You trust financial institutions to look after your money, but can you trust them to safeguard your personal financial information? By reviewing the data privacy practices of several of the major banks in the UAE, we investigate how UAE personal financial data privacy policies can be improved to offer consumers more control over their personal data.
As the internet continues to expand as a convenient way for UAE consumers to shop for financial services, we focused on understanding the personal financial data privacy practices of 14 of the UAE’s domestic and foreign banks from their websites. Nowadays safe banking involves making good choices particularly surrounding protecting your personal financial information to avoid costly surprises and even scams.
View Our Other Work on National Data Regulations and Standards in the GCC
Banks know a great deal about consumers – they know how much you earn, how much you spend, where you spend your hard earned Dirhams, where you work, what your title is, your address, your phone number, your e-mail address, the languages you speak etc. How do financial institutions use this personal data?
As we discovered, many of the banks in the UAE use this personal data to market services to you directly or through third party affiliates. This is why you are receiving SMS messages on a Wednesday at 3 PM from your bank promoting a 40% discount on Japanese cultured pearl necklaces even though you are not in the market for pearls. There appears to be no easy way for consumers to compare UAE financial institutions’ personal financial data privacy policies. Because you likely haven’t read your bank’s data privacy policies, we analyze them for you in this blog post.
Are Some Banks Better (or Worse) Than Others?
According to the UAE Banks Federation Code of Conduct, banks must use reasonable care to prevent unauthorized disclosure of client information and can only release confidential information when permitted by law. By law, UAE banks require consumer authorization to share private financial information with affiliated companies and third parties that market products or services to customers. However, there are no laws in the UAE that specify how financial institutions should notify consumers of their institutional data sharing practices or which extend consumers the right to limit or opt out of sharing their private data. In some countries specific laws contain financial privacy provisions which give consumers the right to opt out of sharing their personal information with affiliates and third parties for marketing solicitations via telemarketing, SMS, direct mail marketing, or electronic mail.
Since institutional data sharing polices in the UAE are devolved to individual financial institutions, there are significant differences in financial institutions’ privacy practices. For example, there is significant variance in the provisions of online privacy policies of UAE financial institutions with several institutions failing to offer online privacy policies in Arabic. Institutional data sharing practices are also commonly buried in 50+ page terms and conditions documents which are not consumer friendly.
In the absence of standardized disclosure of institutional privacy practices, there is significant opportunity for UAE financial institutions to distinguish themselves by adopting more consumer friendly privacy practices. In a recent study Tahseen Consulting conducted on data sharing practices of financial institutions in the UAE, we found that only three of the UAE’s 10 largest banks allowed consumers to opt out of sharing their information for marketing solicitation. However, even these institutions failed to offer clear processes on how consumers could opt out of sharing their private data.
Mandated annual privacy disclosures in a standardized format which would explain with whom data is shared, what data is collected, how data is collected, why data is shared, and explain opt-out rights would significantly improve industry data privacy practices. Until the UAE mandates such disclosures, it is extremely difficult for consumers to distinguish between the data sharing practices of financial institutions. The only way for consumers to fully understand how their private information will be treated by a particular financial institution is to read their bank’s standard terms and conditions. Unfortunately, banks don’t make this easy for consumers, and consumers will have to search through a lengthy document to locate the bank’s data sharing provisions. However, the majority of UAE banks do not offer consumers the right to opt out of sharing their personal information with affiliates or third parties. UAE financial institutions generally make the holding of an account contingent upon consumers agreeing to the sharing of their personal information for marketing purposes. The only way to avoid having your information shared for marketing purposes is to cease to be a customer.
I Never Agreed to This. Did Your Read the Fine Print?
While there is no federal law that protects personal information in the UAE, a number of laws have broad protections that prevent the sharing of information about an individual’s private or family life without consent. For example, the UAE Credit Information Protection Law contains provisions which require written approval to share confidential consumer credit information. However, many consumers in the UAE don’t realize that they provide written authorization to their bank to share credit, financial, and personal information with affiliates and third parties when they complete account opening procedures. After a consumer opens an account, banks continue to gather personal information, including data such as postal and e-mail address, phone numbers, employment, financial status, and credit history, from transactions and applications for services such as funds transfers and loans.
When consumers complete account opening application forms, they must agree to a declaration that indicates they have read and agree with the financial institution’s general terms and conditions for holding an account and using internet banking services. Within these documents, which are often difficult for consumers to read and understand, financial institutions retain the right to share a consumers’ private information with affiliates, companies related by common ownership or control, and third parties, nonaffiliated financial companies with a formal agreement with the financial institution to market products or services to the bank’s customers. Several banks also retain the right to share private information with affiliates and third-parties in countries outside the UAE.
Since UAE laws do not contain provisions restricting information sharing among companies related by common ownership or control, personal information (such as name, address, and account number) and account information (such as type of accounts, account balances, and transaction history) can be shared for marketing purposes. For example, if a large bank has affiliated subsidiaries that offer private banking, financial management, or insurance services, all of the consumer’s information can be freely shared for cross selling additional services. The UAE’s approach is similar to the United States in which the Gramm-Leach-Bliley Act allows companies to share personal data with affiliated entities with the exception of information on creditworthiness. However, in Europe, the European Union Data Directive prevents banks from sharing personal data between affiliated entities to cross sell services unless the information was specifically collected for marketing a particular service.
When consumers complete account opening application forms and agree to a financial institution’s general terms and conditions, they also typically authorize the financial institution to share their information with third parties which have formal agreements to market products and services to consumers via telemarketing, SMS, direct mail marketing, or electronic mail. Generally, third-party service providers have access to Personal information (name, address and account number), Account information (type of accounts, account balances and transaction history), and Transaction information (dates, amounts, locations and type of transaction) but not account numbers.
Because the UAE has residents from so many countries, reactions to telemarketing, SMS, direct mail marketing, or electronic mail marketing solicitations range from apathy to consumers becoming extremely irate because they do not know how a particular entity received their private information and are unable to remove themselves from a marketer’s database. The marketing departments of financial institutions use personal data to market directly to existing clients, cross sell products of affiliated companies, and form joint marketing partnerships that allow third parties to target customers with solicitations for other products and services. Financial institutions and third parties who have entered into formal agreements with a particular financial institution do not need to purchase databases to sell into their existing client base since they already have substantial private information about consumers already.
What Could Regulators Do to Prevent This Issue?
- Mandate annual privacy disclosures in a standardized format in Arabic and English which would explain with whom data is shared, what data is collected, how data is collected, why data is shared, and explain opt-out rights would significantly improve transparency of industry data privacy practices;
- Similar to Europe, the UAE could enact a law which would mandate that data must be collected for specified, explicit purposes and not further processed in a way incompatible with those purposes;
- Enact federal laws which would compel financial institutions to implement simple opt-out processes so that consumers canlimit the transfer and use of personal information;
- Require financial institutions to provide easy access to privacy policies at branch offices and online through a single web site with opt-out information;
- Financial institutions could be required to provide simply stated and clear privacy policies following common standards for readability to stop the current practice of banks including data sharing provisions in general terms and conditions that must be agreed to in order to hold an account;
- Clarify the rights of individuals to protect their privacy and seek remedies if their privacy rights are violated and stop the practice of allowing banks to indemnify themselves from damages which might result from the sharing of personal information with third parties;
- Regulate the sharing of private information to countries outside the UAE;
- Give individuals the right to review information that is disclosed or to correct inaccurate or incomplete data.