GCC Open Finance Divergence: Three Regulatory Models for Financial Data Sharing

The Gulf Cooperation Council states are building the regulatory infrastructure for open finance in parallel but with strikingly different architectural choices. Saudi Arabia, Bahrain, and the UAE - the three GCC economies most advanced in financial data sharing - have each designed frameworks that reflect their broader regulatory philosophies, market structures, and strategic priorities. For payment practitioners and fintechs evaluating the Gulf market, understanding these differences is not academic: the framework you build for determines how you integrate, what data you can access, and how quickly you can launch.

Bahrain: The First Mover

Bahrain was the first country in the MENA region to embed open banking requirements into regulation, beginning in 2018 when the Central Bank of Bahrain (CBB) published Module OB in Volume 5 of the CBB Rulebook. The framework established rules for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), drawing heavily on the UK's Open Banking model and the EU's PSD2.

Bahrain's approach is decentralised by design. There is no central API hub - licensed third-party providers connect directly to individual banks through APIs that conform to the Bahrain Open Banking Framework (Bahrain OBF) standards. The CBB publishes technical specifications and governance rules, but the actual API implementation and hosting sits with each bank.

The results after seven years are instructive. The CBB's regulatory sandbox, which has hosted 21 companies as of December 2024, has served as the primary channel for fintech onboarding. Multiple account aggregation and payment initiation providers are licensed and operational. But adoption metrics remain modest relative to Bahrain's ambitions, in part because the decentralised model means each fintech must integrate with each bank separately - a friction that multiplies with every new bank connection.

Bahrain's first-mover advantage is real but narrowing. The knowledge and regulatory expertise accumulated since 2018 have positioned Bahrain's CBB as a regional advisor on open banking design, but the lack of a centralised infrastructure layer means that fintechs in Bahrain face higher integration costs than their counterparts in the UAE.

Saudi Arabia: The Sandbox-First Model

SAMA launched its Open Banking Framework in 2022 as part of Vision 2030's financial sector modernisation programme. The approach is phased and controlled: account information services came first, payment initiation services followed with the September 2024 second release of the framework.

Saudi Arabia's model is distinctive in several ways. First, SAMA operates a centralised Open Banking Lab that functions as both a testing environment and a standards body. Fintechs must pass through the SAMA Regulatory Sandbox before receiving a licence, and the lab provides a controlled environment for API testing against real bank infrastructure.

Second, the framework is explicitly sequenced. The first release covered account information - letting licensed TPPs read account balances and transaction histories with customer consent. The second release, issued in September 2024, standardised Payment Initiation Services (PIS), establishing procedures for TPPs to initiate payments directly from customer bank accounts. Each phase has clear entry criteria, compliance requirements, and licensing gates.

Third, SAMA has been deliberately selective in licensing. The number of authorised open banking providers is small by design, reflecting a regulatory preference for controlled quality over rapid volume. This contrasts with Bahrain's broader sandbox approach and the UAE's infrastructure-led model.

The Saudi approach mirrors its broader regulatory style: highly centralised control, phased rollout, and deep institutional oversight. For fintechs, this means longer time-to-market but clearer regulatory certainty once licensed.

UAE: The Centralised Infrastructure Model

The UAE has taken the most architecturally ambitious approach. Rather than publishing standards and letting banks and fintechs sort out connectivity (Bahrain's model) or operating a sandbox with phased licensing (Saudi's model), the CBUAE has built a centralised infrastructure layer that all participants must use.

The Open Finance Regulation, issued in June 2024, created a mandatory framework: all CBUAE-licensed financial institutions must participate and connect to a centralised API hub operated by Nebras Open Finance LLC, a CBUAE subsidiary established in 2024 specifically to manage this infrastructure. Nebras is not a regulator - it is an infrastructure operator, analogous to what Open Banking Limited (OBL) was designed to be in the UK but with direct central bank ownership.

The Nebras API Hub standardises how banks, fintechs, insurance companies, and third-party providers interact. Rather than building bilateral API connections with each bank, a TPP connects once to Nebras and gains access to all participating institutions. The hub handles identity verification, authentication, data security, and consent management through a unified trust framework.

The scope is notably broader than open banking: the CBUAE's framework is explicitly "open finance," extending beyond bank accounts to include insurance, pensions, and other financial products. This positions the UAE ahead of most global implementations in ambition, though the phased rollout means insurance and pension data sharing will follow banking data.

Participation is mandatory for all Licensed Financial Institutions (LFIs). Banks must maintain dedicated interfaces to provide access to account and product information through the API hub. Version 2.0 of the API Hub launched toward the end of 2025, with banks and insurers going live.

The UAE's approach is the most capital-intensive but also the most scalable. By centralising connectivity, the CBUAE has removed the bilateral integration burden that slows adoption in Bahrain and reduced the sandbox-gating friction of the Saudi model.

Three Models Compared

The divergence reveals different assumptions about how financial data sharing should work:

Bahrain assumes that market-driven API development, guided by regulatory standards, will produce the best outcomes. The CBB sets rules; the market builds connections. This works in a small, concentrated banking market (22 retail banks) but scales poorly.

Saudi Arabia assumes that controlled, phased introduction under central bank supervision produces safer outcomes. SAMA licenses carefully, sequences capabilities, and maintains direct oversight through the Open Banking Lab. This works for building institutional trust but limits the pace of innovation.

UAE assumes that infrastructure-led implementation - building the highway before letting cars on it - produces the fastest and most interoperable outcomes. The CBUAE has invested heavily in Nebras as a utility layer, accepting higher upfront costs for lower long-term friction.

The Interoperability Gap

Notably absent from all three frameworks is cross-border interoperability. A fintech licensed in Bahrain cannot use its CBB authorisation to access Saudi bank data, and a Nebras-connected provider in the UAE has no automatic pathway to Bahrain's open banking APIs. Each framework is designed for domestic use.

This fragmentation is the GCC's biggest open finance challenge. Unlike the EU, where PSD2 created a single regulatory framework across 27 member states, the GCC has no equivalent harmonisation mechanism for financial data sharing. The Gulf Common Market agreements cover goods and labour mobility but do not extend to API-level financial infrastructure standards.

For fintechs seeking to operate across the Gulf, this means maintaining three separate regulatory relationships, three different technical integrations, and three compliance frameworks. The aggregate cost of pan-GCC open finance operations is significantly higher than operating in a single harmonised market.

What Practitioners Should Watch

The GCC open finance landscape will evolve rapidly through 2026 and 2027. Key developments to monitor:

UAE FIT Programme completion: The CBUAE's Financial Infrastructure Transformation Programme, reported as 85 percent complete in early 2025, targets full integration in 2026. This includes not just open finance but also the Jaywan domestic card scheme, Aani instant payments, the Digital Dirham CBDC, and a sovereign financial cloud - creating an integrated digital financial infrastructure.

SAMA payment initiation adoption: With the PIS framework now published, the key metric is how many live payment initiation transactions are flowing through Saudi open banking APIs. Early adoption data will indicate whether the framework is generating real market activity or remaining a regulatory compliance exercise.

GCC harmonisation signals: Any moves toward mutual recognition of open banking licences or common API standards across GCC states would materially change the economics of operating in the region.

The Gulf's open finance experiment offers global lessons. Three neighbouring economies with similar banking structures, comparable GDP per capita, and shared membership in a common market have produced three fundamentally different regulatory architectures for the same problem. The outcomes - measured in fintech adoption, consumer benefit, and financial innovation - will take years to fully materialise, but the architectural choices being made now will be difficult to reverse.

Sources: SAMA - Second Release of Open Banking Framework; CBUAE - Open Finance Regulation; CBB - Fintech and Innovation Unit; Global Government Fintech - UAE FIT Programme 85% Complete; SAMA - Open Banking Portal.