Article by Hamdan Al Shamsi Lawyers & Legal Consultants

As of January 1, 2017 the UAE Central Bank’s new regulations for “stored value digital payments” came into effect. By proposing the Regulatory Framework for Stored Values and Electronic Payment Systems (Regulation), the new mandates establish binding licensing and related compliance agreements for electronic payment service providers (PSPs) operating in the UAE. The new Regulations aim to help facilitate the enhanced adoption of secure digital payments throughout the region.

According to the Governor of the Central Bank Mubarak Al Mansoori, the issuing of these regulations “is a landmark in supporting the government of UAE’s vision to position the country as a global leader in digital services, via a knowledge-based and innovation driven economy. The regulations are also designed to foster financial inclusion in the UAE.”

Designed to promote safe and secure digital payment operations in the UAE, the Regulations:

• Mandate a fresh licensing system for digital payment service providers (PSPs)

• Establish security protocol for user information and data (to include prohibiting the storage of consumer data outside of the UAE)

• Require that PSPs enter into customer service agreements with every individual who uses their services

• Clearly establish rules for outsourcing services to third parties

What is a payment service provider?

A Payment Service Provider (PSP) is any organization or individual that provides digital payment services. This includes using electronic, mobile or magnetic means of payment, excluding credit and debit card payments within the UAE. The Regulations further breakdown the sentiment of a PSP into four distinct sub-categories: Retail PSPs, Micropayments PSPs, Government PSPs, and Non-issuing PSPs.

Licensing

All PSPs must submit an application for and receive a license covering one of the PSP subcategories (with the exception of commercial banks). Rather than apply for specific individual licenses, commercial banks aspiring to provide online payment services must obtain approval from the Central Bank. While details of the requisition process for a permit from the Central Bank have not been released, we do know that the process is not immediate. Applicants should be aware that it may take up to four months from receipt of application to obtain a response from the Central Bank.

Data protection and consumer service agreements

According to the new data protection regulations, PSPs must meet strict regulations pertaining to the storage of user transaction records and personal identification data. With the exception of UAE financial free zones, the new set of rules includes a regulation requiring PSPs to store and maintain all such data solely in the UAE for a minimum of five years. Additionally, all PSPs must establish customer service agreements with every user (i.e. paper or electronic). Each customer service agreement must meet the minimum requirements, to include presenting the PSPs privacy policy to the user.

Any organization receiving online payments in the UAE prior the establishment of the new Regulations will have one year to reach full compliance or face penalty by the UAE’s Central Bank, to include extensive fines and/or termination of services. However, any PSP wishing to begin new online payment services must comply with the new Regulations immediately.