For any business providing payment services, wallet functionality, prepaid products, money transfer or merchant acquiring to UAE mainland customers, CBUAE is the primary regulator. The DIFC (DFSA) and ADGM (FSRA) frameworks cover payment-services activities within their free-zone perimeters — but anything reaching the UAE mainland customer base falls within CBUAE jurisdiction.

CBUAE's payment-services framework has evolved materially over the past 5 years from a relatively narrow Stored Value Facility regulation into a comprehensive framework covering payment services, retail payment service providers, payment-system operators and money exchange. For fintechs, wallet operators, payment processors and remittance businesses, the framework is the regulatory perimeter that determines who can operate.

The main licence categories.

CategoryWhat it coversTypical applicant
SVF — Stored Value FacilityPrepaid value held on behalf of a customer for spending on goods/services or transferWallet operators, prepaid card issuers, closed/limited/open-loop SVFs
RPSP — Retail Payment Services ProviderIssuing payment instruments, merchant acquiring, payment-account services, remittance, agency banking, payment aggregation, payment tokensPayment processors, remittance providers, merchant acquirers, payment-aggregator fintechs
RPISP — Retail Payment Infrastructure Service ProviderOperating payment-system infrastructure, switching, clearing, settlementPayment network operators, switching infrastructure
Money exchangeBuying, selling and exchanging foreign currency, money transferMoney-exchange houses, currency-conversion businesses

The right category depends on the activity. A payment-services business may need multiple licences where it conducts overlapping activities — for example, a wallet operator that also offers domestic and cross-border remittance may need both SVF and RPSP authorisations.

What an SVF licence actually authorises.

An SVF licence permits the holder to issue a stored-value facility — a prepaid balance held on behalf of a customer for spending on goods or services from the issuer or third parties, or for transfer to other persons. The framework distinguishes:

  • Closed-loop SVF — usable only for goods or services from the issuer itself. Lower regulatory burden.
  • Limited-purpose SVF — usable within a defined network of merchants or for a defined category of goods/services.
  • Open-loop SVF — usable broadly, including for general spending and inter-personal transfer. Highest regulatory burden.

What an RPSP licence covers.

RPSP is the broader payment-services framework, covering activities including:

  • Issuing payment instruments — cards, mobile wallets, payment-app credentials.
  • Merchant acquiring — enabling merchants to accept card and digital payments.
  • Payment account services — operating payment accounts for customers.
  • Domestic and cross-border remittance — money transfer services.
  • Agency banking — performing limited banking-adjacent services on behalf of a sponsor.
  • Payment aggregation — aggregating payment flows for downstream merchants.
  • Payment-token issuance — certain payment tokens fall within the framework.

RPSP applicants typically identify the specific activity categories within scope and the CBUAE assesses the application against the framework applicable to each.

The capital and prudential framework.

Capital requirements scale with the activity category and the operating profile. Open-loop SVF carries higher capital than closed-loop. RPSP with merchant acquiring carries higher capital than agency-banking-only. The capital position must be maintained continuously, with prudential reporting to CBUAE on a regular cadence.

Beyond the headline capital, CBUAE expects:

  • Client-money segregation — customer funds held in trust or segregated accounts, separate from operational working capital.
  • Settlement and reconciliation — documented frameworks for daily reconciliation and prompt remediation of breaks.
  • Liquidity management — proportionate to the wallet float, redemption profile and counterparty exposure.
  • Stress and scenario testing — documented analysis of stress scenarios and the capital and liquidity response.

The governance and senior-officer expectations.

CBUAE-regulated firms must operate with proper senior governance:

  • Chief Executive Officer / Managing Director — UAE-resident, accountable for the firm.
  • Compliance Officer — accountable for regulatory compliance.
  • MLRO — AML/CFT framework operation and STR reporting.
  • Risk Management function — proportionate to the activity, with documented framework and reporting.
  • Internal Audit — periodic independent review of the firm's control environment.

The technology and cyber framework.

Payment services are fundamentally technology businesses, and CBUAE's technology and cyber expectations have tightened materially. Applicants are expected to evidence:

  • Information-security framework consistent with ISO 27001 or equivalent.
  • Documented business continuity and disaster recovery, with regular testing.
  • Cyber-incident response framework with scenario testing.
  • Third-party / outsourcing risk management.
  • Data-governance framework consistent with UAE PDPL.
  • Customer-authentication and fraud-prevention framework.
CBUAE applicants frequently underestimate the depth of the technology and cyber documentation expected. For a payment-services applicant, technology assurance is on par with the AML/CFT framework as the area where applications most often need substantive remediation.

The application pathway.

  1. Pre-application engagement — informal discussion with CBUAE on the proposed activity, business model, scale and applicable category.
  2. Initial application — covering business plan, ownership, financial projections, senior officers, governance, technology, AML/CFT.
  3. Detailed review and engagement — CBUAE typically requests additional materials and clarifications.
  4. In-principle approval — CBUAE confirms it is minded to authorise subject to operational readiness.
  5. Operational readiness — the firm establishes its operating platform, technology infrastructure, governance arrangements and capital position.
  6. Final approval and licence issuance — with any specific conditions attached.

Realistic timeline: 9-15 months for a well-prepared application. Complex applications — particularly cross-border remittance or wallet operators with virtual-asset adjacency — can run longer.

The interaction with VARA and DIFC/ADGM.

Where the payment-services activity has virtual-asset adjacency (custodial wallets, payment tokens, on-ramp/off-ramp functionality), the CBUAE framework interacts with the VARA payment-services category. The boundary depends on whether the activity is fiat-payment-services with virtual-asset adjacency (CBUAE), virtual-asset payment-services (VARA), or both. Cross-perimeter operators frequently need both authorisations.

Similarly, payment-services activities conducted from DIFC or ADGM (and reaching only the free-zone perimeter) fall under DFSA or FSRA. Once activity reaches UAE mainland customers, CBUAE jurisdiction engages.

Conclusion.

CBUAE payment-services licensing is the gateway for any business operating in the UAE mainland payments space — wallets, remittance, merchant acquiring, payment aggregation. The framework has matured significantly and operates to international standards, but the application is substantively demanding and the technology and capital expectations are not trivial. Neo Legal supports fintechs and payment-services operators through the full CBUAE licensing pathway, including coordination with VARA, DIFC and ADGM where the activity is cross-perimeter.