Book traversal links for Article 6: Protection of Consumer Data and Assets
Article 6: Protection of Consumer Data and Assets
N 1158/20216.1 Consumer Data Protection
6.1.1 Policies, Procedures and Systems
6.1.1.1 Pursuant to Article (120) in Decretal Federal Law No. (14) of 2018, Regarding the Central Bank & Organization of Financial Institutions and Activities, Licensed Financial Institutions must have policies, procedures and control frameworks regarding the collection, protection, confidentiality and authorized use of Consumers’ Data. Consumers must be informed in Writing with respect to how their personal information will be processed, e.g. collected, used, disclosed, Data mined and profiled.
6.1.1.2 Licensed Financial Institutions must protect Consumer Data and maintain the confidentiality of the Data, including when it is held, accessed or used by Authorized Agents.
6.1.1.3 Licensed Financial Institutions are responsible for ensuring Data protection and individual Consumer confidentiality with respect to any profiling, Data mining, marketing and sale of financial services through use of new technologies and social media.
6.1.1.4 Licensed Financial Institution must provide a safe, secure and confidential environment in all of its delivery channels to ensure a high level of confidentiality and privacy of Personal Data.
6.1.1.5 Licensed Financial Institutions have a legal obligation of confidentiality towards a Consumer except:
a. When disclosure of Consumer Data is properly imposed by a legal authority; or
b. When disclosure is made with the expressed consent of the Consumer, or through a representative nominated by the Consumer.
6.1.1.6 Licensed Financial Institutions must have a proper Data Management Control Framework with policies, procedures, system controls, and checks and balances to protect Consumer Data and to identify and resolve any incidents of information security breaches, when they may occur.
6.1.1.7 Where the Consumer’s identity verification is conducted online, the Licensed Financial Institution must apply more than one evidence of identity verification for electronic services. Licensed Financial Institutions must advise Consumers regarding any directed and repeated attempts of online fraud on their accounts for the Consumers to take additional precautions.
6.1.1.8 Licensed Financial Institutions must secure digital transaction processing and controls, implement detailed activity monitoring and enhance Consumer identification methods in accordance with the Central Bank’s requirements for strengthening Digital Channels.
6.1.1.9 Licensed Financial Institutions must provide employee training and awareness programs on their Data control framework for accessing and handling Consumer Data and reporting security and policy breaches. The Licensed Financial Institution must promote the importance of protecting Consumer’s Data as an ongoing responsibility of Staff with reminders sent on an annual basis.
6.1.1.10 Licensed Financial Institutions must ensure that access to personal information and Personal Data of Consumers is limited to authorized business lines and their Staff only. Licensed Financial Institutions must maintain logs for audit and supervisory purposes, recording the names of Staff who have accessed Consumer databases and the timing. Such records must be provided to the Central Bank as and when requested.
6.1.2 Data Management of Data Protection
6.1.2.1 The Board must designate responsibility and accountability for the Data Management and Protection function to a senior position in management who reports directly to Senior Management. The function is responsible for ensuring oversight of and compliance with the Data Management Control Framework and any related requirements for Data protection and privacy laws of the UAE and the Central Bank.
6.1.2.2 The Data Management and Protection function must ensure that:
a. Adequate monitoring and preventive controls are in place to detect any unauthorized or accidental loss, misuse, modification, access, disclosure or destruction of Personal Data;
b. Verifications are regularly carried out on the legitimacy of Data collection, access to Data, Data integrity and the electronic procedures and address any issues identified;
c. Controls are commensurate with the criticality and sensitivity of the relevant systems and Data handled; and
d. Detailed monitoring of records and the actions taken are maintained for 5 years.
6.1.2.3 The Data Management and Protection Function must:
a. Annually review and improve the adequacy of the Data Management Control Framework for the collection, classification, storage, usage, transfer, protection, correction and destruction of Personal Data;
b. Monitor, investigate and report to Senior Management any material incidents of accidental or unauthorized access, loss, alteration, transfer, destruction, use, modification or disclosure of Data; and
c. Participate in the handling and investigation of privacy related Consumer Complaints and must report the conclusion of the investigation to the head of the Complaint Management function, who will then correspond with the Consumer and provide the Institution’s findings in Writing.
6.1.2.4 The Data Management and Protection function must issue reports to the Senior Management and the Board on significant Data management violations and breaches immediately. Senior Management must ensure proactive measures are taken to address the violation / breach and to improve Data management systems and safeguard the confidentiality and privacy of Consumers’ Personal Data.
6.1.2.5 Licensed Financial Institutions must, without delay, inform their Consumers of unauthorized access to, and/or loss, destruction or alteration of Consumers’ Personal Data where it may reasonably pose a risk to the Consumer’s financial and personal security and/or where it may pose reputational harm to a Consumer.
6.1.2.6 Licensed Financial Institutions must notify the Central Bank immediately of all significant breaches of Personal Data.
6.1.3 Expressed Consent by Consumers
6.1.3.1 Licensed Financial Institutions must ensure Personal Data is:
a. Collected for a lawful purpose directly related to the Licensed Financial Activities of the Licensed Financial Institution;
b. Adequate and not excessive in relation to the stated purpose; and
c. Collected with appropriate security and protection measures against unauthorized or unlawful processing and accidental loss, destruction, or damage.
6.1.3.2 Before requesting the consent of a Consumer to share Personal Data, the Licensed Financial Institution must proactively disclose in Writing to a Consumer its intent to use and/or share Personal Data and with whom the Consumer’s Personal Data will be shared.
6.1.3.3 The Consumer must give his/her expressed consent freely and explicitly to a request for the use and/or sharing of Personal Data by the Licensed Financial Institution. The request for consent must be expressed in clear and plain language and inform the Consumer of his/ her right to refuse to provide expressed consent.
6.1.3.4 Licensed Financial Institutions must obtain informed and expressed consent before using and sharing a Consumer’s Personal Data for direct marketing or transferring the Personal Data to Authorized Agents for direct marketing. A copy of the expressed consent must be retained for 5 years after the relationship with the Consumer has terminated.
6.1.3.5 The Consumer shall have the right to withdraw expressed consent for the following at any time:
a. The processing of Personal Data by the Licensed Financial Institution except where Persona Data is required for business operations related to the Consumer’s Products and Services; and
b. Personal Data sharing with Authorized Agents and other third parties for purposes such as but not limited to sales and marketing.
6.1.3.6 Prior to a Consumer entering any contract with a Licensed Financial Institution, the Licensed Financial Institution must provide the following disclosures to the Consumer:
a. That Licensed Financial Institutions will only collect Data / Personal Data for a lawful purpose directly related to a function or activity of the Consumer;
b. Whether the collection is obligatory or voluntary for the Consumer to provide the Data / Personal Data;
c. Where it is obligatory for the Consumer to provide the Data / Personal Data, the consequences for the Consumer for failing to provide the Data / Personal Data as required;
d. A future withdrawal of expressed consent by a Consumer shall not affect the lawfulness of Data processing based on the prior expressed consent. Unless specified otherwise, the withdrawal must take effect within complete 30 calendar days of the Consumer requesting the withdrawal with the Licensed Financial Institution;
e. When Data / Personal Data of the Consumer is being processed by or on behalf of the Licensed Financial Institution, provide a description of the Data / Personal Data being processed;
f. When other external information on the Consumer is collected by the Licensed Financial Institution and the source of that Data / Personal Data; g. The Consumer’s right and means to request access to and to request correction of the Data / Personal Data and how to contact the Licensed Financial Institution with any inquiries or Complaints in respect of the Data / Personal Data; and
h. The choices and means the Licensed Financial Institution offers the Consumer for limiting the processing of Data / Personal Data.
6.1.4 Sharing with Authorized Agents
6.1.4.1 Licensed Financial Institutions must ensure that any Authorized Agent to whom some part or the entire delivery of the Financial Product and/or Service is outsourced meet the fit and proper policy regarding Data management and protection including secure handling procedures and applying proper controls.
6.1.4.2 Licensed Financial Institutions must ensure that access to a Consumer’s Personal Data by Authorized Agents is properly authorized in Writing by the Licensed Financial Institution, regularly monitored, and appropriately restricted in line with the purpose of the access given. All legal contracts with Authorized Agents relating to the Outsourcing of functions and services must include appropriate provisions for safeguarding confidentiality of Personal Data and must prohibit the unauthorized disclosure of confidential Personal Data by Authorized Agents. The Authorized Agents must report to the Licensed Financial Institutions Data Management and Protection function significant breaches of Personal Data. The Licensed Financial Institution’s obligation to protect all Consumer Data extends to the actions of all Authorized Agents.
6.1.4.3 Where Personal Data is shared and retained outside of a Licensed Financial Institution’s own network such as with Authorized Agents, Licensed Financial Institutions and Authorized Agents must use encryption techniques to suitably encrypt Consumer Data and take measures for the secure transfer of Data.
6.1.4.4 Licensed Financial Institutions are responsible for ensuring any outsourced technology using or retaining Personal Data meets the highest standards of security, encryption and protection and are regularly audited and verified for vulnerabilities.
6.1.4.5 In the event of a termination of an Outsourcing contract with a Third Party, Licensed Financial Institutions must ensure and be able to demonstrate that all Personal Data is either retrieved from the Third Party and/ or is destroyed.
6.1.4.6 Where the Consumer provided expressed consent to the Licensed Financial Institution for sharing Data to a Third Party, the Licensed Financial Institution must confirm in any contract with a Third Party that the Third Party has no further right to share the Data or use it for other unauthorized purposes unless required by the laws in UAE.
6.1.5 Sharing With Authorized Credit Information Agencies
6.1.5.1 Licensed Financial Institutions are required to provide Consumer Data to government- authorized Credit Information Agencies as may be prescribed. Consumers must be informed of this requirement and be advised as to the possible limitations of accessing future Financial Products and/or Services based on the Consumer records provided to these agencies.
6.1.5.2 Correction of Reported Credit Information:
a. With respect to any Errors, omissions or inaccuracies of Consumer information and Personal Data provided to the Credit Information Agencies by a Licensed Financial Institution, the Licensed Financial Institution must correct any Errors, omissions and inaccuracies within 7 complete business days of becoming aware of it;
b. For Personal Data unlawfully collected and reported by Licensed Financial Institutions, the Licensed Financial Institution must request the deletion of such Data in order to reduce the permanence of erroneous Personal Data in the Credit Information Agencies; and
c. When Consumers notify and request a Licensed Financial Institution to make updates or corrections to their Data reported to Credit Information Agencies, the Licensed Financial Institution must acknowledge receipt and verify if the request is accurate. If an update or correction is required, the Licensed Financial Institutions must report the update or correction to the Credit Information Agencies within 7 complete business days of the Licensed Financial Institution having been notified by the Consumer.
6.1.6 Standards for Retention of Consumer Records
6.1.6.1 All Personal Data, documents, records and files must be securely retained for a minimum of 5 years. The retention period begins, depending on the circumstances, from the date of the most recent of any of the following events:
a. Termination of the Business Relationship or the closing of a Consumer’s account with the Licensed Financial Institution; and
b. Completion of a casual transaction (in respect of a Consumer with whom no Business Relationship is established).
All Standards related to confidentiality and security must be maintained after the termination of the relationship until the Personal Data is destroyed.
6.1.6.2 Licensed Financial Institutions must not process or use Personal Data for any period longer than is necessary for the fulfillment of the purpose for which that Personal Data is required. After the lapse of the mandatory retention period for retaining Consumer records, Licensed Financial Institutions must take all reasonable steps to ensure that all Data / Personal Data is destroyed or permanently deleted if it is no longer required for the purpose for which it was collected and processed or no longer required by law.
6.1.6.3 All Licensed Financial Institutions must hold and store all Consumer and transaction Data within the UAE as prescribed by the Central Bank.
At a minimum, Licensed Financial Institutions must also establish a safe and secure backup of all the Consumer Data and transactions in a separate location for the required period of retention specified in Section 6.1.6.
6.1.6.4 Licensed Financial Institutions must ensure there is secure retention of Consumer Data that would prevent any unauthorized or accidental loss, misuse, modification, access, disclosure or destruction. Licensed Financial Institutions must review their procedures and methods for retention of Consumer Data on an annual basis.
6.1.7 Notification to the Central Bank
6.1.7.1 Where breaches of the Data Management Control Framework occur regarding the unauthorized access or release of Consumer Personal Data, the Licensed Financial Institution must record any disciplinary actions taken against any Staff, agents or contractors responsible for the breach. The Licensed Financial Institution must maintain records of such events for 5 years after the event being recorded. The records must be made available to Central Bank upon request.
6.1.7.2 Licensed Financial Institutions must notify the Central Bank of any material Data breaches, losses, destruction or alteration when they occur, in a manner, as may be prescribed by the Central Bank.
6.2 Protection of Consumer Assets, Information and Data against Fraud, Misappropriation and Misuse
6.2.1 Protection of Assets
6.2.1.1 Licensed Financial Institutions must ensure that they have clearly assigned responsibility and accountability for security of assets to Senior Management who must ensure internal control structures are in place and monitored including:
a. The proper segregation of duties, roles and responsibilities of management and Staff within the Licensed Financial Institution;
b. Operational risk mitigation;
c. Application of logistical access security;
d. Access rights and security on electronic Data and to assets;
e. Physical security of the Consumer assets and records; and
f. Completeness of documentation relating to business processes, policies, controls, and technical requirements in accordance with UAE’s anti-money laundering and terrorism financing guidelines.
6.2.1.2 Licensed Financial Institutions must implement stringent safeguards and verifications in order to protect unclaimed assets including the assets in the form of Stored Value Facilities, digital money, and dormant accounts and to ensure effective monitoring and reporting of any attempts to access them.
6.2.1.3 Collateral provided by the Consumer / guarantor must be properly secured and protected by the Licensed Financial Institution. The Licensed Financial Institution must act honestly, fairly and professionally and take into account the best interests of Consumer, while managing the collateralized assets.
6.2.1.4 Unclaimed Funds: Exchange Houses must ensure that unclaimed funds are assessed, documented, monitored and disclosed on a monthly basis as prescribed by the Central Bank.
6.2.1.5 Licensed Financial Institutions must have a robust internal risk based policy to update Consumers’ KYC documents, including expired identification documentation. Where Consumers have failed to respond to the Licensed Financial Institution’s written notices requesting the Consumer to provide required identification details to update the Licensed Financial Institution’s records, banks must after a notice period of 90 calendar days or after such period as may be prescribed by the Central Bank, temporarily block Debit & Credit Cards for all types of transactions, including ATM withdrawals. However, all other operations in the accounts of the Consumers are permitted through the branch. Licensed Financial Institutions must not levy any charges on such temporary blockage of the Consumers’ use of their cards.
6.2.1.6 Licensed Financial Institutions must undertake Consumer education initiatives and undertake fraud awareness campaigns every year and more frequently if there is evidence of heightened fraudulent activity.
6.2.1.7 Licensed Financial Institutions have an ongoing duty to educate and advise Consumers in Writing as to the security precautions that need to be taken to access their financial services including:
a. Avoidance of using simple passwords or numbers associated with personal dates;
b. The financial liability on the Consumers if they provide their password or personal identification number (PIN) to anyone or leave them written down and accessible to others to observe;
c. Advising Consumers on how they should and can change passwords and PINs periodically;
d. Cautiously entering the PIN at an ATM or POS Terminal to ensure they are not being observed; and
e. Protecting access to their cheque book.
6.2.1.8 Payment instruments/terminals (such as ATMs) and online banking channels must be progressively upgraded with the latest technology, particularly to prevent the use of counterfeit cards, and inspected regularly in accordance with the Central Bank’s guideline on preventing ATM Card frauds.
6.2.1.9 Licensed Financial Institutions must ensure ATMs are secure. They must:
a. Install and maintain pin pad shields to prevent the recording of Consumer PINs while using ATMs or POS terminals;
b. Install Anti-Skimming devices to prevent the magnetic stripe being read. Operators must immediately withdraw from service any ATM that has been compromised;
c. Install sensors to detect the presence of skimming devices and to send alerts to the operator and/or shutdown the ATM;
d. Ensure digital security cameras are within the ATM;
e. Apply any other advances in security as deemed necessary to protect Consumers; and
f. Monitor and investigate reported ATM issues from Consumers.
6.2.1.10 Licensed Financial Institutions must conduct periodic maintenance of all ATMs including verification of its proper functionality and ensuring security has not been breached (e.g. illegal keypad replicators and cameras). A record of the verifications on each machine must be maintained for a period of one year and made available for inspection by the Central Bank.
6.2.1.11 Licensed Financial Institutions may be liable for any direct losses incurred as a result of any breaches of the Licensed Financial Institutions’ security controls.
6.2.1.12 Licensed Financial Institutions must effectively perform and document their due diligence measures when verifying the background and competence of any Third Party that will represent the Licensed Financial Institution and/or have access to or possession of the Consumer’s assets, information and Data.
6.2.1.13 Licensed Financial Institutions must ensure their Authorized Agents have equivalent level of fraud control, coordination and monitoring for all activities performed by their Staff on behalf of the Licensed Financial Institution.
6.2.1.14 Licensed Financial Institutions must perform due diligence before hiring Staff and ensure verification of all fit and proper requirements are fully commensurate with responsibilities and functions of the positions.
6.2.1.15 Licensed Financial Institutions must provide adequate and up to date Staff training on its control framework to ensure Consumers’ assets are securely handled.
6.2.2 Fraud Detection
6.2.2.1 Licensed Financial Institutions must have adequate systems and processes in place to monitor and respond to external fraud activities commensurate with the type of risk associated with the Financial Product or Service and the frequency of Consumer transactions.
6.2.2.2 Licensed Financial Institutions must inform the Consumer of the procedures for reporting cases of theft, loss and fraud.
6.2.2.3 Licensed Financial Institutions must monitor and document trends on the number and type of incidents for fraud, attempted frauds and Consumer Complaints in order to determine if there is any evidence of weakness in the security and detection measures. Licensed Financial Institutions must report significant fraud events immediately to the Central Bank in a manner as it may be prescribed.
6.2.3 Fraud Investigation and Reporting
6.2.3.1 Licensed Financial Institutions must have a fraud reporting function to investigate Financial Crime Compliance.
6.2.3.2 When a specific pattern of frauds or deception is identified, a Licensed Financial Institution shall issue timely notifications to Consumers to promote awareness and preventative measures. The Licensed Financial Institution’s notice must provide a contact method for Consumers to report fraud incidents or make inquiries.
6.2.3.3 Licensed Financial Institutions must report all Consumer Complaints arising from external, internal and attempted frauds, as well as any apparent vulnerabilities in the security and online systems to the Central Bank on a quarterly basis.
6.2.3.4 Licensed Financial Institutions must file a summary annual report by January 31st to the Central Bank on the trends and significant incidents of fraud and attempted frauds including a description of the preventative measures taken.