Points to note from the UAE’s Stored Value Facilities Regulation

Summary

The Central Bank of the United Arab Emirates (CBUAE) issued the Stored Value Facilities Regulation (the Regulation) on 30 September 2020. This repeals and replaces the Regulatory Framework for Stored Values and Electronic Payment Systems issued on 13/12/2016 (the 'Framework').

The term 'stored value facilities' (SVF) covers any non-cash facility through which a customer pre-pays money (or 'money's worth') so that they may subsequently use that payment method to pay for goods or services.

The Regulation covers the licensing, supervisory and enforcement requirements around SVF in the UAE, as well as non-UAE entities which promote SVF in the UAE on a cross-border basis.

The Regulation came into effect on 15 November 2020, which started a one-year transition period for licensees under the Framework to achieve compliance. Licensees under the Framework are required to submit independent assessment reports before the end of the transition period.

The Regulation demonstrates the continuation of the CBUAE to embrace novel payments sector realities without diluting its focus on resilience across the sector to protect consumers.

Here are five points to note about the Regulations:

1. Four to one

The Framework had carefully laid out the details of four distinct categories of payment service provider ('PSP'). These have gone. Although there are a variety of SVF activities mentioned in the Regulations, there is now just a single licencing category: an SVF Licence.

Having been closely involved in each category of the previous PSP categories, this streamlining is welcomed, as is the administrative pragmatism which is part of the rationale for this change.

2. Serious players only, please

Although the requirement in the Framework to have a regulated bank as a majority shareholder has been removed, the SVF requirements are certainly not light. Those who apply for an SVF Licence cannot assume that they can have it as an ancillary part of a different core business. Licensees will also need to give careful consideration to the Regulation's corporate governance requirements, general risk management and controls as well as financial resources requirements which require a minimum paid up capital of at least AED 15m and an aggregate capital of funds of at least 5% of the total float received by the SVF from customers. It's also noteworthy that, amongst the list of documentary requirements, an applicant is required to provide three years of audited financials in addition to a suite of internal and customer facing documents for review. An application under the Regulation will need to be expertly put together to not only meet the stated requirements, but also the policy considerations which underpin the requirements.

3. Hello Crypto

Although the CBUAE has been clear that crypto and virtual assets are not legal tender in the UAE, the international institutional adoption of such assets cannot be ignored. The Regulation takes a step forward in this regard by providing that such assets may be used as a stored value when purchasing other goods and services.

Beyond the Regulations, 'payment tokens' are on the horizon whereby the crypto assets backed by fiat currency will be usable for payments. In addition to the CBUAE, the UAE's other financial services regulators will play a key role (both directly and indirectly) in bringing about more mainstream adoption of such assets in the UAE and wider region.

4. Overseas SVF schemes, a risky business

Without a licence, an overseas SVF provider will be unable to lawfully advertise or market in the UAE. The Regulation lists a set of non-exhaustive factors to determine whether the relevant overseas SVF scheme is presented in a manner to appear as if it is issued in the UAE. These include the delivery location of the facility and subsequent customer support, the location of channels for top up, and the extent to which the promotional material is 'targeted' via 'push techniques'. Those looking to avoid getting caught in this should carefully review these factors, the accessibility of the digital materials relating to the overseas scheme and whether the issuer has systems in place to avoid the provision of services to a UAE resident.

5. Best in class expectations on technology risk management and InfoSec

By far the most voluminous provisions in the Regulation concern Technology and Specific Risk management.

As well as quite prescriptive expectations around technology governance, and ongoing system development obligations and practices, there are extensive obligations around cyber resilience and the licensee is expected to follow a data classification process.

Other data-related obligations in the Regulations are seemingly inspired by emerging international regimes centred around data subject rights, for example, there is a principle of 'information minimalization'. However, unlike data minimisation principles seen in personal data protection laws, the Regulation ties this principle more to data security.

There is of course plenty more in the 85 pages of the Regulations and the approach taken by CBUAE on its application and enforcement will be interesting to watch. If you have any questions on the Regulation or how it fits into the wider reforms in the region on digital payments, please do not hesitate to get in touch with Muneer Khan or Raza Rizvi.