Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS United Arab Emirates
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in focus View all
Insights by type
CMS News
Stay up to date with our growth, evolution and our many successes.
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

New SME Customer Protection Regulation marks a shift in UAE Central Bank Approach

10 Apr 2026 UAE 10 min read

On 17 February 2026, the Central Bank of the UAE issued Circular No. 2/2026, introducing a new SME Customer Protection Regulation (the “SME CPR”), which replaces SME Market Conduct Regulation (Circular No. 1/2021, dated 26 January 2021) (the previous “SME MCR”). The new regulation represents a significant expansion of the rules governing how licenced banks and finance companies (collectively known within the SME CPR as “financial institutions”) interact with their SME customers, moving away from a narrower market conduct framework towards a more comprehensive customer protection regime, with its primary objective being to protect customers. It will come into effect six months from the date of its publication in the Official Gazette, giving financial institutions a longer runway period to prepare than the 30-day window allowed under the previous SME MCR.  

In this article, we explore some of the key changes introduced by the SME CPR which aims to safeguard SME customers and foster a culture where financial institutions act in their clients’ best interest. This signals a change in the Central Bank’s approach, with placed emphasis on SMEs now being recognised as a class requiring active protection, rather than simply beneficiaries of improved market conduct. 

Key developments 

1. New governance and institutional oversight requirements

The SME CPR introduces a new Article (2), requiring financial institutions to maintain a strong governance framework for the design, development, promotion, sale and distribution of financial products underpinned by robust policies, procedures, and monitoring.  Treating customers honestly and fairly is now required to be embedded within the business conduct and corporate culture of all financial institutions driven from board level down. In a similar vein, the SME CPR also expands the previous SME MCR’s provisions on the anti-competitive and discriminatory practices provisions in Article (4) to include a specific requirement that financial institutions must not collude to fix pricing and anti-discrimination principles must now be incorporated into the internal code of conduct. Crucially, this key shift in onus, now recognises that the board is ultimately responsible for ensuring that business is conducted with due skill and care at all stages of the customer relationship which is made explicit under Article 4.1 of the new SME CPR. 

Additionally, the SME CPR now requires financial institutions to adopt remuneration and staff evaluation policies aiming to prevent mis-selling, unjustified risk-taking, and conflicts of interest under Article 4.20. The SME CPR also introduces more detailed staff qualification, training and professional development requirements to ensure a consistency in approach when dealing with customers and advising on the suitability of financial products/services offered.

2. Expansion of disclosure obligations

While the previous SME MCR contained general disclosure and monitoring requirements, the SME CPR consolidates this and introduces more prescriptive rules, particularly in relation to pre-contractual disclosures in Article (3). Key additions include:

  • a new requirement for financial institutions to provide the customer with all relevant documents and information on the pricing, benefits, risks, fees, customer rights and obligations of a particular financial product/service, including providing customers with a ‘Key Facts Statement’ outlining the key features and risks of a financial product/service before the contract is entered into; 
  • a minimum 60 calendar days' written notice before any changes to T&Cs (including fees) can take effect.  The previous SME MCR simply required customers to be made aware in advance of changes;
  • a new 30 calendar day notice requirement before automatic annual renewal of contracts, explaining how and when the renewal can be cancelled; and 
  • requirement to present advantages of products/services without exaggeration or misleading information and not to deliberately withhold or conceal existence of products/services more suitable for customers; 
  • disclosure requirements now explicitly extend to all communication channels including digital platforms, mobile applications, internet banking and ATMs. Information available on all channels must not include misleading statements with disclaimers clearly displayed; and 
  • establishment of a formal governance structure for approval and ongoing monitoring of disclosures, with responsibility extending to the board and senior management to ensure implementation good disclosure practices. In particular, financial institutions must not withhold or conceal alternative products/services which may be more suitable to customers.

Separately the new SME CPR also requires that financial institutions must have the necessary controls in place to disclose any inherent conflicts of interests to customers prior to them entering into any agreements in Article (4). 

3. Prohibition on tied selling and product bundling

The SME CPR introduces a new prohibition on the conditioning the sale of one financial product/service on the purchase of another, including tied selling and bundling of financial products/services. There was no equivalent prohibition in the previous SME MCR. This is a significant change for financial institutions that may have previously bundled products as part of their SME offerings.

4. Suitability assessments and tailored approach by SME category

Financial institutions are now required to implement a framework to robustly assess the suitability of products/services offered to customers, with a particular focus on customers’ specific needs and the nature and scale of their businesses. Furthermore, financial institutions must adapt their approach and offerings depending on customers’ SME category.  This may require financial institutions to segment their SME client base and differentiate products, disclosures and services offered to each category.

5. New rules on support and communication with customers in financial difficulty

Building on the previous SME MCR’s requirements to provide impartial credit counselling and prohibit excessive pressure in debt collection, the SME CPR goes further and requires financial institutions to proactively assist customers upon initial payment irregularities and to establish a framework for supporting customers facing financial difficulties, including mechanisms for financial restructuring, credit product modification, or adjusted payment plans. Customers must be informed in writing of the possible consequences of arrears and all communications with customers in arrears must be proportionate and not excessive and recorded and retained for five years after settlement or write-off. Where an authorised agent is appointed for debt collection purposes, the agent's identity, the amount, and the authority granted must be disclosed to the customer. 

6. Enhanced customer fee requirements and new Central Bank reporting 

The SME CPR provides that fees must now remain consistent throughout a customer’s lifecycle and comply the Central Bank’s directions on charging fees for financial products/services. Fees cannot exceed the maximum fee limits or increase in fee caps imposed by the Central Bank. Significantly, the SME CPR now provides that no fee can be charged for customers’ original paper statements, and no closing or penalty fee can be charged where a customer bank account has been open for more than 6 months. In a related development, financial institutions must now also provide the Central Bank with reports on customer protection issues including an up-to-date fee schedule, list of products/services offered in UAE and customer complaint data report. The frequency of which and submission deadlines are due to be determined by the Central Bank. 

7. New customer mobility protections

The SME CPR now introduces a new regime governing customers' ability to switch financial institutions. While the previous SME MCR included a general prohibition on barriers to switching, the SME CPR adds several specific requirements including: financial institutions must facilitate transfers of customer accounts, products and financial data without additional fees, enforce strict customer-data and privacy protocols on transfers, and must not require customers to explain their decision to switch or disclose competing offers from other institutions. Additionally, no closing fee or penalty can be charged where a customer bank account has been open for over 6 months. If a customer requests a transfer or closure, financial institutions must complete the process within the initially determined timeframe, unless the customer withdraws the request. 

8. New customer data protection regime

Article (7) of the SME CPR introduces requirements for financial institutions to establish a dedicated function responsible for data management and protection. This function must maintain, review and improve policies, procedures, systems and controls to protect customer data against misuse and unauthorised access. Significant data management and protection breaches must be reported immediately to the board and senior management and notified to both the Central Bank and the affected customer without undue delay in the event of major customer data and information breaches. Crucially, financial institutions are now liable for reimbursing any direct and verifiable costs incurred by the customer resulting from the breach. All customer data must be retained for a minimum of 5 years, and only minimal and necessary data may be collected for their licensed activities.  

9. Enhanced complaint management framework

The previous SME MCR required fair and transparent complaint handling but was less prescriptive about process and timelines. The SME CPR now introduces a clear deadline: financial institutions must provide written acknowledgement of receipt of a complaint within 2 business days and must issue a final written response to a complaint within 30 business days of receipt. Final responses must clearly accept or reject the complaint in writing and, where appropriate, inform the customer of available escalation routes including the Ombudsman Unit (Sanadak). Complaint records must be retained for at least 5 years from resolution or closure, and the quality of staff complaint handling must be monitored on an ongoing basis with standards set as key performance indicators. 

10. Stronger enforcement powers and sanctions rules 

Article (11) of the SME CPR introduces new enforcement and sanction powers, which provides that violations may result in supervisory, administrative action and/or financial sanctions as the Central Bank deems appropriate. Sanctions may include:

  • withdrawing, replacing or restricting the powers of senior management or members of the board;
  • the Central Bank providing interim management; or 
  • barring individuals from the UAE financial sector altogether. 

Looking forward

The launch of the SME CPR marks a change in the Central Bank's expectations regarding the treatment of SME customers by financial institutions. Financial institutions that are currently operating under the previous SME MCR should use the 6-month implementation window to conduct a thorough gap analysis against the new SME CPR requirements.

Operationally, the most demanding changes are likely to be the introduction of a dedicated customer data protection function, the requirement to segment SME customers and tailor products and services by category, the explicit prohibition on product bundling and tied selling, and the establishment of a compliant complaints management function with binding response deadlines. Institutions should also review their standard form contracts and fee schedules, particularly around account closure penalties and automatic renewal clauses, to ensure these are consistent with the new SME CPR provisions. Boards and senior management should be briefed on their enhanced responsibilities under the new framework, including the potential personal exposure to enforcement action.

Co-authored by Olivia Christie-Miller and Dionne Abadoo 

More insights
Banking & Finance

Explore more

Publication United Arab Emirates

CMS toolkit series

02 Jul 2025 1 min read
Expert Guide International

Law and regulation of Covid-19 loan moratoriums in the UAE

3 min read
Event United Arab Emirates

IP Insights webinar series 2026

28 Apr 2026
Back to top Back to top
You will now find all Law-Now content on CMS.law
Explore more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.