• CBUAE — RPSCS Mandatory Requirements

Mandatory Licensing Requirements (RPSCS) Under the RPSCS

Legal, prudential, governance, AML, technology, and capital requirements every Retail Payment Service Provider and Card Scheme operator must satisfy before operating in the UAE (outside DIFC and ADGM).

Book an RPSCS Licensing Structuring Call
Get Licensing Requirements Checklist

Six Mandatory Pillars

📋

Legal & Corporate Structure

💰

Capital & Prudential Adequacy

🏛️

Governance & Fit & Proper

🗺️

AML / CFT Compliance

⚙️

Technology & Operational Resilience

📋

Ongoing Supervision & Reporting

⚠️

This is a multi-layered prudential and supervisory assessment — not a single filing

We translate CBUAE RPSCS requirements into implementation-ready frameworks: licence category mapping, capital planning, governance buildout, AML architecture, safeguarding controls, technology governance, and full application file management.

01 / Who Must Be Licensed

Who Must Obtain a CBUAE Licence?

Any person conducting Retail Payment Services (RPS) or operating a Card Scheme in the UAE (outside financial free zones) must obtain authorisation from the Central Bank of the UAE before commencing operations.

🚫

Carrying on regulated activity without a licence may result in enforcement action, fines, and suspension orders.

Regulated Activitie

  • Payment Account Issuance
  • Payment Instrument Issuance
  • Merchant Acquiring
  • Payment Aggregation
  • Domestic Fund Transfer
  • Cross-Border Fund Transfer
  • Payment Token Services
  • Payment Initiation
  • Account Information
  • Card Scheme Operation

02 / Core Requirements

Core Licensing Requirements — Six Pillars

CBUAE licensing under the RPSCS is not a single filing. It is a multi-layered prudential and supervisory assessment across six mandatory pillars.

PILLAR 01

Legal & Corporate Structure

  • UAE-incorporated legal entity
  • Physical presence in UAE
  • UBO disclosure
  • Transparent shareholding

PILLAR 02

Capital & Prudential Adequacy

  • Tiered initial capital
  • Fully paid-up & unencumbered
  • Source-of-funds documentation
  • Ongoing capital maintenance

PILLAR 03

Governance & Fit & Proper

  • Senior management assessment
  • Board & committee charters
  • Compliance history review
  • Succession planning

PILLAR 04

AML / CFT Compliance

  • Enterprise-wide AML risk assessment
  • Risk-based CDD & EDD
  • Sanctions screening
  • Transaction monitoring & STR

PILLAR 05

Technology & Operational Resilience

  • System architecture documentation
  • Cybersecurity controls
  • BCDR plan
  • Incident response framework

PILLAR 06

Ongoing Supervision & Reporting

  • Continuous capital adequacy
  • Regulatory reporting
  • Incident notification
  • Annual renewal obligations

03 / Pillar 1 — Legal & Corporate

Legal & Corporate Structure Requirements

Applicants must establish a transparent, UAE-based corporate structure that satisfies CBUAE requirements.

Applicants Must

  • Establish a UAE-incorporated legal entity in an acceptable legal form
  • Maintain adequate physical presence in the UAE
  • Disclose Ultimate Beneficial Ownership (UBO)
  • Provide transparent shareholding structure
  • Obtain prior approval for Controllers
  • Demonstrate lawful source of capital
  • Maintain constitutional documents (MoA/AoA) aligned with regulated activities

🚫

Opaque ownership or nominee structures without transparency will not satisfy licensing conditions.

ℹ️

Prior approval for Controllers is mandatory — CBUAE must approve all persons exercising significant influence over the entity.

04 / Pillar 2 — Capital

Capital & Prudential Requirements

CBUAE applies a tiered capital regime based on licence category and transaction volume.

Category

≥ AED 10m Monthly Avg.

< AED 10m Monthly Avg.

Category I

AED 3M

AED 1.5M

Category I

AED 2M

AED 1M

Category I

AED 1M

AED 500K

Category IV

AED 100K

Fixed — regardless of volume

Mandatory Conditions

  • Fully paid-up
  • Unencumbered
  • Demonstrably available
  • Source-of-funds documented
  • Maintained at all times

⚠️

If monthly transaction averages exceed AED 10 million for three consecutive months, higher capital requirements apply. Prudential best practice: maintain a capital buffer above regulatory minimum.

05 / Pillar 3 — Governance

Governance & Fit & Proper Requirements

CBUAE assesses the competence, integrity, and financial soundness of all key persons involved in the applicant entity.

CBUAE Assesses

  • Competence and experience of senior management
  • Integrity and reputation
  • Financial soundness
  • Compliance history
  • Independence of oversight functions

Applicants Must Provide

  • CVs and supporting documentation
  • Governance structure map
  • Role descriptions
  • Board and committee charters
  • Conflicts of interest framework
  • Succession plan

Key Roles Typically Required

Chief Executive Officer

Compliance Officer

MLRO

Risk Oversight

Finance Oversight

ℹ️

Fit & Proper assessment applies to all senior management, board members, and persons exercising significant control.

06 / Pillar 4 — AML/CFT

AML / CFT & Financial Crime Controls

Every Retail Payment Service Provider must implement a comprehensive AML framework aligned with UAE federal AML legislation and FATF standards.

  • Enterprise-wide AML risk assessment
  • Risk-based Customer Due Diligence (CDD)
  • Enhanced Due Diligence (EDD) where required
  • Sanctions screening
  • Transaction monitoring
  • Suspicious Transaction Reporting (STR)
  • Recordkeeping systems
  • Cross-border risk exposure screening

⚠️

For Payment Token Services, additional transaction monitoring sophistication is expected. AML frameworks must align with UAE federal AML legislation and FATF standards.

07 / Pillar 5 — Technology

Technology & Operational Requirements

For Aggregation, Acquiring, Token, Custody, and Card Scheme models, CBUAE expects comprehensive technology governance. Technology maturity is a licensing condition, not a post-approval enhancement.

Core Technology Requirements

  • System architecture documentation
  • Technology risk assessment
  • Information security framework
  • Cybersecurity controls
  • Business Continuity & Disaster Recovery (BCDR)
  • Incident response framework
  • Data governance controls
  • Reconciliation procedures

Additional — Payment Token Services

  • Token governance framework
  • Custody & key management policy
  • Safeguarding & segregation controls

🚫

Technology maturity is a licensing condition — not a post-approval enhancement. Immature technology architecture is a common licensing failure.

08 / Business Plan

Regulatory Business Plan Requirement

Applicants must submit a detailed Regulatory Business Plan. Unrealistic financial assumptions or undercapitalised models may delay approval.

  • Business model description
  • Revenue and expense forecasts (3 years)
  • Capital planning & threshold modelling
  • Transaction volume projections
  • Risk profile
  • Client segmentation
  • Compliance infrastructure
  • Technology roadmap

⚠️

Unrealistic financial assumptions or undercapitalised models are a common cause of approval delays.

09 / Safeguarding

Safeguarding & Client Protection Requirements

Where applicable, applicants must implement robust client protection measures.

  • Client fund segregation
  • Reconciliation controls
  • Settlement procedures
  • Complaints handling mechanism
  • Transparent disclosures
  • Conflict-of-interest management

10 / Post-Licence Obligations

Ongoing Licensing Obligations

Licensing is not a one-time approval. Post-licence obligations are continuous and enforceable.

1

Continuous capital adequacy

2

Maintenance of aggregate capital funds

3

Regulatory reporting

4

Incident notification

5

Supervisory engagement

6

Annual renewal obligations

7

Approval for material changes (ownership, scope, governance)

ℹ️

CBUAE retains inspection and enforcement authority over all licensed entities on an ongoing basis.

11 / Common Failures

Common Licensing Failures

Where Applications Commonly Fail

  • Incorrect licence category selection
  • Underestimating transaction escalation impact
  • Weak source-of-funds documentation
  • Incomplete AML framework
  • Insufficient safeguarding controls
  • Inadequate governance documentation
  • Immature technology architecture
  • Attempting to scale beyond approved scope

Quick Takeaways

Key Facts at a Glance

Licensing is mandatory before operation

Capital requirements are tiered and volume-sensitive

Governance, AML & safeguarding are core pillars

Technology readiness is heavily scrutinised

Ongoing supervision continues post-licence

Foreign firms targeting UAE clients require licensing

What We Deliver

How We Support RPSCS Licensing

🔬

Regulatory Perimeter Analysis

Activity classification & licence category mapping

📊

Capital Modelling & Stress Testing

Tiered capital planning & threshold scenarios

🏛️

Governance Framework Drafting

Board charters, role descriptions & F&P packs

⚖️

AML Implementation

Enterprise-wide AML programme build

💻

Technology Governance Structuring

Architecture docs, BCDR & incident frameworks

📝

Regulatory Business Plan

3-year forecasts, risk profile & compliance roadmap

📁

Full Application File Prep

Complete dossier assembly & submission

🤝

Pre-Application Engagement

Regulator dialogue & positioning

🔄

Post-Licensing Compliance

Ongoing supervision readiness & reporting

FAQs

Frequently Asked Questions

Is licensing mandatory for foreign firms targeting UAE clients?

Yes. Marketing or conducting regulated Retail Payment Services in the UAE triggers licensing requirements regardless of where the firm is incorporated.

Can we operate during the application process?

No. Regulated activities may only commence after licence issuance. Operating without a licence may result in enforcement action, fines, and suspension orders.

Is capital required before approval?

Yes. Capital must be demonstrably available and paid-up prior to licence grant. Source-of-funds documentation is mandatory.

Are all requirements applicable to every activity?

No. Certain requirements are activity-specific (e.g., Payment Token Services, Card Schemes, cross-border models). We map your specific activity scope to the applicable requirements.

Get Started

Meet Every CBUAE Requirement From Day One

CBUAE licensing is a multi-layered prudential assessment — not a single filing. We build your legal structure, capital file, governance framework, AML architecture, technology governance, and full application dossier through to licence issuance and go-live.

Book an RPSCS Strategy Call