Central Bank of the UAE (CBUAE) Stored Value Facilities (SVF) Regulation

A comprehensive, practitioner-oriented guide for founders, operators, and investors planning an SVF licence in the on-shore UAE, plus how CRYPTOVERSE Legal can help you get there efficiently.

1) Executive Overview

The Stored Value Facilities Regulation (SVF Regulation) issued by the Central Bank of the UAE (CBUAE) is the primary, on-shore rulebook for anyone who issues or operates stored-value wallets in the UAE (outside the financial free zones of ADGM and DIFC). It establishes the licensing perimeter, prudential standards, float safeguarding and daily reconciliation rules, technology and cybersecurity baselines, AML/CFT obligations, conduct and consumer-protection duties, and the enforcement toolkit available to the Central Bank. In short: if your product holds or promises to hold customer money or money’s worth for later use, this is the regime that governs your business.

Why the SVF Regulation matters

• It is the gateway for any wallet that keeps customer balances on-shore.
• It is intentionally prudential: capital, aggregate funds, bank guarantees, and recovery/exit expectations are all built in.
• It is operationally demanding: daily reconciliation, UAE data residency and five-year records, bank-grade cyber controls, and robust consumer protection are not “after licensing” ; they are assessed during licensing and remain binding thereafter.

For founders and sponsors, the Regulation brings clarity: meet the baseline once, maintain disciplined controls from day one, and you can scale with regulatory credibility.

2) Scope, Definitions & Licensing Perimeter

2.1 What is an SVF?

At its core, an SVF is a facility (other than cash) where a user (or someone on the user’s behalf) pays money or money’s worth (which can include rewards value or value derived from digital assets) to an issuer in exchange for storing that value and the issuer’s contractual undertaking to honour it in future transactions. SVFs include device-based (e.g., chip cards) and non-device-based (e.g., app wallets) arrangements.

Three practical litmus tests help determine if your product sits inside the perimeter:

1. Are you taking value from customers for later use (top-ups, credits, reward conversions)?
2. Do customers have a contractual right to spend or redeem that value with you or your network?
3. Does the balance sit under your control (not merely as an instantaneous pass-through at a settlement bank)?

If the answer to these is “yes,” you likely need an SVF licence.

2.2 Territorial reach

The regime applies to SVF issuance or operation in the UAE. Banks are deemed licensed institutions but still require a Central Bank No-Objection before launching an SVF line of business. Non-bank firms must be licensed. A one-year transition applied from the Regulation’s entry into force; the Bank may order cessation for unlicensed activity after that window.

2.3 Exemptions (narrow and conditional)

Limited exemptions exist for small/closed-loop or digital-content schemes, and for “micro” arrangements ≤ AED 500,000 total float and ≤ 100 customers subject to Central Bank review and conditions. Exemption is not automatic: the Bank looks at customer-harm risk and systemic relevance before granting relief, and it can revoke that relief as your programme grows.

3) Eligibility, Corporate Form & Controllers

• Who can apply. A UAE-incorporated company (free zones allowed, not the financial free zones).
• Principal business rule. Your primary business must be SVF issuance; other regulated activities require their own licences or approvals. This keeps governance focused and prevents risk “creep” from adjacent businesses.
• Controllers & fit-and-proper. 20%+ shareholders (“Controllers”), Directors, and the CEO require prior approval and must pass integrity and competence tests. The Regulation expects senior management to be UAE-based to ensure day-to-day accountability.
• Governance architecture. The Board must approve and oversee risk management, compliance, and internal audit functions. Independence and effectiveness of these lines are assessed during licensing and on an ongoing basis.

4) Prudential Requirements: Capital, Aggregate Funds & Bank Guarantee

4.1 Paid-up capital

The SVF licensee must maintain a minimum paid-up capital of AED 15,000,000. This is own funds, not shareholder loans, and must remain available to absorb losses.

4.2 Aggregate Capital Funds (ACF)

On top of paid-up capital, you must maintain Aggregate Capital Funds (ACF) ≥ 5% of total customer float at all times. ACF is the sum of paid-up capital, reserves (excluding revaluation), and retained earnings net of accumulated losses and goodwill. It is a living buffer that scales with the float.

4.3 Bank guarantee

An unconditional, irrevocable bank guarantee equal to the full paid-up capital and callable on first demand must accompany the application and be kept current. This instrument ensures immediate recourse for the supervisor if prudential weaknesses surface.

4.4 Supervisory uplift

The Central Bank may increase prudential expectations based on scale, complexity, business model, and risk, and it expects you to demonstrate orderly wind-down capability so that customers can be refunded in a stress event.

5) Float Safeguarding: The Heart of the Regime

If you remember one section, make it this one.

5.1 Segregation & ring-fencing

Customer funds (“Float”) must be legally and operationally segregated from your own resources and from other business receipts. The legal structure (trust/escrow/assignment) and the operational controls (separate ledgers, restricted accounts) must make it crystal-clear that float is not available to your creditors if things go wrong.

5.2 Daily reconciliation & ledger accuracy

The aggregate ledger balance must equal float every day. Reconciling daily (with documented exception handling and timelines) is mandatory. Many licensees implement D and D+1 reconciliations (in-day and next-day) with automated variance flags to catch timing and processing breaks fast.

5.3 Liquidity first not investment return

Floats must be managed primarily for liquidity. Non-cash or non-deposit holdings require prior approval and robust risk controls. The Central Bank’s preference is clear: readily available, stable instruments that allow same-day or next-day customer redemption under stress.

5.4 Independent assurance

The Bank can request legal opinions on segregation and independent reviews over your safeguarding arrangements. Expect evidence not just policy but practice (e.g., bank letters for restricted accounts, escrow terms, sample reconciliations, and exception logs).

6) Conduct & Consumer Protection

6.1 Fair dealing & transparent terms

• Write clear, fair, and non-misleading customer terms and disclosures.
• Explain fees/FX upfront and publish limits that are reasonable and proportionate to your risk appetite.
• Credit top-ups promptly and provide accessible channels to query or complain.

6.2 Liability & refunds for unauthorised transactions

The Regulation outlines refund obligations and liability allocation for unauthorised transactions, particularly where the customer is not at fault. Time limits, investigation standards, and decision notifications should be codified in your Operating Rules and customer T&Cs.

6.3 Anti-fraud & security hygiene

Establish a dedicated anti-fraud framework covering real-time monitoring, anomaly detection, velocity checks, step-up authentication, device fingerprinting, and customer security guidance (do’s and don’ts, phishing education, password hygiene).

6.4 Agents and partners

You are responsible for your ecosystem, acquirers, merchants, programme managers, processors, and outsourced service providers. Perform due diligence, keep contracts tight (SLAs, KPIs, audit rights, data clauses, exit plans), and monitor continually. Failures in your chain are your failures in the eyes of the supervisor.

7) Technology & Cybersecurity (Article 12)

Think of Article 12 as the UAE Information Assurance-aligned operating system for wallets:

• Secure SDLC & change control: versioning, segregation of environments, approvals, and rollbacks.
• Access management: strong MFA, least privilege, periodic re-certification, and privileged-access monitoring.
• Encryption: end-to-end encryption for sensitive data at rest and in transit; key-management standards.
• Logging, monitoring, and SIEM: centralised logs, correlation rules, alerting, incident timelines, and retention.
• Resilience: documented BCP/DR with target RTO/RPO, failover tests, and “live” evidence (test reports, screenshots, tickets).
• Testing: annual penetration testing and, for larger volumes, cyber-attack simulations.
• Third-party risk: onboarding due diligence, performance KPIs, security clauses, audit rights, and periodic reviews.

A strong architecture pack (diagrams, data flows, boundary controls), IAM matrix, pen-test report, DR test evidence, and sample incident runbooks are the artefacts regulators expect with the filing, not months later.

8) Data Localisation & Record-Keeping

• Data residency: Customer and transaction data must be stored in the UAE. Make sure your supplier contracts, hosting choices, and DR locations comply.
• Retention: keep records for at least five years (longer where other laws demand it).
• Access control: log and limit who can see or export personal and payment data; implement segregation of duties and periodic access reviews.
• Retrievability: be able to produce records promptly for supervisory queries and customer disputes.

9) AML/CFT (Article 14)

The Regulation overlays a risk-based AML/CFT programme aligned with UAE federal law and FATF standards. Key expectations:

• Governance: appoint an experienced Compliance Officer/MLRO with direct escalation to the Board.
• Enterprise-wide risk assessment (EWRA): score products, customers, delivery channels, and corridors; revisit at least annually.
• Onboarding & CDD/eKYC: bank-grade digital onboarding is acceptable where controls meet the test; capture BO, PEP, sanctions, and adverse media signals.
• Monitoring: scenario and typology-driven transaction monitoring; periodic model calibration; quality assurance over alerts and case management.
• Sanctions: real-time screening and freezing/notification mechanics.
• VA/VASP relationships: enhanced diligence if you interact with virtual-asset actors or convert value across regimes.
• Reporting: timely STRs/SARs to the FIU and event reporting to the Central Bank.

10) Application Process & Documentation

10.1 Pre-filing engagement

A pre-filing meeting with the Licensing Division is recommended. The Bank can consult home regulators of controllers and key shareholders, so have group structure and regulatory history ready.

10.2 Independent assessments (seven areas)

Applicants provide independent assessments across:

1. Governance & risk, 2) Float safeguarding, 3) Technology, 4) Payment security, 5) BCP/DR, 6) Conduct/consumer protection, and 7) AML/CFT.
   These are substantive reviews (not checklists) and often conducted by recognised firms with relevant domain depth.

10.3 Annex checklist (the master to-do)

The Annex sets out a detailed documentary pack that typically includes:

• Application forms; auditor’s certificate of paid-up capital; bank-guarantee term sheet/issuance plan.
• Ownership/control chart; controllers’ applications; Board resolutions; AoA/MoA (Arabic & English).
• Three-year business plan with stress scenarios; Operating Rules; customer T&Cs; fee/FX schedule.
• Full policy suite: risk, compliance, internal audit, AML/CFT, tech/cyber, BCP/DR, outsourcing/agents, complaints, disclosure & refunds, and reconciliation.
• Technology dossier: architecture, IAM, encryption, logging/SIEM, DR test reports, pen-test results, incident runbooks.
• Evidence of segregated accounts/escrow letters; sample daily reconciliation outputs and exception workflows.

A submission that reads like a working operation (as opposed to an aspiration) travels faster.

11) Supervision, Reporting & Enforcement

• The CBUAE has wide supervisory powers: it can demand regular and ad-hoc reports, conduct on-site and off-site reviews, and set corrective actions.
• Sanctions range from administrative penalties to restrictions, management replacement, monetary fines, and sector bans.
• Fit-and-proper status is ongoing: material issues with key individuals or controllers must be disclosed promptly.

12) Interplay with RPSCS and Payment-Token Services

• RPSCS (Retail Payment Services & Card Schemes) governs retail payments (account issuance, card issuance, acquiring/aggregation, domestic & cross-border transfers). If you will hold balances, you still need SVF in addition to an RPSCS category that matches your rails.
• Payment-Token Services (PTS) is the Central Bank’s framework for fiat-referenced payment tokens (stablecoins) and covers Issuance, Conversion (spot), and Custody & Transfer. If your wallet supports payment-token flows with fiat redemption rights under your contract, you may trigger both PTS and SVF obligations depending on design.
• If your model involves non-payment-token virtual assets (e.g., BTC/ETH), expect VARA/SCA/FSRA/DFSA perimeters for the crypto leg, while SVF/RPSCS govern the fiat leg.

13) Structuring Patterns That Work

Pattern A  Full wallet with cards and cross-border payouts

• SVF licence to hold balances; RPSCS Category II (workhorse) for account & instrument issuance, acquiring, aggregation, and domestic/cross-border transfers.
• If you add a payment-token component, consider Category I under RPSCS and/or PTS permissions, depending on the exact design.

Pattern B  Pass-through payments (no balances)

• If customer money never becomes your float (true pass-through via a settlement bank, no redemption rights with you), you may avoid SVF and rely on a suitable RPSCS category. Draft customer T&Cs to reflect that reality accidental “stored value” language is a common pitfall.

Pattern C  Wallet + on/off-ramp

• Two entities: a CBUAE-licensed company for the SVF/RPSCS fiat stack, and a separately licensed VASP entity (or PTS permissions if strictly payment tokens) for the conversion/custody leg. Keep staff, systems, and risk governance clearly separated.

14) Timeline & Readiness Plan (Well-Prepared File)

• Weeks 1–2: Service inventory & perimeter memo (SVF vs. RPSCS vs. PTS/VASP); prudential plan (paid-up capital, ACF, bank guarantee); bank and escrow term sheets.
• Weeks 2–4: Safeguarding architecture (segregated accounts, reconciliation SOPs, exception workflows); consumer artefacts (T&Cs, disclosures, refunds/chargebacks).
• Weeks 3–6: Governance & people (Board/SMF fit-and-proper packs); AML/CFT (EWRA, onboarding/monitoring/sanctions); complaints and conduct programme.
• Weeks 4–7: Technology dossier (architecture, IAM, encryption, SIEM snapshots, DR test evidence); pen-test and remediation records.
• Weeks 7–10: File application; respond to Q&A; join interviews/demos with the supervisor.
• Weeks 10–14: Satisfy conditions precedent (escrow activation, bank guarantee issuance, auditor appointment, dashboards live).
• Go-live: soft launch with controlled limits; produce MI on reconciliation, incidents, fraud, complaints, and AML alerts from day one.

15) Common Pitfalls (and How to Avoid Them)

• Accidental SVF: T&Cs promise redemption or balances sit with you “temporarily.”
  Fix: if you intend pass-through, design for it operationally and contractually; otherwise commit to SVF and build the safeguards.
• Under-capitalisation as float grows: ACF falls below 5% of float.
  Fix: forecast float, set buffer triggers, and pre-agree capital top-ups.
• Weak segregation evidence: bank accounts aren’t truly restricted; reconciliation is manual and ad hoc.
  Fix: ring-fenced accounts with bank attestations; automated daily reconcile; exception MI to senior management.
• Tech debt during licensing: no pen-test, unclear DR posture, thin logs.
  Fix: deliver a complete tech pack with evidence; rehearse incident runbooks.
• Outsourcing without approvals or oversight: processors and programme managers engaged informally.
  Fix: seek prior approval where required; embed SLAs/KPIs/audit rights and conduct periodic reviews.
• AML/CFT as an afterthought: tools procured late; EWRA generic.
  Fix: run AML in parallel with product build; tailor scenarios to corridor risks; document sanctions freeze workflows.

16) How CRYPTOVERSE Legal Can Help

As a UAE-based regulatory practice focused on payments and virtual-asset frameworks, CRYPTOVERSE Legal acts as your single-threaded owner from scope definition to go-live. Our goal is simple: compress licensing timelines and de-risk approval by submitting a working-grade operating model, not a theoretical one.

16.1 Perimeter & Strategy (Weeks 1–2)

• Service-to-regulation mapping: we translate your feature set into SVF vs. RPSCS vs. PTS/VASP obligations and draft a perimeter memo that supervisors and banks can follow.
• Entity architecture: whether you need one or two entities (for fiat vs. crypto components), how to allocate staff, and where to place contracts and risk functions.
• Prudential plan: step-through of paid-up capital, ACF mechanics, and bank guarantee terms; advice on orderly wind-down and recovery options.

16.2 Safeguarding & Treasury Design (Weeks 2–4)

• Float model blueprint: segregation structures, escrow or restricted accounts, daily reconciliation design (D and D+1), exception workflows, and MI to the Board.
• Liquidity-first treasury: investment constraints aligned to supervisory expectations; letters with settlement banks that confirm restrictions and rights.
• Assurance: templates for bank letters, independent opinions, and reconciliation exhibits requested in Q&A.

16.3 Governance, Conduct & AML/CFT (Weeks 3–6)

• Board/SMF fit-and-proper: role descriptions, reporting lines, and directors’ governance dossiers.
• Consumer artefacts: customer T&Cs, fee/FX disclosures, monthly statements, refunds & chargeback policies, complaint handling and escalation.
• AML/CFT suite: EWRA tailored to products and corridors; CDD/eKYC playbooks; transaction monitoring methodology; sanctions screening/freezing SOPs; STR/ SAR procedures and MI.

16.4 Technology & Security Dossier (Weeks 4–7)

• Architecture pack: network/data flows, IAM, encryption, vendor oversight, UAE data residency controls, DR topology.
• Security evidence: pen-test scoping and integration, SIEM screenshots, DR failover test reports, and incident runbooks aligned to Article 12.
• Change management: SDLC artifacts, code review gates, and rollback plans.

16.5 Application Filing, Q&A & Hearings (Weeks 7–10)

• We assemble the Annex-grade file: forms, capital evidence, bank guarantees, Operating Rules, policy suite, technology dossier, and independent assessments.
• We manage Q&A, prepare executives for interviews/demos, and align remedial proofs for conditions precedent.

16.6 Conditions-Precedent & Launch (Weeks 10–14)

• Conditions tracker: escrow activation confirmations, guarantee issuance, auditor appointment/letters, dashboards live.
• Operational readiness: reconciliation and incident MI, fraud/complaint metrics, AML reporting cadence, and regulatory notifications templates.

16.7 Why teams choose CRYPTOVERSE

• Specialist UAE focus: SVF/RPSCS/PTS/VASP workstreams under one roof.
• Regulator-ready artefacts: our templates map rule-by-rule to Article requirements, reducing back-and-forth.
• Bank & scheme coordination: practical support with settlement banks, escrow, and card-scheme partners (if relevant).
• Cost discipline: we benchmark third-party costs (audit, pen-test, escrow, guarantee fees) and help you plan realistic budgets.

Engagement options: fixed-fee phases (with capped hours) for licensing; optional monthly compliance retainer after go-live (reporting, audits, policy maintenance, and change-control).

17) Practical Takeaways & Next Steps

• If you hold customer balances, the SVF Regulation is your baseline. Plan for AED 15m paid-up capital, ACF ≥ 5% of float, a bank guarantee equal to paid-up capital, daily reconciliation, UAE data residency (5 years), bank-grade cyber, and robust consumer and AML controls.
• If you do not hold balances, design a genuine pass-through model and draft contracts to fit; otherwise you will accidentally trigger SVF.
• If you add payments rails (cards, acquiring, cross-border), select the RPSCS category that matches actual services and volumes; SVF may still apply if you hold value.
• If you touch payment tokens or non-payment-token crypto, assess PTS (for fiat-referenced stablecoins) or VASP regimes (for BTC/ETH, etc.), and separate entities accordingly.

What we need from you to begin

1. A short service inventory (features, corridors, users, volumes).
2. Your proposed float design (if any).
3. Governance candidates (Board/SMF) and current technology posture (architecture, pen-test status).
4. Funding plan for capital, ACF, and bank guarantee.

With these in hand, CRYPTOVERSE Legal will draft your perimeter memo, confirm licensing scope, and present a timeline and fixed-fee engagement to take you from scoping to licence and launch.

Disclaimer: 

This article provides general regulatory information for planning purposes and is not a substitute for formal legal advice. Final licensing outcomes depend on your business model, ownership, technology, partners, and on the CBUAE’s determinations in each case. For formal advice, filings, or negotiations with the supervisor, please engage us to perform a tailored review of your structure, documentation, and disclosures.

FAQs