In recent times, we have seen the introduction of the concept of ‘cashless’ ways to pay for goods and services, offering more convenience and security benefits than traditional payment methods. There are e-wallets, retail-based digital reward exchanges, there is direct carrier billing, and there is even the ability to pre-load cash onto mobiles, wristbands and other gadgets to spend later. Getting on board with evolving consumer demands might well be key to giving your business the competitive edge, but if you are using or planning to introduce any of these types of digital or e-payment methods into your business, you would be wise to consider the associated legal and regulatory issues. The nature of the precise activities to be undertaken by your business may mean that you will need Central Bank or other approvals to keep you compliant in the UAE.
The UAE Central Bank’s Regulatory Framework for Stored Values and Electronic Payment Systems (the Regulation) is a key piece of legislation which recognises the significance of, and regulates, this rapidly growing market. It seeks to create a safe and secure landscape for digital payment services as part of the UAE’s drive to support banking modernisation to foster financial inclusion, with consumer protection and driving innovation and competition at its core. Together with advances such as the government’s ‘Emirates digital wallet’, expected to be launched in the coming months, the introduction of the Regulation in January 2017 complements and furthers the development of an inclusive digital payments ecosystem and, perhaps, progression towards a cashless economy.
In this article, we look at some of the key provisions of the Regulation in the context of its potential impact on businesses and in light of new technology, market trends and some potential data protection issues.
In brief, there are four categories of payment services provider (PSP) specified in the Regulation, all of which are required to be licensed by the Central Bank to provide digital payment services in the UAE:
- The retail PSP – a PSP offering retail, government and peer-to-peer digital payment services, as well as money transfers, such as a commercial bank.
- The micropayments PSP – a PSP offering micropayment solutions (being those for very small payments made online) which facilitate digital payments of the unbanked and underbanked.
- The government PSP – covers federal and local government statutory bodies offering government digital payment services.
- The non-issuing PSP – this is a non-deposit-taking institution which does not itself issue digital money, but offers retail, government and peer-to-peer digital payment services.
First of all, the Regulation does not apply to payments using a credit or debit card or to ‘closed loop payments’, which are those for purchases of goods or services in just a single store or group of stores.
‘Technical service providers’ are also excluded from the scope of the Regulation. These are businesses which facilitate the provision of payment services by PSPs, but do not actually transfer or take possession of funds. Their services could include data processing or storage, provision of IT and communication networks or equipment/payment device maintenance for PSPs.
Deciding whether a business is a technical service provider and, therefore, excluded from the Regulation, should be done carefully, since this could mean the difference between being subject to the full remit of oversight of PSPs under the Regulation, or not. The scope of the proposed payment system activities of a business and, in particular, the movement of its cash balances, should be scrutinised as part of this assessment.
We note that the licensing manual, which may provide further practical guidance on the application of the Regulation, has not yet been issued. The governor of the Central Bank has, however, clarified the position regarding virtual currencies, which are stated in the Regulation to be prohibited. This has now been qualified to mean that virtual currencies (including, for example, Bitcoin, Ethereum and Ripple) are excluded from the scope of the Regulation, as opposed to being prohibited under UAE law. These will likely be the subject of distinct regulations, yet to be published, which we understand are currently being considered by the Central Bank. While the Central Bank’s statement may provide some comfort to businesses seeking to use virtual currencies, it should be noted that the wording of the Regulation has not yet been amended, nor has any law, regulation or formal guidance been issued. In strict legal terms, the apparent prohibition of virtual currencies in the Regulation remains.
The virtual currency question, however, raises an important point, that just because one of the exclusions under the Regulation may apply, does not mean that the activities of such business in the digital payments arena will be outside of the jurisdiction of the authorities. Other legislation, and perhaps Central Bank licensing requirements, may still apply, if not now, then potentially in the future.
One final thought on the Regulation is the question raised on the storage and processing of data obtained in connection with digital payment services in the UAE. The Regulation specifically requires all PSPs to store all user and transaction data exclusively within the borders of the UAE (excluding the UAE’s financial free zones), expressly stating that such data cannot be stored outside the UAE.
Although data localisation can help to protect privacy and security, this condition in the Regulation will likely present operational, financial and administrative challenges for businesses looking to operate in this market, and perhaps also for international technical service providers, which, despite otherwise being outside the Regulation, would be indirectly impacted by this rule.
The Central Bank has recognised the appetite for digital payments and has issued the Regulation, which will, we believe, help build consumer trust around the use of digital money in the region and develop confidence among financial institutions and businesses in the adoption of e-payment solutions.
The fintech revolution taking place globally has the government leading by example in the UAE, with its mobile wallet initiative, through which consumers and businesses can pay for numerous government services online. A variety of start-ups have emerged offering alternative payment mechanisms and occupying a space somewhere between traditional banks and consumers. But UAE banks looking to stay current are also already exploring digital transformation.
The implementation of the Regulation is no doubt a sign of things to come. It is perhaps an obvious prediction that UAE businesses in a range of sectors will have little choice but to embrace the concept of digital payments, and the fintech which supports and enables them, or else risk being overtaken by more reactive and flexible competitors. But, a word of caution; it will not be enough for businesses to simply adapt to the new ways their customers want to transact. If sanctions are to be avoided, the implications of legislation, specifically the Regulation, must be part of their evolution.