1. AML/CFT: Anti-Money Laundering and Combating the Financing of Terrorism and financing of illegal organizations.
    
2. Applicant: a company duly incorporated in the United Arab Emirates in accordance with the Federal Law No. (2) of 2015 on Commercial Companies, except Joint Liability Company, Simple Commandite Company, which files an Application for the issuance of an SVF License.
    
3. Application: a request submitted by an Applicant in the form and with the documents and information set out in the Annex for providing an SVF Services.
    
4. Central Bank: The Central Bank of the United Arab Emirates.
    
5. Central Bank Law: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments.
    
6. Closed Loop Payment Scheme: a payment scheme, which is limited in terms of where it can be used to purchase goods and services from an issuing retailer or entity.
    
7. Controlling Shareholder: a shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the board of directors, or the decisions made by the board of directors, or has the power to direct or cause the direction of the management or policies of an entity, whether by the general assembly of the entity, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence or control.
    
8. Crypto-Assets: cryptographically secured digital representations of value or contractual rights that use a form of distributed ledger technology and can be transferred, stored or traded electronically.
    
9. Customer: a natural or legal person who contracts with a Licensee in order to establish and use an SVF in accordance with this Regulation.
    
10. Customer Due Diligence (CDD): includes measures and processes to be taken for: (a) identifying the Customer and verifying that Customer’s identity using reliable, independent source documents, data or information, and (b) on-going due diligence on the Customer or business relationship and scrutiny of transactions undertaken throughout the course of that relationship.
     
11. Device-based Stored Value Facility: an SVF which has the value stored in an electronic chip on a card or physical device such as pre-paid cards, watches and ornaments.
     
12. Financial Action Task Force (FATF): an inter-government body which sets international standards that aim to prevent global money laundering and terrorist financing activities.
     
13. Financing of Terrorism: any of the acts mentioned in Articles (29) and (30) of the Federal Law no. (7) of 2014 On Combating Terrorism Offences.
     
14. Float: the Customers’ funds / money / Money’s Worth paid to the Licensee in exchange for the value of the money/Money’s Worth (including Money’s Worth such as values, points, Crypto-Assets or Virtual Assets) on the facility.
     
15. Information Technology (IT): the use of any computers, smart devices, storage, networking and other physical devices, infrastructure and processes to create, process, store, secure and exchange all forms of electronic data.
     
16. IT Controls: a set of policies and procedures that aims to provide a reasonable assurance that the technologies and computer systems used by an organization operates as intended and in a secure and reliable manner, that data security, integrity and reliability can be ensured, and that the organization is able to comply with applicable laws and regulations.
     
17. License: a License issued by the Central Bank to an Applicant for the issuance and operation of SVF business in the State. The License is valid, unless it is withdrawn, suspended or revoked by the Central Bank.
     
18. Licensee: an Applicant who has been granted an SVF License by the Central Bank.
     
19. Licensed Financial Activity: The financial activities subject to the Central Bank’s licensing and supervision, which are specified in article (65) of the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities.
     
20. Money Laundering: any of the acts mentioned in Clause (1) of the Article (2) of the Federal Decree-law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations.
     
21. Money’s Worth: value added onto an SVF by the Customer; value received on the Customer’s SVF account; and value redeemed by the Customer include not only “money” in the primary sense but also other forms of monetary consideration or assets such as values, reward points, Crypto-Assets, or Virtual Assets. For example, a value top-up of an SVF account may take the form of values, reward points, Crypto-Assets, or Virtual Assets earned by the SVF Customer from making purchases of goods and services. Similarly, value received on the account of the SVF Customer may take the form of an online transfer of value, reward points, Crypto-Assets, or Virtual Assets between fellow SVF Customers.
     
22. Non-device Based Stored Value Facility: is a facility which has the value stored on a network-based account and can be accessed through the internet, a computer network or mobile network. Examples include internet-based payment platforms or mobile e-wallets which provide “network-based accounts” with which Customers can store value for making payments for online and off-line purchases, or for person-to-person funds transfers.
     
23. Operating Rules: are rules set up by a Licensee to cover the complete chain of an SVF’s operation including but not limited to Customer account opening and maintenance, merchant acquisition and contractual relationships with business partners, pre-transaction, payment authorization and post-transaction processes.
     
24. Senior Management: a team of individuals at the highest level of management of the Licensee who have the day-to-day tasks of managing the Licensee’s business.
     
25. Single-purpose Stored Value Facility: a facility that in respect of which the issuer gives an undertaking that, if the facility is used as a means of making payments for goods or services (not being money or Money’s Worth) provided by the issuer, the issuer will provide the goods or services under the rules of the facility. A Closed Loop Payment Scheme is a typical Single-purpose Stored Value Facility.
     
26. State: the United Arab Emirates, excluding the Financial Free Zones.
     
27. Stored Value Facility (SVF): A facility (other than cash) for or in relation to which a Customer, or another person on the Customer’s behalf, pays a sum of money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets), whether in whole or in part, on the facility; and (b) the “Relevant Undertaking”. SVF includes Device-based Stored Value Facility and Non-device based Stored Value Facility.
     
28. SVF Issuer: a company which carries out the business of the provision of SVF and is responsible and accountable for the safekeeping of the Float.
     
29. Relevant Undertaking: In relation to an SVF, Relevant Undertaking means an undertaking by the Licensee that, upon the use of SVF by the Customer as a means for payment for goods and services (which may be or include money or Money’s Worth) or payment to another person, and whether or not some other action is also required, the Licensee, or a third party that the SVF Issuer has procured to do so, will, in accordance with the Operating Rules: (a) supply the goods or services; (b) make payment for the goods or services; or (c) make payment to the other person, or as the case requires.
     
30. Virtual Assets: Virtual assets include digital tokens (such as digital currencies, utility tokens or asset-backed tokens) and any other virtual commodities, Crypto Assets and other assets of essentially the same nature.
     
31. Virtual Asset Service Provider: is a business which conducts Virtual Assets-related activities or operations for or on behalf of another natural or legal person. The activities or operation may include exchange between Virtual Assets and fiat currencies; exchange between one or more forms of Virtual Assets; transfer of Virtual Assets; safekeeping and/or administration of Virtual Assets or instruments enabling control over Virtual Assets; and participation in and provision of financial services related to an issuer’s offer and/or sale of a Virtual Asset.
     

1. This Regulation applies to all SVF as defined in Article (1) Definition.

License required for issuing SVF

2. Issuing and operating SVF in the State requires a prior License from the Central Bank. It is prohibited to carry on the activity of issuing or operating SVF without prior License except if the issued SVF is a Single-purpose Stored Value Facility.

Exclusion of certain types of SVF

3. On application by an Issuer, the Central Bank may exempt an SVF from the licensing requirements and will do so based on the risk the SVF poses to its (potential) Customers, Customer funds and the financial system.
    
4. The types of SVF that may be exempted from the licensing requirements by the Central Bank include:
    
   1. 4.1. SVF used for certain cash reward schemes. Such SVF may be used for storing only a sum of money paid by (i) the issuer; or (ii) a person who agrees to pay a sum of money for storage in the facility under an agreement with the issuer and the sum of money stored may only be used for making payments for goods or services provided by the issuer or person under very specific terms and conditions of the facility. Examples include loyalty schemes provided by shops and supermarkets which offer cash rewards for customer loyalty;
       
   2. 4.2. SVF used for purchasing certain digital products. Such SVF may only be used as a means of making payments for goods or services that are delivered to, and are to be used through, a telecommunication, digital or technology device; the payments are executed through such a device; and the telecommunication, digital or technology operator acts as an intermediary between the Customer of the facility and the provider of the goods or services. Examples include purchase of digital contents such as ringtones, music, videos, electronic books, games and applications that can be used on smartphones, computers or other information technology devices;
       
   3. 4.3. SVF used for certain bonus point schemes. Such SVF may be used only for storing points or units (by whatever name called) that are Money’s Worth provided by (i) the issuer; or (ii) a person who agrees to provide goods or services to the Customer under an agreement with the issuer. The Customer may use the points or units for making payments for the goods or services provided by the issuer or person either by (i) using only the points or units; or (ii) using the points or units together with a sum of money (in any currency) that is stored on the facility temporarily for the sole purpose of executing the payments; and the sum of money so stored is not redeemable for cash. Examples are airline mileage programs and customer loyalty schemes that provide non-cash points to customers to reward their patronage, and whereby such points and value stored, if any, is not redeemable for cash;
       
   4. 4.4. SVF that can only be used within a limited group of goods or services providers. Such SVF may be used as a means of making payments only for goods or services provided by (i) the issuer; or (ii) a person who provides the goods or services under an agreement with the issuer; and
       
   5. 4.5. whereby (i) the aggregate amount of the Float of the facilities does not exceed half a million Dirham (500,000 AED) or its equivalent and the aggregate number of Customers is not more than 100. If a potential SVF Issuer wishes to apply for this particular exemption, the SVF is required to test out its product before making a full launch of SVF. In this regard, the relevant issuer is required to participate in the Central Bank’s FinTech Office sandboxing arrangement for a possible trial run.
       
5. The Central Bank may request any information from an exempted SVF Issuer when the Central Bank considers it necessary to determine its eligibility for exemption and continued exemption. The Central Bank may declare an SVF not exempt from the licensing requirement and require the issuer of the SVF to apply for a License.

Overseas SVF schemes

6. It is prohibited for an SVF without a prior License to publish in the State or elsewhere, an advertisement, invitation or document which is, or contains, an invitation or a solicitation to the public of the State relating (whether in whole or in part) to the issuance of SVF.

Relevant factors to be considered

7. The Central Bank will take into account the factors to determine whether an overseas SVF is issued in the State or a person publishes an advertisement, invitation or document which is, or contains, an invitation or solicitation to the State public relating to the issuance of SVF.
    
8. In determining whether an SVF scheme is presented or provided in such a manner that it appears to be issued in the State, the Central Bank will consider all relevant factors including, in particular, the following:
    
   1. 8.1. whether the location for the delivery of the facility and the provision of the subsequent customer service to facility users is in the State;
       
   2. 8.2. whether the location for and the manner to top-up the SVF is through channels in the State (e.g. banks in the State);
       
   3. 8.3. whether the promotional material is targeted, via “push” techniques, at a group or groups of people whom the issuer knows, or should reasonably know, reside in the State. “Push” techniques include spamming, broadcasting or directing information to a particular person or group of people through, for instance, e-mails, SMS messages and any social media channels;
       
   4. 8.4. whether any news group, bulletin board, chat room or similar facility associated with the site has been used to promote the SVF service in the State; and
       
   5. 8.5. in the case of services details and promotional material hosted on a site, the Central Bank will assess whether the website's existence has been included in a State search engine or the State section of a search engine; and whether the SVF advertisements, in print or online forms, are easily accessible in the State and whether the website has been advertised in the State through advertising agencies, in periodicals (e.g. newspapers, journals or electronic publications) or by broadcasting (e.g. television or radio).
       
9. In determining whether the content of the issuer’s website and the relevant promotional materials are written in a manner which gives an impression that the SVF is issued in the State, the Central Bank will take a holistic approach and consider a host of factors including but not limited to the following:
    
   1. 9.1. whether representations made in any promotional materials and advertisements regarding the location of the issue of the SVF and the usage of that facility is in the State; and
       
   2. 9.2. whether the website and its functions are designed in a manner that may imply or give the impression that the SVF is issued in the State, such as the languages used in the SVF website (e.g. the Arabic language), the use of particular domain name such as a State domain name, the currencies accepted for the services (e.g. AED), contact details in the State.
       
10. The Central Bank will consider all relevant factors including, in particular, whether reasonable precautions are in place to avoid the promotional materials being made available or accessible to persons in the State and whether the issuer has systems in place to avoid providing services to persons residing in the State.
     
11. The Central Bank may also consider matters such as whether the SVF Issuer has established a physical presence in the State; and whether it has established business relationships with banks or financial institutions in the State for payment or other banking support services in the State.
     
12. The above factors and criteria are neither exhaustive nor conclusive. The Central Bank will use a holistic approach to judge each case on its merits and take into account the particular circumstances and all relevant facts.
     

1. In accordance with Article (65) of the Central Bank Law, the provision of Stored Value Facilities is considered a Licensed Financial Activity and subject to the Central Bank’s licensing and supervision in accordance with the provisions of the Central Bank Law. In this connection, an Applicant must satisfy the licensing requirements set by the Central Bank for SVF issuance, and continue to do so on an ongoing basis as a Licensee.
    
2. The Applicant must be a company incorporated in the State, including free zones but excluding Financial Free Zones.
    
3. Applicants must meet, or demonstrate that they will meet upon License issuance, the ongoing requirements set out in Articles (7) to (14) of this Regulation applicable to Licensees, in particular:
    
   1. 3.1. The requirements regarding financial resources as set out in Article (7) of this Regulation. The Central Bank may add additional requirements regarding financial resources or increase the existing ones as a condition for License issuance, where it considers such additional requirements necessary;
       
   2. 3.2. The requirements regarding their principal business, as set out in Article (7) of this Regulation. The Application must disclose to the Central Bank any activities and secondary or ancillary businesses that the Applicant conducts or plans to conduct that may not be directly related to the issuance of SVF;
       
   3. 3.3. The requirements regarding corporate governance, general risk management and internal control, and accounting system as set out in Articles (8) to (10) of this Regulation. In particular, board of directors, the Senior Management, and the Controlling Shareholder must have been approved by the Central Bank as fit and proper in the context of the Application before the License is granted;
       
   4. 3.4. The requirements regarding risk management policies and procedures for the management and protection of the Float, as set out in Article (11) of this Regulation;
       
   5. 3.5. The requirements regarding technology and specific risk management policies and procedures for managing the risks arising from the operation of the SVF business, as set out in Article (12) of this Regulation;
       
   6. 3.6. The requirements regarding business conduct and Customer protection as set out in Article (13) of this Regulation;
       
   7. 3.7. The requirements regarding anti-money laundering and countering the financing of terrorism, as set out in Article (14) of this Regulation.
       
4. As part of the licensing process, separate face-to-face meetings between Central Bank staff and the Applicant’s board of directors and the Senior Management may be conducted.

Independent assessments

5. The Applicant is required to submit a report of independent assessments on seven key areas based on the scope set out in paragraphs 3.3 to 3.7 above: (a) corporate governance and risk management; (b) Float management; (c) technology risk management; (d) payment security management; (e) business continuity management; (f) business conduct and Customer protection; and (g) AML/CFT control systems.
    
6. The Central Bank expects the Applicant to appoint one or more competent and qualified assessor(s), which are independent from the business units of the Applicant, to carry out the independent assessments. The assessors should not be involved in the operations to be reviewed or in selecting or implementing the relevant control measures to be reviewed, have relevant knowledge and experience, and should be able to report their findings independently. They should also confirm to the Central Bank that there is no conflict of interest in the conduct of independent assessments.
    
7. Bank that are deemed to be licensed for providing of SVF, are exempted from the assessment report mentioned in paragraphs 5 and 6 above, unless the Central Bank explicitly requires the report from them.
    

Licensed bank to issue SVF

1. Although licensed banks are deemed to be authorized for the issuance of SVF, they are nevertheless required to notify the Central Bank in writing if they plan to issue an SVF and carry out the SVF business. A “No Objection” letter is required from the Central Bank before the licensed bank concerned can commence the SVF business.

Preliminary meeting with the Central Bank

2. Any company that is interested in obtaining a License may obtain the Application form from the Licensing Division of the Central Bank.
    
3. The Senior Management of the company is strongly encouraged to meet and discuss the SVF business plan with the Central Bank before submitting a formal Application.

Consultation with home regulator

4. Where the Controlling Shareholder of the Applicant is regulated by another authority, including by authorities in other jurisdictions, the Central Bank may contact the relevant authority about the Applicant. The Central Bank may take into account the relevant authority’s views in respect of matters such as the financial soundness and the overall internal control environment of the Controlling Shareholder, and whether the relevant home regulator has any concern about that Controlling Shareholding extending its SVF business to the State.

Completing and submitting the Application

5. The Application must be lodged with the Central Bank with the completed form and the required documents as set out in the Annex.

Processing of Application

6. The Central Bank may seek additional information from the Applicant to reach a decision on the Application. The circumstances of each particular Application will dictate the additional information required. Specifically, the applicant is required to submit a report of independent assessments as set out in paragraphs 5 and 6 of Article (3) of this Regulation. The validity of the assessment report should not exceed six months after the report’s sign-off date.
    
7. Incomplete information may result in delays. Applicants should, therefore, pay attention to the following points:
    
   1. 7.1. All Applications must be submitted with documents and information listed in the Annex. The Applicant will be informed in writing that the Application is complete and the processing of the Application will begin;
       
   2. 7.2. Where an Application received is incomplete or supporting documents or information is lacking, the Applicant will be informed in writing that the Application will be treated as “draft” and will be asked to complete the Application or provide the missing information by a date specified by the Central Bank. Once a properly completed Application with all necessary supporting documents and information is received, the Applicant will be notified in writing that Application is complete and the processing of the Application will begin;
       
   3. 7.3. Where information requested is not received by the specified date or a revised date agreed in writing by the Central Bank at the request of the Applicant, the Application may be treated as “suspended” and the Applicant will be notified of this in writing;
       
   4. 7.4. Where an Application is “suspended”, the Applicant will be informed in writing that the processing of the Application will cease temporarily. Suspended Applications will be reactivated only when the outstanding information is submitted; and
       
   5. 7.5. Where an Application is “suspended” for 6 months or more for any reasons, a new Application will generally be required if the Applicant wishes to pursue the matter further.

Approval of Application

8. The Central Bank may approve an Application for the License made by the Applicant provided that all the licensing criteria can be met by the Applicant.
    
9. The Central Bank may grant the License without conditions or subject to any conditions attached. Conditions attached to a License may include, among others, imposing a higher level of capital requirement, restrictions on the SVF business or any secondary or ancillary businesses, requirements relating to protection of the Float, and restrictions as to the maximum amount of value that may be stored on an SVF, etc.
    
10. If the Central Bank grants a License to the Applicant, the Central Bank will:
     
    1. 10.1. assign a unique reference number to the License; and
        
    2. 10.2. specify in the License the date on which the License is to take effect.
        
11. Specifically, a Licensee must ensure that the License reference number of the License is clearly displayed in the Licensee’s website and promotional materials.

1. The Central Bank may suspend, withdraw or revoke a License as stipulated in the Central Bank Law.
    
2. In considering whether to exercise such power, the Central Bank would have primary regard to the need to maintain the stability of the payment system in the State, reputation of the UAE and to protect the interests of the Customer or potential Customer of the Licensee in question.
    
3. Where a Licensee is suspended, withdrawn or revoked, the Licensee must immediately cease to take any further sum of money from Customers.
    

1. The Central Bank may take all measures and actions it deems appropriate for achieving its objectives and discharging its functions, and may particularly take the following actions, if it was found that a material violation to the provisions of this Regulation has occurred:
    
   1. 1.1. The Central Bank may require the concerned Licensee to take necessary actions to rectify the situation immediately;
       
   2. 1.2. Appoint a specialized expert, or a Central Bank employee, to advise or guide the concerned Licensee, or oversee some of its operations, for a period specified by the Central Bank. The concerned Licensee shall pay remunerations of such appointee if he is an expert from outside the Central Bank; or
       
   3. 1.3. The Central Bank may appoint a manager where the Central Bank is of the view that the management of the Licensee cannot be relied upon to take appropriate steps to rectify a situation. The main objectives of appointing a manager to take control of the management of a Licensee are:
       
      1. 1.3.1. to provide for the control of the affairs, business and property of a troubled Licensee so that it can be nursed back to health or else be run down in an orderly fashion; or
          
      2. 1.3.2. to safeguard the assets and maintain the business of the Licensee until a liquidator can be appointed
          
   4. 1.4. Take any other action or measure, or impose any penalties it deems appropriate.
       

1. The principal business of a licensee must be the issuance of SVF under a License.
    
2. The principal business and financial resources requirements set out in this Article do not apply to licensed banks that carry out the SVF business in the State.

Principal business requirement

3. For the avoidance of doubt, a Licensee is not permitted to carry on any other Licensed Financial Activity without obtaining a License from the relevant authority. If the Licensee wishes to conduct any secondary or ancillary businesses, the Licensee must seek approval from the Central Bank before undertaking such activity.

Financial resources requirements

4. A Licensee must maintain the following:
    
   1. 4.1. paid-up capital of at least 15 million Dirham (15,000,000 AED) or an equivalent amount in any other currency approved by the Central Bank;
       
   2. 4.2. Aggregate Capital Funds must be at least 5% of the total Float received from the Customers.
       
5. The Aggregate Capital Funds consist of the following items:
    
   1. 5.1. Paid-up capital;
       
   2. 5.2. Reserves, excluding revaluation reserves; and
       
   3. 5.3. Retained earnings.
       
6. The following items must be deducted from Aggregate Capital Funds:
    
   1. 6.1. Accumulated losses; and
       
   2. 6.2. Goodwill.
       
7. A Licensee must be able to demonstrate that its financial resources are sufficient for implementing its business model in a safe, efficient and sustainable manner, without compromising the interests of Customers.
    
8. A Licensee must provide adequate details to the Central Bank on the source of funds that will be used to support the proposed business activities.
    
9. A Licensee must demonstrate that it will be able to maintain sufficient financial resources to facilitate an orderly wind-down of its SVF business, including a smooth refunding process.
    
10. The Central Bank may impose a higher financial resources requirement if, taking into account the scale and complexity of a Licensee’s business, it considers such a requirement important in ensuring that the Licensee concerned has the ability to fulfil its regulatory obligations under this Regulation. An unconditional irrevocable bank guarantee for the full paid up capital amount in favor of the Central Bank paid upon first demand shall also be submitted to the Central Bank with the application of the License. Such a guarantee should be renewable before expiry or based on the Central Bank’s demand.

1. A Licensee must have in place appropriate risk management policies and procedures for managing the risks arising from the operation of its SVF business that are commensurate with the scale and complexity of the scheme.
    
2. The corporate governance requirements set out in this Article do not apply to licensed banks that carry out the SVF business. Banks are required to adhere to the Central Bank regulation and standards for corporate governance at banks.

Responsibilities of the board of directors

3. A Licensee is required to have in place sound governance arrangements for the purpose of effective decision-making and proper management and control of the risks of its business and operations. Such arrangements should include a clear organizational structure with well-defined, transparent and consistent lines of responsibility. There should also be clear documentation on decision-making procedures, reporting lines, internal reporting and communication process.
    
4. As part of a sound governance arrangement, a Licensee should put in place a code of conduct which lays down the standards of integrity and probity expected of its management and employees. The Licensee should also have adequate systems for enforcing the code of conduct, including regular assessments of the relevancy and effectiveness of the code.
    
5. The board of directors is responsible for the sound and prudent management of the Licensee’s SVF business operations.
    
6. The board of directors should have an adequate number and appropriate composition of members to ensure sufficient checks and balances and collective expertise for effective and objective decision-making. The size and composition of the board of directors will vary from institution to institution depending on the size of the Licensee and the nature and scope of its activities.
    
7. The board of directors should document and clearly define appropriate internal governance practices and procedures for the conduct of its own work and have in place the means to ensure that such practices are followed and periodically reviewed with a view to ongoing improvement.
    
8. Effective arrangements should be put in place such that the board of directors can assess the performance of the Senior Management and hold them accountable for their performance.

Fitness and propriety of officers and Controlling Shareholder

9. A person must not become a chief executive or director of a Licensee except with the Central Bank’s approval. The Central Bank’s approval must be obtained for a person to become Controlling Shareholder of a Licensee. In considering the fitness and propriety of the chief executive, directors and Controlling Shareholder of a Licensee, the Central Bank will take into account factors including, among others, the integrity, willingness to uphold professional ethics and industry good practices, and competence of the person concerned. Set out below are the Central Bank’s general expectations in relation to the fitness and propriety of chief executives, directors and the Controlling Shareholders of licensees.

Directors and chief executives

10. Given the leadership role of directors and chief executives, fitness and propriety will be assessed taking into consideration their integrity and competence, which will generally be assessed in terms of relevant knowledge, experience, judgement as well as leadership. Their commitment and ability to devote sufficient time and attention to the SVF business will also be assessed. The standards required from persons in these respects will vary, depending on the scale and complexity of a Licensee’s operations.

Controlling Shareholder

11. In assessing the fitness and propriety of the Controlling Shareholder, a key consideration is the influence that the Controlling Shareholder could potentially have on the interests of the Customers and potential Customers of the scheme concerned. This has to be assessed in the context of the circumstances of individual cases. The general presumption is that the greater the influence on the Licensee, the higher the standard will be for the Controlling Shareholder to fulfil the criterion.

Outsourcing

12. A Licensee may outsource activities and processes to service providers, including independent third parties, or companies within the Licensee’s group. Such outsourcing must be approved by the Central Bank.
     
13. A Licensee is ultimately responsible for the adequacy, service levels, quality and security of the outsourced activities and processes, including the reliability, robustness, stability and availability, of the outsourced activities and processes as well as the integrity and protection of the information held by the service providers.
     
14. Prior to outsourcing an activity or process, a Licensee must:
     
    1. 14.1. Conduct a comprehensive independent risk assessment, identifying all risks involved, and ensuring that all material risks, including business interruption risk, and controls over Customer data protection, are adequately managed. The assessment should identify any additional risks or increases in risks caused by the outsourcing;
        
    2. 14.2. Perform an appropriate due diligence regarding not just the cost and quality of the services offered, but also on the provider’s financial soundness, reputation, managerial skills, technical and operational capacity to meet the Licensee’s requirements in the longer run, ability to meet the regulatory requirements with regard to the services offered, familiarity with the payment industry, and capacity to keep pace with innovation in the market.
        
    3. 14.3. Prior to outsourcing any process or activity: (a) perform an appropriate due diligence to ensure that the services to be rendered fully meet the performance and relevant regulatory requirements, (b) executing appropriate outsourcing agreements with the service providers to set out clearly the outsourcing arrangements and the related rights and obligations, and (c) carrying out proper transfer of the related operations or functions to ensure smooth transition; and
        
    4. 14.4. Properly manage the outsourcing arrangements on an ongoing basis by performing appropriate regular audits and/or quality reviews of the outsourced operations or services.
        
15. The outsourcing agreement must set out clearly:
     
    1. 15.1. The type and level of services to be provided and the related performance standards of the service provider, including its contingency arrangements in respect of daily operational and systems problems;
        
    2. 15.2. The contractual obligations and liabilities of the service provider;
        
    3. 15.3. The rights and obligations of the Licensee including the relevant fees and charges payable by the Licensee and the rights of the Licensee to access, retrieve and retain on a timely basis accurate and up-to-date records and make those records available for inspection by the relevant authorities including the Central Bank or an independent assessor appointed by the Licensee or the Central Bank, if required; and
        
    4. 15.4. Data handling controls and arrangements relating to the storage, backup, protection and confidentiality, and data removal and transfer arrangements upon termination or expiry of the contract. The right for the Licensee, the Central Bank and/or an independent assessor appointed by the Licensee or Central Bank to conduct an on-site inspection and off-site review of the operations and controls of the service provider. This includes access by the Central Bank or an appointed independent assessor to the premises, systems, record and documents relevant to the outsourced activity or process.
        
16. A Licensee should ensure that it has an adequate understanding of its service provider’s contingency plan and consider the implications for its own business continuity planning in the event that an outsourced service is disrupted due to failure of the service provider’s system. Such contingency plans should be tested by the licensee and its service providers regularly.
     
17. A Licensee should ensure that its outsourcing arrangements comply with the relevant personal data privacy/protection requirements and any relevant codes of practice, guidelines and best practices issued by the Central bank and relevant authorities.

Location of Senior Management

18. The chief executive and the alternate chief executive should be individuals who are ordinarily resident in the State. Licensees must ensure that this requirement is being complied with on an ongoing basis. Furthermore, the Senior Management team and the key personnel responsible for scheme operation, system support, risk management and compliance of the Licensee must be based in the State. Depending on the nature, scale, complexity of business, and the organization structure of the Licensee, the Central Bank may approve different arrangements.
     

1. The Licensee must have in place appropriate risk management policies and procedures for managing the risks arising from the operation of its SVF scheme that are commensurate with the scale and complexity of the scheme.
    
2. The general risk management and internal control systems requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.

Risk management

3. A Licensee must have in place effective risk management framework, which is approved by the board of directors. Dedicated human resources should be equipped with sufficient professional knowledge and experience to oversee the risk management and internal control processes.

Liquidity risk management

4. A Licensee must establish and implement an effective process for managing liquidity risk that is appropriate for the size and complexity of its operations. The objective is to ensure that the Licensee will have sufficient liquidity to meet different financial obligations arising from its day-to-day operations as well as redemption requests under all plausible circumstances.

Internal controls

5. A robust internal control system must be put in place to promote effective and efficient operation, safeguard assets, provide reliable financial and management information, enable prevention or early detection of irregularities, fraud and errors, and ensure compliance with relevant statutory and regulatory requirements and internal policies.
    
6. A Licensee should put in place a comprehensive business strategy and plan, including details on the strategic goals and roadmap. A business plan should normally cover proposed business in terms of geographical scope of operations, target markets and Customer breakdown, client types and base size, product and services offering, delivery channels, pricing strategy, and promotion and marketing activities.

Compliance and internal audit functions

7. A Licensee must maintain an effective (i) compliance function; and (ii) internal audit function to ensure compliance with all applicable legal and regulatory requirements as well as its own policies, procedures and controls. Among other factors, the quality of a Licensee’s compliance and internal audit functions will be assessed by the Central Bank based on its:
    
   1. 7.1. clear governance framework with board level support to ensure effective policies and sufficient authorities to perform the functions;
       
   2. 7.2. relevant professional knowledge and experience;
       
   3. 7.3. independence from business units;
       
   4. 7.4. direct and unfettered access to the board;
       
   5. 7.5. coverage, comprehensiveness and effectiveness of compliance and internal audit programs; and
       
   6. 7.6. ability to take timely and proactive rectifying actions upon identifying non-compliance or other control deficiencies.
       
8. The compliance function must not be combined with the internal audit function.

Reporting to the Central Bank

9. A Licensee must have effective procedures to ensure submission of data and information requested by the Central Bank in a timely and accurate manner, including: (a) incidents having a material adverse impact on its business, operation, assets, risks or reputation; and (b) breach of any statutory or regulatory requirements by the Licensee or its officers or employees.
    
10. A Licensee should at least annually perform a risk assessment by its own risk management or audit function. If the results of the risk assessment suggest that a detailed independent assessment is necessary, the Licensee should conduct such assessment and cover the following seven key areas: (a) corporate governance and risk management; (b) Float management; (c) technology risk management; (d) payment security management; (e) business continuity management; (f) business conduct and consumer protection; and (g) AML/CFT controls systems. If the Licensee has an independent function elsewhere in its group, with the relevant knowledge and experience, the independent assessment can be conducted by its internal function. Otherwise the assessment must be carried out by an independent third party.
     
11. The report mentioned in paragraph 10 above must be submitted to the Central Bank after being approved by the board of directors. These reports must include an executive summary highlighting the key risks, most important findings and the actions for rectifying the issues.
     
12. Arising from the findings of the annual risk assessment, a Licensee that is unable to meet its obligations must immediately report this to the Central Bank.
     
13. A Licensee must also immediately notify the Central Bank of any breach or potential breach of major regulatory requirements in this Regulation.

1. The information and accounting systems, risk management and internal control systems set out in this Article do not apply to licensed banks that carry out the SVF business in the State. Banks must comply with the relevant regulations in these areas issued by the Central Bank for banks.

Information and accounting systems

2. A Licensee must have in place robust information and accounting systems to (a) record all business activities in a timely and accurate manner; (b) provide quality management information to enable effective and efficient management of business and operations; and (c) maintain appropriate audit trail to demonstrate effectiveness of controls.
    
3. A Licensee must properly maintain books and accounts and prepare financial statements and returns in compliance with all applicable regulatory reporting requirements and accounting standards in the State.

Record keeping

4. A Licensee must have in place adequate record keeping policies and systems for maintaining accurate and sufficient records of its books, accounts, management decisions and business activities, including transactions of Customers.

Data protection

5. A Licensee must have in place adequate policies, measures and procedures to protect its information and accounting systems, databases, books and accounts, and other records and documents from unauthorized access, unauthorized retrieval, tampering and misuse.
    
6. A Licensee must also adequately protect the Customer data (including Customer identification and transaction records) which are required to be stored and maintained in the State. Such data can only be made available to the corresponding Customer, the Central Bank, other regulatory authorities following prior approval of the Central Bank, or by a UAE court order. A Licensee must store and retain all Customer and transaction data for a period of five years from the date of the creation of the Customer data, or longer if required by other laws.

1. A Licensee must have in place an effective and robust system to protect and manage the Float to ensure that: (a) all funds are deployed for the prescribed usage only; (b) funds belonging to Customers are protected against claims by other creditors of the Licensee in all circumstances; and (c) funds are protected from operational and other relevant risks.
    
2. A Licensee may need to seek an external legal opinion on the protection arrangement of the Float to ensure the legal soundness of the arrangements and to commission an independent review to ensure the operational soundness.
    
3. Licensed banks are required to comply with the requirements set out in paragraphs 7 to 16 in this Article, and are exempt from the other paragraphs.

Protection of the Float

4. A Licensee must put in place an effective contractual arrangement to ensure the legal right and priority claim of the Float by Customers in the event of insolvency of a Licensee. With respect to the contractual arrangement, a Licensee should ensure that the assets of the Float must be adequately protected from any possible claims and in segregated accounts with licensed banks or a foreign bank recognized by the Central Bank.
    
5. Alternatively, an effective bank guarantee and/or insurance coverage may be used. For the avoidance of doubt, any funds received by the Licensee that are not yet credited to the Customers’ accounts, or funds that are still held by the Licensee but have already been deducted from the Customer’ account are treated as the Float received from the Customer and must be accorded the same level of protection.
    
6. Where circumstances warrant a trigger to redeem the Float to Customers, the contractual arrangement should operate to the effect that proper legal positions and authorizations are in place to ensure a smooth and efficient redemption process. Detailed procedures to ensure a smooth and efficient redemption process must be put in place. In assessing the efficiency of the redemption process, the Central Bank will consider factors including but not limited to notification to relevant Customers, the duration in which a Customer is expected to receive the redemption, and the steps that a Customer needs to take to seek redemption.
    
7. A Licensee must ensure that there are sufficient funds for the redemption of the Float to all Customers at all times and there are sufficient additional funds to pay for the costs of distributing the Float to all Customers in case of need.
    
8. An adequate process must be put in place to ensure timely and accurate records of funds paid into and out of a Licensee’s Float, with appropriately regular reconciliation between system records and the actual Float (e.g. balances of the dedicated bank account holding the Float). Such reconciliation should be done at least on a daily basis.
    
9. A Licensee must ensure that all Customer accounts in the SVF scheme Customer ledger are maintained in an accurate and timely manner and that the aggregate balance of all Customer accounts in the ledger accurately reflects the total amount of the Float of the SVF scheme at all times.
    
10. The assets, including cash and bank deposits, in which the Float of an SVF scheme are held must be segregated from the Licensee’s own funds as well as funds received for the Licensee’s other business activities.
     
11. A Licensee must put in place effective internal control measures and procedures, which constitute an integral part of the Licensee’s overall robust internal control system, to protect the Float from all operational risks, including the risk of theft, fraud and misappropriation.

Management of the Float

12. The Float of an SVF scheme must be managed mainly for the purpose of liquidity management to ensure that there will always be sufficient funds for redemption. A Licensee must put in place effective liquidity management policies, guidelines and control measures commensurate with the mode of operation of the SVF scheme in respect of the assets in which the Float are held.
     
13. A Licensee must not adopt a business model that takes investment returns from the Float management as a significant source of income. A Licensee who proposes to hold a proportion of the Float in low risk financial assets other than cash or bank deposits must obtain the Central Bank’s prior written consent by demonstrating to the Central Bank that the Float will be adequately protected from all relevant risks, including investment risk, market risk, concentration risk and liquidity risk. The Licensee seeking the Central Bank’s prior consent must put in place adequate investment policies and guidelines and effective control measures to protect the Float from all relevant risks.
     
14. Unless effective currency risk management policies, guidelines and control measures are put in place, mismatch between the currency denomination of the Float and that of the assets in which the Float are held is not allowed except for the mismatch between AED and US dollar positions.
     
15. If there are legitimate reasons that render it inevitable for a Licensee to run a currency mismatch as described in paragraph 14 above, the licensee must obtain an exemption from the Central Bank. Licensees exempted from this provision, will be expected to put in place appropriate policies and procedures to monitor or manage the foreign exchange risk arising therefrom and to ensure the sufficiency of the Float.

Reporting to the Central Bank

16. In respect of the protection and management of the Float, any material non-compliance with any regulatory requirements or internal policies, procedures and controls as well as any material unresolved discrepancies identified in any reconciliation must be reported to the Central Bank together with adequate rectification measures immediately through the established communication channels.
     

1. A Licensee is expected to take into account international best practices and standards when designing and implementing the technology and specific risk management systems and processes.
    
2. All technology and specific risk management requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.

Technology risk management

3. A Licensee must establish an effective technology and cyber security risk management framework to ensure (a) the adequacy of IT controls, (b) cyber resilience, (c) the quality and security, including the reliability, robustness, stability and availability, of its computer and payment systems, and (d) the safety and efficiency of the operations of the SVF scheme. The framework must be “fit for purpose” and commensurate with the risks associated with the nature, size, complexity and types of business and operations, the technologies adopted and the overall risk management system of the Licensee. Consideration should be given to adopting recognized international standards and practices when formulating such risk management framework.
    
4. A Licensee must establish an incident management framework with sufficient management oversight to ensure effective incident response and management capability to deal with significant incidents properly. This includes: (a) timely reporting to the Central Bank of any confirmed technology-related fraud cases or major security breaches, including cyber-attacks, cases of prolonged disruption of service and systemic incidents where Customers suffer from monetary loss or Customers’ interests are being affected (e.g. data leakage) and (b) a communication strategy to address the concerns any stakeholders may have arising from the incidents, and restore the reputational damage that the incidents may cause.
    
5. An effective technology risk management framework should comprise proper IT governance, a continuous technology risk management process and implementation of sound IT control practices.

IT governance

6. A Licensee must establish a proper IT governance framework. IT governance covers various aspects, including a clear structure of IT functions and the establishment of IT control policies. While there could be different constructs, the major functions should include an effective IT function, a robust technology risk management function, and an independent technology audit function.
    
7. A set of IT control policies that fits the Licensee’s business model and technology applications, must be put in place. The IT control policies which establish the ground rules for IT controls must be formally approved by Senior Management and properly implemented among IT functions and business units. Processes used to verify compliance with IT control policies and the process for seeking appropriate approval by Senior Management for dispensation from IT control policies must also be clearly specified, and consequences associated with any failure to adhere to these processes are in place.

Technology risk management process

8. A Licensee must put in place an effective risk management system that fits its specific business model and risk profile.
    
9. A robust process must be established to manage all changes (e.g. changes arising from new products, services, processes, contract terms, or any changes of external factors such as law and regulations) that might change a Licensee’s technology risk exposures. All identified risks must be critically evaluated, monitored and controlled on an ongoing basis.
    
10. A general framework for management of major technology-related projects, such as in-house software development and acquisition of information systems must be established. This framework should specify, among other things, the project management methodology to be adopted and applied to these projects.

Project life cycle

11. A full project life cycle methodology governing the process of developing, implementing and maintaining major computer and payment systems should be adopted and implemented.
     
12. Where a Licensee acquires a software package from vendors, a formal software package acquisition process should be established to manage risks associated with acquisitions, such as breach of software license agreement or patent infringement.
     
13. Quality assurance review of major technology-related projects by an independent party, with the assistance of the legal and compliance functions should be conducted if necessary.

Security requirements

14. Security requirements should be defined clearly in the early stage of system development or acquisition as part of business requirements and adequately built during the program development stage.

Coding practice

15. Guidelines and standards for software development with reference to industry generally accepted practice on secure development should be developed. Source code reviews (e.g. peer review and automated analysis review), which could be risk-based, as part of software quality assurance process should be conducted.

System testing, acceptance and deployment

16. A formal testing and acceptance process should be established to ensure that only properly tested and approved systems are promoted to the production environment. The scope of tests should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.
     
17. Segregated environments for development, testing and production purposes should be maintained. System testing and user acceptance testing (UAT) should be properly carried out in the testing environment. Production data should not be used in development or acceptance testing unless the data has been desensitized and prior approval from the information owner has been obtained.

Segregation of duties

18. Segregation of duties among IT teams should be properly maintained. Developers should not be able to get access to production libraries and promote programming code into the production environment. If automated tools are used for the promotion of programming code, adequate monitoring, reviews and checks by independent teams should be done. Vendor accesses to the UAT environment, if necessary, should be closely monitored.

End-user computing

19. An inventory of end-user developed applications should be maintained and where necessary, control practices and responsibilities with respect to end-user computing to cover areas such as ownership, development standard, data security, documentation, data/file storage and backup, system recovery, audit responsibilities and training should be established.

IT service support - Problem management

20. A problem management process to identify, classify, prioritize and address all IT problems in a timely manner should be established. A trend analysis of past incidents should be performed regularly to facilitate the identification and prevention of similar problems.

Change management

21. A formal change management process should be developed to ensure the integrity and reliability of the production environment and that the changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems and other IT facilities and equipment, are proper and do not have any undesirable impact on the production environment. Formal procedures for managing emergency changes (including the record keeping and endorsement arrangement) should also be established to enable unforeseen problems to be addressed in a timely and controlled manner.

Security baseline standards

22. Control procedures and baseline security requirements, including all configurations and settings of operating systems, system software, databases, servers and network devices should be adequately and accurately documented. Periodic reviews on the compliance of the security settings with the baseline standards should be performed.

IT operation - Job scheduling

23. The initial schedules and changes to scheduled jobs should be appropriately authorized. Procedures should be in place to identify, investigate and approve departures from standard job schedules.

Vulnerability and patch management

24. A combination of automated tools and manual techniques should be deployed to regularly perform comprehensive vulnerability assessments. For web-based external facing systems, the scope of vulnerability assessment should include common web vulnerabilities.
     
25. Patch management procedures should be formulated to include the identification, categorization, prioritization and installation of security patches. To implement security patches in a timely manner, the implementation timeframe for each category of security patches should be defined based on severity and impact on systems.
     
26. Security monitoring tools should be implemented to retain system, application and network device logs to facilitate examination when necessary in accordance with the Licensee’s defined log retention policy. The tools should also monitor and report, on a real-time basis if possible, critical configurations and security settings to identify unauthorized changes to these settings and block anomalies on IT assets, e.g. abnormal user behaviors, unusual system processes and memory access and malicious callbacks to devices.

IT facilities and equipment maintenance

27. IT facilities and equipment should be maintained in accordance with the industry practice, and suppliers’ recommended service intervals and specifications to ensure the facilities and equipment are well supported.

Mobile computing

28. Where a Licensee provides mobile devices for its employees, policies and procedures covering, among others, requisition, authentication, hardening, encryption, data backup and retention should be established.

Network and infrastructure management

29. Overall responsibility for network management should be clearly assigned to individuals who are equipped with expertise to fulfil their duties. Network standards, design, diagrams and operating procedures should be formally documented, kept up-to-date, communicated to all relevant network staff and reviewed periodically.
     
30. A Licensee should have in place adequate measures to maintain appropriate segregation of databases for different purposes to prevent unauthorized or unintended access or retrieval and robust access controls should be enforced to ensure the confidentiality and integrity of the databases. In respect of any personal data of Customers, including merchants, a Licensee should at all times comply with this Regulation, the relevant data protection laws as well as any relevant codes of practice, guidelines or best practice issued by the relevant authorities from time to time.
     
31. Access to the information and application systems should be restricted by an adequate authentication mechanism associated with access control rules. A role-based access control framework should be adopted and access rights should only be granted on a need-to-have basis.
     
32. A security administration function and a set of formal procedures should be established for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities.
     
33. Due care should be exercised by Licensees when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include: (a) changing the default password; (b) restricting the number of privileged users; (c) implementing strong controls over remote access by privileged users; (d) granting of authorities that are strictly necessary to privileged and emergency IDs; (e) formal approval by appropriate senior personnel prior to being released for usage; (f) logging, preserving and monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs); (f) prohibiting sharing of privileged accounts; (g) proper safeguard of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data center); and; (h) changing of privileged and emergency IDs’ passwords immediately upon return by the requesters.

Cyber resilience

Cyber security risk assessment process

34. Where a Licensee is heavily reliant on Internet and mobile technologies to deliver its services, cyber security risks must be adequately managed through the Licensee’s technology risk management process. The Licensee should also commit adequate resources to ensure its capabilities to identify the risk, protect its critical services against the attack, contain the impact of cyber security incidents and restore the services.

Cyber threat intelligence

35. A Licensee must keep pace with the trends in cyber threats. It may consider subscribing to quality cyber threat intelligence services, which are relevant to its business, to enhance its ability to precisely respond to new type of threats in a timely manner. The Licensee may also seek opportunities to collaborate with other organizations to share and gather cyber threat intelligence with the aim of facilitating the SVF industry to better prepare and manage cyber security risks.

Penetration and cyber-attack simulation testing

36. A Licensee must regularly assess the necessity to perform penetration and cyber-attack simulation testing. Coverage and scope of testing should be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Licensee should also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis.

Internet connected device

37. As Internet evolves, more devices or appliances are embedded with Internet connectivity. These devices with “always on” network connectivity may create more end-points which allow intruders to get access to a Licensee’s critical IT infrastructure. The Licensee should pay attention to related risks and take appropriate measures accordingly.

Payment security management

38. A Licensee must put in place a robust payment security management framework that is commensurate with the scale and nature of payment security risks associated with its SVF schemes to effectively monitor, identify, evaluate, respond and mitigate the payment security risks arising from the operation of the SVF schemes.
     
39. A Licensee must have adequate policies and procedures on the ownership, classification, storage, transmission, processing and retention of information collected from Customers through registration of SVF service and execution of payment transactions to ensure confidentiality and integrity of the information.

Information ownership

40. An information owner should be assigned to the specific information being collected, processed, created, and maintained. The information owner should be accountable for classification, usage authorization and protection of information processed by and stored in systems.

Information classification

41. Information should be classified into different categories according to the degree of sensitivity to indicate the extent of protection required. To aid the classification process, a Licensee should develop guidelines and definitions for each classification and define an appropriate set of procedures for information protection in accordance with the classification scheme.

Information in storage

42. Sensitive data stored in end-user devices as well as the backend systems of Licensees, such as payment data, personal identifiable information and authentication data must be appropriately secured against theft and unauthorized access or modification. Sensitive data should be encrypted and stored in a secure storage environment, using strong and widely recognized encryption techniques.

Information in transmission

43. A Licensee must ensure that when transmitting sensitive data, e.g. from a Customer’s device to a Licensee’s server, a strong and secure end-to-end encryption is adopted and maintained in order to safeguard the confidentiality and integrity of the data, using strong and widely recognized cryptographic techniques.
     
44. Where applicable, communication channels for data exchange should only be open on a need-to-use basis. For example, where it is practical to do so, communications via contactless channels should only be allowed after activation by the Customer and within a limited time window.

Information in processing

45. If a Licensee offers merchant acquiring services, it should require its merchants to have necessary measures in place to protect sensitive data related to payments and should refrain from providing services to merchants which cannot ensure such protection. The Licensee should also implement sufficient controls to maintain and verify the integrity of the information processed by its systems.

Information retention and disposal

46. A Licensee must implement an information retention and disposal policy to limit the data storage amount and retention time, having regard to applicable legal, regulatory, and business requirements.

Information minimization

47. In designing, developing and maintaining payment services, a Licensee should ensure that information minimization is an essential principle of the core functionality: gathering, routing, processing, storing and/or archiving.
     
48. A Licensee must implement adequate security measures to protect each payment channel (including cards and user devices) provided to Customers for using its SVF against all material vulnerabilities and attacks. A Licensee providing payment card services should implement adequate safeguards to protect sensitive payment card data.

Customer device

49. A Licensee should assume that Customer devices are exposed to security vulnerabilities and take appropriate measures when designing, developing and maintaining payment services. Security measures should be in place to guard against different situations, including unauthorized device access, malware or virus attack, compromised or unsecure status of mobile device and unauthorized mobile applications.

Mobile device for payment acceptance

50. If mobile devices are used by merchants to accept a Licensee’s payment solutions, additional security measures should be implemented to safeguard the mobile payment acceptance solution, including the detection of abnormal activities and logging them in reports, and the provision of merchant identification for Customers to validate its identity.

Customer authentication

51. A Licensee should select reliable and effective authentication techniques to validate the identity and authority of its Customers. Two-factor authentication is normally expected for high-risk transactions. Customer authentication is stronger when two-factor authentication is adopted by combining any two of the following three factors: (a) something a Customer knows (e.g. user IDs and passwords); (b) something a Customer has or possesses (e.g. one-time passwords generated by a security token or a Licensee’s security systems); and (c) something a Customer is (e.g. retina, fingerprint or voice recognition).
     
52. If a password (including a personal identification number) is used as one factor of authentication, a Licensee must put in place adequate controls related to the strength of the password (e.g. minimum password length).

Login attempts and session management

53. Effective controls include limiting the number of login or authentication attempts (e.g. wrong password entries), implementing time-out controls and setting time limits for the validity of authentication. If one-time password is used for authentication purpose, a Licensee should ensure that the validity period of such passwords is limited to the strict minimum necessary.

Activities logging

54. A Licensee should have processes in place ensuring that all transactions are logged with an appropriate audit trail.
     
55. A Licensee should have robust log files allowing retrieval of historical data including a full audit trail of additions, modifications or deletions of transactions. Access to such tools, including privileged responsibilities, should only be available to authorized personnel and should be appropriately logged.
     
56. Channels should be provided for Customers to check their past transactions.

Fraud detection systems

57. A Licensee must operate transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions. Suspicious or high-risk transactions should be subject to a specific screening, filtration and evaluation procedure.
     
58. Where an SVF enables a Customer to bind a credit/debit/prepaid card as a funding source for his/her SVF account, the Licensee should implement appropriate verification arrangements, to be conducted by the card issuer with the cardholder (e.g. SMS one-time password or other effective measures), to confirm that cardholder gives consent to the card binding. Such verification arrangement should be triggered at least during the binding process or when the card is initially used by the relevant SVF account. Licensees should disallow binding a card if the relevant card issuer does not support the verification arrangement required by the Licensee or fails to perform the required verification with the relevant cardholder.
     
59. Where an SVF enables a Customer to set up a direct debit from a bank account, the Licensee should implement appropriate measures to ensure that the setting up of such a direct debit has been authorized by the relevant bank account owner.

Administration of Customer accounts

60. If a Licensee allows a Customer to open an account through online channel, a reliable method should be adopted to authenticate the identity of the Customer. In general, the electronic know your customer (eKYC) process currently adopted by licensed banks is acceptable for SVF account opening.
     
61. A Licensee should perform adequate identity checks when any Customer requests a change to the Customer’s account information or contact details that are useful for the Customer to receive important information or monitor the activities of the Customer’s accounts.

Controls over higher-risk transactions

62. A Licensee should implement effective controls, such as two-factor authentication, to re-authenticate the Customer before effecting each high-risk transaction. High-risk transactions should, at least, include: (a) transactions that exceeded the predefined transaction limit(s); (b) change of personal contact details; and (c) unless it is not practicable to implement in the SVF concerned, transactions that exceeded the aggregate rolling limit(s) (i.e. total value of transactions over a period of time).
     
63. A Licensee should define the per transaction limit(s) and the aggregate rolling limit(s), having regard to factors such as its fraud monitoring capability, maximum stored value per SVF (if applicable), maximum daily top up limit (if applicable) and other fraud protection mechanism implemented. Such limits should be clearly communicated to Customers.

Business continuity management

64. A Licensee must have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery. These components are elaborated further below.

Business impact analysis

65. A business impact analysis normally comprises two stages. The first stage is to (a) identify potential scenarios that may interrupt a Licensee’s services over varying periods of time, and (b) identify the minimum level of critical business and payment services that must be maintained in the event of a prolonged service interruption.
     
66. The second stage of a business impact analysis is a recovery time-frame assessment. It aims to develop key realistic, measurable and achievable recovery time objectives: (a) maximum tolerable downtime to recover and resume the minimum service levels of critical business and payment services; (b) recovery time objective to recover critical IT resources and critical business and payment services; and (c) recovery point objective to recover data in a secure, timely manner and full integrity.

Recovery strategies

67. A set of recovery strategies should be put in place to ensure that all critical business functions identified in business impact analysis can be recovered in accordance with the recovery timeframe defined. These recovery strategies should be clearly documented, thoroughly tested and regularly drilled to ensure achievement of recovery targets.
     
68. A crucial element of service recovery is robust record management. A Licensee must put in place effective measures to ensure that all business records, in particular Customer records, can be timely restored in case they are lost, damaged, or destroyed. It is also crucial for a Licensee to allow Customers to access their own records in a timely manner.
     
69. In determining a Licensee’s levels of minimal services and the recovery objectives, it should take into account a host of relevant factors, including but not limited to interdependency among critical services/systems, expectations of Customers and other stakeholders in terms of speed, stability, and reliability of its services, legal and reputational risk implications.

Business continuity plan

70. A business continuity plan must be developed based on the business impact analysis and related recovery strategies. A business continuity plan should comprise, at a minimum, (a) detailed recovery procedures to ensure full accomplishment of the service recovery strategies, (b) escalation procedures and crisis management protocol (e.g. set up of a command center, timely reporting to the Central Bank, etc.) in case of severe or prolonged service disruptions, (c) proactive communication strategies (e.g. Customer notification, media response, etc.), (d) updated contact details of key personnel involved in the business continuity plan; and (d) assignment of primary and alternate personnel responsible for recovery of critical systems.

Alternate sites for business and IT recovery

71. A Licensee should examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites should be sufficiently distanced to avoid any shared risk and being affected by the same disaster.
     
72. A Licensee’s alternate site should be readily accessible, installed with appropriate facilities and available for occupancy within the time requirement specified in its business continuity plan. Appropriate physical access controls should be implemented. If certain recovery staff are required to work from home in the event of a disaster, adequate computer and systems facilities should be made available in advance.
     
73. Alternate sites for IT recovery should have sufficient technical equipment, including communication facilities, of appropriate model and capacity to meet recovery requirements.
     
74. A Licensee must avoid placing excessive reliance on external vendors in providing business continuity management support, including the provision of the disaster recovery site and back-up equipment and facilities. A Licensee should satisfy itself that such vendors do have the capacity to provide the services when needed and the contractual responsibilities of the vendors, including the lead-time, types of support and capacity, are clearly specified.
     
75. If a Licensee is reliant on shared computing services provided by external providers, such as cloud computing, to support its disaster recovery, it should manage the risk associated with these services.

Senior Management oversight

76. Senior Management of the Licensee must establish clearly, which function has the responsibility for the entire process of business continuity management, and ensure that it has sufficient resources and expertise.
     
77. Given the importance of business continuity management, the chief executive of a Licensee should prepare and sign-off a formal annual statement submitted to the board of directors on whether the recovery strategies adopted are still valid and whether the documented business continuity plan is properly tested and maintained.

Implementation of business continuity plan

78. A Licensee is expected to conduct testing of its business continuity plan at least annually. Senior Management, primary and alternate relevant personnel should participate in the annual testing to familiarize themselves with their recovery responsibilities.
     
79. All business continuity planning related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. Formal testing documentation (including test plan, scenarios, procedures and results) should be produced. A post mortem review report should be prepared for formal sign-off by Senior Management.

Reputation risk management

80. A Licensee must establish and implement an effective process for managing reputation risk that is appropriate for the size and complexity of its operations. A Licensee should integrate into its business processes proper due diligence work to (a) critically assess the potential reputational implications of its plans and activities for itself and for the industry; (b) take proactive actions to avoid or contain the identified risks; and (c) respond swiftly to mitigate the potential impact should such risks materialize.
     
81. A Licensee must also devote appropriate resources to conduct surveillance work with a view to identifying any issues with reputational implications for its operations. The objective is to protect the Licensee from potential threats to its reputation and, should there be a reputation event, minimize the effects of such an event.
     
82. A Licensee must ensure that the relevant process is capable of detecting and responding swiftly to new and emerging threats to reputation, monitoring the changing status of risks, providing early warning of potential problems to enable remedial actions to be taken, and providing assurance that the risks affecting reputation are under control.

1. The SVF schemes must be operated prudently and with competence in a manner that will not adversely affect the interests of the Customer or potential Customer of the Licensee. All Licensees must also comply with the existing regulatory requirements for consumer protection of the Central Bank.
    
2. The business conduct and Customer protection requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.

Standard of conduct and business practices

3. A Licensee must ensure that its business is operated in a responsible, honest and professional manner. A Licensee must treat all Customers, as well as merchants, equitably, honestly and fairly at all stages of their relationship with the Licensee. A Licensee must also act in a manner that will not adversely affect the interests of the Customer or potential Customer or the stability of any payment system in the State.
    
4. A Licensee must be responsible for the acts or omissions of its employees, service providers and agents in respect of the conduct of its business. Employees and agents of a Licensee must be properly trained and qualified.
    
5. A Licensee must ensure that it adopts and if needed, develops good business practices that can demonstrate its standard of conduct, including:
    
   1. 5.1. Due diligence must be performed by a Licensee to ensure that all promotional materials it issues are accurate and not misleading;
       
   2. 5.2. A Licensee may use its websites and mobile apps to provide links to e-commerce portals and other online merchants. When providing such links, the Licensee must carry out due-diligence on the e-commerce portals and merchants acquired to ascertain they are bona fide companies conducting legitimate business so as to manage reputation risk; and
       
   3. 5.3. Websites or apps of a Licensee may only provide hyper-links to other websites which offer advisory and/or sale of financial products and services provided that the Licensee has sought external legal opinion to ensure that the arrangements comply with all relevant legal and regulatory requirements.

Schemes and Operating Rules

6. The Operating Rules of an SVF scheme must be fair to all parties concerned. A Licensee must operate its SVF scheme in strict accordance with the relevant Operating Rules.
    
7. If a Licensee intends to engage business partners (e.g. merchant acquirers to procure merchants), it must ensure that the arrangement with business partners will not compromise its obligations under this Regulation in respect of ensuring safe and efficient operation of the SVF scheme, in particular:
    
   1. 7.1. The Licensee must conduct due diligence on business partners to carefully assess the risks involved before engaging the business relationship, and to put in place adequate control mechanism to mitigate the risks identified;
       
   2. 7.2. The Licensee must be satisfied that the contractual relationship between itself and business partners (e.g. merchants) is clearly constructed and enforceable with well-defined division of duties and liabilities supported by well-documented service level agreements, and that there are necessary safeguards in its contractual relationship with the business partners to ensure the operational safety and efficiency of the SVF scheme;
       
   3. 7.3. The Licensee must impose appropriate controls and oversight over the business arrangements with its business partners (e.g. in case of merchant acquirers), to ensure that they have proper systems in place for settlement of funds with the merchants and for mitigation of any potential money laundering and terrorist financing risks; and
       
   4. 7.4. The Licensee must ensure that the arrangement of engaging business partners is compliant with relevant personal data privacy/protection requirements and also observes this Regulation and the relevant supervisory guidelines on data protection in order to safeguard the interest of its Customers.
       
8. The Operating Rules of an SVF scheme must provide that the amount of funds received by a Licensee or its agent from a Customer will be credited to the account of the Customer and made available for use by the Customer in a timely manner according to the Operating Rules.
    
9. Whilst the Central Bank will not establish a hard limit on the maximum amount of the value stored in each type of Customer accounts under an SVF scheme, a reasonable limit, supported by business justifications and control measures, must be set for the maximum amount that can be stored in each type of Customer accounts under an SVF scheme. Different storage limits can be set for different types of Customer accounts according to their respective features. All limits must be set out in the Operating Rules. The Central Bank may request a Licensee to change the limits on a case-by-case basis if the Central Bank considers it appropriate to apply such limits or the business justifications and control measures put up by the Licensee are considered unsatisfactory.
    
10. 10. A Licensee must set out and explain clearly the key features, risks, terms and conditions, and applicable fees, charges and commissions of its schemes, facilities, services and products. Such details must be effectively communicated and made available to the relevant Customers, as well as merchants. Additional disclosures, including appropriate warnings, must be developed to provide information commensurate with the nature, complexity and risks of the schemes, facilities, services and products.
     
11. A Licensee is solely responsible for the robustness of its SVF scheme and as such it must bear the full loss of the value stored in a Customer account where there is no fault on the part of the Customer. In general, a Customer of the Licensee must not be responsible for any direct loss suffered by him/her as a result of unauthorized transactions conducted through his/her account.

Anti-fraud framework

12. A Licensee must implement an anti-fraud framework. Such framework must include duties and obligations of chief executive officer, Compliance Committee, and fraud reporting and follow-up mechanism. Appropriate and documented anti-fraud training must be provided to all employees.

Security advice for Customers

13. The Licensee should provide easy-to-understand, prominent and regularly reviewed advice from time to time via effective methods and multiple channels to its Customers on security precautionary measures.
     
14. A Licensee must manage the risk associated with fraudulent emails, websites and mobile applications, which are designed to trick customers into revealing sensitive user information such as login identifiers, passwords and one-time passwords.

Business exit plan

15. With a view to minimizing the potential impact that a failure, disruption, or exit of a Licensee would have on Customers and the payment systems in the State, a Licensee is required to maintain viable plans for an orderly exit of its business and operations should other options be proven not possible.
     
16. Among other things, a business exit plan should (a) identify a range of remote but plausible scenarios which may render it necessary for a Licensee to consider an exit; (b) develop risk indicators to gauge the plausibility of the identified scenarios; (c) set out detailed, concrete, and feasible action steps to be taken upon triggering the exit plan; (d) assess the time and cost required to implement the exit plan in an orderly manner; and (e) set out clear procedures to ensure that sufficient time and financial resources are available to implement the exit plan. The plan should be reviewed on an annual basis to ensure its relevancy and workability.

Systems interoperability

17. A Licensee should ensure that its SVF systems are interoperable with other major payment systems in the State to allow connectivity of all key payment services. This is important for building a cost effective and efficient digital payment ecosystem in the State.
     
18. The Central Bank expects Licensees to adopt a risk-based approach and refrain from adopting practices that would result in financial exclusion, particularly in respect of the need for bona fide businesses and individuals to have access to SVF products and services.
     
19. The risk assessment processes should be able to differentiate the risks of individual Customers within a particular segment or grouping through the application of a range of factors, including country risk, business risk, product/service risk and delivery/distribution channel risk. It is inappropriate for Licensees to adopt a one-size-fits-all approach.

1. All Licensees must comply with the existing legal obligations and regulatory requirements for AML/CFT of the Central Bank and address money laundering and terrorist financing risks through appropriate preventive measures to deter abuse of the sector as a conduit for illicit funds, and detect money laundering and terrorist financing activities and report any suspicious transactions to the Financial Intelligence Unit at the Central Bank.
    
2. The Central Bank requires the Licensees to undertake periodic risk profiling and assessment based on the AML/CFT requirements.

Risk factors

3. The risk of an SVF product will to a significant degree, depend on its design, its functions and the mitigating measures applied. In assessing the risk of an SVF product, a Licensee should take into account the following risk factors:
    
   1. 3.1. maximum stored value or transaction amount of the SVF – SVF products with higher transaction value or higher maximum stored value may increase the money laundering and terrorist financing risk;
       
   2. 3.2. methods of funding – SVF products that allow funding by cash offer with little or no audit trail present a higher money laundering and terrorist financing risk. On the other hand, funding by unverified parties or via other payment methods without Customer identification can also create an anonymous funding mechanism and hence present higher money laundering and terrorist financing risks;
       
   3. 3.3. cross-border usage – in general, SVF products with cross-border usage may increase the risk as transactions may be subject to different AML/CFT requirements and oversight in other jurisdictions and also give rise to difficulties with information sharing;
       
   4. 3.4. person-to-person fund transfer function – an SVF product that allows person-to-person fund transfers may give rise to higher money laundering and terrorist financing risks;
       
   5. 3.5. cash withdrawal function – an SVF product that allows access to cash for instance through automated teller machine networks may increase the level of money laundering and terrorist financing risk;
       
   6. 3.6. holding of multiple accounts/cards – SVF products that allow a Customer to hold more than one account or card may also increase the money laundering and terrorist financing risk as it may be utilized by a third-party user other than the Customer;
       
   7. 3.7. multiple cards linked to the same account – SVF products that permit this functionality may present higher money laundering and terrorist financing risks, especially where the linked card is anonymous; and
       
   8. 3.8. payment for high-risk activities – some merchant activities, for example, gaming, present higher money laundering and terrorist financing risks.
       
4. The money laundering and terrorist financing risks of an SVF product can be reduced by implementing risk mitigating measures, which may include: (a) the application of limits on the maximum storage values, cumulative turnover or transaction amounts; (b) disallowing higher risk funding sources; (c) restricting the SVF product being used for higher risk activities; (d) restricting higher risk functions such as cash access; and (e) implementing measures to detect multiple SVF accounts/cards held by the same Customer or group of Customers.
    
5. The level of money laundering and terrorist financing risks posed by a particular SVF product will depend on a consideration of all risk factors, the existence and effectiveness of risk mitigating measures and their functionality.
    
6. A Licensee should assess whether a business relationship presents a higher money laundering and terrorist financing risk and assign a related risk rating. Generally, the Customer risk assessment will be based on the information collected during the identification stage. The Licensee should ensure that their CDD models are designed to address the specific risks associated to its Customer profile and SVF product features.

Compliance management arrangements and independent audit function

7. A Licensee must have appropriate compliance management arrangements that facilitate the SVF’s implementation of AML/CFT systems to comply with relevant legal and regulatory obligations and to manage money laundering and terrorist financing risks effectively. Compliance management arrangements should at a minimum include oversight by the Licensee’s Senior Management and appointment of a Compliance Officer and a Money Laundering Reporting Officer.
    
8. In addition, a Licensee should put in place comprehensive AML/CFT policies and procedures in accordance with the AML/CFT law and regulations.

Use of technology

9. The Central Bank supports innovative means by which Licensees implement AML/CFT Systems effectively as well as exploring the greater use of technology and analytical tools. The Central Bank expects Licensees, before introducing any new product, service or technology, to conduct adequate risk assessments and ensure that any identified risks are effectively managed or mitigated.
    
10. In general, the eKYC process currently adopted by licensed banks for digital onboarding of Customers is acceptable for SVF account opening. No physical face-to-face meetings with the Customer or physical documents verification are required so long as the digital authentication of the Customer and digital verification of all required documents can be done in accordance with the existing requirements of the Central Bank.
     
11. Depending on the nature of relationship, Licensees may undertake additional CDD measures, including the collection of sufficient information to adequately understand the nature of the Virtual Asset Service Providers’ business; determining from publicly available information whether the Virtual Asset Service Providers are licensed or registered, and subject to AML/CFT supervision; and assessing the AML/CFT controls of the Virtual Asset Service Providers as appropriate. The extent of Customer due diligence measure should be commensurate with the assessed money laundering and terrorist financing risks of the Virtual Asset Service Providers.
     
12. Globally there is an emerging range of new products and services involving Virtual Asset. In line with the FATF standards, before a Licensee offers any new products relating to Virtual Assets, it should undertake money laundering and terrorist financing risk assessment and take appropriate measures to manage and mitigate the identified risks in accordance with applicable legal and regulatory requirements. Licensees are encouraged to refer to the suggestions provided by FATF in relation to the guidance for a risk-based approach to Virtual Assets and Virtual Assets Service Providers.

1. Violation of any provision of this Regulation may be subject to supervisory action and administrative & financial sanctions measures as deemed appropriate by the Central Bank.
    
2. Supervisory action and administrative & financial sanctions by the Central Bank may include replacing or restricting the powers of Senior Management or board of directors, providing for the interim management of the Licensee, imposition of fines or barring individuals from the UAE financial sector.
    

The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

This Regulation repeals and replaces the “Regulatory Framework for Stored Value and Electronic Payment Systems” Regulation issued in the UAE on 13/12/2016.

This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication. In case of any discrepancy between the Arabic and the English, the Arabic version will prevail.