UAE Bars Banks From Using WhatsApp For Financial Services, Customer Data Exchange
Central Bank sets April 30 deadline, citing rising fraud, data security and cross-border storage risks.
Staff WriterApr 22, 2026, 11:48 AMThe Central Bank of the UAE (CBUAE) has directed all banks and licensed financial institutions to immediately stop using instant messaging platforms such as WhatsApp to offer financial services or collect customer information.
In a notice circulated to the sector, the regulator said the move is aimed at strengthening consumer protection and ensuring robust data security standards across the country’s financial system.
The directive applies to all institutions governed under the Consumer Protection Regulation and Standards, covering services ranging from customer communication to transactions and data handling.
The Central Bank flagged growing concerns over the use of messaging apps as service channels, highlighting risks such as fraud, impersonation, account takeovers and social engineering attacks. It also raised issues around confidentiality and the potential unauthorised disclosure or storage of sensitive customer data.
A key concern relates to data residency, with the regulator noting that information shared عبر such platforms could be processed or stored outside the UAE, breaching rules that require customer and transaction data to remain within the country.
Immediate Compliance Required
Under the directive, financial institutions are prohibited from using messaging apps to:
- Request or share customer information
- Initiate or confirm transactions, including transfers, payments, loans or account changes
- Send authentication details such as passwords, PINs or one-time passwords
- Exchange documents containing personal or financial data
The Central Bank clarified that the use of VPNs or similar tools does not exempt institutions from compliance.
Banks have been instructed to halt any new services on such platforms, shut down existing use cases, and migrate customers to approved channels such as mobile banking apps, online platforms, call centres or physical branches.
They must also strengthen internal controls, including staff training and monitoring, to prevent further use of unauthorised communication channels.
All institutions are required to confirm compliance and detail corrective measures by April 30, 2026. Failure to comply could result in supervisory action or financial penalties.
The Central Bank said the directive is essential to ensure a “safe, secure and confidential environment” for customers and to protect the integrity of the UAE’s financial sector.
For any enquiries or information, contact ask@tlr.ae or call us on +971 52 644 3004. Follow The Law Reporters on WhatsApp Channels.