Classifieds powered by Gulf News

Central Bank releases broad regulation aimed at data privacy

The new rules ensure that data must be stored within the UAE, not offshore, introduces new licences

Image Credit:
Gulf News


On January 1, 2017, the UAE’s Central Bank released a long-awaited regulatory framework for virtual currencies and electronic payment systems, aimed at digital payment service providers (PSPs).

The regulation predominantly pertained to data protection and outsourcing, but also included phrasing that was interpreted at a blanket ban on all digital currencies, such as Bitcoin.

In a move that surprised lawyers and industry insiders, the Central Bank moved to prohibit these currencies, expressly stating on page 42, section D.7.3., that “all virtual currencies (and transactions thereof) are prohibited.”

On Wednesday, Gulf News reported on a statement sent exclusively to the newspaper from Mubarak Rashid Khamis Al Mansouri, Governor of the Central Bank, which clarified the regulation. He said: “These regulations do not cover ‘virtual currency’, which is defined as any type of digital unit used as a medium of exchange, a unit of account, or a form of stored value. In this context, these regulations do not apply to bitcoin or other crypto — currencies, currency exchanges, or underlying technology such as Blockchain.”

The fact that the Central Bank has supported innovation in the past meant that the regulation in its original form confused many industry experts.

“The Central Bank’s clarification that this is not their intended policy position and that further regulations will be issued will be welcomed by all,” said Sally Sfeir-Tait, a partner for Clyde & Co, and expert on regulatory issues in the region.

Virtual currencies, and the laws governing their usage, constituted only a part of the regulation, however.

More broadly speaking, digital payment service providers must now seek authorisations from the Central Bank in order to operate their businesses, and functioning without these authorisations in place will be an offence. Existing businesses will have until the end of the year to comply.

“In the context of digital payment services, it not only prohibits the offshoring of data, but more broadly bans the outsourcing of certain functions to offshore locations. Businesses caught by the regulation will need to review and possibly revisit their existing outsourcing arrangements to make sure they are compliant. Future outsourcing activity in this space will also need to take this new regulation into account,” said Paul Allen, partner and head of intellectual property and technology at DLA Piper, Middle East.

Whilst the direction the Central Bank at first appeared to take regarding virtual currencies came as a surprise to many industry observers, the regulation as a whole did not.

“The new regulation is consistent with the trend we are seeing across the Gulf, and indeed the world, towards greater digital economy regulation. Such regulation is understandable given the broader landscape of cyberattacks on financial institutions and payments systems, leading to massive data breaches. Wisely, the UAE government wants to ensure that a safe and secure financial system is in place for consumers,” added Allen.

All PSPs, with the exception of commercial banks, must now obtain a licence to operate. Details of this application process have yet to be announced.

Sfier-Tait welcomed the regulation, whilst noting that “we would have liked the regulation to support start-ups and challenge financial institutions, as this would have provided customers with more options and the market with more competition and innovation.”

In line with the prohibition of offshoring UAE citizens’ data, whilst PSPs may enter in to business with third parties, these outsourced services must also take place in the UAE.

Financial freezones, such as the Dubai International Financial Centre (DIFC), and Abu Dhabi Global Markets (ADGM), are excluded from this rule.

This exclusion has led to speculation that the authority is trying to increase the appeal of operating within these zones, or shape them in to “sandboxes”, according to multiple legal sources who asked not to be named due to their proximity to the consultation process with the Central Bank.

Such sandboxes, as seen in Singapore, London, and more recently in Hong Kong, are used to allow start-ups who would not meet compliance standards to operate and fold without the burden of onerous regulations.

At the start of November 2016, ADGM announced that it had established such a sandbox, called the FinTech Regulatory Laboratory.

“With digital economy regulation increasing in the region, businesses need to invest in meeting the challenge of compliance. Having clear laws in place, which make the position more black and white, will help companies in this regard,” said Allen.

Aisha Bin Bishr, Director General of Smart Dubai, echoed Allen’s comments, stating “the goal of the framework is to facilitate the adoption of digital payments in a secure manner by introducing a licensing and compliance process that will enable payment service providers to protect the interests of UAE citizens and residents. By providing regulation that supports both the payment service provider and service beneficiary, the Central Bank is building a foundation of trust in the digital payments ecosystem.”