CBUAE Notice 2026/2058 prohibits Licensed Financial Institutions from using WhatsApp and other instant messaging applications to deliver financial services or share customer data. It does not, however, prohibit WhatsApp entirely.
This is the part most internal compliance briefings underweight, and the part operating teams most need. The notice draws a line — not a wall. On one side of the line, regulated activity. On the other side, communication that does not touch customer data, transactions, or authentication.
This article maps the line in practice. We cover what is prohibited, what is permitted, and where the boundary cases sit — drawn directly from the text of the notice, the underlying Consumer Protection Standards, and the operational reality of running a customer-facing messaging channel.
The two perimeters
There are two perimeters to understand:
The Prohibited Perimeter — activities the notice explicitly forbids. Any WhatsApp interaction that crosses into this perimeter is a regulatory breach.
The Permitted Perimeter — activities that fall outside the prohibition and remain available, provided they are governed by appropriate controls.
The line between them runs through three triggers: customer data, transactions, and authentication. The moment a conversation requires any of these, it must move off WhatsApp and into a CBUAE-controlled channel.
What is prohibited
Three categories of activity are out of bounds, drawn directly from the notice.
1. Customer data and information
- Request Emirates ID, passport, residency visa, or any government ID
- Receive scans, screenshots, or photos of any identity document
- Share or transmit account numbers, IBANs, card numbers, policy numbers, claim numbers
- Discuss medical conditions, claim details, or any sensitive personal information
- Send statements, contracts, schedules, or any document containing customer information
- Receive completed forms (KYC, claim forms, application forms)
2. Transactions
- Initiate, process, execute, or confirm any payment or transfer
- Set up beneficiaries or update payment instructions
- Process bill payments
- Issue card instructions (block, replace, activate, change PIN)
- Open or close accounts
- Issue credit or loan instructions, including approvals or rejections
- Handle disputes, chargebacks, or claim outcomes
3. Authentication and security
- Send OTPs, passwords, PINs, verification codes
- Ask security questions or seek security approvals via WhatsApp
- Send screenshots of OTPs, security tokens, or any authentication artefact
- Send any attachments containing customer information
- Use any pattern that, in effect, treats WhatsApp as an authentication factor
The prohibition is comprehensive. If the substance of the interaction requires customer data, money, or identity verification, WhatsApp is not the channel.
What is permitted
The notice prohibits use of instant messaging for the listed activities. It does not prohibit WhatsApp as a marketing, engagement, or routing channel. The following remain available.
Marketing broadcasts
Opt-in marketing broadcasts to customers and prospects who have given consent. New product launches, generic awareness campaigns, branch openings, customer education, financial literacy content, market updates.
Consent must be granular, withdrawable, and audit-logged. No personalised account information. No "your balance is..." messages. Generic only.
Top-of-funnel lead capture
Capture name, contact details, and product interest from prospective customers. A customer messages your WhatsApp asking about a credit card, a savings account, or a motor insurance quote. The chatbot can ask:
- Their name
- Preferred language
- Product they are interested in
- General preference (e.g., "Are you looking for a credit card or a debit card?")
- Whether they would like to receive a callback
The chatbot must not request Emirates ID, account numbers, salary, policy numbers, medical history, or any sensitive data. The handoff to a regulated channel must happen before any of these are needed.
Appointment booking
Book appointments at branches, with relationship managers, brokers, or in-branch advisors. Date, time, branch location, RM name, brief topic ("renewal", "new loan", "claims advisory") — all permitted.
The booking must not collect or confirm any account-specific information.
General product information and FAQs
Non-personalised information about products, services, branches, ATMs, working hours, contact numbers, fees, eligibility criteria, general process steps. A chatbot answering "what documents do I need to apply for a personal loan" or "what is the minimum balance for the savings account" is permitted, provided the answer is generic.
The FAQ chatbot must not provide account-specific answers ("your minimum balance is...") and must not personalise responses based on customer-supplied identification.
Routing and deep-linking to controlled channels
Hand off the customer from WhatsApp to a CBUAE-controlled channel — the institution's mobile app, online banking portal, secure web journey, recorded call centre, or branch.
The right pattern: a deep link or one-time-tokenised URL that opens the customer's authenticated session in the institution's app or portal. The customer never has to copy account numbers, OTPs, or any sensitive data into WhatsApp.
The link must lead to a controlled channel. The handoff must happen before any sensitive data is exchanged.
Brand awareness, PR, and customer education
Content marketing, financial literacy posts, festive greetings, sponsorship announcements. Treat WhatsApp the same way you would treat your Instagram or LinkedIn — a brand channel with no operational role.
Click-to-WhatsApp ads
Meta and Instagram ads that route to a WhatsApp conversation are permitted, provided the conversation flow respects the prohibited perimeter. The chatbot at the other end must be designed to capture only what is permitted, then hand off cleanly.
Service-level notifications (with care)
Generic outage alerts, system-maintenance notifications, branch-closure announcements. Anything that does not require customer-specific data is permitted. The following are not:
- Transaction confirmations
- Balance alerts
- Statement delivery
- Payment reminders that include account numbers or specific amounts
The permitted vs. prohibited comparison
| Activity | WhatsApp? |
|---|---|
| New product announcement (opt-in) | ✓ Permitted |
| "Your balance is AED 3,200" | ✗ Prohibited |
| Lead capture: name, phone, interest | ✓ Permitted |
| Lead capture: Emirates ID, salary | ✗ Prohibited |
| Branch appointment booking | ✓ Permitted |
| Account opening on WhatsApp | ✗ Prohibited |
| FAQ: "What is your minimum balance?" | ✓ Permitted |
| FAQ: "What is my minimum balance?" | ✗ Prohibited |
| Sending an OTP | ✗ Prohibited |
| Deep link to mobile app for OTP-free login | ✓ Permitted |
| Marketing broadcast (with consent) | ✓ Permitted |
| Sending a customer's bank statement | ✗ Prohibited |
| Document collection (KYC forms, claims) | ✗ Prohibited |
| Branch outage notification | ✓ Permitted |
| Transaction dispute handling | ✗ Prohibited |
| RM personal WhatsApp for client servicing | ✗ Prohibited |
| Click-to-WhatsApp ad → controlled handoff | ✓ Permitted |
The hardest cases
Three patterns generate most of the operational confusion. Each deserves a specific answer.
The Relationship Manager on personal WhatsApp
A relationship manager handling a high-net-worth client uses their personal WhatsApp to update the client on portfolio movements, share investment briefs, or coordinate transactions. This is the most widespread practice — and the most clearly prohibited.
The rule: RMs cannot use personal WhatsApp for client servicing. The notice does not distinguish between corporate and personal devices, between inbound and outbound, or between text and voice. Any servicing interaction on a personal device is out of bounds.
The fix: RMs must move servicing interactions to recorded call centre lines, the institution's authenticated mobile app, or a governed corporate WhatsApp channel that captures every message in a compliant archive.
The Insurance Broker handling claim documents
A broker receives photos of accident damage, medical reports, or claim forms via WhatsApp from policyholders. The broker forwards these to the insurer's claims team, also via WhatsApp.
The rule: all of this is prohibited. The documents contain customer information, the activity is claims handling (a regulated activity), and the storage trail is uncontrolled.
The fix: brokers must collect documents via the insurer's authenticated portal or mobile upload journey. The WhatsApp channel can be used to send the customer the link — nothing more. The insurer is responsible for ensuring its broker network is using compliant channels.
The lead-capture chatbot that asks for Emirates ID
A bank's marketing team built a WhatsApp chatbot that captures lead enquiries for credit cards. The bot asks for name, mobile, and Emirates ID — because the credit team wanted to pre-screen leads against the credit bureau before scheduling a callback.
The rule: the moment Emirates ID is requested, the chatbot has crossed the prohibited perimeter. Pre-screening is a regulated activity that requires the customer's data to be handled in a controlled channel.
The fix: redesign the flow. The chatbot captures only name, mobile, and product interest. The handoff message contains a deep link to the bank's secure portal where the customer can complete the credit application — including consent, KYC, and Emirates ID upload — in an authenticated session.
What "controlled and approved channels" actually means
The notice instructs institutions to migrate customer interactions to approved, controlled channels. In practice those are:
- The Financial Institution's mobile app or online banking portal
- A call centre (recorded, consistent with standard CBUAE practice for customer-facing voice channels)
- A branch
A compliant WhatsApp channel — one designed to respect the prohibited perimeter — is not a substitute for these. It is a marketing and routing layer that sits in front of them. The deeper, regulated work happens inside the institution's controlled channels.
This is the architectural shift the notice is forcing: WhatsApp moves from being a banking channel to being a front-of-house channel. The substance of the relationship — onboarding, transactions, servicing — moves into the institution's owned, controlled, auditable infrastructure.
Internal controls you need
Migrating customer journeys is the visible part of the work. The less visible, more important part is internal controls. The notice explicitly requires:
Policies. A WhatsApp Acceptable Use Policy that defines what staff can and cannot do, covering personal devices, corporate WhatsApp, RM behaviour, document handling, and customer escalation paths.
Training. Mandatory, attestation-tracked staff training. Every customer-facing role needs to understand the prohibited perimeter and how to redirect customers cleanly when they cross it.
Monitoring. Active monitoring of corporate WhatsApp channels for prohibited content. DLP rules that block outbound messages containing Emirates ID patterns, account numbers, or OTPs. Periodic sampling of conversations by Compliance.
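One way to implement the outbound DLP rule described above, as an added example written for this article (not the notice's text and not any vendor's product). The Emirates ID layout (784-YYYY-NNNNNNN-N, 15 digits) and the UAE IBAN length ("AE" plus 21 digits) are assumed formats, the OTP keyword heuristic is a constructed starting point, and the sample messages are constructed; an institution would tune all of these to its own record layouts and test them against its own traffic before relying on them.

```python
import re

# Detector patterns. The formats are assumptions made for this example (Emirates ID
# as 784-YYYY-NNNNNNN-N, UAE IBAN as "AE" + 21 digits); tune them to the
# institution's own record layouts before relying on them.
DETECTORS = [
    # 15-digit Emirates ID, hyphens or spaces tolerated.
    ("emirates_id", re.compile(r"\b784(?:[ -]?\d){12}\b")),
    # 23-character UAE IBAN, separators tolerated.
    ("uae_iban", re.compile(r"\bAE\d{2}(?:[ -]?\d){19}\b", re.IGNORECASE)),
    # 16-digit card number; confirmed with a Luhn check so plain digit runs do not fire.
    ("card_pan", re.compile(r"\b(?:\d[ -]?){15}\d\b")),
    # Authentication artefact: an OTP/PIN/code keyword followed closely by 4-8 digits.
    ("otp", re.compile(
        r"\b(?:OTP|one[- ]time|verification|passcode|code|PIN)\b\D{0,20}?\b\d{4,8}\b",
        re.IGNORECASE)),
]


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum, used to separate card numbers from other 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_outbound(text: str) -> list:
    """Return the prohibited data types found in one outbound message, in detector order.

    Each match is masked before the next detector runs, so a card-like digit run
    inside an IBAN is reported once, as an IBAN, not twice.
    """
    findings = []
    for name, pattern in DETECTORS:
        def mask(match, name=name):
            value = match.group()
            if name == "card_pan" and not luhn_ok(re.sub(r"\D", "", value)):
                return value  # 16 digits that fail Luhn are not treated as a PAN
            if name not in findings:
                findings.append(name)
            return "#" * len(value)
        text = pattern.sub(mask, text)
    return findings


def allow_outbound(text: str) -> bool:
    """Block the message if any prohibited data type is present."""
    return not scan_outbound(text)


# Constructed sample messages, not real customer data.
SAMPLE_MESSAGES = [
    "Our new Platinum card launches on 1 March. Reply STOP to opt out.",
    "Your OTP is 482913. Do not share it with anyone.",
    "Please confirm your Emirates ID 784-1990-1234567-1 to continue.",
    "Transfer to AE07 0331 2345 6789 0123 456 has been processed.",
    "Card 4111 1111 1111 1111 has been blocked as requested.",
    "The Deira branch closes at 17:00 on Friday for maintenance.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "ALLOW" if allow_outbound(msg) else "BLOCK"
        print(f"{verdict:5} {scan_outbound(msg)!s:16} {msg}")
```

The rule is deliberately a blocklist of data types, not a blocklist of words: a generic "what is the minimum balance" FAQ answer passes, while anything carrying an identifier, account reference or authentication artefact is stopped before it leaves the channel. Blocked messages are what Compliance's periodic sampling should look at first.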
Vendor governance. If a third-party BSP or messaging platform sits in the stack, it must be governed under the institution's outsourcing framework. For banks, CBUAE Outsourcing Regulation 14/2021 applies — material outsourcing requires CBUAE prior non-objection under Article 8. Non-bank Licensed Financial Institutions have analogous outsourcing requirements in their sectoral regulations.
Audit logs. Immutable, exportable, time-stamped conversation logs retained for at least five years — the consumer-records minimum under Article 6 of the Consumer Protection Regulation (Circular 8/2020).
Board-level oversight. Best practice — drawing on the Corporate Governance Regulation for Banks and the board-approval requirement for material outsourcing — is to fold messaging-channel risk into the operational and conduct risk reporting that already reaches the board. A quarterly cadence on remediation status keeps the topic visible until the perimeter is fully implemented.
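The audit-log requirement above asks for immutable, exportable, time-stamped conversation records. A hash-chained append-only archive is one way to make such a log tamper-evident; the example below is added for this article and is not the notice's text or any vendor's product. The record fields and the sample conversation are constructed. Hash chaining on its own makes edits detectable rather than impossible; anchoring the latest hash in a store the messaging team cannot write to (a WORM bucket, a signed daily checkpoint) is what turns "tamper-evident" into "immutable" in practice.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(record: dict) -> str:
    """SHA-256 over the canonical JSON form of a record, excluding its own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class ConversationArchive:
    """Append-only, hash-chained log of messaging-channel traffic.

    Each record commits to the previous record's hash, so deleting, editing or
    reordering any past message changes every hash after it and is caught by verify().
    """

    def __init__(self):
        self.records = []

    def append(self, channel: str, direction: str, party: str, body: str, ts=None) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {
            "seq": len(self.records),
            "ts": time.time() if ts is None else ts,  # time-stamped at write
            "channel": channel,
            "direction": direction,
            "party": party,
            "body": body,
            "prev": prev,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad seq)."""
        prev = GENESIS
        for i, record in enumerate(self.records):
            if record["seq"] != i or record["prev"] != prev or record["hash"] != _digest(record):
                return False, i
            prev = record["hash"]
        return True, None

    def export_jsonl(self) -> str:
        """Exportable form: one JSON object per line, verifiable after re-import."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)

    @classmethod
    def from_jsonl(cls, text: str):
        archive = cls()
        archive.records = [json.loads(line) for line in text.splitlines() if line.strip()]
        return archive


def build_sample_archive() -> ConversationArchive:
    """Constructed marketing-perimeter conversation, not real traffic."""
    a = ConversationArchive()
    a.append("whatsapp", "in", "customer:constructed-0001", "Hi, what does the Platinum card cost?", ts=1.0)
    a.append("whatsapp", "out", "bot", "AED 0 in year one, AED 400 thereafter. Want to apply?", ts=2.0)
    a.append("whatsapp", "out", "bot", "Continue securely in the app: https://portal.example/apply?t=...", ts=3.0)
    return a
```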
What this looks like in practice
A correctly designed compliant flow for a UAE bank:
- A prospect sees an Instagram ad for a credit card. They click "message us on WhatsApp."
- The chatbot greets them in their preferred language and answers FAQ-level questions about the card (rewards, eligibility, fees).
- The customer says they want to apply.
- The chatbot collects only their name, mobile, and confirms their interest.
- The chatbot sends a deep link to the bank's authenticated mobile app or web portal.
- The customer completes the application — KYC, Emirates ID upload, income verification, consent — inside the controlled channel.
- The bank's underwriting and authentication happen entirely inside the controlled channel.
- Decision communications happen inside the app, not on WhatsApp.
- The WhatsApp conversation log — which contains only marketing-perimeter content — is captured to the institution's compliant archive.
What the customer experiences is a single WhatsApp conversation. What actually happens, behind the scenes, is two channels — a marketing channel and a controlled regulated channel — joined by a single deep link.
This is what compliance looks like when it's done well. It is invisible to the customer.
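The two pieces that join the channels in the flow above, the lead-capture guardrail (from "Top-of-funnel lead capture") and the one-time-tokenised deep link (from "Routing and deep-linking to controlled channels"), as an added example written for this article rather than any bank's or vendor's code. The permitted field names, the portal URL, the lead id format and the secret are assumptions. The link carries no customer data: only an opaque lead reference, a nonce, an expiry and an HMAC, so it cannot be altered, reused or used late.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# The only fields the lead-capture bot may store (assumed field names).
PERMITTED_LEAD_FIELDS = {"name", "mobile", "language", "product_interest", "callback_requested"}


def capture_lead(fields: dict) -> dict:
    """Accept a lead only if every field is permitted; reject the whole submission otherwise,
    so prohibited data (Emirates ID, salary, account numbers) never lands in the bot's store."""
    disallowed = sorted(set(fields) - PERMITTED_LEAD_FIELDS)
    if disallowed:
        raise ValueError(f"prohibited lead fields: {disallowed}")
    return dict(fields)


class HandoffService:
    """Issues and redeems one-time, expiring, HMAC-signed deep links into the controlled channel."""

    def __init__(self, secret: bytes, portal_base: str, ttl_seconds: int = 600):
        self.secret = secret            # shared with the portal only, never with the BSP
        self.portal_base = portal_base
        self.ttl = ttl_seconds
        self.unredeemed = set()         # nonces still valid; a database in a real deployment

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue_link(self, lead_id: str, now: float | None = None) -> str:
        """Deep link carrying lead id, nonce and expiry, signed so none of them can be altered."""
        if "." in lead_id:
            raise ValueError("lead_id must not contain '.'")
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)  # base64url alphabet, so it never contains '.'
        payload = f"{lead_id}.{nonce}.{int(now) + self.ttl}"
        self.unredeemed.add(nonce)
        return f"{self.portal_base}/apply?t={payload}.{self._sign(payload)}"

    def redeem(self, token: str, now: float | None = None) -> tuple[bool, str]:
        """Called by the portal on arrival. Returns (True, lead_id) once; afterwards (False, reason).
        The portal then runs its own authentication; the token only links the two journeys."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 4:
            return False, "malformed"
        lead_id, nonce, exp, sig = parts
        if not hmac.compare_digest(sig, self._sign(f"{lead_id}.{nonce}.{exp}")):
            return False, "bad signature"   # tampered lead id, nonce or expiry
        if now >= int(exp):
            return False, "expired"
        if nonce not in self.unredeemed:
            return False, "replayed"        # already used, or never issued by us
        self.unredeemed.discard(nonce)      # single use
        return True, lead_id


def token_from_link(link: str) -> str:
    """Extract the token the portal receives from the link the bot sent."""
    return parse_qs(urlparse(link).query)["t"][0]


if __name__ == "__main__":
    svc = HandoffService(b"constructed-secret-replace-me", "https://portal.example")
    lead = capture_lead({"name": "A. Customer", "mobile": "+971-5-constructed", "product_interest": "credit_card"})
    link = svc.issue_link("lead-1042")
    print("bot sends:", link)
    print("portal redeems:", svc.redeem(token_from_link(link)))
    print("second attempt:", svc.redeem(token_from_link(link)))
```

Every check is on the portal side, inside the controlled channel: the WhatsApp leg only ever sees an opaque link. Redemption is checked in the order signature, expiry, nonce, so a tampered or stale link is rejected without consuming a nonce, and a replayed link fails even though its signature is still valid. Logging the rejection reason gives Compliance a clean signal for forwarded or reused links.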
What comes next
Drawing the line is one part of the work. Implementing it — designing the chatbot guardrails, building the deep-link handoffs, configuring the DLP rules, putting the right BSP in the stack, and getting the data residency right — is the other.
The third article in this series covers the architecture: what a CBUAE-respecting WhatsApp channel actually looks like in technology terms, and how Zena helps UAE financial institutions build it without rewriting their stack from scratch.
Summary
The CBUAE notice does not end WhatsApp for UAE financial institutions. It re-defines its role.
WhatsApp is no longer the place where banking happens. It is the place where the customer journey begins, then hands off to a controlled channel where the regulated work is done.
Institutions that adapt to this new design — front-of-house on WhatsApp, regulated activity in the controlled channels — will keep the engagement and conversion benefits of WhatsApp while staying clearly inside the supervisory perimeter. Institutions that try to keep doing what they did before, just with extra disclaimers, will find the supervisory tone has moved on.
The line is clear. The work is in the design.
Designing the compliant architecture?
Part 3 of this series covers what a CBUAE-respecting WhatsApp channel looks like in technology terms — BSP selection, data residency, archival, DLP, and the handoff patterns. Or talk to the team directly.