Raising the Bar: How the UAE Is Redefining SME Banking Protection

Transcript

SPEAKER_00 0:00

The central bank of the UAE, the central bank, has issued a significant regulatory instrument that materially rebuilds the conduct architecture governing how licensed financial institutions, LFIs, engage with their customers. Circular No. 2-2026, dated 17 February 2026, introduces the SME Customer Protection Regulation, the SME Regulation, replacing the 2021 SME Market Conduct Regulation. Together, these developments signal a decisive shift in the central bank's supervisory priorities from rulebook compliance to outcomes-based customer protection, with governance accountability running from the boardroom to the front line. The SME regulation applies to all banks and finance companies licensed by the central bank for the provision of financial products and services to SMEs, including sole proprietors. It comes into effect six months from publication in the official Gazette, giving institutions a structured but finite window to align their frameworks. From market conduct to customer protection. A conceptual reorientation. The most significant change introduced by the SME regulation is not technical, but conceptual. The 2021 predecessor was framed as a market conduct regulation. The 2026 SME regulation is expressly a customer protection regulation, and that distinction carries real regulatory weight. The stated objective is reoriented towards promoting a culture of acting in the best interests of SMEs as customers. A new standalone article on institutional and governance oversight makes plain that the board and senior management are expected to set the tone from the top, establishing a strong governance framework that spans the design, development, promotion, sales, and distribution of financial products and services, as well as their ongoing review and amendment. This is not merely a procedural requirement. It is a signal that the central bank expects conduct risk to be owned at the highest levels of an institution, not delegated downward or siloed within compliance teams. Importantly, the SME regulation forms part of the central bank's broader consumer protection framework and is expected to be complemented by forthcoming amendments to the finance companies regulation, which are anticipated to introduce an additional licensing category targeting SME-focused lenders. The central bank's support for alternative financing tools for SMEs, including government-backed credit guarantee schemes, reflects an ambition to deepen their access to the financial system, tighten disclosure and transparency obligations. ESM e-regulation substantially raises the bar on disclosure. The key facts statement requirement, which existed under the 2021 regime, is now supplemented by an express obligation that the customer acknowledged receipt of that statement before entering into the contract. LFIs must present all reasonable options and comparisons and are prohibited from concealing suitable alternatives with lower costs, lower financing rates, lower fees, or different loan structures. The prohibition on steering customers away from better value products is a direct response to miss selling concerns and aligns the SME framework more closely with retail consumer protection standards. Changes to terms and conditions, including fees, require a minimum of 60 calendar days' written notice. Where contracts contain annual automatic renewal clauses, institutions must provide 30 calendar days' notice before the renewal date. Additionally, rejection of a financing application must now be communicated in writing, with reasons provided, subject only to financial crime sensitivities or where disclosure is prohibited by applicable laws and regulations. These requirements impose meaningful discipline on the product lifecycle and on the manner in which institutions communicate adverse decisions. Financial institutions are also required to provide clear, plain language disclosures in both Arabic and English across the full customer life cycle, ensuring that accessibility of information is not undermined by language barriers. Responsible Conduct. 52 paragraphs of new substance. The responsible conduct article has grown from 24 paragraphs in 2021 to 52 in 2026, and the additions are substantive. Tide selling and bundling are expressly prohibited. The sale of a financial product or service may not be conditioned on the purchase of another product or service, eliminating a practice that has long raised competition and consumer fairness concerns. Error rectification is now governed by a dedicated regime. LFIs must not benefit from their own errors, must rectify errors without undue delay, and must immediately inform affected customers in writing of the cause, impact, and rectification measures. This imposes a proactive obligation. Institutions cannot simply correct an error silently. They must communicate with customers and account for the impact. Qualifications, training, and remuneration attract new requirements. Institutions must verify staff qualifications, conduct background checks confirming the absence of fraud or financial crime convictions, and the absence of prior termination for misconduct, and must design remuneration policies to prevent misselling. The linkage between remuneration structure and conduct risk is an area of growing regulatory focus globally, and this provision embeds that principle into the UAE's SME framework. Customers in financial difficulty are afforded a comprehensive new set of protections. LFIs must proactively reach out at the first signs of irregularity, offer financial restructuring, credit product modification, and adjusted payment plans, and facilitate access to independent and impartial credit counselling. Collection communications are subject to limits on frequency and manner. All customer communications must be retained for five years following settlement or write-off of the debt. This reflects the central bank's broader concern with over-indebtedness and responsible lending, and mirrors the credit assessment requirements that mandate extension of credit in a manner consistent with the SME's repayment capacity, supported by robust solvency assessments. Anti-competitive and discriminatory practices are addressed by a requirement to integrate anti-discrimination principles into the internal code of conduct, explicitly including the context of bank account opening decisions. Customer mobility provisions require institutions to facilitate the transfer of accounts, products, services, and payment information to another institution without imposing additional fees. Complaints handling and customer data protection. Complaints handling is recast around a two-business day acknowledgement with a unique reference number and a final written response within 30 business days. Critically, the customer's right to escalate unresolved matters to the Ombudsman Unit Saladac must be mandatorily disclosed, ensuring SMEs are aware of their recourse options. The complaints process must be free and independent. A wholly new article on customer data protection introduces obligations that are particularly timely, given the increasing digitalization of financial services. The central bank must be notified of significant data breaches. Affected customers must be directly notified of any customer data breach without undue delay. These requirements bring the SME regulatory framework into closer alignment with modern data governance standards and reflect growing central bank attention to the operational and reputational risks associated with data security failures. Enforcement. The enforcement article is new in express form and its scope is notably broad. Noncompliance may result in supervisory action, administrative action, and financial sanctions. At the more severe end, the central bank is empowered to withdraw, replace or restrict the powers of senior management or members of the board, impose interim management of the institution, and bar individuals from participating in the UAE financial sector. The inclusion of individual accountability measures, particularly board-level sanctions, reinforces the message delivered by the governance article. Responsibility for SME customer protection sits at the top of the institution, not only within operational or compliance functions. Conclusion. Implications for financial institutions. The SME regulation represents a material strengthening of the conduct and consumer protection framework applicable to SME banking in the UAE. It closes significant gaps in the 2021 regime, imports tools from the retail consumer protection framework, and introduces entirely new obligations across governance, disclosure, responsible lending, data protection, and enforcement, financial institutions would be well advised to undertake a comprehensive review of their SME onboarding processes, consumer protection frameworks, client agreements, disclosures, and complaints handling mechanisms to ensure full alignment with the SME regulation before it enters into force. Given the breadth of the changes and the central bank's expanded enforcement toolkit, the six month implementation window should be treated as an active remediation period rather than a period of observation.