CBUAE Licensing Requirements For Payment Service Providers in The UAE

Does your business need a CBUAE payment services licence?

• Yes, if you provide any of the nine regulated retail payment services in the UAE mainland, regardless of whether your entity is incorporated in a free zone or onshore. DIFC and ADGM entities are outside CBUAE's perimeter, but promoting or providing services into mainland UAE can still trigger licensing obligations.
• The Retail Payment Services and Card Schemes (RPSCS) Regulation, issued under CBUAE Circular No. 15/2021, requires a licence before any person provides or promotes retail payment services in the UAE.
• A new CBUAE Law (Federal Decree-Law No. 6 of 2025) came into force on 16 September 2025, broadening the regulatory perimeter to include open finance services, payment services using virtual assets, and enabling technology providers. Entities newly in scope have until 16 September 2026 to obtain the necessary licence or approval.
• Operating without a licence is now a criminal offence carrying imprisonment and fines up to AED 500 million under the 2025 Law.

Who this applies to

This article is for fintech companies, payment processors, e-wallet providers, merchant acquirers, money transfer operators, payment aggregators, and any business that facilitates digital payment transactions in the UAE mainland.

It is also relevant to technology companies that provide infrastructure enabling payment services, a category that the 2025 CBUAE Law now explicitly captures.

Entities regulated exclusively by the DFSA (DIFC) or FSRA (ADGM) for financial services fall outside the RPSCS framework, but should assess whether any activity directed at mainland UAE customers triggers CBUAE perimeter analysis. Banks licensed by the CBUAE are exempt from obtaining a separate RPSCS licence but must notify the CBUAE if they intend to provide retail payment services.

The nine regulated retail payment services

The RPSCS Regulation identifies nine categories of retail payment services that require CBUAE licensing. Understanding which services your business provides determines the licence category you need, the capital you must hold, and the ongoing compliance obligations that apply.

Payment account issuance services cover opening and operating payment accounts, including deposit and withdrawal functions. This is the core service for digital wallet providers and neobank-style platforms.

Payment instrument issuance services involve providing the devices, cards (debit or credit), or agreed digital procedures that allow a user to initiate payment orders. Issuing a prepaid card or a tokenised payment credential falls here.

Merchant acquiring services cover the contractual relationship with merchants to accept and process payments. If your business processes card or digital payments on behalf of retailers or service providers, this applies.

Payment aggregation services involve aggregating multiple payment instruments or methods and connecting merchants to the payment infrastructure. Payment facilitators and marketplace payment platforms typically fall under this category.

Domestic fund transfer services cover transfers of funds between accounts within the UAE. Peer-to-peer payment apps and internal transfer services fall here.

Cross-border fund transfer services cover remittances and international transfers. This is a separate regulated activity from domestic transfers and carries additional compliance requirements, including correspondent banking due diligence.

Payment token services cover the issuance, conversion, custody, and transfer of payment tokens (stablecoins). This is distinct from the standalone Payment Token Services Regulation issued under Circular No. 2/2024, which layers additional licensing requirements specifically for stablecoin-related activities.

Payment initiation services allow a third party to initiate a payment order from a user's existing payment account, typically through an API. Open banking service providers fall under this heading.

Payment account information services involve aggregating and presenting payment account data from one or more providers to a user. Account aggregation platforms and financial management apps are captured here.

For financial services lawyers in the UAE, helping clients map their product offering to the correct regulated service is often the first step in any PSP licensing engagement.

The four licence categories

The RPSCS framework uses a tiered licensing model. Category I is the broadest in scope and carries the highest capital requirements. Category IV is the narrowest. Your licence category is determined by the services you intend to provide, not by the size of your business.

The distinction between Category II and Category III is whether the PSP provides cross-border fund transfer services. Adding cross-border capability pushes you from Category III to Category II and doubles the capital requirement at the higher tier. For fintechs planning to offer remittance or international payment features, this is a material cost consideration that should be factored into the business plan before the application is filed.

Category IV is designed for open banking and account aggregation providers. The AED 100,000 capital requirement is significantly lower, but Category IV licensees must hold professional indemnity insurance, which is not required for the other categories.

What the 2025 CBUAE Law changes for payment service providers

Federal Decree-Law No. 6 of 2025 (the "2025 CBUAE Law") came into force on 16 September 2025, replacing the 2018 Central Bank Law. For payment service providers, the 2025 Law introduces several changes that matter in practice.

Broader licensing perimeter. The 2025 Law explicitly captures open finance services, payment services using virtual assets, and the offering or operation of platforms and technological infrastructure that facilitate financial services such as payments, credit, deposits, or remittances. Companies that previously considered themselves technology providers rather than regulated entities should reassess whether their activities now fall within CBUAE's licensing scope.

Technology-as-a-service providers. Article 62 of the 2025 Law imposes a licensing requirement on any person carrying on, offering, or facilitating any licensed financial activity, regardless of the medium or technology used. This includes decentralised applications, protocols, and technological infrastructure that enable payment services. The practical boundary between a regulated PSP and an unregulated technology vendor has shifted.

Higher penalties. Operating without a licence is now a criminal offence. Penalties include imprisonment and fines ranging from AED 50,000 to AED 500 million. Under the 2018 Law, enforcement options were more limited.

Fraud prevention obligations. The 2025 Law introduces specific requirements for licensed financial institutions to implement fraud prevention and detection systems, customer notification procedures, and cooperation obligations in CBUAE investigations. These are new mandatory obligations, not discretionary best-practice recommendations.

Transition deadline: 16 September 2026. Entities whose activities are newly captured under the 2025 Law have one year from the effective date (16 September 2025) to regularise their position and obtain the necessary licences or approvals. The existing RPSCS Regulation and Stored Value Facilities Regulation remain in force until replaced by new regulations under the 2025 Law.

The application process

The CBUAE Licensing Division handles PSP applications. The process is sequential and approval-dependent at each stage. There is no published statutory timeline for processing, and turnaround varies with application complexity and CBUAE workload.

Pre-application preparation. Before filing, applicants need to identify exactly which retail payment services they will provide and confirm the corresponding licence category. The CBUAE expects a clear alignment between the services listed in the application and the applicant's actual business model. Attempting to apply for a broader category than needed (or a narrower one to reduce capital requirements) will draw questions.

Documentation. The application must include a detailed business plan covering the target market, projected transaction volumes over 12 to 24 months, revenue model, and growth strategy. The CBUAE will also require evidence of the required initial capital (with source-of-funds documentation), corporate governance structure with fit-and-proper assessments for directors and senior management, a risk management framework, AML/CFT policies and procedures, information security and technology risk documentation, and evidence of adequate operational infrastructure.

Fit and proper requirements. Directors, senior managers, and controllers (persons with significant influence or ownership) must satisfy the CBUAE's fit-and-proper criteria. This includes background checks, financial soundness, and relevant experience. The CBUAE has broad discretion to refuse or condition a licence based on the suitability of key personnel.

Principal business requirement. Under Article 9 of the RPSCS Regulation, the principal business of the PSP must be the retail payment service for which the licence is granted. If the PSP wants to offer ancillary services outside the scope of its licence, it must obtain prior CBUAE approval. The CBUAE may require the creation of a separate entity for non-core activities.

Regulatory review. The CBUAE conducts due diligence on the applicant, its shareholders, its technology infrastructure, and its compliance readiness. Interviews may form part of the assessment. Applications are commonly returned with requests for additional information or clarification before a decision is issued.

Ongoing compliance obligations

Obtaining the licence is the beginning, not the end. CBUAE-licensed PSPs face ongoing regulatory obligations that are actively supervised.

Capital maintenance. PSPs must maintain aggregate capital funds at or above the initial capital requirement for their licence category at all times. Capital includes paid-up capital, reserves, and retained earnings, less deductions for losses and goodwill. If monthly average transaction values exceed AED 10 million for three consecutive months, the higher capital tier applies and the CBUAE determines the new minimum.

AML/CFT compliance. PSPs must implement and maintain internal AML/CFT policies, procedures, and controls that comply with Federal Decree-Law No. 20 of 2018 (as amended), its implementing regulations, and CBUAE-specific AML guidance. This includes customer due diligence (CDD), ongoing transaction monitoring, suspicious transaction reporting through goAML, and regular staff training. For a detailed treatment of AML obligations, see our guide on AML compliance in the UAE and DIFC.

Technology risk and information security. The RPSCS Regulation requires PSPs to implement technology risk management aligned with international best practices. In practice, the CBUAE expects alignment with standards such as PCI DSS for card data environments and ISO 27001 for broader information security management. The regulation also imposes requirements around operational resilience, incident reporting, and business continuity planning.

Consumer protection. PSPs must provide clear disclosure of fees, charges, and terms to users. The regulation prescribes liability allocation rules for unauthorised transactions, refund mechanics, and dispute resolution procedures. The 2025 CBUAE Law reinforces these with new obligations around fee transparency and customer notification.

Outsourcing controls. Where a PSP outsources operational functions (technology, customer support, compliance monitoring), the CBUAE requires that the outsourcing arrangement does not diminish the PSP's ability to meet its regulatory obligations. The PSP remains fully responsible for the outsourced activity.

Reporting. PSPs must submit periodic reports to the CBUAE covering transaction volumes, financial performance, compliance metrics, and incidents. Licensed PSPs must also appoint an external auditor to review their annual financial statements.

Payment token services: additional layer

If a PSP intends to offer payment token services (issuance, conversion, custody, or transfer of stablecoins), the RPSCS Regulation requires a Category I licence. Additionally, the CBUAE's standalone Payment Token Services Regulation (Circular No. 2/2024) imposes a separate licensing and registration framework specifically for payment token activities.

Under the PTSR, a distinction exists between Dirham Payment Tokens (AED-denominated stablecoins, which require a full CBUAE licence) and Foreign Payment Tokens (non-AED stablecoins, which require CBUAE registration). Entities incorporated in DIFC or ADGM cannot obtain a PTSR licence but may apply for Foreign Payment Token Issuer registration.

Virtual asset service providers (VASPs) licensed by the SCA or VARA that provide custody, transfer, or conversion services involving payment tokens need a Non-Objection Registration (NOR) from the CBUAE under the PTSR. The PTSR transitional period ended on 14 June 2025, meaning full compliance is now required.

Stored value facilities: a separate regime

The RPSCS Regulation does not cover stored value facilities (SVFs), which are regulated separately under the CBUAE's Stored Value Facilities Regulation. SVFs are prepaid products that store monetary value electronically. If your platform allows users to load and store funds for future use (without the funds constituting a deposit), the SVF regime may apply instead of, or in addition to, the RPSCS framework.

SVF licensing carries significantly higher capital requirements (AED 15 million minimum paid-up capital), reflecting the custodial risk involved. Companies should determine early in the product design phase whether their offering constitutes a payment account (RPSCS) or a stored value facility (SVF), as the regulatory and financial implications are substantially different.

DIFC and ADGM: separate regulatory perimeters

Payment service providers operating exclusively within the DIFC are regulated by the DFSA, not the CBUAE. Similarly, providers within the ADGM are regulated by the FSRA. Each free zone has its own licensing categories, capital requirements, and ongoing compliance obligations.

The overlap risk arises when a DIFC or ADGM entity offers or promotes payment services to customers in the UAE mainland. The CBUAE's perimeter analysis focuses on where the customer is located and where the service is being provided or promoted, not solely on where the PSP is incorporated. A DIFC-licensed payment firm marketing to mainland UAE customers may trigger a CBUAE licensing obligation, depending on the facts.

For businesses structuring a payment service across multiple UAE jurisdictions, early regulatory mapping is essential. The CBUAE, DFSA, and FSRA do not operate a mutual recognition framework for payment services licences. For a broader treatment of cross-border data and regulatory considerations, see our separate guide.

What payment service providers should do now

Assess whether you are in scope. Map every payment-related service your business provides against the nine regulated categories. Include services that your business facilitates through technology infrastructure, which may now fall within scope under the 2025 CBUAE Law.

Identify the correct licence category. The category is driven by the actual services you provide, not by how you describe them commercially. A payment aggregator that also offers cross-border transfers needs at least a Category II licence, not Category III.

Prepare capital and governance ahead of filing. The CBUAE expects the initial capital to be in place at the time of licence grant, with documented source-of-funds. Governance structures, fit-and-proper documentation, and compliance frameworks should be substantially built before the application is submitted.

Plan for the September 2026 deadline. If your business activities are newly within CBUAE's scope under the 2025 Law, the transition deadline is 16 September 2026. CBUAE application processing is not instantaneous, so filing well before the deadline is essential.

Review existing contracts and outsourcing arrangements. The RPSCS Regulation requires that commercial contracts between PSPs and their technology providers, merchants, and partner institutions include specific provisions around data security, service continuity, and regulatory compliance.

Legal advice may be required to determine which licensing regime applies to your specific business model and to prepare an application that meets CBUAE expectations.

Update note: This article reflects the position as of March 2026. The RPSCS Regulation (Circular No. 15/2021) remains in force pending the issuance of new implementing regulations under the 2025 CBUAE Law (Federal Decree-Law No. 6 of 2025). The transition deadline for entities newly in scope under the 2025 Law is 16 September 2026. Capital requirements, licence categories, and application procedures may be revised when new regulations are published.

External sources referenced

• RPSCS Regulation (CBUAE Rulebook) (CBUAE official)
• Article 3: Licence Categories (CBUAE official)
• Article 6: Initial Capital (CBUAE official)
• Payment Token Services Regulation (CBUAE official)
• CBUAE Licensing Division (CBUAE official)

‍