Part 8
Article (25): Obligations Towards Customers
1. Licensees and Registrees must be operated prudently and with competence in a manner that will not adversely affect the interests of their Customers.
a) In addition, Licensees and Registrees must also observe and comply with the relevant regulatory requirements and standards on consumer protection of the Central Bank, including all relevant provisions of the Consumer Protection Regulation. b) For the avoidance of doubt, in case of discrepancies between this Regulation and the Consumer Protection Regulation, the respective provisions of the Consumer Protection Regulation shall prevail. 2. Licensees and Registered Payment Token Conversion Providers must:
a) maintain a copy of each Distributed Ledger Technology on which it provides Payment Token Services; and b) in the event that a ‘fork’ or similar event results in the creation of two or more versions of a Payment Token, treat any one version of each Payment Token presented by a Customer as being equal to any other version of the same type of Payment Token and as if it were the version of the Payment Token to which its Payment Token Service applies. 3. Licensees and Registrees must ensure that their business is operated in a responsible, honest and professional manner. Licensees and Registrees must treat all Customers, as well as merchants, equitably, honestly and fairly at all stages of their relationship with the Licensee or Registree. Licensees and Registrees must also act in a manner that will not adversely affect the interests of their Customer. 4. Licensees and Registered Payment Token Conversion Providers must be responsible for the acts or omissions of their Senior Management, employees, service providers and Agents in respect of the conduct of its business. Senior Management, employees and Agents of Licensees and Registered Payment Token Conversion Providers must be properly trained and qualified. 5. Licensees and Registered Payment Token Conversion Providers must ensure that they adopt and, if needed, develop good business practices that can demonstrate their standard of conduct, including as follows:
a) Due diligence must be performed by Licensees and Registered Payment Token Conversion Providers to ensure that all promotional materials it issues are accurate and not misleading; b) Licensees and Registered Payment Token Conversion Providers may use their websites and mobile apps to provide links to other online merchants. Before providing such links, the Licensee or Registered Payment Token Conversion Provider must carry out due diligence on the merchants to ascertain they are bona fide companies conducting legitimate business so as to manage reputational risk; c) Websites or apps of Licensees and Registered Payment Token Conversion Providers may only provide hyper-links to other websites that offer advisory and/or sale of Payment Token Services, or financial products and services, if the arrangements comply with all relevant legal and regulatory requirements. The Central Bank may require that the Licensee or Registered Payment Token Conversion Provider obtain a legal opinion assessing whether such arrangements comply with all relevant legal and regulatory requirements; and d) Licensees and Registered Payment Token Conversion Providers shall adhere to such other disclosure or customer communications requirements as the Central Bank may direct in CBUAE Regulations from time to time or otherwise require. Article (26): Payment Token White Papers
1. Obligation to publish a White Paper
a) No Payment Token Issuer shall perform Payment Token Issuing with respect to a Payment Token unless that Payment Token Issuer has: (1) produced a White Paper in respect of that Payment Token;
(2) submitted the White Paper to the Central Bank;
(3) received the Central Bank’s acceptance of the White Paper; and
(4) published the White Paper,
in accordance with this Article (26).
b) The Central Bank may publish a White Paper with respect to a particular Payment Token on its website, in which case any Payment Token Issuer which publishes a web-link to the White Paper on the Central Bank website shall be deemed to have complied with Article (26)1(a). 2. Content and form of the White Paper
a) A White Paper shall contain, insofar as it is relevant to each Licensee or Registered Foreign Payment Token Issuer, a detailed description of all of the following: I. the Payment Token Issuer; II. the type of Payment Token that will be offered to the public; III. the number of Payment Tokens that will be issued and the issue price; IV. the rights and obligations attached to the Payment Token and the procedures and conditions for exercising those rights; V. information on the underlying technology and standards applied by the Payment Token Issuer when allowing for the holding, storing and transfer of those Payment Tokens; VI. the risks relating to the Payment Token Issuer issuing Payment Tokens, the Payment Tokens, the offer to the public, and other disclosures that the Central Bank may specify; VII. the Payment Token Issuer’s governance arrangements, including a description of the role, responsibilities and accountability of the third-parties responsible for operating, investment and custody of the Reserve of Assets, and, where applicable, the distribution of the Payment Tokens; VIII. the constituent parts of the Reserve of Assets held by the Licensed Payment Token Issuer or similar reserve held by a Registered Foreign Payment Token Issuer; IX. the custody arrangements for the Reserve of Assets or similar reserve held by a Registered Foreign Payment Token Issuer, including but not limited to the relevant segregation and safeguarding measures; X. information on the nature and enforceability of rights, including any direct redemption right or any claims that holders of Payment Tokens may have on the Reserve of Assets (or other reserve held by a Registered Foreign Payment Token Issuer) or against the Payment Token Issuer issuing the Payment Tokens, including how such rights may be treated in insolvency procedures; XI. information on the permitted use of a Payment Token and any restrictions on its use including having regard to Article (2) and Article (12); and XII. any such other matters as the Central Bank may direct from time to time.
b) The White Paper shall be fair, clear and not misleading, and shall be presented in a concise and comprehensible form. c) The White Paper shall be drafted in both Arabic and English. d) The White Paper shall contain an attestation by the Board of the Payment Token Issuer of the White Paper’s completeness and accuracy. e) The White Paper shall prominently contain the following statement:
“The Central Bank of the UAE is not responsible for determining the accuracy or completeness of this White Paper. The Central Bank of the UAE’s review and acceptance of this White Paper does not constitute an endorsement of the Payment Token or Payment Token Issuer to which it relates, or of the accuracy or completeness of any information or statements in this White Paper.”
f) The White Paper shall be dated, including with the date of the application of any update to the White Paper. g) In good time before a Licensed Payment Token Issuer enters into a Customer Agreement, or a Registree enters into an agreement with a Customer relating to a Payment Token, it must (subject to Article (26)5) provide a copy of or web-link to the White Papers of all Payment Tokens to which the Customer has access pursuant to the Customer Agreement. 3. Updates
A Payment Token Issuer must (subject to Article (26)5) without delay update any White Paper it has previously produced to reflect:
a) any material change to the information in the White Paper; or b) any material addition that it would be appropriate to make to the White Paper in order to reflect any changes in the arrangements or circumstances relating to its Payment Tokens or Payment Token Issuing. 4. Audit
A Payment Token Issuer must procure an audit of a White Paper by an External Auditor, who is not an officer or employee of the Payment Token Issuer or an officer or employee of another company or undertaking in its Group, to confirm that the form and content of the White Paper complies with all applicable requirements of Article (26)2(a) to (f).
5. Notification of the White Paper
a) A Payment Token Issuer must submit a White Paper to the Central Bank for review and acceptance before it sells or transfers the Payment Token to any Person in the UAE (excluding a Person in a Financial Free Zone). 1. The Payment Token Issuer must, at the time when it submits a White Paper to the Central Bank, also submit the audit report of that White Paper, referred to in Article (26)4, to the Central Bank for review. 2. If the Central Bank accepts the White Paper, the Payment Token Issuer must publish the White Paper on a publicly and freely accessible website at least 7 days in advance of the Payment Token becoming available for sale or transfer to Persons in the UAE (excluding a Person in a Financial Free Zone). 3. If the Central Bank declines to accept the White Paper the Payment Token issuer may resubmit an updated White Paper for approval under this Article (26)5(a).
b) If a Payment Token Issuer desires to amend (including, for the avoidance of doubt, making additions), or is required to amend, the White Paper previously submitted in accordance with Article (26)5(a), it must submit the amendments to the White Paper, and an audit report of the amended White Paper conducted in accordance with Article (26)4 to the Central Bank for review and acceptance before making the amendments. If the amendments are urgent, the Payment Token Issuer shall prominently bring the urgency to the attention of the Central Bank. (1) If the Central Bank accepts the amendments, the Payment Token Issuer must publish the White Paper on a publicly and freely accessible website at least 14 days in advance of such amendment taking effect unless the Central Bank requires or agrees to a shorter period. (2) If the Central Bank declines to accept the amendments the Payment Token issuer may resubmit an updated White Paper for approval under this Article (26)5(b).
c) The Central Bank shall not be responsible for determining the accuracy or completeness of a White Paper. The Central Bank’s review and acceptance of the White Paper shall not constitute an endorsement of the Payment Token or Payment Token Issuer to which it relates, or of the accuracy or completeness of any information or statements in the White Paper. 6. Liability for White Papers
a) A Payment Token Issuer shall be liable for and shall compensate a Customer within at least 28 calendar days for any and all loss or damage caused to a Customer arising from a material misstatement in a White Paper which it has published, except to the extent that any UAE law or regulation prevents the payment or provision of compensation to that Customer by the Payment Token Issuer. Any contractual exclusion or limitation of civil liability as referred to in this paragraph shall be deprived of legal effect. b) In addition, the Central Bank may consider conducting an investigation and taking enforcement action against any misstatement in the White Paper. c) The Central Bank shall not be liable to Customers or other Persons for the contents of any White Paper that it has accepted. 7. Exemptions The Central Bank may, at its discretion, exempt a Payment Token Issuer from one or more of the requirements in this Article (26) if equivalent documentation has been published, or obligations complied with, pursuant to regulation issued by SCA or any Local Licensing Authority.
Article (27): Customer Agreement
1. In this Article (27), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers. 2. A Payment Token Service Provider shall:
a) set out in the Customer Agreement the terms and conditions governing their contractual relationship with each Customer, including the terms required under Article (28), sufficiently in advance of entering into the contractual relationship as to allow the Customer to make an informed decision; and b) provide each Customer and Tokenholder with a copy of the Customer Agreement, at their request at any time in writing and delivered as per the Customer’s or Tokenholder’s preference, including through an e-mail, mobile application or any other electronic manner. 3. The Customer Agreement (and any changes to it) referred to in Article (27)2 shall be written in a clear, plain and understandable language, in a manner that is not misleading and shall be provided to the Customer in both Arabic and English, as may be requested by the Customer. 4. Any changes to the Customer Agreement referred to in Article (27)2 shall be communicated to the Customer and Tokenholder by the Payment Token Service Provider sufficiently in advance and at least 30 calendar days prior to any such change becoming effective. 5. A Customer or Tokenholder shall be entitled to terminate its Customer Agreement with a Payment Token Service Provider at no charge where it does not agree with the revised terms and conditions referred to in Article (27)4. 6. The rights and obligations set out in a Customer Agreement shall apply as between a Payment Token Issuer and each Tokenholder, whether or not the Payment Token Issuer is aware of the identity of the Tokenholder or has made any arrangements with the Tokenholder, subject to any UAE laws which would prevent the Payment Token Issuer from performing its obligations under a Customer Agreement for that Tokenholder. Article (28): Required Terms and Pre-Contractual Information
1. In this Article (28), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers. 2. A Payment Token Service Provider shall include the following terms in, and information with, its Customer Agreement, and must provide them to the Customer before the provision of any services:
a) schedule of fees, charges and commissions, including redemption fees, conversion rates and withdrawal charges, where applicable; b) contact details of the Payment Token Service Provider, including legal name and registered address, and including the name and address of any Agent where applicable; c) the form and procedure for giving consent to the initiation, facilitation, effecting or directing by a Payment Token Service Provider as part of its Payment Token Service; of a Payment Token Transfer and for the withdrawal of such consent; d) the communication channel between the Payment Token Service Provider and the Customer; e) the manner of safeguarding of Payment Tokens as per Article (23); f) the manner and timeline for notification by the Customer to the Payment Token Service Provider in case of Unauthorized Payment Token Transfers or incorrectly initiated, facilitated, effected or directed Payment Token Transfers; g) the Payment Token Service Provider’s and Customer’s or Tokenholder’s liability for Unauthorized Payment Token Transfers; h) information relating to terms under which a Customer may be deemed to have accepted changes to the Customer Agreement, the duration of the Customer Agreement and the rights of the parties to terminate the Customer Agreement; i) the service level for the provision of the Payment Token Service; and j) information on the Payment Token Service Provider’s complaint procedure. Article (29): Transactional Information
1. In this Article (29), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers. 2. Payment Token Service Providers shall provide Customers with a written or an electronic statement of the Payment Token Transfers initiated, facilitated, effected, directed or received by a Payment Token Service Provider under a Customer Agreement at least once per month free of charge. The statement shall include details of (insofar as relevant) the amounts, fees, charges and commissions, the dates and times of performance and the reference numbers for each Payment Token Transfer. 3. Immediately after the receipt of an instruction for initiation, facilitation, effecting or directing of a Payment Token Transfer, the Payment Token Service Provider of the Payer shall provide a receipt for the Payer with the following information insofar as relevant:
a) confirmation of the successful or unsuccessful performance of the Payment Token Transfer; b) acknowledgement and reference number to track the status of the Payment Token Transfer, including:
(i) the date, time and amount of the Payment Token Transfer; and (ii) information relating to the Payee; c) the amount of the Payment Token Transfer, any related fees or charges, including any actual currency and conversion rates used, and withdrawal charges, where applicable; and d) the date and time on which the Payment Token Service Provider received the instruction for the Payment Token Transfer. 4. The Payee’s Payment Token Service Provider shall, immediately after receipt of a Payment Token Transfer, provide to the Payee with a statement with the following information insofar as relevant:
a) reference enabling the Payee to identify the Payment Token Transfer and, where appropriate, the Payer and any information transferred with the Payment Token Transfer; b) the amount of the Payment Token Transfer in the currency in which the Payment Token is denominated; c) the amount of any fees or charges for the Payment Token Transfer payable by the Payee; d) where applicable, the currency exchange rate used in the Payment Token Transfer by the Payee’s Licensed Payment Token Service Provider; and e) the date and time on which the amount of a Payment Token Transfer is received into the Payee’s Wallet. 5. The Payer’s Payment Token Service Provider shall ensure that instructions for a Payment Token Transfer are accompanied by the necessary information so that they can be processed accurately and completely, and also, be easily identified, verified, reviewed, audited and for any subsequent investigation if needed. 6. The Payee’s Payment Token Service Provider shall implement procedures to detect when any necessary information is missing or inaccurate for a Payment Token Transfer. Article (30): Protection of Payment and Personal Data
1. A Licensed Payment Token Service Provider shall have in place and maintain adequate policies and procedures to protect Personal Data received or held by the provider and identify, prevent and resolve any data security breaches. 2. Licensed Payment Token Service Providers may disclose such Personal Data to:
a) a third party where the disclosure is made with the prior written consent of the Customer or is required pursuant to applicable laws; b) the Central Bank; c) other regulatory authorities upon request/following prior approval of the Central Bank; d) a court of law; or e) other government bodies who have lawfully authorized rights of access. 3. In addition to the disclosures envisaged in Article (30)2, Licensed Payment Token Service Providers may also disclose Personal Data to the corresponding Data Subject. 4. Licensed Payment Token Service Providers shall have in place and maintain Personal Data protection controls. 5. Personal Data shall be stored and maintained in the UAE unless otherwise approved by the Central Bank. Licensed Payment Token Service Providers must also establish a safe and secure backup of all Personal Data in a separate location for the required period of retention of five (5) years. 6. Licensed Payment Token Service Providers shall comply with applicable legal and regulatory requirements and standards on data protection, including as set out in or pursuant to the Consumer Protection Regulation. They shall control, process and retain only Personal Data that is necessary for the provision of Payment Token Services and upon obtaining the explicit consent of the Customer. Article (31): Liability for Unauthorized Payment Token Transfers and Refunds
1. A Payment Token Custodian and Transferor shall be fully liable for any fraudulent or Unauthorized Payment Token Transfer initiated, facilitated, effected or directed by the Payment Token Custodian and Transferor or otherwise made from a Wallet maintained by the Payment Token Custodian and Transferor, whether before or after the Customer as Payer informs the Payment Token Custodian and Transferor of any potential or suspected fraud, except where there is evidence that:
a) the Customer acted fraudulently; or b) the Customer acted with gross negligence and did not take reasonable steps to keep their Wallet safe. 2. The Payment Token Custodian and Transferor shall refund the amount of the Unauthorized Payment Token Transfer for which it is liable to its Customer and, where applicable, restore the debited Wallet to the state it would have been in had the Unauthorized Payment Token Transfer not taken place. 3. The Payment Token Custodian and Transferor shall provide a refund under Article (31)2 as soon as practicable and in any event no later than the end of the Business Day following the day on which it becomes aware of the Unauthorized Payment Token Transfer. 4. Article (31)2 and Article (31)3 do not apply where the Payment Token Custodian and Transferor has reasonable grounds to suspect that fraud or gross negligence as referred to in Article (31)1 applies, and notifies the Central Bank of those grounds in writing. 5. Other than in relation to the circumstances contemplated in paragraphs Article (31)2 to Article (31)4, on conclusion of an investigation by a Payment Token Custodian and Transferor into an error or Complaint, a Payment Token Custodian and Transferor shall pay any refund or monetary compensation due to a Customer within (7) calendar days of such conclusion or instruction. In case of a delay in payment of any refund or compensation, the Payment Token Custodian and Transferor shall update the Customer with the expected time for crediting the amount due, along with a justification for the delay. Article (32): Certainty of Transfers of Payment Tokens
1. Licensed Payment Token Issuers must exercise prudence and due diligence in their choice of Distributed Ledger Technology for their Payment Tokens, to ensure that the Distributed Ledger Technology is technologically resilient, secure and has a clear operating procedure in which Customers can identify and understand the point at which a Payment Token passes from one Wallet to another. A copy of this due diligence must be provided to the Central Bank as part of the Licensed Payment Token Issuer’s Application. 2. Licensed Payment Token Issuers must specify, in their White Paper and Customer Agreement, the point at which the lawful power of disposal over a Payment Token transfers from a sending Tokenholder to a receiving Tokenholder in a Payment Token Transfer. This must be specific to the Distributed Ledger Technology of the Payment Token. 3. A Person may provide evidence to a Licensed Payment Token Issuer demonstrating that, but for a ‘fork’, error or similar failure in the operation of the Distributed Ledger Technology of a Payment Token, they would be the Tokenholder of that Token, in which case the Licensed Payment Token Issuer shall give them the same rights of redemption as are given to a Tokenholder pursuant to Article (21). 4. A Licensed Payment Token Issuer must include a warning in the White Paper and Customer Agreement for each Payment Token that they issue, that:
a) there is always a risk that a Payment Token Transfer may fail or be reversed or unwound as a result of the operation of the Distributed Ledger Technology, and that anyone who believes they are the victim of a failed or unwound transfer must contact the Payment Token Issuer which issued that Payment Token to ensure that they are compensated in accordance with Article (32)3; and b) the Licensed Payment Token Issuer has no control over the time that a Payment Token Transfer may take to complete on the Distributed Ledger Technology, and that (aside from their obligation to submit a Payment Token Transfer to the Distributed Ledger Technology for execution) they are not responsible for ensuring that a Payment Token Transfer completes within a specific time-period. Nevertheless a comprehensive audit trail must be made available to the Customer.