September 16, 2022

Impact of UAE Central Bank’s New Consumer Protection Regulations and its accompanying Standards


Ms. Deepthi Azad

Manager Legal, Lulu International Exchange

Following the Covid-19 pandemic, the laws governing consumer protection in the UAE are gaining prominence and are continuously evolving. While the free zones of DIFC and ADGM have their own sector-specific Consumer Protection Regulations (“CPRs”), there is a pressing need to adopt CPRs within the financial services sector as an important step toward safeguarding the rights of consumers.
Accordingly, the Central Bank of the UAE issued the Consumer Protection Regulation (Circular No. 08 of 2020) on 31st December 2020. The CPRs and their associated standards set out the basic requirements for a Licensed Financial Institution to apply the necessary protocols or safeguards while dealing with sensitive consumer data. Since companies in the financial sector are required to handle diversified and highly sensitive consumer protection data, it is imperative for such companies to analyze and understand the intricacies of the CPRs and their accompanying standards.
Licensed Financial Institutions are mandated to comply with the new regulations and standards no later than 31st December 2022.

Why Consumer Protection Regulations are needed and how they can be effectively implemented:
The pandemic has drastically impacted consumers’ financial health, and therefore regaining and rebuilding the confidence and trust of consumers is one of the paramount competitive challenges faced by any Licensed Financial Institution. Further, technological advancements in the digital landscape have created the need to process consumer data effectively, which emphasized the need for the CPRs and their associated standards. Below are the key highlights of the CPRs:

⦁ Ensuring the quality and timing of effective disclosure to consumers by Licensed Financial Institutions concerning the matters or risks that may affect a consumer’s decision to purchase a financial product or service.

⦁ Providing consumers with access to the right information at the right time, giving them the opportunity to make informed decisions.

⦁ Addressing unreasonable barriers and limits to fair competition and giving importance to consumer choice.

⦁ Implementing a proper forum and mechanism for the redress of consumer complaints, including the need to establish a department dedicated to managing consumer protection data.

⦁ Licensed Financial Institutions should report consumer data breaches to the UAE Central Bank in a timely manner. A proper mechanism and protocol should be put in place for the event of a consumer data breach. Adequate training programs need to be conducted by the Company for its employees to ensure adequate data protection for consumers. UAE Federal Data Protection Laws require organizations to adopt an organized and collaborative approach to conducting data privacy programs that aim to uphold the privacy rights of individuals in the UAE.

Paradigm shift while dealing with consumers:
⦁ All Licensed Financial Institutions, prior to providing information to consumers, must independently assess and seek only the relevant data required for the financial products and services. Consumer protection policies should be framed so as to minimize data collection and retention (presently for a period of five years), and consumers should be made aware of the Company’s retention policies. The formats and templates of consumer protection policies should be framed to best suit the needs of consumers.

⦁ Disclosure documents for a financial product or service must contain ‘Warning Statements’ and should clearly inform the consumer of the consequences in the event of the consumer’s failure to meet the Licensed Financial Institution’s terms and conditions. ‘Warning boxes’ should also be used to highlight key risks related to the purchase of financial products and services.

⦁ Disclosure to third parties or related parties of the consumers shall be made only after obtaining written consent from the consumers. The forms should contain a clause pertaining to this condition.

It is imperative for Licensed Financial Institutions to take the disclosure obligations seriously and comply with them, as the UAE Central Bank may impose huge fines and penalties in the event of non-compliance.


When the UAE Central Bank issued the CPRs on 31.12.2020, it was welcome news for consumers. The regulation was aimed at better protection for consumers, intended to cut red tape, and put in place a simpler and clearer consumer protection law that would be easier to interpret and enforce. The parameters contained in the CPRs are in tune with the changing times and are comparable with the standards of the European Union General Data Protection Regulation (EU GDPR). The UAE Federal Data Protection Law also combines the leading practices from global data protection laws, including the EU GDPR, and other forward-looking technological concepts.
As consumers remain more wary while sharing sensitive data with Licensed Financial Institutions, proper protocols and data security policies are to be framed by Fintech firms, which will be further explored in the coming articles.
