UAE prohibits banking transactions via messaging apps due to data concerns.

dominic

The UAE’s Central Bank has instructed all licensed financial institutions to stop using instant messaging platforms for financial services or customer data collection.

A compliance deadline of 30 April 2026 has been set, with non-compliant entities potentially facing supervisory action or financial sanctions.

The directive applies to all institutions governed under the Consumer Protection Regulation and Standards, and covers banking transactions, customer communications, and data management.

Risks Driving the Prohibition

The CBUAE has identified a growing reliance on consumer messaging applications as service channels. Risks associated with this practice include fraud, impersonation, account takeovers, and social engineering attacks. There are also concerns about the confidentiality of sensitive customer data.

A specific concern is data residency. The regulator points out that information transmitted via these platforms may be processed or stored outside the UAE, which could violate regulations requiring all consumer and transaction data to remain within the country. The directive explicitly states that the use of VPNs or similar tools does not relieve institutions from adhering to these requirements.

Scope of the Ban

Under the directive, financial institutions are barred from using messaging applications for requesting or sharing customer data, initiating or confirming transactions (such as transfers, payments, credit or loan instructions, and account changes), sending authentication details such as passwords, PINs, or one-time passwords, or exchanging documents containing personal or financial information.

Institutions must cease any existing use cases, discontinue new services launched via messaging platforms, and migrate customers to regulated and controlled channels. Approved alternatives include mobile banking applications, online platforms, call centres, and physical branches.

Internal controls need to be strengthened, including staff training and monitoring systems to prevent the continued use of non-approved messaging channels.

Compliance Timeline and Enforcement

All banks and licensed financial institutions must confirm compliance by 30 April 2026, outlining any corrective measures taken. The CBUAE warns that failure to comply may result in supervisory action or financial sanctions.

This move aligns with broader efforts by regulators to maintain a safe, secure, and confidential environment for customers within the UAE’s financial sector. As digital banking adoption has increased across the Gulf region, there has been growing pressure on regulators to formalize data governance and channel security standards in line with international norms.
