UAE Central Bank Consumer Protection Regulation: A new era in personal data protection for UAE banks

Middle East, UAE

This briefing summarises the comprehensive data protection requirements which now apply to all Central Bank-licensed financial institutions operating in the UAE.

The UAE Central Bank Consumer Protection Regulation (Circular 8/2020) (CPR) aims to protect financial services consumers and to contribute to the stability of the finance sector in the UAE. The CPR impose various standards in relation to conduct, governance and oversight, responsible lending practices, information and transparency, barriers to competition and to access to services, complaints handling and public awareness. These standards are further defined in the Consumer Protection Standards (CPS), a separate document but forming part of the CPR.

General oversight requirements under Article 3 of the CPR include the obligation to establish an appropriate organisation structure, a supportive and constructive corporate culture, engaging well-qualified staff, defining clear policies and procedures and creating proper monitoring and controls supported by proper overall governance.

The CPR builds out the high-level obligations found in Federal Law No. (14) of 2018, including the requirement at Article 120 of that law for all data and information relating to customers' accounts, deposits, safe deposit boxes and trusts to be kept confidential and not accessed by, or directly or indirectly disclosed to, any third party without the written permission of the customer or his/her legal representative or authorised agent, or unless authorised by law.

One of the significant introductions of the CPR is the imposition of a number of data protection requirements to supplement the overriding confidentiality obligation. This briefing looks at these data protection obligations only; there are numerous other obligations found within the CPR which are outside the scope of this briefing.

CPR data protection requirements at-a-glance

  • Applies to: all financial institutions licensed by the UAE Central Bank. Institutions must also ensure their authorised agents comply with the CPR.
  • Protects: all natural persons and sole proprietors in their use of financial products and services or other relationship with licensed institutions.
  • Personal data: any information relating to an identified or identifiable natural person. The definition is almost exactly the same as the definition of personal data in the General Data Protection Regulation (Regulation EU 2016/679).
  • High-level key requirements:
    • Data management office: Establish a data management and protection function
    • Policies: Have a data retention policy
    • Security measures: Have appropriate security and monitoring measures in place to detect and track unauthorised access to data
    • Record keeping: Maintain a log of unauthorised access, including identifying any harm done
    • Breach reporting: Notify the Central Bank of significant data breaches and notify consumers where a data breach may pose a risk to the financial and personal security of the consumer without undue delay
    • Financial liability: Institutions are responsible for reimbursing the direct costs of actual harm incurred by consumers from a data breach
    • Consent for third party disclosure: consumers must be given the ability to make informed choices about whether to consent to their data being shared with third parties

The Consumer Protection Standards – a deeper dive

The CPS provide more detailed requirements within the context of the CPR requirements. These include:

  • Processing Information: consumers must be told in writing how their personal data will be used, including disclosures and profiling activities, informed of their rights and told what the consequences will be if it is mandatory to provide personal data and the consumer does not provide such data
  • Multi-channel security: all delivery channels must be within a safe, secure and confidential environment
  • Control Frameworks: a data management control framework of policies, procedures, system controls, and checks and balances must be in place
  • Compliance training: institutions must implement employee training and awareness programs on their control framework and must ensure staff are reminded of data protection requirements on at least an annual basis
  • Access permissioning and logging: access to customer data should be limited to authorised staff ad business lines and a log of access to customer data must be maintained and made available to the central bank when requested; the log must identify which staff accessed customer data and when
  • Senior accountability: the data management function must be headed by a senior manager, delegated by the board and reporting directly into the board
  • Data management function: the data management function must ensure that adequate monitoring and controls are in place to detect unauthorised processing, loss, breach etc. and must carry out regular internal verification that the processes in place are ensuring that collection, access and security of data remains compliant. Controls must be proportional to the sensitivity of the data and records of detailed monitoring and actions taken must be kept for five years.
  • Purpose and scope limitation: personal data must be collected for a lawful purpose directly related to the licensed activities of the business and must be adequate and not excessive for such purposes
  • Informed consent to disclosure and use in direct marketing: informed and express consent must be obtained before consumer data is disclosed to a third party or used for direct marketing. The record of consent must be retained for 5 years from termination of the consumer relationship where the consent is for direct marketing
  • Controls over third parties: where the institution will share personal data with authorised agents, it must only do so under a written authorisation with such agent and outsourcing contracts must contain appropriate provisions for safeguarding data. Such third parties must report data breaches to the licensed institution. Encryption methods must be used for the transfer of data to third parties.
  • Retention periods: customer data must be retained for at least 5 years from termination of the business relationship or, where the relationship is a casual transactional relationship, completion of one-off transaction. The data must be permanently deleted at the end of the retention period if no longer needed to be processed for the purpose for which it was collected.

Next steps – six months to get ready

Although the principle of customer data confidentiality has long been understood by licensed institutions, the level of detail set out in the CPR and CPS represents a significant strengthening of the consumer protection regime in the UAE and requires institutions to design and implement a compliance programme with organisational, technical, procedural and documentary aspects and to ensure that it is communicated to, and followed by, staff.

Existing practices, such as how data is collected and the information available, along with the use of data for marketing purposes, will need to be re-evaluated.

Article 13 of the CPR grants the Central Bank broad powers to impose sanctions on licensed entities that do not comply, including fines and controls on powers of the senior management or the board.

Article 15 of the CPR provides for a one-year grace period from the date of publication of the CPR for institutions to bring themselves into compliance. The CPR were published in the Official Gazette on 31 December 2020, meaning licensees must be compliant from the start of 2022, so have approximately six months remaining to implement all necessary business processes.

We expect the UAE to continue to strengthen the consumer rights landscape and, indeed, implementing regulations for the revised federal consumer rights law (of broader application than just the banking industry) are expected imminently.