Any views expressed in this publication are strictly those of the authors and should not be attributed in any way to White & Case LLP.
In 2024, the UAE continued to reinforce its position as not just a regional, but also a global, financial services hub with an even stronger push to develop and grow the UAE’s fintech landscape. There has been significant investment in fintech start-ups in recent years and the UAE now hosts a quarter of all fintech companies in the Middle East and North Africa (MENA) region. According to industry reports, the potential impact of artificial intelligence (AI) in the Middle East is expected to be USD320 billion by 2030, with the UAE set to see the largest impact of close to 14% of 2030 GDP.
The growth in the UAE’s fintech space has largely been driven by initiatives from the UAE’s two financial free zones: the Dubai International Financial Centre (the “DIFC”) and the Abu Dhabi Global Market (the “ADGM”). Both the ADGM and the DIFC have set up their own fintech hubs: the ADGM Regulation Lab (the “ADGM RegLab”) and the DIFC Innovation Hub. The ADGM RegLab and the DIFC Innovation Hub give fintechs access to an extensive network of investors, marketing and PR exposure, bespoke regulatory frameworks and regulatory sandbox schemes, as well as networking events. In the words of the DIFC Innovation Hub, its objective is to “raise unicorns”.
The success of the UAE’s fintech market can also be attributed to the continued entrepreneurialism of the UAE’s regulatory authorities to position the UAE as a regional and international virtual assets leader. This is demonstrated by the actions of the Dubai Virtual Assets Regulatory Authority (the “VARA”) which released its all-encompassing regulatory framework for virtual assets in February 2023 and the UAE’s Securities and Commodities Authority (the “SCA”) which issued guidelines relating to the Regulation of Virtual Assets and Virtual Assets Service Providers in July 2024.
In April 2024, the Central Bank of the UAE (the “CBUAE”) published two key regulations on open banking and fintech innovation. The first was the Open Finance Regulation, which introduced an “Open Finance Framework” in which CBUAE-licensed financial institutions are mandated to apply for licences. Under this arrangement, open finance providers (ie, the licensed financial institutions) will gain access to data of customers and will be permitted to initiate transactions on customer accounts and products. The second was the Sandbox Conditions Regulation, which was issued to facilitate the testing of technologically innovative financial business models, products, services and solutions which may benefit consumers and/or the wider industry for a duration determined by the CBUAE without participants being required to obtain a full regulatory licence.
In June 2024, the CBUAE published the Payment Token Services Regulation (the “PTS Regulation”) which established a comprehensive framework for licensing and supervising digital payment services and covers:
In April 2024, Dubai announced its “Universal Blueprint for Artificial Intelligence”, which is focused on increasing quality of life and GDP through technology and innovation and includes the inauguration of the DIFC’s AI and Web3 incubator to establish one of the world’s largest hubs for AI and technology companies.
Abu Dhabi has further made a concerted effort to accelerate the development and adoption of AI and advanced technologies through partnerships in the UAE and internationally with a focus on AI infrastructure (including data centres), semiconductors and AI technologies and applications (including AI models).
In January 2025, Abu Dhabi launched its Digital Strategy 2025-2027, aiming to establish the world’s first fully AI-powered government by 2027 and allocating USD3.5 billion between 2025 and 2027 to boost digital infrastructure, automate all government processes and integrate sovereign cloud computing across all operations.
The UAE’s fintech sector has continued to grow and mature following an increase in the adoption of digital payments, e-commerce activity and an expanding digital banking landscape.
A wide range of actors are active in the UAE’s fintech space, from mature businesses to start-ups that operate across a wide range of sectors from open banking and equity crowdfunding through to insurtech, wealthtech and regtech. The predominant verticals that apply in the UAE relate to virtual assets, cryptocurrencies, payments (including with respect to remittances which are of disproportionately large importance in the UAE given its large expatriate population) and blockchain technology. A continued interest from large virtual asset companies considering whether to relocate to the UAE is expected, given the comparatively developed regulatory landscape amid increasingly aggressive enforcement actions from Western (and other) regulators in this space.
Overview
The UAE is a federation consisting of seven emirates, with Dubai largely seen as the UAE’s international commercial centre and Abu Dhabi being particularly important from a governmental and political perspective. Each emirate is permitted to exercise all powers not assigned to the federal level. This includes being authorised to issue its own laws and regulations.
From a financial services regulatory perspective, the UAE comprises two categories of jurisdiction:
“Onshore UAE” – Payments
In “onshore UAE”, the provision of payment services is generally regulated by the CBUAE pursuant to the following.
Large Value Payment Systems Regulation
This framework sets out the conditions for obtaining and maintaining a licence to operate a large value payment system, defined as “a clearing and settlement system that is designed primarily to process large value and/or wholesale payments typically among financial market participants (so-called wholesale payments) or involving money market, foreign exchange or many commercial transactions, excluding bilateral clearing and settlement arrangements and relationships which do not constitute a ‘system’”.
Retail Payment Systems Regulation
This framework applies to designated retail payment systems providers, setting out (amongst other things):
Retail Payment Services and Card Schemes Regulation (the “RPSCS Regulation”)
This framework applies to retail payment service providers and card scheme providers, setting out the conditions applicable to the granting and maintaining of licences to carry out retail payment services and card schemes in “onshore UAE”, the ongoing obligations of retail payment service and card scheme providers and the powers of the CBUAE with respect to the supervision of retail payment service providers and the ongoing reporting requirements for card schemes.
“Onshore UAE” – Virtual Assets
In “onshore UAE”, virtual assets fall under the jurisdiction of the SCA, the VARA and the CBUAE.
The SCA
The SCA is responsible for overseeing the regulation of virtual assets and related services pursuant to Cabinet Decision No 111/2022 (the “VA Decision”). According to the VA Decision, any person that wishes to carry out virtual asset-related activities must obtain a licence from the SCA (or the competent authority at the emirate level (where one exists)). In July 2024, the SCA issued its guidelines relating to the Regulation of Virtual Assets and Virtual Assets Service Providers.
The VARA
The VARA is the authority responsible for regulating, supervising and overseeing virtual assets and related activities in the emirate of Dubai (excluding the DIFC), in line with the Dubai Virtual Assets Law (the “DVAL”) and its Executive Regulations and Rulebooks. In 2023, the DVAL rolled out its comprehensive virtual asset licensing framework and a number of global market players obtained full operational licences.
The CBUAE
The CBUAE is responsible for regulating activities relating to payment tokens (ie, stablecoins) pursuant to the RPSCS Regulation, while the CBUAE’s Stored Value Facilities Regulation (the “SVF Regulation”) regulates crypto and virtual assets insofar as they may be accepted in exchange for the storage of value. In June 2024, the CBUAE published the PTS Regulation which established a comprehensive framework for licensing and supervising digital payment services. It covers:
“Offshore UAE” – Virtual Assets and Payment Services
In the ADGM, the Financial Services Regulatory Authority (the “FSRA”) regulates virtual assets and virtual asset-related activities. The FSRA’s “Virtual Asset Framework” sets out provisions targeting a range of risks associated with virtual asset-related activities, including risks relating to money laundering and financial crime, consumer protection, technology governance, custody and exchange operations. The FSRA subsequently issued “Guidance – Regulation of Virtual Asset Activities in ADGM” to provide further support to persons when carrying out virtual asset-related activities in the ADGM to interpret its rules and regulations. Payment services are also regulated by various ADGM regulations and FSRA rules.
In the DIFC, the Dubai Financial Services Authority (the “DFSA”) regulates virtual assets and the provision of connected financial services. The DFSA’s regulatory framework is set out in the DFSA Rulebooks, which distinguish between investment tokens as either security tokens or derivative tokens, and crypto tokens. The provision of payment services is also primarily regulated in the DFSA Rulebooks.
The compensation models vary depending on the nature of a fintech’s business and the regulatory rules applicable to the fintech. Certain restrictions may apply depending on the sector in which a fintech operates.
The authors are not aware of any specific regulatory restrictions in “onshore UAE” or “offshore UAE” with respect to the compensation models that industry participants may use to charge customers. However, where a fintech chooses to provide Islamic finance, it will be required to comply with the principles of Sharia in determining its compensation model, including considering matters such as the charging of interest.
Regulators in “onshore UAE” and “offshore UAE” do not differentiate between fintech participants and legacy participants per se. Differences in regulatory regimes are generally based on the risks associated with the activity being carried out. For example, a bank will attract higher levels of regulatory oversight and supervision than a payment services business offering payment initiation services and account information services.
In 2021, the CBUAE established a regulatory sandbox in “onshore UAE” for the insurance sector. In 2021, the CBUAE signed two separate memoranda of understanding with the ADGM and the DIFC to introduce a co-sandbox programme to permit fintechs to test innovative solutions under the existing sandbox programme.
Most recently, in April 2024 the CBUAE published the Sandbox Conditions Regulation. As described in 1.1 Evolution of the Fintech Market, the Sandbox Conditions Regulation has been issued to permit participants enrolled in the Regulatory Sandbox to test their technologically innovative financial business models, products, services and solutions which may benefit consumers and/or the wider industry for a duration determined by the CBUAE, without having to obtain a full regulatory licence.
The ADGM offers the ADGM RegLab. A regulatory sandbox forms part of the ADGM RegLab’s offering that provides a controlled environment for fintech participants to test and develop their innovative fintech solutions. In the RegLab, regulatory requirements are applied based on a participant’s business model and risks and on a case-by-case basis.
In the DIFC, the DFSA operates a licensed sandbox known as the DFSA Innovation Testing Licence Programme. It allows participants to:
The key regulatory authorities responsible for administering the UAE’s financial services frameworks and for regulating the UAE fintech market are the CBUAE, the SCA, the VARA, the FSRA and the DFSA.
“Onshore UAE”
The CBUAE
The CBUAE regulates banks, finance companies, payment service providers, stored value facilities providers, exchange businesses and insurance companies.
The SCA
The SCA regulates markets, listed companies, securities brokers, virtual asset service providers (VASPs) and the trading of commodities.
The VARA
The VARA regulates virtual asset-related activities in the emirate of Dubai, excluding the DIFC.
“Offshore UAE”
The FSRA
The FSRA is the financial services regulator in the ADGM. It supervises all banks, investment firms, securities traders and reinsurers that operate within the ADGM.
The DFSA
The DFSA is the financial services regulator in the DIFC. It supervises all banks, investment firms, securities traders and reinsurers that operate within the DIFC.
The authors are not aware of regulators in either “onshore UAE” or “offshore UAE” issuing “no-action” letters and this practice is not generally common in the UAE.
Regulated financial service providers (FSPs) are permitted to outsource certain functions to third-party vendors. FSPs retain responsibility for the outsourced function and must maintain oversight over the third-party vendor. The level and precise requirements of this oversight depend on the nature of the outsourced function and the FSP.
Generally, where an FSP outsources one of its functions, it will be required to put in place an appropriate agreement governing its commercial relationship with the third-party vendor including audit rights in favour of the FSP. Under the DFSA General Rulebook Module and the FSRA General Rulebook, an outsourcing agreement must also require the third-party vendor to deal with the relevant regulator in an open and co-operative way. Further contractual requirements to be set out in the outsourcing agreements of banks are provided for in the CBUAE’s Outsourcing Regulations and Standards for Banks, which largely centre around access to the bank’s data by the third-party vendor. A bank’s outsourcing agreement must establish (among other things):
In all cases, the UAE’s regulatory authorities require FSPs to take a risk-based approach to outsourcing functions and to carry out appropriate diligence on the selected third-party vendor whilst maintaining overall responsibility for each function that is outsourced.
Regulated FSPs are required to comply with certain conduct of business requirements.
They are also required to adhere to standards in respect of the promotion of financial products and services. For instance, the DFSA General Rulebook Module requires that all financial promotions:
The VARA has issued its own Marketing Regulations governing the promotion of virtual assets in Dubai that contain similar advertising standards.
Beyond this, fintechs are responsible for complying with obligations set out under the UAE’s anti-money laundering and countering of terrorist financing (“AML/CTF”) laws. This includes carrying out know-your-customer diligence, and monitoring for and reporting suspicious transactions.
Enforcement actions by regulatory authorities have increased considerably in recent years following the UAE’s addition to the Financial Action Task Force’s (FATF’s) grey list in 2022 and its subsequent removal in February 2024. This increased enforcement has also been evident within the UAE’s crypto and virtual asset and payment services verticals. “Onshore UAE” regulatory authorities typically have wide-ranging enforcement powers and can impose a wide range of penalties, from fines and censure for less severe breaches to imprisonment for the most serious offences such as those connected to financial crime. “Offshore UAE” regulatory authorities’ powers do not include criminal powers but otherwise mirror those of “onshore UAE” regulatory authorities.
By way of example, the Executive Regulations relating to the DVAL Virtual Assets and Related Activities Regulations 2023 include the following penalties:
The VARA has already revoked licences and the CBUAE has demonstrated its increased appetite for enforcement by issuing various sanctions against finance companies and exchange houses. The authors are also aware of the increased enforcement appetite of the DFSA and the FSRA in recent times. However, the VARA’s investigatory process suggests that the VARA is willing to work with companies that are in violation of regulations and provide opportunities for them to correct their transgressions.
“Onshore UAE”
Data protection
Federal Decree-Law No 45/2021 (the “Personal Data Protection Law”) is “onshore UAE’s” first written data protection law of general application. The Personal Data Protection Law is inspired by the EU’s General Data Protection Law (the “GDPR”) but is lighter touch. As of the time of publication, the Executive Regulations, which will flesh out the provisions of the Personal Data Protection Law, are yet to be released.
Data and information are also protected in other aspects of “onshore UAE” law. For example, Federal Decree-Law No 31/2021 prohibits the unlawful copying, distribution or provision of information or data.
Cybercrime
Federal Decree-Law No 34/2021 Concerning the Fight against Rumours and Cybercrime sets out a wide range of offences, including in relation to illegal digital content and illegal uses of information technology. This is a broad law that goes considerably further than equivalent regulation in this area in Western Europe and the US.
“Offshore UAE”
Data protection
Both the DIFC and the ADGM have had consolidated data protection regimes for many years and both were recently reformed. They bear a significant resemblance to the GDPR, albeit being more business friendly and somewhat lighter touch.
There are a growing number of formal industry bodies emerging in the fintech space such as the MENA Fintech Association. These industry bodies have an increasingly important role to play with respect to representing industry participants, communicating with regulators to address concerns and seeking guidance in respect of, or input with respect to, planned regulations within the fintech space.
The DIFC Innovation Hub and the ADGM RegLab also oversee the fintech market and can influence the rules and regulations within the industry as an informal network by interpreting the practical application of the rules and regulations, thereby influencing how the market operates. Regulatory sandboxes also play a part in helping regulators to examine how their regulatory regimes impact real life business models, enabling regulators to adapt and develop in line with their aim of promoting the UAE as a global fintech industry hub.
While it will depend on the nature of the business activities contemplated, it is generally expected that corporate entities maintain a degree of separation between regulated and unregulated business activities to ensure that they can ring-fence those which are regulated and have higher supervision requirements from those which are not. For instance, in the ADGM it is prohibited to combine financial and non-financial services on the licence of a single entity.
AML/CTF is regulated in the UAE by:
Financial institutions and VASPs fall within the scope of the UAE’s AML/CTF Laws. As such, where fintechs fall within the scope of the definition of a financial institution or VASP, they will also fall within the scope of the UAE’s AML/CTF Laws.
Fintechs regulated by the SCA are required to ensure compliance with the standards and obligations set out in the UAE’s AML/CTF Laws. This is confirmed, for instance, by SCA Decision No 13/RM/2021 (the “SCA Rulebook”), which requires licensed bodies to meet the requirements of the “Law of Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations and its Implementing Regulations”.
The SCA has also issued a number of circulars and notices governing various aspects of AML/CTF compliance, including the freezing and unfreezing of accounts and the implementation of targeted financial sanctions. This is in addition to any standards issued by the CBUAE in respect of this FATF guidance. Furthermore, both the VA Decision and the DVAL are explicit in requiring VASPs licensed thereunder to comply with the obligations of the UAE’s AML/CTF Laws.
Under Article 71(1) of the DIFC Regulatory Law 2004, regulated FSPs are required to comply with the UAE’s AML/CTF Laws. The Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module of the DFSA Rulebook also applies to regulated FSPs in respect of their activities carried on, in, or from the DIFC.
Similarly, the UAE’s AML/CTF laws also apply to regulated FSPs in the ADGM. In addition, the ADGM’s Anti-Money Laundering and Sanctions Rules and Guidance Module to the FSRA Rulebook sets out further requirements for regulated FSPs to ensure compliance with the provisions of the UAE’s AML/CTF Laws. This includes implementing appropriate AML/CTF policies and procedures, establishing detection and reporting mechanisms for suspicious customers and transactions, and maintaining appropriate records of these transactions.
The AML and sanctions rules in the UAE generally follow the standards imposed by the FATF. Since its removal from the FATF grey list in 2024, the UAE has continued to evidence its dedication to accelerating its AML reform agenda by making various amendments to its AML laws in August 2024, launching a new national strategy for AML/CTF and proliferation financing developed using the World Bank Group’s methodology and by continuing to take enforcement action in cases of non-compliance with AML rules and regulation.
In “onshore UAE”, the SCA Rulebook contains a reverse solicitation exemption (from the requirement to obtain a promotion licence from the SCA) where, on its own initiative, an investor inside “onshore UAE” enquires with an entity outside “onshore UAE” about the offer or purchase of a specific foreign security, without a promotion by the foreign issuer or their promoters or distributors and provided that documentary evidence exists demonstrating this.
Unlike the position in “onshore UAE”, in the DIFC and the ADGM, no codified reverse solicitation exemptions exist with respect to offering regulated products and services from another jurisdiction. However, certain financial promotion restrictions may not be applicable in reverse solicitation scenarios.
Robo-advisers are found in the UAE’s investment and asset management space. Although business models will largely depend on the particular business proposition being offered, hybrid models are common, combining traditional asset and investment management services with automated solutions in respect of assessing risk appetite or providing algorithm-based financial planning.
Arranging, advising and dealing in investments, and managing assets, constitute regulated financial activities in the ADGM and the DIFC. Similarly, promotion and carrying on the activities of a financial adviser are licensed financial activities under the SCA Rulebook. Where companies wish to carry on these services they will fall within the scope of these licensing regimes.
In 2019, the FSRA issued supplementary guidance for obtaining regulatory authorisation to conduct digital investment management (robo-advisory) activities in the ADGM. The guidance lays down the applicable permissions that a company will need to apply for in order to carry on digital investment management activities, along with the key controls surrounding technology and algorithmic governance that a digital investment manager will need to implement.
Incumbent legacy players within the UAE investment management market use robo-advisers largely in the context of assessing the risk appetite of clients at a retail level and providing investment advice on the basis of this risk assessment.
The UAE robo-advisory segment in wealth management is still at a nascent stage compared to its popularity in the US and the UK. However, with banks taking the lead and the UAE’s growing status as a home for future-facing technology companies, the region represents one of the key markets for robo-advisory services in the MENA region with a new wave of digital investment platforms aiming to provide low-cost options for young professionals and affluent clients.
Due to the increased use of robo-advisers in general, it is expected that regulators in the UAE will start to implement regulatory frameworks governing the licensing and use of robo-advisory services in the coming years.
Depending on the nature of the regulated financial activity offered, best execution principles will also apply to companies providing robo-adviser services. These best execution principles require companies to take reasonable care to determine the best execution available for an investment under the prevailing market conditions and to offer and deal in prices and conditions that are no less advantageous to the relevant client than the prevailing market conditions.
Best execution principles are largely set out in the Conduct of Business (COB) Rulebook Modules issued by both the DFSA and the FSRA. Guidance on best execution provided by the DFSA states that when determining best execution, regard should be had for direct and indirect costs, the relevant order type and the size, settlement arrangements and timing of that client’s order that could affect decisions on when, where and how to trade. Requirements to achieve best execution prices in favour of clients are also set out in the SCA Rulebook.
In “onshore UAE”, the CBUAE has issued regulations setting out the protections that apply with respect to the provision of finance to consumers and small to medium-sized enterprises (SMEs). However, the authors are not aware of differences in the business or regulation of loans to entities, including small businesses, etc.
The CBUAE’s Consumer Protection Regulations provide that financing to individuals must be provided in a responsible manner, to prevent over-indebtedness and support economic stability. In order to achieve this, the Consumer Protection Regulations set out various measures that must be implemented, including:
The SME Market Conduct Regulation sets out materially the same requirements in respect of SMEs as the Consumer Protection Regulations, with a limited number of differences.
The underwriting process adopted by an online lender will depend on its business and internal risk management framework.
The access to sources of funds for loans will depend on the nature and maturity of the online lender. At the early stages of business, online lenders may seek seed investment, for example, from venture capital firms. Separately, the crowdfunding market in the UAE has experienced significant growth in recent years.
Lenders may also seek to fundraise through peer-to-peer lending. In expansion stages, and where an online lender has established a market presence, it may seek a fresh capital injection through a secured or unsecured debt facility.
Depending on the nature of the online lender, challenger banks may also use consumer deposits to fund loans. At all stages, sovereign wealth is an important source of funding within the region.
The authors are not aware of any syndications for online loans. These loans are typically small, short-term checkout loans which do not require syndication.
There is no explicit requirement for payment processors to use existing payment rails or to create new ones. Payment processors commonly use already-established payment rails.
In “onshore UAE”, cross-border payments are regulated by the RPSCS Regulation. The RPSCS Regulation requires providers of cross-border transfer services to obtain a licence in order to carry on these activities in the UAE. Cross-border transfer services are defined as “a retail payment service for the transfer of funds in which the payment service providers of the payer and the payee are located in different jurisdictions or countries”. The RPSCS Regulation sets out various regulatory capital requirements, consumer protection, data protection, compliance and governance, AML/CTF and technology risk and information security requirements which licensed providers must comply with.
Cross-border payments are further facilitated by cross-border payment systems. Two of the main cross-border payment systems in the region are the Arabian Gulf System for Financial Automated Quick Payment Transfer (AFAQ) and Buna. Membership and participation in these systems follow an agreed set of requirements, rules and specified standards that govern the relationship between the participants and the business rules affecting the related transactions, such as the currency or currencies of the transaction, the exchange rate and the settlement institute. In December 2023, the CBUAE announced that it had joined AFAQ, which links payment systems in GCC countries.
The FSRA and the DFSA respectively regulate the provision of money services in the financial free zones. These licensed financial activities capture the provision of cross-border payment services.
“Onshore UAE”
The SCA
The establishment and operation of trading platforms and exchanges is regulated by the SCA. While Federal Decree-Law No 4/2000 concerning the Emirates Securities and Commodities Authorities Market (the “SCA Market Law”) is not prescriptive in terms of the type of platforms permitted, the SCA’s glossary of terms defines a market as “a securities and commodities market licensed in the [UAE] by the [SCA]”.
The VARA
While the DVAL and its supplementary regulations and Rulebooks are not prescriptive in terms of the types of platforms permitted in the emirate of Dubai in respect of trading virtual assets, the DVAL defines a virtual asset platform as “a centralised or decentralised digital platform, managed by a VASP, through which virtual assets are sold, bought, traded, offered, issued, kept and settled and their trading is cleared through the distributed ledger technology”.
Furthermore, carrying on the provision of services of exchange between one or more forms of virtual assets is a regulated activity under the DVAL. Exchange services are defined by the Virtual Asset and Regulated Activities Regulation 2023 as:
“Offshore UAE”
The DIFC
Various trading platforms and marketplaces are permissible in the DIFC. In this regard, the DFSA’s General Rulebook Module sets out the following regulated activities:
Operating an exchange means operating a facility which functions regularly and brings together multiple third-party buying and selling interests in investments, in line with its non-discretionary rules in a way that can result in a contract in respect of investments admitted to trading or traded on the facility.
DFSA guidance provides that the financial service of operating an exchange only applies in relation to investments. A person wishing to operate a facility for the trading of crypto tokens will, therefore, need to use a multilateral trading facility (MTF) and obtain an endorsement on its licence that permits it to operate an MTF.
Operating an alternative trading system means:
A person operates an MTF if that person operates a system which brings together multiple third-party buying and selling interests in investments or crypto tokens, in line with its non-discretionary rules, in a way that results in a contract in respect of these investments or crypto tokens. On the other hand, a person operates an OTF if that person operates a system which brings together multiple third-party buying and selling interests in investments, in line with its discretionary rules, in a way that results in a contract in respect of these investments.
The ADGM
Under the FSRA’s Financial Services and Markets Regulation 2015 (the “FSMR”), operating a trading platform will constitute the regulated financial activity of “operating an MTF or OTF”. Specifically, operating an MTF or an OTF on which financial instruments or virtual assets are traded are each considered separate regulated activities. Carrying on any other ancillary activities deemed suitable by the FSRA for the MTF or OTF to conduct is also its own regulated financial activity.
With the exception of virtual assets regulated separately by the VARA, the application of the UAE’s regulatory regimes is not generally premised on distinctions between asset classes (although certain regulatory rules may apply in respect of a particular asset class), but rather on the type and nature of the financial activity being conducted.
Both the FSRA and the DFSA have amended their regulatory frameworks over the last few years to bring virtual assets, investment tokens and crypto tokens within the scope of their rules and regulations. Most notable, however, is the establishment of the VARA’s regulatory framework and authority in the emirate of Dubai in 2022 and its further development in 2023 and 2024.
The VARA is the only regulatory authority in Dubai that is exclusively dedicated to the licensing and supervision of virtual assets and related activities. The activities captured under the VARA’s jurisdiction include the establishment and operation of cryptocurrency exchanges. The authors expect the VARA to issue derivatives-related guidance in 2025.
Various listing standards exist in order to safeguard and maintain market confidence and ensure a fair, informed and orderly market. For instance, both the DFSA and the FSRA set out the following listing principles in their Markets Rulebooks.
The FSRA’s Market Rules set out the following additional listing principles:
The SCA Rulebook sets out various order handling requirements, including in respect of receiving, aggregating and executing trade orders, the notification of the execution of a trade order and its settlement. Both the FSMR and the DIFC Markets Law 2012 set out provisions in respect of stop orders which may be issued by the FSRA and the DFSA respectively with regard to listed securities (or crypto tokens in the case of the DIFC).
Peer-to-peer trading is in its nascent stages in the UAE. However, the key challenge posed by peer-to-peer trading is the relative lack of regulatory oversight in comparison to traditional trading platforms or exchanges which operate in a highly regulated environment. As in other jurisdictions, the lack of regulation also raises concerns with respect to AML/CTF and adequate KYC. This is a particularly pertinent point, given the regulatory authorities’ active enforcement appetite in this space on account of the UAE’s addition to the FATF grey list on 4 March 2022 and its subsequent removal from the FATF grey list in February 2024.
During its review of the UAE, the FATF cited the progress made by the UAE in strengthening the effectiveness of its AML/CTF regime, including by applying effective and proportionate sanctions for AML/CTF non-compliance involving financial institutions and designated non-financial businesses and professions, increasing suspicious transaction report filings for those sectors, and increasing investigations and prosecution of money laundering.
Payment for order flow is a compensation model under which a broker is paid a small commission for routing client trade orders to a particular market maker. A market maker matches buy and sell orders to execute a trade. The SCA Rulebook provides that in executing trade orders, a broker must refrain from using the trading data, transactions and orders of its clients to achieve special benefits or gains. This indicates that the permissibility of payment for order flow in “onshore UAE” will be limited.
With respect to “onshore UAE”, the SCA Market Law sets out specific provisions in respect of disclosure and transparency which must be adhered to.
In the ADGM, there is a prohibition on market abuse, which includes insider trading, dealing or disclosing inside information, and effecting transactions or orders to trade which employ fictitious devices or any other form of deception or contrivance or the dissemination of information which is likely to create a false or misleading impression, amongst other things. This is supplemented by the FSRA’s Code of Market Conduct, which is intended to prevent market abuse by providing further clarity about what activities the FSRA might regard as constituting market abuse.
The DIFC’s Markets Law 2012 sets out a prohibition on various forms of market abuse, including:
The provisions on market abuse set out in the Markets Law 2012 are supplemented by the DFSA’s Code of Market Conduct, which also elaborates on the conduct that may fall into these categories of market abuse.
Finally, the VARA has issued its Market Conduct Rulebook pursuant to the Virtual Assets and Related Activities Regulations 2023. The Market Conduct Rulebook sets out provisions in respect of disclosure and transparency and requires VASPs to adhere to Virtual Asset Standards in providing and/or offering virtual asset activities.
A separate regulatory regime for high-frequency and algorithmic trading does not appear to be provided for under the UAE’s financial services regulatory frameworks. This trading would be regulated generally as discussed in 6 Marketplaces, Exchanges and Trading Platforms.
There does not appear to be a requirement for principals to register as market makers under applicable UAE regulatory regimes.
The authors are not aware of funds or dealers engaging in high-frequency and algorithmic trading activities in the UAE.
The authors are not aware of any regulatory regime governing the development and creation of trading algorithms and other electronic trading tools in the UAE.
The authors are not aware of a dedicated underwriting process specific to insurtechs that is mandated by UAE regulation. The CBUAE generally requires insurance companies to maintain an underwriting policy and that records of underwriting are kept. The DFSA sets out specific considerations that should be included as part of an insurer’s underwriting risk policies and procedures, including:
The FSRA sets out similar conditions.
From a commercial perspective, insurtech has significantly impacted the underwriting process for insurance policies. To review and assess an individual’s risk profile, multiple data points are used through mined, aggregated or historical data to make educated assumptions about the individual in question. This underwriting process is underpinned by the use of the internet of things, data analytics methods and AI.
Insurance companies are, in principle, all regulated in broadly the same way, irrespective of the type of insurance provided. As an exception to this, takaful, an Islamic form of providing insurance/reinsurance, is regulated separately in line with the requirements of Sharia. The relevant authorities responsible for issuing the regulations and supervising the insurance sector and its participants are:
The CBUAE, the FSRA and the DFSA have all issued their own licensing frameworks setting out specific requirements with respect to insurance-related activities.
In line with the UAE’s leading position as an enabler of emerging technologies, the regulatory authorities are also actively exploring opportunities and avenues through which they can promote the further development and adoption of insurtech solutions. For example, the FSRA and the CBUAE have launched an Insurance Co-Sandbox aimed at promoting a “smart insurance market”.
Regtech in the UAE is still in its nascent phase and there is currently no dedicated regulatory framework for regtech services. As regtech services are often technical services only, they are also less likely to trigger existing financial services licensing requirements.
In January 2019, the UAE launched its RegLab in partnership with the Dubai Future Foundation. The RegLab was launched with the purpose of authorising the UAE Cabinet to grant temporary licences for the testing and vetting of innovations that utilise technologies such as AI.
In 2020, the ADGM launched three regtech pilot initiatives and, in April 2021, launched its Digital Lab to provide a secure environment to test technological solutions to facilitate the growth of regtech in the UAE.
The DIFC has established the DIFC Innovation Hub, the largest innovation community and fintech accelerator in the region, which also looks to support the development of regtech services.
Regtech has recently become more of a focus for UAE regulators as the country looks to further develop its status as a thriving financial centre in the Middle East and is therefore increasingly interested in combating money laundering activities. As such, UAE regulators are looking to utilise regtech to help manage the growing AML requirements and risks associated with its increasingly sophisticated and active financial market.
Regulatory requirements related to outsourcing will need to be reflected in the contracts between the regtech provider and regulated FSPs.
The extent to which these requirements will need to be applied may depend on the type of regulated FSP in question, the applicable regulatory regime and the particular regtech solution provided. Where a regulated FSP outsources a function directly related to its regulated financial activity, the General Rulebook Modules of the FSRA and the DFSA stipulate that a written agreement must be in place but are largely not prescriptive with respect to the contents of these agreements.
By contrast, with respect to banks, the CBUAE’s Outsourcing Regulation details in more substantive terms the provisions that outsourcing agreements must contain. These requirements largely centre on data security and confidentiality and the permissibility of subcontracting within the outsourcing relationship. Obligations in respect of outsourcing also exist under other CBUAE regulations, including, for instance, the RPSCS Regulation and the SVF Regulation.
Where a regtech provider offers insourcing solutions, contractual safeguards will need to be put in place to account for any risks arising out of the reliance on these solutions by the regulated FSP. As dictated largely by industry custom, these agreements often require provisions regarding (among other things) the maintenance of appropriate insurance policies, auditing rights in favour of the regulated FSP and reporting requirements. The requirements set out in the DIFC, the ADGM and the “onshore UAE” data protection laws will also need to be considered.
Please see 1.1 Evolution of the Fintech Market, 2.1 Predominant Business Models and 2.2 Regulatory Regime on the development of blockchain and virtual assets in the UAE.
The UAE’s regulators have reacted quickly to the growth in the use of blockchain within the financial services markets, particularly in respect of assets traded and stored on blockchain technologies: virtual assets. All of the relevant UAE regulatory authorities set out a definition for virtual assets (or similar term) and contemplate the impact and use of decentralised ledger technologies (DLTs), such as blockchain, within the provision of regulated financial activities.
The UAE’s regulatory landscape is continuously evolving in this space as it looks to attract blockchain technologies to the region with transparent regulation and practical solutions. For example, in November 2023, the ADGM released the Distributed Ledger Technology Foundations Regulations 2023, marking a significant milestone in the evolution of digital assets regulatory frameworks across the region and at an international level.
The UAE financial services regulatory frameworks each govern virtual assets to differing degrees, including those that are represented and stored on DLTs, ie, blockchain assets.
The VA Decision defines virtual assets as “a digital representation of value that can be digitally traded or transferred and can be used for investment purposes”. This does not include the digital representation of fiat currency, securities or other assets. This aligns with the definition of virtual assets in the SCA Decision No 26/2023, relating to virtual asset platform operators. The DVAL defines a virtual asset as “a digital representation of the value that can be digitally traded or transferred, or can be used as an instrument for exchange, payment or investment purposes, including virtual tokens, and any digital representation of any other value specified by the VARA in this regard”.
Under the CBUAE’s RPSCS Regulation and SVF Regulation, virtual assets constitute “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes”. Virtual asset tokens are also defined to mean a type of crypto-asset that can be digitally traded and functions as:
Crypto-assets are cryptographically secured digital representations of value or contractual rights that use a form of DLT and can be transferred, stored or traded electronically. The PTS Regulation defines a payment token as “a virtual asset that maintains a stable value by referencing the value of the fiat currency it is denominated in or another payment token denominated in the same fiat currency”.
Under its guidelines relating to the Regulation of Virtual Assets and Virtual Assets Service Providers, the SCA defines virtual assets as “a digital representation of value that can be traded or digitally transferred and can be used for investment purposes, and does not include digital representations of paper currencies, securities or other money”.
In “offshore UAE”, the DFSA regulatory regime captures different types of tokens (defined as a cryptographically secured digital representation of value, rights or obligations, which may be issued, transferred and stored electronically, using DLT or other similar technologies) to varying degrees, which include crypto tokens, non-fungible tokens (NFTs), investment tokens, security tokens and utility tokens. The FSRA also regulates virtual assets, which it defines as a digital representation of value that can be digitally traded and functions as:
Under the FSMR, a virtual asset is:
Requirements and conditions around the issuance of virtual assets are set out in VARA’s Virtual Asset Issuance Rulebook (the “Issuance Rulebook”). The Issuance Rulebook includes requirements that all persons in Dubai wishing to issue virtual assets must follow the registration requirements for issuing permitted virtual assets and obtain approval from the VARA for issuing a virtual asset that is not a permitted virtual asset.
Permitted virtual assets are:
The issuer of a permitted virtual asset must:
In its guidelines relating to the Regulation of Virtual Assets and Virtual Assets Service Providers, the SCA regulates the provision of financial services related to the issuer’s offer and/or sale of virtual assets or participation in the provision of these services.
The FSRA also sets out guidance in respect of initial coin offerings in its “Guidance – Regulation of Initial Coin/Token Offerings and Crypto Assets under the Financial Services and Markets Regulations” (the “ICO Guidance”). The ICO Guidance sets out the FSRA’s approach to token issuers seeking to raise funds through ICOs, and market intermediaries or operators dealing in, or offering services in, virtual tokens and crypto-assets. The ADGM’s Distributed Ledger Technology Foundations Regulations 2023 adds further requirements on DLT foundations when they issue tokens.
Trading of virtual assets is regulated under the general provisions applicable to trading set out by the DFSA, the FSRA, the SCA and the VARA where the blockchain assets fall under the scope of their regulatory regimes. For further discussion on trading see 6 Marketplaces, Exchanges and Trading Platforms.
VASPs licensed by the VARA to provide custody services may also provide staking if explicitly authorised to do so by the VARA (and the authorisation is expressly stipulated in their licence). The VARA considers staking as forming part of the custody services that a VASP is permitted to provide. The provision of staking from custody services is therefore considered to be a subset of the custody services activity.
In the DIFC, the DFSA permits the provision of staking services by authorised firms that are authorised to provide custody, subject to certain restrictions including offering and provision only to professional clients and market counterparties and providing appropriate disclosures with respect to the risks of staking.
In the ADGM, the FSRA concluded its consultation on regulating staking in January 2025 and is expected to publish its conclusions and relevant rules during the course of 2025.
The VARA regulates the provision of lending services relating to cryptocurrencies with “lending and borrowing services” being a specific activity requiring a licence from the VARA, with the relevant rules being contained in the VARA’s Lending and Borrowing Services Rulebook. The Lending and Borrowing Services Rulebook stipulates the relevant policies, procedures and public disclosures that need to be developed and made if a VASP is providing lending services and sets out specific rules relating to client lending concerning client reporting and valuation, record-keeping, risk management and due diligence and client agreements.
In the DIFC, the DFSA prohibits authorised firms from offering or providing any facility or service(s) that allows a client to lend crypto tokens whether to the authorised firm itself or to another person. In addition, the DFSA prohibits an authorised firm from providing a credit facility to a retail client in connection with trading in crypto tokens.
In the ADGM, the FSRA concluded its consultation on regulating virtual asset borrowing and lending services in January 2025 and is expected to publish its conclusions and relevant rules in 2025.
Based on a review of the VARA public register, which sets out various entities licensed to carry out virtual asset derivatives trading activities, the VARA regulates cryptocurrency derivatives. While the VARA has not yet issued specific derivatives-related guidance, it is expected to do so in 2025.
In the DIFC, the DFSA’s regulatory framework captures crypto token derivatives. The rules governing crypto token derivatives are set out in the DFSA General Rulebook Module. The DFSA General Rulebook Module sets out a number of requirements including requiring authorised firms to carry out an appropriateness assessment of a retail client and form a reasonable view that the person has:
Other restrictions relating to crypto token derivatives are also prescribed.
In the ADGM, in line with the FSRA’s treatment of virtual assets as commodities, derivatives of virtual assets are regulated as commodity derivatives and, as such, are classified as a type of “specified investment” under the FSMR. Consequently, any market operators or market intermediaries in the ADGM dealing or managing investments in derivatives of virtual assets are subject to the appropriate regulations and rules applicable under the FSMR.
There are no regulations that specifically govern decentralised finance (DeFi) in the UAE.
Funds are regulated in both “onshore UAE” and “offshore UAE”. A fund will fall within the scope of a UAE financial services regulatory authority’s licensing framework by virtue of operating as such. Specific rules apply for particular types of investments.
The ADGM has a comprehensive virtual asset framework, which governs financial activities including collective investment funds investing in regulated digital assets. The virtual asset framework imposes certain additional regulatory obligations upon fund managers managing funds investing in regulated digital assets when it comes to periodic statements, capital requirements and technology governance and controls.
The DIFC’s virtual asset framework also imposes certain additional regulatory obligations upon fund managers managing funds investing in regulated tokens.
As a point of difference, virtual assets used for payment purposes, including stored value facilities, except those approved by the CBUAE for listing and trading purposes, are excluded from the VA Decision and fall exclusively under the jurisdiction of the CBUAE. By definition, this applies to cryptocurrencies.
NFTs are governed by a number of the UAE’s regulatory frameworks, including under the VA Decision. The VA Decision defines a virtual asset as a digital representation of value that can be digitally traded or transferred and can be used for investment purposes. This does not include the digital representation of fiat currency, securities or other assets. To the extent that an NFT does not represent a physical asset, it appears to fall under this definition.
NFTs also fall within the definition of virtual assets provided by the DVAL, which defines a virtual asset as a digital representation of the value that can be digitally traded or transferred, or can be used as an instrument for exchange, payment or investment purposes, including virtual tokens, and any digital representation of any other value specified by the VARA in this regard. As such, those that intend to provide virtual asset services related to NFTs in the emirate of Dubai (excluding the DIFC) will be required to comply with the obligations set out under the DVAL and its supplementary regulations and Rulebooks, including obtaining a licence from the VARA.
The DFSA General Rulebook Module determines that a token will constitute an NFT where it:
In contrast to the VA Decision and the DVAL, under the DFSA’s regime, NFTs are considered excluded tokens, which means that their use is not regulated in the DIFC, except under certain circumstances.
While certain FSRA AML/CTF requirements will apply to NFTs in the ADGM, NFTs themselves currently remain outside of the FSRA’s regulatory oversight.
In the UAE, open banking is regulated under:
In “offshore UAE”:
In recent years in the UAE there has been an increased awareness of privacy and data security standards. This has been driven by the impact of the GDPR on international data flows and consumer and business expectations.
The DIFC and the ADGM also amended their data protection regimes in 2020 and 2021 respectively. The DIFC and the ADGM frameworks are largely modelled on the GDPR and require open banking providers to implement the data privacy and security measures contained therein where they are established in the financial free zones or are processing the personal data of individuals in the financial free zones.
The CBUAE also sets out extensive data protection provisions as part of its regulatory framework. These obligations are largely contained in the CBUAE’s Consumer Protection Regulation and Standards. The CBUAE’s data protection provisions require open banking providers to implement various policies, processes, management and business practices in respect of data security, breach notifications, data retention and minimisation principles as well as ensuring that consumers are sufficiently informed to make choices in respect of their personal data.
“Onshore UAE’s” first consolidation of the data protection law came into effect in 2022 and although banking and credit data is excluded from its scope to the extent that provisions exist elsewhere, open banking providers established in “onshore UAE” will also be required to comply with its provisions in respect of most other forms of personal data they process.
Beyond this, the UAE’s financial services regulators issued “Guidelines for Financial Institutions Adopting Enabling Technologies” (the “Guidelines”). The Guidelines set out guidance in respect of the adoption of application programming interfaces (APIs), which are integral to the provision of open banking services.
During the period between March 2022 and February 2024, the UAE was on the FATF’s grey list. The UAE’s removal from the grey list was a result of it significantly strengthening the effectiveness of its AML/CTF regime to meet the commitments in its action plan regarding the strategic deficiencies that the FATF had previously identified. The development of a robust regulatory framework to combat AML/CTF risks has previously been a challenge for the UAE, given its rapidly developing financial sector.
As a result of the concerns raised in the FATF’s report, a number of measures were taken including the establishment of an AML and CTF executive office at the centre of the government, the adoption of new guidelines for financial institutions and designated non-financial businesses and professions aimed at AML and CTF, the establishment of a special court to prosecute financial crimes and the implementation of a new Penal Code.
The financial regulators in the UAE are increasingly active in combating instances of fraud and money laundering. Among the most common violations in 2024 that have led to investigations and sanctions are those relating to non-compliance with AML protocols, particularly in respect of notification requirements and developing systems to adequately combat the risk of money laundering and illegal transfers between connected individuals.
The UAE’s logistics and commodities sectors present a particular risk for regulators. For example, Dubai’s role as a centre for trading gold and other high-value commodities leaves it vulnerable to the laundering of illicit funds.
The UAE regulators are focused on ensuring that foreign investors in the financial services industry are not discouraged from doing business by risks of money laundering or non-compliance with international sanctions regimes. In 2022, the CBUAE issued guidance recommending the use of digital identification systems and the tracking of IP addresses to detect suspicious behaviour, including from sanctioned and high-risk jurisdictions.
In August 2023, the DFSA signed a memorandum of understanding with the UAE’s Financial Intelligence Unit to further advance co-ordination and sharing of information to ensure AML/CTF compliance. It also released a consultation paper designed to align DIFC law with a number of guidelines released at the federal level, proposing increased obligations on money laundering reporting officers, changing the threshold for notifications and increasing the scope of those who may be responsible for compliance with AML/CTF conduct standards.
Responsibility of fintech service providers for losses suffered by a customer would depend on the specific facts and circumstances surrounding the situation.
Below are examples of situations and the corresponding responsibility imposed by the relevant regulator on a fintech service provider for losses suffered by a customer.
Introduction
In the last 12 months, the UAE has continued to demonstrate its commitment to positioning itself as a leading regional and global financial centre. Similar to the global technology industry, fintech in the UAE continues to evolve at a rapid pace, something assisted by the fact that fintech in the UAE was still relatively undeveloped five or six years ago as compared to traditional financial institutions that have dominated the UAE for decades.
Financial services providers (FSPs) in the UAE, as elsewhere, operate within a strictly regulated framework, a necessity given their role in protecting individuals’ wealth and economic stability. Historically, smaller fintechs benefited from regulatory flexibility due to their limited market impact. However, as these companies expand their footprint and integrate into the UAE’s mainstream financial sector, they face increased regulatory scrutiny comparable to established banks and financial institutions.
Many technology entrepreneurs and start-ups often perceive regulatory compliance as onerous and burdensome. Yet, from a strategic perspective, this challenge presents significant opportunity for fintechs that are prepared and willing to navigate the UAE’s regulatory landscape. Fintechs that invest in robust compliance frameworks position themselves as trusted providers for consumers and can adapt more quickly when there are regulatory changes.
The regulatory evolution is most evident in the payments and virtual asset space, where each regulator in each of the jurisdictions of the UAE has, in the last two to three years, established comprehensive frameworks to govern the provision of payments and virtual asset-related products and services in their respective jurisdictions.
The UAE’s regulatory journey has not been without challenges, particularly in addressing AML challenges that have required co-operation and attention. Following the country’s removal from the Financial Action Task Force’s (the “FATF’s”) grey list in 2024, and in preparation for its upcoming FATF mutual evaluation in 2026, stakeholders across the UAE’s financial ecosystem are intensifying efforts to strengthen compliance frameworks and take enforcement action even more seriously. Fintechs that are able to navigate evolving regulatory frameworks are in a stronger position to gain competitive advantages and ensure sustainable growth and market integrity through enhanced market credibility including from regulators, other market participants and consumers.
The UAE’s Multi-Jurisdictional Regulatory Framework
To fully appreciate the developments in UAE fintech regulation and related initiatives at both federal and emirate levels, it is essential to understand the unique regulatory landscape that governs financial services, including the products and services offered by fintechs, across the country. The UAE comprises a multi-layered regulatory system where numerous regulators operate with distinct, but sometimes overlapping authority, creating a complex landscape that fintechs must carefully navigate.
In onshore UAE (which for financial services regulatory purposes includes the non-financial free zones and mainland UAE), the Central Bank of the UAE (the “CBUAE”) and the Securities and Commodities Authority (the “SCA”) regulate financial services. Following the exponential growth in fintech and, more specifically, virtual asset-related activity in the UAE, a third regulatory authority, the Virtual Assets Regulatory Authority (the “VARA”), was established in 2022 to regulate virtual assets. The VARA only has jurisdiction over the emirate of Dubai (excluding the Dubai International Financial Centre (the “DIFC”)).
There are also two financial free zones in the UAE, being the Abu Dhabi Global Market (the “ADGM”) and the DIFC. These financial free zones are considered to be entirely separate jurisdictions from the onshore UAE. The ADGM and the DIFC each has its own highly sophisticated standalone rules and regulations that are predicated on English common law.
This multi-jurisdictional structure creates a sophisticated but potentially advantageous landscape for fintechs, allowing them to select the regulatory environment that best aligns with their business models and target markets.
National Strategies Driving Fintech Growth
Beyond the regulatory frameworks established by individual regulators, the UAE has implemented several strategic initiatives at both the federal and emirate level to accelerate the adoption of fintech and enhance digital transformation in the financial sector. These co-ordinated strategies provide important context for understanding the regulatory developments within each jurisdiction in the UAE, as they reflect the UAE’s broader vision for financial innovation and modernisation of the financial services sector.
Financial Infrastructure Transformation Programme
A key federal initiative supporting fintech growth has been the CBUAE’s Financial Infrastructure Transformation Programme (the “FIT Programme”). The FIT Programme’s broad aim is to accelerate the digital transformation of the UAE’s financial services sector through nine strategic initiatives:
The FIT Programme was launched in 2023, and several of its initiatives were implemented in 2024, driving the regulatory agenda across the multiple jurisdictions in the UAE. The FIT Programme has established clear priorities for regulatory development while the issuance of the CBUAE’s Open Finance Regulation and other developments demonstrate progress in the execution of the FIT Programme’s vision.
The FIT Programme represents a significant investment in creating the technological foundation necessary for fintech innovation while simultaneously enhancing regulatory oversight capabilities.
Dubai Cashless Strategy
In 2024, the Dubai Digital Authority launched the Dubai Cashless Strategy. The Dubai Digital Authority was established by His Highness Sheikh Mohammed Bin Rashid Al Maktoum and brings together the expertise of the Dubai Electronic Security Centre, the Dubai Statistics Centre, the Dubai Data Establishment and Smart Dubai Government Establishment. The Dubai Cashless Strategy aims to enhance secure digital payment solutions in the government and private sectors in order to support Dubai’s position as a global digital economy capital. The Dubai Digital Authority, through the Dubai Cashless Strategy, has set an ambitious target for cashless transactions to account for 90% of all transactions in Dubai by 2026.
The Dubai Cashless Strategy more broadly emphasises Dubai’s focus on innovation in digital payments, the utilisation of artificial intelligence and machine learning to provide proactive, fast and secure transactions and the creation of robust digital infrastructure to enable secure and accessible payment systems for businesses of all sizes, consumers across demographic segments and government services. The initiative aims to reduce friction in commercial activities, enhance financial inclusion and further cement Dubai’s regulatory commitment to enabling seamless digital transactions across its economy. Ultimately, the Dubai Cashless Strategy provides important context for understanding the regulatory developments being rolled out across the UAE, as authorities align their frameworks to support Dubai’s cashless vision.
The Dubai Cashless Strategy creates clear opportunities for payment-focused fintechs. As Dubai moves toward its 90% cashless target by 2026, fintechs providing digital payment solutions, merchant services and financial access tools will be key participants in developing the necessary infrastructure and applications to support this transition. However, to fully capitalise on these opportunities, these fintechs must successfully navigate complex regulatory frameworks.
Key Regulatory Developments
Having outlined the strategic initiatives driving fintech growth in the UAE, we now turn to the specific regulatory developments across the UAE’s multiple jurisdictions that are shaping the fintech landscape. The regulations described in this article represent only a snippet of the extensive regulatory activity undertaken by UAE regulators in the last year. These developments demonstrate the UAE regulators’ commitment to creating sophisticated, innovation-friendly frameworks that simultaneously ensure appropriate consumer protection and market integrity.
These regulatory enhancements have been accompanied by an increased focus on anti-money laundering (AML) compliance across the financial sector. The fintech space, which previously operated with few regulatory requirements due to its nascent status, has been identified as potentially vulnerable to financial crime risks without appropriate oversight.
This regulatory focus is particularly pertinent to the UAE’s fintech landscape, where the payments and transfers vertical generally dominates, with blockchain and digital assets continuing to thrive as a close second. Both sectors present unique compliance challenges that recent regulations aim to address. The regulatory developments have carefully balanced AML requirements with fostering technological advancement and financial innovation, establishing clear parameters while supporting responsible growth in these high-priority verticals.
While these developments are influenced by broad initiatives like the FIT Programme and the Dubai Cashless Strategy, specific regulatory frameworks have emerged in response. We begin with three key CBUAE regulations: the Open Finance Regulation; the Payment Token Services Regulation; and the Sandbox Conditions Regulation. Each represents a significant step toward a more comprehensive fintech ecosystem in the UAE.
The Open Finance Regulation
In April 2024, the CBUAE issued the Open Finance Regulation, representing a milestone in the implementation of one of the nine key initiatives under the FIT Programme. The Open Finance Regulation marks a significant step in the financial sector as it aligns itself with other financial hubs and has an impact on all existing financial institutions including, but not limited to, banks, branches of foreign banks, payment services providers and stored value facility providers already licensed by the CBUAE.
Under the Open Finance Regulation, financial institutions will open their systems to other institutions and accredited third-party providers to allow the sharing of financial data held by each of the financial institutions in a way that enables innovation and improves customer experiences across the financial services landscape. The secure data sharing framework under the Open Finance Regulation will allow for the development of new fintech solutions that can leverage customer data from multiple sources, which will ultimately create more personalised and efficient solutions for customers.
In its publications on the Open Finance Regulation, the CBUAE has emphasised that the UAE is the first country globally to implement a consolidated trust framework and centralised application programming interface (API) hub, which will enable a single, secure and centralised connection to access the whole of the banking and insurance markets. Although other jurisdictions (such as the UK and the EU) have had open banking initiatives in place since 2017, the CBUAE’s approach to data sharing under the Open Finance Regulation is far broader and demonstrates the UAE’s broad commitment to developing its fintech ecosystem and solidifying its position as a leading financial innovation centre in the region.
Building on this foundation of financial innovation, the UAE has also taken significant steps in regulating payment tokens, another critical component of its fintech strategy.
The Payment Token Services Regulation
In June 2024, the CBUAE published the Payment Token Services Regulation. The Payment Token Services Regulation established a comprehensive framework for licensing and supervising digital payment services. This long-awaited regulation explicitly prohibits the carrying out and promotion of payment token-related activities within the UAE, or directed to persons within the UAE, without obtaining a licence from the CBUAE. The Payment Token Services Regulation covers the following key activities:
The Payment Token Services Regulation defines a payment token as “a virtual asset that maintains a stable value by referencing the value of the fiat currency it is denominated in or another payment token denominated in the same fiat currency”. The Payment Token Services Regulation effectively brings stablecoins within the UAE’s regulatory perimeter for the first time, representing an expansion of the CBUAE’s digital asset-related framework. This development also aligns with the global trend towards enhanced regulation of digital assets, particularly those designed to function as methods of payment.
Under the Payment Token Services Regulation, the CBUAE has drawn a clear distinction between dirham-backed stablecoins and those backed by foreign currencies. This regulatory delineation creates a complex compliance landscape for entities carrying out stablecoin-related activities in Dubai as, while the VARA generally governs stablecoin activities in Dubai, the CBUAE exclusively regulates stablecoins pegged to the dirham. This means that an entity seeking to operate with stablecoins in Dubai may require multiple licences: one from the VARA for general stablecoin operations and an additional licence from the CBUAE if they intend to issue or work with dirham-backed stablecoins. This dual-licensing requirement reflects the UAE’s careful approach to monetary sovereignty while still embracing innovation in the digital assets space.
Adding to this complexity, the SCA recently launched a public consultation on its draft Regulation of Security Tokens and Commodity Tokens Contracts. The draft Regulation of Security Tokens and Commodity Tokens Contracts proposes to govern security and commodity tokens within the UAE and sets out stringent requirements on issuers of security tokens and commodity token contracts. With the SCA’s draft Regulation of Security Tokens and Commodity Tokens Contracts joining the CBUAE’s and the VARA’s frameworks, this creates a further layer of regulatory complexity in the UAE’s digital assets landscape, potentially requiring entities to navigate multiple licensing regimes depending on the specific token types and activities they undertake.
The introduction of dirham-backed stablecoins facilitates the tokenisation of traditional assets priced in dirhams and addresses issues related to the conversion of cryptocurrency to fiat currency and vice versa. More generally, the Payment Token Services Regulation represents a significant advancement that encourages banks and financial institutions, which were previously hesitant about the crypto space, to engage more actively.
The Sandbox Conditions Regulation
In June 2024, the CBUAE also issued the Sandbox Conditions Regulation. The Sandbox Conditions Regulation sets out the conditions established by the CBUAE for exempting persons wishing to test innovative business models, products and services from the requirement to obtain a licence for a duration determined by the CBUAE. The purpose of the regulatory sandbox is to help market participants work out how to best structure their businesses in a regulatory compliant manner whilst having regular engagement with the CBUAE and meeting minimum requirements established by the CBUAE.
The regulatory sandbox is not available for applicants wishing to conduct the following activities:
The regulatory sandbox offers fintechs an opportunity to test innovative concepts in a controlled environment under regulatory oversight, without the full burden of licensing requirements. This approach aligns with international best practices and follows similar models established in jurisdictions such as the UK, Singapore and Hong Kong (as well as in the DIFC and the ADGM). By adopting the regulatory sandbox, the CBUAE demonstrates its commitment to fostering fintech development while maintaining appropriate safeguards, which is of particular value for early-stage fintechs before pursuing full regulatory compliance.
Anti-Money Laundering Considerations
While these regulatory developments create significant opportunities for fintech innovation, they exist within a broader context of strengthened AML oversight in the UAE. As the fintech ecosystem has matured, regulators have recognised that advanced financial technologies not only present new opportunities, but also introduce financial crime risks that require sophisticated mitigation strategies.
Following the UAE’s successful removal from the FATF grey list in February 2024, regulators have not relaxed their vigilance. Instead, they have further enhanced institutional frameworks, created more robust supervision mechanisms and increased co-ordination across jurisdictions. Strategic initiatives launched in 2024 include the adoption of enhanced regulatory guidance by the CBUAE, the strengthening of the CBUAE Financial Intelligence Unit and an increase in supervision activity, demonstrated in the increase in confiscation of illicit assets as well as the imposition of money laundering fines and the prosecution of money laundering cases. This has emphasised risk-based compliance, operational effectiveness and sustainable frameworks specifically designed to address the unique challenges presented by fintech business models and virtual assets.
For fintechs operating in the UAE, especially those in the payments and digital assets vertical, this means implementing comprehensive compliance programmes that align with heightened regulatory expectations. Forward-looking companies will integrate AML considerations into their product design from inception rather than treating compliance as an afterthought.
As the UAE prepares for its next FATF evaluation in 2026, we anticipate continued refinement of the regulatory approach to fintech, with growing emphasis on both facilitating innovation and ensuring that adequate safeguards exist to protect the financial system from misuse. This balanced approach will shape the operating environment for fintechs in the UAE for years to come, rewarding those that can successfully navigate both the opportunities and responsibilities of operating in this dynamic market. For fintechs and financial institutions alike, staying ahead in this evolving landscape will demand proactive compliance and strategic foresight. Those that adapt swiftly and effectively will be best positioned to thrive in the UAE’s burgeoning fintech market.
stefan.mrozinski@whitecase.com www.whitecase.com