Central Bank of UAE Consumer Protection Regulation
Financial services companies handle vast amounts of consumer personal data, much of it among the most sensitive data held about an individual.
This data therefore requires proper protection. Whilst the ADGM and DIFC free zones have largely adopted the approach of the EU General Data Protection Regulation (GDPR), mainland UAE has no federal data protection law. The introduction of a consumer data regulation for the financial services sector is therefore a significant step towards improving consumer data protection in the UAE.
What is the new regulation and when was it introduced?
The Central Bank of the UAE (Central Bank) issued the Consumer Protection Regulation (Circular No. 8/2020) (CPR) on 31 December 2020. The CPR and the associated Consumer Protection Standards (CPS) set out requirements for licensed financial institutions regulated by the Central Bank (Financial Institutions) to comply with when dealing with consumer data.
Financial Institutions have until 31 December 2021 to comply with the new regulation and standards, the CPR having afforded a one-year grace period from its issue.
What does the new regulation say and how can it be implemented?
The CPR and CPS impose requirements that will affect how Financial Institutions operate internally and how they deal with consumers.
Changes to process and ways of working
- Financial Institutions must establish a function dedicated to consumer data protection. This means allocating additional resources, for example employees whose sole responsibility is to ensure that internal processes are designed to protect consumer data.
- The CPR requires Financial Institutions to report significant consumer data breaches to the Central Bank and, where the breach creates a risk to a consumer's financial or personal security, to the affected consumer. Financial Institutions should establish a breach-handling process in advance, for example identifying who is responsible for reporting and providing template forms that staff use to record and explain the incident.
- Financial Institutions are responsible for maintaining effective security measures to protect the consumer data they hold. The CPR requires them to invest in up-to-date technology so as to obtain the best protection reasonably available. This is therefore an area that Financial Institutions will need to assess and improve, particularly during the grace period.
Changes to dealings with consumers
- Financial Institutions must be transparent with consumers about the purpose for which their personal data is collected and how it will subsequently be used. This must be communicated to consumers in writing, and Financial Institutions should make the information readily available in a published policy.
- Financial Institutions should limit the amount of data collected from consumers, use it only for the purposes communicated and retain it only for as long as is necessary to provide the financial services. Existing processes should be reviewed to minimise data collection and retention as far as possible, and consumers should be made aware of the retention policy.
- Direct marketing to consumers, and disclosure of consumer personal data to third parties, may only be carried out with the express consent of the consumer. Financial Institutions that intend to do either should consider incorporating a consent request into their sign-up process so that consent is obtained and recorded at the outset.
Financial Institutions will need to take their increased obligations seriously, as the Central Bank can impose sanctions for non-compliance. Sanctions can include fines against a Financial Institution and the Central Bank replacing, or restricting the powers of, its senior management or Board.
What impact will the new regulation have?
Prior to the CPR and CPS, Financial Institutions operated under the general principle of consumer data confidentiality. The new regulation and standards significantly increase the responsibilities of Financial Institutions, and the resulting changes will be visible both to consumers and to the third parties that work with Financial Institutions.
Consumers will benefit from the new regulation, with more resources dedicated to consumer data protection and better security measures put in place. The credibility of the UAE's financial services sector is also likely to improve. Many of the underlying principles mirror those of the GDPR, so the regulation brings the sector's data protection requirements closer to international standards and should strengthen the integrity and stability of the sector.
Now that the CPR and CPS have been introduced, there are strong indications that further data protection laws will follow in the UAE.