WHAT THE NOTICE SAYS
Notice No. CBUAE/MCS/2026/2058, dated 17 April 2026 and signed by the Assistant Governor for Banking and Insurance Supervision, directs all Licensed Financial Institutions to stop using instant messaging for any communication involving customer data. The legal basis is CPS Article 6.1.1.4 (secure environment in all delivery channels) and Article 6.1.6.3 (consumer data stored within the UAE). WhatsApp fails both tests: data transits Meta's servers outside the UAE, and the insurer has no audit trail, no access control, and no retention.
PROHIBITED (I)
Requesting, receiving, sharing, or transmitting customer data and information
PROHIBITED (II)
Initiating, processing, or confirming transactions involving customer data
PROHIBITED (III)
Authentication details, OTPs, passwords, IDs, forms, screenshots, statements, or any attachment containing customer information — plus a catch-all covering anything that causes data to be stored outside the UAE
VPN workarounds are explicitly excluded. Approved alternatives: mobile apps, online platforms, call centers, and branches. The notice uses "advises" rather than "directs," but a compliance confirmation requirement, a hard deadline, and references to supervisory action and financial sanctions leave little room for reading it as optional.
The obligation extends beyond the insurer's own staff. The CPR defines "Staff" to include third parties acting on behalf of a Licensed Financial Institution (Article 1(54)), and the notice explicitly requires governance alignment with outsourcing expectations (required action 3). Claims handlers, TPAs, and service providers handling policyholder data on behalf of an insurer fall within scope. If the outsourced claims operation is still running on WhatsApp, the insurer carries the regulatory exposure under CPS 5.1.1.81.
WHAT REMAINS UNCLEAR
TPA classification
Federal Decree-Law 48/2023 gives the CBUAE direct enforcement powers over "Insurance-Related Professionals" (fines up to AED100M, license suspension). Motor TPAs are not named explicitly, but a catch-all covers "any other profession related to insurance as determined by the Board." The contractual cascade from the insurer is certain. Whether the CBUAE can also act against TPAs directly is the open question.
Notification-only messages
The notice enumerates prohibited content in detail — customer data, transactions, OTPs, IDs, forms, attachments. A message containing none of those items (a plain link with no personal data) is not on the list. Whether the regulator intended the enumeration as exhaustive or illustrative determines whether WhatsApp can remain as a notification channel.
A PRACTICAL FIX
The question is not whether WhatsApp leaves the claims workflow. It is what replaces it without breaking the workflow.
FNOL photos, Emirates IDs, driving licenses, repair estimates, workshop coordination — in the UAE, all of it runs on WhatsApp because WhatsApp is the path of least friction. Removing it without a workable replacement does not create compliance; it creates a gap between the formal process and the actual process.
PORTAL-LINK MODEL
1. Document upload. Claim photo, ID, or estimate uploaded to a secure portal on UAE infrastructure.
↓
2. Notification sent. WhatsApp or SMS delivers a time-limited link. No claim number, no name, no data — just "a document is ready."
↓
3. Authenticate and access. Recipient clicks through, verifies via SMS OTP, views or uploads documents on the portal. Logged, retained, audit-ready.
The model maps directly to the notice's prohibitions. A notification link contains no customer data (i), no transaction details (ii), no IDs, forms, or attachments (iii), and does not cause data to be stored outside the UAE (catch-all). The portal qualifies as an "online platform" — an approved channel. Banks have operated this way for years, sending SMS notifications with app links. The same logic applies to claims.
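The three steps above, sketched as an added example (not Axxion's code and not something the notice specifies): the link is a random token that encodes nothing, the message is fixed wording plus that link, and the portal releases the document only for a live token with a verified OTP. The host name, the 15-minute lifetime, single-use redemption, the in-memory store, and the `otp_ok` flag standing in for SMS OTP verification are all assumptions.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60   # assumed lifetime; the page only says "time-limited"
PORTAL_BASE = "https://portal.example.invalid/d/"   # placeholder host

_links = {}      # sha256(token) -> record; stands in for the portal database
audit_log = []   # every redemption attempt is recorded, allowed or not


def issue_link(doc_id, now=None):
    """Step 2: create an opaque link for a document already on the portal."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # random; carries no claim or customer data
    key = hashlib.sha256(token.encode()).hexdigest()   # store the hash, not the token
    _links[key] = {"doc_id": doc_id, "expires": now + LINK_TTL_SECONDS, "used": False}
    return PORTAL_BASE + token


def notification_text(url):
    """Body sent over WhatsApp or SMS: fixed wording plus the link, nothing else."""
    return "A document is ready. Open the secure portal: " + url


def redeem(url, otp_ok, now=None):
    """Step 3: return the document id only for a live, unused token and a verified OTP."""
    now = time.time() if now is None else now
    token = url[len(PORTAL_BASE):] if url.startswith(PORTAL_BASE) else ""
    rec = _links.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None:
        outcome = "unknown_link"
    elif rec["used"]:
        outcome = "replayed"
    elif now > rec["expires"]:
        outcome = "expired"
    elif not otp_ok:
        outcome = "otp_failed"   # holding the link alone is not authentication
    else:
        rec["used"] = True       # assumed single-use; a portal session takes over
        outcome = "granted"
    audit_log.append({"time": now, "outcome": outcome})
    return rec["doc_id"] if outcome == "granted" else None
```

A failed OTP does not consume the token, so a mistyped code does not force a new notification, while a replayed or expired link is refused and still leaves an audit entry.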
FROM THE DESK OF AXXION
Axxion is building the portal.
The secure document exchange is part of the claims infrastructure Axxion operates for its insurer clients, integrated into the FNOL and repair management workflow. Claims submitted through the portal carry structured data from the first touchpoint — authenticated, logged, stored on UAE infrastructure, and audit-ready from day one.
For a walkthrough of how the compliant claims intake channel works, or to talk about how Axxion handles FNOL, repair management, and claims communication for its insurer partners, reach out to Frederik Bisbjerg or Stijn Venrooij on LinkedIn, or email hi@axxion.co.
Sources: CBUAE Notice No. CBUAE/MCS/2026/2058, 17 April 2026; Consumer Protection Regulation (Circular 8/2020); Consumer Protection Standards (CBUAE/BSD/N/2021/1158); Federal Decree-Law No. 48/2023; Federal Decree-Law No. 6/2025.
