Technology & Digital Assets Technology

Fintech & payments

Payments · SVF · RPSCS

For a decade, payments in the UAE lived in the interstices of banking law. Today they have their own perimeter — a formal, categorised, capital-backed regime built by the Central Bank of the UAE, sitting alongside two free-zone innovation regulators. For any fintech founder, the first strategic decision is no longer whether to be licensed, but where, and under which instrument.

The Central Bank as the core regulator

The centre of gravity is the Central Bank of the UAE (CBUAE). Two instruments define the onshore payments perimeter. The Stored Value Facilities (SVF) Regulation, issued in 2020, replaced the older 2016 framework for stored values and electronic payment systems and governs any facility that holds customer funds as a redeemable float — the classic e-wallet. The Retail Payment Services and Card Schemes (RPSCS) Regulation, issued in 2021, is the more consequential text: it converts a patchwork of tolerated activity into a structured licensing regime for payment service providers and card schemes.

RPSCS is built around nine retail payment services: payment account issuance; payment instrument issuance; merchant acquiring; payment aggregation; domestic fund transfer; cross-border fund transfer; payment token services; payment initiation services; and payment account information services. The last two are the open-banking primitives — PIS and AIS — that European practitioners will recognise from PSD2.

Crucially, these services are bundled into four licence categories of descending scope:

  • Category I — the full menu, including the payment-token facet.
  • Category II — the workhorse authorisation for most wallet-and-cards businesses, excluding payment tokens.
  • Category III — domestic services only.
  • Category IV — payment initiation and account information services only, the lightest footprint for pure open-banking players.

Capital requirements scale with both category and transaction volume, and the Central Bank retains discretion to require more. The architectural point for founders is that scope is priced: you buy exactly the breadth of activity your model needs, and no more.

E-money, the float, and safeguarding

Where a business holds customer balances rather than merely moving them, the SVF Regulation engages. Here the regulatory anxiety is not fraud but insolvency — what happens to the float if the operator fails. The regime answers with a substantial paid-up capital anchor (widely cited at AED 15 million for SVF issuers), ongoing capital calibrated to the size of the float, and — most importantly — safeguarding: legal and operational segregation of customer money through trust or escrow arrangements at a UAE bank, daily reconciliation, and treasury management that prioritises liquidity over yield. A wallet operator that also issues cards and moves money cross-border will typically stack an SVF licence with an RPSCS Category II authorisation.

The strategic decision is no longer whether to be licensed, but where, and under which instrument — and whether the float you hold belongs, in law, to you or to your customers.

The Central Bank's fintech agenda

The two regulations are not standalone; they are components of the CBUAE's Financial Infrastructure Transformation (FIT) Programme, a nine-part modernisation of national payment rails. Three FIT initiatives matter most to a payments business.

Open finance

The Open Finance Regulation, published in 2024, moves the UAE beyond bank-scoped open banking toward a cross-sector data-and-payment-sharing framework. It creates a licensed Open Finance Provider role — a minimum capital figure of AED 1 million is reported — and a trust framework governing consented access. For AIS/PIS fintechs, this is the substrate on which product is built.

Aani instant payments

Aani, launched in 2023 through Al Etihad Payments (a CBUAE subsidiary), is the domestic real-time payments platform. It is an open-loop, 24/7 system addressable by proxy — a mobile number, email, or QR code — rather than by IBAN. Aani is a distribution rail: access and participation conditions shape how a licensed PSP reaches consumers instantly and cheaply, and it is domestic-only by design.

The digital dirham

At the frontier sits the digital dirham, the UAE's central bank digital currency, pursued on a two-tier intermediated model spanning retail and wholesale use, with cross-border settlement explored through the multi-CBDC mBridge platform. For now this is horizon-scanning for most fintechs, but the intermediated design means licensed institutions — not the Central Bank directly — will distribute it. That is a future channel worth architecting toward.

The free-zone innovation regimes

Parallel to the onshore CBUAE perimeter sit the two financial free zones, each with its own regulator and each expressly carved out of the CBUAE payments regulations. They offer common-law frameworks and, importantly, structured sandboxes.

  • The DFSA, in the DIFC (Dubai), operates the Innovation Testing Licence (ITL) — a restricted, time-boxed authorisation with rolling admission, letting a firm test a live model under tailored conditions before graduating to full authorisation.
  • The FSRA, in ADGM (Abu Dhabi), operates the RegLab — the region's first regulatory sandbox, historically a cohort-based, bespoke framework granting a controlled window to test before migrating to a full licence category.

The distinction to hold in mind: a free-zone licence lets you passport into DIFC or ADGM's investor-friendly, English-language, common-law environment, but it does not by itself authorise you to serve the onshore UAE market under the CBUAE regime. Many scaling fintechs ultimately need both.

Compliance touchpoints that decide viability

Whichever gate you choose, four compliance disciplines determine whether a licence is grantable and, more importantly, keepable:

  • AML/CFT — payment firms are squarely within Federal Decree-Law No. 20 of 2018 and its implementing regulation: risk-based customer due diligence, sanctions screening, transaction monitoring, and suspicious-transaction reporting to the UAE FIU via the goAML platform.
  • Safeguarding of customer funds — segregation, trust/escrow structures, and daily reconciliation, treated as a first-order licensing condition rather than an operational afterthought.
  • Outsourcing and technology risk — governance of cloud, third-party processors, and information security, with the regulator expecting the licensee to remain accountable for outsourced functions.
  • Consumer protection — the CBUAE's consumer protection framework imposes disclosure, complaint-handling, and fair-treatment obligations that bite hardest on retail-facing payment products.

Choosing a structure

The practical sequence I counsel founders through runs: define the regulated activities precisely against the nine RPSCS services; decide whether you hold a float (SVF) or merely move funds; then choose the gate. A pure open-banking play may live comfortably at RPSCS Category IV or in a free-zone sandbox. A consumer wallet with cards and remittance points to SVF plus RPSCS Category II onshore. A model that is genuinely novel — and needs to prove itself before committing capital — may start in the DFSA ITL or FSRA RegLab and graduate. The error to avoid is licence maximalism: acquiring breadth you will not use imports capital and compliance cost that can strangle an early-stage balance sheet.

Instruments referenced: CBUAE Stored Value Facilities Regulation (2020); Retail Payment Services and Card Schemes Regulation (2021); Open Finance Regulation (2024); Financial Infrastructure Transformation Programme; Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering; DFSA Innovation Testing Licence regime (DIFC); FSRA RegLab framework (ADGM). This page is general information, not legal advice.

A technology or digital-asset matter on your desk?

Every matter is handled personally. Tell me about your situation and I'll advise on the best way forward — confidentially and without obligation.

Get in touch