The Central Bank of the United Arab Emirates (CBUAE) has issued new mandatory guidance requiring all Licensed Financial Institutions (LFIs) in the UAE to strengthen defenses against brand impersonation, phishing, fake advertisements, and digital fraud campaigns targeting consumers.
This initiative responds to the increasing misuse of financial institution brands, domains, social media profiles, and communication channels by cybercriminals seeking to deceive customers and facilitate fraud.
Why This Guidance Matters
Digital impersonation attacks have increased significantly across the banking and financial sector. Fraudsters are now leveraging:
- Fake banking websites
- Lookalike domains and phishing emails
- Fraudulent social media accounts
- Deepfake videos and voice scams
- Fake mobile applications
- Sponsored scam advertisements
Recognizing the growing threat, CBUAE now requires regulated institutions to implement a formal Brand Protection and Digital Impersonation Risk Management Program.
Who Must Comply?
The guidance applies to all Licensed Financial Institutions operating in the UAE, including:
- Banks
- Digital banks
- Exchange houses
- Finance companies
- Retail payment service providers
- Stored value facilities
The scope covers institutions that offer retail banking, payment, and card-issuance services.
Key Compliance Requirements
- Establish a Formal Brand Protection Program
LFIs must implement a structured and documented program. Institutions are also required to conduct annual digital impersonation risk assessments.
- Mandatory Monitoring Across Digital Channels
The guidance requires continuous monitoring of all digital channels, including:
- Domains and DNS records
- Websites and hosting infrastructure
- Email spoofing
- Social media platforms
- Paid advertisements
- Mobile app stores
- Messaging platforms and OTT applications
- Fake card offers and payment scams
Monitoring must be continuous for high-risk channels and adaptive to emerging threats.
- Domain and Email Security Expectations
CBUAE expects institutions to implement preventive controls across the organization’s entire digital footprint. A key expectation is implementation and enforcement of SPF, DKIM, and DMARC controls for customer-facing domains.
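To make the "enforcement" expectation concrete, here is an added example (not from the CBUAE guidance or this page) that classifies a domain's SPF and DMARC TXT records as enforcing or not, the way a periodic control check over customer-facing domains would; the record strings are constructed inputs so it runs offline, and example-bank.test is a placeholder domain.

```python
"""Classify SPF and DMARC TXT records as enforcing or not.

Added example, not from the CBUAE guidance. Record strings are passed
in directly (in practice fetched from DNS for each customer-facing
domain); the domain example-bank.test below is a placeholder."""


def spf_enforcement(spf_txt):
    """Return (is_enforcing, reason). SPF only rejects spoofed mail
    when the record ends with the hard-fail mechanism '-all'."""
    if not spf_txt.startswith("v=spf1"):
        return False, "not an SPF record"
    terms = spf_txt.split()[1:]
    if not terms:
        return False, "no mechanisms present"
    last = terms[-1].lower()
    if last == "-all":
        return True, "hard fail (-all)"
    if last in ("~all", "?all", "+all", "all"):
        return False, f"'{last}' does not reject unauthorized senders"
    return False, "no 'all' mechanism; result defaults to neutral"


def dmarc_enforcement(dmarc_txt):
    """Return (is_enforcing, reason). Enforcing means p=quarantine or
    p=reject applied to 100% of mail, with subdomains not exempted."""
    tags = {}
    for part in dmarc_txt.split(";"):          # tags are 'k=v' pairs
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'} does not enforce"
    pct = tags.get("pct", "100")               # defaults to 100
    if not pct.isdigit() or int(pct) < 100:
        return False, f"pct={pct} applies the policy to only some mail"
    if tags.get("sp", policy).lower() == "none":
        return False, "sp=none leaves subdomains unprotected"
    if "rua" not in tags:                      # enforcing, but blind
        return True, f"p={policy} enforces, but no rua= for aggregate reports"
    return True, f"p={policy} enforces on 100% of mail"


if __name__ == "__main__":
    # Constructed records for the placeholder domain example-bank.test
    print(spf_enforcement("v=spf1 include:_spf.example-bank.test ~all"))
    print(dmarc_enforcement("v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"))
```

DKIM is deliberately not covered here: it is verified per message against the selector's public key, so a static record check cannot tell whether outbound mail is actually being signed.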
- Social Media and Deepfake Monitoring
Given the rise of AI-enabled fraud, institutions must monitor and respond to:
- Fake social media accounts
- Fraudulent customer support profiles
- Scam messages
- Deepfake voice and video content
- AI-generated impersonation attempts
Formal escalation and takedown processes with platform providers are expected.
- Consumer Protection Requirements
To strengthen customer trust and fraud prevention, institutions must establish dedicated fraud-reporting channels, implement official communication verification mechanisms, run scam-awareness campaigns, and launch customer education initiatives. Annual employee awareness training is also expected.
- Incident Response and Regulatory Reporting
LFIs must establish documented incident-handling processes that cover all phases of incident response, from detection through post-incident review (PIR). Material impersonation incidents must be reported to the CBUAE. The guidance also mandates KPI/KRI tracking and record retention for at least 7 years.
Compliance Timeline
CBUAE requires all LFIs to conduct a digital impersonation risk assessment by 30th June 2026. Institutions are expected to prioritize high-risk channels and accelerate implementation efforts ahead of the deadline.
Non-compliance may result in supervisory actions or administrative penalties.
How We Can Help
As experts in cybersecurity and regulatory compliance, we assist financial institutions in aligning with regulatory expectations through a structured, risk-based approach. Our services help organizations strengthen governance, improve visibility across digital channels, and enhance their ability to detect and respond to impersonation threats.
We can support organizations through:
- Regulatory Gap Assessments
- Brand Protection Strategy Development
- Brand Monitoring Framework
- Digital Impersonation Risk Assessments
- Email Security Enhancement
- Domain and DNS Security Reviews
- Takedown and Response Procedures
- Incident Response Enhancement
- Third-party Risk and Outsourcing Reviews
- Governance and Compliance Advisory
- Awareness and Training Programs
With digital impersonation and AI-enabled fraud tactics continuing to evolve, proactive brand protection requires a combination of governance, technology, monitoring, and regulatory alignment. Our approach helps institutions build sustainable capabilities while strengthening consumer trust and meeting regulatory expectations.