The new UAE Central Bank SVF Regulation

Introduction

On 30th September 2020, the UAE Central Bank (UAECB) issued its new regulation (the Regulation) on Stored Value Facilities (SVF) to support the development of digital payment services in the UAE. Through this new regulation, the UAECB aims to facilitate access to the UAE market for SVF providers, FinTech firms and Payment Service Providers (PSPs), whilst continuing to safeguard customer interests, ensure proper business conduct practice and support the development of payment products and services in the UAE. While banks are exempt from the Regulation, they are still required to notify the UAECB in writing if they plan to issue an SVF and carry out any SVF business function

Scope of the Regulation

The scope of the Regulation includes licensing, supervision and enforcement provisions applicable to companies licensed to provide SVF. Pursuant to the Regulation, financial institutions regulated by Financial Free Zones are excluded from the scope of the Regulation. However, it is possible to conduct SVF activities in the UAE after obtaining an SVF license from the UAECB.

Types of Stored Value Facility 

The Regulation introduces a variety of Stored Value Facility (SVF) activities including:

* Device-based SVF: a facility that uses devices to store values in an electronic chip on a card or physical device e.g. prepaid cards, watches or ornaments;

* Non-device Based SVF: a facility that uses a network based account to store value and is accessible via the internet, computer network or mobile network e.g. mobile e-wallets or internet based payment platforms; and 

* Single-purpose SVF : a facility that grants the individual value for certain non-monetary goods or services e.g. a closed loop facility.

Crypto Assets and Virtual Assets

The Regulation provides that both crypto assets and virtual assets may be used as a stored value to use when purchasing other goods and services. Each are defined as follows: 

• Crypto Assets means cryptographically secured digital representations of value or contractual rights that use a form of distributed ledger technology and can be transferred, stored or traded electronically.
• Virtual Assets includes digital tokens (such as digital currencies, utility tokens or asset-backed tokens) and any other virtual commodities, crypto assets and other assets of essentially the same nature.

Customer Accounts

The Regulation provides that a reasonable limit should be set by the facility provider on the value that can be stored within each type of customer account held under a SVF scheme. When opening customer accounts, SVF providers are permitted to use online channels similar to that of a banks electronic know your customer process. 

Exclusions

The Regulation does not apply to a number of SVFs including: 

• SVFs used for certain cash reward schemes;
• SVFs used for purchasing certain digital products;
• SVFs used for certain bonus point schemes;
• SVFs that can only be used within a limited group of products or services providers; and 
• Subject to being accepted by the UAECB, if the aggregate amount of the float of the facilities does not exceed AED 500,000 and the aggregate number of customers is not more than 100.

The Regulation has scrapped, among other things, the previous 60% ownership requirements of a bank, meaning companies may have a wider option of partners and are able to retain a greater shareholding. To obtain a SVF license, the applicant must, among other things, also have an effective risk management, technology risk and internal controls framework which is approved by the board of directors, including:

• Corporate governance and risk management; 
• Float management; 
• Technology risk management; 
• Payment security management; 
• Business continuity management; 
• Business conduct and Customer protection; and
• AML/CFT control systems.

Financial Resource Requirements

To assess the financial soundness of an applicant, the UAECB has introduced financial resource requirements, including the following: 

• paid-up capital of at least AED 15 million or an equivalent amount in any other currency approved by the UAECB; 
• aggregate capital funds of at least 5% of the total float received from the customers.

*An unconditional, irrevocable bank guarantee for the full paid up capital amount in favour of the Central Bank paid upon first demand shall also be submitted to the Central Bank with the application of the License. Such a guarantee should be renewable before expiry or based on the Central Bank’s demand.

Aggregate capital funds are calculated by taking the total of the paid up capital, reserves, retained earnings, minus the losses of the company. The aggregate capital funds must be at least 5% of the float. 

The Float

The UAECB describes the float as “the Customers’ funds/money/Money’s Worth paid to the Licensee in exchange for the value of the money/Money’s Worth (including Money’s Worth such as values, points, Crypto-Assets or Virtual Assets) on the facility”.

Companies are required to protect the float from insolvency and ensure customers are able to redeem their values stored on the facility at all times. 

Technology Risk Management and Governance

The Regulation provides comprehensive guidelines to establish an effective technology risk management framework to ensure the reliability, robustness, stability and availability of technology operations, payment systems, safety and efficiency of the SVF scheme. The Regulation places an emphasis on strong governance that covers various aspects of IT function including:

• IT control policies and procedures
• Identification, Estimation and Management of Technology Risk
• Implementation of full project lifecycle methodology
• Quality assurance of major technology projects
• Risk based source code review
• Segregation of duties among IT teams
• The change management process to ensure the integrity and reliability of production environment and changes to the application systems
• Baseline security requirements including configurations, system software, database, servers and network devices

Cyber Resilience

SVF is heavily reliant on Internet and mobile technologies to deliver its services. Therefore, in order to mitigate cyber security risks, the licensee should arrange adequate resources to ensure its capabilities to identify the risk, protect its critical services against an attack and contain the impact of cyber security incidents.

Information and Data Management

The Regulation emphasizes how important it is to establish a strong program and allocate adequate resources for the management and security of information and data including its ownership, classification, storage, processing, transmission and disposal.

Data is required to be stored and maintained in the UAE and should only be made available to the corresponding Customer, the UAECB and other regulatory authorities with prior approval of the UAECB, or by a UAE court order.