CBUAE prohibits regulated financial institutions from using instant messaging platforms for customer transactions

The Central Bank of the UAE (CBUAE) has ordered all licenced financial institutions in the country to stop using WhatsApp, Telegram and similar platforms over concerns consumer-grade messaging systems offer unacceptable risks to customer security.

Financial institutions operating in the UAE must move customers from consumer-grade platforms onto more compliant communication networks, including mobile banking apps, online banking portals, recorded call centres and physical branches. They must also confirm what remediation and governance improvements they have made.

Marie Chowdhry, a financial regulation expert with Pinsent Masons in Dubai, said the warning highlighted the CBUAE's efforts to improve security and record-keeping for consumers in the UAE.

"The CBUAE's notice is a decisive reminder that informal communication channels are fundamentally incompatible with regulated financial services," she said.

"While instant messaging has become operationally convenient, particularly in relationship based banking models, it raises serious issues around data residency, record keeping and supervisory oversight.

"What is significant about this intervention is that it does not introduce new regulatory concepts. Instead, it reinforces existing consumer protection and governance standards more strictly and with immediate effect. Financial institutions should treat this as a signal that long standing regulatory expectations are now being actively tested in practice."

The ruling means financial institutions operating across the UAE will no longer be able to use the platforms for sending or receiving customer information - including statements and security verifications such as one-time passwords or PIN numbers - even if they are employing VPNs while doing so.

Failure to comply with these requirements after the end of the month could result in enforcement action, the CBUAE has warned, as it looks to move towards stricter supervisory enforcement of consumer protection, data residency and record keeping expectations.

Lana Akkad, who specialises in financial regulation with Pinsent Masons in Dubai, added that licenced financial institutions in the UAE need to act quickly to avoid breaching the new instructions.

"From an organisational perspective, this will require banks to move quickly to audit behaviours, retrain staff and ensure that customer communications are routed through channels that meet regulatory standards for confidentiality, auditability and data localisation." she explained.

"Firms that have already invested in controlled digital channels will be better placed to comply, while others may face a more challenging transition within a short timeframe."