Consumer Protection: Are You Ready?

Financial Consumer Protection Regulatory Framework

As announced last year, the Central Bank of Oman’s (“CBO”) Financial Consumer Protection Regulatory Framework (“FCPRF”) comes into force next year and licensed banks and finance and leasing companies (“Licensed Entities”) will be required to disclose the status of financial consumer protection in their 2023 annual reports.

Actions to be Taken

Under the FCPRF, Licensed Entities must conduct an impact analysis and submit a board-approved plan of action to ensure its structures, policies, procedures, practices and systems comply with the FCPRF to the CBO. Subject to the outcome of the analysis, the Licensed Entities are subsequently required to ensure compliance within eighteen months of the FCPRF’s issuance (i.e., by 29 June 2023).

Since the application of, and compliance with, the FCPRF is the responsibility of the board of directors of Licensed Entities, Licensed Entities are encouraged to form separate board-level committees to oversee the application of the FCPRF and, at a minimum, include the FCPRF in the terms of reference of existing board-level committees.

Failure to Comply

The CBO will take any necessary regulatory actions where the standards of the FCPRF are not being met. Violations may be subject to penalties and other measures the CBO deems appropriate.

Key Learnings from the UAE

While every jurisdiction within the GCC has its own particular considerations, one cannot ignore the recent implementation of a very similar consumer protection regime in the UAE. It marked a fundamental change to the financial industry in the UAE and can provide useful lessons during the transition in Oman.

The UAE Consumer Protection Regulation (“CPR”) was issued on 31 December 2020 and became ‘live’ on 1 January 2022 after a 12 month transitional period. Al Tamimi & Company has been instrumental in working with many financial institutions in the UAE to ensure compliance with the CPR. Key learnings during the course of overhauling the documentation and internal processes include the following:

1. Gap Analysis: it is important to first analyse the gap between current documentation, internal and operational processes and policies and the FCPRF.
2. Documentation: determine whether a full revamp or minimal compliance approach will be taken. This includes how language will be simplified to be better understood by consumers.
3. Consent Management: express consent is required for a variety of areas, and financial institutions must determine how consent from existing and new customers will be obtained and recorded.
   1. Data Collection: express consent is required before collecting data (also required by the Personal Data Protection Law (“PDPL”), which will also come into force in 2023) and the purpose of collecting data and to whom the data will be transferred or shared must be disclosed.
   2. Changes to the terms and conditions, interest rates, fees and charges, etc.: customers must be given prior notice and express consent must be obtained before imposing any changes or for any amendments to be applicable to the customers.
   3. Solicitation: under the FCPRF and PDPL, consent is required and an opt-out option must be provided to customers for marketing materials.
4. Internal and Operational Policies: to implement the requirements, internal operational policies must be updated accordingly, which we note is a time-consuming process.
5. Disclosures, warnings and transparency: at each stage of the consumers’ journey, transparency and disclosure of the risks associated with the products and services and the consequences of not complying with the terms and conditions of such products and services are required.

How can we help?

Al Tamimi & Company’s Banking & Finance team can help clients navigate compliance requirements and the actions required under the FCPRF. For any queries in Oman, please don’t hesitate to contact the lawyers below.