Introduction

Recent studies by the Federal Competitiveness and Statistics Authority conclude that 90% of the people in the UAE use digital banking, while 100% has access to ATMs. While the digital market payments are seeing a year on year rise, Cash on Delivery payments (CoD) has reduced substantially and account for only a measly 21%.

As time progresses, banking institutions are increasingly moving away from traditional banking services towards more technologically capable solutions for their clients. The UAE Central Bank’s Regulatory Framework for Stored Values and Electronic Payment Systems (“Regulations”) is legislation which recognizes the significance of regulation in the rapidly growing payments ecosystem. It aspires to bolster financial inclusion, customer protection, as well as financial innovation.

Applicability

The Regulations define a Payment Service Provider (“PSP”) as an institution which has been licensed or authorized to provide payment services digitally under the Regulatory Framework. Digital Payment Services include the optionality of the following:

• Cash-in services, that is the deposit of cash into a digital payment account;
• Cash-out services, that is the withdrawal of cash from a digital payment account;
• Retail Credit/Debit digital payment transactions;
• Governmental Credit/Debit digital payment transactions;
• Peer to Peer digital payment transactions; and
• Money Remittances.

By assessing the current market trends of demand and supply in the UAE, the Central Bank has also specified four different categories of Payment Service Providers, namely,

• Retail PSP – This category includes commercial banking institutions, as well as other licensed entities providing retail, government, peer-to-peer digital payment services or money remittances;
• Micropayment PSP – The Micropayment category includes institutions which offer micropayment solutions for demographics which are underserved by traditional banking services (namely, transport companies, or telecommunications companies);
• Government PSP – This category includes any governmental (Federal or Local) entity offering digital payment services;
• Non-issuing PSP – This category consists of any entity which by itself takes no deposits, nor issues any digital money, but offers retail, government and peer-to-peer digital payment services.

Along with the PSPs, the Regulatory Framework also requires Payment System Operators (“PSO”) to obtain licenses for their operations. PSOs are entities operating fund transfers or any other system which facilitates the circulation of digital money. The licensing requirements for PSOs are yet to be clearly delineated by the Central Bank through notifications which are expected in the future.

Specific organizations and services are exempted from the application of the Regulations. Transactions involving payments through credit or debit card are exempted, as they are governed by the Regulations by the Central Bank. Another example of exemption is “Closed-loop payments”, which are payments occurring within a single store, or set of stores.

The Regulations do not apply where –

• Payment transactions are being made in cash, without the involvement of an intermediary;
• Payment transactions done through paper cheques;
• Payment transactions within a payment/settlement system between settlement institutions;
• Payment transactions related to the transfer of securities/assets or rights accruing from them such as dividends, etc.;
• Payment transactions carried out between PSPs for their own accounts.

The Regulations also designates entities facilitating the provision of payment services to PSPs without any access to the funds of users of the services, as Technical Service Providers, who are made exempt from the Regulations as well. Such designation includes telecom companies, IT professionals etc.

Interestingly, the Regulations also define “virtual currencies” as digital units employed for means of exchange, or as stored values. Such definition while including tokens such as Bitcoin, Ethereum, etc., could also cover reward points programs. The Regulation states that these currencies are not recognized under the Central Bank’s Framework, and transactions with virtual currencies are prohibited. While the Central Bank has qualified such provision to mean that virtual currencies would be regulated by other policies instead. However, no amendment or separate law, regulation or formal guidance has been implemented till date. There is apparent ambiguity regarding whether such a provision merely restricts PSP providers from investing in virtual currencies, or from implementing any features that employ virtual currencies or are merely a general blanket ban against virtual currencies.

Obligations

All PSPs are required to submit an application to receive a suitable license pertaining to its operations (namely within the four categories of PSPs) by the Central Bank. Commercial Banks are exempted from obtaining a license, however, are still required to obtain approval from the Central Bank before providing digital payment services. It is pertinent to note that the Licensing Manual, which clarifies the procedures involving the procurement of a license from the Central Bank, has not yet been introduced by way of notification. However, the expected timeframe for the Central Bank’s approval for such applications should be within 4 to 6 months. Licensed PSPs are also required to comply with the end-user registration requirements, as well as create dispute resolution and support provisions for customers.

The Regulations envisage the Central Bank as a supervisor over PSP operations. PSPs must obtain the approval of the Central Bank before introducing any significant change in their payment systems, or outsourcing any of its functions to another entity. PSPs seeking to outsource any of their operations must also be aware that outsourcing is permitted only to other UAE entities. The PSP is also obligated to ensure that despite such outsourcing, all of its obligations under the Regulations are fulfilled, as well as the fact that the Central Bank’s vigilance over the PSP should not be compromised by such structure.

PSPs must also ensure that its systems can monitor transactions (to comply with anti-laundering, counter-terrorism financing laws), and also have the functionality for blocking suspicious accounts or purchases. All transactions conducted through a PSP are required to be settled through UAE settlement institutions and must conform to account funding limits, transactional limits as well as spending limits as prescribed by the Appropriate Authority. PSPs must also employ systems that are interoperable with other payment systems in the UAE

Amongst other obligations, the Regulations impose a data localization requirement on all PSPs, that is that all digital payments services providers must store and process data obtained through any digital payment services offered in UAE within the territory of the UAE itself. Service providers must thus adequately acquire the provision of data storage farms within the national limits, and ensure that their data handling conforms with the requirements under the Regulatory Framework.

The Central Bank is the key enforcement agency behind the Regulations. It can impose a wide array of orders over PSPs, such as accessing confidential data where necessitated, imposing fines, or cancelling the licenses of a PSP.

Conclusion

The Regulatory Framework has been released in recognition of the increased demand for digital payments by consumers, which has been reflected in the growing models of both new FinTech startups, as well as those of incumbents in the banking sector. The implementation of the Regulatory Framework is an indication of the near future, and service providers seeking to avoid liabilities (such as financial penalties, or worse, a cancellation of their licenses) should acquaint themselves with the obligations on them, specifically the ones which require them to implement changes in the organization of their resources in a manner which is compliant with the Regulations.