Oman’s Digital Banking Regulatory Framework

5 min 34 sec

As part of Oman’s banking sector modernization efforts that were brought about at the start of 2025, Oman’s new regulatory framework for digital banks sets out a clear, risk‑sensitive pathway for licensing, operating, and supervising fully digital banking institutions, aiming to balance innovation with financial stability and customer protection. It introduces different categories of digital banks, calibrated business limitations, robust technology and governance requirements, a defined application timeline, and exit preparation requirements to manage failure risk.

What’s in the Framework: objectives and key provisions

The framework’s objective is to establish technology‑driven banking models that expand access, efficiency, and innovation while safeguarding system integrity and depositor interests. It should be read together with the Banking Law (Royal Decree 2/2025), the Central Bank of Oman Law (Royal Decree 3/2025), and the National Payment Systems Law (Royal Decree 8/2018), together with their regulations, circulars, and instructions. A “digital bank” is simply a licensed bank that operates through digital channels using modern technology.

Licenses are available to locally incorporated joint‑stock companies (SAOC/SAOG) and to branches of foreign banks subject to effective home supervision and joint supervision arrangements with the Central Bank of Oman (“CBO”). There are two license categories: Category 1 (a digital banking license to conduct banking business without limitations) with minimum paid‑up capital of OMR 30 million, and Category 2 (a digital banking license to conduct banking business with certain specified limitations) with minimum paid-up capital of OMR 10 million. Capital requirements for foreign branches is set by the Governor at their discretion. Category 2 limitations include concentration caps on single‑customer deposits and government‑related deposits, a ceiling on lending to large corporates at 40% of the portfolio, and a prohibition on proprietary trading; the first two years exempt certain limits to support ramp‑up. Digital banks must meet capital and liquidity requirements applicable to licensed banks, and observe progressive Omanisation targets reaching 90% by Year 5.

Shareholding is constrained by existing banking rules, including 15% caps for individuals and related parties, 25% for incorporated bodies, and 35% for joint stock/holding companies, with cross‑ownership limits across banks. Fit‑and‑proper standards apply to shareholders, boards, and senior management, with proven financial and technology expertise required. Applicants must maintain a principal or registered office in Oman and may maintain physical offices for administration and customer engagement, but not transactional branches; agent banking requires prior approval.

A comprehensive business plan is required, covering financial inclusion, technology architecture, scalability, data protection, cloud/outsourcing governance, cyber resilience, risk management, ICAAP, talent planning, consumer complaint handling, and a clear path to profitability. Applicants must also submit ownership transparency, sanctions screening, and audited financials for significant shareholders or parent groups. The CBO assesses capital strength, innovation, risk and compliance capability, transformative technology, analytics, financial support, and Shariah expertise for Islamic models.

How it works and enforcement

The CBO will decide on a complete application within 90 days, with deemed approval if no decision is issued, while reserving rights to demand further information or reject incomplete or unsuitable submissions. Post in‑principle approval, applicants must complete establishment within one year unless extended.

Supervision and enforcement rely on the Banking Law, the National Payment Services Law, the laws on Anti-Money Laundering and Counter Terrorism Financing, and their implementing regulations, circulars, and instructions, and matters relating to enforcement can include financial consumer protection, cybersecurity, digital onboarding and e‑KYC, anti‑fraud, outsourcing and cloud rules; applicants may be required to appoint third‑party assessors for penetration testing, cybersecurity, and AML/CFT reviews. A distinctive feature is the mandatory exit plan, pre‑endorsed by the board, with quantitative triggers, customer continuity measures, funding sources, and periodic updates, enabling orderly wind‑down or transfer without CBO support. Non‑compliance may lead to compelled exit or license revocation.

Who’s affected

The framework directly affects prospective digital bank sponsors, shareholders, boards, and executives, who must satisfy fit‑and‑proper, capital, and governance criteria. Incumbent banks and foreign banking groups are impacted where they seek digital subsidiaries or branches, given capital calibration, cross‑ownership constraints, and joint supervision requirements. Vendors and fintech partners are implicated through stringent requirements for IT architecture, cloud, outsourcing, cyber readiness, and independent assessments. Customers and the broader market are stakeholders through financial inclusion objectives and consumer protection safeguards.

What it means in practice—and where disputes may arise

For businesses, the two‑tier model means choosing between faster market entry under Category 2 with portfolio constraints, and Category 1 with higher capital but broader scope; the two‑year exemption from selected Category 2 limits can inform phased growth plans. Corporate structures must account for shareholding caps and cross‑bank ownership limits, requiring careful syndication and investor alignment. Operating models must embed cloud and cybersecurity controls, zero‑trust principles, penetration testing, robust fraud defenses, and end‑to‑end digital onboarding compliant with e‑KYC. Physical presence without transactional branches necessitates strong digital service and a customer support hub capability.

Investors should expect rigorous CBO due diligence on capital sufficiency, technology readiness, ICS/ICAAP, and path‑to‑profitability; failure to reach sustainable thresholds may trigger exit plans, with potential value erosion or forced transfers. Dispute risks may arise over license denials or withdrawals, supervisory findings, enforcement actions, or obligations to implement exit plans, particularly where information accuracy, sanctions screening, or stakeholder suitability are contested. Contractual disputes with vendors may also intensify under stringent outsourcing and cloud compliance requirements and third‑party testing mandates.

What should businesses do now

Prospective applicants who are interested in tapping into the Oman market should align their capital strategy to the chosen license category, evidencing paid‑up capital and ongoing capital funds capacity consistent with prudential ratios and growth plans. They should finalize a robust business plan that demonstrably advances financial inclusion, defines target segments, product sets, and a credible profitability trajectory over five years, underpinned by ICAAP, risk appetite, and analytics‑driven customer insights. Technology programs should be audited against the framework’s expectations for scalable architecture, data protection, zero‑trust controls, PCI‑DSS or equivalent certifications, cyber threat detection and response, and business continuity and disaster recovery. Governance and people planning should document fit‑and‑proper compliance, board and management technology literacy, and workforce localization plans.

Applicants should map shareholding to regulatory caps, verify ultimate beneficial owners, complete sanctions due diligence, and collect five‑year audited financials for significant shareholders or parent groups. They should design a customer support model centered on the principal or registered office and any permitted physical offices for inquiries and complaints, avoiding transactional branches, and seek prior approval for agent arrangements as needed. Finally, they should prepare a board‑endorsed exit plan with quantitative triggers, customer continuity, funding sources, and annual review procedures, to ensure orderly resolution if business viability falls below thresholds.