Telemarketing rules set for UAE financial institutions

The new rules focus on the increasing use by UAE financial institutions of AI and automated dialling technologies – robocalling – for telemarketing. Where financial institutions use automated dialling equipment, they must ensure customers are connected to calls within two seconds of a customer answering. They must also disconnect unanswered calls within 15 seconds or four rings and only use equipment capable of generating relevant statistics for monitoring and compliance purposes.

The regulations identify the increasing use of AI and note that the use of AI for telemarketing will be subject to applicable laws and regulations governing the use of AI in the UAE. The regulations specifically require that customers have the choice between speaking with ‘natural’ – human – agents, robocalls or contact via AI-based agents.

The rules are contained in a telemarketing regulation issued by the UAE Central Bank in February and published in the UAE’s Official Gazette on 31 March. While the rules took effect on that date, financial institutions licensed to operate in the UAE have until 29 June 2026 to “implement all necessary measures and arrangements to comply” with the new requirements before they are enforced.

The telemarketing regulation applies to all marketing, advertising or promotion of products or services that licensed financial institutions in the UAE might wish to undertake, whether via calls, text messages or social media. The regulation’s scope extends to group companies of UAE financial institutions that are located outside the UAE, which gives the regulation a degree of extra-territorial effect.

The regulation requires institutions to obtain board-level written approval for telemarketing activities and ensure that their telemarketers complete at least 15 hours’ worth of training on matters including ethical principles, data protection and privacy.

Telemarketing to customers is only permitted where those customers have given their prior express consent to being contacted. The rules require a degree of granularity to what institutions ask for consent to.         Consent needs to indicate what language the customer prefers to receive marketing messages in and what channels they give permission to be contacted via, as well as the types of products and/or services they wish to receive telemarketing about.

The rules further require institutions to ensure that the terms and conditions customers are asked to agree to in relation to consent are “clear, direct, unambiguous, readily understandable, and provided in the customer’s preferred language”.

Customers have a right to withdraw consent they have given and can add their numbers to a ‘do not call’ registry, to which telemarketers must cross-refer to avoid contacting customers listed.

Dubai-based technology law expert Martin Hayward of Pinsent Masons said: “Telemarketing consent requirements have long existed, under the Central Bank consumer protection regulations and elsewhere, but this regulation fundamentally raises the bar. Financial institutions now need granular consent, down to language, channel, product type and whether AI agents are used, and need to be able to report on meeting these consent requirements. That’s a significant step forward.”

The rules further restrict how often financial institutions can call customers and the times of day they can do so. Telemarketing calls are restricted to between 9am and 6pm and to no more than once per day and twice per week per customer.

Marie Chowdhry, who specialises in financial regulation and fintech at Pinsent Masons in Dubai, said: “Under the old regime, telemarketing was largely regulated through general consumer protection and data rules. What’s changed now is explicit regulatory recognition of AI-driven marketing; with clear constraints around speed of connection, abandoned calls and monitoring.”

“Automation may be efficient, but the Central Bank is making it clear that the use of technology cannot come at the expense of customer experience or accountability,” she added.

Among other requirements, the regulation stipulates requirements around customer disclosures, complaint-handling, regulatory reporting, and record-keeping – with financial institutions obliged to maintain a comprehensive log of their telemarketing activities and store the information for at least five years. Financial institutions must undertake annual audits on their regulatory compliance and ensure that all data use complies with applicable data protection laws.

The new telemarketing regulatory framework also makes clear that institutions cannot use outsourcing arrangements to dilute their regulatory obligations. Financial institutions remain responsible for any outsourced telemarketing activities and third-party telemarketers also need to comply with the telemarketing regulatory requirements.