Payment Token Services Regulation
C 2/2024 Effective from 21/8/2024
Introduction
This Regulation (the ‘Payment Token Services Regulation’) lays down the rules and conditions established by the Central Bank for granting a License or Registration for the provision of Payment Token Services and related matters. Payment Token Services are digital payment services in the UAE and comprise three categories, namely Payment Token Issuance, Payment Token Conversion and Payment Token Custody and Transfer.
Providing digital money services is a financial activity subject to Central Bank licensing and supervision in accordance with the provisions of the Central Bank Law. Accordingly, the Central Bank Law provides the statutory basis for the powers of the Central Bank in relation to the licensing and ongoing supervision of Licensed Payment Token Service Providers, and related matters.
Part 1
Scope and Objectives
This Regulation sets out:
conditions for the grant and maintenance of a License or Registration for the provision of Payment Token Services;
rights and obligations of Customers, Licensed Payment Token Service Providers, Registered Foreign Payment Token Issuers, Registered Foreign Payment Token Custodians and Transferors and Registered Payment Token Conversion Providers; and
powers of the Central Bank including with regard to the licensing, registration and supervision of Licensed Payment Token Service Providers, Registered Foreign Payment Token Issuers, Registered Foreign Payment Token Custodians and Transferors and Registered Payment Token Conversion Providers, and on-going reporting requirements;
limitations on certain services and the promotion of services relating to Foreign Payment Tokens, and on acceptance of such Foreign Payment Tokens as a Means of Payment; and
a prohibition of the issuance, promotion and performance of certain services in relation to Algorithmic Stablecoins, Privacy Tokens or other Means of Payment which are not Dirham Payment Tokens or Foreign Payment Tokens.
In exercising its powers and functions under this Regulation, the Central Bank has regard to the following objectives:
ensuring the safety, soundness and efficiency of Payment Token Services;
ensuring adequate protection and avoidance of misappropriation of the Reserve of Assets held by Payment Token Issuers;
adoption of effective and risk-based licensing and registration requirements for Licensed Payment Token Service Providers, Registered Foreign Payment Token Issuers, Registered Foreign Payment Token Custodians and Transferors and Registered Payment Token Conversion Providers; and
promoting consumer protection and innovation.
Exclusions
This Regulation shall not apply to the following:
1. Any activity for which the service provider is licensed by (or requires a license from) the Central Bank under the Retail Payment Services and Card Schemes Regulation or the Stored Value Facilities (SVF) Regulation;
2. Any information technology security, operation of technology infrastructure, trust or privacy protection service not of itself constituting a Payment Token Service;
3. Any service of providing or maintaining a communication network or Distributed Ledger Technology;
4. Any service of providing and maintaining any terminal or device used for any Payment Token Service;
5. Any Payment Token Transfers carried out within a payment system or securities settlement system between Licensed Payment Token Service Providers and settlement agents, central counterparties, clearing houses, central banks or other participants in such system including central securities depositories; or
6. Payment Token Transfers and related services between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking, without any intermediary intervention by a Licensed Payment Token Service Provider, Registered Foreign Payment Token Issuer, Registered Foreign Payment Token Custodian and Transferor or Registered Payment Token Conversion Provider other than an undertaking belonging to the same group.
Part 2
Article (1): Definitions
Except where an alternative definition is expressly stated in this Regulation, the following terms are defined as set out in this Article (1).
1.
Agent: means a juridical person performing Payment Token Services on behalf of a Licensed Payment Token Service Provider.
2.
Algorithmic Stablecoins: means a Virtual Asset which purports to maintain a stable value by reference to a Fiat Currency or other asset as a result of interventions (either automated or manual) by its issuer or another Person to alter the supply of or demand for the Virtual Asset from time to time, and which is used or may be used as a Means of Payment.
3.
AML/CFT: means Anti-Money Laundering and Combating the Financing of Terrorism.
4.
AML Law: means Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations and Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended, and any regulations issued hereunder and any instructions, guidelines and notices issued by the Central Bank relating to their implementation or issued in this regard.
5.
AML Obligor: means a Licensee or Registree.
6.
Applicant: means a juridical person:
a)
duly incorporated in the UAE in accordance with Federal Law No. 2 of 2015 on Commercial Companies, as may be amended or substituted from time to time and as provided for under Article (74) of the Central Bank Law (or other analogous commercial regulation applying in a free zone), which files an Application with the Central Bank for the granting of a License for the provision of one or more Payment Token Services or the modification of the scope of a granted License;
b)
incorporated and located outside of the UAE (which for the purposes of this Regulation would include a juridical person incorporated and located in a Financial Free Zone), which files an Application with the Central Bank for the granting of a Foreign Payment Token Issuer Registration or the modification of the scope of a granted Registration; or
c)
that is a Virtual Assets Exchange Platform Operator, Bank or Exchange House which files an Application with the Central Bank for the granting of a Non-Objection Registration or the modification of the scope of a granted Non-Objection Registration.
7.
Application: means a written request for obtaining a License for the provision of one or more Payment Token Services, for obtaining a Foreign Payment Token Issuer Registration, or for obtaining a Non-Objection Registration, submitted by an Applicant which contains the information and documents specified in this Regulation or by the Central Bank, and is in the form specified by the Central Bank’s Licensing Division, including a written request for obtaining a modification to the scope of a granted License or Registration.
8.
Bank: means any juridical person licensed in accordance with the provisions of the Central Bank Law, to carry on the activity of taking deposits of all types, including Shari`ah-compliant deposits.
9.
Beneficial Owner: means the natural person who owns or exercises effective ultimate control over the Customer or the natural person on whose behalf a transaction is being conducted, or the natural person who exercises effective ultimate control over a legal person or legal arrangement, whether directly or through a chain of ownership, control or other indirect means.
10.
Board: means the board of directors of an Applicant, a Controller of an Applicant, a Licensed Payment Token Service Provider or a Registree in accordance with applicable corporate law.
11.
Business Day: means a day other than Saturday, Sunday, public holiday or other non-working holiday or day in the UAE.
12.
CBUAE Regulation: means any written act that may be adopted or issued by the Central Bank complementing the implementation of this Regulation, such as, without being limited to, rules, directives, decisions, instructions, notices, circulars, standards, and rulebooks.
13.
Central Bank: means the Central Bank of the United Arab Emirates.
14.
Central Bank Digital Currency: means a digital version of a Fiat Currency that is issued by the Central Bank or another central bank.
15.
Central Bank Law: means the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities, as amended.
16.
Consumer Protection Regulation: means Consumer Protection Regulation (Circular No. 8 – 2020) dated 25 November 2020, as amended, and Consumer Protection Standards, as amended.
17.
Controller: means a Person that alone or together with the Person’s associates has an interest in at least 10% of the shares in an Applicant or Licensed Payment Token Service Provider or Registree or is in a position to control at least 10% of the votes in an Applicant or Licensed Payment Token Service Provider or Registree.
18.
Customer: means a Person receiving or potentially receiving a Payment Token Service and includes a Token holder.
19.
Customer Agreement: means a Framework Agreement or a Single Payment Token Service Agreement.
20.
Customer Due Diligence or CDD: means the process of identifying and verifying the identity of a Customer and its Beneficial Owners, whether a natural or legal person or a legal arrangement, and of collecting information as to the nature of the Customer's activity and the purpose of any business relationship between the Customer and the Payment Token Services provider and the ownership structure and control over it.
21.
Data Breach: means an intrusion into an IT system where unauthorized disclosure or theft, modification or destruction of Customer data is suspected and such is likely to result in a loss for the Customer.
22.
Data Subject: means an identified or identifiable natural person who is the subject of Personal Data.
23.
Designated Payment Token: means a Virtual Asset that the Central Bank has designated as a Payment Token in accordance with Article (12)6.
24.
Dirham Payment Token: means a Payment Token whose value is denominated in Dirham (AED), or denominated by reference to the value of another Payment Token whose value is denominated in Dirham (AED), and which is issued by a Dirham Payment Token Issuer.
25.
Dirham Payment Token Issuer: means a Payment Token Issuer that is Licensed to perform Payment Token Issuing for Dirham Payment Tokens pursuant to Article (5)1(a).
26.
Distributed Ledger Technology: means a class of technologies that supports the distributed recording of encrypted data across a network and which is a type of decentralized database of which there are multiple identical copies distributed among multiple participants and accessible across different sites and locations, and which are updated in a synchronized manner by consensus of the participants, without involving a central authority or intermediary using a system other than the network or another distributed ledger.
27.
Dormant Accounts Regulation: means Dormant Accounts Regulation (C 1/2020) dated 15 January 2020, as amended.
28.
Exchange House: means an exchange business that has been licensed under the Regulations re Licensing and Monitoring of Exchange Business.
29.
Exempted Person: means any Person who is exempted from the requirement to hold a License under Article (4).
30.
External Auditor: means an independent juridical Person that has been appointed to audit the accounts and financial statements of a Licensed Payment Token Service Provider in accordance with Article (34)9, to audit the Reserve of Assets of a Licensed Payment Token Issuer in accordance with Article (22)8(b) or to audit the White Paper of a Licensed Payment Token Issuer in accordance with Article (26)4.
31.
FATF: means the Financial Action Task Force, being an inter-government body which sets international standards that aim to prevent global money laundering and terrorist financing activities.
32.
Fiat Currency: means a currency that is controlled by a central bank, has the status of legal tender and is required to be accepted within a given jurisdiction.
33.
Financial Free Zones: means free zones subject to the provisions of Federal Law No. (8) of 2004, regarding Financial Free Zones, as amended.
34.
Foreign Currency: means a Fiat Currency which is not the Dirham (AED).
35.
Foreign Payment Token: means a Payment Token whose value is denominated in a Foreign Currency, or denominated by reference to the value of another Payment Token whose value is denominated in a Foreign Currency.
36.
Foreign Payment Token Custodian and Transferor: means a Person who, by way of business, performs Payment Token Custody and Transfer of Foreign Payment Tokens, pursuant to Article (5)2.
37.
Foreign Payment Token Issuer: means a Payment Token Issuer that is Registered pursuant to Article (5)2.
38.
Foreign Payment Token Registration: means a registration granted by the Central Bank to an Applicant registered and located outside of the UAE (which for the purposes of this Regulation would include a juridical person incorporated and located in a Financial Free Zone) to perform Payment Token Issuing with respect to Foreign Payment Tokens, pursuant to Article (5)2, and Foreign Payment Token Registree refers to a Foreign Payment Token Issuer holding a valid Foreign Payment Token Registration.
39.
Framework Agreement: means an agreement between a Licensed Payment Token Service Provider and a Customer for the provision of a Payment Token Service, other than a Single Payment Token Service Agreement, which governs the rights and obligations as between the Licensed Payment Token Service Provider and the Customer (and their assignees, transferees or successors).
40.
Group: means a corporate group which consists of a parent entity and its subsidiaries, and the entities in which the parent entity or its subsidiaries hold, directly or indirectly, 5% or more of the shares, or are otherwise linked by a joint venture relationship.
41.
License: means a License issued by the Central Bank to provide a Payment Token Service, pursuant to Article (5)1. Licensed refers to having been granted such a License, where such License remains valid, and Licensee refers to a Licensed Payment Token Service Provider holding a valid License.
42.
Licensed Payment Token Issuer: means a juridical person that has been Licensed in accordance with this Regulation to perform Payment Token Issuing.
43.
Licensed Payment Token Service Provider: means a juridical person that has been Licensed in accordance with this Regulation to provide one or more Payment Token Services. For the avoidance of doubt, a Registree is not included within the definition of Licensed Payment Token Service Provider.
44.
Local Licensing Authority: means any authority competent to regulate Virtual Assets in the concerned Emirate in accordance with Cabinet Resolution No. (111) of 2022 Concerning the Regulation of Virtual Assets and their Service Providers, as amended.
45.
Means of Payment: means a Virtual Asset:
a)
which is, or which is able to be used as, or is purported or promoted to be, a store of value, medium of exchange and unit of account; or
b)
which the Central Bank designates, pursuant to Article (3)1, as being a Means of Payment.
46.
Merchant: means a Person who accepts Payment Tokens as a Means of Payment for the sale or provision of goods or services.
47.
Non-Objection Registration: means a registration by the Central Bank of an Applicant based on a decision by the Central Bank to permit the Applicant to perform Payment Token Conversion or Foreign Payment Token Custody and Transfer, pursuant to Article (8)1, and Non-Objection Registree refers to a Payment Token Conversion Provider or Foreign Payment Token Custodian and Transferor holding a valid Non-Objection Registration.
48.
Outsourcing Regulation: means the Outsourcing Regulation for Banks (Circular No. 14/2021) dated 31 May 2021, as amended.
49.
Payee: means a Person who is the intended recipient of a Payment Token Transfer.
50.
Payer: means a Person who performs a Payment Token Transfer of a Payment Token for which it is the Tokenholder, or instructs a Licensee or Registree to perform such Payment Token Transfer on its behalf (by having the Licensee or Registree initiate, facilitate, effect or direct such transfer).
51.
Payment Token: means a Virtual Asset which purports to maintain a stable value by referencing the value of:
a)
the same Fiat Currency as the Payment Token is denominated in; or
b)
another Payment Token also denominated in the same Fiat Currency.
A Designated Payment Token shall be deemed to be a Payment Token.
52.
Payment Token Conversion: means a service, other than Payment Token Issuing, which is performed by way of business, of selling or buying Payment Tokens in return for any form of remuneration by spot conversion as principal or agent or enabling other counterparties to place and accept offers for sale of Payment Tokens.
53.
Payment Token Conversion Provider: means a Person who, by way of business, performs Payment Token Conversion, other than a Person acting as a Payment Token Issuer.
54.
Payment Token Custody and Transfer: means a service, performed by way of business, to:
a)
safeguard, or to safeguard and administer:
(i)
Payment Tokens on behalf of Customers, or
(ii)
private cryptographic keys on behalf of Customers in order to hold, store and transfer Payment Tokens; or
b)
receive, hold and transfer Payment Tokens on behalf of Customers.
For the avoidance of doubt, Payment Token Custody and Transfer excludes provision of technology (including provision of updates to the technology, and support to address any technical issues with the technology) to another Person which enables the other Person to safeguard or safeguard and administer their own Payment Tokens or the cryptographic keys for such Payment Tokens or the Wallet in which they are held, or to transfer such Payment Tokens on their own behalf.
For the avoidance of doubt, Payment Token Custody and Transfer may be a service performed to facilitate or enable a Merchant to receive payments by Payment Token in exchange for the supply of goods or services under a merchant acquiring-style arrangement.
55.
Payment Token Custodian and Transferor: means a Person who, by way of business, performs Payment Token Custody and Transfer.
56.
Payment Token Data: means any information related to a Customer, including financial data and excluding Personal Data.
57.
Payment Token Issuer: means a Person who, by way of business, performs Payment Token Issuing.
58.
Payment Token Issuing: means a sale or transfer, performed by way of business, of a Payment Token, where it is the first occasion on which that Payment Token is sold or transferred.
a)
This can include (without limitation) where such first sale or transfer is undertaken through an exchange or trading venue.
b)
If the first occasion on which a Payment Token is transferred is when one Person (an ‘issuer’) generates a Payment Token (or arranges for its generation) for transfer to a distributor with a view to the distributor selling the Payment Token, or otherwise transferring the Payment Token to the public, the Payment Token Issuing is performed by the distributor rather than by the issuer.
59.
Payment Token Service: means the performance by way of business of any of the following activities:
a)
Payment Token Issuing;
b)
Payment Token Custody and Transfer; and
c)
Payment Token Conversion.
60.
Payment Token Transfer: means an act initiated by the Payer or Payee or on either of their behalves, or by the Payment Token Issuer, of transferring a Payment Token(s) or an interest in a Payment Token(s), whether or not such transfer is performed using Distributed Ledger Technology and irrespective of any underlying obligations between the Payer and the Payee.
61.
Person: means any natural or juridical person.
62.
Personal Data: means any information which is related to an identified or identifiable natural person.
63.
Privacy Token: means a Virtual Asset which, by design, disguises or otherwise obfuscates, or purports to hide or obfuscate, details of its Tokenholder or transaction history which would otherwise be visible to third parties through the Distributed Ledger Technology on which the Virtual Asset is hosted, and which is used or may be used as a Means of Payment.
64.
Promotion: means any form of communication, by any means, aimed at inviting or offering to enter into an agreement for provision of services.
65.
Registered Foreign Payment Token Issuer: means a Foreign Payment Token Issuer which is registered pursuant to Article (5)2.
66.
Registered Foreign Payment Token Custodian and Transferor: means a juridical person that has received a Non-Objection Registration in accordance with this Regulation to perform Payment Token Custody and Transfer of Foreign Payment Token.
67.
Registered Payment Token Conversion Provider: means a juridical person that has received a Non-Objection Registration in accordance with this Regulation to perform Payment Token Conversion.
68.
Registration: means a Foreign Payment Token Issuer Registration or a Non-Objection Registration, and Registered refers to having been granted such a Registration, where such Registration remains valid, and Registree refers to a Foreign Payment Token Issuer or Payment Token Conversion Provider or Foreign Payment Token Custodian and Transferor holding a valid Registration.
69.
Regulation: means this Payment Token Services Regulation.
70.
Reserve of Assets: means the assets held in accordance with Article (22).
71.
Retail Payment Services and Card Schemes Regulation: means Retail Payment Services and Card Schemes Regulation (Circular No. 15/2021) dated 6 June 2021, as amended.
72.
SCA: means the UAE Securities & Commodities Authority.
73.
Senior Management: means a team of individuals at the highest level of management of the Licensee or Registree who have the day-to-day tasks of managing the Licensee’s business.
74.
Single Payment Token Service Agreement: means an agreement which governs the rights and obligations as between a Licensed Payment Token Service Provider and a Customer (and their assignees, transferees or successors) and which is limited to:
a)
governing a single sale, transfer and redemption of Payment Tokens; or
b)
provision of a Payment Token Custody and Transfer Service for a single Payment Token Transfer.
75.
Stored Value Facilities (SVF) Regulation: means Stored Value Facilities (SVF) Regulation (Circular No. 6/2020) dated 30 September 2020, as amended.
76.
Third Country: means any Financial Free Zone or any country other than the UAE.
77.
Tokenholder: means the person who has the lawful power of disposal over a Payment Token.
78.
Transition Period: has the meaning given in Article (40).
79.
UAE: means the United Arab Emirates.
80.
Unauthorized Payment Token Transfer: means a Payment Token Transfer:
a)
initiated, facilitated, effected or directed by a Licensed Payment Token Service Provider as part of its Payment Token Service; and
b)
where such transfer has not been consented to by the Tokenholder or (in the case of the Licensed Payment Token Service Provider selling a Payment Token) the purchaser of the Payment Token.
81.
Virtual Asset: means a digital representation of value or of a right that can be transferred and stored electronically using Distributed Ledger Technology, excluding, for the purposes of this Regulation, Central Bank Digital Currencies.
82.
Virtual Assets Exchange Platform Operator: means a Person licensed by SCA as a virtual assets platform operator and regulated by SCA or any Local Licensing Authority.
83.
Wallet: means a Distributed Ledger Technology address or account to which a Virtual Asset is attributed from time to time and in relation to which a Payment Token Transfer is performed.
84.
Wire Transfer: means any Payment Token Transfer carried out on behalf of a Payer through a Licensed Payment Token Service Provider with a view to making an amount of Payment Tokens available to a Payee at the beneficiary’s Licensed Payment Token Service Provider, irrespective of whether the Payer and the Payee are the same Person.
85.
White Paper: means a document setting out the information stipulated in Article (26) and published or otherwise made available in accordance with the provisions of that Article.
Part 3
Article (2): Prohibitions on Activities and Promotions
Restrictions on activities
1.
No Person shall perform any Payment Token Service within the UAE or directed to Persons in the UAE, unless such Person is Licensed or Registered by the Central Bank to perform such Payment Token Service.
2.
No Person shall perform any service, within the UAE or directed to Persons in the UAE, where that service:
a)
is performed with respect to any Means of Payment that is not a Payment Token; and
b)
is a service that is similar or equivalent to a Payment Token Service.
This prohibition shall apply to all Persons, including any Person acting in the course of performing Virtual Asset activities for which it is licensed or regulated by SCA or a Local Licensing Authority.
3.
No Person shall, within the UAE or directed to Persons in the UAE, issue Algorithmic Stablecoins or Privacy Tokens or perform services relating to Algorithmic Stablecoins or Privacy Tokens. This prohibition shall apply to all Persons, including any Person acting in the course of performing Virtual Asset activities for which it is licensed or regulated by SCA or a Local Licensing Authority.
4.
A Licensee or Registree must not knowingly initiate, facilitate, effect or direct a Payment Token Transfer as part of its Payment Token Service unless the transfer is of a:
a)
Dirham Payment Token issued by a Licensed Payment Token Issuer being used for any lawful purpose; or
b)
Foreign Payment Token issued by a Registered Foreign Payment Token Issuer being lawfully used (or sold for use) as a Means of Payment for purchase of Virtual Assets or derivatives of Virtual Assets.
5.
A Foreign Payment Token Registree may only initiate, facilitate, effect or direct a Payment Token Transfer as part of its Payment Token Service in the UAE if the transfer is of a Foreign Payment Token being used (or sold for use) as a Means of Payment for purchase of Virtual Assets or derivatives of Virtual Assets.
6.
A Licensed Payment Token Issuer may only issue Dirham Payment Tokens to Persons resident in the UAE. For the avoidance of doubt, aside from this Article (2)6 there shall be no restriction under this Regulation as to the territory in which a Payment Token may be used or to or from which it may be transferred.
7.
No Merchant or other Person in the UAE selling goods or services during the course of business may accept a Virtual Asset towards payment for that sale unless that Virtual Asset is:
a)
a Dirham Payment Token issued by a Licensed Payment Token Issuer being used as a Means of Payment; or
b)
a Foreign Payment Token issued by a Registered Foreign Payment Token Issuer being used as a Means of Payment for purchase of a Virtual Asset or Virtual Asset derivative.
8.
A Bank may not act as a Payment Token Issuer, but may, subject to the licensing and other requirements of this Regulation, set up a subsidiary, affiliate or other related entity to perform this activity.
Restrictions on promotions
9.
No Person shall engage in any Promotion, within the UAE or directed to Persons in the UAE, where such Promotion relates to Payment Token Services unless such Person:
a)
has a License or Registration to perform the activities which are the subject matter of the Promotion; or
b)
is appointed by such a Licensee to engage in the Promotion on the Licensee’s behalf.
10.
No Person shall engage in any Promotion, within the UAE or directed to Persons in the UAE, where such Promotion is for services relating to any Means of Payment unless the Promotion solely relates to:
a)
Dirham Payment Tokens issued by Licensed Payment Token Issuers being used for any lawful purpose; or
b)
Foreign Payment Tokens issued by Registered Foreign Payment Token Issuers being lawfully used as a Means of Payment for purchase of a Virtual Asset or Virtual Asset derivative.
This prohibition shall apply to all Persons, including any Person engaging in Promotions relating to Virtual Asset activities for which it is licensed or regulated by SCA or a Local Licensing Authority.
11.
No Person shall engage in a Promotion, within the UAE or directed to Persons in the UAE, where such Promotion is for the issuance of Algorithmic Stablecoins or Privacy Tokens or services relating to Algorithmic Stablecoins or Privacy Tokens. This prohibition shall apply to all Persons, including any Person engaging in Promotions relating to Virtual Asset activities for which it is licensed or regulated by SCA or a Local Licensing Authority.
12.
The Central Bank may require any Person to provide a reasonable level of evidence to demonstrate that such Person is not performing an activity in breach of this Article (2). The Central Bank may request such evidence on a single occasion or may require regular reporting (in such form as the Central Bank may specify from time to time) of such evidence by any Person.
13.
For the avoidance of doubt, reference to ‘the UAE’ in this Article (2) excludes the jurisdiction of the Financial Free Zones.
Article (3): Designation of Means of Payment
1.
The Central Bank may designate a type of Virtual Asset as constituting a Means of Payment.
2.
The Central Bank may require any Person which, within the UAE or directed at Persons in the UAE, issues Virtual Assets or performs services relating to Virtual Assets, to provide the Central Bank with such information as the Central Bank requires in order to determine whether to designate the Virtual Asset as a Means of Payment.
3.
For the avoidance of doubt, reference to ‘the UAE’ in this Article (2) excludes the jurisdiction of the Financial Free Zones.
Article (4): Exemptions
1.
Payment Token Services limited to the following types of Payment Tokens and posing a low level of risk to Customers and the financial system are exempt from this Regulation:
a)
Payment Tokens used for certain reward schemes. Such Payment Tokens may only be:
(i)
issued in return for a sum of money paid by (A) the Payment Token Issuer; or (B) a Merchant under an agreement with the Payment Token Issuer; and
(ii)
used for making payments for goods or services provided by the Payment Token Issuer or Merchant under specific terms and conditions of the Payment Token Service.
Examples may include loyalty schemes provided by shops and supermarkets that offer Payment Token rewards for customer loyalty;
b)
Payment Tokens used for certain bonus point schemes:
(i)
Such Payment Tokens may be used as points or units (by whatever name called) provided by (A) the Payment Token Issuer; or (B) a Merchant who agrees to provide goods or services to the Customer under an agreement with the Payment Token Issuer.
(ii)
The Customer may only use the Payment Token for making payments for goods or services provided by the Payment Token Issuer or a Merchant.
Examples are airline mileage programmes and customer loyalty schemes that provide Payment Tokens to customers to reward their patronage, and whereby such Payment Tokens are not redeemable for cash;
c)
Payment Tokens that can only be used as a Means of Payment for non-financial goods or services provided by the Payment Token Issuer; or
d)
Payment Tokens falling within Article (4)2.
2.
The Central Bank may exempt a Payment Token Issuer from licensing and other requirements under this Regulation with respect to its Payment Tokens, and specify the conditions for such exemption, where:
a)
if the Payment Token Issuer had to hold a Reserve of Assets in accordance with Article (22), the aggregate amount of the Reserve of Assets would not exceed half a million Dirham (500,000 AED) or its equivalent; and
b)
the aggregate number of Tokenholders is not more than 100.
3.
The Central Bank may determine that a Payment Token Service is not exempt or is no longer exempt and require the Person performing the service to apply for a License.
Part 4
Article (5): License Categories
1. A Person that intends to provide Payment Token Services shall as appropriate apply for one or more of the following categories of License:
a) Dirham Payment Token Issuer;
b) Payment Token Custodian and Transferor; and
c) Payment Token Conversion.
2. A Person not incorporated and located in the UAE may apply for a Foreign Payment Token Issuer Registration. For the avoidance of doubt, this includes a Person located in a Financial Free Zone.
Article (6): License Conditions
1.
To be granted a License, an Applicant shall, at the time of submitting an Application:
a)
fulfil the legal form requirement as set out in Article (74) of the Central Bank Law;
b)
meet the respective initial capital requirements specified in Article (13) to (15); and
c)
provide the necessary documents and information specified in the Central Bank application form as provided by the Licensing Division.
2.
The Applicant must be a company incorporated in the UAE, including free zones but excluding Financial Free Zones.
3.
An Applicant must meet, or demonstrate that it will meet upon License issuance, the ongoing requirements set out in Article (12) to Article (36), to the extent applicable to the License category for which it has applied, in particular:
a)
The requirements regarding regulatory capital as set out in Article (13) to Article (15). The Central Bank may add additional requirements regarding regulatory capital or increase the existing ones as a condition for License issuance, where it considers such additional requirements necessary;
b)
The requirements regarding corporate governance, general risk management and internal control, and accounting system as set out in Article (34). In particular, the Board, the Senior Management, and the Controller(s) must have been approved by the Central Bank as fit and proper in the context of the Application before the License is granted;
c)
The requirements regarding risk management policies and procedures for the management and protection of the Reserve of Assets, as set out in Article (22);
d)
The requirements regarding technology and specific risk management policies and procedures for managing the risks arising from the operation of the Payment Token business, as set out in Article (34) and Article (35);
e)
The requirements regarding business conduct and Customer protection as set out in Article (25) to Article (32); and
f)
The requirements regarding anti-money laundering and countering the financing of terrorism, as set out in Article (24).
4.
As part of the licensing process, separate face-to-face meetings between Central Bank staff and the Applicant’s and the Applicant’s Controllers’ Boards and the Senior Management may be conducted.
Independent assessments
5.
The Applicant is required to submit an independent assessment report not older than six (6) months assessing how it will comply with Article (6)3, covering at least the following key areas:
a)
capital requirements;
b)
corporate governance and risk management;
c)
Reserve of Assets management;
d)
technology risk management;
e)
payment security management;
f)
business continuity management;
g)
business conduct and Customer protection; and
h)
AML/CFT control systems.
6.
The Applicant must appoint one or more competent and qualified assessor(s), which are independent from the business units of the Applicant, to carry out the independent assessments. The assessors must not be involved in the operations to be reviewed or in selecting or implementing the relevant control measures to be reviewed, must have relevant knowledge and experience, and must be able to report their findings independently. They must also confirm to the Central Bank that there is no conflict of interest in the conduct of independent assessments.
7.
An Applicant for Payment Token Issuing shall, at the time of submitting an Application, provide a list of all Payment Tokens that it intends to issue. The Central Bank may require that the Applicant obtain a legal opinion for all Payment Tokens assessing whether the Payment Tokens and the operations of the Payment Token Issuer comply with Central Bank regulations including but not limited to whether the White Paper is accurate and the Reserve of Assets is properly held.
Article (7): Licensing Procedure
1. The licensing of Applicants shall be subject to the procedure envisaged in the Central Bank’s licensing manual.
Preliminary meeting with the Central Bank
2. Any Person that is interested in obtaining a License may obtain the Application form from the Licensing Division of the Central Bank.
3. The Senior Management of the Applicant is strongly encouraged to meet and discuss the Applicant’s Payment Token business plan with the Central Bank before submitting a formal Application.
Consultation with home regulator
4. Where a Controller of the Applicant is regulated by another authority, including by authorities in other jurisdictions, the Central Bank may contact the relevant authority about the Applicant to elicit the relevant authority’s views.
Completing and submitting the Application
5. An Application must be lodged with the Central Bank with the completed form and the required documents and information set out in the Annex to this Regulation.
Processing of Application
6. The Central Bank may seek any additional information it deems necessary from the Applicant to reach a decision on the Application.
7. Incomplete information may result in delays. Applicants should, therefore, pay attention to the following points:
a) All Applications must be submitted with documents and information listed in the Annex to this Regulation;
b) Where an Application received is incomplete or supporting documents or information is lacking, the Applicant will be informed in writing that the Application will be treated as “draft” and will be asked to complete the Application or provide the missing information by a date specified by the Central Bank;
c) Where information requested is not received by the specified date or a revised date agreed in writing by the Central Bank at the request of the Applicant, the Application may be treated as “suspended” and the Applicant will be notified of this in writing;
d) Where an Application is “suspended”, the Applicant will be informed in writing that the processing of the Application will cease temporarily. Suspended Applications will be reactivated only when the outstanding information is submitted; and
e) Where an Application is “suspended” for six (6) months or more for any reason, a new Application will be required if the Applicant wishes to pursue the matter further.
Approval of Application
8. The Central Bank may approve an Application for a License made by an Applicant provided that all the licensing criteria are met by the Applicant.
9. The Central Bank may grant the License without conditions or subject to any conditions attached. Conditions attached to a License may include, among others:
a) imposing a higher capital or liquidity requirement;
b) additional requirements relating to protection of the Reserve of Assets; and
c) restrictions on the Payment Token business or any secondary or ancillary businesses, or as to the maximum volume or value of Payment Tokens which may be issued.
10. After the Central Bank has granted a License to an Applicant, the Central Bank will:
a) assign a unique reference number to the License;
b) specify in the License the date on which the License has taken effect; and
c) list the details in (a) and (b) in a publicly available register on its website.
11. A Licensee must ensure that the License reference number of the License assigned to it by the Central Bank is clearly displayed on the Licensee’s website and promotional materials.
Article (8): Application for a Non-Objection to perform Payment Token Conversion or Foreign Payment Token Custody and Transfer
1.
A Virtual Assets Exchange Platform Operator may apply for a Non-Objection Registration in order to perform Payment Token Conversion.
2.
A Bank or Exchange House may apply for a Non-Objection Registration in order to perform Dirham Payment Token Conversion.
3.
A Person who is licensed by SCA or any Local Licensing Authority as a Virtual Assets Service Provider to provide custody services for Virtual Assets, may apply for a Non-Objection Registration to perform Payment Token Custody and Transfer of Foreign Payment Tokens. For the avoidance of doubt, any other Person seeking to perform Payment Token Custody and Transfer shall be required to obtain a Payment Token Custodian and Transferor license from the Central Bank.
4.
To be granted a Non-Objection Registration, an Applicant must provide details in its Application of its SCA or Local Licensing Authority licensing status, where applicable, and the nature and extent of its SCA-licensed or Local Licensing Authority licensed business.
5.
To be granted a Non-Objection Registration, an Applicant must demonstrate, in such manner as the Licensing Division may direct, that it will meet any conditions imposed by the Central Bank and the requirements listed in Article (8)10 or Article (8)11.
Non-Objection Registration process
6.
To be granted a Registration as a Payment Token Conversion Provider or Foreign Payment Token Custodian and Transferor, an Applicant shall, at the time of submitting an Application, provide the necessary documents and information specified in the Central Bank application form as provided by the Licensing Division.
7.
As part of the licensing process, separate face-to-face meetings between Central Bank staff and the Applicant’s and its Controllers’ Boards and Senior Management may be conducted.
8.
Article (7) shall apply to Applicants and Applications for Registration as a Payment Token Conversion Provider or Foreign Payment Token Custodian and Transferor, for which purposes:
a)
references to License, Licensee and licensing in that Article shall be construed as references to Non-Objection Registration, Registered Payment Token Conversion Provider and registration or Registered Foreign Payment Token Custodian and Transferor; and
b)
the Applicant shall only be required to provide such information and documents listed in the Annex as the Central Bank may specify.
9.
The Central Bank may contact SCA and any relevant Local Licensing Authority to obtain such information as the Central Bank considers relevant in relation to the Applicant, including in order to take into account:
a)
the relevant authority’s views in respect of matters such as the financial soundness and the overall internal control environment of the Applicant, and whether SCA or any relevant Local Licensing Authority has any concern about that Applicant extending its business to include Payment Token Conversion; and
b)
the relevant authority’s scope of and approach to regulation and supervision of the Applicant, in order to assist the Central Bank with determining which if any conditions or requirements of this Regulation (in addition to those listed in Article (7)9(c), Article (8)10 and Article (8)11, as applicable) the Central Bank will impose on the Applicant.
Application of this Regulation to Registered Payment Token Conversion Providers
10.
Without prejudice to the other provisions of this Article (8), a Registered Payment Token Conversion Provider which is a Virtual Assets Exchange Platform Operator shall comply with the following Articles of this Regulation:
(i)
(ii)
(iii)
(iv)
(v)
(vi)
(vii)
(viii)
(ix)
(x)
(xi)
(xii)
Article (37); and
(xiii)
to the extent provided for in those Articles.
11.
Without prejudice to the other provisions of this Article (8) and without prejudice to the application of other laws and regulations, a Registered Payment Token Conversion Provider which is a Bank or Exchange House shall comply with the following Articles of this Regulation:
(i)
(ii)
(iii)
(iv)
(v)
(vi)
(vii)
(viii)
(ix)
(x)
(xi)
(xii)
(xiii)
(xiv)
(xv)
(xvi)
Article (37); and
(xvii)
to the extent provided for in those Articles.
12.
The Central Bank may apply any other provision or requirement under this Regulation, not already applicable, to a Registered Payment Token Conversion Provider or Registered Foreign Payment Token Custodian and Transferor if the Central Bank determines it necessary to do so to achieve its statutory objectives.
Article (9): Foreign Payment Token Issuer Registration
1.
A Person incorporated outside the UAE (which for the purposes of this Regulation would include a Person incorporated in a Financial Free Zone) may apply for a Registration as a Foreign Payment Token Issuer.
Registration process
2.
To be granted a Registration as a Registered Foreign Payment Token Issuer, an Applicant shall, at the time of submitting an Application:
a)
provide the necessary documents and information specified in the Central Bank application form as provided by the Licensing Division;
b)
obtain written evidence of the non-objection from SCA or a Local Licensing Authority for the Registration based on a joint framework between the relevant authorities; and
c)
demonstrate, in such a manner as the Licensing Division may direct, that it will meet any conditions which may be imposed by the Central Bank pursuant to Article (7)9(c) and the requirements listed in Article (9)7.
3.
As part of the registration process, separate face-to-face meetings between Central Bank staff and the Applicant’s and its Controllers’ Boards and Senior Management may be conducted.
4.
An Applicant for a Foreign Payment Token Issuer Registration shall, at the time of submitting an Application, provide a list of all Foreign Payment Tokens that it intends to issue and obtain a legal opinion on the assessment for all Foreign Payment Tokens. The legal opinion must assess whether the Foreign Payment Tokens and the operations of the Payment Token Issuer comply with this Regulation including but not limited to whether the White Paper is complete and accurate.
5.
Article (7) shall apply to Applicants and Applications for Registration as a Foreign Payment Token Issuer, for which purposes:
a)
references to License, Licensee and licensing in that Article shall be construed as references to Registration, Registered Foreign Payment Token Issuer and registration;
b)
Article (7)3, Article (7)4, and Article (7)9(a) shall not apply; and
c)
the Applicant shall only be required to provide such information and documents listed in the Annex as the Central Bank may specify.
6.
Where the Applicant is regulated by another authority, including by authorities in other jurisdictions, the Central Bank may contact the relevant authority about the Applicant. The Central Bank may take into account the relevant authority’s views in respect of matters such as the financial soundness and the overall internal control environment of the Applicant, and whether the relevant authority has any concern about that Applicant extending its Payment Token business to the UAE.
Application of this Regulation to Registered Foreign Payment Token Issuers
7.
Without prejudice to the remainder of this Article (9), a Registered Foreign Payment Token Issuer shall comply with the following Articles of this Regulation:
a)
b)
c)
d)
e)
f)
g)
h)
i)
Article (26); and
j)
to the extent provided for in those Articles.
8.
A Registered Foreign Payment Token Issuer shall:
a)
hold a reserve of the same value as the total value of Foreign Payment Tokens which that Foreign Payment Token Registree has issued, and denominated in the same currency as that of the Foreign Payment Tokens which that Foreign Payment Token Registree has issued;
b)
procure and publish regular audits of the reserve referred to in (a) by an External Auditor;
c)
at any time requested by the Central Bank, demonstrate that it holds Fiat Currency received from Customers for the issuance of Payment Tokens to equivalent standards of proper management and safekeeping as are set out in Article (22); and
d)
comply with all laws, regulations and guidance which apply to it in the jurisdiction of its incorporation and in any other jurisdiction in which it operates, including but not limited to AML/CFT laws and regulations.
Article (10): Suspension, Withdrawal and Revocation of License or Registration
1. The Central Bank may suspend, withdraw or revoke a License or Registration as stipulated in the Central Bank Law.
2. Where a License or Registration is suspended, withdrawn or revoked, the Licensee or Registree must immediately cease to perform Payment Token Services.
Part 5
Article (11): Authority Over Licensees and Registrees
1.
The Central Bank may take all measures and actions it deems appropriate in relation to a Licensee or Registree for achieving its objectives and discharging its functions, and may particularly take one or more of the following actions, if a material violation to the provisions of this Regulation has occurred:
a)
The Central Bank may require the concerned Licensee or Registree to take necessary actions to rectify the situation immediately;
b)
The Central Bank may appoint a specialized expert, or a Central Bank employee, to advise or guide the concerned Licensee or Registree or oversee some of its operations, for a period specified by the Central Bank. The concerned Licensee or Registree shall pay remuneration for such appointee if he is an expert from outside the Central Bank;
c)
The Central Bank may appoint a manager where the Central Bank is of the view that the management of a Licensee cannot be relied upon to take appropriate steps to rectify a situation. The main objectives of appointing a manager to take control of the management of a Licensee are:
(i)
to provide for the control of the affairs, business and property of a Licensee until such time as the Central Bank is satisfied that its concerns in relation to that Licensee have been addressed; or
(ii)
to safeguard the assets and maintain the business of the Licensee until a liquidator can be appointed;
d)
The Central Bank may take any other action or measure, or impose any penalties it deems appropriate, in relation to a Licensee or Registree.
2.
Where the Central Bank provides a Non-Objection Registration to a Virtual Assets Exchange Platform Operator, the Central Bank will coordinate with the relevant Local Licensing Authorities before and when taking any measures or actions under Article (11)1.
Article (12): Restrictions on Payment Tokens
1.
All Payment Tokens issued by a Dirham Payment Token Issuer shall be denominated only in Dirham.
2.
All Payment Tokens issued by a Foreign Payment Token Issuer shall be denominated only in a Foreign Currency.
3.
A Payment Token Issuer may not (and may not arrange that another person shall) pay to or for the benefit of a Customer:
a)
interest related to the length of time during which the Customer holds a Payment Token; or
b)
any other benefit related to the length of time during which the Customer holds a Payment Token,
with respect to Payment Tokens for which the Payment Token Issuer performs Payment Token Issuing.
4.
The Central Bank may place a limit(s) on:
a)
the total volume or value of Payment Tokens which a Dirham Payment Token Issuer may sell or transfer, or restrict the sale or transfer of further Payment Tokens by that Payment Token Issuer;
b)
the total volume or value of Payment Tokens which a Foreign Payment Token Issuer may sell or transfer to Persons in the UAE, or restrict the sale or transfer of further Payment Tokens by that Payment Token Issuer to Persons in the UAE;
c)
the total number of Customers, or restrict the onboarding of new Customers, to which a Dirham Payment Token Issuer may sell or transfer its Payment Tokens;
d)
the total number of Customers in the UAE, or restrict the on-boarding of new Customers in the UAE, to which a Foreign Payment Token Issuer may sell or transfer its Payment Tokens;
e)
the total volume or value of Payment Tokens which a Payment Token Conversion Provider may buy, sell or admit to trading on its platform; and
f)
the total number of Customers to which a Payment Token Conversion Provider or Payment Token Custodian and Transferor may provide services, or the on-boarding of new Customers by that Payment Token Conversion Provider or Payment Token Custodian and Transferor.
5.
If the Central Bank determines that to do so is necessary to achieve its statutory objectives, the Central Bank may impose any other restrictions on a specific Licensee or Registree, or across Licensees and Registrees.
6.
If the Central Bank determines that to do so is necessary to achieve its statutory objectives, the Central Bank may designate any Virtual Asset to be a Payment Token whether or not it is sold or transferred by a Payment Token Issuer, and may impose any one or more of the restrictions set out in Article (12)4 in relation to such Designated Payment Token.
7.
If the Central Bank imposes any restriction set out in Article (12)4, the Licensed Payment Token Service Provider, Registered Foreign Payment Token Issuer, Registered Foreign Payment Token Custodian and Transferor or Registered Payment Token Conversion Provider must:
a)
provide the Central Bank with daily reporting evidence verifying its compliance with such restriction(s); and
b)
maintain policies and procedures to ensure that any breach of such a restriction is rectified promptly.
Article (13): Regulatory Capital Requirement for Licensed Payment Token Issuers
1.
A Licensed Payment Token Issuer must maintain at least:
a)
Initial and ongoing capital of fifteen (15) million Dirhams; plus
b)
additional ongoing capital of at least 0.5% of the Fiat Currency face value of outstanding Payment Tokens.
2.
A Payment Token Issuer subject to the alternative requirement for the Reserve of Assets as set out in Article (22)3 must, instead of the requirement in Article (13)1 above, maintain at least:
a)
initial and ongoing capital of fifteen (15) million Dirhams; plus
b)
additional ongoing capital of at least 2% of the Fiat Currency face value of outstanding Payment Tokens.
Article (14): Regulatory Capital Requirement for Licensed Payment Token Custodians and Transferors and Licensed Payment Token Conversion Providers
1.
A Licensed Payment Token Service Provider performing Payment Token Custody and Transfer or Payment Token Conversion shall:
a)
where the monthly average value of Payment Token Transfers initiated, facilitated, effected, directed or received by that Licensed Payment Token Service Provider as part of those Payment Token Services amounts to ten (10) million Dirhams or above, hold regulatory capital of at least three (3) million Dirhams; and
b)
where the monthly average value of Payment Token Transfers initiated, facilitated, effected, directed or received by that Licensed Payment Token Service Provider as part of those Payment Token Services amounts to less than ten (10) million Dirhams, hold regulatory capital of at least one and a half (1.5) million Dirhams.
2.
For a Licensed Payment Token Service Provider falling within Article (14)1(b) whose monthly average value of Payment Token Transfers referred to in Article (14)1 rises above ten (10) million Dirhams in three (3) consecutive months, the Licensee shall report this fact to the Central Bank and become subject to the higher regulatory capital requirement in Article (14)1(a).
3.
The monthly average value of Payment Token Transfers referred to in Article (14)1 shall:
a)
be calculated on the basis of the moving average of the preceding three (3) months or, where such data does not exist at the time of being granted a License by the Central Bank, on the basis of the business plan and financial projections provided; and
b)
take into account both Payment Token Transfers initiated, facilitated, effected or directed by a Licensed Payment Token Service Provider and those received by the provider.
Article (15): Regulatory Capital Supplementary Requirements (for all Licensed Payment Token Service Providers)
1.
The Central Bank may impose aggregate regulatory capital requirements higher than that provided for in Article (13) and Article (14) if, taking into consideration the scale and complexity of the Licensee’s business, it considers such higher requirements essential to ensuring that the Licensee has the ability to fulfil its obligations under this Regulation.
2.
An Applicant shall provide information to the Central Bank on the source(s) of funds that constitute the regulatory capital held under Article (13) or Article (14).
Capital Items
3. A Licensed Payment Token Service Provider’s aggregate regulatory capital shall consist of:
a) Paid-up capital;
b) Reserves, excluding revaluation reserves; and
c) Retained earnings.
4. In addition to the capital requirement, an unconditional irrevocable bank guarantee equal to the full paid-up capital amount in favour of the Central Bank paid upon first demand, shall be submitted to the Central Bank with the application of the License. Such a guarantee must remain in place at all times.
5. A Licensee must demonstrate that its regulatory capital and other financial resources are sufficient for implementing its business model in a safe, efficient and sustainable manner, without compromising the interests of Customers.
6. A Licensee must provide adequate details to the Central Bank on the source of funds that will be used to support the proposed business activities.
7. A Licensee must demonstrate that it will be able to maintain sufficient regulatory capital and other financial resources to facilitate an orderly wind-down of its Payment Token business, including a smooth refunding process.
Deductions
8.
The following items shall be deducted from the aggregate regulatory capital:
a)
Accumulated losses;
b)
Anticipated losses in the first year of operation;
c)
Goodwill;
d)
Any assets encumbered to secure the unconditional irrevocable bank guarantee; and
e)
Any other items which the Central Bank may direct from time to time.
9.
If a Licensed Payment Token Service Provider is both:
a)
Licensed as a Payment Token Conversion Provider or Payment Token Custodian and Transferor; and
b)
licensed or regulated for any Virtual Asset activities by SCA or any Local Licensing Authority,
any regulatory capital it holds pursuant to requirements imposed by SCA or any Local Licensing Authority shall not contribute towards satisfying the regulatory capital requirements in this Article (15).
Article (16): Assessment of Controllers and Senior Management
1.
A Person shall not become a Controller or member of Senior Management of a Licensed Payment Token Service Provider without obtaining prior approval from the Central Bank.
2.
The Central Bank shall grant an approval under Article (16)1 if it considers that the proposed Controller or member of Senior Management meets all fit and proper requirements specified by the Central Bank.
3.
The Central Bank may attach conditions to its approval under Article (16)1 of a Controller, including but not limited to:
a)
conditions restricting or preventing the Person’s disposal or further acquisition of shares or voting powers in the Licensed Payment Token Service Provider; and
b)
conditions restricting or preventing the Person’s exercise of voting power in the Licensed Payment Token Service Provider.
Article (17): Principal Business
1.
The exclusive business of a Payment Token Issuer shall be the performance of the Payment Token Issuing for which it has been granted a License.
a)
In addition to performing the sale or transfer of Payment Tokens that forms part of its Payment Token Issuing, a Payment Token Issuer shall be responsible for the generation of Payment Tokens, development and maintenance of associated technology required for Payment Tokens to operate in accordance with their White Paper and Customer Terms, and burning of Payment Tokens. If any of those activities are performed by another Person, they must be performed on behalf of the Payment Token Issuer and in accordance with the outsourcing requirements under Article (20).
2.
The exclusive business of a Payment Token Conversion Provider or Payment Token Custodian and Transferor which is a Virtual Assets Exchange Platform Operator shall be the performance of:
a)
any Payment Token Conversion and Payment Token Custody and Transfer activities for which it has been granted a License or Non-Objection Registration; and
b)
any Virtual Asset activities for which it is licensed or regulated by SCA or any Local Licensing Authority prior to receipt of its License or Non-Objection Registration under this Regulation.
3.
The exclusive business of a Payment Token Conversion Provider or Payment Token Custodian and Transferor which is an Exchange House shall be the performance of:
a)
Any Payment Token Conversion and Payment Token Custody and Transfer activities for which it has been granted a License or Non-Objection Registration; and
b)
any activities for which it is licensed or regulated by the CBUAE under the Regulations re Licensing and Monitoring of Exchange Business.
4.
The exclusive business of a Payment Token Conversion Provider or Payment Token Custodian and Transferor which is licensed under the Retail Payment Services and Card Schemes Regulation or the Stored Value Facilities (SVF) Regulation shall be the performance of:
a)
any Payment Token Conversion and Payment Token Custody and Transfer activities for which it has been granted a License; and
b)
any activities for which it is licensed, regulated or otherwise approved by the CBUAE under the Retail Payment Services and Card Schemes Regulation or the Stored Value Facilities (SVF) Regulation.
5.
Except where one of Article (17)2 to Article (17)4 apply or the Payment Token Conversion Provider or Payment Token Custodian and Transferor is a Bank, the exclusive business of a Payment Token Conversion Provider or Payment Token Custodian and Transferor shall be the performance of any Payment Token Conversion and Payment Token Custody and Transfer activities for which it has been granted a License.
Article (18): Notification and Reporting Requirements
1.
Where any material change affects the accuracy and completeness of information provided in an Application, the Applicant, Licensee or Registree, as the case may be, shall immediately notify the Central Bank of such change and provide all necessary information and documents.
2.
A Licensee or Registree shall immediately notify the Central Bank of any violation or potential violation of any provision of this Regulation or CBUAE Regulations. Such notification must be accompanied by details of adequate measures which the Licensee or Registree will implement to rectify the violation.
3.
A Licensee or Registree shall immediately notify the Central Bank if it becomes aware that any of the following events have occurred or are likely to occur:
a)
any event that prevents access to or disrupts the operations of the Licensee or Registree;
b)
any legal action taken against the Licensee or Registree either in the UAE or in a Third Country;
c)
the commencement of any insolvency, winding up, liquidation or equivalent proceedings in relation to the Licensee or Registree, or the appointment of any receiver, administrator or provisional liquidator under the laws of any country;
d)
any disciplinary measure or sanction taken against the Licensee or Registree or imposed on it by a regulatory body other than the Central Bank, whether in the UAE or in a Third Country;
e)
any change in regulatory requirements to which a Licensee or Registree is subject beyond those of the Central Bank, whether in the UAE or in a Third Country;
f)
any repeated occurrence of sales of a Payment Token at below its nominal/Fiat Currency face value where the sale is by or facilitated by the Licensee or Registree; or
g)
any other event specified by the Central Bank from time to time.
4.
Payment Token Conversion Providers and Payment Token Custodian and Transferors shall report to the Central Bank on the volume and value of business that they conduct in relation to Virtual Assets which are not Payment Tokens, in accordance with such reporting requirements as the Central Bank may determine from time to time.
5.
Licensees shall report to the Central Bank on their complaints management programme, including reporting on the number of complaints received, the topics of complaints, the number of open and closed complaints, and the amount of time complaints have been open or took to close, in accordance with such reporting requirements as the Central Bank may determine from time to time.
6.
Licensees and Registrees must comply with any further regular or ad-hoc reporting as determined by the Central Bank.
7.
Notwithstanding the paragraphs above, Licensees and Registrees shall, as appropriate and applicable, comply with their notification requirements as further specified in this Regulation, including but not limited to under:
a)
b)
c)
d)
e)
Article (19): Use of Agents
1.
Where a Licensee intends to perform Payment Token Services through an Agent, it must conduct an assessment of such arrangement and provide a report to the Central Bank of the following:
a)
name and address of each Agent;
b)
assessment of the adequacy of the internal control mechanisms that will be used by the Agent in order to comply with the requirements of Article (33) and any CBUAE Regulations produced under it;
c)
assessment of the Persons responsible for the management of the Agent, and evidence that they fulfil any fit and proper requirements specified by the Central Bank;
d)
the scope of Payment Token Services for which the Agent is mandated; and
e)
evidence of the Licensed Payment Token Service Provider’s adherence, in its contractual arrangements with the Agent, to Article (20).
2.
The Central Bank shall assess the suitability of a proposed Agent and Agent arrangements based on the report submitted under Article (19)1, and may require the Licensee to supply additional information for its assessment.
a)
Following its assessment, the Central Bank shall make a decision whether to approve or decline to approve the Agent.
b)
The Licensee shall not engage an Agent to perform Payment Token Services before having received such approval.
3.
Licensees shall contractually ensure that Agents acting on their behalf disclose this fact to Customers.
4.
Licensees shall:
a)
immediately notify the Central Bank of any change regarding their use of Agents; and
b)
on an annual basis conduct an additional assessment and provide an additional report to the Central Bank of the matters listed in Article (19)1.
5.
The Central Bank may suspend, withdraw or revoke its approval of an Agent. Where the approval of an Agent is suspended, withdrawn or revoked, the Licensee must ensure that the Agent immediately ceases to perform Payment Token Services on the Licensee’s behalf.
6.
Licensees shall be responsible for ensuring and maintaining appropriate training and qualifications for their Agents.
7.
A Payment Token Service performed by an Agent shall be treated as performed by its principal Licensees.
Article (20): Outsourcing
All Licensees shall comply with the Outsourcing Regulation as if they were a “Bank” as defined in the Outsourcing Regulation.
Part 6
Article (21): Issuance and Redemption of Payment Tokens
1. A Payment Token Issuer must:
a) on receipt of payment for a Payment Token, without delay transfer the Payment Token to the Wallet nominated by the purchaser; and
b) at the request of the Tokenholder, without delay (and in any case by the same time on the next Business Day after the day on which the request was made, unless the Central Bank permits otherwise) redeem (or, in the case of a Foreign Payment Token, initiate redemption) in Fiat Currency at par value the Dirham (AED) or Foreign Currency denominated face value of the Payment Token presented by the Tokenholder to the Payment Token Issuer for redemption.
2. A Tokenholder may request redemption of a Payment Token without any limitation in time. The Central Bank may extend the Dormant Accounts Regulation, or any provision thereof to Payment Token Issuers.
3. A Tokenholder shall not be entitled to a Payment Token once it is redeemed.
4. A Payment Token Issuer must provide a Customer with a Customer Agreement that clearly and prominently states the conditions of redemption, including any fees relating to redemption, in good time before the parties enter into the Customer Agreement.
5. Redemption may be subject to a fee only where the fee is proportionate and commensurate with the costs actually incurred by the Payment Token Issuer.
6. A Licensed Payment Token Issuer must:
a) maintain a copy of the Distributed Ledger Technology on which its Payment Tokens are issued;
b) put in place a process to enable Customers to redeem their Payment Tokens in the event of a failure or other disruption of the Distributed Ledger Technology on which the Payment Token is issued, which does not rely on the normal operation of that Distributed Ledger Technology; and
c) in the event that a ‘fork’ or similar event which results in the creation of one or more versions of a Payment Token, redeem any one version of each Payment Token as if it were the version of the Payment Token that the Payment Token Issuer originally sold or transferred.
Article (22): Management and Safekeeping of the Reserve of Assets
Requirement for a Reserve of Assets
1.
A Licensed Payment Token Issuer must have in place an effective and robust system to protect and manage the Reserve of Assets to ensure that the constituent assets:
a)
are deployed for the prescribed usage only;
b)
are protected against claims by other creditors of the Licensee in all circumstances; and
c)
are protected from operational and other relevant risks.
Composition of the Reserve of Assets
2.
A Licensed Payment Token Issuer must hold the Reserve of Assets as cash in a separate escrow account that:
a)
is wholly denominated in the same currency as the Payment Tokens in relation to which it is held;
b)
it holds in its name with another Person not in its Group which is a Bank licensed in the UAE;
c)
is designated in such a way as to show that it is an account which is held for the purpose of safeguarding the Reserve of Assets in accordance with this Regulation; and
d)
is used only for holding that Payment Token Issuer’s Reserve of Assets.
3.
Where a Licensed Dirham Payment Token Issuer is a wholly-owned subsidiary of a Bank, it may choose, as an alternative to holding 100% of the Reserve of Assets in accordance with Article (22)2, to hold at least 50% of the Reserve of Assets as cash in accordance with Article (22)2 and invest the remaining portion of the Reserve of Assets in UAE government bonds and Central Bank of the UAE Monetary Bills (M-bills) that have an average duration of 6 months or less. If the Dirham Payment Token Issuer makes such a choice, it must hold regulatory capital in accordance with Article (13)2.
4.
The Central Bank may require a Licensed Payment Token Issuer to hold the Reserve of Assets as cash in an account held with the Central Bank, rather than on one of the other bases permitted under this Article (22).
Protection of the Reserve of Assets
5.
A Licensed Payment Token Issuer must put in place an effective contractual arrangement to ensure that, in the event of its insolvency, its Customers have a legal right and claim to payment of all amounts owed on the redemption of their Payment Tokens from the Reserve of Assets. A Licensed Payment Token Issuer shall, at the request of the Central Bank, seek an external legal opinion on the protection arrangement of the Reserve of Assets to ensure the legal soundness of the arrangements, and commission an independent review to ensure the operational soundness.
6.
A Licensed Payment Token Issuer must ensure that no other Person has any claim on or interest in the Reserve of Assets.
7.
The Reserve of Assets held in relation to one type of Payment Token must be segregated (including being held in a different account or Wallet) from that held in relation to any other type of Payment Token.
Management of the Reserve of Assets
8.
A Licensed Payment Token Issuer must ensure that the value of its Reserve of Assets amounts at least to the total Fiat Currency face value of Payment Tokens in circulation, including without limitation by putting in place:
a)
an adequate process to ensure timely and accurate records of cash or Payment Tokens paid into and out of a Reserve of Assets, with appropriately regular reconciliation between system records and the actual Reserve of Assets (e.g. balances of the account or Wallet holding the Reserve of Assets). Such reconciliation must be done at least on a daily basis and reported to the Central Bank daily;
b)
a monthly audit by an External Auditor, who is not an officer or employee of the Payment Token Issuer or an officer or employee of another company or undertaking in its Group, to confirm that, during the course of the preceding month, the value of its Reserve of Assets amounted at all times at least to the total Fiat Currency face value of Payment Tokens in circulation; and
c)
effective internal control measures and procedures, which constitute an integral part of the Licensee’s or Registree’s overall robust internal control system, to protect the Reserve of Assets from possible misappropriation and all operational risks, including the risk of theft, fraud and misappropriation.
Article (23): Safeguarding of Payment Tokens Held in Relation to the Performance of Payment Token Custody and Transfer
1.
Payment Token Custodians and Transferors must keep Customer Payment Tokens in a separate Wallet from any Wallet that it uses to hold any other Virtual Assets.
2.
A Wallet in which Customer Payment Tokens are placed under Article (23)1 must:
a)
be designated as a Wallet held for the purpose of safeguarding or holding Customer Payment Tokens in accordance with this Regulation; and
b)
be used only for holding those Customer Payment Tokens.
3.
No person other than the Customer may have any interest in or right over the Customer Payment Tokens placed in a Wallet in accordance with Article (23)1.
4.
The Payment Token Custodian and Transferor must keep a record of any Customer Payment Tokens segregated in accordance with Article (23)1.
Part 7
Article (24): Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations
1.
This Article (24) applies to an AML Obligor in addition to, and without prejudice to, that AML Obligor’s obligations under other applicable UAE AML/CFT laws and regulations, including but not limited to the AML Law.
2.
AML Obligors must comply with relevant and applicable UAE AML/CFT laws and regulations, address money laundering and terrorist financing risks through appropriate preventive measures to deter abuse of the sector as a conduit for illicit funds, detect money laundering and terrorist financing activities and report any suspicious transactions to the Financial Intelligence Unit at the Central Bank.
3.
AML Obligors must have comprehensive and effective internal AML/CFT policies, procedures and controls in place.
4.
AML Obligors shall be prohibited from invoking banking, professional or contractual secrecy as a pretext for refusing to perform their statutory reporting obligation in regard to suspicious activity.
5.
Payment Token Services shall be considered to carry high money laundering and terrorist financing risk due to their speed, anonymity and cross-border nature.
6.
AML Obligors must identify, assess, and understand the AML/CFT risks to which they are exposed and conduct enterprise-level and business relationship-specific risk assessments. Accordingly, all AML/CFT CDD, monitoring and controls must be risk-based and aligned to the risk assessments.
7.
AML Obligors shall undertake an AML/CFT risk assessment and take appropriate measures to manage and mitigate the identified risks in accordance with applicable legal and regulatory requirements. AML Obligors shall comply with the FATF Guidance for a Risk-based Approach to Virtual Assets and Virtual Assets Service Providers, as may be supplemented from time to time, or any related standards or guidance in assessing and managing risks in Payment Token Services.
8.
AML Obligors shall undertake periodic risk profiling of Customers and assessment based on the AML/CFT requirements.
9.
AML Obligors shall assess whether a business relationship presents a higher money laundering and terrorist financing risk and assign a related risk rating. AML Obligors shall be prohibited from dealing in any way with shell banks or other shell financial institutions and from establishing or maintaining any business relationship or conducting any Payment Token Services under an anonymous or fictitious name or by pseudonym or number.
10.
AML Obligors shall ensure that their CDD models are designed to address the specific risks posed by a Customer profile and Payment Token or Payment Token Service features. AML Obligors shall be prohibited from establishing or maintaining any business relationship with a Customer or performing any Payment Token Services for a Customer in the event that they are unable to complete adequate risk-based CDD measures for any reason for that Customer.
11.
AML Obligors must undertake CDD measures concerning Wire Transfers as stipulated in the relevant provisions of the AML Law if Wire Transfer services are provided by the AML Obligor. AML Obligors must introduce appropriate systems for screening, as part of the CDD process, on all parties involved in a transaction against all applicable sanction lists (including the UN sanction lists and the names contained in the ‘search notices’/‘search and freeze notices’ issued by the Central Bank).
12.
If AML Obligors conduct Wire Transfers, they must take freezing action and prohibit conducting transactions with designated persons and entities, as per the obligations set out in the Central Bank’s Notice 103/2020 on the Implementation of United Nations Security Council (UNSC) and the UAE Cabinet Resolutions regarding UNSC and Local Lists, as amended from time to time.
13.
AML Obligors must also be guided by FATF Standards on anti-money laundering and countering the financing of terrorism and proliferation. AML Obligors must incorporate the regular review of AML/CFT trends and typologies into their compliance training programmes as well as into their risk identification and assessment procedures.
Risk Factors
14.
In assessing the risk associated with a Payment Token or Payment Token Service for the purposes of Article (24)6, 7, 10 and 13, AML Obligors must take into account the following risk factors:
a)
maximum stored value or transaction amount of the Payment Token Service or Wallet – Payment Token Services or Wallets which enable higher transaction values or higher maximum stored value may increase the money laundering and terrorist financing risk;
b)
methods of funding – Payment Token Services or Wallets that can be funded by cash or with little or no audit trail present a higher money laundering and terrorist financing risk. Funding from unverified sources or via other payment methods without Customer identification can also create an anonymous funding mechanism and hence present higher money laundering and terrorist financing risks;
c)
cross-border usage – in general, Payment Tokens and Payment Token Services providing for cross-border usage may increase the risk as transactions may be subject to different AML/CFT requirements and oversight in other jurisdictions and also give rise to difficulties with information sharing;
d)
person-to-person fund transfer function – Payment Tokens and Payment Token Services that allow person-to-person fund transfers may give rise to higher money laundering and terrorist financing risks;
e)
cash withdrawal function – Payment Tokens and Payment Token Services that enable access to cash for instance through automated teller machine networks may increase the level of money laundering and terrorist financing risk;
f)
holding of multiple Wallets – Payment Token Services that allow a Customer to hold more than one Wallet may also increase the money laundering and terrorist financing risk as it may be utilized by a third-party user other than the Customer;
g)
payment for high-risk activities – some Merchant activities, for example, gaming, present higher money laundering and terrorist financing risks.
15.
The money laundering and terrorist financing risks of a Payment Token or Payment Token Service can be reduced by implementing risk mitigating measures, which may include:
a)
the application of limits on the maximum storage values, cumulative turnover or transaction amounts;
b)
disallowing higher risk funding sources;
c)
restricting the Payment Token Services from being used for higher risk activities;
d)
restricting higher risk functions such as cash access; and
e)
implementing measures to detect multiple Wallets held by the same Customer or group of Customers.
16.
The level of money laundering and terrorist financing risks posed by a particular Payment Token or Payment Token Service will depend on a consideration of all risk factors, the existence and effectiveness of risk mitigating measures and their functionality.
17.
AML Obligors must assess whether a business relationship with a Customer presents a higher money laundering and terrorist financing risk and assign a related risk rating. Generally, the Customer risk assessment will be based on the information collected during the identification stage and subsequently updated as new information becomes available through ongoing due diligence and transaction monitoring. AML Obligors must ensure that their CDD models are designed to address the specific risks associated to its Customer profile and Payment Token or Payment Token Service features.
Compliance management arrangements
18.
AML Obligors must have appropriate compliance management arrangements that facilitate their implementation of AML/CFT systems to comply with relevant legal and regulatory obligations and to manage money laundering and terrorist financing risks effectively. Compliance management arrangements must at a minimum include oversight by the AML Obligor’s Senior Management and appointment of a compliance officer and a money laundering reporting officer.
19.
In addition, AML Obligors must put in place comprehensive AML/CFT policies and procedures in accordance with the AML/CFT laws and regulations.
Use of technology
20.
The Central Bank supports innovative means by which AML Obligors implement AML/CFT systems effectively as well as exploring the greater use of technology and analytical tools. The Central Bank expects AML Obligors, before introducing any new product, service or technology, to conduct adequate risk assessments and ensure that any identified risks are effectively managed or mitigated.
21.
In general, the electronic Know Your Customer process currently adopted by licensed banks for digital onboarding of Customers is acceptable for Wallet opening and provision of Payment Token Services. No physical face-to-face meetings with the Customer or physical documents verification are required so long as the digital authentication of the Customer and digital verification of all required documents can be done in accordance with the existing requirements of the Central Bank.
22.
Depending on the nature of relationship, AML Obligors may undertake additional CDD measures, including the collection of sufficient information to adequately understand the nature of the Customer’s business. The extent of CDD measures should be commensurate with the assessed money laundering and terrorist financing risks of the Customer.
23.
Globally there is an emerging range of new products and services involving Virtual Assets. In line with the FATF standards, before an AML Obligor offers any new products relating to Virtual Assets, it must undertake money laundering and terrorist financing risk assessment and take appropriate measures to manage and mitigate the identified risks in accordance with applicable legal and regulatory requirements. AML Obligors are encouraged to refer to the suggestions provided by the FATF Guidance for a risk-based approach to Virtual Assets.
Part 8
Article (25): Obligations Towards Customers
1. Licensees and Registrees must be operated prudently and with competence in a manner that will not adversely affect the interests of their Customers.
a) In addition, Licensees and Registrees must also observe and comply with the relevant regulatory requirements and standards on consumer protection of the Central Bank, including all relevant provisions of the Consumer Protection Regulation.
b) For the avoidance of doubt, in case of discrepancies between this Regulation and the Consumer Protection Regulation, the respective provisions of the Consumer Protection Regulation shall prevail.
2. Licensees and Registered Payment Token Conversion Providers must:
a) maintain a copy of each Distributed Ledger Technology on which it provides Payment Token Services; and
b) in the event that a ‘fork’ or similar event results in the creation of two or more versions of a Payment Token, treat any one version of each Payment Token presented by a Customer as being equal to any other version of the same type of Payment Token and as if it were the version of the Payment Token to which its Payment Token Service applies.
3. Licensees and Registrees must ensure that their business is operated in a responsible, honest and professional manner. Licensees and Registrees must treat all Customers, as well as merchants, equitably, honestly and fairly at all stages of their relationship with the Licensee or Registree. Licensees and Registrees must also act in a manner that will not adversely affect the interests of their Customer.
4. Licensees and Registered Payment Token Conversion Providers must be responsible for the acts or omissions of their Senior Management, employees, service providers and Agents in respect of the conduct of its business. Senior Management, employees and Agents of Licensees and Registered Payment Token Conversion Providers must be properly trained and qualified.
5. Licensees and Registered Payment Token Conversion Providers must ensure that they adopt and, if needed, develop good business practices that can demonstrate their standard of conduct, including as follows:
a) Due diligence must be performed by Licensees and Registered Payment Token Conversion Providers to ensure that all promotional materials it issues are accurate and not misleading;
b) Licensees and Registered Payment Token Conversion Providers may use their websites and mobile apps to provide links to other online merchants. Before providing such links, the Licensee or Registered Payment Token Conversion Provider must carry out due diligence on the merchants to ascertain they are bona fide companies conducting legitimate business so as to manage reputational risk;
c) Websites or apps of Licensees and Registered Payment Token Conversion Providers may only provide hyper-links to other websites that offer advisory and/or sale of Payment Token Services, or financial products and services, if the arrangements comply with all relevant legal and regulatory requirements. The Central Bank may require that the Licensee or Registered Payment Token Conversion Provider obtain a legal opinion assessing whether such arrangements comply with all relevant legal and regulatory requirements; and
d) Licensees and Registered Payment Token Conversion Providers shall adhere to such other disclosure or customer communications requirements as the Central Bank may direct in CBUAE Regulations from time to time or otherwise require.
Article (26): Payment Token White Papers
1.
Obligation to publish a White Paper
a)
No Payment Token Issuer shall perform Payment Token Issuing with respect to a Payment Token unless that Payment Token Issuer has:
(1) produced a White Paper in respect of that Payment Token;
(2) submitted the White Paper to the Central Bank;
(3) received the Central Bank’s acceptance of the White Paper; and
(4) published the White Paper,
in accordance with this Article (26).
b)
The Central Bank may publish a White Paper with respect to a particular Payment Token on its website, in which case any Payment Token Issuer which publishes a web-link to the White Paper on the Central Bank website shall be deemed to have complied with Article (26)1(a).
2.
Content and form of the White Paper
a)
A White Paper shall contain, insofar as it is relevant to each Licensee or Registered Foreign Payment Token Issuer, a detailed description of all of the following:
I.
the Payment Token Issuer;
II.
the type of Payment Token that will be offered to the public;
III.
the number of Payment Tokens that will be issued and the issue price;
IV.
the rights and obligations attached to the Payment Token and the procedures and conditions for exercising those rights;
V.
information on the underlying technology and standards applied by the Payment Token Issuer when allowing for the holding, storing and transfer of those Payment Tokens;
VI.
the risks relating to the Payment Token Issuer issuing Payment Tokens, the Payment Tokens, the offer to the public, and other disclosures that the Central Bank may specify;
VII.
the Payment Token Issuer’s governance arrangements, including a description of the role, responsibilities and accountability of the third-parties responsible for operating, investment and custody of the Reserve of Assets, and, where applicable, the distribution of the Payment Tokens;
VIII.
the constituent parts of the Reserve of Assets held by the Licensed Payment Token Issuer or similar reserve held by a Registered Foreign Payment Token Issuer;
IX.
the custody arrangements for the Reserve of Assets or similar reserve held by a Registered Foreign Payment Token Issuer, including but not limited to the relevant segregation and safeguarding measures;
X.
information on the nature and enforceability of rights, including any direct redemption right or any claims that holders of Payment Tokens may have on the Reserve of Assets (or other reserve held by a Registered Foreign Payment Token Issuer) or against the Payment Token Issuer issuing the Payment Tokens, including how such rights may be treated in insolvency procedures;
XI.
information on the permitted use of a Payment Token and any restrictions on its use including having regard to Article (2) and Article (12); and
XII.
any such other matters as the Central Bank may direct from time to time.
b)
The White Paper shall be fair, clear and not misleading, and shall be presented in a concise and comprehensible form.
c)
The White Paper shall be drafted in both Arabic and English.
d)
The White Paper shall contain an attestation by the Board of the Payment Token Issuer of the White Paper’s completeness and accuracy.
e)
The White Paper shall prominently contain the following statement:
“The Central Bank of the UAE is not responsible for determining the accuracy or completeness of this White Paper. The Central Bank of the UAE’s review and acceptance of this White Paper does not constitute an endorsement of the Payment Token or Payment Token Issuer to which it relates, or of the accuracy or completeness of any information or statements in this White Paper.”
f)
The White Paper shall be dated, including with the date of the application of any update to the White Paper.
g)
In good time before a Licensed Payment Token Issuer enters into a Customer Agreement, or a Registree enters into an agreement with a Customer relating to a Payment Token, it must (subject to Article (26)5) provide a copy of or web-link to the White Papers of all Payment Tokens to which the Customer has access pursuant to the Customer Agreement.
3.
Updates
A Payment Token Issuer must (subject to Article (26)5) without delay update any White Paper it has previously produced to reflect:
a)
any material change to the information in the White Paper; or
b)
any material addition that it would be appropriate to make to the White Paper in order to reflect any changes in the arrangements or circumstances relating to its Payment Tokens or Payment Token Issuing.
4.
Audit
A Payment Token Issuer must procure an audit of a White Paper by an External Auditor, who is not an officer or employee of the Payment Token Issuer or an officer or employee of another company or undertaking in its Group, to confirm that the form and content of the White Paper complies with all applicable requirements of Article (26)2(a) to (f).
5.
Notification of the White Paper
a)
A Payment Token Issuer must submit a White Paper to the Central Bank for review and acceptance before it sells or transfers the Payment Token to any Person in the UAE (excluding a Person in a Financial Free Zone).
(1)
The Payment Token Issuer must, at the time when it submits a White Paper to the Central Bank, also submit the audit report of that White Paper, referred to in Article (26)4, to the Central Bank for review.
(2)
If the Central Bank accepts the White Paper, the Payment Token Issuer must publish the White Paper on a publicly and freely accessible website at least 7 days in advance of the Payment Token becoming available for sale or transfer to Persons in the UAE (excluding a Person in a Financial Free Zone).
(3)
If the Central Bank declines to accept the White Paper the Payment Token issuer may resubmit an updated White Paper for approval under this Article (26)5(a).
b)
If a Payment Token Issuer desires to amend (including, for the avoidance of doubt, making additions), or is required to amend, the White Paper previously submitted in accordance with Article (26)5(a), it must submit the amendments to the White Paper, and an audit report of the amended White Paper conducted in accordance with Article (26)4 to the Central Bank for review and acceptance before making the amendments. If the amendments are urgent, the Payment Token Issuer shall prominently bring the urgency to the attention of the Central Bank.
(1)
If the Central Bank accepts the amendments, the Payment Token Issuer must publish the White Paper on a publicly and freely accessible website at least 14 days in advance of such amendment taking effect unless the Central Bank requires or agrees to a shorter period.
(2)
If the Central Bank declines to accept the amendments the Payment Token issuer may resubmit an updated White Paper for approval under this Article (26)5(b).
c)
The Central Bank shall not be responsible for determining the accuracy or completeness of a White Paper. The Central Bank’s review and acceptance of the White Paper shall not constitute an endorsement of the Payment Token or Payment Token Issuer to which it relates, or of the accuracy or completeness of any information or statements in the White Paper.
6.
Liability for White Papers
a)
A Payment Token Issuer shall be liable for and shall compensate a Customer within at least 28 calendar days for any and all loss or damage caused to a Customer arising from a material misstatement in a White Paper which it has published, except to the extent that any UAE law or regulation prevents the payment or provision of compensation to that Customer by the Payment Token Issuer. Any contractual exclusion or limitation of civil liability as referred to in this paragraph shall be deprived of legal effect.
b)
In addition, the Central Bank may consider conducting an investigation and taking enforcement action against any misstatement in the White Paper.
c)
The Central Bank shall not be liable to Customers or other Persons for the contents of any White Paper that it has accepted.
7.
Exemptions
The Central Bank may, at its discretion, exempt a Payment Token Issuer from one or more of the requirements in this Article (26) if equivalent documentation has been published, or obligations complied with, pursuant to regulation issued by SCA or any Local Licensing Authority.
Article (27): Customer Agreement
1.
In this Article (27), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.
2.
A Payment Token Service Provider shall:
a)
set out in the Customer Agreement the terms and conditions governing their contractual relationship with each Customer, including the terms required under Article (28), sufficiently in advance of entering into the contractual relationship as to allow the Customer to make an informed decision; and
b)
provide each Customer and Tokenholder with a copy of the Customer Agreement, at their request at any time in writing and delivered as per the Customer’s or Tokenholder’s preference, including through an e-mail, mobile application or any other electronic manner.
3.
The Customer Agreement (and any changes to it) referred to in Article (27)2 shall be written in a clear, plain and understandable language, in a manner that is not misleading and shall be provided to the Customer in both Arabic and English, as may be requested by the Customer.
4.
Any changes to the Customer Agreement referred to in Article (27)2 shall be communicated to the Customer and Tokenholder by the Payment Token Service Provider sufficiently in advance and at least 30 calendar days prior to any such change becoming effective.
5.
A Customer or Tokenholder shall be entitled to terminate its Customer Agreement with a Payment Token Service Provider at no charge where it does not agree with the revised terms and conditions referred to in Article (27)4.
6.
The rights and obligations set out in a Customer Agreement shall apply as between a Payment Token Issuer and each Tokenholder, whether or not the Payment Token Issuer is aware of the identity of the Tokenholder or has made any arrangements with the Tokenholder, subject to any UAE laws which would prevent the Payment Token Issuer from performing its obligations under a Customer Agreement for that Tokenholder.
Article (28): Required Terms and Pre-Contractual Information
1.
In this Article (28), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.
2.
A Payment Token Service Provider shall include the following terms in, and information with, its Customer Agreement, and must provide them to the Customer before the provision of any services:
a)
schedule of fees, charges and commissions, including redemption fees, conversion rates and withdrawal charges, where applicable;
b)
contact details of the Payment Token Service Provider, including legal name and registered address, and including the name and address of any Agent where applicable;
c)
the form and procedure for giving consent to the initiation, facilitation, effecting or directing by a Payment Token Service Provider, as part of its Payment Token Service, of a Payment Token Transfer and for the withdrawal of such consent;
d)
the communication channel between the Payment Token Service Provider and the Customer;
e)
the manner of safeguarding of Payment Tokens as per Article (23);
f)
the manner and timeline for notification by the Customer to the Payment Token Service Provider in case of Unauthorized Payment Token Transfers or incorrectly initiated, facilitated, effected or directed Payment Token Transfers;
g)
the Payment Token Service Provider’s and Customer’s or Tokenholder’s liability for Unauthorized Payment Token Transfers;
h)
information relating to terms under which a Customer may be deemed to have accepted changes to the Customer Agreement, the duration of the Customer Agreement and the rights of the parties to terminate the Customer Agreement;
i)
the service level for the provision of the Payment Token Service; and
j)
information on the Payment Token Service Provider’s complaint procedure.
Article (29): Transactional Information
1.
In this Article (29), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.
2.
Payment Token Service Providers shall provide Customers with a written or an electronic statement of the Payment Token Transfers initiated, facilitated, effected, directed or received by a Payment Token Service Provider under a Customer Agreement at least once per month free of charge. The statement shall include details of (insofar as relevant) the amounts, fees, charges and commissions, the dates and times of performance and the reference numbers for each Payment Token Transfer.
3.
Immediately after the receipt of an instruction for initiation, facilitation, effecting or directing of a Payment Token Transfer, the Payment Token Service Provider of the Payer shall provide a receipt for the Payer with the following information insofar as relevant:
a)
confirmation of the successful or unsuccessful performance of the Payment Token Transfer;
b)
acknowledgement and reference number to track the status of the Payment Token Transfer, including:
(i)
the date, time and amount of the Payment Token Transfer; and
(ii)
information relating to the Payee;
c)
the amount of the Payment Token Transfer, any related fees or charges, including any actual currency and conversion rates used, and withdrawal charges, where applicable; and
d)
the date and time on which the Payment Token Service Provider received the instruction for the Payment Token Transfer.
4.
The Payee’s Payment Token Service Provider shall, immediately after receipt of a Payment Token Transfer, provide the Payee with a statement with the following information insofar as relevant:
a)
reference enabling the Payee to identify the Payment Token Transfer and, where appropriate, the Payer and any information transferred with the Payment Token Transfer;
b)
the amount of the Payment Token Transfer in the currency in which the Payment Token is denominated;
c)
the amount of any fees or charges for the Payment Token Transfer payable by the Payee;
d)
where applicable, the currency exchange rate used in the Payment Token Transfer by the Payee’s Licensed Payment Token Service Provider; and
e)
the date and time on which the amount of a Payment Token Transfer is received into the Payee’s Wallet.
5.
The Payer’s Payment Token Service Provider shall ensure that instructions for a Payment Token Transfer are accompanied by the necessary information so that they can be processed accurately and completely, and also, be easily identified, verified, reviewed, audited and for any subsequent investigation if needed.
6.
The Payee’s Payment Token Service Provider shall implement procedures to detect when any necessary information is missing or inaccurate for a Payment Token Transfer.
Article (30): Protection of Payment and Personal Data
1.
A Licensed Payment Token Service Provider shall have in place and maintain adequate policies and procedures to protect Personal Data received or held by the provider and identify, prevent and resolve any data security breaches.
2.
Licensed Payment Token Service Providers may disclose such Personal Data to:
a)
a third party where the disclosure is made with the prior written consent of the Customer or is required pursuant to applicable laws;
b)
the Central Bank;
c)
other regulatory authorities upon request/following prior approval of the Central Bank;
d)
a court of law; or
e)
other government bodies who have lawfully authorized rights of access.
3.
In addition to the disclosures envisaged in Article (30)2, Licensed Payment Token Service Providers may also disclose Personal Data to the corresponding Data Subject.
4.
Licensed Payment Token Service Providers shall have in place and maintain Personal Data protection controls.
5.
Personal Data shall be stored and maintained in the UAE unless otherwise approved by the Central Bank. Licensed Payment Token Service Providers must also establish a safe and secure backup of all Personal Data in a separate location for the required period of retention of five (5) years.
6.
Licensed Payment Token Service Providers shall comply with applicable legal and regulatory requirements and standards on data protection, including as set out in or pursuant to the Consumer Protection Regulation. They shall control, process and retain only Personal Data that is necessary for the provision of Payment Token Services and upon obtaining the explicit consent of the Customer.
Article (31): Liability for Unauthorized Payment Token Transfers and Refunds
1.
A Payment Token Custodian and Transferor shall be fully liable for any fraudulent or Unauthorized Payment Token Transfer initiated, facilitated, effected or directed by the Payment Token Custodian and Transferor or otherwise made from a Wallet maintained by the Payment Token Custodian and Transferor, whether before or after the Customer as Payer informs the Payment Token Custodian and Transferor of any potential or suspected fraud, except where there is evidence that:
a)
the Customer acted fraudulently; or
b)
the Customer acted with gross negligence and did not take reasonable steps to keep their Wallet safe.
2.
The Payment Token Custodian and Transferor shall refund the amount of the Unauthorized Payment Token Transfer for which it is liable to its Customer and, where applicable, restore the debited Wallet to the state it would have been in had the Unauthorized Payment Token Transfer not taken place.
3.
The Payment Token Custodian and Transferor shall provide a refund under Article (31)2 as soon as practicable and in any event no later than the end of the Business Day following the day on which it becomes aware of the Unauthorized Payment Token Transfer.
4.
Article (31)2 and Article (31)3 do not apply where the Payment Token Custodian and Transferor has reasonable grounds to suspect that fraud or gross negligence as referred to in Article (31)1 applies, and notifies the Central Bank of those grounds in writing.
5.
Other than in relation to the circumstances contemplated in paragraphs Article (31)2 to Article (31)4, on conclusion of an investigation by a Payment Token Custodian and Transferor into an error or Complaint, a Payment Token Custodian and Transferor shall pay any refund or monetary compensation due to a Customer within (7) calendar days of such conclusion or instruction. In case of a delay in payment of any refund or compensation, the Payment Token Custodian and Transferor shall update the Customer with the expected time for crediting the amount due, along with a justification for the delay.
Article (32): Certainty of Transfers of Payment Tokens
1.
Licensed Payment Token Issuers must exercise prudence and due diligence in their choice of Distributed Ledger Technology for their Payment Tokens, to ensure that the Distributed Ledger Technology is technologically resilient, secure and has a clear operating procedure in which Customers can identify and understand the point at which a Payment Token passes from one Wallet to another. A copy of this due diligence must be provided to the Central Bank as part of the Licensed Payment Token Issuer’s Application.
2.
Licensed Payment Token Issuers must specify, in their White Paper and Customer Agreement, the point at which the lawful power of disposal over a Payment Token transfers from a sending Tokenholder to a receiving Tokenholder in a Payment Token Transfer. This must be specific to the Distributed Ledger Technology of the Payment Token.
3.
A Person may provide evidence to a Licensed Payment Token Issuer demonstrating that, but for a ‘fork’, error or similar failure in the operation of the Distributed Ledger Technology of a Payment Token, they would be the Tokenholder of that Token, in which case the Licensed Payment Token Issuer shall give them the same rights of redemption as are given to a Tokenholder pursuant to Article (21).
4.
A Licensed Payment Token Issuer must include a warning in the White Paper and Customer Agreement for each Payment Token that they issue, that:
a)
there is always a risk that a Payment Token Transfer may fail or be reversed or unwound as a result of the operation of the Distributed Ledger Technology, and that anyone who believes they are the victim of a failed or unwound transfer must contact the Payment Token Issuer which issued that Payment Token to ensure that they are compensated in accordance with Article (32)3; and
b)
the Licensed Payment Token Issuer has no control over the time that a Payment Token Transfer may take to complete on the Distributed Ledger Technology, and that (aside from their obligation to submit a Payment Token Transfer to the Distributed Ledger Technology for execution) they are not responsible for ensuring that a Payment Token Transfer completes within a specific time-period. Nevertheless a comprehensive audit trail must be made available to the Customer.
Part 9
Article (33): Corporate Governance
1.
In this Article (33), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.
2.
A Payment Token Service Provider must have and maintain effective, robust and well-documented corporate governance arrangements, including a clear organizational structure with well-defined, transparent and consistent lines of responsibility.
3.
The corporate governance arrangements referred to in Article (33)2 must be comprehensive and proportionate to the nature, scale and complexity of the Payment Token Services provided, and shall contain, at a minimum:
a)
an organization chart showing each division, department or unit, indicating the name of each responsible individual accompanied by a description of the respective function and responsibilities;
b)
controls on conflicts of interest;
c)
controls on integrity and transparency of the Licensed Payment Token Service Provider’s operations;
d)
controls to ensure compliance with applicable laws and regulations;
e)
methods for maintaining confidentiality of information; and
f)
procedures for regular monitoring and auditing of all corporate governance arrangements.
Article (34): General Risk Management & Internal Control Systems
1.
In this Article (34), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.
2.
A Payment Token Service Provider must have and maintain robust and comprehensive policies and procedures to identify, manage, monitor and report the risks arising from the provision of Payment Token Services to which it is or might become exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.
3.
A Payment Token Service Provider’s risk management policies and procedures shall be:
a)
kept up-to-date;
b)
reviewed annually; and
c)
proportionate to the nature, scale and complexity of the Payment Token Services provided.
4.
A Payment Token Service Provider must establish a risk management function, an internal audit function and a compliance function.
Capital adequacy and capital planning
5.
A Payment Token Service Provider must implement an effective process for managing its capital adequacy. This process must monitor capital adequacy over time and include forward-estimations of the level of capital and the capital requirement, and ensure that the Payment Token Service Provider at a minimum complies at all times with the capital requirements set out in this regulation.
Liquidity risk management
6.
A Payment Token Service Provider must establish and implement an effective process for managing liquidity risk that is appropriate for the size and complexity of its operations. The objective is to ensure that the Payment Token Service Provider will have sufficient liquidity to meet different financial obligations arising from its day-to-day operations as well as redemption requests under all plausible circumstances.
Internal controls
7.
A Payment Token Service Provider must put in place a robust internal control system to promote effective and efficient operation, safeguard assets, provide reliable financial and management information, enable prevention or early detection of irregularities, fraud and errors, and ensure compliance with relevant statutory and regulatory requirements and internal policies.
8.
A Payment Token Service Provider must put in place a comprehensive business strategy and plan, including details on the strategic goals and roadmap. A business plan must normally cover proposed business in terms of geographical scope of operations, target markets and Customer breakdown, client types and base size, product and services offering, delivery channels, pricing strategy, and promotion and marketing activities.
Accounting and External Audit
9.
A Payment Token Service Provider must appoint one or more External Auditor(s) to audit, on an annual basis:
a)
the financial statements or consolidated financial statements of the Payment Token Service Provider prepared in accordance with the accepted accounting standards and practices; and
b)
the systems, controls and technology (including any ‘smart contracts’) of the Payment Token Services provided by the Payment Token Service Provider, including the results of any penetration or cyber-attack simulation testing performed pursuant to Article (35)17, separately from any audit of non-Payment Token Services.
10.
Upon request by the Central Bank, the appointed External Auditor shall submit, directly or through the Payment Token Service Provider, a report of the audit in a form and within a timeframe acceptable to the Central Bank.
11.
In addition to the report of audit, the Central Bank may request the External Auditor to:
a)
submit any additional information in relation to the audit, if the Central Bank considers it necessary;
b)
enlarge or extend the scope of the audit;
c)
carry out any other examination.
Compliance and internal audit functions
12.
A Payment Token Service Provider must maintain effective compliance and internal audit functions to ensure compliance with all applicable legal and regulatory requirements as well as its own policies, procedures and controls. Among other factors, the quality of a Payment Token Service Provider’s compliance and internal audit functions will be assessed by the Central Bank based on its:
a)
clear governance framework with Board level accountability to ensure effective policies and sufficient authorities to perform the functions;
b)
relevant professional knowledge and experience;
c)
independence from business units;
d)
direct and unfettered access to the Board;
e)
coverage, comprehensiveness and effectiveness of compliance and internal audit programs; and
f)
ability to take timely and proactive rectifying actions upon identifying non-compliance or other control deficiencies.
13.
A Payment Token Service Provider must at least annually perform a risk assessment by its own risk management.
a)
If the results of the risk assessment suggest that a detailed independent assessment is necessary, the Payment Token Service Provider must conduct such assessment and cover the following key areas:
(i)
business model assessment;
(ii)
corporate governance and risk management;
(iii)
Reserve of Assets management;
(iv)
technology risk management;
(v)
security management;
(vi)
business continuity management;
(vii)
business conduct and consumer protection;
(viii)
business exit plan; and
(ix)
AML/CFT controls systems.
b)
If the Payment Token Service Provider has an independent function elsewhere in its Group, with the relevant knowledge and experience, an independent assessment can be conducted by its internal function. Otherwise the assessment must be carried out by an independent third party.
14.
A Payment Token Service Provider must submit any assessment under Article (34)13 to the Central Bank after it has been approved by the Board, accompanied by an executive summary highlighting the key risks, most important findings and the actions for rectifying the issues.
15.
Arising from the findings of the annual risk assessment, a Payment Token Service Provider that is unable to meet its obligations must immediately report this to the Central Bank.
Reputation Risk Management
16.
A Payment Token Service Provider shall establish and implement an effective process for managing reputational risk that is appropriate for the size and complexity of its operations.
Record Keeping
17.
Payment Token Service Providers shall keep all necessary records of Personal Data and Payment Data for a period of five (5) years from the date of receipt of such data, unless otherwise required by other applicable laws or the Central Bank.
Article (35): Technology Risk and Information Security
1.
In this Article (35), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.
2.
Payment Token Service Providers are expected to take into account international best practices and standards when designing and implementing the technology and specific risk management systems and processes.
3.
A Payment Token Service Provider shall establish an effective technology and cyber security risk management framework to ensure the adequacy of IT controls, cyber resilience, the quality and security, including the reliability, robustness, stability and availability, of its computer systems, and the safety and efficiency of the operations of Payment Token Services. The framework shall be fit for purpose and commensurate with the risks associated with the nature, size, complexity and types of business and operations, the technologies adopted and the overall risk management system of the Payment Token Service Provider. Consideration shall be given to adopting recognized international standards and practices when formulating such risk management framework.
4.
A Payment Token Service Provider’s effective technology risk management framework shall comprise proper IT governance, a continuous technology risk management process and implementation of sound IT control practices.
5.
A Payment Token Service Provider shall apply and meet at a minimum the UAE Information Assurance Standards, as amended.
6.
Licensed Payment Token Issuers must maintain policies and procedures on how to respond to ‘forking’ events or adverse governance actions affecting the Distributed Ledger Technology in which their Payment Tokens are issued, including by establishing a process to ensure that redemption rights are afforded in accordance with Article (21)6(c), and to prevent redemption by Persons who are not Tokenholders. Such policies and procedures must address each blockchain in which a Payment Token is issued.
7.
Licensed Payment Token Issuers which hold any Payment Tokens which they have issued (on their own behalf) must maintain a safeguarding and security policy setting out the manner in which the security of those Payment Tokens shall be ensured.
IT Governance
8.
A Payment Token Service Provider shall establish a proper IT governance framework. IT governance shall cover various aspects, including a clear structure of IT functions and the establishment of IT control policies. While there could be different constructs, the major functions shall include an effective IT function, a robust technology risk management function, and an independent technology audit function.
9.
The Board, or a committee designated by the Board, shall be responsible for ensuring that a sound and robust risk management framework is established and maintained to manage technology risks in a manner that is commensurate with the risks posed by the Payment Token Service Provider’s Payment Token Services.
Security Requirements
10.
A Payment Token Service Provider must clearly define its security requirements in the early stage of system development or acquisition as part of the business requirements and these must be adequately built-in during the system development stage.
11.
A Payment Token Service Provider that develops or provides an application programming interface (API) shall establish safeguards to manage the development and provision of the API to secure the interaction and exchange of data between various software applications.
Network and Infrastructure Management
12.
A Payment Token Service Provider shall clearly assign overall responsibility for network management to individuals who are equipped with expertise to fulfil their duties. Network standards, design, diagrams and operating procedures shall be formally documented, kept up-to-date, communicated to all relevant network staff and reviewed periodically.
13.
A Payment Token Service Provider shall establish a security administration function and a set of formal procedures for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities.
14.
A Payment Token Service Provider shall exercise due care when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include:
a)
changing the default password;
b)
implementing strong password control, with minimum password length and history, password complexity as well as maximum validity period;
c)
restricting the number of privileged users;
d)
implementing strong controls over remote access by privileged users;
e)
granting of authorities that are strictly necessary to privileged and emergency IDs;
f)
formal approval by appropriate senior personnel prior to being released for usage;
g)
logging, preserving and monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs);
h)
prohibiting sharing of privileged accounts;
i)
proper safeguard of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data centre); and
j)
changing of privileged and emergency IDs’ passwords immediately upon return by the requesters.
Cyber Security Risk
15.
A Payment Token Service Provider shall ensure that its cyber security risks are adequately managed through its technology risk management process. The Payment Token Service Provider shall also commit adequate skilled resources to ensure its capability to identify the risk, protect its critical services against the attack, contain the impact of cyber security incidents and restore the services.
16.
A Payment Token Service Provider shall establish a cyber incident response and management plan to swiftly isolate and neutralize a cyber threat and to resume affected services as soon as possible. The plan shall describe procedures to respond to plausible cyber threat scenarios.
17.
A Payment Token Service Provider shall regularly assess the necessity to perform penetration and cyber-attack simulation testing, based on a risk-based assessment of the likelihood of a cyber-attack and its impact (considering amongst other things the size and nature of its business). Coverage and scope of testing shall be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Payment Token Service Provider shall also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis. The Central Bank may request evidence of the risk-based assessment referred to in this paragraph, and may direct that further or alternative penetration and cyber-attack simulation testing measures be adopted.
Customer Authentication
18.
A Payment Token Service Provider shall select and implement reliable and effective authentication techniques to validate the identity and authority of its Customers or Tokenholders. Multi-factor authentication shall be required.
19.
End-to-end encryption shall be implemented for the transmission of Customer passwords so that they are not exposed at any intermediate nodes between the Customer mobile application or browser and the system where passwords are verified.
Login Attempts and Session Management
20.
A Payment Token Service Provider shall implement effective controls to limit the number of login or authentication attempts (e.g. wrong password entries), implementing time-out controls and setting time limits for the validity of authentication. If one-time passwords are used for authentication purposes, a Payment Token Service Provider shall ensure that the validity period of such passwords is limited to the strict minimum necessary.
21.
A Payment Token Service Provider shall have processes in place ensuring that all Payment Token Transfers occurring in the context of its Payment Token Services are logged with an appropriate audit trail.
Fraud Detection Systems
22.
Payment Transaction monitoring mechanisms designed to prevent, detect and block fraudulent Payment Transactions must be operated by a Payment Token Service Provider, in a manner which is proportionate based on a risk-based assessment of the likelihood of fraudulent Payment Transactions and their impact (considering amongst other things the size and nature of its business). Suspicious or high-risk transactions must be subject to a specific screening, filtration and evaluation procedure. The Central Bank may request evidence of such risk-based assessment, and may direct that further or alternative monitoring mechanisms be adopted.
Security advice for Customers
23.
A Payment Token Service Provider must provide easy-to-understand, prominent and regularly reviewed advice from time to time via effective methods and multiple channels to its Customers and Tokenholders on security precautionary measures.
24.
A Payment Token Service Provider must manage the risk associated with fraudulent emails, websites and mobile applications, which are designed to trick customers into revealing sensitive user information such as login identifiers, passwords and one-time passwords.
Security incident reporting
25.
Payment Token Service Providers shall report major security and operational incidents including downtimes to the Central Bank, either immediately or in such form and on such basis as the Central Bank may direct from time to time, or as set out in CBUAE Regulations.
Article (36): Business Continuity
1.
In this Article (36), “Payment Token Service Provider” refers to a Licensee or a Registree, with the exception of Registered Foreign Payment Token Issuers.
2.
A Payment Token Service Provider shall have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery.
3.
A Payment Token Service Provider shall put in place a set of recovery strategies to ensure that all critical business functions identified in a business impact analysis can be recovered in accordance with the predefined recovery timeframe. These recovery strategies shall be clearly documented, thoroughly tested and regularly reviewed to ensure achievement of recovery targets.
4.
A Payment Token Service Provider shall put in place effective measures to ensure that all business records, in particular Customer records, can be timely restored in case they are lost, damaged, or destroyed. A Payment Token Service Provider shall also allow Customers to access their own records in a timely manner. A Payment Token Service Provider shall notify Customers of any loss in their records through an operational failure or through theft, and make reasonable effort to ensure that personal records so lost are not used wrongfully.
5.
A Payment Token Service Provider shall develop a business continuity plan based on the business impact analysis and related recovery strategies. A business continuity plan shall comprise, at a minimum:
a)
detailed recovery procedures to ensure full accomplishment of the service recovery strategies;
b)
escalation procedures and crisis management protocol (e.g. set up of a command centre, timely reporting to the Central Bank, etc.) in case of severe or prolonged service disruptions;
c)
proactive communication strategies (e.g. Customer notification, media response, etc.);
d)
updated contact details of key personnel involved in the business continuity plan; and
e)
assignment of primary and alternate personnel responsible for recovery of critical systems.
6.
A Payment Token Service Provider shall conduct testing of its business continuity plan at least annually. Its Senior Management, primary and alternate relevant personnel shall participate in the annual testing to familiarize themselves with their recovery responsibilities.
7.
A Payment Token Service Provider shall review all business continuity planning-related risks and assumptions for relevance and appropriateness as part of the annual planning of testing. Formal testing documentation, including a test plan, scenarios, procedures and results, shall be produced. A post mortem review report shall be prepared for formal sign-off by Senior Management.
Business exit plan
8.
With a view to minimizing the potential impact that a failure, disruption, or exit of a Payment Token Service Provider would have on Customers and the payment systems in the UAE, a Payment Token Service Provider is required to maintain viable plans for an orderly exit of its business and operations should other options be proven not possible.
9.
Among other things, a business exit plan must:
a)
identify a range of remote but plausible scenarios which may render it necessary for a Payment Token Service Provider to consider an exit;
b)
develop risk indicators to gauge the plausibility of the identified scenarios;
c)
set out detailed, concrete, and feasible action steps to be taken upon triggering the exit plan;
d)
assess the time and cost required to implement the exit plan in an orderly manner; and
e)
set out clear procedures to ensure that sufficient time and regulatory capital and other financial resources are available to implement the exit plan.
10.
A Payment Token Service Provider must review the plan on an annual basis to ensure its relevance and workability.
Part 10
Article (37): Enforcement and Sanctions
Violation of any provision of this Regulation or committing any of the violations provided for under the Central Bank Law may subject the Licensee or Registree to administrative and financial sanctions and penalties as deemed appropriate by the Central Bank.
Article (38): Additional Information Gathering Powers
1. The Central Bank may require the following persons to provide it with such information as the Central Bank considers necessary:
a) Licensees and Registrees;
b) providers of Virtual Asset services who are not Licensed or Registered by the Central Bank or licensed or regulated by SCA or any Local Licensing Authority with respect to those activities.
2. The Central Bank may enter into information-sharing agreements or other memoranda of understanding with, or otherwise request the following persons to provide it with such information as the Central Bank considers helpful in order to exercise its powers or meet its objectives under this Regulation:
a) SCA;
b) any Local Licensing Authority;
c) other regulators.
Article (39): Amendment to Retail Payment Services and Card Schemes Regulation and Stored Value Facilities (SVF) Regulation
1. A Person licensed under the Retail Payment Services and Card Schemes Regulation or Stored Value Facilities (SVF) Regulation with respect to Crypto-Asset, Virtual Asset Token or Virtual Asset activities shall cease to be licensed with respect to those activities under either Regulation following the end of the Transition Period.
2. The Retail Payment Services and Card Schemes Regulation shall not apply with respect to Crypto-Assets, Virtual Asset Tokens, Virtual Assets Service Providers or Virtual Asset Token Services (each as defined in the Retail Payment Services and Card Schemes Regulation), with effect from the end of the Transition Period.
3. The Stored Value Facilities (SVF) Regulation shall not apply with respect to Crypto-Assets, Virtual Assets or Virtual Asset Service Providers (each as defined in the Stored Value Facilities (SVF) Regulation), with effect from the end of the Transition Period.
Article (40): Transition Period
1.
There shall be a one calendar year period following the commencement of this Regulation during which Article (2) shall not apply (the “Transition Period”).
2.
The Central Bank may extend the Transition Period at its discretion.
3.
Notwithstanding Article (40)1, if the Central Bank determines that a service provider is unlikely to be able to comply with any provision of Article (2) following the Transition Period, it may order the cessation of any aspect of that service provider’s business which is within scope of this Regulation.
Article (41): Interpretation of Regulation
The Regulatory Development Department of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
Article (42): Publication & Application
This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.
Annex
List of documents to be submitted in an application
1.
Completed application form for License
2.
A report on paid-up capital certified by External Auditor
3.
A copy of the ownership structure
4.
The latest audited financial statements for each Controller
5.
Completed application form(s) for each Controller
6.
Outline of the Senior Management and staff structure
7.
Completed application forms for members of the Board and Senior Management
8.
Independent assessment report(s) on the key areas as set out in Article (6)5
9.
Documentation on the sources of funds (Article (15)2 and Article (15)6)
10.
A copy of the cyber-security policy
11.
Risk management policies and procedures
12.
Policies and procedures regarding AML/CFT risk
13.
A copy of the risk appetite framework
14.
Copies of policies and procedures for managing the Reserve of Assets
15.
A copy of the investment policy for managing the investment of Reserve of Assets
16.
A copy of any Customer Agreements to be used
17.
Business plan that covers a three-year time horizon
18.
A copy of the business exit plan
19.
Board resolution in support of the Application
20.
A copy of the articles of association (or equivalent) of the Applicant company in English and Arabic
21.
A copy of the Applicant's audited annual reports and / or audited financial statements for the past three financial years immediately prior to application
22.
Each of the following:
(a)
A copy of the notarized Memorandum and Articles of Association
(b)
A copy of the Licensee Commercial License
(c)
External Auditor's certification that the paid-up capital has been injected into the business