New UAE regulations for payments providers and card scheme operators

15 July 2021 marks the coming into force date of the Retail Payment Services and Card Schemes  Regulation (the "RPSCS Regulation"). The RPSCS Regulation is the fourth instalment in the Central Bank of the UAE's ("CBUAE") journey to overhaul the digital payments regulatory regime as the UAE emerges as a global leader in the industry.

Background

The CBUAE began its digital payments reform by repealing the Regulatory Framework for Stored Value and Electronic Payment Systems (the "SVF Framework") and replacing it with the Stored Value Facilities Regulation (the "SVF Regulation"). The SVF Regulation replaced the four distinct categories of payment service provider ("PSP") previously laid out by the SVF Framework with a single licensing category: the SVF License. Earlier this year, following the issuance of the SVF Regulation, the CBUAE also issued the Large Value Payment Systems Regulations (the "LPS Regulation") and the Retail Payment Systems Regulation (the "RPS Regulation") which set standards for financial infrastructure systems that support whole sale payment activities and regulates retail payment systems that provide fund transfer, clearing and settlement services in the retail context, respectively.

Following the blueprint set by the three abovementioned digital payments regulations, the RPSCS Regulation sets out the rules and conditions established by the CBUAE for acquiring and maintaining a license for the provision of retail payment services and operating a card scheme. Under the RPSCS Regulation, the term "retail payment services" comprises of nine defined categories of retail payments services: payment account issuance services, payment instrument issuance services, merchant acquiring services, payment aggregation services, domestic and cross-border fund transfer services, payment token services, payment initiation services and payment account information services.

Licensing

The CBUAE has opted for a four category licensing scheme for retail payment services (each a "Payments License") under the RPSCS Regulation. PSPs must now apply for one of Categories I , II, III or IV Payments Licenses. Banks, however, do not need a Payment License insofar as they engage in the provision of payment account issuance services, payment instrument issuance services and domestic and cross-border fund transfer services. For all other retail payments services, a bank must obtain a no objection letter from the CBUAE prior to commencing the provision of such services.

Licensing categories

Each of the four categories of Payments License will allow a PSP to provide a prescribed number of the nine retail payment services, with lower categories of Payments Licenses permitting more regulated activities. For example, a PSP that intends to provide payment account issuance services, merchant acquiring services, payment aggregation services, payment instrument services or domestic fund transfer services may apply for either a Category I, II or III Payments License. Practically speaking, this means PSPs who engage solely in one or more of the four aforementioned retail payments services will likely seek to obtain the most efficient and economical of the three Payments Licenses available. The initial capital requirements for each Payments License will likely be a major factor in this decision.  

Initial capital requirements

Similar to the SVF Regulation, a licensee must meet strict financial resourcing requirements as a condition of obtaining and maintaining its Payments License. These initial capital requirements differ across the different Payments License categories and range from AED100,000 under a Category IV Payments License to AED 3M under Category I Payments License. The PSP's aggregate capital funds may not fall below the prescribed initial capital requirement.

It is noteworthy that although the prescribed initial capital requirements for the various Payments Licenses are far more modest than those required to maintain a SVF License, the CBUAE expressly reserves the right to impose higher aggregate capital fund requirements if it considers it essential to ensuring that the PSP can meet its regulatory obligations. Further, a PSP will be automatically subject to a higher aggregate capital fund requirement once the value of payment transactions exceed AED 10M for three consecutive months. This new amount will be determined by the CBUAE.

Ancillary services

The regime for Payments Licenses under the RPSCS Regulation will require a considerable amount of organisational foreplaning as the principal business of the payments provider must align with the retail payments service for which it was granted a Payments License. If the PSP intends to provide ancillary services beyond the scope of its Payments License, it must obtain CBUAE's approval to do so, in which case, the CBUAE may require that the PSP create a separate entity for the provision of such services. Practically speaking, we may see PSPs forgo the provision of certain ancillary services altogether due to costs associated with the creation of an entirely separate entity as required by the CBUAE.

Card Scheme license

In contrast with the Payments Licenses, the licensing regime for card scheme operators is quite straightforward with a single license without any exceptions (a "CS License"). The CBUAE, however, expressly reserves the right to issue a CS License with or without conditions or restrictions, and may refuse to grant a CS License at its discretion. The high level of discretion the CBUAE has over the issuance of CS Licenses is perhaps driven by an expectation that there will be only a handful of licences issued for major payment card networks in the UAE.

Ongoing requirements

While each of the four digital payments regulations takes a nuanced approach to regulating the different players and services in the digital payments ecosystem, there are notable similarities with respect to the ongoing requirements. Indeed, robust corporate governance and internal control frameworks are imperative under each of the four regulations, and in some cases this includes a requirement to establish an independent internal audit function. Further, similar to settlement institutions and systems operators licensed under the RPS Regulation and LVP Regulation, PSPs must be prepared to submit an audit report in the prescribed form to the CBUAE at its request.

Additional requirements for card schemes and payment token service

In addition to the provisions applicable to payments providers generally, those who provide payment token services (which is only permissible under a Category I Payments License) will need to comply with additional rules which include the requirement to regularly assess cybersecurity risk and perform penetration and cyberattack simulations tests and maintain a reserve of Fiat currencies that are legal tender backing the value of each category. The CBUAE will also now have the right to receive information about and regulate the fees charged by card scheme operators, which includes the ability to publicly disclose such fees. As is often the case, we can expect that this new level of transparency will result in a convergence of fees and across the different card schemes.

Closing remarks

The coming into force of the RPSCS Regulation also marks the commencement of the one year transition period. Over this period, we can expect to see many PSPs reorganizing their business and service offering in response to the new requirements under the RPSCS Regulation. We may see a host of new corporate entities pop-up to facilitate the provision of ancillary services as required by the CBUAE. Alternatively, we may see PSPs abandon certain service offerings all together where the CBUAE requires a separate entity be set up for the provision thereof. One thing is certain, however, we can expect industry players to spend considerable amounts of time and effort looking inward; assessing their internal policies, procedures and governance framework to ensure compliance with the new digital payments regime.

In the interim, if you have any questions on the RPSCS Regulation or how it fits into the wider reforms in the region on digital payments, please do not hesitate to get in touch with Raza Rizvi, Nick Roudev or Olivia McKenzie.