UAE bans banks from using WhatsApp for financial services, customer data
The Central Bank of UAE (CBUAE) has instructed directed all banks and licensed financial institutions in the country to immediately stop using instant messaging platforms such as Whatsapp to deliver financial services or collect customer information.
In a notice issued to the sector seen by Khaleej Times, the regulator said the move is aimed at strengthening consumer protection and maintaining high standards of data security across the UAE’s financial system.
The directive applies to all licensed institutions governed under the Consumer Protection Regulation and Standards, and covers a wide range of services including banking transactions, customer communication and data handling.
Stay up to date with the latest news. Follow KT on WhatsApp Channels
According to the Central Bank, it had identified that instant messaging applications were increasingly being used as service channels, raising multiple risks. These include fraud, impersonation, account takeovers and social engineering attacks, as well as concerns over confidentiality and the potential for “unauthorised discolusure” or storage of sensitive customer data.
It also flagged risks related to “data residency”, noting that customer information transmitted such platforms could be processed or stored outside the UAE, in violation of regulations requiring all consumer and transaction data to remain within the country.
Immediate compliance
Under the new directive, financial institutions are barred from using messaging apps to:
Request or share customer data and information
Initiate or confirm transactions such as transfers, payments, credit or loan instructions, disputes or account changes
Send authentication details including passwords, PINs or one-time passwords
Exchange documents containing customers’ personal or financial information.
The central bank stressed that the use of VPNs or similar tools does not exempt institutions from these requirements. Banks and financial institutions have been instructed to:
Stop launching any new services using messaging apps
Identify and shut down existing use cases
Shift customers to approved, controlled channels such as mobile banking apps, online platforms, call centres or branches
Strengthen internal controls, including staff training and monitoring to stop further such use of messaging systems.
Institutions must confirm compliance and outline corrective measures taken by April 30, 2026. Non compliance can leader to supervisory action or financial sanctions.
The Central Bank said the measures are necessary to ensure financial institutions provide a “safe, secure and confidential environment” for customers and to safeguard the integrity of the UAE’s financial sector.
