A summary of Article 6 requirements for Consumer Protection Regulation (CPR) by the Central Bank of UAE (CBUAE)
With the ever-evolving digital landscape and advancements in technologies that process consumer data, the need for consumer protection and associated rights has grown exponentially.
Case in point, the Central Bank of the UAE (CBUAE) has issued the Consumer Protection Regulation (CPR), acting as an overarching regulatory framework for Licensed Financial Institutions (LFIs).
CPR is supported by Consumer Protection Standards, which define regulatory requirements to ensure consistent interpretation and implementation of the CPR principles.
By introducing this regulation and the accompanying standards, the CBUAE seeks to ensure that LFIs’ approach to consumer protection aligns with international standards. The Regulation focuses on developing various capabilities to understand, manage and protect consumers’ data and associated complaints/inquiries.
What is the objective of this regulation?
The primary objective of the regulation is to protect consumers and contribute to the overall stability of the financial services industry. The law aims to strengthen governance, promote responsible financing practices, and protect consumer rights.
Whom shall it be applicable to?
This regulation and supporting standards apply to all LFIs licensed by the CBUAE concerning activities specified in Article 65 of the Decretal Law No. 14 of 2018.
What are LFIs?
LFIs include banks and other financial institutions licensed to carry out Licensed Financial Activities as per the Central Bank Regulation. This regulation ensures consumers’ interests are protected when using any financial product and/or service or when a relationship with an LFI exists.
- National Bank
- Foreign Bank
- Financial Companies
- Exchange Businesses
- Payment Service Providers
- Investment Banks
- Wholesale Banks
- Monetary Intermediaries
What will be covered in the Regulation?
The Regulation comprises 15 articles, providing information about the minimum measures all financial institutions are required to take to protect customers’ data.
| Article | Title | Summary |
|---|---|---|
| Article 1 | Definition | For the purposes of this Regulation, words and expressions shall have the usual meaning assigned to, unless the context requires otherwise, as mentioned below and/or defined in other Laws and Regulations. |
| Article 2 | Disclosure and Transparency | Consumers must be proactively provided with all the information necessary to make an informed decision regarding Financial Products and/or Services. Transparency is positive conduct, which complements Disclosure. |
| Article 3 | Institutional Oversight | The principle is to promote positive institutional conduct in serving all Consumers fairly. |
| Article 4 | Market Conduct | Licensed Financial Institutions must sell and provide Consumers with appropriate products and/or services in accordance with the principles of this Regulation. |
| Article 5 | Business Conduct | Responsible business conduct is based on the internal culture and behaviour of Licensed Financial Institutions. |
| Article 6 | Protection of Consumer Data and Assets | Licensed Financial Institutions must continually make appropriate efforts and investments to stay on top of the risks and make use of the latest technology and solutions to protect Consumer assets and Data. |
| Article 7 | Responsible Financing Practice | Financing must be provided in a responsible manner to protect Consumers, prevent over-indebtedness, and support economic stability. |
| Article 8 | Complaint Management and Complaint Resolution | Licensed Financial Institutions must have in place a fair, accessible and transparent process provided without charge for addressing Complaints with Consumers and that are resolved in a timely manner. |
| Article 9 | Consumer Education and Awareness | The Central Bank and Licensed Financial Institutions shall work together to raise public awareness of the types of banking services and financial products and their inherent risk. |
| Article 10 | Financial Inclusion | The Board of Directors shall establish necessary regulations and mechanisms to ensure that every natural Person shall have the right to access all or part of the banking and financial services and products from Licensed Financial Institutions suited to his/her need. |
| Article 11 | Shari’ah Compliance for Financial Services | Given the critical significance of Shari’ah compliance in the Islamic finance business, Islamic Institutions in the State must strive for the best international standards by incorporating Shari’ah principles. |
| Article 12 | Conflict with Other Regulation | In case of any conflict with any requirement of any other regulatory authority as applicable to LFI, the provision of this Regulation and accompanying Standards will prevail. |
| Article 13 | Enforcement and Sanctions | Violation of any provision of this Regulation and the accompanying Standards may be subject to supervisory action, sanctions and penalties as deemed appropriate by the Central Bank. |
| Article 14 | Interpretation of Regulation | The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation. |
| Article 15 | Publication and Effective Date | This Regulation and the accompanying Standards shall be published in the Official Gazette and shall be considered effective one month from the date of publication. |
The following are some of the key compliance requirements stipulated in Article 6 of the CPR:
- LFIs must establish a function and maintain policies, procedures, systems and controls for data management and protection.
- LFIs must have policies for record-keeping and data retention.
- LFIs must have security and monitoring measures to detect and monitor unauthorized access or use of consumer information.
- LFIs must notify the CB and consumers about a consumer data breach.
- LFIs are liable for reimbursing any direct cost due to data breach harm.
- LFIs must ensure that consumers know about the data collected, used, and shared with third parties.
- LFIs must prevent the misuse of consumer information and data.
How can Network Intelligence assist?
Our Cybersecurity and Data Privacy practice is present in major markets around the world. We assist organizations in transforming their security, privacy, and continuity controls while maintaining the confidentiality, integrity and availability of critical business functions.
We utilize proven frameworks to support organizations. Our teams conduct assessments and provide insight into the current state to identify gaps and translate insights into next steps and implementation roadmaps. Our goal is to assist organizations in developing a data management practice that is built on the right foundation and has a clear data strategy, target operating model and roadmap to drive the best value from data assets.
The following activities will be carried out by our expert Cybersecurity veterans to help you achieve your CPR goals:
- Implementation of CBUAE CPR
- Gap Assessment and Compliance Check
- Creation of Policy/Procedure Framework
- Review and Update of Policy/Procedure Framework
- Identity and Access Management
- Incident Management
Network Intelligence invites you to join our upcoming webinar on Consumer Protection Regulation – UAE.
The views given are those of the author. All names used above are owned by their respective owners.
Please feel free to reach out to book a quick call with our expert to know more.
Pratik Samant - Vice President, Americas & EMEA, Network Intelligence | Call: +971 56 118 1669
Pratik heads business in the EMEA and North America regions. Having single-handedly grown our Middle East business from the first client in 2012 to contributing nearly 40% of our global revenues, he loves nothing more than closing deals and chasing targets, while sustaining relationships. His 20 years of experience in the IT industry includes an extensive 18 years of Cybersecurity experience with previous stints in sales roles at MTech and Allied Digital among other firms.