Card Schemes operating within the State shall obtain a License by the Central Bank prior to commencing operations.
Applicants shall be subject to the procedure envisaged in the Central Bank’s Licensing Guidelines.
The Central Bank shall determine whether to grant or refuse to grant a License to a Card Scheme Applicant and indicate this in writing to the Applicant within (90) calendar days from the receipt of the full set of documents and information requested under the Application.
The Central Bank may grant a License under paragraph (1) with or without conditions or restrictions attached to it, or refuse to grant a License at its discretion.
The Central Bank shall notify the Card Scheme of the decision taken under paragraph (3). In case of a refusal to grant a License, the Central Bank shall indicate the reasons for such refusal.
The Central Bank reserves the sole right to issue Card Issuer (Bank) Identification Numbers (BIN) in accordance with ISO/IEC 7812, as may be amended or supplemented from time to time.
License Conditions
The Central Bank shall grant a License to a Card Scheme under this Article (18) upon the fulfilment of the following conditions:
7.1. the Central Bank has been provided with all necessary documents and information as it may request, in the form and within the timeframe specified by it, to allow it to assess the adequacy, efficiency and soundness of a Card Scheme, including:
7.1.1. the business model and business strategy;
7.1.2. the corporate governance structure;
7.1.3. the Management contact details;
7.1.4. the ownership and Group structure;
7.1.5. the financial and operational resources; and
7.1.6. the description of key risks, including conduct of business and money laundering and terrorist financing risks;
7.2. the Management of the Card Scheme fulfil the fit and proper requirements specified by the Central Bank, including that each member of Management:
7.2.1. possesses the necessary knowledge, skills, and experience;
7.2.2. has a record of integrity and good repute;
7.2.3. has sufficient time to fully discharge the responsibilities under this Regulation and Level 2 Acts; and
7.2.4. has a record of financial soundness.
Reporting Requirements
A Card Scheme that has been granted a License shall:
8.1. report to the Central Bank the information contained in Annex III on a quarterly basis;
8.2. provide additional information or become subject to more frequent reporting, as deemed necessary by the Central Bank; and
8.3. report immediately any changes that affect or are likely to affect its business model or financial viability, or which may otherwise be deemed to be material in nature such as significant increase or decrease in transaction volumes.
Ongoing Requirements
Governance
The Board and Management of a Card Scheme shall be responsible for ensuring that a licensed Card Scheme has an internal control framework that is adequate to establish a properly controlled operating environment for the conduct of its business, taking into account its risk profile.
Management shall be responsible for developing an internal control framework that identifies, measures, monitors and controls all risks faced by the Card Scheme.
Licensed Card Schemes shall have organizational structures that incorporate a “three lines of defense” approach comprising the business lines, the support and control functions and an independent internal audit function.
Compliance Function
The Board shall be responsible for ensuring that a Card Scheme has an independent, permanent and effective compliance function to monitor and report on observance of all applicable laws, regulations and standards and on adherence by staff and members of the Board to legal requirements, proper codes of conduct and policy on conflicts of interest.
The Card Payment Scheme shall have a Boardapproved compliance policy that is communicated to all staff specifying the purpose, standing and authority of the compliance function within the Card Scheme.
Card Schemes shall establish appropriate policies, procedures and controls pertaining to the internal reporting by their Management and staff of suspicious transactions, including the provision of the necessary records and data, to the designated Anti-Money Laundering and Combating the Financing of Terrorism compliance officer for further analysis and reporting decisions. Card Schemes shall report transactions to the competent authority when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime.
Internal Audit Function
The Board shall be responsible for ensuring that the Card Scheme has an independent, permanent and effective internal audit function commensurate with the size, nature of operations and complexity of its organization.
The internal audit function shall provide independent assurance to the Board and Management on the quality and effectiveness of the Card Scheme’s internal controls, risk management, compliance, corporate governance, and the systems and processes created by the business units, support and control functions.
The Card Scheme shall have an internal audit charter approved by the Board audit committee that articulates the purpose, standing and authority of the internal audit function within the Card Scheme.
Risk Management
Card Schemes shall have an adequately resourced risk management function headed by a chief risk officer or equivalent. The function shall be independent of the management and decision-making of the Card Scheme’s risktaking functions. The risk management function shall include policies, procedures, systems and controls for monitoring and reporting risks, and to ensure that risk exposures are aligned with the entity’s strategy and business plan.
Risk Strategy
Card Schemes shall have a clearly defined business strategy, risk appetite and defined corporate culture that has been approved by the Board and reviewed at least annually. Management shall ensure full compliance of this articulated strategy across all business lines and the Board will be ultimately responsible for such compliance.
Information Security
A Card Scheme shall apply and meet at a minimum the Payment Card Industry Data Security Standard (‘PCI DSS’) and UAE Information Assurance Standards, as may be amended from time to time.
A compliance report regarding the Card Scheme’s adherence to the standards referred to in paragraph (20) shall be presented to the Board at least annually as well as transmitted to the Central Bank.
In the case of a Data Breach, the Card Scheme shall notify the Central Bank without undue delay and not later than (72) hours after having become aware of such Data Breach.
Disaster Recovery and Business Continuity Management
Card Schemes shall have disaster recovery and business continuity plans in place to ensure their ability to operate on an ongoing basis and limit losses in the event of a severe business disruption. Such plans must be commensurate with the risk profile, nature, size and complexity of the Card Scheme’s business and structure and take into account different scenarios to which the Card Scheme may be vulnerable.
Disaster recovery and business continuity plans shall ensure that critical business functions of the Card Scheme can be maintained and recovered in a timely manner to minimize the financial, legal, regulatory, reputational and other risks that may arise from a disruption.
The Board shall ensure there is a periodic independent review of the Card Scheme’s disaster recovery and business continuity plans to ensure adequacy and consistency with current operations, risks and threats, recovery levels and priorities.
Risk Assessment
Card Schemes shall regularly assess risks through the identification of new risks, measurement of known risks and prioritization of risks through thorough understanding of the business and the market.
Risk Mitigation
Card Schemes shall mitigate risks through the implementation of:
27.1. risk mitigation programs and technologies;
27.2. the effective management of risk principles; operation with risk management in mind; and
27.3. outsourcing of risk functions that cannot be performed in-house.
Monitoring
Card Schemes shall perform regular monitoring of all risks and mitigation programs on at least an annual basis to ensure the robustness of the risk management procedures and programs. Continuous monitoring reports, including dashboards, shall be presented to the Management and the Board to ensure that all levels of management are aware of the current risk situation, including potential fraud, in the Card Scheme.
Assurance
Card Schemes shall give assurance to all stakeholders through external and internal audits.
Winding Down
Where a Card Scheme intends to terminate its operation in the State, it shall obtain an approval from the Central Bank to this effect.
A Card Scheme shall notify the Central Bank in advance of (3) months from the intended termination of its operations, and provide an orderly wind-down plan.
Supervisory Examinations
The Central Bank may conduct periodic examinations of the operation of Card Schemes to ensure their financial soundness and compliance with the requirements of this Regulation and Level 2 Acts.
Card Schemes shall provide the Central Bank with full and unrestricted access to their accounts, records and documents, and shall supply such information and facilities as may be required to conduct the examination referred to in paragraph (32).
Fees and Charges
The Central Bank has the right to receive information on any fees and charges of Card Schemes and regulate such fees and charges as it considers appropriate.
The Central Bank may publicly disclose the fees and charges of Card Schemes referred to in paragraph (34).