Skip to main content

Article (11) Payment Token Services

C 15/2021 Effective from 6/6/2021
  1. This Article (11) is without prejudice to other provisions of this Regulation that are relevant to Payment Service Providers providing Payment Token Services.
     
  2. For the avoidance of doubt, Payment Token Services do not include Security Token, Commodity Token and Virtual Asset Token and the provision of services associated with the same.
     
  3. Security Token and Commodity Token fall within the jurisdiction of the Securities and Commodities Authority and as such are regulated by the Securities and Commodities Authority.
     
  4. Virtual Asset Tokens, although may be accepted as a means of payment, are not generally accepted as a medium of exchange due to the lack of stability and high volatility in their market value. As a result, any services associated with Virtual Asset Tokens, including Virtual Asset Token Services, fall outside the scope of this Regulation.
     

Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations

  1. Payment Token Services shall be considered to carry high money laundering and terrorist financing risk due to their speed, anonymity and cross-border nature. In line with the FATF standards, Payment Services Providers providing Payment Token Services shall undertake risk assessment and take appropriate measures to manage and mitigate the identified risks in accordance with applicable legal and regulatory requirements. Payment Service Providers providing Payment Token Services shall comply with the FATF Guidance for a Risk-based Approach to Virtual Assets and Virtual Assets Service Providers, as may be supplemented from time to time, or any related standards or guidance in assessing and managing risks in Payment Token Services.
     

Technology Risk and Information Security

Security Requirements

  1. A Payment Service Provider providing Payment Token Services shall have a good understanding of the security risks and vulnerabilities of each Payment Token provided. It shall carry out a security risk assessment for each Payment Token.
     

Cyber Security Risk

  1. Payment Service Providers providing Payment Token Services whose monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above shall regularly assess the necessity to perform penetration and cyber-attack simulation testing. Coverage and scope of testing shall be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Payment Service Provider shall also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis.
     

Specific Obligations for Providing Retail Payment Service on Payment Tokens

Reserve of Assets

  1. Payment Service Providers issuing Payment Tokens shall keep and maintain at all times a Reserve of Assets per category of Payment Token issued.
     
  2. Payment Service Providers issuing Payment Tokens shall ensure effective and prudent management of the Reserve of Assets. They shall ensure that the creation and destruction of Payment Tokens is matched by a corresponding increase or decrease in the Reserve of Assets and that such increase or decrease is adequately managed to avoid any adverse impacts on the market of the Reserve Assets.
     

Stabilisation Mechanism

  1. Payment Service Providers issuing Payment Tokens shall have and maintain a clear and detailed policy on the selected stabilisation mechanism. That policy and procedure shall in particular:
     
    1. 10.1. describe the type, allocation and composition of the reference assets the value of which aims at stabilising the value of the Payment Tokens;
       
    2. 10.2. contain a detailed assessment of the risks, including credit risk, counterparty risk, market risk and liquidity risk, resulting from the Reserve of Assets;
       
    3. 10.3. describe the procedure for the creation and destruction of Payment Tokens and the consequence of such creation or destruction on the increase and decrease of the Reserve of Assets;
       
    4. 10.4. provide information on whether the Reserve of Assets is invested, and where part of the Reserve of Assets is invested, describe in detail the investment policy and contain an assessment of how that investment policy can affect the value of the Reserve of Assets; and
       
    5. 10.5. describe the procedure to purchase and redeem Payment Tokens against the Reserve of Assets, and list the persons who are entitled to such redemption.
       
  2. Payment Service Providers issuing Payment Tokens shall ensure an independent audit of the Reserve of Assets on a bi-annual basis as from the receipt of the Central Bank’s approval of the White Paper with respect of the Payment Tokens.
     

Custody

  1. Payment Service Providers issuing Payment Tokens shall establish, maintain and implement custody policies, procedures and contractual arrangements for each category of issued Payment Tokens that ensure at all times that:
     
    1. 12.1. the Reserve of Assets is segregated from the Payment Service Provider’s own assets;
       
    2. 12.2. the Reserve of Assets is not encumbered or pledged;
       
    3. 12.3. the Reserve of Assets is held in custody in accordance with paragraph (14); and
       
    4. 12.4. the Payment Service Providers have prompt access to the Reserve of Assets to meet any redemption requests from the holders of Payment Token.
       
  2. The assets received in exchange for the Payment Tokens shall be held in custody by no later than (5) Business Days after the issuance of the Payment Tokens by:
     
    1. 13.1. Bank; or
       
    2. 13.2. Payment Service Provider providing Payment Token Custody.
       

Investment of the Reserve of Assets

  1. Payment Service Providers issuing Payment Tokens that invest a portion of the Reserve of Assets shall invest those assets only in highly liquid financial instruments with minimal market and credit risk. The investments shall be capable of being liquidated rapidly with minimal adverse price effect.
     
  2. All profits or losses, including fluctuations in the value of the financial instruments referred to in paragraph (14), and any counterparty or operational risks that result from the investment of the assets shall be borne by Payment Service Providers issuing the Payment Tokens.
     

Pre-Trade Transparency

  1. Payment Service Providers that engage in Facilitating the Exchange of Payment Tokens shall disclose to its Retail Payment Service Users and the public as appropriate, on a continuous basis during normal trading, the following information relating to trading of each accepted Payment Tokens on their platform:
     
    1. 16.1. the current bid, offer prices and volume;
       
    2. 16.2. the depth of trading interest shown at the prices and volumes advertised through their systems for the accepted Payment Tokens; and
       
    3. 16.3. any other information relating to accepted Payment Tokens which would promote transparency relating to trading.
       
  2. Payment Service Providers that engage in Facilitating the Exchange of Payment Tokens shall use appropriate mechanisms to enable pre-trade information to be made available to the public in an easy to access and uninterrupted manner.
     

Post-Trade Transparency

  1. Payment Service Providers that engage in Facilitating the Exchange of Payment Tokens shall disclose the price, volume and time of the Payment Transactions executed in respect of accepted Payment Tokens to the public as close to real-time as is technically possible on a nondiscretionary basis. They shall use adequate mechanisms to enable post-trade information to be made available to the public in an easy to access and uninterrupted manner, at least during business hours.