The Central Bank of the UAE has issued Circular No. 2058/2026, introducing significant regulatory measures governing the use of instant messaging applications, including WhatsApp, within the financial services sector. This circular forms part of the Central Bank’s ongoing efforts to enhance consumer protection, safeguard data privacy, and uphold the integrity and reputation of the financial system in the United Arab Emirates.
Scope of Application:
The circular mandates that all licensed financial institutions, including banks, insurance companies, exchange houses, and finance companies, must cease the use of instant messaging platforms as channels for communicating with customers in relation to financial services. This prohibition extends to any interaction involving the provision of financial services, the execution or confirmation of transactions, or the exchange of customer data and information. The directive reflects the regulator’s position that such platforms do not meet the required standards of security, control, and auditability necessary for regulated financial activities.
Prohibited Activities and Use Cases:
In particular, the Central Bank has expressly prohibited the use of instant messaging applications for requesting, receiving, transmitting, or sharing customer data or information, as well as for initiating, processing, executing, or confirming financial transactions. This includes, but is not limited to, payments, transfers, beneficiary setup, bill payments, card instructions, account opening or closure, credit or loan instructions, and the handling of disputes involving customer data. Furthermore, such platforms may not be used for authentication or security-related purposes, including the transmission of one-time passwords, personal identification numbers, verification codes, security questions, approvals, or any supporting documentation such as identification records, account statements, or forms.
Application Across Technologies and Access Methods:
The Central Bank has clarified that these restrictions apply irrespective of the method of access to such applications, including mobile devices, desktop applications, web-based platforms, or the use of virtual private networks or similar technologies. The use of such tools does not mitigate or alter the regulatory obligations imposed under the circular.
Regulatory Rationale and Risk Considerations:
The rationale for these measures is grounded in the material risks identified by the Central Bank in connection with the use of instant messaging platforms. These risks include, among others, fraud, identity theft, account takeover, and social engineering, as well as challenges relating to the robustness of customer authentication and the non-repudiation of transactions. Additional concerns relate to the confidentiality and protection of customer data, including unauthorized disclosure, uncontrolled forwarding, screen capturing, and unregulated storage of sensitive information. The Central Bank has also emphasized risks associated with data localization, including the potential for customer data to be processed, routed, backed up, or stored outside the United Arab Emirates, as well as issues relating to foreign jurisdictional access, record-keeping, auditability, and incident response capabilities, all of which may impair an institution’s ability to comply with governance and regulatory requirements.
Compliance Obligations and Timeline:
Licensed financial institutions are required to take immediate action to identify and discontinue any existing use of instant messaging applications that contravenes the provisions of the circular. They must refrain from initiating any new customer interactions or services through such platforms and are obligated to provide the Central Bank with updates regarding the remedial actions undertaken to achieve compliance. The deadline for full compliance and submission of updates has been set as 30 April 2026.
Enforcement and Regulatory Consequences:
Failure to comply with the requirements of Circular No. 2058/2026 may result in supervisory or administrative measures being imposed by the Central Bank, including the application of financial penalties, in accordance with applicable laws and regulations.
Implications for Customers and General Public:
It is important to note that this circular is directed exclusively at licensed financial institutions and does not impose any restrictions on the personal use of instant messaging applications by individuals. Customers may continue to use such applications for personal communication; however, they should expect that financial institutions will no longer engage with them through these platforms for regulated financial activities.
Conclusion
This regulatory development underscores the Central Bank’s commitment to ensuring that all financial communications and transactions are conducted through secure, controlled, and auditable channels, thereby reinforcing trust, stability, and compliance within the UAE financial sector.
Note: This Legal Update / Newsletter is intended for general informational purposes only and should not be construed as legal advice. It is based on laws and legal interpretations in effect as of the date of publication. Laws and regulations may change over time, and their application can vary depending on individual circumstances. Readers are strongly encouraged to seek specific legal counsel before acting on any of the information provided herein.

