Dubai & UAE Calling Compliance for Financial Services
Master Dubai and UAE calling compliance across DIFC, ADGM, and onshore regulations with this guide to recording, consent, and data residency rules.
Understanding the UAE's Multi-Layered Regulatory Framework
The United Arab Emirates presents a unique regulatory challenge for financial services firms: three distinct regulatory frameworks operate simultaneously, each with its own rules governing telephone communications, call recording, data protection, and consumer conduct.
- Onshore UAE — regulated by the Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA)
- Dubai International Financial Centre (DIFC) — regulated by the Dubai Financial Services Authority (DFSA)
- Abu Dhabi Global Market (ADGM) — regulated by the Financial Services Regulatory Authority (FSRA)
Each framework has distinct data protection legislation, financial services regulations, and enforcement mechanisms. A financial institution operating across all three environments must comply with each applicable framework simultaneously.
In 2025, combined regulatory enforcement across these three frameworks totaled AED 187 million in fines, with communication compliance failures — particularly inadequate call recording and consent management — cited in 28% of enforcement actions.
Onshore UAE: CBUAE and SCA Requirements
Federal Decree-Law No. 45 of 2021 (Personal Data Protection)
The UAE's federal data protection law, effective since January 2022 with enforcement beginning in 2023, establishes the baseline for call recording consent:
- Consent requirement: Personal data (including voice recordings) may only be processed with the data subject's consent or under a specified lawful basis
- Purpose limitation: Recordings may only be used for the purposes disclosed at the time of collection
- Data minimization: Only record what is necessary for the stated purpose
- Storage limitation: Recordings must be deleted when no longer necessary
- Cross-border transfer: Personal data may only be transferred outside the UAE to countries with adequate protection or with appropriate safeguards
Penalties: Up to AED 5 million per violation; repeat violations can result in doubled penalties.
CBUAE Consumer Protection Standards
The CBUAE's Consumer Protection Standards (effective 2023) impose specific requirements on telephone interactions:
- Transparency: Financial institutions must clearly disclose all fees, charges, risks, and terms during telephone conversations
- Recording disclosure: Customers must be informed at the start of each call that it is being recorded
- Language requirements: Disclosures must be provided in Arabic and English (or the customer's preferred language)
- Cooling-off period: Certain financial products sold by telephone are subject to a 5-business-day cooling-off period
- Complaint handling: Telephone complaints must be acknowledged within 2 business days and resolved within 30 business days
SCA Regulations for Capital Markets
The SCA regulates securities and commodities markets onshore. Key communication requirements:
- Recording of all communications relating to securities transactions
- Retention for minimum 5 years
- Records must be produced to SCA upon request within 10 business days
DIFC: DFSA Regulatory Framework
DFSA Conduct of Business Module (COB)
The DFSA's Conduct of Business Module establishes comprehensive requirements for client communications:
COB Rule 3.2 — Communication with Clients:
- All communications must be clear, fair, and not misleading
- Financial promotions delivered by telephone must comply with the same standards as written promotions
- Material risks must be given appropriate prominence during telephone discussions
COB Rule 6.11 — Recording of Telephone Conversations:
- Authorized firms conducting investment business must record all telephone conversations relating to:
  - Receiving, transmitting, or executing orders
  - Dealing in investments as principal or agent
  - Managing investments
  - Advising on financial products
- Recordings must be retained for a minimum of 6 years from the date of recording
- Firms must maintain systems capable of retrieving specific recordings upon DFSA request
DIFC Data Protection Law (Law No. 5 of 2020)
The DIFC has its own data protection framework, modeled closely on GDPR:
- Lawful basis required: Consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests
- Data Protection Impact Assessment (DPIA): Required for high-risk processing including systematic call recording
- Data Protection Officer (DPO): Mandatory appointment for firms conducting large-scale monitoring of individuals
- Data subject rights: Access, rectification, erasure, restriction, portability, and objection rights apply to call recordings
- Cross-border transfers: Transfers outside DIFC require adequate safeguards (Standard Contractual Clauses or adequacy determination)
- Breach notification: 72-hour notification requirement to the Commissioner of Data Protection for data breaches affecting call recordings
Penalties: Up to USD 100,000 per violation by the Commissioner of Data Protection; DFSA can impose additional regulatory penalties.
DFSA Thematic Review Findings (2024)
In its 2024 thematic review of communication surveillance practices, the DFSA identified several common deficiencies:
- 37% of firms had gaps in mobile phone recording coverage
- 52% of firms had inadequate monitoring sampling rates (reviewing less than 3% of recorded calls)
- 28% of firms could not retrieve specific recordings within 5 business days of a DFSA request
- 44% of firms had not conducted a DPIA for their call recording program despite it being mandatory under the DIFC Data Protection Law
ADGM: FSRA Regulatory Framework
FSRA Conduct of Business Rulebook (COBS)
The ADGM's FSRA imposes communication requirements similar to the DFSA but with specific ADGM nuances:
COBS Rule 3.3 — Recording of Telephone Communications:
- Authorized persons conducting regulated activities must record all telephone communications relating to those activities
- Retention period: minimum 6 years (aligned with DFSA)
- Systems must be resilient with documented failover procedures
- Recording quality must allow clear playback and transcription
COBS Rule 2.6 — Fair Treatment of Customers:
- Telephone interactions must demonstrate fair treatment principles
- Sales practices must not exploit information asymmetries
- Vulnerable customers must receive additional protections during telephone interactions
ADGM Data Protection Regulations 2021
The ADGM data protection framework (separate from both onshore UAE and DIFC):
- Closely aligned with GDPR principles
- Registration requirement: Data controllers must register with the ADGM Office of Data Protection
- DPO requirement: Mandatory for firms processing personal data on a large scale
- Consent standard: Freely given, specific, informed, and unambiguous — consistent with GDPR
- Data localization: No strict data localization requirement, but transfers outside ADGM require appropriate safeguards
Penalties: Up to USD 28 million per violation by the ADGM Office of Data Protection.
Navigating the Overlap: Multi-Framework Compliance
The Challenge
A financial group operating in the UAE may simultaneously hold:
- A CBUAE banking license (onshore)
- A DFSA authorization (DIFC)
- An FSRA authorization (ADGM)
Each entity within the group is subject to its respective framework's call recording, data protection, and conduct requirements. Client calls may involve participants in different jurisdictions within the UAE itself.
Recommended Approach
Step 1: Unified Recording Standard
Apply the most stringent recording requirement across all frameworks:
- Record all client-facing calls (covers all three regulators' requirements)
- Retain for 6 years minimum (the DFSA and FSRA standard, which exceeds the SCA's 5-year minimum)
- Apply DIFC Data Protection Law standards for consent and data subject rights (the most comprehensive of the three data protection frameworks)
Step 2: Jurisdiction-Aware Consent Management
Tailor consent notifications based on the regulatory framework applicable to the specific interaction:
- DIFC interactions: GDPR-equivalent consent with full data subject rights notification
- ADGM interactions: Similar to DIFC but with ADGM-specific registration references
- Onshore interactions: Federal data protection law consent with bilingual (Arabic/English) notification
Step 3: Centralized Recording Infrastructure with Logical Separation
Maintain a single recording platform with logical separation by regulatory entity:
- Separate access controls per regulatory entity
- Separate retention policies if needed
- Unified search and retrieval capability for regulatory requests
- Separate audit trails per entity
CallSphere provides multi-entity, multi-jurisdiction recording infrastructure that supports the UAE's unique regulatory landscape, with configurable consent flows, retention policies, and access controls per regulatory framework.
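The sketch below is an added example, not CallSphere's code or any regulator's specification. It shows how Steps 1 and 3 can be enforced in a recording store: one retention floor derived from the strictest regulator, and per-entity access checks that write to that entity's own audit trail. The entity labels, user names, class names, and sample recordings are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Minimum retention per regulator in years, as stated on this page.
MIN_RETENTION_YEARS = {"SCA": 5, "DFSA": 6, "FSRA": 6}
# Step 1: the unified standard is the longest minimum across frameworks.
UNIFIED_RETENTION_YEARS = max(MIN_RETENTION_YEARS.values())

@dataclass(frozen=True)
class Recording:
    rec_id: str
    entity: str        # hypothetical labels: "ONSHORE", "DIFC", "ADGM"
    recorded_on: date

def earliest_deletion(rec, years=UNIFIED_RETENTION_YEARS):
    """First date on which the recording may be deleted."""
    d = rec.recorded_on
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        # 29 Feb has no anniversary in a non-leap year: round up to
        # 1 March so the recording is never deleted early.
        return date(d.year + years, 3, 1)

@dataclass
class RecordingStore:
    grants: dict                                  # user -> set of entities
    recordings: list = field(default_factory=list)
    audit: dict = field(default_factory=dict)     # entity -> list of events

    def search(self, user, entity):
        """Step 3: per-entity access check, logged to that entity's trail."""
        allowed = entity in self.grants.get(user, set())
        self.audit.setdefault(entity, []).append((user, "search", allowed))
        if not allowed:
            raise PermissionError(f"{user} has no grant for {entity}")
        return [r for r in self.recordings if r.entity == entity]

    def purgeable(self, today):
        """Recordings whose unified retention minimum has elapsed."""
        return [r for r in self.recordings if today >= earliest_deletion(r)]

# Constructed sample data.
store = RecordingStore(
    grants={"difc_compliance": {"DIFC"}, "group_audit": {"DIFC", "ADGM", "ONSHORE"}},
    recordings=[
        Recording("r1", "DIFC", date(2020, 2, 29)),
        Recording("r2", "ADGM", date(2019, 1, 10)),
        Recording("r3", "ONSHORE", date(2024, 6, 1)),
    ],
)
```

Denied searches are logged before the exception is raised, so each entity's audit trail also records attempts by users who hold grants only for a different entity.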
Data Residency and Cross-Border Transfer
UAE Data Residency Requirements
The UAE's federal data protection law does not impose strict data localization, but several practical considerations apply:
- CBUAE guidance: The CBUAE has expressed a strong preference for customer data (including call recordings) to be stored within the UAE or in jurisdictions with adequate data protection
- DIFC: No strict data localization, but cross-border transfers require safeguards under the DIFC Data Protection Law
- ADGM: Similar to DIFC — adequate safeguards required for transfers outside ADGM
- National security considerations: The UAE Cybersecurity Council has issued guidance recommending that sensitive data be stored domestically
Cloud Storage Options in the UAE
Major cloud providers have established UAE data center regions:
- AWS: Middle East (UAE) Region — Abu Dhabi (launched 2022)
- Microsoft Azure: UAE North (Dubai) and UAE Central (Abu Dhabi) regions
- Google Cloud: Doha region serves UAE customers; direct UAE region under consideration
- Oracle Cloud: Abu Dhabi and Dubai regions
These local cloud regions enable firms to satisfy data residency preferences while leveraging cloud scalability and compliance certifications.
Arabic Language Requirements
Bilingual Communication Obligations
The UAE's consumer protection framework requires that financial communications be available in both Arabic and English:
- Onshore: CBUAE requires all consumer-facing communications in Arabic and English
- DIFC: English is the official language, but Arabic must be available upon request for retail clients
- ADGM: English is the official language; Arabic availability recommended for retail interactions
Implications for Call Recording and Monitoring
- Recording systems must support Arabic audio capture without quality degradation
- Monitoring and transcription systems must accurately process Arabic (including Gulf Arabic dialect variations)
- Compliance reviewers must include Arabic-language-proficient personnel
- AI-powered analysis tools must support Arabic natural language processing
CallSphere's platform supports Arabic language processing with Gulf Arabic dialect optimization, enabling accurate transcription and compliance monitoring for Arabic-language calls.
Frequently Asked Questions
Which UAE regulator's rules apply to my financial services calls?
The applicable regulator depends on your license and the location of your operations. If you hold a CBUAE or SCA license, onshore UAE rules apply. If you operate from the DIFC, the DFSA framework applies. If you operate from the ADGM, the FSRA framework applies. Many financial groups hold multiple licenses and must comply with each applicable framework for the respective entity's activities.
How long must call recordings be retained in the UAE?
The minimum retention period varies by regulator: SCA requires 5 years, DFSA requires 6 years, and FSRA requires 6 years. If you operate under multiple frameworks, apply the longest applicable period (6 years). Some firms voluntarily retain for 7 years to provide an additional margin of safety.
Do I need to store call recordings physically in the UAE?
There is no absolute legal requirement for data localization in the UAE, but strong regulatory preferences favor domestic storage. The CBUAE has expressed preference for customer data remaining in the UAE. The DIFC and ADGM allow cross-border transfers with appropriate safeguards. Given the availability of UAE-based cloud regions from major providers, domestic storage is both practical and advisable.
Can I use a single call recording system across DIFC, ADGM, and onshore operations?
Yes, but the system must support logical separation between regulatory entities, with separate access controls, audit trails, and potentially different retention policies per entity. Each regulator may request recordings only for the entity it supervises, and your system must be able to isolate and produce recordings on a per-entity basis. CallSphere supports multi-entity deployments with configurable separation and unified administration.
What consent language is required for call recording in the UAE?
For onshore operations, consent notification must be provided in both Arabic and English. For DIFC and ADGM operations, English is sufficient but Arabic availability is recommended for retail clients. The notification should clearly state that the call is being recorded, the purposes of recording, the retention period, and the data subject's rights regarding the recording.
CallSphere Team
Expert insights on AI voice agents and customer communication automation.