Fintech-related regulations in the UAE

Published On : September 23, 2022

Adv. Ashna

When it comes to Fintech, the various activities that businesses in the field could potentially pursue are far and wide. Generally, the following activities are regulated in the DIFC, ADGM and the remainder of the UAE (onshore companies) – this is not an exhaustive list:

·  Providing credit,
·  Providing money services,
·  Accepting deposits,
·  Marketing and sale of securities (or similar products),
·  Managing assets,
·  Advising on financial products,
·  Digital banking,
·  Digital money exchange,
·  Digital payments and payment processing,
·  Crowdfunding, and
·  Dealings in cryptocurrencies and tokens.

No fintech business is prohibited as such (unless the underlying subject matter itself is prohibited under the laws of the UAE, such as gambling or explicit media), but most are subject to significant regulatory requirements and barriers to entry because they tend to constitute activities that are subject to the UAE’s banking, insurance, financial services, or securities regulations, all of which are regulated.

In 2017, the Central Bank of the UAE issued the Electronic Payment Regulation, which is the governing regulation for payment service providers (PSPs) in the UAE. This regulation mandates that entities seeking to be licensed as PSPs must obtain approval and receive the relevant licence before dealing with payment systems. There are two categories of PSPs that must obtain the requisite licences under the Regulation – PSPs and Payment Service Operators.

ADGM open banking framework

Open banking, which gives third-party financial service providers open access to consumer banking, transaction and other financial data through application programming interfaces, is set to reshape the industry. Prior to the COVID-19 pandemic, 88% of banks anticipated deploying open banking in the following year. In April, the Abu Dhabi Global Market introduced a framework to supervise third-party fintech companies that provide these services. Specifically, there are data privacy concerns around open banking, since open banking allows lending parties to share detailed customer data like spending patterns and transaction histories. The framework regulates how third-party fintech companies obtain access to, transfer and process data, and includes requirements on privacy, AML, counter-terrorist financing and data protection.

Holistic overview of the latest legal & regulatory changes impacting FinTech in the UAE (BSA Ahmad Bin Hezeem & Associates LLP):

1. Central Bank Circular No. 15/2021 regarding Retail Payment Services and Card Schemes Regulation (RPSCS)

The RPSCS Regulation was published in the official gazette on 15 July 2021 and is effective within 1 month of its publication. As per the Regulation, it is prohibited to conduct a retail payment service without obtaining a prior license from the Central Bank. The Regulation sets out the requirements and the conditions for obtaining a license for the provision of retail payment services and operating a card scheme. Payment Service Providers (PSPs) are given 1 year to comply with the licensing requirements.

What does this change?

The Regulation divided the retail payment services into 4 licensing categories. PSPs must now apply for one of the categories. Any PSP applying for a license must meet the initial capital requirement. The initial capital requirement will depend on the licensing category and can reach AED 3M for some categories. Any PSP is also expected to comply with other hefty requirements relating to corporate governance and risk management (i.e., a PSP must establish a risk management function, an internal audit function and a compliance function).

What is the impact on business owners?

Any PSP wishing to offer ancillary services, which are not included under its license, must obtain the approval of the Central Bank. The Central Bank may require that the PSP create a separate entity for the provision of such services. Companies wishing to set up PSP services must consider the substantial costs associated with the regulatory requirements.

2. Central Bank Circular No. 9/2020 regarding Large Value Payment Systems Regulations

This Regulation focuses on Large-value Payment Systems (LVPS), which are Financial Infrastructure Systems that support the financial and wholesale activities in the UAE. The Regulation covers the licensing requirements in relation to LVPS as well as the obligations and ongoing requirements in relation to a designated LVPS. The Regulation applies to:

1. LVPS that are operated in the UAE; or
2. LVPS that accept the clearing or settlement of transfer orders denominated in the AED currency, whether in the UAE or outside the UAE.

We note that the Regulation does not apply to LVPS incorporated in financial free zones, unless expressly provided in the Regulation.

What does this change?

Operating an LVPS in the UAE requires a prior license from the Central Bank. An LVPS must ensure compliance with the Central Bank’s instructions and requests for information. The LVPS operator is also required to comply with the Principles of Financial Market Infrastructures (PFMI), which are key standards that the international community considers essential to strengthening and preserving financial stability. By way of example, the PFMI includes compliance with safety and efficiency requirements, submission of information or documents, and allowing the Central Bank to examine at any time, with short prior notice, any books, accounts or transactions of the LVPS operator.

What is the impact on business owners?

Any LVPS operator should expect a high level of supervision from the Central Bank, and an obligation to cooperate efficiently with the latter.

3. DFSA Consultation Paper No. 138 – Regulation of Security Tokens

The Dubai Financial Services Authority (DFSA) has launched its regulatory framework for “Investment Tokens” based on its Consultation Paper No. 138 – Regulation of Security Tokens, published in March 2021.

“Investment Token” is defined to include:

  1. a security (which includes, for example, a share, debenture or warrant) or derivative (an option or future) in the form of a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using Distributed Ledger Technology (“DLT”) or other similar technology; or

  2. a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using DLT or other similar technology and: (i) confers rights and obligations that are substantially similar in nature to those conferred by a security or derivative; or (ii) has a substantially similar purpose or effect to a security or derivative.

This means that key cryptocurrencies (i.e., bitcoin, ETH) will not be subject to this regulatory framework, given that they are not securities, nor are they considered substantially similar in nature or purpose to a security or derivative.

What does this change?

Firms that wish to undertake financial services relating to Investment Tokens in or from the DIFC (i.e., issuing, trading, holding, dealing in, advising on, managing portfolios etc.) must meet certain licensing and technological requirements set by the DFSA.

What is the impact on business owners?

Businesses conducting financial services in relation to Investment Tokens will need to obtain DFSA approval. We note that it is prohibited to promote and advertise Investment Tokens. The new rules impose a technology audit requirement on all firms that operate a facility for Investment Tokens.

4. The new Stored Value Facilities (SVF) Regulation

The new Stored Value Facilities (SVF) Regulation, which was issued in September 2020 but has had ramifications across 2021, repeals and replaces the Regulatory Framework for Stored Value and Electronic Payment Systems. The Regulation defines an SVF as a facility whereby a customer can pay a sum of money to the SVF issuer in exchange for the storage of that money on the facility. The Regulation applies to companies wishing to undertake an SVF activity, with certain exceptions. For instance, the Regulation does not apply to the below SVFs:

  • SVFs used for certain cash reward schemes;

  • SVFs used for purchasing certain digital products;

  • SVFs used for certain bonus point schemes;

  • SVFs that can only be used within a limited group of products or services providers; and

  • Those within which (subject to being accepted by the UAECB) the aggregate amount of the float of the facilities does not exceed AED 500,000 and the aggregate number of customers is not more than 100.

SVFs are given a 1-year period to comply with the Regulation’s requirements.

What does this change?

The most important change we note is that the requirement to have a regulated bank as a majority shareholder has been removed. However, other technical and capital requirements are put in place. Moreover, the Regulation introduces an express prohibition on the marketing of overseas SVFs in the UAE.

What is the impact on business owners?

SVFs must comply with the technical and capital requirements of the Regulation. For example, SVFs are required to have a minimum paid up capital of at least AED 15m and an aggregate capital of funds of at least 5% of the total float received by the SVF from customers. The Regulation is highly focused on technology and risk management and includes extensive obligations around cyber security and technology governance that businesses will need to consider when setting up an SVF activity in the UAE. This is seen by many as a step towards the adoption of crypto and virtual assets.

5. Federal Decree-Law No. 45 of 2021 regarding Personal Data Protection (the Law)

The long-awaited Data Protection Law was finally issued on 27 November 2021 and it took effect on 2 January 2022.

The Law applies to:

  1. Organizations incorporated in the UAE that process data of subjects inside or outside the UAE; and

  2. Organizations outside of the UAE that process data of subjects inside the UAE.

Some organizations, such as governmental entities, are excluded from the scope of application of this Law. Furthermore, certain industries will not be subject to the Law and will have their separate data protection regulations, such as health personal data and banking personal data. We note that this Law will not replace data protection laws issued in some free zones (DIFC and ADGM) but will be applied concurrently.

What does this change?

The Law provides for the establishment of a national data privacy regulator who will oversee the implementation of the Law and issue guidelines relating to data privacy. Organizations processing personal data must comply with the Law's requirements and protect the privacy of data collected. Organizations are granted a period of 6 months to reconsider their data operations and comply with the Law.

What is the impact on business owners?

The law includes several principles found in the General Data Protection Law (GDPR). For example, organizations that process personal data must:

  • Have a legal base for the processing of personal data;

  • Obtain clear consent of the data subject prior to processing their data;

  • Provide the data subject with a range of rights relating to their personal data, such as the right to erase or correct the data, request its transfer, or object to certain types of data processing;

  • Limit the purpose of collecting the data to what is necessary; and

  • Conduct an impact assessment when using modern technologies.