The Central Bank of the United Arab Emirates cited fraud and data security risks, giving banks and licensed financial institutions until April 30 to comply.
The Central Bank of the United Arab Emirates (CBUAE) has directed all banks and licensed financial institutions in the country to immediately stop using instant messaging platforms such as WhatsApp to deliver financial services or collect customer information.
In a notice issued to the sector and seen by Khaleej Times, the regulator said the move is aimed at strengthening consumer protection and maintaining high standards of data security across the UAE’s financial system.
The directive applies to all licensed institutions governed under the Consumer Protection Regulation and Standards and covers a wide range of services, including banking transactions, customer communication, and customer data handling.
According to the Central Bank of the United Arab Emirates, instant messaging applications were increasingly being used as service channels, creating multiple risks. These include fraud, impersonation, account takeovers, and social engineering attacks, along with concerns over confidentiality and the potential for unauthorised disclosure or storage of sensitive customer data.
The regulator also flagged data residency risks, noting that customer information transmitted through such platforms could be processed or stored outside the United Arab Emirates, potentially violating regulations that require all consumer and transaction data to remain within the country.
Immediate compliance
Under the new directive, financial institutions are barred from using messaging apps such as WhatsApp to:
- Request or share customer data and information
- Initiate or confirm transactions such as transfers, payments, credit or loan instructions, disputes, or account changes
- Send authentication details including passwords, PINs, or one-time passwords
- Exchange documents containing customers’ personal or financial information
The Central Bank stressed that the use of VPNs or similar tools does not exempt institutions from these requirements.
Banks and financial institutions have been instructed to:
- Stop launching any new services using messaging apps
- Identify and shut down existing use cases
- Shift customers to approved, controlled channels such as mobile banking apps, online platforms, call centres, or branches
- Strengthen internal controls, including staff training and monitoring, to prevent further misuse of messaging systems
Institutions must confirm compliance and outline corrective measures taken by April 30, 2026. Non-compliance could lead to supervisory action or financial sanctions.
The Central Bank of the United Arab Emirates said these measures are necessary to ensure financial institutions provide a safe, secure, and confidential environment for customers and to protect the integrity of the UAE’s financial sector.
