        • Loan-Based Crowdfunding Activities Regulation

          C 7/2020 Effective from 14/11/2020
          • Dormant Accounts Regulation

            C 1/2020 Effective from 15/2/2020
            • Introduction

              The Central Bank shall regulate and license Loan-based Crowdfunding Activities (“LCAs”) in the United Arab Emirates (“UAE”). By issuing this Regulation, the Central Bank aims to set out the minimum standards required of LCAs. Companies providing LCAs are encouraged to strive to meet higher standards than the minimum requirements set out in this Regulation.

              • Objective

                The objective of introducing this Regulation is to put in place a framework for licensing, regulating and monitoring LCAs and to set out the standards that the Central Bank expects in this regard. The purpose of both the framework and the requirements is to:

                1. Safeguard the financial system from the risks posed by LCAs; and
                   
                2. Safeguard the interests of consumers in the UAE.
                • Scope:

                  All Banks must comply with the provisions of this Regulation at all times.

                • Application

                  This Regulation is issued pursuant to the powers vested in the Central Bank by the Decretal Federal Law No (14) of 2018 regarding the Central Bank and Organization of Financial Institutions and Activities.

                  • Objective:

                    The purpose of this Regulation is to establish a general framework for the control and protection of dormant accounts in Banks and seek to enable customers (or legal owners) to receive the available balances on these accounts.

                  • Scope

                    This Regulation shall apply to crowdfunding companies, wherever their platforms are hosted, engaging in LCAs in the UAE, except in the Financial Free Zones.

                    A company is considered to be engaging in LCAs in the UAE if it meets one of the following conditions:

                    1. If the company carrying out LCAs is incorporated in, or the crowdfunding platform is hosted in the UAE; or
                    2. The crowdfunding platform uses a company’s address situated in the UAE for correspondence; or
                    3. It provides LCAs to clients residing in the UAE.
                    • Article (1): Definitions

                      1. Bank/Banks: Any juridical person licensed in accordance with the provisions of the Central Bank Law, to primarily carry on the activity of taking deposits, and any other licensed financial activities;
                         
                      2. Board: The Bank’s board of directors;
                         
                      3. Central Bank: The Central Bank of the United Arab Emirates;
                         
                      4. Central Bank Law: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities;
                         
                      5. Customer Communication: Any communication by the customer whether written or electronic in response to contact attempts initiated by Banks;
                         
                      6. Demand Deposit Accounts: All customer deposit accounts, payable on demand, including but not limited to current, call, savings, asset based liability accounts or any account with similar balance sheet treatment;
                         
                      7. Dividend: Dividends declared by the Bank to its shareholders and held in trust in Bank’s books for shareholders to claim;
                         
                      8. Dormant Customer: A customer (individual or corporate) who holds account(s) with a Bank, where all held accounts are individually eligible for dormancy and who holds no outstanding facilities with the same Bank in accordance with Article 2 of this Regulation;
                         
                      9. Fixed Term Deposit Accounts: All customer deposits placed with a Bank for a fixed term period, with or without an early repayment option or any account with similar balance sheet treatment;
                         
                      10. Investment Accounts: An Investment Account is a portfolio account where a Bank invests the funds in assets (equity, mutual funds, bonds, structured products etc.) on behalf of a Customer;
                         
                      11. Joint Account: A jointly held account which has a distinct identity as a customer, separate from its individual joint owners;
                         
                      12. Outstanding Facilities: Any financing facilities due from customers, including but not limited to Credit Card balances, loan products, overdrafts etc. and off balance sheet products, also due from customers, such as Bank Guarantees, etc.;
                         
                      13. Safe Deposit Boxes: An individually secured container, in a Bank’s vaults, hired out to Bank’s customers for the safekeeping of their belongings;
                         
                      14. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the Chief Executive Officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
                    • Article (1): Definitions

                      1. Borrower: A UAE registered company (including sole proprietors) seeking a loan from one or more persons.
                         
                      2. Central Bank: Shall mean the Central Bank of the UAE.
                         
                      3. Client: Either a Borrower or a Lender on the Crowdfunding Platform (“CFP”).
                         
                      4. Client money: Money belonging to either the Borrower or the Lender of a CFP that is controlled by the CFP relating to loan-based crowdfunding activity.
                         
                      5. Pricing Platform: A type of Crowdfunding model whereby the platform is responsible for pricing borrower loans and administering the loans. The platform may not give any form of advice or place Lenders’ funds at its own discretion.
                         
                      6. Commitment period: the period specified by the CFP during which Lenders may commit to lending money to a particular Borrower.
                         
                      7. Controlling interest: The holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
                         
                      8. “Cooling-off” period: The period of at least two full business days starting at the end of the commitment period.¹
                         
                      9. Crowdfunding platform (‘CFP’): A web-based platform, social networking site or similar means used for the purpose of Crowdfunding activities.
                         
                      10. Crowdfunding: Crowdfunding is solicitation of funds from persons through a platform for a specific purpose.
                         
                      11. Funding goal: The amount that a borrower aims to raise on the CFP within a set time limit.
                         
                      12. Lender: A person for whom a CFP conducts / provides or intends to conduct / provide Regulated Activities under this Regulation. There are two types of clients who may participate in a CFP:
                         
                        1. Retail Lender: a Client that is not a Market Counterparty; and
                           
                        2. Market Counterparty: a Client that can evidence net assets of over AED 2,000,000 outside of their primary residence and self-attests to being treated as a Market Counterparty, such self-attestation being appropriately reviewed and verified by the CFP.
                           
                      13. Loan: any funds provided to borrowers under a loan-based crowdfunding agreement through a CFP.
                         
                      14. Loan-based Crowdfunding Company: Whereby a company duly incorporated under the Federal Law No. 2 of 2015 Concerning Commercial Companies and its amendments (excluding Partnership and Limited Partnership companies), with the business objectives including E-Finance or similar activities, conducts its activity through a platform intermediating between lenders and borrowers engaging in loan-based crowdfunding activities which operates using only the pricing business model whereby lenders pick investment opportunities and the pricing of the loan is decided by the CFP.
                         
                      15. On-Boarding: the process of evaluating new clients, ensuring understanding and agreement of legal terms and opening of a new account.
                         
                      16. Person: natural or juridical person.
                         
                      17. Personal loan: a loan that is given to individual borrowers, where repayments are made from a verifiable regular income from a well-defined source, as defined under the Central Bank Regulations No. (29/2011) – Regulations Regarding Bank Loans & Other Services Offered to Individual Customers (as amended), or subsequent regulations issued in this regard.
                         
                      18. Regulated activities: Any activity that requires licensing by the Central Bank in order to be conducted legally in the UAE.

                      ¹ The CFP may choose to provide a longer period.

                      • Article (2): Criteria for Determining Dormant Accounts and Unclaimed Balances

                        • First: Dormant Accounts

                          Dormancy is defined at customer level. For dormancy to apply, the customer should not have another active liability account with the same Bank, the current address of the customer is not known and the account does not have any litigations or requirements from other regulatory authorities.

                          Any correspondence from the customer or activity in relation to other accounts held with the same Bank shall be considered as evidence that the customer is still active and does not meet the definition of “dormant customer”.

                          Customers with asset accounts will be excluded from the purview of dormancy definition.

                          Joint accounts should be treated distinctly from individual accounts of their holders (individual/entities). Any activity in joint accounts does not impact dormancy classification in individual accounts held by the joint account holders and vice versa.

                          1. An Individual/Corporate savings or call or current account where there have been no transactions (withdrawals or deposits) or non-financial actions (service requests, due diligence, particulars update, etc.) for a period of 3 years from the date of the last transaction on the account, other than transactions initiated by the Bank (such as interest and charges posted by the system or manually), and there has been no communication from the customer (whether written or electronic).
                             
                          2. A Fixed Term Deposit Account where there is no automatic renewable clause and where the deposit has matured, but neither renewal nor claim request has been made in the past 3 years since the deposit matured (or) where there is an automatic renewable clause, but there is no communication (whether written, electronic or verbal) from the customer within a period of 3 years from the date of first maturity.
                             
                          3. A closed ended Investment Account or a redeemable Investment Account where there is no communication from the customer for a period of 3 years from final maturity or redemption date, whichever is earlier. An open-ended Investment Account will be treated as Dormant, when the customer’s other accounts have been classified as dormant in accordance with this Regulation. However, the Bank shall liquidate or dispose of assets in the open-ended Investment Account only as per stated terms & conditions of the account.
                        • Second: Unclaimed Balances

                          • Unclaimed Bankers Cheques, Bank Drafts or Cashiers Orders

                            1. Bankers cheques, bank drafts, or cashiers orders, which have been issued at the request of a customer by debit to his/her account, that have not been claimed by the beneficiary and remain unclaimed by the beneficiary or the customer for a period of 1 year (despite the efforts of the Bank to contact the customer).
                          • Unclaimed Dividends

                            1. Wherever unclaimed dividend balances are held, the market regulator’s guidelines will govern the unclaimed dividend maintenance and re-claim process.
                          • Unclaimed Contents of Safe Deposit Boxes

                            1. Notwithstanding the provision of Article 474 of Federal Law No. 18 of 1993 on Commercial Transactions, the dormancy definition shall apply as follows:

                              Where charges for a safe deposit box remain outstanding for a period of more than 3 years and the Bank has not received a reply from the Safe Deposit Box tenant, or the tenant has not made alternative arrangements in relation to the Safe Deposit Box.
                               
                            2. To comply with the above, the customer does not have another active account with the same Bank (liability or assets). Safe Deposit Box operations by nominees are not sufficient for maintaining them as active in status.
                      • Article 2: Categories

                        1. LCAs are categorised according to lending volume:
                           
                          1. Category 1 (Large): Cumulative loans facilitated in a calendar year AED 5,000,000 and above; or
                             
                          2. Category 2 (Small): Cumulative loans facilitated in a calendar year below AED 5,000,000.
                             
                        2. For the purpose of the above, the references to lending volume shall mean either:
                           
                          1. Cumulative loans in the preceding year(s); or
                             
                          2. In the case of new applicants, the projected / forecasted volume for the current year(s).
                             
                        3. The company wishing to undertake LCAs must apply to the Central Bank for an LCAs license. Such a license will be issued either as a Category 1 or Category 2 as per the definitions in Article 2 (1).
                           
                        4. A crowdfunding company that is licensed to operate as Category 2 and wishes to upgrade its license to Category 1 status, must evidence that it meets all regulatory requirements for a Category 1 license before any application to upgrade can be considered.
                           
                        5. Once a crowdfunding company is deemed to be Category 1 it cannot be deemed Category 2 again without prior written approval from the Central Bank.
                        • Article (3): Required Action when an Account Becomes Dormant

                          1. The Bank must attempt to contact the Dormant Customer through written, electronic or verbal (recorded) channels for re-activation of the account.
                             
                          2. A communication must be initiated to issuers of unclaimed bankers cheques, bank drafts, or cashier orders, notifying them of non-encashment of the issued instruments.
                             
                          3. A final notice must be sent to the dormant Safe Deposit Box tenant’s last known address.
                             
                          4. The Bank must wait for a period of 3 months for a response from the Dormant Customers, beneficiaries of unclaimed bankers cheques, bank drafts, cashier orders (“Unclaimed Balances”), and Safe Deposit Box tenants.
                             
                          5. After expiry of the 3 months period mentioned above, the Bank must transfer the money in the dormant account to the “dormant accounts ledger”.
                             
                          6. The balances in unclaimed bankers cheques, bank drafts and cashier orders must be transferred to the “unclaimed balances account” within the Bank.
                             
                          7. For Safe Deposit Boxes, if there is no response, the Bank should apply to the Court to appoint a person to supervise the opening of the box and provide direction regarding disposal of contents found in the box or the appointment of a Court receiver.
                             
                          8. Non-interest bearing dormant accounts may be closed at the discretion of the Bank and balances preserved in the “unclaimed balances account”.
                             
                          9. Access to the Dormant Customer’s documents, including specimen signatures, should be controlled and monitored with a display message clearly denoting “Dormant Account” whenever accessed, to prevent unauthorized operations in these accounts. Wherever Banks continue to maintain physical copies of documents, they must be segregated physically and placed under dual control until the account balances are transferred to the Central Bank. Post transfer of balances to the Central Bank, Banks may maintain, for perpetuity, only digital/scanned copies of customer documents.
                          • Communication to the Central Bank

                            1. The report of all transferred accounts/amounts in a quarter must be provided to the Central Bank through the banking return forms (BRF) filed for that quarter, with a copy each to the Banking Operations Department and the Banking Supervision Department at the Central Bank.
                               
                            2. Banks must report Dormant Accounts separately in local and foreign currency under appropriate fields in the BRF reporting system.
                               
                            3. The detailed list of contents of all opened Safe Deposit Boxes in the quarter must be provided to the Central Bank through the BRF filed for that quarter.
                        • Article 3: Licensing Requirements

                          Application for License:

                          1. A crowdfunding company shall apply to the Central Bank for a licence in the form prescribed by the Central Bank’s licensing manual.
                             
                          2. The application and all supporting documents shall be in either Arabic or English. Documents in any other language shall be accompanied by a certified English or Arabic translation. Any financial figures should be presented in UAE Dirham (AED).
                             

                          Category:

                          1. The crowdfunding company shall stipulate which Category of license it is applying for and provide reasoning for such a decision, which includes how that Category fits into its wider strategy.
                             
                          2. The crowdfunding company shall provide details of any plans it may have to move to a different Category license over time.
                             

                          Core Information:

                          1. The core information required as part of an initial application for an LCAs license is set out in further detail in Appendix 1 and in the Central Bank’s Licensing manual which will be provided to the applicant on request.
                             
                          2. A CFP that is regulated in another jurisdiction and is applying for a license to set-up a subsidiary in the UAE shall obtain a No-Objection Letter from its home-jurisdiction regulator that is addressed to the Central Bank by its home regulator.
                             
                          3. The Central Bank as a condition of the license may require the crowdfunding company to appoint a skilled person(s) to carry out a 3rd party assessment of any aspect of the company’s proposed business model/systems. The findings and reports of the 3rd party assessment will form part of the core licensing information required to be submitted by an applicant to the Central Bank.
                             
                          4. The Central Bank shall communicate its decision considering the merits of the application and:
                             
                            1. Grant the licence with or without conditions and limitations; or
                               
                            2. Reject the application, stating the reasons for rejecting the application.
                               
                          5. Drafts may be accepted for certain documents required for the application but their content may not be changed substantially once pre-approval is provided.
                             

                          Validity of License:

                          1. The licence shall be valid for a period of twelve (12) months and shall renew subject to Central Bank’s approval.
                             
                          2. A crowdfunding company shall pay the relevant application fee at the time of submitting its application to the Central Bank and shall also annually pay a license fee to the Central Bank when it renews its licence.
                             

                          Cancellation and Modification of License:

                          1. The Central Bank may cancel or modify a licence if the crowdfunding company:
                             
                            1. Has not commenced to operate the business within one (1) year of the date of the Central Bank granting the LCAs licence;
                               
                            2. Ceases to operate for a period exceeding six (6) months;
                               
                            3. Failed to fulfil its obligations under this regulation; or
                               
                            4. Posed undue risk to consumers or the financial system.
                               
                          2. The Central Bank will give a notice, including its reasons, to a crowdfunding company within twenty (20) days of implementing the action.
                             
                          3. Where a crowdfunding company voluntarily submits a request to surrender its licence, the Central Bank will evaluate and consider such a request, including the adequacy of arrangements made by the crowdfunding company for an orderly wind down and/or otherwise impose such conditions as it deems fit to ensure that continuing obligations are satisfactorily addressed.
                             

                          Ongoing Obligations:

                          1. A crowdfunding company shall ensure criteria set out in this Article are met on an ongoing basis and comply with any conditions or limitations set forth on an ongoing basis.
                             
                          2. The Central Bank may undertake site inspections or instruct crowdfunding companies to conduct independent assessments at periodic intervals confirming that the criteria and conditions under this Article are being satisfied on an ongoing basis.
                             

                          Bank Guarantee:

                          1. Should the application be approved, crowdfunding companies must undertake to provide a bank guarantee drawn in favour of the Central Bank and issued by a locally incorporated UAE bank of value equal to the required paid-up capital as per Article 4.
                             

                          Further Information:

                          1. The Central Bank may seek any additional information from a crowdfunding company as it deems necessary throughout the application process.
                             
                          • Article (4): Claim of Funds from a Dormant Account

                            1. If a customer has reason to believe that he/she has funds in a dormant account, he/she should personally, or through a legal representative, approach the Bank concerned and submit a claim with all relevant documentation to prove his/her identity.
                               
                            2. If the customer wants to reactivate a dormant account, the Bank may allow it after taking a photocopy of his/her current ID, verifying them with the originals and updating other details of his/her profile. Banks may also utilize alternate channels of authentication for Dormant Accounts re-activation.
                               
                            3. The Bank, after verifying with the original ID and being satisfied with all other details received, should pay the amount with accrued interest, where applicable (before transfer to the Central Bank), to the customer and maintain a record with following details:

                            Payments Made Against a Dormant Account

                            | Date of Payment of Amount | Final Amount Paid | Amount (as in Register/ledger) | Account No & Type of Account | Full name of the customer (as recorded) |
                            |---|---|---|---|---|
                            |  |  |  |  |  |

                            (In any case the Bank should settle claims within a period of one month unless there are valid reasons for delay)

                            1. The accounts of such customers should be monitored closely to ensure such accounts have not and are not being used for the purposes of money laundering or fraudulent purposes.
                               
                            2. Unclaimed bankers cheques, bank drafts and cashier orders’ claims are to be settled in accordance with the applicable UAE legal framework and Banks’ policies and procedures in relation to these instruments.
                          • Article 4: Prudential Requirements

                            Capital Requirement:

                            1. The minimum capital for a crowdfunding company shall be:
                               
                              1. Category 1: AED 1,000,000; or
                                 
                              2. Category 2: AED 300,000.
                                 
                            2. The crowdfunding company must hold the higher of:
                               
                              1. The capital as stated under Article 4.1; or
                                 
                              2. Capital equivalent to 5% of the outstanding lending volume.
                                 

                               
                            • Article (5): Responsibilities of Banks

                              1. Banks must ensure that customers’ profiles are always updated, as instructed via the UAE’s Anti-Money Laundering framework: Decree Federal Law No. 20 of 2018 on AML/CFT and Illegal Organizations, Cabinet Resolution No. 10 of 2019 regarding the implementing Regulation of the Decree Federal Law No. 20 of 2018 on AML/CFT and Illegal Organizations, Notice 74/2019 regarding Procedures for AML/CFT and Illicit Organizations and Notice 79/2019 regarding Guidelines on AML/CFT and Illegal Organizations. Banks must also periodically advise their customers through letters, emails and SMS alerts to update their IDs, address and telephone numbers. Banks may introduce “inactive” status for accounts, with transaction restrictions as necessary before the account becomes dormant for their enhanced monitoring.
                                 
                              2. In order to reduce the number of dormant accounts, Banks must carry out an annual review of such accounts and contact the customers through letters, telephone calls, SMS alerts and emails as feasible, and advise them of the dormancy and the need to activate the account.
                                 
                              3. Banks must evolve suitable systems so that the customers do not face difficulty in closing a dormant account or re-activating it for normal operations. No fee or charges should be levied for re-activation or closing such accounts.
                                 
                              4. All dormant accounts and unclaimed balances accounts must be fully reconciled on a monthly basis (at least) and be subject to review by the external auditor annually.
                            • Article 5: Governance

                              1. A crowdfunding company shall have adequate staff who possess the requisite qualifications, competencies and skills to individually and collectively provide the range of skills and experience to manage its affairs in a sound and prudent manner.
                                 
                              2. A crowdfunding company shall ensure that the following relevant functions/persons are ‘fit and proper’:
                                 
                                1. Members of the Board of Directors;
                                   
                                2. Chief Executive Officer or General Manager;
                                   
                                3. Chief Financial Officer or equivalent;
                                   
                                4. Chief Risk Officer or equivalent;
                                   
                                5. Head of Compliance or equivalent;
                                   
                                6. Money Laundering Reporting Officer; and
                                   
                                7. Sharia advisor, as appropriate when offering Islamic products.
                                   
                              3. To be considered ‘fit and proper’, the relevant person shall demonstrate personal integrity, honesty and good reputation, shall be competent to undertake the role assigned and shall be financially sound. The relevant person must not have:
                                 
                                1. Served as an auditor of a crowdfunding company while concurrently serving in the board of directors of the same crowdfunding company.
                                   
                                2. Been terminated from any senior executive position in a company engaged in financial activities on the basis of disciplinary matters or on the basis of a disciplinary action based on a court judgement.
                                   
                                3. Been found guilty of any crime that violates honour or ethics, or that involves violence.
                                   
                                4. Failed to honour financial liabilities to any bank or creditor.
                                   
                                5. Declared bankruptcy or failed to reach a settlement agreement with creditors.
                                   
                                6. Had properties confiscated; or
                                   
                                7. Been placed under court receivership, unless he had been rehabilitated or pardoned by the relevant authorities.
                                   
                              4. All licensed crowdfunding companies must comply with applicable Emiratization requirements issued by the National Human Resources Development and Employment Authority, or any other UAE government ministry and subsequent Central Bank requirements.
                                 
                              • Article (6): Responsibilities of the Bank to the Customer

                                1. Banks must inform customers of their following responsibilities:
                                   
                                  1. If the customer changes his/her address or contact numbers, he/she should inform the Bank through relevant channels.
                                     
                                  2. The customer should keep all correspondence relating to the account between themselves and the Bank in a secure place for future reference.
                                     
                                  3. The customer should check the statements sent to him/her and acknowledge receipt where required by the Bank to do so.
                              • Article 6: Risk Governance Framework

                                1. The crowdfunding company must have an appropriate risk governance framework in place that identifies all material risks. This includes policies, processes, procedures, systems and controls to identify, measure, evaluate, monitor, report and control or mitigate material sources of risk on a timely basis.
                                   
                                2. A crowdfunding company’s definition and assessment of material risks must take into account its risk profile, nature, size and complexity of its business and structure.
                                   
                                3. The crowdfunding company must have in place mitigating action plans for key material risks and monitor these on an ongoing basis.
                                   
                                4. The risk governance framework shall address, amongst other key risks, the following areas:
                                   
                                  1. Operational risk;
                                  2. Conduct risk;
                                  3. Fraud by employees;
                                  4. Cybercrime and attacks;
                                  5. Money laundering;
                                  6. Managing defaults;
                                  7. Mis-selling risk;² and
                                  8. Terrorist financing
                                     
                                5. The board of the crowdfunding company is ultimately accountable for the risk governance framework.
                                   
                                6. The crowdfunding company shall have appropriate governance arrangements in place that include a sufficient focus on risk management and ensure that the Chief Risk Officer, or equivalent, reports directly to the Board with an appropriate reporting line to the Chief Executive Officer or General Manager.
                                   
                                7. The crowdfunding company must have a detailed exit plan to provide for the orderly wind down of the crowdfunding company business. The exit plan must also assume that in the event of failure of the crowdfunding company, loans will continue to be administered and lender funds protected.
                                   

                                ² e.g. how the CFP advertises and how it sells to clients and the appropriateness of messages, among others.

                                • Article (7): Consumer Protection

                                  1. It must be clearly understood that the money in a dormant account will remain the property of the account holder, or his/her legal heirs, if the account holder has died.
                                     
                                  2. Where it is an interest bearing account, interest will continue to accrue at prevailing rates depending on the terms of the contract between the Bank and the customer until the time the balance is transferred to the Central Bank. No fees other than those agreed, during the lifecycle of account activity, should be levied on such dormant accounts.
                                     
                                  3. Once an account has been classified as dormant, physical and electronic statement generation should be suppressed. However, the account/customer should not be precluded from other routine Bank communication lists on account of dormancy.
                                     
                                  4. No debits or system based charges must be levied on dormant accounts. However, credits received, if any, are allowed to be deposited in the account. Such credits will not however interfere with the criteria for dormant accounts as set out in Article 2.
                                     
                                  5. Banks must ensure that important terms relating to dormant accounts are included in the terms and conditions for account opening and hiring of Safe Deposit Boxes to ensure transparency for the customer, including the condition that the Central Bank is not taking any responsibility as a result of transferring the amounts available in the Dormant Accounts or Unclaimed Balances to the Central Bank in accordance with this regulation.
                                • Article 7: Internal Controls

                                  Systems & controls

                                  1. A crowdfunding company shall ensure that it has instituted adequate internal controls, ensured proper segregation of duties within the organisational structure and that its operations are undertaken within the boundaries of clearly documented policies, authorities and procedures.
                                     

                                  Outsourcing

                                  1. A crowdfunding company shall seek prior approval from the Central Bank wherever it proposes to enter into a material outsourcing arrangement with other parties. The systems and controls established in relation to the crowdfunding company’s operation shall at the minimum meet the standards set by this regulation. All outsourcing arrangements shall meet the Central Bank requirements.
                                     
                                  2. For the purpose of the above, an outsourcing contract is material if its failure would pose significant risk of disruption, or insolvency or detrimental impact on its ability to provide services to clients.
                                     

                                  External Audit

                                  1. A crowdfunding company shall appoint external auditors.
                                     
                                  2. A crowdfunding company shall seek approval from the Central Bank before appointing or re-appointing its external auditors.
                                     
                                  3. A crowdfunding company shall ensure that the external audit firm responsible for their audit does not undertake that function for more than six (6) successive years and that the Partner in charge of the audit is rotated every three (3) years.
                                     
                                  • Article (8): Transfer of Funds in Dormant Accounts or Unclaimed Balances to the Central Bank and Reclaim Procedures

                                    1. If an account remains dormant for a period of 5 years from the date of the last transaction on the account, the Bank must transfer the net amount to “Unclaimed Balances Account - Dormant Accounts” at the Central Bank. This is provided the customer has no other active accounts with the same Bank and provided the current address of the owner of the account is unknown.
                                       
                                    2. If a bankers cheque, bank draft or cashier order remains unclaimed for a period of 5 years from date of issue, the Bank must transfer net amounts pertaining to these instruments to “Unclaimed Balances Account - Dormant Accounts” at the Central Bank.
                                       
                                    3. Banks must close dormant accounts after transfer to the Central Bank; however, account-related documents must be preserved in accordance with Article (3) of this Regulation.
                                       
                                    4. If receivables of a dormant Safe Deposit Box remain unclaimed for a period of 5 years from the date of the last transaction on the account, the Bank must transfer the net amount (after deducting charges, if any, in accordance with Article 3) to “Unclaimed Balances Account - Dormant Accounts” at the Central Bank.
                                       
                                    5. Any unclaimed balances in foreign currencies must be converted as of date of transfer at the Bank’s published customer rates, before transfer to the Central Bank. Customers will be reimbursed this AED equivalent amount on reclaim.
                                       
                                    6. Banks must transfer all dormant account funds balances to the Central Bank in accordance with this article, irrespective of the size of the residual fund balance.
                                       
                                    7. Banks should use the following form titled “Movement in Dormant Accounts - Deposits and Withdrawals” to record fund movements to and from “Unclaimed Balances Account – Dormant Accounts”. Banks should use the formats provided in guidelines from the Central Bank for withdrawing funds from the said account at the Central Bank, if the customer approaches the Bank for withdrawal/re-activation of the account.

                                    Movement in Dormant Accounts – Deposits and Withdrawals

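                                    | Balance: Date | Balance: Amount | Withdrawals: Date | Withdrawals: Amount | Withdrawals: Ref. No | Deposits: Date | Deposits: Amount | Deposits: Ref No. | Account Number | Name of Customer and his ID Details | Name of the Bank & Branch |
                                    | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
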
                                    1. The settlement of customer claims on dormant accounts shall be carried out post receipt of relevant funds from Central Bank.
                                       
                                    2. Direct debits, manager’s cheques and cashier orders transferred to the Central Bank, when presented for clearing must be put on hold, pending receipt of such funds from the Central Bank. The process of verification of such instruments must be in accordance with the UAE legal framework and Banks’ policies and processes in relation to these instruments.
                                  • Article 8: Conduct of Business

                                    Lender selection and suitability

                                    1. A crowdfunding company must take reasonable care in on-boarding Lenders, assessing the suitability of the Lender and ensuring the Lender has a clear understanding of the risks they are undertaking. This process shall be documented and relevant employees shall have appropriate training.
                                       
                                    2. In addition to other checks (e.g. for money laundering), a crowdfunding company shall verify and document the identity of a Lender and confirm their address. Such measures include (but are not limited to) the following:
                                       
                                      1. Call the client on their home or business contact numbers;
                                         
                                      2. Contact an employer to confirm employment, after gaining the client’s consent;
                                         
                                      3. Review bank statements for details of salary and other income; or
                                         
                                      4. Request documents confirming their identity.
                                         
                                    3. A crowdfunding company shall obtain sufficient information from Lenders about their financial circumstances and objectives through self-declared assessment questionnaire forms, or by any other equivalent means.
                                       
                                    4. Based on the information provided and independently reviewed by the crowdfunding company, the CFP shall classify all Lenders as a Retail or Market Counterparty. The classification shall be shared with the Lender.
                                       

                                    Lending structure

                                    1. A crowdfunding company shall structure its activities in a clear, transparent format using plain language that shall be stipulated within an enforceable (lending) contract, taking into account Appendix 2 of this Regulation.
                                       
                                    2. A crowdfunding company must ensure that, when a loan is made using its platform, there is a written loan agreement in place between the Borrower and Lender that is legally enforceable and sets out sufficient details of the loan, the terms of repayment and the rights and obligations of the Borrower and Lender.
                                       

                                    Borrower Risk Scoring, Loan Pricing and Due Diligence

                                    1. A crowdfunding company shall be responsible to:
                                       
                                      1. Ensure there is a sufficient and transparent risk scoring and loan pricing system in place. The basis and methodology of risk scoring, loan pricing and due diligence shall be made publicly available.
                                         
                                      2. Obtain self-declared risk assessment questionnaire forms from their Borrowers.
                                         
                                      3. Take reasonable steps to confirm the information provided in the risk assessment questionnaire.
                                         
                                      4. Take adequate measures to prevent Borrowers from seeking loans for personal use.
                                         
                                      5. Require a range of information, including Al-Etihad Credit Bureau reports, to enable the risk scoring and loan pricing, including cash flow forecasts.
                                         
                                      6. Carry out a risk assessment on prospective Borrowers based on the information required.
                                         
                                      7. Take reasonable care to undertake thorough anti-money laundering (AML) checks and establish the ultimate beneficial owner of the Borrower.
                                         
                                      8. Ensure what is treated as a default is in accordance with the Central Bank definition and methodology. Default rates on projects/borrowers listed on the platform must be made publicly available.
                                         
                                      9. Implement policies to manage disputes / conflicts of interest.

                                       
                                    2. A crowdfunding company shall conduct reasonable due diligence and risk assessment on a Borrower and communicate the result of the due diligence to the Lenders within the risk scoring process.
                                       
                                    3. A crowdfunding company shall review the financial situation of Borrowers at least annually and in the event of any material change, communicate its assessment to clients.
                                       
                                    4. In the event that a crowdfunding company identifies any issues with the Borrower that increase the risk score of that Borrower, the crowdfunding company shall communicate its findings with the relevant Lenders and develop an action plan for how outstanding balances on any loans related to that borrower will be managed.
                                       
                                    5. A crowdfunding company shall require Borrowers to declare their current and intended borrowing from other CFPs and other sources in a calendar year. A crowdfunding company should take reasonable steps to monitor whether Borrowers are accessing loans through any other sources, including regularly checking with Al Etihad Credit Bureau.
                                       

                                    Ceilings on lending

                                    1. A crowdfunding company shall impose a limit on lending per person per project (per calendar year) to:
                                       
                                      1. Retail Client: AED 20,000; and
                                      2. Market counterparty: AED 50,000
                                    2. A crowdfunding company shall impose a limit on total lending per person (per calendar year) to:
                                       
                                      1. Retail Client: AED 200,000; and
                                      2. Market counterparty: AED 500,000

                                    Ceilings on borrowing

                                    1. The borrowing limit for Borrowers in any calendar year is AED 10,000,000.
                                       
                                    2. Borrowers may only list themselves on one CFP per project. The crowdfunding company and its management shall be responsible for ensuring, as part of the due diligence of Borrowers, that the borrower is not listed on any other CFP for the same project.
                                       

                                    Loan release

                                    1. Crowdfunding companies shall prevent borrowers from gaining access to:
                                       
                                      1. Any amounts raised unless the borrower has raised 100% of its funding goal.
                                      2. Any amount exceeding the funding goal.

                                    Client information confidentiality

                                    1. A crowdfunding company shall maintain the strictest standards of client information confidentiality including implementing the necessary systems and controls to ensure such standards are met.
                                       

                                    Client money

                                    1. A crowdfunding company shall not accept, take, or receive the transfer of full ownership of money from clients.
                                       
                                    2. A crowdfunding company shall ensure adequate protection of Client Money.
                                       
                                    3. Where a crowdfunding company makes arrangements on behalf of a client to receive and disburse funds, such monies shall be maintained in segregated/escrow accounts in the name of the client as per the agreed arrangements.
                                       
                                    4. The segregated/escrow accounts holding clients’ money must be externally audited:
                                       
                                      1. on a monthly basis for Category 1 CFPs; and
                                      2. on a quarterly basis for Category 2 CFPs
                                         
                                    5. Client funds shall only be held with local retail banks who are licensed and regulated by the Central Bank.
                                       

                                    Information disclosures

                                    1. All crowdfunding companies shall disclose the terms and conditions of their business to their Clients and any subsequent updates to these terms and conditions.
                                       
                                    2. All crowdfunding companies shall provide necessary (written) warnings of material risks to Clients.
                                       
                                    3. A crowdfunding company shall collaborate and coordinate with Al Etihad Credit Bureau and share information concerning both its Lender(s) and Borrower(s).
                                       
                                    4. Further to the above, all crowdfunding companies shall also make Clients aware of the relevant information as set out in Appendix 3.
                                       

                                    Disclosures to Lender

                                    1. For the purposes of the above, a crowdfunding company shall disclose comprehensive information about the Borrowers linked to a specific project directly to Lenders. The information expected shall include (at a minimum) the following:
                                       
                                      1. Information on the business model or operation of the Borrower, both historical and projected.
                                         
                                      2. Critical success factors and important dependencies.
                                         
                                      3. Information on the financial condition of the Borrower.
                                         
                                      4. Risks relevant to the Borrower based on due diligence undertaken by the CFP including expected default rates.
                                         
                                      5. Other borrowing and repayment terms.
                                         
                                      6. CFP’s fees and charges on the specific project.
                                         
                                      7. Terms of repayment and controls and precautionary measures taken, and
                                         
                                      8. Right of cancellation of contracts and lawful jurisdiction applicable for any disputes.

                                    Conflicts of interest

                                    1. A crowdfunding company and the key personnel shall take steps to identify/disclose and prevent or manage conflicts of interest. Examples of conflicts of interest include (but are not limited to) the following:
                                       
                                      1. A crowdfunding company lists a Borrower who is a related party to a CFP (or its significant shareholders / directors / employees);
                                         
                                      2. A crowdfunding company has an interest in the outcome of a service provided to the Client, which is distinct from the Client's interest in that outcome;
                                         
                                      3. A crowdfunding company has a financial or other incentive to favour the interest of another Client or group of Clients over the interests of the Client;
                                         
                                      4. A crowdfunding company receives or will receive from a person other than the Client an inducement in relation to a service provided to the Client, in the form of money, goods or services, or
                                         
                                      5. A crowdfunding company (or its significant shareholders / directors / employees) has financial interest in a Borrower.
                                         
                                    2. A crowdfunding company shall not allow any of its shareholders, directors or employees to borrow on the platform.
                                       
                                    3. A crowdfunding company shall not provide advice to Clients relating to any crowdfunding available through its CFP.
                                       
                                    4. A crowdfunding company may not directly market any offer, Borrower or project available on the CFP to any current or prospective Client.
                                       

                                    Dispute management

                                    1. A crowdfunding company shall:
                                       
                                      1. Establish dispute handling and grievance redress mechanisms to deal with complaints from clients or other parties and include in client agreements the details of these mechanisms.
                                         
                                      2. Develop an adequate collections policy and procedures, setting out actions to be taken against borrowers who fail to make timely payments.
                                         
                                      3. Maintain records demonstrating to the Central Bank that it has control mechanisms in place to address complaints and grievances.

                                    Contingency Portfolio Administration Arrangements

                                    1. In the event that a crowdfunding company fails or is wound up (either voluntarily or involuntarily), the crowdfunding company must have in place documented arrangements to ensure that the loan portfolio continues to be administered.
                                       
                                    2. The board of the crowdfunding company bears ultimate responsibility for ensuring that contingency portfolio administration arrangements are in place.
                                       
                                    3. The Central Bank will periodically review the contingency portfolio administration arrangements and may take supervisory or enforcement actions if such plans are found to be inadequate.
                                       
                                    • Article (9): Retention of Dormant Account Balances with the Central Bank

                                      1. Funds transferred to the “Unclaimed Balances Account - Dormant Accounts” will be retained by the Central Bank from the date of transfer to the said account until claimed by the beneficiary.
                                         
                                      2. Funds transferred to the Central Bank will no longer generate interest payments by the Bank.
                                        For avoidance of doubt, the Central Bank shall not be liable for any interest payments on the transferred funds.
                                         
                                      3. Furthermore, the Central Bank is not legally responsible or obligated in any manner, with any claim whatsoever, related to interest, returns, and/or profits, or other, on funds transferred to the Central Bank.
                                    • Article 9: Reporting and Record Keeping

                                      Reporting to the Central Bank

                                      1. A crowdfunding company shall submit reports to the Central Bank in the prescribed form within thirty (30) days of the period specified below:
                                         
                                        1. Category 1: Quarterly (as of the end of 31 March, 30 June, 30 September and 31 December);
                                           
                                        2. Category 2: Semi-annually (as of the end of 30 June and 31 December); and
                                           
                                        3. A crowdfunding company shall file its annual audited financial statements with the Central Bank.
                                           
                                      2. The crowdfunding company shall report the following (at a minimum) to the Central Bank:
                                         
                                        1. Financial position;
                                        2. Client money held;
                                        3. Description of complaints received and resolution status of these complaints;
                                        4. Details of loans arranged each quarter; and
                                        5. Defaults and near-defaults.

                                      Record keeping

                                      1. A crowdfunding company shall maintain adequate books and records at all times.
                                         
                                      2. All records and materials must be made available for inspection by the Central Bank from time to time.
                                         
                                      3. Records of Client Money and completed transactions shall be kept for a minimum period of ten (10) years.
                                         
                                      4. The records maintained shall include:
                                         
                                        1. Historical records of information displayed online (websites / social media / any other media) and any print copies, if applicable, displaying the crowdfunding company’s promotional communication, advertisements or online banners and tag lines;
                                           
                                        2. Internal policies, procedures and operating documents;
                                           
                                        3. Corporate and financial records and general ledger and sub-ledgers;
                                           
                                        4. Reports and statements issued to Clients and regulators;
                                           
                                        5. Any communications related to Clients, including confirmations related to risk understanding, classification documents and confirmation related to classification, amongst others;
                                           
                                        6. All suitability assessments of Clients, including any clients (both Lenders and Borrowers) that were deemed not suitable by the crowdfunding company.
                                           
                                        7. Management information, accounts and communications.
                                           
                                        8. HR records; and
                                           
                                        9. IT architecture and security related documents.
                                           
                                      5. The board of the crowdfunding company is directly responsible to the Central Bank in relation to reporting breaches.
                                         
                                      • Article (10): Cancellation of Previous Circulars

                                        This Regulation repeals and replaces the Dormant Accounts Regulation, issued under Circular No. 106/2018 in April 2018.

                                      • Article 10: Interpretation

                                        1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
                                           
                                        • Article (11): Interpretation of this Regulation

                                          The Regulatory Development Division of the Central Bank is the sole interpreter of the provisions of this Regulation, and its interpretations shall be considered final.

                                        • Article 11: Publication and Application

                                          1. This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one (1) month from the date of its publication.
                                             
                                          • Article (12): Enforcement and Sanctions

                                            Violation of any provision of this Regulation may be subject to supervisory action and sanctions as deemed appropriate by the Central Bank.

                                          • Appendix 1: Detailed Licensing Requirements

                                            1. When applying for a crowdfunding company license, the application must include the following information/documents. The Central Bank may request further information as part of the process.
                                               
                                              1. Completed application form
                                              2. Strategy overview
                                              3. Business plan, including;
                                                 
                                                1. Background to the business and history
                                                2. Corporate governance system and organization structure, including:
                                                   
                                              4. Committee structures and responsibilities;
                                              5. Conflict of interest policy; and
                                              6. Reporting lines
                                                1. Group structure, if applicable;
                                                2. Financial position (if applicable) and projected income and expenditure operation for the next three (3) years, including;
                                              7. Opening balance sheet
                                              8. Monthly forecasts of profit and loss
                                              9. Cash flow forecast
                                              10. Targeted clients, products and services, including:
                                                1. Opportunities identified in the UAE and expected volume of clients
                                                2. International opportunities and expected volume of customers
                                                3. Client segments to be served
                                                4. Fees structure payable by clients and borrower 
                                              11. Marketing approach and delivery channels;
                                              12. Information and cyber security arrangements;
                                              13. Technology infrastructure, outsourcing arrangements, data warehousing arrangements, webhosting;
                                                 
                                              14. Constitutional documents (such as board resolution) or draft (if available);
                                                 
                                              15. Ownership details;
                                                1. Shareholder or partners’ details;
                                                2. Proof of identity for shareholders who are natural persons (a minimum of two separate documents); and
                                                3. Details and proof of identity (as above) for the ultimate beneficial owner
                                                   
                                              16. The background and experience of senior management, including CVs of senior management¹;
                                              17. An assessment of key risks and mitigants, including risks relating to;
                                                1. Client asset handling arrangements;
                                                2. Inadequate systems and controls;
                                                3. Economic factors; and
                                                4. Competitors
                                              18. Audited financial statements (for the past three years, if available);
                                              19. Exit strategy and plan which includes, at a minimum;
                                                1. Identification of key risks and business disruptors
                                                2. Effects of key risks on CFP including reverse stress test and contingency planning arrangements
                                                3. Identification of key risks and business disruptors
                                              20. Application fee (if applicable) 

                                            ¹ Senior management is understood to mean Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Risk Officer (CRO), Head of Compliance and Head of Internal Audit (or their equivalents) at a minimum.

                                             

                                            • Article (13): Application and Publication

                                              This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.

                                            • Appendix 2: Additional Terms for Crowdfunding Platforms

                                              2. The following terms must be included in a Client Agreement between a crowdfunding company and a Lender:
                                                1. the crowdfunding company’s obligations to administer the loan, including:
                                                  1. how payments made by the Borrower will be transferred to the Lender
                                                  2. steps that will be taken if payments by a Borrower are overdue or the Borrower is in default; and
                                                  3. Clear guidelines on what is considered to be a default
                                                2. if the Lender is a Market Counterparty, the steps that will be taken by the CFP and Lender to ensure that the Lender complies with any applicable limits relating to the amounts of loans that may be made using the platform;
                                                3. the contingency arrangements that the crowdfunding company will put in place to deal with a platform failure or if the CFP ceases to carry on its business.
                                              3. The following terms must be included in a Client Agreement between a crowdfunding company and a Borrower:
                                                1. a restriction on the Borrower using any other Crowdfunding service to raise funds during the commitment period;
                                                2. a restriction on the Borrower or any Person that is connected to the Borrower, lending or financing, or arranging lending or finance for a Lender using the service;
                                                3. a restriction on the Borrower advertising its proposal, or soliciting potential lenders or investors, outside the platform during the commitment period;
                                                4. a requirement on the Borrower to give reasonable advance notice to the operator of any material change affecting the Borrower, its business or the carrying out of its proposal;
                                                5. the obligations of the Borrower to disclose if there is any material change after funds have been provided; and

                                                6. An obligation on the Borrower to produce financial statements, including bank statements at least annually.
                                                 
                                            • Appendix 3: Required Crowdfunding Company Disclosures

                                              1. A crowdfunding company must prominently disclose on its website key information about how its service operates, including:
                                                 
                                                1. Details of how the CFP functions;
                                                2. Details of how and by whom the crowdfunding company is remunerated for the service it provides, including fees and charges it imposes;
                                                3. Any financial interest of the crowdfunding company or significant shareholders, directors or employees of the crowdfunding company, that may create a conflict of interest;
                                                4. The eligibility criteria for Borrowers that use the CFP;
                                                5. The minimum and maximum amounts of loans that may be sought by a Borrower;
                                                6. What, if any, security is usually sought from Borrowers, when it might be exercised and any limitations on its use;
                                                7. The eligibility criteria for Lenders that use the service;
                                                8. Any limits on the amounts a Lender may lend using the CFP, including limits for individual loans and limits that apply over any twelve (12) month period;
                                                9. When a Lender may withdraw a commitment to provide funding (‘cooling–off period’) and the procedure for exercising such a right;
                                                10. What will happen to funds raised if Loans sought by a Borrower either fail to meet, or exceed, the target level;
                                                11. Steps the crowdfunding company will take if there is a material change in a Borrower’s circumstances and the rights of the Lender and Borrower in that situation;
                                                12. How the crowdfunding company will deal with overdue payments or a default by a Borrower;
                                                13. Which jurisdiction’s laws will govern the loan agreement between the lender and borrower;
                                                14. Arrangements and safeguards for Client Money held or controlled by the crowdfunding company, including details of any legal arrangements that may be used to hold Client Money;
                                                15. Any facility it provides to facilitate the transfer of Loans, the conditions for using the facility and any risks relating to the use of that facility;
                                                16. Measures it has in place to ensure the CFP is not used for money-laundering or other unlawful activities;
                                                17. Measures it has in place for the security of information technology systems and data protection; and
                                                18. Contingency portfolio administration arrangements the crowdfunding company has in place to ensure the orderly administration of Loans if the CFP ceases to carry on business.
                                                    
                                              2. Additional risks that the crowdfunding company must prominently disclose on its website include:
                                                 
                                                1. By participating in the CFP, Clients are exposing themselves to material risks pertaining to the business model of the CFP;
                                                2. Listing the specific material risks for Borrowers and for Lenders separately and clearly;
                                                3. Lenders are not placing deposits and are not protected by any insurance or guarantee scheme; and
                                                4. Lenders may face material risks, including the loss of some or all of their money, should the Borrower fail or default on loan repayments
                                                    
                                              3. A crowdfunding company shall post the disclosures (in this Part) on promotional material whether in electronic medium or otherwise.
                                                 
                                              4. A crowdfunding company shall also disclose additional information including (but not limited to) the following:
                                                 
                                                1. Lack of full visibility of use of funds and means to monitor Borrowers closely similar to methods adopted by conventional financing channels such as banking channels;
                                                2. Risk of misleading or insufficient information disclosure by the borrower; and
                                                3. Dispute resolution and redress mechanisms

                                                    
                                              5. A crowdfunding company must:
                                                 
                                                1. Attach key disclosure clauses in agreement which must be initialled by the borrower;
                                                2. Issue statement of transactions (monthly);
                                                3. Provide 30-day notice of any changes to fees, interests etc.
                                                   

                                                 
      • Stored-value facilities

        • Stored Value Facilities (SVF) Regulation

          C 6/2020 Effective from 30/10/2020
          • Scope and Objectives

            The scope of this Regulation includes the licensing and the ongoing supervisory and enforcement requirements on the licensed companies for providing SVF in the UAE, excluding the Financial Free Zones. Financial institutions regulated by Financial Free Zone Authorities may conduct SVF business in the State after obtaining a License from the Central Bank. Under the framework, the Central Bank is empowered to (a) decide whether an SVF License should be granted; (b) conduct ongoing supervision of Licensees; and (c) conduct examination and impose sanctions and measures on Licensees when required.

          • Transition Period

            A one-year transitional period will commence on the date the Regulation comes into force. Licensees already holding an SVF License granted under the previous regulatory framework may continue operating without contravening this Regulation. Nevertheless, they are required to complete the implementation of the relevant measures set out in this Regulation by the end of the transition period.

            The existing Licensees are required to submit an independent assessment report as prescribed in paragraphs 5 and 6 of Article (3) before the end of the transition period to ensure that they are in full compliance with this Regulation.

            • Article (1): Definitions

              1. AML/CFT: Anti-Money Laundering and Combating the Financing of Terrorism and financing of illegal organizations.
                 
              2. Applicant: a company duly incorporated in the United Arab Emirates in accordance with the Federal Law No. (2) of 2015 on Commercial Companies, except Joint Liability Company, Simple Commandite Company, which files an Application for the issuance of an SVF License.
                 
              3. Application: a request submitted by an Applicant in the form and with the documents and information set out in the Annex for providing SVF Services.
                 
              4. Central Bank: The Central Bank of the United Arab Emirates.
                 
              5. Central Bank Law: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments.
                 
              6. Closed Loop Payment Scheme: a payment scheme, which is limited in terms of where it can be used to purchase goods and services from an issuing retailer or entity.
                 
              7. Controlling Shareholder: a shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the board of directors, or the decisions made by the board of directors, or has the power to direct or cause the direction of the management or policies of an entity, whether by the general assembly of the entity, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence or control.
                 
              8. Crypto-Assets: cryptographically secured digital representations of value or contractual rights that use a form of distributed ledger technology and can be transferred, stored or traded electronically.
                 
              9. Customer: a natural or legal person who contracts with a Licensee in order to establish and use an SVF in accordance with this Regulation.
                 
              10. Customer Due Diligence (CDD): includes measures and processes to be taken for: (a) identifying the Customer and verifying that Customer’s identity using reliable, independent source documents, data or information, and (b) on-going due diligence on the Customer or business relationship and scrutiny of transactions undertaken throughout the course of that relationship.
                 
              11. Device-based Stored Value Facility: an SVF which has the value stored in an electronic chip on a card or physical device such as pre-paid cards, watches and ornaments.
                 
              12. Financial Action Task Force (FATF): an inter-government body which sets international standards that aim to prevent global money laundering and terrorist financing activities.
                 
              13. Financing of Terrorism: any of the acts mentioned in Articles (29) and (30) of the Federal Law no. (7) of 2014 On Combating Terrorism Offences.
                 
              14. Float: the Customers’ funds / money / Money’s Worth paid to the Licensee in exchange for the value of the money/Money’s Worth (including Money’s Worth such as values, points, Crypto-Assets or Virtual Assets) on the facility.
                 
              15. Information Technology (IT): the use of any computers, smart devices, storage, networking and other physical devices, infrastructure and processes to create, process, store, secure and exchange all forms of electronic data.
                 
              16. IT Controls: a set of policies and procedures that aims to provide a reasonable assurance that the technologies and computer systems used by an organization operate as intended and in a secure and reliable manner, that data security, integrity and reliability can be ensured, and that the organization is able to comply with applicable laws and regulations.
                 
              17. License: a License issued by the Central Bank to an Applicant for the issuance and operation of SVF business in the State. The License is valid, unless it is withdrawn, suspended or revoked by the Central Bank.
                 
              18. Licensee: an Applicant who has been granted an SVF License by the Central Bank.
                 
              19. Licensed Financial Activity: The financial activities subject to the Central Bank’s licensing and supervision, which are specified in article (65) of the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities.
                 
              20. Money Laundering: any of the acts mentioned in Clause (1) of the Article (2) of the Federal Decree-law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations.
                 
              21. Money’s Worth: value added onto an SVF by the Customer; value received on the Customer’s SVF account; and value redeemed by the Customer include not only “money” in the primary sense but also other forms of monetary consideration or assets such as values, reward points, Crypto-Assets, or Virtual Assets. For example, a value top-up of an SVF account may take the form of values, reward points, Crypto-Assets, or Virtual Assets earned by the SVF Customer from making purchases of goods and services. Similarly, value received on the account of the SVF Customer may take the form of an online transfer of value, reward points, Crypto-Assets, or Virtual Assets between fellow SVF Customers.
                 
              22. Non-device Based Stored Value Facility: is a facility which has the value stored on a network-based account and can be accessed through the internet, a computer network or mobile network. Examples include internet-based payment platforms or mobile e-wallets which provide “network-based accounts” with which Customers can store value for making payments for online and off-line purchases, or for person-to-person funds transfers.
                 
              23. Operating Rules: are rules set up by a Licensee to cover the complete chain of an SVF’s operation including but not limited to Customer account opening and maintenance, merchant acquisition and contractual relationships with business partners, pre-transaction, payment authorization and post-transaction processes.
                 
              24. Senior Management: a team of individuals at the highest level of management of the Licensee who have the day-to-day tasks of managing the Licensee’s business.
                 
              25. Single-purpose Stored Value Facility: a facility that in respect of which the issuer gives an undertaking that, if the facility is used as a means of making payments for goods or services (not being money or Money’s Worth) provided by the issuer, the issuer will provide the goods or services under the rules of the facility. A Closed Loop Payment Scheme is a typical Single-purpose Stored Value Facility.
                 
              26. State: the United Arab Emirates, excluding the Financial Free Zones.
                 
              27. Stored Value Facility (SVF): A facility (other than cash) for or in relation to which a Customer, or another person on the Customer’s behalf, pays a sum of money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets), whether in whole or in part, on the facility; and (b) the “Relevant Undertaking”. SVF includes Device-based Stored Value Facility and Non-device based Stored Value Facility.
                 
              28. SVF Issuer: a company which carries out the business of the provision of SVF and is responsible and accountable for the safekeeping of the Float.
                 
              29. Relevant Undertaking: In relation to an SVF, Relevant Undertaking means an undertaking by the Licensee that, upon the use of SVF by the Customer as a means for payment for goods and services (which may be or include money or Money’s Worth) or payment to another person, and whether or not some other action is also required, the Licensee, or a third party that the SVF Issuer has procured to do so, will, in accordance with the Operating Rules: (a) supply the goods or services; (b) make payment for the goods or services; or (c) make payment to the other person, or as the case requires.
                 
              30. Virtual Assets: Virtual assets include digital tokens (such as digital currencies, utility tokens or asset-backed tokens) and any other virtual commodities, Crypto Assets and other assets of essentially the same nature.
                 
              31. Virtual Asset Service Provider: is a business which conducts Virtual Assets-related activities or operations for or on behalf of another natural or legal person. The activities or operation may include exchange between Virtual Assets and fiat currencies; exchange between one or more forms of Virtual Assets; transfer of Virtual Assets; safekeeping and/or administration of Virtual Assets or instruments enabling control over Virtual Assets; and participation in and provision of financial services related to an issuer’s offer and/or sale of a Virtual Asset.
                 
          • Part I – Licensing Requirements

            • Article (2): Scope of Application

              1. This Regulation applies to all SVF as defined in Article (1) Definition.

              License required for issuing SVF

              2. Issuing and operating SVF in the State requires a prior License from the Central Bank. It is prohibited to carry on the activity of issuing or operating SVF without prior License except if the issued SVF is a Single-purpose Stored Value Facility.

              Exclusion of certain types of SVF

              3. On application by an Issuer, the Central Bank may exempt an SVF from the licensing requirements and will do so based on the risk the SVF poses to its (potential) Customers, Customer funds and the financial system.

              4. The types of SVF that may be exempted from the licensing requirements by the Central Bank include:

                4.1. SVF used for certain cash reward schemes. Such SVF may be used for storing only a sum of money paid by (i) the issuer; or (ii) a person who agrees to pay a sum of money for storage in the facility under an agreement with the issuer and the sum of money stored may only be used for making payments for goods or services provided by the issuer or person under very specific terms and conditions of the facility. Examples include loyalty schemes provided by shops and supermarkets which offer cash rewards for customer loyalty;

                4.2. SVF used for purchasing certain digital products. Such SVF may only be used as a means of making payments for goods or services that are delivered to, and are to be used through, a telecommunication, digital or technology device; the payments are executed through such a device; and the telecommunication, digital or technology operator acts as an intermediary between the Customer of the facility and the provider of the goods or services. Examples include purchase of digital contents such as ringtones, music, videos, electronic books, games and applications that can be used on smartphones, computers or other information technology devices;

                4.3. SVF used for certain bonus point schemes. Such SVF may be used only for storing points or units (by whatever name called) that are Money’s Worth provided by (i) the issuer; or (ii) a person who agrees to provide goods or services to the Customer under an agreement with the issuer. The Customer may use the points or units for making payments for the goods or services provided by the issuer or person either by (i) using only the points or units; or (ii) using the points or units together with a sum of money (in any currency) that is stored on the facility temporarily for the sole purpose of executing the payments; and the sum of money so stored is not redeemable for cash. Examples are airline mileage programs and customer loyalty schemes that provide non-cash points to customers to reward their patronage, and whereby such points and value stored, if any, is not redeemable for cash;

                4.4. SVF that can only be used within a limited group of goods or services providers. Such SVF may be used as a means of making payments only for goods or services provided by (i) the issuer; or (ii) a person who provides the goods or services under an agreement with the issuer; and

                4.5. whereby (i) the aggregate amount of the Float of the facilities does not exceed half a million Dirham (500,000 AED) or its equivalent and the aggregate number of Customers is not more than 100. If a potential SVF Issuer wishes to apply for this particular exemption, the SVF is required to test out its product before making a full launch of SVF. In this regard, the relevant issuer is required to participate in the Central Bank’s FinTech Office sandboxing arrangement for a possible trial run.

              5. The Central Bank may request any information from an exempted SVF Issuer when the Central Bank considers it necessary to determine its eligibility for exemption and continued exemption. The Central Bank may declare an SVF not exempt from the licensing requirement and require the issuer of the SVF to apply for a License.

              Overseas SVF schemes

              6. It is prohibited for an SVF without a prior License to publish in the State or elsewhere, an advertisement, invitation or document which is, or contains, an invitation or a solicitation to the public of the State relating (whether in whole or in part) to the issuance of SVF.

              Relevant factors to be considered

              1. The Central Bank will take into account the factors to determine whether an overseas SVF is issued in the State or a person publishes an advertisement, invitation or document which is, or contains, an invitation or solicitation to the State public relating to the issuance of SVF.
                 
              2. In determining whether an SVF scheme is presented or provided in such a manner that it appears to be issued in the State, the Central Bank will consider all relevant factors including, in particular, the following:
                 
                1. 8.1. whether the location for the delivery of the facility and the provision of the subsequent customer service to facility users is in the State;
                   
                2. 8.2. whether the location for and the manner to top-up the SVF is through channels in the State (e.g. banks in the State);
                   
                3. 8.3. whether the promotional material is targeted, via “push” techniques, at a group or groups of people whom the issuer knows, or should reasonably know, reside in the State. “Push” techniques include spamming, broadcasting or directing information to a particular person or group of people through, for instance, e-mails, SMS messages and any social media channels;
                   
                4. 8.4. whether any news group, bulletin board, chat room or similar facility associated with the site has been used to promote the SVF service in the State; and
                   
                5. 8.5. in the case of services details and promotional material hosted on a site, the Central Bank will assess whether the website's existence has been included in a State search engine or the State section of a search engine; and whether the SVF advertisements, in print or online forms, are easily accessible in the State and whether the website has been advertised in the State through advertising agencies, in periodicals (e.g. newspapers, journals or electronic publications) or by broadcasting (e.g. television or radio).
                   
              3. In determining whether the content of the issuer’s website and the relevant promotional materials are written in a manner which gives an impression that the SVF is issued in the State, the Central Bank will take a holistic approach and consider a host of factors including but not limited to the following:
                 
                1. 9.1. whether representations made in any promotional materials and advertisements regarding the location of the issue of the SVF and the usage of that facility is in the State; and
                   
                2. 9.2. whether the website and its functions are designed in a manner that may imply or give the impression that the SVF is issued in the State, such as the languages used in the SVF website (e.g. the Arabic language), the use of a particular domain name such as a State domain name, the currencies accepted for the services (e.g. AED), and contact details in the State.
                   
              4. The Central Bank will consider all relevant factors including, in particular, whether reasonable precautions are in place to avoid the promotional materials being made available or accessible to persons in the State and whether the issuer has systems in place to avoid providing services to persons residing in the State.
                 
              5. The Central Bank may also consider matters such as whether the SVF Issuer has established a physical presence in the State; and whether it has established business relationships with banks or financial institutions in the State for payment or other banking support services in the State.
                 
              6. The above factors and criteria are neither exhaustive nor conclusive. The Central Bank will use a holistic approach to judge each case on its merits and take into account the particular circumstances and all relevant facts.
                 
            • Article (3): Licensing Requirements

              1. In accordance with Article (65) of the Central Bank Law, the provision of Stored Value Facilities is considered a Licensed Financial Activity and subject to the Central Bank’s licensing and supervision in accordance with the provisions of the Central Bank Law. In this connection, an Applicant must satisfy the licensing requirements set by the Central Bank for SVF issuance, and continue to do so on an ongoing basis as a Licensee.
                 
              2. The Applicant must be a company incorporated in the State, including free zones but excluding Financial Free Zones.
                 
              3. Applicants must meet, or demonstrate that they will meet upon License issuance, the ongoing requirements set out in Articles (7) to (14) of this Regulation applicable to Licensees, in particular:
                 
                1. 3.1. The requirements regarding financial resources as set out in Article (7) of this Regulation. The Central Bank may add additional requirements regarding financial resources or increase the existing ones as a condition for License issuance, where it considers such additional requirements necessary;
                   
                2. 3.2. The requirements regarding their principal business, as set out in Article (7) of this Regulation. The Application must disclose to the Central Bank any activities and secondary or ancillary businesses that the Applicant conducts or plans to conduct that may not be directly related to the issuance of SVF;
                   
                3. 3.3. The requirements regarding corporate governance, general risk management and internal control, and accounting system as set out in Articles (8) to (10) of this Regulation. In particular, the board of directors, the Senior Management, and the Controlling Shareholder must have been approved by the Central Bank as fit and proper in the context of the Application before the License is granted;
                   
                4. 3.4. The requirements regarding risk management policies and procedures for the management and protection of the Float, as set out in Article (11) of this Regulation;
                   
                5. 3.5. The requirements regarding technology and specific risk management policies and procedures for managing the risks arising from the operation of the SVF business, as set out in Article (12) of this Regulation;
                   
                6. 3.6. The requirements regarding business conduct and Customer protection as set out in Article (13) of this Regulation;
                   
                7. 3.7. The requirements regarding anti-money laundering and countering the financing of terrorism, as set out in Article (14) of this Regulation.
                   
              4. As part of the licensing process, separate face-to-face meetings between Central Bank staff and the Applicant’s board of directors and the Senior Management may be conducted.

              Independent assessments

              1. The Applicant is required to submit a report of independent assessments on seven key areas based on the scope set out in paragraphs 3.3 to 3.7 above: (a) corporate governance and risk management; (b) Float management; (c) technology risk management; (d) payment security management; (e) business continuity management; (f) business conduct and Customer protection; and (g) AML/CFT control systems.
                 
              2. The Central Bank expects the Applicant to appoint one or more competent and qualified assessor(s), which are independent from the business units of the Applicant, to carry out the independent assessments. The assessors should not be involved in the operations to be reviewed or in selecting or implementing the relevant control measures to be reviewed, have relevant knowledge and experience, and should be able to report their findings independently. They should also confirm to the Central Bank that there is no conflict of interest in the conduct of independent assessments.
                 
              3. Banks that are deemed to be licensed for the provision of SVF are exempted from the assessment report mentioned in paragraphs 5 and 6 above, unless the Central Bank explicitly requires the report from them.
                 
            • Article (4): Application Procedure

              Licensed bank to issue SVF

              1. Although licensed banks are deemed to be authorized for the issuance of SVF, they are nevertheless required to notify the Central Bank in writing if they plan to issue an SVF and carry out the SVF business. A “No Objection” letter is required from the Central Bank before the licensed bank concerned can commence the SVF business.

              Preliminary meeting with the Central Bank

              1. Any company that is interested in obtaining a License may obtain the Application form from the Licensing Division of the Central Bank.
                 
              2. The Senior Management of the company is strongly encouraged to meet and discuss the SVF business plan with the Central Bank before submitting a formal Application.

              Consultation with home regulator

              1. Where the Controlling Shareholder of the Applicant is regulated by another authority, including by authorities in other jurisdictions, the Central Bank may contact the relevant authority about the Applicant. The Central Bank may take into account the relevant authority’s views in respect of matters such as the financial soundness and the overall internal control environment of the Controlling Shareholder, and whether the relevant home regulator has any concern about that Controlling Shareholder extending its SVF business to the State.

              Completing and submitting the Application

              1. The Application must be lodged with the Central Bank with the completed form and the required documents as set out in the Annex.

              Processing of Application

              1. The Central Bank may seek additional information from the Applicant to reach a decision on the Application. The circumstances of each particular Application will dictate the additional information required. Specifically, the Applicant is required to submit a report of independent assessments as set out in paragraphs 5 and 6 of Article (3) of this Regulation. The validity of the assessment report should not exceed six months after the report’s sign-off date.
                 
              2. Incomplete information may result in delays. Applicants should, therefore, pay attention to the following points:
                 
                1. 7.1. All Applications must be submitted with documents and information listed in the Annex. The Applicant will be informed in writing that the Application is complete and the processing of the Application will begin;
                   
                2. 7.2. Where an Application received is incomplete or supporting documents or information are lacking, the Applicant will be informed in writing that the Application will be treated as “draft” and will be asked to complete the Application or provide the missing information by a date specified by the Central Bank. Once a properly completed Application with all necessary supporting documents and information is received, the Applicant will be notified in writing that the Application is complete and the processing of the Application will begin;
                   
                3. 7.3. Where information requested is not received by the specified date or a revised date agreed in writing by the Central Bank at the request of the Applicant, the Application may be treated as “suspended” and the Applicant will be notified of this in writing;
                   
                4. 7.4. Where an Application is “suspended”, the Applicant will be informed in writing that the processing of the Application will cease temporarily. Suspended Applications will be reactivated only when the outstanding information is submitted; and
                   
                5. 7.5. Where an Application is “suspended” for 6 months or more for any reason, a new Application will generally be required if the Applicant wishes to pursue the matter further.

              Approval of Application

              1. The Central Bank may approve an Application for the License made by the Applicant provided that all the licensing criteria can be met by the Applicant.
                 
              2. The Central Bank may grant the License without conditions or subject to any conditions attached. Conditions attached to a License may include, among others, imposing a higher level of capital requirement, restrictions on the SVF business or any secondary or ancillary businesses, requirements relating to protection of the Float, and restrictions as to the maximum amount of value that may be stored on an SVF, etc.
                 
              3. If the Central Bank grants a License to the Applicant, the Central Bank will:
                 
                1. 10.1. assign a unique reference number to the License; and
                   
                2. 10.2. specify in the License the date on which the License is to take effect.
                   
              4. Specifically, a Licensee must ensure that the reference number of the License is clearly displayed on the Licensee’s website and in its promotional materials.
            • Article (5): Suspension, Withdrawal and Revocation of License

              1. The Central Bank may suspend, withdraw or revoke a License as stipulated in the Central Bank Law.
                 
              2. In considering whether to exercise such power, the Central Bank would have primary regard to the need to maintain the stability of the payment system in the State and the reputation of the UAE, and to protect the interests of the Customer or potential Customer of the Licensee in question.
                 
              3. Where a Licensee is suspended, withdrawn or revoked, the Licensee must immediately cease to take any further sum of money from Customers.
                 
            • Article (6): Authority over Licensees

              1. The Central Bank may take all measures and actions it deems appropriate for achieving its objectives and discharging its functions, and may particularly take the following actions, if it is found that a material violation of the provisions of this Regulation has occurred:
                 
                1. 1.1. The Central Bank may require the concerned Licensee to take necessary actions to rectify the situation immediately;
                   
                2. 1.2. Appoint a specialized expert, or a Central Bank employee, to advise or guide the concerned Licensee, or oversee some of its operations, for a period specified by the Central Bank. The concerned Licensee shall pay the remuneration of such appointee if he is an expert from outside the Central Bank; or
                   
                3. 1.3. The Central Bank may appoint a manager where the Central Bank is of the view that the management of the Licensee cannot be relied upon to take appropriate steps to rectify a situation. The main objectives of appointing a manager to take control of the management of a Licensee are:
                   
                  1. 1.3.1. to provide for the control of the affairs, business and property of a troubled Licensee so that it can be nursed back to health or else be run down in an orderly fashion; or
                     
                  2. 1.3.2. to safeguard the assets and maintain the business of the Licensee until a liquidator can be appointed.
                     
                4. 1.4. Take any other action or measure, or impose any penalties it deems appropriate.
                   
          • Part II – Ongoing Regulatory Requirements

            • Article (7): Principal Business and Financial Resources Requirements

              1. The principal business of a Licensee must be the issuance of SVF under a License.
                 
              2. The principal business and financial resources requirements set out in this Article do not apply to licensed banks that carry out the SVF business in the State.

              Principal business requirement

              1. For the avoidance of doubt, a Licensee is not permitted to carry on any other Licensed Financial Activity without obtaining a License from the relevant authority. If the Licensee wishes to conduct any secondary or ancillary businesses, the Licensee must seek approval from the Central Bank before undertaking such activity.

              Financial resources requirements

              1. A Licensee must maintain the following:
                 
                1. 4.1. paid-up capital of at least 15 million Dirham (15,000,000 AED) or an equivalent amount in any other currency approved by the Central Bank;
                   
                2. 4.2. Aggregate Capital Funds must be at least 5% of the total Float received from the Customers.
                   
              2. The Aggregate Capital Funds consist of the following items:
                 
                1. 5.1. Paid-up capital;
                   
                2. 5.2. Reserves, excluding revaluation reserves; and
                   
                3. 5.3. Retained earnings.
                   
              3. The following items must be deducted from Aggregate Capital Funds:
                 
                1. 6.1. Accumulated losses; and
                   
                2. 6.2. Goodwill.
                   
              4. A Licensee must be able to demonstrate that its financial resources are sufficient for implementing its business model in a safe, efficient and sustainable manner, without compromising the interests of Customers.
                 
              5. A Licensee must provide adequate details to the Central Bank on the source of funds that will be used to support the proposed business activities.
                 
              6. A Licensee must demonstrate that it will be able to maintain sufficient financial resources to facilitate an orderly wind-down of its SVF business, including a smooth refunding process.
                 
              7. The Central Bank may impose a higher financial resources requirement if, taking into account the scale and complexity of a Licensee’s business, it considers such a requirement important in ensuring that the Licensee concerned has the ability to fulfil its regulatory obligations under this Regulation. An unconditional irrevocable bank guarantee for the full paid-up capital amount in favor of the Central Bank paid upon first demand shall also be submitted to the Central Bank with the application of the License. Such a guarantee should be renewable before expiry or based on the Central Bank’s demand.
            • Article (8): Corporate Governance Requirements

              1. A Licensee must have in place appropriate risk management policies and procedures for managing the risks arising from the operation of its SVF business that are commensurate with the scale and complexity of the scheme.
                 
              2. The corporate governance requirements set out in this Article do not apply to licensed banks that carry out the SVF business. Banks are required to adhere to the Central Bank regulation and standards for corporate governance at banks.

              Responsibilities of the board of directors

              1. A Licensee is required to have in place sound governance arrangements for the purpose of effective decision-making and proper management and control of the risks of its business and operations. Such arrangements should include a clear organizational structure with well-defined, transparent and consistent lines of responsibility. There should also be clear documentation on decision-making procedures, reporting lines, internal reporting and communication process.
                 
              2. As part of a sound governance arrangement, a Licensee should put in place a code of conduct which lays down the standards of integrity and probity expected of its management and employees. The Licensee should also have adequate systems for enforcing the code of conduct, including regular assessments of the relevancy and effectiveness of the code.
                 
              3. The board of directors is responsible for the sound and prudent management of the Licensee’s SVF business operations.
                 
              4. The board of directors should have an adequate number and appropriate composition of members to ensure sufficient checks and balances and collective expertise for effective and objective decision-making. The size and composition of the board of directors will vary from institution to institution depending on the size of the Licensee and the nature and scope of its activities.
                 
              5. The board of directors should document and clearly define appropriate internal governance practices and procedures for the conduct of its own work and have in place the means to ensure that such practices are followed and periodically reviewed with a view to ongoing improvement.
                 
              6. Effective arrangements should be put in place such that the board of directors can assess the performance of the Senior Management and hold them accountable for their performance.

              Fitness and propriety of officers and Controlling Shareholder

              1. A person must not become a chief executive or director of a Licensee except with the Central Bank’s approval. The Central Bank’s approval must be obtained for a person to become Controlling Shareholder of a Licensee. In considering the fitness and propriety of the chief executive, directors and Controlling Shareholder of a Licensee, the Central Bank will take into account factors including, among others, the integrity, willingness to uphold professional ethics and industry good practices, and competence of the person concerned. Set out below are the Central Bank’s general expectations in relation to the fitness and propriety of chief executives, directors and the Controlling Shareholders of Licensees.

              Directors and chief executives

              1. Given the leadership role of directors and chief executives, fitness and propriety will be assessed taking into consideration their integrity and competence, which will generally be assessed in terms of relevant knowledge, experience, judgement as well as leadership. Their commitment and ability to devote sufficient time and attention to the SVF business will also be assessed. The standards required from persons in these respects will vary, depending on the scale and complexity of a Licensee’s operations.

              Controlling Shareholder

              1. In assessing the fitness and propriety of the Controlling Shareholder, a key consideration is the influence that the Controlling Shareholder could potentially have on the interests of the Customers and potential Customers of the scheme concerned. This has to be assessed in the context of the circumstances of individual cases. The general presumption is that the greater the influence on the Licensee, the higher the standard will be for the Controlling Shareholder to fulfil the criterion.

              Outsourcing

              1. A Licensee may outsource activities and processes to service providers, including independent third parties, or companies within the Licensee’s group. Such outsourcing must be approved by the Central Bank.
                 
              2. A Licensee is ultimately responsible for the adequacy, service levels, quality and security of the outsourced activities and processes, including the reliability, robustness, stability and availability of the outsourced activities and processes as well as the integrity and protection of the information held by the service providers.
                 
              3. Prior to outsourcing an activity or process, a Licensee must:
                 
                1. 14.1. Conduct a comprehensive independent risk assessment, identifying all risks involved, and ensuring that all material risks, including business interruption risk, and controls over Customer data protection, are adequately managed. The assessment should identify any additional risks or increases in risks caused by the outsourcing;
                   
                2. 14.2. Perform an appropriate due diligence regarding not just the cost and quality of the services offered, but also on the provider’s financial soundness, reputation, managerial skills, technical and operational capacity to meet the Licensee’s requirements in the longer run, ability to meet the regulatory requirements with regard to the services offered, familiarity with the payment industry, and capacity to keep pace with innovation in the market.
                   
                3. 14.3. Prior to outsourcing any process or activity: (a) perform an appropriate due diligence to ensure that the services to be rendered fully meet the performance and relevant regulatory requirements, (b) execute appropriate outsourcing agreements with the service providers to set out clearly the outsourcing arrangements and the related rights and obligations, and (c) carry out proper transfer of the related operations or functions to ensure smooth transition; and
                   
                4. 14.4. Properly manage the outsourcing arrangements on an ongoing basis by performing appropriate regular audits and/or quality reviews of the outsourced operations or services.
                   
              4. The outsourcing agreement must set out clearly:
                 
                1. 15.1. The type and level of services to be provided and the related performance standards of the service provider, including its contingency arrangements in respect of daily operational and systems problems;
                   
                2. 15.2. The contractual obligations and liabilities of the service provider;
                   
                3. 15.3. The rights and obligations of the Licensee including the relevant fees and charges payable by the Licensee and the rights of the Licensee to access, retrieve and retain on a timely basis accurate and up-to-date records and make those records available for inspection by the relevant authorities including the Central Bank or an independent assessor appointed by the Licensee or the Central Bank, if required; and
                   
                4. 15.4. Data handling controls and arrangements relating to the storage, backup, protection and confidentiality, and data removal and transfer arrangements upon termination or expiry of the contract. The right for the Licensee, the Central Bank and/or an independent assessor appointed by the Licensee or Central Bank to conduct an on-site inspection and off-site review of the operations and controls of the service provider. This includes access by the Central Bank or an appointed independent assessor to the premises, systems, records and documents relevant to the outsourced activity or process.
                   
              5. A Licensee should ensure that it has an adequate understanding of its service provider’s contingency plan and consider the implications for its own business continuity planning in the event that an outsourced service is disrupted due to failure of the service provider’s system. Such contingency plans should be tested by the Licensee and its service providers regularly.
                 
              6. A Licensee should ensure that its outsourcing arrangements comply with the relevant personal data privacy/protection requirements and any relevant codes of practice, guidelines and best practices issued by the Central Bank and relevant authorities.

              Location of Senior Management

              1. The chief executive and the alternate chief executive should be individuals who are ordinarily resident in the State. Licensees must ensure that this requirement is being complied with on an ongoing basis. Furthermore, the Senior Management team and the key personnel responsible for scheme operation, system support, risk management and compliance of the Licensee must be based in the State. Depending on the nature, scale, complexity of business, and the organization structure of the Licensee, the Central Bank may approve different arrangements.
                 
            • Article (9): General Risk Management & Internal Control Systems

              1. The Licensee must have in place appropriate risk management policies and procedures for managing the risks arising from the operation of its SVF scheme that are commensurate with the scale and complexity of the scheme.
                 
              2. The general risk management and internal control systems requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.

              Risk management

              1. A Licensee must have in place an effective risk management framework, which is approved by the board of directors. Dedicated human resources should be equipped with sufficient professional knowledge and experience to oversee the risk management and internal control processes.

              Liquidity risk management

              1. A Licensee must establish and implement an effective process for managing liquidity risk that is appropriate for the size and complexity of its operations. The objective is to ensure that the Licensee will have sufficient liquidity to meet different financial obligations arising from its day-to-day operations as well as redemption requests under all plausible circumstances.

              Internal controls

              1. A robust internal control system must be put in place to promote effective and efficient operation, safeguard assets, provide reliable financial and management information, enable prevention or early detection of irregularities, fraud and errors, and ensure compliance with relevant statutory and regulatory requirements and internal policies.
                 
              2. A Licensee should put in place a comprehensive business strategy and plan, including details on the strategic goals and roadmap. A business plan should normally cover proposed business in terms of geographical scope of operations, target markets and Customer breakdown, client types and base size, product and services offering, delivery channels, pricing strategy, and promotion and marketing activities.

              Compliance and internal audit functions

              1. A Licensee must maintain an effective (i) compliance function; and (ii) internal audit function to ensure compliance with all applicable legal and regulatory requirements as well as its own policies, procedures and controls. Among other factors, the quality of a Licensee’s compliance and internal audit functions will be assessed by the Central Bank based on its:
                 
                1. 7.1. clear governance framework with board level support to ensure effective policies and sufficient authorities to perform the functions;
                   
                2. 7.2. relevant professional knowledge and experience;
                   
                3. 7.3. independence from business units;
                   
                4. 7.4. direct and unfettered access to the board;
                   
                5. 7.5. coverage, comprehensiveness and effectiveness of compliance and internal audit programs; and
                   
                6. 7.6. ability to take timely and proactive rectifying actions upon identifying non-compliance or other control deficiencies.
                   
              2. The compliance function must not be combined with the internal audit function.

              Reporting to the Central Bank

              1. A Licensee must have effective procedures to ensure submission of data and information requested by the Central Bank in a timely and accurate manner, including: (a) incidents having a material adverse impact on its business, operation, assets, risks or reputation; and (b) breach of any statutory or regulatory requirements by the Licensee or its officers or employees.
                 
              2. A Licensee should at least annually perform a risk assessment by its own risk management or audit function. If the results of the risk assessment suggest that a detailed independent assessment is necessary, the Licensee should conduct such assessment and cover the following seven key areas: (a) corporate governance and risk management; (b) Float management; (c) technology risk management; (d) payment security management; (e) business continuity management; (f) business conduct and consumer protection; and (g) AML/CFT control systems. If the Licensee has an independent function elsewhere in its group, with the relevant knowledge and experience, the independent assessment can be conducted by its internal function. Otherwise the assessment must be carried out by an independent third party.
                 
              3. The report mentioned in paragraph 10 above must be submitted to the Central Bank after being approved by the board of directors. These reports must include an executive summary highlighting the key risks, most important findings and the actions for rectifying the issues.
                 
              4. Arising from the findings of the annual risk assessment, a Licensee that is unable to meet its obligations must immediately report this to the Central Bank.
                 
              5. A Licensee must also immediately notify the Central Bank of any breach or potential breach of major regulatory requirements in this Regulation.
            • Article (10): Information and Accounting Systems

              1. The information and accounting systems, risk management and internal control systems set out in this Article do not apply to licensed banks that carry out the SVF business in the State. Banks must comply with the relevant regulations in these areas issued by the Central Bank for banks.

              Information and accounting systems

              1. A Licensee must have in place robust information and accounting systems to (a) record all business activities in a timely and accurate manner; (b) provide quality management information to enable effective and efficient management of business and operations; and (c) maintain appropriate audit trail to demonstrate effectiveness of controls.
                 
              2. A Licensee must properly maintain books and accounts and prepare financial statements and returns in compliance with all applicable regulatory reporting requirements and accounting standards in the State.

              Record keeping

              1. A Licensee must have in place adequate record keeping policies and systems for maintaining accurate and sufficient records of its books, accounts, management decisions and business activities, including transactions of Customers.

              Data protection

              1. A Licensee must have in place adequate policies, measures and procedures to protect its information and accounting systems, databases, books and accounts, and other records and documents from unauthorized access, unauthorized retrieval, tampering and misuse.
                 
              2. A Licensee must also adequately protect the Customer data (including Customer identification and transaction records) which are required to be stored and maintained in the State. Such data can only be made available to the corresponding Customer, the Central Bank, other regulatory authorities following prior approval of the Central Bank, or by a UAE court order. A Licensee must store and retain all Customer and transaction data for a period of five years from the date of the creation of the Customer data, or longer if required by other laws.
            • Article (11): Management and Safekeeping of the Float

              1. A Licensee must have in place an effective and robust system to protect and manage the Float to ensure that: (a) all funds are deployed for the prescribed usage only; (b) funds belonging to Customers are protected against claims by other creditors of the Licensee in all circumstances; and (c) funds are protected from operational and other relevant risks.
                 
              2. A Licensee may need to seek an external legal opinion on the protection arrangement of the Float to ensure the legal soundness of the arrangements and to commission an independent review to ensure the operational soundness.
                 
              3. Licensed banks are required to comply with the requirements set out in paragraphs 7 to 16 in this Article, and are exempt from the other paragraphs.

              Protection of the Float

              1. A Licensee must put in place an effective contractual arrangement to ensure the legal right and priority claim of the Float by Customers in the event of insolvency of a Licensee. With respect to the contractual arrangement, a Licensee should ensure that the assets of the Float must be adequately protected from any possible claims and in segregated accounts with licensed banks or a foreign bank recognized by the Central Bank.
                 
              2. Alternatively, an effective bank guarantee and/or insurance coverage may be used. For the avoidance of doubt, any funds received by the Licensee that are not yet credited to the Customers’ accounts, or funds that are still held by the Licensee but have already been deducted from the Customer’s account, are treated as the Float received from the Customer and must be accorded the same level of protection.
                 
              3. Where circumstances warrant a trigger to redeem the Float to Customers, the contractual arrangement should operate to the effect that proper legal positions and authorizations are in place to ensure a smooth and efficient redemption process. Detailed procedures to ensure a smooth and efficient redemption process must be put in place. In assessing the efficiency of the redemption process, the Central Bank will consider factors including but not limited to notification to relevant Customers, the duration in which a Customer is expected to receive the redemption, and the steps that a Customer needs to take to seek redemption.
                 
              4. A Licensee must ensure that there are sufficient funds for the redemption of the Float to all Customers at all times and there are sufficient additional funds to pay for the costs of distributing the Float to all Customers in case of need.
                 
              5. An adequate process must be put in place to ensure timely and accurate records of funds paid into and out of a Licensee’s Float, with appropriately regular reconciliation between system records and the actual Float (e.g. balances of the dedicated bank account holding the Float). Such reconciliation should be done at least on a daily basis.
                 
              6. A Licensee must ensure that all Customer accounts in the SVF scheme Customer ledger are maintained in an accurate and timely manner and that the aggregate balance of all Customer accounts in the ledger accurately reflects the total amount of the Float of the SVF scheme at all times.
                 
              7. The assets, including cash and bank deposits, in which the Float of an SVF scheme are held must be segregated from the Licensee’s own funds as well as funds received for the Licensee’s other business activities.
                 
              8. A Licensee must put in place effective internal control measures and procedures, which constitute an integral part of the Licensee’s overall robust internal control system, to protect the Float from all operational risks, including the risk of theft, fraud and misappropriation.

              Management of the Float

              1. The Float of an SVF scheme must be managed mainly for the purpose of liquidity management to ensure that there will always be sufficient funds for redemption. A Licensee must put in place effective liquidity management policies, guidelines and control measures commensurate with the mode of operation of the SVF scheme in respect of the assets in which the Float are held.
                 
              2. A Licensee must not adopt a business model that takes investment returns from the Float management as a significant source of income. A Licensee who proposes to hold a proportion of the Float in low risk financial assets other than cash or bank deposits must obtain the Central Bank’s prior written consent by demonstrating to the Central Bank that the Float will be adequately protected from all relevant risks, including investment risk, market risk, concentration risk and liquidity risk. The Licensee seeking the Central Bank’s prior consent must put in place adequate investment policies and guidelines and effective control measures to protect the Float from all relevant risks.
                 
              3. Unless effective currency risk management policies, guidelines and control measures are put in place, mismatch between the currency denomination of the Float and that of the assets in which the Float are held is not allowed except for the mismatch between AED and US dollar positions.
                 
              4. If there are legitimate reasons that render it inevitable for a Licensee to run a currency mismatch as described in paragraph 14 above, the Licensee must obtain an exemption from the Central Bank. Licensees exempted from this provision will be expected to put in place appropriate policies and procedures to monitor or manage the foreign exchange risk arising therefrom and to ensure the sufficiency of the Float.

              Reporting to the Central Bank

              1. In respect of the protection and management of the Float, any material non-compliance with any regulatory requirements or internal policies, procedures and controls as well as any material unresolved discrepancies identified in any reconciliation must be reported to the Central Bank together with adequate rectification measures immediately through the established communication channels.
                 
            • Article (12): Technology and Specific Risk Management

              1. A Licensee is expected to take into account international best practices and standards when designing and implementing the technology and specific risk management systems and processes.
                 
              2. All technology and specific risk management requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.

              Technology risk management

              1. A Licensee must establish an effective technology and cyber security risk management framework to ensure (a) the adequacy of IT controls, (b) cyber resilience, (c) the quality and security, including the reliability, robustness, stability and availability, of its computer and payment systems, and (d) the safety and efficiency of the operations of the SVF scheme. The framework must be “fit for purpose” and commensurate with the risks associated with the nature, size, complexity and types of business and operations, the technologies adopted and the overall risk management system of the Licensee. Consideration should be given to adopting recognized international standards and practices when formulating such risk management framework.
                 
              2. A Licensee must establish an incident management framework with sufficient management oversight to ensure effective incident response and management capability to deal with significant incidents properly. This includes: (a) timely reporting to the Central Bank of any confirmed technology-related fraud cases or major security breaches, including cyber-attacks, cases of prolonged disruption of service and systemic incidents where Customers suffer from monetary loss or Customers’ interests are being affected (e.g. data leakage) and (b) a communication strategy to address the concerns any stakeholders may have arising from the incidents, and restore the reputational damage that the incidents may cause.
                 
              3. An effective technology risk management framework should comprise proper IT governance, a continuous technology risk management process and implementation of sound IT control practices.

              IT governance

              1. A Licensee must establish a proper IT governance framework. IT governance covers various aspects, including a clear structure of IT functions and the establishment of IT control policies. While there could be different constructs, the major functions should include an effective IT function, a robust technology risk management function, and an independent technology audit function.
                 
              2. A set of IT control policies that fits the Licensee’s business model and technology applications must be put in place. The IT control policies which establish the ground rules for IT controls must be formally approved by Senior Management and properly implemented among IT functions and business units. Processes used to verify compliance with IT control policies and the process for seeking appropriate approval by Senior Management for dispensation from IT control policies must also be clearly specified, and consequences associated with any failure to adhere to these processes are in place.

              Technology risk management process

              1. A Licensee must put in place an effective risk management system that fits its specific business model and risk profile.
                 
              2. A robust process must be established to manage all changes (e.g. changes arising from new products, services, processes, contract terms, or any changes of external factors such as law and regulations) that might change a Licensee’s technology risk exposures. All identified risks must be critically evaluated, monitored and controlled on an ongoing basis.
                 
              3. A general framework for management of major technology-related projects, such as in-house software development and acquisition of information systems, must be established. This framework should specify, among other things, the project management methodology to be adopted and applied to these projects.

              Project life cycle

              1. A full project life cycle methodology governing the process of developing, implementing and maintaining major computer and payment systems should be adopted and implemented.
                 
              2. Where a Licensee acquires a software package from vendors, a formal software package acquisition process should be established to manage risks associated with acquisitions, such as breach of software license agreement or patent infringement.
                 
              3. Quality assurance review of major technology-related projects by an independent party, with the assistance of the legal and compliance functions, should be conducted if necessary.

              Security requirements

              1. Security requirements should be defined clearly in the early stage of system development or acquisition as part of business requirements and adequately built during the program development stage.

              Coding practice

              1. Guidelines and standards for software development with reference to industry generally accepted practice on secure development should be developed. Source code reviews (e.g. peer review and automated analysis review), which could be risk-based, as part of software quality assurance process should be conducted.

              System testing, acceptance and deployment

              1. A formal testing and acceptance process should be established to ensure that only properly tested and approved systems are promoted to the production environment. The scope of tests should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.
                 
              2. Segregated environments for development, testing and production purposes should be maintained. System testing and user acceptance testing (UAT) should be properly carried out in the testing environment. Production data should not be used in development or acceptance testing unless the data has been desensitized and prior approval from the information owner has been obtained.

              Segregation of duties

              1. Segregation of duties among IT teams should be properly maintained. Developers should not be able to get access to production libraries and promote programming code into the production environment. If automated tools are used for the promotion of programming code, adequate monitoring, reviews and checks by independent teams should be done. Vendor accesses to the UAT environment, if necessary, should be closely monitored.

              End-user computing

              1. An inventory of end-user developed applications should be maintained and where necessary, control practices and responsibilities with respect to end-user computing to cover areas such as ownership, development standard, data security, documentation, data/file storage and backup, system recovery, audit responsibilities and training should be established.

              IT service support - Problem management

              1. A problem management process to identify, classify, prioritize and address all IT problems in a timely manner should be established. A trend analysis of past incidents should be performed regularly to facilitate the identification and prevention of similar problems.

              Change management

              1. A formal change management process should be developed to ensure the integrity and reliability of the production environment and that the changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems and other IT facilities and equipment, are proper and do not have any undesirable impact on the production environment. Formal procedures for managing emergency changes (including the record keeping and endorsement arrangement) should also be established to enable unforeseen problems to be addressed in a timely and controlled manner.

              Security baseline standards

              1. Control procedures and baseline security requirements, including all configurations and settings of operating systems, system software, databases, servers and network devices should be adequately and accurately documented. Periodic reviews on the compliance of the security settings with the baseline standards should be performed.

              IT operation - Job scheduling

              1. The initial schedules and changes to scheduled jobs should be appropriately authorized. Procedures should be in place to identify, investigate and approve departures from standard job schedules.

              Vulnerability and patch management

              1. A combination of automated tools and manual techniques should be deployed to regularly perform comprehensive vulnerability assessments. For web-based external facing systems, the scope of vulnerability assessment should include common web vulnerabilities.
                 
              2. Patch management procedures should be formulated to include the identification, categorization, prioritization and installation of security patches. To implement security patches in a timely manner, the implementation timeframe for each category of security patches should be defined based on severity and impact on systems.
                 
              3. Security monitoring tools should be implemented to retain system, application and network device logs to facilitate examination when necessary in accordance with the Licensee’s defined log retention policy. The tools should also monitor and report, on a real-time basis if possible, critical configurations and security settings to identify unauthorized changes to these settings and block anomalies on IT assets, e.g. abnormal user behaviors, unusual system processes and memory access and malicious callbacks to devices.

              IT facilities and equipment maintenance

              1. IT facilities and equipment should be maintained in accordance with the industry practice, and suppliers’ recommended service intervals and specifications to ensure the facilities and equipment are well supported.

              Mobile computing

              1. Where a Licensee provides mobile devices for its employees, policies and procedures covering, among others, requisition, authentication, hardening, encryption, data backup and retention should be established.

              Network and infrastructure management

              1. Overall responsibility for network management should be clearly assigned to individuals who are equipped with expertise to fulfil their duties. Network standards, design, diagrams and operating procedures should be formally documented, kept up-to-date, communicated to all relevant network staff and reviewed periodically.
                 
              2. A Licensee should have in place adequate measures to maintain appropriate segregation of databases for different purposes to prevent unauthorized or unintended access or retrieval and robust access controls should be enforced to ensure the confidentiality and integrity of the databases. In respect of any personal data of Customers, including merchants, a Licensee should at all times comply with this Regulation, the relevant data protection laws as well as any relevant codes of practice, guidelines or best practice issued by the relevant authorities from time to time.
                 
              3. Access to the information and application systems should be restricted by an adequate authentication mechanism associated with access control rules. A role-based access control framework should be adopted and access rights should only be granted on a need-to-have basis.
                 
              4. A security administration function and a set of formal procedures should be established for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities.
                 
              5. Due care should be exercised by Licensees when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include: (a) changing the default password; (b) restricting the number of privileged users; (c) implementing strong controls over remote access by privileged users; (d) granting of authorities that are strictly necessary to privileged and emergency IDs; (e) formal approval by appropriate senior personnel prior to being released for usage; (f) logging, preserving and monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs); (f) prohibiting sharing of privileged accounts; (g) proper safeguard of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data center); and (h) changing of privileged and emergency IDs’ passwords immediately upon return by the requesters.

              Cyber resilience

              Cyber security risk assessment process

              1. Where a Licensee is heavily reliant on Internet and mobile technologies to deliver its services, cyber security risks must be adequately managed through the Licensee’s technology risk management process. The Licensee should also commit adequate resources to ensure its capabilities to identify the risk, protect its critical services against the attack, contain the impact of cyber security incidents and restore the services.

              Cyber threat intelligence

              1. A Licensee must keep pace with the trends in cyber threats. It may consider subscribing to quality cyber threat intelligence services, which are relevant to its business, to enhance its ability to precisely respond to new types of threats in a timely manner. The Licensee may also seek opportunities to collaborate with other organizations to share and gather cyber threat intelligence with the aim of facilitating the SVF industry to better prepare and manage cyber security risks.

              Penetration and cyber-attack simulation testing

              1. A Licensee must regularly assess the necessity to perform penetration and cyber-attack simulation testing. Coverage and scope of testing should be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Licensee should also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis.

              Internet connected device

              1. As the Internet evolves, more devices or appliances are embedded with Internet connectivity. These devices with “always on” network connectivity may create more end-points which allow intruders to get access to a Licensee’s critical IT infrastructure. The Licensee should pay attention to related risks and take appropriate measures accordingly.

              Payment security management

              1. A Licensee must put in place a robust payment security management framework that is commensurate with the scale and nature of payment security risks associated with its SVF schemes to effectively monitor, identify, evaluate, respond and mitigate the payment security risks arising from the operation of the SVF schemes.
                 
              2. A Licensee must have adequate policies and procedures on the ownership, classification, storage, transmission, processing and retention of information collected from Customers through registration of SVF service and execution of payment transactions to ensure confidentiality and integrity of the information.

              Information ownership

              1. An information owner should be assigned to the specific information being collected, processed, created, and maintained. The information owner should be accountable for classification, usage authorization and protection of information processed by and stored in systems.

              Information classification

              1. Information should be classified into different categories according to the degree of sensitivity to indicate the extent of protection required. To aid the classification process, a Licensee should develop guidelines and definitions for each classification and define an appropriate set of procedures for information protection in accordance with the classification scheme.

              Information in storage

              1. Sensitive data stored in end-user devices as well as the backend systems of Licensees, such as payment data, personal identifiable information and authentication data must be appropriately secured against theft and unauthorized access or modification. Sensitive data should be encrypted and stored in a secure storage environment, using strong and widely recognized encryption techniques.

              Information in transmission

              1. A Licensee must ensure that when transmitting sensitive data, e.g. from a Customer’s device to a Licensee’s server, a strong and secure end-to-end encryption is adopted and maintained in order to safeguard the confidentiality and integrity of the data, using strong and widely recognized cryptographic techniques.
                 
              2. Where applicable, communication channels for data exchange should only be open on a need-to-use basis. For example, where it is practical to do so, communications via contactless channels should only be allowed after activation by the Customer and within a limited time window.

              Information in processing

              1. If a Licensee offers merchant acquiring services, it should require its merchants to have necessary measures in place to protect sensitive data related to payments and should refrain from providing services to merchants which cannot ensure such protection. The Licensee should also implement sufficient controls to maintain and verify the integrity of the information processed by its systems.

              Information retention and disposal

              1. A Licensee must implement an information retention and disposal policy to limit the data storage amount and retention time, having regard to applicable legal, regulatory, and business requirements.

              Information minimization

              1. In designing, developing and maintaining payment services, a Licensee should ensure that information minimization is an essential principle of the core functionality: gathering, routing, processing, storing and/or archiving.
                 
              2. A Licensee must implement adequate security measures to protect each payment channel (including cards and user devices) provided to Customers for using its SVF against all material vulnerabilities and attacks. A Licensee providing payment card services should implement adequate safeguards to protect sensitive payment card data.

              Customer device

              1. A Licensee should assume that Customer devices are exposed to security vulnerabilities and take appropriate measures when designing, developing and maintaining payment services. Security measures should be in place to guard against different situations, including unauthorized device access, malware or virus attack, compromised or unsecure status of mobile device and unauthorized mobile applications.

              Mobile device for payment acceptance

              1. If mobile devices are used by merchants to accept a Licensee’s payment solutions, additional security measures should be implemented to safeguard the mobile payment acceptance solution, including the detection of abnormal activities and logging them in reports, and the provision of merchant identification for Customers to validate its identity.

              Customer authentication

              1. A Licensee should select reliable and effective authentication techniques to validate the identity and authority of its Customers. Two-factor authentication is normally expected for high-risk transactions. Customer authentication is stronger when two-factor authentication is adopted by combining any two of the following three factors: (a) something a Customer knows (e.g. user IDs and passwords); (b) something a Customer has or possesses (e.g. one-time passwords generated by a security token or a Licensee’s security systems); and (c) something a Customer is (e.g. retina, fingerprint or voice recognition).
                 
              2. If a password (including a personal identification number) is used as one factor of authentication, a Licensee must put in place adequate controls related to the strength of the password (e.g. minimum password length).

              Login attempts and session management

              1. Effective controls include limiting the number of login or authentication attempts (e.g. wrong password entries), implementing time-out controls and setting time limits for the validity of authentication. If a one-time password is used for authentication purposes, a Licensee should ensure that the validity period of such passwords is limited to the strict minimum necessary.

              Activities logging

              1. A Licensee should have processes in place ensuring that all transactions are logged with an appropriate audit trail.
                 
              2. A Licensee should have robust log files allowing retrieval of historical data including a full audit trail of additions, modifications or deletions of transactions. Access to such tools, including privileged responsibilities, should only be available to authorized personnel and should be appropriately logged.
                 
              3. Channels should be provided for Customers to check their past transactions.

              Fraud detection systems

              1. A Licensee must operate transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions. Suspicious or high-risk transactions should be subject to a specific screening, filtration and evaluation procedure.
                 
              2. Where an SVF enables a Customer to bind a credit/debit/prepaid card as a funding source for his/her SVF account, the Licensee should implement appropriate verification arrangements, to be conducted by the card issuer with the cardholder (e.g. SMS one-time password or other effective measures), to confirm that the cardholder gives consent to the card binding. Such verification arrangement should be triggered at least during the binding process or when the card is initially used by the relevant SVF account. Licensees should disallow binding a card if the relevant card issuer does not support the verification arrangement required by the Licensee or fails to perform the required verification with the relevant cardholder.
                 
              3. Where an SVF enables a Customer to set up a direct debit from a bank account, the Licensee should implement appropriate measures to ensure that the setting up of such a direct debit has been authorized by the relevant bank account owner.

              Administration of Customer accounts

              1. If a Licensee allows a Customer to open an account through an online channel, a reliable method should be adopted to authenticate the identity of the Customer. In general, the electronic know your customer (eKYC) process currently adopted by licensed banks is acceptable for SVF account opening.
                 
              2. A Licensee should perform adequate identity checks when any Customer requests a change to the Customer’s account information or contact details that are useful for the Customer to receive important information or monitor the activities of the Customer’s accounts.

              Controls over higher-risk transactions

              1. A Licensee should implement effective controls, such as two-factor authentication, to re-authenticate the Customer before effecting each high-risk transaction. High-risk transactions should, at least, include: (a) transactions that exceeded the predefined transaction limit(s); (b) change of personal contact details; and (c) unless it is not practicable to implement in the SVF concerned, transactions that exceeded the aggregate rolling limit(s) (i.e. total value of transactions over a period of time).
                 
              2. A Licensee should define the per transaction limit(s) and the aggregate rolling limit(s), having regard to factors such as its fraud monitoring capability, maximum stored value per SVF (if applicable), maximum daily top up limit (if applicable) and other fraud protection mechanisms implemented. Such limits should be clearly communicated to Customers.
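
The re-authentication rule and the two kinds of limit described in paragraphs 1 and 2 above, sketched as an added example that is not part of the Regulation. The limit values, the 24-hour window and every class, method and reason name are assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Limits:
    """Constructed sample limits; each Licensee defines and communicates its own."""
    per_transaction: Decimal = Decimal("1000")
    rolling_aggregate: Decimal = Decimal("3000")
    rolling_window: timedelta = timedelta(hours=24)


@dataclass
class Decision:
    effected: bool  # True once the request may be carried out
    reasons: list   # why the request was classed as high-risk (empty if it was not)


@dataclass
class Account:
    limits: Limits = field(default_factory=Limits)
    # (timestamp, amount) of effected payments, oldest first.
    # Assumes requests arrive in non-decreasing timestamp order.
    history: deque = field(default_factory=deque)

    def rolling_total(self, now: datetime) -> Decimal:
        """Total value of effected payments inside the window ending at `now`."""
        cutoff = now - self.limits.rolling_window
        while self.history and self.history[0][0] <= cutoff:
            self.history.popleft()
        return sum((amount for _, amount in self.history), Decimal("0"))

    def high_risk_reasons(self, kind: str, amount, now: datetime) -> list:
        """Classify a request against items (a), (b) and (c) of paragraph 1."""
        if kind == "contact_change":
            return ["contact_details_change"]            # item (b)
        if kind != "payment":
            raise ValueError(f"unknown request kind: {kind!r}")
        if amount is None or amount <= 0:
            raise ValueError("payment amount must be positive")
        reasons = []
        if amount > self.limits.per_transaction:         # item (a)
            reasons.append("per_transaction_limit_exceeded")
        if self.rolling_total(now) + amount > self.limits.rolling_aggregate:
            reasons.append("rolling_limit_exceeded")     # item (c)
        return reasons

    def handle(self, kind: str, now: datetime, amount=None,
               second_factor_verified: bool = False) -> Decision:
        """Effect the request, or refuse it until the Customer is re-authenticated.

        `second_factor_verified` stands for the outcome of a two-factor check
        performed for this specific request, not for the login session.
        """
        reasons = self.high_risk_reasons(kind, amount, now)
        if reasons and not second_factor_verified:
            return Decision(effected=False, reasons=reasons)
        if kind == "payment":
            # Only effected payments count towards the rolling aggregate.
            self.history.append((now, amount))
        return Decision(effected=True, reasons=reasons)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timeline
    account = Account()
    steps = [
        ("payment", t0, Decimal("900"), False),
        ("payment", t0 + timedelta(hours=1), Decimal("1500"), False),
        ("payment", t0 + timedelta(hours=1), Decimal("1500"), True),
        ("payment", t0 + timedelta(hours=2), Decimal("700"), False),
        ("contact_change", t0 + timedelta(hours=3), None, False),
    ]
    for kind, when, amount, verified in steps:
        print(kind, amount, verified, account.handle(kind, when, amount, verified))
```

A refused request leaves the rolling total unchanged, so a Customer who abandons the re-authentication step does not consume any of the aggregate limit.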

              Business continuity management

              1. A Licensee must have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery. These components are elaborated further below.

              Business impact analysis

              1. A business impact analysis normally comprises two stages. The first stage is to (a) identify potential scenarios that may interrupt a Licensee’s services over varying periods of time, and (b) identify the minimum level of critical business and payment services that must be maintained in the event of a prolonged service interruption.
                 
              2. The second stage of a business impact analysis is a recovery time-frame assessment. It aims to develop key realistic, measurable and achievable recovery time objectives: (a) maximum tolerable downtime to recover and resume the minimum service levels of critical business and payment services; (b) recovery time objective to recover critical IT resources and critical business and payment services; and (c) recovery point objective to recover data in a secure and timely manner and with full integrity.

              Recovery strategies

              1. A set of recovery strategies should be put in place to ensure that all critical business functions identified in business impact analysis can be recovered in accordance with the recovery timeframe defined. These recovery strategies should be clearly documented, thoroughly tested and regularly drilled to ensure achievement of recovery targets.
                 
              2. A crucial element of service recovery is robust record management. A Licensee must put in place effective measures to ensure that all business records, in particular Customer records, can be timely restored in case they are lost, damaged, or destroyed. It is also crucial for a Licensee to allow Customers to access their own records in a timely manner.
                 
              3. In determining a Licensee’s levels of minimal services and the recovery objectives, it should take into account a host of relevant factors, including but not limited to interdependency among critical services/systems, expectations of Customers and other stakeholders in terms of speed, stability, and reliability of its services, legal and reputational risk implications.

              Business continuity plan

              1. A business continuity plan must be developed based on the business impact analysis and related recovery strategies. A business continuity plan should comprise, at a minimum, (a) detailed recovery procedures to ensure full accomplishment of the service recovery strategies, (b) escalation procedures and crisis management protocol (e.g. set up of a command center, timely reporting to the Central Bank, etc.) in case of severe or prolonged service disruptions, (c) proactive communication strategies (e.g. Customer notification, media response, etc.), (d) updated contact details of key personnel involved in the business continuity plan; and (e) assignment of primary and alternate personnel responsible for recovery of critical systems.

              Alternate sites for business and IT recovery

              1. A Licensee should examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites should be sufficiently distanced to avoid any shared risk and being affected by the same disaster.
                 
              2. A Licensee’s alternate site should be readily accessible, installed with appropriate facilities and available for occupancy within the time requirement specified in its business continuity plan. Appropriate physical access controls should be implemented. If certain recovery staff are required to work from home in the event of a disaster, adequate computer and systems facilities should be made available in advance.
                 
              3. Alternate sites for IT recovery should have sufficient technical equipment, including communication facilities, of appropriate model and capacity to meet recovery requirements.
                 
              4. A Licensee must avoid placing excessive reliance on external vendors in providing business continuity management support, including the provision of the disaster recovery site and back-up equipment and facilities. A Licensee should satisfy itself that such vendors do have the capacity to provide the services when needed and the contractual responsibilities of the vendors, including the lead-time, types of support and capacity, are clearly specified.
                 
              5. If a Licensee is reliant on shared computing services provided by external providers, such as cloud computing, to support its disaster recovery, it should manage the risk associated with these services.

              Senior Management oversight

              1. Senior Management of the Licensee must clearly establish which function has the responsibility for the entire process of business continuity management, and ensure that it has sufficient resources and expertise.
                 
              2. Given the importance of business continuity management, the chief executive of a Licensee should prepare and sign-off a formal annual statement submitted to the board of directors on whether the recovery strategies adopted are still valid and whether the documented business continuity plan is properly tested and maintained.

              Implementation of business continuity plan

              1. A Licensee is expected to conduct testing of its business continuity plan at least annually. Senior Management, primary and alternate relevant personnel should participate in the annual testing to familiarize themselves with their recovery responsibilities.
                 
              2. All business continuity planning related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. Formal testing documentation (including test plan, scenarios, procedures and results) should be produced. A post mortem review report should be prepared for formal sign-off by Senior Management.

              Reputation risk management

              1. A Licensee must establish and implement an effective process for managing reputation risk that is appropriate for the size and complexity of its operations. A Licensee should integrate into its business processes proper due diligence work to (a) critically assess the potential reputational implications of its plans and activities for itself and for the industry; (b) take proactive actions to avoid or contain the identified risks; and (c) respond swiftly to mitigate the potential impact should such risks materialize.
                 
              2. A Licensee must also devote appropriate resources to conduct surveillance work with a view to identifying any issues with reputational implications for its operations. The objective is to protect the Licensee from potential threats to its reputation and, should there be a reputation event, minimize the effects of such an event.
                 
              3. A Licensee must ensure that the relevant process is capable of detecting and responding swiftly to new and emerging threats to reputation, monitoring the changing status of risks, providing early warning of potential problems to enable remedial actions to be taken, and providing assurance that the risks affecting reputation are under control.
            • Article (13): Business Conduct and Customer Protection

              1. The SVF schemes must be operated prudently and with competence in a manner that will not adversely affect the interests of the Customer or potential Customer of the Licensee. All Licensees must also comply with the existing regulatory requirements for consumer protection of the Central Bank.
                 
              2. The business conduct and Customer protection requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.

              Standard of conduct and business practices

              1. A Licensee must ensure that its business is operated in a responsible, honest and professional manner. A Licensee must treat all Customers, as well as merchants, equitably, honestly and fairly at all stages of their relationship with the Licensee. A Licensee must also act in a manner that will not adversely affect the interests of the Customer or potential Customer or the stability of any payment system in the State.
                 
              2. A Licensee must be responsible for the acts or omissions of its employees, service providers and agents in respect of the conduct of its business. Employees and agents of a Licensee must be properly trained and qualified.
                 
              3. A Licensee must ensure that it adopts and if needed, develops good business practices that can demonstrate its standard of conduct, including:
                 
                1. 5.1. Due diligence must be performed by a Licensee to ensure that all promotional materials it issues are accurate and not misleading;
                   
                2. 5.2. A Licensee may use its websites and mobile apps to provide links to e-commerce portals and other online merchants. When providing such links, the Licensee must carry out due-diligence on the e-commerce portals and merchants acquired to ascertain they are bona fide companies conducting legitimate business so as to manage reputation risk; and
                   
                3. 5.3. Websites or apps of a Licensee may only provide hyper-links to other websites which offer advisory and/or sale of financial products and services provided that the Licensee has sought external legal opinion to ensure that the arrangements comply with all relevant legal and regulatory requirements.

              Schemes and Operating Rules

              1. The Operating Rules of an SVF scheme must be fair to all parties concerned. A Licensee must operate its SVF scheme in strict accordance with the relevant Operating Rules.
                 
              2. If a Licensee intends to engage business partners (e.g. merchant acquirers to procure merchants), it must ensure that the arrangement with business partners will not compromise its obligations under this Regulation in respect of ensuring safe and efficient operation of the SVF scheme, in particular:
                 
                1. 7.1. The Licensee must conduct due diligence on business partners to carefully assess the risks involved before engaging the business relationship, and to put in place adequate control mechanism to mitigate the risks identified;
                   
                2. 7.2. The Licensee must be satisfied that the contractual relationship between itself and business partners (e.g. merchants) is clearly constructed and enforceable with well-defined division of duties and liabilities supported by well-documented service level agreements, and that there are necessary safeguards in its contractual relationship with the business partners to ensure the operational safety and efficiency of the SVF scheme;
                   
                3. 7.3. The Licensee must impose appropriate controls and oversight over the business arrangements with its business partners (e.g. in case of merchant acquirers), to ensure that they have proper systems in place for settlement of funds with the merchants and for mitigation of any potential money laundering and terrorist financing risks; and
                   
                4. 7.4. The Licensee must ensure that the arrangement of engaging business partners is compliant with relevant personal data privacy/protection requirements and also observes this Regulation and the relevant supervisory guidelines on data protection in order to safeguard the interest of its Customers.
                   
              3. The Operating Rules of an SVF scheme must provide that the amount of funds received by a Licensee or its agent from a Customer will be credited to the account of the Customer and made available for use by the Customer in a timely manner according to the Operating Rules.
                 
              4. Whilst the Central Bank will not establish a hard limit on the maximum amount of the value stored in each type of Customer accounts under an SVF scheme, a reasonable limit, supported by business justifications and control measures, must be set for the maximum amount that can be stored in each type of Customer accounts under an SVF scheme. Different storage limits can be set for different types of Customer accounts according to their respective features. All limits must be set out in the Operating Rules. The Central Bank may request a Licensee to change the limits on a case-by-case basis if the Central Bank considers it appropriate to apply such limits or the business justifications and control measures put up by the Licensee are considered unsatisfactory.
                 
              5. 10. A Licensee must set out and explain clearly the key features, risks, terms and conditions, and applicable fees, charges and commissions of its schemes, facilities, services and products. Such details must be effectively communicated and made available to the relevant Customers, as well as merchants. Additional disclosures, including appropriate warnings, must be developed to provide information commensurate with the nature, complexity and risks of the schemes, facilities, services and products.
                 
              6. A Licensee is solely responsible for the robustness of its SVF scheme and as such it must bear the full loss of the value stored in a Customer account where there is no fault on the part of the Customer. In general, a Customer of the Licensee must not be responsible for any direct loss suffered by him/her as a result of unauthorized transactions conducted through his/her account.

              Anti-fraud framework

              1. A Licensee must implement an anti-fraud framework. Such framework must include duties and obligations of chief executive officer, Compliance Committee, and fraud reporting and follow-up mechanism. Appropriate and documented anti-fraud training must be provided to all employees.

              Security advice for Customers

              1. The Licensee should provide easy-to-understand, prominent and regularly reviewed advice from time to time via effective methods and multiple channels to its Customers on security precautionary measures.
                 
              2. A Licensee must manage the risk associated with fraudulent emails, websites and mobile applications, which are designed to trick customers into revealing sensitive user information such as login identifiers, passwords and one-time passwords.

              Business exit plan

              1. With a view to minimizing the potential impact that a failure, disruption, or exit of a Licensee would have on Customers and the payment systems in the State, a Licensee is required to maintain viable plans for an orderly exit of its business and operations should other options be proven not possible.
                 
              2. Among other things, a business exit plan should (a) identify a range of remote but plausible scenarios which may render it necessary for a Licensee to consider an exit; (b) develop risk indicators to gauge the plausibility of the identified scenarios; (c) set out detailed, concrete, and feasible action steps to be taken upon triggering the exit plan; (d) assess the time and cost required to implement the exit plan in an orderly manner; and (e) set out clear procedures to ensure that sufficient time and financial resources are available to implement the exit plan. The plan should be reviewed on an annual basis to ensure its relevancy and workability.

              Systems interoperability

              1. A Licensee should ensure that its SVF systems are interoperable with other major payment systems in the State to allow connectivity of all key payment services. This is important for building a cost effective and efficient digital payment ecosystem in the State.
                 
              2. The Central Bank expects Licensees to adopt a risk-based approach and refrain from adopting practices that would result in financial exclusion, particularly in respect of the need for bona fide businesses and individuals to have access to SVF products and services.
                 
              3. The risk assessment processes should be able to differentiate the risks of individual Customers within a particular segment or grouping through the application of a range of factors, including country risk, business risk, product/service risk and delivery/distribution channel risk. It is inappropriate for Licensees to adopt a one-size-fits-all approach.
            • Article (14): Anti-Money Laundering and Countering the Financing of Terrorism Procedures

              1. All Licensees must comply with the existing legal obligations and regulatory requirements for AML/CFT of the Central Bank and address money laundering and terrorist financing risks through appropriate preventive measures to deter abuse of the sector as a conduit for illicit funds, and detect money laundering and terrorist financing activities and report any suspicious transactions to the Financial Intelligence Unit at the Central Bank.
                 
              2. The Central Bank requires the Licensees to undertake periodic risk profiling and assessment based on the AML/CFT requirements.

              Risk factors

              1. The risk of an SVF product will, to a significant degree, depend on its design, its functions and the mitigating measures applied. In assessing the risk of an SVF product, a Licensee should take into account the following risk factors:
                 
                1. 3.1. maximum stored value or transaction amount of the SVF – SVF products with higher transaction value or higher maximum stored value may increase the money laundering and terrorist financing risk;
                   
                2. 3.2. methods of funding – SVF products that allow funding by cash offer little or no audit trail and present a higher money laundering and terrorist financing risk. On the other hand, funding by unverified parties or via other payment methods without Customer identification can also create an anonymous funding mechanism and hence present higher money laundering and terrorist financing risks;
                   
                3. 3.3. cross-border usage – in general, SVF products with cross-border usage may increase the risk as transactions may be subject to different AML/CFT requirements and oversight in other jurisdictions and also give rise to difficulties with information sharing;
                   
                4. 3.4. person-to-person fund transfer function – an SVF product that allows person-to-person fund transfers may give rise to higher money laundering and terrorist financing risks;
                   
                5. 3.5. cash withdrawal function – an SVF product that allows access to cash for instance through automated teller machine networks may increase the level of money laundering and terrorist financing risk;
                   
                6. 3.6. holding of multiple accounts/cards – SVF products that allow a Customer to hold more than one account or card may also increase the money laundering and terrorist financing risk as it may be utilized by a third-party user other than the Customer;
                   
                7. 3.7. multiple cards linked to the same account – SVF products that permit this functionality may present higher money laundering and terrorist financing risks, especially where the linked card is anonymous; and
                   
                8. 3.8. payment for high-risk activities – some merchant activities, for example, gaming, present higher money laundering and terrorist financing risks.
                   
              2. The money laundering and terrorist financing risks of an SVF product can be reduced by implementing risk mitigating measures, which may include: (a) the application of limits on the maximum storage values, cumulative turnover or transaction amounts; (b) disallowing higher risk funding sources; (c) restricting the SVF product being used for higher risk activities; (d) restricting higher risk functions such as cash access; and (e) implementing measures to detect multiple SVF accounts/cards held by the same Customer or group of Customers.
                 
              3. The level of money laundering and terrorist financing risks posed by a particular SVF product will depend on a consideration of all risk factors, the existence and effectiveness of risk mitigating measures and their functionality.
                 
              4. A Licensee should assess whether a business relationship presents a higher money laundering and terrorist financing risk and assign a related risk rating. Generally, the Customer risk assessment will be based on the information collected during the identification stage. The Licensee should ensure that its CDD models are designed to address the specific risks associated with its Customer profile and SVF product features.

              Compliance management arrangements and independent audit function

              1. A Licensee must have appropriate compliance management arrangements that facilitate the SVF’s implementation of AML/CFT systems to comply with relevant legal and regulatory obligations and to manage money laundering and terrorist financing risks effectively. Compliance management arrangements should at a minimum include oversight by the Licensee’s Senior Management and appointment of a Compliance Officer and a Money Laundering Reporting Officer.
                 
              2. In addition, a Licensee should put in place comprehensive AML/CFT policies and procedures in accordance with the AML/CFT law and regulations.

              Use of technology

              1. The Central Bank supports innovative means by which Licensees implement AML/CFT Systems effectively as well as exploring the greater use of technology and analytical tools. The Central Bank expects Licensees, before introducing any new product, service or technology, to conduct adequate risk assessments and ensure that any identified risks are effectively managed or mitigated.
                 
              2. In general, the eKYC process currently adopted by licensed banks for digital onboarding of Customers is acceptable for SVF account opening. No physical face-to-face meetings with the Customer or physical documents verification are required so long as the digital authentication of the Customer and digital verification of all required documents can be done in accordance with the existing requirements of the Central Bank.
                 
              3. Depending on the nature of the relationship, Licensees may undertake additional CDD measures, including the collection of sufficient information to adequately understand the nature of the Virtual Asset Service Providers’ business; determining from publicly available information whether the Virtual Asset Service Providers are licensed or registered, and subject to AML/CFT supervision; and assessing the AML/CFT controls of the Virtual Asset Service Providers as appropriate. The extent of Customer due diligence measures should be commensurate with the assessed money laundering and terrorist financing risks of the Virtual Asset Service Providers.
                 
              4. Globally there is an emerging range of new products and services involving Virtual Assets. In line with the FATF standards, before a Licensee offers any new products relating to Virtual Assets, it should undertake money laundering and terrorist financing risk assessment and take appropriate measures to manage and mitigate the identified risks in accordance with applicable legal and regulatory requirements. Licensees are encouraged to refer to the suggestions provided by FATF in relation to the guidance for a risk-based approach to Virtual Assets and Virtual Assets Service Providers.
          • Part III – Enforcement

            • Article (15): Enforcement and Sanctions

              1. Violation of any provision of this Regulation may be subject to supervisory action and administrative & financial sanctions measures as deemed appropriate by the Central Bank.
                 
              2. Supervisory action and administrative & financial sanctions by the Central Bank may include replacing or restricting the powers of Senior Management or board of directors, providing for the interim management of the Licensee, imposition of fines or barring individuals from the UAE financial sector.
                 
            • Article (16): Interpretation of Regulation

              The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

            • Article (17): Cancellation of Previous Regulation

              This Regulation repeals and replaces the “Regulatory Framework for Stored Value and Electronic Payment Systems” Regulation issued in the UAE on 13/12/2016.

            • Article (18): Publication & Application

              This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication. In case of any discrepancy between the Arabic and the English, the Arabic version will prevail.

          • Annex

            List of documents to be submitted in an application

            1. Completed application form for License
               
            2. A report on paid-up capital certified by external auditor
               
            3. A copy of the ownership structure
               
            4. The latest audited financial statements for each Controlling Shareholder
               
            5. Completed application form(s) for each Controlling Shareholder
               
            6. Outline of the Senior Management and staff structure
               
            7. Completed application forms for chief executive, alternate chief executive and director
               
            8. Independent assessment report(s) on seven areas as set out in paragraph 5 of Article (3).
               
            9. Copies of risk management policies and procedures on AML/CFT systems
               
            10. Copies of policies and procedures for managing the Float
               
            11. A copy of the investment policy for managing the investment of Float
               
            12. A copy of contract, and terms & conditions between the Applicant and the Customer
               
            13. A copy of Operating Rules for the SVF scheme
               
            14. A copy of contractual agreements which describe the rights and obligations of the related parties involved in the SVF scheme
               
            15. Business plan that covers a three-year time horizon
               
            16. Board of directors’ resolution in support of the Application
               
            17. A copy of the articles of association (or equivalent) of the Applicant company in English and Arabic
               
            18. A copy of the Applicant's audited annual reports and / or audited financial statements for the past three financial years immediately prior to application.
               
            19. Each of the following:
              1. a). A copy of the notarized Memorandum and Articles of Association
                 
              2. b). A copy of the Licensee Commercial License
                 
              3. c). Auditor’s certification that the paid-up capital has been injected into the business
                 
      • Retail Payment Systems Regulation

        C 10/2020 Effective from 10/2/2021
        • Introduction

          The Central Bank is responsible for licensing, designating and overseeing systemically important Retail Payment Systems (RPS) pursuant to the Central Bank Law. The Central Bank Law stipulates criteria and relevant factors based on which the Central Bank will determine whether or not a licensed RPS should be designated and subject to the ongoing oversight of the Central Bank. The policy objective is to ensure that operations of designated RPS are safe, sound, efficient and in compliance with relevant international standards (e.g. the PFMI), and also, would contribute to the financial and payment system stability of the State.

          The Central Bank Law expressly sets out the powers of the Central Bank in relation to the licensing, designation and oversight of Financial Infrastructure Systems that are systemically important such as the RPS.

        • Objective and Scope of Application

          The objective of this Regulation is to ensure safety and efficiency of Financial Infrastructure Systems and promote efficient and smooth operations thereof. The Regulation sets out the licensing, designation and oversight framework that the Central Bank intends to follow with respect to the licensing and designation of RPS, and the ongoing oversight of such systems. This Regulation also outlines the major obligations and ongoing requirements of a designated RPS, the powers of the Central Bank in respect thereof, the licensing, designation and ongoing oversight of an RPS.

          The scope of this Regulation will cover the systemically important RPS which meet one of the following conditions: (a) the concerned system is operated in the State; or (b) the concerned system has the capacity to provide transfer, clearing or settlement of payment obligations relating to retail activities denominated in the Currency, any currency or any Regulated Medium of Exchange.

          This Regulation explains the relevant policies and procedures adopted by the Central Bank with respect to the licensing and designation of RPS. It sets out: (a) the types of RPS which are likely to be covered by the Regulation; (b) the Central Bank’s intended interpretation of the key criteria for designating an RPS; (c) the licensing and designation process; (d) the ongoing requirements of the designated RPS; and (e) the appeal mechanism in respect of the licensing, designation, suspension and revocation of licensing and/or designation.

          The provisions of this Regulation shall not apply to Financial Free Zones and to RPS operating therein unless expressly provided hereunder.

        • Article (1): Definitions

          1. Central Bank: means the Central Bank of the United Arab Emirates.
             
          2. Central Bank Law: means Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments from time to time.
             
          3. Clearing: means the process of transmitting, reconciling and, in some cases, confirming transactions prior to settlement, potentially including the Netting of transactions and the establishment of final positions for settlement.
             
          4. Clearing and Settlement System: means a system established for (a) the clearing or settlement of payment obligations; or (b) the clearing or settlement of obligations for the transfer of book-entry securities, or the transfer of such securities.
             
          5. Currency: means the State’s official national currency notes and coins, the unit of which is referred to as the “Dirham”.
             
          6. Default Arrangements: in respect of a Financial Infrastructure System, means the arrangements in place within the system for limiting systemic and other types of risk in the event of a Participant Person appearing to be, or likely to become, unable to meet his obligations in respect of a Transfer Order; and would include any arrangements that have been enforced by the System Operator or Settlement Institution for the following: (1) the Netting of obligations owed to or by a Participant Person; (2) the closing out of open financial position of a Participant Person; or (3) the realization of collateral securities to secure payment of obligations owed by the Participant Person.
             
          7. Designated System: means any Financial Infrastructure System designated by the Central Bank as systemically important, in accordance with the provisions of the Central Bank Law and the Regulation.
             
          8. Financial Free Zones (FFZ): means free zones subject to the provisions of Federal Law No 8 of 2004, regarding Financial Free Zones, and amending laws.
             
          9. Financial Infrastructure System: means either (1) a Clearing and Settlement System or (2) a Retail Payment System, established, operated, licensed, or overseen by any of the Regulatory Authorities in the State.
             
          10. Grievances & Appeals Committee: means the Committee referred to in Article (136) of the Central Bank Law.
             
          11. License: means a License issued by the Central Bank to an SO and/or SI to operate an RPS in the State. The License shall be valid for a period of five years, unless it is suspended or revoked by the Central Bank.
             
          12. Licensee: means an SO and/or SI that holds a valid License to operate an RPS from the Central Bank.
             
          13. Money’s Worth: value added onto an SVF by the customer; value received on the customer’s SVF account; and value redeemed by the customer including not only “money” in the primary sense but also other forms of monetary consideration or assets such as values, reward points, Crypto-Assets, or Virtual Assets. For example, a value top-up of an SVF account may take the form of values, reward points, Crypto-Assets, or Virtual Assets earned by the SVF customer from making purchases of goods and services. Similarly, value received on the account of the SVF customer may take the form of an on-line transfer of value, reward points, Crypto-Assets, or Virtual Assets between fellow SVF customers.
             
          14. Netting: in respect of a Clearing and Settlement System, means the conversion of the various obligations owed to or by a Participant Person towards all the other Participant Persons in the system, into one net obligation owed to or by the Participant Person.
             
          15. Operating Rules: means rules set up by the System Operator to cover the operation of a Financial Infrastructure System, including but not limited to, Participant Person account opening and maintenance, contractual relationships with and among Participant Persons, Default Arrangements, payment and settlement processing, Netting and collateral arrangements, authorization and post-transaction processes.
             
          16. Payment System: a Financial Infrastructure System which consists of a set of instruments, procedures, and rules for the transfer of funds between or among Participant Persons.
             
          17. Participant Person: in respect of a Financial Infrastructure System shall mean a Person who is party to or participant of the arrangements for which the system has been established.
             
          18. Person: means a natural or juridical person, as the case may be.
             
          19. Principles of Financial Market Infrastructures (PFMI): means the international standards for financial market infrastructures (i.e. Payment Systems, central securities depositories, securities settlement systems, central counterparties and trade repositories) issued by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO). The PFMI are part of a set of 12 key standards that the international community considers essential to strengthening and preserving financial stability.
             
          20. Regulated Medium of Exchange: means an instrument or a token that is widely used and accepted in the State as a means of payment for goods and services and regulated by the Central Bank to be a medium of exchange.
             
          21. Regulation: means the Retail Payment Systems Regulation.
             
          22. Regulatory Authorities: means the Central Bank and the Securities & Commodities Authority.
             
          23. Relevant Undertaking: In relation to an SVF, Relevant Undertaking means an undertaking by the Licensee that, upon the use of SVF by the customer as a means for payment for goods and services (which may be or include money or Money’s Worth) or payment to another person, and whether or not some other action is also required, the Licensee, or a third party that the SVF issuer has procured to do so, will, in accordance with the Operating Rules: (a) supply the goods or services; (b) make payment for the goods or services; or (c) make payment to the other person, or as the case requires.
             
          24. Retail Payment System (RPS): means any fund transfer system and related instruments, mechanism, and arrangements that typically handles a large volume of relatively low-value payments in such forms as cheques, credit transfers, direct debit, card payment transactions or a Regulated Medium of Exchange.
             
          25. Settlement Institution (SI): means an institution that provides settlement services to a Financial Infrastructure System, settlement accounts in one currency or multi-currency in the Financial Infrastructure System and in certain cases grants access to intraday liquidity to Participant Persons.
             
          26. State: means the United Arab Emirates.
             
          27. Stored Value Facilities (SVF): A facility (other than cash) for or in relation to which a customer, or another person on the customer’s behalf, pays a sum of money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets), whether in whole or in part, on the facility; and (b) the “Relevant Undertaking”. SVF includes device-based Stored Value Facility and non-device based Stored Value Facility.
             
          28. System Operator (SO): means a Person responsible for the operation of a Financial Infrastructure System, including the comprehensive management of all risks in the Financial Infrastructure System and ensuring that the operation of the system is in accordance with this Regulation and other relevant regulations issued by the Central Bank.
             
          29. Systemically Important Payment System: means a Financial Infrastructure System which has the potential to trigger or transmit systemic disruptions to the State’s monetary and financial stability; this includes, among other things, systems that are the sole Financial Infrastructure System in a jurisdiction or the principal system in terms of the aggregate value of payments, and systems that mainly handle time-critical, high-value payments or settle payments used to effect settlement in other Financial Infrastructure Systems.
             
          30. Transfer: means operationally, the sending (or movement) of funds or securities or of a right relating to funds and securities from one party to another party by (i) conveyance of physical instruments/money; (ii) accounting entries on the books of a financial intermediary; or (iii) accounting entries processed through a funds and/or securities transfer system.
             
          31. Transfer Order: in respect of a Financial Infrastructure System shall mean any of the following instructions: (1) instructions by a Participant Person to make funds available to another Participant Person to be transferred, on a book-entry basis, in the accounts of the Settlement Institution for a Clearing and Settlement System; or (2) instructions for discharge from obligation to pay, for the purposes of the Operating Rules of a Clearing and Settlement System; or (3) instructions by a Participant Person to either settle an obligation by transferring a book-entry security, or transferring those securities; or (4) instructions by a Participant Person that result in liability or discharge of retail operations payment obligation.
             
        • Article (2): Licensing Requirements

          1. As stipulated in Article (129) (1) (a) of the Central Bank Law, operating an RPS in the State requires a prior License from the Central Bank.
             
          2. The SO and/or SI of the RPS must apply and submit the required information and documents set out in Annex A to the Central Bank for a License if the RPS is in operation in the State.
             
        • Article (3): Eligibility and Criteria for Designation as Systemically Important Financial Infrastructure System

          1. As stipulated in Article (126) (2) of the Central Bank Law, if a licensed RPS falls within the eligibility for designation as set out in the aforementioned Article, the Central Bank may designate such RPS as systemically important.
             
          2. Financial Infrastructure Systems which may be covered by the definition of RPS include, but are not limited to, the following systems:
             
            2.1. Electronic funds transfer system: a system that handles transfer of funds which is initiated through a computer system, for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a customer’s account. The Central Bank will not license or designate RPS owned and/or operated by licensed banks (e.g. Internet or mobile banking systems, electronic fund transfer systems, etc.) for serving their own customers because such RPS are already subject to the Central Bank’s prudential supervision of the licensed bank as a whole. However, if a licensed bank provides RPS services to other payment service providers or financial institutions, such RPS may be subject to designation if the RPS falls within the designation criteria.

            2.2. Payment card system: a set of functions, procedures, arrangements, rules, and most importantly, a Clearing and Settlement System and network infrastructure that enable a holder of a payment card to effect a payment and/or cash withdrawal transaction with a third party other than the card issuer.

            2.3. Clearing and Settlement System for SVF[1]: a Payment System used to support the SVF business and scheme. An SVF scheme normally requires a Payment System to support its operation. Such a system normally falls within the RPS definition. To avoid regulatory overlap and inducing excess regulatory burden on SVF Licensees, the Central Bank does not intend to designate a Payment System run by an SVF Licensee to support its own SVF business and scheme. This is because the entire SVF business scheme and the related Payment System are already subject to the SVF Regulation, which ensures the safety and soundness of the Payment System including the transfer, clearing and settlement of payment obligations. Nonetheless, if the RPS operated by the SVF Licensee also supports SVF schemes run by other issuers or if a third party operates a Payment System to support other SVF schemes operating in the State, the Central Bank may designate such RPS if it meets the designation criteria.

            2.4. Payment gateway: a system that processes, accepts or declines payment transactions on behalf of the merchant through secure network connections.
               
          3. In forming an opinion as to whether an RPS satisfies the designation criteria, the Central Bank may consider one or more of the following factors in order to determine whether or not the RPS is a Systemically Important Payment System:

            3.1. The estimated aggregate value of Transfer Orders transferred, cleared or settled through the RPS in a normal business day. The foregoing refers to the total value of individual instructions cleared or settled in the RPS. For established RPS during the transitional period, the estimated value can be worked out with reference to historical data and business plan.

            3.2. The estimated average value of Transfer Orders transferred, cleared or settled through the RPS in a normal business day. The foregoing refers to the aggregate value of instructions transferred, cleared or settled through the RPS in a normal business day, divided by the number of instructions processed.

            3.3. The estimated number of Transfer Orders transferred, cleared or settled through the RPS in a normal business day.

            3.4. Whether those transactions or the equivalent payment services could be immediately and effectively handled by another Payment System in the State.

            3.5. Whether any cross-border activities are involved, including the number of involved countries and the total volume of processed Transfer Orders.

            3.6. The estimated number of Participant Persons of the RPS.

            3.7. Whether such RPS is linked to any Designated Systems or any Payment System that is licensed or regulated by other Regulatory Authorities in the State.
               
          4. In general, the higher the estimated aggregate value or number of Transfer Orders, the more likely an RPS is material to the financial system of the State and of significant public interest. The number of linkages of an RPS to another Designated System is an important factor that the Central Bank will consider when making a designation decision given the contagion risk to the financial system such linkage could bring.
             
          5. Apart from the above factors, the Central Bank will also consider other factors, for example, in the case of a card payment system, among others, the number of cards issued, the number of card acceptance points. The Central Bank will take a holistic approach in considering these factors, as they complement each other in providing different criteria for assessing the significance of an RPS.
             
          6. The above-mentioned factors are intended to identify an RPS whose proper functioning is material to the monetary or financial stability of the State, or that should be designated, having regard to matters of significant public interest or public order. During the designation process, should the need arise, the Central Bank will discuss with the SO and/or SI of the relevant RPS so as to understand the design and features of the system and assess whether it fulfills the criteria of a Systemically Important Financial Infrastructure System.
             


           

          [1] Detailed regulatory requirements of SVF are set out in the SVF Regulation.

        • Article (4): Designation Process

          1. The Central Bank will initiate the designation process under the designation framework as stipulated in Article (126) (3) of the Central Bank Law if it considers that an RPS is meeting, or is likely to meet, the criteria for designation. It is important to note that designation of an RPS does not in any way represent or imply that the Central Bank endorses such system. Designation of an RPS is to provide for such system to be subject to oversight by the Central Bank, with a view to maintaining and promoting the general safety and efficiency of such system.
             
          2. For the Central Bank to determine whether an RPS is eligible to be designated and whether it satisfies the designation criteria for the purposes of this Regulation, the Central Bank will request information or documents regarding the RPS from any Person who is holding, or whom the Central Bank reasonably believes holds such information or documents or is a SO and/or SI of the RPS or a Participant Person in the RPS. This power to request information or documents applies to RPS, individuals or corporations established, located or incorporated in the State and/or outside the State. The Central Bank will coordinate with any competent Regulatory Authority in the State or other competent authorities in other jurisdictions for the purpose of requesting and securing such information and documents.
             
          3. Generally speaking, the Central Bank will seek to request information or documents as set out in the Annexes of this Regulation and may, where necessary, seek additional information as is required in order to assist the Central Bank in making such determination. The types of information or documents that the Central Bank will require might vary from RPS to RPS.
             
          4. During the designation process, the Central Bank may discuss with the SO and/or SI of such system where necessary to understand the features and the design of the system and determine the RPS’s eligibility for designation.
             
          5. The time for the designation process may vary depending on the particular situation of each case, including the nature and complexity of the prospective designated RPS, the completeness of information and documents submitted to the Central Bank.
             
          6. The SO and/or SI of the designated RPS may submit a grievance against the designation decision by applying to the Grievances & Appeals Committee. Details on the appeal mechanism are set out in Article (11) of this Regulation.
             
          7. If the Central Bank intends to designate any of the RPS licensed by a competent Regulatory Authority in the State or competent regulatory authorities in other jurisdictions as systemically important RPS, the Central Bank shall implement the process provided for under Article (126) (6) of the Central Bank Law.
             

          RPS deemed to have been licensed and designated

          1. As stipulated in Article (126) (5) of the Central Bank Law, the RPS established, developed, and/or operated by the Central Bank are deemed to have been licensed and designated.
             
          2. The RPSs that are deemed to have been designated are required to observe all the obligations and requirements imposed on designated RPSs under this Regulation in the same manner as other designated RPSs.
             
        • Article (5): Cooperation with Relevant Regulatory Authorities

          1. As part of the designation process for RPS established and/or licensed by another Regulatory Authority in the State or by relevant regulatory authorities in other jurisdictions, the Central Bank may agree with the relevant regulatory authority which parts of this Regulation, where relevant, may not apply to the concerned designated RPS to avoid additional regulatory burden on the SO and SI of the RPS.

          2. The Central Bank will rely on co-operative oversight with the relevant regulatory authority of a designated RPS operating in the State or in other jurisdictions, in accordance with Articles (28) and (127) (2) of the Central Bank Law and the cooperative framework set out in the PFMI.
             
        • Article (6): Revocation of License and Designation

          Grounds for revocation

          1. As stipulated in Article (128) of the Central Bank Law, the Central Bank may revoke the License of an RPS if the RPS is unable to carry out its operations in compliance with the provisions of the Central Bank Law or this Regulation.
             
          2. As stipulated in Article (126) (7) of the Central Bank Law, the Central Bank may revoke the designation of an RPS if the RPS has ceased to be, or is likely to cease being a Systemically Important Financial Infrastructure System or an RPS whose proper functioning is material to the monetary or financial stability of the State.
             

          Revocation process

          1. The Central Bank will prepare a review report on whether a licensed and/or designated RPS satisfies the revocation criteria under this Regulation. If the Central Bank intends to revoke the License and/or the designation of an RPS, the Central Bank will notify in writing the SO and/or SI of the RPS or the regulatory authority where the RPS is licensed so that such authority can notify the SO and/or SI of the system of the intention of the Central Bank to revoke the License and/or the designation. The notice needs to state the grounds on which the revocation is to be made and specify a period of not less than twenty (20) working days from the date of notification, during which the SO and/or SI of the system may be heard, or may make written justifications, as to why the grounds for revocation stated in the notice are not valid.

          2. If any SO and/or SI of the licensed and/or designated RPS wishes to be heard or to make written justifications, it should make such a request to the Central Bank in writing before the revocation takes effect, giving reasons as to why the grounds for revocation specified in the notice have not been established. After reviewing the reasons given by the SO and/or SI, the Central Bank will determine whether the License and/or designation should be revoked. In the course of reviewing the matter, the Central Bank may meet with the SO and/or SI of the licensed and/or designated RPS should such need arise.
             
          3. If the Central Bank decides to proceed to revoke the License and/or designation of the RPS, the Central Bank will notify the SO and/or SI of the RPS of the Central Bank’s decision in writing.
             
          4. The SO and/or SI may object to the Central Bank’s decision to revoke the License and/or the designation of the RPS and provide justifications for such objection by applying to the Grievances & Appeals Committee as provided by the Central Bank Law.
             
          5. The Central Bank, if it considers that any of the RPS licensed by another Regulatory Authority in the State or the relevant regulatory authorities in other jurisdictions is no longer meeting the designation criteria, may request the concerned regulatory authority, via an official notice, to revoke the License and/or designation of the RPS.
             
          6. In all cases, the revocation of the License and/or designation of the RPS shall not affect any transaction cleared and settled in the concerned RPS prior to the effective date of revocation.
             
        • Article (7): Settlement Finality

          1. In accordance with Article (131) of the Central Bank Law settlement finality is “the discharge of an obligation by a transfer of funds that has become irrevocable and unconditional”. Specifically, “settlement finality” refers to the abrogation of all rights otherwise existing at law that would allow the reversal of a Transfer Order effected through, or proceeding within, an RPS.
             
          2. Article (131) (1) of the Central Bank Law grants finality to all transactions conducted through a Financial Infrastructure System, therefore rendering the same final, irrevocable and irreversible, in any of the cases provided for thereunder. Besides finality in respect of Transfer Orders, the Central Bank Law also provides legal certainty on the Netting arrangements in a designated RPS.
             
          3. If Netting has been effected in an RPS that meets any of the designation conditions referred to in Article (126) (2) of the Central Bank Law, the SO and/or SI needs to take into consideration the Netting of obligations of insolvent or bankrupt parties in Article (133) of the Central Bank Law.
             
          4. In addition, the preservation of rights in underlying transactions and obligation of Participant Person to notify of insolvency are set out in Article (134) and Article (135) of the Central Bank Law respectively.
             
        • Article (8): Ongoing Requirements of Designated Retail Payment Systems

          Principal Requirements

          1. The SO and/or SI of a designated RPS are required to ensure compliance with the following:

            1.1. RPS must comply with any instructions issued by the Central Bank and any relevant international standards (e.g. PFMI), and ensure proper and continued functioning of the designated RPS; and

            1.2. RPS must provide the information required by the Central Bank or where SO and/or SI consider it appropriate for achievement of the Central Bank objectives.
               
          2. The Central Bank may exempt the SO and/or SI or a Participant Person of a designated RPS in a general or specific manner, from the provisions of this Regulation.
             
          3. The Central Bank may appoint experts and advisors specialized in Financial Infrastructure Systems to assist the Central Bank in performing its duties and functions in accordance with this Regulation.
             

          Detailed requirements

          Principal requirements

          1. Upon designation, a designated RPS is required to comply with the ongoing requirements imposed under this Regulation and the relevant provisions of PFMI (see Article (9) for detail). Failure to comply with any of those requirements would expose the concerned party to possible sanctions provided for under the Central Bank Law. The principal requirements include:

            4.1. Submission of particulars – the Central Bank requires any SO and/or SI of a newly designated RPS to inform the Central Bank in writing of the designation particulars within fourteen (14) working days after the notification of designation, including the name, place of business, postal address and electronic mail address, as well as the aspects of the management or operations of the system. For any SO and/or SI which is a corporation, the names and personal particulars of the directors, chief executive (if any) and shareholders of the corporation are similarly required to be submitted to the Central Bank. Details of any subsequent change in any of those particulars are to be notified to the Central Bank in writing within fourteen (14) days of the change taking effect.

            4.2. Compliance with safety and efficiency requirements - the general requirements include safe and efficient operation of the RPS, the establishment of appropriate Operating Rules, the existence of adequate compliance arrangements, and the availability of appropriate financial resources.

            4.3. Submission of information or documents - the Central Bank may request information or documents relating to a designated RPS from the SO and/or SI of, or the Participant Person in, the RPS when performing the oversight functions under this Regulation. The SO and/or SI of, or the Participant Person in, the designated RPS to whom a request is made is required to submit the information or documents within the period specified in the request.

            4.4. The Central Bank may, at any time, with a short prior notice to the SO and/or SI concerned, examine any books, accounts or transactions of the SO and/or SI of a designated RPS when performing the oversight functions.

            4.5. The Central Bank may require the SO and/or SI of, or the Participant Person in, a designated RPS to submit to the Central Bank a report prepared by one or more auditors on matters that the Central Bank requires for discharging or exercising its duties and powers under this Regulation.

            4.6. The Central Bank may direct the SO and/or SI of a designated RPS to take any action necessary to bring the RPS into compliance with any of the requirements under this Regulation. Such a direction will specify the Central Bank’s concerns and the action(s) to be taken, include a statement of the respect in which the Central Bank considers the designated RPS not to be in compliance with a requirement under this Regulation and specify the period within which the direction is to be complied with.

            4.7. The Central Bank may, by notice in writing, direct the SO and/or SI of a designated RPS to take any action the Central Bank considers necessary to bring the RPS into compliance with any of the requirements under this Regulation.
               

          Obligation of SO and SI to notify the Central Bank of certain events

          1. The SO and/or SI of a designated RPS must notify the Central Bank of the occurrence of any of the following events as soon as practicable after that occurrence:
             
            5.1. An event or irregularity that impedes or prevents access to, or impairs the usual operations of, the designated RPS or its settlement operations.

            5.2. Any material function of the SO and/or SI that is outsourced.

            5.3. Any civil or criminal proceeding instituted against the SO and/or SI, whether in the State or elsewhere.

            5.4. The SO and/or SI being unable to meet any of the financial, statutory, contractual or other obligations of the SO and/or SI.

            5.5. Any disciplinary action taken against the SO and/or SI by any regulatory authority, whether in the State or elsewhere.

            5.6. Any change of the chief executive officer or senior management of the SO and/or SI.
               

          Governance arrangements

          1. The SO and/or SI of the designated RPS must have clearly defined and documented organizational arrangements, such as ownership and management structure. Each should operate with appropriate segregation of duties and internal control arrangements so as to reduce the risk of mismanagement and fraud.
             
          2. The SO and/or SI of the designated RPS must have effective measures and controls to ensure compliance with this Regulation. Appropriate processes must be in place to ensure that rules and procedures as well as the contractual relationships with its Participant Persons are valid and enforceable. These include clear rules and procedures to govern transfer, clearing and settlement for both domestic and cross-border transactions (if applicable).
             

          Compliance

          1. The SO and/or SI of the designated RPS are required to perform a periodic self-assessment or independent assessment of its compliance with this Regulation and the relevant principles of the PFMI set out in Article (9) of this Regulation. Such assessment must be done at least every 24 months. Its internal auditors, internal compliance officer or appointed independent assessor should perform such assessment as part of their on-going duties and provide the Central Bank with a copy of their compliance report. Assessment reports submitted to the Central Bank by the SO and/or SI of the designated RPS are confidential and shall not be disclosed to any third party unless the approval of the Central Bank is obtained.
             

          Financial requirement

          1. The financial condition of the SO and/or SI of the designated RPS must be sound and viable, and subject to ongoing review and monitoring by the senior management of the SO and/or SI.
             

          Participation criteria

          1. The SO and/or SI of the designated RPS must have an established process for considering applications to become its Participant Person. The SO and/or SI of the designated RPS must have procedures in place to allow prospective Participant Persons to access or obtain the information necessary to determine whether to apply to become a Participant Person.
             
          2. The general eligibility and participation criteria should be disclosed to genuine applicants upon request.
             

          Transparency, interoperability and competition

          1. The SO and/or SI of the designated RPS shall not establish or impose any operational policies, procedures and arrangements that will prevent operational transparency or interoperability among Payment Systems, and competition among market players. The SO and/or SI of the designated RPS must observe and comply with all relevant laws, codes of practice and guidelines applicable to their payment activities and services in the State.
             
          2. If the Central Bank considers the interoperability between the RPS and other Payment System(s) would be in the interest of the public or the Participant Persons of systems involved, it may direct the SO and/or SI of the RPS involved to enter into arrangements to enable the interoperability among the systems involved or to adopt any common standards.
             
          3. The relevant fees and charges must be documented and communicated clearly to the Participant Persons.
             
          4. The SO and/or SI of the designated RPS must inform affected Participant Persons of changes to its operational procedures and arrangements that materially affect such parties’ financial risk, operational risk, data security risk and legal risk in the State.
             

          Rules and procedures

          1. The SO and/or SI of the designated RPS must have proper Operating Rules to enable its Participant Persons to obtain sufficient information regarding their respective rights and obligations associated with their participation in the RPS. Such rights and obligations must be clearly defined and disclosed to the Participant Persons.
             
          2. Operating Rules of the RPS must be complete, up-to-date and readily available to all Participant Persons. Participant Persons must also be duly informed of any relevant changes in the Operating Rules.
             
          3. The SI must establish rules and procedures to enable final settlement to take place no later than the end of the intended settlement date. The related rules and procedures must also ensure certainty in terms of circumstances under which Transfer Orders effected through the RPS are to be regarded as settled for the purposes of the RPS.
             
          4. The liabilities of Participant Persons for any loss arising from unauthorized use of the RPS and the arrangements to handle any disputes over Participant Persons’ liability with respect to unauthorized transactions must be clearly set out in the rules and procedures.
             

          Operational efficiency

          1. The SO and/or SI of the designated RPS should provide convenient and efficient payment services to its Participant Persons, and ensure that the RPS can process transactions at a speed which is efficient and complies with the RPS’ committed service level.
             

          Operational reliability and business continuity

          1. The SO and/or SI of the designated RPS must have sound and prudent management, administrative, accounting and control procedures managing the financial and non-financial risks to which it reasonably considers it may be exposed.
             
          2. The SO and/or SI of the designated RPS must conduct risk analysis on new payment activity or service. In addition, where it reasonably believes that there has been a change of relevant circumstances, the SO and/or SI of the designated RPS should perform a review on the risk profile of existing activities and services to assess risks relating to security and business continuity.
             
          3. The SO and/or SI of the designated RPS must seek to ensure that it has an adequate number of properly trained and competent personnel to operate its system at a level it considers appropriate in all situations that it considers are reasonably foreseeable.
             
          4. The SO and/or SI of the designated RPS should provide its Participant Persons with information it reasonably considers relevant to fraud awareness in the context of the operation of its payment activities and services. The SO and/or SI of the designated RPS should provide Participant Persons with education it reasonably considers relevant to fraud awareness and the proper use or processing of the RPS to reduce the risk of fraud so that the Participant Persons can educate and promote the awareness of their customers accordingly.
             
          5. The SO and/or SI of the designated RPS must have comprehensive, rigorous and well-documented operational and technical procedures to address reasonable operational reliability, the integrity of its network and the timeliness of transactions in the face of malfunctions, system interruption and transmission failures or delays. The SO and/or SI of the designated RPS must also have in place a reasonable, effective, well-documented and regularly-tested business contingency plan addressing system functionality in the event of unforeseen interruption.
             
          6. The SO and/or SI of the designated RPS must have a thorough due diligence and management oversight process for managing its outsourcing relationships, if any, that it considers may impact the operation of its payment activities and services. The liabilities and responsibilities between the SO and/or SI of the designated RPS and its outsourcing service providers must be clearly defined.
             
          7. The SO and/or SI of the designated RPS must design its technical system for payment activities and services with sufficient capacity to enable its ongoing operations, which should be monitored periodically and upgraded on a periodic basis.
             
          8. The SO and/or SI of the designated RPS must have sufficient clearing and settlement arrangements to enable efficient, reliable and secure operation of the RPS.
             
          9. The SO and/or SI of the designated RPS must review periodically its security objectives, policies and operational services.
             
          10. The SO and/or SI of the designated RPS must develop well-defined procedures to respond to payment activity or service security-related incidents. The procedures should encompass a consistent and systematic approach in handling an incident.
             
          11. As a follow-up to each security-related incident materially affecting the Participant Persons, the SO and/or SI of the designated RPS should initiate a confidential post-incident assessment of the situation by the parties it considers appropriate having regard to the nature and the root cause of the incident, weaknesses leading to the incident and other potential vulnerabilities underlying the incident.
             

          Safety

          1. The SO and/or SI of the designated RPS must adopt appropriate and commercially reasonable technical security measures and procedural safeguards to protect the security of its system. The SO and/or SI of the designated RPS should also consider adopting international technical security standards where appropriate.
             
          2. The required measures must include the building and maintenance of a secure network, including conditions to install and maintain firewalls to protect data, and a change of vendor-supplied default system passwords and other security passwords.
             
          3. The implemented measures must protect data through the entire life cycle of a transaction, particularly on control measures to access data, procedures for storing Participant Persons’ transaction data, and disposal of Participant Persons’ transaction information after use.
             
          4. The designated RPS must use and regularly update anti-virus software to maintain secure systems and applications, and take proper measures to manage cyber security risk effectively, including the capability to keep pace with the trends of cyber attacks.
             
          5. In addition, the SO and/or SI of the designated RPS must have mechanisms which enable them to monitor on an ongoing basis attempted security breaches that may compromise its systems and data. There should be measures to control access and to regularly monitor and test the operation networks. There must be a policy that addresses information security for all related parties, such as employees and contractors.
             
          6. The SO and/or SI of the designated RPS must conduct periodic security reviews of its system. Such reviews could be performed either by the SO and/or SI of the designated RPS or, at its (or the Central Bank’s) discretion, by an independent party appointed by it.
             

          Data Security and Integrity

          1. The SO and/or SI of the designated RPS are responsible for the security and integrity of all payment data and records maintained or controlled by it. The SO and/or SI of the designated RPS should ensure that the Participant Persons have rules and procedures to safeguard the necessary confidentiality of all data and records in its control, including customer and transaction information. The SO and/or SI of the designated RPS should adopt generally accepted industry and international data security standards that it considers to be applicable to its operations.
             
          2. The SO and/or SI of the designated RPS must establish and maintain policies and procedures for the recovery of transaction data that is necessary for its daily operation in the event of system failure.
             

          Incident Reporting

          1. The SO and/or SI of the designated RPS must report to the Central Bank any incident (such as data security breaches) that may have a material and adverse impact on its operation or other Systematically Important Payment Systems in the State.
             
          2. Where action has been taken under Default Arrangements of a designated RPS by the SO and/or SI in respect of a Participant Person in the RPS, the Central Bank may direct the SO and/or SI of a designated RPS to give information relating to the default to any official nominated by the Central Bank. The nominated official is responsible for assessing and examining any matter arising out of or connected with the default of the Participant Person in that RPS. The liabilities of Participant Persons for any loss arising from the default of the Participant Person and the arrangements to handle any disputes over Participant Persons’ liability with respect to default transactions should be clearly set out in the rules and procedures.
             
        • Article (9): Compliance with Principles of Financial Market Infrastructures Requirements

          1. The Committee on Payment and Market Infrastructures (CPMI) and the Technical Committee of the International Organization of Securities Commissions (IOSCO) have set forth a set of PFMI. PFMI aims to assist central banks, market regulators, and other relevant authorities in enhancing safety and efficiency in payment, clearing, settlement, and recording arrangements, and more broadly, limiting systemic risk and fostering transparency and financial stability. Details of PFMI are available on two websites: www.bis.org and www.iosco.org.
             
          2. Another objective of PFMI is to harmonize and, where appropriate, strengthen the existing international standards and risk management practice for Financial Infrastructure Systems such as RPS that are systemically important.
             
          3. A poorly designed and operated systemically important RPS can contribute to and exacerbate systemic crises if the risks of the RPS are not adequately managed. The financial shocks, as a result, could be passed from one Participant Person to another Participant Person as well as a separate Systematically Important Payment System. The effects of such a disruption could extend well beyond the RPS and their Participant Persons, threatening the stability of domestic financial markets and the broader economy.
             
          4. Against this backdrop, the SI and/or SO should robustly manage the risks of their systemically important RPS to ensure its safety and promote financial stability. In addition, a systemically important RPS should not only be safe, but also efficient. Efficiency refers generally to the use of resources by SO and/or SI and their Participant Persons in performing their functions. A safe and efficient systemically important RPS contributes to well-functioning financial markets and the economy.
             
          5. The Central Bank requires any designated RPS to observe and comply with the relevant principles in the PFMI, in addition to the compliance with the ongoing requirements set out in Article (8) of this Regulation. Moreover, the Central Bank may consider imposing higher requirements than PFMI for the designated RPS either on the basis of specific risks posed by the RPS or as a general policy.
             
          6. The SO and/or SI must apply the relevant principles on an ongoing basis in the operation of their RPS and business, including when reviewing their own performance, assessing or proposing new services, or proposing changes to risk controls.
             
          7. In aligning this regulation with leading international practice, RPS must comply with the relevant principles set out in the following paragraphs.
             
          8. Principle 1: Legal basis – a systemically important RPS must have a well-founded, clear, transparent and enforceable legal framework, with a high degree of legal certainty, for each material aspect of its activities.
             
          9. Principle 2: Governance – a systemically important RPS must have governance arrangements that are clear and transparent, promote the safety and efficiency of the RPS, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.
             
          10. Principle 3: Framework for the comprehensive management of risks – a systemically important RPS must have a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, and other risks.
             
          11. Principle 4: Credit risk – a systemically important RPS must effectively measure, monitor, and manage its credit exposures to Participant Persons and those arising from its payment, clearing and settlement processes. The systemically important RPS must maintain sufficient financial resources to cover its credit exposures to each Participant Person fully with a high degree of confidence.
             
          12. Principle 5: Collateral – a systemically important RPS that requires collateral to manage its or its Participant Persons’ credit exposure should accept collateral with low credit, liquidity, and market risks. A systemically important RPS should also set and enforce appropriately conservative haircuts and concentration limits.
             
          13. Principle 6: Liquidity risk – a systemically important RPS must effectively measure, monitor, and manage its liquidity risk. A systemically important RPS should maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the Participant Person and its affiliates that would generate the largest aggregate liquidity obligation for the systemically important RPS in extreme but plausible market conditions.
             
          14. Principle 7: Money settlement – a systemically important RPS should conduct its money settlements in central bank money where practical and available. If central bank money is not used, a systemically important RPS should minimize and strictly control the credit and liquidity risk arising from the use of commercial bank money.
             
          15. Principle 8: Participant-default rules and procedures – a systemically important RPS must have effective and clearly defined rules and procedures to manage a Participant Person default. These rules and procedures should be designed to ensure that the systemically important RPS can take timely action to contain losses and liquidity pressures and continue to meet its obligations.
             
          16. Principle 9: General business risk – a systemically important RPS must identify, monitor, and manage its general business risk and hold sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialize. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations and services.
             
          17. Principle 10: Operational risk – a systemically important RPS must identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systemically important RPS should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the systemically important RPS’s obligations, including in the event of a wide-scale or major disruption.
             
          18. Principle 11: Access and participation requirements – a systemically important RPS should have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access.
             
          19. Principle 12: Tiered participation arrangements – a systemically important RPS should identify, monitor, and manage the material risks to the systemically important RPS arising from tiered participation arrangements.
             
          20. Principle 13: Financial market infrastructure links – a systemically important RPS that establishes a link with one or more FMIs should identify, monitor, and manage link-related risks.
             
          21. Principle 14: Efficiency and effectiveness – a systemically important RPS should be efficient and effective in meeting the requirements of its Participant Persons and the markets it serves.
             
          22. Principle 15: Communication procedures and standards – a systemically important RPS should use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards in order to facilitate efficient payment, clearing, settlement, and recording.
             
          23. Principle 16: Disclosure of rules, key procedures, and market data – a systemically important RPS must have clear and comprehensive rules and procedures and must provide sufficient information to enable Participant Persons to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the systemically important RPS. All relevant rules and key procedures should be adequately disclosed.
             
        • Article (10): Enforcement and Sanctions

          1. Violation of any provision of this Regulation or committing any of the violations provided for under the Central Bank Law may subject SI and/or SO to administrative and financial sanctions and penalties as deemed appropriate by the Central Bank.

        • Article (11): Appeal Mechanism

          1. For the purposes of this Regulation, the relevant Central Bank decisions that may be subject to appeal before the Grievances & Appeals Committee include:
             
            1. 1.1. licensing and designation of RPS;
               
            2. 1.2. revocation of License and designation of RPS; and
               
            3. 1.3. any Central Bank actions undertaken against a violating Person.
               
          2. Under the Regulation, any Person aggrieved by any of the decisions set out in paragraph 1 of this Article may refer the decision to the Grievances & Appeals Committee in writing for review.
             
          3. Any person who intends to refer any of the relevant decisions of the Central Bank to the Grievances & Appeals Committee is required to do so in writing to the Central Bank stating the grounds on which the review is sought.
             
        • Article (12): Transition Period

          1. A one-year transitional period will commence on the date the Regulation comes into force. System Operators and Settlement Institutions of existing RPS operating in the State may continue operating throughout the transitional period without being regarded as contravening this Regulation. Nevertheless, they are required to obtain a license from the Central Bank to operate their RPS before the expiration of the transition period.

          2. If the Central Bank considers that a Financial Infrastructure System fulfills the criteria for designation as provided for under the Central Bank Law, the Central Bank shall have the power to require any such system to obtain a license within a reasonable period to be determined by the Central Bank prior to the expiration of the transition period.

        • Article (13): Interpretation of Regulation

          1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

        • Article (14): Publication & Application

          1. This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication. In case of any discrepancy between the Arabic and the English, the Arabic version will prevail.

        • Annex A

          Information or documents that may be requested for licensing of RPS operating in the State under this Regulation

          1. Name of clearing and settlement system to which the designated RPS relates.
             
          2. Name of SO / SI.
             
          3. Legal form (body corporate, partnership, etc.).
             
          4. Country of incorporation or formation.
             
          5. Date of incorporation or formation.
             
          6. Registered office.
             
          7. Principal place of business.
             
          8. Contact details (names, physical and email addresses).
             
          9. Aspects of the management or operations of the system for which the entity is responsible.
             
          10. Organization chart of your company.
             
          11. A copy of the Operating Rules of the Payment System.
             
          12. Details of the type of activities and/or services offered by the RPS.
             
          13. Details of the constitution, structure, nature of business, ownership and management of the RPS, the SO and the SI.
             
          14. Details of the design and function and external system interfaces of the RPS, including details specifying the point at which a Transfer Order takes effect as having been entered into the RPS and of the point after which a Transfer Order may not be revoked by a Participant Person or any other party.
             
          15. A copy of the last three annual reports, if any, and the financial statements (with any auditor’s reports) for the current financial year of the RPS, the SO and/or the SI.
             
          16. The basis for membership of or participation in the RPS System (i.e. admission criteria) and a list of the current members of or Participant Persons in the RPS.
             
          17. Tariff information and schedule.
             
          18. Names of the SO and/or SI, if any, of the RPS and whether the SO and/or SI are also Participant Persons in the RPS under the Operating Rules of the System. Legal contracts or documents between the SO and/or the SI in relation to the RPS (for instance, documents which show the co-operation between the SO and/or SI, such as MoUs between them on data security, and the functional specifications of the linkages between the computer systems and networks between them that make the system work).
             
          19. Name and contact details of the Person to whom questions relating to the designation of the RPS should be directed.
             
        • Annex B

          Information or documents that may be requested under this Regulation

          1. A copy of the Operating Rules of the Payment System.
             
          2. Details of the type of activities and/or services offered by the RPS.
             
          3. Details of the constitution, structure, nature of business, ownership and management of the RPS, the SO and the SI.
             
          4. Details of the design and function and external system interfaces of the RPS, including details specifying the point at which a Transfer Order takes effect as having been entered into the RPS and of the point after which a Transfer Order may not be revoked by a Participant Person or any other party.
             
          5. A copy of the last three annual reports, if any, and the financial statements (with any auditor’s reports) for the current financial year of the RPS, the SO and/or the SI.
             
          6. The basis for membership of or participation in the RPS System (i.e. admission criteria) and a list of the current members of or Participant Persons in the RPS.
             
          7. Tariff information and schedule.
             
          8. Names of the SO and/or SI, if any, of the RPS and whether the SO and/or SI are also Participant Persons in the RPS under the Operating Rules of the System. Legal contracts or documents between the SO and/or the SI in relation to the RPS (for instance, documents which show the co-operation between the SO and/or SI, such as MoUs between them on data security, and the functional specifications of the linkages between the computer systems and networks between them that make the system work).
             
          9. Details of the types, volume and values of Transfer Orders processed by the RPS.
             
          10. Detailed business contingency plan.
             
          11. Name and contact details of the Person to whom questions relating to the designation of the RPS should be directed.
             

          For overseas systems, the following additional information may be required:

          1. Name of each of the relevant regulators where the RPS is regulated by one or more regulatory authorities not within the State jurisdiction.
             
          2. An outline of any laws and other regulatory requirements relating to the operations of the RPS, if regulated by a regulatory authority not within the State jurisdiction.
             
          3. Evidence of the RPS’ compliance with any applicable laws and regulatory requirements of a jurisdiction outside the State, which may include comments from the home supervisory authority on the RPS’s compliance with any applicable laws and regulatory requirements of a jurisdiction outside the State.
             
      • Retail Payment Services and Card Schemes Regulation

        C 15/2021 Effective from 6/6/2021
        • Large Value Payment Systems Regulation

          C 9/2020 Effective from 10/2/2021
          • Introduction

            The Regulation (‘RPSCS Regulation’) lays down the rules and conditions established by the Central Bank for granting a License for the provision of Retail Payment Services. The Retail Payment Services are digital payment services in the State and comprise nine categories, namely Payment Account Issuance Services, Payment Instrument Issuance Services, Merchant Acquiring Services, Payment Aggregation Services, Domestic and Cross-border Fund Transfer Services, Payment Token Services, Payment Initiation Services and Payment Account Information Services. It also requires Card Schemes to obtain a License from the Central Bank and sets out the conditions for granting such License as well as the ongoing obligations of Card Schemes. The Central Bank has furthermore been given the right to receive information on the fees and charges of Card Schemes, and regulate such fees and charges if the Central Bank considers it appropriate. In addition, proper contractual arrangements are required between Banks or other Payment Service Providers providing Payment Account Issuance Services, on one hand, and Payment Service Providers providing Payment Initiation and Payment Account Information Services, on the other hand. Payment Service Providers wishing to participate in wages distribution and be given access to the Wages Protection System are subject to a set of on-going requirements.

            The Central Bank Law requires the provision of money transfer services, electronic retail payments, and digital money services to be subject to a licensing regime administered by the Central Bank and provides the statutory basis for the powers of the Central Bank in relation to the licensing and ongoing supervision of Payment Service Providers and Card Schemes.

            • Introduction

              Robust Financial Infrastructure Systems are essential to monetary and financial stability, the smooth and efficient operation of the financial system, and the effectiveness of international financial centers. Against this backdrop, the policy objective of the Central Bank is to promote and ensure the safety and efficiency of Financial Infrastructure Systems in the UAE. For the purpose of this Regulation, the regulatory focus is on Large-value Payment Systems (LVPS) which are Financial Infrastructure Systems that support the financial and wholesale activities in the State.

              The Regulation covers the licensing requirements in relation to LVPS as well as the obligations and ongoing requirements in relation to a designated LVPS.

              The Central Bank Law expressly sets out the powers of the Central Bank in relation to the licensing, designation, oversight and enforcement of Financial Infrastructure Systems that are systemically important, including LVPS.

              The Central Bank Law also considers finality of payment and settlement to all transactions conducted through Financial Infrastructure Systems, that meet one of the designation conditions provided for in Article (126) (2) of the Central Bank Law.

            • Scope and Objectives

              This Regulation sets out the requirements concerning:

              • conditions for granting and maintaining a License for the provision of Retail Payment Services;
                 
              • rights and obligations of Retail Payment Service Users and Payment Service Providers;
                 
              • proper contractual arrangements allowing Payment Service Providers providing Payment Initiation and Payment Account Information Services to access Payment Accounts held with Banks and other Payment Service Providers providing Payment Account Issuance Services;
                 
              • conditions for granting a License to Card Schemes;
                 
              • conditions for participating in and obtaining access to the Wages Protection System;
                 
              • powers of the Central Bank with regard to the supervision of Payment Service Providers and the on-going reporting requirements for Card Schemes.
                 

              In exercising its powers and functions under this Regulation, the Central Bank has regard to the following objectives:

              • ensuring the safety, soundness and efficiency of Retail Payment Services;
                 
              • adoption of effective and risk-based licensing requirements for Payment Service Providers;
                 
              • promoting the reliability and efficiency of Card Schemes as well as public confidence in Card-based Payment Transactions;
                 
              • promoting innovation and creating a level playing field for market participants; and
                 
              • reinforcing the UAE’s status as a leading payment hub in the region.
                 
              • Objectives and Scope

                The objective of this Regulation is to ensure safety and efficiency of Financial Infrastructure Systems in the UAE and promote efficient and smooth operations thereof.

                This Regulation applies to LVPS that are operated in the State, or accept the clearing or settlement of Transfer Orders denominated in the Currency both in the State or outside the State, in compliance with the provisions of the Central Bank Law, including Article 28 thereof. With respect to designated LVPS, this Regulation also requires compliance with the relevant provisions of the PFMI relating to the obligations of central banks, market regulators and relevant authorities for financial market infrastructures to cooperate with each other, domestically and internationally, as appropriate, in order to promote the safety and efficiency of financial market infrastructures.

                The provisions of this Regulation shall not apply to Financial Free Zones and to LVPS operating therein unless expressly provided hereunder.

              • Exclusions

                This Regulation shall not apply to the following:

                1. Payment Transactions involving Stored Value Facilities;
                   
                2. Transactions involving Commodity or Security Tokens;
                   
                3. Transactions involving Virtual Asset Tokens;
                   
                4. Payment Transactions involving Remittances;
                   
                5. Currency exchange operations where the funds are not held on a Payment Account;
                   
                6. Any service other than Payment Initiation and Payment Account Information Service, including (but not limited to) any of the following:
                   
                  6.1. services, provided by any technical service provider that supports the provision of any payment service, but does not at any time enter into possession of any money under that payment service;

                  6.2. the service of processing or storing data;

                  6.3. any information technology security, trust or privacy protection service;

                  6.4. any data or entity authentication service;

                  6.5. any information technology service;

                  6.6. the service of providing a communication network; and

                  6.7. the service of providing and maintaining any terminal or device used for any payment service.
                     
                7. Payment Transactions carried out within a payment system or securities settlement system between Payment Service Providers and settlement agents, central counterparties, clearing houses, central banks or other participants in such system including central securities depositories;
                   
                8. Payment Transactions and related services between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking, without any intermediary intervention by a Payment Service Provider other than an undertaking belonging to the same group; and
                   
                9. Any other relevant activity that may be designated by the Central Bank.
                   
                • Article (1): Definitions

                  1. Central Bank: means the Central Bank of the United Arab Emirates.
                     
                  2. Central Bank Law: means Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments from time to time.
                     
                  3. Clearing: means the process of transmitting, reconciling and, in some cases, confirming transactions prior to settlement, potentially including the Netting of transactions and the establishment of final positions for settlement.
                     
                  4. Clearing and Settlement System: means a system established for (a) the clearing or settlement of payment obligations; or (b) the clearing or settlement of obligations for the transfer of book-entry securities, or the transfer of such securities.
                     
                  5. Currency: means the State’s official national currency notes and coins, which unit is referred to as the “Dirham”.
                     
                  6. Default Arrangements: in respect of a Financial Infrastructure System, means the arrangements in place within the system for limiting systemic and other types of risk in the event of a Participant Person appearing to be, or likely to become, unable to meet his obligations in respect of a Transfer Order; and would include any arrangements that have been enforced by the System Operator or Settlement Institution for the following: (1) the Netting of obligations owed to or by a Participant Person; (2) the closing out of open financial position of a Participant Person; or (3) the realization of collateral securities to secure payment of obligations owed by the Participant Person.
                     
                  7. Designated System: means any Financial Infrastructure System designated by the Central Bank as systemically important, in accordance with the provisions of the Central Bank Law and this Regulation.
                     
                  8. Financial Free Zones (FFZ): means free zones subject to the provisions of Federal Law No 8 of 2004, regarding Financial Free Zones, and amending laws.
                     
                  9. Financial Infrastructure System: means either (1) a Clearing and Settlement System or (2) a Retail Payment System, established, operated, licensed, or overseen by any of the Regulatory Authorities in the State.
                     
                  10. Grievances & Appeals Committee: means the Committee referred to in Article (136) of the Central Bank Law.
                     
                  11. Large-value Payment System (LVPS): means a Clearing and Settlement System that is designed primarily to process large-value and/or wholesale payments typically among financial market participants (so-called wholesale payments) or involving money market, foreign exchange or many commercial transactions, excluding bilateral clearing and settlement arrangements and relationships which do not constitute a “system”.
                     
                  12. License: means a License issued by the Central Bank to an SO and/or SI to operate an LVPS in the State. The License shall be valid for a period of five years, unless it is suspended or revoked by the Central Bank.
                     
                  13. Netting: in respect of a Clearing and Settlement System, means the conversion of the various obligations owed to or by a Participant Person towards all the other Participant Persons in the system, into one net obligation owed to or by the Participant Person.
                     
                  14. Operating Rules: means rules set up by the System Operator to cover the operation of a Financial Infrastructure System including, but not limited to, Participant Person account opening and maintenance, contractual relationships with and among Participant Persons, Default Arrangements, payment and settlement processing, Netting and collateral arrangements, authorization and post-transaction processes.
                     
                  15. Participant Person: in respect of a Financial Infrastructure System, means a Person who is party to or participant of the arrangements for which the system has been established.
                     
                  16. Person: means a natural or juridical person, as the case may be.
                     
                  17. Principles of Financial Market Infrastructures (PFMI): means the international standards for financial market infrastructures (i.e. payment systems, central securities depositories, securities settlement systems, central counterparties and trade repositories) issued by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO). The PFMI are part of a set of 12 key standards that the international community considers essential to strengthening and preserving financial stability.
                     
                  18. Regulation: means the Large-value Payment Systems Regulation.
                     
                  19. Regulatory Authorities: means the Central Bank and the Securities & Commodities Authority.
                     
                  20. Retail Payment System: means any fund transfer system and related instruments, mechanism, and arrangements that typically handles a large volume of relatively low-value payments in such forms as cheques, credit transfers, direct debit, or card payment transactions.
                     
                  21. Settlement Institution (SI): means an institution that provides settlement services to a Financial Infrastructure System, settlement accounts in one currency or multi-currency in the Financial Infrastructure System and in certain cases, grants access to intraday liquidity to Participant Persons.
                     
                  22. State: means the United Arab Emirates.
                     
                  23. System Operator (SO): means a Person responsible for the operation of a Financial Infrastructure System including the comprehensive management of all risks in the Financial Infrastructure System, and ensuring that the operation of the system is in accordance with this Regulation and other relevant regulations issued by the Central Bank.
                     
                  24. Systemically Important Financial Infrastructure System: a Financial Infrastructure System which has the potential to trigger or transmit systemic disruptions to the State’s monetary and financial stability; this includes, among other things, systems that are the sole Financial Infrastructure System in a jurisdiction or the principal system in terms of the aggregate value of payments, and systems that mainly handle time-critical, high-value payments or settle payments used to effect settlement in other Financial Infrastructure Systems.
                     
                  25. Transfer Order: in respect of a Financial Infrastructure System, means any of the following instructions: (1) instructions by a Participant Person to make funds available to another Participant Person to be transferred, on a book-entry basis, in the accounts of the SI for a Clearing and Settlement System; or (2) instructions for discharge from obligation to pay, for the purposes of the Operating Rules of a Clearing and Settlement Systems; or (3) instructions by a Participant Person to either settle an obligation by transferring a book-entry security, or transferring those securities; or (4) instructions by a Participant Person that result in liability or discharge of retail operations payment obligation.
                • Article (1): Definitions

                  1. Agent: means a juridical Person providing Retail Payment Services on behalf of a Payment Service Provider.
                     
                  2. AML/CFT: means Anti-Money Laundering and Combating the Financing of Terrorism.
                     
                  3. AML Law: means Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations and Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as may be amended from time to time, and any instructions, guidelines and notices issued by the Central Bank relating to their implementation or issued in this regard.
                     
                  4. Annex I: means the list of Retail Payment Services that a Payment Service Provider may provide subject to the requirements of this Regulation.
                     
                  5. Annex II: means the Guidance on the best practices for technology risk and information security.
                     
                  6. Annex III: means the minimum level of information to be reported by Card Schemes to the Central Bank.
                     
                  7. Applicant: means a juridical Person duly incorporated in the State in accordance with Federal Law No. 2 of 2015 on Commercial Companies and as provided for under Article (74) of the Central Bank Law, which files an Application with the Central Bank for the granting of a License for the provision of one or more Retail Payment Services, operation of a Card Scheme or the modification of the scope of a granted License.
                     
                  8. Application: means a written request for obtaining a License for the provision of one or more Retail Payment Services submitted by an Applicant which contains the information and documents specified in this Regulation or by the Central Bank, and is in the form specified by the Central Bank’s Licensing Division, including a written request for obtaining a modification to the scope of a granted License.
                     
                  9. Auditor: means an independent juridical Person that has been appointed to audit the accounts and financial statements of a Payment Service Provider in accordance with Article (10) (7).
                     
                  10. Bank: any juridical person licensed in accordance with the provisions of the Central Bank Law, to primarily carry on the activity of taking deposits, and any other Licensed Financial Activities.
                     
                  11. Beneficial Owner: means the natural person who owns or exercises effective ultimate control, directly or indirectly, over a Retail Payment Service User (client) or the natural person on whose behalf a transaction is being conducted or, the natural person who exercises effective ultimate control over a legal person or legal arrangement.
                     
                  12. Branded: means having any digital name, term, sign, logo, symbol or combination thereof that is capable of differentiating the Card Scheme under which Payment Transactions are executed.
                     
                  13. Board: means the board of directors of an Applicant, Payment Service Provider or a Card Scheme in accordance with applicable corporate law.
                     
                  14. Business Day: means a day other than Friday, Saturday, public holiday or other non-working holiday or day in the State.
                     
                  15. Card-based Payment Transactions: means a service based on a Card Scheme's infrastructure and business rules to make Payment Transactions by means of any card, telecommunication, digital or IT device or software if this results in a debit or a credit card transaction.
                     
                  16. Card Issuer: means a category of Payment Service Provider providing a Payer with a Payment Instrument to initiate and process the Payer’s Card-based Payment Transactions.
                     
                  17. Cardholder: means a Person who holds a Payment Instrument, physical or otherwise, issued by a Card Issuer based on a contract for the provision of an electronic payment instrument.
                     
                  18. Card Scheme: means a single set of rules, practices and standards that enable a holder of a Payment Instrument to effect the execution of Card-based Payment Transactions within the State which is separated from any infrastructure of payment system that supports its operation, and includes the Card Scheme Governing Body. For the avoidance of doubt, a Card Scheme may be operated by a private or Public Sector Entity.
                     
                  19. Card Scheme License: means a License for operating as a Card Scheme, as referred to in Article (18).
                     
                  20. Card Scheme Governing Body: means the juridical Person responsible and/or accountable for the functioning and operation of a Card Scheme.
                     
                  21. Category I License: means a License for the provision of the Retail Payment Services referred to in Article (3) (2).
                     
                  22. Category II License: means a License for the provision of the Retail Payment Services referred to in Article (3) (3).

                  23. Category III License: means a License for the provision of the Retail Payment Services referred to in Article (3) (4).

                  24. Category IV License: means a License for the provision of the Retail Payment Services referred to in Article (3) (5).
                     
                  25. Central Bank: means the Central Bank of the United Arab Emirates.
                     
                  26. Central Bank Law: means the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Financial Institutions and Services, as may be amended or substituted from time to time.
                     
                  27. Co-Branded: means having the inclusion of at least one payment brand and one non-payment brand on the same Payment Instrument.
                     
                  28. Controller: means a natural or juridical Person that alone or together with the Person’s associates has an interest in at least 20% of the shares in a Payment Service Provider or is in a position to control at least 20% of the votes in a Payment Service Provider.
                     
                  29. Commodity Token: means a type of Crypto-Asset that grants its holder access to a current or prospective product or service, and is only accepted by the issuer of that token. A Commodity Token can also be referred to as a utility token.
                     
                  30. Complaint: means an expression of dissatisfaction by a consumer with a product, service, policy, procedure or actions by the licensed financial institution that is presented to an Employee of the licensed financial institution in writing or verbally.
                     
                  31. Cross-Border Fund Transfer Service: means a Retail Payment Service for the transfer of funds in which the Payment Service Providers of the Payer and the Payee are located in different jurisdictions/countries.
                     
                  32. Crypto-Assets: means cryptographically secured digital representations of value or contractual rights that use a form of Distributed Ledger Technology and can be transferred, stored or traded electronically.
                     
                  33. Customer Due Diligence or CDD: means the process of identifying or verifying the information of a Retail Payment Service User or Beneficial Owner, whether a natural or legal person or a legal arrangement, and the nature of its activity and the purpose of the business relationship and the ownership structure and control over it.
                     
                  34. Custodian Services: means the safekeeping or controlling, on behalf of third parties, of Payment Tokens, the means of access to such tokens, where applicable in the form of private cryptographic keys.
                     
                  35. Data Breach: means an intrusion into an IT system where unauthorized disclosure or theft, modification or destruction of Cardholder or Retail Payment Service User data is suspected and such is likely to result in a loss for the Cardholder or Retail Payment Service User.
                     
                  36. Data Subject: means an identified or identifiable natural Person who is the subject of Personal Data.
                     
                  37. Digital Money Services: means, for the purposes of this Regulation, the business activity related to the provision of Payment Token Services.
                     
                  38. Distributed Ledger Technology: means a class of technologies that supports the distributed recording of encrypted data across a network and which is a type of decentralized database of which there are multiple identical copies distributed among multiple participants and accessible across different sites and locations, and which are updated in a synchronized manner by consensus of the participants, eliminating the need for a central authority or intermediary to process, validate or authenticate transactions or other types of data exchanges.
                     
                  39. Domestic Fund Transfer Service: means the Retail Payment Service of accepting money for the purpose of executing, or arranging for the execution of Payment Transactions between a Payer in the State and a Payee in the State.
                     
                  40. Electronic Payment Service: means any and each of the Retail Payment Services listed in points (1) to (4) and (8) to (9) of Annex I.
                     
                  41. Employer: means a Person using the Wages Protection System for the payment of wages.
                     
                  42. Exchange House: means an exchange business that has been licensed under the Regulations re Licensing and Monitoring of Exchange Business.
                     
                  43. Exempted Person: means any Person who is exempted from the requirement to hold a License as per Article (2) of this Regulation.
                     
                  44. Facilitating the Exchange of Payment Tokens: means a Retail Payment Service related to establishing or operating a Payment Token exchange, in a case where the person that establishes or operates that exchange, for the purposes of an offer or invitation made or to be made on that Payment Token exchange, to buy or sell any Payment Token in exchange for Fiat Currency or Payment Token, whether of the same or a different type, comes into possession of any Fiat Currency or Payment Token, whether at the time that offer or invitation is made or otherwise.
                     
                  45. FATF: an inter-government body which sets international standards that aim to prevent global money laundering and terrorist financing activities.
                     
                  46. Fiat Currency: means a currency that is controlled by the respective central bank, has the status of legal tender and is required to be accepted within a given jurisdiction.
                     
                  47. Financial Free Zones: means free zones subject to the provisions of Federal Law No (8) of 2004, regarding Financial Free Zones, as may be amended or supplemented from time to time.
                     
                  48. Four Party Card Scheme: means a Card Scheme in which Card-based Payment Transactions are made from the payment account of a Payer to the payment account of a payee through the intermediation of the scheme, an issuer (on the payer’s side) and an acquirer (on the Payee’s side).
                     
                  49. Framework Agreement: means a payment service agreement for the provision of Retail Payment Services which governs the future execution of individual and successive Payment Transactions and which may contain the terms and conditions for opening a Payment Account.
                     
                  50. Group: means a corporate group which consists of a parent entity and its subsidiaries, and the entities in which the parent entity or its subsidiaries hold, directly or indirectly, 5% or more of the shares, or are otherwise linked by a joint venture relationship.
                     
                  51. Legal Form: means the legal form of Applicants established in accordance with Article (74) of the Central Bank Law.
                     
                  52. Level 2 Acts: means any written act that may be adopted or issued by the Central Bank complementing the implementation of this Regulation, such as, without being limited to, rules, directives, decisions, instructions, notices, circulars, standards, and rulebooks.
                     
                  53. License: means a License issued by the Central Bank to an Applicant to provide Retail Payment Services or operate a Card Scheme in the State. The License is valid unless it is withdrawn, suspended or revoked by the Central Bank.
                     
                  54. Licensed Financial Activities: means the financial activities subject to Central Bank licensing and supervision, which are specified in Article (65) of the Central Bank Law.
                     
                  55. Major Regulatory Requirement: means any requirement of this Regulation or Level 2 Acts the violation of which is capable of compromising and/or negatively affecting the attainment of the Central Bank’s objectives pursued under this Regulation, as determined at the discretion of the Central Bank.
                     
                  56. Management: means the Applicant, Payment Service Provider, Agent and Card Scheme’s senior officers that are involved in the daily management, supervision and control of the business services of the entity, typically including the chief executive officer, his or her alternate(s) and each person directly reporting to that officer. The chief executive officer and his or her alternate(s) shall be natural persons who are ordinarily residing in the State whereas the remaining members of Management shall be based in the State unless the Central Bank allows otherwise.
                     
                  57. Means of Distance Communication: means a method which may be used for the conclusion of a payment services agreement without the simultaneous physical presence of the Payment Service Provider and the Retail Payment Service User.
                     
                  58. Merchant: means a Person who accepts Payment Instruments as a mode of payment for the purchase and sale of goods and services.
                     
                  59. Merchant Acquirer: means a category of Payment Service Provider providing Merchant Acquiring Services.
                     
                  60. Merchant Acquiring Service: means a Retail Payment Service provided by a Payment Service Provider contracting with a Payee to accept and process Payment Transactions, which results in a transfer of funds to the Payee.
                     
                  61. Money Transfer Services: means the Domestic and Cross-border Fund Transfers Services, excluding Remittances.
                     
                  62. Money’s Worth: means value added onto an SVF by the customer; value received on the customer’s SVF account; and value redeemed by the customer including not only “money” in the primary sense but also other forms of monetary consideration or assets such as values, reward points, Crypto-Assets, or Virtual Assets. For example, a value top-up of an SVF account may take the form of values, reward points, Crypto-Assets, or Virtual Assets earned by the SVF customer from making purchases of goods and services. Similarly, value received on the account of the SVF customer may take the form of an on-line transfer of value, reward points, Crypto-Assets, or Virtual Assets between fellow SVF customers.
                     
                  63. Payment Account: means an account with a Payment Service Provider held in the name of at least one Retail Payment Service User which is used for the execution of Payment Transactions.
                     
                  64. Payment Account Information Service: means a Retail Payment Service to provide consolidated information on one or more Payment Accounts held by a Retail Payment Service User with either another Payment Service Provider or with more than one Payment Service Providers. For the avoidance of doubt, the Payment Account Information Service does not involve the holding of Retail Payment Service User’s funds at any time.
                     
                  65. Payment Account Issuance Service: means a Retail Payment Service, other than Domestic and Cross-border Fund Transfer Services, enabling (i) the opening of a Payment Account; (ii) cash to be placed on a Payment Account; (iii) cash to be withdrawn from a Payment Account; and (iv) all necessary operations for operating a Payment Account. The Payment Account is only used for holding fund/cash in transit and not allowed to store and maintain fund/cash.
                     
                  66. Payment Aggregation Service: means a Retail Payment Service facilitating e-commerce websites and Merchants to accept various Payment Instruments from the Retail Payment Service Users for completion of their payment obligations without the need for Merchants to create a separate payment integration system of their own. Payment aggregation facilitates Merchants to connect with Merchant acquirers; in the process, they receive payments from Retail Payment Service Users, pool and transfer them on to the Merchants after a time period.
                     
                  67. Payment Data: means any information related to a Retail Payment Service User, including financial data and excluding Personal Data.
                     
                  68. Payment Initiation Service: means a Retail Payment Service to initiate a Payment Order at the request of the Retail Payment Service User with respect to a Payment Account held at another Payment Service Provider. For the avoidance of doubt, the Payment Initiation Service does not involve the holding and maintenance of Payer’s funds at any time.
                     
                  69. Payment Instrument: means a personalized device(s), a payment card and/or set of procedures agreed between the Retail Payment Service User and the Payment Service Provider, and used in order to initiate a Payment Order.
                     
                  70. Payment Instrument Issuance Service: means a Retail Payment Service related to the provision of a Payment Instrument to a Retail Payment Service User which enables it to initiate Payment Orders as well as the Processing of the Retail Payment Service User’s Payment Transactions.
                     
                  71. Payment Service Provider: means a legal Person that has been licensed in accordance with this Regulation to provide one or more Retail Payment Services and has been included in the Register as per Article (73) of the Central Bank Law.
                     
                  72. Payment Token Issuing: means a Retail Payment Service related to the issuing of Payment Tokens by a Payment Service Provider. For the avoidance of doubt, Payment Tokens may not be offered to the public or segments thereof unless the Payment Service Provider issuing the Payment Tokens has obtained a Category I License, drafted a White Paper in respect of those Payment Tokens and received an approval by the Central Bank prior to offering such tokens to the public.
                     
                  73. Payment Token: means a type of Crypto-Asset that is backed by one or more Fiat Currencies, can be digitally traded and functions as (i) a medium of exchange; and/or (ii) a unit of account; and/or (iii) a store of value, but does not have legal tender status in any jurisdiction. A Payment Token is neither issued nor guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the Payment Token. For the avoidance of doubt, a Payment Token does not represent any equity or debt claim.
                     
                  74. Payment Token Buying: means the buying of Payment Tokens in exchange for any Fiat Currency or Payment Token.
                     
                  75. Payment Token Selling: means the selling of Payment Tokens in exchange for any Fiat Currency or Payment Token.
                     
                  76. Payment Token Services: means the Retail Payment Services consisting of any of the following activities related to Payment Tokens: (i) Payment Token Issuing; (ii) Payment Token Buying; (iii) Payment Token Selling; (iv) Facilitating the Exchange of Payment Tokens; (v) enabling payments to Merchants and/or enabling peer-to-peer payments; and (vi) Custodian Services. For the avoidance of doubt, a Payment Service Provider may provide only one of the Retail Payment Services referred to in points (v) and (vi); if it wishes to provide both and allows Retail Payment Service Users to redeem the Payment Tokens with any Fiat Currency under a contractual arrangement, it must comply with the respective SVF requirements.
                     
                  77. Payment Transaction: means an act initiated by the Payer or on his behalf or by the Payee of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the Payer and the Payee.
                     
                  78. Payee: means a Person who is the intended recipient of funds which have been the subject of a Payment Transaction.
                     
                  79. Payer: means a Person who holds a Payment Account and allows a Payment Order from that Payment Account, or, where there is no Payment Account, a Person who gives a Payment Order.
                     
                  80. Person: means any natural or legal Person.
                     
                  81. Personal Data: means any information which is related to an identified or identifiable natural Person.
                     
                  82. Processing: means Payment Transaction processing necessary for the handling of an instruction, including clearing and settlement, between the Merchant Acquirer and the Card Issuer.
                     
                  83. Promotion: means any form of communication, by any means, aimed at inviting or offering to enter into an agreement related to any Retail Payment Service. For the avoidance of doubt, any Person that has been mandated to provide or engage in Promotion activities by a Person providing Retail Payment Services without holding a License shall not be held liable under this Regulation.
                     
                  84. Public Sector Entity: means the Federal Government, Governments of the Union’s member Emirates, public institutions and organizations.
                     
                  85. Register: means the Register referred to in Article (73) of the Central Bank Law.
                     
                  86. Regulation: means the Retail Payment Services and Card Schemes Regulation.
                     
                  87. Remittance: means the receipt of funds from a Payer without any Payment Accounts being created in the name of the Payer or the Payee.
                     
                  88. Reserve of Assets: means the pool of Fiat Currencies that are legal tender backing the value of a Payment Token.
                     
                  89. Retail Payment Service: means any business activity set out in Annex I.
                     
                  90. Retail Payment Service User: means a Person who intends to make use of or makes use of a Retail Payment Service in the capacity of a Payer, Payee or both.
                     
                  91. Sensitive Payment Data: means data, including personalized security credentials which can be used to carry out unauthorized activities. For the purposes of Payment Initiation and Payment Account Information Services, the name of the Payment Account owner and Payment Account number shall not constitute Sensitive Payment Data.
                     
                  92. Single Retail Payment Agreement: means an agreement which governs the execution of an individual Payment Transaction.
                     
                  93. State: means the United Arab Emirates.
                     
                  94. Security Token: means a type of Crypto-Asset that provides its holder with rights and obligations that represent a debt or equity claim against the issuer of that token.
                     
                  95. Stored Value Facility or SVF: means a facility (other than cash) for or in relation to which a Customer, or another person on the Customer’s behalf, pays a sum of money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets), whether in whole or in part, on the facility; and (b) the “Relevant Undertaking”. SVF includes Device-based Stored Value Facility and Non-device based Stored Value Facility.
                     
                  96. Third country: means a country other than the UAE.
                     
                  97. Three Party Card Scheme: means a Card Scheme in which the scheme itself provides Merchant Acquiring and Payment Instrument Issuing Services and Card-based Payment Transactions are made from the Payment Account of a Payer to the Payment Account of a Payee within the Card Scheme. When a Three Party Card Scheme licenses other Payment Service Providers for the issuance of Card-based Payment Instruments or the Merchant Acquiring of Card-based Payment Transactions, or both, or issues Card-based Payment Instruments with a co-branding partner or through an agent, it is considered to be a Four Party Card Scheme.
                     
                  98. UAE: means the United Arab Emirates.
                     
                  99. Unauthorized Payment Transaction: means a Payment Transaction for the execution of which the Payer has not given consent. Consent to execute a Payment Transaction or a series of Payment Transactions shall be given in the form agreed between the Payer and the Payment Service Provider. Consent to execute a Payment Transaction may also be given via the Payee or the Payment Initiation Service Provider.
                     
                  100. Virtual Assets: A Virtual Asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual Assets do not include digital representations of Fiat Currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.
                     
                  101. Virtual Assets Service Providers: Virtual Asset Service Provider means any natural or legal person who is not covered elsewhere under the FATF Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: (i) exchange between Virtual Assets and Fiat Currencies; (ii) exchange between one or more forms of Virtual Assets; (iii) transfer of Virtual Assets; (iv) safekeeping and/or administration of Virtual Assets or instruments enabling control over Virtual Assets; and (v) participation in and provision of financial services related to an issuer’s offer and/or sale of a Virtual Asset.
                     
                  102. Virtual Asset Token: means a type of Crypto-Asset that can be digitally traded and functions as (i) a unit of account; and/or (ii) a store of value. Although some Virtual Asset Tokens may be accepted as a means of payment, they are generally not accepted as a medium of exchange, may not have an issuer and do not have legal tender status in any jurisdiction. A Virtual Asset Token is neither issued nor guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the Virtual Asset Token. For the avoidance of doubt, a Virtual Asset Token does not represent any equity or debt claim, and it is not backed by any Fiat Currency.
                     
                  103. Virtual Asset Token Services: means any of the following services: (i) enabling peer-to-peer Virtual Asset Token transfers, and (ii) custodian services of Virtual Asset Tokens.
                     
                  104. Wages Protection System or WPS: means a reconciliation system implemented at the Central Bank aimed at providing a safe, secure, efficient and robust mechanism for streamlining the timely and efficient payment of wages.
                     
                  105. Wire Transfer: means any transaction carried out on behalf of an originator through a financial institution by electronic means with a view to making an amount of funds available to a beneficiary person at a beneficiary financial institution, irrespective of whether the originator and the beneficiary are the same person.
                     
                  106. WPS Payment Account: means a WPS account opened in the infrastructure of the Central Bank and held for the purposes of holding and payment of wages.
                     
                  107. WPS Payment Account Holder: means a holder of a Payment Account held with a Payment Service Provider who has been given access to the Wages Protection System for the purpose of executing transfers of wages.
                     
                  108. White Paper: means a detailed description in Arabic and English of: (i) the Payment Service Provider issuing a Payment Token and a presentation of the main participants involved in the project’s design and development; (ii) a detailed description of the project and the type of Payment Token that will be offered to the public; (iii) the number of Payment Tokens that will be issued and the issue price; (iv) a detailed description of the rights and obligations attached to the Payment Token and the procedures and conditions for exercising those rights; (v) information on the underlying technology and standards applied by the Payment Service Provider issuing the Payment Token allowing for the holding, storing and transfer of those Payment Tokens; (vi) a detailed description of the risks relating to the Payment Service Provider issuing Payment Tokens, the Payment Tokens, the offer to the public and the implementation of the project, and other disclosures that the Central Bank may specify; (vii) detailed description of the Payment Service Provider’s governance arrangements, including a description of the role, responsibilities and accountability of the third-parties responsible for operating, investment and custody of the Reserve of Assets, and, where applicable, the distribution of the Payment Tokens; (viii) a detailed description of the Reserve of Assets; (ix) a detailed description of the custody arrangements for the Reserve of Assets, including the segregation of the assets; (x) in case of an investment of the Reserve of Assets, a detailed description of the investment policy; and (xi) information on the nature and enforceability of rights, including any direct redemption right or any claims that holders of Payment Tokens may have on the Reserve of Assets or against the Payment Service Provider issuing the Payment Tokens, including how such rights may be treated in insolvency procedures. 
For the avoidance of doubt, the White Paper shall be written in a simple, easy to understand and non-misleading language, and shall be dated. The White Paper shall be endorsed by the Payment Service Provider’s Management and published on the Payment Service Provider’s website after receipt of an approval by the Central Bank.
                     
                  • Article (2): Licensing Requirements

                    1. As stipulated in Article (129) (1) (a) of the Central Bank Law, operating an LVPS in the State requires a prior License from the Central Bank.
                       
                    2. The SO and/or SI of the LVPS must apply and submit the required information and documents set out in Annex A of this Regulation to the Central Bank to obtain a License if the LVPS is in operation in the State.
                  • Article (2): Licensing

                    1. No Person shall provide or engage in the Promotion within the State of any of the Retail Payment Services set out in Annex I without obtaining a prior License from the Central Bank unless this Person is an exempted Person.
                       

                    Exempted Persons

                    1. Banks licensed in accordance with the Central Bank Law shall be deemed licensed to provide Retail Payment Services and shall therefore be exempt from the prohibition laid down in paragraph (1). Nevertheless, Banks shall be required to notify the Central Bank in writing if they intend to provide the Retail Payment Services referred to in points (3) to (4) and (7) to (9) of Annex I and obtain a No Objection Letter prior to commencing the provision of such services. Banks are exempted from the No Objection Letter requirement and any licensing requirements for providing the Retail Payment Services referred to in points (1), (2), (5) and (6) of Annex I.
                       
                    2. For the avoidance of doubt, Banks providing Retail Payment Services other than the Retail Payment Services referred to in points (1), (2), (5) and (6) of Annex I, shall be required to comply only with the requirements set out in Article (11) on Payment Token Services, Article (12) on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, Article (13) on Technology Risk and Information Security, and Article (14) on Obligations Towards Retail Payment Service Users.
                       
                    3. Finance companies licensed in accordance with the finance companies Regulation shall be exempt from the prohibition laid down in paragraph (1) for the service of issuance of credit cards. For the avoidance of doubt, except issuance of credit cards, finance companies that intend to provide Retail Payment Services shall be required to obtain a prior License from the Central Bank.
                       
                    4. The Central Bank may request from a Person or Exempted Person the provision of any information or documentation that it considers necessary to determine the eligibility for exemption or continued exemption, respectively.
                       
                    5. The Central Bank reserves the right to withdraw an exemption granted under this Article 2.
                       
                    • Article (3): Eligibility and Criteria for Designation as Systemically Important Financial Infrastructure System

                      1. As stipulated in Article (126) (2) of the Central Bank Law, if a licensed LVPS falls within the eligibility for designation as set out in the aforementioned Article, the Central Bank may designate such LVPS as systemically important.
                         
                      2. In forming an opinion as to whether an LVPS satisfies the designation criteria, the Central Bank may consider one or more of the following factors in order to determine whether or not the LVPS is a Systemically Important Financial Infrastructure System:
                         
                        1. 2.1. The estimated aggregate value of Transfer Orders transferred, cleared or settled through the LVPS in a normal business day. This refers to the total value of individual instructions transferred, cleared or settled in the LVPS. It also represents the sum of total debits (or credits) to all accounts maintained by the system prior to or in the absence of any Netting of transactions in a normal business day. For established systems during the transition period, the estimated value can be worked out with reference to historical data and business plan.
                           
                        2. 2.2. The estimated average value of Transfer Orders transferred, cleared or settled through the LVPS in a normal business day. This refers to the aggregate value of instructions transferred, cleared or settled through the system in a normal business day, divided by the number of instructions processed.
                           
                        3. 2.3. The estimated number of Transfer Orders transferred, cleared or settled through the LVPS in a normal business day.
                           
                        4. 2.4. The estimated number and the type of Participant Persons of the LVPS.
                           
                        5. 2.5. Whether the LVPS is linked to any Designated Systems that are licensed or regulated by other Regulatory Authorities in the State.
                           
                      3. The above factors are intended to identify an LVPS whose proper functioning is material to the monetary or financial stability of the State or that should be designated, having regard to matters of significant public interest or public order. During the designation process, should the need arise, the Central Bank will discuss with the SO and/or SI of the relevant LVPS so as to understand the design and features of the system and assess whether it fulfills the criteria of a Systemically Important Financial Infrastructure System.
                    • Article (3): License Categories

                      1. A Person that intends to provide Retail Payment Services shall apply for one of the following categories of License:
                         
                        1. 1.1. Category I License;
                           
                        2. 1.2. Category II License;
                           
                        3. 1.3. Category III License; and
                           
                        4. 1.4. Category IV License.
                           
                      2. An Applicant shall apply for a Category I License where it intends to provide one or more of the following Retail Payment Services:
                         
                        1. 2.1. Payment Account Issuance Services;
                           
                        2. 2.2. Payment Instrument Issuance Services;
                           
                        3. 2.3. Merchant Acquiring Services;
                           
                        4. 2.4. Payment Aggregation Services;
                           
                        5. 2.5. Domestic Fund Transfer Services;
                           
                        6. 2.6. Cross-border Fund Transfer Services; and
                           
                        7. 2.7. Payment Token Services.
                           
                      3. An Applicant shall apply for a Category II License where it intends to provide one or more of the following Retail Payment Services:
                         
                        1. 3.1. Payment Account Issuance Services;
                           
                        2. 3.2. Payment Instrument Issuance Services;
                           
                        3. 3.3. Merchant Acquiring Services;
                           
                        4. 3.4. Payment Aggregation Services;
                           
                        5. 3.5. Domestic Fund Transfer Services; and
                           
                        6. 3.6. Cross-border Fund Transfer Services.
                           
                      4. An Applicant shall apply for a Category III License where it intends to provide one or more of the following Retail Payment Services:
                         
                        1. 4.1. Payment Account Issuance Services;
                           
                        2. 4.2. Payment Instrument Issuance Services;
                           
                        3. 4.3. Merchant Acquiring Services;
                           
                        4. 4.4. Payment Aggregation Services; and
                           
                        5. 4.5. Domestic Fund Transfer Services.
                           
                      5. An Applicant shall apply for a Category IV License where it intends to provide one or all of the following Retail Payment Services:
                         
                        1. 5.1. Payment Initiation Services; and
                           
                        2. 5.2. Payment Account Information Services.
                           
                      • Article (4): Designation Process

                        1. The Central Bank will initiate the designation process under the designation framework as stipulated in Article (126) (3) of the Central Bank Law, if it considers an LVPS is meeting or is likely to meet the criteria for designation.
                           
                        2. For the Central Bank to determine whether an LVPS is eligible to be designated and whether it satisfies the designation criteria for the purposes of this Regulation, the Central Bank will request information or documents regarding the LVPS from any Person who is holding, or whom the Central Bank reasonably believes holds such information or documents, or from the SO or SI of the LVPS. This power to request information or documents applies to LVPS, individuals or corporations established, located or incorporated in the State and/or outside the State. The Central Bank will coordinate with any competent Regulatory Authority or other competent authorities in other jurisdictions for the purpose of requesting and securing such information and documents.
                           
                        3. The nature of information or documents that the Central Bank may require might vary from LVPS to LVPS. Generally speaking, the Central Bank will seek to request information or documents as set out in the Annexes of this Regulation and may, where necessary, seek additional information as is required in order to assist the Central Bank in making such determination.
                           
                        4. During the designation process, the Central Bank may discuss with the SO and/or SI of such system where necessary to understand the features and the design of the system and determine the LVPS’s eligibility for designation.
                           
                        5. The time for the designation process may vary depending on the particular circumstances of each case, including the nature and complexity of the prospective designated LVPS and the completeness of the information and documents submitted to the Central Bank.
                           
                        6. The SO and/or SI of a Designated System licensed by the Central Bank may submit a grievance against the designation decision, issued by the Central Bank in accordance with Article (126) (3) of the Central Bank Law, by applying to the Grievances & Appeals Committee as set out in Article (11) of this Regulation.
                           
                        7. If the Central Bank intends to designate any of the LVPS licensed by any Regulatory Authority in the State or the competent regulatory authorities in other jurisdictions as systemically important, the Central Bank shall implement the process for designation as provided for under Article (126) (6) of the Central Bank Law.

                        LVPS deemed to have been licensed and designated

                        1. As stipulated in Article (126) (5) of the Central Bank Law, the LVPS established, developed, and/or operated by the Central Bank are deemed to have been licensed and designated.
                           
                        2. The LVPS that are deemed to have been designated are required to observe all the obligations and oversight requirements imposed on designated LVPS under this Regulation in the same manner as other designated LVPS.
                      • Article (4): License Conditions

                        1. To be granted a License, an Applicant shall, at the time of submitting an Application:
                           
                          1. 1.1. fulfil the Legal Form;
                             
                          2. 1.2. meet the respective initial capital requirements per License Category specified in Article (6); and
                             
                          3. 1.3. provide the necessary documents and information specified in the Central Bank application form as provided by the Licensing Division.
                             
                        2. In addition to the requirements set out in paragraph (1) to be granted a Category I License, an Applicant shall, at the time of submitting an Application, provide a list of all Payment Tokens that it intends to issue and obtain a legal opinion on the assessment for all Payment Tokens.
                           
                        3. In addition to the requirements set out in paragraph (1), to be granted a Category IV License, an Applicant shall, at the time of submitting an Application, hold a professional indemnity insurance as per Article (10) paragraphs (14) to (16).
                           
                        • Article (5): Cooperation with Relevant Regulatory Authorities

                          1. As part of the designation process for LVPS established and/or licensed by another Regulatory Authority in the State or by relevant regulatory authorities in other jurisdictions, the Central Bank may agree with the relevant regulatory authority which parts of this Regulation, where relevant, may not apply to concerned designated LVPS to avoid additional regulatory burden on the SO and SI of the LVPS.
                             
                          2. The Central Bank will rely on co-operative oversight with the relevant regulatory authority of a designated LVPS operating in the State or in other jurisdictions, in accordance with Articles (28) and (127) (2) of the Central Bank Law and the cooperative framework set out in the PFMI.
                        • Article (5): Licensing Procedure

                          1. The licensing of Applicants shall be subject to the procedure envisaged in the Central Bank’s Licensing Guidelines.
                             
                          2. The Management of an Applicant is encouraged to meet with the Central Bank’s Licensing Division before submitting a formal Application.
                             
                          • Article (6): Revocation of License and Designation

                            Grounds for revocation

                            1. As stipulated in Article (128) of the Central Bank Law, the Central Bank may revoke the License it has given to an LVPS if the LVPS is unable to carry out its operations in compliance with the provisions of the Central Bank Law or this Regulation.
                               
                            2. As stipulated in Article (126) (7) of the Central Bank Law, the Central Bank may revoke the designation of an LVPS it licenses if the LVPS has ceased or is likely to cease being a Systemically Important Financial Infrastructure System or an LVPS whose proper functioning is material to the monetary or financial stability of the State.

                            Revocation process

                            1. The Central Bank will prepare a review report on whether a licensed and/or designated LVPS satisfies the ground of revocation under this Regulation. If the Central Bank intends to revoke the License and/or designation of an LVPS, the Central Bank will notify in writing the SO and/or the SI of the LVPS or the regulatory authority where the LVPS is licensed so that such authority can notify the SO and/or SI of the system of the intention of the Central Bank to revoke the License and/or designation. The notice will state the grounds on which the revocation is to be made and specify in the notice a period of not less than twenty (20) working days from the date of notification, during which the SO and/or SI of the system may be heard, or may make written justifications, as to why the grounds for revocation stated in the notice are not valid.
                               
                            2. If any SO and/or SI of the licensed and/or designated LVPS wishes to be heard or to make written justifications, it should make such a request to the Central Bank in writing before the revocation takes effect, giving reasons as to why the grounds for revocation specified in the notice have not been established. After reviewing the reasons given by the SO and/or SI, the Central Bank will determine whether the License and/or designation should be revoked. In the course of reviewing the matter, the Central Bank may meet with the SO and/or SI of the licensed and/or designated LVPS should such need arise.
                               
                            3. If the Central Bank decides to proceed to revoke the License and/or designation of the LVPS, the Central Bank will notify the SO and/or SI of the LVPS of the Central Bank’s decision in writing.
                               
                            4. The SO and/or SI may object to the Central Bank’s decision to revoke the License and/or designation of the LVPS and provide justifications for such objection by applying to the Grievances & Appeals Committee as provided by the Central Bank Law.
                               
                            5. If the Central Bank considers that any designated LVPS licensed by another Regulatory Authority in the State or the concerned regulatory authorities in other jurisdictions is no longer meeting the designation criteria, the Central Bank may request the concerned regulatory authority, via an official notice, to revoke the designation of the LVPS.
                               
                            6. In all cases, the revocation of the License and/or designation of the LVPS shall not affect any transaction cleared and settled in the concerned LVPS prior to the effective date of revocation.
                          • Article (6): Initial Capital

                            1. An Applicant shall hold, upon being granted a License by the Central Bank, initial capital as per the below:
                               
                              1. 1.1. for obtaining a Category I License:
                                 
                                1. 1.1.1. initial capital of at least three (3) million Dirhams where the monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above; or
                                   
                                2. 1.1.2. initial capital of at least one and a half (1.5) million Dirhams where the monthly average value of Payment Transactions amounts to less than ten (10) million Dirhams.
                                   
                              2. 1.2. for obtaining a Category II License:
                                 
                                1. 1.2.1. initial capital of at least two (2) million Dirhams where the monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above; or
                                   
                                2. 1.2.2. initial capital of at least one (1) million Dirhams where the monthly average value of Payment Transactions amounts to less than ten (10) million Dirhams.
                                   
                              3. 1.3. for obtaining a Category III License:
                                 
                                1. 1.3.1. initial capital of at least one (1) million Dirhams where the monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above; or
                                   
                                2. 1.3.2. initial capital of at least five hundred thousand (500,000) Dirhams where the monthly average value of Payment Transactions amounts to less than ten (10) million Dirhams.
                                   
                              4. 1.4. for obtaining a Category IV License: initial capital of at least one hundred thousand (100,000) Dirhams regardless of the monthly average value of Payment Transactions.
                                 
                            2. An Applicant shall provide information to the Central Bank on the source(s) of funds that constitute the initial capital as per paragraph (1).
                               

                            Calculation Method

                            3. The monthly average value of Payment Transactions referred to in paragraph (1) shall be calculated on the basis of the moving average of the preceding (3) months or, where such data does not exist at the time of being granted a License by the Central Bank, on the basis of the business plan and financial projections provided.
                               
                            • Article (7): Settlement Finality

                              1. In accordance with Article (131) of the Central Bank Law settlement finality is “the discharge of an obligation by a transfer of funds that has become irrevocable and unconditional”. Specifically, “settlement finality” refers to the abrogation of all rights otherwise existing at law that would allow the reversal of a Transfer Order effected through, or proceedings within, an LVPS.
                                 
                              2. Article (131) (1) of the Central Bank Law grants finality to all transactions conducted through a Financial Infrastructure System, therefore rendering the same final, irrevocable and irreversible, in any of the cases provided for thereunder. Besides finality in respect of Transfer Orders, the Central Bank Law also provides legal certainty on the Netting arrangements in a designated LVPS.
                                 
                              3. If Netting has been effected in an LVPS that meets any of the designation conditions referred to in Article (126) (2) of the Central Bank Law, the SO and/or SI needs to take into consideration the Netting of obligations of insolvent or bankrupt parties to all obligations owed to or by a Participant Person in the system, as per Article (133) of the Central Bank Law.
                                 
                              4. In addition, this Regulation shall not limit, restrict or otherwise affect the preservation of rights in underlying transactions and the obligation of a Participant Person to notify of insolvency, as set out in Article (134) and Article (135) of the Central Bank Law respectively.
                            • Article (7): Aggregate Capital Funds

                              1. A Payment Service Provider shall hold and maintain at all times aggregate capital funds that do not fall below the initial capital requirements laid down in Article (6), taking into consideration the applicable License category.
                                 
                              2. The Central Bank may impose aggregate capital funds requirements higher than the ones referred to in paragraph (1) if, taking into consideration the scale and complexity of the Payment Service Provider’s business, it considers such higher requirements essential to ensuring that the Payment Service Provider has the ability to fulfil its obligations under this Regulation.
                                 
                              3. Where the monthly average value of Payment Transactions calculated in accordance with Article (6) (3) exceeds the Payment Transaction threshold of ten (10) million Dirhams in (3) consecutive months, Payment Service Providers shall report this fact to the Central Bank and become automatically subject to the higher aggregate capital funds requirements determined by the Central Bank under paragraph (2).
                                 
                              4. The aggregate capital funds referred to in paragraph (1) shall be comprised of one or more of the capital items provided for in paragraphs (5) and (6).
                                 

                              Capital Items

                              5. A Payment Service Provider’s aggregate capital funds shall consist of:
                                 
                                1. 5.1. Paid-up capital;
                                   
                                2. 5.2. Reserves, excluding revaluation reserves; and
                                   
                                3. 5.3. Retained earnings.
                                   
                              6. The following items shall be deducted from the aggregate capital funds:
                                 
                                1. 6.1. Accumulated losses; and
                                   
                                2. 6.2. Goodwill.
                                   
                              • Article (8): Ongoing Requirements of Designated Large-Value Payment Systems

                                Principal Requirements

                                1. The SO and/or SI of a designated LVPS are required to ensure compliance with the following:
                                   
                                  1. 1.1. LVPS must comply with any instructions issued by the Central Bank and any relevant international standards (e.g. PFMI), and ensure proper and continued functioning of the designated LVPS; and
                                     
                                  2. 1.2. LVPS must provide the information required by the Central Bank and where it deems appropriate for achievement of its objectives.
                                     
                                2. The Central Bank may exempt the SO, SI or a Participant Person of a designated LVPS in a general or specific manner, from the provisions of this Regulation, instructions, rules, directives, and controls issued by it.
                                   
                                3. The Central Bank may appoint experts and advisors specialised in Financial Infrastructure Systems to assist the Central Bank in performing its duties and functions in accordance with this Regulation.

                                Detailed requirements

                                4. Upon designation, an LVPS must comply with the oversight requirements imposed under this Regulation and the relevant provisions of PFMI (see Article (9) for detail). Failure to comply with any of those requirements may expose the concerned party to possible sanctions as provided for under the Central Bank Law. The principal requirements, in addition to the relevant provisions of the PFMI, include:
                                   
                                  1. 4.1. Submission of particulars – the Central Bank requires any SO and/or SI of a newly designated LVPS to inform the Central Bank in writing of the designation particulars within fourteen (14) working days after the notification of designation, including the name, place of business, postal address and electronic mail address, as well as the aspects of the management or operations of the system. For any SO and/or SI which are a corporation, the names and personal particulars of the directors, chief executive (if any) and shareholders of the corporation are similarly required to be submitted to the Central Bank. Details of any subsequent change in any of those particulars are to be notified to the Central Bank in writing within fourteen (14) days of the change taking effect.
                                     
                                  2. 4.2. Compliance with safety and efficiency requirements – the general requirements include safe and efficient operation of the LVPS, the establishment of appropriate Operating Rules, the existence of adequate compliance arrangements, and the availability of appropriate financial resources. Any major change to a designated LVPS’s Operating Rules requires prior approval of the Central Bank.
                                     
                                  3. 4.3. Submission of information or documents - the Central Bank may request information or documents relating to a designated LVPS from the SO and/or SI of, or the Participant Person in, the LVPS when performing the oversight functions under this Regulation. The SO and/or SI of, or the Participant Person in, the designated LVPS to whom a request is made is required to submit the information or documents within the period specified in the request.
                                     
                                  4. 4.4. The Central Bank may, at any time, with a short prior notice to the concerned SO and/or SI, examine any books, accounts or transactions of the SO and/or SI of a designated LVPS when performing its functions.
                                     
                                  5. 4.5. The Central Bank may require the SO and/or SI of, or the Participant Person in, a designated LVPS to submit to the Central Bank a report prepared by one or more auditors on matters that the Central Bank requires for discharging or exercising its duties and powers under this Regulation. The SO and/or SI of, or the Participant Person in, a designated LVPS may only appoint an auditor approved by the Central Bank or an auditor amongst auditors approved by the Central Bank for preparing a report required by the Central Bank.
                                     
                                  6. 4.6. The Central Bank may direct the SO and/or SI of a designated LVPS to take any action necessary to bring the LVPS into compliance with any of the requirements of this Regulation. Such a direction will specify the Central Bank’s concerns and the action(s) to be taken, include a statement of the respect in which the Central Bank considers the designated LVPS not to be in compliance with a requirement of this Regulation and specify the period within which the direction is to be complied with.
                                     
                                  7. 4.7. The SO and/or SI of the designated LVPS must have proper Operating Rules to enable its Participant Persons to obtain sufficient information regarding their respective rights and obligations associated with their participation in the LVPS, especially the Default Arrangements and the related procedures. Such rights and obligations must be clearly defined and disclosed to the Participant Persons.
                                     
                                  8. 4.8. The SI must establish rules and procedures as part of the Operating Rules to enable final settlement to take place no later than the end of the intended settlement time and date. The related rules and procedures must also ensure certainty in terms of circumstances under which Transfer Orders effected through the LVPS are to be regarded as final as well as settled for the purposes of the LVPS.
                                     
                                  9. 4.9. Where action has been taken under Default Arrangements of a designated LVPS by the SO and/or SI in respect of a Participant Person in the LVPS, the Central Bank may direct the SO and/or SI of a designated LVPS to give information relating to the default to any official nominated by the Central Bank. The nominated official is responsible for assessing and examining any matter arising out of or connected with the default of the Participant Person in that LVPS. The liabilities of Participant Persons for any loss arising from the default of the Participant Person and the arrangements to handle any disputes over Participant Persons’ liability with respect to default transactions should be clearly set out in the rules and procedures.
                              • Article (8): Control of Controllers

                                1. A Person shall not become a Controller in a Payment Service Provider without obtaining a prior approval from the Central Bank.
                                   
                                2. The Central Bank shall grant an approval under paragraph (1) if it considers that:
                                   
                                  1. 2.1. having regard to the likely influence of the Controller, the Payment Service Provider will remain compliant with the requirements of this Regulation and Level 2 Acts; and
                                     
                                  2. 2.2. the Controller meets the fit and proper requirements specified by the Central Bank.
                                     
                                3. The approval under paragraph (2) may be granted subject to any conditions that the Central Bank may impose on the Person, including but not limited to:
                                   
                                  1. 3.1. conditions restricting the Person’s disposal or further acquisition of shares or voting powers in the Payment Service Provider; and
                                     
                                  2. 3.2. conditions restricting the Person’s exercise of voting power in the Payment Service Provider.
                                     
                                • Article (9): Compliance with Principles of Financial Market Infrastructures Requirements

                                  1. The Committee on Payment and Market Infrastructures (CPMI) and the Technical Committee of the International Organization of Securities Commissions (IOSCO) have set forth a set of PFMI (details of PFMI are available on the two websites: www.bis.org and www.iosco.org).
                                     
                                  2. PFMI aims to assist central banks, market regulators, and other relevant authorities in enhancing safety and efficiency in payment, clearing, settlement, and recording arrangements, and more broadly, limiting systemic risk and fostering transparency and financial stability.
                                     
                                  3. Another objective of PFMI is to harmonize and, where appropriate, strengthen the existing international standards and risk management practice for Financial Infrastructure Systems such as LVPS that are systemically important. In general, these standards are expressed as broad principles in recognition of the differing organizations, functions, and designs of the SO and/or SI, and the different ways to achieve a particular result. The principles have also incorporated a range of specific minimum requirements (such as in the credit, liquidity, the general business risk principles) to ensure a common base level of risk management across Systemically Important Financial Infrastructure Systems and jurisdictions.
                                     
                                  4. The SI and SO must robustly manage the risks of their systemically important LVPS to ensure their safety and promote financial stability. In addition, a systemically important LVPS should not only be safe, but also efficient. Efficiency refers generally to the use of resources by SO, SI and their Participant Persons in performing their functions. A safe and efficient systemically important LVPS contributes to well-functioning financial markets.
                                     
                                  5. PFMI, as global standards, are broadly designed to apply to all Systemically Important Financial Infrastructure Systems across jurisdictions. The Central Bank therefore requires any designated LVPS to observe and comply with the relevant principles in PFMI, in addition to the compliance with the oversight requirements set out in Article (8) of this Regulation. Moreover, the Central Bank may impose higher requirements than PFMI for the LVPS either on the basis of specific risks posed by an LVPS or as a general policy.
                                     
                                  6. The requirements set out in the following paragraphs are applicable to the systemically important LVPS operated by the Central Bank, a related entity/subsidiary of the Central Bank and those operated by the private sector. The SO and/or SI should apply these requirements on an ongoing basis in the operation of their LVPS and business, including when reviewing their own performance, assessing or proposing new services, or proposing changes to risk controls.
                                     
                                  7. In aligning this Regulation with leading international practice, LVPS must comply with the relevant principles set out in the following paragraphs.
                                     
                                  8. Principle 1: Legal basis – a systemically important LVPS must have a well-founded, clear, transparent and enforceable legal framework, with a high degree of legal certainty, for each material aspect of its activities.
                                     
                                  9. Principle 2: Governance – a systemically important LVPS must have governance arrangements that are clear and transparent, promote the safety and efficiency of the LVPS, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.
                                     
                                  10. Principle 3: Framework for the comprehensive management of risks – a systemically important LVPS must have a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, and other risks.
                                     
                                  11. Principle 4: Credit risk – a systemically important LVPS must effectively measure, monitor, and manage its credit exposures to Participant Persons and those arising from its payment, clearing and settlement processes. The systemically important LVPS must maintain sufficient financial resources to cover its credit exposures to each Participant Person fully with a high degree of confidence.
                                     
                                  12. Principle 5: Collateral – a systemically important LVPS that requires collateral to manage its or its participants’ credit exposure must accept collateral with low credit, liquidity, and market risks. A systemically important LVPS must also set and enforce appropriately conservative haircuts and concentration limits.
                                     
                                  13. Principle 6: Liquidity risk – a systemically important LVPS must effectively measure, monitor, and manage its liquidity risk. A systemically important LVPS must maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate liquidity obligation for the systemically important LVPS in extreme but plausible market conditions.
                                     
                                  14. Principle 7: Settlement finality – a systemically important LVPS must provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, a systemically important LVPS should provide final settlement intraday or in real-time.
                                     
                                  15. Principle 8: Money settlement – a systemically important LVPS must conduct its money settlements in central bank money where practical and available. If central bank money is not used, a systemically important LVPS should minimize and strictly control the credit and liquidity risk arising from the use of commercial bank money.
                                     
                                  16. Principle 9: Exchange-of-value settlement systems – if a systemically important LVPS settles transactions that involve the settlement of two linked obligations such as securities or foreign exchange transactions, it must eliminate principal risk by conditioning the final settlement of one obligation upon the final settlement of the other.
                                     
                                  17. Principle 10: Participant-default rules and procedures – a systemically important LVPS must have effective and clearly defined rules and procedures to manage a Participant Person default. These rules and procedures should be designed to ensure that the systemically important LVPS can take timely action to contain losses and liquidity pressures and continue to meet its obligations.
                                     
                                  18. Principle 11: General business risk – a systemically important LVPS must identify, monitor, and manage its general business risk and hold sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialize. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations and services.
                                     
                                  19. Principle 12: Custody and investment risks – a systemically important LVPS must safeguard its own and its Participant Persons’ assets and minimize the risk of loss on and delay in access to these assets. A systemically important LVPS’s investments should be in instruments with minimal credit, market, and liquidity risks.
                                     
                                  20. Principle 13: Operational risk – a systemically important LVPS must identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. LVPS should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the systemically important LVPS’s obligations, including in the event of a wide-scale or major disruption.
                                     
                                  21. Principle 14: Access and participation requirements – a systemically important LVPS must have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access.
                                     
                                  22. Principle 15: Tiered participation arrangements – a systemically important LVPS must identify, monitor, and manage the material risks to the systemically important LVPS arising from tiered participation arrangements.
                                     
                                  23. Principle 16: Financial market infrastructure links – a systemically important LVPS that establishes a link with one or more FMIs must identify, monitor, and manage link-related risks.
                                     
                                  24. Principle 17: Efficiency and effectiveness – a systemically important LVPS must be efficient and effective in meeting the requirements of its Participant Persons and the markets it serves.
                                     
                                  25. Principle 18: Communication procedures and standards – a systemically important LVPS must use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards in order to facilitate efficient payment, clearing, settlement, and recording.
                                     
                                  26. Principle 19: Disclosure of rules, key procedures, and market data – a systemically important LVPS must have clear and comprehensive rules and procedures and should provide sufficient information to enable Participant Persons to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the systemically important LVPS. All relevant rules and key procedures should be adequately disclosed.
                                     
                                  27. In addition, CPMI issued a strategy, “Reducing the risk of wholesale payments fraud related to endpoint security”, on 8th May 2018, to encourage industry efforts to reduce the risk of wholesale payments fraud and help market participants stay focused. The strategy is designed to help SO, SI and Participant Persons of Financial Infrastructure Systems and messaging networks as well as their respective supervisors, regulators and overseers. The strategy sets out seven elements, which work holistically and cover all areas relevant to preventing, detecting, responding to and communicating about fraud.
                                     
                                  28. The Central Bank requires the SO and/or SI of the designated LVPS to take into account this CPMI strategy and any amendments thereto, when implementing the security measures over the LVPS.
                                • Article (9): Principal Business

                                  1. The principal business of a Payment Service Provider shall be the provision of the Retail Payment Service(s) for which it has been granted a License.
                                     
                                  2. Where a Payment Service Provider intends to provide ancillary service(s) falling outside the scope of its License, it shall obtain the approval of the Central Bank prior to commencing the provision of such service(s).
                                     
                                  3. The Central Bank requires prior approval for the provision of any ancillary service(s) by a Payment Service Provider, and may require a Payment Service Provider that intends to provide ancillary service(s), to create a separate entity for the provision of such services, if it believes that the conduct of the ancillary activities may have a negative impact on the Payment Service Provider’s ability to comply with the requirements of this Regulation and Level 2 Acts.
                                     
                                  • Article (10): Enforcement and Sanctions

                                    Violation of any provision of this Regulation or committing any of the violations provided for under the Central Bank Law may subject SI and/or SO to administrative and financial sanctions and penalties as deemed appropriate by the Central Bank.

                                  • Article (10): On-Going Requirements

                                    Corporate Governance

                                    1. Payment Service Providers must comply with the below requirements on corporate governance.
                                       
                                    2. Payment Service Providers must have and maintain effective, robust and well-documented corporate governance arrangements, including a clear organizational structure with well-defined, transparent and consistent lines of responsibility.
                                       
                                    3. The corporate governance arrangements referred to in paragraph (2) must be comprehensive and proportionate to the nature, scale and complexity of the Retail Payment Services provided, and shall contain, at a minimum:
                                       
                                      1. 3.1. an organization chart showing each division, department or unit, indicating the name of each responsible individual accompanied by a description of the respective function and responsibilities;
                                         
                                      2. 3.2. controls on conflicts of interest;
                                         
                                      3. 3.3. controls on integrity and transparency of the Payment Service Provider’s operations;
                                         
                                      4. 3.4. controls to ensure compliance with applicable laws and regulations;
                                         
                                      5. 3.5. methods for maintaining confidentiality of information; and
                                         
                                      6. 3.6. procedures for regular monitoring and auditing of all corporate governance arrangements.
                                         

                                    Risk Management

                                    4. Payment Service Providers must have and maintain robust and comprehensive policies and procedures to identify, manage, monitor and report the risks arising from the provision of Retail Payment Services to which they are or might become exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.
                                       
                                    5. Payment Service Providers’ risk management policies and procedures shall be:
                                       
                                      1. 5.1. kept up-to-date;
                                         
                                      2. 5.2. reviewed annually; and
                                         
                                      3. 5.3. proportionate to the nature, scale and complexity of the Retail Payment Services provided.
                                         
                                    6. Payment Service Providers must establish a risk management function, an internal audit function and a compliance function.
                                       

                                    Accounting and Audit

                                    1. Payment Service Providers must appoint an Auditor to audit on an annual basis:
                                       
                                      1. 7.1. the financial statements or consolidated financial statements of the Payment Service Provider prepared in accordance with the accepted accounting standards and practices; and
                                         
                                      2. 7.2. the systems and controls of the Retail Payment Services provided by the Payment Service Provider, separately from any audit on non-Retail Payment Services.
                                         
                                    2. Upon request by the Central Bank, the appointed Auditor shall submit, directly or through the Payment Service Provider, a report of the audit in a form and within a timeframe acceptable to the Central Bank.
                                       
                                    3. In addition to the report of audit, the Central Bank may request the Auditor to:
                                       
                                      1. 9.1. submit any additional information in relation to the audit, if the Central Bank considers it necessary;
                                         
                                      2. 9.2. enlarge or extend the scope of the audit;
                                         
                                      3. 9.3. carry out any other examination.
                                         

                                    Record Keeping

                                    1. Payment Service Providers shall keep all necessary records on Personal and Payment Data for a period of (5) years from the date of receipt of such data, unless otherwise required by other applicable laws or the Central Bank.
                                       

                                    Notification Requirements

                                    1. Where any material change affects the accuracy and completeness of information provided in an Application, the Applicant or Payment Service Provider, as the case may be, shall immediately notify the Central Bank of such change and provide all necessary information and documents.
                                       
                                    2. A Payment Service Provider shall immediately notify the Central Bank of any violation or potential violation of a Major Regulatory Requirement of this Regulation or Level 2 Acts.
                                       
                                    3. A Payment Service Provider shall immediately notify the Central Bank if it becomes aware that any of the following events have occurred or are likely to occur:
                                       
                                      1. 13.1. any event that prevents access to or disrupts the operations of the Payment Service Provider;
                                         
                                      2. 13.2. any legal action taken against the Payment Service Provider either in the State or in a Third Country;
                                         
                                      3. 13.3. the commencement of any insolvency, winding up, liquidation or equivalent proceedings, or the appointment of any receiver, administrator or provisional liquidator under the laws of any country;
                                         
                                      4. 13.4. any disciplinary measure or sanction taken against the Payment Service Provider or imposed on it by a regulatory body other than the Central Bank, whether in the State or in a Third Country;
                                         
                                      5. 13.5. any change in regulatory requirements to which it is subject beyond those of the Central Bank, whether in the State or in a Third Country; and
                                         
                                      6. 13.6. any other event specified by the Central Bank.
                                         

                                    Professional Indemnity Insurance

                                    1. Payment Service Providers providing Payment Initiation and Payment Account Information Services shall hold a professional indemnity insurance whose amount shall be decided upon by the Central Bank.
                                       
                                    2. The professional indemnity insurance of Payment Service Providers providing Payment Initiation Services referred to in paragraph (14) shall cover these Payment Service Providers’ liabilities for Unauthorized Payment Transactions and non-execution, defective or late execution of Payment Transactions.
                                       
                                    3. The professional indemnity insurance of Payment Service Providers providing Payment Account Information Services referred to in paragraph (14) shall cover these Payment Service Providers’ liability vis-à-vis the Payment Service Provider providing Account Issuance Services or the Retail Payment Service User resulting from non-authorized or fraudulent access to or non-authorized or fraudulent use of Payment Account information.
                                       
                                    • Article (11): Appeal Mechanism

                                      1. For the purposes of this Regulation, the relevant Central Bank’s decisions that may be subject to appeal before the Grievances & Appeals Committee include:
                                         
                                        1. 1.1. licensing and designation of LVPS;
                                           
                                        2. 1.2. revocation or cancellation or suspension of a License and designation of LVPS; and
                                           
                                        3. 1.3. any Central Bank’s actions undertaken against a violating Person.
                                           
                                      2. Under the Regulation, any Person aggrieved by any of the decisions set out in paragraph 1 of this Article may refer the decision to the Grievances & Appeals Committee in writing for review.
                                         
                                      3. Any Person who intends to refer any of the relevant decisions of the Central Bank to the Grievances & Appeals Committee is required to do so in writing to the Central Bank stating the grounds on which the review is sought, as per the committee charter.
                                    • Article (11) Payment Token Services

                                      1. This Article (11) is without prejudice to other provisions of this Regulation that are relevant to Payment Service Providers providing Payment Token Services.
                                         
                                      2. For the avoidance of doubt, Payment Token Services do not include Security Token, Commodity Token and Virtual Asset Token and the provision of services associated with the same.
                                         
                                      3. Security Token and Commodity Token fall within the jurisdiction of the Securities and Commodities Authority and as such are regulated by the Securities and Commodities Authority.
                                         
                                      4. Virtual Asset Tokens, although they may be accepted as a means of payment, are not generally accepted as a medium of exchange due to the lack of stability and high volatility in their market value. As a result, any services associated with Virtual Asset Tokens, including Virtual Asset Token Services, fall outside the scope of this Regulation.
                                         

                                      Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations

                                      1. Payment Token Services shall be considered to carry high money laundering and terrorist financing risk due to their speed, anonymity and cross-border nature. In line with the FATF standards, Payment Service Providers providing Payment Token Services shall undertake risk assessment and take appropriate measures to manage and mitigate the identified risks in accordance with applicable legal and regulatory requirements. Payment Service Providers providing Payment Token Services shall comply with the FATF Guidance for a Risk-based Approach to Virtual Assets and Virtual Assets Service Providers, as may be supplemented from time to time, or any related standards or guidance in assessing and managing risks in Payment Token Services.
                                         

                                      Technology Risk and Information Security

                                      Security Requirements

                                      1. A Payment Service Provider providing Payment Token Services shall have a good understanding of the security risks and vulnerabilities of each Payment Token provided. It shall carry out a security risk assessment for each Payment Token.
                                         

                                      Cyber Security Risk

                                      1. Payment Service Providers providing Payment Token Services whose monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above shall regularly assess the necessity to perform penetration and cyber-attack simulation testing. Coverage and scope of testing shall be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Payment Service Provider shall also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis.
                                         

                                      Specific Obligations for Providing Retail Payment Service on Payment Tokens

                                      Reserve of Assets

                                      1. Payment Service Providers issuing Payment Tokens shall keep and maintain at all times a Reserve of Assets per category of Payment Token issued.
                                         
                                      2. Payment Service Providers issuing Payment Tokens shall ensure effective and prudent management of the Reserve of Assets. They shall ensure that the creation and destruction of Payment Tokens is matched by a corresponding increase or decrease in the Reserve of Assets and that such increase or decrease is adequately managed to avoid any adverse impacts on the market of the Reserve Assets.
                                         

                                      Stabilisation Mechanism

                                      1. Payment Service Providers issuing Payment Tokens shall have and maintain a clear and detailed policy on the selected stabilisation mechanism. That policy and procedure shall in particular:
                                         
                                        1. 10.1. describe the type, allocation and composition of the reference assets the value of which aims at stabilising the value of the Payment Tokens;
                                           
                                        2. 10.2. contain a detailed assessment of the risks, including credit risk, counterparty risk, market risk and liquidity risk, resulting from the Reserve of Assets;
                                           
                                        3. 10.3. describe the procedure for the creation and destruction of Payment Tokens and the consequence of such creation or destruction on the increase and decrease of the Reserve of Assets;
                                           
                                        4. 10.4. provide information on whether the Reserve of Assets is invested, and where part of the Reserve of Assets is invested, describe in detail the investment policy and contain an assessment of how that investment policy can affect the value of the Reserve of Assets; and
                                           
                                        5. 10.5. describe the procedure to purchase and redeem Payment Tokens against the Reserve of Assets, and list the persons who are entitled to such redemption.
                                           
                                      2. Payment Service Providers issuing Payment Tokens shall ensure an independent audit of the Reserve of Assets on a bi-annual basis as from the receipt of the Central Bank’s approval of the White Paper in respect of the Payment Tokens.
                                         

                                      Custody

                                      1. Payment Service Providers issuing Payment Tokens shall establish, maintain and implement custody policies, procedures and contractual arrangements for each category of issued Payment Tokens that ensure at all times that:
                                         
                                        1. 12.1. the Reserve of Assets is segregated from the Payment Service Provider’s own assets;
                                           
                                        2. 12.2. the Reserve of Assets is not encumbered or pledged;
                                           
                                        3. 12.3. the Reserve of Assets is held in custody in accordance with paragraph (14); and
                                           
                                        4. 12.4. the Payment Service Providers have prompt access to the Reserve of Assets to meet any redemption requests from the holders of Payment Tokens.
                                           
                                      2. The assets received in exchange for the Payment Tokens shall be held in custody by no later than (5) Business Days after the issuance of the Payment Tokens by:
                                         
                                        1. 13.1. Bank; or
                                           
                                        2. 13.2. Payment Service Provider providing Payment Token Custody.
                                           

                                      Investment of the Reserve of Assets

                                      1. Payment Service Providers issuing Payment Tokens that invest a portion of the Reserve of Assets shall invest those assets only in highly liquid financial instruments with minimal market and credit risk. The investments shall be capable of being liquidated rapidly with minimal adverse price effect.
                                         
                                      2. All profits or losses, including fluctuations in the value of the financial instruments referred to in paragraph (14), and any counterparty or operational risks that result from the investment of the assets shall be borne by Payment Service Providers issuing the Payment Tokens.
                                         

                                      Pre-Trade Transparency

                                      1. Payment Service Providers that engage in Facilitating the Exchange of Payment Tokens shall disclose to their Retail Payment Service Users and the public as appropriate, on a continuous basis during normal trading, the following information relating to trading of each accepted Payment Token on their platform:
                                         
                                        1. 16.1. the current bid, offer prices and volume;
                                           
                                        2. 16.2. the depth of trading interest shown at the prices and volumes advertised through their systems for the accepted Payment Tokens; and
                                           
                                        3. 16.3. any other information relating to accepted Payment Tokens which would promote transparency relating to trading.
                                           
                                      2. Payment Service Providers that engage in Facilitating the Exchange of Payment Tokens shall use appropriate mechanisms to enable pre-trade information to be made available to the public in an easy to access and uninterrupted manner.
                                         

                                      Post-Trade Transparency

                                      1. Payment Service Providers that engage in Facilitating the Exchange of Payment Tokens shall disclose the price, volume and time of the Payment Transactions executed in respect of accepted Payment Tokens to the public as close to real-time as is technically possible on a non-discretionary basis. They shall use adequate mechanisms to enable post-trade information to be made available to the public in an easy to access and uninterrupted manner, at least during business hours.
                                         
                                      • Article (12): Transition Period

                                        1. A one-year transitional period will commence on the date the Regulation comes into force. System Operators and Settlement Institutions of existing LVPS operating in the State may continue operating throughout the transitional period without being regarded as contravening this Regulation. Nevertheless, they are required to obtain a license from the Central Bank to operate their LVPS before the expiration of the transition period.
                                           
                                        2. If the Central Bank considers that a Financial Infrastructure System fulfills the criteria for designation as provided for under the Central Bank Law, the Central Bank shall have the power to require any such system to obtain a license within a reasonable period to be determined by the Central Bank prior to the expiration of the transition period.
                                      • Article (12) Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations

                                        1. Payment Service Providers must comply with the relevant UAE AML Laws and Regulations and address money laundering and terrorist financing risks through appropriate preventive measures to deter abuse of the sector as a conduit for illicit funds, and detect money laundering and terrorist financing activities and report any suspicious transactions to the Financial Intelligence Department at the Central Bank.
                                           
                                        2. Payment Service Providers must have comprehensive and effective internal AML/CFT policies, procedures and controls in place. Payment Service Providers shall be prohibited from invoking banking, professional or contractual secrecy as a pretext for refusing to perform their statutory reporting obligation in regard to suspicious activity.
                                           
                                        3. Payment Service Providers must identify, assess, and understand the ML/FT risks to which they are exposed and conduct enterprise-level and business relationship-specific risk assessments. Accordingly, all AML/CFT CDD, monitoring and controls must be risk-based and aligned to the risk assessments.
                                           
                                        4. Payment Service Providers shall undertake periodic risk profiling of Retail Payment Service Users and assessment based on the AML/CFT requirements.
                                           
                                        5. Payment Service Providers shall assess whether a business relationship presents a higher money laundering and terrorist financing risk and assign a related risk rating. Payment Service Providers shall be prohibited from dealing in any way with shell banks or other shell financial institutions and from establishing or maintaining any business relationship or conducting any Payment Transaction under an anonymous or fictitious name or by pseudonym or number.
                                           
                                        6. Payment Service Providers shall ensure that their CDD models are designed to address the specific risks posed by a Retail Payment Service User profile and Payment Instrument features. Payment Service Providers shall be prohibited from establishing or maintaining any business relationship or executing any Payment Transaction in the event that they are unable to complete adequate risk-based CDD measures for any reason.
                                           
                                        7. Payment Service Providers providing Retail Payment Services must undertake certain CDD measures concerning Wire Transfers as stipulated in the relevant provisions of the AML Law if Wire Transfer services are provided by Payment Service Providers. Payment Service Providers should introduce appropriate systems for screening, as part of the CDD process, on all parties involved in a transaction against all applicable sanction lists (i.e. the UN sanction lists and the names contained in the ‘search notices’/‘search and freeze notices’ issued by the Central Bank).
                                           
                                        8. If Payment Service Providers provide the service of Wire Transfers, they should take freezing action and prohibit conducting transactions with designated persons and entities, as per the obligations set out in the Central Bank’s Notice 103/2020 on the Implementation of United Nations Security Council (UNSC) and the UAE Cabinet Resolutions regarding UNSC and Local Lists, as amended from time to time.
                                           
                                        9. Payment Service Providers should also be guided by the Financial Action Task Force (FATF) Standards on anti-money laundering and countering the financing of terrorism and proliferation. Payment Service Providers should incorporate the regular review of ML/FT trends and typologies into their compliance training programmes as well as into their risk identification and assessment procedures.
                                           
                                        • Article (13): Interpretation of this Regulation

                                          1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
                                        • Article (13) Technology Risk and Information Security

                                          1. Payment Service Providers shall comply with this Article (13) and are encouraged to consult Annex II for the Guidance on the best practices for technology risk and information security.
                                             

                                          Technology Risk

                                          1. Payment Service Providers are expected to take into account international best practices and standards when designing and implementing the technology and specific risk management systems and processes.
                                             
                                          2. A Payment Service Provider shall establish an effective technology and cyber security risk management framework to ensure the adequacy of IT controls, cyber resilience, the quality and security, including the reliability, robustness, stability and availability, of its computer systems, and the safety and efficiency of the operations of Retail Payment Services. The framework shall be “fit for purpose” and commensurate with the risks associated with the nature, size, complexity and types of business and operations, the technologies adopted and the overall risk management system of the Payment Service Provider. Consideration shall be given to adopting recognized international standards and practices when formulating such risk management framework.
                                             
                                          3. A Payment Service Provider’s effective technology risk management framework shall comprise proper IT governance, a continuous technology risk management process and implementation of sound IT control practices.
                                             
                                          4. A Payment Service Provider shall establish a general framework for management of major technology-related projects, such as in-house software development and acquisition of information systems. This framework shall specify, among other things, the project management methodology to be adopted and applied to these projects.
                                             
                                          5. A Payment Service Provider shall apply and meet at a minimum the UAE Information Assurance Standards, as may be amended from time to time.
                                             

                                          IT Governance

                                          1. A Payment Service Provider shall establish a proper IT governance framework. IT governance shall cover various aspects, including a clear structure of IT functions and the establishment of IT control policies. While there could be different constructs, the major functions shall include an effective IT function, a robust technology risk management function, and an independent technology audit function.
                                             
                                          2. The Board, or a committee designated by the Board, shall be responsible for ensuring that a sound and robust risk management framework is established and maintained to manage technology risks in a manner that is commensurate with the risks posed by the Payment Service Provider’s Retail Payment Activities.
                                             

                                          Security Requirements

                                          1. A Payment Service Provider must clearly define its security requirements in the early stage of system development or acquisition as part of business requirements, and ensure that they are adequately built in during the system development stage.
                                             
                                          2. A Payment Service Provider using the Agile methods to accelerate software development must incorporate adequate security practices to ensure the software is not compromised at any stage in its development process.
                                             
                                          3. A Payment Service Provider that develops an Application Programming Interface (API) or provides an API shall establish safeguards to manage the development and provision of the APIs to secure the interaction and exchange of data between various software applications.
                                             

                                          Network and Infrastructure Management

                                          1. A Payment Service Provider whose monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above shall clearly assign overall responsibility for network management to individuals who are equipped with expertise to fulfil their duties. Network standards, design, diagrams and operating procedures shall be formally documented, kept up-to-date, communicated to all relevant network staff and reviewed periodically.
                                             
                                          2. A Payment Service Provider shall establish a security administration function and a set of formal procedures for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities.
                                             
                                          3. Payment Service Providers shall exercise due care when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include:
                                             
                                            1. 14.1. changing the default password;
                                               
                                            2. 14.2. implementing strong password control, with minimum password length and history, password complexity as well as maximum validity period;
                                               
                                            3. 14.3. restricting the number of privileged users;
                                               
                                            4. 14.4. implementing strong controls over remote access by privileged users;
                                               
                                            5. 14.5. granting of authorities that are strictly necessary to privileged and emergency IDs;
                                               
                                            6. 14.6. formal approval by appropriate senior personnel prior to being released for usage;
                                               
                                            7. 14.7. logging, preserving and monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs);
                                               
                                            8. 14.8. prohibiting sharing of privileged accounts;
                                               
                                            9. 14.9. proper safeguard of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data center); and
                                               
                                            10. 14.10. changing of privileged and emergency IDs’ passwords immediately upon return by the requesters.
                                               

                                          Cyber Security Risk

                                          1. Where a Payment Service Provider is heavily reliant on Internet and mobile technologies to deliver the Retail Payment Services it provides, cyber security risks shall be adequately managed through the Payment Service Provider’s technology risk management process. The Payment Service Provider shall also commit adequate skilled resources to ensure its capability to identify the risk, protect its critical services against the attack, contain the impact of cyber security incidents and restore the services.
                                             
                                          2. A Payment Service Provider shall establish a cyber incident response and management plan to swiftly isolate and neutralize a cyber threat and to resume affected services as soon as possible. The plan shall describe procedures to respond to plausible cyber threat scenarios.
                                             
                                          3. Payment Service Providers whose monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above shall regularly assess the necessity to perform penetration and cyber-attack simulation testing. Coverage and scope of testing shall be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Payment Service Provider shall also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis.
                                             

                                          Retail Payment Service User Authentication

                                          1. A Payment Service Provider shall select and implement reliable and effective authentication techniques to validate the identity and authority of its Retail Payment Service Users. Multi-factor authentication shall be required for high-risk transactions.
                                             
                                          2. End-to-end encryption shall be implemented for the transmission of Retail Payment Service User passwords so that they are not exposed at any intermediate nodes between the Retail Payment Service User mobile application or browser and the system where passwords are verified.
                                             

                                          Login Attempts and Session Management

                                          1. A Payment Service Provider shall implement effective controls to limit the number of login or authentication attempts (e.g. wrong password entries), implementing time-out controls and setting time limits for the validity of authentication. If a one-time password is used for authentication purposes, a Payment Service Provider shall ensure that the validity period of such passwords is limited to the strict minimum necessary.
                                             
                                          2. A Payment Service Provider shall have processes in place ensuring that all Payment Transactions are logged with an appropriate audit trail.
                                             

                                          Administration of Retail Payment Service User Accounts

                                          1. Where a Payment Service Provider providing Payment Account Issuance Services allows a Retail Payment Service User to open a Payment Account through an online channel, a reliable method shall be adopted to authenticate the identity of that Retail Payment Service User. In general, the electronic know your customer (i.e. Retail Payment Service User) (eKYC) processes accepted by the Central Bank for Banks are acceptable for the customer verification and validation processes of Payment Account Issuance Services.
                                             
                                          2. A Payment Service Provider shall perform adequate identity checks when any Retail Payment Service User requests a change to the Retail Payment Service User’s Payment Account information or contact details that are useful for the Retail Payment Service User to receive important information or monitor the activities of the Retail Payment Service User’s Payment Accounts.
                                             
                                          3. A Payment Service Provider shall implement effective controls, such as two-factor authentication, to re-authenticate the Retail Payment Service User before effecting each high-risk transaction. High-risk transactions shall, at least, include:
                                             
                                            1. 24.1. Payment Transactions that exceeded the predefined transaction limit(s);
                                               
                                            2. 24.2. Change of personal contact details; and
                                               
                                            3. 24.3. Unless it is not practicable to implement, Payment Transactions that exceeded the aggregate rolling limit(s) (i.e. total value of Payment Transactions over a period of time).
                                               

                                          Business Continuity

                                          1. A Payment Service Provider shall have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery.
                                             
                                          2. A Payment Service Provider shall put in place a set of recovery strategies to ensure that all critical business functions identified in a business impact analysis can be recovered in accordance with the predefined recovery timeframe. These recovery strategies shall be clearly documented, thoroughly tested and regularly reviewed to ensure achievement of recovery targets.
                                             
                                          3. A Payment Service Provider shall put in place effective measures to ensure that all business records, in particular Retail Payment Service User records, can be timely restored in case they are lost, damaged, or destroyed. A Payment Service Provider shall also allow Retail Payment Service Users to access their own records in a timely manner. A Payment Service Provider shall notify Retail Payment Service Users of any loss in their records through an operational failure or through theft, and make reasonable effort to ensure that personal records so lost are not used wrongfully.
                                             
                                          4. A Payment Service Provider shall develop a business continuity plan based on the business impact analysis and related recovery strategies. A business continuity plan shall comprise, at a minimum:
                                             
                                            1. 28.1. detailed recovery procedures to ensure full accomplishment of the service recovery strategies;
                                               
                                            2. 28.2. escalation procedures and crisis management protocol (e.g. set up of a command center, timely reporting to the Central Bank, etc.) in case of severe or prolonged service disruptions;
                                               
                                            3. 28.3. proactive communication strategies (e.g. Retail Payment Service User notification, media response, etc.);
                                               
                                            4. 28.4. updated contact details of key personnel involved in the business continuity plan; and
                                               
                                            5. 28.5. assignment of primary and alternate personnel responsible for recovery of critical systems.
                                               
                                          5. A Payment Service Provider shall conduct testing of its business continuity plan at least annually. Its Management, primary and alternate relevant personnel shall participate in the annual testing to familiarize themselves with their recovery responsibilities.
                                             
                                          6. A Payment Service Provider shall review all business continuity planning-related risks and assumptions for relevancy and appropriateness as part of the annual planning of testing. Formal testing documentation, including a test plan, scenarios, procedures and results, shall be produced. A post mortem review report shall be prepared for formal sign-off by Management.
                                             

                                          Alternate Sites for Business and IT Recovery

                                          1. A Payment Service Provider shall examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites shall be sufficiently distanced to avoid any shared risk and being affected by the same disaster.
                                             
                                          2. A Payment Service Provider’s alternate site shall be readily accessible, installed with appropriate facilities and available for occupancy within the time requirement specified in its business continuity plan. Appropriate physical access controls shall be implemented. If certain recovery staff are required to work from home in the event of a disaster, adequate computer systems and communication facilities shall be made available in advance.
                                             
                                          3. Alternate sites for IT recovery shall have sufficient technical equipment, including communication facilities, of an appropriate standard and capacity to meet recovery requirements.
                                             
                                          4. A Payment Service Provider shall avoid placing excessive reliance on external vendors in providing business continuity management support, including the provision of the disaster recovery site and back-up equipment and facilities. A Payment Service Provider shall satisfy itself that each vendor has the capacity to provide the services when needed, and that the contractual responsibilities of the vendors, including the lead-time to provide necessary emergency services, types of support and capacity, are clearly specified.
                                             
                                          5. Where a Payment Service Provider is reliant on shared computing services provided by external providers, such as cloud computing, to support its disaster recovery, it shall manage the risk associated with these services.
                                             

                                          Reputation Risk Management

                                          1. A Payment Service Provider shall establish and implement an effective process for managing reputational risk that is appropriate for the size and complexity of its operations.
                                             
                                          • Article (14): Publication & Application

                                            1. This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication. In case of any discrepancy between the Arabic and the English, the Arabic version will prevail.
                                          • Article (14): Obligations Towards Retail Payment Service Users

                                            1. Payment Service Providers must be operated prudently and with competence in a manner that will not adversely affect the interests of the Retail Payment Service Users or potential Retail Payment Service Users. In addition, they must also observe and comply with the relevant regulatory requirements and standards on consumer protection of the Central Bank. For the avoidance of doubt, in case of discrepancies between this Regulation and the Central Bank’s requirements and standards on consumer protection, the respective provisions of this Regulation shall prevail.
                                               

                                            Safeguarding of Funds In-Transit

                                            1. At no time shall Payment Service Providers hold funds of Retail Payment Service Users unless these are funds in transit.
                                               
                                            2. Payment Service Providers that settle Payment Transactions within twenty four (24) hours shall segregate Retail Payment Service Users’ funds in the following ways:
                                               
                                              1. 3.1. funds shall not be commingled at any time with the funds of any Person other than the Retail Payment Service Users on whose behalf the funds are held; and/or
                                                 
                                              2. 3.2. funds shall be insulated in the interest of the Retail Payment Service Users against the claims of other creditors of the Payment Service Provider, in particular in the event of insolvency.
                                                 
                                            3. Payment Service Providers that settle Payment Transactions after twenty-four (24) hours shall segregate Retail Payment Service Users’ funds in the following ways:
                                               
                                              1. 4.1. open a separate escrow account with a Bank and restrict any operations and transactions on this account save for the transfer of the deposited Retail Payment Service Users’ funds to the end beneficiary; and/or
                                                 
                                              2. 4.2. funds shall be covered by an insurance policy or by a bank guarantee from a regulated insurance company or Bank which does not belong to the same Group as the Payment Service Provider.
                                                 
                                              3. 4.3. While Banks, acting as Retail Payment Service Provider, are not required to establish a separate escrow account, an insurance policy or a bank guarantee to safeguard Retail Payment Service Users’ funds, a separate bank account under the name of the concerned Retail Payment Service Users must be set up for protecting the funds.
                                                 

                                            Transparency of Contractual Terms

                                            1. Payment Service Providers shall provide the terms and conditions governing their contractual relationship with:
                                               
                                              1. 5.1. each new Retail Payment Service User, sufficiently in advance of entering into the contractual relationship as to allow the Retail Payment Service User to make an informed decision; and
                                                 
                                              2. 5.2. each existing Retail Payment Service User, at their request in writing and delivered as per the Retail Payment Service User’s preference, including through an e-mail, mobile application or any other electronic manner.
                                                 
                                            2. The terms and conditions referred to in paragraph (5) shall be written in a clear, plain and understandable language, in a manner that is not misleading and shall be provided to the Retail Payment Service User in both Arabic and English, as may be requested by the Retail Payment Service User.
                                               
                                            3. Any changes to the terms and conditions referred to in paragraph (5) shall be communicated to the Retail Payment Service User by the Payment Service Provider sufficiently in advance and at least 30 calendar days prior to any such change becoming effective.
                                               
                                            4. A Retail Payment Service User shall be entitled to terminate its contractual relationship with a Payment Service Provider at no charge where it does not agree with the revised terms and conditions referred to in paragraph (7).
                                               

                                            Single Retail Payment Service Agreements

                                            1. For transactions that are to be concluded under a Single Retail Payment Service Agreement, Payment Service Providers shall provide Retail Payment Service Users with the following information before the entry into a contractual relationship:
                                               
                                              1. 9.1. schedule of fees, charges and commissions, including conversion rates and withdrawal charges, where applicable;
                                                 
                                              2. 9.2. contact details of the Payment Service Provider, including legal name and registered address, including the address of the agent or branch, where applicable;
                                                 
                                              3. 9.3. the form and procedure for giving consent to the initiation of a Payment Order or execution of a Payment Transaction and for the withdrawal of consent;
                                                 
                                              4. 9.4. the communication channel between the Payment Service Provider and the Retail Payment Service User;
                                                 
                                              5. 9.5. the manner of safeguarding funds as per Article 14(3) and (4) and Reserve of Assets as per Article 11(9);
                                                 
                                              6. 9.6. the manner and timeline for notification by the Retail Payment Service User to the Payment Service Provider in case of Unauthorized or incorrectly initiated or executed Payment Transaction;
                                                 
                                              7. 9.7. information on Payment Service Provider’s and Retail Payment Service User’s liability for Unauthorized Payment Transactions;
                                                 
                                              8. 9.8. the service level for the provision of the Retail Payment Service;
                                                 
                                              9. 9.9. information on the Payment Service Provider’s complaint procedure; and
                                                 
                                              10. 9.10. the Payment Service Provider’s procedure for reporting of Unauthorized Payment Transactions.
                                                 
                                            2. The information required in paragraph (9) shall be provided immediately after the execution of the Payment Transaction where it is concluded at a Payment Service User’s request using a Means of Distance Communication which does not allow for the provision of such information before the entry into a contractual relationship.
                                               

                                            Framework Agreements

                                            1. For transactions that are concluded under a Framework Agreement, Payment Service Providers shall provide to Retail Payment Service Users the following information before the Retail Payment Service User consents to the entry into a Payment Transaction as well as at any other time the Retail Payment Service User requests this information, and within (5) Business Days of such request:
                                               
                                              1. 11.1. schedule of fees, charges and commissions, including conversion rates and withdrawal charges, where applicable;
                                                 
                                              2. 11.2. contact details of the Payment Service Provider, including legal name and registered address, including address of the agent or branch, where applicable;
                                                 
                                              3. 11.3. the form and procedure for giving consent to the initiation of a Payment Order or execution of a Payment Transaction and for the withdrawal of consent;
                                                 
                                              4. 11.4. the communication channel between the Payment Service Provider and the Retail Payment Service User;
                                                 
                                              5. 11.5. the manner of safeguarding funds as per Article 14(3) and (4) and Reserve of Assets as per Article 11(9);
                                                 
                                              6. 11.6. the manner and timeline for notification by the Retail Payment Service User to the Payment Service Provider in case of Unauthorized or incorrectly initiated or executed Payment Transaction;
                                                 
                                              7. 11.7. information on Payment Service Provider’s and Retail Payment Service User’s liability for Unauthorized Payment Transactions;
                                                 
                                              8. 11.8. information relating to terms under which a Payment Service User may be deemed to have accepted changes to the terms and conditions, the duration of the contract and the rights of the parties to terminate the Framework Agreement;
                                                 
                                              9. 11.9. the service level for the execution of the Retail Payment Service;
                                                 
                                              10. 11.10. information on the Payment Service Provider’s complaint procedure; and
                                                 
                                              11. 11.11. the Payment Service Provider’s procedure for reporting of Unauthorized Payment Transactions.
                                                 
                                            2. The information required in paragraph (11) shall be provided immediately after the execution of the Payment Transaction where it is concluded at a Payment Service User’s request using a Means of Distance Communication which does not allow for the provision of such information before the entry into a contractual relationship.
                                               
                                            3. Payment Service Providers shall provide Retail Payment Service Users with a written statement of the Payment Transactions under a Framework Agreement at least once per month free of charge, including details of the amounts, fees, charges and commissions, the dates and times of execution and the reference numbers for each Payment Transaction.
                                               

                                            Information Requirements

                                            1. Immediately after the receipt of an order for a Payment Transaction, the Payment Service Provider of the Payer shall provide a receipt for Retail Payment Service Users with:
                                               
                                              1. 14.1. confirmation of the successful or unsuccessful initiation and execution of the Payment Transaction;
                                                 
                                              2. 14.2. acknowledgement and reference number to track the status of the Payment Transaction, including:
                                                 
                                                1. 14.2.1. the date and amount of the Payment Transaction; and
                                                   
                                                2. 14.2.2. information relating to the Payee;
                                                   
                                              3. 14.3. the amount of the Payment Transaction, any related fees or charges, including the actual currency and conversion rates used, and withdrawal charges, where applicable; and
                                                 
                                              4. 14.4. the date on which the Payment Service Provider received the Payment Order.
                                                 
                                            2. The Payee’s Payment Service Provider shall, immediately after the execution of the Payment Transaction, provide the Payee with a statement with the following information:
                                               
                                              1. 15.1. reference enabling the Payee to identify the Payment Transaction and, where appropriate, the Payer and any information transferred with the Payment Transaction;
                                                 
                                              2. 15.2. the amount of the Payment Transaction in the currency in which the funds are to be disbursed to the Payee;
                                                 
                                              3. 15.3. the amount of any fees or charges for the Payment Transaction payable by the Payee;
                                                 
                                              4. 15.4. where applicable, the currency exchange rate used in the Payment Transaction by the Payee’s Payment Service Provider; and
                                                 
                                              5. 15.5. the date on which the amount of a Payment Transaction is credited to a Payee’s Payment Account.
                                                 
                                            3. The Payer’s Payment Service Provider shall ensure that Payment Orders are accompanied by the necessary information so that they can be processed accurately and completely, and also, be easily identified, verified, reviewed, audited and for any subsequent investigation if needed.
                                               
                                            4. The Payee’s Payment Service Provider shall implement procedures to detect when any necessary information is missing or inaccurate for a Payment Transaction.
                                               

                                            Protection of Payment and Personal Data

                                            1. Payment Service Providers shall have in place and maintain adequate policies and procedures to protect:
                                               
                                              1. 18.1. Payment Data and identify, prevent and resolve any data security breaches; and
                                                 
                                              2. 18.2. Personal Data.
                                                 
                                            2. Payment Service Providers may disclose Payment and Personal Data to:
                                               
                                              1. 19.1. a third party where the disclosure is made with the prior written consent of the Retail Payment Service User or is required pursuant to applicable laws;
                                                 
                                              2. 19.2. the Central Bank;
                                                 
                                              3. 19.3. other regulatory authorities upon request/following prior approval of the Central Bank;
                                                 
                                              4. 19.4. a court of law; and
                                                 
                                              5. 19.5. other government bodies who have lawfully authorized rights of access.
                                                 
                                            3. In addition to the disclosures envisaged in paragraph (19), Payment Service Providers may also disclose Personal Data to its corresponding Data Subject.
                                               
                                            4. Payment Service Providers shall have in place and maintain Payment and Personal Data protection controls.
                                               
                                            5. Personal and Payment Data shall be stored and maintained in the State. Payment Service Providers must also establish a safe and secure backup of all Personal and Payment Data in a separate location for the required period of retention of (5) years.
                                               
                                            6. Payment Service Providers shall comply with applicable regulatory requirements and standards on data protection. They shall control, process and retain only Personal Data that is necessary for the provision of Retail Payment Services and upon obtaining the explicit consent of the Retail Payment Service User.
                                               

                                            Liability for Unauthorized Payment Transactions and Refunds

                                            1. Payment Service Providers shall be fully liable for any fraudulent or Unauthorized Payment Transaction, whether before or after the Payer informs the Payment Service Provider of any potential or suspected fraud, except where there is evidence that:
                                               
                                              1. 24.1. the Payer acts fraudulently; or
                                                 
                                              2. 24.2. the Payer acted with gross negligence and did not take reasonable steps to keep its personalized security credentials safe.
                                                 

                                            Refunds

                                            1. The Payment Service Provider shall refund the amount of the Unauthorized Payment Transaction to the Payer and, where applicable, restore the debited Payment Account to the state it would have been in had the Unauthorized Payment Transaction not taken place.
                                               
                                            2. The Payment Service Provider shall provide a refund under paragraph (25) as soon as practicable and in any event no later than the end of the Business Day following the day on which it becomes aware of the Unauthorized Payment Transaction.
                                               
                                            3. Paragraphs (25), (26) and (30) do not apply where the Payment Service Provider has reasonable grounds to suspect fraudulent behavior by the Retail Payment Service User and notifies the Central Bank of those grounds in writing.
                                               
                                            4. When crediting a Payment Account under paragraph (30), a Payment Service Provider shall ensure that the date on which the amount of a Payment Transaction is credited to a Payee’s Payment Account is no later than the date on which the amount of the Unauthorized Payment Transaction was debited.
                                               
                                            5. Where an Unauthorized Payment Transaction was initiated through a Payment Initiation Service Provider, the Payment Service Provider providing Payment Account Issuance Services shall comply with paragraph (30). In addition, if the Payment Initiation Service Provider is liable for the Unauthorized Payment Transaction, it shall, on the request of the Payment Service Provider providing Payment Account Issuing Services, compensate the Payment Service Provider providing Payment Account Issuing Services immediately for the losses incurred or sums paid as a result of complying with paragraph (30), including the amount of the Unauthorized Payment Transaction.
                                               
                                            6. Other than in relation to the circumstances contemplated in paragraphs (25) to (29), on conclusion of an investigation by a Payment Service Provider into an error or Complaint, a Payment Service Provider shall pay any refund or monetary compensation due to a customer within (7) calendar days of such conclusion or instruction. In case of a delay in payment of any refund or compensation, the Payment Service Provider shall update the customer with the expected time for crediting the amount due, along with a justification for the delay.
                                               
                                            • Annex A

                                              Information or documents that may be requested under this Regulation

                                              1. A copy of the Operating Rules of the LVPS.
                                                 
                                              2. Details of the type of services offered by the LVPS.
                                                 
                                              3. Details of the constitution, structure, nature of business, ownership and management of the LVPS, the SO and the SI.
                                                 
                                              4. Details of the design and function and external system interfaces of the LVPS, including details specifying the point at which a Transfer Order takes effect as having been entered into the LVPS and of the point after which a Transfer Order may not be revoked by a Participant Person or any other party.
                                                 
                                              5. A copy of the last three annual reports, if any, and the financial statements (with any auditor’s reports) for the current financial year of the LVPS, the SO and the SI.
                                                 
                                              6. The basis for membership of or participation in the LVPS (i.e. admission criteria) and a list of the current members of or Participant Persons in the LVPS.
                                                 
                                              7. Tariff information and schedule.
                                                 
                                              8. Names of the SO and/or SI, if any, of the LVPS and whether the SO and/or SI are also Participant Persons in the LVPS under the Operating Rules of the system. Legal contracts or documents between the SO and the SI in relation to the LVPS.
                                                 
                                              9. Details of the types, volume and values of Transfer Orders processed by the LVPS.
                                                 
                                              10. Detailed business contingency plan.
                                                 
                                              11. Name and contact details of the Person to whom questions relating to the designation of the LVPS should be directed.

                                              For overseas systems, the following additional information may be required:

                                              1. Name of each of the relevant regulators where the LVPS is regulated by one or more regulatory authorities not within the State jurisdiction.
                                                 
                                              2. An outline of any laws and other regulatory requirements relating to the operations of the LVPS, if regulated by a regulatory authority not within the State jurisdiction.
                                                 
                                              3. Evidence of the LVPS’ compliance with any applicable laws and regulatory requirements of a jurisdiction outside State, which may include comments from home supervisory authority on the LVPS’ compliance with any applicable laws and regulatory requirements of a jurisdiction outside State.
                                            • Article (15): Use of Agents and Branches

                                              1. Where a Payment Service Provider intends to provide Retail Payment Services through an Agent or branch, it must conduct an assessment of such arrangement and provide a report on an annual basis to the Central Bank of the following:
                                                 
                                                1.1. name and address of the Agent or branch;

                                                1.2. assessment of the adequacy of the internal control mechanisms that will be used by the Agent in order to comply with AML/CTF requirements;

                                                1.3. assessment of the Persons responsible for the Management of the Agent or branch, and evidence that they fulfil the fit and proper requirements specified by the Central Bank; and

                                                1.4. the scope of Retail Payment Services for which the Agent or branch is mandated.
                                                   
                                              2. Payment Service Providers shall contractually ensure that Agents acting on their behalf disclose this fact to the Retail Payment Service Users.
                                                 
                                              3. Payment Service Providers shall immediately notify the Central Bank of any change regarding the use of Agents or branches.
                                                 
                                              • Annex B

                                                Information on System Operator (SO) / Settlement Institution (SI)

                                                1. Name of clearing and settlement system to which the designated LVPS relates.
                                                   
                                                2. Name of SO / SI.
                                                   
                                                3. Legal form (body corporate, partnership, etc.).
                                                   
                                                4. Country of incorporation or formation.
                                                   
                                                5. Date of incorporation or formation.
                                                   
                                                6. Registered office.
                                                   
                                                7. Principal place of business.
                                                   
                                                8. Contact details (names, physical and email addresses).
                                                   
                                                9. Aspects of the management or operations of the system for which the entity is responsible.
                                                   
                                                10. Organization chart of your company.
                                              • Article (16): Outsourcing

                                                1. Payment Service Providers outsourcing services and processes to service providers, Agents or Group entities shall be obliged to contractually ensure that such third parties comply with the requirements of this Regulation, Level 2 Acts and other relevant laws.
                                                   
                                                2. The outsourcing under paragraph (1) shall be subject to the prior approval of the Central Bank. Furthermore, Payment Service Providers shall provide details on all outsourcing under paragraph (1) in a report on an annual basis to the Central Bank.
                                                   
                                                3. Payment Service Providers shall remain fully liable for any acts of any Agent, branch or service provider to which a Retail Payment Service has been outsourced.
                                                   
                                                4. Payment Service Providers shall be responsible for ensuring and maintaining appropriate training and qualifications of their Agents.
                                                   
                                                • Annex C

                                                  LVPS Turnover Information

                                                  1. Aggregate value of Transfer Orders transferred, cleared or settled through the LVPS in a normal business day (in billions of the original currency transferred, cleared or settled).
                                                     
                                                  2. Average value of Transfer Orders transferred, cleared or settled through the LVPS in a normal business day (in thousands of the original currency transferred, cleared or settled).
                                                     
                                                  3. Number of Transfer Orders transferred, cleared or settled through the LVPS in a normal business day.
                                                • Article (17): Contractual Arrangements

                                                  Access to Payment Accounts

                                                  1. Payment Service Providers providing Payment Account Issuance Services and/or Banks may agree to contract with Payment Service Providers providing Payment Initiation and Payment Account Information Services for the provision of access, direct or indirect, to the Payment Accounts held with them in order to allow such Payment Service Providers to provide Payment Initiation and Payment Account Information Services in an unhindered and efficient manner.
                                                     
                                                  2. The contractual arrangements under paragraph (1) shall:
                                                     
                                                    2.1. have a sound legal basis and be legally enforceable;

                                                    2.2. clearly describe the rights and obligations of the counterparties;

                                                    2.3. clearly define the allocation of liability between the counterparties, including in cases of fraud, unauthorized access or Data Breach, in a manner that each counterparty takes responsibility for the respective parts of the Payment Transaction under its control;

                                                    2.4. specify the reasons for denying access to Payment Accounts related to unauthorized or fraudulent access by Payment Service Providers providing Payment Initiation and Payment Account Information Services; and

                                                    2.5. explicitly oblige the counterparties to comply with Article (13) on Technology Risk and Information Security.
                                                       
                                                  3. The choice of Payment Service Providers providing Payment Initiation and Payment Account Information Services shall be at the sole discretion of the Payment Service Providers providing Payment Account Issuance Services and/or Banks.
                                                     
                                                  4. Payment Service Providers providing Payment Initiation and Payment Account Information Services shall:
                                                     
                                                    4.1. provide services only where based on the Retail Payment Service User’s explicit consent;

                                                    4.2. ensure that the personalized security credentials of the Retail Payment Service User are not, with the exception of the Retail Payment Service User and the issuer of the personalized security credentials, accessible to other parties and that they are transmitted through safe and efficient channels;

                                                    4.3. not request or store Sensitive Payment Data of the Retail Payment Service User;

                                                    4.4. not use, access or store any data for purposes other than for the provision of the Payment Initiation or Payment Account Information Services, as explicitly requested by the Retail Payment Service User; and

                                                    4.5. comply with the requirements of Article (13) on Technology Risk and Information Security where the Payer initiates an electronic Payment Transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
                                                       
                                                  5. In addition to the requirements set out in paragraph (4), Payment Service Providers providing Payment Account Information Services shall access only the information from designated Payment Accounts and associated Payment Transactions.
                                                     
                                                  6. In addition to the requirements set out in paragraph (4), Payment Service Providers providing Payment Initiation Services shall not modify the amount, the Payee or any other feature of the Payment Transaction.
                                                     
                                                  • Annex D

                                                    Information to be collected from SO/SI by the Central Bank

                                                    To be submitted before the end of the first year of designation

                                                    1. Liquidity commitment or other financial commitment by SI for daily operation of LVPS.
                                                       
                                                    2. Current credit rating(s) of SI.
                                                       
                                                    3. Throughput guidelines (if changed) from SO/SI.
                                                       
                                                    4. Results of stress testing, if any (once the results are available) from SO.
                                                       
                                                    5. Fees and cost from SO, including:
                                                       
                                                      1. Joining cost (breakdown into (i) entry/admission fee, (ii) basic system set-up costs (limit to those costs known to SO) and membership fee).
                                                         
                                                      2. Calculation basis of (i) admission fee and (ii) membership fee.
                                                         
                                                      3. Transaction tariff (breakdown by types) and how the tariff is determined (e.g. whether determined on a cost-recovery basis).
                                                         
                                                      4. Other fees of participating in the LVPS, if any.
                                                         
                                                    6. Outsourcing plan (if any) (for any outsourcing plan not yet implemented) from SO.
                                                       
                                                    7. Internal and/or external auditor’s report on various risk areas (if any) from SO and/or SI.

                                                    To be submitted if and when available by SO and/or SI

                                                    1. Development plan and business forecast for the designated LVPS for the coming year, if available.
                                                       
                                                    2. Budgetary plan highlighting the resources devoted to system maintenance and development for the coming year, if available.

                                                    To be submitted within two weeks when available by SO and/or SI

                                                    1. Audited financial statements and accounts of SO and/or SI, such as balance sheet, cash flow statement, profit and loss account for the latest financial year.
                                                       
                                                    2. Results of stress testing, if any (once the results are available).
                                                       
                                                    3. Internal and/or external auditor’s report on various risk areas (if any) if initiated by SO/SI.

                                                    To be submitted within two weeks when changes are made, highlighting the changes

                                                    1. Current credit rating(s) by SI.
                                                       
                                                    2. Throughput guidelines (if changed) by SI.
                                                       
                                                    3. Fees and Cost by SO.
                                                       
                                                    4. Outsourcing plan (if any) (when new plan is available) by SO.
                                                       
                                                    5. Business continuity plan (if any, during the year).
                                                       
                                                    6. Organization chart and structure (if changed) Throughput guidelines (if changed) by SO and/or SI.
                                                       
                                                    7. Business continuity plan (if any, during the year) by SO and/or SI.
                                                       
                                                    8. LVPS specifications by SO and/or SI.

                                                    To be submitted as and when required by the Central Bank

                                                    1. Internal and/or external auditor’s report on various risk areas as and when required by the Central Bank.

                                                    To be submitted on a yearly basis

                                                    1. Liquidity commitment or other financial commitment by SI for daily operation of LVPS.
                                                       
                                                    2. Development plan and business forecast for the designated LVPS for the coming year, if available by SO and/or SI.
                                                       
                                                    3. Budgetary plan highlighting the resources devoted to system maintenance and development for the coming year, if available by SO and/or SI.
                                                  • Article (18): Card Schemes

                                                    Card Scheme License

                                                    1. Card Schemes operating within the State shall obtain a License by the Central Bank prior to commencing operations.
                                                       
                                                    2. Applicants shall be subject to the procedure envisaged in the Central Bank’s Licensing Guidelines.
                                                       
                                                    3. The Central Bank shall determine whether to grant or refuse to grant a License to a Card Scheme Applicant and indicate this in writing to the Applicant within (90) calendar days from the receipt of the full set of documents and information requested under the Application.
                                                       
                                                    4. The Central Bank may grant a License under paragraph (1) with or without conditions or restrictions attached to it, or refuse to grant a License at its discretion.
                                                       
                                                    5. The Central Bank shall notify the Card Scheme of the decision taken under paragraph (3). In case of a refusal to grant a License, the Central Bank shall indicate the reasons for such refusal.
                                                       
                                                    6. The Central Bank reserves the sole right to issue Card Issuer (Bank) Identification Numbers (BIN) in accordance with ISO/IEC 7812, as may be amended or supplemented from time to time.
                                                       

                                                    License Conditions

                                                    1. The Central Bank shall grant a License to a Card Scheme under this Article (18) upon the fulfilment of the following conditions:
                                                       
                                                      7.1. the Central Bank has been provided with all necessary documents and information as it may request, in the form and within the timeframe specified by it, to allow it to assess the adequacy, efficiency and soundness of a Card Scheme, including:

                                                        7.1.1. the business model and business strategy;

                                                        7.1.2. the corporate governance structure;

                                                        7.1.3. the Management contact details;

                                                        7.1.4. the ownership and Group structure;

                                                        7.1.5. the financial and operational resources; and

                                                        7.1.6. the description of key risks, including conduct of business and money laundering and terrorist financing risks;

                                                      7.2. the Management of the Card Scheme fulfil the fit and proper requirements specified by the Central Bank, including that each member of Management:

                                                        7.2.1. possesses the necessary knowledge, skills, and experience;

                                                        7.2.2. has a record of integrity and good repute;

                                                        7.2.3. has sufficient time to fully discharge the responsibilities under this Regulation and Level 2 Acts; and

                                                        7.2.4. has a record of financial soundness.
                                                           

                                                    Reporting Requirements

                                                    1. A Card Scheme that has been granted a License shall:
                                                       
                                                      8.1. report to the Central Bank the information contained in Annex III on a quarterly basis;

                                                      8.2. provide additional information or become subject to more frequent reporting, as deemed necessary by the Central Bank; and

                                                      8.3. report immediately any changes that affect or are likely to affect its business model or financial viability, or which may otherwise be deemed to be material in nature such as significant increase or decrease in transaction volumes.
                                                         

                                                    Ongoing Requirements

                                                    Governance

                                                    1. The Board and Management of a Card Scheme shall be responsible for ensuring that a licensed Card Scheme has an internal control framework that is adequate to establish a properly controlled operating environment for the conduct of its business, taking into account its risk profile.
                                                       
                                                    2. Management shall be responsible for developing an internal control framework that identifies, measures, monitors and controls all risks faced by the Card Scheme.
                                                       
                                                    3. Licensed Card Schemes shall have organizational structures that incorporate a “three lines of defense” approach comprising the business lines, the support and control functions and an independent internal audit function.
                                                       

                                                    Compliance Function

                                                    1. The Board shall be responsible for ensuring that a Card Scheme has an independent, permanent and effective compliance function to monitor and report on observance of all applicable laws, regulations and standards and on adherence by staff and members of the Board to legal requirements, proper codes of conduct and policy on conflicts of interest.
                                                       
                                                    2. The Card Payment Scheme shall have a Board-approved compliance policy that is communicated to all staff specifying the purpose, standing and authority of the compliance function within the Card Scheme.
                                                       
                                                    3. Card Schemes shall establish appropriate policies, procedures and controls pertaining to the internal reporting by their Management and staff of suspicious transactions, including the provision of the necessary records and data, to the designated Anti-Money Laundering and Combating the Financing of Terrorism compliance officer for further analysis and reporting decisions. Card Schemes shall report transactions to the competent authority when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime.
                                                       

                                                    Internal Audit Function

                                                    1. The Board shall be responsible for ensuring that the Card Scheme has an independent, permanent and effective internal audit function commensurate with the size, nature of operations and complexity of its organization.
                                                       
                                                    2. The internal audit function shall provide independent assurance to the Board and Management on the quality and effectiveness of the Card Scheme’s internal controls, risk management, compliance, corporate governance, and the systems and processes created by the business units, support and control functions.
                                                       
                                                    3. The Card Scheme shall have an internal audit charter approved by the Board audit committee that articulates the purpose, standing and authority of the internal audit function within the Card Scheme.
                                                       

                                                    Risk Management

                                                    1. Card Schemes shall have an adequately resourced risk management function headed by a chief risk officer or equivalent. The function shall be independent of the management and decision-making of the Card Scheme’s risk-taking functions. The risk management function shall include policies, procedures, systems and controls for monitoring and reporting risks, and to ensure that risk exposures are aligned with the entity’s strategy and business plan.
                                                       

                                                    Risk Strategy

                                                    1. Card Schemes shall have a clearly defined business strategy, risk appetite and defined corporate culture that has been approved by the Board and reviewed at least annually. Management shall ensure full compliance of this articulated strategy across all business lines and the Board will be ultimately responsible for such compliance.
                                                       

                                                    Information Security

                                                    1. A Card Scheme shall apply and meet at a minimum the Payment Card Industry Data Security Standard (‘PCI DSS’) and UAE Information Assurance Standards, as may be amended from time to time.
                                                       
                                                    2. A compliance report regarding the Card Scheme’s adherence to the standards referred to in paragraph (20) shall be presented to the Board at least annually as well as transmitted to the Central Bank.
                                                       
                                                    3. In the case of a Data Breach, the Card Scheme shall notify the Central Bank without undue delay and not later than (72) hours after having become aware of such Data Breach.
                                                       

                                                    Disaster Recovery and Business Continuity Management

                                                    1. Card Schemes shall have disaster recovery and business continuity plans in place to ensure their ability to operate on an ongoing basis and limit losses in the event of a severe business disruption. Such plans must be commensurate with the risk profile, nature, size and complexity of the Card Scheme’s business and structure and take into account different scenarios to which the Card Scheme may be vulnerable.
                                                       
                                                    2. Disaster recovery and business continuity plans shall ensure that critical business functions of the Card Scheme can be maintained and recovered in a timely manner to minimize the financial, legal, regulatory, reputational and other risks that may arise from a disruption.
                                                       
                                                    3. The Board shall ensure there is a periodic independent review of the Card Scheme’s disaster recovery and business continuity plans to ensure adequacy and consistency with current operations, risks and threats, recovery levels and priorities.
                                                       

                                                    Risk Assessment

                                                    1. Card Schemes shall regularly assess risks through the identification of new risks, measurement of known risks and prioritization of risks through thorough understanding of the business and the market.
                                                       

                                                    Risk Mitigation

                                                    1. Card Schemes shall mitigate risks through the implementation of:
                                                       
                                                      1. 27.1. risk mitigation programs and technologies;
                                                         
                                                      2. 27.2. the effective management of risk principles; operation with risk management in mind; and
                                                         
                                                      3. 27.3. outsourcing of risk functions that cannot be performed in-house.
                                                         

                                                    Monitoring

                                                    1. Card Schemes shall perform regular monitoring of all risks and mitigation programs on at least an annual basis to ensure the robustness of the risk management procedures and programs. Continuous monitoring reports, including dashboards, shall be presented to the Management and the Board to ensure that all levels of management are aware of the current risk situation, including potential fraud, in the Card Scheme.
                                                       

                                                    Assurance

                                                    1. Card Schemes shall give assurance to all stakeholders through external and internal audits.
                                                       

                                                    Winding Down

                                                    1. Where a Card Scheme intends to terminate its operation in the State, it shall obtain an approval from the Central Bank to this effect.
                                                       
                                                    2. A Card Scheme shall notify the Central Bank in advance of (3) months from the intended termination of its operations, and provide an orderly wind-down plan.
                                                       

                                                    Supervisory Examinations

                                                    1. The Central Bank may conduct periodic examinations of the operation of Card Schemes to ensure their financial soundness and compliance with the requirements of this Regulation and Level 2 Acts.
                                                       
                                                    2. Card Schemes shall provide the Central Bank with full and unrestricted access to their accounts, records and documents, and shall supply such information and facilities as may be required to conduct the examination referred to in paragraph (32).
                                                       

                                                    Fees and Charges

                                                    1. The Central Bank has the right to receive information on any fees and charges of Card Schemes and regulate such fees and charges as it considers appropriate.
                                                       
                                                    2. The Central Bank may publicly disclose the fees and charges of Card Schemes referred to in paragraph (34).
                                                       
                                                  • Article (19): Access to the Wages Protection System

                                                    Eligibility and Conditions

                                                    1. Payment Service Providers are eligible to apply to the Central Bank to participate in, and be given access to, the Wages Protection System. They shall be given access to the Wages Protection System subject to an approval granted by the Central Bank.
                                                       
                                                    2. To allow wages to be credited to an account that can store and maintain the funds, Payment Service Providers may engage with an SVF scheme or a Bank for the provision of such account. Payment Service Providers that apply for participation in and access to the Wages Protection System shall demonstrate, among other things, that they have stringent security measures put in place so as to minimize the risks to the Wages Protection System.
                                                       
                                                    3. Upon being given access to the Wages Protection System, Payment Service Providers shall be entitled to open WPS Payment Accounts.
                                                       
                                                    4. The requirements in this Article (19) are without prejudice to other requirements of this Regulation to which Payment Service Providers are subject.
                                                       

                                                    Obligations

                                                    1. Payment Service Providers that have been given access to the Wages Protection System under paragraph (1) shall:
                                                       
                                                      1. 5.1. organize marketing campaigns targeting the unbanked and underbanked segments with the objective of educating WPS Payment Account Holders on the benefits and risks associated with the services provided by the Payment Service Providers;
                                                         
                                                      2. 5.2. conduct workshops with the objective of raising awareness of Employers on the salary information file (SIF) format to be submitted, penalties and related procedures and regulatory requirements;
                                                         
                                                      3. 5.3. ensure that they provide WPS Payment Account Holders with a transaction statement in a timely manner;
                                                         
                                                      4. 5.4. execute the payments to WPS Payment Account Holders in a timely manner and acknowledge such execution in accordance with the WPS Rulebook;
                                                         
                                                      5. 5.5. not hold WPS Payment Account Holders liable for any fraudulent or Unauthorized Payment Transactions, and shall guarantee the full amount of funds; and
                                                         
                                                      6. 5.6. provide a dedicated Retail Payment Service User service and complaints team for WPS Payment Account Holders that are separate from the equivalent teams servicing other Retail Payment Services that may be provided by the Payment Service Providers.
                                                         
                                                    2. Payment Service Providers that fail to comply with the requirements of paragraph (5.4) shall be subject to the penalties specified in the WPS Rulebook.
                                                       
                                                    3. The Central Bank may request from the Payment Service Providers that have been given access to the Wages Protection System under paragraph (1) to:
                                                       
                                                      1. 7.1. prepare and provide quarterly reports on the average Payment Transactions value per WPS Payment Account Holder; and
                                                         
                                                      2. 7.2. prepare and provide quarterly reports on the number of WPS Payment Account Holders being serviced.
                                                         
                                                  • Article (20): Enforcement and Sanctions

                                                    Violation of any provision of this Regulation or committing any of the violations provided for under the Central Bank Law may subject the Payment Service Provider or Card Scheme to administrative and financial sanctions and penalties as deemed appropriate by the Central Bank.

                                                  • Article (21): Transition Period

                                                    A one-year transitional period will commence on the date this Regulation comes into force. The Central Bank may order the cessation of provision of the Retail Payment Services or the operations of the Card Scheme if the Payment Service Provider or the Card Scheme concerned has not obtained the relevant License from the Central Bank before the end of the transition period. The Central Bank may extend the transition period for the Applicant at its own discretion.

                                                  • Article (22): Interpretation of Regulation

                                                    The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

                                                  • Article (23): Publication & Application

                                                    1. This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication. In case of any discrepancy between the Arabic and the English, the Arabic version will prevail.

                                                  • Annex I: Retail Payment Services

                                                    1. Payment Account Issuance Service
                                                       
                                                    2. Payment Instrument Issuance Service
                                                       
                                                    3. Merchant Acquiring Service
                                                       
                                                    4. Payment Aggregation Service
                                                       
                                                    5. Domestic Fund Transfer Service
                                                       
                                                    6. Cross-border Fund Transfer Service
                                                       
                                                    7. Payment Token Service
                                                       
                                                    8. Payment Initiation Service
                                                       
                                                    9. Payment Account Information Service
                                                       
                                                  • Annex II: Guidance on the Best Practices for Technology Risk and Information Security

                                                    The following best practices will enable Payment Service Providers to operate adaptive and responsive cyber resilience processes. Payment Service Providers are encouraged to discuss and consider their application to improve their technology risk, information security and cyber resilience preparedness.

                                                    Technology Risk

                                                    An incident management framework with sufficient management oversight to ensure effective incident response and management capability to deal with significant incidents properly should include:

                                                    1. (i) timely reporting to the Central Bank of any confirmed technology-related fraud cases or major security breaches, including cyberattacks, cases of prolonged disruption of service and systemic incidents where Retail Payment Service Users suffer from monetary loss or Retail Payment Service Users’ interests are being affected (e.g. data leakage); and
                                                       
                                                    2. (ii) a communication strategy to address the concerns any stakeholders may have arising from the incidents and restore the reputational damage that the incidents may cause.
                                                       

                                                    Change Management

                                                    Payment Service Providers whose monthly average value of Payment Transactions amounts to (10) million Dirham or above are encouraged to:

                                                    1. (i) develop a formal change management process to ensure the integrity and reliability of the production environment and that the changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems and other IT facilities and equipment, are proper and do not have any undesirable impact on the production environment. Formal procedures for managing emergency changes (including the record keeping and endorsement arrangement) should also be established to enable unforeseen problems to be addressed in a timely and controlled manner; and
                                                       
                                                    2. (ii) adequately and accurately document control procedures and baseline security requirements, including all configurations and settings of operating systems, system software, databases, servers and network devices. They are also expected to perform periodic reviews on the compliance of the security settings with the baseline standards.
                                                       

                                                    Project Life Cycle

                                                    A full project life cycle methodology governing the process of developing, implementing and maintaining major computer should be established.

                                                    Where a software package is acquired from vendors, a formal software package acquisition process should be established to manage risks associated with acquisitions, such as breach of software license agreement or patent infringement.

                                                    Quality assurance reviews of major technology-related projects by an independent party, with the assistance of the legal and compliance functions should be conducted.

                                                    IT Governance

                                                    A set of IT control policies that fits the business model and technology applications should be implemented. The IT control policies which establish the ground rules for IT controls should be formally approved by Management and properly implemented among IT functions and business units. Processes used to verify compliance with IT control policies and the process for seeking appropriate approval by Management for dispensation from IT control policies should also be clearly specified, and consequences associated with any failure to adhere to these processes should be effected.

                                                    Security Requirements

                                                    Guidelines and standards for software development are adopted with reference to industry generally accepted practices on secure development. Source code reviews (e.g. peer review and automated analysis review), which could be risk-based, as part of a software quality assurance process should be conducted.

                                                    Formal testing and acceptance processes should be conducted to ensure that only properly tested and approved systems are promoted to the production environment. The scope of tests covers business logic, security controls and system performance under various stress-load scenarios and recovery conditions.

                                                    Segregated environments for development, testing and production purposes should be maintained. System testing and user acceptance testing (UAT) should be properly carried out in the testing environment. Production data should not be used in development or acceptance testing unless the data has been desensitized and prior approval from the information owner has been obtained.

                                                    A segregation of duties among IT teams should be introduced. Developers should not be permitted to access production libraries and promote programming code into the production environment. If automated tools are used for the promotion of programming code, adequate monitoring, reviews and checks by independent teams should be done. Vendor accesses to the UAT environment, if necessary, should be closely monitored.

                                                    An inventory of end-user developed applications and where necessary, control practices and responsibilities with respect to end-user computing to cover areas such as ownership, development standards, data security, documentation, data/file storage and backup, system recovery, audit responsibilities and training should be established.

                                                    A problem management process to identify, classify, prioritize and address all IT problems in a timely manner should be established. It should perform a trend analysis of past incidents regularly to facilitate the identification and prevention of similar problems.

                                                    Network and Infrastructure Management

                                                    Network security devices such as firewalls at critical junctures of its IT infrastructure should be installed to secure the connection to untrusted external networks, such as the Internet and connections with third parties.

                                                    Where mobile devices are provided to employees, policies and procedures covering, among others, requisition, authentication, hardening, encryption, data backup and retention should be established.

                                                    Adequate measures to maintain appropriate segregation of databases for different purposes to prevent unauthorized or unintended access or retrieval and robust access controls should be enforced to ensure the confidentiality and integrity of the databases. In respect of any Personal Data of Retail Payment Service Users, including Merchants, the relevant data protection laws as well as any relevant codes of practice, guidelines or best practice issued by the Central Bank or any other relevant authorities should be assessed from time to time.

                                                    Access to the information and application systems should be restricted by an adequate authentication mechanism associated with access control rules. A role-based access control framework should be adopted and access rights should be granted on a need-to-have basis.

                                                    Cyber Security Risk

                                                    The trends in cyber threats should be considered, including subscribing to quality cyber threat intelligence services, which are relevant to the provision of Retail Payment Services to enhance ability to precisely respond to new types of threats in a timely manner. The Payment Service Provider may also seek opportunities to collaborate with other organizations to share and gather cyber threat intelligence with the aim of facilitating the Retail Payment Services industry to better prepare and manage cyber security risks.

                                                    Monitoring or surveillance systems to ensure being alerted to any suspicious or malicious system activities such as multiple sessions of same account from different geographic locations should be carried out. Real-time monitoring of cyber events for critical systems should be performed to facilitate the prompt detection of anomalous activities.

                                                    Close attention should be paid to evolving risks related to accessing critical IT infrastructure and appropriate measures are accordingly taken.

                                                    Payment Acceptance Devices

                                                    Retail Payment Service User devices should be assumed to be exposed to security vulnerabilities and appropriate measures when designing, developing and maintaining Retail Payment Services should be taken. Security measures to guard against different compromising situations, including unauthorized device access, malware or virus attack, compromised or unsecure status of mobile device and unauthorized mobile applications should be taken.

                                                    Where Merchants use mobile devices to accept a Payment Service Provider’s Retail Payment Services, additional security measures should be implemented to safeguard the mobile payment acceptance solution, including the detection of abnormal activities and logging them in reports, and the provision of Merchant identification for Retail Payment Service Users to validate identity.

                                                    Retail Payment Service User Authentication

                                                    Retail Payment Service User authentication based on a multi-factor authentication by combining any two or more of the following three factors is adopted:

                                                    1. (i) verification information that a Retail Payment Service User knows (e.g. user IDs and passwords);
                                                       
                                                    2. (ii) verification information a Retail Payment Service User has provided or possesses (e.g. one-time passwords generated by a security token or a Payment Service Provider’s security systems); and
                                                       
                                                    3. (iii) physical verification information belonging to a Retail Payment Service User (e.g. retina, fingerprint or voice recognition).
                                                       

                                                    If a password (including a personal identification number) is used as one factor of authentication, adequate controls related to the strength of the password (e.g. minimum password length) should be put in place.

                                                    Login attempts and session management

                                                    Robust log files allowing retrieval of historical data including a full audit trail of additions, modifications or deletions of transactions are provided. Access to such tools, including privileged responsibilities, should only be available to authorized personnel and is appropriately logged.

                                                    Retail Payment Service Users should be provided with channels to check their Past Payment Transactions.

                                                    Fraud Detection Systems

                                                    Payment Transaction monitoring mechanisms designed to prevent, detect and block fraudulent Payment Transactions should be operated by Payment Service Providers providing Payment Token Services and Payment Service Providers whose monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above. Suspicious or high-risk transactions are subject to a specific screening, filtration and evaluation procedure.

                                                  • Annex III: Information to be Reported by Card Schemes in English and Arabic

                                                    I. ATM data:

                                                    | Field Name | Max Size | Type | Field Details |
                                                    | --- | --- | --- | --- |
                                                    | Primary Account Number (PAN) | 16-19 | Numeric | PAN is a series of digits used to identify a Retail Payment Service User account or relationship |
                                                    | Transaction Code | 2 | Numeric | Transaction Code - 31 (Balance Enquiry), 01 (Cash Withdrawal). |
                                                    | Transaction Amount | 12 | Numeric | Transaction amount gives the value of the funds requested by the cardholder in the local currency of the acquirer or source location of the transaction. |
                                                    | Transaction Currency Code | 3 | Alphabet (or) Numeric | Identifies the local currency of the acquirer or source location of the transaction. See ISO 4217. |
                                                    | Transmission Date and Time | 10 | Numeric | MM/DD/hh/mm/ss format. The date used is the current calendar day in Greenwich Mean Time (GMT) that the transaction occurred (not Business Day) |
                                                    | Systems Trace Audit Number | 6 | Numeric | Contains a number assigned by the transaction acquirer to identify uniquely a transaction. The trace number remains unchanged for all messages throughout the life of the transaction. |
                                                    | Merchant’s Type | 4 | Numeric | Contains the classification of the merchant's type (ATM/web/etc) of business product or service. |
                                                    | Acquiring Institution Country Code | 3 | Numeric | Contains the code of the country where the acquiring institution is located (see ISO 3166) |
                                                    | Point of Service Entry Mode | 3 | Numeric | Contains two numeric to indicate the method by which the primary account number was entered into the system and one numeric to indicate the PIN entry capabilities. |
                                                    | Acquiring Institution Identification Component | 11 | Numeric | Contains a code identifying the acquiring institution (e.g. merchant bank) or its agent. |
                                                    | Card Acceptor Name/Location | 40 | Alpha Numeric Special Char | Contains the name and location of the card acceptor (i.e. the merchant or ATM). |
                                                    | Card Acceptor Terminal Identification | 15 | Alpha Numeric Special Char | Contains a unique code identifying a terminal at the card acceptor location. |
                                                    | Authorization Identification Response | 6 | Alpha Numeric | Contains the response identification assigned by the authorizing institution. This field is often referred to as "auth-code". |
                                                    | Response Code | 2 | Alpha Numeric | Contains a code, which defines the disposition of a message. |


                                                     

                                                    II. PoS data:

                                                    | Field Name | Max Size | Type | Field Details |
                                                    | --- | --- | --- | --- |
                                                    | Primary Account Number (PAN) | 16-19 | Numeric | PAN is a series of digits used to identify a Retail Payment Service User account or relationship |
                                                    | Transaction Code | 2 | Numeric | Transaction Code - 00 (Purchase/Sale), 20 (Refund), 31 (Balance Enquiry). |
                                                    | Transaction Amount | 12 | Numeric | Amount of funds requested by the cardholder. |
                                                    | Transaction Currency Code | 3 | Numeric | Code that indicates the local currency of the acquirer or source location of the transaction. This defines the currency that applies to the transaction amount. |
                                                    | Transmission Date and Time | 10 | Numeric | MMDDhhmmss format. Generated and sent by the message initiator. It is expressed in GMT. |
                                                    | Systems Trace Audit Number | 6 | Numeric | Unique identifier assigned to the transaction by the message sender. It remains unchanged for all messages within a transaction between the two parties. This is used to provide an audit trail for every message sent by the acquirer for a given business date. |
                                                    | Merchant Category Code | 4 | Numeric | Contains the classification of the merchant's type of business product or service. |
                                                    | Acquiring Institution Country Code | 3 | Numeric | Contains the code of the country where the acquiring institution is located (see ISO 3166) |
                                                    | Point of Service Entry Mode | 3 | Numeric | Contains two numeric to indicate the method by which the primary account number was entered into the system and one numeric to indicate the PIN entry capabilities. |
                                                    | POS Condition Code | 2 | Numeric | Contains an identification of the condition under which the transaction takes place at the point of service. 00 - Normal Presentment; 59 - eCommerce |
                                                    | Authorization Identification Response | 6 | Alpha Numeric | Contains the response identification assigned by the authorizing institution. This field is often referred to as "auth-code". |
                                                    | Card Acceptor Terminal ID | 16 | Alpha Numeric Special Char | Unique code identifying the terminals at the acquirer location |
                                                    | Card Acceptor Identification Code | 15 | Alpha Numeric Special Char | Unique code identifying the card acceptor |
                                                    | Card Acceptor Name and Location | 40 | Alpha Numeric Special Char | Used to hold the name and location of the card acceptor as known to the cardholder. |
                                                    | Response Code | 2 | Alpha Numeric | Contains a code, which defines the disposition of a message. |


                                                     

                                                    III. Fraud data:

                                                    Field Name | Max Size | Type | Field Details
                                                    Primary Account Number (PAN) | 16-19 | Numeric | PAN is a series of digits used to identify a Retail Payment Service User account or relationship.
                                                    Transaction Code | 2 | Numeric | Transaction Code - 00 (Purchase/Sale), 20 (Refund), 31 (Balance Enquiry).
                                                    Transaction Amount | 12 | Numeric | Amount of funds requested by the cardholder.
                                                    Transaction Currency Code | 3 | Numeric | Code that indicates the local currency of the acquirer or source location of the transaction. This defines the currency that applies to the transaction amount.
                                                    Transmission Date and Time | 10 | Numeric | MMDDhhmmss format. Generated and sent by the message initiator. It is expressed in GMT.
                                                    Systems Trace Audit Number | 6 | Numeric | Unique identifier assigned to the transaction by the message sender. It remains unchanged for all messages within a transaction between the two parties. This is used to provide an audit trail for every message sent by the acquirer for a given business date.
                                                    Merchant Category Code | 4 | Numeric | Contains the classification of the merchant's type of business product or service.
                                                    Acquiring Institution Country Code | 3 | Numeric | Contains the code of the country where the acquiring institution is located (see ISO 3166).
                                                    Point of Service Entry Mode | 3 | Numeric | Contains two numeric to indicate the method by which the primary account number was entered into the system and one numeric to indicate the PIN entry capabilities.
                                                    POS Condition Code | 2 | Numeric | Contains an identification of the condition under which the transaction takes place at the point of service. 00 - Normal Presentment; 59 - eCommerce.
                                                    Authorization Identification Response | 6 | Alpha Numeric | Contains the response identification assigned by the authorizing institution. This field is often referred to as "auth-code".
                                                    Card Acceptor Terminal ID | 16 | Alpha Numeric Special Char | Unique code identifying the terminals at the acquirer location.
                                                    Card Acceptor Identification Code | 15 | Alpha Numeric Special Char | Unique code identifying the card acceptor.
                                                    Card Acceptor Name and Location | 40 | Alpha Numeric Special Char | Used to hold the name and location of the card acceptor as known to the cardholder.
                                                    Response Code | 2 | Alpha Numeric | Contains a code, which defines the disposition of a message.
        • Mortgage loans & Personal loans

          • Bank Loans & Other Services Offered to Individual Customers

            • Regulation No. 29/2011 Regarding Bank Loans & Other Services Offered to Individual Customers

              C 29/2011 Effective from 29/3/2011

               

              This regulation has been amended and clarified by the following notices respectively (E 28/02/2011), (N 2705/2012), (N 4501/2011), (N 13/1187/2013), (N 22/2017), (N 193/2018), (N 3986/2019), (N 5060/2019) and (N 2535/2022). You are viewing the latest version.
              Version 2 (consolidated as of 24/06/2022)
              Version 1 (effective from 29/03/2011)
              • Introduction

                Following review of reports on loans and other services offered to individual customers, and banks' responses to the questionnaire previously sent, titled "Personal Consumer Loans", and pursuant to provisions of article nos. (5), (18), (94) and (96) of Union Law No (10) of 1980, Regarding the Central Bank, the Monetary System & Organization of Banking, the Central Bank has decided that all banks must abide by the provisions of these regulations, at all times.

              • Objective

                The objective of these regulations is to determine the relationship between banks (conventional and Islamic) and finance companies on the one hand, and their individual customers on the other, in a more transparent manner, so as to boost confidence in banks and finance companies and enhance credibility of the banking system.

              • Article (1) Definitions

                a) Bank Transfer: Transferring funds electronically from one account to another, whether inside the UAE or to an account abroad.

                b) Bank's Cheque: A manager's cheque, or a cheque where the bank is the drawer and the beneficiary is an individual, an establishment, a commercial company or a government institution, inside or outside the UAE.

                c) Bank Guarantees: Guarantees issued by banks on behalf of their customers (including retail customers), which are usually payable upon first demand by the beneficiary.

                d) Debit Cards: Cards similar to credit cards, except that purchases and withdrawals charged to them are immediately deductible from the account.

                e) Prepaid Cards: Cards filled with value, where purchases and withdrawals are deducted from the stored value until depleted (or fully exhausted).

                f) Top-Up Loan: An additional loan obtained by the borrower from the lending bank or finance company, prior to full repayment of the outstanding loan.

                g) Commissions: Rates charged against particular banking services rendered by banks.

                h) Fees: Rates charged against particular banking services, commitments or obligations.

                i) Deductions: Deductions or debits to bank accounts against banking services.

                j) Deductible Charges: Charges to accounts against banking services.

              • Article (2) Personal Loan

                a) Personal Loan: Is "a loan that is given to individual customers, where repayments are made out of salary and end of service indemnity and/or any other verifiable regular income from a well-defined source".

                b) Personal Loan's Limit: Amount of the personal consumer loan has been set at (20) twenty times the salary or the total income of the borrower, and banks and finance companies must make sure that this limit is not exceeded.

                c) Repayment Period: The repayment period for this loan must not exceed (48) months.

                d) In order to ensure that the monthly installments deducted for repayment of this loan and resulting interest are kept in a reasonable proportion to the customer’s income, the deductions from his salary and/or regular income must not exceed the limits specified under Article (7) of these Regulations.

                e) Loans extended to sole proprietorship firms and companies, secured by salary of the owner or salaries of the partners shall be treated the same way this loan is treated, and shall be subject to the same terms and conditions.

                f) This loan shall be extended as per an application by the customer to be approved by the bank or the finance company, and it should be drafted in the manner set out in Article (12) hereof.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. These regulations apply to personal facilities viz. loans, overdrafts, car loans and credit cards extended to individuals which are repayable from salary, end of service indemnity and/ or other verifiable regular income from a well defined source.
                2. It should be ensured that the borrowers’ salary and end of service benefits are properly ascertained from the employer. If the facility is partly or fully given against other income, it should be from a well defined source and its full details should be obtained.
                3. In case of borrowers with heavy personal commitments and lower disposable income or uncertain employment/ job prospects, banks may not allow facilities up to the upper limit of 20 times salary and/ or the total income, repayable within 48 months despite meeting the specified criteria.
                4. For sound loan decisions, banks should have clear policy guidelines on issues which have direct bearing on the quality of risk and repayment of the loan.
                5. If a customer avails of a lower amount than his eligibility or there is significant increase in his income level in subsequent months due to promotion etc., banks may reassess his eligibility after proper verification. In such a case, either the existing loan is enhanced or a new loan is set up (without disturbing the existing loan).
                6. If other income is the main or supplementary source of repayment, it should be ensured that such income is from a known regular source and that the borrower has produced documentary evidence of such income.
                7. Besides personal facilities against salary and other income as above, banks may extend loans and overdrafts against lien over fixed deposits held with them.
              • Article (3) Car Loan

                a) Car Loan: Is a loan extended by the bank or the finance company to its customer for the purpose of purchasing a private car.

                b) Car loan shall be treated as separate from the personal consumer loan, and should not exceed (80%) eighty percent of the value of the financed vehicle.

                c) Repayment Period: The maximum period for repayment of the loan shall be (60) months.

                d) Security: This loan should be secured by a mortgage over the car.

                e) Car loans extended to sole proprietorship firms and companies, secured by salary of the owner or salaries of the partners shall be treated the same way this loan is treated, and shall be subject to the same terms and conditions.

                f) This loan shall be extended as per an application by the customer and approved by the bank or the finance company, and it should be drafted in the manner set out in Article (12) of these Regulations.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. Banks may finance passenger new and used cars to the extent of 80% of their value. Financing of commercial vehicles is outside the purview of these regulations unless repayment of the loan is from the salary of the customer and other laid down criteria are satisfied.
                2. Financing of operating leases to individuals would not be considered as car finance and would not fall within these regulations.
                3. Car loans may be allowed in addition to the personal loan as above but within the 50% of gross salary and any regular income as explained in Article (7).
              • Article (4) Overdraft Facilities

                a) Overdrafts: Are "facilities linked to customers accounts, and are provided by banks for payment on their behalf, in advance. This usually results in a negative balance in the customers' accounts, which would require deposit of funds to cover that balance plus resulting interest and deductions".

                b) Overdraft facilities extended to sole proprietorship firms and companies, secured by salary of the owner or salaries of the partners shall be treated the same way these facilities are treated, and shall be subject to the same terms and conditions.

                c) To obtain such facilities, there should be pre-arrangements between the customer and the bank. The customer must submit his application, which shows the purpose of the facilities, the expected repayment period and the sources of repayment, in accordance with the form set out in Article (12) of these Regulations.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. Overdraft limits will be counted within 20 times salary as specified for the personal loans under Article (2) above.
                2. Islamic banks may allow overdraft facilities by whatever name described in accordance with Shariaah principles, without violating the upper limits and other requirements of these regulations.
              • Article (5) Credit Cards

                a) Credit Cards: Are "Plastic cards linked to an electronic network, containing details and credit limit of the card holder. Value of a customer's purchases and cash withdrawals are paid on his behalf by the issuing bank or the finance company, and the customer pays the value at the beginning of the month following the transactions' month, or by installments as per agreement with the issuing bank or finance company, after end of the period allowed for full payment of the balance".

                b) Credit cards shall be issued to customers of the bank or the finance company, and may be issued to non-customers, in which case customer statistical data, as residents or non-residents, must be recorded separately.

                c) Banks and finance companies issuing such cards must abide by the following:

                1. Provide these cards to persons whose annual income equals or exceeds AED 60,000.

                2. These cards may be provided against a pledged deposit of value not less than AED 60,000.

                d) Banks or finance companies should provide their credit card customers with a monthly statement of expenses, showing values of purchases and cash withdrawals, and they should immediately investigate if a customer challenges any expense item.

                e) Credit card facilities for the unpaid balances of these cards provided to sole proprietorship firms and companies and secured by salary of the owner or salaries of the partners shall be treated the same way these facilities are treated, and shall be subject to the same terms and conditions.

                f) Provisions of the agreement for providing credit cards, signed by the customer, should be in accordance with the form set forth in Article (12) of these Regulations.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. In order to ensure that credit cards are issued to creditworthy individuals, a mandatory minimum income level of AED 60,000 per annum has been stipulated. Banks may fix the limits within the policy as stated in this regulation.
                2. Those not meeting the above income criteria are required to place a pledged deposit of not less than AED 60,000 with the bank for issuance of credit card. However such persons may be permitted credit facility besides credit card provided aggregate of credit facility and credit card limit do not exceed 50% of the pledged deposit.
                3. Credit card limit is allowed as additional facility but repayment of outstandings must remain within 50% of gross salary and any regular income as explained in Article (7).
                4. Banks may encourage greater use of debit cards for the customers who are not found to be eligible for issuance of credit card.
                5. If the cards have been issued to non-customers, banks should compile statistical data separately for residents and non-residents and review them from time to time.
                6. Banks will take particular care in respect of credit cards issued to non-residents.
              • Article (6) Interest

                Computation of Interest

                a) Each bank or finance company must calculate the interest rate charged for the loans mentioned under article nos. (2) and (3) and overdraft facilities (Article 4, in case of banks only) as well as unpaid credit card balances (Article 5), in accordance with the following formula:

                b) All banks and finance companies must declare their respective interest rates on loans, overdraft balances (in case of banks only), and balances due for credit cards within the table. The rate shall be determined on basis of the reducing balance of the loan on annual basis and included in the display board mentioned in Article (11) of these Regulations.

                c) "Interest Amount" on loans and overdraft balances shall be determined on basis of the formula mentioned under (a) above.

                d) Deduction of a ratio of the loan in advance as the payable interest amount is prohibited. The formula mentioned under (a) above should be used to calculate the first interest amount, and then interest amount shall be calculated on the reducing balance of the loan by using the following simple equation:

                e) Banks and finance companies must arrive at the "Interest Amount" and deduct it from the agreed monthly installment, then use the net amount to reduce the loan balance and reach "the new balance of the loan at the beginning of the month" which would, in turn, be used in the calculation process at the end of the following month.

                f) With regard to calculation of interest amount on credit cards due balances, these shall only be calculated for the outstanding balance after the maturity date for its full payment; i.e., in the month following the month on which the purchases and withdrawals have occurred. Interest amount must then be calculated as per the equation mentioned under (a) above and in accordance with the rates declared on the display board mentioned under Article (11) of these Regulations.

                g) A bank or a finance company shall determine the penalty rate in the event of full or partial prepayment before maturity date, or in case of a top-up loan. However, a top-up loan should not be granted unless the original loan was repaid, without default, for a period not less than one year, and in this case the rate shall be declared in the table mentioned in Annex-2.

                 

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. Method of interest calculation has not been changed from the earlier Circular No 12/93. Banks should continue to follow reducing balance method, by taking a year of 365 days. However they must ensure that effective interest rate on per annum basis is disclosed to the customer, displayed on the Board, it is used for calculation and specified in the loan documentation.
                2. While reducing balance method of interest calculation will be followed on personal and car loans, average daily outstanding balances will form the basis for interest calculation in all cases.
                3. In case of credit cards, the banks may continue to follow the global practice where no interest/ finance charges are levied on the outstanding balance (excluding cash advance transactions) when the new balance outstanding shown in the statement is paid in full by the Payment Due Date. Finance/ interest charges on cash advance may be applied from the transaction date till final repayment.
                4. Within the above broad framework, Islamic banks may vary display of interest rates or use appropriate terminology as permitted under the Shariaah.
                5. Any bank advertising or propagating ‘Flat’ interest rate must invariably state the equivalent effective rate side by side.

                 

              • Article (7) Repayment Installments

                a) Deductions from salary or regular income of any borrower, for all types of loans extended by banks and finance companies together, including, but not necessarily restricted to, car and private housing loans, overdraft facilities, and credit cards facilities, must not exceed 50% (fifty percent) of his gross salary, and any regular income from a defined and specific source at any time.

                b) Should a loan or a banking facility's repayment period extend to the retirement age, banks and finance companies must schedule reduction of these loans or facilities in such way as to allow deduction of only 30% of the income (or pension salary).

                c) Banks and finance companies may only take from the customer the number of postdated cheques covering the installments, and of value not exceeding 120% of value of the loan or the debit balance.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. All the lenders are obliged to carry out proper due diligence to ascertain the applicants’ liabilities and income sources so that total installments including payments on account of credit card do not exceed 50% of their gross salary and other regular income.
                2. Personal loans will be setup for a maximum tenor of 48 months. However if a borrower retires before full repayment, his loan will be restructured from the date of retirement so that his total repayments do not exceed 30% of income (or pension salary).
                3. Existing loans will continue in accordance with the present arrangement and documentation. However no top ups, deferrals or rescheduling will be permitted beyond eligibility in terms of salary multiplier, tenor and repayment percentage.
                4. Banks should formulate specific policy on top ups and rescheduling in order to restrict their frequency. It should be ensured that there is no ‘ever greening’ of loans to disguise problem or delinquent loans.
                5. In case of Islamic banks, they have to ensure that in case of prepayment, adequate rebate is allowed to a customer so that final charge to him does not exceed the level given in Annexure 2 to the Circular.

                Banks are permitted to defer up to two instalments in a year at their discretion. (NOTICE NO. 4501/2011)

              • Article (8) Armed Forces Staff Loans

                In the case of army personnel, the conditions detailed in our Notice No. 1850/2004 dated 14/06/2004 shall continue to apply, but with the following amendments:

                a) The value of installments deducted by the bank (or the finance company) for all types of loans and facilities (personal, commercial, housing, car loan, credit cards and any other loans or facilities) shall not exceed 50% of the borrower's gross salary.

                b) Military ID cards should not be taken, nor photocopied. A certificate issued by the Armed Forces stating gross salary, period of service and that the applicant is still holding his job should suffice.

                c) In case a lending bank or finance company fails to abide by the above, the Armed Forces shall transfer the salary of the concerned Armed Forces staff to any other bank (or finance company) without referring to the bank that extended the loans or facilities.

              • Article (9) Bank Accounts & Related Commissions, Fees and Charges

                a) Bank Accounts are: current accounts, savings accounts, call accounts and the like, as well as accounts set-up for specific purposes.

                b) Commercial banks may open all types of accounts for their retail customers, but in such cases, they must abide by the standard agreement mentioned under Article (12) of these Regulations. In case a customer requests closing of the account and termination of the business relationship with the bank, the bank should do that without imposing a penalty if the account opening date goes back to more than one year. In all cases, an account must be closed and an appropriate certificate must be issued within a maximum of seven (7) days from date of submission of the application.

                c) Banks may set a minimum credit balance for each account, and impose charges if such minimum was not maintained, as specified in Article (11) of this regulation.

                d) None of the opened accounts can be considered "dormant" if the customer's address is known or if the customer is present and has other active accounts with the bank. Accounts are classified as dormant only in accordance with the provisions of these regulations issued by the Central Bank in this regard.

                e) Banks may issue ATM cards, or debit cards linked to any type of these accounts. They may also charge fees for issuance of new cards, replacement of lost cards or renewal of expired cards. However, they must declare these fees in the manner specified in Article (11) of these Regulations.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. Banks may continue with their present practices and internal guidelines to control and monitor dormant accounts. However in no case they should transfer the balance of such accounts to their profit and loss account.
                2. Central Bank is in the process of issuing suitable guidelines in respect of dormant accounts. In the interim, banks may continue to comply with Notice No 24/2000 in respect of dormant accounts and take necessary precautions for operating such accounts.
              • Article (10) Personal Banking Services & the Fees and Commissions Charged on them

                a) Personal Banking Services: are bank transfers, issuance of bank cheques (or manager's cheques) issuance of bank guarantees, opening of documentary credit, discount of cheques of local and foreign banks, issuance of balance certificates, issuance of indebtedness certificates and the like.

                b) All banks and finance companies (finance companies are not permitted to open current, savings or call accounts to retail customers or provide services and facilities relating to such accounts) may provide the personal banking services mentioned in (a) above and collect related commissions and fees, or deduct such fees from the account, however they should declare them in the manner specified in Article (11) of these Regulations.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. Relevant fees, charges and commissions applicable to personal customers have been specified in the Appendices to the Circular. Banks are not allowed to levy any other commissions, fees, charges or fines without Central Bank’s written approval. Banks are however free to reduce or exempt their customers from payment of certain fees and charges at their discretion.
                2. Loans and insurance are separate products. Hence it should be a customer’s choice to select either to pay them together over the period of loan or to pay upfront. Banks should however explain to the customer properly and obtain his concurrence before charging him for the insurance.
                3. List of charges and commissions apply to personal loans, car loans and personal overdrafts. Banks may continue to levy charges and commissions on credit cards as hitherto as no change has been proposed in the regulations.
                4. If there are other important fees and charges applicable to certain segment of customers but left out in the Appendices, these may be submitted for consideration of the Central Bank.
              • Article (11) Interest Rates, Commissions and Banking Service Charges

                a) Each bank or finance company shall determine the interest rates pertaining to personal loans and car loans (must include insurance and expressed in one figure) along with overdraft balances and unpaid credit cards balances and include them in the table shown in Annex-1 of these Regulations. Copy of this table must be sent for publication by the Central Bank.

                b) Fees, commissions, deductions and charges on loans, overdraft balances and unpaid credit card balances and those charged on retail banking services, shall be in accordance with the limits prescribed in the table shown in Annex-2 of these Regulations. Banks and finance companies may not impose any commissions, fees, charges or fines other than those mentioned in the said table without Central Bank's written approval.

                c) Any Fees/commissions on purchase/sale of currency notes, Travelers Cheques, Demand Drafts, and Telegraphic Transfers for major countries must also be clearly written in Arabic and English on a board of an appropriate size to be fixed next to the Foreign Exchange Counter in the banking hall at banks’ branches, as shown in Annex-3 of these Regulations.

                d) The Central Bank shall annually review fees, commissions and charges imposed as per table No-(2) attached to these regulations.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. Relevant fees, charges and commissions applicable to personal customers have been specified in the Appendices to the Circular. Banks are not allowed to levy any other commissions, fees, charges or fines without Central Bank’s written approval. Banks are however free to reduce or exempt their customers from payment of certain fees and charges at their discretion.
                2. Loans and insurance are separate products. Hence it should be a customer’s choice to select either to pay them together over the period of loan or to pay upfront. Banks should however explain to the customer properly and obtain his concurrence before charging him for the insurance.
                3. List of charges and commissions apply to personal loans, car loans and personal overdrafts. Banks may continue to levy charges and commissions on credit cards as hitherto as no change has been proposed in the regulations.
                4. If there are other important fees and charges applicable to certain segment of customers but left out in the Appendices, these may be submitted for consideration of the Central Bank.
              • Article (12) Conditions for Opening of Accounts, Providing of Credit Cards and Granting Loans & Bank Facilities

                a) Conditions for opening of accounts of all types as well as conditions for obtaining credits cards must be included in a standard agreement, drafted in both English and Arabic and written in an easily readable font, and in accordance with texts drafted and approved by the Emirates Banks Association.

                b) Conditions for granting personal loans, car loans, overdraft facilities and facilities for covering unpaid credit card balances must be included in standard applications, drafted in both Arabic and English and written in an easily readable font, and in accordance with texts drafted and approved by the Emirates Banks Association.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. Emirates Banks Association will be providing the banks with standard account opening forms including general terms and conditions and other loan documentation which will be beneficial to various user groups. Pending finalization and introduction of new forms, the banks may continue to use the existing forms as hitherto.
                2. In addition to the above, each bank will also be allowed to define specific terms and conditions which do not require prior approval from the Emirates Banks Association or Central Bank provided these are signed by the customer and do not contravene or contradict any other requirement. These terms will be shown in a separate section along with general terms and conditions.
              • Article (13) Shariaah Compliant Banking Services

                The provisions of these Regulations shall apply to Shariaah compliant banking services, except in the matter of computing interest and determining its amount, which would be done in accordance with Shariaah principles.

                In such case, clarity, transparent disclosure, accuracy and documentation at all times, must all be observed, and copy of the established rates should be sent to the Central Bank for publication.

                Clarifications and Guidelines (Notice No. 2901/2011)

                Islamic banks will be allowed to use certain special terms applicable only to such banks, viz profit, finance, etc. However scheduled rates under different names or descriptions should be in accordance with these regulations and sent to Central Bank for information and publication.

              • Article (14) Violations to the Provisions of These Regulations

                Should suspicions arise as to the violation of provisions of these Regulations by any bank, the matter shall be referred to the Legal Development Unit of the Central Bank to decide whether such violation has occurred. If the violation is established, the fine referred to in Article (107) of Union Law No-(10) of 1980 Regarding the Central Bank, the Monetary System and Organization of Banking, shall be imposed, and shall apply to each violation, and be charged on daily basis to the violating bank, until rectified.

              • Article (15) General Provisions

                a) Banks or finance companies are not allowed to alter or vary terms and conditions for granting the loan or the facility during the tenor of the loan or the facility, unless agreed to in writing by the borrower. In case of changes to the commissions or fees, customers must be notified, at least, two months prior to implementation of such changes.

                b) Banks and finance companies are prohibited from taking blank cheques for granting loans or overdraft facilities, or for issuing credit cards.

                Clarifications and Guidelines (Notice No. 2901/2011)
                1. If a bank uses additional pages to the forms prescribed by the Emirates Banks Association, such sheets containing terms and conditions should be accepted by the borrower under his signature.
                2. Banks are not expected to upgrade a customer’s status whether for his credit card or other similar facility unless his prior concurrence has been obtained. Besides written concurrence, banks would be allowed to use SMS or email facility to communicate with the customers and obtain their concurrence.
                3. Effective 1 May, 2011 all new personal accounts will be subject to the revised fee structure. Existing customers will however be given two months notice from that date through letters or via electronic means. Further the revised fee and charges will not be applied retrospectively.
                4. Banks should continue to pay greater emphasis on cash flow/ repaying capacity of the borrower and less on security or guarantee.
                5. As hitherto, banks are prohibited to take private houses as security for personal loans or take personal guarantees as security when these loans are given to non-UAE nationals.
                6. No fees and charges have been mentioned for credit cards and banks may maintain status quo.
                7. Banks may levy relationship based fee on personal accounts and offer incentives to high value customers provided a specific fee or charge does not exceed the maximum permissible rate specified in the rate structure.
              • Article (16) The Provisions of These Regulations are not Applicable to Merchant and Investment Banks

                The provisions of these Regulations are not applicable to investment banks or merchant banks, nor to finance or investment companies, since these institutions are not authorized to provide personal loans or retail banking services. Moneychangers, however, shall only be subject to the provisions regarding bank transfers and exchange of currency.

              • Article (17) Responsibilities of the Banking Supervision & Examination Department

                a) The Banking Supervision & Examination Department will issue a guide to clarify how banks should comply with the provisions of these Regulations and submit the required statistical data to the Central Bank.

                b) The Banking Supervision & Examination Department will also issue a guide to its examiners to explain the regulatory procedures relevant to these Regulations.

              • Article (18) Cancellation of the Previous Circular on the Subject

                Upon enforcement of this Regulation, Circular No- 12/93 dated 23/2/1993, and Central Bank's clarifications ref. DMM/1263/93 dated 6/7/1993, and any notices or directives relating thereto shall be cancelled, except for Notice No- 1850/2004, dated 14/6/2004, regarding Armed Forces Personnel.

              • Article (19) Interpretation of These Regulations

                The Legal Development Unit of the Central Bank shall be the reference for interpretation of the provisions of these Regulations.

              • Article (20) Currently Outstanding Loans

                a- The provisions of these Regulations shall apply to all banks and finance companies including Islamic banks and Islamic finance companies in relation to personal consumer loans and car loans granted by these entities currently existing, except for commissions, fees or any fines charged on them prior to the date on which these regulations come into force, which is considered finalized.
                 

                b- Any borrower may transfer his/her loan/financing from any bank or finance company operating in the UAE against paying of an early payment fee not exceeding 1% of the outstanding balance of the loan, or AED 10,000, whichever is less. Another bank or a finance company operating in the UAE may accept the transfer under the following conditions:

                1. For loans granted after the issuance of this Regulation, the requirements of the Regulation must be fully complied with, in particular those relating to the loan or financing amount, the repayment period and monthly deduction.
                   
                2. For loans granted prior to the issuance of this Regulation, the profit/interest rate should be reduced and the repayment period or loan/financing balance should not be increased by granting an additional loan or financing to the borrower.
                Clarifications and Guidelines (as per Notice No. 2901/2011)
                1. Existing loans and overdrafts will continue to be governed by the terms and conditions agreed between the parties. However early settlement charges, other charges, fees and commissions levied after 1st May, 2011 will be in accordance with the new structure.
                2. New loans extended after 1st May, 2011 or rescheduled after that date will be subject to the new regulations.
                3. In exceptional circumstances such as rescheduling due to retirement of the borrower or loss of his income for any other reason, a longer repayment period beyond 48 months could be permitted.
              • Article (21) Publication

                These regulations shall be published in the Official Gazette in both Arabic and English, and shall come into effect one month after date of its publication.

              • Appendix No. (1)

                Interest rates charged on Loans

                | | Interest Rate Range |
                |---|---|
                | Interest/profit on a personal loan (p.a.) | |
                | - from AED 0 – AED 50 k | -------------- |
                | - from AED 51 k – AED 100 k | -------------- |
                | - from AED 101 k – AED 200 k | -------------- |
                | - above AED 200 k | -------------- |
                | Interest/profit on a car loan (p.a.) | |
                | - from AED 0 – AED 50 k | -------------- |
                | - from AED 51 k – AED 100 k | -------------- |
                | - from AED 101 k – AED 200 k | -------------- |
                | - above AED 200 k | -------------- |
                | Interest/profit on overdrafts (p.a.) | |
                | - from AED 0 – AED 30 k | -------------- |
                | - from AED 31 k – AED 50 k | -------------- |
                | - from AED 51 k – AED 100 k | -------------- |
                | - above AED 100 k | -------------- |
                | Interest/profit on unpaid balance on credit card (p.m.) | |
                | - from AED 0 – AED 30 k | -------------- |
                | - from AED 31 k – AED 50 k | -------------- |
                | - from AED 51 k – AED 100 k | -------------- |
                | - above AED 100 k | -------------- |

                 

              • Appendix No. (2)

                Introduction:

                1. This Amendment applies to and forms part of the Regulations Regarding Bank Loans & Services Offered to Individual Customers (29/2011) (the “Regulations”). It applies specifically to Appendix 2 of those Regulations, which set out the “Maximum Limits for Fees and Commissions Charged on Retail Customer Service”. Upon coming into force, this Amendment replaces the previous version of Appendix 2 and is mandatory and enforceable in the same manner as the Regulations. This Amendment also replaces any other fee caps set out by the Central Bank at this time but not future caps set outside of the scope of this document.
                   
                2. All fees set out in this Amendment are exclusive of UAE VAT charges.
                   
                3. Article 11 of 29/2011 remains in force and banks and finance companies must comply accordingly.
                   
                4. Banks and finance companies will need to notify and seek approval from the CBUAE ex-ante for any planned introduction of a new fee or a change in existing fee levels (which are larger than 5%) not capped by this amendment. Such notifications can be submitted to the CBUAE during the first 5 business days of April and October of any given year.
                   
                5. The Central Bank will accept ad hoc notifications for exempt fees on an ad hoc basis where it is shown to the Central Bank’s satisfaction that these relate to new products. This will be assessed on a case-by-case basis.
                   
                6. The fee caps set out in this Amendment represent the maximum permissible charges. Banks and finance companies must have appropriate product approval processes in place for all products, which include an examination of the basis and appropriateness of a fee calculation and, if applicable, must charge lower fees than those prescribed in these caps.
                   
                7. The Central Bank will supervise regulated entities to ensure that rates are applied in a fair and appropriate manner. This will include ensuring that regulated entities do not automatically default to using maximum caps where actual costs may be lower.
                   
                8. Regulated entities to which the Regulations apply are required to provide the Central Bank with a full list of the fees they charge no later than 30 days after this Amendment comes into force. Up to date fees should also be made publicly available and should be easily accessible for consumers (e.g. online and in branches).
                   
                9. These fee caps will be reviewed on an annual basis for continued suitability.

                 

                Maximum Limits for Fees and Commissions Charged on Retail Customer Service

                | No. | Product | Fee | Cap (AED) |
                |---|---|---|---|
                | 1 | Personal Accounts | Account closure fee | 100 |
                | 2 | Personal Accounts | Account balance letter | 50 |
                | 3 | Personal Accounts | No liability certificate | 60 |
                | 4 | Personal Accounts | Release letter | 50 |
                | 5 | Personal Accounts | Liability letter issued to Govt Departments/embassies | 60 |
                | 6 | Personal Accounts | Liability letter issued to financial institutions | 60 |
                | 7 | Debit Card | Issuing supplementary ATM Card | 25 |
                | 8 | Debit Card | Replacing Secret Pin Code | 25 |
                | 9 | Debit Card | Replacing lost or stolen ATM card | 25 |
                | 10 | Debit Card | Own ATM fees | 0 |
                | 11 | Debit Card | Fees for using other bank’s ATM | 2 |
                | 12 | Debit Card | Copy of sales slip | 25 |
                | 13 | Consumer Loans | Delayed payment penal interest charges | Max 200 |
                | 14 | Consumer Loans | Early settlement from other bank loans | 1% Max 10,000 |
                | 15 | Consumer Loans | Final settlement from other sources/EOSB | 1% Max 10,000 |
                | 16 | Consumer Loans | Partial payment | 1% Max 10,000 |
                | 17 | Consumer Loans | Revolving overdraft fees | 200 |
                | 18 | Consumer Loans | Loan Cancellation Fee | 100 |
                | 19 | Consumer Loans | Other (loan copy, issuing redemption statements, audit confirmation etc) | 25 |
                | 20 | Car Loans | Early settlement | 1% outstanding |
                | 21 | Car Loans | NOC to Traffic Department | 0 |
                | 22 | Car Loans | Advance payment of installment | 1% of installment |
                | 23 | Car Loans | Late payment penal charges | Max 500 |
                | 24 | Car Loans | Issuance of liability letter to other banks | 60 |
                | 25 | Car Loans | Cancellation fee | 100 |
                | 26 | Remittance | Swift copy charges | 15 |
                | 27 | Remittance | Demand draft/pay order issuance/cancellation | 75 |
                | 28 | Customer Term Deposits | Account closure fees-terms deposits | Cost (max 2%) |
                | 29 | Credit Cards | Card replacement fee | 75 |
                | 30 | Credit Cards | Liability/no liability letter | 50 |
                | 31 | Credit Cards | Duplicate statement | 45 |
                | 32 | Credit Cards | Copy of sales voucher | 65 |
                | 33 | Credit Cards | Late Payment fees | Max 230 |
                | 34 | Home Loans | Late payment fees | Max 700 |
                | 35 | Home Loans | Early settlement fees | Max 1% of outstanding balance or 10,000, whichever is less |
                | 36 | Home Loans | Issuance of liability letter | 85 |
                | 37 | Home Loans | Other certificate | 75 |
                | 38 | Home Loans | Non-standard statement production/copy of original documentation | 100 |
                | | Home Loans | Property swaps administration fee | Max 1320 (valuation included) |
                | 40 | Home Loans | Issuance of NOC | 150 |
                | 41 | Home Loans | Partial settlement charges | Max 1% of outstanding balance or 10,000, whichever is less |
                | 42 | Home Loans | Clearance letter | 95 |
                | 43 | Home Loans | Request of other letters | 90 |

                 

              • Appendix (3)

                Foreign Exchange
                Related fees/commissions

                Fees for purchase/Sale of currency notes & TC’s (Over & above posted Exchange rates).

                Fees on sale of TCs:
                - ----------------------.
                - ----------------------.
                - ----------------------

                Fees on issuing Demand Drafts:

                Fees on Telegraphic Transfers to:
                - India
                - Pakistan
                - Egypt
                - --------
                - --------
                - -------- etc.


                 

                 

            • Clarifications and Guidelines Manual for Regulations No 29/2011 Regarding Bank Loans & Services Offered to Individual Customers

              N 2901/2011 Effective from 28/4/2011
              • Introduction:

                Central Bank of the United Arab Emirates has issued Circular No 29/2011 dated 23.02.2011 titled Loans and Services Offered to Individual Customers. In compliance with Article 17 of the Circular and based on feedback received from Emirates Bankers Association/ various banks, this Manual is being issued to clarify certain relevant provisions and requirements.

                Banks and finance companies (hereafter referred to as bank or banks) extending personal facilities in accordance with the underlying regulations must ensure that they have adequate risk management systems to approve and monitor such facilities. Banks should also ensure that they have trained staff to market the relative products with proper guidance being given to the borrowing customers.

              • Article (2)- Personal Loan:

                1. These regulations apply to personal facilities viz. loans, overdrafts, car loans and credit cards extended to individuals which are repayable from salary, end of service indemnity and/ or other verifiable regular income from a well defined source.
                2. It should be ensured that the borrowers’ salary and end of service benefits are properly ascertained from the employer. If the facility is partly or fully given against other income, it should be from a well defined source and its full details should be obtained.
                3. In case of borrowers with heavy personal commitments and lower disposable income or uncertain employment/ job prospects, banks may not allow facilities up to the upper limit of 20 times salary and/ or the total income, repayable within 48 months despite meeting the specified criteria.
                4. For sound loan decisions, banks should have clear policy guidelines on issues which have direct bearing on the quality of risk and repayment of the loan.
                5. If a customer avails for a lower amount than his eligibility or there is significant increase in his income level in subsequent months due to promotion etc, banks may reassess his eligibility after proper verification. In such a case, either existing loan is enhanced or a new loan is set up (without disturbing the existing loan).
                6. If other income is main or supplementary source of repayment, it should be ensured that such income is from a known regular source and the borrower has produced documentary evidence of such income.
                7. Besides personal facilities against salary and other income as above, banks may extend loans and overdrafts against lien over fixed deposits held with them.
              • Article (3)- Car Loan:

                1. Banks may finance passenger new and used cars to the extent of 80% of their value. Financing of commercial vehicles is outside the purview of these regulations unless repayment of the loan is from the salary of the customer and other laid down criteria are satisfied.
                2. Financing of operating leases to individuals would not be considered as car finance and would not fall within these regulations.
                3. Car loans may be allowed in addition to the personal loan as above but within the 50% of gross salary and any regular income as explained in Article (7).
              • Article (4)- Overdraft Facilities:

                1. Overdraft limits will be counted within 20 times salary as specified for the personal loans under Article (2) above.
                3. Islamic banks may allow overdraft facilities by whatever name described in accordance with Shariaah principles, without violating the upper limits and other requirements of these regulations.
              • Article (5)- Credit Cards:

                1. In order to ensure that credit cards are issued to creditworthy individuals, a mandatory minimum income level of AED 60,000 per annum has been stipulated. Banks may fix the limits within the policy as stated in this regulation.
                2. Those not meeting the above income criteria are required to place a pledged deposit of not less than AED 60,000 with the bank for issuance of credit card. However such persons may be permitted credit facility besides credit card provided aggregate of credit facility and credit card limit do not exceed 50% of the pledged deposit.
                3. Credit card limit is allowed as additional facility but repayment of outstandings must remain within 50% of gross salary and any regular income as explained in Article (7).
                4. Banks may encourage greater use of debit cards for the customers who are not found to be eligible for issuance of credit card.
                5. If the cards have been issued to non-customers, banks should compile statistical data separately for residents and non-residents and review them from time to time.
                6. Banks will take particular care in respect of credit cards issued to non-residents.
              • Article (6)- Computation of Interest:

                1. Method of interest calculation has not been changed from the earlier Circular No 12/93. Banks should continue to follow reducing balance method, by taking a year of 365 days. However they must ensure that effective interest rate on per annum basis is disclosed to the customer, displayed on the Board, it is used for calculation and specified in the loan documentation.
                2. While reducing balance method of interest calculation will be followed on personal and car loans, average daily outstanding balances will form the basis for interest calculation in all cases.
                3. In case of credit cards, the banks may continue to follow the global practice where no interest/ finance charges are levied on the outstanding balance (excluding cash advance transactions) when the new balance outstanding shown in the statement is paid in full by the Payment Due Date. Finance/ interest charges on cash advance may be applied from the transaction date till final repayment.
                4. Within the above broad framework, Islamic banks may vary display of interest rates or use appropriate terminology as permitted under the Shariaah.
                5. Any bank advertising or propagating ‘Flat’ interest rate must invariably state the equivalent effective rate side by side.
              • Article (7)- Repayment Installments:

                1. All the lenders are obliged to carry out proper due diligence to ascertain the applicants’ liabilities and income sources so that total installments including payments on account of credit card do not exceed 50% of their gross salary and other regular income.
                2. Personal loans will be setup for a maximum tenor of 48 months. However if a borrower retires before full repayment, his loan will be restructured from the date of retirement so that his total repayments do not exceed 30% of income (or pension salary).
                3. Existing loans will continue in accordance with the present arrangement and documentation. However no top ups, deferrals or rescheduling will be permitted beyond eligibility in terms of salary multiplier, tenor and repayment percentage.
                4. Banks should formulate specific policy on top ups and rescheduling in order to restrict their frequency. It should be ensured that there is no ‘ever greening’ of loans to disguise problem or delinquent loans.
                5. In case of Islamic banks, they have to ensure that in case of prepayment, adequate rebate is allowed to a customer so that final charge to him does not exceed the level given in Annexure 2 to the Circular.
              • Article (9)- Bank Accounts & Related Commissions and Charges:

                1. Banks may continue with their present practices and internal guidelines to control and monitor dormant accounts. However in no case they should transfer the balance of such accounts to their profit and loss account.
                2. Central Bank is in the process of issuing suitable guidelines in respect of dormant accounts. In the interim, banks may continue to comply with Notice No 24/2000 in respect of dormant accounts and take necessary precautions for operating such accounts.
              • Articles (10) and (11)- Personal Banking Services & Fees and Commissions Charged on them:

                1. Relevant fees, charges and commissions applicable to personal customers have been specified in the Appendices to the Circular. Banks are not allowed to levy any other commissions, fees, charges or fines without Central Bank’s written approval. Banks are however free to reduce or exempt their customers from payment of certain fees and charges at their discretion.
                2. Loans and insurance are separate products. Hence it should be a customer’s choice to select either to pay them together over the period of loan or to pay upfront. Banks should however explain to the customer properly and obtain his concurrence before charging him for the insurance.
                3. List of charges and commissions apply to personal loans, car loans and personal overdrafts. Banks may continue to levy charges and commissions on credit cards as hitherto as no change has been proposed in the regulations.
                4. If there are other important fees and charges applicable to certain segment of customers but left out in the Appendices, these may be submitted for consideration of the Central Bank.
              • Article (12)- Conditions for Opening of Accounts, Providing of Credit Cards and Granting Loans & Bank Facilities:

                1. Emirates Banks Association will be providing the banks with standard account opening forms including general terms and conditions and other loan documentation which will be beneficial to various user groups. Pending finalization and introduction of new forms, the banks may continue to use the existing forms as hitherto.
                2. In addition to the above, each bank will also be allowed to define specific terms and conditions which do not require prior approval from the Emirates Banks Association or Central Bank provided these are signed by the customer and do not contravene or contradict any other requirement. These terms will be shown in a separate section along with general terms and conditions.
              • Article (13)- Shariaah Compliant Banking Services:

                Islamic banks will be allowed to use certain special terms applicable only to such banks, viz profit, finance, etc. However scheduled rates under different names or descriptions should be in accordance with these regulations and sent to Central Bank for information and publication.

              • Article (15)- General Provisions:

                1. If a bank uses additional pages to the forms prescribed by the Emirates Banks Association, such sheets containing terms and conditions should be accepted by the borrower under his signature.
                2. Banks are not expected to upgrade a customer’s status whether for his credit card or other similar facility unless his prior concurrence has been obtained. Besides written concurrence, banks would be allowed to use SMS or email facility to communicate with the customers and obtain their concurrence.
                3. Effective 1 May, 2011 all new personal accounts will be subject to the revised fee structure. Existing customers will however be given two months notice from that date through letters or via electronic means. Further the revised fee and charges will not be applied retrospectively.
                4. Banks should continue to pay greater emphasis on cash flow/ repaying capacity of the borrower and less on security or guarantee.
                5. As hitherto, banks are prohibited to take private houses as security for personal loans or take personal guarantees as security when these loans are given to non-UAE nationals.
                6. No fees and charges have been mentioned for credit cards and banks may maintain status quo.
                7. Banks may levy relationship based fee on personal accounts and offer incentives to high value customers provided a specific fee or charge does not exceed the maximum permissible rate specified in the rate structure.
              • Article (20)- Currently Outstanding Loans:

                1. Existing loans and overdrafts will continue to be governed by the terms and conditions agreed between the parties. However early settlement charges, other charges, fees and commissions levied after 1st May, 2011 will be in accordance with the new structure.
                2. New loans extended after 1st May, 2011 or rescheduled after that date will be subject to the new regulations.
                3. In exceptional circumstances such as rescheduling due to retirement of the borrower or loss of his income for any other reason, a longer repayment period beyond 48 months could be permitted.
          • Regulations Regarding Mortgage Loans

            C 31/2013 Effective from 28/11/2013

             

            This regulation has been amended by the Central Bank Board of Directors Resolution No. 96/2019 and Central Bank Board of Directors Resolution No. 31/2/2020 respectively. You are viewing the latest version. Please find the PDFs of previous versions on the table below.
            version 2 (consolidated as of 08/04/2020)
            version 1 (effective from 28/11/2013)
            • Introduction

              The Central Bank is seeking to promote the proper development, organization and regulation of the mortgage loans market in the United Arab Emirates (UAE).

              In introducing these Regulations the Central Bank wishes to ensure that banks, finance companies and other financial institutions providing mortgage loans to UAE nationals, GCC nationals and expatriates do so in accordance with best practice.

              The Central Bank is also seeking to ensure that financial institutions have and maintain effective business standards and control frameworks in place for the granting of mortgage loans.

              These Regulations make a distinction between loans to owner occupiers of residential property and investors in residential property since the risk profile and due diligence required is distinctly different for each type of borrower.

            • Objective

              The objective of these Regulations is to set minimum acceptable standards for granting mortgage loans with a view to:

              i. protecting the financial sector;
              ii. fostering consumer protection; and
              iii. enhancing financial stability.

              These Regulations are issued pursuant to the powers vested in the Central Bank under Articles (5), (18), (94) and (96) of Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking.

            • Application

              These Regulations apply to:

              a. Banks
              b. Finance companies
              c. Other financial institutions providing mortgage loans

              For the purpose of these Regulations banks, finance companies and other financial institutions that provide mortgage loans are collectively referred to as ‘mortgage loan providers’.

              These Regulations set minimum standards and regulated financial institutions are encouraged to apply higher standards in order to protect the financial soundness of their business. Nothing in these Regulations prevents mortgage loan providers from adopting more conservative limits in relation to granting mortgage loans where deemed appropriate.

            • Article (1): Definitions

              1. Mortgage loan: A loan that is collateralized against a residential property granted for the purpose of constructing, purchasing or renovating a house for owner occupier or investment purposes. It also includes loans granted for the purchase or the development of land for these purposes.
                 
              2. Collateral: Property upon which the residential real estate loan is secured.
                 
              3. Collateral Management: All tasks and processes within granting of mortgage loans where collateral is involved, e.g. appraisal and constitution of collateral; confirmation of its legal existence and enforceability.
                 
              4. Debt Burden Ratio: Ratio of debt burden to income.
                 
              5. Down payment: Up-front payment from the buyer for a portion of the purchase price, which reduces the value of the loan against the property.
                 
              6. Equity: Difference between the appraised value of the property and the total claims held against the property.
                 
              7. Loan-to-Value (LTV): The ratio of the amount of the loan outstanding to the appraised value of the residential property.
                 
              8. Property appraisal: a comprehensive assessment of the property characteristics including the determination of the collateral’s value.
                 
              9. Mortgage loan providers: All banks, finance companies and other financial institutions that provide mortgage loans.
                 
              10. Tenor: The initial term length of a mortgage loan.
            • Article (2): Risk Management Requirements

              1. Lending Policy

                All mortgage loan providers must have a separate mortgage lending policy in place which has been approved by the board of directors of the concerned institution.

                Mortgage loan providers should set a limit for this type of lending in relation to (a) exposure to property lending and (b) the overall loan book.

                The lending policy for mortgage loans must make a clear distinction between financing for owner occupiers and financing for investors and take account of the different risks involved.

                Lending policy must include, inter alia, detailed requirements in relation to verification of income and assessment of the borrower’s ability to repay, the maximum loan-to-value and tenor allowable for each type of loan, effective collateral management procedures for taking security against the loan and the application of the risk management framework in relation to this area of business.

                Mortgage loan providers are required to have robust procedures and processes in place to monitor completion schedules for the financing of properties being constructed. Where stage payments are to be made as part of the financing agreement, the mortgage loan provider must first use owner’s equity portion of the construction price to pay the developer/contractor before the mortgage loan provider provides any of the loan monies.

                Payments to the developer/contractor should be based upon prescribed completion milestones that must be physically confirmed either by the mortgage loan provider or by a suitably qualified professional agent who is independent from both the borrower and the developer/contractor.

                Lending policies must be reviewed and signed off by the board of directors of the mortgage loan provider, at least annually, and updated or amended as and when appropriate.
                 
              2. Effective Verification of Income and Other Financial Information

                A key input to effective management of the mortgage loan granting process is properly verifying the borrower’s ability to service the loan. Accordingly, mortgage loan providers must have in place proper processes and procedures to ensure effective and accurate verification of income and other financial information which the lender will rely on to determine the borrower’s capacity to repay.

                Loan documentation should be designed to collect a full income and liabilities history for each applicant. A detailed record of the steps taken to verify income capacity along with full documentary evidence to support the decision (including a formal sign off by the appropriate approval authority) should be maintained on file and be available for inspection by the Central Bank’s examiners if required.
                 
              3. Reasonable Debt Service Coverage

                Prudent granting of mortgage loans requires an accurate assessment of the borrower’s ability to repay the loan. This is an important factor in the context of:

                a. minimizing defaults and losses to the mortgage loan provider;
                b. limiting the possibility of consumer over-indebtedness; and
                c. maintaining stability in the financial system.

                Mortgage loan providers must establish appropriate processes to assess the borrower’s ability to repay the loan, review the processes regularly and maintain up-to-date records of such processes.

                In making this assessment the mortgage loan providers must take into account all relevant factors that could impact on the ability of the borrower to repay the loan, including, for example, other debt servicing obligations (including credit card debt), security of employment and the individual’s particular ‘lifestyle’ expenditure. Only reliable and sustainable income should be included when making the assessment. Bonuses and other non-standard or temporary income should be suitably discounted or if not guaranteed excluded from the assessment of repayment.

                Mortgage loan providers should develop standard Debt Burden Ratio (DBR) calculation templates that enable lenders to gain a full understanding of the borrower’s financial capacity in order to make an informed decision on the borrower’s ability to service the new loan. The DBR assessment should include an appropriate amount calculated to cover normal recurring household expenditure commitments in addition to other liabilities.

                Where the loan extends beyond normal retirement age, lenders must take account of the adequacy of the borrower’s retirement income to repay the loan in making the assessment.

                Also, the prevailing interest rate environment shall be taken into account; as such, a stress test should be carried out to determine whether the borrower could continue to repay the loan should interest rates rise.

                In the case of mortgage loans where repayment of the principal is deferred in the first stage and only interest is paid, lenders must be satisfied, when assessing the borrower’s ability to repay the loan, that the borrower will be able to meet the principal and interest payments arising at the end of that period.

                The assessment of the borrower’s ability to repay should not be based on future property price appreciation or an expected increase in the borrower’s earning capacity.
                 
              4. Appropriate Loan to Value Ratio (LTV)

                The taking of collateral is an important element in the lending decision. Accordingly, the Central Bank expects mortgage loan providers to adopt prudent LTV ratios when granting loans.

                Lenders must ensure that all loans granted are subject to an appropriate LTV that takes into account current, latent, or emerging risk factors that may impact on the value of the collateral and the lenders’ ability to realize it. The value of collateral should be suitably discounted to take account of these risk factors.

                The level of down payment required from the borrower should be drawn from the borrower’s own resources and not from other sources of borrowing (including personal loans or credit cards). The Central Bank expects mortgage loan providers’ lending policy to be explicit in this regard to ensure the borrower has an appropriate level of financial interest in the collateral.

                It is also important to note that the LTV ratios set out in these Regulations are the maximum allowable. Ultimately mortgage loan providers are responsible for ensuring their institutions remain financially sound. Accordingly, mortgage loan providers should adopt more conservative LTV ratios where the underlying risks in lending markets or segments of the lending markets are higher.

                Lending decisions should not be based solely on the security available and it is important that lenders do not rely on the LTV as an alternative to assessing repayment capacity. Mortgage loan providers must ensure that appropriate processes and procedures are in place to capture this risk.
                 
              5. Effective Collateral Management

                Mortgage loan providers are required to have adequate internal risk management and collateral management processes in place that ensure property appraisals are realistic and substantiated. Property appraisal reports should not reflect expected future house price appreciation.

                Prior to any irrevocable commitment to lend, an independent on-site valuation of the property must be undertaken by a professional third party who is suitably qualified and independent of the borrower, seller, developer/contractor and the loan decision process.

                Based on clear evaluation criteria, each bank and finance company should have in place a board approved list of independent Valuers.

                All legal titles must be free from encumbrances and contain no impediments for the registration of security interests. In the case of land gifted to UAE Nationals, confirmation of the gift from either the relevant Diwan or Housing Program, as well as confirmation from the land department, is required.
                 
              6. Due Diligence

                In order to limit and mitigate the risk arising from mortgage loans business, mortgage loan providers must have in place a clear written program of due diligence (legal and other) to be followed during all stages of the application process to ensure lending policies are being implemented correctly. Procedures must also be in place to ensure that, prior to drawdown, all conditions attaching to the loan have been (or are being) complied with.
            • Article (3): Important Ratios

              1. Debt Burden Ratio (DBR)

                The maximum DBR allowed is set out in “Regulations Regarding Bank Loans and Other Services Offered to Individual Customers”, i.e. 50 percent of gross salary and any regular income from a defined and specific source at any time. It is important, however, that when making an assessment of the borrower’s ability to repay, financial institutions do not automatically apply the maximum DBR but take into account the specific circumstances of the borrower and the exposure to the institution.

                In arriving at the DBR, mortgage loan providers are required to stress test the loan at (2 to 4) percentage points above the current rate of interest on the loan, depending upon what level interest rates are at in the cycle. Where an introductory interest rate applies, the stress test should be carried out with reference to the rate that will apply on cessation of the introductory rate.

                Where the property is for investment purposes mortgage loan providers are required to make a deduction of at least two months’ rental income from the DBR calculation to assess the borrower’s ability to repay taking account of non-rental periods.

                Where the loan repayment schedule extends beyond the expected retirement age, mortgage loan providers are required to ensure that the balance outstanding at that time can continue to be serviced at a DBR of 50 percent of the borrower’s post retirement income.
                 
              2. Loan to Value Ratio (LTV)

                The maximum Loan to Value (LTV) ratios are as follows:

                A. UAE Nationals

                  • First House/Owner Occupier

                    Each borrower can only claim one property under this category.

                    a. Value of Property less than or equal to AED 5 million - maximum 85% of the value of the property.
                    b. Value of Property more than AED 5 million - maximum 75% of the value of the property.

                  • Second and Subsequent House or Investment Property

                    65% of the value of the property, regardless of value.

                B. Expatriates

                  • First House/Owner Occupier

                    Each borrower can only claim one property under this category.

                    a. Value of Property less than AED 5 million - maximum 80% of the value of the property.
                    b. Value of Property more than AED 5 million – maximum 70% of the value of the property.

                  • Second and Subsequent House or Investment Property

                    60% of the value of the property, regardless of value.

                C. All Categories - Property purchased off plans

                  Given the long term nature of the development process and the higher level of risk to completion, the maximum LTV for mortgages on property being purchased off plans is 50% regardless of purpose, value, or category of purchaser.

              3. Maximum Term of Loan

                The maximum tenor of the mortgage loan is 25 years.

                The maximum age at the time of the last repayment should be determined by the mortgage loan providers in accordance with their risk management and lending policies.

              4. Maximum Financing Amount

                As per Article 3.1, the DBR cannot exceed 50%.

                In addition, the maximum financing amount allowed is as follows:
                 
                • UAE Nationals: up to 8 years annual income.

                • Expatriates: up to 7 years annual income.
                   
              5. Source and Frequency of Repayment

                Repayment should be made from salary or verifiable business or rental income. The use of ‘End of Service Benefit’ is not allowed.

                Principal and interest repayments should be made on a reducing balance basis (except for mortgage loans with deferred repayment of principal – treated as per 6 below).

                Repayments should be at a frequency not less than quarterly. The Central Bank would expect there to be minimum exceptions to this policy.
                 
              6. Interest Only Period

                Mortgage loans with deferred principal repayment should only apply to investment loans. These loans should not allow for non-repayment of principal for longer than 5 years from date of first drawdown of the loan.
                 
              7. Acceptable Collateral

                A first class mortgage in the name of the mortgage loan provider must be taken on all financed properties.

                In cases where the property being financed falls under the various Government Housing Schemes and a first charge cannot be created, mortgage loan providers should have other means in place to protect the loan collateral including the taking of a second charge on the mortgaged property where possible.
            • Article (4): Disclosure and Transparency

              Lenders should provide the borrower with sufficient and transparent information, including costs and risks associated with the loan, to enable the borrower to make an informed assessment of the suitability of the loan to their needs and financial circumstances.

              There should be transparency in preparing and publishing all fees, charges and interest rates (or profits) including the method of calculating interest/profit.

              Loan documentation should include, inter alia, the details of the property or the development, the borrower’s contribution, the amount of the loan, the repayment period, the periodic installment, the interest/profit rate, insurance requirement, mode and method of disbursement, the milestones required for progress payments in case of properties under construction with a clear pre-payment policy. Fees and charges should be detailed in a separate schedule to be attached to the loan contract.

              Borrowers should be provided with information setting out the total cost of the loan during its lifetime. The borrower must sign each page of the loan documentation and be given a copy signed by both the mortgage loan provider and the borrower.

              The maximum charges to refinance with other banks or financial institutions or for early repayments are the actual cost (to break fixed loans) to the lender and/or fees and charges as set out in Regulations No. 29/2011. There should also be no impediment for borrowers to refinance with other institutions.

              Financial institutions should also follow the transparency and disclosure requirements for real-estate lending in accordance with Regulations No. 29/2011.

              Mortgage loan providers are not allowed to alter or vary terms and conditions of the loan or the facility during the tenor of the loan or the facility, unless agreed to in writing by the borrower. In case of changes to the commissions or fees, customers must be notified, at least, two months prior to implementation of such changes.

            • Article (5): Housing Programs

              The Central Bank wishes to support specific Government housing programs that are established for the purpose of serving society for the betterment of communities and individuals.

              The Central Bank will engage with such programs directly and seek to agree a more preferential regulatory treatment where loans under such programs are guaranteed by the Government.

              Where the loan amount advanced to a UAE National to construct or purchase a property for ‘owner occupation purposes’ under a local housing program is guaranteed, the maximum DBR allowable is increased to 60 percent.

              The maximum LTV allowable may be increased to 85 percent when the value of the property is AED 5 million or less.

            • Article (6): Shari’ah Compliant Finance

              Certain mortgage loan providers will be providing mortgage finance in accordance with Shari’ah principles.

              While it is recognized that Islamic finance has specific features, an institution offering Islamic financial services is generally exposed to the same types of risks as a conventional mortgage loan provider.

              In addition to observing the specific requirements set out by the Shari’ah advisory committees given under each mode of financing separately, the requirements laid down in these Regulations should also be complied with while granting mortgage loans under Shari’ah principles.

            • Article (7): Reporting

              Reporting requirements will be as set out in the Central Bank’s online periodic Banking Return Forms system.

            • Article (8): Monitoring and Supervision

              The Central Bank will monitor and supervise the implementation of these Regulations and take appropriate regulatory action where breaches occur.

              In implementing these Regulations the Central Bank expects mortgage loan providers to apply ‘substance over form’ in making lending decisions and have appropriate policies and procedures in place to ensure that requirements of these Regulations are not circumvented. The Central Bank will be mindful of schemes or vehicles some mortgage loan providers may establish to circumvent these Regulations and shall take appropriate action as necessary.

              The Central Bank reserves the right to alter any of the “Important Ratios” contained in these Regulations either globally, or for an individual mortgage loan provider, where it so deems appropriate.

            • Article (9): Interpretation of Regulations

              The Legal Development Unit of the Central Bank shall be the reference for interpretation of the provisions of these Regulations.

            • Article (10): Cancellation of Previous Notices

              Notice number 3871/2012 is withdrawn from the date these Regulations become effective.

            • Article (11): Publication and Application

              These Regulations shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.

          • Loans Extended to Finance Purchase of Company Shares

             

            This Circular has been amended by the Notice No. 2418/2006. You are viewing the latest version. Please find the PDF of the previous version on the table below.
            version 2 (consolidated as of 28/05/2006) 
            version 1 (effective from 28/04/2006) 

             

            In order to organize lending against pledge of company shares, for the benefit of the banking and financial system in the UAE, the Board of Directors of the Central Bank has resolved to establish the following rules:

            1. No loans should be extended to purchase shares except against tangible securities, among which shares of joint stock public companies, newly established or those under establishment.
               
            2. Loans extended to the founders of companies against the pledge of their allotted shares should not exceed 50% of the nominal value of those shares. This position continues until the expiry of the legal period required to maintain ownership of these shares as per companies law, thereafter, they will be treated as in (4) below.
               
            3. Loans extended to subscribers in the public subscription of companies under establishment against an undertaking to pledge their allotted shares should not exceed 10% of the nominal value of the subscribed shares, except where the issuing company or the bank receiving the subscription funds (subscription bank) undertakes to refund excess funds directly to the lending bank (or lending party). In this case, lending may be extended up to a maximum of fivefold the amount contributed by the subscriber for the purchase of IPO shares.
               
            4. Loans extended against pledge of allotted shares in the public subscription of newly established companies should not exceed 70% of the book value of these shares. This limitation shall remain valid until these companies have been in operation for five years.
               
            5. Loans extended against pledge of shares of companies which have been in operation for more than five years should not exceed 80% of the market value of these shares.
               
            6. Banks and other financial institutions operating in the UAE may extend loans to purchase shares of companies established in the other AGCC countries, as per paragraphs (2), (3), (4) and (5) above, but with a maximum, in all cases, of 40% (the 10% in (3) above remains as it is in similar cases), and on condition that they must comply with all local laws prevailing in the country of origin of the company.
               
            7. In case borrowers pledged other assets (such as deposits, shares of other companies, property, bonds) or their application included submitting various securities, priority should be given to securities according to quality and degree of liquidity.

            It should be noted that if any of the banks (lending parties) violates the monetary policy by undertaking book-lending in order to lend to subscribers to shares (or other securities), whether directly or indirectly, the Central Bank shall deprive such banks of the entire amount of the resulting interest by debiting their accounts with it. Please note that book-lending means loans which have no corresponding customer deposits, capital and reserves of the lending party.

            Please withdraw and cancel our Notice No. 311/96 of 4/6/1996, and our Circular No. 19/97 of 4/11/1997.

        • Payment Token Services Regulation

          C 2/2024 Effective from 21/8/2024
          • Introduction

            This Regulation (the ‘Payment Token Services Regulation’) lays down the rules and conditions established by the Central Bank for granting a License or Registration for the provision of Payment Token Services and related matters. Payment Token Services are digital payment services in the UAE and comprise three categories, namely Payment Token Issuance, Payment Token Conversion and Payment Token Custody and Transfer.

            Providing digital money services is a financial activity subject to Central Bank licensing and supervision in accordance with the provisions of the Central Bank Law. Accordingly, the Central Bank Law provides the statutory basis for the powers of the Central Bank in relation to the licensing and ongoing supervision of Licensed Payment Token Service Providers, and related matters.

          • Part 1

            • Scope and Objectives

              This Regulation sets out:

              • conditions for the grant and maintenance of a License or Registration for the provision of Payment Token Services;
              • rights and obligations of Customers, Licensed Payment Token Service Providers, Registered Foreign Payment Token Issuers, Registered Foreign Payment Token Custodians and Transferors and Registered Payment Token Conversion Providers; and
              • powers of the Central Bank including with regard to the licensing, registration and supervision of Licensed Payment Token Service Providers, Registered Foreign Payment Token Issuers, Registered Foreign Payment Token Custodians and Transferors and Registered Payment Token Conversion Providers, and on-going reporting requirements;
              • limitations on certain services and the promotion of services relating to Foreign Payment Tokens, and on acceptance of such Foreign Payment Tokens as a Means of Payment; and
              • a prohibition of the issuance, promotion and performance of certain services in relation to Algorithmic Stablecoins, Privacy Tokens or other Means of Payment which are not Dirham Payment Tokens or Foreign Payment Tokens.

              In exercising its powers and functions under this Regulation, the Central Bank has regard to the following objectives:

              • ensuring the safety, soundness and efficiency of Payment Token Services;
              • ensuring adequate protection and avoidance of misappropriation of the Reserve of Assets held by Payment Token Issuers;
              • adoption of effective and risk-based licensing and registration requirements for Licensed Payment Token Service Providers, Registered Foreign Payment Token Issuers, Registered Foreign Payment Token Custodians and Transferors and Registered Payment Token Conversion Providers; and
              • promoting consumer protection and innovation.
            • Exclusions

              This Regulation shall not apply to the following:

              1. Any activity for which the service provider is licensed by (or requires a license from) the Central Bank under the Retail Payment Services and Card Schemes Regulation or the Stored Value Facilities (SVF) Regulation;
              2. Any information technology security, operation of technology infrastructure, trust or privacy protection service not of itself constituting a Payment Token Service;
              3. Any service of providing or maintaining a communication network or Distributed Ledger Technology;
              4. Any service of providing and maintaining any terminal or device used for any Payment Token Service;
              5. Any Payment Token Transfers carried out within a payment system or securities settlement system between Licensed Payment Token Service Providers and settlement agents, central counterparties, clearing houses, central banks or other participants in such system including central securities depositories; or
              6. Payment Token Transfers and related services between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking, without any intermediary intervention by a Licensed Payment Token Service Provider, Registered Foreign Payment Token Issuer, Registered Foreign Payment Token Custodian and Transferor or Registered Payment Token Conversion Provider other than an undertaking belonging to the same group.
          • Part 2

            • Article (1): Definitions

              Except where an alternative definition is expressly stated in this Regulation, the following terms are defined as set out in this Article (1).

              1. Agent: means a juridical person performing Payment Token Services on behalf of a Licensed Payment Token Service Provider.

              2. Algorithmic Stablecoins: means a Virtual Asset which purports to maintain a stable value by reference to a Fiat Currency or other asset as a result of interventions (either automated or manual) by its issuer or another Person to alter the supply of or demand for the Virtual Asset from time to time, and which is used or may be used as a Means of Payment.

              3. AML/CFT: means Anti-Money Laundering and Combating the Financing of Terrorism.

              4. AML Law: means Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations and Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended, and any regulations issued hereunder and any instructions, guidelines and notices issued by the Central Bank relating to their implementation or issued in this regard.

              5. AML Obligor: means a Licensee or Registree.

              6. Applicant: means a juridical person:

                a) duly incorporated in the UAE in accordance with Federal Law No. 2 of 2015 on Commercial Companies, as may be amended or substituted from time to time and as provided for under Article (74) of the Central Bank Law (or other analogous commercial regulation applying in a free zone), which files an Application with the Central Bank for the granting of a License for the provision of one or more Payment Token Services or the modification of the scope of a granted License;

                b) incorporated and located outside of the UAE (which for the purposes of this Regulation would include a juridical person incorporated and located in a Financial Free Zone), which files an Application with the Central Bank for the granting of a Foreign Payment Token Issuer Registration or the modification of the scope of a granted Registration; or

                c) that is a Virtual Assets Exchange Platform Operator, Bank or Exchange House which files an Application with the Central Bank for the granting of a Non-Objection Registration or the modification of the scope of a granted Non-Objection Registration.

              7. Application: means a written request for obtaining a License for the provision of one or more Payment Token Services, for obtaining a Foreign Payment Token Issuer Registration, or for obtaining a Non-Objection Registration, submitted by an Applicant which contains the information and documents specified in this Regulation or by the Central Bank, and is in the form specified by the Central Bank’s Licensing Division, including a written request for obtaining a modification to the scope of a granted License or Registration.

              8. Bank: any juridical person licensed in accordance with the provisions of the Central Bank Law, to carry on the activity of taking deposits of all types, including Shari`ah-compliant deposits.

              9. Beneficial Owner: means the natural person who owns or exercises effective ultimate control over the Customer or the natural person on whose behalf a transaction is being conducted, or the natural person who exercises effective ultimate control over a legal person or legal arrangement, whether directly or through a chain of ownership, control or other indirect means.

              10. Board: means the board of directors of an Applicant, a Controller of an Applicant, a Licensed Payment Token Service Provider or a Registree in accordance with applicable corporate law.

              11. Business Day: means a day other than Saturday, Sunday, public holiday or other non-working holiday or day in the UAE.

              12. CBUAE Regulation: means any written act that may be adopted or issued by the Central Bank complementing the implementation of this Regulation, such as, without being limited to, rules, directives, decisions, instructions, notices, circulars, standards, and rulebooks.

              13. Central Bank: means the Central Bank of the United Arab Emirates.

              14. Central Bank Digital Currency: means a digital version of a Fiat Currency that is issued by the Central Bank or another central bank.

              15. Central Bank Law: means the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities, as amended.

              16. Consumer Protection Regulation: means Consumer Protection Regulation (Circular No. 8 – 2020) dated 25 November 2020, as amended, and Consumer Protection Standards, as amended.

              17. Controller: means a Person that alone or together with the Person’s associates has an interest in at least 10% of the shares in an Applicant or Licensed Payment Token Service Provider or Registree or is in a position to control at least 10% of the votes in an Applicant or Licensed Payment Token Service Provider or Registree.

              18.

              Customer: means a Person receiving or potentially receiving a Payment Token Service and includes a Tokenholder.

              19.

              Customer Agreement: means a Framework Agreement or a Single Payment Token Service Agreement.

              20.

              Customer Due Diligence or CDD: means the process of identifying and verifying the identity of a Customer and its Beneficial Owners, whether a natural or legal person or a legal arrangement, and of collecting information as to the nature of the Customer's activity and the purpose of any business relationship between the Customer and the Payment Token Services provider and the ownership structure and control over it.

              21.

              Data Breach: means an intrusion into an IT system where unauthorized disclosure or theft, modification or destruction of Customer data is suspected and such is likely to result in a loss for the Customer.

              22.

              Data Subject: means an identified or identifiable natural person who is the subject of Personal Data.

              23.

              Designated Payment Token: means a Virtual Asset that the Central Bank has designated as a Payment Token in accordance with Article (12)6.

              24.

              Dirham Payment Token: means a Payment Token whose value is denominated in Dirham (AED), or denominated by reference to the value of another Payment Token whose value is denominated in Dirham (AED), and which is issued by a Dirham Payment Token Issuer.

              25.

              Dirham Payment Token Issuer: means a Payment Token Issuer that is Licensed to perform Payment Token Issuing for Dirham Payment Tokens pursuant to Article (5)1(a).

              26.

              Distributed Ledger Technology: means a class of technologies that supports the distributed recording of encrypted data across a network and which is a type of decentralized database of which there are multiple identical copies distributed among multiple participants and accessible across different sites and locations, and which are updated in a synchronized manner by consensus of the participants, without involving a central authority or intermediary using a system other than the network or another distributed ledger.

              27.

              Dormant Accounts Regulation: means Dormant Accounts Regulation (C 1/2020) dated 15 January 2020, as amended.

              28.

              Exchange House: means an exchange business that has been licensed under the Regulations re Licensing and Monitoring of Exchange Business.

              29.

              Exempted Person: means any Person who is exempted from the requirement to hold a License under Article (4).

              30.

              External Auditor: means an independent juridical Person that has been appointed to audit the accounts and financial statements of a Licensed Payment Token Service Provider in accordance with Article (34)9, to audit the Reserve of Assets of a Licensed Payment Token Issuer in accordance with Article (22)8(b) or to audit the White Paper of a Licensed Payment Token Issuer in accordance with Article (26)4.

              31.

              FATF: means the Financial Action Task Force, being an inter-government body which sets international standards that aim to prevent global money laundering and terrorist financing activities.

              32.

              Fiat Currency: means a currency that is controlled by a central bank, has the status of legal tender and is required to be accepted within a given jurisdiction.

              33.

              Financial Free Zones: means free zones subject to the provisions of Federal Law No. (8) of 2004, regarding Financial Free Zones, as amended.

              34.

              Foreign Currency: means a Fiat Currency which is not the Dirham (AED).

              35.

              Foreign Payment Token: means a Payment Token whose value is denominated in a Foreign Currency, or denominated by reference to the value of another Payment Token whose value is denominated in a Foreign Currency.

              36.

              Foreign Payment Token Custodian and Transferor: means a Person who, by way of business, performs Payment Token Custody and Transfer of Foreign Payment Tokens, pursuant to Article (5)2.

              37.

              Foreign Payment Token Issuer: means a Payment Token Issuer that is Registered pursuant to Article (5)2.

              38.

              Foreign Payment Token Registration: means a registration granted by the Central Bank to an Applicant registered and located outside of the UAE (which for the purposes of this Regulation would include a juridical person incorporated and located in a Financial Free Zone) to perform Payment Token Issuing with respect to Foreign Payment Tokens, pursuant to Article (5)2, and Foreign Payment Token Registree refers to a Foreign Payment Token Issuer holding a valid Foreign Payment Token Registration.

              39.

              Framework Agreement: means an agreement between a Licensed Payment Token Service Provider and a Customer for the provision of a Payment Token Service, other than a Single Payment Token Service Agreement, which governs the rights and obligations as between the Licensed Payment Token Service Provider and the Customer (and their assignees, transferees or successors).

              40.

              Group: means a corporate group which consists of a parent entity and its subsidiaries, and the entities in which the parent entity or its subsidiaries hold, directly or indirectly, 5% or more of the shares, or are otherwise linked by a joint venture relationship.

              41.

              License: means a License issued by the Central Bank to provide a Payment Token Service, pursuant to Article (5)1. Licensed refers to having been granted such a License, where such License remains valid, and Licensee refers to a Licensed Payment Token Service Provider holding a valid License.

              42.

              Licensed Payment Token Issuer: means a juridical person that has been Licensed in accordance with this Regulation to perform Payment Token Issuing.

              43.

              Licensed Payment Token Service Provider: means a juridical person that has been Licensed in accordance with this Regulation to provide one or more Payment Token Services. For the avoidance of doubt, a Registree is not included within the definition of Licensed Payment Token Service Provider.

              44.

              Local Licensing Authority: means any authority competent to regulate Virtual Assets in the concerned Emirate in accordance with Cabinet Resolution No. (111) of 2022 Concerning the Regulation of Virtual Assets and their Service Providers, as amended.

              45.

              Means of Payment: means a Virtual Asset:

              a)

              which is, or which is able to be used as, or is purported or promoted to be, a store of value, medium of exchange and unit of account; or

              b)

              which the Central Bank designates, pursuant to Article (3)1, as being a Means of Payment.

              46.

              Merchant: means a Person who accepts Payment Tokens as a Means of Payment for the sale or provision of goods or services.

              47.

              Non-Objection Registration: means a registration by the Central Bank of an Applicant based on a decision by the Central Bank to permit the Applicant to perform Payment Token Conversion or Foreign Payment Token Custody and Transfer, pursuant to Article (8)1, and Non-Objection Registree refers to a Payment Token Conversion Provider or Foreign Payment Token Custodian and Transferor holding a valid Non-Objection Registration.

              48.

              Outsourcing Regulation: means the Outsourcing Regulation for Banks (Circular No. 14/2021) dated 31 May 2021, as amended.

              49.

              Payee: means a Person who is the intended recipient of a Payment Token Transfer.

              50.

              Payer: means a Person who performs a Payment Token Transfer of a Payment Token for which it is the Tokenholder, or instructs a Licensee or Registree to perform such Payment Token Transfer on its behalf (by having the Licensee or Registree initiate, facilitate, effect or direct such transfer).

              51.

              Payment Token: means a Virtual Asset which purports to maintain a stable value by referencing the value of:

              a)

              the same Fiat Currency as the Payment Token is denominated in; or

              b)

              another Payment Token also denominated in the same Fiat Currency.

               

              A Designated Payment Token shall be deemed to be a Payment Token.

              52.

              Payment Token Conversion: means a service, other than Payment Token Issuing, which is performed by way of business, of selling or buying Payment Tokens in return for any form of remuneration by spot conversion as principal or agent or enabling other counterparties to place and accept offers for sale of Payment Tokens.

              53.

              Payment Token Conversion Provider: means a Person who, by way of business, performs Payment Token Conversion, other than a Person acting as a Payment Token Issuer.

              54.

              Payment Token Custody and Transfer: means a service, performed by way of business, to:

              a)

              safeguard, or to safeguard and administer:

              (i)

              Payment Tokens on behalf of Customers, or

              (ii)

              private cryptographic keys on behalf of Customers in order to hold, store and transfer Payment Tokens; or

              b)

              receive, hold and transfer Payment Tokens on behalf of Customers.

              For the avoidance of doubt, Payment Token Custody and Transfer excludes provision of technology (including provision of updates to the technology, and support to address any technical issues with the technology) to another Person which enables the other Person to safeguard or safeguard and administer their own Payment Tokens or the cryptographic keys for such Payment Tokens or the Wallet in which they are held, or to transfer such Payment Tokens on their own behalf.

              For the avoidance of doubt, Payment Token Custody and Transfer may be a service performed to facilitate or enable a Merchant to receive payments by Payment Token in exchange for the supply of goods or services under a merchant acquiring-style arrangement.

              55.

              Payment Token Custodian and Transferor: means a Person who, by way of business, performs Payment Token Custody and Transfer.

              56.

              Payment Token Data: means any information related to a Customer, including financial data and excluding Personal Data.

              57.

              Payment Token Issuer: means a Person who, by way of business, performs Payment Token Issuing.

              58.

              Payment Token Issuing: means a sale or transfer, performed by way of business, of a Payment Token, where it is the first occasion on which that Payment Token is sold or transferred.

              a)

              This can include (without limitation) where such first sale or transfer is undertaken through an exchange or trading venue.

              b)

              If the first occasion on which a Payment Token is transferred is when one Person (an ‘issuer’) generates a Payment Token (or arranges for its generation) for transfer to a distributor with a view to the distributor selling the Payment Token, or otherwise transferring the Payment Token to the public, the Payment Token Issuing is performed by the distributor rather than by the issuer.

              59.

              Payment Token Service: means the performance by way of business of any of the following activities:

              a)

              Payment Token Issuing;

              b)

              Payment Token Custody and Transfer; and

              c)

              Payment Token Conversion.

              60.

              Payment Token Transfer: means an act initiated by the Payer or Payee or on either of their behalves, or by the Payment Token Issuer, of transferring a Payment Token(s) or an interest in a Payment Token(s), whether or not such transfer is performed using Distributed Ledger Technology and irrespective of any underlying obligations between the Payer and the Payee.

              61.

              Person: means any natural or juridical person.

              62.

              Personal Data: means any information which is related to an identified or identifiable natural person.

              63.

              Privacy Token: means a Virtual Asset which, by design, disguises or otherwise obfuscates, or purports to hide or obfuscate, details of its Tokenholder or transaction history which would otherwise be visible to third parties through the Distributed Ledger Technology on which the Virtual Asset is hosted, and which is used or may be used as a Means of Payment.

              64.

              Promotion: means any form of communication, by any means, aimed at inviting or offering to enter into an agreement for provision of services.

              65.

              Registered Foreign Payment Token Issuer: means a Foreign Payment Token Issuer which is registered pursuant to Article 5(2).

              66.

              Registered Foreign Payment Token Custodian and Transferor: means a juridical person that has received a Non-Objection Registration in accordance with this Regulation to perform Payment Token Custody and Transfer of Foreign Payment Token.

              67.

              Registered Payment Token Conversion Provider: means a juridical person that has received a Non-Objection Registration in accordance with this Regulation to perform Payment Token Conversion.

              68.

              Registration: means a Foreign Payment Token Issuer Registration or a Non-Objection Registration, and Registered refers to having been granted such a Registration, where such Registration remains valid, and Registree refers to a Foreign Payment Token Issuer or Payment Token Conversion Provider or Foreign Payment Token Custodian and Transferor holding a valid Registration.

              69.

              Regulation: means this Payment Token Services Regulation.

              70.

              Reserve of Assets: means the assets held in accordance with Article (22).

              71.

              Retail Payment Services and Card Schemes Regulation: means Retail Payment Services and Card Schemes Regulation (Circular No. 15/2021) dated 6 June 2021, as amended.

              72.

              SCA: means the UAE Securities & Commodities Authority.

              73.

              Senior Management: means a team of individuals at the highest level of management of the Licensee or Registree who have the day-to-day tasks of managing the Licensee’s business.

              74.

              Single Payment Token Service Agreement: means an agreement which governs the rights and obligations as between a Licensed Payment Token Service Provider and a Customer (and their assignees, transferees or successors) and which is limited to:

              a)

              governing a single sale, transfer and redemption of Payment Tokens; or

              b)

              provision of a Payment Token Custody and Transfer Service for a single Payment Token Transfer.

              75.

              Stored Value Facilities (SVF) Regulation: means Stored Value Facilities (SVF) Regulation (Circular No. 6/2020) dated 30 September 2020, as amended.

              76.

              Third Country: means any Financial Free Zone or any country other than the UAE.

              77.

              Tokenholder: means the person who has the lawful power of disposal over a Payment Token.

              78.

              Transition Period: has the meaning given in Article (40).

              79.

              UAE: means the United Arab Emirates.

              80.

              Unauthorized Payment Token Transfer: means a Payment Token Transfer:

              a)

              initiated, facilitated, effected or directed by a Licensed Payment Token Service Provider as part of its Payment Token Service; and

              b)

              where such transfer has not been consented to by the Tokenholder or (in the case of the Licensed Payment Token Service Provider selling a Payment Token) the purchaser of the Payment Token.

              81.

              Virtual Asset: means a digital representation of value or of a right that can be transferred and stored electronically using Distributed Ledger Technology, excluding, for the purposes of this Regulation, Central Bank Digital Currencies.

              82.

              Virtual Assets Exchange Platform Operator: means a Person licensed by SCA as a virtual assets platform operator and regulated by SCA or any Local Licensing Authority.

              83.

              Wallet: means a Distributed Ledger Technology address or account to which a Virtual Asset is attributed from time to time and in relation to which a Payment Token Transfer is performed.

              84.

              Wire Transfer: means any Payment Token Transfer carried out on behalf of a Payer through a Licensed Payment Token Service Provider with a view to making an amount of Payment Tokens available to a Payee at the beneficiary’s Licensed Payment Token Service Provider, irrespective of whether the Payer and the Payee are the same Person.

              85.

              White Paper: means a document setting out the information stipulated in Article (26) and published or otherwise made available in accordance with the provisions of that Article.

          • Part 3

            • Article (2): Prohibitions on Activities and Promotions

              Restrictions on activities

              1.

              No Person shall perform any Payment Token Service within the UAE or directed to Persons in the UAE, unless such Person is Licensed or Registered by the Central Bank to perform such Payment Token Service.

              2.

              No Person shall perform any service, within the UAE or directed to Persons in the UAE, where that service:

              a)

              is performed with respect to any Means of Payment that is not a Payment Token; and

              b)

              is a service that is similar or equivalent to a Payment Token Service.

              This prohibition shall apply to all Persons, including any Person acting in the course of performing Virtual Asset activities for which it is licensed or regulated by SCA or a Local Licensing Authority.

              3.

              No Person shall, within the UAE or directed to Persons in the UAE, issue Algorithmic Stablecoins or Privacy Tokens or perform services relating to Algorithmic Stablecoins or Privacy Tokens. This prohibition shall apply to all Persons, including any Person acting in the course of performing Virtual Asset activities for which it is licensed or regulated by SCA or a Local Licensing Authority.

              4.

              A Licensee or Registree must not knowingly initiate, facilitate, effect or direct a Payment Token Transfer as part of its Payment Token Service unless the transfer is of a:

              a)

              Dirham Payment Token issued by a Licensed Payment Token Issuer being used for any lawful purpose; or

              b)

              Foreign Payment Token issued by a Registered Foreign Payment Token Issuer being lawfully used (or sold for use) as a Means of Payment for purchase of Virtual Assets or derivatives of Virtual Assets.

              5.

              A Foreign Payment Token Registree may only initiate, facilitate, effect or direct a Payment Token Transfer as part of its Payment Token Service in the UAE if the transfer is of a Foreign Payment Token being used (or sold for use) as a Means of Payment for purchase of Virtual Assets or derivatives of Virtual Assets.

              6.

              A Licensed Payment Token Issuer may only issue Dirham Payment Tokens to Persons resident in the UAE. For the avoidance of doubt, aside from this Article (2)6 there shall be no restriction under this Regulation as to the territory in which a Payment Token may be used or to or from which it may be transferred.

              7.

              No Merchant or other Person in the UAE selling goods or services during the course of business may accept a Virtual Asset towards payment for that sale unless that Virtual Asset is:

              a)

              a Dirham Payment Token issued by a Licensed Payment Token Issuer being used as a Means of Payment; or

              b)

              a Foreign Payment Token issued by a Registered Foreign Payment Token Issuer being used as a Means of Payment for purchase of a Virtual Asset or Virtual Asset derivative.

              8.

              A Bank may not act as a Payment Token Issuer, but may, subject to the licensing and other requirements of this regulation, set up a subsidiary, affiliate or other related entity to perform this activity.

              Restrictions on promotions

              9.

              No Person shall engage in any Promotion, within the UAE or directed to Persons in the UAE, where such Promotion relates to Payment Token Services unless such Person:

              a)

              has a License or Registration to perform the activities which are the subject matter of the Promotion; or

              b)

              is appointed by such a Licensee to engage in the Promotion on the Licensee’s behalf.

              10.

              No Person shall engage in any Promotion, within the UAE or directed to Persons in the UAE, where such Promotion is for services relating to any Means of Payment unless the Promotion solely relates to:

              a)

              Dirham Payment Tokens issued by Licensed Payment Token Issuers being used for any lawful purpose; or

              b)

              Foreign Payment Tokens issued by Registered Foreign Payment Token Issuers being lawfully used as a Means of Payment for purchase of a Virtual Asset or Virtual Asset derivative.

              This prohibition shall apply to all Persons, including any Person engaging in Promotions relating to Virtual Asset activities for which it is licensed or regulated by SCA or a Local Licensing Authority.

              11.

              No Person shall engage in a Promotion, within the UAE or directed to Persons in the UAE, where such Promotion is for the issuance of Algorithmic Stablecoins or Privacy Tokens or services relating to Algorithmic Stablecoins or Privacy Tokens. This prohibition shall apply to all Persons, including any Person engaging in Promotions relating to Virtual Asset activities for which it is licensed or regulated by SCA or a Local Licensing Authority.

              12.

              The Central Bank may require any Person to provide a reasonable level of evidence to demonstrate that such Person is not performing an activity in breach of this Article (2). The Central Bank may request such evidence on a single occasion or may require regular reporting (in such form as the Central Bank may specify from time to time) of such evidence by any Person.

              13.

              For the avoidance of doubt, reference to ‘the UAE’ in this Article (2) excludes the jurisdiction of the Financial Free Zones.

               

            • Article (3): Designation of Means of Payment

              1.

              The Central Bank may designate a type of Virtual Asset as constituting a Means of Payment.

              2.

              The Central Bank may require any Person which, within the UAE or directed at Persons in the UAE, issues Virtual Assets or performs services relating to Virtual Assets, to provide the Central Bank with such information as the Central Bank requires in order to determine whether to designate the Virtual Asset as a Means of Payment.

              3.

              For the avoidance of doubt, reference to ‘the UAE’ in this Article (2) excludes the jurisdiction of the Financial Free Zones.

            • Article (4): Exemptions

              1.

              Payment Token Services limited to the following types of Payment Tokens and posing a low level of risk to Customers and the financial system are exempt from this Regulation:

              a)

              Payment Tokens used for certain reward schemes. Such Payment Tokens may only be:

              (i)

              issued in return for a sum of money paid by (A) the Payment Token Issuer; or (B) a Merchant under an agreement with the Payment Token Issuer; and

              (ii)

              used for making payments for goods or services provided by the Payment Token Issuer or Merchant under specific terms and conditions of the Payment Token Service.

              Examples may include loyalty schemes provided by shops and supermarkets that offer Payment Token rewards for customer loyalty;

              b)

              Payment Tokens used for certain bonus point schemes:

              (i)

              Such Payment Tokens may be used as points or units (by whatever name called) provided by (A) the Payment Token Issuer; or (B) a Merchant who agrees to provide goods or services to the Customer under an agreement with the Payment Token Issuer.

              (ii)

              The Customer may only use the Payment Token for making payments for goods or services provided by the Payment Token Issuer or a Merchant.

              Examples are airline mileage programmes and customer loyalty schemes that provide Payment Tokens to customers to reward their patronage, and whereby such Payment Tokens are not redeemable for cash;

              c)

              Payment Tokens that can only be used as a Means of Payment for non-financial goods or services provided by the Payment Token Issuer; or

              d)

              Payment Tokens falling within Article (4)2.

              2.

              The Central Bank may exempt a Payment Token Issuer from licensing and other requirements under this Regulation with respect to its Payment Tokens, and specify the conditions for such exemption, where:

              a)

              if the Payment Token Issuer had to hold a Reserve of Assets in accordance with Article (22), the aggregate amount of the Reserve of Assets would not exceed half a million Dirham (500,000 AED) or its equivalent; and

              b)

              the aggregate number of Tokenholders is not more than 100.

              3.

              The Central Bank may determine that a Payment Token Service is not exempt or is no longer exempt and require the Person performing the service to apply for a License.

          • Part 4

            • Article (5): License Categories

              1.

              A Person that intends to provide Payment Token Services shall as appropriate apply for one or more of the following categories of License:

              a)

              Dirham Payment Token Issuer;

              b)

              Payment Token Custodian and Transferor; and

              c)

              Payment Token Conversion.

              2.

              A Person not incorporated and located in the UAE may apply for a Foreign Payment Token Issuer Registration. For the avoidance of doubt, this includes a Person located in a Financial Free Zone.

            • Article (6): License Conditions

              1.

              To be granted a License, an Applicant shall, at the time of submitting an Application:

              a)

              fulfil the legal form requirement as set out in Article (74) of the Central Bank Law;

              b)

              meet the respective initial capital requirements specified in Article (13) to (15); and

              c)

              provide the necessary documents and information specified in the Central Bank application form as provided by the Licensing Division.

              2.

              The Applicant must be a company incorporated in the UAE, including free zones but excluding Financial Free Zones.

              3.

              An Applicant must meet, or demonstrate that it will meet upon License issuance, the ongoing requirements set out in Article (12) to Article (36), to the extent applicable to the License category for which it has applied, in particular:

              a)

              The requirements regarding regulatory capital as set out in Article (13) to Article (15). The Central Bank may add additional requirements regarding regulatory capital or increase the existing ones as a condition for License issuance, where it considers such additional requirements necessary;

              b)

              The requirements regarding corporate governance, general risk management and internal control, and accounting system as set out in Article (34). In particular, the Board, the Senior Management, and the Controller(s) must have been approved by the Central Bank as fit and proper in the context of the Application before the License is granted;

              c)

              The requirements regarding risk management policies and procedures for the management and protection of the Reserve of Assets, as set out in Article (22);

              d)

              The requirements regarding technology and specific risk management policies and procedures for managing the risks arising from the operation of the Payment Token business, as set out in Article (34) and Article (35);

              e)

              The requirements regarding business conduct and Customer protection as set out in Article (25) to Article (32); and

              f)

              The requirements regarding anti-money laundering and countering the financing of terrorism, as set out in Article (24).

              4.

              As part of the licensing process, separate face-to-face meetings between Central Bank staff and the Applicant’s and the Applicant’s Controllers’ Boards and the Senior Management may be conducted.

               

              Independent assessments

              5.

              The Applicant is required to submit an independent assessment report not older than six (6) months assessing how it will comply with Article (6)3, covering at least the following key areas:

              a)

              capital requirements;

              b)

              corporate governance and risk management;

              c)

              Reserve of Assets management;

              d)

              technology risk management;

              e)

              payment security management;

              f)

              business continuity management;

              g)

              business conduct and Customer protection; and

              h)

              AML/CFT control systems.

              6.

              The Applicant must appoint one or more competent and qualified assessor(s), which are independent from the business units of the Applicant, to carry out the independent assessments. The assessors must not be involved in the operations to be reviewed or in selecting or implementing the relevant control measures to be reviewed, must have relevant knowledge and experience, and must be able to report their findings independently. They must also confirm to the Central Bank that there is no conflict of interest in the conduct of independent assessments.

              7.

              An Applicant for Payment Token Issuing shall, at the time of submitting an Application, provide a list of all Payment Tokens that it intends to issue. The Central Bank may require that the Applicant obtain a legal opinion for all Payment Tokens assessing whether the Payment Tokens and the operations of the Payment Token Issuer comply with Central Bank regulations including but not limited to whether the White Paper is accurate and the Reserve of Assets is properly held.

               

            • Article (7): Licensing Procedure

               

              1. The licensing of Applicants shall be subject to the procedure envisaged in the Central Bank’s licensing manual.

               

              Preliminary meeting with the Central Bank

              2. Any Person that is interested in obtaining a License may obtain the Application form from the Licensing Division of the Central Bank.
              3. The Senior Management of the Applicant is strongly encouraged to meet and discuss the Applicant’s Payment Token business plan with the Central Bank before submitting a formal Application.

               

              Consultation with home regulator

              4. Where a Controller of the Applicant is regulated by another authority, including by authorities in other jurisdictions, the Central Bank may contact the relevant authority about the Applicant to elicit the relevant authority’s views.

               

              Completing and submitting the Application

              5. An Application must be lodged with the Central Bank with the completed form and the required documents and information set out in the Annex to this Regulation.

               

              Processing of Application

              6. The Central Bank may seek any additional information it deems necessary from the Applicant to reach a decision on the Application.
              7.

              Incomplete information may result in delays. Applicants should, therefore, pay attention to the following points:

              a) All Applications must be submitted with documents and information listed in the Annex to this Regulation;
              b) Where an Application received is incomplete or supporting documents or information is lacking, the Applicant will be informed in writing that the Application will be treated as “draft” and will be asked to complete the Application or provide the missing information by a date specified by the Central Bank;
              c) Where information requested is not received by the specified date or a revised date agreed in writing by the Central Bank at the request of the Applicant, the Application may be treated as “suspended” and the Applicant will be notified of this in writing;
              d) Where an Application is “suspended”, the Applicant will be informed in writing that the processing of the Application will cease temporarily. Suspended Applications will be reactivated only when the outstanding information is submitted; and
              e) Where an Application is “suspended” for six (6) months or more for any reason, a new Application will be required if the Applicant wishes to pursue the matter further.

               

              Approval of Application

              8. The Central Bank may approve an Application for a License made by an Applicant provided that all the licensing criteria are met by the Applicant.
              9.

              The Central Bank may grant the License without conditions or subject to any conditions attached. Conditions attached to a License may include, among others:

              a) imposing a higher capital or liquidity requirement;
              b) additional requirements relating to protection of the Reserve of Assets; and
              c) restrictions on the Payment Token business or any secondary or ancillary businesses, or as to the maximum volume or value of Payment Tokens which may be issued.
              10.

              After the Central Bank has granted a License to an Applicant, the Central Bank will:

              a) assign a unique reference number to the License;
              b) specify in the License the date on which the License has taken effect; and
              c) list the details in (a) and (b) in a publicly available register on its website.
              11. A Licensee must ensure that the License reference number of the License assigned to it by the Central Bank is clearly displayed on the Licensee’s website and promotional materials.
            • Article (8): Application for a Non-Objection to perform Payment Token Conversion or Foreign Payment Token Custody and Transfer

               

              1.

              A Virtual Assets Exchange Platform Operator may apply for a Non-Objection Registration in order to perform Payment Token Conversion.

              2.

              A Bank or Exchange House may apply for a Non-Objection Registration in order to perform Dirham Payment Token Conversion.

              3.

              A Person who is licensed by SCA or any Local Licensing Authority as a Virtual Assets Service Provider to provide custody services for Virtual Assets, may apply for a Non-Objection Registration to perform Payment Token Custody and Transfer of Foreign Payment Tokens. For the avoidance of doubt, any other Person seeking to perform Payment Token Custody and Transfer shall be required to obtain a Payment Token Custodian and Transferor license from the Central Bank.

              4.

              To be granted a Non-Objection Registration, an Applicant must provide details in its Application of its SCA or Local Licensing Authority licensing status, where applicable, and the nature and extent of its SCA-licensed or Local Licensing Authority licensed business.

              5.

              To be granted a Non-Objection Registration, an Applicant must demonstrate, in such manner as the Licensing Division may direct, that it will meet any conditions imposed by the Central Bank and the requirements listed in Article (8)10 or Article (8)11.

               

              Non-Objection Registration process

              6.

              To be granted a Registration as a Payment Token Conversion Provider or Foreign Payment Token Custodian and Transferor, an Applicant shall, at the time of submitting an Application, provide the necessary documents and information specified in the Central Bank application form as provided by the Licensing Division.

              7.

              As part of the licensing process, separate face-to-face meetings between Central Bank staff and the Applicant’s and its Controllers’ Boards and Senior Management may be conducted.

              8.

              Article (7) shall apply to Applicants and Applications for Registration as a Payment Token Conversion Provider or Foreign Payment Token Custodian and Transferor, for which purposes:

              a)

              references to License, Licensee and licensing in that Article shall be construed as references to Non-Objection Registration, Registered Payment Token Conversion Provider and registration or Registered Foreign Payment Token Custodian and Transferor; and

              b)

              the Applicant shall only be required to provide such information and documents listed in the Annex as the Central Bank may specify.

              9.

              The Central Bank may contact SCA and any relevant Local Licensing Authority to obtain such information as the Central Bank considers relevant in relation to the Applicant, including in order to take into account:

              a)

              the relevant authority’s views in respect of matters such as the financial soundness and the overall internal control environment of the Applicant, and whether SCA or any relevant Local Licensing Authority has any concern about that Applicant extending its business to include Payment Token Conversion; and

              b)

              the relevant authority’s scope of and approach to regulation and supervision of the Applicant, in order to assist the Central Bank with determining which if any conditions or requirements of this Regulation (in addition to those listed in Article (7)9(c), Article (8)10 and Article (8)11, as applicable) the Central Bank will impose on the Applicant.

               

              Application of this Regulation to Registered Payment Token Conversion Providers

              10.

              Without prejudice to the other provisions of this Article (8), a Registered Payment Token Conversion Provider which is a Virtual Assets Exchange Platform Operator shall comply with the following Articles of this Regulation:

              (i)

              Article (10);

              (ii)

              Article (11);

              (iii)

              Article (12);

              (iv)

              Article (17)2;

              (v)

              Article (18);

              (vi)

              Article (24);

              (vii)

              Article (25);

              (viii)

              Article (33);

              (ix)

              Article (34);

              (x)

              Article (35);

              (xi)

              Article (36);

              (xii)

              Article (37); and

              (xiii)

              Article (38),

               

              to the extent provided for in those Articles.

              11.

              Without prejudice to the other provisions of this Article (8) and without prejudice to the application of other laws and regulations, a Registered Payment Token Conversion Provider which is a Bank or Exchange House shall comply with the following Articles of this Regulation:

              (i)

              Article (10);

              (ii)

              Article (11);

              (iii)

              Article (12);

              (iv)

              Article (17)2;

              (v)

              Article (18);

              (vi)

              Article (23);

              (vii)

              Article (24);

              (viii)

              Article (25);

              (ix)

              Article (27);

              (x)

              Article (28);

              (xi)

              Article (29);

              (xii)

              Article (33);

              (xiii)

              Article (34);

              (xiv)

              Article (35);

              (xv)

              Article (36);

              (xvi)

              Article (37); and

              (xvii)

              Article (38),

              to the extent provided for in those Articles.

              12.

              The Central Bank may apply any other provision or requirement under this Regulation, not already applicable, to a Registered Payment Token Conversion Provider or Registered Foreign Payment Token Custodian and Transferor if the Central Bank determines it necessary to do so to achieve its statutory objectives.

            • Article (9): Foreign Payment Token Issuer Registration

               

              1.

              A Person incorporated outside the UAE (which for the purposes of this Regulation would include a Person incorporated in a Financial Free Zone) may apply for a Registration as a Foreign Payment Token Issuer.

               

              Registration process

              2.

              To be granted a Registration as a Registered Foreign Payment Token Issuer, an Applicant shall, at the time of submitting an Application:

              a)

              provide the necessary documents and information specified in the Central Bank application form as provided by the Licensing Division;

              b)

              obtain written evidence of the non-objection from SCA or a Local Licensing Authority for the Registration based on a joint framework between the relevant authorities; and

              c)

              demonstrate, in such a manner as the Licensing Division may direct, that it will meet any conditions which may be imposed by the Central Bank pursuant to Article (7)9(c) and the requirements listed in Article (9)7.

              3.

              As part of the registration process, separate face-to-face meetings between Central Bank staff and the Applicant’s and its Controllers’ Boards and Senior Management may be conducted.

              4.

              An Applicant for a Foreign Payment Token Issuer Registration shall, at the time of submitting an Application, provide a list of all Foreign Payment Tokens that it intends to issue and obtain a legal opinion on the assessment for all Foreign Payment Tokens. The legal opinion must assess whether the Foreign Payment Tokens and the operations of the Payment Token Issuer comply with this Regulation including but not limited to whether the White Paper is complete and accurate.

              5.

              Article (7) shall apply to Applicants and Applications for Registration as a Foreign Payment Token Issuer, for which purposes:

              a)

              references to License, Licensee and licensing in that Article shall be construed as references to Registration, Registered Foreign Payment Token Issuer and registration;

              b)

              Article (7)3, Article (7)4, and Article (7)9(a) shall not apply; and

              c)

              the Applicant shall only be required to provide such information and documents listed in the Annex as the Central Bank may specify.

              6.

              Where the Applicant is regulated by another authority, including by authorities in other jurisdictions, the Central Bank may contact the relevant authority about the Applicant. The Central Bank may take into account the relevant authority’s views in respect of matters such as the financial soundness and the overall internal control environment of the Applicant, and whether the relevant authority has any concern about that Applicant extending its Payment Token business to the UAE.

               

              Application of this Regulation to Registered Foreign Payment Token Issuers

              7.

              Without prejudice to the remainder of this Article (9), a Registered Foreign Payment Token Issuer shall comply with the following Articles of this Regulation:

              a)

              Article (10);

              b)

              Article (11);

              c)

              Article (12);

              d)

              Article (17);

              e)

              Article (18);

              f)

              Article (21)1 to Article (21)5;

              g)

              Article (24);

              h)

              Article (25)1 and Article (25)3;

              i)

              Article (26); and

              j)

              Article (38),

              to the extent provided for in those Articles.

              8.

              A Registered Foreign Payment Token Issuer shall:

              a)

              hold a reserve of the same value as the total value of Foreign Payment Tokens which that Foreign Payment Token Registree has issued, and denominated in the same currency as that of the Foreign Payment Tokens which that Foreign Payment Token Registree has issued;

              b)

              procure and publish regular audits of the reserve referred to in (a) by an External Auditor;

              c)

              at any time requested by the Central Bank, demonstrate that it holds Fiat Currency received from Customers for the issuance of Payment Tokens to equivalent standards of proper management and safekeeping as are set out in Article (22); and

              d)

              comply with all laws, regulations and guidance which apply to it in the jurisdiction of its incorporation and in any other jurisdiction in which it operates, including but not limited to AML/CFT laws and regulations.

            • Article (10): Suspension, Withdrawal and Revocation of License or Registration

              1. The Central Bank may suspend, withdraw or revoke a License or Registration as stipulated in the Central Bank Law.
              2. Where a License or Registration is suspended, withdrawn or revoked, the Licensee or Registree must immediately cease to perform Payment Token Services.
          • Part 5

            • Article (11): Authority Over Licensees and Registrees

              1.

              The Central Bank may take all measures and actions it deems appropriate in relation to a Licensee or Registree for achieving its objectives and discharging its functions, and may particularly take one or more of the following actions, if a material violation to the provisions of this Regulation has occurred:

              a)

              The Central Bank may require the concerned Licensee or Registree to take necessary actions to rectify the situation immediately;

              b)

              The Central Bank may appoint a specialized expert, or a Central Bank employee, to advise or guide the concerned Licensee or Registree or oversee some of its operations, for a period specified by the Central Bank. The concerned Licensee or Registree shall pay remuneration for such appointee if he is an expert from outside the Central Bank;

              c)

              The Central Bank may appoint a manager where the Central Bank is of the view that the management of a Licensee cannot be relied upon to take appropriate steps to rectify a situation. The main objectives of appointing a manager to take control of the management of a Licensee are:

              (i)

              to provide for the control of the affairs, business and property of a Licensee until such time as the Central Bank is satisfied that its concerns in relation to that Licensee have been addressed; or

              (ii)

              to safeguard the assets and maintain the business of the Licensee until a liquidator can be appointed;

              d)

              The Central Bank may take any other action or measure, or impose any penalties it deems appropriate, in relation to a Licensee or Registree.

              2.

              Where the Central Bank provides a Non-Objection Registration to a Virtual Assets Exchange Platform Operator, the Central Bank will coordinate with the relevant Local Licensing Authorities before and when taking any measures or actions under Article (11)1.

            • Article (12): Restrictions on Payment Tokens

              1.

              All Payment Tokens issued by a Dirham Payment Token Issuer shall be denominated only in Dirham.

              2.

              All Payment Tokens issued by a Foreign Payment Token Issuer shall be denominated only in a Foreign Currency.

              3.

              A Payment Token Issuer may not (and may not arrange that another person shall) pay to or for the benefit of a Customer:

              a)

              interest related to the length of time during which the Customer holds a Payment Token; or

              b)

              any other benefit related to the length of time during which the Customer holds a Payment Token,

              with respect to Payment Tokens for which the Payment Token Issuer performs Payment Token Issuing.

              4.

              The Central Bank may place a limit(s) on:

              a)

              the total volume or value of Payment Tokens which a Dirham Payment Token Issuer may sell or transfer, or restrict the sale or transfer of further Payment Tokens by that Payment Token Issuer;

              b)

              the total volume or value of Payment Tokens which a Foreign Payment Token Issuer may sell or transfer to Persons in the UAE, or restrict the sale or transfer of further Payment Tokens by that Payment Token Issuer to Persons in the UAE;

              c)

              the total number of Customers, or restrict the onboarding of new Customers, to which a Dirham Payment Token Issuer may sell or transfer its Payment Tokens;

              d)

              the total number of Customers in the UAE, or restrict the on-boarding of new Customers in the UAE, to which a Foreign Payment Token Issuer may sell or transfer its Payment Tokens;

              e)

              the total volume or value of Payment Tokens which a Payment Token Conversion Provider may buy, sell or admit to trading on its platform; and

              f)

              the total number of Customers to which a Payment Token Conversion Provider or Payment Token Custodian and Transferor may provide services, or the on-boarding of new Customers by that Payment Token Conversion Provider or Payment Token Custodian and Transferor.

              5.

              If the Central Bank determines that to do so is necessary to achieve its statutory objectives, the Central Bank may impose any other restrictions on a specific Licensee or Registree, or across Licensees and Registrees.

              6.

              If the Central Bank determines that to do so is necessary to achieve its statutory objectives, the Central Bank may designate any Virtual Asset to be a Payment Token whether or not it is sold or transferred by a Payment Token Issuer, and may impose any one or more of the restrictions set out in Article (12)4 in relation to such Designated Payment Token.

              7.

              If the Central Bank imposes any restriction set out in Article (12)4, the Licensed Payment Token Service Provider, Registered Foreign Payment Token Issuer, Registered Foreign Payment Token Custodian and Transferor or Registered Payment Token Conversion Provider must:

              a)

              provide the Central Bank with daily reporting evidence verifying its compliance with such restriction(s); and

              b)

              maintain policies and procedures to ensure that any breach of such a restriction is rectified promptly.

            • Article (13): Regulatory Capital Requirement for Licensed Payment Token Issuers

              1.

              A Licensed Payment Token Issuer must maintain at least:

              a)

              Initial and ongoing capital of fifteen (15) million Dirhams; plus

              b)

              additional ongoing capital of at least 0.5% of the Fiat Currency face value of outstanding Payment Tokens.

              2.

              A Payment Token Issuer subject to the alternative requirement for the Reserve of Assets as set out in Article (22)3 must, instead of the requirement in Article (13)1 above, maintain at least:

              a)

              initial and ongoing capital of fifteen (15) million Dirhams; plus

              b)

              additional ongoing capital of at least 2% of the Fiat Currency face value of outstanding Payment Tokens.

            • Article (14): Regulatory Capital Requirement for Licensed Payment Token Custodians and Transferors and Licensed Payment Token Conversion Providers

              1.

              A Licensed Payment Token Service Provider performing Payment Token Custody and Transfer or Payment Token Conversion shall:

              a)

              where the monthly average value of Payment Token Transfers initiated, facilitated, effected, directed or received by that Licensed Payment Token Service Provider as part of those Payment Token Services amounts to ten (10) million Dirhams or above, hold regulatory capital of at least three (3) million Dirhams; and

              b)

              where the monthly average value of Payment Token Transfers initiated, facilitated, effected, directed or received by that Licensed Payment Token Service Provider as part of those Payment Token Services amounts to less than ten (10) million Dirhams, hold regulatory capital of at least one and a half (1.5) million Dirhams.

              2.

              For a Licensed Payment Token Service Provider falling within Article (14)1(b) whose monthly average value of Payment Token Transfers referred to in Article (14)1 rises above ten (10) million Dirhams in three (3) consecutive months, the Licensee shall report this fact to the Central Bank and become subject to the higher regulatory capital requirement in Article (14)1(a).

              3.

              The monthly average value of Payment Token Transfers referred to in Article (14)1 shall:

              a)

              be calculated on the basis of the moving average of the preceding three (3) months or, where such data does not exist at the time of being granted a License by the Central Bank, on the basis of the business plan and financial projections provided; and

              b)

              take into account both Payment Token Transfers initiated, facilitated, effected or directed by a Licensed Payment Token Service Provider and those received by the provider.

            • Article (15): Regulatory Capital Supplementary Requirements (for all Licensed Payment Token Service Providers)

              1.

              The Central Bank may impose aggregate regulatory capital requirements higher than that provided for in Article (13) and Article (14) if, taking into consideration the scale and complexity of the Licensee’s business, it considers such higher requirements essential to ensuring that the Licensee has the ability to fulfil its obligations under this Regulation.

              2.

              An Applicant shall provide information to the Central Bank on the source(s) of funds that constitute the regulatory capital held under Article (13) or Article (14).

              • Capital Items

                3.

                A Licensed Payment Token Service Provider’s aggregate regulatory capital shall consist of:

                a) Paid-up capital;
                b) Reserves, excluding revaluation reserves; and
                c) Retained earnings.
                4. In addition to the capital requirement, an unconditional irrevocable bank guarantee equal to the full paid-up capital amount in favour of the Central Bank paid upon first demand, shall be submitted to the Central Bank with the application of the License. Such a guarantee must remain in place at all times.
                5. A Licensee must demonstrate that its regulatory capital and other financial resources are sufficient for implementing its business model in a safe, efficient and sustainable manner, without compromising the interests of Customers.
                6. A Licensee must provide adequate details to the Central Bank on the source of funds that will be used to support the proposed business activities.
                7. A Licensee must demonstrate that it will be able to maintain sufficient regulatory capital and other financial resources to facilitate an orderly wind-down of its Payment Token business, including a smooth refunding process.
              • Deductions

                8.

                The following items shall be deducted from the aggregate regulatory capital:

                a)

                Accumulated losses;

                b)

                Anticipated losses in the first year of operation;

                c)

                Goodwill;

                d)

                Any assets encumbered to secure the unconditional irrevocable bank guarantee; and

                e)

                Any other items which the Central Bank may direct from time to time.

                9.

                If a Licensed Payment Token Service Provider is both:

                a)

                Licensed as a Payment Token Conversion Provider or Payment Token Custodian and Transferor; and

                b)

                licensed or regulated for any Virtual Asset activities by SCA or any Local Licensing Authority,

                any regulatory capital it holds pursuant to requirements imposed by SCA or any Local Licensing Authority shall not contribute towards satisfying the regulatory capital requirements in this Article (15).

            • Article (16): Assessment of Controllers and Senior Management

              1.

              A Person shall not become a Controller or member of Senior Management of a Licensed Payment Token Service Provider without obtaining prior approval from the Central Bank.

              2.

              The Central Bank shall grant an approval under Article (16)1 if it considers that the proposed Controller or member of Senior Management meets all fit and proper requirements specified by the Central Bank.

              3.

              The Central Bank may attach conditions to its approval under Article (16)1 of a Controller, including but not limited to:

              a)

              conditions restricting or preventing the Person’s disposal or further acquisition of shares or voting powers in the Licensed Payment Token Service Provider; and

              b)

              conditions restricting or preventing the Person’s exercise of voting power in the Licensed Payment Token Service Provider.

            • Article (17): Principal Business

              1.

              The exclusive business of a Payment Token Issuer shall be the performance of the Payment Token Issuing for which it has been granted a License.

              a)

              In addition to performing the sale or transfer of Payment Tokens that forms part of its Payment Token Issuing, a Payment Token Issuer shall be responsible for the generation of Payment Tokens, development and maintenance of associated technology required for Payment Tokens to operate in accordance with their White Paper and Customer Terms, and burning of Payment Tokens. If any of those activities are performed by another Person, they must be performed on behalf of the Payment Token Issuer and in accordance with the outsourcing requirements under Article (20).

              2.

              The exclusive business of a Payment Token Conversion Provider or Payment Token Custodian and Transferor which is a Virtual Assets Exchange Platform Operator shall be the performance of:

              a)

              any Payment Token Conversion and Payment Token Custody and Transfer activities for which it has been granted a License or Non-Objection Registration; and

              b)

              any Virtual Asset activities for which it is licensed or regulated by SCA or any Local Licensing Authority prior to receipt of its License or Non-Objection Registration under this Regulation.

              3.

              The exclusive business of a Payment Token Conversion Provider or Payment Token Custodian and Transferor which is an Exchange House shall be the performance of:

              a)

              any Payment Token Conversion and Payment Token Custody and Transfer activities for which it has been granted a License or Non-Objection Registration; and

              b)

              any activities for which it is licensed or regulated by the CBUAE under the Regulations re Licensing and Monitoring of Exchange Business.

              4.

              The exclusive business of a Payment Token Conversion Provider or Payment Token Custodian and Transferor which is licensed under the Retail Payment Services and Card Schemes Regulation or the Stored Value Facilities (SVF) Regulation shall be the performance of:

              a)

              any Payment Token Conversion and Payment Token Custody and Transfer activities for which it has been granted a License; and

              b)

              any activities for which it is licensed, regulated or otherwise approved by the CBUAE under the Retail Payment Services and Card Schemes Regulation or the Stored Value Facilities (SVF) Regulation.

              5.

              Except where one of Article (17)2 to Article (17)4 applies or the Payment Token Conversion Provider or Payment Token Custodian and Transferor is a Bank, the exclusive business of a Payment Token Conversion Provider or Payment Token Custodian and Transferor shall be the performance of any Payment Token Conversion and Payment Token Custody and Transfer activities for which it has been granted a License.

            • Article (18): Notification and Reporting Requirements

              1.

              Where any material change affects the accuracy and completeness of information provided in an Application, the Applicant, Licensee or Registree, as the case may be, shall immediately notify the Central Bank of such change and provide all necessary information and documents.

              2.

              A Licensee or Registree shall immediately notify the Central Bank of any violation or potential violation of any provision of this Regulation or CBUAE Regulations. Such notification must be accompanied by details of adequate measures which the Licensee or Registree will implement to rectify the violation.

              3.

              A Licensee or Registree shall immediately notify the Central Bank if it becomes aware that any of the following events have occurred or are likely to occur:

              a)

              any event that prevents access to or disrupts the operations of the Licensee or Registree;

              b)

              any legal action taken against the Licensee or Registree either in the UAE or in a Third Country;

              c)

              the commencement of any insolvency, winding up, liquidation or equivalent proceedings in relation to the Licensee or Registree, or the appointment of any receiver, administrator or provisional liquidator under the laws of any country;

              d)

              any disciplinary measure or sanction taken against the Licensee or Registree or imposed on it by a regulatory body other than the Central Bank, whether in the UAE or in a Third Country;

              e)

              any change in regulatory requirements to which a Licensee or Registree is subject beyond those of the Central Bank, whether in the UAE or in a Third Country;

              f)

              any repeated occurrence of sales of a Payment Token at below its nominal/Fiat Currency face value where the sale is by or facilitated by the Licensee or Registree; or

              g)

              any other event specified by the Central Bank from time to time.

              4.

              Payment Token Conversion Providers and Payment Token Custodian and Transferors shall report to the Central Bank on the volume and value of business that they conduct in relation to Virtual Assets which are not Payment Tokens, in accordance with such reporting requirements as the Central Bank may determine from time to time.

              5.

              Licensees shall report to the Central Bank on their complaints management programme, including reporting on the number of complaints received, the topics of complaints, the number of open and closed complaints, and the amount of time complaints have been open or took to close, in accordance with such reporting requirements as the Central Bank may determine from time to time.

              6.

              Licensees and Registrees must comply with any further regular or ad-hoc reporting as determined by the Central Bank.

              7.

              Notwithstanding the paragraphs above, Licensees and Registrees shall, as appropriate and applicable, comply with their notification requirements as further specified in this Regulation, including but not limited to under:

              a)

              Article (14)2;

              b)

              Article (19)4(a);

              c)

              Article (22)8(a);

              d)

              Article (24); and

              e)

              Article (34)15.

            • Article (19): Use of Agents

              1.

              Where a Licensee intends to perform Payment Token Services through an Agent, it must conduct an assessment of such arrangement and provide a report to the Central Bank of the following:

              a)

              name and address of each Agent;

              b)

              assessment of the adequacy of the internal control mechanisms that will be used by the Agent in order to comply with the requirements of Article (33) and any CBUAE Regulations produced under it;

              c)

              assessment of the Persons responsible for the management of the Agent, and evidence that they fulfil any fit and proper requirements specified by the Central Bank;

              d)

              the scope of Payment Token Services for which the Agent is mandated; and

              e)

              evidence of the Licensed Payment Token Service Provider’s adherence, in its contractual arrangements with the Agent, to Article (20).

              2.

              The Central Bank shall assess the suitability of a proposed Agent and Agent arrangements based on the report submitted under Article (19)1, and may require the Licensee to supply additional information for its assessment.

              a)

              Following its assessment, the Central Bank shall make a decision whether to approve or decline to approve the Agent.

              b)

              The Licensee shall not engage an Agent to perform Payment Token Services before having received such approval.

              3.

              Licensees shall contractually ensure that Agents acting on their behalf disclose this fact to Customers.

              4.

              Licensees shall:

              a)

              immediately notify the Central Bank of any change regarding their use of Agents; and

              b)

              on an annual basis conduct an additional assessment and provide an additional report to the Central Bank of the matters listed in Article (19)1.

              5.

              The Central Bank may suspend, withdraw or revoke its approval of an Agent. Where the approval of an Agent is suspended, withdrawn or revoked, the Licensee must ensure that the Agent immediately ceases to perform Payment Token Services on the Licensee’s behalf.

              6.

              Licensees shall be responsible for ensuring and maintaining appropriate training and qualifications for their Agents.

              7.

              A Payment Token Service performed by an Agent shall be treated as performed by its principal Licensees.

            • Article (20): Outsourcing

              All Licensees shall comply with the Outsourcing Regulation as if they were a “Bank” as defined in the Outsourcing Regulation.

          • Part 6

            • Article (21): Issuance and Redemption of Payment Tokens

              1.

              A Payment Token Issuer must:

              a) on receipt of payment for a Payment Token, without delay transfer the Payment Token to the Wallet nominated by the purchaser; and
              b) at the request of the Tokenholder, without delay (and in any case by the same time on the next Business Day after the day on which the request was made, unless the Central Bank permits otherwise) redeem (or, in the case of a Foreign Payment Token, initiate redemption) in Fiat Currency at par value the Dirham (AED) or Foreign Currency denominated face value of the Payment Token presented by the Tokenholder to the Payment Token Issuer for redemption.
              2. A Tokenholder may request redemption of a Payment Token without any limitation in time. The Central Bank may extend the Dormant Accounts Regulation, or any provision thereof to Payment Token Issuers.
              3. A Tokenholder shall not be entitled to a Payment Token once it is redeemed.
              4. A Payment Token Issuer must provide a Customer with a Customer Agreement that clearly and prominently states the conditions of redemption, including any fees relating to redemption, in good time before the parties enter into the Customer Agreement.
              5. Redemption may be subject to a fee only where the fee is proportionate and commensurate with the costs actually incurred by the Payment Token Issuer.
              6.

              A Licensed Payment Token Issuer must:

              a) maintain a copy of the Distributed Ledger Technology on which its Payment Tokens are issued;
              b) put in place a process to enable Customers to redeem their Payment Tokens in the event of a failure or other disruption of the Distributed Ledger Technology on which the Payment Token is issued, which does not rely on the normal operation of that Distributed Ledger Technology; and
              c) in the event that a ‘fork’ or similar event results in the creation of one or more versions of a Payment Token, redeem any one version of each Payment Token as if it were the version of the Payment Token that the Payment Token Issuer originally sold or transferred.
            • Article (22): Management and Safekeeping of the Reserve of Assets

              Requirement for a Reserve of Assets

              1.

              A Licensed Payment Token Issuer must have in place an effective and robust system to protect and manage the Reserve of Assets to ensure that the constituent assets:

              a)

              are deployed for the prescribed usage only;

              b)

              are protected against claims by other creditors of the Licensee in all circumstances; and

              c)

              are protected from operational and other relevant risks.

               

              Composition of the Reserve of Assets

              2.

              A Licensed Payment Token Issuer must hold the Reserve of Assets as cash in a separate escrow account that:

              a)

              is wholly denominated in the same currency as the Payment Tokens in relation to which it is held;

              b)

              it holds in its name with another Person not in its Group which is a Bank licensed in the UAE;

              c)

              is designated in such a way as to show that it is an account which is held for the purpose of safeguarding the Reserve of Assets in accordance with this Regulation; and

              d)

              is used only for holding that Payment Token Issuer’s Reserve of Assets.

              3.

              Where a Licensed Dirham Payment Token Issuer is a wholly-owned subsidiary of a Bank, it may choose, as an alternative to holding 100% of the Reserve of Assets in accordance with Article (22)2, to hold at least 50% of the Reserve of Assets as cash in accordance with Article (22)2 and invest the remaining portion of the Reserve of Assets in UAE government bonds and Central Bank of the UAE Monetary Bills (M-bills) that have an average duration of 6 months or less. If the Dirham Payment Token Issuer makes such a choice, it must hold regulatory capital in accordance with Article (13)2.

              4.

              The Central Bank may require a Licensed Payment Token Issuer to hold the Reserve of Assets as cash in an account held with the Central Bank, rather than on one of the other bases permitted under this Article (22).

               

              Protection of the Reserve of Assets

              5.

              A Licensed Payment Token Issuer must put in place an effective contractual arrangement to ensure that, in the event of its insolvency, its Customers have a legal right and claim to payment of all amounts owed on the redemption of their Payment Tokens from the Reserve of Assets. A Licensed Payment Token Issuer shall, at the request of the Central Bank, seek an external legal opinion on the protection arrangement of the Reserve of Assets to ensure the legal soundness of the arrangements, and commission an independent review to ensure the operational soundness.

              6.

              A Licensed Payment Token Issuer must ensure that no other Person has any claim on or interest in the Reserve of Assets.

              7.

              The Reserve of Assets held in relation to one type of Payment Token must be segregated (including being held in a different account or Wallet) from that held in relation to any other type of Payment Token.

               

              Management of the Reserve of Assets

              8.

              A Licensed Payment Token Issuer must ensure that the value of its Reserve of Assets amounts at least to the total Fiat Currency face value of Payment Tokens in circulation, including without limitation by putting in place:

              a)

              an adequate process to ensure timely and accurate records of cash or Payment Tokens paid into and out of a Reserve of Assets, with appropriately regular reconciliation between system records and the actual Reserve of Assets (e.g. balances of the account or Wallet holding the Reserve of Assets). Such reconciliation must be done at least on a daily basis and reported to the Central Bank daily;

              b)

              a monthly audit by an External Auditor, who is not an officer or employee of the Payment Token Issuer or an officer or employee of another company or undertaking in its Group, to confirm that, during the course of the preceding month, the value of its Reserve of Assets amounted at all times at least to the total Fiat Currency face value of Payment Tokens in circulation; and

              c)

              effective internal control measures and procedures, which constitute an integral part of the Licensee’s or Registree’s overall robust internal control system, to protect the Reserve of Assets from possible misappropriation and all operational risks, including the risk of theft, fraud and misappropriation.

            • Article (23): Safeguarding of Payment Tokens Held in Relation to the Performance of Payment Token Custody and Transfer

              1.

              Payment Token Custodians and Transferors must keep Customer Payment Tokens in a separate Wallet from any Wallet that it uses to hold any other Virtual Assets.

              2.

              A Wallet in which Customer Payment Tokens are placed under Article (23)1 must:

              a)

              be designated as a Wallet held for the purpose of safeguarding or holding Customer Payment Tokens in accordance with this Regulation; and

              b)

              be used only for holding those Customer Payment Tokens.

              3.

              No person other than the Customer may have any interest in or right over the Customer Payment Tokens placed in a Wallet in accordance with Article (23)1.

              4.

              The Payment Token Custodian and Transferor must keep a record of any Customer Payment Tokens segregated in accordance with Article (23)1.

          • Part 7

            • Article (24): Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations

              1.

              This Article (24) applies to an AML Obligor in addition to, and without prejudice to, that AML Obligor’s obligations under other applicable UAE AML/CFT laws and regulations, including but not limited to the AML Law.

              2.

              AML Obligors must comply with relevant and applicable UAE AML/CFT laws and regulations, address money laundering and terrorist financing risks through appropriate preventive measures to deter abuse of the sector as a conduit for illicit funds, detect money laundering and terrorist financing activities and report any suspicious transactions to the Financial Intelligence Unit at the Central Bank.

              3.

              AML Obligors must have comprehensive and effective internal AML/CFT policies, procedures and controls in place.

              4.

              AML Obligors shall be prohibited from invoking banking, professional or contractual secrecy as a pretext for refusing to perform their statutory reporting obligation in regard to suspicious activity.

              5.

              Payment Token Services shall be considered to carry high money laundering and terrorist financing risk due to their speed, anonymity and cross-border nature.

              6.

              AML Obligors must identify, assess, and understand the AML/CFT risks to which they are exposed and conduct enterprise-level and business relationship-specific risk assessments. Accordingly, all AML/CFT CDD, monitoring and controls must be risk-based and aligned to the risk assessments.

              7.

              AML Obligors shall undertake an AML/CFT risk assessment and take appropriate measures to manage and mitigate the identified risks in accordance with applicable legal and regulatory requirements. AML Obligors shall comply with the FATF Guidance for a Risk-based Approach to Virtual Assets and Virtual Assets Service Providers, as may be supplemented from time to time, or any related standards or guidance in assessing and managing risks in Payment Token Services.

              8.

              AML Obligors shall undertake periodic risk profiling of Customers and assessment based on the AML/CFT requirements.

              9.

              AML Obligors shall assess whether a business relationship presents a higher money laundering and terrorist financing risk and assign a related risk rating. AML Obligors shall be prohibited from dealing in any way with shell banks or other shell financial institutions and from establishing or maintaining any business relationship or conducting any Payment Token Services under an anonymous or fictitious name or by pseudonym or number.

              10.

              AML Obligors shall ensure that their CDD models are designed to address the specific risks posed by a Customer profile and Payment Token or Payment Token Service features. AML Obligors shall be prohibited from establishing or maintaining any business relationship with a Customer or performing any Payment Token Services for a Customer in the event that they are unable to complete adequate risk-based CDD measures for any reason for that Customer.

              11.

              AML Obligors must undertake CDD measures concerning Wire Transfers as stipulated in the relevant provisions of the AML Law if Wire Transfer services are provided by the AML Obligor. AML Obligors must introduce appropriate systems for screening, as part of the CDD process, on all parties involved in a transaction against all applicable sanction lists (including the UN sanction lists and the names contained in the ‘search notices’/‘search and freeze notices’ issued by the Central Bank).

              12.

              If AML Obligors conduct Wire Transfers, they must take freezing action and prohibit conducting transactions with designated persons and entities, as per the obligations set out in the Central Bank’s Notice 103/2020 on the Implementation of United Nations Security Council (UNSC) and the UAE Cabinet Resolutions regarding UNSC and Local Lists, as amended from time to time.

              13.

              AML Obligors must also be guided by FATF Standards on anti-money laundering and countering the financing of terrorism and proliferation. AML Obligors must incorporate the regular review of AML/CFT trends and typologies into their compliance training programmes as well as into their risk identification and assessment procedures.

               

              Risk Factors

              14.

              In assessing the risk associated with a Payment Token or Payment Token Service for the purposes of Article (24)6, 7, 10 and 13, AML Obligors must take into account the following risk factors:

              a)

              maximum stored value or transaction amount of the Payment Token Service or Wallet – Payment Token Services or Wallets which enable higher transaction values or higher maximum stored value may increase the money laundering and terrorist financing risk;

              b)

              methods of funding – Payment Token Services or Wallets that can be funded by cash or with little or no audit trail present a higher money laundering and terrorist financing risk. Funding from unverified sources or via other payment methods without Customer identification can also create an anonymous funding mechanism and hence present higher money laundering and terrorist financing risks;

              c)

              cross-border usage – in general, Payment Tokens and Payment Token Services providing for cross-border usage may increase the risk as transactions may be subject to different AML/CFT requirements and oversight in other jurisdictions and also give rise to difficulties with information sharing;

              d)

              person-to-person fund transfer function – Payment Tokens and Payment Token Services that allow person-to-person fund transfers may give rise to higher money laundering and terrorist financing risks;

              e)

              cash withdrawal function – Payment Tokens and Payment Token Services that enable access to cash for instance through automated teller machine networks may increase the level of money laundering and terrorist financing risk;

              f)

              holding of multiple Wallets – Payment Token Services that allow a Customer to hold more than one Wallet may also increase the money laundering and terrorist financing risk as it may be utilized by a third-party user other than the Customer;

              g)

              payment for high-risk activities – some Merchant activities, for example, gaming, present higher money laundering and terrorist financing risks.

              15.

              The money laundering and terrorist financing risks of a Payment Token or Payment Token Service can be reduced by implementing risk mitigating measures, which may include:

              a)

              the application of limits on the maximum storage values, cumulative turnover or transaction amounts;

              b)

              disallowing higher risk funding sources;

              c)

              restricting the Payment Token Services from being used for higher risk activities;

              d)

              restricting higher risk functions such as cash access; and

              e)

              implementing measures to detect multiple Wallets held by the same Customer or group of Customers.

              16.

              The level of money laundering and terrorist financing risks posed by a particular Payment Token or Payment Token Service will depend on a consideration of all risk factors, the existence and effectiveness of risk mitigating measures and their functionality.

              17.

              AML Obligors must assess whether a business relationship with a Customer presents a higher money laundering and terrorist financing risk and assign a related risk rating. Generally, the Customer risk assessment will be based on the information collected during the identification stage and subsequently updated as new information becomes available through ongoing due diligence and transaction monitoring. AML Obligors must ensure that their CDD models are designed to address the specific risks associated with their Customer profile and Payment Token or Payment Token Service features.

               

              Compliance management arrangements

              18.

              AML Obligors must have appropriate compliance management arrangements that facilitate their implementation of AML/CFT systems to comply with relevant legal and regulatory obligations and to manage money laundering and terrorist financing risks effectively. Compliance management arrangements must at a minimum include oversight by the AML Obligor’s Senior Management and appointment of a compliance officer and a money laundering reporting officer.

              19.

              In addition, AML Obligors must put in place comprehensive AML/CFT policies and procedures in accordance with the AML/CFT laws and regulations.

               

              Use of technology

              20.

              The Central Bank supports innovative means by which AML Obligors implement AML/CFT systems effectively as well as exploring the greater use of technology and analytical tools. The Central Bank expects AML Obligors, before introducing any new product, service or technology, to conduct adequate risk assessments and ensure that any identified risks are effectively managed or mitigated.

              21.

              In general, the electronic Know Your Customer process currently adopted by licensed banks for digital onboarding of Customers is acceptable for Wallet opening and provision of Payment Token Services. No physical face-to-face meetings with the Customer or physical documents verification are required so long as the digital authentication of the Customer and digital verification of all required documents can be done in accordance with the existing requirements of the Central Bank.

              22.

              Depending on the nature of the relationship, AML Obligors may undertake additional CDD measures, including the collection of sufficient information to adequately understand the nature of the Customer’s business. The extent of CDD measures should be commensurate with the assessed money laundering and terrorist financing risks of the Customer.

              23.

              Globally there is an emerging range of new products and services involving Virtual Assets. In line with the FATF standards, before an AML Obligor offers any new products relating to Virtual Assets, it must undertake money laundering and terrorist financing risk assessment and take appropriate measures to manage and mitigate the identified risks in accordance with applicable legal and regulatory requirements. AML Obligors are encouraged to refer to the suggestions provided by the FATF Guidance for a risk-based approach to Virtual Assets.

          • Part 8

            • Article (25): Obligations Towards Customers

              1.

              Licensees and Registrees must be operated prudently and with competence in a manner that will not adversely affect the interests of their Customers.

              a) In addition, Licensees and Registrees must also observe and comply with the relevant regulatory requirements and standards on consumer protection of the Central Bank, including all relevant provisions of the Consumer Protection Regulation.
              b) For the avoidance of doubt, in case of discrepancies between this Regulation and the Consumer Protection Regulation, the respective provisions of the Consumer Protection Regulation shall prevail.
              2.

              Licensees and Registered Payment Token Conversion Providers must:

              a) maintain a copy of each Distributed Ledger Technology on which it provides Payment Token Services; and
              b) in the event that a ‘fork’ or similar event results in the creation of two or more versions of a Payment Token, treat any one version of each Payment Token presented by a Customer as being equal to any other version of the same type of Payment Token and as if it were the version of the Payment Token to which its Payment Token Service applies.
              3. Licensees and Registrees must ensure that their business is operated in a responsible, honest and professional manner. Licensees and Registrees must treat all Customers, as well as merchants, equitably, honestly and fairly at all stages of their relationship with the Licensee or Registree. Licensees and Registrees must also act in a manner that will not adversely affect the interests of their Customer.
              4. Licensees and Registered Payment Token Conversion Providers must be responsible for the acts or omissions of their Senior Management, employees, service providers and Agents in respect of the conduct of their business. Senior Management, employees and Agents of Licensees and Registered Payment Token Conversion Providers must be properly trained and qualified.
              5.

              Licensees and Registered Payment Token Conversion Providers must ensure that they adopt and, if needed, develop good business practices that can demonstrate their standard of conduct, including as follows:

              a) Due diligence must be performed by Licensees and Registered Payment Token Conversion Providers to ensure that all promotional materials it issues are accurate and not misleading;
              b) Licensees and Registered Payment Token Conversion Providers may use their websites and mobile apps to provide links to other online merchants. Before providing such links, the Licensee or Registered Payment Token Conversion Provider must carry out due diligence on the merchants to ascertain they are bona fide companies conducting legitimate business so as to manage reputational risk;
              c) Websites or apps of Licensees and Registered Payment Token Conversion Providers may only provide hyper-links to other websites that offer advisory and/or sale of Payment Token Services, or financial products and services, if the arrangements comply with all relevant legal and regulatory requirements. The Central Bank may require that the Licensee or Registered Payment Token Conversion Provider obtain a legal opinion assessing whether such arrangements comply with all relevant legal and regulatory requirements; and
              d) Licensees and Registered Payment Token Conversion Providers shall adhere to such other disclosure or customer communications requirements as the Central Bank may direct in CBUAE Regulations from time to time or otherwise require.
            • Article (26): Payment Token White Papers

              1. Obligation to publish a White Paper
                 a) No Payment Token Issuer shall perform Payment Token Issuing with respect to a Payment Token unless that Payment Token Issuer has:
                    (1) produced a White Paper in respect of that Payment Token;
                    (2) submitted the White Paper to the Central Bank;
                    (3) received the Central Bank’s acceptance of the White Paper; and
                    (4) published the White Paper,
                 in accordance with this Article (26).
                 b) The Central Bank may publish a White Paper with respect to a particular Payment Token on its website, in which case any Payment Token Issuer which publishes a web-link to the White Paper on the Central Bank website shall be deemed to have complied with Article (26)1(a).

              2. Content and form of the White Paper
                 a) A White Paper shall contain, insofar as it is relevant to each Licensee or Registered Foreign Payment Token Issuer, a detailed description of all of the following:
                    I. the Payment Token Issuer;
                    II. the type of Payment Token that will be offered to the public;
                    III. the number of Payment Tokens that will be issued and the issue price;
                    IV. the rights and obligations attached to the Payment Token and the procedures and conditions for exercising those rights;
                    V. information on the underlying technology and standards applied by the Payment Token Issuer when allowing for the holding, storing and transfer of those Payment Tokens;
                    VI. the risks relating to the Payment Token Issuer issuing Payment Tokens, the Payment Tokens, the offer to the public, and other disclosures that the Central Bank may specify;
                    VII. the Payment Token Issuer’s governance arrangements, including a description of the role, responsibilities and accountability of the third-parties responsible for operating, investment and custody of the Reserve of Assets, and, where applicable, the distribution of the Payment Tokens;
                    VIII. the constituent parts of the Reserve of Assets held by the Licensed Payment Token Issuer or similar reserve held by a Registered Foreign Payment Token Issuer;
                    IX. the custody arrangements for the Reserve of Assets or similar reserve held by a Registered Foreign Payment Token Issuer, including but not limited to the relevant segregation and safeguarding measures;
                    X. information on the nature and enforceability of rights, including any direct redemption right or any claims that holders of Payment Tokens may have on the Reserve of Assets (or other reserve held by a Registered Foreign Payment Token Issuer) or against the Payment Token Issuer issuing the Payment Tokens, including how such rights may be treated in insolvency procedures;
                    XI. information on the permitted use of a Payment Token and any restrictions on its use including having regard to Article (2) and Article (12); and
                    XII. any such other matters as the Central Bank may direct from time to time.
                 b) The White Paper shall be fair, clear and not misleading, and shall be presented in a concise and comprehensible form.
                 c) The White Paper shall be drafted in both Arabic and English.
                 d) The White Paper shall contain an attestation by the Board of the Payment Token Issuer of the White Paper’s completeness and accuracy.
                 e) The White Paper shall prominently contain the following statement:
                 “The Central Bank of the UAE is not responsible for determining the accuracy or completeness of this White Paper. The Central Bank of the UAE’s review and acceptance of this White Paper does not constitute an endorsement of the Payment Token or Payment Token Issuer to which it relates, or of the accuracy or completeness of any information or statements in this White Paper.”
                 f) The White Paper shall be dated, including with the date of the application of any update to the White Paper.
                 g) In good time before a Licensed Payment Token Issuer enters into a Customer Agreement, or a Registree enters into an agreement with a Customer relating to a Payment Token, it must (subject to Article (26)5) provide a copy of or web-link to the White Papers of all Payment Tokens to which the Customer has access pursuant to the Customer Agreement.

              3. Updates
                 A Payment Token Issuer must (subject to Article (26)5) without delay update any White Paper it has previously produced to reflect:
                 a) any material change to the information in the White Paper; or
                 b) any material addition that it would be appropriate to make to the White Paper in order to reflect any changes in the arrangements or circumstances relating to its Payment Tokens or Payment Token Issuing.

              4. Audit
                 A Payment Token Issuer must procure an audit of a White Paper by an External Auditor, who is not an officer or employee of the Payment Token Issuer or an officer or employee of another company or undertaking in its Group, to confirm that the form and content of the White Paper complies with all applicable requirements of Article (26)2(a) to (f).

              5. Notification of the White Paper
                 a) A Payment Token Issuer must submit a White Paper to the Central Bank for review and acceptance before it sells or transfers the Payment Token to any Person in the UAE (excluding a Person in a Financial Free Zone).
                    1. The Payment Token Issuer must, at the time when it submits a White Paper to the Central Bank, also submit the audit report of that White Paper, referred to in Article (26)4, to the Central Bank for review.
                    2. If the Central Bank accepts the White Paper, the Payment Token Issuer must publish the White Paper on a publicly and freely accessible website at least 7 days in advance of the Payment Token becoming available for sale or transfer to Persons in the UAE (excluding a Person in a Financial Free Zone).
                    3. If the Central Bank declines to accept the White Paper the Payment Token Issuer may resubmit an updated White Paper for approval under this Article (26)5(a).
                 b) If a Payment Token Issuer desires to amend (including, for the avoidance of doubt, making additions), or is required to amend, the White Paper previously submitted in accordance with Article (26)5(a), it must submit the amendments to the White Paper, and an audit report of the amended White Paper conducted in accordance with Article (26)4 to the Central Bank for review and acceptance before making the amendments. If the amendments are urgent, the Payment Token Issuer shall prominently bring the urgency to the attention of the Central Bank.
                    (1) If the Central Bank accepts the amendments, the Payment Token Issuer must publish the White Paper on a publicly and freely accessible website at least 14 days in advance of such amendment taking effect unless the Central Bank requires or agrees to a shorter period.
                    (2) If the Central Bank declines to accept the amendments the Payment Token Issuer may resubmit an updated White Paper for approval under this Article (26)5(b).
                 c) The Central Bank shall not be responsible for determining the accuracy or completeness of a White Paper. The Central Bank’s review and acceptance of the White Paper shall not constitute an endorsement of the Payment Token or Payment Token Issuer to which it relates, or of the accuracy or completeness of any information or statements in the White Paper.

              6. Liability for White Papers
                 a) A Payment Token Issuer shall be liable for and shall compensate a Customer within at least 28 calendar days for any and all loss or damage caused to a Customer arising from a material misstatement in a White Paper which it has published, except to the extent that any UAE law or regulation prevents the payment or provision of compensation to that Customer by the Payment Token Issuer. Any contractual exclusion or limitation of civil liability as referred to in this paragraph shall be deprived of legal effect.
                 b) In addition, the Central Bank may consider conducting an investigation and taking enforcement action against any misstatement in the White Paper.
                 c) The Central Bank shall not be liable to Customers or other Persons for the contents of any White Paper that it has accepted.

              7. Exemptions
                 The Central Bank may, at its discretion, exempt a Payment Token Issuer from one or more of the requirements in this Article (26) if equivalent documentation has been published, or obligations complied with, pursuant to regulation issued by SCA or any Local Licensing Authority.

            • Article (27): Customer Agreement

              1. In this Article (27), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

              2. A Payment Token Service Provider shall:
                 a) set out in the Customer Agreement the terms and conditions governing their contractual relationship with each Customer, including the terms required under Article (28), sufficiently in advance of entering into the contractual relationship as to allow the Customer to make an informed decision; and
                 b) provide each Customer and Tokenholder with a copy of the Customer Agreement, at their request at any time in writing and delivered as per the Customer’s or Tokenholder’s preference, including through an e-mail, mobile application or any other electronic manner.

              3. The Customer Agreement (and any changes to it) referred to in Article (27)2 shall be written in a clear, plain and understandable language, in a manner that is not misleading and shall be provided to the Customer in both Arabic and English, as may be requested by the Customer.

              4. Any changes to the Customer Agreement referred to in Article (27)2 shall be communicated to the Customer and Tokenholder by the Payment Token Service Provider sufficiently in advance and at least 30 calendar days prior to any such change becoming effective.

              5. A Customer or Tokenholder shall be entitled to terminate its Customer Agreement with a Payment Token Service Provider at no charge where it does not agree with the revised terms and conditions referred to in Article (27)4.

              6. The rights and obligations set out in a Customer Agreement shall apply as between a Payment Token Issuer and each Tokenholder, whether or not the Payment Token Issuer is aware of the identity of the Tokenholder or has made any arrangements with the Tokenholder, subject to any UAE laws which would prevent the Payment Token Issuer from performing its obligations under a Customer Agreement for that Tokenholder.

            • Article (28): Required Terms and Pre-Contractual Information

              1. In this Article (28), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

              2. A Payment Token Service Provider shall include the following terms in, and information with, its Customer Agreement, and must provide them to the Customer before the provision of any services:
                 a) schedule of fees, charges and commissions, including redemption fees, conversion rates and withdrawal charges, where applicable;
                 b) contact details of the Payment Token Service Provider, including legal name and registered address, and including the name and address of any Agent where applicable;
                 c) the form and procedure for giving consent to the initiation, facilitation, effecting or directing by a Payment Token Service Provider as part of its Payment Token Service of a Payment Token Transfer and for the withdrawal of such consent;
                 d) the communication channel between the Payment Token Service Provider and the Customer;
                 e) the manner of safeguarding of Payment Tokens as per Article (23);
                 f) the manner and timeline for notification by the Customer to the Payment Token Service Provider in case of Unauthorized Payment Token Transfers or incorrectly initiated, facilitated, effected or directed Payment Token Transfers;
                 g) the Payment Token Service Provider’s and Customer’s or Tokenholder’s liability for Unauthorized Payment Token Transfers;
                 h) information relating to terms under which a Customer may be deemed to have accepted changes to the Customer Agreement, the duration of the Customer Agreement and the rights of the parties to terminate the Customer Agreement;
                 i) the service level for the provision of the Payment Token Service; and
                 j) information on the Payment Token Service Provider’s complaint procedure.

            • Article (29): Transactional Information

              1. In this Article (29), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

              2. Payment Token Service Providers shall provide Customers with a written or an electronic statement of the Payment Token Transfers initiated, facilitated, effected, directed or received by a Payment Token Service Provider under a Customer Agreement at least once per month free of charge. The statement shall include details of (insofar as relevant) the amounts, fees, charges and commissions, the dates and times of performance and the reference numbers for each Payment Token Transfer.

              3. Immediately after the receipt of an instruction for initiation, facilitation, effecting or directing of a Payment Token Transfer, the Payment Token Service Provider of the Payer shall provide a receipt for the Payer with the following information insofar as relevant:
                 a) confirmation of the successful or unsuccessful performance of the Payment Token Transfer;
                 b) acknowledgement and reference number to track the status of the Payment Token Transfer, including:
                    (i) the date, time and amount of the Payment Token Transfer; and
                    (ii) information relating to the Payee;
                 c) the amount of the Payment Token Transfer, any related fees or charges, including any actual currency and conversion rates used, and withdrawal charges, where applicable; and
                 d) the date and time on which the Payment Token Service Provider received the instruction for the Payment Token Transfer.

              4. The Payee’s Payment Token Service Provider shall, immediately after receipt of a Payment Token Transfer, provide the Payee with a statement with the following information insofar as relevant:
                 a) reference enabling the Payee to identify the Payment Token Transfer and, where appropriate, the Payer and any information transferred with the Payment Token Transfer;
                 b) the amount of the Payment Token Transfer in the currency in which the Payment Token is denominated;
                 c) the amount of any fees or charges for the Payment Token Transfer payable by the Payee;
                 d) where applicable, the currency exchange rate used in the Payment Token Transfer by the Payee’s Licensed Payment Token Service Provider; and
                 e) the date and time on which the amount of a Payment Token Transfer is received into the Payee’s Wallet.

              5. The Payer’s Payment Token Service Provider shall ensure that instructions for a Payment Token Transfer are accompanied by the necessary information so that they can be processed accurately and completely, and also, be easily identified, verified, reviewed, audited and for any subsequent investigation if needed.

              6. The Payee’s Payment Token Service Provider shall implement procedures to detect when any necessary information is missing or inaccurate for a Payment Token Transfer.

            • Article (30): Protection of Payment and Personal Data

              1. A Licensed Payment Token Service Provider shall have in place and maintain adequate policies and procedures to protect Personal Data received or held by the provider and identify, prevent and resolve any data security breaches.

              2. Licensed Payment Token Service Providers may disclose such Personal Data to:
                 a) a third party where the disclosure is made with the prior written consent of the Customer or is required pursuant to applicable laws;
                 b) the Central Bank;
                 c) other regulatory authorities upon request/following prior approval of the Central Bank;
                 d) a court of law; or
                 e) other government bodies who have lawfully authorized rights of access.

              3. In addition to the disclosures envisaged in Article (30)2, Licensed Payment Token Service Providers may also disclose Personal Data to the corresponding Data Subject.

              4. Licensed Payment Token Service Providers shall have in place and maintain Personal Data protection controls.

              5. Personal Data shall be stored and maintained in the UAE unless otherwise approved by the Central Bank. Licensed Payment Token Service Providers must also establish a safe and secure backup of all Personal Data in a separate location for the required period of retention of five (5) years.

              6. Licensed Payment Token Service Providers shall comply with applicable legal and regulatory requirements and standards on data protection, including as set out in or pursuant to the Consumer Protection Regulation. They shall control, process and retain only Personal Data that is necessary for the provision of Payment Token Services and upon obtaining the explicit consent of the Customer.

            • Article (31): Liability for Unauthorized Payment Token Transfers and Refunds

              1. A Payment Token Custodian and Transferor shall be fully liable for any fraudulent or Unauthorized Payment Token Transfer initiated, facilitated, effected or directed by the Payment Token Custodian and Transferor or otherwise made from a Wallet maintained by the Payment Token Custodian and Transferor, whether before or after the Customer as Payer informs the Payment Token Custodian and Transferor of any potential or suspected fraud, except where there is evidence that:
                 a) the Customer acted fraudulently; or
                 b) the Customer acted with gross negligence and did not take reasonable steps to keep their Wallet safe.

              2. The Payment Token Custodian and Transferor shall refund the amount of the Unauthorized Payment Token Transfer for which it is liable to its Customer and, where applicable, restore the debited Wallet to the state it would have been in had the Unauthorized Payment Token Transfer not taken place.

              3. The Payment Token Custodian and Transferor shall provide a refund under Article (31)2 as soon as practicable and in any event no later than the end of the Business Day following the day on which it becomes aware of the Unauthorized Payment Token Transfer.

              4. Article (31)2 and Article (31)3 do not apply where the Payment Token Custodian and Transferor has reasonable grounds to suspect that fraud or gross negligence as referred to in Article (31)1 applies, and notifies the Central Bank of those grounds in writing.

              5. Other than in relation to the circumstances contemplated in paragraphs Article (31)2 to Article (31)4, on conclusion of an investigation by a Payment Token Custodian and Transferor into an error or Complaint, a Payment Token Custodian and Transferor shall pay any refund or monetary compensation due to a Customer within (7) calendar days of such conclusion or instruction. In case of a delay in payment of any refund or compensation, the Payment Token Custodian and Transferor shall update the Customer with the expected time for crediting the amount due, along with a justification for the delay.

            • Article (32): Certainty of Transfers of Payment Tokens

              1. Licensed Payment Token Issuers must exercise prudence and due diligence in their choice of Distributed Ledger Technology for their Payment Tokens, to ensure that the Distributed Ledger Technology is technologically resilient, secure and has a clear operating procedure in which Customers can identify and understand the point at which a Payment Token passes from one Wallet to another. A copy of this due diligence must be provided to the Central Bank as part of the Licensed Payment Token Issuer’s Application.

              2. Licensed Payment Token Issuers must specify, in their White Paper and Customer Agreement, the point at which the lawful power of disposal over a Payment Token transfers from a sending Tokenholder to a receiving Tokenholder in a Payment Token Transfer. This must be specific to the Distributed Ledger Technology of the Payment Token.

              3. A Person may provide evidence to a Licensed Payment Token Issuer demonstrating that, but for a ‘fork’, error or similar failure in the operation of the Distributed Ledger Technology of a Payment Token, they would be the Tokenholder of that Token, in which case the Licensed Payment Token Issuer shall give them the same rights of redemption as are given to a Tokenholder pursuant to Article (21).

              4. A Licensed Payment Token Issuer must include a warning in the White Paper and Customer Agreement for each Payment Token that they issue, that:
                 a) there is always a risk that a Payment Token Transfer may fail or be reversed or unwound as a result of the operation of the Distributed Ledger Technology, and that anyone who believes they are the victim of a failed or unwound transfer must contact the Payment Token Issuer which issued that Payment Token to ensure that they are compensated in accordance with Article (32)3; and
                 b) the Licensed Payment Token Issuer has no control over the time that a Payment Token Transfer may take to complete on the Distributed Ledger Technology, and that (aside from their obligation to submit a Payment Token Transfer to the Distributed Ledger Technology for execution) they are not responsible for ensuring that a Payment Token Transfer completes within a specific time-period. Nevertheless a comprehensive audit trail must be made available to the Customer.

          • Part 9

            • Article (33): Corporate Governance

              1. In this Article (33), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

              2. A Payment Token Service Provider must have and maintain effective, robust and well-documented corporate governance arrangements, including a clear organizational structure with well-defined, transparent and consistent lines of responsibility.

              3. The corporate governance arrangements referred to in Article (33)2 must be comprehensive and proportionate to the nature, scale and complexity of the Payment Token Services provided, and shall contain, at a minimum:
                 a) an organization chart showing each division, department or unit, indicating the name of each responsible individual accompanied by a description of the respective function and responsibilities;
                 b) controls on conflicts of interest;
                 c) controls on integrity and transparency of the Licensed Payment Token Service Provider’s operations;
                 d) controls to ensure compliance with applicable laws and regulations;
                 e) methods for maintaining confidentiality of information; and
                 f) procedures for regular monitoring and auditing of all corporate governance arrangements.

            • Article (34): General Risk Management & Internal Control Systems

              1. In this Article (34), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

              2. A Payment Token Service Provider must have and maintain robust and comprehensive policies and procedures to identify, manage, monitor and report the risks arising from the provision of Payment Token Services to which it is or might become exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.

              3. A Payment Token Service Provider’s risk management policies and procedures shall be:
                 a) kept up-to-date;
                 b) reviewed annually; and
                 c) proportionate to the nature, scale and complexity of the Payment Token Services provided.

              4. A Payment Token Service Provider must establish a risk management function, an internal audit function and a compliance function.

               

              Capital adequacy and capital planning

              5. A Payment Token Service Provider must implement an effective process for managing its capital adequacy. This process must monitor capital adequacy over time and include forward-estimations of the level of capital and the capital requirement, and ensure that the Payment Token Service Provider at a minimum complies at all times with the capital requirements set out in this regulation.

              Liquidity risk management

              6. A Payment Token Service Provider must establish and implement an effective process for managing liquidity risk that is appropriate for the size and complexity of its operations. The objective is to ensure that the Payment Token Service Provider will have sufficient liquidity to meet different financial obligations arising from its day-to-day operations as well as redemption requests under all plausible circumstances.

              Internal controls

              7. A Payment Token Service Provider must put in place a robust internal control system to promote effective and efficient operation, safeguard assets, provide reliable financial and management information, enable prevention or early detection of irregularities, fraud and errors, and ensure compliance with relevant statutory and regulatory requirements and internal policies.

              8. A Payment Token Service Provider must put in place a comprehensive business strategy and plan, including details on the strategic goals and roadmap. A business plan must normally cover proposed business in terms of geographical scope of operations, target markets and Customer breakdown, client types and base size, product and services offering, delivery channels, pricing strategy, and promotion and marketing activities.

               

              Accounting and External Audit

              9. A Payment Token Service Provider must appoint one or more External Auditor(s) to audit, on an annual basis:
                 a) the financial statements or consolidated financial statements of the Payment Token Service Provider prepared in accordance with the accepted accounting standards and practices; and
                 b) the systems, controls and technology (including any ‘smart contracts’) of the Payment Token Services provided by the Payment Token Service Provider, including the results of any penetration or cyber-attack simulation testing performed pursuant to Article (35)17, separately from any audit of non-Payment Token Services.

              10. Upon request by the Central Bank, the appointed External Auditor shall submit, directly or through the Payment Token Service Provider, a report of the audit in a form and within a timeframe acceptable to the Central Bank.

              11. In addition to the report of audit, the Central Bank may request the External Auditor to:
                 a) submit any additional information in relation to the audit, if the Central Bank considers it necessary;
                 b) enlarge or extend the scope of the audit;
                 c) carry out any other examination.

               

              Compliance and internal audit functions

              12. A Payment Token Service Provider must maintain effective compliance and internal audit functions to ensure compliance with all applicable legal and regulatory requirements as well as its own policies, procedures and controls. Among other factors, the quality of a Payment Token Service Provider’s compliance and internal audit functions will be assessed by the Central Bank based on its:
                 a) clear governance framework with Board level accountability to ensure effective policies and sufficient authorities to perform the functions;
                 b) relevant professional knowledge and experience;
                 c) independence from business units;
                 d) direct and unfettered access to the Board;
                 e) coverage, comprehensiveness and effectiveness of compliance and internal audit programs; and
                 f) ability to take timely and proactive rectifying actions upon identifying non-compliance or other control deficiencies.

              13. A Payment Token Service Provider must at least annually perform a risk assessment by its own risk management.
                 a) If the results of the risk assessment suggest that a detailed independent assessment is necessary, the Payment Token Service Provider must conduct such assessment and cover the following key areas:
                    (i) business model assessment;
                    (ii) corporate governance and risk management;
                    (iii) Reserve of Assets management;
                    (iv) technology risk management;
                    (v) security management;
                    (vi) business continuity management;
                    (vii) business conduct and consumer protection;
                    (viii) business exit plan; and
                    (ix) AML/CFT controls systems.
                 b) If the Payment Token Service Provider has an independent function elsewhere in its Group, with the relevant knowledge and experience, an independent assessment can be conducted by its internal function. Otherwise the assessment must be carried out by an independent third party.

              14. A Payment Token Service Provider must submit any assessment under Article (34)13 to the Central Bank after it has been approved by the Board, accompanied by an executive summary highlighting the key risks, most important findings and the actions for rectifying the issues.

              15. Arising from the findings of the annual risk assessment, a Payment Token Service Provider that is unable to meet its obligations must immediately report this to the Central Bank.

               

              Reputation Risk Management

              16.

              A Payment Token Service Provider shall establish and implement an effective process for managing reputational risk that is appropriate for the size and complexity of its operations.

               

              Record Keeping

              17.

              Payment Token Service Providers shall keep all necessary records of Personal Data and Payment Data for a period of five (5) years from the date of receipt of such data, unless otherwise required by other applicable laws or the Central Bank.

            • Article (35): Technology Risk and Information Security

               

              1.

              In this Article (35), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

              2.

              Payment Token Service Providers are expected to take into account international best practices and standards when designing and implementing the technology and specific risk management systems and processes.

              3.

              A Payment Token Service Provider shall establish an effective technology and cyber security risk management framework to ensure the adequacy of IT controls, cyber resilience, the quality and security, including the reliability, robustness, stability and availability, of its computer systems, and the safety and efficiency of the operations of Payment Token Services. The framework shall be fit for purpose and commensurate with the risks associated with the nature, size, complexity and types of business and operations, the technologies adopted and the overall risk management system of the Payment Token Service Provider. Consideration shall be given to adopting recognized international standards and practices when formulating such risk management framework.

              4.

              A Payment Token Service Provider’s effective technology risk management framework shall comprise proper IT governance, a continuous technology risk management process and implementation of sound IT control practices.

              5.

              A Payment Token Service Provider shall apply and meet, at a minimum, the UAE Information Assurance Standards, as amended.

              6.

              Licensed Payment Token Issuers must maintain policies and procedures on how to respond to ‘forking’ events or adverse governance actions affecting the Distributed Ledger Technology in which their Payment Tokens are issued, including by establishing a process to ensure that redemption rights are afforded in accordance with Article (21)6(c), and to prevent redemption by Persons who are not Tokenholders. Such policies and procedures must address each blockchain in which a Payment Token is issued.

              7.

              Licensed Payment Token Issuers which hold any Payment Tokens which they have issued (on their own behalf) must maintain a safeguarding and security policy setting out the manner in which the security of those Payment Tokens shall be ensured.

               

              IT Governance

              8.

              A Payment Token Service Provider shall establish a proper IT governance framework. IT governance shall cover various aspects, including a clear structure of IT functions and the establishment of IT control policies. While there could be different constructs, the major functions shall include an effective IT function, a robust technology risk management function, and an independent technology audit function.

              9.

              The Board, or a committee designated by the Board, shall be responsible for ensuring that a sound and robust risk management framework is established and maintained to manage technology risks in a manner that is commensurate with the risks posed by the Payment Token Service Provider’s Payment Token Services.

               

              Security Requirements

              10.

              A Payment Token Service Provider must clearly define its security requirements in the early stage of system development or acquisition as part of the business requirements and these must be adequately built-in during the system development stage.

              11.

              A Payment Token Service Provider that develops or provides an application programming interface (API) shall establish safeguards to manage the development and provision of the API to secure the interaction and exchange of data between various software applications.

               

              Network and Infrastructure Management

              12.

              A Payment Token Service Provider shall clearly assign overall responsibility for network management to individuals who are equipped with expertise to fulfil their duties. Network standards, design, diagrams and operating procedures shall be formally documented, kept up-to-date, communicated to all relevant network staff and reviewed periodically.

              13.

              A Payment Token Service Provider shall establish a security administration function and a set of formal procedures for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities.

              14.

              A Payment Token Service Provider shall exercise due care when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include:

              a)

              changing the default password;

              b)

              implementing strong password control, with minimum password length and history, password complexity as well as maximum validity period;

              c)

              restricting the number of privileged users;

              d)

              implementing strong controls over remote access by privileged users;

              e)

              granting of authorities that are strictly necessary to privileged and emergency IDs;

              f)

              formal approval by appropriate senior personnel prior to being released for usage;

              g)

              logging, preserving and monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs);

              h)

              prohibiting sharing of privileged accounts;

              i)

              proper safeguard of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data centre); and

              j)

              changing of privileged and emergency IDs’ passwords immediately upon return by the requesters.

               

              Cyber Security Risk

              15.

              A Payment Token Service Provider shall ensure that its cyber security risks are adequately managed through its technology risk management process. The Payment Token Service Provider shall also commit adequate skilled resources to ensure its capability to identify the risk, protect its critical services against the attack, contain the impact of cyber security incidents and restore the services.

              16.

              A Payment Token Service Provider shall establish a cyber incident response and management plan to swiftly isolate and neutralize a cyber threat and to resume affected services as soon as possible. The plan shall describe procedures to respond to plausible cyber threat scenarios.

              17.

              A Payment Token Service Provider shall regularly assess the necessity to perform penetration and cyber-attack simulation testing, based on a risk-based assessment of the likelihood of a cyber-attack and its impact (considering amongst other things the size and nature of its business). Coverage and scope of testing shall be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Payment Token Service Provider shall also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis. The Central Bank may request evidence of the risk-based assessment referred to in this paragraph, and may direct that further or alternative penetration and cyber-attack simulation testing measures be adopted.

               

              Customer Authentication

              18.

              A Payment Token Service Provider shall select and implement reliable and effective authentication techniques to validate the identity and authority of its Customers or Tokenholders. Multi-factor authentication shall be required.

              19.

              End-to-end encryption shall be implemented for the transmission of Customer passwords so that they are not exposed at any intermediate nodes between the Customer mobile application or browser and the system where passwords are verified.

               

              Login Attempts and Session Management

              20.

              A Payment Token Service Provider shall implement effective controls to limit the number of login or authentication attempts (e.g. wrong password entries), implementing time-out controls and setting time limits for the validity of authentication. If one-time passwords are used for authentication purposes, a Payment Token Service Provider shall ensure that the validity period of such passwords is limited to the strict minimum necessary.

              21.

              A Payment Token Service Provider shall have processes in place ensuring that all Payment Token Transfers occurring in the context of its Payment Token Services are logged with an appropriate audit trail.

               

              Fraud Detection Systems

              22.

              Payment Transaction monitoring mechanisms designed to prevent, detect and block fraudulent Payment Transactions must be operated by a Payment Token Service Provider, in a manner which is proportionate based on a risk-based assessment of the likelihood of fraudulent Payment Transactions and their impact (considering amongst other things the size and nature of its business). Suspicious or high-risk transactions must be subject to a specific screening, filtration and evaluation procedure. The Central Bank may request evidence of such risk-based assessment, and may direct that further or alternative monitoring mechanisms be adopted.

               

              Security advice for Customers

              23.

              A Payment Token Service Provider must provide easy-to-understand, prominent and regularly reviewed advice from time to time via effective methods and multiple channels to its Customers and Tokenholders on security precautionary measures.

              24.

              A Payment Token Service Provider must manage the risk associated with fraudulent emails, websites and mobile applications, which are designed to trick customers into revealing sensitive user information such as login identifiers, passwords and one-time passwords.

               

              Security incident reporting

              25.

              Payment Token Service Providers shall report major security and operational incidents including downtimes to the Central Bank, either immediately or in such form and on such basis as the Central Bank may direct from time to time, or as set out in CBUAE Regulations.

            • Article (36): Business Continuity

              1.

              In this Article (36), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.

              2.

              A Payment Token Service Provider shall have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery.

              3.

              A Payment Token Service Provider shall put in place a set of recovery strategies to ensure that all critical business functions identified in a business impact analysis can be recovered in accordance with the predefined recovery timeframe. These recovery strategies shall be clearly documented, thoroughly tested and regularly reviewed to ensure achievement of recovery targets.

              4.

              A Payment Token Service Provider shall put in place effective measures to ensure that all business records, in particular Customer records, can be timely restored in case they are lost, damaged, or destroyed. A Payment Token Service Provider shall also allow Customers to access their own records in a timely manner. A Payment Token Service Provider shall notify Customers of any loss in their records through an operational failure or through theft, and make reasonable effort to ensure that personal records so lost are not used wrongfully.

              5.

              A Payment Token Service Provider shall develop a business continuity plan based on the business impact analysis and related recovery strategies. A business continuity plan shall comprise, at a minimum:

              a)

              detailed recovery procedures to ensure full accomplishment of the service recovery strategies;

              b)

              escalation procedures and crisis management protocol (e.g. set up of a command centre, timely reporting to the Central Bank, etc.) in case of severe or prolonged service disruptions;

              c)

              proactive communication strategies (e.g. Customer notification, media response, etc.);

              d)

              updated contact details of key personnel involved in the business continuity plan; and

              e)

              assignment of primary and alternate personnel responsible for recovery of critical systems.

              6.

              A Payment Token Service Provider shall conduct testing of its business continuity plan at least annually. Its Senior Management, primary and alternate relevant personnel shall participate in the annual testing to familiarize themselves with their recovery responsibilities.

              7.

              A Payment Token Service Provider shall review all business continuity planning-related risks and assumptions for relevance and appropriateness as part of the annual planning of testing. Formal testing documentation, including a test plan, scenarios, procedures and results, shall be produced. A post mortem review report shall be prepared for formal sign-off by Senior Management.

               

              Business exit plan

              8.

              With a view to minimizing the potential impact that a failure, disruption, or exit of a Payment Token Service Provider would have on Customers and the payment systems in the UAE, a Payment Token Service Provider is required to maintain viable plans for an orderly exit of its business and operations should other options be proven not possible.

              9.

              Among other things, a business exit plan must:

              a)

              identify a range of remote but plausible scenarios which may render it necessary for a Payment Token Service Provider to consider an exit;

              b)

              develop risk indicators to gauge the plausibility of the identified scenarios;

              c)

              set out detailed, concrete, and feasible action steps to be taken upon triggering the exit plan;

              d)

              assess the time and cost required to implement the exit plan in an orderly manner; and

              e)

              set out clear procedures to ensure that sufficient time and regulatory capital and other financial resources are available to implement the exit plan.

              10.

              A Payment Token Service Provider must review the plan on an annual basis to ensure its relevance and workability.

          • Part 10

            • Article (37): Enforcement and Sanctions

              Violation of any provision of this Regulation or committing any of the violations provided for under the Central Bank Law may subject the Licensee or Registree to administrative and financial sanctions and penalties as deemed appropriate by the Central Bank.

            • Article (38): Additional Information Gathering Powers

              1.

              The Central Bank may require the following persons to provide it with such information as the Central Bank considers necessary:

              a) Licensees and Registrees;
              b) providers of Virtual Asset services who are not Licensed or Registered by the Central Bank or licensed or regulated by SCA or any Local Licensing Authority with respect to those activities.
              2.

              The Central Bank may enter into information-sharing agreements or other memoranda of understanding with, or otherwise request the following persons to provide it with such information as the Central Bank considers helpful in order to exercise its powers or meet its objectives under this Regulation:

              a) SCA;
              b) any Local Licensing Authority;
              c) other regulators.
            • Article (39): Amendment to Retail Payment Services and Card Schemes Regulation and Stored Value Facilities (SVF) Regulation

              1. A Person licensed under the Retail Payment Services and Card Schemes Regulation or Stored Value Facilities (SVF) Regulation with respect to Crypto-Asset, Virtual Asset Token or Virtual Asset activities shall cease to be licensed with respect to those activities under either Regulation following the end of the Transition Period.
              2. The Retail Payment Services and Card Schemes Regulation shall not apply with respect to Crypto-Assets, Virtual Asset Tokens, Virtual Assets Service Providers or Virtual Asset Token Services (each as defined in the Retail Payment Services and Card Schemes Regulation), with effect from the end of the Transition Period.
              3. The Stored Value Facilities (SVF) Regulation shall not apply with respect to Crypto-Assets, Virtual Assets or Virtual Asset Service Providers (each as defined in the Stored Value Facilities (SVF) Regulation), with effect from the end of the Transition Period.
            • Article (40): Transition Period

              1.

              There shall be a one calendar year period following the commencement of this Regulation during which Article (2) shall not apply (the “Transition Period”).

              2.

              The Central Bank may extend the Transition Period at its discretion.

              3.

              Notwithstanding Article (40)1, if the Central Bank determines that a service provider is unlikely to be able to comply with any provision of Article (2) following the Transition Period, it may order the cessation of any aspect of that service provider’s business which is within scope of this Regulation.

            • Article (41): Interpretation of Regulation

              The Regulatory Development Department of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

            • Article (42): Publication & Application

              This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.

          • Annex

            List of documents to be submitted in an application

            1.

            Completed application form for License

            2.

            A report on paid-up capital certified by External Auditor

            3.

            A copy of the ownership structure

            4.

            The latest audited financial statements for each Controller

            5.

            Completed application form(s) for each Controller

            6.

            Outline of the Senior Management and staff structure

            7.

            Completed application forms for members of the Board and Senior Management

            8.

            Independent assessment report(s) on the key areas as set out in Article (6)5

            9.

            Documentation on the sources of funds (Article (15)2 and Article (15)6)

            10.

            A copy of the cyber-security policy

            11.

            Risk management policies and procedures

            12.

            Policies and procedures regarding AML/CFT risk

            13.

            A copy of the risk appetite framework

            14.

            Copies of policies and procedures for managing the Reserve of Assets

            15.

            A copy of the investment policy for managing the investment of Reserve of Assets

            16.

            A copy of any Customer Agreements to be used

            17.

            Business plan that covers a three-year time horizon

            18.

            A copy of the business exit plan

            19.

            Board resolution in support of the Application

            20.

            A copy of the articles of association (or equivalent) of the Applicant company in English and Arabic

            21.

            A copy of the Applicant's audited annual reports and / or audited financial statements for the past three financial years immediately prior to application

            22.

            Each of the following:

            (a)

            A copy of the notarized Memorandum and Articles of Association

            (b)

            A copy of the Licensee Commercial License

            (c)

            External Auditor's certification that the paid-up capital has been injected into the business