.png)
Part 1: The law
A single frameworfi replaces two
On 8 September 2025, the UAE enacted Federal Decree-Law No. 6 of 2025 Regarding the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business. The title matters. For the first time, one piece of legislation covers the Central Bank's mandate, the regulation of all financial institutions, and the insurance industry under a single consolidated framework.1
Article 185 of the new law explicitly repeals both Decretal Federal Law No. 14 of 2018 (the previous Central Bank law) and Federal Decree-Law No. 48 of 2023 (the dedicated insurance activities law that had only been in force for two years). Regulations, decisions, and circulars issued under those earlier laws remain valid until the CBUAE issues replacements (Article 183), but the governing legislative architecture is now unified.
This is not a cosmetic reshuffle. The consolidation gives the CBUAE a single enforcement toolkit that applies uniformly across banking, insurance, and all licensed financial activities. The practical consequence for insurers is that the regulator no longer operates parallel frameworks with different enforcement mechanisms. One set of rules. One set of sanctions. One supervisory approach.
Insurance-related professions are inside the perimeter
The new law classifies "Insurance-Related Professions" as Licensed Financial Activities under Article 61(j). This category includes insurance brokers, loss adjusters, actuaries, and — critically for motor claims — third-party administrators and claims management entities. Article 60 establishes the foundational rule: no entity may carry on any Licensed Financial Activity in the UAE without a license from the CBUAE.
The licensing requirements under Article 63 are substantive. They include minimum capital, solvency margins, professional qualifications for key personnel, corporate governance structures, and operational controls. Article 66 lists fifteen separate grounds on which the CBUAE may suspend or revoke a license, ranging from failure to meet ongoing conditions (an operational standard, not just an entry barrier) to actions that undermine market stability.
What this means in practice: every entity involved in the insurance claims chain now operates under direct CBUAE oversight. The days of claims-adjacent services operating in regulatory grey areas are ending.
The designated functions regime
Articles 107 through 112 introduce a regime that reaches beyond institutional licensing to regulate specific individuals. A "Designated Function" is defined as any function within a Licensed Financial Institution that requires CBUAE authorization for the person performing it. The CBUAE determines which functions qualify, can impose conditions on the authorization, and can revoke it if the individual no longer meets the requirements.
For insurance operations, this means that key claims personnel (heads of claims, senior adjusters, compliance officers, risk managers) may require individual CBUAE authorization depending on their role's designation. Article 109 mandates that Licensed Financial Institutions notify the CBUAE when an individual ceases to hold a Designated Function, and Article 112 empowers the CBUAE to remove a person from a Designated Function directly if they no longer satisfy the criteria.
The regime creates personal regulatory accountability. A compliance failure is no longer just the institution's problem; it can trigger consequences for the named individuals responsible.
Governance, reporting, and supervision
Three articles establish the ongoing compliance architecture that sits on top of the licensing framework.
Article 130 requires every Licensed Financial Institution to maintain a governance framework that is "consistent with its nature, scale, complexity, and risk profile." The CBUAE may issue detailed governance standards and require their adoption. Article 128 grants the CBUAE broad prudential supervision powers over all licensed entities and their groups. And Articles 122 through 124 establish comprehensive reporting obligations, including periodic financial reports, immediate notification of material changes, and ad hoc data requests.
Article 133 gives the CBUAE examination powers that are worth understanding precisely. The CBUAE may appoint examiners to inspect any Licensed Financial Institution, examine its books and records, require any director or employee to provide information, and access any premises. Obstruction of an examination is a criminal offence under Article 179.
Article 106 adds a structural requirement: mandatory membership in the Emirates Insurance Federation for all insurance companies and insurance-related professions. This is not optional and not merely ceremonial.
Early intervention: fifteen powers before sanctions
Article 142 grants the CBUAE fifteen early intervention powers that can be exercised when a Licensed Financial Institution's financial position deteriorates or its governance, risk management, or internal controls are inadequate. These powers range from requiring a specific action plan, through restricting activities and imposing enhanced reporting, to requiring changes in management or business strategy.
The critical provision is Article 142(3): early intervention powers apply to Insurance-Related Professions. A motor claims TPA or loss adjuster that fails to meet governance or internal control standards is subject to the same intervention framework as the insurer itself. The CBUAE does not need to wait for a financial crisis to act; inadequate controls are sufficient.
Customer protection and fraud prevention
Article 148 requires Licensed Financial Institutions to treat customers fairly and establishes a dispute resolution mechanism for customer complaints. The CBUAE Rulebook supplements this with a fifteen-day complaint resolution requirement (Article 10 of the Rulebook's Consumer Protection provisions), after which unresolved complaints escalate to Sanadak, the CBUAE's Banking and Insurance Dispute Settlement Unit.
Article 149 imposes fraud prevention obligations, requiring entities to implement systems and controls to prevent, detect, and report fraudulent activities. The CBUAE Circular No. 25/2022 (Article 13) expands on this, requiring a complete fraud risk management system covering strategy, structure, policies, and procedures, with Board and Senior Management bearing ultimate responsibility.
The enforcement architecture
Article 168 is the enforcement backbone. It grants the CBUAE twenty-one distinct administrative and financial sanctions, from a caution at one end to license revocation at the other. The range in between includes requiring corrective measures, prohibiting specific operations, removing authorized individuals from their functions, restricting investment activities, requiring deposits with the CBUAE, and imposing financial penalties.
The financial penalties merit specific attention. The CBUAE can impose fines of up to AED 1,000,000,000 (one billion dirhams) on Licensed Financial Institutions. Fines on authorized individuals range from AED 100,000 to AED 5,000,000. Conducting a licensed financial activity without authorization carries a minimum fine of AED 1,000,000. These are not theoretical ceilings; Article 168(4) authorizes the CBUAE to enforce sanctions immediately and to debit fines directly from the violator's accounts held at banks in the UAE.
Article 168(7) adds a reputational dimension: the CBUAE may publish its decisions, including the violator's name, on its official website.
Beyond administrative sanctions, the law establishes criminal penalties for the most serious violations. Article 170 prescribes imprisonment and fines of up to AED 500,000,000 for conducting licensed financial activities without authorization. Article 175 imposes imprisonment and fines of up to AED 100,000,000 for violating license conditions. Article 176 prescribes imprisonment and fines of up to AED 10,000,000 for contravening early intervention or resolution measures. And Article 178 targets Designated Function violations with a minimum of one year's imprisonment, a fine of AED 500,000, and a continuing daily fine of AED 50,000 for each day the breach persists (capped at AED 10,000,000).
Article 181 extends personal liability to the official in charge of management at any juridical person, applying the same penalties if they knew of the violation or if it resulted from their negligence.
The compliance timeline
Article 184 gives all entities subject to the law one year from its entry into force to reconcile their positions with the new requirements. The Board of Directors of the CBUAE may extend this period. Article 188 states the law comes into force the day following its publication in the Official Gazette.
Given the issuance date of 8 September 2025, the compliance reconciliation window closes approximately in September 2026. For insurers with motor claims portfolios running on manual processes, legacy systems, and informal controls, that timeline is not generous.
Key dates. Federal Decree-Law No. 6 of 2025 was issued on 8 September 2025 and enters force the day following Official Gazette publication. All regulated entities have one year from entry into force to reconcile their positions (Article 184). Existing regulations under the repealed laws remain in force until replaced (Article 183).
Part 2: The impact
Seven requirements that change motor claims operations
The legislation described in Part 1 creates a governance framework. The CBUAE's implementing circulars — particularly Circular No. 25/2022 on Risk Management and Internal Controls — translate that framework into operational requirements. When applied to motor claims, seven specific obligations emerge that most insurers are not currently equipped to satisfy.
1.Immutable audit trails on every claim
The requirement: every action, decision, and cost must be traceable from first notification of loss through final settlement. Circular 25/2022 (Article 11) mandates internal controls that include record maintenance with "properly referenced audit trails."2
The current state at most carriers: claims processes run on a combination of email threads, spreadsheets, and disconnected systems. There is no single, structured audit trail. When a CBUAE examiner requests the decision history on a settled claim, the response involves manual reconstruction from multiple sources — slow, incomplete, and difficult to defend. This is the same root cause behind claims leakage: if costs are not systematically traceable, leakage is structurally invisible.
2.System-enforced segregation of duties
The requirement: the person who assesses a claim cannot be the same person who authorizes payment. Circular 25/2022 (Article 11(a)) requires "adequate independence and clear separation of duties and reporting lines," and the accompanying Standards mandate a "four eyes" principle for key business processes.3
Current industry state: many insurers rely on organizational charts to demonstrate role separation, while the claims system permits the same individual to perform conflicting functions. Segregation exists on paper but not in the system. Adding manual checkpoints to enforce separation increases cost per claim, creating a direct tension with expense ratio targets.
3.Decision provenance on every claims decision
The requirement: every claims decision must record who made it, when, on what basis, and under what delegated authority. Circular 25/2022 (Article 11(b)) requires "adequate controls for all key business processes, including processes for taking major business decisions and approving transactions," and Article 11(d) requires that "necessary information for decision making must be made available to decision makers."4
Current industry state: decisions are made verbally, through unstructured email approvals, or by handlers with no systematic record of the reasoning, authority, or evidence behind the decision. This compounds reserving problems: if the basis for each reserve is not documented, reserve strengthening exercises rely on guesswork rather than auditable data.
4.Structured, reportable claims data
The requirement: the CBUAE expects insurers to produce reliable operational data on claims, not just financial summaries. Federal Decree-Law No. 6 of 2025 establishes broad data collection and reporting powers for the CBUAE across all licensed entities (Articles 122-124), and the CBUAE Rulebook's reporting requirements (Article 10 across multiple modules) anticipate structured data submissions.5
The current state: claims data quality is among the most commonly cited frustrations across UAE insurers. Conflicting numbers between departments, inconsistent coding, and fragmented source systems mean most carriers cannot produce the structured operational reporting the CBUAE's evolving framework anticipates. The data exists in fragments; it does not exist as a governed, reconcilable dataset.
5.Complaint resolution within fifteen days
The requirement: unresolved policyholder complaints escalate to Sanadak (the CBUAE's dispute settlement unit) and become visible to the regulator. The CBUAE Rulebook (Article 10, Consumer Protection) requires investigation and resolution within fifteen days of submission. Circular 25/2022 requires documented procedures for "the receipt, acknowledgment, verification, and resolution of complaints within defined timeframes."6
Current industry state: slow cycle times, poor communication with policyholders during the repair process, and unresolved workshop disputes are the primary drivers of complaints. Under the new framework, the same customer experience failures that historically caused renewal losses now also trigger regulatory scrutiny. A complaint is no longer a commercial problem; it is a compliance event.
6.Documented outsourcing governance
The requirement: material outsourcing of business activities must be approved by the CBUAE, with clear accountability, written contracts, and ongoing oversight. Circular 25/2022 (Article 12) requires a comprehensive register of outsourcing arrangements, Board-approved outsourcing policies, and CBUAE "no objection" for material business activity outsourcing. The Master System of Record must be maintained in the State.7
Current industry state: many insurers outsource portions of their claims operations informally — to repair coordinators, independent surveyors, or service providers — with limited documentation of the governance framework. Contracts are often commercial agreements without the compliance infrastructure that the CBUAE's outsourcing governance framework requires. Insurers that cannot demonstrate formal oversight of their outsourced claims functions will face approval requirements they are not prepared for.
7. Fraud and anomaly controls embedded in systems
The requirement: fraud detection must be proactive and system-driven, not reactive and manual. Circular 25/2022 (Article 13) requires "effective measures to deter, prevent, detect, report and remedy" fraud, including a complete fraud risk management system. Board and Senior Management bear ultimate responsibility.8
Current industry state: fraud detection at most UAE insurers is reactive. Anomalies are identified after they occur, often months later during year-end reviews or ad hoc audits. Without real-time cost benchmarking, estimate variance analysis, or systematic cross-claim pattern detection, cost anomalies go unnoticed until the damage is already settled and paid.
The compounding problem
These seven requirements are not seven independent challenges. They are symptoms of a single structural gap: the absence of governed, system-enforced claims processing. An insurer that tries to address each requirement independently — building audit trail capability here, adding a segregation checkpoint there, layering fraud detection on top — will create an expensive, fragile compliance structure that requires constant maintenance and generates its own operational overhead.
The expense ratio pressure makes this worse. Every manual compliance layer adds cost. Insurers already face claims ratios exceeding 65% across the motor portfolio; adding governance overhead without redesigning the underlying claims operation creates a cost escalation that is difficult to justify at Board level. The result, in practice, is that compliance projects are scoped minimally, implemented partially, and maintained inconsistently.
The enforcement timeline compounds the urgency. Article 184 gives entities one year from the law's entry into force to reconcile their positions. September 2026 is not a target date for project completion; it is the deadline by which the CBUAE expects regulated entities to comply. For insurers that have not yet started, the compliance pathway is not a matter of building seven separate capabilities from scratch. It is a matter of finding (or building) a single operational architecture that delivers compliance across all seven dimensions simultaneously.
Part 3: The compliance pathway
Compliance by design, not compliance by project
There are two approaches to satisfying the seven requirements described in Part 2. The first is compliance as a project: seven workstreams, seven solution designs, seven implementation timelines, seven ongoing maintenance burdens. The second is compliance by design: a single governed claims operating architecture where compliance is a structural byproduct of processing claims, not a separate activity layered on top.
The difference is architectural. A compliance project asks: "how do we add audit trail capability to our existing process?" Compliance by design asks: "how do we build a process where every claim automatically produces an audit trail, because that is how the system works?"
The same logic applies to each of the seven requirements. Segregation of duties does not require a manual checkpoint if the system physically prevents the same individual from performing conflicting functions. Decision provenance does not require a separate documentation exercise if every decision is recorded with who, when, what, and why as a structural element of the workflow. Fraud detection does not require a retrospective audit if every estimate is benchmarked against a cost database in real time, at the point of submission.
This section describes what a compliance-by-design claims architecture looks like in practice. It is structured around three design principles: seven compliance gates, an append-only evidence architecture, and a single integrated data model.
Seven compliance gates
A governed claims operation segments the claims lifecycle into mandatory checkpoints (gates) that a claim must pass through before advancing to the next stage. The concept is straightforward: at each gate, specific requirements must be satisfied, specific evidence must be present, and a specific person must confirm clearance. The claim does not advance until the gate conditions are met. There is no override. There is no manual bypass. There are documented exceptions, where a named supervisor authorizes a conditional advance with their identity, timestamp, and rationale recorded — but a conditional advance is a documented, accountable decision by a named person, not the absence of one.
Seven gates map to the seven stages of a motor claim's lifecycle, from first notification through settlement:
The cumulative output of this architecture is that every settled claim carries a structured evidence package: seven gate clearances, each recording the specific requirements verified, the identity of the person who verified them, the timestamp, and the supporting documentation. When a CBUAE examiner opens a claim file, the audit trail is not a retrospective reconstruction. It is the natural output of a process that cannot function without producing it.
How the seven gates address each regulatory requirement
The seven compliance gates and the seven CBUAE regulatory requirements are not separate frameworks applied in parallel. The gates are the mechanism through which the regulatory requirements are satisfied. Each gate produces evidence that addresses multiple requirements simultaneously.
Immutable audit trails (Requirement 1). The gate architecture generates an append-only audit trail as a structural byproduct. Once a record is written, it cannot be modified or deleted. Corrections are new entries that reference and supersede the original, with the original preserved. The entire claims history is a permanent, unalterable record — not because someone built an audit log, but because the data architecture does not permit modification of historical records.
Segregation of duties (Requirement 2). The system enforces segregation through role-based access controls configured as system constraints. Every decision is documented with three mandatory elements: prepared by, reviewed by, and approved by. The workflow engine blocks actions that violate segregation rules. Segregation is achieved without adding manual checkpoints or headcount; the compliance cost is embedded in the architecture rather than layered on top of operations.
Decision provenance (Requirement 3). At each gate, the system captures what was decided, who decided it, when, and the evidence supporting the decision. Where AI provides decision support (damage classification at Gate 2, estimate benchmarking at Gate 4), the AI's recommendation is recorded alongside the human decision. If the human overrides the AI, the reason is mandatory. At no point does an algorithm approve a payment, authorize a repair, or close a claim. Every consequential decision has a named person accountable for it in the audit trail.
Structured, reportable data (Requirement 4). The gate architecture enforces structured data capture at the relevant stage as a mandatory precondition for advancement. A claim file is not considered complete for settlement until all required data fields are present. Twelve critical data fields are captured for every claim: initial estimate amount, approved estimate amount, final invoice amount, parts cost breakdown, labor hours, repair method decisions, cycle time per stage, rental duration, recovery identification, fraud indicator flags, quality inspection result, and customer satisfaction score. Regulatory reporting can be generated from the same operational dataset that drives claims processing.
Complaint resolution (Requirement 5). Gate 6 verifies that all mandatory policyholder communications were sent before the claim can advance to settlement. Milestone tracking across all seven stages triggers automated alerts when any stage exceeds its configured time limit. A customer satisfaction survey dispatched within 48 hours of vehicle hand-back catches dissatisfaction before it escalates. If a Sanadak complaint does arise, the insurer has a timestamped communication log produced automatically by the system.
Outsourcing governance (Requirement 6). For insurers that outsource claims management, the gate architecture provides the governance infrastructure that makes the arrangement demonstrably compliant. The insurer retains all claims decision authority through configurable authority matrices enforced at Gate 4. Real-time dashboards provide continuous oversight. SLA performance is measured against contractual commitments with documented remedies. The audit trail, compliance gates, and structured data capture collectively produce the documentary evidence base that supports a CBUAE outsourcing approval application.
Fraud and anomaly controls (Requirement 7). Fraud detection is embedded at multiple gates rather than applied retrospectively. Gate 1 includes duplicate claim detection, vehicle history checks, and incident consistency analysis. Gate 4 benchmarks every estimate against a cost database, automatically flagging outliers and triggering a competitive challenge mechanism (independent estimates from alternative workshops) when variance exceeds acceptable thresholds. As claims volume grows across multiple portfolios, structured data across all seven stages supports cross- claim pattern detection at levels not possible in unstructured operations.
The cost containment co-benefit
A governed claims architecture does not merely satisfy regulatory requirements. The same mechanisms that produce compliance also produce measurable cost reduction — because the root causes of leakage and the root causes of compliance gaps are the same: absence of systematic controls, absence of structured data, and absence of accountability at each decision point.
Six cost containment mechanisms are embedded in the compliance architecture described above:
Estimate governance. Every repair estimate is benchmarked against a structured cost database at Gate 4, comparing submitted costs to reference prices for the same vehicle type, damage classification, and repair method. Variances above a configured threshold trigger automatic review. This is not a post-hoc audit; it is a pre-approval check that prevents inflated costs from entering the settlement pipeline.
Repair-versus-replace discipline. Repair is the default where technically sound. The decision between repair and replacement is documented at Gate 4 with specific justification, preventing the systematic bias toward replacement that inflates parts costs across the motor portfolio.
Parts pricing control. OEM versus aftermarket decisions are documented with insurer-specific rules applied at the estimate stage. Parts pricing is validated against supplier databases rather than accepted at face value.
Fraud and leafiage detection. The same benchmarking and pattern detection that satisfies Requirement 7 also captures cost leakage that is not technically fraudulent but structurally expensive — inflated labour hours, unnecessary parts markups, duplicated line items, and estimates padded with work that does not correspond to the documented damage.
Cycle time reduction. Milestone tracking and automated escalation at each gate compress the claims lifecycle. Shorter cycle times reduce rental car costs, minimize customer dissatisfaction, and reduce the administrative cost per claim.
Recovery identification at FNOL. Subrogation and recovery opportunities are flagged at Gate 1, when the evidence is freshest and the recovery probability is highest, rather than identified retrospectively after settlement.
The financial impact of these mechanisms depends on portfolio composition, current cost baselines, and the maturity of existing controls. The point is not any specific percentage; it is the structural relationship between compliance and cost. A governed operation is a less expensive operation, because the controls that satisfy the regulator also eliminate the inefficiencies that inflate claims cost. Every estimate that is benchmarked before approval, every repair decision that is documented with rationale, every fraud indicator that is flagged at the point of occurrence rather than discovered months later in an audit, reduces both regulatory risk and claims cost simultaneously.
The structural observation
The seven regulatory requirements described in Part 2 are not seven independent compliance problems requiring seven separate solutions. They are facets of a single structural gap: the absence of governed, system-enforced claims processing. An insurer that addresses the audit trail requirement through an architectural solution — rather than a procedural patch — will simultaneously address decision provenance, segregation of duties, and data quality, because these capabilities are produced by the same infrastructure.
This is the distinction that matters for any insurer evaluating its compliance pathway. Building seven separate capabilities to satisfy seven requirements is expensive, fragile, and difficult to maintain. Building one governed operating architecture that satisfies all seven, as a byproduct of how claims are processed, is embedded in the infrastructure and improves with every claim.
The compliance deadline is September 2026. The question for insurers is not whether to comply — the enforcement architecture described in Part 1 makes that a given. The question is whether to comply through a series of point solutions layered onto existing operations, or through an operating model where compliance is structural. The first path adds cost. The second path reduces it.
Note on article numbering. The regulatory citations in this paper reference the CBUAE Circulars (24/2022 and
25/2022) by their article and section numbers as published. Primary law references cite Federal Decree-Law No. 6 of 2025 directly. Where CBUAE Rulebook provisions are cited, these refer to the consolidated rulebook as published on
the CBUAE's official website. Readers should verify all citations against current enacted texts, as the CBUAE may issue amendments or implementing circulars subsequent to publication.
About Axxion
Axxion Claims Settlement Services is a Dubai-based end-to-end motor claims management company and the UAE's first dedicated motor TPA.
Axxion manages the full claims lifecycle for insurance partners, from first notification of loss through repair coordination, quality control, and settlement, operating on a six-layer claims architecture designed around regulatory compliance, data integrity, and AI-augmented decision- making.
Axxion is part of the Skelmore Group, a diversified automotive and insurance services group founded in Toronto in 1994. The group operates across North America and the Middle East with approximately $650 million in revenue and 4,000 employees, spanning multi-brand automotive aftermarket services, retail and wholesale distribution, and luxury automotive.
About the Author
Frederik Bisbjerg is Co-founder and Managing Director of Axxion Claims Settlement Services LLC, the UAE's first dedicated motor claims third-party administrator, where he is building a compliance- by-design claims operating system with AI governance at its core.
His career spans almost two decades of insurance leadership across the MENA region, including roles as CEO of Al Wathba Insurance, Chief Transformation Officer at AXA Global Healthcare, Senior Vice President of Digital Transformation and Innovation at Daman National Health Insurance Company, and Executive Vice President at Qatar Insurance Group.
Before moving into executive roles, he spent several years at a top- tier management consulting firm, where he developed the habit of building alliances between business partners that had not previously thought to work together.
He also serves as Head of MENA and Digital Transformation specialist at The Digital Insurer, where he is a founding member of the world's first mini-MBA in Digital Insurance and lectures on strategy, transformation, big data, and technology architectures.
Bisbjerg is the author of the best-selling Insurance_Next, a practical guide to transforming incumbent insurers into flexible, resilient organizations ready for the post-COVID, generative-AI era.
