UAE Central Bank bans WhatsApp and instant messaging for customer communications
UAE Central Bank orders financial firms to stop using WhatsApp and messaging apps for customer communications; firms must report changes by April 30, 2026.
The UAE Central Bank has ordered all licensed financial institutions to cease using WhatsApp and other instant messaging platforms for communications with customers, citing consumer protection and data-security concerns. The directive, issued in circular 2058/2026, affects banks, insurers, exchange houses and finance companies and requires firms to submit updates on remedial actions by April 30, 2026. Financial institutions have already begun notifying clients by SMS, email and app alerts about the change and the move to regulated channels.
Scope of the Central Bank directive
The circular applies to every licensed financial entity operating under the UAE’s consumer protection framework, including commercial banks, insurance firms, money exchanges and finance companies. The Central Bank explicitly characterises WhatsApp and similar platforms as instant-messaging services that are now prohibited as channels for delivering financial services or for sharing customer data. All interactions that initiate, process, confirm or execute financial transactions via these apps are included in the ban.
Regulatory intent and data residency requirements
The Central Bank said the step aims to strengthen consumer protection and safeguard the reputation of the UAE financial sector. Institutions must provide secure, confidential service channels and retain all customer and transaction data within the UAE in accordance with existing laws and notifications. The rule underscores that data processing, storage or backup outside UAE borders, or routing through foreign jurisdictions, is unacceptable when it compromises control over records or access by local authorities.
Prohibited uses of messaging platforms
The regulator set out a wide range of prohibited activities on instant-messaging platforms, including requesting, receiving, sharing or sending customer data. Financial firms may not use these apps to initiate or complete payments, set up beneficiaries, pay bills, send card instructions, open or close accounts, or process loan and credit instructions. Authentication and security actions, such as one-time passwords, PINs, verification codes and approvals, are also banned from being delivered through these channels.
Risks cited by the Central Bank
The Central Bank highlighted multiple risks associated with using unsecured messaging platforms for financial services. These include fraud, identity theft, account takeover, social-engineering attacks and weak customer authentication. The regulator also pointed to potential unauthorised disclosures, screen captures, uncontrolled storage, and the risk that service providers or foreign authorities might access customer information if data are held or routed outside the UAE.
Operational requirements and immediate actions for firms
Firms are required to immediately stop launching any new engagements, services or transactions that rely on instant-messaging platforms for customer interactions. The circular clarifies that the use of virtual private networks (VPNs) or similar tools does not remove the regulator’s obligations. Each financial institution must identify any existing use that conflicts with the notice, halt it immediately, and submit a remedial update to the Central Bank by April 30, 2026 detailing the corrective steps taken.
Supervisory measures and possible penalties
The Central Bank warned that failure to comply could result in supervisory, administrative or financial penalties at the regulator’s discretion. The notice makes clear that institutions must migrate customers to approved, monitored channels that meet governance, record-keeping and incident-response standards. The regulator also emphasised that firms must maintain adequate audit trails and be prepared to demonstrate compliance during supervision or investigations.
Customer notifications and what consumers should expect
Several banks have already sent messages through SMS, email and mobile-app notifications informing customers of the ban and directing them to official channels for services. Customers should expect routine communications to shift to bank-authorised digital platforms, branches, official call centres or other regulated interfaces. The Central Bank urged firms to ensure smooth transitions for consumers and to provide clear guidance about which channels are official and safe.
The move signals a tightening of operational and data-protection expectations across the UAE financial sector, and it will require firms to accelerate migration to approved platforms and strengthen internal controls. Customers are advised to follow official communications from their bank or insurer and to avoid sharing sensitive financial information through informal messaging services.
