UAE: Data protection requirements in the CBUAE Consumer Protection Regulations and Standards
The Central Bank of the United Arab Emirates ('CBUAE') announced[1], on 1 February 2021, that it had issued the Consumer Protection Regulation ('CPR')[2], as part of its Financial Consumer Protection Regulatory Framework and under its mandate to establish regulations for the protection of customers of all licensed financial institutions ('LFIs') under the Decretal Federal Law No. 14 of 2018 Regarding the Central Bank and Organisation of Financial Institutions and Activities. The CPR is supported by the Consumer Protection Standards[3] ('the Standards'), which define regulatory requirements to ensure consistent interpretation and implementation of the CPR principles.
This Insight will outline some of the data protection and privacy-related requirements included within the CPR and the Standards with which LFIs will need to comply before 31 December 2021.
The CPR aims to protect consumers' interests in their use of any financial product and/or service or relationship with LFIs and bring the conduct of LFIs regarding consumer protection in line with international standards.
LFIs include a variety of national banks, foreign banks, financial companies, exchange businesses, payment services providers, investment banks, wholesale banks, and monetary intermediaries, among others. The Register of LFIs can be found on the CBUAE website.
As part of its scope of consumer protection, the CPR is a very wide-reaching document with regard to security and data protection.
By way of introduction, Section 21 of the CPR defines 'personal data' as, 'any information relating to an identified natural person or identifiable natural person', where an 'identifiable natural person' is defined as, 'a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their biological, physical, biometric, physiological, mental, economic, cultural or social identity'.
The CPR is principles-based, which means that LFIs will need to consider the principles it lays out and apply them to their own situation and to the manner in which they conduct related activities.
The CPR covers the following areas, among others:
- disclosure and transparency (Article 2);
- institutional oversight (Article 3);
- market conduct (Article 4);
- business conduct (Article 5);
- protection of consumer data and assets (Article 6);
- responsible financing practice (Article 7);
- complaint management and complaint resolution (Article 8);
- consumer education and awareness (Article 9); and
- financial inclusion (Article 10).
Consumer data protection
Generally, LFIs must ensure consumer financial assets, information, and all data are secure and protected (Article 3.2 of the CPR).
Providing further detail, Article 6 of the CPR is dedicated to consumer data protection and the protection of consumer assets, information, and data against financial crimes, misappropriation, and misuse. The CPR builds upon Article 120 of the Decretal Federal Law No. 14 of 2018, which requires LFIs to protect consumer data and confidentiality. It expands on this by obliging LFIs to collect only the minimum amount of data required in respect of the activities for which they are licensed.
LFIs must ensure personal data is (Article 18.104.22.168 of the Standards):
- collected for a lawful purpose directly related to the LFI's licensed activities;
- adequate and not excessive in relation to the stated purpose; and
- collected with appropriate security and protection measures against unauthorised or unlawful processing and accidental loss, destruction, or damage.
Further requirements include:
- establishing a function for data management and protection to maintain policies, procedures, systems, and controls to protect consumer data against misuse, unauthorised access, and undue processing and analysis (Article 22.214.171.124 of the CPR); and
- creating a data recordkeeping and retention policy (Article 126.96.36.199 of the CPR).
Article 6.1.3 of the Standards expands upon specific conditions for expressed consent to use of consumer personal data. Among other things, consent must be informed, and freely and explicitly given. Requests for consent must be in clear and plain language and inform the consumer of the right to refuse to consent. Consumers reserve a right to withdraw consent at any time.
Consent must be provided prior to using or sharing personal data for direct marketing or transferring to authorised agents for direct marketing purposes.
A copy of expressed consent must be retained for five years after the consumer relationship has terminated.
Unless consumers have given expressed consent to opt in, they are regarded as having opted out from receiving promotional communication of any kind. Consumers who have opted out of receiving promotional communications must not be contacted by the LFI with regard to future sales, advertising, or financial promotional activities (Article 188.8.131.52 of the CPR).
Responsible advertising and marketing
In line with the above on expressed consent, Article 2.3 of the CPR addresses advertising and marketing issued through any and all channels, spotlighting a few examples, including television, radio, apps, telephone banking, and social media. All such marketing must be designed, delivered, and clearly identified as a financial promotion and it must be in plain and understandable language.
Additionally, LFIs must ensure data protection with respect to any profiling, data mining, and marketing or sale of financial services through the use of new technologies and social media (Article 184.108.40.206 of the Standards).
Ethical corporate governance and culture
The CPR repeats the importance of treating consumers fairly and having strong governance to ensure compliance with its principles. For instance, Article 3.1 of the CPR explicitly requires LFIs to establish an 'appropriate organizational structure' which is responsible for overall governance activities related to treating consumers fairly.
Governance of retail operations
In addition, as part of Article 3.2 on governance of retail operations, LFIs must ensure compliance with Shari'ah governance (where applicable), have strong security, maintain up-to-date policies and procedures, and be able to demonstrate a corporate culture of consumer service, fairness, transparency, ethical business conduct, and effective disclosure.
Responsible business conduct
Article 5 on responsible business conduct reiterates the importance of the internal culture and behaviour of LFIs, supported by effective policies, procedures, systems, and controls to avoid any potential, perceived, or actual conflict of interest.
Training and awareness
The CPR requires LFIs to conduct sufficient awareness activities in relation to consumers, as well as the training of its staff in relevant areas.
Generally, Article 5 of the CPR on responsible business conduct continues with requirements for staff management. LFIs must ensure ethical behaviour of staff towards consumers by developing an internal code of conduct for the staff, providing regular training, and monitoring complaints (Article 220.127.116.11 of the CPR).
Accordingly, LFIs must provide employee training programs on, among other things, identifying vulnerable persons, complaint identification, complaint handling, complaint resolution, consumer education, and ethical behaviour towards consumers, as well as the data control framework for accessing and handling consumer data and reporting security and policy breaches. This includes reminders on consumer data protection, to be repeated on an annual basis (Article 18.104.22.168 of the Standards).
Disclosure and transparency
Consumers must be proactively provided with all the information necessary to make an informed decision regarding financial products and/or services (Article 2 of the CPR). Such information must be provided under certain conditions regarding content and format, for example, that it must be disclosed in plain language that is accessible and easily understandable, in both English and Arabic.
LFIs must proactively provide useful information and advice in the market in order to comply with the principle of transparency.
The CPR refers to LFI responsibilities in relation to authorised agents, outsourced services, and third parties.
Authorised agents are defined as, 'a commercial representation by a contract pursuant to which the authorized agent undertakes to enter into transaction in the name and for the account of the Licensed Financial Institution and the Licensed Financial Institution shall be liable for any transactions and contracts entered into by the authorized agent within the limits of the authority conferred to the authorized agent by the Licensed Financial Institution'.
LFIs must ensure that all authorised agents comply with the CPR and the Standards (Article 22.214.171.124 of the CPR).
Where personal data is shared with third parties, LFIs must ensure that informed consent has been provided (Article 126.96.36.199 of the CPR).
LFIs are responsible for accepting and addressing all complaints involving activities of authorised agents or anything sold, marketed, or advertised by the agent on behalf of the LFI (Article 188.8.131.52 of the CPR).
Article 6.1.4 of the Standards provides further conditions for sharing personal data with authorised agents.
LFIs must record any breach of access, misuse, or unauthorised release of consumer information, including any harm done by such breach, and report it to the CBUAE to review (Article 184.108.40.206 of the CPR).
Furthermore, LFIs must notify, without undue delay, the CBUAE of all significant consumer data breaches. Consumers must be notified where it may pose a risk to their financial and personal security. In turn, the LFI is liable for reimbursing any direct costs incurred by the consumer for actual harm done as a result of the breach (Article 6 of the CPR).
Required data security measures include limiting access to personal data to authorised business lines and staff, maintaining access logs for audit and supervisory purposes, recording the names and times of access, and applying more than one evidence of identity verification for electronic services.
In addition, more generally, LFIs must ensure their security and protection systems are updated with the capacity to develop and adopt new approaches to cybersecurity as may be required (Article 220.127.116.11 of the CPR).
Penalties and compliance
Violations of any provision of the CPR or the Standards may be subject to supervisory action, sanctions, and penalties as deemed appropriate by the CBUAE, which may include fines, or the replacement or restricting of the powers of Senior Management or Members of the Board (Article 13 of the CPR).
The CBUAE's Financial Consumer Protection Department may issue further guidance relating to the CPR and the Standards.
LFIs have until 31 December 2021 to comply.
Amelia Williams, Privacy Analyst
1. See: https://www.centralbank.ae/sites/default/files/2021-02/CBUAE%20issues%20new%20Consumer%20Protection%20Regulation_EN.pdf
2. See: https://www.centralbank.ae/sites/default/files/2021-03/Consumer%20Protection%20Regulation_0.pdf
3. See: https://www.centralbank.ae/sites/default/files/2021-03/CP%20Standards%20PDF.pdf