A new rule: digital payments and virtual currencies
The Regulatory Framework for Stored Values and Electronic Payment Systems in a nutshell.
On 1 January 2017, the Central Bank of the UAE issued the Regulatory Framework for Stored Values and Electronic Payment Systems. These regulations are aimed at facilitating the increased adoption of secure digital payments by introducing a mandatory licencing and related compliance regime for certain electronic payment service providers operating in the UAE. Digital payment service providers in the country must now comply with a range of new rules including those relating to licencing, data protection and outsourcing.
As global legal firm DLA Piper explained in a comprehensive commentary on the matter, the regulations are designed to create a safe and secure digital payment system in the UAE. Amongst other things, they establish a new licencing regime for digital payment service providers (PSPs). They regulate the protection of user data, including a prohibition on storing user data outside of the UAE. They also require PSPs to enter into customer service agreements with every user of their service, and they create rules for the outsourcing of services by PSPs to third parties.
Organisations that are involved in digital payments are urged to study the regulations closely to determine the applicable compliance requirements and to create and implement a suitable compliance programme. Based on DLA Piper’s commentary, the new regulations provide a one-year grace period for organisations that have been providing digital payment services in the UAE prior to the commencement of the new regulations to ensure they are fully compliant. Failure to do so will expose them to the risk of being ordered by the central bank to cease provision of these services.
With the exception of commercial banks, all PSPs must apply for and obtain a licence covering one of the following PSP categories: retail PSP, micropayment PSP, government PSP, or non-issuing PSP. Commercial banks that wish to offer digital payment services need only obtain an authorization from the Central Bank, rather than separately apply for a specific licence. DLA Piper points out that the details of the application process for a licence have not yet been published. However, the projected timeframe for the Central Bank to respond is three months from receipt of the completed application.
In terms of data protection, PSPs must comply with strict rules regarding the storage of identification data and transaction records of users. These rules include the requirement to store and retain all user and transaction data exclusively in the UAE (excluding UAE financial free zones) for a period of five years from the date of the original transaction.
Similar to the data protection requirements, while PSPs may enter into outsourcing contracts with third parties, the outsourced services must only be carried out within the UAE (excluding UAE financial free zones). Additionally, unless an exception applies, central bank approval is required three months before the implementation of any operational function outsourcing and a range of safeguards must be put in place depending on whether the outsourcing involves critical operational functions or material operational functions. Whether such approval can be obtained prior to the commencement of a procurement activity was not addressed in the regulation.
One pertinent fact under the regulation is the explicit prohibition of virtual currencies. The regulation clearly states that all virtual currencies, and any virtual currency transactions, are prohibited. The legislation defines virtual currency as any type of digital unit used as a medium of exchange, a unit of account, or a form of stored value. The definition does not include a digital unit that can be redeemed for goods, services and discounts as part of a user loyalty or rewards programme with the issuer and cannot be converted into a fiat or virtual currency.
In addition, the regulations seek to establish a further category of service provider, namely a Payment System Operator. In a paper on the subject, leading multinational law firm Dentons explained that this is an entity that operates a fund transfer system or any other system that facilitates the circulation of digital money. This entity may apply for its payment system to become a ‘Designated Payment System’ (defined as one that is designated by the central bank as being ‘systemically important’).
While further detail on these ‘Designated Payment Systems’ seems to be pending by way of subsequent central bank instruments, according to Dentons, the key significance of it appears to rest in the payment settlement process mandated by the regulations. Under the regulations, all payment transactions shall be settled through a settlement institution—which is in turn defined as either a Designated Payment System by the Central Bank, or a commercial bank providing settlement services.
It should also be noted that the regulations set out a number of additional and quite comprehensive obligations on PSPs that are clearly motivated by the central bank's drive for effective consumer protection in the digital payment economy. Dentons opined that these include detailed user registration requirements, transaction and spending limits, PSP liability provisions, minimum prescribed terms for user contracts, technical security requirements, data privacy and protection controls, as well as the above-mentioned requirements for effective all-around governance and compliance policies.