When Does Technology Become ‘Facilitation’? What the CBUAE’s New Law M… Posted: 26-04-30 00:52
Federal Decree-Law No. (6) of 2025 regarding the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business contains one of the most important perimeter provisions now sitting in UAE financial services law.
For banks, fintechs, payment businesses, tokenised product builders, wallet providers, embedded finance players and Web3 infrastructure providers, the real question is not whether the law mentions technology. It plainly does. The more important question is where the line now sits between a pure technology provider and a business that is, in substance, facilitating a regulated financial activity.
That line matters. A great many modern business models are built on the idea that the operator is not itself the bank, the payment provider, the lender or the issuer of value, but instead provides the software, user interface, API layer, protocol, infrastructure or orchestration stack through which the service is delivered. Article 62 is aimed directly at that kind of structuring.
The statutory starting point
Article 61 sets out the financial activities that require a Central Bank licence. These include, among other things, taking deposits, providing credit and funding facilities, providing open finance services, currency exchange and remittance, payment services using virtual assets, stored value services, retail payments and digital money services, and arranging, promoting or marketing licensed financial activities.
Article 62 then makes the critical move. It provides that, without prejudice to Article 61, any person carrying on, offering, issuing or facilitating, whether directly or indirectly, any licensed financial activity falls within the Central Bank’s licensing, regulatory and oversight jurisdiction, regardless of the medium, technology or form used.
That is a deliberately broad provision. It is written to stop regulatory perimeter arguments based purely on delivery model, technical architecture or product labelling.
What makes Article 62 different
The significance of Article 62 is that it is not limited to traditional financial institutions, nor is it drafted by reference to old-world delivery channels.
Instead, it focuses on function. If the business model is carrying on, offering, issuing or facilitating a regulated financial activity, the use of decentralised systems, tokenised architecture, blockchain rails, distributed infrastructure, smart contracts or other emerging technology does not, by itself, take the model outside the Central Bank’s reach.
This is particularly important in sectors where businesses often describe themselves as being only the technology layer, only the interface, only the protocol or only the infrastructure.
The CBUAE’s FAQ gives useful clarification
The CBUAE has now published an FAQ on the decree-law, and the FAQ is particularly helpful on Article 62.
First, the CBUAE makes clear that Article 62 does not create a new category of financial activity. Instead, it confirms that where an existing Article 61 regulated activity is carried out by any technological means, technique, form or model, directly or indirectly, it remains subject to the Central Bank’s jurisdiction. That is an important clarification. The point is not that technology itself is being licensed. The point is that regulated financial activity does not stop being regulated merely because it is being delivered through new technology.
Secondly, the FAQ confirms that the law is intended to be activity-based, not technology-based. The Central Bank states that its jurisdiction extends to the performance of Article 61 activities whether implemented through traditional centralised infrastructure or through decentralised or distributed technology, including blockchain-based systems, tokenised platforms and other forms of Web3 infrastructure.
Thirdly, and most importantly, the FAQ gives concrete examples of the sort of conduct that may be caught. It says Article 62 includes activities involving virtual asset payment tokens, decentralised finance and the introduction or operation of decentralised platforms, protocols or technological infrastructure that facilitate, enable or allow the provision of financial services such as accepting deposits, providing payment services, issuing stored value, providing lending or other regulated financial services.
That wording is strikingly wide. The emphasis is not only on direct provision, but on whether the platform or infrastructure materially enables the regulated service to be made available.
So what does ‘facilitation’ mean in practice?
The decree-law does not contain a neat, self-contained definition of facilitation. Instead, it uses facilitation as a broad capture concept and illustrates it by reference to the kinds of technology, platforms and operational models that may fall within scope.
Taken together, the law and the FAQ suggest that a business is at greater risk of being treated as facilitating a regulated activity where it does one or more of the following:
makes the regulated service functionally available to end users or counterparties;
operates the interface, flow, process or mechanism through which users obtain the service;
stands in the transactional chain in a way that enables execution, access or settlement;
introduces or runs a platform, protocol, dApp or other infrastructure specifically designed for the regulated activity; or
materially enables the regulated outcome, even if another licensed entity sits elsewhere in the structure.
This is why the language matters. The law does not only capture the entity that is visibly branded as the provider. It is broad enough to reach a business whose real role is to make the regulated activity possible in substance.
The important narrowing point: pure technology providers are not automatically in scope
This is where the FAQ is especially valuable.
The Central Bank expressly says that Article 62 is not intended to regulate, license or prohibit technology service providers simply in that capacity. It states that providers of software, infrastructure, purely technical solutions or other emerging technologies fall outside the Central Bank’s licensing, regulatory and supervisory jurisdiction unless they themselves engage in, present themselves as engaging in, or offer, issue or facilitate a regulated activity under Article 61.
The FAQ then gives examples of where that line may be crossed, including operating a payment service, wallet service, stored-value facility or other regulated financial service on a professional basis, whether directly or indirectly. This is a critical distinction. A pure software vendor is not automatically regulated merely because its product is used in finance. But a business cannot rely on the label ‘technology provider’ if, in substance, it is operating or enabling the regulated financial service itself.
A practical safe harbour of sorts
The FAQ contains another useful statement. It indicates that where a technology service provider supplies software, infrastructure, technological solutions or other emerging technologies exclusively for the benefit of a licensed financial institution, that provision alone is not to be treated as the carrying on, offering, issuance or facilitation of a regulated financial activity.
That does not amount to a statutory exemption, and each model still needs to be assessed on its facts. However, it is a meaningful indication of regulatory intent. It suggests that ordinary B2B technology outsourcing, vendor support and institutional enablement are not, without more, the target of Article 62.
Where the difficult cases will sit
The hardest cases will usually be the hybrid models. Examples may include:
wallet or app providers that do not hold customer funds but control user access and transactional execution;
embedded finance businesses that present the financial product to the user while relying on a licensed partner in the background;
DeFi frontends that claim to be only interfaces, but are actively involved in enabling user participation in payments, lending or value storage;
tokenised payment or value-transfer systems structured as technology networks but designed for real-world payment functionality; and
infrastructure providers whose role goes beyond generic technical support and becomes integral to the delivery of the regulated service.
In these models, legal analysis will turn less on the marketing description and more on the actual allocation of functions, control points, user-facing conduct, revenue model and operational involvement.
Why this matters for UAE market entry and structuring
For businesses operating in or from the UAE outside the financial free zones, Article 62 materially reduces the usefulness of arguments based purely on technological form.
It also means that structuring around a licensed institution may not be enough if the unlicensed party still performs the core enabling role. Equally, it means that genuine B2B technology vendors should be careful to preserve the facts that support that characterisation. Contracting, branding, customer-facing disclosures, allocation of decision-making, control of wallets or payment flows, and the practical operation of the product will all matter.
In short, the question is no longer just who holds the licence. It is also who is making the regulated activity possible.
What businesses should be doing now
Businesses with payment, stored-value, wallet, remittance, open finance, tokenised payment, embedded finance or DeFi-adjacent models should review their structures against Article 61 and Article 62 now.
That review should look beyond legal labels and focus on substance. Key questions include:
What regulated activity is being performed?
Who controls the customer journey?
Who controls execution or operational access?
Is the business merely supplying tools to a licensed institution, or is it making the service available itself?
How is the model presented to customers, counterparties and the market?
Does the business sit inside the commercial and technical chain in a way that enables the regulated outcome?
Where the model is close to the line, businesses should consider restructuring, clearer role allocation, contractual refinements, enhanced disclosures and, where necessary, direct regulatory engagement.
The broader lesson
Article 62 is best understood as an anti-circumvention provision. It is designed to ensure that the regulatory treatment of a financial activity follows the substance of what is being done, rather than the language chosen to describe it or the technology used to deliver it.
The CBUAE’s FAQ does provide a useful limitation: pure technology service providers are not, merely by being technology service providers, automatically within scope. But the line is not drawn by the word ‘technology’. It is drawn by function.
That is the real message of the new law. In the UAE, outside the financial free zones, the question is no longer whether a business is ‘just tech’. The question is whether that tech is, in reality, facilitating finance.
How Septten Advisors can help
Businesses operating at the edge of regulated finance and technology should not assume that older perimeter analyses will still hold under the new decree-law.
Septten Advisors advises on UAE financial regulatory perimeter questions, fintech and payments structuring, virtual asset and tokenised product analysis, licensing strategy, regulatory engagement and contractual allocation of regulated functions.
If your model involves payment flows, stored value, wallets, embedded finance, open finance, tokenised payment infrastructure or DeFi-adjacent functionality, a fresh review under Federal Decree-Law No. (6) of 2025 is likely to be worthwhile.
