The CBUAE has ordered all licensed financial institutions to stop using consumer-grade messaging platforms, citing fraud, data residency and customer protection risks
The Central Bank of the UAE (CBUAE) has ordered all licensed financial institutions to stop using WhatsApp and other instant messaging platforms for financial services and customer communications, in a directive seen by Khaleej Times.
Issued on 17 April under reference CBUAE/MCS/2026/2058, the circular covers banks, insurers, exchange houses and finance companies, and requires full compliance by 30 April (today). Non-compliance could result in supervisory action or financial sanctions.
Under the directive, institutions are prohibited from using messaging apps to request or share customer data, initiate or confirm transactions, send authentication credentials including passwords, PINs or one-time passwords, or exchange documents containing personal or financial information. The CBUAE confirmed that VPN use does not exempt institutions from the requirements.
UAE: Addressing a mounting fraud problem?
The directive lands against a backdrop of sharply rising fraud losses across UAE financial institutions. A survey published by BioCatch in April 2026 found that 58% of fraud management, AML and compliance leaders at UAE banks reported increasing fraud losses at their institution, while 62% estimated their organisation’s annual fraud losses exceeded AED18.3m ($5m).
Nearly all – 95% – of those surveyed identified social media micro-scams as a growing detection and reporting challenge, representing a particular concern for cases involving expatriate customers without long local banking histories.
The CBUAE said it had identified that messaging platforms were increasingly being used as informal service channels, exposing customers to fraud, impersonation, account takeovers and social engineering attacks.
It also flagged data residency concerns, noting that information transmitted via such platforms could be processed or stored outside the UAE in breach of data localisation requirements.
Part of a broader regulatory push
The messaging ban is not the CBUAE’s first move in this direction. In May 2025, the regulator issued a separate directive requiring all licensed financial institutions to phase out SMS and email one-time passwords by March 2026, replacing them with biometric and app-based authentication.
By 2025, the UAE had become the second most targeted country in the Middle East for cyberattacks, accounting for 12% of all attacks in the region.
The April directive goes further, closing off consumer-grade messaging platforms entirely as a channel for regulated financial activity. The CBUAE has maintained a strong enforcement posture throughout this period, issuing significant financial penalties totalling AED339m in the first half of 2025 alone, including a AED200m fine on an exchange house for AML compliance failures.
Institutions told to migrate customers
Institutions have already been instructed to halt new deployments, shut down existing use cases and migrate customers to approved channels including mobile banking apps, online portals, call centres and physical branches, while strengthening internal controls and staff training.
Marie Chowdhry, Partner at Pinsent Masons in Dubai, said the directive reinforced rather than introduced regulatory expectations. “The CBUAE’s notice is a decisive reminder that informal communication channels are fundamentally incompatible with regulated financial services,” she said.
“Financial institutions should treat this as a signal that long-standing regulatory expectations are now being actively tested in practice.”
Associate at Pinsent Masons, Lana Akkad, added that the operational challenge for some institutions would be considerable. “This will require banks to move quickly to audit behaviours, retrain staff and ensure that customer communications are routed through channels that meet regulatory standards for confidentiality, auditability and data localisation,” she said.
“Firms that have already invested in controlled digital channels will be better placed to comply, while others may face a more challenging transition within a short timeframe.”
