Fintech 2024

Last Updated March 21, 2024

UAE

Law and Practice

Authors



White & Case LLP is a leading global law firm with longstanding offices in the markets that matter today. With 44 offices in 30 countries, its cross-border integration and depth of resources help its clients work with confidence in any one market or across many. It has been active in the Middle East for nearly seven decades and has six White & Case offices across the region (Dubai, Abu Dhabi, Riyadh, Doha, Muscat and Cairo). It navigates its clients through their most complex multi-jurisdictional and local business challenges, and offers UAE, Saudi, Bahrain, Oman, English, French, Qatar, Egyptian and New York law expertise, with strong relationships with local regulators and authorities. The firm’s Dubai-based team operates at the very top end of the fintech market and is counsel of choice for leading regional fintechs and global payments businesses. It services digital asset, financial services regulatory, compliance, TMT and M&A matters. Any views expressed in this publication are strictly those of the authors and should not be attributed in any way to White & Case LLP. This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

The United Arab Emirates (UAE) has taken even greater steps since the COVID-19 pandemic to become not just a regional, but also a global, financial services hub. Fintech has been an important aspect of this. There has been significant investment in fintech start-ups in recent years and the UAE now hosts a quarter of all fintech companies in the Middle East and North Africa (MENA) region. In 2023, the UAE bucked global trends by almost doubling the level of funding in the fintech sector, partly fuelled by the launch of a USD100 million venture capital finance fund by Sheikh Hamdan bin Mohammed, the Crown Prince of Dubai, aimed at empowering start-ups to expand globally.

The growth in the UAE’s fintech space has largely been driven by initiatives from the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), the UAE’s two financial free zones. The DIFC and ADGM serve as hubs for innovative fintechs looking to establish a Middle Eastern base. Both the ADGM and the DIFC have set up their own fintech hubs, the ADGM Regulation Lab (the “ADGM RegLab”) and the DIFC Innovation Hub. The ADGM RegLab and the DIFC Innovation Hubs are key accelerators for up-and-coming fintechs and support start-ups across the fintech spectrum, from open banking and payment services, to regtech, insurtech and wealthtech. The ADGM RegLab and DIFC Innovation Hub give fintechs access to an extensive network of investors, marketing and PR exposure, bespoke regulatory frameworks and regulatory sandbox schemes, as well as networking events. In the words of the DIFC Innovation Hub, its objective is to “raise unicorns”.

The success of the UAE’s fintech market can also be attributed to the continued entrepreneurialism of the UAE’s regulatory authorities to position the UAE as a regional and international leader for virtual assets and related services. This is demonstrated, for example, by the actions of the Dubai virtual assets regulatory authority (VARA) which released its all-encompassing regulatory framework in respect of virtual assets in February 2023.

It is expected that clarifications and updates will continue to be made to the UAE’s fintech regulatory environment in 2024. From a market perspective, prior to and following COP28 (which was hosted by the UAE at the end of 2023), there has been a focus on developing ESG and climate finance initiatives and there has been continued further growth in open banking, digital and instant payments. At the end of 2023, the Central Bank of the UAE (CBUAE) announced that the issuance of its newly amended Financial Companies Regulation also captured the provision of short-term credit (including BNPL services) in the UAE. The MENA region has continued to be largely unaffected by the global economic slowdown that has been evident in the US and Europe, which, in the view of the authors, can be attributed to a number of factors, including sovereign wealth funds, being buoyed by rising oil prices, continuing to drive activity as they seek to diversify and expand their investments, as well as the increasing attractiveness of the UAE to foreign investors as a stable and tech-friendly environment.

The UAE’s fintech sector has continued to grow and mature following an increase in the adoption of digital payments, e-commerce activity and a nascent but expanding digital banking landscape.

A wide range of actors are active in the UAE’s fintech space, ranging from mature businesses to start-ups that operate across a wide range of sectors from open banking and equity crowdfunding through to insurtech, wealthtech and regtech. The predominant verticals that apply in the UAE relate to virtual assets, cryptocurrencies, payments (including with respect to remittances, which are of disproportionately large importance in the UAE given its large expat population) and blockchain technology. In particular, a continued interest from large virtual asset companies considering whether to relocate to the UAE is expected, given the comparatively developed regulatory landscape amid increasingly aggressive enforcement actions from Western (and other) regulators in the virtual assets space.

Overview

The UAE is a federation comprising seven emirates, with Dubai largely seen as the UAE’s international commercial centre and Abu Dhabi being particularly important from a governmental and political perspective. Each emirate is permitted to exercise all powers not assigned to the federal level. This includes being authorised to issue its own laws and regulations.

From a financial services regulatory perspective, the UAE is best understood as comprising two categories of jurisdictions:

  • “onshore UAE” – constituting the territories of the seven emirates of the UAE, including approximately 45 economic free zones that are largely concentrated in the emirate of Dubai; and
  • “offshore UAE” – constituting the financial free zones of the DIFC and ADGM. Each of the financial free zones is, from a financial services regulatory perspective, a separate jurisdiction from onshore UAE. Each financial free zone has its own standalone rules and regulations that are largely premised on English common law and are based on benchmarking against the rules of leading international financial centres.

Onshore UAE – Payments

In onshore UAE, the provision of payment services is generally regulated by the CBUAE pursuant to the following.

Large value payment systems regulation

This framework sets out the conditions for obtaining and maintaining a licence to operate a large value payment system, which is defined as “a clearing and settlement system that is designed primarily to process large-value and/or wholesale payments typically among financial market participants (so-called wholesale payments) or involving money market, foreign exchange or many commercial transactions, excluding bilateral clearing and settlement arrangements and relationships which do not constitute a ‘system’”.

Retail payment systems regulation

This framework applies to designated retail payment systems providers, setting out (amongst other things):

  • the CBUAE’s key criteria for designating a retail payment service;
  • the licensing and designation process for retail payment services; and
  • the ongoing requirements of designated retail payment services.

Retail payment services and card schemes regulation (the “RPSCS Regulation”)

This framework applies to retail payment service providers and card scheme providers. It sets out the conditions applicable to the granting and maintaining of licences to carry out retail payment services and card schemes in onshore UAE, the ongoing obligations of retail payment service and card scheme providers as well as the powers of the CBUAE with respect to the supervision of retail payment service providers and the ongoing reporting requirements for card schemes.

Onshore UAE – Virtual Assets

In onshore UAE, virtual assets fall under the jurisdiction of the SCA, VARA and the CBUAE.

The SCA

The SCA is responsible for overseeing the regulation of virtual assets and related services pursuant to Cabinet Decision No 111 of 2022 (the “VA Decision”). According to the VA Decision, any person that wishes to carry out virtual asset-related activities must obtain a licence from the SCA (or the competent authority at emirate level (where one exists)).

The VARA

The VARA is the authority responsible for regulating, supervising and overseeing virtual assets and related activities in the Emirate of Dubai (excluding the DIFC), in accordance with the DVAL and its Executive Regulations and rulebooks. In 2023, the DVAL rolled out its comprehensive virtual asset licensing framework and a number of global market players obtained full operational licences.

The CBUAE

The CBUAE is responsible for regulating activities relating to payment tokens (ie, stable coins) pursuant to the RPSCS Regulation, while the CBUAE’s Stored Value Facilities Regulation (the “SVF Regulation”) regulates crypto and virtual assets insofar as they may be accepted in exchange for the storage of value.

Offshore UAE – Virtual Assets and Payment Services

In the ADGM, the Financial Services Regulatory Authority (FSRA) regulates virtual assets and virtual asset-related activities. The FSRA issued its “Virtual Asset Framework” in 2018. This sets out provisions targeting a range of risks associated with virtual asset-related activities, including risks relating to money laundering and financial crime, consumer protection, technology governance, custody and exchange operations. The FSRA subsequently issued its “Guidance – Regulation of Virtual Asset Activities in ADGM” to provide further support to persons when carrying out virtual asset-related activities in the ADGM to interpret its rules and regulations. Payment services are also regulated by various ADGM regulations and FSRA rules.

In the DIFC, the DFSA regulates virtual assets and the provision of connected financial services. The DFSA’s regulatory framework is set out in the DFSA Rulebooks, which distinguish between investment tokens as either security tokens or derivative tokens, and crypto tokens. The provision of payment services is also primarily regulated in the DFSA Rulebooks.

The compensation models that fintechs can utilise vary depending on the nature of a fintech’s business and the regulatory rules applicable to the fintech. Certain restrictions may apply depending on the sector in which a fintech operates.

The authors are not aware of any specific regulatory restrictions in onshore UAE or offshore UAE with respect to the compensation models that industry participants may use to charge customers. However, where a fintech chooses to provide Islamic finance, it will be required to comply with the principles of Sharia in determining its compensation model, which will include considering matters such as the charging of interest.

Regulators in onshore UAE and offshore UAE do not differentiate between fintech participants and legacy participants per se. Differences in regulatory regimes are generally based on the risks associated with the activity being carried out. For example, a bank will attract higher levels of regulatory oversight and supervision than a payment services business offering payment initiation services and account information services.

In 2021, the CBUAE established a regulatory sandbox in onshore UAE for the insurance sector. This was in response to rapid developments in digital technologies impacting the sector. In 2021, the CBUAE signed two separate memoranda of understanding with the ADGM and DIFC to introduce a co-sandbox programme to permit fintechs to test innovative solutions under the existing sandbox programme. In a report published in 2023, the Dubai Chamber of Digital Economy (DCDE) highlighted the need to create more regulatory sandboxes to support regulatory developments in digital industries, including blockchain, AI and digital asset technologies. 

The ADGM offers the ADGM RegLab, which was established in 2019. A regulatory sandbox forms part of the ADGM RegLab’s offering that provides a controlled environment for fintech participants to test and develop their innovative fintech solutions. In the RegLab, regulatory requirements are applied based on a participant’s business model and risks and on a case-by-case basis. It is designed to allow fintech participants to explore and develop solutions in a risk appropriate and cost-effective environment. 

In the DIFC, the DFSA operates a licensed sandbox known as the DFSA Innovation Testing Licence Programme. The DFSA Innovation Testing Licence Programme allows participants to: (i) test new and innovative financial products, services and business models; and (ii) benefit from adaptations to the regulatory framework on a case-by-case basis.

The key regulatory authorities responsible for administering the UAE’s financial services frameworks and for regulating the UAE fintech market are the CBUAE, SCA, VARA, the FSRA and the DFSA. A brief description of each of their roles and objectives is set out below.

Onshore UAE

  • The CBUAE – regulates banks, finance companies, payment service providers, stored value facilities providers, exchange businesses and insurance companies.
  • The SCA – regulates markets, listed companies, securities brokers, virtual asset service providers and the trading of commodities.
  • The VARA – regulates virtual asset-related activities in the emirate of Dubai, excluding the DIFC.

Offshore UAE

  • The FSRA – is the financial services regulator in the ADGM. It supervises all banks, investment firms, securities traders and re-insurers that operate within the ADGM.
  • The DFSA – is the financial services regulator in the DIFC. It supervises all banks, investment firms, securities traders and re-insurers that operate within the DIFC.

Regulated financial service providers (SPs) are permitted to outsource certain functions to third-party vendors. In doing so, SPs retain responsibility for the outsourced function and must maintain oversight over the third-party vendor. The level and precise requirements of this oversight depend on the nature of the outsourced function and the SP.

In general, where an SP outsources one of its functions, it will be required to put in place an appropriate agreement governing its commercial relationship with the third-party vendor that includes audit rights in favour of the SP. Under the DFSA General Rulebook Module and the FSRA General Rulebook (each “GEN”), an outsourcing agreement must also require the third-party vendor to deal with the DFSA or FSRA (as applicable) in an open and co-operative way. Further contractual requirements to be set out in the outsourcing agreements of banks are provided for in the CBUAE’s Outsourcing Regulations and Standards for Banks, which largely centre around access to the bank’s data by the third-party vendor. A bank’s outsourcing agreement must establish (among other things):

  • that the bank retains ownership of the data and unfettered access to it;
  • that the data is adequately safeguarded (through confidentiality provisions and provisions relating to data destruction following termination);
  • the extent to which subcontracting is permitted; and
  • data breach notification requirements.

In all cases, the UAE’s regulatory authorities require SPs to take a risk-based approach to outsourcing functions and to carry out appropriate diligence on the selected third-party vendor with which the vendor will be required to engage – all whilst maintaining overall responsibility for each function that is outsourced.

Regulated financial service providers are required to comply with certain conduct of business requirements.

They are also required to adhere to standards in respect of the promotion of financial products and services. For instance, DFSA GEN requires that all financial promotions: (i) are clear, fair and not misleading; (ii) indicate who the regulated financial service provider is; (iii) are directed at the intended category of customer or client; (iv) provide fair, unbiased and balanced information; and (v) when directed at retail clients, contain a prominent warning that past performance is not necessarily a reliable indicator of future performance. The VARA has issued its own Marketing Regulations governing the promotion of virtual assets in Dubai that contain similar advertising standards.

Beyond this, fintechs are responsible for complying with obligations set out under the UAE’s anti-money laundering and the countering of terrorist financing (AML/CTF) laws. This includes, amongst other things, carrying out know-your-customer diligence as well as monitoring for and reporting suspicious transactions. Where a fintech fails to comply with obligations under AML/CTF laws, it will be liable in accordance with the liability provisions in such laws.

Enforcement actions by regulatory authorities have increased in recent years following the UAE’s addition to the Financial Action Task Force’s (FATF) grey list. Such increased enforcement has also been evident within the UAE’s crypto and virtual asset and payment services verticals. Onshore UAE’s regulatory authorities typically have wide-ranging enforcement powers and have the ability to impose a wide range of penalties, from fines and censure for less severe breaches to imprisonment for the most serious offences such as those connected to financial crime. Offshore UAE’s regulatory authorities’ powers do not include criminal powers, but otherwise mirror those of Onshore UAE’s regulatory authorities. In practice, the UAE is a jurisdiction where co-operation with relevant authorities is required on an ongoing basis in order to operate a business.

By way of example, the Executive Regulations relating to the DVAL – the Virtual Assets and Related Activities Regulations 2023 – include the following penalties (among others):

  • written reprimands;
  • enforcement notices requiring non-compliance to be rectified within a specified period of time;
  • licence restrictions, suspensions or revocations; and
  • fines.

The VARA has already revoked licences and the CBUAE has demonstrated its increased appetite for enforcement by issuing various sanctions against finance companies and exchange houses. The authors are also aware of increased enforcement appetite of the DFSA and FSRA in recent times. However, VARA’s investigatory process suggests that VARA is willing to work with companies that are in violation of regulations and provide opportunities for them to correct their transgressions.

Onshore UAE

Data protection

Federal Decree Law No 45 of 2021 (the “Personal Data Protection Law”) is onshore UAE’s first written data protection law of general application. The Personal Data Protection Law is inspired by the EU’s General Data Protection Law (GDPR) but is lighter touch. As of the date of this note, the Executive Regulations, which will flesh out the provisions of the Personal Data Protection Law, are yet to be released.

Data and information are also protected in other aspects of Onshore UAE law. For example, Federal Decree No 31 of 2021 prohibits the unlawful copying, distribution or provision of information or data.

Cybercrime

Federal Decree Law No 34 of 2021 Concerning the Fight against Rumours and Cybercrime (the “Cybercrime Law”) sets out a wide range of offences, including in relation to illegal digital content and illegal uses of information technology. This is a broad law that goes considerably further than equivalent regulation in this area in western Europe and the US.

Offshore UAE

Data protection

Both the DIFC and ADGM have had consolidated data protection regimes for many years and both were recently reformed. They bear a significant resemblance to the GDPR, albeit being more business friendly and somewhat lighter touch.

There are a growing number of formal industry bodies emerging in the fintech space such as the MENA Fintech Association. These industry bodies have an increasingly important role to play with respect to representing industry participants, communicating with regulators to address concerns and seeking guidance in respect of, or input with respect to, planned regulations within the fintech space. For example, they will often provide input at the consultation phase of proposed regulations.

The DIFC Innovation Hub and ADGM RegLab also oversee the fintech market and can influence the rules and regulations within the industry as an informal network by interpreting the practical application of such rules and regulations, thereby influencing how the market operates. The regulatory sandboxes examined at 2.5 Regulatory Sandbox also play a part in helping regulators to examine how their regulatory regimes impact real life business models, enabling regulators to adapt and develop in line with their aim of promoting the UAE as a global hub for the fintech industry.

This will depend on the nature of the contemplated business activities. However, it is generally expected that corporate entities maintain a degree of separation between regulated and unregulated business activities to ensure that they can ring-fence those which are regulated and have higher supervision requirements from those which are not. For instance, in the ADGM it is prohibited to combine financial and non-financial services on the licence of a single entity.       

AML/CTF is regulated in the UAE by the following laws:

  • Federal Decree Law No 20/2018 (as amended);
  • Cabinet Decision No 10/2019 (as amended); 
  • Cabinet Decision No (58) of 2020; and
  • Federal Law No 7/2014,

collectively, the “UAE’s AML/CTF Laws”.

Financial institutions and virtual asset service providers fall within the scope of the UAE’s AML/CTF Laws. As such, where fintechs fall within the scope of the definition of a financial institution or virtual asset service provider, they will also fall within the scope of the UAE’s AML/CTF Laws. This does, however, need to be assessed on a case-by-case basis depending on the business and services offered by the fintech in question. In addition, certain criminal offences may be committed by a fintech under the UAE’s AML/CTF Laws, irrespective of what services are being offered.

Fintechs regulated by the SCA are required to ensure compliance with the standards and obligations set out in the UAE’s AML/CTF Laws. This is confirmed, for instance, by Decision No 13/RM/2021 (the “SCA Rulebook”), which requires licensed bodies to meet the requirements of the “Law of Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations and its implementing regulations”. The SCA has also issued a number of circulars and notices governing various aspects of AML/CTF compliance, including the freezing and unfreezing of accounts and the implementation of targeted financial sanctions. This is in addition to any standards issued by the CBUAE in respect of such FATF guidance. Furthermore, both the VA Decision and the DVAL are explicit in requiring virtual asset service providers licensed thereunder to comply with the obligations of the UAE’s AML/CTF Laws.

Pursuant to Article 71(1) of the DIFC Regulatory Law 2004, regulated financial service providers are required to comply with the UAE’s AML/CTF Laws. The Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module to the Dubai Financial Services Authority Rulebook also applies to regulated financial service providers in respect of their activities carried on, in, or from the DIFC.

Similarly, the UAE’s AML/CTF laws also apply to regulated financial service providers in the ADGM. In addition, the ADGM’s Anti-Money Laundering and Sanctions Rules and Guidance Module to the Financial Services Regulatory Authority Rulebook sets out further requirements for regulated financial service providers to ensure compliance with the provisions of the UAE’s AML/CTF Laws. This includes implementing appropriate AML/CTF policies and procedures, establishing detection and reporting mechanisms for suspicious customers and transactions, and maintaining appropriate records of such transactions.

Robo-advisers are found in the UAE’s investment and asset management space. As the UAE emerges as one of the leading destinations for wealth management and private banking (driven in large part by its significant and ever-increasing population of high net worth individuals), the robo-adviser segment is expected to comprise over 400,000 users by 2027 according to Ken Research. Although business models will largely depend on the particular business proposition being offered, hybrid models are common, combining traditional asset and investment management services with automated solutions in respect of assessing risk appetite or providing algorithm-based financial planning.

Arranging, advising and dealing in investments, as well as managing assets, constitute regulated financial activities in the ADGM and DIFC. Similarly, promotion and carrying on the activities of a financial adviser are licensed financial activities under the SCA Rulebook. Where companies wish to carry on such services, including through robo-advisers, they will fall within the scope of these licensing regimes. In 2019, the FSRA issued supplementary guidance for obtaining regulatory authorisation to conduct digital investment management (robo-advisory) activities in the ADGM. The guidance lays down the applicable permissions (as stated above) that a company will need to apply for in order to carry on digital investment management activities, along with the key controls surrounding technology and algorithmic governance that a digital investment manager will need to implement.

Incumbent legacy players within the UAE investment management market use robo-advisers largely in the context of assessing the risk appetite of clients at a retail level and providing investment advice on the basis of such risk assessment.

The UAE robo-advisory segment in wealth management is still at a nascent stage compared to popularity in the US and the UK. However, with the big banks taking the lead and the UAE’s growing status as a home for future-facing technology companies, the region represents one of the key markets for robo-advisory services in the MENA region with a new wave of digital investment platforms aiming to provide low-cost options for young professionals and affluent clients.

Due to the increase in use of robo-advisers generally, it is expected that regulators in the UAE will start to implement regulatory frameworks governing the licensing and use of robo-advisory services in the coming years.

Depending on the nature of the regulated financial activity offered, best execution principles will also apply to companies providing robo-adviser services. Such best execution principles require companies to take reasonable care to determine the best execution available for an investment under the prevailing market conditions and to offer and deal in prices and conditions that are no less advantageous to the relevant client than the prevailing market conditions. Best execution principles are largely set out in the Conduct of Business Rulebook Modules (each “COBS”) issued by both the DFSA and FSRA. Guidance on best execution provided by the DFSA states that when determining best execution, regard should be had for direct and indirect costs, the relevant order type and the size, settlement arrangements and timing of that client’s order that could affect decisions on when, where and how to trade. Requirements to achieve best execution prices in favour of clients are also set out in the SCA Rulebook.

In onshore UAE, the CBUAE has issued regulations setting out the protections that apply with respect to the provision of finance to consumers and small to medium-sized enterprises (SMEs). However, the authors are not aware of differences in the business or regulation of loans to entities, including small businesses, etc.

The CBUAE’s Consumer Protection Regulations, initially issued in November 2020, with regular updates to reflect changes in market conditions, provide that financing to individuals must be provided in a responsible manner, to prevent over-indebtedness and support economic stability. In order to achieve this, the Consumer Protection Regulations set out various measures that must be implemented, including (amongst other things):

  • ensuring credible and independent information regarding the financial situation of the consumer has been obtained;
  • not providing excessive credit; and
  • issuing credit on the basis of the consumer’s consent.

The SME Market Conduct Regulation sets out materially the same requirements in respect of SMEs as the Consumer Protection Regulations, with a limited number of differences.

The underwriting process adopted by an online lender will depend on its business and internal risk management framework.

The access to sources of funds for loans will depend on the nature and maturity of the online lender. At the early stages of business, online lenders may seek seed investment, for example, from VC firms. Separately, the crowdfunding market in the UAE has experienced significant growth in recent years. Lenders may also seek to fundraise through peer-to-peer lending. In expansion stages, and where an online lender has established a market presence, it may seek a fresh capital injection through a secured or unsecured debt facility. Depending on the nature of the online lender, challenger banks may also use consumer deposits to fund loans. At all stages, sovereign wealth is an important source of funding within the region. That being said, the source of funds for each online lender will depend on the nature of its business, its maturity and target customers.

The authors are not aware of any syndications for online loans. These loans are typically small, short-term checkout loans which do not require syndication.

There is no explicit requirement for payment processors to use existing payment rails or to create new ones. Payment processors commonly use already-established payment rails.

In onshore UAE, cross-border payments are regulated by the CBUAE’s Retail Payment Services and Card Schemes Regulation (the “RPSCS Regulation”). The RPSCS Regulation requires providers of cross-border transfer services to obtain a licence in order to carry on such activities in the UAE. Cross-border transfer services are defined as “a Retail Payment Service for the transfer of funds in which the payment service providers of the payer and the payee are located in different jurisdictions or countries”. The RPSCS Regulation sets out various regulatory capital requirements, consumer protection, data protection, compliance and governance, AML/CTF and technology risk and information security requirements with which licensed providers must comply.

Cross-border payments are further facilitated by cross-border payment systems. Two of the main cross-border payments systems in the region are the Arabian Gulf System for Financial Automated Quick Payment Transfer (AFAQ) and Buna. Membership and participation in these systems follows an agreed set of requirements, rules and specified standards that govern the relationship between the participants and the business rules affecting the related transactions, such as the currency or currencies of the transaction, the exchange rate and the settlement institute. In December 2023, the CBUAE announced that it had joined AFAQ, which links payments systems in GCC countries.

The FSRA and DFSA respectively regulate the provision of money services in the financial free zones. These licensed financial activities capture the provision of cross-border payment services.

Regulators in the UAE are also open to co-operating with their counterparts in other jurisdictions in order to remain at the forefront of the industry. For example, the CBUAE has signed memoranda of understanding with the Reserve Bank of India (March 2023) and the Central Bank of Cuba (December 2023) to enhance, among other things, the quality of laws and regulations in respect of payments and the wider fintech sector.

Fund administrators are regulated in onshore UAE by the SCA and in offshore UAE by the FSRA in the ADGM and the DFSA in the DIFC. The SCA Rulebook prohibits the carrying on of a financial activity without a licence issued by the SCA. This includes the provision of “administrative services of an investment fund”, which the SCA Rulebook defines as a financial activity involving the carrying out of business assistance services that support an investment fund. As such, a person wishing to carry on such services in onshore UAE will require the approval of the SCA. The FSRA and DFSA also classify “acting as the administrator of a collective investment fund” and “providing fund administration” respectively as regulated financial activities. As in onshore UAE, it is prohibited to carry on a regulated financial activity in the ADGM or DIFC without obtaining a licence from the relevant regulator. As such, fund administrators must undergo the FSRA or DFSA (as applicable) licensing process in order to provide their services within the respective financial free zone.

With respect to the ADGM, as stated in Rule 17.1.4, the FSRA’s Fund Rules provide that a fund administrator of a domestic fund (excluding a qualified investor fund) or of a foreign fund managed by an authorised fund manager, must have a delegation agreement in place with the fund manager or trustee of the fund. This delegation agreement must meet various regulatory requirements, including containing provisions that prevent the fund administrator from holding or controlling monies or assets belonging to third parties in connection with such administration, except in very limited circumstances. The FSRA expects such a delegation agreement to include, at a minimum, the following provisions, as set out in the guidance to Rule A1.2.1 of the FSRA’s Fund Rules:

  • unambiguous descriptions and definitions of the activities and functions to be provided by the fund administrator and the duties to be performed by both parties;
  • an agreed standard in respect of resources and services, supported as necessary by performance measures in accordance with the applicable rules;
  • the requirement for regular detailed reporting in a specified frequency from the fund administrator in respect of its duties and activities;
  • provisions relating to the reporting of relevant events such as technological changes or error reporting and, in particular, any event which undermines the ability of the fund administrator to fulfil its duties; and
  • the requirement for an annual review (at a minimum) of the performance of the functions by the fund administrator.

Equivalent obligations exist under the DFSA’s Collective Investment Rules (CIR), which also stipulate that a fund administrator of a domestic fund (excluding a qualified investor fund) for which it is providing fund administration must have a delegation agreement that meets the requirements set out in the CIR with the fund manager or trustee of the fund. The DFSA imposed equivalent provisions to those listed above, which are contained in the guidance to Rule A1.2.1 of the CIR.

Onshore UAE

The SCA

The establishment and operation of trading platforms and exchanges is regulated by the SCA. While Federal Decree Law No 4/2000 concerning the Emirates Securities and Commodities Authorities Market (the “SCA Market Law”) is not prescriptive in terms of the type of platforms permitted, the SCA’s glossary of terms defines a market as “a securities and commodities market licensed in the [UAE] by the [SCA]”.

The VARA

While the DVAL and its supplementary regulations and rulebooks are not prescriptive in terms of the types of platforms permitted in the emirate of Dubai in respect of trading virtual assets, the DVAL defines a virtual asset platform as “a centralised or decentralised digital platform, managed by a virtual asset service provider, through which virtual assets are sold, bought, traded, offered, issued, kept and settled and their trading is cleared through the distributed ledger technology”.

Furthermore, carrying on the provision of services of exchange between one or more forms of virtual assets is a regulated activity under the DVAL. Exchange services are defined by the Virtual Asset and Regulated Activities Regulation 2023 as: (i) conducting an exchange, trade or conversion between virtual assets and fiat currency; (ii) conducting an exchange, trade or conversion between one or more virtual assets; (iii) matching orders between buyers and sellers and conducting an exchange, trade or conversion between virtual assets and fiat currency or one or more virtual assets; or (iv) maintaining an order book in furtherance of (i), (ii) or (iii).

Offshore UAE

The DIFC

Various trading platforms and marketplaces are permissible in the DIFC. In this regard, the DFSA’s GEN sets out the following regulated activities: (i) operating an exchange; and (ii) operating an alternative trading system.

Operating an exchange means operating a facility which functions regularly and brings together multiple third-party buying and selling interests in investments, in accordance with its non-discretionary rules in a way that can result in a contract in respect of investments admitted to trading or traded on the facility.

DFSA guidance provides that the financial services of operating an exchange only applies in relation to investments. A person wishing to operate a facility for the trading of crypto tokens will, therefore, need to use a multilateral trading facility (MTF) and obtain an endorsement on its licence that permits it to operate an MTF.

Operating an alternative trading system means: (i) operating an MTF; or (ii) operating an organised trading facility (OTF). A person operates an MTF if that person operates a system which brings together multiple third parties buying and selling interests in investments or crypto tokens, in accordance with its non-discretionary rules, in a way that results in a contract in respect of such investments or crypto tokens. On the other hand, a person operates an OTF if that person operates a system which brings together multiple third parties buying and selling interests in investments, in accordance with its discretionary rules, in a way that results in a contract in respect of such investments.

The ADGM

Similar trading platforms to those permitted in the DIFC are also allowed to operate in the ADGM. Under the FSRA’s Financial Services and Markets Regulation 2015 (FSMR), operating a trading platform will constitute the regulated financial activity of “operating an MTF or OTF”. Specifically, operating an MTF or an OTF on which financial instruments or virtual assets are traded are each considered separate regulated activities. Carrying on any other ancillary activities deemed suitable by the FSRA for the MTF or OTF to conduct is also its own regulated financial activity.

With the exception of virtual assets regulated separately by VARA, the application of the UAE’s regulatory regimes is not generally premised on distinctions between asset classes (although certain regulatory rules may apply in respect of a particular asset class), but rather on the type and nature of the financial activity being conducted.

The emergence of virtual asset and cryptocurrency exchanges has brought about significant regulatory reforms in the UAE. Both the FSRA and DFSA have amended their regulatory frameworks over the last few years to bring virtual assets, investment tokens and crypto tokens within the scope of their rules and regulations. Most notable, however, is the establishment of the VARA’s regulatory framework and authority in the emirate of Dubai in 2022, which was further developed in 2023. VARA is the only regulatory authority in Dubai that is exclusively dedicated to the licensing and supervision of virtual assets and related activities. The activities captured under VARA’s jurisdiction include the establishment and operation of cryptocurrency exchanges, amongst other things. In terms of upcoming developments, the authors expect VARA to issue derivatives-related guidance in 2024/2025.

Various listing standards exist in order to safeguard and maintain market confidence and ensure a fair, informed and orderly market. For instance, both the DFSA and FSRA set out the following listing principles in their Markets Rulebooks:

  • a listed entity must take reasonable steps to ensure that its senior management and any other relevant employees understand and comply with their responsibilities and obligations;
  • a listed entity must take reasonable steps to establish and maintain adequate policies, procedures, systems and controls to enable it to comply with its obligations;
  • a listed entity must act with integrity towards holders and potential holders of its listed securities;
  • a listed entity must communicate information to holders and potential holders of its listed securities in such a way as to avoid the creation or continuation of a false market in such listed securities;
  • a listed entity must deal with the competent regulatory authority in an open and co-operative manner; and
  • a listed entity must ensure that it treats all holders of the same class of its listed securities equally in respect of the rights attaching to such listed securities.

The FSRA’s Market Rules set out the following additional listing principles:

  • the structure and operations of a listed entity must be appropriate for it; and
  • a listed entity must ensure that the terms that apply to each class of its securities are appropriate and fair, taking into account voting and other rights.

The SCA Rulebook sets out various order handling requirements, including in respect of receiving, aggregating and executing trade orders as well as with regard to the notification of the execution of a trade order and its settlement. Both the FSMR and DIFC Markets Law 2012 set out provisions in respect of stop orders which may be issued by the FSRA and DFSA respectively with regard to listed securities (or crypto tokens in the case of the DIFC).

Peer-to-peer trading is in its nascent stages in the UAE; however, the key challenge posed by peer-to-peer trading is the relative lack of regulatory oversight in comparison to traditional trading platforms or exchanges, which operate in a highly regulated environment. As in other jurisdictions, such lack of regulation also raises concerns with respect to AML/CTF and adequate KYC. This is a particularly pertinent point, given the regulatory authorities’ active enforcement appetite in this space on account of the UAE’s addition to the FATF grey list on 4 March 2022. Notwithstanding this, at its October 2023 plenary, FATF made the initial determination that the UAE has substantially completed its action plan designed to strengthen the effectiveness of its AML/CTF regime in partnership with FATF, including: (i) increasing the amount of outbound MLA requests to facilitate money laundering investigations; and (ii) applying more effective and proportionate sanctions where necessary. Certain market commentators expect that FATF may remove the UAE from its grey list in 2024. Furthermore, there is evidence of state-owned enterprises looking to develop the peer-to-peer trading market as one way of increasing the number of lending solutions to individuals and businesses in the UAE. For example, this has been done through the UAE’s leading technology group, which acquired a majority stake in a peer-to-peer lending platform in July 2023.

Please see 3.3 Issues Relating to Best Execution of Customer Trades for applicable information regarding best execution practices of customer trades.

Payment for order flow is a compensation model under which a broker is paid a small commission for routing client trade orders to a particular market maker. A market maker matches buy and sell orders to execute a trade. The SCA Rulebook provides that in executing trade orders, a broker must refrain from using the trading data, transactions and orders of its clients to achieve special benefits or gains. This indicates that the permissibility of payment for order flows in onshore UAE will be limited.

With respect to onshore UAE, the SCA Market Law sets out specific provisions in respect of disclosure and transparency which must be adhered to.

In the ADGM, there is a prohibition on market abuse, which includes insider trading, dealing or disclosing inside information, and effecting transactions or orders to trade which employ fictitious devices or any other form of deception or contrivance or the dissemination of information which is likely to create a false or misleading impression, amongst other things. This is supplemented by the FSRA’s Code of Market Conduct, which is intended to prevent market abuse by providing further clarity about what activities the FSRA might regard as constituting market abuse.

Similarly, the DIFC’s Markets Law 2012 sets out a prohibition on various forms of market abuse, including: (i) fraud and market manipulation; (ii) making false and misleading statements, conduct and distortion; (iii) deception and use of fictitious devices; (iv) insider dealing; (v) providing insider information; (vi) inducing persons to deal; and (vii) misuse of information. Again, the provisions on market abuse set out in the Markets Law 2012 are supplemented by the DFSA’s Code of Market Conduct, which also elaborates on the conduct, which may fall into the categories of market abuse set out at items (i) to (vii).

Finally, VARA has issued its Market Conduct Rulebook pursuant to the Virtual Assets and Related Activities Regulations 2023. The Market Conduct Rulebook sets out provisions in respect of disclosure and transparency and requires virtual asset service providers to adhere to Virtual Asset Standards in providing and/or offering virtual asset activities.

A separate regulatory regime for algorithmic and high-frequency trading does not appear to be provided for under the UAE’s financial services regulatory frameworks. Such trading would be regulated generally as discussed in 7. Marketplaces, Exchanges and Trading Platforms.

There does not appear to be a requirement for principals to register as market makers under applicable UAE regulatory regimes.

The authors are not aware of funds or dealers engaging in high-frequency and algorithmic trading activities in the UAE.

The authors are not aware of any regulatory regime governing the development and creation of trading algorithms and other electronic trading tools in the UAE.

There are no regulations that specifically govern decentralised finance in the UAE.

There is no specific registration or regulatory framework governing financial research platforms in the UAE. The extent to which research platforms may be subject to regulation by the UAE’s various financial services authorities will depend on the nature of the service provided.

Advising on investments and financial promotion are both regulated financial activities in onshore UAE and offshore UAE. Where research platforms communicate with individuals inside the UAE in any way or by any means that could be construed as inviting, inducing or encouraging them to buy or subscribe to a financial product, this would trigger the general financial promotion prohibition set out by the FSRA, the DFSA and SCA in their respective regulatory regimes and will require such research platforms to obtain a licence to carry on such activity.

By the same measure, where research platforms are seen to give advice or make recommendations in respect of the financial information provided, for instance with respect to the merits of buying, selling, holding, subscribing for or underwriting a particular financial product or service, this may constitute the regulated financial activity of advising, again triggering financial services licensing requirements in both onshore and offshore UAE.

The UAE has strict laws on such matters, the breach of which may attract the imposition of significant penalties. The scope of these laws is significantly wider than in western Europe and the US.

The Telecommunications and Digital Government Regulatory Authority (TDRA) is the authority responsible for regulating the UAE’s telecommunications and digital sectors. This includes ensuring internet content standards are enforced. In practice, it is the responsibility of Etisalat and Du, the two national telecommunications service providers licensed by the TDRA, to monitor and block prohibited digital content. Such content includes (amongst many other categories): (i) impersonation; (ii) fraud; (iii) phishing; (iv) insult; (v) slander; (vi) defamation; and (vii) content promoting investment portfolios or funds and trading of stocks, currencies and metals without obtaining a licence from the competent regulatory authorities. The TDRA Internet Guidelines also set out guidelines for owners and operators of websites accessible in the UAE in respect of content standards that must be complied with, among other things.

Beyond this, Federal Decree Law No 34/2021 concerning the Fight Against Rumours and Cybercrime (the “Cybercrime Law”) sets out criminal offences with respect to the dissemination or publication of various forms, content and information by electronic means. Penalties under the Cybercrime Law may range from prison sentences of between one year and 25 years and monetary fines from AED30,000 to AED5 million.

Specifically, any person that advertises, promotes or deals in any form or encourages the dealing in a virtual currency, cryptocurrency, stored value unit or any payments unit not officially recognised in the state or without a licence from the competent regulatory authority through information technology or an information network is guilty of an offence. The Cybercrime Law also contains offences against divulging, publishing, re-publishing, circulating or re-circulating fake news or false, malicious, misleading or incorrect reports or rumours.

Any person that manages, creates or uses a website or information network account to facilitate the commission of such content crimes may also be guilty of an offence under the Cybercrime Law. Moreover, any administrator that manages a website or electronic account that publishes on either thereof any content, data or information which is inconsistent with the UAE’s media content criteria may also be guilty of an offence.

Please see 9.2 Regulation of Unverified Information.

The authors are not aware of a dedicated underwriting process specific to insurtechs that is mandated by UAE regulation. The CBUAE generally requires insurance companies to maintain an underwriting policy and to keep records of underwriting. The DFSA sets out specific considerations that should be included as part of an insurer’s underwriting risk policies and procedures, including (amongst other things): (i) clear identification and quantification of the insurer’s willingness and capacity to accept risk; (ii) clear identification of the classes and characteristics of the insurance business that the insurer is prepared to underwrite; (iii) formal evaluation processes for the effective assessment of risks underwritten; (iv) concentration limits; and (v) methods for monitoring compliance with underwriting policies and procedures. The FSRA sets out similar conditions.

From a commercial perspective, insurtech has significantly impacted the underwriting process for insurance policies. To review and assess an individual’s risk profile, multiple data points are used through mined, aggregated or historical data to make educated assumptions about the individual in question. This underwriting process is underpinned by the use of the internet of things, data analytics methods and artificial intelligence. For instance, the administration system of Sheteq, a Dubai-based health insurance start-up, is powered by thousands of claim adjudication rules, which are used to process most claims and requests without the need for manual assessment. This high degree of automation allows Sheteq to control benefit utilisation while maintaining accuracy and consistency.

Insurance companies are, in principle, all regulated in broadly the same way, irrespective of the type of insurance provided. As an exception to this, takaful, an Islamic form of providing insurance/reinsurance, is regulated separately in accordance with the requirements of Sharia. The relevant authorities responsible for issuing the regulations and supervising the insurance sector and its participants are: (i) the CBUAE in onshore UAE; (ii) the FSRA in the ADGM; and (iii) the DFSA in the DIFC. The CBUAE, FSRA and the DFSA have all issued their own licensing frameworks setting out specific requirements with respect to insurance-related activities.

In line with the UAE’s leading position as an enabler of emerging technologies, the regulatory authorities are also actively exploring opportunities and avenues through which they can promote the further development and adoption of insurtech solutions. For example, the FSRA and the CBUAE have launched an Insurance Co-Sandbox aimed at promoting a “smart insurance market”. Insurtech start-ups are also being supported through the DIFC’s Innovation Hub.

Regtech in the UAE is still in its nascent phase and there is currently no dedicated regulatory framework for regtech services. As regtech services are often technical services only, they are also less likely to trigger existing financial services licensing requirements, although this should be evaluated on a case-by-case basis.

In January 2019, the UAE launched its RegLab in partnership with the Dubai Future Foundation. RegLab was launched with the purpose of authorising the UAE Cabinet to grant temporary licences for the testing and vetting of innovations that utilise technologies such as artificial intelligence. RegLab works with the federal and local government authorities, as well as the private sector participants, to continue to develop a reliable legislative environment by introducing new, or developing existing, legislation to regulate emerging technology and its applications, including with respect to regtech.

In 2020, the ADGM launched three regtech pilot initiatives and, in April 2021, launched its Digital Lab to provide a secure environment to test technological solutions to facilitate the growth of regtech in the UAE.

The DIFC has established the DIFC Innovation Hub, the largest innovation community and fintech accelerator in the region, which also looks to support the development of regtech services.

Recently, regtech has become more of a focus for UAE regulators as the country looks to further develop its status as a thriving financial centre in the Middle East and is therefore increasingly interested in combatting money laundering activities. As such, UAE regulators are looking to utilise regtech to help manage the growing AML requirements and risks associated with its increasingly sophisticated and active financial market.

Regulatory requirements related to outsourcing will need to be reflected in the contracts between regtech and regulated financial service providers.

The extent to which these requirements will need to be applied may depend on the type of regulated financial service provider in question, the applicable regulatory regime and the particular regtech solution provided. Where a regulated financial service provider outsources a function directly related to its regulated financial activity, GEN of both the FSRA and DFSA stipulate that a written agreement must be in place, but are largely not prescriptive with respect to the contents of such agreements. By contrast, with respect to banks, the CBUAE’s Outsourcing Regulation details in more substantive terms the provisions that outsourcing agreements must contain. These requirements largely centre on data security and confidentiality as well as the permissibility of subcontracting within the outsourcing relationship. Obligations in respect of outsourcing also exist under other CBUAE regulations, including, for instance, the RPSCS Regulation and Stored Value Facilities Regulation (the “SVF Regulation”).

Where a regtech provider offers insourcing solutions, contractual safeguards will need to be put in place to account for any risks arising out of the reliance on such solutions by the regulated financial service provider. As dictated largely by industry custom, such agreements often require provisions regarding (among other things) the maintenance of appropriate insurance policies, auditing rights in favour of the regulated financial service provider and reporting requirements. To the extent a regtech provider has access to personal data, the requirements set out in the DIFC, ADGM and the onshore UAE data protection laws will need to be considered.

Please refer to 1.1 Evolution of the Fintech Market, 2.1 Predominant Business Models and 2.2 Regulatory Regime on the development of blockchain and virtual assets in the UAE.

The UAE’s regulators have reacted quickly to the growth in the use of blockchain within the financial services markets, particularly in respect of assets traded and stored on blockchain technologies – ie, virtual assets. All of the relevant UAE regulatory authorities set out a definition for virtual assets (or similar term) and contemplate the impact and use of decentralised ledger technologies, such as blockchain, within the provision of regulated financial activities.

The UAE’s regulatory landscape is continuously evolving in this space as it looks to attract blockchain technologies to the region with transparent regulation and practical solutions. For example, in March 2023, RAK Digital Assets Oasis was launched with its focus being on digital and virtual asset companies operating in the metaverse, blockchain, utility tokens, virtual asset wallet, NFT, decentralised autonomous organisation, decentralised application and Web3-related sectors. Separately, in November 2023, the ADGM released the Distributed Ledger Technology Foundations Regulations 2023, marking a significant milestone in the evolution of digital assets regulatory frameworks across the region and at an international level. The legislative structure is designed to provide a comprehensive framework for DLT foundations and decentralised autonomous organisations, enabling them to operate and issue tokens and recognising the unique needs of the blockchain industry.

The UAE financial services regulatory frameworks each govern virtual assets to differing degrees, including those that are represented and stored on decentralised ledger technologies (DLT) – ie, blockchain assets.

The VA Decision defines virtual assets as “a digital representation of value that can be digitally traded or transferred and can be used for investment purposes”. This does not include the digital representation of fiat currency, securities or other assets. This aligns with the definition of virtual assets in the SCA Decision No 26 of 2023, relating to virtual asset platform operators. The DVAL defines a virtual asset as “a digital representation of the value that can be digitally traded or transferred, or can be used as an instrument for exchange, payment or investment purposes, including virtual tokens, and any digital representation of any other value specified by the VARA in this regard”.

Under the CBUAE’s RPSCS Regulation and SVF Regulations, virtual assets constitute “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes”. Virtual asset tokens are also defined to mean a type of crypto-asset that can be digitally traded and functions as: (i) a unit of account; and/or (ii) a store of value. Crypto-assets are cryptographically secured digital representations of value or contractual rights that use a form of DLT and can be transferred, stored or traded electronically.

In offshore UAE, the DFSA regulatory regime captures different types of tokens (defined as a cryptographically secured digital representation of value, rights or obligations, which may be issued, transferred and stored electronically, using DLT or other similar technologies) to varying degrees, which include crypto tokens, non-fungible tokens, investment tokens, security tokens and utility tokens. The FSRA also regulates virtual assets, which it defines as a digital representation of value that can be digitally traded and functions as: (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value, but does not have legal tender status in any jurisdiction. Under the FSMR, a virtual asset is: (i) neither issued nor guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the virtual asset; and (ii) distinguished from fiat currency and e-money.

Requirements and conditions around the issuance of virtual assets are set out in VARA’s Virtual Asset Issuance Rulebook (the “Issuance Rulebook”). The Issuance Rulebook includes requirements that all persons in Dubai wishing to issue virtual assets must follow the registration requirements for issuing permitted virtual assets and obtain approval from VARA for issuing a virtual asset that is not a permitted virtual asset. Permitted virtual assets are: (i) free and non-transferable virtual assets; (ii) non-redeemable and non-transferable virtual assets; and (iii) redeemable closed-loop and non-transferable virtual assets. The issuer of a permitted virtual asset must: (i) register a white paper of the virtual asset with VARA at least seven working days before its publication, accompanied by a declaration signed by the issuer in the form set out in Schedule 2 of the Issuance Rulebook which must be sent to VARA; and (ii) comply with the requirements set out in the Issuance Rulebook. These requirements centre on the principles of honesty and integrity, conducting diligence, effective disclosure, implementing appropriate capabilities and resources, compliance and environmental responsibility.

The FSRA also sets out guidance in respect of initial coin offerings (ICO) in its “Guidance – Regulation of Initial Coin/Token Offerings and Crypto Assets under the Financial Services and Markets Regulations” (the “ICO Guidance”). The ICO Guidance sets out the FSRA’s approach to token issuers seeking to raise funds through ICOs, and market intermediaries or operators dealing in, or offering services in, virtual tokens and crypto-assets. Furthermore, the ADGM’s Distributed Ledger Technology Foundations Regulations 2023 adds further requirements on DLT foundations when they issue tokens.

Trading of virtual assets is regulated under the general provisions applicable to trading set out by the DFSA, FSRA, SCA and VARA where the blockchain assets fall under the scope of their regulatory regimes. For further discussion on trading, please refer to the response in 7. Marketplaces, Exchanges and Trading Platforms.

Funds are regulated in both onshore and offshore UAE. A fund will fall within the scope of a UAE financial services regulatory authority’s licensing framework by virtue of operating as such. Specific rules apply for particular types of investments.

The ADGM has a comprehensive virtual asset framework, which governs financial activities including collective investment funds investing in regulated digital assets. The virtual asset framework imposes certain additional regulatory obligations upon fund managers managing funds investing in regulated digital assets when it comes to periodic statements, capital requirements and technology governance and controls.

Similar to the ADGM regime, the DIFC’s virtual asset framework also imposes certain additional regulatory obligations upon fund managers managing funds investing in regulated tokens.

As a point of difference, virtual assets used for payment purposes, including stored value facilities, except those approved by the CBUAE for listing and trading purposes, are excluded from the VA Decision and fall exclusively under the jurisdiction of the CBUAE. By definition, this applies to cryptocurrencies.

While decentralised finance (DeFi) is captured under the scope of VARA’s regulatory regime in Dubai by virtue of the definition of a virtual asset platform set out under the DVAL, DeFi is not uniformly regulated across the UAE. In April 2022, the FSRA issued a discussion paper on policy considerations regarding the risks of DeFi, stating that regulatory intervention in respect of DeFi was likely in the medium term. In January 2023, the DFSA followed the FSRA’s lead and released a consultation paper on updates on the regulation of crypto tokens which included further proposals with respect to DeFi.

Non-fungible tokens (NFTs) are captured by a number of the UAE’s regulatory frameworks, including under the VA Decision. As noted above, the VA Decision defines a virtual asset as a digital representation of value that can be digitally traded or transferred and can be used for investment purposes. This does not include the digital representation of fiat currency, securities or other assets. To the extent that an NFT does not represent a physical asset, it appears to fall under this definition.

NFTs also fall within the definition of virtual assets provided by the DVAL, which defines a virtual asset as a digital representation of the value that can be digitally traded or transferred, or can be used as an instrument for exchange, payment or investment purposes, including virtual tokens, and any digital representation of any other value specified by VARA in this regard. As such, those that intend to provide virtual asset services related to NFTs in the emirate of Dubai (excluding the DIFC) will be required to comply with the obligations set out under the DVAL and its supplementary regulations and rulebooks, including obtaining a licence from VARA.

The DFSA’s GEN determines that a token will constitute an NFT where it: (i) is unique and not fungible with any other token; (ii) is related to an identified asset; and (iii) is used to prove the ownership or provenance of the asset. In contrast to the VA Decision and the DVAL, under the DFSA’s regime, NFTs are considered excluded tokens, which means that their use is not regulated in the DIFC, except under certain circumstances.

While certain FSRA AML/CTF requirements will apply to NFTs in the ADGM, NFTs themselves currently remain outside of FSRA’s regulatory oversight.

In the UAE, open banking is regulated under the RPSCS Regulation. Under the RPSCS Regulation, payment initiation service providers (PISP) and account information service providers (AISP) are required to obtain a licence to operate in onshore UAE.

In offshore UAE:

  • the DFSA amended GEN in 2020 to include the provision of open banking-related services within the scope of its licensing framework; and
  • the FSRA introduced a new regulatory framework for Third Party Financial Technology Services. The framework for Third Party Financial Technology Services focuses on the activities provided by third parties that act as intermediaries between customers and financial service providers.

In recent years in the UAE there has been an increased awareness of privacy and data security standards. This has been driven by the impact of the GDPR on international data flows as well as consumer and business expectations. The introduction of the GDPR has prompted a number of reforms in the regulation of data protection in the UAE with which providers of open banking services are also required to comply.

The DIFC and ADGM also amended their data protection regimes in 2020 and 2021 respectively. The DIFC and ADGM frameworks are largely modelled on the GDPR and require open banking providers to implement the data privacy and security measures contained therein where they are established in the financial free zones, or are processing the personal data of individuals in the financial free zones.

The CBUAE also sets out extensive data protection provisions as part of its regulatory framework. These obligations are largely contained in the CBUAE’s Consumer Protection Regulation and Standards. The CBUAE’s data protection provisions require open banking providers licensed by the CBUAE to implement various policies, processes, management and business practices in respect of data security, breach notifications, data retention and minimisation principles as well as ensuring that consumers are sufficiently informed to make choices in respect of their personal data. Onshore UAE’s first consolidated data protection law came into effect in 2022 and although banking and credit data is excluded from its scope to the extent that provisions exist elsewhere, open banking providers established in onshore UAE will also be required to comply with its provisions in respect of most other forms of personal data they process.

Beyond this, the UAE’s financial services regulators issued “Guidelines for Financial Institution Adopting Enabling Technologies” (the “Guidelines”). The Guidelines set out guidance in respect of the adoption of application programming interfaces (APIs), which are integral to the provision of open banking services. The Guidelines make clear, among other things, that in adopting or developing such APIs, the principle of “privacy by design” should be adhered to, such that only relevant data elements are exposed to any party in order to fulfil the purpose of the API.

In March 2022, the UAE was added to the FATF Grey List in response to the FATF finding “strategic deficiencies” in the UAE’s AML and CTF regimes. The development of a robust regulatory framework to combat AML/CTF risks has been a challenge for the UAE, given its rapidly developing financial sector. It is also made more difficult by the complex governance structure of the UAE, which comprises seven Emirates and various free zones which are home to a wide range of companies and commercial activities. A number of concerns raised in the FATF’s report have already been addressed; an AML and CTF executive office has been established at the centre of the government. Furthermore, the UAE’s financial regulators are increasingly active in ensuring AML/CTF compliance among regulated entities.

The financial regulators in the UAE are increasingly active in combating instances of fraud and money laundering. Among the most common violations in 2023 that have led to investigations and sanctions are those relating to non-compliance with AML protocols, particularly in respect of notification requirements and the development of systems to adequately combat the risk of money laundering and illegal transfers between connected individuals. Typically, non-compliance has been seen to be met with a monetary fine, but there have been instances in 2023 where the CBUAE has also decided to revoke licences in respect of more serious acts of misconduct.

The UAE’s logistics and commodities sectors present a particular risk for regulators. For example, Dubai’s role as a centre for trading gold and other high-value commodities leaves it vulnerable to the laundering of illicit funds.

Separately, global geopolitical developments in the US and Europe, such as the war in Ukraine, have seen Dubai position itself as a popular destination for individuals from the affected countries to undertake business and live in. Whilst the UAE has an increasingly regulated economy, obtaining reliable information on ultimate beneficial ownership of companies can still be challenging. Regulators are focused on ensuring that foreign investors in the UAE’s financial services industry are not discouraged from doing business by risks of money laundering or non-compliance with international sanctions regimes. In response, in 2022 the CBUAE issued guidance recommending the use of digital identification systems and the tracking of IP addresses to detect suspicious behaviour, including from sanctioned and high-risk jurisdictions. In August 2023, the DFSA signed a memorandum of understanding with the UAE’s Financial Intelligence Unit to further advance co-ordination and the sharing of information to ensure AML/CTF compliance. It also released a consultation paper designed to align DIFC law with a number of guidelines released at the federal level, proposing increased obligations on money laundering reporting offices, changing the threshold for notifications and increasing the scope of those who may be responsible for compliance with AML/CTF conduct standards.

White & Case LLP
Level 8, ICD Brookfield Place
Al Mustaqbal Street
Dubai International Financial Centre
Dubai
United Arab Emirates

+971 4 381 6000

+971 4 381 6299

stefan.mrozinski@whitecase.com www.whitecase.com

Trends and Developments

Introduction

The UAE’s fintech landscape has experienced remarkable expansion in recent years, especially in the aftermath of the global COVID-19 pandemic. A surge in demand for digital services has created a wealth of opportunities for both fintech start-ups and traditional market players entering the fintech space. Virtual and crypto-assets, payments, and open banking have emerged as pivotal components of the UAE’s dynamic fintech ecosystem, with the fintech market in the UAE not only presenting opportunities for major global players but also spurring the growth of local fintechs.

Significant changes have also been made to the UAE’s foreign ownership, social, and immigration laws in recent years, streamlining the process for fintech entrepreneurs to relocate to the UAE, establish or expand their ventures, and take advantage of the country’s appealing lifestyle. The commitment of the UAE government and various state-owned entities to further diversify the country’s economy away from oil remains strong. Within this strategic vision, financial services and the tech sector play a pivotal role, and the ongoing positive trends within these areas and the fintech sector specifically are set to continue throughout the 2020s.

This article delves into the details of these developments and seeks to provide an overview of the changes that have impacted the UAE’s fintech landscape in 2023, highlighting what 2024 likely has in store.

Some Background on the Legal Regime Governing Fintechs in the UAE

The UAE is a federation which comprises seven emirates: Abu Dhabi, Dubai, Sharjah, Ajman, Umm Al-Quwain and Fujairah. On top of this federal framework there sits a patchwork of free zones. The majority of these free zones are located in Dubai, with their development being driven by a desire to open up 100% foreign ownership which, until recently, was not possible in onshore UAE, being – in simple terms – the area which falls outside the UAE’s free zones.

In onshore UAE (which for financial services regulatory purposes includes the non-financial free zones), financial services are regulated by the Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA). Following the exponential growth in fintech and, more specifically, virtual asset-related activity in the UAE, a third regulatory authority – the Virtual Assets Regulatory Authority (VARA) – was established in 2022 to regulate virtual assets. VARA has jurisdiction over the emirate of Dubai (excluding the DIFC) only.

There are also two financial free zones in the UAE, being the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC). These financial free zones are considered to be entirely separate jurisdictions from onshore UAE. The ADGM and DIFC each has its own highly sophisticated stand-alone rules and regulations that are premised on English common law.

Further Development of VARA’s Regulatory Regime

Throughout 2023, a number of regulators and authorities in the UAE continued to focus on the development of infrastructure, ecosystems and regulatory frameworks to better regulate virtual assets. However, Dubai’s Virtual Asset Regulatory Authority (VARA) continued to demonstrate its standout commitment to global virtual asset service providers (VASPs) with the rollout of its licensing regime governed by a series of virtual asset-specific regulations and rulebooks. VARA (unlike the DFSA, FSRA, SCA and CBUAE) is the only regulator in the UAE that focuses exclusively on regulating virtual assets. Alongside these developments we have also seen the DFSA, FSRA, SCA and CBUAE increasing the scope of their existing rules that regulate more traditional financial products and services to capture virtual assets, instead of creating stand-alone virtual asset frameworks. 

In February 2023, VARA released its Full Market Product Regulations (the “FMP Regulations”). The FMP Regulations permit market-leading global players to apply to VARA to operate throughout Dubai. The FMP Regulations encapsulate a comprehensive set of guidelines applicable to all licensed VASPs, overseeing aspects such as market conduct, licensing procedures, company operations, and cybersecurity. Furthermore, the FMP Regulations also introduce a suite of activity-specific guidelines tailored to regulate VARA-licensed companies in a nuanced manner. Each company is subject to specific regulations based on the nature of its licence, ensuring a targeted and tailored regulatory approach.

Focus On, and Adoption Of, Artificial Intelligence

Having been the first country in the world to establish a dedicated AI Ministry, the UAE has continued to invest and expand in the area of Artificial Intelligence (AI), vying to become a global AI hub. This push by the UAE to seek to lead the Gulf’s adoption of AI is set against the backdrop of Saudi Arabia also making very significant investments within the AI sector, suggesting a significant focus in this area by the Gulf’s two largest economies.

The UAE’s AI ambitions, championed by the country’s government, have been backed by both public and private sector initiatives, providing a sustainable basis for organic future growth of the sector as a whole. In 2023, following the opening of a Global Center for Advanced AI and Cyber Technology by Mastercard in Dubai, whose focus will be to work with the UAE government to develop AI-powered solutions, the UAE and Mastercard signed a memorandum of understanding to accelerate the development and adoption of AI in the region. The partnership will focus on promoting growth in the sector, enhancing digital security and combating financial crime, marking a significant step in the UAE’s ambition to become a global hub for AI, and shows the direct relevance of AI to fintech and financial services more generally in the UAE.

In 2023 the UAE also made Falcon, its large language model (LLM), open source and freely available online for research and commercial purposes, whilst Jais, an open-source, bilingual model, was also launched and made available for use by the world’s 400 million-plus Arabic speakers. Jais is considered to be among the highest-quality Arabic AI software ever developed. Western LLMs, by comparison, including GPT-4, which powers OpenAI’s ChatGPT, are English-focused.

LLMs are set to have significant implications worldwide, including for the wider fintech sector. They can power intelligent chatbots within banking applications which can understand, process and provide personalised responses to customers. LLMs can also identify patterns of fraud by analysing data and account activity and streamline processes such as loan application reviews by providing accurate analysis and assessments of risk profiles, leading to reduced processing times. In the next few years, we expect to see AI and LLMs being deployed increasingly in fintech applications in the Arabic-speaking world. Both the UAE and Saudi Arabia will be at the forefront of such developments.

Bucking the Trend with Increased Fintech Investment Into and From the UAE

In 2023, global investment in fintechs fell by almost 50% as compared to 2022. In the UAE, by contrast, total investment in fintech companies soared by 92% over the same period, according to Innovate Finance, a fintech industry body. Amazingly, by the end of H1 2023 alone, equity investments in Middle Eastern fintechs exceeded full-year levels for 2018, 2019 and 2020, according to S&P Global. This activity was driven by government-related entities and sovereign wealth funds (SWFs), which made up over 80% of deal value in the region, according to EY.

A key strategy among the Gulf SWFs is to invest in the industries of the future, as well as to partner with foreign players with strong track records and expertise. Fintech, particularly payments, blockchain and crypto-assets, has been a key focus for UAE SWFs. This is reflected in the UAE’s efforts to become the go-to crypto mining destination in the Middle East, which was spearheaded by a number of strategic investments by its SWFs in the domestic crypto mining market, often through partnerships with leading overseas players. Armed with substantial capital, continued investment by the UAE’s SWFs in fintech (especially if possible at attractive valuations) can be expected in 2024.

Global Geopolitics and the Impact on the UAE Fintech Market

2023 was a thoroughly depressing year with respect to the yet further increase in global conflict. The Middle East has been significantly impacted by such events. The loss of life on all sides is shocking, as is the wider human suffering that these conflicts inflict on civilians in particular.

Global and regional events of the last 12 months have also impacted the UAE’s fintech sector. For decades the UAE has served as a place where individuals and businesses have sought greater stability to live and conduct business as compared to what their home countries can offer. In recent years, a number of Russian entrepreneurs, start-up founders and fintechs have moved to the UAE, for example. They have brought expertise, experience and capital to the UAE’s fintech scene, further adding to the diverse mix of talents that work in the sector.

A similar movement of fintech expertise and experience from Israel to the UAE has also been evident over the last few years. The signing of the Abraham Accords in September 2020 (which normalised the relationship between the UAE and Israel) expanded the opportunity for Israeli and UAE-based fintechs, businesses and investors to establish partnerships and collaborations. In the last couple of years, a significant number of Israeli fintechs have been attracted to the UAE’s growing tech ecosystem, using it as a gateway to access new markets in the Middle East. The UAE has also been an important source of capital for Israeli fintechs and start-ups more generally over the last few years. In May 2023, the Israeli fintech association, FinTech Aviv, even signed a memorandum of association with the DIFC to further build Israel-UAE relations in the sector. It is not yet clear how these positive developments between the two countries in the fintech sector will be impacted following recent events.

Developing Relationships With the Powers of the Future

Just as the UAE has taken a pro-business stance in further enhancing its relationship with the US, the UAE has also been developing relations with rising powers such as China and India. In 2023, a number of the UAE’s SWFs publicly stated their intentions to deploy more capital into China. The expansion of relationships between the UAE and China comes at a time when investments by US venture capital firms into China (a sizeable portion of which was going into fintech) have reduced significantly. UAE (and Saudi) money can be expected to plug at least some of this funding gap. In March 2023, the CBUAE signed its latest memorandum of understanding with the Reserve Bank of India to promote collaboration in emerging areas of fintech. This will only serve to strengthen relations between the two countries, which have been deeply intertwined for decades, and especially in the context of fintech in the UAE where Indian founders have played a prominent role for a number of years.

Final Thoughts

The UAE’s fintech landscape has undergone remarkable expansion over the last few years, driven by a surge in demand for digital services and facilitated by proactive regulatory frameworks. The establishment of VARA in 2022 marked a significant step towards more effectively regulating virtual assets. AI was a significant focus of the UAE in 2023 and this will only grow further in 2024, as the country seeks to become not only a regional but also a global hub for AI. AI is expected to have significant implications for the UAE’s wider fintech sector. As the UAE diversifies its economy away from oil, fintech, particularly payments, blockchain and crypto-assets, has become a focal point for various government-led initiatives.

Notwithstanding rising global geopolitical tensions, the UAE’s fintech sector has continued to thrive, attracting investment and fostering collaboration, meaning there is much to be optimistic and excited about when it comes to fintech in 2024.
