The new CBUAE Payment Token Services Regulation: 10 things you need to know

08/08/2024

In June 2024, the Central Bank of the UAE (“CBUAE”), the supervisory and regulatory authority of the banking and insurance sector within the United Arab Emirates (“UAE”), published the long awaited Payment Token Services Regulation in Circular No.2 /2024 (the “PTSR”). The publication of the PTSR marks a significant development in the UAE’s regulatory framework for virtual assets. We have highlighted ten key issues below.

1.      What activities are within scope of the PTSR?

The PTSR sets out a comprehensive framework for licensing and supervising digital payment services. The key activities covered under the PTSR include the following:

  • payment token issuance;
  • payment token conversion; and
  • payment token custody and transfer,

together referred to in the PTSR as “Payment Token Services”.

2.      What “Payment Tokens” are covered under the PTSR?

The PTSR defines a ‘Payment Token’ as “a Virtual Asset which purports to maintain a stable value by referencing the value of” fiat currency or another Payment Token denominated in the same currency. This type of token is commonly referred to as a ‘stablecoin’.

Importantly, the PTSR differentiates between ‘Dirham Payment Tokens’ and ‘Foreign Payment Tokens’. A ‘Dirham Payment Token’ means a Payment Token whose value is denominated in Dirham, or is dominated by reference to another Payment Token that is denominated in Dirham.

‘Foreign Payment Tokens’ are Payment Tokens whose value is denominated in foreign currency, or is denominated by reference to another Payment Token whose value is denominated in foreign currency.

3.      What are the licensing / registration requirements under the PTSR?

Licensing / registration requirements

The PTSR provides that no person shall perform any Payment Token Service within the UAE, or directed to persons in the UAE, unless such person is licensed (in the case of Dirham Payment Tokens) or registered (in the case of Foreign Payment Tokens) by the CBUAE to perform such Payment Token Service.

Who can obtain a license or registration

A person that intends to provide Payment Token Services must apply for one or more of the following categories of license:

    (a) Dirham Payment Token Issuer;

    (b) Payment Token Custodian and Transferor; and/or

    (c) Payment Token Conversion.

Licenses may only be given to companies which are incorporated in the UAE, including free zones but excluding financial free zones (i.e. the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market “ADGM”)).

An entity not incorporated and located in the UAE (including DIFC and ADGM entities) may apply for a Foreign Payment Token Issuer registration.

Virtual asset service providers (VASPs) which are licensed by the SCA or any local licensing authority (such as the Virtual Assets Regulatory Authority (“VARA”) of Dubai) to provide custody services for virtual assets may apply for a ‘Non-Objection Registration’ to perform payment token custody and transfers of Foreign Payment Tokens. Virtual asset exchange platform operators licensed by the Securities & Commodities Authority (“SCA”), as well as locally licensed banks and exchange houses, may also apply for a ‘Non-Objection Registration’.

4.      Are there any exclusions or exemptions?

Exclusions

The PTSR explicitly excludes the following from its scope:

  • Activities for which the service provider is licensed by (or requires a license from) the CBUAE under the Retail Payment Services and Card Schemes Regulation or the Stored Value Facilities Regulation.
  • Any information technology security, operation of technology infrastructure, trust or privacy protection service not of itself constituting a Payment Token Service.
  • Any service of providing or maintaining a communication network or distributed ledger technology.
  • Any service of providing and maintaining any terminal or device used for any Payment Token Service.
  • Any payment token transfers carried out within a payment system or securities settlement system between licensed payment token service providers and settlement agents, central counterparties, clearing houses, central banks or other participants in such system including central securities depositories.
  • Payment token transfers and related services between group companies (subject to certain requirements).

Exemptions

The PTSR also exempts certain types of Payment Tokens, including:

  • Payment Tokens used for certain reward schemes and bonus point schemes; and
  • Payment Tokens that can only be used as a means of payment for non-financial goods or services provided by the Payment Token Issuer.

The Central Bank may also exempt a Payment Token Issuer from licensing and other requirements with respect to its Payment Tokens, and specify the conditions for such exemption, where:

    (a) if the Payment Token Issuer has to hold a reserve of assets in accordance with the PTSR, the aggregate amount of this would not exceed AED 500,000 or its equivalent; and

    (b) the aggregate number of token holders is not more than 100.

5.      Are there any types of activities and tokens that are prohibited?

Yes, see below.

Prohibition on providing Payment Token Services in respect of non-Payment Tokens

The PTSR provides that no person shall perform any service, within the UAE or directed to persons in the UAE, where that service:

    (a) is performed with respect to any means of payment that is not a Payment Token; and

    (b) is a service that is similar or equivalent to a Payment Token Service.

This prohibition applies to all persons, including those acting in the course of performing virtual asset activities for which they are licensed or regulated by SCA or a local licensing authority (such as the VARA).

Prohibition on issuing or performing services relating to algorithmic stablecoins and privacy tokens

The PTSR provides that no person shall, within the UAE or directed to persons in the UAE, issue algorithmic stablecoins or privacy tokens or perform services relating to them.

Like the above prohibition, this prohibition applies to all persons, including those acting in the course of performing virtual asset activities for which they are licensed or regulated by the SCA or a local licensing authority (such as the VARA).

Restrictions on Foreign Payment Tokens

Transfers

A licensed or registered person must not knowingly initiate, facilitate, effect or direct a Foreign Payment Token transfer as part of its Payment Token Service unless the transfer is of a Foreign Payment Token issued by a registered Foreign Payment Token Issuer being lawfully used (or sold for use) as a means of payment for purchase of virtual assets or derivatives of virtual assets.

Acceptance as a means of payment

No merchant or other person in the UAE selling goods or services during the course of business may accept a Foreign Payment Token towards payment for that sale unless that Foreign Payment Token is issued by a Registered Foreign Payment Token Issuer and is being used as a means of payment for purchase of a virtual asset or virtual asset derivative.

Restrictions on Dirham Payment Token issuance

A licensed Payment Token Issuer may only issue Dirham Payment Tokens to persons resident in the UAE (although there is no other restriction under the PTSR as to the territory in which a Payment Token may be used or to or from which it may be transferred).

Prohibition on paying interest on Payment Tokens

A Payment Token Issuer may not (and may not arrange that another person shall) pay to or for the benefit of a customer:

    (a) interest related to the length of time during which the customer holds a Payment Token; or

    (b) any other benefit related to the length of time during which the customer holds a Payment Token.

Power for CBUAE to place limits on Payment Token Service providers

The CBUAE may place limits on Payment Token Issuers, Conversion Providers and Custodians relating to, amongst other things, the total volume or value of Payment Tokens they provide services in relation to, or their total number of customers.

6.      What about financial promotions in relation to Payment Token Services?

Financial promotions in relation to Payment Token Services can only be made by licensed or registered persons or those persons that are appointed by licensed or registered persons.

No person may engage in any promotion, within the UAE or directed to Persons in the UAE, relating to the use of Foreign Payment Tokens as a means of payment unless the promotion solely relates to Foreign Payment Tokens issued by Registered Foreign Payment Token Issuers and being lawfully used as a means of payment for purchase of a virtual asset or virtual asset derivative.

Promotions within the UAE or directed to persons in the UAE for the issuance of algorithmic stablecoins and privacy tokens or services relating to them are also prohibited.

7.      Can licensed firms use agents?

The provision of Payment Token Services through agents is permissible, subject to each of the following:

  • the licensed firm conducting an assessment of the arrangement and providing a report to the CBUAE with various information relating to the agent and the relationship;
  • the CBUAE assessing the suitability of the use of the agent prior to any activity being conducted by the agent; and
  • various compliance requirements being adhered to.

8.      Can licensed firms outsource the provision of their regulated services?

Yes, subject to compliance with the Outsourcing Regulation as if they were a “Bank” under such Regulation.

9.      What about consumer protection?

The PTSR includes a number of provisions aimed at protecting consumers, including requirements on firms to comply with the Consumer Protection Regulation. Further examples of consumer protection measures set out in the PTSR include:

  • Regulatory capital requirements.
  • Assessment of controllers and senior management.
  • Issuance and redemption requirements.
  • Requirements relating to the management and safekeeping of the reserve of assets.
  • Safeguarding requirements for Payment Tokens held in relation to the performance of Payment Token custody and transfer services.
  • AML / CTF requirements.
  • Payment Token white paper requirements.
  • Obligations towards customers, including robust customer agreements and the provision of pre-contractual information and transactional information.
  • Protection of payment and customer data.
  • Liability for unauthorised Payment Token transfers and refunds.
  • Corporate governance and business continuity requirements.
  • Risk management and control system requirements.
  • Technology risk and IT security requirements.

10.   Are there any transitional periods for compliance?

Yes, there is a one calendar year transitional period following the commencement of the PTSR before compliance with the Regulation is required.

Comment

The PTSR is an important development in the UAE’s ongoing programme to facilitate continued innovation in the fintech and digital economy sectors under a robust regulatory regime, which now for the first time encompasses specific rules regarding the usage of payment tokens, i.e. stablecoins.

However, many of the PTSR’s restrictions and requirements represent new challenges for virtual asset businesses to comply with, and may prove particularly challenging for the smaller scale companies and start-ups who operate in this emerging sector.

Particularly interesting points to note are the prohibition on the issuance and provision of services in relation to (as well as the promotion of) algorithmic stablecoins and privacy tokens, the restriction on Foreign Payment Token transfers otherwise than as a means of payment for purchase of virtual assets or virtual asset derivatives, and the prohibition on Payment Token issuers paying interest to customers (or arranging for other persons to do so).

How the PTSR will interact in practice with regulations imposed by other virtual assets regulators in the UAE, such as the VARA and the SCA, also remains unclear.