UAE SME Customer Protection Regulation C 2/2026 — A Complete Compliance Guide for Financial Institutions
What is Regulation C 2/2026?
The Central Bank of the UAE (CBUAE) has issued the Small to Medium Sized Enterprises (SME) Customer Protection Regulation, formally designated C 2/2026, establishing a comprehensive framework governing how Financial Institutions must treat SME customers across the entire lifecycle of their financial relationship.
The Regulation derives its legal authority from Federal Decree-Law No. (6) of 2025 on the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business. It was circulated via Circular No. 2/2026 dated 17 February 2026, and supersedes the prior SME Market Conduct Regulation (Circular No. 1/2021). It applies to all CBUAE-licensed Banks and Finance Companies — including Islamic Financial Institutions.
Who qualifies as an SME?
The SME definition follows Cabinet Resolution No. 22 of 2016. Classification covers three tiers — Micro, Small, and Medium — across Trading, Manufacturing, and Service sectors. Sole proprietors are explicitly included. Financial Institutions must correctly classify customers to determine the applicable level of protection and calibrate fee structures accordingly.
| Category | Trading | Manufacturing | Service |
|---|---|---|---|
| Micro | ≤5 employees or revenue ≤ AED 3M | ≤9 employees or revenue ≤ AED 3M | ≤5 employees or revenue ≤ AED 2M |
| Small | 6–50 employees or revenue ≤ AED 50M | 10–100 employees or revenue ≤ AED 50M | 6–50 employees or revenue ≤ AED 20M |
| Medium | 51–200 employees or revenue ≤ AED 250M | 101–250 employees or revenue ≤ AED 250M | 51–200 employees or revenue ≤ AED 200M |
Governance and institutional oversight
The Board and Senior Management sit at the centre of customer protection governance. Financial Institutions must build a robust framework covering the entire lifecycle of Financial Products and Services — from design and development through promotion, sales, distribution, and ongoing review — underpinned by documented policies, effective monitoring and controls, and active management oversight.
Treating customers honestly and fairly must be embedded as a core element of the institution’s corporate culture. The Board and Senior Management are explicitly required to set the tone from the top.
Disclosure and transparency obligations
Disclosure obligations apply across all communication channels — branches, telephone banking, mobile applications, internet banking, ATMs, and POS terminals. All disclosures must be proactive, accurate, consistent, and available in both English and Arabic in plain language.
Required before entering any contract. Customers must acknowledge receipt in writing.
Minimum written notice before any change to terms, conditions, or fees takes effect.
Required before any automatic annual renewal, explaining how the contract can be cancelled.
Reason for rejection must be disclosed in writing, except where Financial Crime risks apply.
Financial Institutions are prohibited from partial or biased disclosures, and must not withhold the existence of alternative products that may be more appropriate or cost-effective for the customer.
Responsible conduct, fee governance, and customer mobility
Financial Institutions must develop an internal code of conduct for staff, prohibit abusive sales and marketing practices, and ban tied selling and bundling of products. A formal suitability assessment framework is required, adapted to the specific SME category of each customer. Anti-competitive and discriminatory practices — including discrimination based on size, nationality of ownership, or type of business activities — are explicitly prohibited.
All fees charged must be fair, reasonable, and proportionate. No fees may be charged for activities required by law. Original paper statements must be provided free of charge. Financial Institutions must not impose barriers that prevent customers from switching relationships, and must facilitate the transfer of accounts, products, and financial data without additional fees.
- Account opening: Low-risk customers with standard CDD documentation must have accounts opened within 3 business days. Any valid delay must not exceed 2 weeks.
- No closing fee: No penalty where a Bank Account has been open for 6 months or more.
- Annual operations review: Institutions must annually identify and eliminate unreasonable barriers to the use of Financial Products and Services.
Complaint management and resolution
Financial Institutions must establish an independent Complaints Management Function reporting directly to Senior Management, empowered to resolve complaints independently of other business operations. The complaint process must be accessible, transparent, and free of charge.
- 2 business days: Written acknowledgement of any complaint with a unique reference number.
- Staff and Authorized Agents must be trained in complaint handling procedures.
- The institution is responsible for complaints arising from the activities of Authorized Agents.
Customer data protection
A data minimisation principle applies — Financial Institutions may only collect the minimum data necessary for their licensed activities. A dedicated data management and protection function must be established with direct reporting lines to Senior Management and the Board.
- All customer data, documents, records, and files must be securely retained for a minimum of 5 years.
- The CBUAE must be notified of significant data breaches; affected customers must be notified without undue delay.
- Financial Institutions are liable for reimbursing direct and verifiable costs incurred by customers as a result of any breach.
- Customers must be able to provide informed, expressed consent for data collection, use, and sharing with third parties.
Enforcement and sanctions
Violation of any provision may subject the Financial Institution to supervisory action, administrative action, and financial sanctions as deemed appropriate by the CBUAE.
The CBUAE’s enforcement powers include withdrawing, replacing, or restricting the powers of Senior Management or Board members, providing for interim management, or barring individuals from the UAE financial sector entirely. These personal liability consequences underscore the importance of Board-level ownership of compliance.
Recommended compliance workstreams
There is no phased implementation. Financial Institutions should structure their programme around five parallel workstreams:
Regulations to consider in parallel