Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
Sectors View all
Practice Areas View all
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in focus View all
Insights by type
CMS News
Stay up to date with our growth, evolution and our many successes.
Global Press Room
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

New telemarketing rules: what the CBUAE's latest regulation means for licensed financial institutions in the UAE

22 Apr 2026 UAE 12 min read

On 19 February 2026, the Central Bank of the UAE (the “CBUAE”) introduced a new Telemarketing Regulation (link) pursuant to circular (Circular 3/2026) (the “Telemarketing Regulation”). The Telemarketing Regulation establishes a comprehensive regulatory framework designed to protect customers of banks, insurance companies, reinsurance companies, and other financial institutions licensed in accordance with the CBUAE Law (link) (collectively, “Licensed Financial Institutions”). 

The Telemarketing Regulation comes into effect from the date of its publication in the Official Gazette. Licensed Financial Institutions will then have a 90 day implementation window within which to take all necessary measures to ensure compliance with its provisions.

We explore in this article some of the key provisions introduced by the Telemarketing Regulation.  

A. Overview

The Telemarketing Regulation is divided into three main parts: 

  • Telemarketing Requirements;
  • Telemarketing Controls; and 
  • General Provisions. 

We discuss the key obligations under each of these parts below. Under the Telemarketing Regulation, "Telemarketing" carries a broad definition. In essence, it covers any communication by telemarketers to customers that is aimed at selling, offering, promoting, marketing, or advertising financial products and services, regardless of the communication channel used. This can range from landlines and mobile phones to calls, texts, chat boxes, emails, digital platforms, websites, social media, and other applications.

B. Key Telemarketing Requirements

1. Board Approval as a Precondition to Telemarketing

Article (2) provides that Licensed Financial Institutions must obtain written board approval before conducting any Telemarketing. Further, Article 2 provides that the CBUAE also reserves the right to request that prior approval from the CBUAE be obtained from a Licensed Financial Institution or a class of Licensed Financial Institutions. In such cases, Licensed Financial Institutions will be advised directly by the CBUAE of this requirement.  By requiring Licensed Financial Institutions to obtain written board approval before conducting any telemarketing, the CBUAE has effectively elevated what was previously treated as a routine operational activity to a board-level governance matter. These provisions underscore the CBUAE's commitment to strengthening consumer protection in the context of financial product distribution. 

2. Telemarketer training

Article (3) provides that telemarketers must complete a minimum of fifteen (15) hours of training in ethical and professional conduct, customer privacy and data handling, and the use of the Do Not Call Registry ("DNCR").  The DNCR is a unified national agency registry protecting customers against unwanted Telemarketing communications, as defined in Article 1.10.  This training must be completed prior to conducting any and all Telemarketing. Annual refresher training is mandatory and must cover recent updates to applicable laws, including data protection legislation and comprehensive training must also be provided whenever new or updated products or services are introduced. 

Article (4) requires Licensed Financial Institutions to establish internal procedures and policies governing telemarketers, including clear controls for Telemarketing activities. Article (5) also introduces a requirement for standardised scripts for telemarketers, which must be provided in relevant languages and drafted in simple and accurate terms, with particular emphasis on products and service risks. Taken together, these provisions reflect a regulatory push toward greater consumer protection and institutional accountability in Telemarketing. Institutions that already have robust Telemarketing controls may face a lighter adjustment, while those with more informal practices may need to undertake a significant remediation exercise.

Separately, Article (6) imposes several obligations on Licensed Financial Institutions, including: maintaining an updated list of telemarketers and the authorised channels through which they operate; using the complete registered business name in all Telemarketing communications (which must not be concealed), with the word Telemarketing displayed alongside it; and ensuring that any landline or mobile numbers used are issued by a UAE licensed telecommunications company and registered in the name of the Licensed Financial Institution. Licensed Financial Institution will likely need to review and update their telemarketing policies, vendor contracts, and internal controls to ensure full alignment with these requirements.

3. Consent

The Telemarketing Regulation places significant emphasis on consent as a precondition to any Telemarketing activity. Under Articles (7) and (8), Licensed Financial Institutions must obtain prior express consent from customers before initiating any Telemarketing contact. Such consent may be obtained through a variety of channels, including online sign up processes (such as app alerts, email services, websites, and chat boxes), physical forms bearing the customer's signature, direct customer requests (for example, by text message), or opt ins. In each case, the consent mechanism must clearly capture the customer's preferred language, chosen communication channels, preferred method of contact (whether by a human agent, an AI based agent, or a robocall), and the categories of products or services about which the customer wishes to be contacted. Any terms and conditions ("T&Cs") to which the customer consents must also be made available in their preferred language.

The Telemarketing Regulation sets out a number of important safeguards in relation to consent including the following:

  • Consent must be given voluntarily and free from any form of pressure, and agreement to receive Telemarketing communications must not be made a condition of purchasing a product or service. 
  • Customers must be informed at the outset that they may withdraw their consent at any time, without cost or adverse consequence. 
  • Licensed Financial Institutions are required to provide a clear and accessible opt out mechanism, together with instructions on how customers can access support and exercise their opt out rights. 
  • Robust age verification processes must also be implemented at the point of obtaining consent.

Upon withdrawal of consent, the Licensed Financial Institution must immediately cease all Telemarketing contact with the customer and remove their details from its Telemarketing lists. The same obligation to cease contact applies where a customer makes a request to that effect, whether verbally or in writing.

4. Do Not Call Registry

Article (9) introduces a mandatory DNCR regime. Licensed Financial Institutions must ensure that telemarketers have access to the DNCR at all times and must not direct Telemarketing communications at any individual whose number appears on the registry, who has previously opted out of Telemarketing in any form, or who has not answered a prior Telemarketing attempt. Licensed Financial Institutions are also required to publish an accessible guide on their official platforms explaining how customers can register on the DNCR and submit complaints.

The most striking element is the prohibition on contacting individuals who have not answered a previous call. This represents a significant departure from the approach taken in other jurisdictions, where restrictions are generally confined to individuals who have actively registered on a do-not-call list or expressly opted out. The CBUAE's approach effectively creates a presumption of non-consent from silence.   The operational implications to comply with this will be burdensome for Licensed Financial Institutions as they will need to invest in robust call-tracking infrastructure capable of logging and cross-referencing unanswered calls in real time.  Licensed Financial Institutions should also consider how this rule interacts with broader customer relationship management practices, as legitimate follow-up calls may inadvertently fall foul of the restriction if not carefully ringfenced. 

5. Record keeping and reporting

Articles (10) and (11) impose detailed record keeping and reporting obligations including the requirement to maintain comprehensive Telemarketing logs recording, at a minimum, the date, time, duration, identity of the telemarketer (or automated system), customer name, and purpose of each communication. A mechanism must be established to regularly monitor the Telemarketing logs and records must be retained in the format prescribed by the CBUAE for a minimum of five (5) years, unless otherwise determined. In addition, Licensed Financial Institutions are required to submit annual Telemarketing reports to the CBUAE within 30 days of the report’s year end.

The cumulative compliance burden, spanning data capture, storage, monitoring, and reporting creates multiple points of regulatory exposure and may lead some institutions to scale back Telemarketing in favour of less burdensome channels.

C. Telemarketing Controls

Part 2 of the Telemarketing Regulation sets out the Telemarketing controls that should be implemented by Licensed Financial Institutions. The key requirements are summarised below.

1. Conduct and ethical standards

Articles (12) and (13) of the Telemarketing Regulation impose a range of conduct obligations on telemarketers.  These include:

  • Telemarketers are required to act honestly and must not make false or misleading claims to customers, employ deceptive practices, or apply unjustified pressure to convince customers to buy a product or service; and 
  • At the outset of each Telemarketing communication, the telemarketer must provide the following information to the customer; the name of the initiating party, the name and nature of the Licensed Financial Institution, the purpose of the call, and the customer’s right to complain or register on the DNCR. The telemarketer must also ask whether it is a convenient time to call, state the likely duration of the call, and confirm whether the customer wishes to proceed before commencing any sales pitch. 

Firms must ensure that their communications are tailored to the identified target market for a product. A communication that might be fair, clear, and not misleading to a sophisticated institutional investor may fall short of that standard when directed at a retail customer with limited financial literacy. This means that in practice firms must segment their communications strategies and ensure that telephone scripts, marketing materials, and disclosure documents are appropriate for the audience to which they are directed.

2. Timing and frequency restrictions

Article (15) restricts Telemarketing calls to the hours of 9:00 AM and 6:00 PM UAE time. Any contact is limited to once per day and a maximum of twice per week for the same customer, except where follow up communication has been expressly requested. 

From a compliance perspective, the firm quantitative limits are helpful as they are clear and measurable, however, there is little room for interpretive ambiguity.  Strategically, from a business perspective, the restrictions compress the available window for outbound sales activity and limit the number of touchpoints per prospect. 

3. Automated systems and AI

Article (16) introduces specific technical requirements where Licensed Financial Institutions deploy automated dialling equipment or Artificial Intelligence (“AI”) generated communications. These include: 

  • Unanswered calls must be disconnected within 15 seconds or four rings;
  • Customers must be connected to a telemarketer within two seconds of answering the call; 
  • Automated equipment deployed must be capable of generating compliance and monitoring statistics; and
  • The use of AI is subject to applicable laws and regulations.

As AI driven customer engagement becomes increasingly prevalent across the financial services sector, this provision is likely to attract significant attention, particularly given the rapid pace of regulatory developments around AI governance in the UAE.

D. General Provisions

1. Data protection and data privacy

Article (18) requires that Licensed Financial Institutions implement robust security measures and IT controls to protect customer personal data. Customer data must not be shared with, transferred to, or disclosed to any third party except with the customer's explicit consent and in accordance with applicable laws. This dovetails with the broader UAE data protection framework and reflects a trend seen across major financial centres, including the UK, where the FCA's expectations around data protection have become increasingly stringent.  

2. Use of Third Party Providers

Both Licensed Financial Institutions and any third party providers they engage must be fully compliant with the Telemarketing Regulation and with any additional controls or requirements issued by the CBUAE. 

3. Enforcement

Article (20) makes clear that violations of any provision of the Telemarketing Regulation may result in supervisory action, administrative action, and/or financial sanctions. This is reinforced by Cabinet Resolution No. 57 of 2024, which establishes a specific administrative violations and penalties framework for breaches of the Telemarketing rules. In the event of any conflict with other regulatory requirements or earlier CBUAE regulations, the provisions of the Telemarketing Regulation prevail.

E. Looking Forward 

The Telemarketing Regulation represents a significant tightening of the rules governing outbound customer engagement by UAE Licensed Financial Institutions. The deliberately broad definition of "Telemarketing", extending beyond voice calls to encompass text messages, emails, social media outreach and other digital communications means that many activities which Licensed Financial Institutions may not traditionally have considered to be Telemarketing will now fall within scope. As a result, many institutions will need to reassess practices that have historically sat outside traditional Telemarketing frameworks.  

The consent regime is particularly detailed, requiring granular customer preferences on channels, language, contact methods, and product types. By requiring granular, channel specific and product specific preferences (including language and method of contact), the Telemarketing Regulation moves beyond a simple opt in model towards a more sophisticated, customer centric consent architecture. This reflects a broader global regulatory shift towards enhanced consumer protection and outcomes based conduct standards, where the focus is not only on whether contact is permitted, but whether it is appropriate in the context. For example, in the UK the FCA’s Consumer Duty now requires firms to ensure that any outbound calling practices are consistent with acting in good faith and avoiding foreseeable harm. This means that calls should genuinely serve the customer's interests rather than being purely sales driven, and the manner and frequency of contact should not cause distress or pressure.

From a practical perspective, Licensed Financial Institutions and their third party service providers should prioritise a structured remediation programme. This should include; (i) a review of existing marketing practices against the expanded scope of Telemarketing and enhanced consent requirements; (ii) updates to policies, procedures and scripts to align with the Telemarketing Regulation’s detailed conduct, disclosure and timing rules; (iii) implementation or validation of DNCR screening to ensure real time compliance; (iv) a reassessment of outsourcing arrangements to ensure appropriate contractual protections and oversight; (v) enhancement of training frameworks to meet prescribed requirements; and (vi) upgrades to record keeping and reporting systems to support regulatory obligations.

The 90 day implementation window is not generous. Licensed Financial Institutions would be well advised to begin their gap analysis and remediation work without delay.

Co-authored by Olivia Christie-Miller

More insights

Explore more

Expert Guide International

CMS Expert Guide to Foreign Investment Screening Laws

2 min read
Event International

IP Insights webinar series 2026

28 Apr 2026
Publication International

The Mobile Century 2026

08 Apr 2026 6 min read
Back to top Back to top
Warning: Fraudulent emails and messages
Find out more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.