Fintech landscape and initiatives

General innovation climate

What is the general state of fintech innovation in your jurisdiction?

There is a generally progressive and ambitious trend around fintech innovation in the UAE, with some subsectors having more notable innovation than others. Government and public sector entities and regulators play a key role in the innovation strategies in most industry verticals and this is also the case for fintech. From a financial services regulatory perspective, the UAE comprises three separate and independent jurisdictions:

  • the Dubai International Financial Centre (the DIFC);
  • the Abu Dhabi Global Market (the ADGM);
  • and the remainder of the UAE (often referred to as ‘onshore’ or ‘onshore UAE’).

Federal-level financial services regulators have jurisdiction over onshore UAE; however, the DIFC and the ADGM each has its own regulatory bodies, and all the various regulators across all three jurisdictions have identified fintech innovation as a key priority.

In the DIFC, the DIFC FinTech Hive runs an accelerator programme focusing on fintech, insuretech, regtech and Islamic fintech start-ups. In tandem, the DIFC’s financial services regulator, the Dubai Financial Services Authority (DFSA) launched its Innovation Testing Licence (ITL), a regulatory sandbox in 2017. These initiatives are in line with the goals of the Dubai Plan 2021 strategy to develop Dubai’s economy. The DFSA has also signed a number of bilateral fintech agreements with other regulators globally, such as with the Monetary Authority of Singapore in August 2018 and Japan’s Financial Services Agency in September 2018, to cooperate in the development of fintech and to foster innovation in their respective jurisdictions. Other similar agreements that the DFSA has entered into include with the Australian Securities and Investment Commission, the Hong Kong Monetary Authority, the Hong Kong Securities and Futures Commission, the Hong Kong Insurance Authority and the Securities Commission Malaysia.

Similarly, the ADGM’s financial services regulator, the Financial Services Regulatory Authority (FSRA) launched its regulatory sandbox, the Regulatory Laboratory (RegLab) following the implementation of its fintech legislative framework. The ADGM has also partnered with the Association of Southeast Asian Nations Financial Innovation Network, which launched a digital marketplace - the Application Programming Interface Exchange (APIX) - for South-East Asia to support financial inclusion, to test the cross-border connectivity between the ADGM Digital Sandbox and APIX. Both the DFSA and the FSRA joined the Global Financial Innovation Network (GFIN), to assist with cross-border testing.

Beyond the DIFC and ADGM financial free zones, there are a number of other initiatives to foster innovation in the UAE that cross over into the UAE fintech sector. The UAE Blockchain Strategy 2021 aims to have 50 per cent of all government transactions on the blockchain network by 2021. In October 2016, the UAE cabinet launched Government Accelerators as a new mechanism to boost the achievement of the National Agenda to achieve Vision 2021. Additionally, the Smart Dubai initiative is the Emirate of Dubai government office charged with facilitating Dubai’s citywide smart transformation, to empower, deliver and promote an efficient, seamless, safe and impactful city experience for residents and visitors. Amongst its key initiatives includes the development of Dubai’s first Artificial Intelligence Smart lab and the Dubai Blockchain Strategy, which is a collaboration between the Smart Dubai Office and the Dubai Future Foundation to continually explore and evaluate the latest technology innovations. The UAE created the first Minister of AI with a mandate that will cross over into fintech innovation. In August 2018, it was announced that the DIFC courts has partnered with Smart Dubai to create the world’s first Court of Blockchain.

Government and regulatory support

Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

The UAE’s financial services free zones (namely, the ADGM and the DIFC) each has its own regulators that have launched initiatives to enable fintech businesses to participate and test their solutions in environments with lighter-touch regulation.

In the ADGM, the FSRA has created a ‘regulatory laboratory’, or RegLab. Participants in the RegLab are not subjected to the full suite of authorisation regulation and rules from the outset; rather, a customised set of rules will be applied, which will depend on the business model, technology deployed and risk profile of the fintech participant.

Under the RegLab framework, fintech participants are given two years to develop, test and launch their products and services in a controlled environment, after which fintech participants with viable business models will be transferred to the full authorisation and supervisory regime (provided they meet the authorisation criteria). Firms that are not ready after the two-year period will exit the RegLab framework.

In the DIFC, the DFSA has created the ITL, which fintech companies can apply for to test an innovative product or service for six to 12 months. In exceptional cases, the DFSA will consider extending that period. If an ITL licensee has met the outcomes detailed in its regulatory test plan, and it can meet the full DFSA authorisation requirements, it will migrate to full authorisation. If it does not, the company will have to cease carrying on activities in the DIFC that need regulation.

In furtherance of the ambition of innovation of Dubai and the UAE in the financial world, the DFSA and the FSRA are due to take part in cross-border testing under the direction of the GFIN. The purpose of such a pilot scheme is to assist in providing efficient ways for fintech firms to engage with regulators across multiple jurisdictions.

Financial regulation

Regulatory bodies

Which bodies regulate the provision of fintech products and services?

For banking and lending-related activities in onshore UAE (see question 4), the financial services regulator is the UAE Central Bank, while for securities and capital markets-related matters, the UAE Securities and Commodities Authority (SCA) is the relevant regulator. Onshore UAE also has an insurance-sector regulator, which is the UAE Insurance Authority (IA). For all regulated financial activities in the DIFC the regulator is the DFSA. For all regulated financial activities in the ADGM the regulator is the FSRA.

Regulated activities

Which activities trigger a licensing requirement in your jurisdiction?

The onshore UAE regulatory regime is separate and different from the regulatory regime found in the DIFC and the ADGM. So when considering the UAE, it is important to first ask which specific jurisdiction and financial regulatory regime should apply.

As financial free zones, both the DIFC and the ADGM have their own common law-based commercial and civil legal and financial services regulatory frameworks, as well as their own dedicated courts. The DFSA is the financial services regulator for activities conducted in or from the DIFC and the FSRA regulates financial services activities in or from the ADGM. The relevant federal onshore UAE (ie, in the UAE but outside the DIFC and ADGM) financial regulators are the SCA, the UAE Central Bank and the IA. The UAE Central Bank is the prudential regulator for onshore UAE and mainly regulates activities relating to banking and lending activities such as:

  • deposit taking (including sweep deposit accounts);
  • foreign exchange trading;
  • guarantees and commitments;
  • payment services (including the issuance of payment instruments and other means of payments);
  • primary lending;
  • factoring;
  • invoice discounting;
  • arranging primary loans;
  • secondary market loan trading; and
  • secondary market loan intermediation.

Outside the banking and lending context, the UAE Central Bank was historically the sole financial services regulator for onshore UAE prior to the establishment of the SCA (in 2001) and the IA (in 2007). There are therefore some other areas of financial activity that the UAE Central Bank continues to regulate - such as, among other things, currency brokerage, money exchange and some activities that would be typically associated with investment banking.

Generally, the types of regulated activities in onshore UAE, the DIFC and the ADGM include, among other things:

  • the marketing and sale of securities;
  • the provision of investment advice;
  • dealing in products and investments (either as principal or agent);
  • the underwriting and placing of financial products;
  • the offering and providing of discretionary investment management services;
  • the marketing or sale of funds (including the provision of investment advice);
  • accepting deposits;
  • providing credit;
  • providing money services;
  • arranging deals in investments;
  • managing assets;
  • managing a collective investment fund;
  • advising on financial products; and
  • insurance intermediation.

Securities and financial products that are regulated by the respective financial services regulators across onshore UAE, the DIFC and the ADGM include, but are not limited to, equity securities, debt securities, linked products, derivatives, structured products, deposits, notes and warrants.

Consumer lending

Is consumer lending regulated in your jurisdiction?

Yes. Article 65 of UAE Decretal Federal Law No. 14 of 2018 Regarding the Central Bank and Organisation of Financial Institutions and Activities (the CB Law) provides that the UAE Central Bank will regulate, among other things, the activities of ‘providing credit facilities of all types’, ‘providing stored values services, electronic retail payments and digital money services’ and ‘providing virtual banking services’.

With regard to the provision and booking of such services ‘in or from’ either the DIFC or the ADGM, such activities are likely to be considered as ‘providing credit’, which will require a licence from either the DFSA or FSRA respectively. To the extent that such services are only ‘advised’ on or ‘arranged’ from the same jurisdictions, an appropriate licence would also be required from either the DFSA or FSRA. If such services are merely promoted (with no ‘advising’ or ‘arranging’) ‘in or from’ either financial free zone, unless an exemption applies, a Representative Office licence would be required from either the DFSA or the FSRA respectively.

Secondary market loan trading

Are there restrictions on trading loans in the secondary market in your jurisdiction?

Secondary market loan trading is an activity regulated by the UAE Central Bank. It constitutes primary lending and is regulated whether or not the loan has been fully drawn. The trading of loans would also constitute a regulated financial services activity in the DIFC and the ADGM.

Collective investment schemes

Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

In onshore UAE, there is a general prohibition on marketing unregistered collective investment schemes (ie, funds) unless they have been registered with the SCA accordingly (either for private or public promotion). However, the onshore UAE marketing prohibition does not apply to the promotion of foreign funds to a non-natural ‘qualified investor’. A non-natural ‘qualified investor’ is defined in the SCA rules and includes the federal government, among others.

There is a private placement regime under the SCA rules, where if the potential investor is a natural person, foreign funds can be registered for private placement by an SCA-licensed promoter subject to several conditions.

With regard to the DIFC, there is a prohibition on marketing unregistered funds in the DIFC except through a DFSA-licensed intermediary with the appropriate type of licence, unless an exemption applies. The prohibition on the offer or sale of a fund only applies where such activity is carried out ‘in or from’ the DIFC. It is not possible to register a foreign fund for distribution in the DIFC. Funds need only be registered with the DFSA if they are domiciled in the DIFC. There are currently relatively few funds domiciled in the DIFC and so most funds marketed in the DIFC are foreign (ie, non-DIFC-domiciled) and therefore unregistered. However, all funds and collective investment schemes promoted ‘in or from’ the DIFC need to meet a fund eligibility criteria (see below).

Once a marketing entity holds the appropriate licence it may market foreign domiciled funds or DIFC-domiciled funds, provided it markets only to investors within the scope of its licence, and in the case of any foreign fund:

  • the fund qualifies as a ‘designated’ or ‘non-designated fund’;
  • the marketing entity has a reasonable basis for recommending a fund as suitable to a particular client; or
  • the fund offered discreetly to persons who are professional clients and the minimum subscription per investor is US$50,000.

Similar provisions exist with regard to the ADGM.

Following public consultation, with effect from 31 August 2017, the DFSA updated its rules to include ‘operating a crowdfunding platform’ as a regulated activity. See question 18 for an outline of the FSRA’s position on regulating fintech in the ADGM.

With regard to onshore UAE, while the UAE Central Bank has been reported to be in the process of drafting regulations relevant to crowdfunding, no specific regulatory regime has been introduced. However, depending on the specific activities undertaken (ie, where the platform merely introduces two independently contracting parties or if the platform is actively establishing a fund or offering securities), the activity may potentially fall under existing UAE Central Bank or SCA regulation.

Alternative investment funds

Are managers of alternative investment funds regulated?

Yes. See questions 4 and 7.

Peer-to-peer and marketplace lending

Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Lending is a regulated activity whereby intermediary platforms are required to obtain approvals to operate from the UAE Central Bank, which would trigger compliance requirements on the platform including the proper vetting of borrowers and anti-money laundering (AML) checks.

While interest is prohibited under articles 409 to 412 of the Penal Code and is void under articles 204 and 714 of the Civil Code, interest is permitted under articles 77 and 90 of the Commercial Code, provided it does not exceed 12 per cent. In any case, UAE Federal Supreme Court Decision No. 14/9 of 28 June 1981 permits the charging of simple interest (presumably as opposed to compound interest) in connection with banking operations.

The DFSA issued a consultation paper in early 2017 called ‘Crowdfunding: SME Financing through Lending’, which proposed a regulatory framework to operate loan-based crowdfunding platforms in the DIFC. In summary, the DFSA proposed that a regime whereby loan-based crowdfunding platforms in the DIFC:

  • benefit from a new financial activity and licence for operating such a platform;
  • apply appropriate prudential and conduct of business requirements for such platforms;
  • disseminate appropriate risk warnings and disclosures to lenders and borrowers;
  • conduct suitable due diligence on the borrowers as well as checks on lenders;
  • deploy a business cessation plan in the event that it ceases operations; and
  • follow rules in relation to transfer of rights and obligations between lenders.

More formal legislation and a more defined regime is set to emerge around DIFC-based peer-to-peer and marketplace lending platforms.

On 1 August 2017, changes to the DFSA rules came into force that introduced rules relevant to crowdfunding.


Describe any specific regulation of crowdfunding in your jurisdiction.

As mentioned in question 3, financial services in the UAE are regulated either by the UAE Central Bank, the IA or the SCA depending on the nature of the activity. In respect of financial free zones in the UAE, such activities are regulated by the DFSA in the DIFC, and the FSRA in the ADGM. In particular, issues of securities by UAE companies are regulated under the UAE Companies Law (Federal Law No. 2 of 2015) and regulations issued by the SCA. As such, under the UAE Companies Law, only public joint-stock companies may offer securities by way of a public subscription through a prospectus. Other companies, whether incorporated in the UAE (onshore or in a free zone) or in a foreign jurisdiction, are prohibited from advertising including the invitation to a public subscription without the approval of the SCA. In practice, private joint-stock companies are entitled to issue securities to sophisticated investors by way of a private placement. Accordingly, such regulatory limitation restricts the ability of limited liability companies, the legal form adopted by most SMEs in the UAE, from raising funds through equity-based crowdfunding.

Invoice trading

Describe any specific regulation of invoice trading in your jurisdiction.

Invoice trading currently falls within the activity of ‘arranging credit’ within the DIFC and is regulated as such by the DFSA. Similar provisions exist in the ADGM. With regard to onshore UAE, invoice trading will require a form of regulatory licence either from the UAE Central Bank (if providing credit) or the SCA (if invoices were to be considered as a financial product falling within the SCA’s Promoting and Introducing Regulations - Regulation 3/RM of 2017). To the extent that services are merely promoted within onshore UAE, the DIFC or the ADGM, a Representative Office licence in the respective jurisdiction would be required.

Payment services

Are payment services regulated in your jurisdiction?

Yes. On 1 January 2017, the UAE Central Bank published its Regulatory Framework for Stored Values and Electronic Payment Systems (the Digital Payment Regulation), which covers the following digital payment services:

  • cash-in services: enabling cash to be placed in a payment account;
  • cash-out services: enabling cash withdrawals from a payment account;
  • retail credit and debit digital payment transactions;
  • government credit and debit digital payment transactions;
  • peer-to-peer digital payment transactions; and
  • money remittances.

The Digital Payment Regulation does not apply to the following payment services or providers, although it states that the list below may be subject to other Central Bank laws and regulations:

  • payment transactions in cash without any involvement from an intermediary;
  • payment transactions using a credit or debit card;
  • payment transactions using paper cheques;
  • payment instruments accepted as a means of payment only to make purchases of goods or services provided from the issuer or any of its subsidiaries (ie, closed-loop payment instruments);
  • payment transactions within a payment or settlement system between settlement institutions, clearinghouses, central banks and payment service providers (PSPs);
  • payment transactions related to transfer of securities or assets (including dividends, income and investment services);
  • payment transactions carried out between PSPs (including their agents and branches) for their own accounts; and
  • technical services providers.

The Digital Payment Regulation specifies four categories of PSPs: retail PSPs, micropayment PSPs, government PSPs and non-issuing PSPs.

Open banking

Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

Other than in the context of a regulatory or official investigation, there is no specific obligation in UAE legislation requiring the disclosure of data to third parties. However, the Digital Payment Regulation maintains the UAE Central Bank’s rights to impose access regimes and interoperability obligations on PSPs.

The general position is that financial institutions that are in a position to collect and store data from the public are bound by a duty of confidentiality. A breach of this duty of confidentiality could attract criminal liability under article 379 of the UAE Penal Code. Further, article 106 of the Banking Law requires the UAE Central Bank to keep confidential all banking data that it receives.

Insurance products

Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Nothing in current UAE legislation (whether onshore UAE, DIFC or ADGM) specifically regulates fintech companies that wish to sell or market insurance products, and therefore the general regulation around the sale and marketing of insurance products in the relevant jurisdictions applies.

The IA was established under Federal Law No. 6 of 2007 (the Insurance Law). The IA, through the powers given to it under the Insurance Law, regulates insurance and reinsurance operations in onshore UAE. Insurance operations include insurance activities such as life assurance and funds accumulation operations, properties insurance and life liability insurance.

Detailed financial regulations around insurance companies were published at the end of 2014. The IA has issued various guidance and circulars that affect the scope of regulation around the insurance industry in the UAE. Insuretech businesses looking at the UAE market will need to observe additional guidance from the IA.

Credit references

Are there any restrictions on providing credit references or credit information services in your jurisdiction?

On 15 April 2018, the SCA issued Chairman of the SCA Board of Directors’ Decision No. 18/RM of 2018 Concerning the Regulations as to Licensing Credit Rating Agencies. Under these regulations, a credit rating is ‘a periodic measure to determine and assess the ability of the rated entity to meet its financial liabilities, and potential risks that may affect it, and to evaluate the financial products and potential risks of acquiring them by the investor’ and credit rating activities are regulated. In order to be eligible for a licence to carry on credit rating activities, an entity must have, among other things, a minimum of 2 million UAE dirhams in capital and consent from the UAE Central Bank or the IA (should the licence application be subject to their mandate).

In the DIFC, ‘operating a credit rating agency’ is a regulated activity that would require a DFSA licence. Similar provisions exist in the ADGM.

However, individual credit reference and information services are possible in the UAE through the Al Etihad Credit Bureau (AECB), which is a public joint stock company wholly owned by the UAE federal government. As per UAE Federal Law No. 6 of 2010 concerning Credit Information, AECB is mandated to regularly collect credit information from financial and non-financial institutions in the UAE. AECB aggregates and analyses this data to calculate credit scores and produce credit reports that are made available to individuals and companies in the UAE. AECB collects information on individuals and companies from banks, finance companies and telecoms companies. Additional information from other sources such as utilities, real estate, government and other entities are planned to be added in the future. Financial institutions in the UAE are mandated by law to supply AECB with all credit information on a monthly basis.

Cross-border regulation


Can regulated activities be passported into your jurisdiction?

There is currently no passport regime either into the DIFC, the ADGM or onshore UAE, or between these jurisdictions.

It was announced in May 2017 that the Dubai Department of Economic Development (the relevant commercial registry for onshore UAE within the Emirate of Dubai) and the DIFC Authority had signed a memorandum of understanding to allow companies operating within DIFC and holding a commercial licence issued by the DIFC Registrar of Companies to obtain licences to operate in mainland Dubai. However, legislation and regulation to facilitate this remains forthcoming. Notwithstanding the efforts to create a facilitative cross-border regime between onshore UAE within the Emirate of Dubai and the DIFC at a commercial licence level, passporting with regard to financial services between any of the onshore UAE regulators and the DFSA or FSRA has yet to be formally announced (other than in the case of marketing a domestic (ie, DIFC, ADGM or onshore UAE) domiciled fund across the three financial services jurisdictions within the UAE.

Requirement for a local presence

Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local presence?

It is possible for fintech companies to market on a cross-border basis into onshore UAE without having to obtain a licence. If marketing activities are undertaken on a true cross-border basis (ie, by telephone, website or email from outside the UAE) they should not be subject to UAE regulation. To ensure that marketing activities are conducted on a true cross-border basis and not deemed to be conducting business in the UAE, several guidelines should be followed, which include not having a physical or legal presence in the UAE, marketing only towards non-natural qualified investors (see question 4 for the definition) and making any subscription payments made outside the UAE.

In relation to cross-border marketing into the DIFC, there are several guidelines that should be followed to reduce the risk of marketing activities being treated as having taken place ‘in’ the DIFC, such as not having a physical or legal presence in the DIFC, keeping marketing materials generic and only made to certain types of pre-identified ‘professional clients’ (as defined under the DFSA’s Conduct of Business Rules) and performing all generic marketing from outside the DIFC.

With regard to regulated activities where a licence is required from a UAE financial services regulator (including the UAE Central Bank, SCA, DFSA or FSRA), a fintech company would need to be locally established in the relevant jurisdiction to obtain a licence. Note, however, that the initiatives launched by the ADGM and the DIFC (see question 18) require lighter regulatory oversight for qualified participants.

Sales and marketing


What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

There are a number of restrictions on the offering or promotion of financial services in onshore UAE, the DIFC and the ADGM, and in many cases corresponding exemptions relating to such promotions, all of which differ according to the type of product or service offered.

Change of control

Notification and consent

Describe any rules relating to notification or consent requirements if a regulated business changes control.

Under the DIFC and ADGM frameworks, there are detailed provisions relating to changes of control, including where notifications need to be made with the DFSA or the FSRA respectively, or where their prior approval needs to be obtained. In both cases, these are contained in the general modules of the respective regulator’s rulebook. Similar, although less detailed, provisions exist within the regulatory frameworks relevant to the UAE Central Bank, the SCA and the IA.

Financial crime

Anti-bribery and anti-money laundering procedures

Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

There are express restrictions on insider dealing and market abuse that would apply to UAE-licensed counterparties.

For there to be an AML offence, there needs to be actual awareness that such funds are derived from an offence or misdemeanour.

In addition to various administrative penalties, the Federal UAE AML Law states that whoever commits or attempts to commit money laundering shall be punished by imprisonment for a term not exceeding 10 years, or by a fine of between 100,000 and 500,000 dirhams, or both.

In the DIFC, under article 71(1) of the DIFC Regulatory Law, the DIFC regime requires compliance with the federal regime. The federal legislation governing money laundering and terrorist financing is also applicable in the DIFC. The Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module to the DFSA Rulebook applies to entities in respect of their activities carried on in or from the DIFC. The procedures that must be put in place include applying a risk-based approach that is objective and proportionate to the risks, based on reasonable grounds, properly documented and reviewed and updated at appropriate intervals. Effective AML systems and controls must also be established and maintained to prevent opportunities for money laundering. A risk-based assessment must be undertaken for every customer in order to assign the customer a risk rating proportionate to the customer’s money laundering risks. Customer due diligence must be undertaken in order to verify the identity of the customer and the beneficial owner and understand the source of funds. This should be ongoing by monitoring transactions and complex and unusual transactions. A money laundering reporting officer must be appointed with responsibility for implementing and overseeing compliance; the officer must have an appropriate level of seniority and independence to act in the role and be resident in the UAE.

Similar to the DIFC, the federal legislation governing money laundering and terrorist financing also applies within the ADGM. The ADGM’s AML rules are contained in the Anti-Money Laundering and Sanctions Rules and Guidance Module to the FSRA Rulebook (the ADGM AML Module). According to the ADGM AML Module, an entity must have policies, procedures, systems and controls that ensure compliance with the federal law, enable suspicious customers and transactions to be detected and reported, ensure the entity is able to provide an appropriate audit of trail of a transaction, and ensure compliance with any other obligations as contained in the ADGM AML Module.


Is there regulatory or industry anti-financial crime guidance for fintech companies?

There is no guidance specifically targeted at fintech companies. The regulatory guidance on financial crime is contained in the DFSA AML rules and the ADGM AML rules as described in question 20, as well as the applicable federal laws.

Further federal legislation in relation to financial crime regarding corporate and business fraud is contained in articles 399 to 402 of the UAE Penal Code (Federal Law No. 3 of 1987), provisions of the Dubai Recovery of Public Funds (Dubai Law No. 37 of 2009) and other specific offences set out in legislation including the UAE Cyber Crimes Law (Federal Law No. 5 of 2012) and the UAE Commercial Transactions Law (Federal Law No. 18 of 1993).

Peer-to-peer and marketplace lending

Execution and enforceability of loan agreements

What are the requirements for executing loan agreements or security agreements? Is there a risk that loan agreements or security agreements entered into on a peer-to-peer or marketplace lending platform will not be enforceable?

If any security is based within the UAE, the agreements should be entered into with a local security agent whereby the local security agent holds security on behalf of the service provider. Security may need to be perfected, depending on the type of asset to which the security relates.

In the DIFC, there is no licensing or registration requirement for a lender to take security over DIFC-based assets. Any real estate mortgages must be registered with the DIFC Register of Real Property without delay. For all other types of security interest, a security interest will be considered perfected if it has ‘attached’ and a financing statement has been filed with the DIFC Security Register. For security to ‘attach’, different procedures will need to be taken depending on the type of security interest under either the DIFC Real Property Law or the DIFC Law of Security (land, shares in a DIFC company, bank accounts, receivables, insurance, floating charges, etc). Similar protection requirements exist within the ADGM.

Assignment of loans

What steps are required to perfect an assignment of loans originated on a peer-to-peer or marketplace lending platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these loans without informing the borrower?

In onshore UAE, an assignment of rights requires only notification from the assignor to the counterparty, confirming the assignment to the assignee. Where this is not possible, the bank may require such income to be deposited into a collection account, which will be covered by an accounts pledge.

In the DIFC, an assignment is perfected when it attaches (ie, when it becomes enforceable against the debtor or third party). The position in the ADGM is similar.

Assuming there are no contractual restrictions on transfers, the position in each of the relevant jurisdictions is as follows.

Onshore UAE

Article 1109 of the UAE Civil Code (Federal Law No. 5 of 1985) provides that the assignor, the assignee and the borrower must consent for there to be a valid assignment. There are Federal Supreme Court judgments holding that, in commercial matters, the consent to the assignment by the borrower is not necessary, although evidence will be required that the borrower has been notified of the assignment.

UAE law does not generally recognise the concept of beneficial ownership. Accordingly, an assignee of certain rights otherwise than in accordance with the UAE will not be recognised as having a beneficial interest in the rights to be assigned.


The DIFC makes a distinction between assignment of rights and assignment of obligations. The DIFC Contract Law No. 6 of 2005 (the DIFC Contract Law) sets out several limitations on assignments and delegations. Under section 94 of the DIFC Contract Law, a contractual right can be assigned unless the substitution of a right of the assignee for the right of the assignor would:

  • materially change the duty of the borrower;
  • materially increase the burden or risk imposed on the borrower by his or her contract;
  • materially impair the borrower’s chance of obtaining return performance; or
  • materially reduce its value to the obligor.

A contractual obligation can be transferred unless the obligee has a substantial interest in having the obligor perform or control the acts promised.

While there are no explicit requirements under the DIFC Contract Law to notify borrowers of an assignment or transfer, it is advisable that the borrower be notified of such assignment or transfer.


In the ADGM, as per the ADGM Application of English Law Regulations 2015, the principles of English law relating to the assignment of rights and transfer of obligations would apply. Under English law, an assignment is perfected once notice is given to the borrower. In the absence of such notice, the assignee’s rights under the assignment become an equitable right. The transfer of an obligation would require the consent of the borrower.

Borrower consent may be required prior to any assignment of loans.

Securitisation risk retention requirements

Are securitisation transactions subject to risk retention requirements?

See question 23.

Securitisation confidentiality and data protection requirements

Is a special purpose company used to purchase and securitise peer-to-peer or marketplace loans subject to a duty of confidentiality or data protection laws regarding information relating to the borrowers?

There are likely to be contractual duties of confidentiality in the relevant local documentation that may require borrower consent prior to disclosure concerning the loans or the borrowers. Further, if the borrowers are data subjects for the purposes of the DIFC Data Protection Law, the special purpose vehicle is likely to be treated as a processor for the purposes of the DIFC Data Protection Law.

Artificial intelligence, distributed ledger technology and crypto-assets

Artificial intelligence

Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

There are currently no rules or regulations governing the use of artificial intelligence, nor are there currently any regulations specific to automated investment advice (ie, robo-advisory services). Those conducting such automated investment activities will need to ensure that they are authorised to provide investment advice, irrespective of the method of delivery of that advice.

The DFSA’s ITL regime (see question 2) has been used to issue licences relevant to automated investment advisory services. In such cases, there are bespoke disclosures, reporting conditions and monitored progress in line with an agreed ‘regulatory test plan’. Firms intending to provide robo-advisory services have also been accepted into the ADGM’s RegLab (which provides a controlled environment for fintech participants to develop and test innovative fintech solutions - see question 2).

Distributed ledger technology

Are there rules or regulations governing the use of distributed ledger technology or blockchains?

There are currently no dedicated rules or guidelines regarding the use of distributed ledger technology (DLT) or blockchain.

It is important to note that the UAE federal government and certain emirate-level governments have publicly committed to the creation of problem statements and use cases to enable government services to benefit from DLT and, in particular, blockchain. Examples of this include the government of Dubai’s public commitment to have all government services and transactions on the blockchain by 2020.

In some areas, UAE law is permissive as regards the use of DLT and distributed digital ledgers or databases in scenarios where parties intend to create legal relations; for example, article 12 of Federal Law No. 1 of 2006 on Electronic Commerce and Transactions, which seems to have foreseen ‘smart contracts’ by confirming the validity and enforceability of contracts formed through computer programs that include two or more electronic information systems preset and preprogrammed to carry out the transaction, even if no individual is directly involved.


Are there rules or regulations governing the use of cryptoassets, including digital currencies, digital wallets and e-money?

Virtual currencies are defined in the Digital Payment Regulation (referred to in question 12) as:

Any type of digital unit used as a medium of exchange, a unit of account, or a form of stored value. Virtual Currency is not recognised by this Regulation. Exceptions are made to a digital unit that: (a) can be redeemed for goods, services, and discounts as part of a user loyalty or rewards programme with the Issuer; and (b) cannot be converted into a fiat/virtual currency.

The Digital Payment Regulation contained a provision which expressly stated that ‘all virtual currencies (and any transactions thereof) are prohibited’. A month after the Digital Payment Regulation was published, the Governor of the UAE Central Bank issued a statement to the state media to say that the regulations ‘do not cover digital currency’ but are under further review and likely to be subject to new regulations in due course. There remains a grey area around the specific legal status of virtual currencies (eg, bitcoin) in the UAE, which affects how they are treated and any restrictions around specific use.

The new ADGM regulatory framework for cryptoassets introduced on 25 June 2018 (see question 29) features a number of guidance points related to cryptoassets and digital wallets.

Digital currency exchanges

Are there rules or regulations governing the operation of digital currency exchanges or brokerages?

Following a public consultation, on 25 June 2018 the ADGM FSRA issued its framework for the regulation of spot cryptoasset activities, including those undertaken by exchanges, custodians and other intermediaries in ADGM. Specifically, the FSRA has introduced the new regulated activity of ‘Operating a Crypto Asset Business’ that covers, among other things, the arranging, buying, selling, providing custody, marketing and advising on the merits of buying or selling of ‘Accepted Crypto Assets’. The new regime also includes a regulatory framework for the operation of a ‘Crypto Assets Exchange’ and a ‘Crypto Asset Custodian’.

On 14 May 2019, the FSRA issued its updated guidance addressing, among other things:

  • Stablecoins and fiat tokens: stablecoins that are fully backed by fiat currencies (fiat tokens) will be treated as a form of digital representation of money. Where used as a payment instrument for the purposes of money transmission as defined under the ADGM’s Financial Services and Markets Regulations 2015 (FSMR), the activity will be licensed and regulated as ‘providing money services’.
  • Custody: further clarity on the types of cryptoasset custody activities that can be undertaken, and setting out FSRA expectations in terms of custody governance and operations.
  • Technology governance: further enhancements and clarifications are introduced, including in relation to changes in the underlying protocol of a cryptoasset that results in a fork (coding change), and the associated governance and control expectations for cryptoasset exchanges and licence-holders.
  • FSRA Anti-Money Laundering and Sanctions Rules and Guidance: as the AML Rulebook applies in full to the regulated activity of cryptoasset operators or holders, the guidance has been updated with the latest local and global changes, and provides further clarity on the use of new regulatory and surveillance technologies in this area.

Currently, there are no other rules in onshore UAE, the DIFC or the ADGM specific to the operation of digital currency exchanges or brokerages However, the existing regulations relevant to exchanges or authorised market institutions generally may apply if a digital currency is deemed to be a security (see question 30).

Initial coin offerings

Are there rules or regulations governing initial coin offerings (ICOs) or token generation events?

Not specifically, although it is increasingly an area of focus for regulators.

On 13 September 2017, the DFSA issued a General Investor Statement on Cryptocurrencies that warned that it considered ICOs to be high-risk investments due, in part, to the complex systems and technology on which they are based. According to the DFSA General Statement, cryptocurrencies and ICOs have their own unique risks, which may not be easy to identify or understand. The statement urged potential investors to conduct due diligence and exercise caution. This is a similar approach to that taken by the UK’s Financial Conduct Authority, which released a consumer warning on the risks of ICOs on 12 September 2017.

In the ADGM, the FSRA is moving towards greater regulation of virtual currencies under its principal financial services legislation, the ADGM FSMR, as amended. The FSRA issued its Supplementary Guidance - Regulation of Initial Coin/Token Offerings and Virtual Currencies under the FSMR on 9 October 2017, which is aimed at those wanting to use ICOs to raise funds, investors and generally anyone considering transacting in virtual currencies. It states that whether or not an ICO is regulated under the FSMR will be assessed by the FSRA on a case-by-case basis. If the tokens in an ICO are assessed to exhibit the characteristics of a security (as defined in FSMR, such as, among other things, ‘certificates representing certain financial instruments’ or ‘instruments giving entitlements to investments’), the FSRA may deem them to be a security under section 58(2)(b) of the FSMR, which empowers the FSRA to deem any investment a security under ADGM regulation. The ADGM Guidance also outlines that derivatives of virtual currencies or security tokens will be regulated as ‘specified investments’ under the FSMR. However, the ADGM Guidance states that other virtual tokens that do not exhibit the features and characteristics of a regulated investment or instrument under the FSMR will be treated as commodities and not regulated as specified investments under the FSMR.

Outside the UAE’s financial free zones in onshore UAE, the UAE Central Bank issued a Regulatory Framework for Stored Values and Electronic Payment Systems on 1 January 2017 (the EPS Regulation (see question 12)), under powers vested in the UAE Central Bank under the CB Law. The EPS Regulation states that its purpose is to facilitate robust adoption of digital payments across the UAE in a secure manner. However, it then states that virtual currencies (and any transactions thereof) are prohibited.

A virtual currency is defined as ‘any type of digital unit used as a medium of exchange, a unit of account, or a form of stored value, although there are exceptions for digital units that can be redeemed for goods, services, and discounts as part of a user loyalty or rewards programmes with the issuer, and which cannot be converted into a fiat or virtual currency’.

On the face of it, the EPS Regulation seemed to cover the major virtual or cryptocurrencies on the market. However, on 23 October 2017, the Governor of the UAE Central Bank stated that the EPS Regulation did not apply to all virtual currencies. The Governor then clarified the UAE Central Bank’s policy on virtual currencies on 23 October 2017 by warning against use of ‘digital coins’ saying it had not issued a licence to allow virtual currencies in the local UAE market. The Governor also warned of the risks of using digital currencies as a medium for exchange, stating that because virtual currencies do not go through official channels and cannot be monitored or controlled, they pose a risk of being used for money laundering or terrorist financing purposes.

Similarly, the SCA issued a public warning on ICOs in February 2018, cautioning investors to be aware of some risks associated with these investments, such as the potential for fraud, high volatility in light of speculation, and the fact they are not specifically catered for under existing SCA regulations. Whether the SCA will consider ICOs as a ‘foreign security’ under existing legislation, such as the SCA Promoting and Introducing Regulations (SCA Decision No. 3/R of 2017), remains to be seen.

Data protection and cybersecurity

Data protection

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

Rules and regulations governing the processing and transfer (domestic and cross-border) of data relating to fintech products and services

The UAE does not have a specific, standalone data protection law. Instead, various general and sector-specific laws and regulations govern aspects of the processing of personal data in the UAE. For example, the UAE Constitution provides for a right to freedom and secrecy of communications; the Penal Code and Cybercrime Law provide for a range of criminal offences prohibiting the disclosure or publication of private information and the interception of personal communications; the Civil Code and Labour Law set out certain obligations on employers when dealing with employee information; another law governs the collection, processing and disclosure of credit-related information; and telecoms operators are subject to special regulations regarding the protection of subscriber information.

While there has been no formal confirmation or release, a draft data protection law is understood to be under consideration by the UAE government.

The ADGM and DIFC have each introduced standalone laws governing the processing of personal data by organisations operating in their respective zones. These laws share many common elements. Each law requires that personal data is processed in a manner that is fair, lawful and secure.

The most common methods used by businesses in each free zone to ensure that their processing of personal data is fair and lawful are:

  • by obtaining the consent of the relevant individual to the processing of their data;
  • by processing the data based on the ‘legitimate interests’ of the company undertaking the processing (provided that the interests of the individual are not unduly affected);
  • by processing in order for the company undertaking the processing to comply with a legal requirement (not a contractual requirement); and
  • by processing in order to perform or enter into a contract with the individual.

The ADGM and DIFC data protection laws also require organisations to:

  • provide specific information to individuals before collecting their personal data;
  • create various rights for individuals, including rights to obtain a copy of personal data, to require the correction or deletion of personal data, and to object to the processing of personal data, that a company holds about them;
  • require organisations to implement appropriate security measures; and
  • impose conditions concerning the disclosure of personal data to third parties and the transfer of personal data outside the respective free zone.

The DIFC law is enforced by the Commissioner of Data Protection, while the Registrar is responsible for enforcing the ADGM law.

Fintech-specific rules and regulations

Of particular relevance to fintech products and services is the Digital Payment Regulation (see question 12), which requires PSPs to keep users’ identification and transaction data confidential and to only disclose such data to the relevant user, the Central Bank, another regulatory authority approved by the Central Bank or by order of a UAE court. There is a separate requirement to ensure that personal data is only processed and shared for the purposes of compliance with AML and terrorist financing legislation. The Digital Payment Regulation also provides for minimum retention periods for user and transaction data. There are no other legal requirements or regulatory guidance relating to personal data that are specifically aimed at fintech companies.

Anonymisation and aggregation of personal data

There are no specific legal requirements or regulatory guidance in the UAE dealing with the anonymisation or aggregation of personal data used for commercial gain. This, and the absence of a specific data protection law in the UAE (outside the financial free zones), has the result that there is a wider scope for the commercial exploitation of data for commercial purposes in the UAE.

The definitions of ‘personal data’ in the ADGM and DIFC data protection laws each require the individual to whom the data relates to be identifiable. The guidance published by the DIFC Commissioner of Data Protection suggests that, as data that is stripped of all personal identifiers will no longer relate to an identifiable individual, the DIFC data protection law will no longer apply.

The guidance cautions that complete anonymisation may be difficult to achieve in practice, since data will still be protected if it is possible to identify an individual indirectly using the data. The guidance also reminds organisations that the act of anonymisation is itself an activity that must be conducted in compliance with the DIFC Data Protection Law. The guidance published in respect of the ADGM data protection regime does not provide further comment on the anonymisation or aggregation of personal data.

In light of the restrictions on the processing of user and transaction data introduced by the Digital Payment Regulation (see question 43), PSPs seeking to use personal data for commercial gain will need to consider employing anonymisation and aggregation techniques in respect of the data they hold.


What cybersecurity regulations or standards apply to fintech businesses?

Fintech businesses must comply with the UAE Cyber Crimes Law (Federal Law 5 of 2012 on Combatting Cybercrimes), the provisions of which broadly relate to IT security, state security and political stability, morality and proper conduct and financial and commercial issues arising from the use of the internet or IT infrastructure. It should be noted that the Cyber Crimes Law has extraterritorial effect.

Outsourcing and cloud computing


Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

There is no regulatory guidance setting out notification or approval requirements where a financial services company in the UAE intends to outsource a material aspect of its business. However, depending on the nature of the company and the functions being outsourced, there may be other restrictions. For example, the Digital Payment Regulation imposes restrictions upon certain PSPs (as referred to in question 12) looking to outsource operational functions where, among other things, the functions being outsourced are deemed materially important or where a defect or failure in performance of the outsourced functions would materially impact continued compliance with licensing requirements.

Cloud computing

Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

There are regulations that set parameters around the use of cloud computing in the context of outsourcings, which includes those within the financial services industry.

Organisations carrying out functions that are regulated by the DFSA (in the DIFC) or the FSRA (in the ADGM) have specific obligations in relation to material outsourcings, which in practice will include many cases of the use of cloud computing services. In respect of each material outsourcing, the organisation must implement policies and risk management programmes, enter into an appropriate contract with the service provider incorporating certain minimum terms, and notify the relevant regulator of the outsourcing arrangement.

The Digital Payment Regulation regulates how PSPs (other than non-issuing PSPs) may outsource operational functions, which could include outsourcings to cloud service providers. In respect of each outsourcing, the PSP must obtain approval from the Central Bank. The outsourced services are required to be carried out in the UAE (outside the financial free zones). Special rules apply when an outsourcing is considered to relate to a material operational function (see question 33), although no specific distinction or guidance is given in relation to cloud computing solutions.

Intellectual property rights

IP protection for software

Which intellectual property rights are available to protect software, and how do you obtain those rights?

Original computer programs and related software applications are protected by copyright as literary works. Databases underlying software programs can also attract copyright protection. Copyright arises automatically as soon as the relevant literary work is created, so when a computer program is recorded, software lines are coded or when a database is created. There is no requirement to register these rights in order to be able to have them recognised or enforce them against a third party in the UAE.

If the software code has been kept confidential, it may also be protected as confidential information and unauthorised disclosure can attract criminal sanctions. No registration is required.

As computer programs are not specifically excluded from patentability under UAE legislation, so long as registration formalities are followed, it is possible in principle to obtain patent protection for software-implemented inventions and business methods. It is likely to be more difficult, however, for such inventions to meet the criteria of novelty, inventiveness and industrial applicability as required by UAE legislation.

IP developed by employees and contractors

Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

Copyright in works created by an employee in the course of employment will not automatically be owned by the employer. Such a work will be owned by the individual employee or, if created alongside others, may be protected as a joint work. It may be possible for the employer to assert that a work created under the supervision or direction of the employer meets the conditions for protection as a collective work under the UAE legislation.

In most cases, however, employers seeking to take ownership of copyright-protected works created by employees must do so by way of written assignment. Under the Copyright Law, a provision in a contract that purports to assign the copyright in more than five future works will be void.

In the context of patents, provided that an employee’s role includes inventive activities, inventions created by an employee in the course of an employment contract are automatically owned by the employer, unless otherwise agreed. Different rules apply if the employee’s role does not include inventive activities. In these cases, the employer may exercise an option to take ownership of the invention within four months of becoming aware of the invention and the employee is entitled to receive fair compensation.

The same rules that apply to employee creators of copyright-protected works apply in respect of works created by contractors and consultants. Such works will be owned by the individual creator or, if created alongside others, may be protected as joint works.

As against employee creators, different rules apply in respect of inventions created by a contractor or consultant during the course of a contract. In these cases, the contractor or consultant will own the invention, unless otherwise agreed.

Joint ownership

Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

Joint owners of a copyright-protected work in which it is not possible to separate the contributions of each owner cannot exercise their rights to use, license or assign the work individually, unless otherwise agreed in writing.

Where multiple authors contribute different kinds of art to a single work, they may each exploit their individual contributions provided that this does not damage the exploitation of the joint work. The legal position is less clear in relation to works that include contributions of the same kind of art from multiple contributors.

A joint owner of a patented invention may exploit or assign his or her rights independently of the other patentees. However, joint patentees may only license the exploitation of the patent jointly with the other patentees.

Trade secrets

How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

The UAE legislation dealing with patents and industrial designs also includes specific protection for trade secrets and know-how. Employees have specific statutory duties to keep the commercial and industrial secrets of their employers confidential and may be criminally liable in cases of unlawful use or disclosure of information. Trade secrets and confidential information more broadly are commonly protected by way of contractual obligations.

Court proceedings in the UAE are not held in public and there is therefore less of a concern around maintaining the confidentiality of trade secrets in this context.


What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

Brands can be protected as registered trademarks in the UAE. An application for registration and other formalities must be pursued to obtain protection. A law recognising a unified trademark regime for Gulf Cooperation Council countries has been decreed in the UAE but has not yet entered into force.

The UAE trademark database can be used to identify registered trademark rights and therefore help ensure that a fintech business does not infringe existing brands. The database is not available to the public but the law provides for a right to obtain a certified extract of the contents of a register upon payment of a fee. Applicants must pay a separate fee to search each class for existing trademark rights.

It is highly advisable for new businesses, perhaps using the services of specialist trademark attorneys, to check whether the database enquiry results indicate earlier registrations that are identical or similar to their proposed brand names and marks. It may also be advisable to conduct internet searches for any unregistered trademark rights that may prevent use of the proposed mark.

Remedies for infringement of IP

What remedies are available to individuals or companies whose intellectual property rights have been infringed?

Remedies available to individuals or companies include:

  • precautionary measures, including requirements to cease use of an infringing item;
  • confiscation or destruction of infringing items;
  • damages; and
  • publication orders.

The UAE legislation dealing with intellectual property rights, including in respect of patents, designs, trademarks and copyright, provides for criminal liability in various cases of infringement.


Sector-specific issues

Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

Since the enactment of Federal Law No. 12 of 2012, the UAE has had a standalone, federally applicable competition law that covers anticompetitive agreements, abuse of dominance and merger control; however, the law also has a list of sectors that are entirely excluded from its scope. One of these wholly excluded sectors is the financial sector. The list of excluded sectors and other important aspects of the competition regime in the UAE are within the discretion of the Ministry of Economy, and fintech businesses in the UAE will need to consider their specific competition law issues to assess their exposure. Looking ahead, there is expected to be increased consolidation in the banking sector and an expectation of greater collaboration, information-sharing and other horizontal arrangements, all of which could give rise to competition law risks in the UAE.



Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

There are no special incentives. However, onshore UAE, the DIFC and ADGM are all currently low or zero-tax jurisdictions.

Increased tax burden

Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

There are no relevant new or proposed tax laws or guidance.


Sector-specific schemes

What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

Once an employee enters the UAE on an entry permit, the employer must make an application for a residence visa to the immigration authorities. Before the visa is granted, the employee must pass a medical examination. These requirements must be satisfied within 60 days of the employee’s entry into the UAE on the entry permit. Residence visas are typically valid for two years outside the free zones and three years for employees within a free zone. The total cost of the residence visa and the required permits depends on the nature of the company’s activity and whether the employee is hired within or outside the UAE. The cost outside the free zones ranges from US$400 to US$1,200. Free zone costs can differ.

Both financial free zones in the UAE offer start-up-specific licences that, if obtained, provide for the recruitment of skilled staff from outside of the UAE. In 2018 the ADGM introduced the ADGM Tech Start-up Commercial Licence, under which it is possible to secure up to four UAE residence visas. In the DIFC, the DIFC FinTech Commercial Licence enables fintech start-ups to apply for residence visas for their staff, the number of which is dependent on office space (generally one visa per 80 square feet).

Investor visas are available to shareholders and proprietors.

Update and trends

Current developments

Are there any other current developments or emerging trends to note?

Current developments45 Are there any other current developments or emerging trends to note?

Not applicable.