The Central Bank of the UAE (CBUAE) has issued a sweeping directive instructing all banks and licensed financial institutions to cease using instant messaging platforms like WhatsApp for providing financial services or collecting customer data. The move is a significant step to reinforce consumer protection and heighten data security standards across the country’s financial ecosystem.
Quick Facts
- Ban on instant messaging for all financial services.
- Targets fraud, impersonation, and data security risks.
- Institutions must ensure full compliance by April 30, 2026.
A Proactive Move Against Rising Digital Threats
The CBUAE’s decision comes as banks and financial institutions increasingly adopted messaging apps as convenient service channels. However, the regulator identified that this practice exposed customers to substantial risks, including fraud, impersonation, account takeovers, and sophisticated social engineering attacks.
Beyond direct fraud, the central bank highlighted critical concerns around confidentiality breaches and the unauthorized disclosure of sensitive customer data. A key issue addressed is data residency, where third-party messaging platforms might process or store customer information on servers located outside the UAE, creating regulatory and privacy complications.
What’s Off-Limits for Financial Institutions?
The directive is comprehensive, outlining specific prohibited activities on messaging platforms. Institutions are now barred from requesting or sharing any customer information. Furthermore, they cannot initiate or confirm any transactions, such as fund transfers, payments, or credit instructions.
The ban also extends to sending authentication details like passwords, PINs, or one-time passwords (OTPs). The exchange of any documents containing personal or financial data is strictly forbidden. The CBUAE clarified that using VPNs or similar tools does not exempt any institution from these compliance requirements.
The Path to Compliance and a 2026 Deadline
Financial institutions must immediately halt the launch of any new services via messaging platforms. The directive mandates that they identify and systematically discontinue all existing use cases, actively migrating customers to approved and secure channels. These include official mobile banking applications, online banking platforms, call centres, and physical branches.
To ensure the new rules are followed, institutions are required to strengthen internal controls, which includes comprehensive staff training and active monitoring. The CBUAE has set a deadline of April 30, 2026, for all institutions to confirm compliance and submit their corrective action plans. Non-compliance could result in supervisory action or significant financial penalties.
About the Central Bank of the UAE
The Central Bank of the UAE (CBUAE) is the primary regulatory authority for the country’s banking and financial sector. It is responsible for promoting monetary and financial stability, managing foreign reserves, and overseeing the licensing and supervision of all financial institutions operating within the UAE to ensure a secure and efficient financial system.
Source: Fintech News AE
