This article was first published in the October 2021 edition of The Oath Middle East Law Journal for Corporates.
Rosalind Rayman and Ahmed Thabet’s expert insight on how the new licensing regime for payment service providers takes a step towards supporting UAE’s digital economy objectives.
The Fourth Industrial Revolution Strategy of UAE aims to increase economic security through adoption of the digital economy and blockchain technology in financial transactions and services; and has been adopted to implement the digital economy in UAE. The Central Bank UAE Regulations for Retail Payment Systems endorse His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE and Ruler of Dubai’s vision of a digital economy.
In 2017, I wrote an article on “The Future of Fintech in the Region”, when Fintech in the UAE was in its nascency with the launch of DFSA’s Innovation Testing License and Abu Dhabi Global Market sandbox. The Central Bank had at that time just issued the Regulatory Framework for Stored Values and Electronic Payment Systems (Regulations), subsequently amended in November 2020 to cover Stored Value facilities to support the development of e-wallets issued by financial institutions and fintech firms. At that time one of the challenges faced by Fintechs was the regulatory gap and I recall Peter Smith telling me, “Regulations surrounding Fintech operating models are in their infancy and regulators are trying to come up with approaches that balance innovation and consumer protection while keeping the overall system stable. This is a tough balance to deliver considering the variety of business models and risks inherent in these models.”
Fast forward to 2021, and the UAE is the largest Fintech hub for start-ups across the Middle East region, housing almost 50 per cent of the region’s FinTech companies. Forbes Middle East reported that Fintech startups have raised over USD100 million in the last five years. With 70 per cent of the population not having a bank account, investment in the Fintech industry remains an attractive option. We have seen an explosion of FinTechs and ecommerce businesses in the region, with success stories of Sarwa, Mumzworld, Paytabs, CASHU, Souqalmal and noon and the emergence of newcomers such as Mamo Pay and Tabby.
PAVING THE WAY FOR INNOVATION
The UAE Central Bank Regulations for Retail Payment Systems (RPS) continue the move away from licenses based on the traditional bricks-and-mortar style banking, and this ongoing approach will allow for innovative players to enter the market and help build the digital economy. These new regulations are aligned with the changes seen in regulations in Europe by way of the Payment Services Directives (PSD). In Europe PSD has enabled Fintechs to partner with banks and utilise the banks’ APIs (open banking) to develop apps and services for the banks. Open banking has the ability to transform how banks interact with consumers.
SCOPE OF RPS REGULATIONS
The RPS regulations came into force on July 15, 2021 and a one-year transitional period has been granted to existing payment service providers and card schemes.
The RPS regulations introduce a licensing regime for payment service providers operating or seeking to provide one or more of nine payment services or payment card schemes in the UAE. These services include payment account issuance, payment instrument issuance, merchant acquiring, payment aggregation, domestic and cross border fund transfers, payment tokens, payment initiation and payment account information services.
The RPS regulations provide for four categories of license (Category I, II, III and IV), and each license category allows retail payment services providers to offer certain retail payment services depending on the license category granted by the Central Bank. Category “I” license, being the broadest category, offers licensees the ability to provide one or more of the following services: payment account issuance, payment instrument issuance, merchant acquiring, payment aggregation, domestic and cross border fund transfers, and payment tokens services. Licensees with Category “II” license may provide one or more of the services licensed under Category “I” except for payment token services which are strictly allowed under category “I” license only. Licensees with Category “III” license may provide payment account issuance, payment instrument issuance, merchant acquiring, payment aggregation, and domestic fund transfers services. Licensees with Category “IV” license may provide payment initiation and payment account information services only.
Licensed banks are exempt from the licensing requirement under the RPS regulations and may offer any of the nine retail payment services without an additional license from the Central Bank. However, before a licensed bank can offer merchant acquiring, payment aggregation, payment token, payment Initiation, or payment account information services, it must obtain a non-objection letter from the Central Bank. Finance companies licensed under the Central Bank’s finance companies’ regulations are also exempt from the licensing requirement, but only for the purpose of issuing credit cards.
The RPS regulations set out certain prerequisite conditions which must be observed and maintained by those applicants seeking to be licensed under the RPS regulations. Among these conditions; the applicant must (a) be a juridical person taking the legal form of a Joint Stock Company or Limited liability company, which is subject to the rules issued by the Central Bank’s board of directors; (b) meet the minimum capital requirement depending on the category license it is seeking, (these capital requirements, range between AED3m for a category “I” license to AED100,000 for category “IV” license, and are lower than those required for a banking license); and (c) provide supporting documentation specified in the license application form. In addition to these prerequisite requirements, licensed retail payment services providers must observe certain ongoing requirements, which include; compliance with the corporate governance requirements specified in the regulations, maintaining a robust and comprehensive risk management framework, policies and risk reporting standards, appointment of an auditor on an annual basis who shall prepare annual financial statements in accordance with acceptable standards, records retention of personal and payment data for five years, observe the regulatory notification requirement upon the occurrence of certain events specified in the regulations and maintaining a professional indemnity insurance policy which is applicable to payment initiation and payment account information services providers only.
Card schemes The RPS regulations also introduce a licensing requirement for cards schemes operating within the UAE, and the Central Bank reserves the sole discretion to decide whether to grant such license (with or without conditions or restrictions) or to refuse to grant such license. Applicants for a card scheme license must meet the fit and proper criteria for its management and provide necessary supporting documents and information to the Central Bank for the application to be considered. These supporting documents, and information include the business model, and business strategy, ownership structure of the applicant, corporate governance structure and description of key risks associated with the conduct of business, money laundering and terrorist financing.
THE ‘FULL DIGITAL EXPERIENCE’
It is clear that the RPS regulations allow for a wider group of players to enter the UAE payment services market and with the advent of these new regulations we expect to see new digital services being offered in the UAE, which are ancillary to digital banking and digital payments (such as payment initiation and payment account information services), as seen with the roll out of the PSD across Europe. As UAE retail payment service providers will now be able to offer payment services in an adequately regulated ecosystem, this in turn should promote open banking services, thus enhancing the customer experience by giving consumers more control over their own banking and payment data. As seen in Europe, we also expect to see retailers partnering with Fintechs to take advantage of open APIs to allow consumers an easier payment process and also to allow ecommerce customers more payment options at checkout, such as “Buy Now Pay Later”. Whilst some banks have previously offered digital banking, based on legacy platforms, the new regulations will allow UAE banks to partner with Fintechs in order to offer bank customers a “full digital experience”.
It is clear that the RPS regulations, together with the Stored Values Facility regulations, are an important step forward in supporting the UAE’s strategic objective of a digital economy, built on trust. The regulations are also a step forward in financial inclusion and it is hoped that the unbanked population will now have more options available for transferring funds home to family. The success of the digital economy continues to rest on the participation of Government, individual authorities and private sector as well as the availability of a pool of qualified IT professionals. The regulations detailed in this article indeed outline the ongoing support of the Government and the Central Bank and with the Government’s recent changes in visa requirements allowing for easier inflow of IT professionals this further paves the way for the success of a digital economy.
Rosalind Rayman, Legal Director, FICO
Ahmed Thabet, Legal Director, The Bench
 Peter Smith joined the DFSA in June 2012, as Head of Policy, to lead the further development of the DFSA’s policy framework. He joined the Executive Committee as Head of Policy and Strategy in early 2015 and was appointed a Managing Director in early 2016. He is responsible for the DFSA’s strategic planning.  Payment Services Directives 1 and 2 provides the legal framework within which all payment service providers must operate. PSD’s purpose was to increase pan-European competition with participation from non-banks and to provide for a level playing field by harmonising consumer protections and rights and obligations for payment providers and users.