Financial Crime World

Central Bank Issues Regulations to Protect Consumer Data

In a move to safeguard consumer data and align the UAE’s financial regulation with international standards, the Central Bank (CB) has introduced new regulations aimed at protecting personal data processed by licensed financial institutions.

Protecting Personal Data

The regulations, which came into effect yesterday, require banks and other licensed financial institutions to implement robust measures to ensure the confidentiality, integrity, and availability of consumer data. The CB has introduced several key provisions to achieve this goal:

  • Express Written Consent Required: Licensed financial institutions must obtain express written consent from consumers before processing their personal data for purposes such as outsourcing, sales, or marketing.
  • Minimum Retention Period Set at 5 Years: A minimum retention period of five years is set for all personal data processed by licensed financial institutions. After this period, institutions must ensure that the data is destroyed if it is no longer required for its initial purpose or by law.

Data Localization and Cybersecurity

  • Data Localization Requirement Introduced: Licensed financial institutions are required to store transactional and consumer data “within the UAE, as prescribed by” the CB.
  • Strengthened IT and Cybersecurity Infrastructure Required: The regulations emphasize the importance of operational resilience and cybersecurity in financial services. Licensed financial institutions must:
    • Have a proper data management control framework
    • Conduct regular training and workshops for employees
    • Report any apparent vulnerabilities in their security and online systems to the CB on a quarterly basis

Online Identity Verification

  • Strengthened Online Identity Verification: The regulations provide that where consumer identity verification is conducted online, licensed financial institutions must rely on more than one piece of identity evidence for electronic services.

State-of-the-Art Security Measures

  • State-of-the-Art Security Required: Licensed financial institutions are required to integrate operational resilience and cybersecurity into their technical and organizational processes, ensuring that they can identify and resolve information security incidents as soon as they occur.

Conclusion

The new regulations aim to bring financial regulation in the UAE closer to international data protection standards, while also recognizing the unique needs of the financial services industry. The CB has issued a comprehensive guide to help licensed financial institutions comply with the regulations.
