Why Open Finance Matters for Insurance

R Philip • November 13, 2025

Key Points


  • Research suggests Open Finance in the UAE is advancing, with regulations including open insurance, impacting the sector significantly.
  • It seems likely that insurance will participate by sharing data via APIs, enhancing innovation and customer services.
  • The evidence leans toward new ventures, customers, brokers, and insurers facing both opportunities and challenges, like data security and competition.


Overview of Open Finance in the UAE


Open Finance in the UAE is part of the Central Bank's Financial Infrastructure Transformation Programme, launched to enhance digital financial inclusion. The Open Finance Regulation, issued in 2024, establishes a framework for cross-sectoral data sharing and transaction initiation, including both open banking and open insurance. This positions the UAE as the first globally to implement a consolidated trust framework and centralized API hub, with implementation phased and majority customer access expected by 2024, fully integrated by 2026 .


Insurance Industry Participation


The insurance industry is required to participate by providing API access and sharing data with accredited third parties, as part of the first implementation phase by June 2024. Insurance companies and brokers are deemed licensees, needing UAE Central Bank approval, which could lead to innovative digital products and enhanced customer control over finances .


Survey Note: Comprehensive Analysis of Open Finance in the UAE Insurance Market


Introduction


Open Finance represents a transformative shift in the financial services landscape, enabling secure data sharing across sectors with customer consent. In the UAE, the Central Bank's Open Finance Framework, launched in 2024, encompasses both open banking and open insurance, positioning the country as a global leader. This note provides a detailed analysis of the current state of Open Finance in the UAE, its implications for the insurance industry, and actionable insights for mid-size insurance brokers, drawing on international examples from the UK and EU.


Regulatory and Market Context in the UAE


The UAE Central Bank's Open Finance Regulation, issued on June 27, 2024, is part of the Financial Infrastructure Transformation Programme, one of nine initiatives to drive digital transformation in the finance sector . This framework includes a consolidated trust framework and centralized API hub, facilitating a single secure connection for banking and insurance markets, with customer consent and CBUAE-regulated third parties . The phased implementation began with Open Banking, followed by Open Insurance, aiming to reach the majority of customers by 2024 and fully integrate by 2026.

The regulation mandates that financial institutions, including banks, insurance companies, and payment service providers, allow accredited third-party providers access to financial data, requiring all CBUAE licensees to comply with data sharing and service initiation requirements . Insurance companies and brokers are deemed licensees, needing UAE Central Bank approval, with entities in financial freezones like Abu Dhabi Global Market and Dubai International Financial Centre exempt unless conducting onshore services, then requiring an Open Finance Licence.


Insurance Industry Participation


The Open Finance Framework incorporates open insurance, requiring insurance companies (national and foreign branches) to provide API access by June 2024 as part of the first phase . This involves integrating with the central platform, Nebras Open Finance, approved in December 2024, which supports consent management, support, analysis, and dispute resolution . The participation is expected to enhance digital financial inclusion, provide innovative and safer digital products, and ensure consumer control over finances, as stated by Fatma Al Jabri, Assistant Governor for Financial Crime, Market Conduct and Consumer Protection at the CBUAE .


Implications for the Insurance Value Chain


The Open Finance Framework has profound implications for various stakeholders:


  • New Ventures: Startups and fintech companies can leverage open insurance to develop innovative products, such as embedded insurance or data-driven risk assessment tools, by accessing insurance data through APIs. This aligns with global trends, such as the Open Insurance Initiative Network (OPIN) with 61 companies involved . However, they must navigate regulatory compliance and build trust with customers.
  • Customers: Customers gain greater control over their insurance data, enabling sharing with third parties for tailored services, better pricing, and improved experiences. Open finance facilitates easier comparison and switching, potentially reducing costs, but requires education on data privacy and consent management to ensure informed decisions .
  • Brokers: Mid-size insurance brokers can offer more comprehensive services by aggregating data from multiple insurers, enhancing advice and personalized recommendations. Partnerships with fintechs can improve digital capabilities, but compliance with the framework requires investment in API integration and data security .
  • Insurance Companies: Insurers must invest in technology to comply, potentially leading to operational efficiencies like faster processes and improved risk underwriting. New business models, such as insurance-as-a-service or platform strategies, can emerge, but there is a risk of losing direct customer relationships to third-party providers .
  • Other Participants: Third-party providers, including fintechs and Big Tech, can enter the market more easily, potentially disrupting traditional players. Big Tech, like Tesla planning to become an insurer, may leverage product data, posing competition risks .


International Insights: UK and EU Examples


The UK and EU provide valuable lessons for the UAE:


  • UK: Open finance has been under consideration since 2019, with the FCA and government working on frameworks including insurance under the Data Protection and Digital Information Bill . Impacts include potential for tailored services, but challenges include consumer protection and regulatory clarity. The pro-competition stance suggests data sharing could drive new offerings, with risks of marginalization for traditional firms .
  • EU: The Financial Data Access (FIDA) framework, proposed in June 2023, covers non-life insurance data, excluding life, sickness, health, and creditworthiness data, with permission dashboards and standardized infrastructure . This can enhance innovation but is limited in scope, with additional safeguards for data protection. Research suggests operational efficiencies and customer experiences improve, but risks include data sensitivity and Big Tech dominance .


Detailed Implications and Challenges


The research highlights key dimensions of openness, including data (proprietary, risk-related, third-party), product (insurance, risk-related services, beyond insurance), and ecosystem (channels, embedded insurance, platform strategies) . Performance impacts include:

  • Operational Efficiencies: Faster process cycle times, improved risk underwriting, reduced claims costs, better coordination across 30 European countries for large insurers.
  • Customer Experiences: Integrated experiences, new revenue streams, easier comparison/switching, personalized services, potentially transforming insurer-customer touch points.
  • Third Parties: Tailored products/pricing for intermediaries, Big Tech, InsurTech; partnerships as competitive advantage, but risks of commoditization and winner-take-all dynamics.



Challenges include sensitivity of risk data, ethics/norms for data exchange, powerful insurers impeding progress, lack of data reciprocity, and potential loss of customer interface, with time horizons varying from 5 years (innovation phase) to 25 years (due to industry inertia) .


Actionable Recommendations for Mid-Size Insurance Brokers


Given the current state as of May 29, 2025, mid-size insurance brokers in the UAE should:

  1. Assess Current Capabilities: Evaluate technology and data management systems for open finance compliance, investing in API integration and data security .
  2. Develop Partnerships: Collaborate with fintechs and insurtechs to enhance digital offerings, exploring embedded insurance or data analytics .
  3. Enhance Data Security: Ensure compliance with UAE data protection regulations, implementing robust cybersecurity measures .
  4. Educate Clients: Inform clients about open insurance benefits, such as personalized products, and provide transparency on data usage .
  5. Stay Informed: Monitor regulatory developments and participate in industry forums to stay ahead .
  6. Leverage Open Data: Use data for personalized offerings, improving underwriting and claims processes .
  7. Explore New Business Models: Consider embedded insurance, partnerships with non-traditional players, and new revenue streams like data analytics .


Conclusion


The Open Finance Framework in the UAE offers significant opportunities for the insurance industry, enhancing innovation and customer empowerment, but also poses challenges related to compliance, data security, and competition. By learning from the UK and EU, and implementing strategic actions, mid-size insurance brokers can navigate this landscape, delivering value to clients and staying competitive in a rapidly evolving market.


Key Citations



By R Philip May 26, 2026
Why Enterprise ChatGPT Wrappers Are Failing ...And Why the Next Market Belongs to AI Operating Layers A quiet problem is spreading through enterprise technology. Nearly half of enterprise GenAI users are reportedly accessing AI tools through personal or unmanaged accounts. Netskope’s 2026 Cloud and Threat Report puts the figure at 47% . For boards, CIOs, CISOs, regulators, and M&A advisors, that number should land hard. It means a large share of AI activity inside companies is invisible to IT. It is outside approved governance and may be bypassing data controls. And in regulated sectors, it may already be creating liabilities that have not been priced. This is a cybersecurity issue and it is an architecture issue. Over the past two years, many companies have tried to solve enterprise AI adoption with what is effectively a ChatGPT wrapper . Take a consumer-style AI interface. Put enterprise login on top. Add a usage policy. Maybe connect it to a few internal documents. Call it a secure enterprise AI platform. That approach has been useful as a first step. But it is now reaching its limit. The problem is clearest in industries where governance is not optional: banking, wealth management, insurance, law, healthcare, government, sovereign entities, and M&A-heavy sectors . These firms do not just need access to AI. They need controlled AI execution. They need audit trails. They need role-based access. They need data residency. They need workflow governance. They need defensible records of who asked what, what data was used, what output was produced, and what decision followed. A generic AI chat interface cannot carry that burden. The next phase of enterprise AI is not about better wrappers. It is about the rise of the AI operating layer . The Three Structural Failures of Enterprise ChatGPT Wrappers 1. AI adoption is moving faster than governance Employees are not waiting for enterprise AI strategy documents. They are already using ChatGPT, Claude, Gemini, Perplexity, Copilot, vertical AI tools, meeting assistants, coding agents, research agents, and document automation tools. Lenovo’s 2026 research reportedly found that 70% of employees use AI tools at least a few times a week , while 80% expect their AI usage to increase over the next year. At the same time, Salesforce’s 2026 Workforce AI Survey reportedly found that only 18% of organizations have formal AI security policies . That gap is the real story. Enterprise AI usage is becoming normal but enterprise AI governance is still catching up. Productiv’s 2026 analysis reportedly found that the average enterprise discovers 14 distinct AI tools in active use during audits, while IT is aware of only four or five. This is how shadow AI becomes institutional. Not because employees are malicious and not because IT is asleep. But because AI solves immediate work problems faster than enterprise policy can respond. People use the tool that helps them finish the work. If the approved path is slower, weaker, or harder to access, they route around it. That is the core governance failure. You do not stop shadow AI with a policy PDF. You stop it by making the sanctioned AI environment better than the workaround. 2. Wrappers do not understand the operating environment ChatGPT-style tools are powerful for individual productivity. They are less useful when the enterprise problem is not “generate an answer,” but “execute a controlled workflow.” That distinction matters. A banker does not simply need an AI model to summarize a document. They need AI that respects deal-team permissions, data-room boundaries, approval chains, MNPI restrictions, and audit requirements. A law firm does not simply need AI to draft a clause. It needs AI that knows the client, matter, jurisdiction, precedent bank, privilege boundaries, and review workflow. A healthcare provider does not simply need AI to answer clinical questions. It needs AI that operates within patient privacy rules, escalation protocols, clinical governance, and defensible record-keeping. An insurance broker does not simply need AI to write an email. It needs AI that can handle quotations, renewals, endorsements, claims documentation, compliance checks, carrier communication, and client servicing workflows. This is where enterprise wrappers break down. They may provide a safer chat box. But they often do not provide a governed operating system for work. They struggle with: Role-based access at team, client, function, or transaction level Full audit trails for regulated workflows Workflow-specific approvals Data residency and sovereign cloud requirements Integration with systems of record Clear ownership of AI-generated outputs Evidence trails for regulators, auditors, and deal diligence teams Separation between casual productivity use and controlled business execution In regulated environments, this is not a minor limitation. It is the difference between a productivity tool and enterprise-grade infrastructure. A chat interface was not designed to run banking operations, legal workflows, healthcare decisions, insurance processes, or M&A diligence. It was designed to converse and that is not enough. 3. The regulatory floor is rising Enterprise AI risk is no longer theoretical. Gartner has estimated that a large share of enterprise AI projects fail to move beyond pilots. The reasons are usually familiar: weak governance, unclear ownership, poor integration, lack of measurable ROI, and limited trust in outputs. The regulatory pressure is also increasing. The EU AI Act introduces higher obligations for high-risk AI systems, with enforcement milestones beginning in 2026. Penalties can reach material levels for large companies. IBM’s Cost of a Data Breach research has also highlighted the financial cost of breaches involving shadow AI and unmanaged technology environments. For the GCC, this matters even more. The UAE, Saudi Arabia, Qatar, and other Gulf markets are investing heavily in AI infrastructure, sovereign cloud, digital government, open finance, data governance, and national AI strategies. That creates a different kind of enterprise AI market. The region is not simply asking: “How do we give employees access to AI?” It is asking: “How do we deploy AI in a way that is secure, sovereign, auditable, compliant, and economically useful?” That question cannot be answered with another wrapper. It requires an AI operating layer. What Comes Next: The AI Operating Layer The next wave of enterprise AI will not be defined by prettier chat interfaces. It will be defined by infrastructure. An AI operating layer sits between employees, enterprise systems, data sources, foundation models, and business workflows. Its role is to manage how AI is used inside the organization. Not just who can access it. But what it can see. What it can do. Which workflow it is part of. Which approvals are required. Which systems it can touch. Which records must be kept. Which data must never leave the environment. A proper AI operating layer includes: Identity and access management Role-based and context-based permissions Data residency controls Enterprise knowledge retrieval Workflow routing Human approval checkpoints Audit logging Model governance Usage monitoring Cost controls Prompt and output records Integration with systems of record Policy enforcement by design This is where the enterprise AI market is heading. The winning question is no longer: “Which model are we using?” The better question is: “What operating layer governs how AI works across the business?” Why Shadow AI Is a Design Problem Most companies treat shadow AI as a compliance problem. That is incomplete. Shadow AI is usually a design problem. Employees use unapproved AI tools because the approved tools are either unavailable, clumsy, too restricted, or disconnected from real work. This is why bans rarely work for long. The Samsung case is instructive. After a reported data leakage incident involving ChatGPT use, the company initially restricted access. But the more durable answer was not just prohibition. It was the development of internal AI capability. That is the lesson for every enterprise. If the official AI environment is worse than the unofficial one, users will find a workaround. If the official AI environment is faster, safer, easier, and more useful, governance becomes natural. The goal is not to scare employees away from AI but it is to make the governed path the obvious path. The GCC Enterprise AI Opportunity The Gulf is not behind on AI. In many areas, it is ahead on capital allocation, infrastructure ambition, and executive urgency. McKinsey’s 2025 GCC AI research reportedly shows enterprise AI adoption rising sharply across the region. BCG’s 2025 AI maturity work also points to a growing class of GCC organizations that are moving beyond experimentation. The UAE and Saudi Arabia are especially important markets because they combine four forces: Strong national AI agendas Significant investment in digital infrastructure Regulated sectors with high compliance requirements Large enterprise and government buyers willing to modernize That combination creates a serious opportunity for AI operating infrastructure. The next GCC AI winners will not be the companies that run the most pilots. They will be the companies that turn AI into governed execution. This applies across: Banks Wealth managers Insurers Brokers Law firms Healthcare groups Logistics companies Government entities Family offices Investment firms M&A advisory environments Regulated technology businesses In these sectors, AI value does not come from giving everyone a chatbot. It comes from redesigning workflows around secure, auditable AI execution. Why This Matters for M&A and Enterprise Value AI governance is becoming a diligence issue. In M&A, buyers already assess revenue quality, customer concentration, cybersecurity, data privacy, software architecture, regulatory exposure, and operational maturity. AI exposure is becoming part of that same diligence map. A target company using unmanaged AI tools across sales, finance, legal, HR, product, and customer data may carry hidden risk. Questions buyers will increasingly ask include: What AI tools are used across the business? Which tools are approved? Which tools are unmanaged? What company data has been entered into external AI systems? Are prompts and outputs logged? Are regulated workflows using AI? Is there a human approval process? Are AI outputs used in customer-facing decisions? Is sensitive data protected? Are there data residency issues? Does the company have an AI governance policy? Is AI usage creating legal, regulatory, or contractual exposure? This matters because unmanaged AI can affect valuation. It can increase diligence friction. It can create indemnity demands. It can delay transactions. It can reduce buyer confidence. It can expose weak management controls. The inverse is also true. A company with a governed AI operating layer can present a stronger story: Better productivity Lower operating cost Stronger compliance Cleaner auditability Better data discipline More scalable workflows Reduced key-person dependency Higher confidence in operational maturity That is why AI governance is not just a technology issue. It is becoming an enterprise value issue. The Real AI Strategy Question The question for boards and leadership teams is no longer: “Should we allow AI?” That decision has already been made by employees. The better question is: “Do we have the architecture to govern AI at enterprise scale?” For regulated industries, the follow-up questions are even sharper: Can we prove what data AI accessed? Can we show who approved an AI-assisted decision? Can we enforce data residency requirements? Can we separate general productivity use from regulated workflows? Can we audit AI activity during a regulatory review or transaction diligence process? Can we prevent employees from using unmanaged AI when the official tool is not good enough? These are operating questions. Not model questions. Not chatbot questions. Not innovation theatre questions. The Bottom Line Enterprise ChatGPT wrappers helped companies start the AI journey. But they are not the destination. They are too shallow for regulated workflows. Too generic for enterprise operations. Too weak for audit-heavy environments. Too disconnected from systems of record. Too limited for sovereign data requirements. The next phase belongs to AI operating layers. Infrastructure that governs how AI interacts with people, data, systems, workflows, and decisions. For the GCC, this is a major opening. The region has capital, ambition, infrastructure, and executive urgency. What it now needs is disciplined AI deployment architecture. The winners will not be the firms with the most AI tools. They will be the firms that make AI usable, governed, auditable, and embedded into the way work actually gets done. That is where real enterprise value will be created.
By Futureu Strategy Group May 4, 2026
PRISM by Futureu Strategy Group is an enterprise AI platform with zero prompt engineering, full audit trails, and no vendor lock-in. See how it transforms every department.