On 17 April 2026, the Central Bank of the UAE issued Notice CBUAE/MCS/2026/2058, instructing every Licensed Financial Institution in the country to immediately discontinue the use of WhatsApp and similar instant messaging applications as a channel for delivering financial services or sharing customer data.
Confirmation of remediation was due by 30 April 2026. A 13-day window. Non-compliance can trigger supervisory action, administrative measures, and financial sanctions.
This article is the first in a three-part briefing for UAE financial institutions on what the directive means, what it doesn't, and how to operate compliantly going forward. We start with the basics: what the notice actually says.
The notice at a glance
| Reference | CBUAE/MCS/2026/2058 |
|---|---|
| Date | 17 April 2026 |
| Title | Instant Messaging Applications |
| Signed by | Ahmed Saeed Al Qamzi, Assistant Governor for Banking and Insurance Supervision |
| Classification | Restricted |
| Addressees | All Licensed Financial Institutions |
| Compliance deadline | 30 April 2026 |
| Reporting channel | marketconductsupervision@cbuae.gov.ae |
Who is in scope
The notice is addressed to all CBUAE-Licensed Financial Institutions. In practice that covers:
- Commercial banks and Islamic banks
- Foreign bank branches operating in the UAE
- Insurance companies, takaful operators and insurance brokers (the Insurance Authority merged into the CBUAE in 2020, bringing all licensed insurers under direct CBUAE supervision)
- Finance companies and microfinance providers
- Exchange houses
- Payment service providers and stored-value facility operators
- Any other entity operating under a CBUAE licence
DIFC and ADGM-licensed firms are regulated by DFSA and FSRA respectively and are therefore outside the direct scope of this notice — but the supervisory direction it signals is consistent with what financial-conduct regulators globally are pushing toward.
What "instant messaging applications" means
The notice defines instant messaging applications broadly: platforms primarily designed for real-time chat and exchange of content by text, voice, video, or files. This includes:
- WhatsApp Messenger (the consumer app and WhatsApp Business app on personal phones)
- Telegram, Signal, Viber, Facebook Messenger, Instagram Direct
- iMessage and other consumer-grade messaging services
The prohibition applies regardless of how the application is accessed — mobile app, desktop app, web version, or via VPN. The CBUAE specifically closes the VPN loophole: routing traffic through a VPN does not change the regulatory obligations.
What is prohibited
The notice prohibits Licensed Financial Institutions from using instant messaging applications for the following activities.
1. Handling customer data and information
Institutions may not request, receive, share, or transmit any customer data through messaging apps, including Emirates ID copies, account numbers, policy numbers, claims documents, banking details, medical information, or any other personal data.
2. Initiating or processing transactions
Institutions may not initiate, process, execute, or confirm transactions through messaging apps. This explicitly covers:
- Payments and transfers
- Beneficiary set-up
- Bill payments
- Card instructions (activation, blocking, replacement)
- Account opening or closure
- Credit and loan instructions
- Dispute handling
3. Authentication and security
Institutions may not use messaging apps for authentication or security steps, including:
- One-time passwords (OTPs)
- Passwords, PINs, verification codes
- Security questions or approvals
- Sending screenshots, statements, IDs, forms, or any attachments containing customer information
The prohibition is broad and unambiguous. If a customer interaction involves their personal data, money, or identity, it cannot happen on WhatsApp.
The risks the CBUAE identified
The notice cites four risk clusters that drove the directive:
Fraud and impersonation. Account takeover, social engineering, and SIM-swap attacks. The channel itself is not a strong authentication factor — phone numbers can be hijacked, devices cloned, and accounts impersonated.
Confidentiality breaches. Unauthorised disclosure, message forwarding, screen capture, and uncontrolled storage of customer information. These risks are endemic to consumer messaging apps and cannot be controlled at the regulated entity's level.
Data residency. Customer data routed, processed, backed up, or stored outside the UAE — which directly conflicts with the requirement that all consumer and transaction data must be held within the country.
Account monitoring and audit gaps. Limited record-keeping, weak auditability, and incident response challenges that prevent financial institutions from meeting their governance and supervisory obligations.
This is not a new rule
What's striking about the notice is that it doesn't create new regulatory concepts. It enforces obligations that have been on the books since 2021.
The Consumer Protection Standards (Notice CBUAE/BSD/N/2021/1158), issued in February 2021, already required:
Article 6.1.1.4: "Licensed Financial Institution must provide a safe, secure and confidential environment in all of its delivery channels to ensure a high level of confidentiality and privacy of Personal Data."
Article 6.1.6.3: "All Licensed Financial Institutions must hold and store all Consumer and transaction Data within the UAE as prescribed by the Central Bank."
These standards form part of the Consumer Protection Regulation (Circular 8/2020) — the foundational consumer-protection framework for the UAE financial sector.
The April 2026 notice is, in effect, a supervisory clarification: WhatsApp and similar consumer messaging apps cannot satisfy these existing obligations, and therefore cannot be used as a delivery channel for regulated activities. The standards haven't changed. The enforcement intensity has.
This pattern — reinforcing existing rules rather than introducing new ones — is consistent with what UAE financial regulation experts have noted publicly:
"The CBUAE's notice is a decisive reminder that informal communication channels are fundamentally incompatible with regulated financial services."
Marie Chowdhry, Partner at Pinsent Masons in Dubai, writing in Out-Law
Where this sits in CBUAE's enforcement arc
The April 2026 notice is the latest move in a clearly tightening posture:
- May 2025 — OTP phase-out: CBUAE Notice 2025/3057 mandated the phase-out of SMS and email OTPs by 31 March 2026, replacing them with biometric and app-based authentication. The UAE's mandate is the most far-reaching action of its kind globally on consumer-grade authentication for financial services.
- 2025 — record fines: AED 339 million in penalties levied by the CBUAE in 2025, including a single AED 200 million fine on an exchange house for AML/CFT failures.
- September 2025 — new CBUAE Law: Federal Decree-Law No. 6 of 2025 raised the maximum administrative fine to AED 1 billion, raised individual fines to AED 5 million, introduced explicit fraud-prevention obligations, and extended the licensing perimeter to technology service providers facilitating financial activities.
- April 2026 — this notice: the instant-messaging prohibition.
Read together, these moves describe a CBUAE that is moving from prudential oversight toward active conduct supervision — closing channels that cannot be governed and raising the cost of non-compliance.
What financial institutions must do
The notice sets out a minimum set of actions:
- Cease new launches. Stop launching any new customer interactions, services, or transaction flows that rely on instant messaging.
- Identify and stop existing prohibited use cases. Audit current usage, disable prohibited interactions, and migrate customers to controlled channels — the institution's mobile app, online banking, recorded call centre, or branch.
- Implement internal controls. Policies, training, and monitoring designed to prevent re-introduction of prohibited use cases.
- Align governance. Ensure outsourcing, data management, consumer protection, and fraud governance frameworks reflect the new perimeter.
- Confirm to CBUAE. Each institution must report the actions taken to marketconductsupervision@cbuae.gov.ae by 30 April 2026.
The deadline has passed. Institutions that have not yet reported should do so now and document the gap.
What the notice does not do
The notice does not prohibit WhatsApp entirely.
It prohibits the use of WhatsApp as a channel for the activities listed above — customer data exchange, transactions, authentication, document handling. Activities that fall outside the prohibited perimeter remain available, with appropriate controls in place. We will cover the permitted perimeter in detail in the second part of this series.
In other words: WhatsApp is no longer a banking channel in the UAE, but it remains a marketing, lead-capture, and routing channel — provided the architecture is right.
The global direction
The UAE is not alone in this direction. The US Securities and Exchange Commission and Commodity Futures Trading Commission have collected over US$3 billion in fines from over 100 financial firms since 2021 for off-channel communication failures. The UK FCA, EU regulators under MiFID II, Singapore's MAS, and Hong Kong's HKMA have all moved in parallel directions through different mechanisms — recordkeeping rules, consumer-liability shifts, supervisory reviews.
What makes the UAE's approach distinctive is the combination of two things at once:
- A prohibition on the channel for in-scope activities (most jurisdictions require recordkeeping but allow the channel)
- A strict in-country data residency overlay (most jurisdictions do not require this)
This combination makes the UAE notice one of the most stringent regulatory stances globally on consumer messaging in financial services — and it sets the supervisory tone for the rest of the GCC.
What comes next
The 30 April 2026 deadline has passed. Most major UAE banks and insurers have already issued customer notices and migrated their visible WhatsApp interactions to compliant channels. But the operational reality is messier — relationship managers using personal WhatsApp, broker channels for claim documents, lead-capture flows that quietly collect Emirates IDs, and chatbot integrations that were never designed with the new perimeter in mind.
The next two articles in this series cover:
- The permitted perimeter: what UAE financial institutions can still do on WhatsApp, where the line sits, and how to design customer journeys that respect it.
- The compliant architecture: what a properly governed WhatsApp channel for an FI looks like in practice — BSP selection, data residency, archival, DLP, and the handoff patterns that route regulated activity into controlled channels.
Summary
CBUAE Notice 2026/2058 is the most consequential supervisory directive on customer communications in the UAE financial sector since the Consumer Protection Regulation itself. It does not invent new obligations — it enforces existing ones with immediate effect.
For institutions that have already invested in controlled digital channels, compliance is largely an audit and documentation exercise. For institutions that built customer journeys on top of consumer WhatsApp, the work ahead is more substantial — and the cost of getting it wrong has just been raised to AED 1 billion.
The notice draws a clear line. Whether your institution sits comfortably on the right side of it depends on choices made before 17 April 2026, and choices to be made in the coming months.
Need a compliant WhatsApp architecture for your FI?
Zena is a Meta Business Solution Partner with UAE data residency, configurable controls for regulated industries, and handoff patterns built for the post-2058 perimeter. Part 3 of this series unpacks the architecture in detail.