Contributors:
Rayan Zbib, Senior Manager, Financial Services Consulting, PwC Middle East
Osama AlSaad, Manager, Financial Services Consulting, PwC Middle East
Financial regulatory priorities in the region are shifting from crisis response to anticipatory resilience. The focus is no longer only on preserving stability during periods of uncertainty, but on building trust, enabling innovation and strengthening the financial ecosystem before future risks fully materialise.
In a region where geopolitical uncertainty can shift quickly, GCC financial regulators are moving beyond a traditional focus on financial stability towards a broader model of resilience. Historically, regulatory intervention has centred on safeguarding markets during periods of disruption. Today, however, the Middle East risk environment requires a more proactive and forward-looking approach, one that anticipates shocks, strengthens system-wide preparedness and supports confidence before risks fully materialise.
The period of uncertainty in the region illustrates how quickly risks can spread across financial systems, requiring regulators to manage not only liquidity and market stability, but also sanctions compliance, cyber security, operational continuity and investor confidence. Traditional prudential measures remain essential, but they are no longer sufficient on their own.
Strong supervision remains the foundation of resilience. Over the past decade, GCC regulators have strengthened capital adequacy requirements, liquidity buffers, stress-testing frameworks and asset quality oversight, helping financial institutions withstand periods of economic and market stress. The COVID-19 pandemic demonstrated the value of these safeguards. Regulators responded with liquidity support, payment deferrals, financing programmes and temporary prudential relief measures that helped preserve confidence and maintain the functioning of financial systems during a period of unprecedented disruption.1
The more significant change today is how regulators are increasingly looking beyond individual institutions to the broader financial ecosystem. Across the GCC, they are supporting digital onboarding, electronic Know Your Customer (eKYC) capabilities and remote banking services, while encouraging the use of advanced analytics, artificial intelligence and data-driven supervision to strengthen risk monitoring, fraud detection and resilience testing. At the same time, cyber resilience, operational continuity and financial crime prevention are becoming increasingly important supervisory priorities.
This marks a shift from crisis response towards resilience by design. As financial systems become more interconnected, digital and dependent on third-party providers, regulators are increasingly focused on ensuring that resilience is embedded across the financial ecosystem rather than confined to individual institutions.
Protecting financial stability during periods of uncertainty
During the Middle East conflict, several GCC regulators have acted more pre-emptively, introducing resilience measures before material stress fully crystallised across the banking system. The Central Bank of the UAE, for example, approved a proactive Financial Institution Resilience Package while noting that the banking sector and payment systems had not experienced material impact. The package covered enhanced access to liquidity, temporary liquidity and funding relief, capital buffer relief, and flexibility in credit-risk classification for affected customers.2
Qatar Central Bank also announced pre-emptive support measures while confirming that liquidity, capital, and provisioning levels remained strong, including unlimited QAR repo facilities, a new term repo facility, lower reserve requirements, and borrower payment deferral options.3
This marks an important shift from post-crisis intervention toward anticipatory supervision, where regulators seek to preserve confidence, liquidity, and operational continuity before risks fully transmit into the financial system.
Short-term considerations during the period of recovery:
Regulators across the GCC should continue to build on these strong foundations, and strengthen their ability to anticipate, monitor, and mitigate emerging risks across four key areas.
1. Geopolitical and market volatility.
The recent uncertainty has served as a reminder that rising uncertainty can trigger energy price volatility, shifts in capital allocation and changes in investor sentiment, creating pressures that extend well beyond the immediate area of conflict. As a result, financial institutions may face heightened market volatility, liquidity constraints and a more complex risk environment.
In response, regulators should:
Incorporate geopolitical disruption scenarios into supervisory stress-testing frameworks
Strengthen monitoring of liquidity, market exposures, and cross-border risk concentrations
Enhance contingency planning for periods of market stress and volatility
Increase supervisory engagement with systemically important institutions to assess preparedness for adverse scenarios
2. Sanctions and financial crime exposure.
Regional geopolitical uncertainty has increased the complexity of sanctions compliance and financial crime risks. Financial institutions face growing exposure to sanctions breaches, trade-based money laundering, beneficial ownership risks, and the potential misuse of digital assets.
Regulators should:
Strengthen supervisory expectations for sanctions compliance and financial crime controls
Enhance oversight of transaction monitoring, customer due diligence, and beneficial ownership transparency
Encourage the adoption of advanced analytics and AI-enabled monitoring capabilities
Develop risk-based supervisory approaches for emerging channels, including digital assets and cross-border payment networks
3. Cyber and operational resilience.
There have been heightened concerns around cyber threats in the region, including attacks targeting financial institutions and critical infrastructure.4 At the same time, increasing reliance on digital platforms, cloud providers, and third-party service providers is creating new operational vulnerabilities.
Regulators should:
Establish robust cyber and operational resilience frameworks focused on maintaining critical financial services during disruption
Require regular resilience testing, scenario exercises, and recovery planning
Strengthen oversight of third-party technology and outsourcing risks
Promote sector-wide information sharing and coordination on cyber threats and incidents
4. Payment and trade infrastructure resilience.
Regional tensions can disrupt critical trade and payment corridors, affecting trade finance, cross-border payments, and broader economic activity. As financial systems become increasingly interconnected, the resilience of payment infrastructure is becoming a strategic priority.
Regulators should:
Strengthen resilience requirements for payment systems and financial market infrastructures
Develop contingency plans for disruptions to key trade and payment corridors
Enhance cross-border coordination to support continuity of payments and settlement activities
Encourage financial institutions to establish alternative settlement arrangements and operational recovery capabilities
Collectively, these priorities highlight the evolving role of GCC financial regulators. Beyond safeguarding stability, regulators must increasingly build the capabilities, frameworks, and supervisory models required to ensure the financial system remains resilient in an environment characterised by persistent geopolitical uncertainty.
Beyond immediate measures – enhancing the financial ecosystem for a more resilient future
GCC regulators now have an opportunity to look at longer-term structural transformation aimed at strengthening the resilience, competitiveness, and sustainability of the region’s financial systems. As financial ecosystems become increasingly interconnected, digital, and globally integrated, supervisory approaches will need to evolve beyond institution-level oversight toward ecosystem-wide supervision and resilience. Increasingly, efforts are moving towards a more proactive resilience model, one where regulators are no longer only guardians of stability, but also strategic enablers of innovation, digital transformation, and predictive supervision.
Longer-term considerations:
The focus is now on four core areas.
1. Geopolitical fragmentation and economic uncertainty
Rising geopolitical fragmentation, sanctions complexity, trade corridor disruptions, and capital flow volatility are creating a more unpredictable operating environment for financial institutions.
In response, regulators should:
Incorporate geopolitical and macroeconomic disruption scenarios into supervisory stress-testing frameworks
Strengthen the resilience of payment systems and financial market infrastructure
Enhance cross-border regulatory coordination
Establish more robust supervisory expectations around sanctions compliance, financial crime controls, and geopolitical risk management
2. Increasing ecosystem interconnectedness
Across the GCC, regulators are fostering greater collaboration between banks, fintechs, telecom providers, and other market participants, accelerating the shift from traditional bank-centric models to more integrated financial ecosystems. Initiatives such as Qatar’s National Network System for ATMs and Points of Sale (NAPS) and Electronic Payment Gateway (QPAY) platforms5 and Saudi Arabia’s global wallet partnerships6 reflect the growing adoption of open banking and ecosystem-based financial services.
However, greater interconnectedness also introduces new systemic risks. Financial institutions are becoming increasingly dependent on fintech partners, cloud providers, and third-party technology platforms, creating operational dependencies that can amplify disruptions and cyber risks across the financial sector.
Regulators should:
Adopt ecosystem-wide supervisory approaches
Strengthen third-party risk management requirements
Establish clear operational resilience standards
Enhance oversight of critical service providers and concentration risks that could threaten the continuity of financial services
3. Digital, cyber and operational resilience
The rapid growth of digital banking, instant payments, digital assets, cloud adoption, and data-driven business models is transforming the financial sector while introducing new supervisory challenges. As financial institutions become increasingly dependent on digital infrastructure, third-party technology providers, and interconnected platforms, they face greater exposure to cyber threats, technology failures, operational disruptions, and emerging risks that may not be easily identified through traditional supervisory approaches.
Regulators should:
Invest in supervisory technology (SupTech) capabilities and AI-enabled supervisory tools to support more intelligence-led and predictive supervision
Modernise regulatory reporting frameworks to improve data quality, timeliness, and risk visibility
Develop advanced monitoring capabilities to identify emerging cyber, operational, and technology-related risks
Establish comprehensive cyber and operational resilience frameworks focused on maintaining critical financial services during periods of disruption
Require regular resilience testing, scenario exercises, and recovery planning for financial institutions and critical service providers
Strengthen oversight of technology, cloud, outsourcing, and third-party risks
Promote sector-wide information sharing and coordination to enhance preparedness and response to cyber and operational incidents
4. Financial innovation and future market evolution
The emergence of digital assets, tokenised finance, open finance ecosystems, and next-generation payment infrastructure presents both opportunities and new sources of risk for the financial system.
Regulators should:
Develop clear, risk-based regulatory frameworks for emerging technologies
Modernise payment infrastructure and cross-border interoperability
Support responsible innovation through regulatory sandboxes
Ensure that governance, consumer protection, and market integrity standards evolve alongside new business models
Collectively, these priorities reflect a fundamental evolution in the role of GCC financial regulators – from safeguarding stability at the institutional level to building resilience across increasingly interconnected, technology-enabled, and globally integrated financial ecosystems. In doing so, regulators can help ensure that the region’s financial sector remains resilient, competitive, and adaptable in the face of future geopolitical, economic, and technological disruption.
The next regulatory mandate
The period of uncertainty has created a window for GCC regulators to turn resilience from a crisis capability into a permanent feature of financial supervision. The task now is to make the system more adaptive, connected and intelligence-led.
This means using lessons from the last few months to strengthen early-warning capabilities, improve coordination across the financial ecosystem and ensure that critical services can continue through future shocks. It also means balancing resilience with ambition – enabling innovation and market development while maintaining trust in the system.
This is a strategic opportunity for GCC regulators to move beyond reacting effectively to disruption and set a regional benchmark for financial systems that are stable, competitive and ready for what comes next.
Authors
