Nadim Bardawil
Partner nadim.bardawil@bsalaw.comNews
- Published: May 28, 2023
- Title: FinTech: How is the world shaping the financial innovation industry
- Practice: Banking and Finance, Financial Institutions, Technology, Media & Telecommunications (TMT)
The following UAE Guide, was written for the International Bar Association (IBA) Banking Law Committee, and forms part of a global report.
1. Fintech regulatory framework: a summary of the most relevant laws and regulations concerning fintech and financial innovation.
The United Arab Emirates (UAE) continues to hold its position as the leader in fintech in the Middle East. This position is maintained with the help of supportive governmental policies and most importantly, by the implementation of attractive programs, both onshore and in free zones. The UAE consists of onshore and financial free zone jurisdictions, to which different legal frameworks apply. There are currently two financial free zones in the UAE: the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM).
Contrary to other jurisdictions, the UAE does not have a single regulator responsible for the supervision of fintech activities. In fact, fintech companies often choose where they would like to do business, based on the regulatory body supervising their activity. The main regulatory bodies that exist in UAE are listed below, along with the relevant laws.
Onshore UAE
The main financial regulators in onshore UAE are
• the UAE Central Bank (CBUAE), which regulates banks, finance companies, payment service providers and insurance companies; and
• the Securities and Commodities Authority (SCA), which that regulates markets, listed companies and securities brokers.
They are primarily tasked with supervising and regulating financial activities conducted in onshore UAE.
DIFC
The Dubai Financial Services Authority (DFSA) is the principal regulatory body of the DIFC. The DFSA supervises regulated companies and monitors their compliance with applicable laws and rules. The Regulatory Law, DIFC Law No 1 of 2004 grants the DFSA its powers as a financial services regulator.
ADGM
The ADGM’s financial regulator is the Financial Services Regulatory Authority (FSRA) which has regulatory and supervision oversight of the financial services provided within its jurisdiction. The FSRA was one of the first jurisdictions to introduce (in 2018) a comprehensive and bespoke regulatory framework for the regulation of crypto asset activities. Since then, the ADGM has continued to update its legal framework to keep up with the cryptocurrency ecosystem.
Several laws have been enacted with the aim to either supplement existing legislation or create new legislation to address disruptive technology in financial services. Some of these include large value payment systems regulations, security tokens and of course cryptocurrency regulations.
Central Bank Circular No 9/2020 on Large-Value Payment Systems Regulations
This Regulation focuses on large-value payment systems (LVPSs) which are financial infrastructure systems that support the financial and wholesale activities in the UAE. The regulation covers the licensing requirements in relation to LVPSs as well as the obligations and ongoing requirements in relation to a designated LVPS. The Regulation applies to:
• LVPSs that are operated in the UAE; or
• LVPSs that accept the clearing or settlement of transfer orders denominated in the AED currency both in the UAE or outside the UAE.
The regulation does not apply to LVPS incorporated in financial free zones, unless when expressly provided for.
The Stored Value Facilities regulation
The stored value facilities (SVF) regulation, issued in September 2020, repeals and replaces the regulatory framework for stored value and electronic payment systems.
An SVF is defined as a facility whereby a customer can pay a sum of money to the SVF issuer in exchange for the storage of that money on the facility. This regulation applies to companies wishing to undertake a SVF activity, with certain exceptions.
This regulation is highly focused on technology and risk management, and includes extensive obligations around cyber security and technology governance that businesses will need to consider when setting up a SVF activity in the UAE.
Regulation of security tokens
The DFSA has launched its regulatory framework for investment tokens based on its Consultation Paper No 138 – Regulation of Security Tokens, published in March 2021. Investment token is defined to include:
• a security (which includes, for example, a share, debenture or warrant) or derivative (an option or future) in the form of a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using distributed ledger technology (DLT) or other similar technology; or
• a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using DLT or other similar technology and:
○ confers rights and obligations that are substantially similar in nature to those conferred by a security or derivative; or
○ has a substantially similar purpose or effect to a security or derivative.
Key cryptocurrencies (ie Bitcoin, ETH) are not subject to this regulatory framework, given that they are not securities, nor are considered substantially similar in nature or purpose to a security or derivative.
Companies who wish to undertake financial services relating to investment tokens in or from the DIFC (ie, issuing, trading, holding, dealing in, advising on, managing portfolios etc) must meet certain licensing and technological requirements set by the DFSA.
The DFSA Rulebook General Module
The DFSA is the regulatory authority for the DIFC financial free zone. DFSA’s objective is to contribute to the stability of the UAE financial system by examining and supervising the financial activities conducted in or from the DIFC.
The DFSA Rulebook sets out the DFSA’s requirements for authorised companies, including banks, brokers and dealers, asset managers, corporate financiers, wealth managers, insurers, and insurance intermediaries.
Depending on the type of financial services business that is conducted in the DIFC, financial institutions will need to obtain the appropriate DFSA regulatory approval and be authorised to undertake the specified regulated activities.
If financial services wish to conduct any of these financial businesses in the DIFC, they must comply with all DFSA rules and regulations.
The FSRA regulatory framework for the authorisation and supervision of fintech
The FSRA manages any potential risks to the marketplace and oversees all financial activities within the ADGM international financial centre. By promoting a supportive and well-regulated 136 International Bar Association Banking Law Committee environment, the FSRA plays a vital role in attracting businesses to the ADGM, helping it grow into a leading international financial centre.
The FSRA introduced a new regulatory framework in 2021 for the authorisation and supervision of fintech companies providing third-party services to customers of financial institutions.
This new regulatory framework enables the FSRA to grant licences to fintech companies providing third-party financial technology services to customers of authorised financial institutions in the ADGM. The FSRA will also be able to impose requirements on these companies and supervise their activities. This regulatory framework promotes innovation in the financial services sector while ensuring that customers are protected from risks. It is intended that the introduction of the new regulatory framework will encourage more fintech companies to enter the ADGM market and provide innovative new services to customers.
Regulatory and insurance technology
In the wake of Covid-19, financial institutions were forced to move to remote working models, which was difficult to monitor, especially in terms of regulatory compliance. To deal with the pandemic and mitigate risks incurred, the UAE continued to push for the emergence of regulatory technology (RegTech), whereby artificial intelligence (AI) was used to help companies meet their due diligence requirements.
Regulations Lab (RegLab) was launched in January 2019 in partnership with Dubai Future Foundation, pursuant to a federal law issued in 2018 authorising the UAE Cabinet to grant temporary licences for the testing and vetting of innovations that use future technologies and its applications such as AI. RegLab was designed to proactively anticipate and develop future legislation governing the use and applications of emerging technologies in the UAE in ways that maximise the benefits and minimise the risks. It aims to create a reliable and transparent legislative environment, introduce new or develop existing legislation and regulate advanced technological products.
RegLab works closely with lawmakers from federal and local government authorities, as well as the private sector and business leaders to support the UAE’s role as a global incubator of innovations and creative projects.
Insurance Technology (insurtech) is now engrained in the region after having gained popularity at a slow but steady pace in the UAE. Most insurtech startups are focused on (1) offering comparison features to users allowing them to select the insurance package that best suits their needs, (2) digitising the process of subscribing to an insurance policy, and/or (3) streamlining processes between insurance companies using blockchain technology.
It is worth noting that we have seen traditional insurance companies collaborating with insurtechs to improve their efficiency which is an indicator of the potential and benefits of the insurtech industry.
2. Regulations on crypto assets: a summary of the legal framework regarding crypto assets and how they are regulated.
Onshore UAE
The SCA issued Decision No 23 of 2020 concerning the Crypto Assets Activities Regulation (CAAR), which aims to regulate and licence key aspects of dealing in crypto assets – including the issuance and promotion thereof, provision of crypto asset custody services, operating exchanges, and fundraising platforms.
The CAAR applies to most forms of crypto assets which are listed and available for trading on a recognised market, whether securities or otherwise. The CAAR is not intended to include items regulated by the CBUAE such as currencies, virtual currencies, digital currencies, stored-value units, payment tokens and payment units.
Generally, there are two main requirements to provide cryptocurrency assets or related services in the UAE:
• The service provider must be incorporated onshore within the UAE or any of the UAE’s financial free zones.
• The service provider must be licensed by the SCA.
DIFC
Having previously excluded crypto assets from the scope of application of issued regulations regarding security tokens and investment tokens, the DFSA issued a consultation paper on the regulation of crypto tokens in early March 2022. The DFSA was influenced by the increase in the use of cryptocurrency as a means for financial transactions. Following this public consultation paper, the DFSA will enact legislation as needed.
ADGM
The FSRA has released a framework in conjunction with its original guidance issued in 2017. The Framework makes it evident that:
• crypto asset activities may only be allowed in connection with crypto assets that are categorised as accepted crypto assets – ie, those crypto assets that fulfil criteria prescribed by the FSRA; and any person dealing with such accepted crypto assets including intermediaries (such as brokers/ dealers, asset managers, crypto asset exchanges and crypto asset custodians) involved in dealing, managing or arranging accepted crypto assets would require a financial service provider to operate in and from the ADGM.
Dubai World Trade Centre
The Virtual Assets Law No 4/2022 (VAL) was issued whereby establishing a framework for the regulation of virtual assets in Dubai and creating a regulatory authority for virtual assets called the 138 International Bar Association Banking Law Committee Virtual Assets Regulatory Authority (VARA). While implementing regulations of the VAL have not been issued yet, we anticipate permission for comprehensive cryptocurrency related activities.
VARA has unveiled the guidelines governing the marketing and promotion of digital assets. These guidelines are said to ensure ‘factual accuracy, explicitly demonstrate any promotional intent and in no way mislead on the guaranteed nature of their returns’.
3. Payment service providers and digital wallets: a summary of regulations applying to payment service providers and/or digital wallets.
Onshore UAE
The sources of payments law in onshore UAE principally consist of four regulations, which have been enacted by CBUAE as follows:
• The Stored Value Facilities Regulation, issued in November 2020;
• The Large Value Payment Regulation, issued in January 2021;
• The Retail Payment Systems Regulation, issued in January 2021; and
• The Retail Payment Services and Card Schemes Regulation, issued in July 2021.
DIFC
The sources of payments law in DIFC are found in the DFSA Rulebook, specifically the DFSA Rulebook Conduct of Business Module or COB. The DFSA issued a new financial services category in April 2020, categorised as money services under Category 3D; this covers payment service providers.
ADGM
The FSRA regulates financial services conducted in or from the ADGM. The sources of payments law in the ADGM are found in the FSRA Rulebook, which has added a money services activity in October 2020 under a Category 3C licence.
New law or regulation foreseen in the future
The CBUAE, along with the SCA, DFSA and FSRA, released a consultation paper titled Guidelines for Financial Institutions adopting Enabling Technologies in 2021. The Guidelines laid down certain key principles for financial institutions to apply when using enabling technologies, such as application programming interfaces (APIs), cloud computing, biometrics, big data analytics, AI and DLT. The Guidelines were published to invite consultation from stakeholders. However, concrete guidelines on integrating enabling technologies into financial services are still to be issued by the CBUAE.
4. Special support to fintechs: a description of special programmes supporting the fintech ecosystem, fintech startups (eg, regulatory sandboxes and accelerator programmes) and regulations regarding special support.
Various initiatives have been taken to encourage innovation, especially in the financial sector. Most notably, regulators have put in place sandbox regimes to allow innovators to test their products under more lenient regulatory requirements.
Onshore UAE
In the past couple of years, many government authorities have shown an increasing interest in fintech. In fact, many initiatives to encourage the emergence of fintech in the UAE has been introduced. Notably, the SCA has put in place a pilot regulatory environment (sandbox) to encourage innovation in the fintech industry and allow entrepreneurs to test their products in more relaxed regulatory environments.
Furthermore, CBUAE launched a fintech office in the second half of 2020 to support startups and build a mature fintech ecosystem in the UAE.
DIFC
The DIFC launched an accelerator programme, named the Fintech Hive, to encourage cuttingedge fintech solutions for leading financial institutions. Pursuant to this programme, the DIFC established an innovation testing licence which permits qualifying fintech companies to develop and test innovative concepts for a period of six to 12 months without being subject to all regulatory requirements that normally apply to regulated companies. If the outcomes detailed in the regulatory test plan are fulfilled, and the participating company can satisfy DFSA requirements, it may migrate to full authorisation. If on the contrary, such conditions are not met, the company must cease to carry on any and all activities requiring regulation in the DIFC.
ADGM
The ADGM launched an accelerator program named the Regulatory Laboratory to encourage cutting-edge fintech solutions for leading financial institutions. Pursuant to this program, the ADGM established a special type of financial services permission (ie, a licence) which allows qualifying fintech companies to develop and test innovative concepts for up to two years without being subject to all regulatory requirements that normally apply to regulated companies.
If participating companies are capable of meeting ADGM requirements at the expiry of the licence, they may be transferred to the regular authorisation and supervision review. If such companies cannot meet these requirements, they must cease to carry on activities requiring regulation in the ADGM.
In addition to launching an accelerator program, the ADGM added legislation in the Financial Services and Markets Regulations specifically addressing the emergence of new technologies, namely crypto assets.
The CBUAE and ADGM have together signed a fintech cooperation agreement to develop fintech initiatives. This agreement will improve their collaboration along with a co-sandbox programme. Additionally, the DIFC and the CBUAE have also signed a cooperation agreement in the field of fintech with the implementation of a co-sandbox programme.
5. Open banking: a summary of regulations regarding open banking and direct or indirect regulations that affect open banking.
Onshore UAE
No regulations targeting open banking have expressly been issued. Several regulations can notably be relied on to conclude the UAE’s position on open banking. For example, we note the Retail Payment Services and Card Schemes Regulation regulates and mandates the licensing of account information services (AIS) and payment initiation services (PIS).
DIFC
The DFSA recognises money service businesses as a category of activities that require its authorisation and licensing. Money service businesses are further categorised into two groups: (1) arranging and advising on money services; and (2) providing money services. Entities involved in arranging and advising on money services include AIS and PIS that enable them to provide open banking services. In April 2022, the DFSA granted its first AIS and PIS licence to Tarabut Gateway to provide open banking services in and from the DIFC.
ADGM
Like the DFSA, the FSRA issues licences to entities involved in money service businesses. By obtaining a Category 3C licence, companies can engage in money service business activities, including arranging and advising on money services.
The full global report can be downloaded here: FinTech: How is the world shaping the financial innovation industry.