Skip to main content
Entire section Custom print Text Only Rich Text Print

  • Retail Payment Systems Regulation

    C 10/2020 Effective from 10/2/2021

    • Introduction

      The Central Bank is responsible for licensing, designating and overseeing systemically important Retail Payment Systems (RPS) pursuant to the Central Bank Law. The Central Bank Law stipulates criteria and relevant factors based on which the Central Bank will determine whether or not a licensed RPS should be designated and subject to the ongoing oversight of the Central Bank. The policy objective is to ensure that operations of designated RPS are safe, sound, efficient and in compliance with relevant international standards (e.g. the PFMI), and also, would contribute to the financial and payment system stability of the State.

      The Central Bank Law expressly sets out the powers of the Central Bank in relation to the licensing, designation and oversight of Financial Infrastructure Systems that are systemically important such as the RPS.

    • Objective and Scope of Application

      The objective of this Regulation is to ensure safety and efficiency of Financial Infrastructure Systems and promote efficient and smooth operations thereof. The Regulation sets out the licensing, designation and oversight framework that the Central Bank intends to follow with respect to the licensing and designation of RPS, and the ongoing oversight of such systems. This Regulation also outlines the major obligations and ongoing requirements of a designated RPS, the powers of the Central Bank in respect thereof, the licensing, designation and ongoing oversight of an RPS.

      The scope of this Regulation will cover the systematically important RPS which meet one of the following conditions: (a) the concerned system is operated in the State; or (b) the concerned system has the capacity to provide transfer, clearing or settlement of payment obligations relating to retail activities denominated in the Currency, any currency or any Regulated Medium of Exchange.

      This Regulation explains the relevant policies and procedures adopted by the Central Bank with respect to the licensing and designation of RPS. It sets out: (a) the types of RPS which are likely to be covered by the Regulation; (b) the Central Bank’s intended interpretation of the key criteria for designating an RPS; (c) the licensing and designation process; (d) the ongoing requirements of the designated RPS; and (e) the appeal mechanism in respect of the licensing, designation, suspension and revocation of licensing and/or designation.

      The provisions of this Regulation shall not apply to Financial Free Zones and to RPS operating therein unless when expressly provided hereunder.

    • Article (1): Definitions

      1. Central Bank: means the Central Bank of the United Arab Emirates.
         
      2. Central Bank Law: means Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments from time to time.
         
      3. Clearing: means the process of transmitting, reconciling and, in some cases, confirming transactions prior to settlement, potentially including the Netting of transactions and the establishment of final positions for settlement.
         
      4. Clearing and Settlement System: means a system established for (a) the clearing or settlement of payment obligations; or (b) the clearing or settlement of obligations for the transfer of book-entry securities, or the transfer of such securities.
         
      5. Currency: means the State’s official national currency notes and coins, which its unit is referred as the “Dirham”.
         
      6. Default Arrangements: in respect of a Financial Infrastructure System, means the arrangements in place within the system for limiting systemic and other types of risk in the event of a Participant Person appearing to be, or likely to become, unable to meet his obligations in respect of a Transfer Order; and would include any arrangements that have been enforced by the System Operator or Settlement Institution for the following: (1) the Netting of obligations owed to or by a Participant Person; (2) the closing out of open financial position of a Participant Person; or (3) the realization of collateral securities to secure payment of obligations owed by the Participant Person.
         
      7. Designated System: means any Financial Infrastructure System designated by the Central Bank as systemically important, in accordance with the provisions of the Central Bank Law and the Regulation.
         
      8. Financial Free Zones (FFZ): means free zones subject to the provisions of Federal Law No 8 of 2004, regarding Financial Free Zones, and amending laws.
         
      9. Financial Infrastructure System: means either (1) a Clearing and Settlement System or (2) a Retail Payment System, established, operated, licensed, or overseen by any of the Regulatory Authorities in the State.
         
      10. Grievances & Appeals Committee: means the Committee referred to in Article (136) of the Central Bank Law.
         
      11. License: means a License issued by the Central Bank to an SO and/or SI to operate an RPS in the State. The License shall be valid for a period of five years, unless it is suspended or revoked by the Central Bank.
         
      12. Licensee: means an SO and/or SI that holds a valid License to operate an RPS from the Central Bank.
         
      13. Money’s Worth: value added onto an SVF by the customer; value received on the customer’s SVF account; and value redeemed by the customer including not only “money” in the primary sense but also other forms of monetary consideration or assets such as values, reward points, Crypto-Assets, or Virtual Assets. For example, a value top-up of an SVF account may take the form of values, reward points, Crypto-Assets, or Virtual Assets earned by the SVF customer from making purchases of goods and services. Similarly, value received on the account of the SVF customer may take the form of an on-line transfer of value, reward points, Crypto-Assets, or Virtual Assets between fellow SVF customers.
         
      14. Netting: in respect of a Clearing and Settlement System, means the conversion of the various obligations owed to or by a Participant Person towards all the other Participant Persons in the system, into one net obligation owed to or by the Participant Person.
         
      15. Operating Rules: means rules set up by the System Operator to cover the operation of a Financial Infrastructure System, including but not limited to, Participant Person account opening and maintenance, contractual relationships with and among Participant Persons, Default Arrangements, payment and settlement processing, Netting and collateral arrangements, authorization and post-transaction processes.
         
      16. Payment System: a Financial Infrastructure System which consists of a set of instruments, procedures, and rules for the transfer of funds between or among Participant Persons.
         
      17. Participant Person: in respect of a Financial Infrastructure System shall mean a Person who is party to or participant of the arrangements for which the system has been established.
         
      18. Person: means a natural or juridical person, as the case may be.
         
      19. Principles of Financial Market Infrastructures (PFMI): means the international standards for financial market infrastructures (i.e. Payment Systems, central securities depositories, securities settlement systems, central counterparties and trade repositories) issued by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO). The PFMI are part of a set of 12 key standards that international community considers essential to strengthening and preserving financial stability.
         
      20. Regulated Medium of Exchange: means an instrument or a token that is widely used and accepted in the State as a means of payment for goods and services and regulated by the Central Bank to be a medium of exchange.
         
      21. Regulation: means the Retail Payment Systems Regulation.
         
      22. Regulatory Authorities: means the Central Bank and the Securities & Commodities Authority.
         
      23. Relevant Undertaking: In relation to an SVF, Relevant Undertaking means an undertaking by the Licensee that, upon the use of SVF by the customer as a means for payment for goods and services (which may be or include money or Money’s Worth) or payment to another person, and whether or not some other action is also required, the Licensee, or a third party that the SVF issuer has procured to do so, will, in accordance with the Operating Rules: (a) supply the goods or services; (b) make payment for the goods or services; or (c) make payment to the other person, or as the case requires.
         
      24. Retail Payment System (RPS): means any fund transfer system and related instruments, mechanism, and arrangements that typically handles a large volume of relatively low-value payments in such forms as cheques, credit transfers, direct debit, card payment transactions or a Regulated Medium of Exchange.
         
      25. Settlement Institution (SI): means an institution that provides settlement services to a Financial Infrastructure System, settlement accounts in one currency or multi-currency in the Financial Infrastructure System and in certain cases grants access to intraday liquidity to Participant Persons.
         
      26. State: means the United Arab Emirates.
         
      27. Stored Value Facilities (SVF): A facility (other than cash) for or in relation to which a customer, or another person on the customer’s behalf, pays a sum of money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets), whether in whole or in part, on the facility; and (b) the “Relevant Undertaking”. SVF includes device-based Stored Value Facility and non-device based Stored Value Facility.
         
      28. System Operator (SO): means a Person responsible for the operation of a Financial Infrastructure System, including the comprehensive management of all risks in the Financial Infrastructure System and ensuring that the operation of the system is in accordance with this Regulation and other relevant regulations issued by the Central Bank.
         
      29. Systemically Important Payment System: means a Financial Infrastructure System which has the potential to trigger or transmit systemic disruptions to the State’s monetary and financial stability; this includes, among other things, systems that are the sole Financial Infrastructure System in a jurisdiction or the principal system in terms of the aggregate value of payments, and systems that mainly handle time-critical, high-value payments or settle payments used to effect settlement in other Financial Infrastructure Systems.
         
      30. Transfer: means operationally, the sending (or movement) of funds or securities or of a right relating to funds and securities from one party to another party by (i) conveyance of physical instruments/money; (ii) accounting entries on the books of a financial intermediary; or (iii) accounting entries processed through a funds and/or securities transfer system.
         
      31. Transfer Order: in respect of a Financial Infrastructure System shall mean any of the following instructions: (1) instructions by a Participant Person to make funds available to another Participant Person to be transferred, on a book-entry basis, in the accounts of the Settlement institution for a Clearing and Settlement System; or (2) instructions for discharge from obligation to pay, for the purposes of the Operating Rules of a Clearing and Settlement Systems; or (3) instructions by a Participant Person to either settle an obligation by transferring a book-entry security, or transferring those securities; or (4) instructions by a Participant Person that result in liability or discharge of retail operations payment obligation.
         

    • Article (2): Licensing Requirements

      1. As stipulated in Article (129) (1) (a) of the Central Bank Law, operating an RPS in the State requires a prior License from the Central Bank.
         
      2. The SO and/or SI of the RPS must apply and submit the required information and documents set out in Annex A to the Central Bank for a License if the RPS is in operation in the State.
         

    • Article (3): Eligibility and Criteria for Designation as Systemically Important Financial Infrastructure System

      1. As stipulated in Article (126) (2) of the Central Bank Law, if a licensed RPS falls within the eligibility for designation as set out in the aforementioned Article, the Central Bank may designate such RPS as systemically important.
         
      2. Financial Infrastructure Systems which may be covered by the definition of RPS include, but are not limited to, the following systems:
         
        1. 2.1. Electronic funds transfer system: a system that handles transfer of funds which is initiated through a computer system, for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a customer’s account. The Central Bank will not license or designate RPS owned and/or operated by licensed banks (e.g. Internet or mobile banking systems, electronic fund transfer systems, etc.) for serving their own customers because such RPS are already subject to the Central Bank’s prudential supervision of the licensed bank as a whole. However, if a licensed bank provides RPS services to other payment service providers or financial institutions, such RPS may be subject to designation if the RPS falls within the designation criteria.
           
        2. 2.2. Payment card system: a set of functions, procedures, arrangements, rules, and most importantly, a Clearing and Settlement System and network infrastructure that enable a holder of a payment card to effect a payment and/or cash withdrawal transaction with a third party other than the card issuer.
           
        3. 2.3. Clearing and Settlement System for SVF1: a Payment System used to support the SVF business and scheme. An SVF scheme normally requires a Payment System to support their operation. Such a system normally falls within the RPS definition. To avoid regulatory overlap and inducing excess regulatory burden on SVF Licensees, the Central Bank does not intend to designate a Payment System run by a SVF Licensee to support its own SVF business and scheme. It is because the entire SVF business scheme and the related Payment System are already subject to the SVF Regulation, which ensures the safety and soundness of the Payment System including the transfer, clearing and settlement of payment obligations. Nonetheless, if the RPS operated by the SVF Licensee also supports SVF schemes run by other issuers or if a third party operates a Payment System to support other SVF schemes operating in the State, the Central Bank may designate such RPS if it meets the designation criteria.
           
        4. 2.4. Payment gateway: a system that processes, accepts or declines payment transactions on behalf of the merchant secure network connections.
           
      3. In forming an opinion as to whether an RPS satisfies the designation criteria, the Central Bank may consider one or more of the following factors in order to determine whether or not the RPS is a Systemically Important Payment System: -
         
        1. 3.1. The estimated aggregate value of Transfer Orders transferred, cleared or settled through the RPS in a normal business day. The foregoing refers to the total value of individual instructions cleared or settled in the RPS. For established RPS during the transitional period, the estimated value can be worked out with reference to historical data and business plan.
           
        2. 3.2. The estimated average value of Transfer Orders transferred, cleared or settled through the RPS in a normal business day. The foregoing refers to the aggregate value of instructions transferred, cleared or settled through the RPS in a normal business day, divided by the number of instructions processed.
           
        3. 3.3. The estimated number of Transfer Orders transferred, cleared or settled through the RPS in a normal business day.
           
        4. 3.4. Whether those transactions or the equivalent payment services could be immediately and effectively handled by another Payment System in the State.
           
        5. 3.5. Whether any cross-border activities are involved, including the number of involved countries and the total volume of processed Transfer Orders.
           
        6. 3.6. The estimated number of Participant Persons of the RPS.
           
        7. 3.7. Whether such RPS is linked to any Designated Systems or any Payment System that is licensed or regulated by other Regulatory Authorities in the State.
           
      4. In general, the higher the estimated aggregate value or number of Transfer Orders, the more likely an RPS is material to the financial system of the State and of significant public interest. The number of linkages of an RPS to another Designated System is an important factor that the Central Bank will consider when making a designation decision given the contagion risk to the financial system such linkage could bring.
         
      5. Apart from the above factors, the Central Bank will also consider other factors, for example, in the case of a card payment system, among others, the number of cards issued, the number of card acceptance points. The Central Bank will take a holistic approach in considering these factors, as they complement each other in providing different criteria for assessing the significance of an RPS.
         
      6. The above-mentioned factors are intended to identify an RPS whose proper functioning is material to the monetary or financial stability of the State, or that should be designated, having regard to matters of significant public interest or public order. During the designation process, should the need arise, the Central Bank will discuss with the SO and/or SI of the relevant RPS so as to understand the design and features of the system and assess whether it fulfills the criteria of a Systemically Important Financial Infrastructure System.
         


       

      1 Detailed regulatory requirements of SVF are set out in the SVF Regulation

    • Article (4): Designation Process

      1. The Central Bank will initiate the designation process under the designation framework as stipulated in Article (126) (3) of the Central Bank Law if it considers an RPS is meeting, or is likely to meet the criteria for designation. It is important to note that designation of an RPS does not in any way represent or imply that the Central Bank endorses such system. Designation of an RPS is to provide for such system to be subject to oversight by the Central Bank, with a view to maintaining and promoting the general safety and efficiency of such system.
         
      2. For the Central Bank to determine whether an RPS is eligible to be designated and whether it satisfies the designation criteria for the purposes of this Regulation, the Central Bank will request information or documents regarding the RPS from any Person who is holding, or whom the Central Bank reasonably believes holds such information or documents or is a SO and/or SI of the RPS or a Participant Person in the RPS. This power to request information or documents applies to RPS, individuals or corporations established, located or incorporated in the State and/or outside the State. The Central Bank will coordinate with any competent Regulatory Authority in the State or other competent authorities in other jurisdictions for the purpose of requesting and securing such information and documents.
         
      3. Generally speaking, the Central Bank will seek to request information or documents as set out in the Annexes of this Regulation and may, where necessary, seek additional information as is required in order to assist the Central Bank in making such determination. The types of information or documents that the Central Bank will require might vary from RPS to RPS.
         
      4. During the designation process, the Central Bank may discuss with the SO and/or SI of such system where necessary to understand the features and the design of the system and determine the RPS’s eligibility for designation.
         
      5. The time for the designation process may vary depending on the particular situation of each case, including the nature and complexity of the prospective designated RPS, the completeness of information and documents submitted to the Central Bank.
         
      6. The SO and/or SI of the designated RPS may submit a grievance against the designation decision by applying to the Grievances & Appeal Committee. Details on the appeal mechanism as set out in Article (11) of this Regulation.
         
      7. If the Central Bank intends to designate any of the RPS licensed by a competent Regulatory Authority in the State or competent regulatory authorities in other jurisdictions as systemically important RPS, the Central Bank shall implement the process provided for under Article (126) (6) of the Central Bank Law.
         

      RPS deemed to have been licensed and designated

      1. As stipulated in Article (126) (5) of the Central Bank Law, the RPS established, developed, and/or operated by the Central Bank are deemed to have been licensed and designated.
         
      2. The RPSs that are deemed to have been designated are required to observe all the obligations and requirements imposed on designated RPSs under this Regulation in the same manner as other designated RPSs.
         

    • Article (5): Cooperation with Relevant Regulatory Authorities

      1. As part of the designation process for RPS established and/or licensed by another Regulatory Authority in the State or by relevant regulatory authorities in other jurisdictions, the Central Bank may agree with the relevant regulatory authority which parts of this Regulation, where relevant, may not apply to concerned designated RPS to avoid additional regulatory burden on the SO and SI of the RPS.
         
      2. The Central Bank will rely on co-operative oversight with the relevant regulatory authority of a designated RPS operating in the State or in other jurisdictions, in accordance with articles (28) and (127) (2) of the Central Bank Law and the cooperative framework set out in the PFMI.
         

    • Article (6): Revocation of License and Designation

      Grounds for revocation

      1. As stipulated in Article (128) of the Central Bank Law, the Central Bank may revoke the License of an RPS if the RPS is unable to carry out its operations in compliance with the provisions of the Central Bank Law or this Regulations.
         
      2. As stipulated in Article (126) (7) of the Central Bank Law, the Central Bank may revoke the designation of an RPS if the RPS has ceased to be, or is likely to cease being a Systemically Important Financial Infrastructure System or an RPS whose proper functioning is material to the monetary or financial stability of the State.
         

      Revocation process

      1. The Central Bank will prepare a review report on whether a licensed and/or designated RPS satisfies the revocation criteria under this Regulation. If the Central Bank intends to revoke the License and/or the designation of a RPS, the Central Bank will notify in writing the SO and/or SI of the RPS or the regulatory authority where the RPS is licensed so that such authority can notify the SO and/or SI of the system of the intention of the Central Bank to revoke the License and/or the designation. The notice needs to state the grounds on which the revocation is to be made and specify in the notice a period of not less than twenty (20) working days from the date of notification, during which the SO and/or SI of the system may be heard, or may make written justifications, as to why the grounds for revocation stated in the notice are not valid
         
      2. If any SO and/or SI of the licensed and/or designated RPS wish to be heard or to make written justifications, it should make such a request to the Central Bank in writing before the revocation takes effect, giving reasons as to why the grounds for revocation specified in the notice have not been established. After reviewing the reasons given by the SO and/or SI, the Central Bank will determine whether the Licensee and/or designation should be revoked. In the course of reviewing the matter, the Central Bank may meet with the SO and/or SI of the License and/or designated RPS should such need arise.
         
      3. If the Central Bank decides to proceed to revoke the License and/or designation of the RPS, the Central Bank will notify the SO and/or SI of the RPS of the Central Bank’s decision in writing.
         
      4. The SO and/or SI may object to the Central Bank’s decision to revoke the License and/or the designation of the RPS and provide justifications for such objection by applying to the Grievances & Appeals Committee as provided by the Central Bank Law.
         
      5. The Central Bank, if it considers that any of the RPS licensed by another Regulatory Authority in the State or the relevant regulatory authorities in other jurisdictions is no longer meeting the designation criteria, may request the concerned regulatory authority, via an official notice, to revoke the License and/or designation of the RPS.
         
      6. In all cases, the revocation of the License and/or designation of the RPS shall not affect any transaction cleared and settled in the concerned RPS prior to the effective date of revocation.
         

    • Article (7): Settlement Finality

      1. In accordance with Article (131) of the Central Bank Law settlement finality is “the discharge of an obligation by a transfer of funds that has become irrevocable and unconditional”. Specifically, “settlement finality” refers to the abrogation of all rights otherwise existing at law that would allow the reversal of a Transfer Order effected through, or proceeding within, an RPS.
         
      2. Article (131) (1) of the Central Bank Law grants finality to all transactions conducted through a Financial Infrastructure System, therefore rendering the same final, irrevocable and irreversible, in any of the cases provided for thereunder. Besides finality in respect of Transfer Orders, the Central Bank Law also provides legal certainty on the Netting arrangements in a designated RPS.
         
      3. If Netting has been effected in an RPS that meets any of the designation conditions refers to in Article (126) (2) of the Central Bank Law, the SO and/or SI needs to take into consideration the Netting of obligations of insolvent or bankrupt parties in Article (133) of the Central Bank Law.
         
      4. In addition, the preservation of rights in underlying transactions and obligation of Participant Person to notify of insolvency are set out in Article (134) and Article (135) of the Central Bank Law respectively.
         

    • Article (8): Ongoing Requirements of Designated Retail Payment Systems

      Principal Requirements

      1. The SO and/or SI of a designated RPS, are required to ensure compliance with the following:
         
        1. 1.1. RPS must comply with any instructions issued by the Central Bank and any relevant international standards (e.g. PFMI), and ensure proper and continued functioning of the designated RPS; and
           
        2. 1.2. RPS must provide the information required by the Central Bank or where SO and/or SI consider it appropriate for achievement of the Central Bank objectives.
           
      2. The Central Bank may exempt the SO and/or SI or a Participant Person of a designated RPS in a general or specific manner, from the provisions of this Regulation.
         
      3. The Central Bank may appoint experts and advisors specialized in Financial Infrastructure Systems to assist the Central Bank in performing its duties and functions in accordance with this Regulation.
         

      Detailed requirements

      Principal requirements

      1. Upon designation, a designated RPS is required to comply with the ongoing requirements imposed under this Regulation and the relevant provisions of PFMI (see Article (9) for detail). Failure to comply with any of those requirements would expose the concerned party to possible sanctions provided for under the Central Bank Law. The principal requirements include: -
         
        1. 4.1. Submission of particulars – the Central Bank requires any SO and/or SI of a newly designated RPS to inform the Central Bank in writing of the designation particulars within fourteen (14) working days after the notification of designation, including the name, place of business, postal address and electronic mail address, as well as the aspects of the management or operations of the system. For any SO and/or SI which is a corporation, the names and personal particulars of the directors, chief executive (if any) and shareholders of the corporation are similarly required to be submitted to the Central Bank. Details of any subsequent change in any of those particulars are to be notified to the Central Bank in writing within fourteen (14) days of the change taking effect.
           
        2. 4.2. Compliance with safety and efficiency requirements - the general requirements include safe and efficient operation of the RPS, the establishment of appropriate Operating Rules, the existence of adequate compliance arrangements, and the availability of appropriate financial resources.
           
        3. 4.3. Submission of information or documents - the Central Bank may request information or documents relating to a designated RPS from the SO and/or SI of, or the Participant Person in, the RPS when performing the oversight functions under this Regulation. The SO and/or SI of, or the Participant Person in the designated RPS to whom a request is made is required to submit the information or documents within the period specified in the request.
           
        4. 4.4. The Central Bank may, at any time, with a short prior notice to the SO and/SI concerned, examine any books, accounts or transactions of the SO and/or SI of a designated RPS when performing the oversight functions.
           
        5. 4.5. The Central Bank may require the SO and/or SI of, or the Participant Person in, a designated RPS to submit to the Central Bank a report prepared by one or more auditors on matters that the Central Bank requires for discharging or exercising its duties and powers under this Regulation.
           
        6. 4.6. The Central Bank may direct the SO and/or SI of a designated RPS to take any action necessary to bring the RPS into compliance with any of the requirements under this Regulation. Such a direction will specify the Central Bank’s concerns and the action(s) to be taken, include a statement of the respect in which the Central Bank considers the designated RPS not be in compliance with a requirement under this Regulation and specify the period within which the direction is to be complied with.
           
        7. 4.7. The Central Bank may, by notice in writing, direct the SO and/or SI of a designated RPS to take any action the Central Bank considers necessary to bring the RPS into compliance with any of the requirements under this Regulation.
           

      Obligation of SO and SI to notify the Central Bank of certain events

      1. The SO and/or SI of a designated RPS must notify the Central Bank of the occurrence of any of the following events as soon as practicable after that occurrence:
         
        1. 5.1. An event or irregularity that impedes or prevents access to, or impairs the usual operations of, the designated RPS or its settlement operations.
           
        2. 5.2. Any material function of the SO and/or SI that is outsourced.
           
        3. 5.3. Any civil or criminal proceeding instituted against the SO and/or SI, whether in the State or elsewhere.
           
        4. 5.4. The SO and/or SI being unable to meet any of the financial, statutory, contractual or other obligations of the SO and/or SI.
           
        5. 5.5. Any disciplinary action taken against the SO and/or SI by any regulatory authority, whether in the State or elsewhere.
           
        6. 5.6. Any change of the chief executive officer or senior management of the SO and/or SI.
           

      Governance arrangements

      1. The SO and/or SI of the designated RPS must have clearly defined and documented organizational arrangements, such as ownership and management structure. Each should operate with appropriate segregation of duties and internal control arrangements so as to reduce the risk of mismanagement and fraud.
         
      2. The SO and/or SI of the designated RPS must have effective measures and controls to ensure compliance with this Regulation. Appropriate processes must be in place to ensure that rules and procedures as well as the contractual relationships with its Participant Persons are valid and enforceable. These include clear rules and procedures to govern transfer, clearing and settlement for both domestic and cross-border transactions (if applicable).
         

      Compliance

      1. The SO and/or SI of the designated RPS are required to perform a periodic self-assessment or independent assessment of its compliance with this Regulation and the relevant principles of the PFMI set out in Article (9) of this Regulation. Such assessment must be done at least every 24 months. Its internal auditors, internal compliance officer or appointed independent assessor should perform such assessment as part of their on-going duties and provide the Central Bank with a copy of their compliance report. Assessment reports submitted to the Central Bank by the SO and/or SI of the designated RPS are confidential and shall not be disclosed to any third party unless the approval of the Central Bank is obtained.
         

      Financial requirement

      1. The financial condition of the SO and/or SI of the designated RPS must be sound and viable, and subject to ongoing review and monitoring by the senior management of the SO and/or SI.
         

      Participation criteria

      1. The SO and/or SI of the designated RPS must have an established process for considering applications to become its Participant Person. The SO and/or SI of the designated RPS must have procedures in place to allow prospective Participant Persons to access or obtain the information necessary to determine whether to apply to become a Participant Person.
         
      2. The general eligibility and participation criteria should be disclosed to genuine applicants upon request.
         

      Transparency, interoperability and competition

      1. The SO and/or SI of the designated RPS shall not establish or impose any operational policies, procedures and arrangements that will prevent operational transparency or interoperability among Payment Systems, and competition among market players. The SO and/or SI of the designated RPS must observe and comply with all relevant laws, codes of practice and guidelines applicable to their payment activities and services in the State.
         
      2. If the Central Bank considers the interoperability between the RPS and other Payment System(s) would be in the interest of the public or the Participant Persons of systems involved, it may direct the SO and/or SI of the RPS involved to enter into arrangements to enable the interoperability among the systems involved or to adopt any common standards.
         
      3. The relevant fees and charges must be documented and communicated clearly to the Participant Persons.
         
      4. The SO and/or SI of the designated RPS must inform affected Participant Persons of changes to its operational procedures and arrangements that materially affect such parties’ financial risk, operational risk, data security risk and legal risk in the State.
         

      Rules and procedures

      1. The SO and/or SI of the designated RPS must have proper Operating Rules to enable its Participant Persons to obtain sufficient information regarding their respective rights and obligations associated with their participation in the RPS. Such rights and obligations must be clearly defined and disclosed to the Participant Persons.
         
      2. Operating Rules of the RPS must be complete, up-to-date and readily available to all Participant Persons. Participant Persons must also be duly informed of any relevant changes in the Operating Rules.
         
      3. The SI must establish rules and procedures to enable final settlement to take place no later than the end of the intended settlement date. The related rules and procedures must also ensure certainty in terms of circumstances under which Transfer Orders effected through the RPS are to be regarded as settled for the purposes of the RPS.
         
      4. The liabilities of Participant Persons for any loss arising from unauthorized use of the RPS and the arrangements to handle any disputes over Participant Persons’ liability with respect to unauthorized transactions must be clearly set out in the rules and procedures.
         

      Operational efficiency

      1. The SO and/or SI of the designated RPS should provide convenient and efficient payment services to its Participant Persons, and ensure that the RPS can process transactions at a speed which is efficient and complies with the RPS’ committed service level.
         

      Operational reliability and business continuity

      1. The SO and/or SI of the designated RPS must have sound and prudent management, administrative, accounting and control procedures managing the financial and non-financial risks to which it reasonably considers it may be exposed.
         
      2. The SO and/or SI of the designated RPS must conduct risk analysis on new payment activity or service. In addition, where it reasonably believes that there has been a change of relevant circumstances, the SO and/or SI of the designated RPS should perform a review on the risk profile of existing activities and services to assess risks relating to security and business continuity.
         
      3. The SO and/or SI of the designated RPS must seek to ensure that it has an adequate number of properly trained and competent personnel to operate its system at a level it considers appropriate in all situations that it considers are reasonably foreseeable.
         
      4. The SO and/or SI of the designated RPS should provide its Participant Persons with information it reasonably considers relevant to fraud awareness in the context of the operation of its payment activities and services. The SO and/or SI of the designated RPS should provide Participant Persons with education it reasonably considers relevant to fraud awareness and the proper use or processing of the RPS to reduce the risk of fraud so that the Participant Persons can educate and promote the awareness of their customers accordingly.
         
      5. The SO and/or SI of the designated RPS must have comprehensive, rigorous and well-documented operational and technical procedures to address reasonable operational reliability, the integrity of its network and the timeliness of transactions in the face of malfunctions, system interruption and transmission failures or delays. The SO and/or SI of the designated RPS must also have in place a reasonable, effective, well-documented and regularly-tested business contingency plan addressing system functionality in the event of unforeseen interruption.
         
      6. The SO and/or SI of the designated RPS must have a thorough due diligence and management oversight process for managing its outsourcing relationships, if any, that it considers may impact the operation of its payment activities and services. The liabilities and responsibilities between the SO and/or SI of the designated RPS and its outsourcing service providers must be clearly defined.
         
      7. The SO and/or SI of the designated RPS must design its technical system for payment activities and services with sufficient capacity to enable its ongoing operations, which should be monitored periodically and upgraded on a periodic basis.
         
      8. The SO and/or SI of the designated RPS must have sufficient clearing and settlement arrangements to enable efficient, reliable and secure operation of the RPS.
         
      9. The SO and/or SI of the designated RPS must review periodically its security objectives, policies and operational services.
         
      10. The SO and/or SI of the designated RPS must develop well-defined procedures to respond to payment activity or service security-related incidents. The procedures should encompass a consistent and systematic approach in handling an incident.
         
      11. As a follow-up to each security-related incident materially affecting the Participant Persons, the SO and/or SI of the designated RPS should initiate a confidential post-incident assessment of the situation by the parties it considers appropriate having regard to the nature and the root cause of the incident, weaknesses leading to the incident and other potentially vulnerabilities underlying the incident.
         

      Safety

      1. The SO and/or SI of the designated RPS must adopt appropriate and commercially reasonable technical security measures and procedural safeguards to protect the security of its system. The SO and/or SI of the designated RPS should also consider adopting international technical security standards where appropriate.
         
      2. The required measures must include the building and maintenance of a secure network, including conditions to install and maintain firewalls to protect data, and a change of vendor-supplied default system passwords and other security passwords.
         
      3. The implemented measures must protect data through the entire life cycle of a transaction, particularly on control measures to access data, procedures for storing Participant Persons’ transaction data, and disposal of Participant Persons’ transaction information after use.
         
      4. The designated RPS must use and regularly update anti-virus software to maintain secure systems and applications, and take proper measures to manage cyber security risk effectively, including the capability to keep pace with the trends of cyber attacks.
         
      5. In addition, the SO and/or SI of the designated RPS must have mechanisms which enable them to monitor on an ongoing basis attempted security breaches that may compromise its systems and data. There should be measures to control access and to regularly monitor and test the operation networks. There must be a policy that addresses information security for all related parties, such as employees and contractors.
         
      6. The SO and/or SI of the designated RPS must conduct periodic security reviews of its system. Such reviews could be performed either by the SO and/or SI of the designated RPS or, at its (or the Central Bank’s) discretion, by an independent party appointed by it.
         

      Data Security and Integrity

      1. The SO and/or SI of the designated RPS are responsible for the security and integrity of all payment data and records maintained or controlled by it. The SO and/or SI of the designated RPS should ensure that the Participant Persons have, rules and procedures to safeguard the necessary confidentiality of all data and records in its control, including customer and transaction information. The SO and/or SI of the designated RPS should adopt generally accepted industry and international data security standards that it considers to be applicable to its operations.
         
      2. The SO and/or SI of the designated RPS must establish and maintain policies and procedures for the recovery of transaction data that is necessary for its daily operation in the event of system failure.
         

      Incident Reporting

      1. The SO and/or SI of the designated RPS must report to the Central Bank of any incident (such as data security breaches) that may have a material and adverse impact on its operation or other Systematically Important Payment Systems in the State.
         
      2. Where action has been taken under Default Arrangements of a designated RPS by the SO and/or SI in respect of a Participant Person in the RPS, the Central Bank may direct the SO and/or SI of a designated RPS to give information relating to the default to any official nominated by the Central Bank. The nominated official is responsible for assessing and examining any matter arising out of or connected with the default of the Participant Person in that RPS. The liabilities of Participant Persons for any loss arising from the default of the Participant Person and the arrangements to handle any disputes over Participant Persons’ liability with respect to default transactions should be clearly set out in the rules and procedures.
         

    • Article (9): Compliance with Principles of Financial Market Infrastructures Requirements

      1. The Committee on Payment and Market Infrastructures (CPMI) and the Technical Committee of the International Organization of Securities Commissions (IOSCO) have set forth a set of PFMI. PFMI aims to assist central banks, market regulators, and other relevant authorities in enhancing safety and efficiency in payment, clearing, settlement, and recording arrangements, and more broadly, limiting systemic risk and fostering transparency and financial stability. (details of PFMI are available in the two websites: www.bis.org and www.iosco.org).
         
      2. Another objective of PFMI is to harmonize and, where appropriate, strengthen the existing international standards and risk management practice for Financial Infrastructure Systems such as RPS that are systemically important.
         
      3. A poorly designed and operated systemically important RPS can contribute to and exacerbate systemic crises if the risks of the RPS are not adequately managed. The financial shocks, as a result, could be passed from one Participant Person to another Participant Person as well as a separate Systematically Important Payment System. The effects of such a disruption could extend well beyond the RPS and their Participant Persons, threatening the stability of domestic financial markets and the broader economy.
         
      4. Against this backdrop, the SI and/or SO should robustly manage the risks of their systematically important RPS to ensure its safety and promote financial stability. In addition, a systemically important RPS should not only be safe, but also efficient. Efficiency refers generally to the use of resources by SO and/or SI and their Participant Persons in performing their functions. Safe and efficient systemically important RPS contributes to well-functioning financial markets and economy.
         
      5. The Central Bank requires any designated RPS to observe and comply with the relevant principles in the PFMI, in addition to the compliance with the ongoing requirements set out in Article (8) of this Regulation. Moreover, the Central Bank may consider imposing higher requirements than PFMI for the designated RPS either on the basis of specific risks posed by the RPS or as a general policy.
         
      6. The SO and/or SI must apply the relevant principles on an ongoing basis in the operation of their RPS and business, including when reviewing their own performance, assessing or proposing new services, or proposing changes to risk controls.
         
      7. In aligning this regulation with leading international practice, RPS must comply with the relevant principles set out in the following paragraphs.
         
      8. Principle 1: Legal basis – a systemically important RPS must have a well-founded, clear, transparent, with a high degree of legal certainty, and an enforceable legal framework for each material aspect of its activities.
         
      9. Principle 2: Governance – a systemically important RPS must have governance arrangements that are clear and transparent, promote the safety and efficiency of the RPS, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.
         
      10. Principle 3: Framework for the comprehensive management of risks – a systemically important RPS must have a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, and other risks.
         
      11. Principle 4: Credit risk – a systemically important RPS must effectively measure, monitor, and manage its credit exposures to Participant Persons and those arising from its payment, clearing and settlement processes. The systematically important RPS must maintain sufficient financial resources to cover its credit exposures to each Participant Person fully with a high degree of confidence.
         
      12. Principle 5: Collateral – a systemically important RPS that requires collateral to manage its or its Participant Persons’ credit exposure should accept collateral with low credit, liquidity, and market risks. A systematically important RPS should also set and enforce appropriately conservative haircuts and concentration limits.
         
      13. Principle 6: Liquidity risk – a systemically important RPS must effectively measure, monitor, and manage its liquidity risk. A systemically important RPS should maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the Participant Person and its affiliates that would generate the largest aggregate liquidity obligation for the systemically important RPS in extreme but plausible market conditions.
         
      14. Principle 7: Money settlement – a systemically important RPS should conduct its money settlements in central bank money where practical and available. If central bank money is not used, a systemically important RPS should minimize and strictly control the credit and liquidity risk arising from the use of commercial bank money.
         
      15. Principle 8: Participant-default rules and procedures – a systemically important RPS must have effective and clearly defined rules and procedures to manage a Participant Person default. These rules and procedures should be designed to ensure that the systemically important RPS can take timely action to contain losses and liquidity pressures and continue to meet its obligations.
         
      16. Principle 9: General business risk – a systemically important RPS must identify, monitor, and manage its general business risk and hold sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialize. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations and services.
         
      17. Principle 10: Operational risk – a systemically important RPS must identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systemically important RPS should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the systemically important RPS’s obligations, including in the event of a wide-scale or major disruption.
         
      18. Principle 11: Access and participation requirements – a systemically important RPS should have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access.
         
      19. Principle 12: Tiered participation arrangements – a systemically important RPS should identify, monitor, and manage the material risks to the systemically important RPS arising from tiered participation arrangements.
         
      20. Principle 13: Financial market infrastructure links – a systemically important RPS that establishes a link with one or more FMIs should identify, monitor, and manage link-related risks.
         
      21. Principle 14: Efficiency and effectiveness – a systemically important RPS should be efficient and effective in meeting the requirements of its Participant Persons and the markets it serves.
         
      22. Principle 15: Communication procedures and standards – a systemically important RPS should use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards in order to facilitate efficient payment, clearing, settlement, and recording.
         
      23. Principle 16: Disclosure of rules, key procedures, and market data – a systemically important RPS must have clear and comprehensive rules and procedures and must provide sufficient information to enable Participant Persons to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the systemically important RPS. All relevant rules and key procedures should be adequately disclosed.
         

    • Article (10): Enforcement and Sanctions

      1. Violation of any provision of this Regulation or committing any of the violations provided for under the Central Bank Law may subject SI and/or SO to administrative and financial sanctions and penalties as deemed appropriate by the Central Bank.

    • Article (11): Appeal Mechanism

      1. For the purposes of this Regulation, the relevant Central Bank’s decisions that may be subject to appeal before the Grievances & Appeals Committee include: -
         
        1. 1.1. licensing and designation of RPS;
           
        2. 1.2. revocation of License and designation of RPS; and
           
        3. 1.3. any Central Bank’s actions undertaken against a violating Person.
           
      2. Under the Regulation, any Person aggrieved by any of the decisions set out in paragraph 1 of this Article may refer the decision to the Grievances & Appeals Committee in writing for review.
         
      3. Any person who intends to refer any of the relevant decisions of the Central Bank to the Grievances & Appeals Committee is required to do so in writing to the Central Bank stating the grounds on which the review is sought.
         

    • Article (12): Transition Period

      1. A one-year transitional period will commence on the date the Regulation comes into force. System Operators and Settlement Institutions of existing RPS operating in the State may continue operating throughout the transitional period without being regarded as contravening this Regulation. Nevertheless, they are required to obtain a license from the Central Bank to operate their RPS before the expiration of the transition period.

      2. If the Central Bank considers that a Financial Infrastructure System fulfills the criteria for designation as provided for under the Central Bank Law, the Central Bank shall have the power to require any such system to obtain a license within a reasonable period to be determined by the Central Bank prior to the expiration of the transition period.

    • Article (13): Interpretation of Regulation

      1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

    • Article (14): Publication & Application

      1. This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication. In case of any discrepancy between the Arabic and the English, the Arabic version will prevail.

    • Annex A

      Information or documents that may be requested for licensing of RPS operating in the State under this Regulation

      1. Name of clearing and settlement system to which the designated RPS relates.
         
      2. Name of SO / SI.
         
      3. Legal form (body corporate, partnership, etc.).
         
      4. Country of incorporation or formation.
         
      5. Date of incorporation or formation.
         
      6. Registered office.
         
      7. Principal place of business.
         
      8. Contact details (names, physical and email addresses).
         
      9. Aspects of the management or operations of the system for which the entity is responsible.
         
      10. Organization chart of your company.
         
      11. A copy of the Operating Rules of the Payment System.
         
      12. Details of the type of activities and/or services offered by the RPS.
         
      13. Details of the constitution, structure, nature of business, ownership and management of the RPS, the SO and the SI.
         
      14. Details of the design and function and external system interfaces of the RPS, including details specifying the point at which a Transfer Order takes effect as having been entered into the RPS and of the point after which a Transfer Order may not be revoked by a Participant Person or any other party.
         
      15. A copy of the last three annual reports, if any, and the financial statements (with any auditor’s reports) for the current financial year of the RPS, the SO and/or the SI.
         
      16. The basis for membership of or participation in the RPS System (i.e. admission criteria) and a list of the current members of or Participant Persons in the RPS.
         
      17. Tariff information and schedule.
         
      18. Names of the SO and/or SI, if any, of the RPS and whether the SO and/or SI are also Participant Persons in the RPS under the Operating Rules of the System. Legal contracts or documents between the SO and/or the SI in relation to the RPS (for instance, documents which show the co-operation between the SO and/or SI, such as MoUs between them on data security, and the functional specifications of the linkages between the computer systems and networks between them that makes the system works.).
         
      19. Name and contact details of the Person to whom questions relating to the designation of the RPS should be directed.
         

    • Annex B

      Information or documents that may be requested under this Regulation

      1. A copy of the Operating Rules of the Payment System.
         
      2. Details of the type of activities and/or services offered by the RPS.
         
      3. Details of the constitution, structure, nature of business, ownership and management of the RPS, the SO and the SI.
         
      4. Details of the design and function and external system interfaces of the RPS, including details specifying the point at which a Transfer Order takes effect as having been entered into the RPS and of the point after which a Transfer Order may not be revoked by a Participant Person or any other party.
         
      5. A copy of the last three annual reports, if any, and the financial statements (with any auditor’s reports) for the current financial year of the RPS, the SO and/or the SI.
         
      6. The basis for membership of or participation in the RPS System (i.e. admission criteria) and a list of the current members of or Participant Persons in the RPS.
         
      7. Tariff information and schedule.
         
      8. Names of the SO and/or SI, if any, of the RPS and whether the SO and/or SI are also Participant Persons in the RPS under the Operating Rules of the System. Legal contracts or documents between the SO and/or the SI in relation to the RPS (for instance, documents which show the co-operation between the SO and/or SI, such as MoUs between them on data security, and the functional specifications of the linkages between the computer systems and networks between them that makes the system works.).
         
      9. Details of the types, volume and values of Transfer Orders processed by the RPS.
         
      10. Detailed business contingency plan.
         
      11. Name and contact details of the Person to whom questions relating to the designation of the RPS should be directed.
         

      For overseas systems, the following additional information may be required: -

      1. Name of each of the relevant regulators where the RPS is regulated by one or more regulatory authorities not within the State jurisdiction.
         
      2. An outline of any laws and other regulatory requirements relating to the operations of the RPS, if regulated by a regulatory authority not within the State jurisdiction.
         
      3. Evidence of the RPS’ compliance with any applicable laws and regulatory requirements of a jurisdiction outside State, which may include comments from home supervisory authority on the RPS’s compliance with any applicable laws and regulatory requirements of a jurisdiction outside State.