Introduction
The UAE banking sector follows a sectoral, layered approach to data protection rather than a single omnibus statute. Licensed Financial Institutions (LFIs) fall under the supervisory remit of the Central Bank of the UAE (CBUAE) and face overlapping obligations covering banking secrecy, consumer protection, outsourcing controls, and financial crime compliance. This article is intended for legal, compliance, risk and data governance professionals at UAE LFIs. It provides a practical overview of the CBUAE framework governing customer data, structured around three pillars: (i) federal CBUAE legislation, (ii) the consumer protection regime, and (iii) the outsourcing and AML/CFT standards. This is followed by a set of key operational obligations and practical implementation takeaways.
Scope and carve-outs
This analysis focuses on the federal mainland banking sector and excludes the financial free zones, which operate under their own data protection regimes. In the mainland context, personal data processing by banks is primarily governed by the CBUAE framework, because the federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) excludes from its scope banking and credit data that are already governed by specific sectoral legislation. For practitioners, this means compliance efforts for customer data protection should focus primarily on the CBUAE framework. For non-banking financial services, other CBUAE instruments (e.g., those for Stored Value Facilities) also contain relevant provisions.
The framework can be understood across three pillars that together set the confidentiality, security, and governance baseline for customer data.
Pillar 1 – Federal CBUAE Legislation (2025 Decree-Law)
- The 2025 CBUAE decree-law, which supersedes the 2018 enactment, reaffirms and further elaborates on banking and credit secrecy. As a baseline:
- All data and information relating to customers and their transactions at LFIs are confidential by default and may not be disclosed without the customer’s consent or in legally authorised cases.
- The duty of confidentiality continues after the termination of the customer relationship and applies to a wide range of persons (e.g., board members, authorised individuals, employees, consultants, technicians) who gain access by virtue of their roles.
- The decree-law also strengthens consumer protection and introduces explicit provisions on fraud prevention and breach notification, requiring robust fraud controls and prompt notification to affected customers where security incidents occur.
- The Central Bank retains broad supervisory access powers and sets conditions for data exchange and confidentiality consistent with its oversight role, alongside requiring cooperation from LFIs during incidents.
Pillar 2 – Consumer Protection Regulation and Standards (CPR/CPS)
- Consumer Protection Regulation (Circular No. 8 of 2020) (CPR) and Consumer Protection Standards (CPS). The CPR and CPS establish a comprehensive conduct and data protection regime for LFIs, including:
- Definitions and data minimisation. The CPR/CPS use broad definitions of “Data” and “Personal Data” and require LFIs to collect only the minimum data necessary for licensed activities and to treat customer information as confidential.
- Data Management Control Framework and accountability. LFIs must establish a comprehensive framework of policies, controls, and systems covering the full data lifecycle, and must designate senior management accountability for data management and protection.
- Expressed consent and withdrawal. LFIs must provide clear, written disclosures before seeking consent to use or share personal data and must retain evidence of that consent. Customers must be able to withdraw consent at any time, subject to legal or regulatory processing needs.
- Security and access controls. This includes secure digital processing, access rights management, monitoring for unauthorised access, and employee training. Online identity verification must use multi-factor authentication, and LFIs must warn customers about fraud attempts.
- Breach management and notifications. LFIs must notify the CBUAE without delay of material breaches of personal data and inform customers without undue delay where there is a risk to their financial or personal security.
- Record retention. Personal data, documents, and records must be securely retained for at least five years, with secure destruction thereafter when no longer required by law or for a specified purpose.
- Outsourcing and conflicts of interest. The regime includes specific requirements addressing outsourcing, authorised agents, and data handling across business lines and connected parties to prevent the misuse of personal data.
Pillar 3 – Outsourcing Regime and AML/CFT Standards
- Outsourcing Regulation for Banks (Circular No. 14 of 2021) and Outsourcing Standards. The outsourcing framework imposes strict data ownership, access, localisation and third-party oversight requirements:
- LFIs must comply with all applicable UAE laws when managing and processing data in outsourced arrangements and retain ownership of all data provided to service providers; customers retain ownership of their data, including confidential data.
- Outsourcing agreements must ensure unfettered access for the bank to its data during the term and at termination, and must provide for CBUAE and its agents’ access, including the right to on-site inspections at the service provider.
- Agreements must include robust data protection obligations (confidentiality, access control, integrity, audit trails, incident detection/response/recovery, and breach notification to the bank without undue delay).
- Unauthorised disclosure or third-party access to confidential data is prohibited; subcontracting must be strictly controlled, and where subcontracting involves confidential data, subcontractors must fully comply with the applicable requirements.
- Cross-border controls. Banks may not share confidential customer data outside the UAE without both CBUAE approval and the customer’s prior written consent, which must acknowledge the possibility of access in foreign legal proceedings. Banks must avoid outsourcing arrangements in jurisdictions that do not provide equivalent protection for confidential data or that might restrict CBUAE’s supervisory access.
- LFIs must ensure third parties maintain appropriate information security, and that internal audit and compliance cover outsourced activities on a risk basis.
- Banks must maintain an outsourcing register, classify materiality and data sensitivity, and obtain CBUAE non-objection for material outsourcing.
- AML/CFT Guidelines for Financial Institutions (July 2023). The AML/CFT Guidelines overlay specific confidentiality and data handling duties in the financial crime context:
- LFIs must maintain the confidentiality of suspicious transaction reports (STRs) and related information, and implement access controls and secure handling protocols, especially for first-line staff.
- The well-established prohibition on “tipping-off” requires LFIs to ensure that staff do not disclose the existence of an STR or related investigations to the customer or third parties. Policies, training, and system access controls should be designed to prevent inadvertent disclosure.
- The regime provides protections for reporters acting in good faith and requires robust record-keeping for at least five years, aligned to customer due diligence (CDD), monitoring, and transaction records.
Key Operational Obligations
- Confidentiality-by-design. Embed the sector’s secrecy obligations across processes, access controls, and audit logs, limiting access to customer data on a need-to-know basis.
- Data governance and accountability. Implement a Data Management Control Framework with senior accountability, formal policies, role-based access, training, and periodic effectiveness reviews.
- Lawful basis and consent. Provide plain-language disclosures, obtain and document expressed consent before using or sharing personal data, and enable withdrawal of consent in line with legal requirements.
- Security controls. Maintain multi-factor controls for online identity verification, robust access rights management, physical and cyber protections, integrity controls, audit trails, and tested incident response procedures.
- Breach readiness and notifications. Establish playbooks for breach detection, containment, and notification. Notify the CBUAE without delay of material personal data breaches and inform affected customers without undue delay where there is a risk to their financial or personal security.
- Outsourcing diligence and contract hygiene. Maintain an outsourcing register, conduct thorough due diligence, and ensure agreements include all required clauses for ownership, access, audit, breach notification, and CBUAE access.
- Cross-border controls and supervisory access. Do not transfer confidential customer data outside the UAE without CBUAE approval and prior customer consent; avoid jurisdictions that impede supervisory access or lack equivalent protection.
- AML/CFT confidentiality and STR handling. Maintain strict confidentiality around STRs, implement secure case-management access, and train staff to avoid tipping-off.
- Record-keeping. Securely retain personal data and AML/CFT records for at least five years and ensure their retrievability for supervisory purposes. The five-year minimum under the CPR/CPS is aligned with the AML/CFT record-keeping requirement, so a single retention schedule can serve both regimes.
Practical Implementation Takeaways
The following takeaways focus on how LFIs can operationalise the above obligations.
- Governance and culture. Establish a Board-approved data and outsourcing governance framework and assign a senior executive accountable for data management and protection.
- Controls and monitoring. Implement segregation of duties and role-based access for all customer data, with periodic privilege reviews. Integrate data protection KPIs into compliance and operational risk dashboards.
- Third-party oversight. Standardise outsourcing due diligence criteria and require robust breach notification obligations and audit rights in all third-party contracts.
- Cross-border data management. Pre-clear with the CBUAE where confidential customer data must be processed from outside the UAE and obtain prior written customer consent. Maintain robust mapping of cross-border data flows.
- Incident response and remediation. Maintain an incident register, execute timely notifications to the CBUAE and customers, document corrective actions, and provide compensation for direct losses where required.
- AML/CFT integration. Embed confidential handling of STR-related data in policies, access models, and staff training. Monitor adherence and document controls for higher-risk scenarios.
Regulatory Update
- This article reflects the 2025 CBUAE decree-law, which reaffirms confidentiality obligations and introduces explicit provisions on fraud prevention and customer breach notification, while preserving the continuity of existing regulations and standards until they are replaced.
- On data localisation, the outsourcing regime operates as a permissions-and-controls model rather than a prescriptive requirement to hold a "master system of record" in the UAE: confidential customer data may be shared cross-border only with CBUAE approval and prior written customer consent, subject to equivalent safeguards in the receiving jurisdiction and preserved CBUAE supervisory access.
Conclusion
The UAE’s sectoral model for banking data protection is both comprehensive and operationally prescriptive. LFIs that embed confidentiality-by-design, demonstrate clear data ownership and control across their supply chains, and maintain robust breach readiness will be better positioned to meet CBUAE supervisory expectations, reduce regulatory risk, and sustain customer trust. As the CBUAE continues to refine its framework, LFIs should periodically reassess their practices to ensure alignment with evolving expectations.
How Can We Help?
GLA & Co helps UAE banks and financial institutions translate the CBUAE’s data protection and confidentiality requirements into clear, workable solutions. We advise on regulatory alignment, data governance frameworks, outsourcing and cross-border data arrangements, and breach readiness—ensuring compliance that stands up to supervisory scrutiny.
Whether you are assessing gaps, responding to regulatory change, or strengthening your data controls, our team can support you with practical, regulator-ready advice. For further information or to discuss how these requirements apply to your institution, please contact Ashraf Hendi ([email protected]) or Asad Ahmad ([email protected]).
Authors: Ashraf Hendi, Partner and Head of Banking and Finance, Asad Ahmad, Legal Director and Maryam Tarek, Associate.