The UAE's Central Bank has directed all licensed financial institutions to cease using instant messaging platforms for financial services or customer data collection.
The regulator has set a compliance deadline of 30 April 2026, after which non-compliant institutions may face supervisory action or financial sanctions.
The directive applies to all institutions governed under the Consumer Protection Regulation and Standards, covering banking transactions, customer communications, and data handling.
Risks driving the prohibition
The CBUAE identified a pattern of increasing reliance on consumer messaging applications as service channels, citing several categories of risk that prompted the ban. These include fraud, impersonation, account takeovers, and social engineering attacks, as well as concerns over the confidentiality of sensitive customer data.
A particular concern is data residency. The regulator noted that customer information transmitted via these platforms may be processed or stored outside the UAE, in potential violation of regulations requiring all consumer and transaction data to remain within the country. The directive explicitly states that the use of VPNs or similar tools does not exempt institutions from these requirements.
Scope of the ban
Under the directive, financial institutions are prohibited from using messaging applications to request or share customer data, initiate or confirm transactions (including transfers, payments, credit or loan instructions, and account changes), send authentication details such as passwords, PINs, or one-time passwords, or exchange documents containing personal or financial information.
Institutions are required to identify and shut down all existing use cases, halt any new services launched via messaging platforms, and migrate customers to regulated and controlled channels. Approved alternatives include mobile banking applications, online platforms, call centres, and physical branches.
Internal controls must also be reinforced, including staff training and monitoring systems to prevent further use of non-approved messaging channels.
Compliance timeline and enforcement
All banks and licensed financial institutions must confirm compliance and outline corrective measures taken by 30 April 2026. The CBUAE indicated that failure to comply may result in supervisory action or financial sanctions, underscoring the regulatory seriousness with which it regards the use of informal communication tools in financial services.
The move reflects a broader regulatory effort to ensure that the UAE's financial sector maintains what the central bank described as a safe, secure, and confidential environment for customers. As digital banking adoption has grown across the Gulf region, regulators have faced mounting pressure to formalise data governance and channel security standards in line with international norms. The UAE's directive follows similar efforts globally to draw clearer boundaries between consumer-facing communication tools and regulated financial infrastructure.
