UAE Central Bank Bans WhatsApp for Banking Services Over Security Concerns
The Central Bank of the UAE (CBUAE) has instructed banks and licensed financial institutions across the country to stop using WhatsApp and other instant messaging platforms for delivering financial services or collecting customer information.
According to reporting cited by Khaleej Times, the regulator’s directive is intended to strengthen consumer protection and uphold data security standards across the UAE’s financial system. The measure applies to institutions regulated under the Consumer Protection Regulation and Standards, including their banking transactions, customer communications, and data handling practices.
The central bank said the growing use of messaging applications as service channels has introduced a range of risks. These include fraud, impersonation, account takeover attempts, and social engineering attacks. The regulator also highlighted the potential for confidentiality breaches, unauthorized storage or disclosure of sensitive customer data, and data residency concerns, particularly where third-party service providers may process or store information outside the UAE.
What Banks Are No Longer Allowed to Do
Under the directive, financial institutions must not request or share customer information through messaging apps. They are also prohibited from initiating or confirming transactions through these platforms, including transfers, payments, credit or loan instructions, dispute handling, and account changes.
The ban further extends to the exchange of authentication details such as passwords, PINs, and one-time passwords. Institutions are also barred from sharing documents that contain personal or financial information via messaging applications.
The CBUAE stated that the use of VPNs or similar tools does not exempt institutions from compliance. Banks and financial institutions must also refrain from launching new services through messaging platforms.
Transition to Approved Communication Channels
The directive requires institutions to review existing use cases and discontinue any current reliance on instant messaging platforms for banking-related activity. Customers must be moved to approved channels such as mobile banking applications, online banking platforms, call centres, or branch services.
In addition, the central bank has called for stronger internal controls, including employee training and monitoring, to ensure messaging apps are no longer used for prohibited activities. Institutions must confirm compliance and submit corrective action plans by 30 April 2026. Non-compliance may result in supervisory measures or financial penalties.
Industry Analysis
The decision reflects a broader regulatory shift toward tighter control of customer communication in financial services, especially as digital channels expand. While messaging apps offer convenience, they can also create vulnerabilities if used outside secure, controlled environments. For banks in the UAE, the directive is likely to accelerate investment in regulated digital banking channels, customer service infrastructure, and staff compliance training. It also signals that regulators are placing greater emphasis on data protection, operational discipline, and the secure handling of customer information in an increasingly digital financial landscape.
