2021 in Review: The Legal & Regulatory Changes Impacting FinTech in the UAE

Nadim Bardawil Partner nadim.bardawil@bsabh.com

Throughout 2021, the UAE continues to maintain its title as the leader of FinTech in the Middle East. In fact, it has become, in the last couple of years, a popular jurisdiction in the GCC to various FinTech businesses.

While Fintech comprises a broad range of activities, we note that some specific categories are currently trending such as digital payments, InsurTech, and cryptocurrencies. The increasing popularity of the FinTech industry is backed up by supportive governmental policies and the implementation of attractive FinTech programs, both onshore and in free zones.

Below we provide an overview of the key legal and regulatory legal updates impacting the FinTech sector in the UAE in 2021.

1. Central Bank Circular No. 15/2021 regarding Retail Payment Services and Card Schemes Regulation (RPSCS)

The RPSCS Regulation was published in the official gazette on 15 July 2021 and is effective within 1 month of its publication. As per the Regulation, it is prohibited to conduct a retail payment service without obtaining a prior license from the Central Bank.

The Regulation sets out the requirement and the conditions for obtaining a license for the provision of retail payment services and operating a card scheme. Payment Service Providers (PSP) are given 1 year to comply with the licensing requirements.

What does this change?

The Regulation divided the retail payment services into 4 licensing categories. PSPs must now apply for one of the categories.

Any PSP applying for a license must meet the initial capital requirement. The initial capital requirement will depend on the licensing category and can reach AED 3M for some categories.

Any PSP is expected to comply as well with other hefty requirements relating to corporate governance and Risk Management (i.e., PSP must establish a risk management function, an internal audit function and a compliance function).

What is the impact on business owners?

Any PSP wishing to offer ancillary services, which are not included under its license, must obtain the approval of the Central Bank. The Central Bank may require that the PSP create a separate entity for the provision of such services. Companies wishing to set up PSP services must consider the substantial costs associated with the regulatory requirements.

2. Central Bank Circular No. 9/2020 regarding Large Value Payment Systems Regulations

This Regulation focuses on Large-value Payment Systems (LVPS) which are Financial Infrastructure Systems that support the financial and wholesale activities in the UAE.

The Regulation covers the licensing requirements in relation to LVPS as well as the obligations and ongoing requirements in relation to a designated LVPS.

The Regulation applies to:

1. LVPS that are operated in the UAE; or
2. LVPS that accept the clearing or settlement of transfer orders denominated in the AED currency both in the UAE or outside the UAE.

We note that the Regulation does not apply to LVPS incorporated in financial free zones, unless when expressly provided in the Regulation.

What does this change?

Operating an LVPS in the UAE requires a prior license from the Central Bank. LVPS must ensure compliance with the Central Bank’s instructions and request for information.

The LVPS operator is also required to comply with the Principles of Financial Market Infrastructures (PFMI), which are key standards that the international community considers essential to strengthening and preserving financial stability. By way of example, the PFMI includes compliance with safety and efficiency requirements, submission of information or documents, and allow the Central Bank to examine at any time, with a short prior notice, any books, accounts or transaction of the LVPS operator.

What is the impact on business owners?

Any LVPS operator should expect a high supervision from the Central Bank, and an obligation to efficiently cooperate with the latter. 

3. DFSA- Consultation Paper No. 138 – Regulation of Security Tokens

The Dubai Financial Services Authority (DFSA) has launched its regulatory framework for “Investment Tokens” based on its Consultation Paper No. 138 – Regulation of Security Tokens, published in March 2021.

“Investment Token” is defined to include:

1. a security (which includes, for example, a share, debenture or warrant) or derivative (an option or future) in the form of a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using Distributed Ledger Technology (“DLT”) or other similar technology; or
2. a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using DLT or other similar technology and: (i) confers rights and obligations that are substantially similar in nature to those conferred by a security or derivative; or (ii) has a substantially similar purpose or effect to a security or derivative.

This means that key cryptocurrencies (i.e., bitcoin, ETH) will not be subject to this regulatory framework, given that they are not securities, nor are considered substantially similar in nature or purpose to a security or derivative.

What does this change?

Firms who wish to undertake financial services relating to Investment Tokens in or from the DIFC (i.e., issuing, trading, holding, dealing in, advising on, managing portfolios etc.) must meet certain licensing and technological requirements set by the DFSA.

What is the impact on business owners?

Businesses conducting financial services in relation to Investment Tokens will need to obtain DFSA approval. We note that it is prohibited to promote and advertise Investment Tokens.

The new rules impose a technology audit requirement on all firms that operate a facility for Investment Tokens.

4. The new Stored Value Facilities (SVF) Regulation

The new Stored Value Facilities (SVF) Regulation, which was issued in September 2020 but has had ramifications across 2021, repeals and replaces the Regulatory Framework for Stored Value and Electronic Payment Systems.

The Regulation defines an SVF as a facility whereby a customer can pay a sum of money to the SVF issuer in exchange for the storage of that money on the facility.

The Regulation applies to companies wishing to undertake an SVF activity, with certain exceptions. For instances, the Regulation does not apply to the below SFVs:

• SVFs used for certain cash reward schemes;
• SVFs used for purchasing certain digital products;
• SVF used for certain bonus point schemes;
• SVFs that can only be used within a limited group of products or services providers; and
• Those within which (subject to being accepted by the UAECB) the aggregate amount of the float of the facilities does not exceed AED 500,000 and the aggregate number of customers is not more than 100.

SVF are given 1 year period to comply with the Regulation’s requirements. 

What does this change?

The most important change we note is that the requirement to have a regulated bank as a majority shareholder has been removed. However, other technical and capital requirements are put in place. 

Moreover, the Regulation introduces an express prohibition on the marketing of overseas SVF in the UAE.

What is the impact on business owners?

SVF must comply with the technical and capital requirements of the Regulation. For example, SVF are required to have a minimum paid up capital of at least AED 15m and an aggregate capital of funds of at least 5% of the total float received by the SVF from customers.

The Regulation is highly focused on Technology and Risk Management and includes extensive obligations around cyber security and technology governance that businesses will need to consider when setting up a SVF activity in the UAE. This is seen by many as a step towards the adoption of crypto and virtual assets.

5. Federal Decree-Law No. 45 of 2021 regarding Personal Data Protection (the Law)

The long-awaited Data Protection Law was finally issued on 27 November 2021 and shall take effect on 2 January 2022.

The Law applies to:

1. Organizations incorporated in the UAE that process data of subjects inside or outside the UAE; and
2. Organization outside of the UAE that process data of subject inside the UAE.

Some organizations are excluded from the scope of application of this Law such as governmental entities. Furthermore, certain industries will not be subject to the Law and will have their separate data protection regulations such as health personal data and banking personal data.

We note that this Law will not replace data protection laws issued in some free zones (DIFC and ADGM) but will be applied concurrently. 

What does this change?

The Law provides for the establishment of a national data privacy regulator who will be overviewing the implementation of the Law and issuing guidelines relating to data privacy.

Organizations processing personal data must comply with the Law requirements and protect the privacy of data collected. Organizations are granted a period of 6 months to re-consider their data operation and comply with the Law.

What is the impact on business owners?

The law includes several principles found in the General Data Protection Law (GDPR). For example, organizations that process personal data must:

• Have a legal base for the processing of personal data;
• Obtain clear consent of the data subject prior to processing their data;
• Provide the data subject with a range of rights relating to its personal data such as the right to erase or correct the data, request its transfer, object to certain types of data processing;
• Limit the purpose of collecting the data to what is necessary; and
• Conduct an impact assessment when using modern technologies.

Our expectations for 2022

While the FinTech industry remains a highly regulated area in the UAE, which can give rise to significant barriers to entry, we are expecting some positive regulatory developments to mirror global trends and have already witnessed improvements in 2021.

Many of the major FinTech regulations issued in 2021 are set to become effective in 2022. We advise to keep an eye out on the Executive Regulations and the Authorities’ approach to such recent and untested regulations.

We note that FinTech and data privacy are inter-related and should be assessed and analysed simultaneously.

About FinTech at BSA

We provide services across the full spectrum of financial technology and we benefit from the ability to draw upon our extensive wider corporate, insurance, regulatory and financial experience to address the various micro-industries that form the FinTech ecosystem. We advise financial institutions, venture capitalists and start-ups on maximising technological innovation, enhancing and safeguarding their trade secrets and tech, and ensuring compliance with all local and international laws.

Working within an ever-changing regulatory ecosystem, both from a regulatory and technological perspective, requires us to be in touch with various stakeholders. We regularly interact with financial regulators in various capacities: (1) when providing comments on draft legislation when and if we are brought on board in a consultatory capacity, (2) when approaching regulators on behalf of clients to enquire on the applicability and malleability of the current regulatory framework, and (3) when attempting to match new products and services to existing legislation.