Central Bank of UAE – Financial Consumer Protection Regulatory Framework & Data Protection


The UAE Financial sector is growing and is now expanding into diverse products and services which are increasingly being embedded into technology such as artificial intelligence making the said services all the more susceptible to data breaches.

Therefore, in light of the various international standards that have been set in the recent past on data protection, security and risk management, the Central Bank of UAE (“CBUAE”) has taken various steps to ensure the effective regulation of Licensed Financial Institutions (“LFIs”).

Among the various roles and functions of the Central Bank enumerated in Federal Law No 14 of 2018 Regarding the Central Bank and Organisation of Financial Institutions and Activities (“CB Regulation”), the Central Bank has also the undertaken to ensure fair treatment and protection of customers of Licensed Financial Institutions.[1]

In pursuance of the powers vested in the CBUAE under Article 121 of the CB Regulation, same the Central Bank of UAE enacted the Consumer Protection Regulation in December 2020[2] (“CPR”) and the Central Bank Consumer Protection Standards (“CPS”) in January 2021[3] thereby establishing the CBUAE’s Financial Consumer Protection Regulatory Framework (“Framework”) that is aspired to be in line with Shari’a and international standards.

While the Framework covers a host of issues and regulatory aspects, this article will specifically look at the Data Protection aspect of the Framework.


To whom does the Framework apply to? 

The Framework and the CPS apply to LFIs and Consumers who are using any financial service and/or products provided by LFIs. LFIs includes banks and other financial institutions that are licensed to carry out Licensed Financial Activities as per the CB Regulation. 

Who are Consumers? 

A Customer is any natural person or sole proprietor who obtains or may prospectively obtain paid or unpaid Financial Services and/or Products.

Compliance Requirements for LFIs under the Framework / Data Protection

The LFIs have until 31st December 2021 to comply with the Framework. The following are some of the key compliance requirements as stipulated in Article 6 of the CPS:

  • Establish a framework, policy detailing the procedure regarding the collection, protection, confidentiality and authorized use of Consumers’ Data.[4]
  • Establish a Data Protection and Control Framework to identify and resolve any incidents of information security breaches.
  • Appoint a person in senior management responsible for overseeing compliance with the Data Management Control Framework and any related requirements for Data protection and privacy laws of the UAE and the Central Bank.
  • To provide adequate information about the product, financial service etc. to all Customers about how their data will be collected, stored, used, disclosed, mined and profiled.
  • Have multiple online identity verification methods when a transaction is initiated through electronic devices.
  • Have an established mechanism to send notifications of potential breaches to the Consumer.
  • Ensure that the Consumer makes informed choices and consent in relation to the use of their personal data and the sharing of the same with third parties.
  • Prior to obtaining explicit, freely given consent the LFI shall provide the Consumer with written information regarding the prospective use and/or share Personal Data and with whom the Consumer’s Personal Data will be shared with any third party.
  • Restrict access to Consumer’s data and maintain records and logs of Staff who have accessed Consumer databases and the timing for audit and supervisory purposes.

What must a Consumer know and be aware of? 

  • Consumer should be aware that any and all collection, storage, use and transfer of their data cannot be done without their freely given “explicit consent”.
  • The Consumer is entitled to know the type of product, the risks involved, the type of data that is being collected and other information of how it is going to used and shared (if allowed).
  • The Consumer also retains the right to withdraw consent in certain circumstances and the LFI will have to comply with such request within 30 calendar days of such request.

How can LFIs protect themselves in this situation?

  • Set in place an internal data protection department that would address the management, protection and regulation of the use and processing of personal data.
  • Review their existing data protection and privacy policy.
  • Update their terms & conditions of service; their agreements with third parties to ensure compliance with the standards set through the Framework.
  • Update the present mechanism of obtaining consent to the terms of service including data collection storage use and transfer to meet the explicit consent requirement. This may include having opt-in ticks instead of opt out pre-conditioned boxes in relation to the acceptance of privacy policies etc.


CBUAE, by coming out with the Framework have done great service to the customers of FLIs to ensure their protection most importantly protection of data they share with such fiscal institutions.

For more details and assistance please feel free to contact us at info@bestwinslaw.com

[1]CBUAE 20 issues 20 new 20 Consumer 20 Protection 20 Regulation; Article 4, Federal Law No. 14 of 2018.

Decretal 20 Federal 20 Law 20No. 20 2814 29 20 of 2020 18 20 Regarding 20 the 20 Central 20 Bank Notice issued by the Central Bank on the Central Bank Consumer Protection Framework.

[2] Consumer Protection Regulation, Central Bank of UAE, Circular No. 8/2020.

[3] Gazette No. 694, Central Bank Consumer Protection Standards.

[4] Article 6 of the Consumer Protection Standards;

Article 120 of the Decretal Federal Law No. (14) of 2018, Regarding the Central Bank & Organization of Financial Institutions and Activities, Licensed Financial Institutions.