AI Outbound Calling Compliance in the GCC: TDRA, CITC, and What Brokers Actually Need to Know

A single call to a number on the UAE Do Not Call Registry can cost you AED 50,000. A second offence: AED 75,000. Third time: AED 150,000 and potential suspension of your telecom service. That's the stakes for GCC outbound calling compliance as of August 2024.

For forex and CFD brokers running outbound campaigns in the Gulf, this isn't theoretical. The UAE's Cabinet Resolutions 56 and 57 of 2024 took effect on 27 August 2024. Saudi Arabia's CITC has active anti-spam enforcement. The rules differ by jurisdiction, and cross-GCC campaigns get complicated fast.

This guide breaks down the specific regulations you need to know, country by country, with a pre-launch compliance checklist at the end.

1. UAE: The Strictest GCC Outbound Calling Compliance Framework

The UAE has the most developed telemarketing compliance framework in the region. Cabinet Resolution No. 56 of 2024 governs telemarketing activities. Cabinet Resolution No. 57 of 2024 sets the penalty schedule. Both took effect 27 August 2024 and apply to any business making outbound calls to UAE numbers.

Here's what the rules actually require:

Prior approval from TDRA. You can't start telemarketing in the UAE without TDRA registration. This isn't a formality; it requires a commercial license and documented internal policies. Fine for starting without approval: AED 75,000 first offence, AED 150,000 third offence.

DNCR mandatory checking. The Do Not Call Registry (DNCR) is managed by TDRA and administered through Etisalat and du. Before calling any UAE number, you must check it against the registry. No exceptions. Calling a DNCR number costs AED 50,000 the first time.

Calling hours: 9 AM to 6 PM. Calls outside those hours are a compliance violation. If you're running AI-powered campaigns, the system must be configured to the UAE timezone and can't autodial outside that window.

Frequency cap. Maximum 1 call per day to any number. If unanswered: maximum 2 attempts per week. Most AI dialers retry aggressively by default. That behavior violates UAE rules.

Call recording. All telemarketing calls must be recorded and stored. AI voice calls are fully recorded by default, which actually gives you an advantage here over human call centers that sometimes miss recordings.

Registered local phone numbers. You must use UAE local numbers registered under your commercial license. Calling from foreign numbers or spoofed numbers violates the registration requirement.

Staff training. Anyone involved in telemarketing must receive documented DNCR ethics training. For AI campaigns, this means your team who builds and monitors the campaigns, not the AI itself.

2. UAE Fine Schedule (Cabinet Resolution 57 of 2024)

Calling a DNCR-registered number: AED 50,000 (1st), AED 75,000 (2nd), AED 150,000 (3rd+). This resets annually.

Starting without TDRA approval: AED 75,000 (1st), AED 100,000 (2nd), AED 150,000 (3rd+).

Record-keeping failures: AED 10,000 (1st), AED 25,000 (2nd), AED 50,000 (3rd+).

Individuals (not just companies): AED 5,000-50,000 in personal fines plus 3-12 month service bans. This is personal liability, not just corporate risk.

3. Saudi Arabia: CITC Anti-Spam Regulations (Regulation 469)

Saudi Arabia's Communications, Space and Technology Commission (CITC) governs telemarketing under Regulation 469: the Regulation for Curbing SPAM Messages and Calls. The framework is primarily SMS-focused but covers voice calls too.

Short code requirement. All promotional outbound messages must originate from a unique, registered short code. If you're sending SMS alongside voice, both must comply. This means getting a dedicated short code from a Saudi telecom provider, which requires a commercial registration in Saudi Arabia.

Promotional marking. All promotional messages must be clearly labelled as promotional. For voice calls, this typically means the AI agent must identify itself and the commercial nature of the call within the first 10 seconds.

Registered senders only. Telecom providers in Saudi Arabia are required to verify and maintain records of all promotional message senders. CITC can request that information at any time. If your sender isn't registered, the carrier is required to block the traffic.

The fine structure in Saudi Arabia is less publicly detailed than UAE's, but CITC has authority to mandate infrastructure changes, block senders, and take additional enforcement action. For financial services firms operating under SAMA (Saudi Central Bank) oversight, there are additional consumer protection expectations layered on top.

4. Qatar and Bahrain: What We Know

Qatar's Communications Regulatory Authority (CRA) operates under a consumer protection framework. Unsolicited electronic communications are defined as spam. The CRA is developing a formal marketing and advertising code of conduct, but as of 2026 it's not yet finalized. Current guidance emphasizes consumer right to opt-out via a simple process.

For Bahrain, the Telecommunications Regulatory Authority (TRA) has a telecommunications law in place but hasn't published detailed telemarketing-specific regulations publicly. If you're running outbound campaigns to Bahrain numbers, the safe approach is to contact the TRA directly for current guidance before launching.

Oman and Kuwait have similar fragmented frameworks. Neither has published a comprehensive telemarketing regulation equivalent to UAE's Cabinet Resolution 56. General consumer protection laws apply. The practical guidance for cross-GCC campaigns: apply UAE TDRA standards as your floor, since they're the most specific and most enforced.

5. What Makes GCC Compliance Harder for Financial Services

Telemarketing law is one layer. For forex and CFD brokers, you're also operating under financial services regulation, which adds requirements specific to the sector. In the UAE, that's DFSA (Dubai Financial Services Authority) or SCA (Securities and Commodities Authority). In Saudi Arabia, it's the Capital Market Authority. See our guide on AI calling compliance for financial services for the full regulatory picture.

The practical implication: your AI caller script can't make investment recommendations or discuss specific positions without triggering different requirements. Scripts for broker account reactivation should focus on account access, fee status, and platform updates, not trading signals or market commentary.

Also worth noting: GDPR applies to GCC residents who are EU citizens, and some GCC countries have their own data protection laws. The UAE's Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) has provisions relevant to recording and storing call data. For the EU angle, see our GDPR and AI outbound calling guide.

6. How AI Calling Platforms Reduce GCC Compliance Risk

Properly configured AI calling systems actually reduce compliance risk in several ways. Our secure infrastructure includes built-in controls that address several TDRA requirements directly:

Automated DNCR checking. Before dialing any UAE number, the system can check against a maintained DNCR list. This eliminates the human error risk of an SDR forgetting to scrub a list.

Timezone-enforced calling hours. The campaign is configured with UAE timezone and the 9 AM-6 PM window hard-enforced. No call goes out at 7 PM because someone forgot to account for the Gulf Standard Time offset.

Frequency cap enforcement. 1 call per day per number, 2 unanswered attempts per week. The system tracks contact history per number and stops automatically. No manual tracking required.

Complete call recording. Every call is recorded and stored. TDRA's record-keeping requirement is satisfied by default. If an audit happens, you have the records.

If you're planning an outbound calling campaign in the GCC and want to review your compliance setup before launch, book a 30-minute call with our team. We've run GCC campaigns and can tell you exactly what to configure.

7. Pre-Launch Compliance Checklist for GCC Outbound Campaigns

Use this before you run any outbound campaign into UAE or Saudi Arabia:

UAE checklist:

• TDRA registration complete (prior approval received)
• Lead list scrubbed against current DNCR (Etisalat/du registry)
• Calling hours restricted to 9 AM-6 PM GST in campaign settings
• Frequency cap set: max 1 call/day, 2 attempts/week if unanswered
• Call recording enabled and storage confirmed
• Outbound numbers registered as UAE local numbers under your commercial license
• Campaign team trained on DNCR ethics requirements (document this)

Saudi Arabia checklist:

• Registered short code obtained from Saudi telecom provider (for SMS components)
• Voice AI script identifies call as commercial within first 10 seconds
• Sender registration confirmed with telecom provider
• SAMA consumer protection requirements reviewed if you're a licensed financial services firm

8. Where the Rules Don't Cover You

Following the telemarketing regulations doesn't mean you've covered everything. A few gaps worth knowing:

Cross-border campaigns from outside the GCC. TDRA regulations apply to calls made to UAE numbers regardless of where the call originates. A broker calling UAE clients from a European operation is still subject to Cabinet Resolution 56.

Expat clients under other jurisdictions' rules. Many GCC residents are EU or UK citizens. Their data rights under GDPR or UK data protection law follow them. A call to a German national in Dubai still has GDPR implications for data handling.

Internal DNC lists vs regulatory DNCR. The UAE DNCR is the regulatory requirement. Your own internal do-not-contact lists are a separate best practice. Both need to be scrubbed before dialing. See the full do-not-call list compliance guide for AI dialers for how to manage both.

9. The Practical Bottom Line for GCC Brokers

The UAE has a real enforcement framework with real fines. Saudi Arabia is less published but actively enforced. Qatar and Bahrain are developing frameworks. The safest path for a GCC-wide campaign is to apply UAE TDRA standards everywhere, get CITC registration sorted for Saudi, and get local legal sign-off before you dial.

For dormant account reactivation campaigns specifically, AI voice agents that enforce compliance controls by default are worth the setup time. The alternative is a human team that occasionally misconfigures a retry schedule or forgets to scrub a list. See also: how AI voice agents run GCC dormant account reactivation campaigns.

If you want to walk through your specific GCC compliance setup before launching a campaign, book a 30-minute strategy call. We've run compliant GCC campaigns and can review your configuration against the current TDRA and CITC requirements.