imprisonment and/or fines between AED 50,000 and AED 500 million for unlicensed activity
• Administrative fines: Maximum increased to AED 1 billion for institutions, AED 5 million for authorized individuals
• Promotional violations: Minimum AED 1 million fine

Recent CBUAE Enforcement Actions

March 2025: CRS and FATCA Violations

The CBUAE imposed financial sanctions totaling AED 2.6 million on two insurance companies and five banks for non-compliance with Common Reporting Standard and Foreign Account Tax Compliance Act obligations. The violations involved deficiencies in customer due diligence processes and inaccuracies in tax reporting.

Life insurance products with investment components—including whole life, universal life, and variable life policies—constitute financial accounts under CRS and FATCA. Insurance companies issuing these products must collect appropriate tax documentation (W-8/W-9 forms or self-certifications) from policyholders.

First Half 2025: AML Control Deficiencies

Seven insurers paid penalties for AML compliance failures. Regulators cited weak risk management systems and failure to identify unusual transaction patterns. Common deficiencies included inadequate customer screening processes and insufficient ongoing monitoring.

Common Compliance Gaps

Customer Screening and Monitoring

Insurance companies typically screen customers against sanctions lists at policy inception. Ongoing monitoring—particularly rescreening when sanctions lists are updated—is less consistently implemented.

Sanctions designations occur continuously. A policyholder compliant at onboarding may be sanctioned months or years later. Without automated rescreening processes, companies remain exposed. Claims paid to sanctioned individuals or entities after designation create regulatory violations even if the policy was issued before sanctions were imposed.

The operational challenge scales with portfolio size. Manual rescreening processes that function for several hundred policies become unworkable for portfolios of several thousand.

Tax Reporting for Investment-Linked Insurance Products

Insurance companies issuing life policies with cash value or investment features must comply with CRS and FATCA reporting requirements. These products meet the definition of "financial accounts" under both regimes.

Compliance requires:

• Identification of reportable persons at policy inception
• Collection of appropriate tax documentation
• Annual reporting to the Federal Tax Authority
• Maintenance of documentation supporting due diligence processes

Companies that launched investment-linked products without implementing tax reporting procedures face both regulatory penalties and the operational challenge of retroactively collecting documentation from existing policyholders.

Capital Adequacy Monitoring

Regulatory capital requirements apply continuously, not solely at fiscal year-end. Companies that calculate capital adequacy annually may experience periods of non-compliance between calculations due to:

• Investment losses reducing capital
• Business growth increasing risk exposure and capital requirements
• Claims experience affecting reserves

Quarterly capital calculations enable earlier identification of trends toward non-compliance and provide more time to implement corrective measures—either raising additional capital or adjusting risk exposure.

For DIFC-regulated insurance firms, quarterly prudential returns already require capital position reporting. The DFSA monitors capital adequacy on an ongoing basis through these filings.

Licensing for Expanded Activities

Insurance companies that expand into adjacent services may not recognize that new activities require separate licensing. Claims management, insurance consultancy, and certain technology-enabled services constitute distinct regulated activities under CBUAE rules.

The regulatory definition of insurance-related activities is broader than commercial descriptions of business lines. Companies should assess licensing requirements before launching new services rather than during or after implementation.

Under Federal Decree-Law No. 6 of 2025, unlicensed activity carries minimum penalties of AED 1 million, with potential criminal liability including imprisonment and fines up to AED 500 million.

Professional Indemnity Insurance Continuity

Insurance intermediaries authorized by the DFSA must maintain professional indemnity insurance meeting specified standards. Coverage must be continuous—gaps due to policy renewals or carrier changes create regulatory breaches.

Coverage lapses typically occur during renewal negotiations or when switching carriers. Companies should initiate renewal or carrier transition processes 90-120 days before policy expiry to ensure continuous coverage.

The DFSA requires annual confirmation of PI insurance. Companies unable to confirm continuous coverage during the reporting period face regulatory action.

Regulatory Reporting Timelines

Late submission of regulatory reports—even by brief periods—indicates control deficiencies to regulators. Late filings often trigger enhanced supervisory attention, including more frequent inspections and detailed information requests.

For DFSA-regulated firms, prudential returns are due:

• Quarterly: One month after quarter end
• Annually: Four months after fiscal year end

Establishing internal deadlines in advance of regulatory deadlines provides buffer time to address compilation issues before submissions are due.

Non-Financial Free Zones: Licensing Requirements

Federal Decree-Law No. 6 of 2025 explicitly confirms that insurance activities in non-financial free zones (including DMCC, JAFZA, RAKEZ, and others) require CBUAE authorization. Financial free zones (DIFC and ADGM) operate under separate regulatory regimes administered by the DFSA and FSRA respectively.

On July 1, 2024, DMCC issued a circular requiring entities conducting insurance-related activities to obtain CBUAE No Objection Certificates by December 31, 2025. According to Al Tamimi & Company, entities operating without proper authorization after that deadline are conducting unlicensed activities subject to the enhanced penalty regime under the new law.

Insurance companies and intermediaries in non-financial free zones have three options:

1. Obtain CBUAE authorization (subject to 51% UAE national ownership requirement for insurance activities classified as strategic sectors)
2. Migrate to DIFC or ADGM (permits 100% foreign ownership)
3. Wind down insurance-related operations

License application and migration processes typically require 4-6 months. Entities should not defer these decisions given the September 16, 2026 compliance deadline.

DIFC Insurance Regulation: Compliance Framework

Regulatory Capital Requirements

DIFC insurance firms are subject to either the Prudential—Investment, Insurance Intermediation and Banking Module (PIB) or the Prudential—Insurance Business Module (PIN), depending on the nature of their activities.

Insurance intermediaries and managers (Category 4 firms) operate under the PIB Module and must maintain expenditure-based capital minimums. Insurers, reinsurers, and captives operate under the PIN Module and must maintain risk-based regulatory capital.

Authorized Individuals

The DFSA requires individual authorization for certain key functions:

• Senior Executive Officer
• Finance Officer
• Compliance Officer
• Money Laundering Reporting Officer (MLRO)
• Risk Officer

Authorized Individuals must meet and continuously maintain "Fit and Proper" criteria. Authorization applications typically require 4-6 weeks for processing. Individuals performing licensed functions before authorization is granted create regulatory violations from the commencement of their duties.

Reporting Requirements

DFSA-regulated insurance firms must submit:

• Prudential returns (quarterly and annual)
• Audited financial statements (annual)
• Professional indemnity insurance confirmations (annual)
• Notifications of material changes (as they occur)

Operational Risk Management

Insurance firms must establish operational risk management frameworks aligned with Basel Committee principles. Frameworks must be:

• Board-approved
• Proportionate to the firm's activities
• Subject to regular review and updating
• Documented with clear governance structures

September 2026 Compliance Deadline

Article 184 of Federal Decree-Law No. 6 of 2025 provides a one-year transition period from the law's effective date (September 16, 2025) for affected entities to regularize their position. After September 16, 2026, the full penalty regime applies.

For licensed insurance companies, key compliance considerations include:

Article 62 technology-neutral licensing: Review all platforms, applications, and systems to determine whether they facilitate licensed activities requiring authorization.

Article 149 consumer protection requirements: Implement fraud detection systems, customer notification processes for security breaches, and enhanced disclosure frameworks.

Capital and licensing scope: Confirm all activities being conducted are covered by existing licenses and that capital adequacy is monitored continuously rather than annually.

Non-financial free zone operations: Entities in DMCC, JAFZA, or similar zones must obtain CBUAE authorization or migrate to regulated jurisdictions.

External compliance reviews can identify gaps and provide implementation timelines for remediation before the deadline.

Legal Support for Insurance Companies

Kayrouz & Associates advises insurance companies on regulatory compliance, licensing, and corporate structuring. Our services include:

Compliance audits: Review of current operations against CBUAE and DFSA requirements, identification of regulatory gaps, and prioritized remediation plans.

Licensing applications: Preparation and submission of CBUAE and DFSA license applications, including supporting documentation and management of regulatory review processes.

Entity migration: Support for insurance companies migrating from non-financial free zones to DIFC or mainland UAE, including entity setup, license applications, and business transfer.

Ongoing compliance management: Compliance calendar management, regulatory reporting, policy and procedure development, and liaison with regulators.

Response to regulatory inquiries: Support for companies responding to CBUAE or DFSA information requests, inspections, or enforcement actions.

For DIFC entities where we handled initial setup, we provide integrated compliance support including tracking of reporting deadlines, authorized individual renewals, and regulatory changes affecting operations.

Insurance compliance intersects with AML requirements, corporate tax obligations, and UAE corporate law. We handle these areas together to ensure consistent compliance frameworks.

Contact us to discuss compliance requirements, licensing applications, or migration options for insurance operations.

‍