How Zena helps UAE financial institutions
use WhatsApp compliantly under CBUAE 2026/2058

The first two articles in this series covered the supervisory direction: what CBUAE Notice 2026/2058 says, and where the permitted perimeter sits. This article covers the architecture — what a compliant WhatsApp channel actually looks like in production, and how Zena fits into it.

A note on framing before we start. Zena is a WhatsApp Business platform built for UAE & GCC businesses by Fictora Labs. We are not a CBUAE-licensed entity, and no BSP is "CBUAE-certified" — that's not a category that exists. The regulated entity in any deployment is the financial institution itself; Zena is a tool the institution configures inside its own compliance framework.

What we can do is build the platform to support compliant configurations. That's what this article is about.

The architectural shift required

The notice forces a specific architectural pattern on UAE financial institutions:

• WhatsApp becomes a front-of-house channel — marketing, lead capture, FAQs, routing.
• Regulated activity moves to controlled channels — the institution's mobile app, online banking, recorded call centre, or branch.
• The two are joined by a clean handoff — a deep link, a one-time tokenised URL, or an app push approval.

This pattern needs to hold up under three pressure tests:

1. Data residency — the WhatsApp platform layer must keep customer data inside the UAE.
2. Behavioural enforcement — the AI agents and chatbots must refuse to collect prohibited data, even if the customer volunteers it.
3. Auditability — every conversation must be captured to an immutable, exportable log that satisfies CBUAE record-keeping requirements.

The rest of this article walks through how Zena supports each of these.

1UAE data residency

Zena stores all tenant data on UAE-region infrastructure. Conversations, contacts, lead records, knowledge base content, AI conversation summaries, audit logs, and template metadata all sit on UAE servers. The platform is TDRA-aligned in its data-handling posture, with AES-256 encryption for sensitive fields and PostgreSQL row-level security ensuring strict tenant isolation — one institution can never access another's data.

For deployments that require dedicated infrastructure, Zena offers an Enterprise tier with single-tenant deployment options. We work with each FI's procurement and information security team to align the deployment to their internal standards (ISO 27001, NESA controls, internal DPIA outcomes).

2AI guardrails: building the permitted perimeter into the bot

The most operationally important control for an FI is the AI chatbot itself. The notice prohibits requesting, receiving, or sharing customer data via WhatsApp. The institution needs a chatbot that cannot cross that line, even when prompted to.

Zena's AI agents support three classes of guardrail relevant to FIs:

Refuse-to-collect

The AI is configured against your knowledge base. For an FI deployment, the knowledge base is built around the permitted perimeter — product information, branch locations, FAQ-level answers, eligibility criteria. The agent is configured to not request Emirates ID, account numbers, policy numbers, salary figures, claim details, or any other prohibited data point. If a customer's natural conversational flow approaches this territory, the agent acknowledges and routes them to a controlled channel.

Echo-block on inbound sensitive data

Sometimes customers volunteer sensitive information without being asked. They paste an Emirates ID number, send a photo of their bank statement, or type out their PIN. Zena's agents are configured to recognise these patterns, refuse to process or echo the data, and respond with a routing message: "For your security, please don't share this information here. I'm sending you a secure link to our app where you can complete this safely."

Auto-handoff on prohibited intent

Lead Capture flows in Zena are designed around structured fields — name, contact preference, product interest, appointment time. When a conversation drifts into prohibited intent (transaction execution, document submission, dispute handling), the agent triggers a templated handoff message containing a deep link to the institution's authenticated channel. The customer stays on one thread of conversation. The compliance boundary holds.

These guardrails are configured at the tenant level, with sample knowledge bases and chatflow templates we provide for FI deployments. The institution's compliance team reviews and signs off on the configuration before go-live.

3Deep-link handoff to controlled channels

The handoff is the single most important moment in a compliant FI WhatsApp journey. It is where the customer's intent moves from "I'd like to apply for a credit card" to "I am authenticating into my bank's app to actually do it." If the handoff is clunky, customers drop off. If it's invisible, the channel works.

Zena supports deep-link handoffs natively through its Visual Chatflow Builder:

• Deep link nodes — a chatflow node that sends a one-time tokenised URL to the customer, opening their authenticated session in your app, portal, or hosted secure form.
• Conditional handoff — handoff triggered when a customer crosses an intent threshold (e.g., they've asked about a specific account-level question, or they've completed the lead-capture stage).
• Templated handoff messages — pre-approved Meta template messages that pair a CTA with the deep link, supporting both Arabic and English natively.
• Round-robin agent assignment — for handoffs that require a human at the other end (RM call, branch advisor), Zena assigns the conversation to the right team member with full context.

For FIs that have already invested in mobile app authentication, push approvals, or biometric SCA — which is increasingly the case after the May 2025 OTP phase-out — Zena's deep links plug straight into existing flows.

4Audit logs and record-keeping

Every conversation in Zena is logged to a tamper-resistant audit trail. Audit logs on Business plans capture:

• Every inbound and outbound message, with sender, timestamp, and channel
• Every AI response, including the model used and the knowledge sources consulted
• Every chatflow execution, including which nodes fired and which branches were taken
• Every agent action, including assignments, status changes, and notes
• Every API call to and from external systems

These logs are exportable to compliance archival systems (Smarsh, Global Relay, LeapXpert, etc.) for institutions that need to feed conversation records into a centralised supervision tool. For institutions that retain records inside their own platform, Zena's logs satisfy CBUAE record-keeping expectations on their own.

Retention windows are configurable to match your institution's record-keeping policy — at a minimum, five years for consumer records per Article 6 of the Consumer Protection Regulation (Circular 8/2020), with longer windows where internal policy or AML supervisory expectations require them.

5Number management for multi-brand and multi-branch FIs

Many UAE financial institutions run multiple WhatsApp numbers — one per business unit, branch, or product line. A bank might have separate numbers for retail banking, business banking, wealth management, and customer service. An insurer might run separate numbers for motor, health, and corporate lines.

Zena supports multiple connected WhatsApp numbers under a single tenant, with:

• Per-number AI configuration and knowledge bases
• Per-number chatflows and templates
• Per-number agent teams and routing rules
• Unified analytics across all numbers
• Centralised audit logs

This matters for compliance because it lets an institution apply different governance configurations to different lines of business — a wealth management number might have stricter handoff thresholds than a retail product enquiries line, even though both are inside the same tenant.

6Internal controls and vendor governance

The notice requires institutions to implement internal controls — policies, training, monitoring — and to govern third-party providers under their outsourcing framework. Zena supports this in three ways:

Role-based access control. Four roles (Superadmin, Admin, Agent, Viewer) with route-level permissions across the platform. SSO and AD integration available on Business and Enterprise tiers.

Material outsourcing documentation. Zena provides the standard documentation pack required for vendor due diligence — DPA, information security questionnaire, sub-processor list, business continuity plan — and supports prior non-objection processes for material outsourcing relationships (for banks, CBUAE Outsourcing Regulation 14/2021 Article 8; for non-bank LFIs, the analogous sectoral outsourcing requirements).

Configurability for compliance review. Every tenant configuration — knowledge bases, AI prompts, chatflows, templates, broadcast lists — is editable and exportable, allowing your compliance team to review and approve before go-live, and re-review at audit checkpoints.

What a real deployment looks like

A typical Zena deployment for a UAE financial institution moves through five stages:

1. Permitted-perimeter design. A workshop with the institution's compliance, marketing, and digital teams to map intended customer journeys against the prohibited perimeter. Output: a journey map, a knowledge base scope document, a chatbot conversation tree, and a list of handoff points.
2. Configuration. Knowledge base loaded, AI guardrails configured, chatflows built, templates submitted for Meta approval, deep links connected to the institution's controlled channels. Compliance review and sign-off at the end of this stage.
3. Internal pilot. A small group of staff acting as test customers, validating the perimeter from the inside. Issues surfaced and fixed.
4. Soft launch. Limited rollout — one product line, one geography, or one customer segment — with active monitoring of every conversation by the institution's compliance team. Adjustments made.
5. Full deployment. Channel goes live, with quarterly compliance reviews and rolling DLP testing.

A typical FI deployment runs in 6 to 10 weeks end-to-end, depending on internal procurement and security review timelines.

What Zena is not claiming

A short list of things we do not claim, because the credibility of compliance work depends on the precision of the claims:

We think being precise about what we do and don't do is the only way to be useful to a Compliance Officer reading this with a procurement framework open in another tab.

Why FIs work with Zena specifically

There are global BSPs serving the UAE market. There is a strong case for choosing one of them — established compliance teams, multi-region infrastructure, large support footprints. There is also a case for working with Zena, especially for institutions that want to move quickly:

UAE-built, UAE-hosted. Zena was designed for the UAE & GCC market from day one — UAE data residency on every plan, AED billing, native Arabic AI (not translated Arabic), and a product team based in the same time zone as your compliance team.

Configurable AI agents. Zena's bilingual AI handles Gulf dialect, MSA, and Arabizi natively, and the guardrails described in this article are configurable per-tenant rather than baked into a one-size-fits-all template.

Multi-tenant architecture suited to financial groups. For a banking group with multiple licensed entities, or an insurer with multiple lines, Zena's multi-number, multi-tenant architecture is built for the use case.

Founder access. Zena is operated by Fictora Labs, a UAE FZ-LLC. For deployments with non-standard requirements — dedicated infrastructure, custom audit log formats, integration with internal supervision tooling — there is a direct line to the engineering team.

n8n native integration. For institutions with existing internal automation stacks running on n8n, Zena ships an official n8n community node — making it possible to integrate WhatsApp lead flows directly into your CRM, core banking systems, or workflow engines without custom integration work.

Pricing in AED. Plans for SMB use cases start from AED 199/month (introductory Founder 50 rate; rises to AED 249/month after the first 50 paying customers, with today's signups locked for life). FI deployments are typically Enterprise-tier with custom pricing reflecting the dedicated configuration, support, and DPA work involved.

Where to start

If you are a UAE financial institution evaluating WhatsApp platforms in light of CBUAE Notice 2026/2058, the first step is mapping your intended customer journeys against the prohibited perimeter. The output of that exercise tells you what your WhatsApp channel can do, where the handoffs sit, and what configuration you need from your platform vendor.

We're happy to run that workshop with you — no commitment, no procurement process required at the start. The output is yours regardless of whether you choose Zena.

The work in front of UAE FIs is real, but it isn't existential. WhatsApp remains the most-used consumer channel in the country. The question isn't whether to use it — it's how to design the channel so it sits cleanly inside the supervisory perimeter while still doing the engagement work it does well. That's what we built Zena for.