Menu
undefined undefined
My dashboard
My Content
My products (0) My insights (0) My events (0) My contacts (0)

Digital payments in the UAE - a new Framework

On 01 January 2017, the UAE Central Bank published a “Regulatory Framework for Stored Values and Electronic Payment Systems” (the Framework).

12 January 2017

Publication

The Framework is intended to further the Central Bank’s stated vision of the “pervasive adoption of secure, customer-centric and innovative digital payments for all stakeholders in the UAE”.

There are far reaching consequences for businesses who provide digital payment services. So, Merchant Account Providers, Third Party Payment Gateways, Integrated Payment Providers and those who trade in cryptocurrency, should all consider implications of the Framework based on the specific functions of their business.

Here are ten initial points of interest:

  • The Framework establishes a licensing regime administered by the Central Bank for four types of payment service provider (PSP):
    • Retail PSPs: primarily commercial banks which offer retail, government and peer-to-peer digital payment services and remittance services.
    • Micropayment PSPs: those who offer micropayments solutions and facilitate digital payments for the unbanked and under-banked market segment in the UAE. These PSPs will include licensed operators, money exchange businesses, and public transportation providers.
    • Government PSPs: federal and local government bodies offering digital payment services
    • Non-issuing PSPs: non-deposit taking institutions which do not issue digital money and which offer retail, government and peer-to-peer digital payment services.

If a business falling within any of the above categories was operational at the beginning of the new year, they will have a year-long grace period after which, if not compliant, they will have to cease services in the UAE.

  • By way of an exception, Technical Service Providers are not required to be licensed under the Framework. Technical Service Providers are organisations facilitating the provision of payment services to PSPs, including by providing communications networks, privacy protection services, pure authentication services or data hosting services. The extent to which a PSP is actually a pure technical intermediary will need to be considered.
  • The Framework covers the provision of payment systems referred to as Stored Value Facilities, which include systems enabling payments into and withdrawals from payment accounts, retail credit and debit payment transactions, government credit and debit payment transactions, peer-to-peer transactions and remittances. These systems may be accessed through digital applications or physical cards.
  • The Central Bank will maintain a list of licensed PSPs, approved Agents and approved outsourced service providers. Agents are entities providing limited digital payment services on behalf of PSPs, such as registering users for services.
  • The Framework prohibits Virtual Currencies and any transactions thereof, however, the exception in the definition includes a digital unit which can be redeemed for goods, services and discounts as part of a user loyalty programme with the Issuer provided that it cannot be converted into a flat/virtual currency.
  • PSPs may outsource certain operational functions for the provision of digital payment services, but only if such services are carried out on-shore in the UAE (other than in the Dubai International Financial Centre or the Abu Dhabi Global Market) and written approval is sought from the Central Bank not less than three months before the execution of the outsourcing contract. As drafted, there are no minimum thresholds to help determine materiality but it is interesting to note the on-shoring principle which underpins this.
  • The Central Bank has the right to impose access regimes on payment systems designated as being systemically important. The access regime will determine conditions for access to the payment system and may be imposed if considered to be in the interests of the public or competition amongst market participants.
  • The Framework requires each PSP to enter into a Customer Service Agreement with each user which includes certain minimum terms, including a detailed description of the PSP’s services and the PSP’s privacy policy.
  • PSPs are required to maintain records of user identification data and transaction data. The Framework establishes a data localisation obligation by requiring such data to be hosted in the UAE (but not in the DIFC or the ADGM). Users’ “personal information” must be stored for five years “from the data the user relationship is terminated” and transaction data for five years “from the date of the original transaction”.
  • PSPs are required to ensure interoperability between their systems and the systems of other PSPs, including by entering into an “interoperability agreement” and sharing relevant technical information. The extent to which this requirement will dilute a PSP’s competitive advantage through an advanced technical solution will be interesting.

View a copy of the Framework here. To discuss the implications of Framework, please contact Raza Rizvi or Neil Westwood.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.

Related insights

This website uses cookies and other similar technologies to ensure you get the best experience on our website. Please review our cookie policy and our data protection privacy notice for more information on how the data that is collected is used.