Fintech in UAE 2024

Fintech in UAE 2024

FINTECH 2024

UNITED ARAB EMIRATES

Raza Rizvi, Muneer Khan

(Simmons & Simmons)

FINTECH LANDSCAPE AND INITIATIVES

General innovation climate

1. What is the general state of fintech innovation in your jurisdiction?

There is a progressive and ambitious vision around fintech innovation in the UAE, with some fintech subsectors generating more notable and scaled innovation than others. Government and public-sector entities and regulators play a key role in the innovation strategies across most industry verticals and this is also the case for fintech. From a financial services regulatory perspective, the UAE comprises three separate and independent jurisdictions:

• the Dubai International Financial Centre (DIFC);
• the Abu Dhabi Global Market (ADGM); and
• the remainder of the UAE (often referred to as ‘onshore’ or ‘onshore UAE’).

Federal-level financial services regulators have jurisdiction over onshore UAE; however, the DIFC and the ADGM each have their own regulatory bodies, and all the various regulators across all three jurisdictions have identified fintech innovation (albeit with some different flavors) as a key priority.

In the DIFC, the DIFC FinTech Hive runs a now well-established accelerator program that has focused on fintech, insurtech, regtech and Islamic fintech start-ups. In tandem, the DIFC’s financial services regulator, the Dubai Financial Services Authority (DFSA) launched its Innovation Testing license (ITL), a regulatory sandbox in 2017. These initiatives are in line with the goals of the Dubai Plan 2021 strategy to develop Dubai’s economy. The DFSA has also signed a number of bilateral fintech agreements with other regulators globally, such as with the Monetary Authority of Singapore in August 2018 and Japan’s Financial Services Agency in September 2018, to cooperate in the development of fintech and to foster innovation in their respective jurisdictions. Other similar agreements that the DFSA has entered into include with the Australian Securities and Investment Commission, the Hong Kong Monetary Authority, the Hong Kong Securities and Futures Commission, the Hong Kong Insurance Authority and the Securities Commission Malaysia.

In 2023, the DIFC introduced the DIFC Launchpad as the world’s first venture studio platform exclusively focused on promoting the growth of innovative start-ups and scale-ups in the region. To accompany this initiative, the DIFC introduced the Venture Studio Regulations as the first global legal framework for the venture-building model.

Similarly, the ADGM’s financial services regulator, the Financial Services Regulatory Authority (FSRA) launched its regulatory sandbox, the Regulatory Laboratory (RegLab) following the implementation of its fintech legislative framework. The ADGM has also partnered with the Association of Southeast Asian Nations Financial Innovation Network, which launched a digital marketplace – the Application Programming Interface Exchange (APIX) – for South-East Asia to support financial inclusion, to test the cross-border connectivity between the ADGM Digital Sandbox and APIX.

Both the DFSA and the FSRA are members of the Global Financial Innovation Network (GFIN), to, among other objectives, assist with cross-border testing of fintech solutions.

Beyond the DIFC and ADGM financial free zones, there are a number of other initiatives to foster innovation in the UAE that cross over into the UAE fintech sector. Additionally, the Smart Dubai initiative is the Emirate of Dubai government office charged with facilitating Dubai’s citywide smart transformation, to empower, deliver and promote an efficient, seamless, safe and impactful city experience for residents and visitors. Among its key initiatives are the development of Dubai’s first Artificial Intelligence Smart lab and the Dubai Blockchain Strategy, which is a collaboration between the Smart Dubai Office and the Dubai Future Foundation to continually explore and evaluate the latest technology innovations. The UAE created the first Minister of Artificial Intelligence with a mandate that will cross over into fintech innovation.

In May 2021, another key freezone, the Dubai Multi Commodities Centre (DMCC) launched the DMCC Crypto Centre to provide an ecosystem for businesses operating in the cryptographic and blockchain sectors. The DMCC inked a memorandum of understanding with the UAE Securities and Commodities Authority (SCA) to provide a regulatory framework for crypto-related businesses. Following on from this, it should be noted that 2022 was a hugely significant year for the UAE’s crypto ambitions with the introduction of the Virtual Assets Regulatory Authority as the world’s first independent regulator for virtual assets.

In February 2023, the UAE Central Bank issued a press release announcing the launch of the Financial Infrastructure Transformation (FIT) Program to promote the digital transformation across the financial services sector in the region. The FIT Program is set to be integrated by 2026 and is divided into nine key pillars, one being central bank digital currency (CBDC). This initiative is part of the first stage of the implementation of the program, which aims to develop a number of digital payment infrastructures and services such as the issuance of CBDCs for cross-border and domestic uses. According to the press release, by doing this the UAE Central Bank aims to improve the inefficiencies of domestic payments.

This and other notable initiatives around crypto, digital assets and other payments innovation geared towards supporting the UAE’s Web 3.0 ambitions reinforce the widely held view that in this region, the UAE is breaking new ground in fintech innovation.

Government and regulatory support

2. Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

The UAE’s financial services free zones (namely, the ADGM and the DIFC) each have their own regulators that have launched initiatives to enable fintech businesses to participate and test their solutions in environments with lighter-touch regulation.

In the ADGM, the FSRA has created a RegLab. Participants in the RegLab are not subjected to the full suite of authorization regulations and rules from the outset; rather, a customized set of rules will be applied, which will depend on the business model, the technology deployed and the risk profile of the fintech participant.

Under the RegLab framework, fintech participants are given two years to develop, test and launch their products and services in a controlled environment, after which fintech participants with viable business models will be transferred to the full authorization and supervisory regime (provided they meet the authorization criteria). Firms that are not ready after the two-year period will exit the RegLab framework.

In the DIFC, the DFSA has created the ITL, which fintech companies can apply for to test an innovative product or service for six to 12 months. In exceptional cases, the DFSA will consider extending that period. If an ITL licensee has met the outcomes detailed in its regulatory test plan, and it can meet the full DFSA authorization requirements, it will migrate to full authorization. If it does not, the company will have to cease carrying on activities in the DIFC that need regulation. The DIFC also launched a fintech fund of US$100 million fund with a stated objective to help promising start-ups raise growth capital, while also supporting their outreach and connections within the wider financial services industry.

To further the ambition of innovation of Dubai and the UAE in the financial world, the DFSA and the FSRA are committed to cross-border testing under the direction of the GFIN. The purpose of such a pilot scheme is to assist in providing efficient ways for fintech firms to engage with regulators across multiple jurisdictions.

FINANCIAL REGULATION

Regulatory bodies

3. Which bodies regulate the provision of fintech products and services?

For banking and lending-related activities in onshore UAE, the financial services regulator is the UAE Central Bank, while for securities and capital markets-related matters, the UAE Securities and Commodities Authority (SCA) is the relevant regulator. Following the merger between the UAE Central Bank and the UAE Insurance Authority under Decretal Federal Law No. 25 of 2020, the UAE Central Bank is now also the Onshore UAE insurance sector regulator.

In February 2022, Law No. 4/2022 Regulating Virtual Assets in the Emirate of Dubai (the Dubai Virtual Assets Law), creating the Virtual Assets Regulatory Authority (VARA), was passed. VARA regulates businesses relating to virtual assets, including cryptoassets and non-fungible tokens (NFTs) in the Emirate of Dubai including all special development zones and free zones in Dubai, other than the Dubai International Financial Centre (DIFC). Since VARA’s introduction, it has enacted the Virtual Assets and Related Activities Regulations 2023 (the Virtual Assets Regulations), establishing a central legal framework for virtual asset service providers (VASPs) to advance VARA’s regulatory objectives in Dubai’s virtual assets space.

For all regulated financial activities in the DIFC, the regulator is the Dubai Financial Services Authority (DFSA). For all regulated financial activities in the Abu Dhabi Global Market (ADGM), the regulator is the Financial Services Regulatory Authority (FSRA).

It should also be noted that the UAE Central Bank established the FinTech Office, following its announcement at the FinTech Abu Dhabi 2020, to foster the development of the fintech sector, placing the country at the forefront of the market. However, it is important to highlight that the FinTech Office’s aim is to embrace innovation and digital transformation but does not have its own regulatory mandate and has no regulatory purposes.

Regulated activities

4. Which activities trigger a licensing requirement in your jurisdiction?

The onshore UAE regulatory regime is separate and different from the regulatory regime found in the DIFC and the ADGM. So, when considering the UAE, it is important to first ask which specific jurisdiction and financial regulatory regime is applicable.

As financial free zones, both the DIFC and the ADGM have their own common law-based commercial and civil legal and financial services regulatory frameworks, as well as their own dedicated courts. The DFSA is the financial services regulator for activities conducted in or from the DIFC and the FSRA regulates financial services activities in or from the ADGM. The relevant federal onshore UAE (namely, in the UAE but outside the DIFC and ADGM) financial regulators are the SCA and the UAE Central Bank. The UAE Central Bank is the prudential regulator for onshore UAE and mainly regulates activities relating to banking and lending activities such as:

• deposit-taking (including sweep deposit accounts);
• foreign exchange trading;
• guarantees and commitments;
• payment services (including the issuance of payment instruments and other means of payments);
• primary lending;
• factoring;
• invoice discounting;
• arranging primary loans;
• secondary market loan trading; and
• secondary market loan intermediation.

Outside the banking and lending context, the UAE Central Bank was historically the sole financial services regulator for onshore UAE prior to the establishment of the SCA (in 2001) and the UAE Insurance Authority (IA) (in 2007). However, the IA has now been absorbed by the UAE Central Bank. There are therefore some other areas of financial activity that the UAE Central Bank continues to regulate – such as, among other things, currency brokerage, money exchange and some activities that would be typically associated with investment banking.

Generally, the types of regulated activities in onshore UAE, the DIFC and the ADGM include, among other things:

• the marketing and sale of securities;
• providing investment advice;
• dealing in products and investments (either as principal or agent);
• underwriting and placing financial products;
• offering and providing discretionary investment management services;
• marketing or selling funds (including the provision of investment advice);
• accepting deposits;
• providing credit;
• providing money services;
• arranging deals in investments;
• managing assets;
• managing a collective investment fund;
• advising on financial products; and
• insurance intermediation.

Securities and financial products that are regulated by the respective financial services regulators across onshore UAE, the DIFC and the ADGM include, but are not limited to, equity securities, debt securities, linked products, derivatives, structured products, deposits, notes and warrants.

The Securities and Commodities Authority Decision No. 23/RM/2020 Concerning Crypto Assets Activities Regulation (the Crypto Assets Regulation) establishes a regime for crypto trading within the UAE. The Crypto Assets Regulation is applicable to exchanges, crowdfunding platforms and other related financial services based on leveraging cryptoassets. The following are considered to fall under the ambit of the Crypto Assets Regulation:

• promoting, offering or issuing cryptoassets in the UAE;
• providing cryptoasset custody services, operating an exchange for cryptoassets or operating a crypto fundraising platform in the UAE; and
• carrying on any other financial activities relating to cryptoassets such as promotion and marketing, issuance and distribution, advice, brokerage, custody and safekeeping, fundraising and operating an exchange.

More recently, VARA imposes the obligation to obtain an express authorization from VARA when carrying out seven virtual asset activities, including:

• advisory services;
• broker-dealer services;
• custody services;
• exchange services;
• payments and remittances services;
• management and investment services; and
• transfer and settlement services.

VASPs that fulfill VARA’s licensing requirements are also required to comply with activity-specific rulebooks (in addition to the five VARA compulsory rulebooks) relating to their provision of the relevant virtual asset activities.

Consumer lending

5. Is consumer lending regulated in your jurisdiction?

Yes. Article 65 of UAE Decretal Federal Law No. 14 of 2018 Regarding the Central Bank and Organization of Financial Institutions and Activities provides that the UAE Central Bank will regulate, among other things, the activities of ‘providing credit facilities of all types’, ‘providing stored values services, electronic retail payments and digital money services’ and ‘providing virtual banking services’.

With regard to the provision and booking of these services ‘in or from’ either the DIFC or the ADGM, these activities are likely to be considered as ‘providing credit’, which will require a license from either the DFSA or FSRA respectively. To the extent that these services are only ‘advised’ on or ‘arranged’ from the same jurisdictions, an appropriate license would also be required from either the DFSA or FSRA. If these services are merely promoted (with no ‘advising’ or ‘arranging’) ‘in or from’ either financial free zone, unless an exemption applies, a Representative Office license would be required from either the DFSA or the FSRA respectively.

In November 2020, the UAE Central Bank issued the Consumer Protection Regulations 2020 to ensure the protection of consumers’ interests in their use of any financial product, service or relationship with licensed financial institutions. This ensures that the licensed financial institutions’ approach to consumer protection is in line with international standards. Along with the objective of promoting a culture within licensed financial institutions of respecting and acting in the best interest of consumers, it specifically aims to protect consumers by defining the institutional obligations for the protection of consumers.

Secondary market loan trading

6. Are there restrictions on trading loans in the secondary market in your jurisdiction?

Secondary market loan trading is an activity regulated by the UAE Central Bank. It constitutes primary lending and is regulated whether or not the loan has been fully drawn. The trading of loans would also constitute a regulated financial services activity in the DIFC and the ADGM.

Collective investment schemes

7. Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

In onshore UAE, there is a general prohibition on marketing unregistered collective investment schemes (i.e, funds) unless they have been registered with the SCA accordingly (either for private or public promotion). However, the onshore UAE marketing prohibition does not apply to the promotion of foreign funds to a non-natural ‘qualified investor’. A non-natural qualified investor is defined in the SCA rules and includes the federal government, among others.

There is a private placement regime under the SCA rules, where if the potential investor is a natural person, foreign funds can be registered for private placement by an SCA-licensed promoter subject to several conditions.

With regard to the DIFC, there is a prohibition on marketing unregistered funds in the DIFC except through a DFSA-licensed intermediary with the appropriate type of license, unless an exemption applies. The prohibition on the offer or sale of a fund only applies where this activity is carried out ‘in or from’ the DIFC. It is not possible to register a foreign fund for distribution in the DIFC. Funds need only be registered with the DFSA if they are domiciled in the DIFC. There are currently relatively few funds domiciled in the DIFC and so most funds marketed in the DIFC are foreign (i.e, non-DIFC-domiciled) and, therefore, unregistered. However, all funds and collective investment schemes promoted ‘in or from’ the DIFC need to meet a fund eligibility criteria.

Once a marketing entity holds the appropriate license it may market foreign-domiciled funds or DIFC-domiciled funds, provided it markets only to investors within the scope of its license, and in the case of any foreign fund:

• the fund qualifies as a ‘designated’ or ‘non-designated fund’;
• the marketing entity has a reasonable basis for recommending a fund as suitable to a particular client; or
• the fund offered discreetly to persons who are professional clients and the minimum subscription per investor is US$50,000.

Similar provisions exist with regard to the ADGM.

Following a public consultation, the DFSA updated its rules to include ‘operating a crowdfunding platform’ as a regulated activity.

With regard to onshore UAE, Circular No. 7/2020, the Loan-Based Crowdfunding Activities Regulation, was published in October 2020 by the UAE Central Bank. This regulates the operation of crowdfunding companies, platforms, borrowers, lending and controls over client money. The regulation sets out rules on the requirements for entities that can be involved in such regulated activities and the segregation of crowdfunding money to be held within UAE banks with such accounts being required to be audited regularly.

However, depending on the specific activities undertaken (i.e, where the platform merely introduces two independent contracting parties or if the platform is actively establishing a fund or offering securities), the activity may potentially fall under existing UAE Central Bank or SCA regulation.

Alternative investment funds

8. Are managers of alternative investment funds regulated?

Yes, managers of alternative investment funds are regulated in onshore UAE, the DIFC and the ADGM.

Peer-to-peer and marketplace lending

9. Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Lending is a regulated activity whereby intermediary platforms are required to obtain approvals to operate from the UAE Central Bank, which would trigger compliance requirements on the platform including the proper vetting of borrowers and anti-money laundering checks.

While interest is prohibited under articles 458 to 459 of Federal Decree-Law No. 31/2021 On the Issuance of the Crimes and Penalties Law and is void under articles 204 and 714 of the Civil Code, interest is permitted under articles 72 of the Commercial Code, provided it does not exceed 9 percent. In any case, UAE Federal Supreme Court Decision No. 14/9 of 28 June 1981 permits the charging of simple interest (presumably as opposed to compound interest) in connection with banking operations.

On 1 August 2017, changes to the DFSA rules came into force that introduced rules relevant to crowdfunding. Additional rules, which included investment limits and property valuation requirements in the context of property crowdfunding, came into force on 1 July 2019.

In September 2018, the ADGM launched the Guidance on the Regulatory Framework for Private Financing Platforms after holding a consultation on the matter. This framework intends to regulate operators of private financing platforms serving equity investment, debt financing and trade receivables funding needs of start-ups, private enterprises and small and medium-sized enterprises (SMEs). It contains rules on loan-based or investment-based crowdfunding, which affects private financing platform operators that seek to connect clients or investors to their stakeholders.

Crowdfunding

10. Describe any specific regulation of crowdfunding in your jurisdiction.

Financial services in the UAE are regulated either by the UAE Central Bank or the SCA depending on the nature of the activity. In respect of financial free zones in the UAE, such activities are regulated by the DFSA in the DIFC, and the FSRA in the ADGM. In particular, issues of securities by UAE companies are regulated under the UAE Companies Law (Federal Law No. 2 of 2015) (as amended by Federal Decree-Law No. 26/2020 on the amendment of certain provisions of Federal Law No.2/2015 on Commercial Companies) and regulations issued by the SCA. As such, under the UAE Companies Law, only public joint-stock companies may offer securities by way of a public subscription through a prospectus. Other companies, whether incorporated in the UAE (onshore or in a free zone) or in a foreign jurisdiction, are prohibited from advertising including the invitation to a public subscription without the approval of the SCA. In practice, private joint-stock companies are entitled to issue securities to sophisticated investors by way of a private placement. Accordingly, this regulatory limitation restricts the ability of limited liability companies, the legal form adopted by most SMEs in the UAE, from raising funds through equity-based crowdfunding.

In recent times, changes to the DFSA rules came into force that introduced rules relevant to crowdfunding. Additional rules, which included investment limits and property valuation requirements in the context of property crowdfunding, came into force on 1 July 2019.

The FSRA previously issued the Guidance on Regulatory Framework for Private Financing Platforms, which seeks to regulate crowdfunding activities aimed at private companies (start-ups to SMEs) to source alternative financing from private and institutional investors. Regulatory requirements include capital requirements, risk analysis, due diligence, marketing restrictions and limits on exit options.

The UAE Central Bank has published Circular No. 7 of 2020 Loan-Based Crowd Funding Activities Regulations containing a framework for licensing, regulating and monitoring load-based crowdfunding platforms (CFPs), safeguarding the financial system from the risks posed by such platforms, assisting in administering the loans resulting from CFP operations as well as to safeguard the interests of the consumers in the UAE.

Invoice trading

11. Describe any specific regulation of invoice trading in your jurisdiction.

Invoice trading currently falls within the activity of ‘arranging credit’ within the DIFC and is regulated as such by the DFSA. Similar provisions exist in the ADGM. With regard to onshore UAE, invoice trading will require a form of regulatory license either from the UAE Central Bank (if its activities fall under Federal Decree-Law No. 16/2021 on Factoring and Transfer of Civil Accounts Receivable) or the SCA (if invoices were to be considered as a financial product falling within the SCA’s Promoting and Introducing Regulations – Regulation 3/RM of 2017). To the extent that services are merely promoted within onshore UAE, the DIFC or the ADGM, a Representative Office license in the respective jurisdiction would be required.

Payment services

12. Are payment services regulated in your jurisdiction?

Yes. In 2017, the UAE Central Bank published its Regulatory Framework for Stored Values and Electronic Payment Systems, which singularly covered digital payment services.

This has since been replaced by the UAE Central Bank’s Stored Value Facilities Regulation (the SVF Regulation), issued in September 2020. In addition, the UAE Central Bank issued the Retail Payment Systems Regulation (the RPS Regulation) and the Large Value Payment Systems Regulations (the LVPS Regulation) in January 2021. Further, the Retail Payment Services and Card Schemes Regulation (the RPSCS Regulation) was issued in July 2021. Together, the four regulations now cover the regulatory framework for payment system providers in the UAE (the Payment Services Regulations).

The SVF Regulation covers the licensing, enforcement and supervision of SVF in the UAE as well as non-UAE entities that promote SVF on a cross-border basis.

The RPS Regulation sets out the licensing, designation and oversight framework that the Central Bank intends to follow with respect to the licensing and designation of RPS. It aims to ensure the safety and efficiency and smooth and efficient operation of the financial infrastructure system.

The LVPS Regulation applies to LVPS operating in the UAE or those that accept clearing or settlement of transfer orders denominated in the UAE dirham both within the UAE and outside. The LVPS Regulation requires compliance with the provisions of the Principle of Financial Market Infrastructures. It also covers the licensing obligations and requirements in relation to LVPS as well as the ongoing requirements for designated LVPS.

The RPSCS Regulation sets out the rules and conditions for acquiring and maintaining a license for the provision of retail payment services and operating a card scheme. The term ‘retail payment services’ comprises nine defined categories of retail payments services: payment account issuance services, payment instrument issuance services, merchant acquiring services, payment aggregation services, domestic and cross-border fund transfer services, payment token services, payment initiation services and payment account information services.

The Payment Services Regulations each point to various other UAE Central Bank instruments and should therefore be considered in a wider context.

In the DIFC, following the publication of the DFSA’s Consultation Paper No. 125 on Proposals for Money Services in 2019, the DFSA Rulebook Conduct of Business Module (COB Module) was amended to introduce requirements for the provision of money services in relation to electronic money in the DIFC.

The FSRA issued enhancements to its Regulations and Rules concerning providing money services (PMS) in November 2020. The improvements include amendments to the scope of PMS as well as the introduction of a new set of rules in the FSRA’s COB Rulebook for payment accounts and stored value services as well as more risk-sensitive capital requirements for such services.

The recent Virtual Assets Regulations also provide ‘payment and remittances services’ as one of the seven virtual assets activities covered by the new regulations. All VASPs operating in Dubai must now be licensed by VARA and must also comply with the compulsory and activity-specific rulebooks. The payments-related rulebook was published in June 2023.

Open banking

13. Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

Other than in the context of a regulatory or official investigation, there is no specific obligation in UAE legislation requiring the disclosure of data to third parties.

The general position is that financial institutions that are in a position to collect and store data from the public are bound by a duty of confidentiality. A breach of this duty of confidentiality could attract criminal liability under article 432 of the UAE Penal Code. Further, article 106 of the Banking Law requires the UAE Central Bank to keep confidential all banking data that it receives.

In February 2023, the Central Bank of the UAE issued a press release announcing the launch of the Financial Infrastructure Transformation (FIT) Program to promote the digital transformation across the financial services sector in the region. The FIT Program is set to be integrated by 2026 and is divided into nine key pillars, one being open finance. This initiative is part of the second stage of the implementation of the program, which aims to develop a number of digital infrastructures, including the establishment of open finance platforms to foster cost-efficiency, innovation, customer experience and improve regulatory compliance security and operational resilience. In particular, by developing open finance infrastructures, the UAE Central Bank wishes to strengthen collaboration in the financial services sectors through interconnectivity and interoperability among all players and institutions.

Robo-advice

14. Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.

The FSRA has issued a regulatory framework for digital investment managers (robo-advisers) operating in the ADGM. To supplement this, the FSRA has also released guidance to illustrate how its regulatory framework applies to robo-advisers in the ADGM. In particular, the guidance outlines:

• the regulatory permission that may be required to provide digital investments services in or from the ADGM; and
• how the FSRA will apply its authorization criteria in key existing areas of technology governance, suitability and disclosure, and newer areas such as algorithm governance.

Insurance products

15. Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Nothing in current DIFC or ADGM legislation specifically regulates fintech companies that wish to sell or market insurance products, and, therefore, the general regulation around the sale and marketing of insurance products in the relevant jurisdictions applies.

Insurance operations in onshore UAE are now regulated by the UAE Central Bank following the merger between the Insurance Authority and the UAE Central Bank under Federal Decree-Law No. 25 of 2020. The UAE Central Bank has assumed regulatory, supervisory, licensing and enforcement functions for the insurance sector.

The Electronic Insurance Regulations 2020 (Insurance Authority Board of Directors’ Resolution No. 18 of 2020) was introduced to regulate insurance agents, actuaries, brokers, surveyors and insurance consultants carrying out insurance activities via electronic operations. Prior approval must be obtained to conduct insurance activity electronically and requires a raft of safeguards relating to electronic transactions including risk analysis and contingency plans for system disruptions.

The UAE Central Bank is committed to facilitating the advancements of new technologies across the financial sector as part of its fintech strategy. This includes adopting insurtech for insurance services.

Although the Insurance Authority and the UAE Central Bank have merged, the rules and regulations issued by the Insurance Authority under Federal Law No. 6 of 2007 will continue to apply to all licensed organizations until their replacement by the UAE Central Bank.

Credit references

16. Are there any restrictions on providing credit references or credit information services in your jurisdiction?

Yes. Pursuant to the SCA Board of Directors’ Decision No. 18/RM of 2018 Concerning the Regulations as to Licensing Credit Rating Agencies, a credit rating is ‘a periodic measure to determine and assess the ability of the rated entity to meet its financial liabilities, and potential risks that may affect it, and to evaluate the financial products and potential risks of acquiring them by the investor’ and credit rating activities are regulated. To be eligible for a license to carry on credit rating activities, an entity must have, among other things, a minimum of 2 million UAE dirhams in capital and consent from the UAE Central Bank (should the license application be subject to their mandate).

In the DIFC, ‘operating a credit rating agency’ is a regulated activity that would require a DFSA license. Similar provisions exist in the ADGM.

However, individual credit reference and information services are possible in the UAE through the Al Etihad Credit Bureau (AECB), which is a public joint stock company wholly owned by the UAE federal government. According to UAE Federal Law No. 6 of 2010 concerning Credit Information, the AECB is mandated to regularly collect credit information from financial and non-financial institutions in the UAE. The AECB aggregates and analyses this data to calculate credit scores and produce credit reports that are made available to individuals and companies in the UAE. The AECB collects information on individuals and companies from banks, finance companies and telecoms companies. Additional information from other sources such as utilities, real estate, government and other entities are planned to be added in the future. Financial institutions in the UAE are mandated by law to supply the AECB with all credit information on a monthly basis.

CROSS-BORDER REGULATION

Passporting

17. Can regulated activities be passported into your jurisdiction?

In March 2019, the Emirates Securities and Commodities Authority, Financial Services Regulatory Authority (FSRA) and the Dubai Financial Services Authority (DFSA) announced that a new fund passporting regime would be available to facilitate the promotion of funds licensed by each authority across the UAE. The passporting of a UAE fund will allow the licensed firm to promote units to ‘qualified investors’ domiciled in the other relevant jurisdiction. A notification specifying to which other jurisdictions the fund is to be promoted needs to be given to the relevant regulator and the details of the passported UAE fund should be listed in the relevant regulators’ Register of Passported Funds. This regime removes the need for multiple regulatory licenses and reduces the costs for the promotion of funds across the UAE. The funds will still have to comply with the relevant requirements and the regulators have the power to take a fund off the Register of Passported Funds if they are non-compliant, wound up, or if one of the other regulators of fund managers requests that the fund be removed.

Other than in respect of funds, there is no passporting arrangement applicable to regulated activities although there is an industry desire to push for this and enable businesses to have wider reach.

Requirement for a local presence

18. Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?

It is possible for fintech companies to market on a cross-border basis into onshore UAE without having to obtain a license. If marketing activities are undertaken on a genuinely cross-border basis (namely, by telephone, website or email from outside the UAE) they should not be subject to UAE regulation. To ensure that marketing activities are conducted on a true cross-border basis and not deemed to be conducting business in the UAE, several guidelines should be followed, which include not having a physical or legal presence in the UAE, marketing only towards non-natural qualified investors and making any subscription payments made outside the UAE.

In relation to cross-border marketing into the Dubai International Financial Centre (DIFC), there are several guidelines that should be followed to reduce the risk of marketing activities being treated as having taken place ‘in’ the DIFC, such as not having a physical or legal presence in the DIFC, keeping marketing materials generic and only made to certain types of pre-identified ‘professional clients’ (as defined under the DFSA’s Conduct of Business Rules) and performing all generic marketing from outside the DIFC.

With regard to regulated activities where a license is required from a UAE financial services regulator (including the UAE Central Bank, the Securities and Commodities Authority, the DFSA or the FSRA), a fintech company would need to be locally established in the relevant jurisdiction to obtain a license. Note, however, that the initiatives launched by the Abu Dhabi Global Market and the DIFC require lighter regulatory oversight for qualified participants.

SALES AND MARKETING

Restrictions

19. What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

There are a number of restrictions on the offering or promotion of financial services in onshore UAE, the DIFC and the Abu Dhabi Global Market, and in many cases corresponding exemptions relating to these promotions, all of which differ according to the type of product or service offered.

In February 2023, the new Virtual Assets and Related Activities Regulations 2023 issued by the Virtual Assets Regulatory Authority came into force, which imposes a number of restrictions on the sales and marketing of cryptoassets. This is mentioned in more detail in the Cryptoassets question of this chapter.

CRYPTOASSETS AND TOKENS

Distributed ledger technology

20. Are there rules or regulations governing the use of distributed ledger technology or blockchains?

The UAE federal government and certain emirate-level governments have publicly committed to the creation of problem statements and use cases to enable government services to benefit from distributed ledger technology (DLT) and, in particular, blockchain. Examples of this include the government of Dubai’s public commitment to have all government services and transactions on the blockchain by 2020.

In some areas, UAE law is permissive as regards the use of DLT and distributed digital ledgers or databases in scenarios where parties intend to create legal relations; for example, article 12 of Federal Law No. 1 of 2006 on Electronic Commerce and Transactions, which seems to have foreseen ‘smart contracts’ by confirming the validity and enforceability of contracts formed through computer programs that include two or more electronic information systems present and pre-programmed to carry out the transaction, even if no individual is directly involved. The UAE government launched the Emirates Blockchain Strategy 2021, with the aim of transforming government transactions into the blockchain platform.

The Dubai Virtual Assets Law is designed to help regulate the operation of virtual asset platforms that utilize DLT. The Dubai Virtual Assets Law is applicable to the Emirate of Dubai including all special development zones and free zones in Dubai, other than the Dubai International Financial Centre (DIFC). The Virtual Assets Regulatory Authority (VARA) will be responsible for issuing licenses for the provision of any virtual asset platform operation and management services. To date, only a handful of virtual asset service providers (VASPs) have demonstrated compliance with the VARA requirements and been granted licenses in this regard – although it has been reported that hundreds of institutions are currently working to obtain licensing status.

The current VARA license types that VASPs can seek to obtain are as follows:

• Preparatory Minimum Viable Product (MVP) license: VASPs must satisfy all of the licensing requirements under the VARA MVP license Conditions Document. The VASP must obtain an Operational MVP License before it can begin offering virtual asset services;
• Operational MVP license: VASPs that satisfy all of the operational requirements under the VARA MVP license Conditions Document. It allows VASPs to offer approved virtual asset services to institutional clients and qualified investors; and
• Full Market Product (FMP) license: VASPs must satisfy all of the requirements as specified under the Virtual Assets Regulations. It allows a VASP to offer approved virtual asset services to retail customers as well as institutional customers and qualified investors.

Only two VASPs to date have been granted Operational MVP licenses. The remaining VARA license recipients are currently at the MVP Provisional or MVP Preparatory stage. However, following the recent bankruptcies of renowned crypto institutions like FTX, those in the space have reported that VARA has tightened its licensing requirements and will likely be requesting additional information from applicants, thus presenting additional regulatory obstacles for prospective VASPs seeking licenses in the near future.

In March 2021, the Dubai Financial Services Authority (DFSA) issued Consultation Paper No. 138 on the Regulation of Security Tokens (CP138). Although this proposal went through the consultation stages, it appears that no formal Feedback Statement was publicly released in this regard. As such, the DFSA launched a regulatory framework for investment tokens on the back of CP138 and updated its rulebook to reflect the same. Investment tokens are broadly defined as:

• a security or derivative in the form of a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using DLT or other similar technology; or
• a cryptographically secured digital representation of rights and obligations that is issued, transferred and stored using DLT or other similar technology and:
• confers rights and obligations that are substantially similar in nature to those conferred by a security or derivative; or
• has a substantially similar purpose or effect to a security or derivative.

In this regard, the marketing, issuing, trading or holding of investment tokens in or from the DIFC will be regulated.

Further, in April 2023, the Registration Authority (RA) of Abu Dhabi Global Market (ADGM), issued Consultation Paper No. 3 of 2023 to seek feedback on its proposal for a new legal framework for foundations that facilitate DLT and token issuance (the Distributed Ledger Technology Foundations Regulations 2023). The RA’s key proposals include the structure of the DLT foundations, governance and control, tokens, reporting obligations, disclosures and publication, beneficial ownership, supervision, insolvency, liquidation or voluntary strike-off. The Distributed Ledger Technology Foundations Regulations 2023 are expected to be implemented shortly.

Cryptoassets

21. Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?

The Stored Value Facilities Regulation allows the use of crypto or virtual assets as a stored value when purchasing goods and services. However, it was later clarified that such assets are not recognized legal tenders in the UAE, with the official legal tender being the UAE dirham. These assets may also be used as a form of investment and as such be subject to the UAE Securities and Commodities Authority (SCA) Regulations.

The SCA issued Board of Directors Decision No. 23/RM of 2020 Concerning the Regulation of Cryptoassets and Administrative Decision No. 11 of 2021 Concerning Guidance for Cryptoasset Regulations. The regulatory scheme aims to provide a licensing regime for the offering of cryptoassets in the UAE. The Decision defines cryptoassets as:

A record within an electronic network or distribution database functioning as a medium for exchange, storage of value, unit of account, representation of ownership, economic rights, or right of access or utility of any kind, when capable of being transferred electronically from one holder to another through the operation of computer software or an algorithm governing its use.

The regime also applies to security tokens and commodity tokens.

The Dubai Virtual Assets Law is also relevant to the regulation of virtual assets, which are broadly defined as ‘a digital representation of the value that can be digitally traded or transferred or used as an instrument for exchange, payment or investment purposes’. This definition would therefore include cryptoassets such as security tokens, cryptocurrencies and NFTs. There is a general prohibition under the Dubai Virtual Assets Law preventing entities from carrying out any virtual asset services to consumers unless they have received a license from VARA, operate in Dubai and have a trade license from the relevant commercial authority in Dubai. Applicants are currently granted an initial MVP license by VARA, which allows them to provide products and services to select groups of investors, before they are fully authorized. Further details of the VARA licensing requirements are set out above. In August 2022, VARA enforced Administrative Order No. 1/2022 Relating to Regulation of Marketing, Advertising and Promoting Related to Virtual Assets (Marketing Regulations) to govern the promotion of virtual asset-related activities in Dubai (excluding the DIFC). To accompany this, VARA issued Administrative Order No. 2/2022, which lists certain fines and penalties for breaches of the Marketing Regulations. Relevant businesses will be liable to pay penalties ranging between 50,000 UAE dirhams to 200,000 UAE dirhams for independent offenses, with fines being doubled (up to a maximum of 500,000 UAE dirhams) for repeat violations within the following year.

The ADGM regulatory framework for virtual assets (first introduced on 25 June 2018 and amended in February 2020) features a number of guidance points related to virtual assets and digital wallets.

In November 2019, the DFSA published Consultation Paper No. 125 on Proposals for Money Services. In the paper, the DFSA set out its proposal to allow certain activities relating to money services that have emerged owing to rapid advancements in technology, with the DFSA recognizing that these activities could promote the growth of regulated financial services activities in DIFC and provide greater protection and choices to users of money services. One of the activities it proposed to allow was the provision of money services (as defined in the DFSA Rulebook Conduct of Business Module (COB Module)) in respect of electronic currency. Amendments to the DFSA Rulebook COB Module came into force on 1 April 2020, introducing requirements for the provision of money services in relation to electronic money in the DIFC.

More recently, in April 2023, the DFSA announced (through Consultation Paper No. 150) its plans to make several changes to the DFSA Rulebooks particularly to clarify elements of the money services, crypto tokens and crowdfunding regimes in the DIFC. It is also reported that the DFSA plans to carry out a broader review of the policy framework in 2024.

Although crypto tokens and investment tokens both form an integral part of the DFSA’s broader digital assets regime in DIFC, they are both regulated under separate frameworks (the investment tokens framework is discussed above). The crypto tokens regime went live in November 2022 following the DFSA’s publication of its Consultation Paper No. 143 on the Regulation of Crypto Tokens (CP143) in March 2022 and the subsequent release of its Feedback Statement on the CP123 in October 2022. The crypto tokens regime is very comprehensive and regulates a wider scope of cryptoassets compared to the investment tokens regime, covering not only the definition and promotion of crypto tokens but also establishing clear rules for other categories of tokens including ‘excluded tokens’ and ‘prohibited tokens’, as well covering other regulatory requirements in this regard such as market abuse, Islamic finance and token custody.

Token issuance

22. Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?

Following a public consultation, in June 2018 the Financial Services Regulatory Authority (FSRA) issued its framework for the regulation of spot cryptoasset activities, including those undertaken by exchanges, custodians and other intermediaries in the ADGM. Specifically, the FSRA introduced the new regulated activity of ‘operating a crypto asset business’ that covers, among other things, the arranging, buying, selling, custody provision, marketing and advising on the merits of the buying or selling of ‘accepted cryptoassets’. The regime also included a regulatory framework for the operation of a ‘cryptoassets exchange’ and a ‘cryptoasset custodian’.

On 14 May 2019, the FSRA issued its updated guidance addressing, among other things:

• Stablecoins and fiat tokens: stablecoins that are fully backed by fiat currencies (fiat tokens) will be treated as a form of digital representation of money. Where used as a payment instrument for the purposes of money transmission as defined under the ADGM’s Financial Services and Markets Regulations 2015 (FSMR), the activity will be licensed and regulated as ‘providing money services’.
• Custody: further clarity on the types of cryptoasset custody activities that can be undertaken and setting out FSRA expectations in terms of custody governance and operations.
• Technology governance: further enhancements and clarifications are introduced,including in relation to changes in the underlying protocol of a cryptoasset that results in a fork (coding change), and the associated governance and control expectations for cryptoasset exchanges and license
• FSRA Anti-Money Laundering and Sanctions Rules and Guidance: as the Anti-Money Laundering Rulebook applies in full to the regulated activity of cryptoasset operators or holders, the guidance has been updated with the latest local and global changes and provides further clarity on the use of new regulatory and surveillance technologies in this area.

As part of its ongoing commitment to regularly update and improve its crypto-regulatory framework based on global developments, the FSRA updated its virtual asset regulatory framework in February 2020.

Among other things, the key amendments include:

• changing the definition of ‘cryptoasset’ to ‘virtual asset’ (to align the terminology with that of the Financial Action Task Force); and
• moving the applicable regulations and rules from the bespoke category of ‘operating a crypto asset business’ to the respective underlying regulated activities (eg, providing custody, operating a multilateral trading facility and dealing in investments). This is to better reflect the nature of the underlying activities in relation to virtual assets.

In October 2019, the SCA issued draft legislation – the Regulation for Issuing and Offering Crypto Assets – that, when implemented, will directly regulate cryptoassets in the UAE, including crypto exchanges. In 2020, the SCA issued Board Decision No. 23/RM 2020, which applies to exchanges based on cryptoassets.

In June 2021, the UAE Central Bank issued the Retail Payment Services and Card Schemes Regulation. This regulates payment service providers and requires firms providing payment token services in onshore UAE (excluding the DIFC and the ADGM) to obtain a license from the UAE Central Bank. The definition of payment token is narrow, however, only covering fiat-backed stablecoins.

The DFSA’s regulatory framework is currently limited to investment tokens, which can be categorized as security tokens or derivative tokens. These provisions will apply to parties that market, issue, trade or hold investment tokens in or from the DIFC or authorized firms that intend to undertake financial services relating to investment tokens. However, following CP143, the DFSA is expected to introduce a broader regulatory regime encompassing any token that can be used as a ‘medium of exchange or for payment or investment purposes’ other than utility tokens, NFTs and central bank digital currencies. Investment tokens will continue to be regulated by the provisions currently in place. The new regulations may also require firms to obtain DFSA approval for each crypto token they intend to use for regulated activities (e.g, marketing, issuing or trading).

The Dubai Virtual Assets Law applies onshore in the Emirate of Dubai (excluding the DIFC) and covers both ‘virtual assets’ (digital representations of value) and ‘virtual tokens’ (digital representations of sets of rights that can be offered and traded through digital platforms). It also requires platforms to obtain licenses from VARA to provide services of exchange (namely, exchange between virtual assets and fiat currencies or between one or more forms of virtual assets) and services relating to the offering of or trading in virtual tokens. While VARA license holders are currently only permitted to provide services to institutional investors, the regulator is expected to expand the scope of its licenses to include retail investor activities before the end of 2022.

As a general point, in February 2023, the UAE Central Bank issued a press release announcing the launch of the Financial Infrastructure Transformation (FIT) Program to promote the digital transformation across the financial services sector in the region. The FIT Program is set to be integrated by 2026 and is divided into nine key pillars, one being central bank digital currency (CBDC). This initiative is part of the first stage of the implementation of the program, which aims to develop a number of digital payment infrastructures and services such as the issuance of CBDCs for cross-border and domestic uses. According to the press release, by doing this the UAE Central Bank aims to improve the inefficiencies of domestic payments.

ARTIFICIAL INTELLIGENCE

Artificial intelligence

23. Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

The Financial Services Regulatory Authority (FSRA) has issued a regulatory framework for digital investment managers (robo-advisers) operating in the Abu Dhabi Global Market (ADGM). To supplement this, the FSRA has also released guidance to illustrate how its regulatory framework applies to robo-advisers in the ADGM. In particular, the guidance outlines:

• the regulatory permissions that may be required to provide digital investments services in or from the ADGM; and
• how the FSRA will apply its authorization criteria in key existing areas of technology governance, suitability and disclosure, and newer areas such as algorithm governance.

In addition, certain sector-focused regulations, particularly data protection laws (as set out in more detail below) do cover topics such as automated decision-making and profiling, which, by extension, are likely to govern the activities of certain artificial intelligence (AI) systems and machine learning (tools that are commonly used in the fintech space) from a data privacy perspective. More recently, in April 2023, the Dubai International Financial Centre (DIFC) issued Consultation Paper No. 2 of 2023, which includes proposals to amend DIFC’s existing Data Protection Regulations 2020. Such updates include obligations on controllers and processors who process personal data through the use of digital enablement technology systems (including AI and autonomous and automated systems).

It should also be noted that in 2019, Smart Dubai introduced the ‘ethical AI toolkit’ that lays out non-binding guidelines and standards, for the providers of AI services and systems, in respect of the ethical and responsible use of AI.

Otherwise, there are currently no formal rules or regulations governing the use of artificial intelligence or automated investment advice (namely, robo-advisory services) in the DIFC or onshore UAE. Those conducting these automated investment activities will need to ensure that they are authorized to provide investment advice, irrespective of the method of delivery.

The Dubai Financial Services Authority’s (DFSA) Innovation Testing license regime has been used to issue licenses relevant to automated investment advisory services. In these cases, there are bespoke disclosures, reporting conditions and monitored progress in line with an agreed ‘regulatory test plan’. Firms intending to provide robo-advisory services have also been accepted into the ADGM’s Regulatory Laboratory (which provides a controlled environment for fintech participants to develop and test innovative fintech solutions).

CHANGE OF CONTROL

Notification and consent

24. Describe any rules relating to notification or consent requirements if a regulated business changes control.

Under the Dubai International Financial Centre and Abu Dhabi Global Market frameworks, there are detailed provisions relating to changes of control, including where notifications need to be made with the Dubai Financial Services Authority (DFSA) or the Financial Services Regulatory Authority respectively, or where their prior approval needs to be obtained. In both cases, these are contained in the general modules of the respective regulator’s rulebook. Similar, although less detailed, provisions exist within the regulatory frameworks relevant to the UAE Central Bank and the UAE Securities and Commodities Authority.

FINANCIAL CRIME

Anti-bribery and anti-money laundering procedures

25. Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

In March 2021, the Securities and Commodities Authority (SCA) introduced the Board of Directors Decision No. 23/RM of 2020 Concerning the Regulation of Cryptoassets and Administrative Decision No. 11 of 2021 Concerning Guidance for Cryptoasset Regulations. It is now a specific requirement for persons conducting financial activities in respect of cryptoassets to apply the Financial Action Task Force’s guidance and recommendations in respect of the mitigation of anti-money laundering (AML) risks for virtual assets and virtual asset services providers (VASPs), in addition to any standards issued by the UAE Central Bank in respect of Financial Action Task Force guidance. The SCA’s regulations on virtual assets, which entered into force in 2020, have also introduced financial crime controls, including AML protections and market abuse provisions, to all market participants. The regulations permit regular enhancements to the standards and requirements in line with global developments.

In 2021, the UAE Central Bank issued, among others, the updated Guidelines for Financial Institutions on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, which is applicable to financial institutions. The guidelines provide additional clarity on the preferred risk-based approach and standards expected of a financial institution’s AML and sanctions programmes. In conjunction with this, in May 2023, the UAE Central Bank issued further guidance to assist licensed financial institutions identify the money laundering risks and vulnerabilities related to virtual assets and VASPs, and to assist such institutions comply with their legal obligations in this regard. However, these guidelines are not intended to have force of law and are to be read in conjunction with the relevant laws, cabinet decisions, regulations and regulatory rulings in force.

Outside the cryptoasset regulations, the UAE’s AML provisions apply directly to financial institutions and designated businesses and professions. While the UAE’s anti-bribery and corruption (ABAC) provisions apply to all individuals and entities in the UAE, there are currently no positive requirements in relation to ABAC; however, it is a positive obligation to notify the authorities if you become aware of any criminal offence.

In the Dubai International Financial Centre (DIFC), under article 71(1) of the DIFC Regulatory Law No. 1 of 2004, the DIFC regime requires compliance with the federal regime. The federal legislation governing money laundering and terrorist financing is also applicable in the DIFC. The Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module to the Dubai Financial Services Authority (DFSA) Rulebook applies to entities in respect of their activities carried on in or from the DIFC. The procedures that must be put in place include applying a risk-based approach that is objective and proportionate to the risks, based on reasonable grounds, properly documented and reviewed and updated at appropriate intervals. Effective AML systems and controls must also be established and maintained to prevent opportunities for money laundering. A risk-based assessment must be undertaken for every customer to assign the customer a risk rating proportionate to the customer’s money laundering risks. Customer due diligence must be undertaken to verify the identity of the customer and the beneficial owner and understand the source of funds. This should be ongoing by monitoring transactions and complex and unusual transactions. A money laundering reporting officer must be appointed with responsibility for implementing and overseeing compliance; the officer must have an appropriate level of seniority and independence to act in the role and be resident in the UAE.

Similar to the DIFC, the federal legislation governing money laundering and terrorist financing also applies within the Abu Dhabi Global Market (ADGM). The ADGM’s AML rules are contained in the Anti-Money Laundering and Sanctions Rules and Guidance Module to the Financial Services Regulatory Authority Rulebook (the ADGM AML Module). According to the ADGM AML Module, an entity must have policies, procedures, systems and controls that ensure compliance with the federal law, enable suspicious customers and transactions to be detected and reported, ensure the entity can provide an appropriate audit of a transaction trail, and ensure compliance with any other obligations as contained in the ADGM AML Module. The DIFC’s AML rules are contained in the DFSA’s Anti-Money Laundering, Counter Terrorist Financing and Sanctions Module.

In March 2022, the UAE was added by the Financial Action Task Force, the global financial crime watchdog, to the Grey List, a list of counties that are under increased monitoring because of deficiencies in their AML and countering the financing of terrorist regimes. The UAE has committed to implementing the recommendations of the Internal Cooperation Review Group’s Action Plan to remove itself from the Grey List and improve its regimes.

Guidance

26. Is there regulatory or industry anti-financial crime guidance for fintech companies?

There is no guidance specifically targeted at fintech companies. The regulatory guidance on financial crime is contained in the DFSA AML rules, the ADGM AML rules and the applicable federal laws and regulations. Federal legislation targeting financial criminal activities applies equally to individuals and companies operating or present in the commercial-free zones, financial fee zones and throughout all Emirates of the UAE.

DATA PROTECTION AND CYBERSECURITY

Data protection

27. What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The Federal Decree-Law No. 45/2021 On the Protection of Personal Data (the UAE PDP Law) has been issued but will only be fully enforceable six months after the issuance of the corresponding executive regulations (the PDPL Regulations). The PDPL Regulations, which will contain further details and conditions of the UAE PDP Law, have yet to be issued.

Until then, the UAE still does not have a specific, enforceable standalone data protection law. Instead, various general and sector-specific laws and regulations govern aspects of the processing of personal data in the UAE. For example:

• the UAE Constitution provides for a right to freedom and secrecy of communications;
• the Penal Code and Cybercrime Law provide for a range of criminal offenses prohibiting the disclosure or publication of private information and the interception of personal communications;
• the Civil Code and Labor Law set out certain obligations on employers when dealing with employee information;
• another law governs the collection, processing and disclosure of credit-related information; and
• telecoms operators are subject to special regulations regarding the protection of subscriber information.

In addition, certain health-related laws such as the Federal Decree-Law No. 2/2019 Concerning the Use of Information and Communication Technology in Health Fields cover certain requirements in respect of the processing, security, retention and transfer of health data – which fintech businesses providing healthcare-related products and services may need to consider.

The Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) have each introduced standalone laws governing the processing of personal data by organizations operating in their respective zones.

The DIFC’s much anticipated new and refreshed Data Protection Law, DIFC Law No. 5 of 2020 was enacted on 1 June 2020 and became enforceable from 1 October 2020. The data protection law is enforced by the Commissioner of Data Protection and is also supplemented by the Data Protection Regulations 2020. In March 2022, the DIFC introduced the DIFC Laws Amendment Law, DIFC Law No. 2 of 2022, which includes amendments to several DIFC laws, including the data protection law. Such changes include clarification on the judicial redress process, increased accountability obligations on controllers and processors and the granting of additional powers to the Commissioner of Data Protection, as well as introducing a new monetary penalty. Further key amendments to DIFC’s existing Data Protection Regulations 2020 have also been proposed through the issuance of Consultation Paper No. 2 of 2023 in April 2023. Subject to any further refinements, the updated Data Protection Regulations 2020 are expected to be rolled out in due course.

On 11 February 2021, the ADGM enacted the Data Protection Regulations 2021, which replaced the Data Protection Regulations 2015. The 2021 regulations, which formally came into effect on 14February 2022, have been modelled on international best practice and, in particular, the European Union’s General Data Protection Regulation but have been adapted to cater to the needs of the ADGM. A key feature of the new regulations is the establishment of an independent Office of Data Protection headed by a Commissioner of Data Protection.

In February 2022, the DIFC granted adequacy recognition to Singapore, South Korea and other countries that are part of the Asia Pacific Economic Cooperation Cross-Border Privacy Rules, for the purpose of cross-border personal data transfers with the DIFC.

In December 2022, the DIFC chief executive officer and the Commissioner of Data Protection issued a joint statement with the UK Minister of State for Media, Data and Digital Infrastructure regarding positive progress on the building of a ‘data bridge’ to promote trusted and secure data flows between the two jurisdictions. Similar announcements were also made by ADGM.

The DIFC and ADGM laws require that personal data is processed in a manner that is fair, lawful and secure.

Fintech-specific rules and regulations

The UAE Central Bank’s Stored Value Facilities Regulation (the SVF Regulation) requires licensees to maintain adequate systems and policies related to data protection to ensure the protection of information from unauthorized access, ensure encryption of sensitive data, retrieval access controls must also be enforced to ensure confidentiality and integrity of the databases. The SVF Regulation also requires licenses to implement an information retention and disposal policy to limit the data storage amount and retention time. In addition, the Retail Payment Systems Regulation (the RPS Regulation) also imposes data protection, security and integrity obligations on RPS licensees.

The UAE Central Bank has also issued the Consumer Protection Regulation (Circular No. 8/2020), which regulates the way financial institutions have to deal with consumer data in the UAE. A few of the changes introduced include the requirement to report significant data breaches, the establishment of a department dedicated to managing consumer data protection, the need to have security measures to protect consumer data and a limit on the amount of data collected from consumers (namely, data is to be used and stored for the duration necessary to provide financial services).

More recently, the Virtual Assets and Related Activities Regulations 2023 (the Virtual Assets Regulations) would require applicable fintech businesses (operating as virtual asset service providers (VASPs) under the regulations) to comply with activity-specific rulebooks (in addition to the five Virtual Assets Regulatory Authority (VARA) compulsory rulebooks) relating to their provision of the relevant virtual asset activities. Most notably, VARA’s compulsory rulebook on technology and information requires VASPs to comply with applicable UAE data protection and privacy laws – including the requirement to appoint a data protection officer, establish an organizational function responsible for the management and protection of personal data, data breach notification requirements, as well as other controls and procedures.

Anonymization and aggregation of personal data

There are no specific legal requirements or regulatory guidance in the UAE dealing with the anonymization or aggregation of personal data used for commercial gain. This, and the absence of a specific data protection law in the UAE (outside the financial free zones) (subject to the UAE PDP Law becoming enforceable), has resulted in a wider scope for the commercial exploitation of data for commercial purposes in the UAE.

The definitions of ‘personal data’ in the ADGM and DIFC data protection laws each require the individual to whom the data relates to being identifiable. The guidance published by the DIFC Commissioner of Data Protection suggests that, as data that is stripped of all personal identifiers will no longer relate to an identifiable individual, the DIFC data protection law will no longer apply.

The guidance cautions that complete anonymization may be difficult to achieve in practice, as data will still be protected if it is possible to identify an individual indirectly using the data. The guidance also reminds organizations that the act of anonymization is itself an activity that must be conducted in compliance with the DIFC data protection law. The guidance published in respect of the ADGM data protection regime does not provide further comment on the anonymization or aggregation of personal data.

Cybersecurity

28. What cybersecurity regulations or standards apply to fintech businesses?

Fintech businesses must comply with the UAE Federal Decree-Law No. 34/2021 Concerning the Fight Against Rumors and Cybercrime (the Cyber Crimes Law), the provisions of which broadly relate to IT security, state security and political stability, morality and proper conduct and financial and commercial issues arising from the use of the internet or IT infrastructure. It also addresses cybercrimes that are prepared, planned, directed, supervised or financed in the UAE. The Cyber Crimes Law has extraterritorial effect.

Various ongoing cybersecurity obligations apply to applicants of payment services licenses from the UAE Central Bank in the Payment Services Regulations.

For the purposes of the Virtual Assets Regulations, VARA’s compulsory rulebook on technology and information requires VASPs to create and implement, among other things, a cybersecurity policy containing mandatory terms and security controls as set out in that rulebook.

OUTSOURCING AND CLOUD COMPUTING

Outsourcing

29. Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

The UAE Central Bank has issued Central Bank Circular No. 14/2021 (the Outsourcing Regulations) to adopt minimum acceptable risk management standards for outsourcing arrangements, particularly when international service providers are engaged. With the new Outsourcing Regulations, and the accompanying Outsourcing Standards for Banks 14/2021 (the Outsourcing Standards), the UAE Central Bank makes explicit its objective to guarantee the soundness of UAE banks and improve financial stability in the banking sector. The Outsourcing Regulations impose obligations on the internal audit and operational risk functions of UAE banks and are expected to implement various new policies, procedures and controls. In particular, banks will need to create a comprehensive risk management framework that takes into account the additional risks that arise when business activities are outsourced.

Further, new minimum standards for outsourcing agreements have been introduced

including certain contractual terms that have become standard inclusions across the market, for example, the requirement that banks retain full ownership of the data they share with outsourcing service providers. The Outsourcing Regulations also provide that data required to conduct the core activities of the bank must be maintained and stored within the UAE and any customers’ confidential data must not be shared outside the UAE without the UAE Central Bank’s approval and consent of their customers.

Cloud computing

30. Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

There are regulations that set parameters around the use of cloud computing in the context of outsourcing, which includes those within the financial services industry.

Organizations carrying out functions that are regulated by the Dubai Financial Services Authority (in Dubai International Financial Centre) or the Financial Services Regulatory Authority (FSRA) (in the Abu Dhabi Global Market) have specific obligations in relation to material outsourcings, which in practice will include many cases of the use of cloud computing services. In respect of each material outsourcing, the organization must implement policies and risk management programs, enter into an appropriate contract with the service provider incorporating certain minimum terms, and notify the relevant regulator of the outsourcing arrangement. The Stored Value Facilities Regulation allows licensed businesses to outsource processes to third-party service providers, including independent third parties or companies within the licensee’s group, subject to approval from the UAE Central Bank. A separate section of rules governing outsourcing applies when an outsourcing is considered for an operational function or activity, although no specific distinction or guidance is given in relation to cloud computing solutions.

INTELLECTUAL PROPERTY RIGHTS

IP protection for software

31. Which intellectual property rights are available to protect software, and how do you obtain those rights?

Original computer programs and related software applications are protected by copyright as literary works. Databases underlying software programs can also attract copyright protection. Copyright arises automatically as soon as the relevant literary work is created, so when a computer program is recorded, software lines are coded or a database is created. There is no requirement to register these rights to be able to have them recognized or enforce them against a third party in the UAE.

If the software code has been kept confidential, it may also be protected as confidential information and unauthorized disclosure can attract criminal sanctions. No registration is required.

As computer programs are not specifically excluded from patentability under UAE legislation, so long as registration formalities are followed, it is possible in principle to obtain patent protection for software-implemented inventions and business methods. It is likely to be more difficult, however, for these inventions to meet the criteria of novelty, inventiveness and industrial applicability as required by UAE legislation.

IP developed by employees and contractors

32. Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

The Federal Law No. 38 of 2021 concerning Copyright and Neighboring Rights (the New Copyright Law) replaces the old Federal Law No. 7 of 2002 as of January 2022 (the Old Copyright Law). The New Copyright Law now reverses the position under the Old Copyright Law by confirming the ‘work for hire’ doctrine. Article 28 of the new Copyright Law states that any intellectual property created during the course of employment belongs to the employer and not the employee. However, any copyright made by an employee unrelated to the business of the employer that does not use the employer’s resources will remain with the employee.

In the context of patents, provided that an employee’s role includes inventive activities, inventions created by an employee in the course of an employment contract are automatically owned by the employer, unless otherwise agreed. Different rules apply if the employee’s role does not include inventive activities. In these cases, the employer may exercise an option to take ownership of the invention within four months of becoming aware of the invention and the employee is entitled to receive fair compensation.

Similar to the New Copyright Law, under Dubai International Financial Centre (DIFC) Law No. 4 of 2019 on Intellectual Property, the employer has automatic ownership rights over works created by employees when produced within the scope of employment or while using the employer’s resources, unless otherwise agreed by them. The same position applies to patents. The law also regulates ownership rights over works created by contractors or consultants.

Joint ownership

33. Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

Joint owners of a copyright-protected work in which it is not possible to separate the contributions of each owner cannot exercise their rights to use, license or assign the work individually, unless otherwise agreed in writing (article 26 of the New Copyright Law).

Where multiple authors contribute different kinds of art to a single work, they may each exploit their individual contributions provided that this does not damage the exploitation of the joint work. The legal position is less clear in relation to works that include contributions of the same kind of art from multiple contributors.

A joint owner of a patented invention may exploit or assign his or her rights independently of the other patentees. However, joint patentees may only license the exploitation of the patent jointly with the other patentees.

Under DIFC Law No. 4 of 2019 on Intellectual Property, rights over an invention created by two or more persons, will be shared equally between them unless otherwise agreed in writing.

Trade secrets

34. How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

The UAE legislation dealing with patents and industrial designs also includes specific protection for trade secrets and know-how. Employees have specific statutory duties to keep the commercial and industrial secrets of their employers confidential and may be criminally liable in cases of unlawful use or disclosure of information. Trade secrets and confidential information more broadly are commonly protected by way of contractual obligations.

Court proceedings in the UAE are not held in public and there is therefore less of a concern about maintaining the confidentiality of trade secrets in this context.

DIFC Law No. 4 of 2019 on Intellectual Property provides protection to trade secrets if obtained by improper means. However, it may be possible to uncover trade secrets through legitimate means.

Branding

35. What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

Brands can be protected as registered trademarks in the UAE. An application for registration and other formalities must be pursued to obtain protection. A law recognizing a unified trademark regime for Gulf Cooperation Council countries has been decreed in the UAE but has not yet entered into force.

The UAE trademark database can be used to identify registered trademark rights and, therefore, help ensure that a fintech business does not infringe on existing brands. The database is not available to the public but the law provides for a right to obtain a certified extract of the contents of a register upon payment of a fee. Applicants must pay a separate fee to search each class for existing trademark rights.

It is highly advisable for new businesses, perhaps using the services of specialist trademark attorneys, to check whether the database enquiry results indicate earlier registrations that are identical or similar to their proposed brand names and marks. It may also be advisable to conduct internet searches for any unregistered trademark rights that may prevent the use of the proposed mark.

Remedies for infringement of IP

36. What remedies are available to individuals or companies whose intellectual property rights have been infringed?

Remedies available to individuals or companies include:

• precautionary measures, including requirements to cease the use of an infringing item;
• confiscation or destruction of infringing items;
• damages; and
• publication orders.

The UAE legislation dealing with intellectual property rights, including in respect of patents, designs, trademarks and copyright, provides for criminal liability in various cases of infringement.

DIFC Law No. 4 of 2019 on Intellectual Property introduces penalties for infringement of intellectual property rights. The DIFC courts can also issue injunction orders and award damages resulting from the violation of intellectual property law.

COMPETITION 

Sector-specific issues

37. Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

Since the enactment of Federal Law No. 12 of 2012, the UAE has had a standalone, federally applicable competition law that covers anti-competitive agreements, abuse of dominance and merger control; however, the law also has a list of sectors that are entirely excluded from its scope. One of these wholly excluded sectors is the financial sector. The list of excluded sectors and other important aspects of the competition regime in the UAE is within the discretion of the Ministry of Economy, and fintech businesses in the UAE will need to consider their specific competition law issues to assess their exposure. Looking ahead, there is expected to be increased consolidation in the banking sector and an expectation of greater collaboration, information-sharing and other horizontal arrangements, all of which could give rise to competition law risks in the UAE.

TAX

Incentives

38. Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

There are no special incentives. However, onshore UAE, the Dubai International Financial Centre and the Abu Dhabi Global Market are all currently low or zero-tax jurisdictions.

Increased tax burden

39. Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

There are no relevant new or proposed tax laws or guidance.

IMMIGRATION

Sector-specific schemes

40. What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

Once an employee enters the UAE on an entry permit, the employer must make an application for a residence visa to the immigration authorities. Before the visa is granted, the employee must pass a medical examination. These requirements must be satisfied within 60 days of the employee’s entry into the UAE on the entry permit. Residence visas are typically valid for two years outside the free zones and three years for employees within a free zone. The total cost of the residence visa and the required permits depends on the nature of the company’s activity and whether the employee is hired within or outside the UAE. The cost outside the free zones ranges from US$400 to US$1,200. Free zone costs can differ.

Both financial free zones in the UAE offer start-up-specific licenses that, if obtained, provide for the recruitment of skilled staff from outside of the UAE. In 2018, the Abu Dhabi Global Market (ADGM) introduced the ADGM Tech Start-up Commercial license, under which it is possible to secure up to four UAE residence visas. In the Dubai International Financial Centre (DIFC), the DIFC FinTech Commercial license enables fintech start-ups to apply for residence visas for their staff, the number of which is dependent on office space (generally one visa per 80 square feet).

Investor visas are available to shareholders and proprietors.

The UAE government announced the UAE Strategy for Talent Attraction and Retention, an initiative aimed at enhancing the country’s attractiveness to foreign investments and talents. The strategy aims to position the UAE among the top 10 countries in the global talent competitiveness indices, ensure the availability of talented workforce all across strategic sectors and cement the UAE’s image as an ideal destination for living and working.

The UAE also announced its remote working visas for overseas professionals and the Dubai virtual working program for a period of one year to attract talent and expertise from all over the world.

UPDATE AND TRENDS IN FINTECH IN UAE

Current developments

41. Are there any other current developments or emerging trends to note?

No updates at this time.

* The information in this chapter was accurate as of June 2023.

If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)

You can also download the .docx version here.

“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”

LEGAL CONSULTING SERVICES

090.252.4567

HÃY CLICK ĐỂ LẠI SĐT CHÚNG TÔI SẼ GỌI NGAY CHO BẠN MIỄN PHÍ

NT INTERNATIONAL LAW FIRM

• Email: info@ntpartnerlawfirm.com – luatsu.toannguyen@gmail.com
• Phone: 090 252 4567
• Address: B23 Nam Long Residential Area, Phu Thuan Ward, District 7, Ho Chi Minh City, Vietnam