The Central Bank of the UAE has directed all banks and licensed financial institutions in the country to immediately stop using instant messaging platforms such as WhatsApp for financial services and customer data handling, in a move aimed at strengthening consumer protection and tightening data security standards.
Several local media outlets reported that the directive, issued through a supervisory notice circulated to the sector, requires institutions to comply by April 30, 2026, or face potential regulatory action.
Under the new rules, banks are prohibited from using messaging platforms for a wide range of activities, including customer communication, transaction processing and data exchange. Specifically, institutions must not use such apps to request or share customer information, initiate or confirm transactions, or transmit authentication credentials such as passwords or one-time passwords.
The directive also extends to the exchange of documents containing personal or financial data, effectively shutting down any operational use of consumer messaging apps in banking workflows.
The regulator said the move follows growing concerns over the increasing use of messaging applications as informal service channels, which expose customers and institutions to multiple risks.
These include fraud, impersonation, account takeovers and social engineering attacks, as well as the potential unauthorised disclosure of sensitive information.
The central bank also flagged data residency concerns, noting that information shared via such platforms could be stored or processed outside the UAE, potentially breaching local regulations that require customer and transaction data to remain within the country.
As part of the directive, financial institutions have been instructed to discontinue existing use cases involving messaging apps and transition customers to approved channels, including mobile banking applications, online platforms, call centres and physical branches.
Banks must also strengthen internal controls, including staff training and monitoring mechanisms, to prevent further use of unregulated communication channels.
Institutions are required to confirm compliance and outline corrective actions by the end of April 2026. Failure to comply could result in supervisory action, financial penalties or other regulatory measures.
