Central Bank of UAE issues new security requirements for digital payments and prohibits virtual currencies

Financial Services Alert

The Regulatory Framework for Stored Values and Electronic Payment Systems (Regulation) issued by the UAE's Central Bank came into effect on 1 January 2017. Digital payment service providers in the UAE must now comply with a range of new rules including those relating to licensing, data protection and outsourcing.

Designed to create a safe and secure digital payment system in the UAE, among other things, the Regulation:

  • Establishes a new licensing regime for digital payment service providers (PSPs)
  • Regulates the protection of user data, including prohibition of storage of user data outside of the UAE
  • Requires PSPs to enter into customer service agreements with every user of their service
  • Creates rules for the outsourcing of services by PSPs to third parties

Any organisation involved in digital payments will need to study the Regulation closely to determine the applicable compliance requirements and create and implement a suitable compliance programme.

Any organisation that has been providing digital payment services in the UAE prior to the commencement of the Regulation on 1 January 2017 will have one year to ensure they are fully compliant with the Regulation or risk being ordered to cease provision of these services by the UAE's Central Bank. However, organisations that wish to commence new digital payment services must comply with the Regulation now.

Licensing

With the exception of commercial banks, all PSPs must apply for and obtain a licence covering one of the following PSP categories:

  • Retail PSP
  • Micropayment PSP
  • Government PSP
  • Non-issuing PSP

Commercial banks wishing to offer digital payment services need only obtain an authorization from the Central Bank, rather than separately apply for a specific licence.

Details of the application process for a licence from the Central Bank have not yet been published. However, potential applicants should bear in mind that the timeframe for the Central Bank to respond is three months from receipt of the completed application.

Data protection

PSPs must comply with strict rules regarding the storage of identification data and transaction records of users. These rules include the requirement to store and retain all user and transaction data exclusively in the UAE (excluding UAE financial free zones). This data must be stored for a period of five years from the date of the original transaction.

Consumer service agreements

PSPs must enter into customer service agreements, either in paper or electronic form, with every user, and each agreement must meet a minimum set of content requirements including a privacy policy of the PSP.

Outsourcing

In a similar vein to the data protection requirements, while PSPs may enter into outsourcing contracts with third parties, the outsourced services must only be carried out within the UAE (excluding UAE financial free zones). Additionally, unless an exception applies, Central Bank approval is required three months before the implementation of any operational function outsourcing and a range of safeguards must be put in place depending on whether the outsourcing involves critical operational functions or material operational functions. Whether such approval can be obtained prior to the commencement of a procurement activity is not addressed in the Regulation.

Virtual currency prohibited

The Regulation clearly states that all Virtual Currencies, and any Virtual Currency transactions, are prohibited. The term “Virtual Currencies” means any type of digital unit used as a medium of exchange, a unit of account, or a form of stored value. It does not include a digital unit that can be redeemed for goods, services and discounts as part of a user loyalty or rewards program with the issuer and cannot be converted into a fiat or virtual currency.

What does this mean for you?

The Regulation will require any entity that offers or is looking to offer any form of digital payments service to:

  1. Check whether the service is caught by the Regulation
  2. If such a service falls within the Regulation, make sure that they (among other things):
    • Apply for and obtain the requisite licences/approvals from the Central Bank, prior to commencing new digital payment services
    • Have the facility to store and retain all user and transaction data exclusively within the borders of the UAE (excluding UAE financial free zones) for a period of five years from the date of the original transaction
    • Three months prior to the implementation of any outsourcing of an operational function, have written approval from the Central Bank and ensure such services are provided onshore in the UAE under a contract which satisfies the relevant safeguard requirements
    • Prepare Customer Service Agreements which meet the required standards of the Regulation and ensure those agreements are put in place with all users
    • Do not use or process any form or type of Virtual Currency

As noted above, if an organization has already been providing such services prior to the commencement of the Regulation (on 1 January 2017), then they must undertake all such steps required to ensure compliance with the Regulation within the one year transition window (ie by no later than 1 January 2018).

It is important to note that the above summary has focused only on key aspects of the licensing, data protection, consumer service agreements and outsourcing elements of the Regulation. There are many other important elements of the Regulation which PSPs will need to assess carefully to determine their specific compliance approach.

For more information, please contact the authors.