What founders, product leads, and compliance teams need to know before scoping a licence in the on-shore UAE, plus how CRYPTOVERSE Legal gets you there faster.

1) What the RPSCS Is, and Why It Matters

The Retail Payment Services & Card Schemes Regulation (RPSCS) issued by the Central Bank of the UAE (CBUAE) is the on-shore rulebook for non-bank payment firms and card schemes. It defines:

  • Who must be licensed and the menu of activities you can apply for.
  • Capital and aggregate-funds thresholds tied to category and scale.
  • Mandatory technology, cybersecurity, AML/CFT, and user-protection standards.
  • The Central Bank’s supervisory and enforcement powers.

Banks are supervised by default but still require No-Objection Letters (NOLs) for specific retail payment services. All other PSPs must be licensed.

2) What’s Out of Scope

RPSCS is deliberately focused on retail payments. It does not cover:

  • Stored Value Facilities (SVF) transactions (separate rulebook).
  • Security/commodity/virtual-asset tokens (handled by other UAE regulators).
  • Pure currency exchange without a payment account.
  • Certain remittance constructs and wholesale/technical back-end services.

Before drafting an application, validate the perimeter first, because many delays come from (a) applying under RPSCS when SVF is actually triggered, or (b) assuming RPSCS covers virtual-asset activity that sits elsewhere.

3) Licence Categories: Picking the Right Box

The regulation packages activities into four licence categories. Choose based on what you will actually do:

  • Category I: Broadest scope
    Payment account issuance, payment instrument issuance (cards), merchant acquiring, payment aggregation, domestic & cross-border fund transfers, payment-token services (in the RPSCS sense).
  • Category II: The workhorse
    Same as Category I except the payment-token facet. Often right for wallet + cards + domestic/cross-border payouts.
  • Category III: Domestic focus
    Narrower set without cross-border transfers.
  • Category IV: Open-banking only
    Payment initiation (PIS) and/or account-information services (AIS).

How to decide: Map product features to the rulebook’s nine retail payment service definitions (Annex I). The correct category follows from that mapping.

4) Capital, Aggregate Funds & Controllers

Initial capital depends on category and average monthly transaction value:

Category   Monthly avg txn value ≥ AED 10m   Monthly avg txn value < AED 10m
I          AED 3,000,000                     AED 1,500,000
II         AED 2,000,000                     AED 1,000,000
III        AED 1,000,000                     AED 500,000
IV         AED 100,000                       AED 100,000

  • Aggregate Capital Funds (ACF) must never fall below the initial-capital floor.
  • The CBUAE may require higher buffers as you scale.
  • Controllers (≥20%) require prior approval; the Bank can attach voting/holding conditions.

5) The Payment-Token Facet (and Its Boundaries)

RPSCS includes a limited payment-token services facet:

  • Payment token = fiat-referenced crypto-asset used as medium of exchange, unit of account, store of value (not legal tender).
  • Covered activities: issuing, spot buy/sell, facilitating exchange, merchant/P2P enablement, and custody.
  • Beware the SVF trigger: if you both enable merchant/P2P and offer contractual fiat redemption, you may need an SVF licence in addition to (or instead of) RPSCS.

Non-payment-token virtual assets (e.g., BTC/ETH) sit under VARA/SCA/FSRA/DFSA, not RPSCS.

6) AML/CFT & Sanctions: Treat as Gate-Openers

RPSCS expects a risk-based AML/CFT framework aligned to UAE federal AML law and FATF, including:

  • An enterprise-wide risk assessment tied to products, corridors and customers.
  • Sanctions screening/freezing and wire-transfer-style obligations where applicable.
  • Heightened-risk handling for payment-token services.

In practice, AML maturity is assessed during licensing, not after.

7) Technology, Cybersecurity & Data

Prepare for bank-grade evidence:

  • Information-security & tech-risk aligned to UAE Information Assurance standards.
  • MFA, end-to-end encryption, strong IAM, secure SDLC/change-control.
  • BCP/DR with tested RTO/RPO; annual testing; pen-tests/cyber-attack simulations for higher-volume firms.
  • Data localisation & retention: store personal/payment data in the UAE, retain ≥ 5 years, maintain secure backups and fast retrieval.

A regulator-ready architecture pack, IAM matrix, SIEM logs, DR-test evidence, and a recent pen-test dramatically reduce Q&A cycles.

8) User Protection: Safeguarding, Disclosures, Refunds

  • Safeguarding funds in transit with strict segregation. If settlement exceeds 24 hours, implement escrow and/or insurance/bank guarantee; no commingling.
  • Transparent T&Cs, fee/FX disclosures; monthly statements for framework agreements.
  • Clear liability & refunds for unauthorised transactions (tight timelines).
    Align legal terms, finance operations, and customer communications; supervisors will check consistency.

9) Agents, Outsourcing & Open-Banking Access

  • Agents/branches: allowed with fit-and-proper, AML controls, and customer disclosure; notify the CBUAE of changes.
  • Outsourcing: needs prior approval; the PSP remains fully liable. Use SLAs/KPIs/audit rights, resilience testing, and exit plans.
  • PIS/AIS access contracts: define liability splits, security duties, uptime & incident handling; spell out justified denial of access (e.g., suspected fraud).

10) Card Schemes & WPS

  • Card schemes: separate licence; PCI-DSS + UAE IA compliance; 72-hour breach notification; robust DR/BCP; CBUAE can regulate fees/charges; BIN issuance sits with the Bank.
  • WPS access: possible (approval required) with additional operational and reporting duties.

11) Enforcement, Transition & Effective Date

  • Administrative/financial sanctions apply for breaches.
  • One-year transition applied from entry-into-force; firms operating without a licence after the period can be required to cease.
  • Arabic prevails over translations; the Regulation took effect one month after publication.

12) Practical Playbook: Turning Scope into a Licence

  1. Inventory services against the nine RPS definitions; don’t start with a category label.
  2. Pick the category that matches reality:
    • Wallets + cards + domestic & cross-border transfers → Category II (or I if you also need the RPSCS payment-token facet).
    • Domestic-only → Category III.
    • Open-banking rails only → Category IV.
  3. Check for SVF: if you hold balances or promise contractual redemption, plan for an SVF licence.
  4. On/off-ramp clarity: non-payment-token crypto flows require a VASP licence; payment-token-only flows may use the CBUAE PTS regime.
  5. Safeguarding first: segregation, settlement windows, and (if >24h) escrow/insurance/guarantee, then draft T&Cs to match.
  6. Build tech & AML up front: submit architecture, data-residency, pen-test, DR evidence, and AML controls with the initial application.
  7. Line up controllers/agents early for approvals.

13) Typical Timeline (Well-Prepared File)

  • Months 1–2: Service inventory → category decision; capital/ACF plan.
  • Months 2–4: Safeguarding & treasury design; customer T&Cs and disclosures.
  • Months 3–6: Governance (Board/SMF F&P), AML (EWRA, CDD/monitoring/sanctions), complaints/refunds.
  • Months 4–7: Tech dossier (architecture, IAM, encryption, SIEM), pen-test, DR-test evidence.
  • Months 7–10: File; manage Q&A; interviews/demos.
  • Months 10–14: Conditions precedent (escrow/guarantee live, scheme onboarding letters, PCI posture if issuing/acquiring).
  • Go-live: soft launch with limits; MI and incident reporting humming.

14) Common Pitfalls (and Quick Fixes)

  • Mis-categorising scope (e.g., planning cross-border under Cat III).
    Fix: map features to definitions first; choose category second.
  • Accidental SVF by promising redemption or holding balances.
    Fix: either commit to SVF or redesign as pass-through (bank-held funds).
  • Thin tech evidence (no pen-test/DR logs).
    Fix: deliver a complete tech pack up front.
  • Outsourcing without approval/oversight.
    Fix: pre-clear; bake SLAs/KPIs/audit rights & exit plans.
  • Token confusion.
    Fix: if it’s not fiat-referenced, it’s not an RPSCS payment token; assume VASP perimeters.

15) How CRYPTOVERSE Legal Can Help

We act as your single-threaded owner from scoping to go-live, aligning law, prudential planning, AML, and technology so the file is credible on day one.

A. Perimeter & Strategy (Weeks 1–2)

  • Service-to-regulation mapping against the nine RPS definitions and SVF triggers.
  • Category selection memo (I/II/III/IV) with capital/ACF workings.
  • Entity & partner architecture (processors, agents, card schemes, settlement banks).

B. Safeguarding & Treasury (Weeks 2–4)

  • Funds-in-transit model: segregation, reconciliation cadence, escrow/insurance/guarantee where settlement >24h.
  • Treasury/FX controls by corridor; MI templates for volumes, incidents, and complaints.

C. Governance, Conduct & AML (Weeks 3–6)

  • Board/SMF fit-and-proper packs; 3LoD charters (Risk, Compliance/MLRO, Internal Audit).
  • Consumer artefacts: T&Cs, fees/FX, statements, refunds & liability, complaints handling.
  • AML/CFT suite: EWRA, CDD/eKYC, monitoring, sanctions screening/freezing, STR playbooks.

D. Technology & Security (Weeks 4–7)

  • Architecture pack (IAM, encryption, vendor oversight, UAE data residency).
  • Security evidence: pen-test, logging/SIEM snapshots, DR test reports, incident runbooks.
  • PCI-DSS posture and BIN sponsorship support where issuing/acquiring.

E. Filing & Engagement (Weeks 7–10)

  • Complete application (forms, controllers, capital, policies, tech dossier, safeguarding evidence).
  • Q&A management: written responses; stakeholder interviews; demos with regulators.

F. Conditions & Launch (Weeks 10–14)

  • Conditions tracker: escrow live, guarantees in place, scheme letters, training sign-offs.
  • Operational dashboards: reconciliation, incidents, complaints, and regulatory reporting.

Pricing: Market-rate, phase-based fixed fees with capped hours; pass-throughs (e.g., application fees, PCI, pen-tests, audits, guarantees) at cost. We also offer a monthly compliance retainer once you’re live.

Why teams pick us

  • Deep UAE payments track-record (RPSCS/SVF/PTS) with recent approvals.
  • Regulator-ready artefacts that compress Q&A: safeguarding proofs, AML evidence, and tech packs aligned to UAE IA.
  • Practical coordination with banks, schemes, processors, and QSAs to keep the programme moving.

16) Final Word

RPSCS will let you deliver modern wallets, cards, acquiring and payouts, but it expects bank-grade discipline. Teams that (i) map services precisely, (ii) make an early call on SVF and VASP/PTS perimeters, and (iii) file with complete AML and tech evidence typically licence quicker and launch cleaner.

Disclaimer:

This article provides general regulatory information for planning and is not a substitute for formal legal advice. Outcomes depend on your final business model, ownership, technology and partners, and on determinations by UAE authorities.

FAQs

1. What is the RPSCS licence in the UAE?

The RPSCS licence is issued by the Central Bank of the UAE (CBUAE) for non-bank payment service providers offering wallets, cards, acquiring, remittance, or payment services in the on-shore UAE.

2. Who needs an RPSCS licence in the UAE?

Any non-bank entity providing retail payment services such as wallets, card issuing, merchant acquiring, payment aggregation, or remittance must obtain an RPSCS licence from the CBUAE.

3. Do I need an RPSCS licence or an SVF licence for my wallet business?

It depends on whether you hold customer funds or promise redemption. Many wallet models trigger SVF in addition to RPSCS, so early scoping is critical.

4. Which RPSCS licence category is best for wallets, cards, and remittance?

Most wallet + card + domestic or cross-border payment models fall under Category II, unless payment-token services are included.

5. What are the most common reasons RPSCS applications are delayed?

Mis-scoped activities, accidental SVF triggers, weak AML frameworks, and missing technology evidence such as pen-tests or DR reports.

6. What level of AML/CFT readiness is expected at the licensing stage?

The CBUAE expects fully implemented AML controls, including EWRA, sanctions screening, monitoring rules, and STR procedures before approval.