Overview of the RPSCS Regulation
Overview of the RPSCS Regulation
The RPSCS Regulation (Circular No. 15/2021, issued June 6, 2021) governs digital retail payment services in the UAE. It mandates that entities providing such services—including payment accounts, merchant acquiring, fund transfers, payment token issuance, and card schemes—must hold a Central Bank license.
It defines nine core service categories that require licensing:
- Payment Account Issuance Services
- Payment Instrument Issuance Services
- Merchant Acquiring Services
- Payment Aggregation Services
- Domestic Fund Transfer Services
- Cross-border Fund Transfer Services
- Payment Token Services
- Payment Initiation Services
- Payment Account Information Services
Additionally, card schemes—defined as the set of rules and standards facilitating card-based transactions—must also be licensed and are subject to ongoing oversight, including Central Bank authority over fees and contractual structures.
Initial Requirements for Licensing Under RPSCS
Here are the key areas that applicants must prepare as part of the initial licensing process:
1. License Category & Scope
Applicants need to determine which license category aligns with the services they intend to offer: Categories I through IV, based on service complexity—from simple payment initiation (Category IV) to full payment token issuance (Category I).
2. Capital Requirements
Initial capital depends on the license category and transaction volume:
- Category I:
- AED 1.5 million if monthly transaction average is below AED 10 million
- AED 3 million if average is AED 10 million or more
- Category IV: AED 100,000, irrespective of volume
Other categories scale accordingly (e.g., Category II/III).
Also required is maintaining Aggregate Capital Funds (ACF) at or above the initial requirement, with flexibility for the Central Bank to demand higher levels based on risk profile.
3. Corporate Governance Framework
Applicants must establish robust governance structures: board of directors, senior management, defined responsibilities, and a non-executive chair are expected.
4. Risk Management & Internal Controls
Comprehensive risk management systems must be in place, with annual reviews and updates. Controls should address operational, cybersecurity, and compliance risks.
5. Technology & Cybersecurity Measures
Applicants must outline their technology architecture, data handling protocols, and cybersecurity controls. Specific requirements apply to payment token operators:
- Regular penetration testing and cyber-attack simulations if monthly volume ≥ AED 10 million
- Documented mitigation measures based on risk analysis.
6. Payment Token-Specific Obligations
For services involving payment tokens:
Maintain a Reserve of Assets, matching token issuance
Implement a Stabilization Policy, covering:
- Composition and allocation of reference assets
- Risk assessments (market, credit, liquidity, etc.)
- Token lifecycle processes (creation/redemption)
- Investment policy details, if the reserve is invested
- Redemption mechanisms and authorized parties.
7. AML/CFT Compliance
Strict adherence to UAE AML/CFT laws—including Federal Law No. 20 of 2018—and implementation of relevant policies, controls, and ongoing monitoring are mandatory.
8. Principal Business & Ancillary Activities
The firm's principal business must be the licensed payment service. Any additional or ancillary services require prior Central Bank approval.
9. Agent, Branch, and Outsourcing Arrangements
Applicants must clearly define relationships with agents or branches, along with governance of outsourcing and contractual frameworks.
10. Access to Government Systems
For participation in mechanisms like the Wages Protection System, specific requirements apply, subject to regulatory oversight.
Summary Table: Initial Licensing Preparation for RPSCS
|
Area |
Initial Licensing Requirements |
|
License Category & Scope |
Choose from Categories I–IV based on services |
|
Capital & ACF |
Initial capital; maintain ACF; possible risk-based increases |
|
Governance |
Board, clear responsibilities, non-executive chair |
|
Risk Management & Controls |
Documented policies, annual reviews |
|
Technology & Cybersecurity |
Architecture, penetration testing (if volume ≥ AED 10M) |
|
Payment Token Operations |
Reserve backend, stabilization policy, redemption mechanics |
|
AML/CFT |
Compliance framework per UAE regulations |
|
Principal Business Definition |
Payment service cores; prior approval for ancillary |
|
Agents / Outsourcing |
Contracts and governance for branches/agents |
|
Government System Access |
Requirements for systems like WPS, as applicable |
Retail Payment Services and Card Schemes (RPSCS) licensing is the foundation for operating in the UAE’s growing payments ecosystem. With Crowe’s expertise, you can simplify compliance, strengthen your application, and accelerate your licensing process. Reach out to our team and build a trusted payment services business with confidence. Contact [email protected] | +971 553438693
Contact Us
