UAE Consumer Protection Regulation

The Consumer Protection Regulation issued by the Central Bank of the UAE aims to strengthen governance around consumer data protection and promote responsible financing practices. Article 6 of the regulation focuses on protecting consumer data and assets. It requires financial institutions to establish functions responsible for data management and protection policies/procedures. It also mandates policies for data retention in accordance with laws and monitoring of access to consumer information. The article aims to ensure confidentiality of consumer data and limit its processing and access.


Consumer Protection Regulation
A brief summary of Article 6 requirements on data protection

March 2021

kpmg.ae
2 Consumer Protection Regulation
Contents
Introduction 04
To whom is the Regulation applicable? 06
What is the primary objective of the Regulation? 06
What is covered in the Regulation? 07
Accelerate compliance with KPMG's Data Protection and Privacy Framework 13

Introduction

The digital landscape is evolving rapidly, accompanied by the increased usage of advanced technologies to process consumer data. This has emphasized the need for consumer protection and associated rights.

The Central Bank of the UAE (CBUAE) has issued the Consumer Protection Regulation (the Regulation), acting as an overarching regulatory framework for licensed financial institutions (LFIs). The Regulation ensures consumers' interests are protected when using any financial product and/or service or when a relationship with an LFI exists.

By introducing this regulation and the accompanying standards, the CBUAE seeks to ensure that LFIs' approach to consumer protection is in line with international standards. The Regulation focuses on developing a variety of capabilities to understand, manage and protect consumers' data and associated complaints/inquiries.
To whom is the Regulation applicable?

This regulation and accompanying standards apply to all LFIs licensed by the CBUAE, in relation to activities specified in Article 65 of the Decretal Law No. 14 of 2018.

What is the primary objective of the Regulation?

The primary objective of the Regulation is to protect consumers and contribute to the overall stability of the financial services industry. The Regulation aims to strengthen governance and promote responsible financing practices and protect consumer rights.

What is covered in the Regulation?

The Regulation comprises 15 articles, providing information about the minimum measures all financial institutions are required to take in order to protect customers' data.

Article 1: Definition
Article 2: Disclosure and Transparency
Article 3: Institutional Oversight
Article 4: Market Conduct
Article 5: Business Conduct
Article 6: Protection of Consumer Data and Assets
Article 7: Responsible Financing Practice
Article 8: Complaint Management and Complaint Resolution
Article 9: Consumer Education and Awareness
Article 10: Financial Inclusion
Article 11: Shari'ah Compliance for Financial Services
Article 12: Conflict with Other Regulations
Article 13: Enforcement and Sanctions
Article 14: Interpretation of Regulation
Article 15: Publication and Effective Date

Many organizations struggle to manage a sprawling data footprint, which continues to grow in size and complexity. To enable risk-based data protection and compliance, Article 6 (Protection of Consumer Data and Assets) emphasizes protection of consumer data and rights. This paper will focus on the data privacy elements of the Article.

Columns: Sub-article no. | Article description | KPMG's cybersecurity and privacy analysis | Mapping with KPMG framework

Article 6: Protection of Consumer Data and Assets

6.1 Consumer Data Protection

6.1.1
Article description: Licensed Financial Institutions are required by the Article 120 of the Decretal Federal Law No. (14)
KPMG analysis: Confidentiality of consumer data and purpose limitation:
– Clearly identify, document and communicate the purpose or purposes for processing consumer data
– Regularly review the processing purposes and, where necessary, update the documentation
– Limit access to consumer information by implementing access control mechanisms
– Implement security and monitoring measures to detect and track unauthorized internal access or use of consumer information
Mapping with KPMG framework: Security for privacy; Policies, notice and consent; Inventory/data mapping

6.1.2.1
Article description: Licensed Financial Institutions must establish a function in their organization that is responsible for Data Management and Protection, including responsibility for maintaining policies, procedures, systems and controls to protect Consumers' Personal Data and information against misuse, unauthorized access and undue processing and analysis
KPMG analysis: Data management function:
– Establish a function that is responsible for data management as well as data protection and privacy of consumer data
– Define responsibility for maintaining data protection and privacy policies, procedures, systems and controls to protect consumers' personal data
Mapping with KPMG framework: Governance and operating model; Data strategy

6.1.2.2
Article description: Licensed Financial Institutions must have policies that specify duration of record keeping and Data retention in accordance with the applicable laws, regulations and business
KPMG analysis: Data retention management:
– Establish data retention policies in line with the regulatory/standard requirements
– Ensure the data retention policies are enforced for digital and non-digital consumer data
Mapping with KPMG framework: Information lifecycle management

6.1.2.3
Article description: Licensed Financial Institutions must have appropriate security and monitoring measures in place to detect and track unauthorized internal access or use of Consumer information. Any breach of access, misuse or unauthorized release must be recorded, including any harm done by such breach, for future reporting to and review by the Central Bank
KPMG analysis: Logging and monitoring for access management:
– Implement capabilities that can identify unauthorized access by systems and resources in real time
– Implement capabilities for logging and monitoring of all activities performed on consumer data
Mapping with KPMG framework: Security in privacy; Processes, procedures and technology

6.1.2.4
Article description: Licensed Financial Institutions must notify the Central Bank of all significant breaches of Consumer Data and information, and notify any Personal Data breach to Consumers where a breach may pose a risk to the financial and personal security of the Consumer, without undue delay. Licensed Financial Institutions are liable for reimbursing any direct costs incurred by the consumer for actual harm done as a result of the breach
KPMG analysis: Breach notification:
– Document a breach communication plan and assign respective roles within the function that is responsible for data protection and privacy of consumer data (as well as who will communicate the breach notification to the Central Bank and the consumer)
– Document indemnification clauses in the contract with the consumer
Mapping with KPMG framework: Incident management

6.1.2.5
Article description: Licensed Financial Institutions must ensure that Consumers are able to make informed choices with respect to providing expressed consent as to their Data being collected, used and shared with third parties and within the Licensed Financial Institution
KPMG analysis: Consent management:
– The practices below shall be followed while seeking consent from the consumer:
– Outline why their personal data is being collected
– Ensure consumers know how their personal data will be used
– Be certain your organization has clear policies and procedures regarding the collection, use or disclosure of personal data
– Ensure consent forms are time limited and capture all necessary requirements that should be known by the consumer
Mapping with KPMG framework: Policies, notice and consent

6.1.2.6
Article description: Licensed Financial Institutions must prevent the misuse of Consumer information and Data
KPMG analysis: Data handling and awareness:
– Implement security awareness and training programs
Mapping with KPMG framework: Training and awareness

6.2 Protection of Consumer Assets, Information and Data against Financial Crimes, Misappropriation and Misuse

6.2.2.1
Article description: Without prejudice to other laws and regulations, Licensed Financial Institutions must treat Consumers' information, relationships and business affairs as private and confidential
KPMG analysis: Confidentiality:
– Ensure the users processing consumer personal data are bound by confidentiality and non-disclosure clauses
Mapping with KPMG framework: Risk, control and monitoring

6.2.2.2
Article description: Licensed Financial Institutions must put in place strict internal controls to effectively protect Consumers' deposits, savings, funds held by stored value facilities and other assets, as well as Consumer information and Data, against internal frauds.
KPMG analysis: Regulatory compliance:
– Ensure compliance with the Stored Value Facilities Regulation issued by the CBUAE on 30 September 2020 for SVF providers or entities carrying out any SVF business functions
– Implement adequate internal and access controls and logging of IT systems to protect consumer information and data against internal fraud
Mapping with KPMG framework: Regulatory management

6.2.2.3
Article description: Licensed Financial Institutions must apply sufficient resources to be able to detect both external and internal frauds quickly and ensure they are fully addressed with future prevention measures
KPMG analysis: Security monitoring:
– Implement proactive security measures such as vulnerability assessment, pen testing, red-teaming exercises, etc.
Mapping with KPMG framework: Security for privacy; Processes, procedures and technology

6.2.2.4
Article description: Licensed Financial Institutions must compensate Consumers in a timely manner for financial losses and expenses resulting from Financial Crimes, misappropriation, cyber-attacks and misuse of assets and information, unless it can be proven that the loss was due to the gross negligence or fraudulent behavior of the Consumers
KPMG analysis: Breach management:
– Document indemnification clauses in the contract with the consumer
Mapping with KPMG framework: Risk, control and monitoring; Incident management; Third-party management

6.2.2.5
Article description: Licensed Financial Institutions must ensure their security and protection systems are updated and have the capacity to develop and adopt new approaches to cyber security as required
KPMG analysis: Continuous improvement:
– Demonstrate processes and technologies are up to date with the newest approaches and technology
– Implement leading design and technologies to enhance the data protection and privacy measures of consumer data
Mapping with KPMG framework: Security for privacy; Processes, procedures

6.2.2.6
Article description: Licensed Financial Institutions must demonstrate they have carried out sufficient Consumer awareness activities related to educating Consumers of the need to protect themselves from Financial Crime
KPMG analysis: Consumer awareness and training:
– Develop customer awareness training plans which focus on data security, privacy and financial frauds on a frequent basis
– Utilize statistics to communicate the importance of security and privacy to the consumer
– Keep consumers informed about current threats to personal data
– Encourage consumers to share potential errors/issues immediately
Mapping with KPMG framework: Training and awareness
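Sub-articles 6.1.1 and 6.1.2.3 ask for access control tied to documented processing purposes, plus logging that can flag unauthorized access to consumer data and record it for later reporting. The script below is an added illustration of what such a check can look like; it is not code from KPMG or from the CBUAE, and the audit-log format, the role entitlement table, the bulk-export threshold and the sample events are all constructed for this example.

```python
"""Audit consumer-data access events against role entitlements and purpose limitation.

Added example (not part of the KPMG paper or the CBUAE regulation). The log
format, role entitlements and sample events are constructed for illustration;
a real deployment would read the same fields from its own application or
database audit trail.
"""
import json

# Constructed entitlement table: which actions each role may perform on
# consumer data, and the documented processing purposes each action serves.
ENTITLEMENTS = {
    "branch_teller": {"read": {"account_servicing"}},
    "collections": {"read": {"debt_recovery"}, "export": {"debt_recovery"}},
    "data_engineer": {"read": {"analytics"}},
}

# Constructed sample audit trail, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2021-03-02T09:15:00Z", "user": "u101", "role": "branch_teller", "action": "read", "records": 1, "purpose": "account_servicing"}
{"ts": "2021-03-02T09:17:30Z", "user": "u101", "role": "branch_teller", "action": "export", "records": 250, "purpose": "account_servicing"}
{"ts": "2021-03-02T22:40:00Z", "user": "u207", "role": "data_engineer", "action": "read", "records": 1, "purpose": ""}
{"ts": "2021-03-02T10:05:00Z", "user": "u318", "role": "collections", "action": "export", "records": 40, "purpose": "debt_recovery"}
{"ts": "2021-03-02T10:06:00Z", "user": "u999", "role": "contractor", "action": "read", "records": 1, "purpose": "marketing"}
"""

BULK_THRESHOLD = 100  # constructed: exports larger than this need separate approval


def parse_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(event, entitlements=ENTITLEMENTS):
    """Return the list of control violations for one event (empty if the access is allowed)."""
    findings = []
    allowed = entitlements.get(event["role"], {})
    purposes = allowed.get(event["action"])
    if purposes is None:
        findings.append("unauthorized_action")   # role has no entitlement for this action
    elif not event["purpose"]:
        findings.append("missing_purpose")       # purpose limitation not recorded
    elif event["purpose"] not in purposes:
        findings.append("purpose_mismatch")      # action used for an undocumented purpose
    if event["action"] == "export" and event["records"] > BULK_THRESHOLD:
        findings.append("bulk_export")           # large extraction, flagged regardless of role
    return findings


def audit(text, entitlements=ENTITLEMENTS):
    """Run every event through evaluate() and return entries for a breach register."""
    register = []
    for ev in parse_log(text):
        reasons = evaluate(ev, entitlements)
        if reasons:
            register.append({
                "ts": ev["ts"], "user": ev["user"], "role": ev["role"],
                "action": ev["action"], "records": ev["records"],
                "reasons": reasons,
                # The harm assessment is completed by the incident process before
                # the entry is reported; it is recorded here so nothing is lost.
                "harm_assessment": "pending",
            })
    return register


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print(json.dumps(entry))
```

On the constructed log, the teller's 250-record export is recorded as both unauthorized and bulk, the data engineer's read is recorded for a missing purpose, and the unknown "contractor" role is recorded as unauthorized; the two entitled accesses produce no entry. Keeping every flagged event with a pending harm field is what turns a detection into the record the sub-article expects to exist for later review.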


How can KPMG assist?

Our global data privacy footprint

KPMG's cyber security and privacy practice is present in major markets around the world – 29 countries in total. We assist organizations in transforming their security, privacy, and continuity controls while maintaining the confidentiality, integrity and availability of critical business functions.

[Map: locations shown include Pakistan, Japan, Hong Kong, Cayman, Thailand, Dom. Rep., Vietnam, Saudi Arabia, UAE, Cambodia, Costa Rica, Bangladesh, Panama, Barbados, Philippines, Colombia, Nigeria, Uganda, Singapore, Venezuela, Peru, Mauritius, Papua New Guinea, Uruguay, Tanzania, Mozambique]


Data strategy and governance

KPMG utilizes proven frameworks, such as advanced data management (ADM), to support organizations. Our teams conduct assessments and provide insight into the current state in order to identify gaps and translate insights into next steps and implementation roadmaps.

Our goal is to assist organizations in developing a data management practice that is built on the right foundation and has a clear data strategy, target operating model and roadmap to drive the best value from data assets.

Solution capabilities:
– Data strategy
– Data governance framework
– Data management maturity assessment
– Data quality strategy
– Big data strategy
– Artificial intelligence strategy

The information contained herein is of a general nature and is not intended to address the specific
circumstances of any particular individual or entity. Some or all of the services described herein may not be
permissible for KPMG audit clients and their affiliates or related entities.

Contact us

Timothy Wood
Partner | Cyber Security and Privacy
m: +971 56 409 6842
e: [email protected]

Maliha Rashid
Director | Data Privacy Lead, Digital & Innovation
m: +971 50 608 2013
e: [email protected]

kpmg.com/ae
Follow us on:

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2021 KPMG Lower Gulf Limited, licensed in the United Arab Emirates, and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Designed by KPMG Lower Gulf Creative team.
Publication number: 3391
Publication date: March 2021