Regulated UAE builds are a different evaluation problem from unregulated ones. The selection criteria that work for a retail platform or a logistics dashboard do not work for a CBUAE-supervised reporting system, an IFRS 17 insurance build, or a Civil Defence NOC submission platform. The reason is not that the technical bar is higher, though it usually is. It is that the boundary between what the software supports and what the licensed entity owns is the actual decisive variable, and most selection processes do not test for it. Buyers compare partners on capability when they should be comparing partners on how precisely they hold the line.
This piece is a perspective on how to evaluate a software partner for a regulated UAE build. The argument is opinionated. We have a stake: BY BANKS does regulated work in the UAE, and the argument is for the criteria we are strong on. We are not arguing that capability and price are irrelevant; they matter and they are testable on the proposal. We are arguing that on a regulated build they are necessary and not sufficient, and the sufficient criterion, the one that decides whether the engagement holds under supervision, is whether the partner is precise about its own scope. The right partner is self-limiting; it builds the instrumentation and explicitly does not own the determinations. The wrong partner is over-claiming; it offers to handle compliance, manage the NOC, set up IFRS 17, and run the AML alerts, and it collapses the line between itself and the licensed entity in the proposal. The first builds a system that holds. The second creates supervisory exposure the licensed entity cannot insure against.
The audience for this analysis is CIOs, CROs, MLROs, chief actuaries, chief medical officers, technical leads, and procurement officers at UAE banks, insurers, healthcare providers, fire safety consultancies, and government entities choosing a software partner for a build that sits in regulated territory. The useful diagnostic question is not "is this partner capable" but "is this partner precise about the boundary between what it builds and what we own, in concrete terms, for the specific regulated decisions in this build".
The Same Regulated Decisions, Two Ways the Line Can Sit
A UAE build commonly touches five regulated decisions, and for each one the line can sit in the wrong place (partner over-claims, client ownership of the determination muddled) or in the right place (partner builds, client owns). For each decision, the useful questions are how a partner signals where it sits, how to test that in selection, and what fails when the line is wrong.
Why the Boundary Is the Test, Not the Capability
The reason the boundary is decisive is the nature of UAE regulated supervision. A licensed entity, the bank, the insurer, the healthcare provider, the fire consultancy, is the party the regulator supervises, and the obligations and exposures attach to it. Software supports the entity's discharge of those obligations; software does not substitute for it. A partner that proposes to take on the determinations themselves, to "handle the reporting", "manage the AML decisions", "set up the IFRS 17", "manage the NOC", "make the clinic compliant", is proposing something a partner cannot actually do, because the obligation is non-transferable. What the partner is really offering is for the licensed entity to behave as if the obligation has been transferred, while it has not. The supervisory consequence of that gap arrives the first time a regulator asks for the determination's basis, and the licensed entity discovers it cannot answer because the basis lives somewhere outside it.
The UAE supervisory framework makes the boundary concrete in each domain. Federal Decree-Law No. (6) of 2025 sets the CBUAE administrative fine ceiling at up to AED 1 billion on a violating licensed financial institution; the violation attaches to the institution. The AML/CFT regime under Federal Decree-Law No. (20) of 2018 sets the suspicious-transaction reporting obligation on the institution's MLRO; the determination is the MLRO's, no matter who built the platform. IFRS 17, effective from 1 January 2023, and the CBUAE Financial Reporting and External Audit Regulation C 5/2023 effective from 30 April 2024, require methodology and disclosures the insurer must defend; the insurer's actuaries own the methodology. Cabinet Resolution No. (24) of 2012 and the UAE Fire and Life Safety Code put the submission and code compliance responsibility on the submitting party; the licensed fire engineer or contractor stamps the work. In every case, the regulator's counterparty is the licensed entity, and the determination is the entity's to make and defend. A partner that proposes to fold that determination into the contract is proposing fiction.
This is why capability is necessary but not sufficient. A capable partner that over-claims produces a sophisticated platform with a structural problem: the licensed entity cannot demonstrate ownership of the decisions the regulator will ask about, because the decisions were not designed as the entity's. A capable partner that holds the line correctly produces the same platform with the determinations sitting in the right place, and the entity defends them naturally because they are its own. The capability is the same; the structural fitness is the difference, and the only way to see it in selection is to test the boundary directly rather than infer it from the proposal.
The shift in one observation
A regulated UAE build is widely evaluated as a capability question and is in practice a boundary question. Capable partners come in both shapes: those who hold the line precisely and those who collapse it for sales clarity. The shape that holds under supervision is the one whose proposal explicitly states what it does not do, on each regulated decision, and the boundary test is the activity that distinguishes them.
Where the Capability-Only Evaluation Breaks
"We will handle your compliance"
An over-claiming partner offers to take on regulated determinations the licensed entity owns. The proposal reads as comprehensive and creates a structural gap that surfaces the first time a supervisor asks for the basis of a decision the entity did not actually own.
Regulator named, role not stated
The proposal mentions CBUAE, IFRS 17, DHA, and Civil Defence by name but does not state the partner's scope versus the entity's. Vague positioning is the characteristic shape of a partner that has not thought through the line, or hopes the buyer will not test it.
Capability impressive, instrumentation thin
Strong technical proposal, but the platform does not produce the lineage, evidence, and reconstructability the entity will need to defend its determinations. Capability built without supervisory instrumentation creates the same exposure differently.
Selection on price across different boundaries
Two proposals at very different prices for ostensibly the same build are often pricing different boundaries. The cheaper proposal scoped the build and assumed the entity already had the evidence and lineage layer; the expensive one priced it in. The headline comparison hides what was actually included.
The Decision in Plain Terms
Side by Side: Partner Holds the Line vs Partner Collapses It
| Behaviour | Line in the right place | Line collapsed |
|---|---|---|
| Reporting | Builds the instrumentation; entity produces and signs off | Offers to handle the reporting on the entity's behalf |
| AML decisions | Platform records every disposition; MLRO owns the suspicion | Offers AML decisioning as a service |
| IFRS 17 | Builds to the methodology the actuaries set | Offers to configure IFRS 17 for the insurer |
| NOC submission | Builds the dependency-web platform; consultancy submits | Offers to manage the NOC submission itself |
| Clinical compliance | Builds the platform; licensed provider owns determinations | Offers software that "makes you compliant" |
A partner that collapses the boundary in the proposal collapses it again in the build, and the licensed entity discovers it the first time a regulator asks for the basis of a determination. The capability is the same; the structural fitness is the difference, and the only way to see it in selection is to test the boundary directly.
What Holding the Line Looks Like in Selection
The pattern in buyers who select regulated partners well is recognisable. Each regulated decision the build touches is named individually in selection, not aggregated into "compliance", and the partner is asked to state, in concrete terms, what it does and what the licensed entity owns for each. Vagueness on the boundary, "we will help you with that", "we cover compliance", "we manage the regulator-facing piece", is treated as a signal, not a reassurance. The partner is asked to describe how its proposed platform records the basis of every regulated decision so the entity can reconstruct it under supervision; an answer that focuses only on the feature and not on the reconstructability is incomplete. Where the partner names a UAE instrument (Federal Decree-Law No. (6) of 2025, IFRS 17, Cabinet Resolution No. (24) of 2012), the buyer asks who in the engagement is responsible for what under that instrument, and the answer is expected to be self-limiting on the partner side. The partner that holds the line precisely will not flinch at these questions because the precision is part of how it builds; the partner that collapses the line will deflect or generalise.
How This Sits With BY BANKS, Honestly
We have a clear stake here and we should name it. BY BANKS does regulated software work in the UAE across banking, insurance, healthcare, fire safety, and government. The criteria above are the ones we ask buyers to evaluate us on, and we are confident on them because precision about the boundary is a deliberate part of how we engage. We lose proposals to partners that over-claim because the over-claim sometimes reads as more comprehensive to a buyer who has not tested it. We accept that and continue to argue for the criteria because the alternative, telling buyers what they want to hear about regulated obligations, would put them in exposure they cannot insure against.
The boundary stays clear throughout the engagement, not only at signing. BY BANKS is an independent software engineering company based in the UAE. We do not act for or on behalf of the CBUAE, the Insurance Authority, the SCA, the DFSA, ADGM, the MOHAP, the DHA, the DoH, Civil Defence, NCEMA, Dubai Customs, the UAE Pass, the IFRS Foundation, or any other authority. We are not a regulated entity in any sector we serve. We do not prepare or submit returns, make accounting, actuarial, clinical, or fire-engineering determinations, adjudicate suspicions, or accept supervisory responsibility on behalf of a licensed entity. The entity owns its submissions, its methodology, its determinations, its compliance, and its supervisory relationships; we build the software that lets it discharge them well, with the lineage and evidence the supervision will eventually ask for.
Where This Analysis Is Useful
The conversations where this perspective is most useful tend to be at three moments: a regulated entity comparing proposals that read as similarly capable and unsure how to discriminate between them; a CRO or chief compliance officer reviewing a partner who has offered to "handle" a regulated function the entity should be holding; or a buyer whose existing engagement is producing supervisory exposure the original proposal seemed to insulate against. The honest answer is usually the same: capability is necessary and the boundary is decisive, and the boundary is testable in selection if it is treated as a discrete evaluation criterion rather than left for the build.
For broader related work, see our perspective on how to choose a software engineering partner, our perspective on why CBUAE enforcement attaches to controls, not intent, and our perspective on what IFRS 17 demands of insurance data. The applied work sits across our banking, insurance, healthcare, fire safety, and operational platforms capabilities, with technical consultancy for the upfront work. Get in touch if a 45-minute conversation about a specific regulated selection would be useful.
Frequently Asked Questions
No. We are an independent software engineering company. We do not act for or on behalf of any UAE authority, we are not a regulated entity in any sector we serve, and we do not accept supervisory responsibility on behalf of a licensed entity. The licensed entity owns its submissions, its determinations, its methodology, and its compliance. We build the software that supports the entity's discharge of those obligations; the entity discharges them.
They are summarised from publicly available official sources as published, not reproduced and not legal advice. The authoritative requirements, fees, conditions, and any updates are those in the instruments and the issuing authorities' publications themselves. Buyers should rely on the official sources and qualified legal, regulatory, actuarial, clinical, or fire-engineering advice for their specific obligations, not on this summary.
That is the signal to ask, concretely, what they mean by "handle". A partner that explains they mean providing the instrumentation, the records, and the workflow while the licensed entity makes the determination is on the right side of the line. A partner that means making the determination itself is on the wrong side of a non-transferable obligation, regardless of intent or capability. The clarification usually settles which it is in a single exchange.
It is the regular criteria (scoping, seniority, structure) plus a boundary criterion that is decisive specifically for regulated work and not for unregulated work. For an unregulated retail platform, a partner offering to "handle the whole thing" is a sales position. For a regulated UAE build, the same offer creates structural exposure that capability alone does not fix. The difference is supervisory, not technical.
No, the boundary is structural to what software can and cannot do under supervision, not to the engagement model. An embedded BY BANKS engineer works inside the client team, contributes to the system, and helps the client own its determinations. The engineer does not become the licensed entity, does not make regulated determinations on the entity's behalf, and does not absorb supervisory responsibility, regardless of how integrated the working relationship is. The model changes how we work; it does not change what we are.
Evaluating a software partner for a regulated UAE build is widely treated as a capability comparison and is in practice a boundary test. Capability is necessary, and the partner that holds the line precisely between what it builds and what the licensed entity owns is the partner the build can survive supervision with. The right partner is self-limiting; the wrong one is over-claiming, and the over-claim collapses an obligation that is not transferable to the partner. The UAE supervisory framework makes the stakes concrete: an AED 1 billion CBUAE fine ceiling under Federal Decree-Law No. (6) of 2025, IFRS 17 in force, and Cabinet Resolution No. (24) of 2012 putting submission responsibility on the licensed party. In each case the regulator's counterparty is the licensed entity. We have a stake in this argument and the argument stands anyway; we are arguing for the criteria we are strong on and the alternative would put buyers in exposure they cannot insure against. The boundary is testable in selection if it is treated as a discrete evaluation criterion rather than left to be discovered later.
References to the CBUAE rulebook, Federal Decree-Law No. (6) of 2025, Federal Decree-Law No. (20) of 2018 on AML/CFT, the IFRS 17 standard, the CBUAE Financial Reporting and External Audit Regulation C 5/2023, Cabinet Resolution No. (24) of 2012, the UAE Fire and Life Safety Code, and UAE health authority regulations are descriptive of publicly available official sources and are summarised, not reproduced. Figures cited (administrative fine ceiling up to AED 1,000,000,000 under Federal Decree-Law No. (6) of 2025; 11 banks subject to CBUAE enforcement action in 2024, 6 in connection with AML/CFT and sanctions-framework weaknesses; IFRS 17 effective 1 January 2023; CBUAE C 5/2023 effective 30 April 2024; Cabinet Resolution No. (24) of 2012 governing civil defence services) are drawn from public sources listed on our Sources and Data page; the boundary model is an observational evaluation aid rather than a procurement methodology, scoring rubric, or specific regulatory or legal advice. BY BANKS is an independent software engineering company; we design and build software and hand it over, we do not act for or on behalf of any UAE authority, we are not a regulated entity in any sector we serve, we do not provide recruitment, staffing, payroll, or employment services, and we are not affiliated with or endorsed by the CBUAE, the Insurance Authority, the SCA, the DFSA, ADGM, the MOHAP, the DHA, the DoH, Civil Defence, NCEMA, Dubai Customs, the UAE Pass, the IFRS Foundation, or any other authority. On any regulated engagement, the licensed entity owns its submissions, its determinations, its methodology, and responsibility for its own compliance. This article is not procurement, regulatory, actuarial, clinical, fire-engineering, or legal advice; buyers should obtain qualified advice for their specific obligations. Public sources used in this piece are listed on our Sources and Data page.