In April, the UAE Central Bank told banks and other licensed financial institutions to stop using WhatsApp and similar consumer messaging apps for financial services and customer communications. The instruction covered activities such as sharing customer information, confirming transactions and handling account-related requests, with firms asked to submit compliance updates by 30 April 2026.

The move lands in a market where WhatsApp is one of the main ways people communicate. Statista has described WhatsApp as the most-used social media platform among UAE internet users aged 16 and above, while 2025 market data put usage at around 87.4 per cent of internet users. That makes the Central Bank’s directive more than a narrow compliance update; it tests how financial institutions manage risk on channels customers already use every day.

For Dima Gutzeit, CEO and founder of LeapXpert, which helps financial institutions govern, record and monitor client communications across digital messaging channels, the regulator’s concerns are understandable. The issue is whether removing WhatsApp from approved use gives firms more control, or simply pushes conversations into less visible places.

A ban does not change behaviour

“The CBUAE’s reasoning is sound,” Gutzeit says. “Fraud, impersonation, social engineering, account takeover and cross-border data leakage are real risks, not hypothetical ones. When customer data flows through channels that sit outside an institution’s security perimeter, regulators are right to be concerned.”

But he argues that banning a channel and solving the underlying problem are two very different things.

“WhatsApp has roughly 90 per cent penetration in the UAE,” he says. “Across the broader Gulf region, it is the default way people communicate – with friends, with family and with the businesses they rely on. A regulatory directive does not delete the app from anyone’s phone.”

That, Gutzeit suggests, is where the practical challenge begins. If customers and relationship managers are used to fast, conversational communication, removing one approved channel may not remove the demand for that kind of interaction.

“A ban does not change behaviour,” he says. “Employees continue to use the tools that make their work easier and their clients more responsive. When a ban collides with deeply embedded behaviour, the behaviour tends to win.”

The risk, in his view, is that the conversations do not stop. They simply move.

“Push WhatsApp out of the front door, and the conversations migrate to personal devices, unmonitored channels and shadow IT,” Gutzeit says. “The regulator loses the very thing it was trying to gain: visibility.”

A global off-channel problem

Gutzeit sees the UAE decision as part of a wider regulatory pattern, not an isolated intervention. Across major financial markets, regulators have become increasingly concerned about client communications taking place through channels that firms cannot properly record, supervise or retrieve.

“In the US, the SEC’s off-channel enforcement campaign rewrote the compliance playbook for Wall Street,” he says. “In the UK, the Financial Conduct Authority’s August 2025 multi-firm review found 178 breaches of internal communications policies across 11 wholesale banks, with 41 per cent involving directors or senior managers. In Singapore, the Monetary Authority has tightened governance expectations across digital communication channels.”

The approaches differ by market. The US has leaned heavily on fines. The UK has used supervisory pressure. The UAE has taken the more direct step of prohibition. But Gutzeit says the underlying concern is the same.

“Consumer messaging channels are now embedded in financial services, and the absence of governance around them is an unacceptable risk,” he says. “The question is which approach will actually work.”

Governance over prohibition

For Gutzeit, the answer is not to push financial institutions back towards older channels such as email, SMS or app alerts. Those may be easier to control, but they do not replicate the responsiveness of messaging apps.

“The CBUAE’s approved alternatives – SMS notifications, email and mobile app alerts — are functional but limited,” he says. “They are broadcast channels, not conversation channels. They do not replicate the responsiveness that made WhatsApp valuable to both customers and relationship managers in the first place.”

Instead, he argues that the industry needs to focus on governance: giving firms the ability to capture, archive, monitor and secure conversations while keeping communication close to the way customers already behave.

“Every concern the CBUAE cited in its directive – data residency, fraud prevention, recordkeeping, identity verification — can be addressed without removing the channel entirely,” Gutzeit says.

That could include verified business identities rather than personal phone numbers, encrypted records stored within national borders, real-time monitoring for suspicious patterns and automatic archiving from the moment a message is sent.

“Data residency is a solvable problem,” he says. “Impersonation risk drops significantly when messages are sent through verified business identities rather than personal phone numbers. Social engineering becomes far harder when conversations are monitored in real time and flagged for anomalous patterns. And recordkeeping becomes automatic when every message is archived from the moment it is sent.”

For Gutzeit, that is the real distinction. The problem is not that financial services customers want to use modern communication tools. The problem is that firms have often allowed those conversations to happen outside proper controls.

“The channel is not the problem,” he says. “The absence of oversight is.”