Any views expressed in this publication are strictly those of the authors and should not be attributed in any way to White & Case LLP.

In 2024, the UAE continued to reinforce its position as not just a regional, but also a global, financial services hub with an even stronger push to develop and grow the UAE’s fintech landscape. There has been significant investment in fintech start-ups in recent years and the UAE now hosts a quarter of all fintech companies in the Middle East and North Africa (MENA) region. According to industry reports, the potential impact of artificial intelligence (AI) in the Middle East is expected to be USD320 billion by 2030, with the UAE set to see the largest impact of close to 14% of 2030 GDP.

The growth in the UAE’s fintech space has largely been driven by initiatives from the UAE’s two financial free zones: the Dubai International Financial Centre (the “DIFC”) and the Abu Dhabi Global Market (the “ADGM”). Both the ADGM and the DIFC have set up their own fintech hubs: the ADGM Regulation Lab (the “ADGM RegLab”) and the DIFC Innovation Hub. The ADGM RegLab and the DIFC Innovation Hub give fintechs access to an extensive network of investors, marketing and PR exposure, bespoke regulatory frameworks and regulatory sandbox schemes, as well as networking events. In the words of the DIFC Innovation Hub, its objective is to “raise unicorns”.

The success of the UAE’s fintech market can also be attributed to the continued entrepreneurialism of the UAE’s regulatory authorities to position the UAE as a regional and international virtual assets leader. This is demonstrated by the actions of the Dubai Virtual Assets Regulatory Authority (the “VARA”) which released its all-encompassing regulatory framework for virtual assets in February 2023 and the UAE’s Securities and Commodities Authority (the “SCA”) which issued guidelines relating to the Regulation of Virtual Assets and Virtual Assets Service Providers in July 2024.

In April 2024, the Central Bank of the UAE (the “CBUAE”) published two key regulations on open banking and fintech innovation. The first was the Open Finance Regulation, which introduced an “Open Finance Framework” in which CBUAE-licensed financial institutions are mandated to apply for licences. Under this arrangement, open finance providers (ie, the licensed financial institutions) will gain access to data of customers and will be permitted to initiate transactions on customer accounts and products. The second was the Sandbox Conditions Regulation, which was issued to facilitate the testing of technologically innovative financial business models, products, services and solutions which may benefit consumers and/or the wider industry for a duration determined by the CBUAE without participants being required to obtain a full regulatory licence.

In June 2024, the CBUAE published the Payment Token Services Regulation (the “PTS Regulation”) which established a comprehensive framework for licensing and supervising digital payment services and covers:

• payment token issuance;
• payment token conversion; and
• payment token custody and transfer.

In April 2024, Dubai announced its “Universal Blueprint for Artificial Intelligence”, which is focused on increasing quality of life and GDP through technology and innovation and includes the inauguration of the DIFC’s AI and Web3 incubator to establish one of the world’s largest AI and technology companies hubs.

Abu Dhabi has further made a concerted effort to accelerate the development and adoption of AI and advanced technologies through partnerships in the UAE and internationally with a focus on AI infrastructure (including data centres), semiconductors and AI technologies and applications (including AI models).

In January 2025, Abu Dhabi launched its Digital Strategy 2025-2027, aiming to establish the world’s first fully AI-powered government by 2027 and allocating USD3.5 billion between 2025 and 2027 to boost digital infrastructure, automate all government processes and integrate sovereign cloud computing across all operations.

The UAE’s fintech sector has continued to grow and mature following an increase in the adoption of digital payments, e-commerce activity and an expanding digital banking landscape.

A wide range of actors are active in the UAE’s fintech space, from mature businesses to start-ups that operate across a wide range of sectors from open banking and equity crowdfunding through to insurtech, wealthtech and regtech. The predominant verticals that apply in the UAE relate to virtual assets, cryptocurrencies, payments (including with respect to remittances which are of disproportionately large importance in the UAE given its large expatriate population) and blockchain technology. A continued interest from large virtual asset companies considering whether to relocate to the UAE is expected, given the comparatively developed regulatory landscape amid increasingly aggressive enforcement actions from Western (and other) regulators in this space.

Overview

The UAE is a federation consisting of seven emirates, with Dubai largely seen as the UAE’s international commercial centre and Abu Dhabi being particularly important from a governmental and political perspective. Each emirate is permitted to exercise all powers not assigned to the federal level. This includes being authorised to issue its own laws and regulations.

From a financial services regulatory perspective, the UAE comprises two categories of jurisdiction:

• “onshore UAE”: constituting the territories of the seven emirates of the UAE, including approximately 45 economic free zones that are largely concentrated in the emirate of Dubai; and
• “offshore UAE”: constituting the financial free zones of the DIFC and the ADGM. Each of the financial free zones are, from a financial services regulatory perspective, separate jurisdictions from “onshore UAE”. Each financial free zone has its own standalone rules and regulations that are largely premised on English common law and are based on benchmarking against the rules of leading international financial centres.

“Onshore UAE” – Payments

In “onshore UAE”, the provision of payment services is generally regulated by the CBUAE pursuant to the following.

Large Value Payment Systems Regulation

This framework sets out the conditions for obtaining and maintaining a licence to operate a large value payment system, defined as “a clearing and settlement system that is designed primarily to process large value and/or wholesale payments typically among financial market participants (so-called wholesale payments) or involving money market, foreign exchange or many commercial transactions, excluding bilateral clearing and settlement arrangements and relationships which do not constitute a ‘system’”.

Retail Payment Systems Regulation

This framework applies to designated retail payment systems providers, setting out (amongst other things):

• the CBUAE’s key criteria for designating a retail payment service;
• the licensing and designation process for retail payment services; and
• the ongoing requirements of designated retail payment services.

Retail Payment Services and Card Schemes Regulation (the “RPSCS Regulation”)

This framework applies to retail payment service providers and card scheme providers, setting out the conditions applicable to the granting and maintaining of licences to carry out retail payment services and card schemes in “onshore UAE”, the ongoing obligations of retail payment service and card scheme providers and the powers of the CBUAE with respect to the supervision of retail payment service providers and the ongoing reporting requirements for card schemes.

“Onshore UAE” – Virtual Assets

In “onshore UAE”, virtual assets fall under the jurisdiction of the SCA, the VARA and the CBUAE.

The SCA

The SCA is responsible for overseeing the regulation of virtual assets and related services pursuant to Cabinet Decision No 111/2022 (the “VA Decision”). According to the VA Decision, any person that wishes to carry out virtual asset-related activities must obtain a licence from the SCA (or the competent authority at the emirate level (where one exists)). In July 2024, the SCA issued its guidelines relating to the Regulation of Virtual Assets and Virtual Assets Service Providers.

The VARA

The VARA is the authority responsible for regulating, supervising and overseeing virtual assets and related activities in the emirate of Dubai (excluding the DIFC), in line with the Dubai Virtual Assets Law (the “DVAL”) and its Executive Regulations and Rulebooks. In 2023, the DVAL rolled out its comprehensive virtual asset licensing framework and a number of global market players obtained full operational licences.

The CBUAE

The CBUAE is responsible for regulating activities relating to payment tokens (ie, stablecoins) pursuant to the RPSCS Regulation, while the CBUAE’s Stored Value Facilities Regulation (the “SVF Regulation”) regulates crypto and virtual assets insofar as they may be accepted in exchange for the storage of value. In June 2024, the CBUAE published the PTS Regulation which established a comprehensive framework for licensing and supervising digital payment services. It covers:

• payment token issuance;
• payment token conversion; and
• payment token custody and transfer.

“Offshore UAE” – Virtual Assets and Payment Services

In the ADGM, the Financial Services Regulatory Authority (the “FSRA”) regulates virtual assets and virtual asset-related activities. The FSRA’s “Virtual Asset Framework” sets out provisions targeting a range of risks associated with virtual asset-related activities, including risks relating to money laundering and financial crime, consumer protection, technology governance, custody and exchange operations. The FSRA subsequently issued “Guidance – Regulation of Virtual Asset Activities in ADGM” to provide further support to persons when carrying out virtual asset-related activities in the ADGM to interpret its rules and regulations. Payment services are also regulated by various ADGM regulations and FSRA rules.

In the DIFC, the Dubai Financial Services Authority (the “DFSA”) regulates virtual assets and the provision of connected financial services. The DFSA’s regulatory framework is set out in the DFSA Rulebooks, which distinguish between investment tokens as either security tokens or derivative tokens, and crypto tokens. The provision of payment services is also primarily regulated in the DFSA Rulebooks.

The compensation models vary depending on the nature of a fintech’s business and the regulatory rules applicable to the fintech. Certain restrictions may apply depending on the sector in which a fintech operates.

The authors are not aware of any specific regulatory restrictions in “onshore UAE” or “offshore UAE” with respect to the compensation models that industry participants may use to charge customers. However, where a fintech chooses to provide Islamic finance, it will be required to comply with the principles of Sharia in determining its compensation model, including considering matters such as the charging of interest.

Regulators in “onshore UAE” and “offshore UAE” do not differentiate between fintech participants and legacy participants per se. Differences in regulatory regimes are generally based on the risks associated with the activity being carried out. For example, a bank will attract higher levels of regulatory oversight and supervision than a payment services business offering payment initiation services and account information services.

In 2021, the CBUAE established a regulatory sandbox in “onshore UAE” for the insurance sector. In 2021, the CBUAE signed two separate memoranda of understanding with the ADGM and the DIFC to introduce a co-sandbox programme to permit fintechs to test innovative solutions under the existing sandbox programme.

Most recently, in April 2024 the CBUAE published the Sandbox Conditions Regulation. As described in 1.1 Evolution of the Fintech Market, the Sandbox Conditions Regulation has been issued to permit participants enrolled in the Regulatory Sandbox to test their technologically innovative financial business models, products, services and solutions which may benefit consumers and/or the wider industry for a duration determined by the CBUAE, without having to obtain a full regulatory licence.

The ADGM offers the ADGM RegLab. A regulatory sandbox forms part of the ADGM RegLab’s offering that provides a controlled environment for fintech participants to test and develop their innovative fintech solutions. In the RegLab, regulatory requirements are applied based on a participant’s business model and risks and on a case-by-case basis.

In the DIFC, the DFSA operates a licensed sandbox known as the DFSA Innovation Testing Licence Programme. It allows participants to:

• test new and innovative financial products, services and business models; and
• benefit from adaptations to the regulatory framework on a case-by-case basis.

The key regulatory authorities responsible for administering the UAE’s financial services frameworks and for regulating the UAE fintech market are the CBUAE, the SCA, the VARA, the FSRA and the DFSA.

“Onshore UAE”

The CBUAE

The CBUAE regulates banks, finance companies, payment service providers, stored value facilities providers, exchange businesses and insurance companies.

The SCA

The SCA regulates markets, listed companies, securities brokers, virtual asset service providers (VASPs) and the trading of commodities.

The VARA

The VARA regulates virtual asset-related activities in the emirate of Dubai, excluding the DIFC.

“Offshore UAE”

The FSRA

The FSRA is the financial services regulator in the ADGM. It supervises all banks, investment firms, securities traders and reinsurers that operate within the ADGM.

The DFSA

The DFSA is the financial services regulator in the DIFC. It supervises all banks, investment firms, securities traders and reinsurers that operate within the DIFC.

The authors are not aware of regulators in either “onshore UAE” or “offshore UAE” issuing “no-action” letters and this practice is not generally common in the UAE.

Regulated financial service providers (FSPs) are permitted to outsource certain functions to third-party vendors. FSPs retain responsibility for the outsourced function and must maintain oversight over the third-party vendor. The level and precise requirements of this oversight depend on the nature of the outsourced function and the FSP.

Generally, where an FSP outsources one of its functions, it will be required to put in place an appropriate agreement governing its commercial relationship with the third-party vendor including audit rights in favour of the FSP. Under the DFSA General Rulebook Module and the FSRA General Rulebook, an outsourcing agreement must also require the third-party vendor to deal with the relevant regulator in an open and co-operative way. Further contractual requirements to be set out in the outsourcing agreements of banks are provided for in the CBUAE’s Outsourcing Regulations and Standards for Banks, which largely centre around access to the bank’s data by the third-party vendor. A bank’s outsourcing agreement must establish (among other things):

• that the bank retains ownership of the data and unfettered access to it;
• that the data is adequately safeguarded (through confidentiality provisions and provisions relating to data destruction following termination);
• the extent to which subcontracting is permitted; and
• data breach notification requirements.

In all cases, the UAE’s regulatory authorities require FSPs to take a risk-based approach to outsourcing functions and to carry out appropriate diligence on the selected third-party vendor whilst maintaining overall responsibility for each function that is outsourced.

Regulated FSPs are required to comply with certain conduct of business requirements.

They are also required to adhere to standards in respect of the promotion of financial products and services. For instance, the DFSA General Rulebook Module requires that all financial promotions:

• are clear, fair and not misleading;
• indicate who the regulated FSP is;
• are directed at the intended category of customer or client;
• provide fair, unbiased and balanced information; and
• when directed at retail clients, contain a prominent warning that past performance is not necessarily a reliable indicator of future performance.

The VARA has issued its own Marketing Regulations governing the promotion of virtual assets in Dubai that contain similar advertising standards.

Beyond this, fintechs are responsible for complying with obligations set out under the UAE’s anti-money laundering and countering of terrorist financing (“AML/CTF”) laws. This includes, carrying out know your customer diligence and monitoring for and reporting suspicious transactions.

The enforcement actions by regulatory authorities have increased considerably in recent years following the UAE’s addition to the Financial Action Task Force’s (FATF’s) grey list in 2022 and its subsequent removal in February 2024. This increased enforcement has also been evident within the UAE’s crypto and virtual asset and payment services verticals. “Onshore UAE” regulatory authorities typically have wide-ranging enforcement powers and have the ability to impose a wide range of penalties from fines and censure for less severe breaches to imprisonment for the most serious offences such as those connected to financial crime. “Offshore UAE” regulatory authorities’ powers do not include criminal powers but otherwise mirror those of “onshore UAE” regulatory authorities.

By way of example, the Executive Regulations relating to the DVAL Virtual Assets and Related Activities Regulations 2023 include the following penalties:

• written reprimands;
• enforcement notices requiring non-compliance to be rectified within a specified period of time;
• licence restrictions, suspensions or revocations; and
• fines.

The VARA has already revoked licences and the CBUAE has demonstrated its increased appetite for enforcement by issuing various sanctions against finance companies and exchange houses. The authors are also aware of the increased enforcement appetite of the DFSA and the FSRA in recent times. However, the VARA’s investigatory process suggests that the VARA is willing to work with companies that are in violation of regulations and provide opportunities for them to correct their transgressions.

“Onshore UAE”

Data protection

Federal Decree-Law No 45/2021 (the “Personal Data Protection Law”) is “onshore UAE’s” first written data protection law of general application. The Personal Data Protection Law is inspired by the EU’s General Data Protection Law (the “GDPR”) but is lighter touch. As of the time of publication, the Executive Regulations, which will flesh out the provisions of the Personal Data Protection Law, are yet to be released.

Data and information is also protected in other aspects of “onshore UAE” law. For example, Federal Decree-Law No 31/2021 prohibits the unlawful copy, distribution or provision of information or data.

Cybercrime

Federal Decree-Law No 34/2021 Concerning the Fight against Rumours and Cybercrime sets out a wide range of offences, including in relation to illegal digital content and illegal uses of information technology. This is a broad law that goes considerably further than equivalent regulation in this area in Western Europe and the US.

“Offshore UAE”

Data protection

Both the DIFC and the ADGM have had consolidated data protection regimes for many years and both were recently reformed. They bear a significant resemblance to the GDPR, albeit being more business friendly and somewhat lighter touch.

There are a growing number of formal industry bodies emerging in the fintech space such as the MENA Fintech Association. These industry bodies have an increasingly important role to play with respect to representing industry participants, communicating with regulators to address concerns and seeking guidance in respect of, or input with respect to, planned regulations within the fintech space.

The DIFC Innovation Hub and the ADGM RegLab also oversee the fintech market and can influence the rules and regulations within the industry as an informal network by interpreting the practical application of the rules and regulations, thereby influencing how the market operates. Regulatory sandboxes also play a part in helping regulators to examine how their regulatory regimes impact real life business models, enabling regulators to adapt and develop in line with their aim of promoting the UAE as a global fintech industry hub.

While it will depend on the nature of the business activities contemplated, it is generally expected that corporate entities maintain a degree of separation between regulated and unregulated business activities to ensure that they can ring-fence those which are regulated and have higher supervision requirements from those which are not. For instance, in the ADGM it is prohibited to combine financial and non-financial services on the licence of a single entity.

AML/CTF is regulated in the UAE by:

• Federal Decree-Law No 20/2018 (as amended);
• Cabinet Decision No 10/2019 (as amended);
• Cabinet Decision No 58/2020; and
• Federal Law No 7/2014, collectively, the “UAE’s AML/CTF Laws”.

Financial institutions and VASPs fall within the scope of the UAE’s AML/CTF Laws. As such, where fintechs fall within the scope of the definition of a financial institution or VASP, they will also fall within the scope of the UAE’s AML/CTF Laws.

Fintechs regulated by the SCA are required to ensure compliance with the standards and obligations set out in the UAE’s AML/CTF Laws. This is confirmed, for instance, by SCA Decision No 13/RM/2021 (the “SCA Rulebook”), which requires licensed bodies to meet the requirements of the “Law of Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations and its Implementing Regulations”.

The SCA has also issued a number of circulars and notices governing various aspects of AML/CTF compliance, including the freezing and unfreezing of accounts and the implementation of targeted financial sanctions. This is in addition to any standards issued by the CBUAE in respect of this FATF guidance. Furthermore, both the VA Decision and the DVAL are explicit in requiring VASPs licensed thereunder to comply with the obligations of the UAE’s AML/CTF Laws.

Under Article 71(1) of the DIFC Regulatory Law 2004, regulated FSPs are required to comply with the UAE’s AML/CTF Laws. The Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module of the DFSA Rulebook also applies to regulated FSPs in respect of their activities carried on, in, or from the DIFC.

Similarly, the UAE’s AML/CTF laws also apply to regulated FSPs in the ADGM. In addition, the ADGM’s Anti-Money Laundering and Sanctions Rules and Guidance Module to the FSRA Rulebook sets out further requirements for regulated FSPs to ensure compliance with the provisions of the UAE’s AML/CTF Laws. This includes implementing appropriate AML/CTF policies and procedures, establishing detection and reporting mechanisms for suspicious customers and transactions, and maintaining appropriate records of these transactions.

The AML and sanctions rules in the UAE generally follow the standards imposed by the FATF. Since its removal from the FATF grey list in 2024, the UAE has continued to evidence its dedication to accelerating its AML reform agenda by making various amendments to its AML laws in August 2024, launching a new national strategy for AML/CTF and proliferation financing developed using the World Bank Group’s methodology and by continuing to take enforcement action in cases of non-compliance with AML rules and regulation.

In “onshore UAE”, the SCA Rulebook contains a reverse solicitation exemption (from the requirement to obtain a promotion licence from the SCA) where, on its own initiative, an investor inside “onshore UAE” enquires with an entity outside “onshore UAE” about the offer or purchase of a specific foreign security, without a promotion by the foreign issuer or their promoters or distributors and provided that documentary evidence exists demonstrating this.

Unlike the position in “onshore UAE”, in the DIFC and the ADGM, no codified reverse solicitation exemptions exist with respect to offering regulated products and services from another jurisdiction. However, certain financial promotion restrictions may not be applicable in reverse solicitation scenarios.

Robo-advisers are found in the UAE’s investment and asset management space. Although business models will largely depend on the particular business proposition being offered, hybrid models are common, combining traditional asset and investment management services with automated solutions in respect of assessing risk appetite or providing algorithm-based financial planning.

Arranging, advising and dealing in investments, and managing assets, constitute regulated financial activities in the ADGM and the DIFC. Similarly, promotion and carrying on the activities of a financial adviser are licensed financial activities under the SCA Rulebook. Where companies wish to carry on these services they will fall within the scope of these licensing regimes.

In 2019, the FSRA issued supplementary guidance for obtaining regulatory authorisation to conduct digital investment management (robo-advisory) activities in the ADGM. The guidance lays down the applicable permissions that a company will need to apply for in order to carry on digital investment management activities, along with the key controls surrounding technology and algorithmic governance that a digital investment manager will need to implement.

Incumbent legacy players within the UAE investment management market use robo-advisers largely in the context of assessing the risk appetite of clients at a retail level and providing investment advice on the basis of this risk assessment.

The UAE robo-advisory segment in wealth management is still at a nascent stage compared to its popularity in the US and the UK. However, with banks taking the lead and the UAE’s growing status as a home for future-facing technology companies, the region represents one of the key markets for robo-advisory services in the MENA region with a new wave of digital investment platforms aiming to provide low-cost options for young professionals and affluent clients.

Due to the increased use of robo-advisers in general, it is expected that regulators in the UAE will start to implement regulatory frameworks governing the licensing and use of robo-advisory services in the coming years.

Depending on the nature of the regulated financial activity offered, best execution principles will also apply to companies providing robo-adviser services. These best execution principles require companies to take reasonable care to determine the best execution available for an investment under the prevailing market conditions and to offer and deal in prices and conditions that are no less advantageous to the relevant client than the prevailing market conditions.

Best execution principles are largely set out in the Conduct of Business (COB) Rulebook Modules issued by both the DFSA and the FSRA. Guidance on best execution provided by the DFSA states that when determining best execution, regard should be had for direct and indirect costs, the relevant order type and the size, settlement arrangements and timing of that client’s order that could affect decisions on when, where and how to trade. Requirements to achieve best execution prices in favour of clients are also set out in the SCA Rulebook.

In “onshore UAE”, the CBUAE has issued regulations setting out the protections that apply with respect to the provision of finance to consumers and small to medium-sized enterprises (SMEs). However, the authors are not aware of differences in the business or regulation of loans to entities, including small businesses, etc.

The CBUAE’s Consumer Protection Regulations provide that financing to individuals must be provided in a responsible manner, to prevent over-indebtedness and support economic stability. In order to achieve this, the Consumer Protection Regulations set out various measures that must be implemented, including:

• ensuring credible and independent information regarding the financial situation of the consumer has been obtained;
• not providing excessive credit; and
• issuing credit on the basis of the consumer’s consent.

The SME Market Conduct Regulation sets out materially the same requirements in respect of SMEs as the Consumer Protection Regulations, with a limited number of differences.

The underwriting process adopted by an online lender will depend on its business and internal risk management framework.

The access to sources of funds for loans will depend on the nature and maturity of the online lender. At the early stages of business, online lenders may seek seed investment, for example, from venture capital firms. Separately, the crowdfunding market in the UAE has experienced significant growth in recent years.

Lenders may also seek to fundraise through peer-to-peer lending. In expansion stages, and where an online lender has established a market presence, it may seek a fresh capital injection through a secured or unsecured debt facility.

Depending on the nature of the online lender, challenger banks may also use consumer deposits to fund loans. At all stages, sovereign wealth is an important source of funding within the region.

The authors are not aware of any syndications for online loans. These loans are typically small, short-term checkout loans which do not require syndication.

There is no explicit requirement for payment processors to use existing payment rails or to create new ones. Payment processors commonly use already-established payment rails.

In “onshore UAE”, cross-border payments are regulated by the RPSCS Regulation. The RPSCS Regulation requires providers of cross-border transfer services to obtain a licence in order to carry on these activities in the UAE. Cross-border transfer services are defined as “a retail payment service for the transfer of funds in which the payment service providers of the payer and the payee are located in different jurisdictions or countries”. The RPSCS Regulation sets out various regulatory capital requirements, consumer protection, data protection, compliance and governance, AML/CTF and technology risk and information security requirements which licensed providers must comply with.

Cross-border payments are further facilitated by cross-border payment systems. Two of the main cross-border payments systems in the region are the Arabian Gulf System for Financial Automated Quick Payment Transfer (AFAQ) and Buna. Membership and participation in these systems follows an agreed set of requirements, rules and specified standards that govern the relationship between the participants and the business rules affecting the related transactions, such as the currency or currencies of the transaction, the exchange rate and the settlement institute. In December 2023, the CBUAE announced that it had joined AFAQ, which links payments systems in GCC countries.

The FSRA and the DFSA respectively regulate the provision of money services in the financial free zones. These licensed financial activities capture the provision of cross-border payment services.

“Onshore UAE”

The SCA

The establishment and operation of trading platforms and exchanges is regulated by the SCA. While Federal Decree-Law No 4/2000 concerning the Emirates Securities and Commodities Authorities Market (the “SCA Market Law”) is not prescriptive in terms of the type of platforms permitted, the SCA’s glossary of terms defines a market as “a securities and commodities market licensed in the [UAE] by the [SCA]”.

The VARA

While the DVAL and its supplementary regulations and Rulebooks are not prescriptive in terms of the types of platforms permitted in the emirate of Dubai in respect of trading virtual assets, the DVAL defines a virtual asset platform as “a centralised or decentralised digital platform, managed by a VASP, through which virtual assets are sold, bought, traded, offered, issued, kept and settled and their trading is cleared through the distributed ledger technology”.

Furthermore, carrying on the provision of services of exchange between one or more forms of virtual assets is a regulated activity under the DVAL. Exchange services are defined by the Virtual Asset and Regulated Activities Regulation 2023 as:

• conducting an exchange, trade or conversion between virtual assets and fiat currency;
• conducting an exchange, trade or conversion between one or more virtual assets;
• matching orders between buyers and sellers and conducting an exchange, trade or conversion between virtual assets and fiat currency or one or more virtual assets; or
• maintaining an order book in furtherance of conducting an exchange, trade or conversion between virtual assets and fiat currency, conducting an exchange, trade or conversion between one or more virtual assets, or matching orders between buyers and sellers and conducting an exchange, trade or conversion between virtual assets and fiat currency or one or more virtual assets.

“Offshore UAE”

The DIFC

Various trading platforms and marketplaces are permissible in the DIFC. In this regard, the DFSA’s General Rulebook Module sets out the following regulated activities:

• operating an exchange; and
• operating an alternative trading system.

Operating an exchange means operating a facility which functions regularly and brings together multiple third-party buying and selling interests in investments, in line with its non-discretionary rules in a way that can result in a contract in respect of investments admitted to trading or traded on the facility.

DFSA guidance provides that the financial service of operating an exchange only applies in relation to investments. A person wishing to operate a facility for the trading of crypto tokens will, therefore, need to use a multilateral trading facility (MTF) and obtain an endorsement on its licence that permits it to operate an MTF.

Operating an alternative trading system means:

• operating an MTF; or
• operating an organised trading facility (OTF).

A person operates an MTF if that person operates a system which brings together multiple third parties buying and selling interests in investments or crypto tokens, in line with its non-discretionary rules, in a way that results in a contract in respect of these investments or crypto tokens. On the other hand, a person operates an OTF if that person operates a system which brings together multiple third parties buying and selling interests in investments, in line with its discretionary rules, in a way that results in a contract in respect of these investments.

The ADGM

Under the FSRA’s Financial Services and Markets Regulation 2015 (the “FSMR”), operating a trading platform will constitute the regulated financial activity of “operating an MTF or OTF”. Specifically, operating an MTF or an OTF on which financial instruments or virtual assets are traded are each considered separate regulated activities. Carrying on any other ancillary activities deemed suitable by the FSRA for the MTF or OTF to conduct is also its own regulated financial activity.

With the exception of virtual assets regulated separately by the VARA, the application of the UAE’s regulatory regimes are not generally premised on distinctions between asset classes (although certain regulatory rules may apply in respect of a particular asset class), but rather on the type and nature of the financial activity being conducted.

Both the FSRA and the DFSA have amended their regulatory frameworks over the last few years to bring virtual assets, investment tokens and crypto tokens within the scope of their rules and regulations. Most notable, however, is the establishment of the VARA’s regulatory framework and authority in the emirate of Dubai in 2022 and further developed in 2023 and 2024.

The VARA is the only regulatory authority in Dubai that is exclusively dedicated to the licensing and supervision of virtual assets and related activities. The activities captured under the VARA’s jurisdiction include the establishment and operation of cryptocurrency exchanges. The authors expect the VARA to issue derivatives-related guidance in 2025.

Various listing standards exist in order to safeguard and maintain market confidence and ensure a fair, informed and orderly market. For instance, both the DFSA and the FSRA set out the following listing principles in their Markets Rulebooks.

• A listed entity must take reasonable steps to ensure that its senior management and any other relevant employees understand and comply with their responsibilities and obligations.
• A listed entity must take reasonable steps to establish and maintain adequate policies, procedures, systems and controls to enable it to comply with its obligations.
• A listed entity must act with integrity towards holders and potential holders of its listed securities.
• A listed entity must communicate information to holders and potential holders of its listed securities in such a way as to avoid the creation or continuation of a false market in the listed securities.
• A listed entity must deal with the competent regulatory authority in an open and co-operative manner.
• A listed entity must ensure that it treats all holders of the same class of its listed securities equally in respect of the rights attaching to these listed securities.

The FSRA’s Market Rules set out the following additional listing principles:

• the structure and operations of a listed entity must be appropriate for it; and
• a listed entity must ensure that the terms that apply to each class of its securities are appropriate and fair, taking into account voting and other rights.

The SCA Rulebook sets out various order handling requirements, including in respect of receiving, aggregating and executing trade orders and the notification of the execution of a trade order and in its settlement. Both the FSMR and the DIFC Markets Law 2012 set out provisions in respect of stop orders which may be issued by the FSRA and the DFSA respectively with regards to listed securities (or crypto tokens in the case of the DIFC).

Peer-to-peer trading is in its nascent stages in the UAE. However, the key challenge posed by peer-to-peer trading is the relative lack of regulatory oversight in comparison to traditional trading platforms or exchanges which operate in a highly regulated environment. As in other jurisdictions, the lack of regulation also raises concerns with respect to AML/CTF and adequate KYC. This is a particularly pertinent point, given the regulatory authorities’ active enforcement appetite in this space on account of the UAE’s addition to the FATF grey list on 4 March 2022 and its subsequent removal from the FATF grey list in February 2024.

During its review of the UAE, the FATF cited the progress made by the UAE in strengthening the effectiveness of its AML/CTF regime including by applying effective and proportionate sanctions for AML/CTF non-compliance involving financial institutions and designated non-financial businesses and professions and increasing suspicious transaction report filings for those sectors and increasing investigations and prosecution of money laundering.

Payment for order flow is a compensation model under which a broker is paid a small commission for routing client trade orders to a particular market maker. A market maker matches buy and sell orders to execute a trade. The SCA Rulebook provides that in executing trade orders, a broker must refrain from using the trading data, transactions and orders of its clients to achieve special benefits or gains. This indicates that the permissibility of payment for order flows in “onshore UAE” will be limited.

With respect to “onshore UAE”, the SCA Market Law sets out specific provisions in respect of disclosure and transparency which must be adhered to.

In the ADGM, there is a prohibition on market abuse, which includes insider trading, dealing or disclosing inside information, and effecting transactions or orders to trade which employ fictitious devices or any other form of deception or contrivance or the dissemination of information which is likely to create a false or misleading impression, amongst other things. This is supplemented by the FSRA’s Code of Market Conduct, which is intended to prevent market abuse by providing further clarity about what activities the FSRA might regard as constituting market abuse.

The DIFC’s Markets Law 2012 sets out a prohibition on various forms of market abuse, including:

• fraud and market manipulation;
• making false and misleading statements, conduct and distortion;
• deception and use of fictitious devices;
• insider dealing;
• providing insider information;
• inducing persons to deal; and
• misuse of information.

The provisions on market abuse set out in the Markets Law 2012 are supplemented by the DFSA’s Code of Market Conduct, which also elaborates on the conduct, which may fall into these categories of market abuse.

Finally, the VARA has issued its Market Conduct Rulebook pursuant to the Virtual Assets and Related Activities Regulations 2023. The Market Conduct Rulebook sets out provisions in respect of disclosure and transparency and requires VASPs to adhere to Virtual Asset Standards in providing and/or offering virtual asset activities.

A separate regulatory regime for high-frequency and algorithmic trading does not appear to be provided for under the UAE’s financial services regulatory frameworks. This trading would be regulated generally as discussed in 6 Marketplaces, Exchanges and Trading Platforms.

There does not appear to be a requirement for principals to register as market makers under applicable UAE regulatory regimes.

The authors are not aware of funds or dealers engaging in high-frequency and algorithmic trading activities in the UAE.

The authors are not aware of any regulatory regime governing the development and creation of trading algorithms and other electronic trading tools in the UAE.

The authors are not aware of a dedicated underwriting process specific to insurtechs that is mandated by UAE regulation. The CBUAE generally requires insurance companies to maintain an underwriting policy and that records of underwriting are kept. The DFSA sets out specific considerations that should be included as part of an insurer’s underwriting risk policies and procedures, including:

• clear identification and quantification of the insurer’s willingness and capacity to accept risk;
• clear identification of the classes and characteristics of the insurance business that the insurer is prepared to underwrite;
• formal evaluation processes for the effective assessment of risks underwritten;
• concentration limits; and
• methods for monitoring compliance with underwriting policies and procedure.

The FSRA sets out similar conditions.

From a commercial perspective, insurtech has significantly impacted the underwriting process for insurance policies. To review and assess an individual’s risk profile, multiple data points are used through mined, aggregated or historical data to make educated assumptions about the individual in question. This underwriting process is underpinned by the use of the internet of things, data analytics methods and AI.

Insurance companies are, in principle, all regulated in broadly the same way, irrespective of the type of insurance provided. As an exception to this, takaful, an Islamic form of providing insurance/reinsurance, is regulated separately in line with the requirements of Sharia. The relevant authorities responsible for issuing the regulations and supervising the insurance sector and its participants are:

• the CBUAE in “onshore UAE”;
• the FSRA in the ADGM; and
• the DFSA in the DIFC.

The CBUAE, the FSRA and the DFSA have all issued their own licensing frameworks setting out specific requirements with respect to insurance-related activities.

In line with the UAE’s leading position as an enabler of emerging technologies, the regulatory authorities are also actively exploring opportunities and avenues through which they can promote the further development and adoption of insurtech solutions. For example, the FSRA and the CBUAE have launched an Insurance Co-Sandbox aimed at promoting a “smart insurance market”.

Regtech in the UAE is still in its nascent phase and there is currently no dedicated regulatory framework for regtech services. As regtech services are often technical services only, they are also less likely to trigger existing financial services licensing requirements.

In January 2019, the UAE launched its RegLab in partnership with the Dubai Future Foundation. The RegLab was launched with the purpose of authorising the UAE Cabinet to grant temporary licences for the testing and vetting of innovations that utilise technologies such as AI.

In 2020, the ADGM launched three regtech pilot initiatives and, in April 2021, launched its Digital Lab to provide a secure environment to test technological solutions to facilitate the growth of regtech in the UAE.

The DIFC has established the DIFC Innovation Hub, the largest innovation community and fintech accelerator in the region, which also looks to support the development of regtech services.

Regtech has recently become more of a focus for UAE regulators as the country looks to further develop its status as a thriving financial centre in the Middle East and is therefore increasingly interested in combating money laundering activities. As such, UAE regulators are looking to utilise regtech to help manage the growing AML requirements and risks associated with its increasingly sophisticated and active financial market.

Regulatory requirements related to outsourcing will need to be reflected in the contracts between the regtech provider and regulated FSPs.

The extent to which these requirements will need to be applied may depend on the type of regulated FSP in question, the applicable regulatory regime and the particular regtech solution provided. Where a regulated FSP outsources a function directly related to its regulated financial activity, the General Rulebook Modules of the FSRA and the DFSA stipulate that a written agreement must be in place but are largely not prescriptive with respect to the contents of these agreements.

By contrast, with respect to banks, the CBUAE’s Outsourcing Regulation details in more substantive terms the provisions that outsourcing agreements must contain. These requirements largely centre on data security and confidentiality and the permissibility of subcontracting within the outsourcing relationship. Obligations in respect of outsourcing also exist under other CBUAE regulations, including, for instance, the RPSCS Regulation and the SVF Regulation.

Where a regtech provider offers insourcing solutions, contractual safeguards will need to be put in place to account for any risks arising out of the reliance on these solutions by the regulated FSP. As dictated largely by industry custom, these agreements often require provisions regarding (among other things) the maintenance of appropriate insurance policies, auditing rights in favour of the regulated FSP and reporting requirements. The requirements set out in the DIFC, the ADGM and the “onshore UAE” data protection laws will also need to be considered.

Please see 1.1 Evolution of the Fintech Market, 2.1 Predominant Business Models and 2.2 Regulatory Regime on the development of blockchain and virtual assets in the UAE.

The UAE’s regulators have reacted quickly to the growth in the use of blockchain within the financial services markets, particularly in respect of assets traded and stored on blockchain technologies: virtual assets. All of the relevant UAE regulatory authorities set out a definition for virtual assets (or similar term) and contemplate the impact and use of decentralised ledger technologies (DLTs), such as blockchain, within the provision of regulated financial activities.

The UAE’s regulatory landscape is continuously evolving in this space as it looks to attract blockchain technologies to the region with transparent regulation and practical solutions. For example, in November 2023, the ADGM released the Distributed Ledger Technology Foundations Regulations 2023, marking a significant milestone in the evolution of digital assets regulatory frameworks across the region and at an international level.

The UAE financial services regulatory frameworks each govern virtual assets to differing degrees, including those that are represented and stored on DLTs, ie, blockchain assets.

The VA Decision defines virtual assets as “a digital representation of value that can be digitally traded or transferred and can be used for investment purposes”. This does not include the digital representation of fiat currency, securities or other assets. This aligns with the definition of virtual assets in the SCA Decision No 26/2023, relating to virtual asset platform operators. The DVAL defines a virtual asset as “a digital representation of the value that can be digitally traded or transferred, or can be used as an instrument for exchange, payment or investment purposes, including virtual tokens, and any digital representation of any other value specified by the VARA in this regard”.

Under the CBUAE’s RPSCS Regulation and SVF Regulation, virtual assets constitute “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes”. Virtual asset tokens are also defined to mean a type of crypto-asset that can be digitally traded and functions as:

• a unit of account; and/or
• a store of value.

Crypto-assets are cryptographically secured digital representations of value or contractual rights that use a form of DLT and can be transferred, stored or traded electronically. The PTS Regulation defines a payment token as “a virtual asset that maintains a stable value by referencing the value of the fiat currency it is denominated in or another payment token denominated in the same fiat currency”.

Under its guidelines relating to the Regulation of Virtual Assets and Virtual Assets Service Providers, the SCA defines virtual assets as “a digital representation of value that can be traded or digitally transferred and can be used for investment purposes, and does not include digital representations of paper currencies, securities or other money”.

In “offshore UAE”, the DFSA regulatory regime captures different types of tokens (defined as a cryptographically secured digital representation of value, rights or obligations, which may be issued, transferred and stored electronically, using DLT or other similar technologies) to varying degrees, which include crypto tokens, non-fungible tokens (NFTs), investment tokens, security tokens and utility tokens. The FSRA also regulates virtual assets, which it defines as a digital representation of value that can be digitally traded and functions as:

• a medium of exchange;
• a unit of account; and/or
• a store of value but does not have legal tender status in any jurisdiction.

Under the FSMR, a virtual asset is:

• neither issued nor guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the virtual asset; and
• distinguished from fiat currency and e-money.

Requirements and conditions around the issuance of virtual assets are set out in VARA’s Virtual Asset Issuance Rulebook (the “Issuance Rulebook”). The Issuance Rulebook includes requirements that all persons in Dubai wishing to issue virtual assets must follow the registration requirements for issuing permitted virtual assets and obtain approval from the VARA for issuing a virtual asset that is not a permitted virtual asset.

Permitted virtual assets are:

• free and non-transferable virtual assets;
• non-redeemable and non-transferable virtual assets; and
• redeemable closed-loop and non-transferable virtual assets.

The issuer of a permitted virtual asset must:

• register a white paper of the virtual asset with the VARA at least seven working days before its publication, accompanied by a declaration signed by the issuer in the form set out in Schedule 2 of the Issuance Rulebook which must be sent to the VARA; and
• comply with the requirements set out in the Issuance Rulebook.

In its guidelines relating to the Regulation of Virtual Assets and Virtual Assets Service Providers, the SCA regulates the provision of financial services related to the issuer’s offer and/or sale of virtual assets or participation in the provision of these services.

The FSRA also sets out guidance in respect of initial coin offerings in its “Guidance – Regulation of Initial Coin/Token Offerings and Crypto Assets under the Financial Services and Markets Regulations” (the “ICO Guidance”). The ICO Guidance sets out the FSRA’s approach to token issuers seeking to raise funds through ICOs, and market intermediaries or operators dealing in, or offering services in, virtual tokens and crypto-assets. The ADGM’s Distributed Ledger Technology Foundations Regulations 2023 adds further requirements on DLT foundations when they issue tokens.

Trading of virtual assets is regulated under the general provisions applicable to trading set out by the DFSA, the FSRA, the SCA and the VARA where the blockchain assets fall under the scope of their regulatory regimes. For further discussion on trading see 6 Marketplaces, Exchanges and Trading Platforms.

VASPs licensed by the VARA to provide custody services may also provide staking if explicitly authorised to do so by the VARA (and the authorisation is expressly stipulated in their licence). The VARA considers staking as forming part of the custody services that a VASP is permitted to provide. The provision of staking from custody services is therefore considered to be a subset of the custody services activity.

In the DIFC, the DFSA permits the provision of staking services by authorised firms that are authorised to provide custody, subject to certain restrictions including offering and provision only to professional clients and market counterparties and providing appropriate disclosures with respect to the risks of staking.

In the ADGM, the FSRA concluded its consultation on regulating staking in January 2025 and is expected to publish its conclusions and relevant rules during the course of 2025.

The VARA regulates the provision of lending services relating to cryptocurrencies with “lending and borrowing services” being a specific activity requiring a licence from the VARA, with the relevant rules being contained in the VARA’s Lending and Borrowing Services Rulebook. The Lending and Borrowing Services Rulebook stipulates the relevant policies, procedures and public disclosures that need to be developed and made if a VASP is providing lending services and sets out specific rules relating to client lending concerning client reporting and valuation, record-keeping, risk management and due diligence and client agreements.

In the DIFC, the DFSA prohibits authorised firms from offering or providing any facility or service(s) that allows a client to lend crypto tokens whether to the authorised firm itself or to another person. In addition, the DFSA prohibits an authorised firm from providing a credit facility to a retail client in connection with trading in crypto tokens.

In the ADGM, the FSRA concluded its consultation on regulating virtual asset borrowing and lending services in January 2025 and is expected to publish its conclusions and relevant rules in 2025.

The offering of cryptocurrency derivatives is based on a review of the VARA public register which sets out various entities licensed to carry out virtual asset derivatives trading activities. The VARA regulates cryptocurrency derivatives. While the VARA has not yet issued specific derivatives-related guidance, it is expected to do so in 2025.

In the DIFC, the DFSA’s regulatory framework captures crypto token derivatives. The rules governing crypto token derivatives are set out in the DFSA General Rulebook Module. The DFSA General Rulebook Module sets out a number of requirements including requiring authorised firms to carry out an appropriateness assessment of a retail client and form a reasonable view that the person has:

• adequate skills and expertise to understand the risks involved in trading crypto token derivatives; and
• the ability to absorb potentially significant losses resulting from trading in crypto token derivatives.

Other restrictions relating to crypto token derivatives are also prescribed.

In the ADGM, in line with the FSRA’s treatment of virtual assets as commodities, derivatives of virtual assets are regulated as commodity derivatives and, as such, are classified as a type of “specified investment” under the FSMR. Consequently, any market operators or market intermediaries in the ADGM dealing or managing investments in derivatives of virtual assets are subject to the appropriate regulations and rules applicable under the FSMR.

There are no regulations that specifically govern decentralised finance (DeFI) in the UAE.

Funds are regulated in both “onshore UAE” and “offshore UAE”. A fund will fall within the scope of a UAE financial services regulatory authority’s licensing framework by virtue of operating as such. Specific rules apply for particular types of investments.

The ADGM has a comprehensive virtual asset framework, which governs financial activities including collective investment funds investing in regulated digital assets. The virtual asset framework imposes certain additional regulatory obligations upon fund managers managing funds investing in regulated digital assets when it comes to periodic statements, capital requirements and technology governance and controls.

The DIFC’s virtual asset framework also imposes certain additional regulatory obligations upon fund managers managing funds investing in regulated tokens.

As a point of difference, virtual assets used for payment purposes, including stored value facilities, except those approved by the CBUAE for listing and trading purposes, are excluded from the VA Decision and fall exclusively under the jurisdiction of the CBUAE. By definition, this applies to cryptocurrencies.

NFTs are governed by a number of the UAE’s regulatory frameworks, including under the VA Decision. The VA Decision defines a virtual asset as a digital representation of value that can be digitally traded or transferred and can be used for investment purposes. This does not include the digital representation of fiat currency, securities or other assets. To the extent that an NFT does not represent a physical asset, it appears to fall under this definition.

NFTs also fall within the definition of virtual assets provided by the DVAL, which defines a virtual asset as a digital representation of the value that can be digitally traded or transferred, or can be used as an instrument for exchange, payment or investment purposes, including virtual tokens, and any digital representation of any other value specified by the VARA in this regard. As such, those that intend to provide virtual asset services related to NFTs in the emirate of Dubai (excluding the DIFC) will be required to comply with the obligations set out under the DVAL and its supplementary regulations and Rulebooks, including obtaining a licence from the VARA.

The DFSA General Rulebook Module determines that a token will constitute an NFT where it:

• is unique and not fungible with any other token;
• is related to an identified asset; and
• is used to prove the ownership or provenance of the asset.

In contrast to the VA Decision and the DVAL, under the DFSA’s regime, NFTs are considered excluded tokens, which means that their use is not regulated in the DIFC, except under certain circumstances.

While certain FSRA AML/CTF requirements will apply to NFTs in the ADGM, NFTs themselves currently remain outside of the FSRA’s regulatory oversight.

In the UAE, open banking is regulated under:

• the RPSCS Regulation, under which payment initiation service providers and account information service providers are required to obtain a licence to operate in “onshore UAE”; and
• the Open Finance Regulation. The Open Finance Regulation issued by the CBUAE in 2024 introduced an “Open Finance Framework” which CBUAE-licensed financial institutions are mandated to participate in. In summary, licensed financial institutions will, following consent from a customer, be able to access customer data (including that held by other licensed financial institutions) for the purpose of initiating transactions on customers’ accounts.

In “offshore UAE”:

• the DFSA General Rulebook Module was amended in 2020 to include the provision of open banking-related services within the scope of its licensing framework; and
• the FSRA introduced a new regulatory framework for Third Party Financial Technology Services. The framework for Third Party Financial Technology Services focuses on the activities provided by third parties that act as intermediaries between customers and FSPs.

In recent years in the UAE there has been an increased awareness of privacy and data security standards. This has been driven by the impact of the GDPR on international data flows and consumer and business expectations.

The DIFC and the ADGM also amended their data protection regimes in 2020 and 2021 respectively. The DIFC and the ADGM frameworks are largely modelled on the GDPR and require open banking providers to implement the data privacy and security measures contained therein where they are established in the financial free zones or are processing the personal data of individuals in the financial free zones.

The CBUAE also sets out extensive data protection provisions as part of its regulatory framework. These obligations are largely contained in the CBUAE’s Consumer Protection Regulation and Standards. The CBUAE’s data protection provisions require open banking providers to implement various policies, processes, management and business practices in respect of data security, breach notifications, data retention and minimisation principles as well as ensuring that consumers are sufficiently informed to make choices in respect of their personal data.

“Onshore UAE’s” first consolidation of the data protection law came into effect in 2022 and although banking and credit data is excluded from its scope to the extent that provisions exist elsewhere, open banking providers established in “onshore UAE” will also be required to comply with its provisions in respect of most other forms of personal data they process.

Beyond this, the UAE’s financial services regulators issued “Guidelines for Financial Institution Adopting Enabling Technologies” (the “Guidelines”). The Guidelines set out guidance in respect of the adoption of application performance interfaces (APIs), which are integral to the provision of open banking services.

During the period between March 2022 and February 2024, the UAE was on the FATF’s grey list. The UAE’s removal from the grey list was a result of it significantly strengthening the effectiveness of its AML/CTF regime to meet the commitments in its action plan regarding the strategic deficiencies that the FATF had previously identified. The development of a robust regulatory framework to combat AML/CTF risks has previously been a challenge for the UAE, given its rapidly developing financial sector.

As a result of the concerns raised in the FATF’s report, a number of measures were taken including the establishment of an AML and CTF executive office at the centre of the government, the adoption of new guidelines for financial institutions and designated non-financial businesses and professions aimed at AML and CTF, the establishment of a special court to prosecute financial crimes and the implementation of a new Penal Code.

The financial regulators in the UAE are increasingly active in combating instances of fraud and money laundering. Among the most common violations in 2024 that have led to investigations and sanctions are those relating to non-compliance with AML protocols, particularly in respect of notification requirements and developing systems to adequately combat the risk of money laundering and illegal transfers between connected individuals.

The UAE’s logistics and commodities sectors present a particular risk for regulators. For example, Dubai’s role as a centre for trading gold and other high-value commodities leaves it vulnerable to the laundering of illicit funds.

The UAE regulators are focused on ensuring that foreign investors in the financial services industry are not discouraged from doing business by risks of money laundering or non-compliance with international sanctions regimes. In 2022, the CBUAE issued guidance recommending the use of digital identification systems and the tracking of IP addresses to detect suspicious behaviour, including from sanctioned and high-risk jurisdictions.

In August 2023, the DFSA signed a memorandum of understanding with the UAE’s Financial Intelligence Unit to further advance co-ordination and sharing of information to ensure AML/CTF compliance. It also released a consultation paper designed to align DIFC law with a number of guidelines released at the federal level, proposing increased obligations on money laundering reporting offices, changing the threshold for notifications and increasing the scope of those who may be responsible for compliance with AML/CTF conduct standards.

Responsibility of fintech service providers for losses suffered by a customer would depend on the specific facts and circumstances surrounding the situation.

Below are examples of situations and the corresponding responsibility imposed by the relevant regulator on a fintech service provider for losses suffered by a customer.

• The VARA stipulates that VASPs must have procedures for ensuring that all virtual assets transfer and settlement services carried out for a client are authorised by the client, and that the VASP is acting in line with the client’s instructions. If any virtual assets transmission/transfer, and/or settlement processed by a VASP is not authorised by the client, or is not carried out in line with the client’s instructions, the VASP:
1. will, as soon as practicable but in all events within 24 hours of becoming aware of the erroneous execution, refund the client or otherwise restore the client’s account to the state it would have been in, had the wrongful transmission or transfer, and/or settlement not been effected; and
2. is liable to the client in respect of the loss suffered by the client as a direct result of the VASP’s actions or omissions.
• The DFSA COB Rulebook Module states that if an authorised firm is responsible for an unauthorised or incorrectly executed payment transaction, or for the non-execution of a payment transaction, and the user’s payment account has been incorrectly debited, it must promptly and within three business days restore the user’s payment account to the state it would have been in had the payment transaction been correctly executed.
• The FSRA, in its COB Rulebook Module, states that where an executed payment transaction was not authorised by the payer, the payment service provider must:
1. refund the amount of the unauthorised payment transaction; and
2. where applicable, restore the debited payment account to the state it would have been in had the unauthorised payment transaction not taken place. The payment service provider must provide a refund as soon as practicable, and in any event no later than the end of the day following the day on which it becomes aware of the unauthorised payment transaction, although the requirement to provide a refund does not apply where the payment service provider has reasonable grounds to suspect fraudulent behaviour by the payment service user.