Fintech UAE SAUDI ARABIA TURKEY UK EU BAHRAIN Compass

KARM LEGAL CONSULTANTS
FINTECH LEGAL
COMPASS
A Ready Reckoner For FinTech Licensing
UAE SAUDI ARABIA TURKEY UK EU BAHRAIN
AUTHORS
TABLE OF CONTENTS
INTRODUCTION 1
FOREWORD 2
FINTECH IN THE UNITED ARAB EMIRATES 3
A. INTRODUCTION 5
B. GENERAL OVERVIEW OF THE UAE’S REGULATORY FRAMEWORK 5
C. MAINLAND – CENTRAL BANK OF THE UAE 6
1. S
tored Value Facilities 6
2.Acquiring And Payment Aggregation 8
3.Open Banking 10
4.Buy Now Pay Later 11
D. DIFC 12
1. Stored Value Facilities 13
3.Open Banking 17
E. ADGM 20
2. Acquiring And Payment Aggregation 23
3. Open Banking 24
4..Buy Now Pay Later 25
FINTECH IN THE KINGDOM OF SAUDI ARABIA 28
A. INTRODUCTION 30
B. GENERAL OVERVIEW OF KSA’S REGULATORY FRAMEWORK 30
3.Open Banking 35
FINTECH IN THE KINGDOM OF BAHRAIN 40
A. INTRODUCTION 42
B. GENERAL OVERVIEW OF BAHRAIN’S REGULATORY FRAMEWORK 42
1.Stored Value Facilities 43
2. Acquiring And Payment Aggregation 45
3.Open Banking 46

FINTECH IN THE REPUBLIC OF TURKEY 49
A. INTRODUCTION 51
B. GENERAL OVERVIEW OF TURKEY’S REGULATORY FRAMEWORK 51
1. S
tored Value Facilities 54
3.Open Banking 55
FINTECH IN THE UNITED KINGDOM 58
A. INTRODUCTION 60
B. GENERAL OVERVIEW OF UK’s REGULATORY FRAMEWORK 60
3.Open Banking 65
FINTECH IN THE EUROPEAN UNION 70
A. INTRODUCTION 72
B. GENERAL OVERVIEW OF EU’S REGULATORY FRAMEWORK 72

3.Open Banking
78
4.Buy Now Pay Later
80
EXECUTIVE SUMMARY
84
INTRODUCTION
In an era where technology and finance converge, the FinTech industry stands at the forefront of a major global
transformation. This report presents a comprehensive landscape of the FinTech regulatory frameworks across several
pivotal jurisdictions:
1 The United Arab Emirates (UAE) 4 Kingdom of Bahrain (Bahrain)
2 Kingdom of Saudi Arabia (KSA) 5 European Union (EU)
3 United Kingdom (UK) 6 Republic of Turkey (Turkey)
Each of these jurisdictions represents a unique confluence of technological innovation and regulatory strategy, shaping
the contours of the global FinTech landscape.
With its visionary leadership, the UAE is spearheading FinTech initiatives in the Middle East and North Africa (MENA)
region, leveraging its strategic position to bridge eastern and western financial markets. KSA and Bahrain are also
emerging as significant players, introducing progressive regulations to nurture FinTech start-ups and attract global
investment. In contrast, the EU and UK, with their established financial systems, face the challenge of integrating FinTech
innovations into a complex regulatory tapestry, balancing the need for innovation with consumer protection and
financial stability. Turkey, on its part, showcases a burgeoning FinTech sector driven by a young, tech-savvy population
and a growing emphasis on digital transformation in financial services.
This report not only maps out the regulatory frameworks but also dives into the growth of the following sectors in these
regions.
1. Stored Value Facilities

2. Acquiring and Payment Aggregation
3. Buy Now Pay Later
4. Open Banking
Along with WH Partners (Malta), TBL Legal (Turkey), and Travers Smith LLP (UK), we bring you this report with the hope of
contributing to FinTech legal know-how. We hope you enjoy reading it as much as we enjoyed drafting it.
- TEAM KARM LEGAL
1
FOREWORD
I am very happy that KARM has taken the initiative to release this report, which
examines regulatory frameworks across key jurisdictions such as the UAE, KSA,
Bahrain, EU, UK, and Turkey. The visionary leadership in the UAE positions it as a
fintech pioneer in the MENA region, while KSA and Bahrain emerge as players
fostering start-up growth.
This report will help the readers delve into cultural and economic influences,
exploring how each region’s stance on digital payments and cross-border
transactions shapes their fintech ecosystems. Ultimately, this report will offer
valuable insights for investors, entrepreneurs, and policymakers navigating the
evolving world of FinTech.
I wish Team KARM the very best.

- Dr. Nouran Youssef
(Senior Financial Sector Specialist, Arab Monetary Fund)
2
CHAPTER 1
UNITED ARAB EMIRATES
Authors - Akshata Namjoshi, Ratul Roshan, Abdulhaleem Mabisi (KARM Legal Consul-
3
ABBREVIATIONS
CBUAE Central Bank of the United Arab Emirates
DIFC Dubai International Financial Centre
DFSA Dubai Financial Services Authority
ADGM Abu Dhabi Global Market
FSRA Financial Services Regulatory Authority
PSP Payment Service Provider
PISP Payment Information Service Provider
AISP Account Initiation Service Provider
BNPL Buy Now Pay Later
FinTech Financial Technology
MENA Middle East and North Africa
GCC Gulf Cooperation Council
GFIN Global Financial Innovation Network
AML Anti-Money Laundering
CTF Counter Terrorism Financing
AED United Arab Emirates Dirham
CAGR Compound Annual Growth Rate
CEO Chief Executive Officer
AMF Arab Monetary Fund
UAE United Arab Emirates
CO Compliance Officer
MLRO Money Laundering Reporting Officer
SEO Senior Executive Officer
4
A. INTRODUCTION
In the dynamic and constantly changing realm of global finance, the Arab world, spanning both the MENA and GCC
regions, stands out prominently. At the center of attention within this landscape is undeniably the UAE, emerging as a
trailblazer in the field of FinTech.
The 2021 AMF Finxar index report is a testament to this, wherein the UAE outshone its regional counterparts, achieving
a leading score of 75% against the general index score of 43% for all members.1 In the same year, the UAE received the
largest proportion of funding (32%) and FinTech deals (49%) in the MENA region.2 A recent report by Amazon Payment
Services (2023) highlighted the UAE’S significant achievement of leading the MENA region with 800+ FinTech start-
ups worth a total of USD 15.5 billion within its borders.3 Additional research and analysis from Mordor Intelligence
found that with the current trajectory, it expects the UAE FinTech market to grow at a 10%+ CAGR by 2028.4
By intertwining progressive technological adoption with thoughtful regulatory development, the UAE has not only
positioned itself as the regional leader but is being recognized globally.
B. GENERAL OVERVIEW OF THE UAE’S REGULATORY FRAME-

The country’s regulatory system is characterized by multiple regulatory authorities contributing to FinTech development
and fostering an environment conducive to growth and innovation.
The UAE’S monetary regulator, the CBUAE, is responsible for regulating financial services at a federal level. Its
collaborative role ensures a unified approach and sets standards that guide the entire financial landscape within the
UAE.
Further, the UAE has two financial free zones, namely, ADGM and DIFC. These financial free zones have distinct
financial, civil, and commercial laws, including detailed financial regulations and independent regulatory authorities.
Companies that want to set up in either ADGM or DIFC need to apply for a different license than they would if they
were operating in the rest of the UAE. Financial services in ADGM and DIFC are regulated by the FSRA and DFSA,
respectively.
This multifaceted regulatory system offers the UAE a unique advantage. FinTech companies are offered a choice of
three distinct jurisdictions, each with its own set of regulatory requirements, further enhancing the flexibility and appeal
of the UAE as a FinTech hub.
Below is a mapping of the key financial services licensing authorities in the UAE, providing an overview of the
jurisdictional framework:
JURISDICTION REGULATOR
Mainland Federal Authority CBUAE
Financial Free Zone - DIFC DFSA
Financial Free Zone - ADGM FSRA
1. Arab Monetary Fund, ’Arab Region FinTech Guide’ (Edition 2) 2021. (link)
2. Magnitt, FinTech 2022 Venture Investment Report (link).
3. Amazon Payment Services, ‘What's Next for Digital Payments in the Middle East and North Africa’ 2023 (link).
4. GlobeNewswire FinTech Report (link).
5
C. MAINLAND – CENTRAL BANK OF UAE
The CBUAE is the onshore regulator for activities including banking, insurance, finance, and payments. The CBUAE is
behind the UAE’S FinTech growth at the federal level, achieving this through several initiatives such as the establishment
of the FinTech Office. The office aims to grow the UAE’S FinTech industry through collaborative partnerships, strategies,
sandbox regimes in collaboration with ADGM and DIFC, and regulatory development.
Furthermore, the CBUAE published the Financial Infrastructure Transformation Programme (FITP) in February 2023.
The program aims to make the UAE a global financial hub with nine key initiatives, including digital eKYC, supervisory
technology, financial cloud, an instant payments platform, and open finance. The FITP aims to improve regulatory
compliance, reduce the cost of operation, enhance innovation and customer experience, and strengthen security and
operational resilience for the financial industry.
The CBUAE regulates the issuance of digital wallets and prepaid cards. As on the date of drafting this report, 8 entities
have received licenses under the Stored Value Facilites (SVF) Regulation (SVF Regulation).
The CBUAE has implemented a four-category licensing scheme for PSPs under the Retail Payment Services and Card
Schemes Regulation (RPSCS Regulation). Each license category will enable a PSP to provide a prescribed number of
the 9 retail payment services covered under the RPSCS Regulation, with lower categories permitting more regulated
activities and having higher capital requirements. As on the date of drafting this report, 15 entities have received
licenses under the RPSCS Regulation.

The issuance of SVFs is governed by the SVF Regulation, administered by the CBUAE. Accordingly, any entity seeking
to issue and operate SVFs in mainland UAE is required to procure a license from the CBUAE under the SVF Regulation.
An SVF refers to a non-cash facility where a customer pays money in advance (or something equivalent to money,
such as reward points or virtual assets) so that they can later use this pre-paid amount to purchase goods or services.
1.1. Licenses
The SVF Regulation expressly recognizes two form factors for SVFs:
a) Device-based: Where stored value can be accessed through an electronic chip on a physical device, such as
pre-paid cards; and
b) Non-device-based: Where value is stored on a network-based account and can be accessed through the internet,
a computer network, or a mobile network, such as digital wallets.
1.2. Capital Requirements

Licensees are required to maintain (both):
a) Paid-up capital: AED 15,000,000 (fifteen million) (~ USD 4,083,805); and
b) Aggregate capital 5: 5% of the total amount of money that has been loaded by customers to the wallet/card but
not yet spent (Float).
5. Aggregate capital = Paid up capital + Reserves ( excluding revaluation reserves ) + retained earnings - Accumulated losses - Good-
6
The CBUAE may stipulate higher capital requirements as well. A licensee must also submit to the CBUAE a bank
guarantee for the capital amount during the application process.
EXEMPTIONS
The SVF Regulation exempts the issuers of certain types of SVFs from licensing requirements, provided exemption is
expressly granted by the CBUAE. In such cases, the CBUAE’S decision to grant an exemption is based on the risk the
SVF poses to its (potential) customers, customer funds, and the UAE’S financial system.
EXEMPTION
S.NO TYPE OF SVF DESCRIPTION EXAMPLE
APPLICATION
Gift cards issued by,

Single-purpose SVFs used only to purchase goods
1. and usable at, a single Required
SVFs or services provided by the issuer.
retail store.
SVFs where money paid by the

issuer or another party can only
Loyalty schemes used by
2. Reward schemes be spent on specific goods Required
shops/supermarkets.
or services from them under
specific terms.
SVFs used to only purchase digital

SVFs for digital content such as ringtones, music, Wallets of app
3. Required
products videos, electronic books, games, stores
and applications.
SVFs used only for bonus point

Bonus point Airline mileage
4. schemes where the points are Required
schemes programs
not redeemable for cash.
SVFs used to make payments for

goods and services offered by a
Gift cards that can
limited range of merchants with
Limited network be used at a specific
5. whom the issuer has a contractual Required
SVFs mall or at stores under
agreement. The merchants may
common ownership.
be limited by location, brand, or
ownership.
SVFs offered to 100 customers

or less, and the total value of Required along
money or money’s worth stored with participation
6. Limited scale SVFs NA
on behalf of such customers does in FinTech Office
not exceed AED 500,000 (five Sandbox.
hundred thousand)(~ USD 136,126)
1.3. Licensing Fees

The SVF Regulation does not expressly state any licensing fees for applications.
7
1.4. Licensing Process
a) The CBUAE’S licensing process begins with pre-application discussions where applicants present their business
model to the CBUAE.
b) They then submit a detailed application covering areas such as corporate governance, AML, information security,
and risk management.
c) If approved, they receive an In-Principle Approval (IPA) and have a year to meet its requirements.
d) Successful completion of the IPA conditions results in a final license.
1.5. Local Hiring Requirements

The CEO or an equal alternative must ordinarily reside within the UAE. Similarly, the senior management team and the
key personnel responsible for SVF’s operation, system support, risk management, and compliance must be based in the
UAE. The CBUAE may approve otherwise on a case-by-case basis.
1.6. Observations
The CBUAE provides clear guidelines on the scope of activities under an SVF license by including and defining device-
based and non-device-based SVFs, whilst excluding closed loop and other types of systems that do not necessarily
pose high risks to the UAE financial system and customers.
The SVF Regulation establishes compliance requirements for SVFs, relating to the conduct of business, risk management,
record keeping, reporting, technology, cyber security, data/customer protection, and AML/CTF. The compliance
requirements observably give more weight to technology and specific risk management guidelines.
The CBUAE does not impose any mandatory limits on the amount of value that can be stored by a customer. However,
the CBUAE expects issuers to impose reasonable limits with respect to business risk, money laundering risks associated
with the product, and individual customer risk levels. The CBUAE may impose limits on SVF issuers during licensing,
including potentially exempt SVFs.
Regarding marketing, overseas and unlicensed SVFs are prohibited from advertising, inviting, or soliciting their
products to the public. The CBUAE will take into account factors such as the nature and location of top-up channels
and promotional material to determine whether an SVF provider is acting within the UAE.

The CBUAE is one of the few regulators that identifies merchant acquiring and payment aggregation as two distinct
services and regulates them as such. Merchant acquiring and payment aggregation services providers are regulated
under the RPSCS Regulation as PSPs and are required to procure a license from the CBUAE to offer such services in
mainland UAE.
A ‘Merchant Acquiring Service’ has been defined as a service that enables payees (such as merchants) to accept and
process payment transactions, leading to the transfer of funds to the payee’s account.
A ‘Payment Aggregation Service’ has been defined as a service that enables online sellers to accept different payment
methods (without needing their own payment integration system or directly engaging with a merchant acquirer) by
collecting payments from customers, pooling them, and transferring them to sellers after a period of time.
8
2.1. Licenses
Merchant acquisition and payment aggregation services are available under 3 license categories:
a) Category I license;
b) Category II license; and
c) Category III license.
PSPs who only offer merchant acquiring and/or payment aggregation services can opt for the most suitable and cost-
effective Category III license.

The capital requirements under the RPSCS Regulation differ based on the license category and the amount of payment
transactions sought to be undertaken by the PSP. Provided below are the capital requirements for a Category III license.
Average monthly value of Initial Capital** Aggregate capital

payment transactions* (Upon grant of license) (During operations)
Below AED 10,000,000 (ten million) AED 500,000 (five hundred

(~ USD 2,722,533); thousand) (~ USD 136,126);
Must not, at any point in
time, fall below the initial
capital requirement.
Above AED 10,000,000 (ten million) AED 1,000,000 (one million)
(~ USD 2,722,533); (~ USD 272,253);
*Calculated on the basis of the moving average of the preceding 3 months or, where such data does not exist at the
time of being granted a license by the CBUAE, on the basis of the business plan and financial projections provided.
**The CBUAE may stipulate higher capital requirements as
2.3. Licensing Fees

The RPSCS Regulation does not expressly state any licensing fees for applications.

Please refer to Section C.1.4.. for CBUAE’S licensing process.

The CEO or an equal alternative must ordinarily reside within the UAE. Similarly, the senior management team and the
key personnel responsible for service operation, system support, risk management, and compliance must be based in
the UAE. The CBUAE may approve otherwise on a case-by-case basis.
9
2.6. Observations
By recognizing merchant acquiring and payment aggregation as two separate payment services, the CBUAE has
demonstrated a clear understanding of the difference between the two services. The express recognition of payment
aggregation removes any regulatory ambiguity that may be present towards the treatment of payment facilitators.
Under the RPSCS Regulation, PSPs must adhere to the corporate governance, risk management, auditing, record
keeping, AML/CTF, risk management, information security, and outsourcing requirements set out by the CBUAE.
Currently, 7 entities licensed under the RPSCS Regulation provide merchant acquiring and payment aggregation
services based on secondary sources.
3. Open Banking
The CBUAE regulates open banking services, in particular, payment initiation services and payment account information
services, under the RPSCS Regulation.
The term ‘Payment Initiation Service’ has been defined as a service that facilitates the initiation of a payment from an
account held with other PSPs or banks, based on a user’s request, without holding or maintaining funds at any point.
A ‘Payment Account Information Service’ has been defined as a service that provides consolidated information about
one or multiple payment accounts (such as current accounts, flexible savings accounts, and credit card accounts) held
by a user with other PSPs or banks.
3.1. Relevant Licenses

Under the four-category licensing scheme for PSPs under the RPSCS Regulation, payment initiation and payment
account information services are only covered under the Category IV license.

The capital requirements for a Category IV license are:
a) Initial capital (upon grant of license): AED 100,000 (one hundred thousand) (~ USD 27,225); and
b) Aggregate capital funds (during operations): Must not, at any point in time, fall below the initial capital requirement.
The CBUAE may stipulate higher capital requirements as well.
In addition to the above, Category IV licensees must hold a professional indemnity insurance whose amount shall
be decided upon by the CBUAE. Such insurance must cover liabilities for unauthorized, fraudulent, non-execution,
defective, or late execution of payment transactions.
3.3. Licensing Fees


Please refer to Section C.1.4. for CBUAE’S licensing process.
10
The local hiring requirements under the RPSCS Regulation have been set out under Section C.2.5.
3.6. Observations
In addition to the requirements applicable to all PSPs licensed under the RPSCS Regulation, PISPs and AISPs must
comply with supplementary data protection and technology risk & information security guidelines.
Open finance forms part of CBUAE’S FITP. Circular No. 7/2023, issued by the CBUAE on April 23, 2024, introduces
the Open Finance Regulation. The rollout of the Open Finance Regulation will occur gradually, with banks and insurers
being the initial participants.
The Open Finance Regulation mandates the sharing of information across various sectors, such as banking, insurance,
and e-money, and includes technical components like the Trust Framework, API Hub, and Common Infrastructural
Services to facilitate secure data sharing and transaction initiation.
Currently, there is an overlap between the RPSCS Regulation and the Open Finance Regulation concerning services
related to payments that fall within the scope of both regulations. Given the nascent state of the Open Finance
Regulation, we anticipate further developments in this area in the near future.

The CBUAE regulates Buy Now Pay Later under the Finance Companies Regulation.

The CBUAE recently issued amendments to their Finance Companies Regulation to introduce a new license category,
i.e., ‘Restricted Licence Finance Company.’ A ‘Restricted Licence Finance Company’ is a legal entity licensed solely to
provide ‘Short-Term Credit.’
‘Short-Term Credit’ is any credit provided to a borrower for up to 12 months specifically for buying identifiable goods
or services. Such credit should be interest-free and should not come with collateral requirements or the need for a
security deposit from the borrower.
Buy Now Pay Later services typically allow consumers to purchase goods or services immediately and pay for them
over a set period, usually within a few weeks to a few months. This aligns with the CBUAE’S definition of ‘Short-Term
Credit,’ as these transactions are typically interest-free and do not require collateral or security deposits from the
borrower.
Any entity intending to offer ‘Short-Term Credit’ must obtain a ‘Restricted Licence Finance Company’ license. As such,
Buy Now Pay Later companies operating in the UAE must apply for the ‘Restricted Licence Finance Company’ license.
Lending limit:
The credit limit for each borrower must be determined through affordability assessments. This assessment must consider
repayment capacity, minimize over-indebtedness risk, and ensure fair treatment of all borrowers. The maximum
permissible ‘Short-Term Credit’ that can be extended to a borrower is AED 20,000 (twenty thousand) (~USD 5,445)
or 3 months’ verified net income.
Cap on fees:
The total fees, including late payment fees, must not exceed 30% of the initial credit amount. This means that the maximum
amount a borrower can be asked to repay, even if there are changes or adjustments to the original agreement (such
as roll-overs and credit restructuring), should not exceed 130% of the original credit amount granted to the borrower.
11
The capital requirements for ‘Restricted Licence Finance Company’ are:
a) AED 20,000,000 (twenty million) (~ USD 5,445,474); or
b) 5% of the outstanding lending volume (whichever is higher);
The CBUAE may stipulate higher capital requirements as well.
4.3. Licensing Fees


Please refer to Section C.1.5. for CBUAE’S licensing process.

While the Finance Companies Regulation does not expressly state any requirements in this regard, the CBUAE generally
expects the CEO and key personnel responsible for system support, risk management, and compliance to be based
in the UAE.
4.6. Observations
The introduction of the ‘Restricted Licence Finance Company’ license under the Finance Companies Regulation marks
a crucial development, offering much-needed regulatory clarity to the Buy Now Pay Later sector in the UAE. Previously
operating in a legal grey area, this sector has gained immense popularity across the country. The new license ensures
a structured framework, fostering compliance and consumer trust in these financial services.
The UAE’S approach to regulating Buy Now Pay Later reflects a growing global trend of incorporating these novel
financial products into existing credit regulation structures (for example, Bahrain). The limit on fees is a novel requirement.
D. DIFC
The DIFC is recognized as a leading jurisdiction for FinTech in the MENA and GCC regions. The DIFC boasted USD
615,000,000 in investment to its FinTech community in 2022.6 Start-ups in the DIFC’s ‘FinTech Hive’ accelerator program
alone raised over USD 530,000,000 in 2021, a 76% increase from the previous year.7 Housing 60% of the GCC’s
FinTech companies, the DIFC expanded from 599 FinTech and innovation-based firms in 2022 to 811 by mid-2023.8
The success can be attributed to initiatives like the ‘FinTech Hive,’ the largest FinTech accelerator in the Middle East,
Africa, and South Asia region, and the Innovation Testing License (ITL) program, providing a flexible regulatory sandbox
for start-ups. The establishment of the DIFC FinTech Fund in 2019 further supported financial growth. DIFC’s consistent
innovation, regulatory development, and investment have solidified its reputation as a global hub for FinTech.
6. Investment surges in DIFC FinTech firms ahead of Dubai FinTech Summit (link).
7. DIFC records best performance in 17 year history driving Dubai’s next phase of growth (link).
8. DIFC’s H1 2023 performance strengthens Dubai’s position as global finance and innovation hub (link).
12
The DFSA’s regulatory framework for all types of financial services (such as banking, investments, and payments) is
provided under, inter alia, the Regulatory Law 2004 and the rulebooks issued thereunder. The rulebooks provide a
single set of regulations for all financial services, with each rulebook covering a different regulatory aspect. The relevant
rulebooks for FinTech services discussed in the report include the General Module, Conduct of Business Module, Fees
Module, Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module and Prudential – Investment,
Insurance Intermediation and Banking Module.

The issuance of digital wallets or prepaid cards falls within the scope of ‘Providing Money Services.’ In particular, the
following regulated activities are:
a) Issuing ‘Stored Value’: ‘Stored Value’ has been broadly defined as electronically/magnetically stored monetary
value that represents a claim on the issuer and is issued on receipt of funds or other assets (such as digital currency
but excluding reward points) for the purpose of making payments to entities other than the issuer.
Additionally, most applicants that provide SVF services have also applied for the below-regulated activity. However,
its applicability to SVF products in the strict sense must be discussed with the DFSA team during the licensing phase.
b) Issuing ‘Payment Instruments: ‘Payment Instruments’ have been broadly defined as a unique/personalized
physical device (for example, debit or credit card) or a personalized set of steps agreed upon between the user
and the service provider (for example, mobile application or telephone banking) which the user uses to initiate
transfers of funds.

While both ‘Payment Instrument’ and ‘Stored Value’ fall within the regulatory ambit of ‘Providing Money Services,’ the
license categories differ. They are:
a) Providing Money Services - Issuing Stored Value- Category 3C license; and
b) Providing Money Services - Issuing Payment Instruments- Category 3D license.
Depending on the nature of the digital wallet offered, the issuer may be required to procure both licenses. On the other hand,
the issuers of prepaid physical/virtual cards will require both licenses in all instances.
1.2. Account Balance Limits

Issuers must ensure that the below balance and transaction limits are not exceeded for any user:
Particulars Limits
Maximum amount of balance a

USD 5,000 (five thousand)
user is allowed to hold at any time
Maximum transaction amount for

USD 1,000 (one thousand)
each payment made by a user
13
Capital Requirement
Calculated for each activity as the highest

License of the BCR, EBCM, SVCR, or the TBCR
Activity
Category
Base Capital Expenditure-Based Stored Value Capital Transaction-Based
Requirement Capital Minimum Requirement Capital Requirement
(BCR) (EBCM) (SVCR) (TBCR)
An amount equal to 3%
Issuing USD 500,000 (five 18/52 of annual of the average daily
3C N/A
Stored Value hundred thousand) audited expenditure outstanding stored
value of the firm.9
● 4% of the first USD

5,000,000 (Five Million) of
payment volume;
● 2.5% of the next USD

5,000,000 (Five Million) of
payment volume;
Issuing ● 1% of the next USD

USD 200,000 (two 18/52 of annual 90,000,000 (Ninety Million)
Payment 3D N/A
hundred thousand) audited expenditure of payment volume;
Instruments
● 0.5% of the next USD

150,000,000 (Hundred
Fifty Million)of payment
volume;
● 0.25% of any remaining

payment volume.10
The issuer must also maintain a professional indemnity insurance cover appropriate to the nature, size, complexity,
and risk profile of the business.
1.4. Licensing Fees

The licensing fees are as follows:
a) Application fee: USD 25,000 (Twenty Five Thousand); and
b) Annual fee: USD 25,000. (Twenty Five Thousand)
9. ‘Average daily outstanding stored value of the firm’ means the average total of financial liabilities related to stored value in issue at the end of each calendar
day where that average is calculated over the previous six calendar months
10. Payment volume ’ refers to the total value of payment transactions executed by the firm in the previous financial year divided by 12.
14
The application fee is payable at the time of submitting the licensing application. An additional 100% of the application
fee may be payable depending on the Applicant's corporate structure.
Annual fees are payable on or before 1 January of the calendar year to which the fee relates. The first annual fee is
payable within 21 days of receiving the license and is calculated based on the remaining months in the calendar year.

The DFSA’s licensing process in DIFC comprises the following stages:
1. Pre-application: Entities engage in pre-application discussions with the DFSA regarding their business model
and the appropriate licenses.
2. Submission: Essential documents include a business plan and application forms requiring information pertaining
to AML, risk management, client money handling, and compliance procedures and manuals. The DFSA
acknowledges receipt within 2 days.
3. Review: DFSA conducts an initial review within 10 days, followed by a final assessment within 4 months.
4. In-principle letter: After the review, DFSA grants a letter (valid for 3 months) allowing further processes, such as
incorporation and leasing office space.
5. Final license: Issued upon satisfying the in-principle letter’s conditions. The timeframe varies based on application
details.

The SEO, CO, and MLRO must reside within the UAE. The DFSA may waive the residency requirement for an MLRO
or CO on a case-by-case basis.
1.7. Observations
The DFSA’s regulatory scope concerning money services is similar to other jurisdictions such as Europe, the United
Kingdom, and Singapore. In addition to common compliance requirements for all authorized entities in DIFC (record
keeping, risk management, auditing, complaints handling, and AML), issuers must adhere to additional compliance
requirements, which cover disclosures, strong customer authentication requirements, technical standards, and fraud
detection.
Currently, a total of 6 licensed entities are issuing digital wallets and/or pre-paid cards in DIFC. Out of these, 4 entities
are currently testing their services and hold an innovation testing license.
It is pertinent to note that if issuers seek to offer their services in AED, they must tie up with a bank licensed by the CBUAE.

The DFSA does not expressly recognize merchant acquiring or payment aggregation services as distinct regulated
activities.
However, there are certain activities that may be relevant in this regard (discussed under Section D.2.1.) Entities intending
15
2.1. Licenses
Merchant acquirers and payment aggregators may explore licenses for ‘Providing Money Services’ with the DFSA.
‘Providing Money Services’ includes providing or operating a ‘Payment Account.’ The term ‘Payment Account’ includes
an account held in the name of one or more users that is used to execute payment transactions (such as current
accounts, flexible savings accounts, and credit card accounts).
In merchant acquiring, all funds acquired for a particular card-based transaction are transferred from the issuing
bank/PSP to a merchant account maintained by the service provider. This merchant account is in the name of the
merchant and is used to temporarily hold funds before making a final settlement to the merchant’s main bank account.
Such a merchant account may qualify as a ‘Payment Account’ under DFSA’s regulatory framework.
In payment aggregation, the fund flow is similar. However, instead of maintaining separate merchant accounts for each
merchant, the funds are aggregated in an intermediary account maintained for all merchants before onward settlement
to the respective merchants. The DFSA recognizes that ‘Payment Accounts’ can be omnibus bank accounts.
Providing or operating ‘Payment Accounts’ falls within the ambit of a Category 3D license.
Please note that Sections D.2.2. to D.2.4. provide information on the requirements applicable to entities providing or
operating ‘Payment Accounts’ and not necessarily to merchant acquirers and payment aggregators.
Capital Requirement

License of the BCR, EBCM, or the TBCR
Activity
Category
Base Capital Expenditure-Based Transaction-Based
Requirement Capital Minimum Capital Requirement
BCR EBCM TBCR
The sum of:
● 4% of the first USD 5,000,000 (Five Million) of payment volume;
● 2.5% of the next USD 5,000,000 (Five Million) of payment

Providing or
volume;
operating USD 200,000 (two 18/52 of annual
3D
‘Payment hundred thousand) audited expenditure
● 1% of the next USD 90,000,000 (Ninety Million) of payment
Accounts’
volume;
● 0.5% of the next USD 150,000,000 (Hundred Fifty Million) of

payment volume;
The service provider must also maintain a professional indemnity insurance cover appropriate to the nature, size,
complexity, and risk profile of the business.
16
2.3. Licensing Fees
a) Application fee: USD 15,000 (fifteen thousand); and
b) Annual fee: USD 15,000 (fifteen thousand).
fee may be payable depending on the corporate structure of the Applicant.

Please refer to Section D.1.5. for DFSA’s licensing process.

Please refer to Section D.1.6. for DFSA’s local hiring requirements.
2.6. Observations
Unlike the UK, Europe, and Singapore, the DFSA does not expressly recognize merchant acquiring services as a
regulated service. However, it may be explored with the DFSA if merchant acquirers and payment aggregators can
operate after obtaining a ‘Providing Money Services’ license.
Currently, there are 4 licensed entities providing payment acceptance services for businesses. Out of these, 1 entity
is currently testing its services and holds an innovation testing license. All these entities hold a license for providing or
operating a ‘Payment Account.’
3. Open Banking
Open banking services, specifically account information services and payment initiation services, fall within the scope
of ‘Arranging or Advising on Money Services.’
‘Account Information Services,’ under DFSA’s rules, include providing consolidated information relating to accounts of
a user held with one or more account providers (such as banks or other PSPs). Such information can be presented on
an as-is basis or after subjecting it to some form of processing. The information can be shared with the user directly or
with another party as directed.
‘Payment Initiation Services’ under DFSA’s rules include services that allow the user to make a payment for goods
or services using a ‘Payment Account’ provided by another service provider. The PISP establishes a software bridge
between the website of a merchant and the online banking platform of a user’s ‘Payment Account’ provider.

AISPs and PISPs must obtain a Category 4 license.
17
Capital Requirement

License
Activity of the BCR or EBCM
Category
Base Capital Requirement Expenditure-Based Capital Minimum

(BCR) (EBCM)
Arranging or Advising on
4 USD 10,000 (ten thousand) 6/52 of annual audited expenditure
Money Services
PISPs and AISPs must also maintain professional indemnity insurance cover appropriate to the nature, size, complexity,
and risk profile of the business.
3.3. Licensing Fees

a) Application fee: USD 5,000 (five thousand); and
b) Annual fee: USD 10,000 (ten thousand).
fee may be payable depending on the corporate structure of the Applicant.


3.6. Observations
In addition to the common compliance requirements for all authorized entities in DIFC (record keeping, risk management,
auditing, complaints handling, and AML), AISPs and PISPs must adhere to the additional compliance requirements,
which cover disclosures, strong customer authentication requirements, technical standards, and fraud detection.
The DIFC took the region’s first step in expanding from open banking into open finance by launching the Open Finance
Lab in 2022. The Open Finance Lab, a six-month program that started on June 28, 2022, involved 4 banks and a
FinTech firm. They explored use cases, conducted workshops, and discussed API standards and consumer consent. The
lab concluded with a demo to government and bank officials, showcasing data-driven financial innovations.
18
The DFSA regulates Buy Now Pay Later services. The financing of goods and services acquisition falls within the scope
of ‘Providing Credit.’ Buy Now Pay Later service providers are prohibited from providing their services to natural
persons who do not qualify as professional clients under DFSA’s regulatory framework. Such clients must have net
assets of at least USD 1,000,000 (one million). This limits opportunities to provide Buy Now Pay Later services from the
DIFC. This position remains unchanged regardless of whether interest is charged, whether the user obtains the goods
or services from the Buy Now Pay Later service provider, a supplier with whom the Buy Now Pay Later service provider
has a commercial agreement, or any other person.
Buy Now Pay Later service providers are required to obtain a Category 2 license.
Capital Requirement

License of the BCR, EBCM, or the SCR
Activity
Category
Base Capital Expenditure-Based Special Capital
Requirement Capital Minimum Requirement
(BCR) (EBCM) (SCR)
The sum of:
USD 2,000,000 13/52 of annual a) Risk capital requirement;

Providing
2 (2 Million) audited expenditure b) Capital buffer;
Credit
c) Credit risk capital requirement; and
d) Individual capital requirement (if applicable,
based on DFSA’s assessment).
4.2. Licensing fees

a) Application fee: USD 70,000 (Seventy Thousand); and
b) Annual fee: USD 100,000 (Hundred Thousand).
fee may be payable depending on the corporate structure of the applicant.
4.3. Licensing process

4.4. Local hiring requirements

19
4.5. Observations
The DFSA has uniquely limited the availability of Buy Now Pay Later services to professional clients only unlike other
jurisdictions.
Hence, the DIFC is suitable only for jurisdictions that intend to offer services similar to Buy Now Pay Later to businesses
(for example, inventory financing).
While there are 37 entities that have been licensed for ‘Providing Credit,’ none of these firms are providing Buy Now
Pay Later services in the strict sense.
E. ADGM
ADGM has emerged as a formidable player in the global FinTech landscape, with an accommodating regulatory
framework that champions ease of business registration and license flexibility.
Central to its innovative spirit was the 2016 launch of the ‘RegLab’ – a regional first. This sandbox initiative provided
FinTech entities a playground to pilot their offerings, allowing experimentation within a flexible regulatory ambit. It
wasn’t long before the RegLab carved its global niche as the world’s second most active sandbox for FinTech.11 ADGM
further made strides in 2019 by launching the ‘ADGM Digital Lab,’ the world’s premier fully digital FinTech regulatory
sandbox. This initiative positioned ADGM as a catalyst, fostering symbiotic relationships between financial institutions
and groundbreaking FinTech solutions.
ADGM also hosts Hub71, a global tech ecosystem located in Abu Dhabi, designed to facilitate the growth of
start-ups by providing them with unparalleled access to capital, market opportunities, and a vibrant community of
leading entrepreneurs. By 2022, FinTech entities represented a significant 22% presence among start-ups in the Hub71
tech sectors.12
In essence, ADGM’s spirit of innovation and its readiness to venture into new horizons have rendered it the regional
touchstone for FinTech evolution, offering fertile ground for both FinTech entities and investors.
The regulatory framework for financial services (such as banking, investments, and payments) in the ADGM is provided
under, inter alia, the Financial Services and Market Regulations, 2015, and the rulebooks issued thereunder. The
relevant rulebooks for FinTech services discussed in the report include the General Rulebook, Conduct of Business
Rulebook, Fees Rulebook, Anti-Money Laundering and Sanctions Rules and Guidance, and Prudential – Investment,
Insurance Intermediation and Banking Rulebook.

The issuance of digital wallets or prepaid cards falls within the scope of ‘Providing Money Services.’
11. ADGM FinTech Overview (link).

12. Hub71 Impact Report 2022 (link).
20
Similar to the licensing requirements prevalent in DIFC, the following regulated activities are:
a) Issuing ‘Stored Value’;

Additionally, most applicants that provide SVF services have also applied for the below-regulated activity. However,
its applicability to SVF products in the strict sense must be discussed with the FSRA team during the licensing phase.
b) Issuing ‘Payment Instruments’

The scope of both activities is nearly identical to DFSA’s regulatory framework (Section D.1.3.) Both activities fall
within the scope of a Category 3C license.
Capital Requirement

License of the BCR, EBCM, or the SVCR
Activity
Category
Base Capital Expenditure-Based Stored Value Capital
(BCR) (EBCM) (SVCR)
An amount equal to 2.5% of

Issuing USD 250,000 (two hundred 18/52 of annual
3C the average daily outstanding
Stored Value fifty thousand) audited expenditure
stored value of the firm.
Issuing
USD 250,000 (two hundred 18/52 of annual
Payment 3C NA
fifty thousand) audited expenditure
Instruments
The issuer must also maintain professional indemnity insurance cover appropriate to the nature, size, complexity, and
risk profile of the business.
1.3. Licensing Fees

a) Application fee: USD 25,000 (twenty five thousand); and
b) Annual fee: USD 25,000 (twenty five thousand).
The application fee is payable at the time of submitting the licensing application.
Annual fees are payable on or before 31 January of the calendar year to which the fee relates. The first annual fee
is payable within 20 business days of receiving the license and is calculated based on the remaining months in the
calendar year.
21
The FSRA’s licensing process comprises of the following stages:
1. Pre-application contact: Applicants contact the FSRA authorization team to discuss their proposed business model.
2. Pre-application inquiry: Subsequently, the authorization team schedules an introductory meeting with the applicant
to provide guidance on business models, licensed activities under FSRA, and the overall application process.
Depending on the meeting’s outcome, applicants receive an invitation to submit a draft regulatory business plan.
3. Pre-application assessment: The authorization team evaluates the draft regulatory business plan, offering
feedback, and setting the stage for the final business plan submission.
4. Submission of application: At this stage, the applicant needs to provide a detailed business plan and all the
necessary application forms requiring information pertaining to AML procedures, client money handling, risk
management, and compliance procedures and manuals.
5. Review: Post-submission, the authorization team conducts a comprehensive review, addressing any outstanding
matters.
6. Notification: Following the review, the team issues an in-principle approval containing specific conditions.
7. Fulfillment: To meet the in-principle approval conditions, the applicant is tasked with procuring an ADGM
commercial license, leasing office space within ADGM, and opening a bank account.
8. Permission: Upon meeting all IPA conditions, FSRA grants the full license, allowing the applicant to commence their
specified activities.

The SEO, CO, and MLRO must reside within the UAE. The FSRA may waive the residency requirement for an MLRO
or CO on a case-by-case basis.
1.6. Observations
The FSRA’s regulatory scope with regard to money services is like the DFSA’s. However, the issuance of ‘Payment
Instruments’ and ‘Stored Value’ falls within the ambit of the same category of license in ADGM.
Unlike the DFSA, the FSRA does not prescribe any hard limits on the balance and transaction limits of prepaid cards and
digital wallets.
Instead, the FSRA has defined a ‘Low-Value Payment Instrument.’ These payment instruments can only store up to USD
500 (five hundred) and can be used to execute individual payment transactions of USD 25 (twenty-five) (subject to a
monthly spending limit of USD 1,000 (one thousand)). The issuers of such instruments are subject to reduced regulatory
requirements pertaining to disclosures in contracts with users, enabling future execution of payment transactions (i.e.,
framework contracts).
Currently, basis secondary sources, 1 licensed entity is issuing digital wallets and prepaid cards in ADGM.
22
2. Acquiring And Payment Aggregation
The FSRA does not expressly recognize merchant acquiring or payment aggregation services as distinct regulated
activities. Further, no service providers have been specifically licensed to provide such services in the ADGM.
However, there are certain activities that may be relevant in this regard (discussed under Section E.2.1). Entities intending
to offer such services can explore the mentioned activities with the FSRA.

Merchant acquirers and payment aggregators may explore licenses for ‘Providing Money Services’ with the FSRA.
‘Providing Money Services’ includes services enabling cash to be placed in, or withdrawn from, a ‘Payment Account’
(i.e., an account that can be used for the execution of payment transactions, including current accounts) and all the
operations required for operating the payment account. Entities providing payment accounts are referred to as ‘Payment
Account Providers.’
As explained under Section D.2.1 (DIFC), both merchant acquirers and payment aggregators provide merchants with
a payment account for the settlement of their funds.
Hence, a Category 3C for ‘Providing Money Services’ may be explored with the FSRA.
Please note that Sections E.2.2. to E.2.4. provide information on the requirements applicable to ‘Payment Account
Providers’ and not necessarily to merchant acquirers and payment aggregators.
Capital Requirement

of the BCR, EBCM, or the VCR
License
Activity
Category Base Capital Expenditure-Based Variable Capital
(BCR) (EBCM) (VCR)
The sum of:
● 2.5% of the first USD 10,000,000 (ten million) of payment volume;
Payment USD 250,000 ● 1% of the next USD 90,000,000 (ninety million) of payment volume;
18/52 of annual
Account 3C (two hundred
audited expenditure ● 0.5% of the next USD 150,000,000 (hundred fifty million) of payment
Provider fifty thousand)
volume; and
● 0.25% of any remaining payment volume.
The service provider must also maintain professional indemnity insurance cover appropriate to the nature, size,
complexity, and risk profile of the business.
23
2.3. Licensing Fees
a) Application fee: USD 25,000 (twenty-five thousand); and
b) Annual fee: USD 25,000 (twenty-five thousand).
calendar year.

Please refer to Section E.1.4. for FSRA’s licensing process.

Please refer to Section E.1.5. for FSRA’s local hiring requirements.
2.6. Observations
Unlike the UK, Europe, and Singapore, and akin to the DFSA, the FSRA does not expressly recognize merchant
acquiring services as a regulated service. However, it is possible, subject to discussions with the FSRA, that merchant
acquirers and payment aggregators can operate from the ADGM after obtaining a license for ‘Providing Money
Services.’
Currently, basis secondary sources, only 1 licensed entity is providing payment acceptance services in ADGM.
3. Open Banking
Unlike all other jurisdictions discussed in this report, FSRA regulates PISPs and AISPs as ‘Third-Party Providers’ (TPP).
The TPP regulatory framework was introduced in April 2021 to enable open banking services in ADGM.
TPP activities (i.e., ‘Third Party Services’) involve accessing, processing, and transferring of information:
a) relating to a ‘Payment Account’ held by a user at another financial institution (AISPs); and
b) information required to initiate a payment transaction on behalf of a user with respect to a ‘Payment Account’ held
by a user at another financial institution (PISPs).

AISPs and PISPs must obtain a Category 4 license from the FSRA.
24
Activity License Category Capital Requirement
TPP 4 USD 50,000 (fifty thousand)
AISPs and PISPs must maintain at all times a minimum professional indemnity insurance coverage of USD 150,000
(one hundred and fifty). Further, for PISPs, the remaining professional indemnity insurance coverage must always be
greater than thirty times the average daily value of all transactions facilitated in the past ninety calendar days.
3.3. Licensing Fees

a) Application fee: USD 5,000 (five thousand); and
b) Annual fee: USD 5,000 (five thousand).
calendar year.


3.6. Observations
TPPs are subject to several obligations in addition to the common compliance requirements for FSRA authorized entities.
These include requirements pertaining to the inclusion and disclosure of information in contracts with their customers,
authentication and security measures, management of operational risks, and the safety and security of interfacing
systems.
Since the introduction of the TPP framework, only Lean Technologies has obtained a TPP license after passing through
ADGM’s RegLab. As such, it has gained early access due to ADGM’s vast network of commercial companies and has
already onboarded prominent companies within the UAE, including virtual asset service providers.

Buy Now Pay Later services fall within the ambit of “Providing Credit.”
“Providing Credit” includes the extending of any monetary credit (including any type of financial accommodation) to
a borrower.
25
Buy Now Pay Later service providers are prohibited from providing their services to natural persons who do not
qualify as professional clients under FSRA’s regulatory framework. Such clients must have net assets of at least USD

Since they are treated as credit providers, Buy Now Pay Later service providers are required to obtain a Category 2
license from the FSRA.
Capital Requirement

License
Activity of the BCR or RCR
Category
Base Capital Requirement Risk Capital Requirement
(BCR) (RCR)
The sum of:
a) Credit risk capital requirement;
b) Market risk capital requirement;
Providing Credit 2 USD 2,000,000 (two million) c) Operational risk capital requirement;
d) Displaced commercial risk capital

requirement, where applicable; and
e) Credit valuation assessment risk

capital requirement.
4.3. Licensing Fees

a) Application fee: USD 15,000 (fifteen thousand); and
b) Annual fee: USD 15,000 (fifteen thousand).
calendar year.

26
4.6. Observations
As seen with the DFSA regime, the FSRA has similarly limited the availability of credit services/Buy Now Pay Later
products to professional clients and retail businesses only.
LNDDO (an SME financing platform) is already fully operational as the first direct digital lender within the MENA
region, having obtained a category 2 license from the FSRA. This illustrates the potential market for Buy Now Pay Later
service providers under ADGM.
27
CHAPTER 2
KINGDOM OF SAUDI ARABIA
Authors - Kabir Hastir Kumar, Ahlam Faouzi (KARM Legal Consultants)
28
ABBREVIATIONS
AML Anti-Money Laundering
CMA Capital Market Authority
EMI Electronic Money Institutions
FCL Finance Companies Control Law
ICR Initial Capital Requirement
OCR Ongoing Capital Requirements
KSA Kingdom of Saudi Arabia
PAIS Payment Account Information Services
PI Payment Institutions
PIS Payment Initiation Service
PPS Law Payments and Payment Services Law
PSPs Payment Service Providers
PSPR Payment Service Provider Regulations
SAMA Saudi Central Bank
SAR Saudi Riyal
29
A. INTRODUCTION
The FinTech landscape in KSA has evolved rapidly, transforming the country into an innovation centred FinTech hub.
In 2018, SAMA partnered with the CMA to develop the infrastructure necessary to grow FinTech companies and to
support FinTech innovators through their journey. The initiative has achieved significant milestones, with the number of
FinTech firms in KSA increasing from 82 to 147 in 2021. The plan aims to make digital transactions 70% of all financial
activities by 2025 and boost domestic and foreign venture capital investment to SAR 2.6 billion.
Aligned with its 2023 vision, KSA is committed to reconciling financial services and technological development,
introducing various regulations to facilitate this.
B. GENERAL OVERVIEW OF KSA’S REGULATORY FRAME-

In 2021, KSA issued the PPS Law to regulate PSPs operating within and from the jurisdiction.
In 2023, KSA introduced the ‘Implementing Regulations for the Law of Payments and Payment Services (New
Implementing Regulations’, aiming to enhance the efficiency of the payment system infrastructure in KSA, replacing
the PSPR. Further, the ‘Requirements for Appointments to Senior Positions in Financial Institutions Supervised by the
Saudi Arabian Monetary Authority’ (Senior Positions Requirements) stipulate requirements for the appointment of
identified senior positions in SAMA-regulated financial institutions.
The New Implementing Regulations establish the licensing framework and outline prerequisites to be fulfilled by
entities seeking to undertake any of the following activities by way of business (Payment Services), (capitalized
terms in the list hereunder have the same meaning as in the New Implementing Regulations):
a) Services enabling Funds to be deposited on a Payment Account as well as all the operations required for operating
a Payment Account;
b) Services enabling cash withdrawals from a Payment Account as well as all the operations required for operating
a Payment Account;
c) Execution of Payment Transactions, including Credit Transfers on a Payment Account with the user’s Payment
Service Provider or with another Payment Service Provider, which include the following:
i) Execution of Direct Debits, including one-off direct debits;
ii) Execution of Payment Transactions through a payment card or a similar digital device; and
iii) Execution of Credit Transfers, including standing orders.
d) Execution of Payment Transactions where the Funds are covered by a credit line for a Payment Service User:
i) Execution of Direct Debits, including one-off direct debits;
ii) Execution of Payment Transactions through a payment card or a similar device; and
iii) Execution of Credit Transfers, including standing orders.
e) Issuing of Payment Instruments;
f) Payee transactions Acquiring;
g) Payment Aggregation Services;
h) Issuing Electronic Money (by opening e-wallets or otherwise);
i) Payment Initiation Services;

30
j) Payment Account Information Services;
k) Payment Account Service; and
l) Any other service that SAMA may decide to consider as a payment service.
The earlier PSPR’s licensing framework has largely been retained in the New Implementing Regulations. However, the
New Implementing Regulations have extended the validity of a license from 3 years to a maximum of 5 years.
Licenses have been categorized based on the nature of the activity and the scale of operations. PSPs that aim to issue
electronic money, such as e-wallets or prepaid cards, must obtain an ‘Electronic Money Institution License’. Other
PSPs can apply for a ‘Payment Institution License’. These licenses are further classified as ‘Micro’ or ‘Major’ based on
transaction limits and the amount of electronic money the licensee can hold.
For entities wishing to conduct Buy Now Pay Later services, SAMA has issued ‘Rules for Regulating Buy Now Pay Later
Companies’ (Buy Now Pay Later Rules). The Buy Now Pay Later Rules provide guidance on the licensing process under
the FCL, establish minimum operational standards, set AML/CTF requirements, and provide protection for consumers
under the provision of Buy Now Pay Later services. The decision to issue a regulatory framework for Buy Now Pay
Later services is in line with regional development, with Bahrain having issued a framework in 2022, with Kuwait,
Qatar, and UAE following suit in 2023. Moreover, KSA has taken a risk-based approach, having opted to regulate
Buy Now Pay Later services as a credit service, like the approaches taken by Bahrain, Qatar, and UAE, although
dissimilar to Kuwait’s approach, which regulates Buy Now Pay Later as a payment service.
The New Implementing Regulations regulate stored value under the moniker of ‘electronic money’ to be issued by EMI.
Electronic money pertains to monetary value stored electronically or magnetically, which is represented as a claim
upon the issuer, upon the issuer receiving funds to make payments to parties other than the issuer (Electronic Money).

Entities seeking to issue Electronic Money, are required to apply either for a Micro EMI or a Major EMI license.
An EMI is considered:
a) Micro: if the EMI meets all the following conditions:

i) The total average outstanding electronic money does not exceed SAR 10 (ten) million (~USD 2,661,000);
ii) The average monthly payment transaction value does not exceed SAR 10 (ten) million (~USD 2,661,000);
iii) The aggregate total value held across all accounts by any payment service user does not exceed SAR 20,000
(twenty thousand) (~USD 5,331) of Electronic Money;
iv) The monthly total value of payment transactions a user executes does not exceed SAR 20,000 (twenty thousand)
(~USD 5,331) per calendar month in aggregate, including Cash-Out Transactions.
b) Major: if the EMI meets all the following conditions:

i) Exceeds any of the limits that would categorize it as a Micro EMI.

The applicant seeking a license to operate an SVF must comply with the following:
a) ICR:
The minimum paid-up capital requirement applicable for an EMI is:
i) For a Micro EMI: SAR 2,000,000 (two million) (~USD 544,551).
ii) For a Major EMI: SAR 10,000,000 (ten million) (~USD 2,722,755).
31
b) OCR:
EMIs are required to maintain the following:
i) For Micro EMI: The ICR.
ii) For Major EMI: An amount equal to the higher of the following:
- The ICR;
- 2% of the total average of outstanding Electronic Money.
The PSP must provide SAMA with evidence of its compliance with the ongoing capital requirements.
1.3. Licensing Fees

Licensing fees under the New Implementing Regulations are as follows:
a) SAR 20,000 (twenty thousand) (~USD 5,330) for a license of a Micro EMI.
b) SAR 50,000 (fifty thousand) (~USD 13,325) for a license of a Major EMI.
1. Submission of application: The applicant must submit the following forms along with relevant supporting documents:
a) Application form for a license;
b) A draft of articles of incorporation and articles of association of the applicant, or the authenticated copies if the
applicant is incorporated outside the KSA, subject to the related laws in the KSA;
c) A description of the organizational structure of the applicant showing all department units and their main functions
and tasks and the details of the senior positions roles;
d) A list of all controllers, which sets out the number and percentage of ownership that each controller will own; with
submitting the fit and proper form for controllers signed by each controller, as determined by the requirements
for appointments to senior positions, issued by SAMA for all financial sectors;
e) The fit and proper form for senior positions, as determined by the Senior Position Requirements,
issued by SAMA for all financial sectors;
f) Relevant draft policies and procedures demonstrating the ability to comply with the requirements set forth under
the law and the Implementing Regulations and any other instructions from SAMA;
g) An irrevocable bank guarantee issued in favor of SAMA by one of the licensed banks in the KSA for an amount
equivalent to the required minimum capital for the licensed activity or activities for which the applicant requests to
be licensed, in accordance with the model set by SAMA. Such bank guarantee must be renewable automatically
until the required capital is paid up in full following the Implementing Regulations;
h) The applicant’s business continuity and recovery plans and its wind-down plan, showing how the applicant will
manage liquidity, operational and wind-down risk; if the applicant is proposing to become a Major PI or Major
EMI;
Additional documents for Payment Service Providers:

i) A feasibility study showing the target segment, the services to be provided, the proposed business model, and
the strategy of the applicant, signed by the applicant.
ii) A three-year business plan; and
iii) Drafts of proposed material agreements and contracts with third parties, including material agreements and
contracts with related parties and external service providers.
2. Within a 30 day (thirty-day) period from the date of submission: The applicant must furnish SAMA with any
supplementary information or documents SAMA may request.
3. Within 90 (ninety) calendar days from the date of submission of the application: SAMA notifies the applicant of
its decision regarding the license application in writing, unless otherwise specified.
32
4. Upon receipt of the licensing application: SAMA assesses the application to determine if the applicant possesses
the capacity to satisfy the remaining licensing requirements and conditions. If SAMA determines this to be the
case, it issues a preliminary approval to the applicant. This is to ensure that the applicant will work towards fulfilling
other licensing conditions and requirements. The applicant must complete these requirements within a period not
exceeding 1 (one) year from the issuance date of the preliminary approval. SAMA may extend the duration of the
preliminary approval for an additional period not exceeding 180 (one hundred and eighty) calendar days. The
preliminary approval does not grant the applicant the right to engage in any service or activity requiring a license
from SAMA under the New Implementing Regulations.

According to the Senior Positions Requirements, priority for appointment or interim appointment to senior positions (as
listed below) should be given to Saudi candidates.
Senior positions are:
a) Director of human resources;
b) Director of information security/ cyber security;
c) Director of information technology;
d) Chief compliance officer;
e) Director of anti-money laundering and counter-terrorist financing;
f) Director of anti-financial crimes;
g) Director of anti-fraud;
h) Director of legal affairs;
i) Director of governance/ secretary of board of directors;
j) Director of the department concerned with providing information or executing the decisions issued against
customers by SAMA (Financial Enforcement Department);
k) Director of customer services in insurance companies;
l) Director of motor claims in insurance companies; and
m) Director of individual sales in insurance companies.
If the financial institution nominates a non-Saudi candidate to be appointed or interim appointed to a senior position,
the financial institution shall provide justifications for the nomination, demonstrate the non-availability of a qualified
Saudi candidate for the position, develop and include an approved plan for replacement in the written non-objection
request submitted to SAMA. The plan shall include the procedures, programs, and courses the financial institution uses
and conducts to train and qualify Saudi candidates for such positions, as well as the time required.
33
Benefits of Saudization
The Ministry of Human Resources and Social Development has introduced a policy known as “Nitaqat”:
Based on the company’s Saudization rate, the company falls into one of five zones – Red, Low Green, Medium Green,
High Green, or Platinum. Each range has its privileges and limitations.
Under Nitaqat, employers in Platinum, Medium, or high Green zones enjoy privileges such as streamlined work
permit issuance for foreign employees, profession changes for foreign workers, and the ability to hire without previous
employer consent.
Red zone employers face the most restrictions, including the inability to hire new expatriate employees, renew work
permits, or establish new companies or branches within KSA until their Nitaqat rating improves.
1.6. Observations
KSA’S approach to regulating SVFs aligns with international practices. SVFs will help to reduce transaction costs and
support ease of transactions and international integration. Moreover, by providing a progressive licensing regime for
different types of SVFs, the New Implementing Regulations create an accommodating licensing environment for both
start-ups and developed market products. This further aligns with SAMA’s goal to create a more attractive environment
for investors and enhance regional innovation.

The New Implementing Regulations allow payment services to be provided by PI.
‘Acquiring of Payment Transactions’ covers the service provided by a PSP to the recipient (payee). This service involves
the acceptance and processing of payment transactions, ultimately leading to the transfer of funds to the payee.
‘Aggregated payment services’ are defined as an intermediation service whereby transactions are executed upon
fund aggregation. This eliminates the need for entities seeking to accept payments (such as e-commerce platforms and
merchants) to engage directly with merchant acquirers. This is done by allowing merchants to accept various payment
instruments without needing to develop their own distinct payment integration systems or opening a merchant account
with a merchant acquirer.

Entities seeking to provide ‘Acquiring of Payment Transactions’ and/or ‘Acquiring of Payment Transactions’ are required
to apply for a Micro PI or a Major PI license.
A PI is considered:
a) Micro: if the PI meets all the following conditions:

i) It carries on one or more payment services, except issuing Electronic Money;
ii) It does not provide payments services cross-border to persons outside KSA;
iii) The average monthly payment transaction value does not exceed SAR 10,000,000 (ten million) (~USD
2,665,955);
b)
Major: if the PI meets all the following conditions:
i) It carries on one or more payment services, except issuing Electronic Money; and
ii) The average monthly payment transaction value exceeds SAR 10,000,000 (ten million) (~USD 2,665,955).
34
The applicant seeking a license to operate as a PI must comply with the following:
a) ICR:
The minimum paid-up capital requirement applicable for a Payment Institution is:
i) For a Micro PI: SAR 1,000,000 (one million) (~USD 266,529).
ii) For a Major PI: SAR 3,000,000 (three million) (~USD 799,610).
b) OCR:
PIs are required to maintain the following:
i) For Micro PIs: The ICR.
ii) For Major PIs: An amount equal to the higher of the following:
- The ICR;
- 1% of the average value of monthly payment transactions conducted by the Major PI.
2.3. Licensing Fees
Licensing fees granted under the New Implementing Regulations are as follows:
a) SAR 20,000 (twenty thousand) (~USD 5,330) for a license of a Micro PI.
b) SAR 50,000 (fifty thousand) (~USD 13,325) for a license of a Major PI.
Please refer to Section 1.4. above.
2.6. Observations
‘Acquiring of Payment Transactions’ is an intermediation service whereby transactions are executed upon fund
aggregation. This eliminates the need for entities seeking to accept payments (such as e-commerce platforms and
merchants) to engage directly with merchant acquirers. This is done by allowing merchants to accept various payment
instruments without needing to develop their own distinct payment integration systems or opening a merchant account
with a merchant acquirer.
3. Open Banking
SAMA regulates open banking services, in particular, PAIS and/or PIS, under the New Implementing Regulations read
with the Open Banking Framework (OBF).

Entities seeking to provide PAIS and/or PIS, are required to apply for PAIS License and PIS License. This is tailored to
providers who exclusively operate in the open banking sector.

The applicant seeking a license to operate as a PAIS and/or PIS must comply with the following minimum paid-up
capital requirement:
a) SAR 1,000,000 (one million) (~USD 266,529) for a PIS.
b) SAR 500,000 (five hundred thousand) (~USD 133,264) for PAIS.
c) SAR 1,000,000 (one million) (~USD 266,529) for conducting a PIS and a PAIS.
35
3.3. Licensing Fees
Licensing fees granted under the New Implementing Regulations are as follows:
a) For a license of PISPs: SAR 20,000 (twenty thousand) (~USD 5,330).
b) For a license of a PAIS: SAR 20,000 (twenty thousand) (~USD 5,330).
c) For both PIS and PAIS: SAR 40,000 (forty thousand) (~USD 10,661).


3.6. Observations
Unlike the PSPR, the New Implementing Regulations explicitly mandate PIS and PAIS service providers to comply with
SAMA’s decisions and guidelines related to open banking. Such a prescriptive approach ensures fair competition,
data security, and faster adoption and simplifies the process of integrating with multiple banks for FinTech. The OBF
provides an overview of use cases, business rules, customer experience guidelines, API specifications, implementation
requirements, and operational guidelines.

As Buy Now Pay Later services gain popularity within KSA, the GCC region, and globally, introducing the BNPL
Rules is crucial to address the growing demand and ensure regulatory standards are in place. SAMA’s regulatory
sandbox has primarily hosted Buy Now Pay Later service providers in recent times, including Tamara. Tamara is a
KSA-headquartered Buy Now Pay Later service provider that passed SAMA’s regulatory sandbox trial phase in July
2023. It has grown to become the nation’s first FinTech to unicorn by December 2023.
Buy Now Pay Later in KSA is regulated by SAMA under the FCL as per the BNPL Rules issued for establishments
seeking to engage in Buy Now Pay Later activities in KSA.

Entities intending to conduct Buy Now Pay Later activities must formally apply for a license from SAMA. A granted license
will remain valid for five years from its issuance, and a license renewal must be filed 3 months before the currently held
license expires.
The minimum capital requirement for BNPL is SAR 5,000,000 (five million) (~USD 1,333,342), subject to revision by SAMA.
4.3. Licensing Fees

According to the Buy Now Pay Later Rules, licensing fees are SAR 5,000 (five thousand) (~USD 1,334), while license
renewal/amendment fees are SAR 2,000 (two thousand) (~USD 534).
36
1. Submission of application: The applicant must submit the following along with relevant supporting documents:
a) Application for a license along with license fee (~USD 133 approx.);
b) Supporting documents:
i) Copy of the commercial register, memorandum of association, articles of incorporation (if any);
ii) A list of founding members or shareholders of the company, including the percentage of shares held by each
member or shareholder;
iii) The fit and proper form for the founding members or shareholders and the board members;
iv) Information about the Buy Now Pay Later owners and organization structure, along with a feasibility study and
v) business plan;
An irrevocable bank guarantee for an amount equivalent to the minimum capital SAR 5,000,000 (five million)
(USD 1,333,321), issued in favor of SAMA by a bank licensed to operate in KSA.
2. In principle confirmation (IPC): The receipt of the IPC signifies that the application has been reviewed, and the
applicant may proceed to the next stage of the licensing process, whereby remaining information and documents
must be submitted to proceed. Such IPC is provided in working 60 days, where SAMA may seek additional
clarifications, and the applicant has 30 working days to revert to the same.
3. Grant of final approval: Upon the submission of all the requisite documents, the SAMA has 60 calendar days to
make a decision on whether to issue the license or not.
The preliminary approval does not constitute a license or approval to practice the finance activity.
The license is issued for five years, renewable based on SAMA’s regulations.
The final license is issued upon fulfilling all requirements and completing all procedures.
All candidates for supervisory or executive positions must:
a) Meet SAMA’s professional eligibility requirements;
b) Be permanent residents in KSA; and
c) Be theoretically and practically qualified in the field.
Saudization of human resources
Initial (start of operations) 50% of the employee workforce must consist of Saudi nationals.
On-going Increase workforce with Saudi nationals by 5% annually up to 75%.
Additional rules a) Non-Saudi recruitment is restricted to positions requiring expertise

unavailable in the Saudi labor market.
b) A non-objection letter from SAMA is mandatory before appointing any
non-Saudi employee to control departments.
37
4.6. Observations
Licensed Buy Now Pay Later entities are required to adhere to the following at a minimum:
a) Company incorporation: Incorporate as a joint-stock company or provide evidence of the same where the
company already exists within 6 months from the initial approval date.
b) Contract with stores: Draw up contracts with the stores it intends to deal with.
c) Internal policies: Develop internal policies that are key to the company’s operation.
d) AML/CTF & CDD: Comply with AML/CTF laws and develop a CDD program.
e) Advertising: Follow the advertising rules issued by SAMA.
f) Outsourcing: Comply with SAMA’s rules on outsourcing for finance companies.
g) Auditor: Appoint an external auditor that SAMA has approved, or one can be appointed by SAMA.
Customer Eligibility Assessment:
Licensed Buy Now Pay Later entities are required to:
a) Verify and document the consumer’s credit record with their consent to assess solvency, repayment capacity, and
credit conduct.
b) Implement best industry practices within the field for assessing consumer creditworthiness and repayment capacity.
c) Identify consumers and verify their identity using reliable, independent sources.
Credit Limits:
a) Consumer credit limit: The total outstanding credit for each consumer natural person cannot exceed SAR 5,000
(five thousand) (~USD 1,334). Due regard must be given to the ‘Deductible Ratios’ for consumers provided under
SAMA’s ‘Responsible Lending Principles for Retail Consumers.’
b) Installment limit: Consumers can be availed of a maximum of 12 installments.
Consumer Protection Measures:
a) Establish procedures and functions for handling consumer complaints.
b) Maintain the confidentiality of consumer data transactions.
c) Ensure contracted stores do not pass additional charges to the consumer.
d) Prepare a clear, easily understandable, and non-misleading finance contract (terms & conditions) with the consumer
before engaging in any transactions.
38
Operational Limits:
Licensed Buy Now Pay Later entities may not:
a) Exceed 20 times its capital and reserves in outstanding finance, except with a no-objection letter from SAMA.
b) Charge consumers fees except for delay penalties or debt collection fees.
c) Launch new products without prior approval from SAMA.
d) Deal with persons under 18 years (Hijri years).
e) Transact with foreign non-resident customers without prior approval from SAMA.
f) Purchase goods or services in a currency other than SAR without prior approval from SAMA.
39
CHAPTER 3
KINGDOM OF BAHRAIN
Authors - Kabir Hastir Kumar, Ahlam Faouzi (KARM Legal Consultants)
40
ABBREVIATIONS
CBB Central Bank of Bahrain
FinTech Financial Technology
AISP Account Information Service Provider
PISP Payment Initiation Service Provider
POS Point-of-Sale
PSP Payment Service Provider
MENA Middle East and North Africa Region
BD Bahraini Dinar
CEO Chief Executive Officer
41
A. INTRODUCTION
Bahrain’s FinTech landscape evolved rapidly owing to strategic government initiatives. Recent reports from the CBB
indicate significant growth in digital transactions. The ‘Digital Payment Landscape Report 2022’14 states that digital
wallet transactions ‘volume’ and ‘value’ experienced a yearly growth of 196.2% and 111.6% in 2021. Further, card-
based point-of-sale transactions rose in volume and value by 49.8% and 34.6% in the same year.15
Some government initiatives include creating a dedicated FinTech & Innovation Unit at the CBB and launching Bahrain
FinTech Bay, the largest FinTech hub in the Middle East. Bahrain was the first nation in the MENA region to introduce a
regulatory sandbox for FinTechs, which allowed various FinTech companies to refine their products, services, or business
models in a controlled setting, thereby contributing to the robustness and resilience of Bahrain’s FinTech industry.
B. GENERAL OVERVIEW OF BAHRAIN’S REGULATORY FRAMEWORK
The ‘Central Bank of Bahrain and Financial Institutions Law 2006’ empowers the CBB to regulate, supervise, and
license specified financial services. Drawing from this, the CBB issued the CBB Rulebook, comprising 7 volumes,
each governing specific sectors (for example: banking, capital markets, investment businesses, insurance, etc.).
‘Volume 5- Specialized Licensees’ (Volume 5) addresses digital wallets and prepaid cards, merchant acquiring
and payment aggregation, and open banking services. Volume 5 comprises common and service-specific
modules. While common modules are applicable to all licensees regulated under Volume 5, service-specific
modules list requirements for specific types of licensees. Pertinent common modules include:
a) Principals of Business Module: Sets out the fundamental obligations that must be met by every licensee (For
example: integrity, conflicts of interest, due skill, care, and diligence, etc.);
b) Auditors and Accounting Standards Module: Specifies requirements relating to auditors and accounting standards;
c) Financial Crime Module: Specifies requirements pertaining to anti-money laundering and combating the financing
of terrorism; and
d) Enforcement Module: Sets out CBB’s approach to enforcement, and the measures used to address failures by
licensees to comply with its regulatory requirements.
‘Type 7: Ancillary Service Providers’ specific modules (ASP Modules) govern the issuance of digital wallets and
prepaid cards. The ASP Modules include:
a) Authorization Module: Sets out CBB’s approach to licensing providers of regulated ancillary services;
b) CBB Reporting Requirements Module: Specifies the reporting requirements for licensees;
c) General Requirements Module: Sets out the general requirements for licensees pertaining to the conduct of business,
including books and records, information security, outsourcing and customer complaints handling procedures; and
d) High-Level Controls Module: Sets out the corporate governance requirements.
14. ‘Digital Landscape Report 2022’ (Link).

15. ‘Digital Landscape Report 2022’ (Link).
42
In addition to the ASP Modules listed above, the CBB issued an Open Banking Module under ASP Modules to
regulate AISPs and PISPs. The module discusses open banking-specific requirements such as framework contracts,
standards of authentication and communication, and other technology-related requirements.
Buy Now Pay Later services are covered under the ‘Type 3: Financing Companies’ specific modules (FC Modules).
a) Authorisation Module: Sets out CBB’s approach to licensing Financing Companies;
b) CBB Reporting Requirements Module: Specifies the reporting requirements for licensees;
c) General Requirements Module: Sets out the general requirements for licensees pertaining to the conduct of business,
including books and records, information security, outsourcing and customer complaints handling procedures; and
d) High-Level Controls Module: Sets out the corporate governance requirements.
1. STORED VALUE FACILITES

Digital wallets and digital/physical prepaid cards may be issued by entities licensed to provide ‘permitted payment
services provided by payment service provider (PSP)’ under the ASP Modules. The CBB Rulebook does not define
e-money or stored value facilities, differing from many other jurisdictions.

Entities that are not banks or financing companies and wish to issue digital wallets or prepaid cards must be licensed
under CBB’s regulations to provide the regulated ancillary service of a PSP.
Additionally, secondary sources indicate that most licensed PSPs that issue digital wallets and prepaid cards are also
licensed to provide ‘card processing’ services, which is a distinct regulated ancillary service. This may be directed at
enabling the issuance of open-loop prepaid cards by PSPs in addition to their digital wallet offerings. Furthermore, if
an entity wishes to host or manage a card program for other licensed PSPs or seeks to process or transmit prepaid
cardholder data, the regulated ancillary service of ‘card processing’ may be explored.
1.2. Account Balance Limits
Issuers of digital wallets and prepaid cards must ensure that the account balance of their customers, at any given point
of time, does not exceed:
a) For natural persons: BD 2,500 (two thousand five hundred) (~ USD 6,655); and
b) For legal persons: BD 10,000 (ten thousand) (~USD 26,623).

Applicable base capital requirements are:
a) PSP: BD 250,000 (two hundred fifty thousand) (~USD 665,597); and
b) PSP and card processing: BD 250,000 (two hundred fifty thousand) (~USD 665,597).
43
The CBB may stipulate higher capital requirements as well. Said capital must be injected into the applicant company
before the CBB grants its final approval for it to operate as a PSP. A confirmation from a retail bank addressed
to the CBB must be submitted during the licensing process. Additionally, a bank guarantee of BD 100,000 (one
hundred thousand) (~ USD 266,239) must be submitted.
1.4. Licensing Fees

The licensing fees for PSPs and entities providing card processing services are as follows:
License Application Fee Annual Fee
PSPs BD 100 (~ USD 266) BD 2,000 (~ USD 5,324)
PSP and Card Processing BD 100 (~ USD 266) BD 3,000 (~ USD 7,987)
The application fees must be paid at the time of submitting the license application. The annual fee is payable on
the 1st of December of the year preceding the year for which the fee is due. For new licensees, the fee becomes
immediately payable upon grant of the final approval.

The licensing process at CBB is uniform for entities applying for licenses under Volume 5. It involves the following stages.
1) Pre-application discussions: The applicant must contact CBB at an early stage to discuss their plans for guidance
on the CBB’s license categories and associated requirements.
2) Submission of application: The applicant must submit the following forms along with relevant supporting documents:
i) Form 1 (Application for a license);
ii) Form 2 (Application for authorization of shareholders); and
iii) Form 3 (Application for approved person status, i.e., key senior management personnel such as directors,
compliance officer, head of functions, etc.).
3) In principle confirmation (IPC): The receipt of the IPC signifies that the application has been reviewed, and the
applicant may proceed to the next stage of the licensing process, whereby remaining information and documents
must be submitted to proceed.
4) Grant of final approval: Upon the submission of all the requisite documents, the CBB has 60 calendar days to
make a decision on whether to issue the license or not. The licensee must commence operations within 6 months of
being issued the license.
5) Post final approval: The licensee must submit certain information relating to operations (such as a description of IT
systems and business continuity plan) within 6 months of being issued the license.
The general manager/CEO and CO must be resident in Bahrain.
44
1.7. Observations
While Bahrain’s regulatory framework does not define e-money or stored value facilities, as opposed to many other
jurisdictions, the regulations encompass common compliance requirements pertaining to client money handling,
outsourcing, risk management, and information security.
Notably, the CBB’s framework uniquely allows for the establishment of physical kiosks and cash deposit machines by
PSPs. Further, it expressly regulates card processing activities such as the transmission of transactional data and the
hosting and management of card programs.
Currently, a total of 15 entities are licensed as PSPs. Out of these, basis secondary sources, 8 entities are either issuing
digital wallets or prepaid cards.
2. ACQUIRING AND PAYMENT AGGREGATION

The CBB Rulebook does not define merchant acquiring and payment aggregation, differing from many other
jurisdictions. Therefore, the information below is structured primarily based on secondary research. Entities that provide
these services in Bahrain mostly procure licenses for the regulated ancillary service of ‘card processing’ and ‘PSP.’
2.1 Relevant Licenses
In the absence of a specific regulated ancillary service to provide merchant acquiring and payment aggregation
services, entities may explore the regulated ancillary service of ‘card processing’ and ‘PSP.’
2.2 Capital Requirements
The applicable capital requirements are as follows:
a) PSP: BD 250,000 (two hundred and fifty thousand) (~USD 665,597);
b) Card processing: BD 250,000 (two hundred and fifty thousand) (~USD 665,597); and
c) PSP and card processing: BD 250,000 (two hundred and fifty thousand) (~USD 665,597).
before the CBB grants its final approval to it to operate. A confirmation from a retail bank addressed to the CBB must
be submitted during the licensing process as evidence that the capital amount has been injected. Additionally, a bank
guarantee of BD 50,000 (fifty thousand) (~ USD 133,119) must be submitted by entities applying for ‘card processing’
and ‘PSP’ services.
2.3 Licensing Fees
The licensing fees for PSPs and entities providing card processing services are as follows:
PSPs BD 100 (hundred) (~ USD 266) BD 2,000 (two thousand) (~ USD 5,324)
PSP and Card Processing BD 100 (hundred) (~ USD 266) BD 3,000 (three thousand) (~ USD 7,987)
The application fees must be paid at the time of submitting the license application. The annual fee is payable on the 1st
of December of the year preceding the year for which the fee is due. For new licensees, the fee becomes immediately
payable upon grant of the final approval.
45
Please refer to Section 1.5.
2.6. Observations
The CBB has instituted a progressive framework, fostering a thriving ecosystem of these financial intermediaries. With
an extensive network of merchant acquirers and payment aggregators, Bahrain stands as a dynamic hub for digital
payment processing in the region.
Out of the total 14 entities licensed as PSPs, 9 PSPs are providing merchant acquiring or payment aggregation services
based on secondary sources.
3. Open Banking
Bahrain was amongst the first nations in MENA to come out with a comprehensive regulatory framework for open
banking.
An AISP is defined as an entity that provides services that enable consenting customers to obtain aggregate or
consolidated information about their account balances with licensed banks, financing companies, and other entities
licensed by the CBB.
A PISP is defined as an entity that provides services enabling it to initiate payment or credit transfers for the customer
from an account held with a licensed bank, financing company, or PSP.
The ASP Modules and the Open Banking Module impose licensing requirements for AISPs and PISPs.
3.2. Access to Accounts: AISPs/PISPs
A crucial element of a successful open banking framework is enabling access to accounts for AISPs and PISPs. Similar
to the EU, and unlike the UAE, the CBB mandates licensed banks to provide access to customer accounts on an
objective, non-discriminatory basis based on customer consent.
The applicable minimum core capital requirements are:
a) AISP: BD 25,000 (twenty five thousand) (~USD 66,559);
b) PISP: BD 30,000 (thirty thousand) (~USD 79,871); and
c) AISP and PISP: BD 30,000 (thirty thousand) (~USD 79,871).
before the CBB grants its final approval to it to operate as a PSP. A confirmation from a retail bank to this effect
addressed to the CBB must be submitted during the licensing process.
It is pertinent to note that AISPs and PISPs are also required to hold insurance coverage against liabilities arising from
cyber security breaches.
46
3.4. Licensing Fees
The licensing fees for AISPs and PISPs are as follows:
AISP BD 100 (hundred) (~ USD 266) BD 1,000 (one thousand) (~ USD 5,324)
PISP BD 100 (hundred) (~ USD 266) BD 1,000 (one thousand) (~ USD 5,324)
AISP and PISP BD 100 (hundred) (~ USD 266) BD 2,000 (two thousand) (~ USD 10,684)
The application fees must be paid at the time of submitting the license application. The annual fee is payable on the
1st December of the preceding year for which the fee is due. For new licensees, the fee becomes immediately payable
upon grant of the final approval.

3.6.Local Hiring Requirements
3.7. Observations
The CBB has been at the forefront of innovation by implementing an advanced open banking framework. By mandating
retail banks to open up customer account access to licensed FinTech firms, the CBB compels the development of new,
customer-centric products and services, like comprehensive finance management tools or improved payment solutions.
Moreover, the CBB’s open banking framework and Open Banking Module sets out the necessary technical and security
standards, ensuring data security while allowing for innovation. This includes the adoption of standardized APIs to
facilitate secure and efficient data sharing between institutions and detailed customer experience and operational
guidelines.
Such proactive and robust regulation has encouraged the proliferation of open banking players seeking to offer
customer-centric products and services. Currently, 5 entities have been licensed by the CBB as an AISP and/or PISP.
Enabling regulations for Buy Now Pay Later were introduced in February 2022 by making amendments to Volume 5.
Bahrain was one of the first jurisdictions in MENA to introduce a clear and unambiguous regulatory framework for Buy
Now Pay Later services. As noted above in this chapter, Buy Now Pay Later services are regulated under the CBB’s
‘Type 3: Financing Companies’ specific modules (FC Modules).
Pursuant to the February 2022 amendments, the CBB introduced the concept of offering a limited scope of short-term
installment credit (Buy Now Pay Later Services). Entities seeking to offer Buy Now Pay Later services must still apply
for a financing company license. However, they are subjected to less onerous minimum capital, shareholder suitability,
and corporate governance requirements.
4.2.Capital Requirements
Traditional finance companies are required to maintain a minimum capital of BD 5,000,000 (five million) (~ USD
13,311,950). However, entities seeking to only offer Buy Now Pay Later Services can maintain a lower minimum
capital. The exact amount will be determined by the CBB based on the nature, scale, and size of operations.
47
This capital must be injected into the company before the grant of the final approval by CBB. A confirmation from a
retail bank to this effect addressed to the CBB must be submitted at any time before the grant of the final approval.
4.3. Licensing Fees
The licensing fees for entities seeking to offer Buy Now Pay Later Services are as follows:
a) Application fee: BD 100 (hundred) (~USD 266); and
b) Annual fees: 0.25% of operating expenses (excluding training costs, charitable donations, and the previous year’s
annual fees), subject to a minimum of BD 6,000 (six thousand) (~ USD 15,974) and a maximum of BD 24,000
(twenty four thousand) (~ USD 63,897).
The application fees must be paid at the time of submitting the license application. The annual fee is payable on the 1st
December of the year preceding the year for which the fee is due. For new licensees, the first annual fee is BD 6,000
(~ USD 15,974), and it becomes immediately payable upon grant of the final approval.


4.6. Observations
The CBB has established a unique regulatory framework for Buy Now Pay Later companies, acknowledging that
they should not be governed in the same way as traditional financing firms due to their lower risk profiles. Despite the
framework’s infancy, 2 Buy Now Pay Later companies are currently trialing their services in CBB’s regulatory sandbox.
However, no Buy Now Pay Later firm has yet received a full license from the CBB.
48
CHAPTER 4
REPUBLIC OF TURKEY
Author- Burcu Tumer (TBL Legal)
49
ABBREVIATIONS
AIS Account Information Service
BIIT Banking and Insurance Transactions Tax
BRSA Banking Regulation and Supervision Agency
CBRT Central Bank of the Republic of Turkey
EMIs Electronic Money Institutions
FCIB Financial Crimes Investigation Board
IT Information Technology
PI Payment Institution
PIS Payment Information Service
PSPs Payment service providers
SVF Stored Value Facilities
TRY Turkish Lira
50
A. INTRODUCTION
Turkey is actively striving to establish itself as a major player in the FinTech sector. As of 2022, Turkey hosted 520
FinTech companies, with 216 payment services at the forefront.
The expansion of e-commerce in Turkey has led to an increasing popularity of Buy Now Pay Later payment options
among users. Noteworthy companies providing Buy Now Pay Later services in this context include Hepsiburada,
Kredim, Moneypay, and Haso.
B. GENERAL OVERVIEW OF TURKEY’S REGULATORY FRAMEWORK

Turkey’s FinTech laws harmonize with EU standards, a notable example being Law No. 6493 on Payment and
Securities Settlement Systems, Payment Services, and Electronic Money Institutions of 27 June 2014 (Law No.
6493), aligned with EU Payment Services Directives 1.
A key milestone in the sector’s evolution were the amendments to Law No. 6493 introduced by Law No. 7192 on
22 November 2019, effective from 1 January 2020 (Law No. 6493 (as Amended)) alongside the Communiqué
on the Management and Supervision of Information Systems of Payment Institutions and Electronic Money
Institutions (Communiqué). Amendments to Law No. 6493 expanded the scope of payment services, embracing
open banking solutions. While the Regulation on Generation and Usage of TR QR Code in Payment Services (TR
QR Code) aims to establish guidelines for creating and utilizing the TR QR code in payment services.
In addition to these changes, the CBRT replaced the BRSA as the regulatory authority overseeing payment and
e-money companies. Further, the Payment and E-Money Institutions Association of Turkey (Payment Association)
was established, to which all PSPs must register. The Payment Association is empowered to set standards, prevent
unfair competition, oversee advertising principles, initiate lawsuits for mutual member benefits, and impose
administrative penalties from TRY 1,000 (one thousand) (~$ 35) up to TRY 10,000 (ten thousand) (~$ 350) on
members violating its decisions. The CBRT works with the supervision of The Banking Regulatory and Supervisory
Board of the CBRT (CBRT Board), BRSA, and the FCIB.
Moreover, in October 2023, amendments to the Communiqué were published by the CBRT in the Official Gazette
No. 32332. The amendments bring novel concepts and regulatory practices to the forefront, such as the inclusion
of “near field communication” (NFC) technology within the regulatory scope and the establishment of a more
structured framework for data sharing and remote communication in financial transactions.
Entities wishing to operate in the payment and e-money sectors are required to obtain an operational license from
the CBRT. The criteria for obtaining this license include the establishment of a joint-stock company, employing a
qualified workforce, ensuring technical infrastructure, risk management, information security, business continuity,
and maintaining an open and transparent organizational structure.
The Buy Now Pay Later business model is generally implemented by financial institutions, which are regulated
under Financial Leasing, Factoring, Financing, and Saving Financing Institutions Law Numbered 6361 (Finance
Law) and its secondary legislation.

EMIs are authorized to issue SVFs.
The CBRT regulates SVFs through Amendments to Law No. 6493 under ‘electronic money’ (Electronic Money).
51
EMIs, as authorized entities, must adhere to certain structural requirements, including:
a) An EMI must be established as a joint stock company;
b) Shares must be issued against cash and be fully registered in the name of the company;
c) EMIs should set up a transparent and clear partnership structure and an organizational chart that does not hinder
or obstruct the supervision efforts of BRSA of the CBRT.
Applications must be made directly and in person to CBRT Head Office by the applicant’s authorized representatives.
The process is as follows:
a) The whole minimum capital sum must be paid in cash;
b) The required forms and documents must be submitted before registering the trade name to the Trade Register, with
the receipt stating that the application fee has been paid.
1.2. Capital requirements
The applicant seeking a license to operate as an SVF must comply with the following minimum base capital requirements
as per Law No. 6493 (as Amended):
a) Minimum paid capital: TRY 5,000,000 (five million) (~$ 175,282);
b) Minimum equity: TRY 41,000,000 (forty one million) (~$ 1,437,312). .
The entire paid-up capital should be in cash and free of all kinds of fictitious transactions. Additionally, the specified
minimum capital requirements are subject to annual adjustments the CBRT makes every January.
1.3. Licensing fees

According to Law No. 6493 (as Amended), applicable fees should be paid to a designated account at CBRT Ankara
Branch and include:
a) Application fee paid one-time (non-refundable): TRY 500,000 (five hundred thousand) (~$ 17,528);
b) License Fee: TRY 1,000,000 (one million) (~$ 35,056).
In addition, legal obligations like Banking and Insurance Transactions Tax (BITT) must also be paid.

Law No. 6493 (as Amended) and the guidelines issued by the CBRT describe the application process as follow
1) Once the application is submitted, the CBRT conducts preliminary examinations and research regarding the
corporation and related parties upon receiving the application;
2) Within 6 months following the acceptance of the application, the CBRT carries out an intelligence review stage;
3) Within 120 days following the approval of the intelligence review, the application for the final certification stage
is submitted to the CBRT;
52
4) Upon approval of the final certification stage, the required license fees and any relevant charges (BITT) are to be
paid at the CBRT’s Ankara Branch;
5) After payment, the CBRT will send a notification letter stating that the applicant has been granted an operating
license;
6) The total duration of this process varies based on the specific nature of the application and the CBRT’s workload.
Generally, companies can begin their operations within 18 months to 2 years following incorporation if all
application documents are well-prepared and the entity’s information technology (IT) infrastructure complies with
applicable laws and regulations;
7) If any deficiencies in the information and documentation relating to the operating license are not resolved within 6
months of notification by the CBRT, the application will be deemed invalid;
1.5. Hiring requirements

EMIs are subject to specific hiring criteria, including:
a) A minimum of three individuals serving on their board of directors;
b) The general manager is expected to have a minimum of 7 years of relevant experience; and
c) Internal control and risk management personnel must be assigned.
1.6. Observations
SVFs are also governed by:
a) The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers;
b) The Regulation on the Information Systems of the Banks and Electronic Banking Services; and
c) The Banking Law number 5411.
Shareholders possessing 10% or more of an EMI’s capital and exercising control over the institution must meet
specific eligibility criteria typically reserved for bank founders, which include:
a) Not having been declared bankrupt, undergone restructuring through reconciliation, or had bankruptcy postponed
according to relevant regulations;
b) Not directly or indirectly owning 10% or more shares or exercising control over banks subject to liquidation,
financial leasing, financing, and insurance companies with revoked operating permissions (excluding voluntary
liquidation), and capital market agencies;
c) Not having received a sentence of heavy imprisonment or imprisonment exceeding 5 years, or being convicted of
crimes such as bribery, theft, swindling, forgery, breach of trust, or fictitious bankruptcy;
d) Possessing the necessary financial strength and credibility to meet committed capital amounts;
e) In the case of a legal entity, maintaining a transparent and open partnership structure; and
f) Demonstrate the honesty and competence required for the business.

53
According to Law No. 6493 (as Amended), payment intermediary services in Turkey are conducted by Payment
Institutions (PIs).
Merchant acquiring falls under ‘issuing or acquiring payment instruments’ (Article 12, clause c). This categorization
includes the services related to handling payment transactions through cards or similar devices.
Payment aggregation is not explicitly defined in Article 12. However, it can be interpreted to fall under broader
categories of payment services, such as the execution of payment transactions and possibly issuing or acquiring
payment instruments.
2.2.Capital Requirements
According to Law No. 6493 (as Amended), Applicants must comply with the minimum financial requirements as
follows:
a) Minimum paid capital: TRY 2,000,000 (two million) ($ 70,112);
b) Minimum Equity: TRY 15,000,000 (fifteen million) ($ 525,846);
c) Minimum Deposit: TRY 3,000,000 (three million) ($ 105,169).
These specified amounts are subject to annual adjustments the CBRT makes every January.
2.3. Licensing Fees

2.5. Hiring Requirements

According to Law No. 6493 (as Amended), applicants must comply with the minimum financial requirements as
a) Shareholders who have 10% or more shares in a PI’s capital and have control over the PI should meet the bank
founder’s eligibility criteria as set forth in the Banking Law.
b) A minimum of 3 individuals serving on their board of directors;
c) The general manager is expected to have a minimum of 7 years of relevant experience; and
d) Internal control and risk management personnel must be assigned.
54
2.6. Observations
Robust internal control mechanisms must be established by PIs to execute their activities effectively and to ensure
transparency and compliance. In addition, a rigorous risk management system is mandated for identifying,
measuring, supervising, controlling, and reporting on potential risks to which payment institutions may be exposed.
Beyond these internal requirements, PIs are subject to on-site and remote surveillance inspections by the BRSA. The
aim is to maintain regular and compliant performance of their operations, safeguard the integrity of the financial
sector, and protect consumer interests.
3. Open Banking
According to Law No. 6493 (as Amended) and its related secondary legislation, open banking services are now
categorized as payment services offered by PIs.
3.1. Licenses
PIs operating in open banking assume legal roles as providers of:
a) Payment Initiation Service (PIS): Enables payments from an account held with another payment service provider
upon the user’s request.
b) Account Information Service (AIS: Offers combined information about the user’s payment accounts on online
platforms with the user’s permission.
The CBRT serves as the governing authority responsible for overseeing licensing requirements and procedures for
open banking services.

PIs that exclusively provide AIS are exempted from the minimum capital requirement. Furthermore, these institutions
have a defined collateral liability of TRY 1,000,000 (1 million) (~$ 35,056), with the option to obtain professional
liability insurance as an alternative to the collateral requirement.
On the other hand, institutions that provide PIS must comply with the minimum financial requirements as follows:
a) Minimum paid capital: TRY 2,000,000 (two million) (~$ 70,112);

b) Minimum Equity: TRY 15,000,000 (fifteen million) (~$ 525,846);
c) Minimum Deposit: TRY 3,000,000 (three million) (~$ 105,169).
These specified amounts are subject to annual adjustments the CBRT makes every January.
3.3. Licensing Fees

PIs are subject to specific hiring criteria, including:
55
a) A minimum of 3 individuals serving on their board of directors;
b) The general manager is expected to have a minimum of 7 years of relevant experience; and
c) Internal control and risk management personnel must be assigned.
3.6. Observations
To engage in a payment services business, institutions are required to maintain sound and prudent management,
sufficient personnel, and technical capabilities, as well as establish necessary units for addressing complaints and
objections.
Furthermore, shareholders possessing 10% or more of a PI’s capital and exercising control over the PI must meet
specific eligibility criteria typically reserved for bank founders, as discussed above in Section 3.6.

In Turkey, the Buy Now Pay Later service is generally evaluated within the framework of financing agreements and
consumer credit agreements.
In cases where the business model is provided by a bank to a consumer, the agreement to be concluded between
the parties will be considered a “Consumer Loan Agreement.” In such cases, the provisions of the Law on Consumer
Protection will be applied to the Buy Now Pay Later transaction. It should be noted that in such cases, the lending
party must be a bank; otherwise, the transaction may be considered a “Crime of Unauthorized Activity.”
Companies offering Buy Now Pay Later services must fulfill the necessary obligations under the relevant legislation
and obtain establishment and operation authorization from the BRSA.
Financial institutions must obtain permission from the BRSA in a two-tier licensing procedure
a) Establishment license: The criteria for the establishment license are similar to the criteria applicable to banks under
the Finance Law.
b) Operating license: To obtain operation permission from the BRSA, the System Entrance Fee, which is equivalent to
5% of the minimum capital, should be paid to the accounting units of the Ministry of Finance. The financial institution
would then be registered as income to the general budget, and any related documents need to be submitted to the
BRSA by the founders of the Buy Now Pay Later service providers.

The applicant seeking a license to operate as a financial institution must comply with the following minimum base
capital requirement as per the Finance Law: TRY 50,000,000 (fifty million) (~$ 1,752,820).
4.3. Licensing Fees
According to the Finance Law, the system entrance fee is equivalent to 5% of the minimum capital requirement.
1) If an applicant meets the criteria for the incorporation license (such as entrance fees and fully paid share capital),
the application process will be successfully concluded.
56
2) An application for an operating license must be filed within 9 months of the issuance of the establishment license.
3) In most cases, the BRSA notifies the applicant of its decision regarding an operating license within 6 months of the
first application date or the date on which the applicant provides any missing application documents.
4) Once such institutions obtain the operating license from the BRSA, they must begin their operations within one year.
In Turkey, the following hiring requirements must be met by companies offering Buy Now Pay Later services:
a) The board of directors must consist of a minimum of 3 members, including the general manager;
b) The general manager must have a minimum of 7 years of experience in business management or finance;
c) The assistant general manager must have a minimum of 5 years of experience in business management or finance
and hold at least an undergraduate degree;
d) Other managerial positions with duties equivalent to those of assistant general managers or higher are also subject
to the aforementioned requirements for assistant general managers.
e) Appropriate service units, as well as internal control, accounting, data processing, and reporting systems, should
be established; and
f) Adequate staff should be assigned to the abovementioned units
4.6. Observations
Founders or the founding partners of the financial institutions must meet the criteria specified under the Finance Law.
a) The founders must not be bankrupt;

b) Should not have been sentenced to heavy imprisonment;
c) Should possess financial strength and reputation to meet the amount of committed capital; and
d) Should not directly or indirectly hold 10% or more shares or hold administrative power to control certain banks as
mentioned in the provision.
e) There are also other restrictions and requirements for financial institutions, including but not limited to; the activities
that cannot be conducted by the institutions, financial reporting requirements, acquisition and transfer of shares,
and M&A processes.
57
CHAPTER 5
UNITED KINGDOM
Author- Natalie Lewis (Partner Travers Smith)
58
ABBREVIATIONS
Authorized Payment Institutions APIs
Electronic Money Institutions EMIs
Financial Conduct Authority FCA
Third-Party Providers TPPs
Payment Systems Regulator PSR
Electronic Money Regulations 2011 E-Money Regulations
Payment Services Regulations 2017 2017 PSRs
Money Laundering, Terrorist Financing and AML Regulations

Transfer of Funds (Information on the Payer)
Regulations 2017
FCA Perimeter Guidance 3A (Electronic FCA Perimeter Guidance

Money) and 15 (scope of payment services)
Regulatory Technical Standards on Strong FCA-RTS

Customer Authentication and Common and
Secure Methods of Communication 2021
Payment Initiation Services PIS
Payment Initiation Service Providers PISPs
Account Information Services AIS
Registered Account Information Service RAISPs

Providers
59
A. INTRODUCTION
The UK is a jurisdiction familiar with and home to many EMIs (267 registered as of 18 January 2024) and APIs. It offers
a clear route to authorization and a stable regulator in the FCA, as well as a customer base increasingly willing to use
stored value products. Some of the best-known FinTechs were either regulated or are regulated as EMIs (for example:
Monzo and Revolut). FCA data16 shows that, in 2020, total payments made in the UK using electronic money had a
value of over £233.7 billion.
The UK has now become a home to a variety of businesses that operate to allow merchants to accept payments,
whether online or offline, and there is a well-understood route to authorization – as long as the firm can clearly
understand and articulate how it fits into the payments ecosystem. Critically, developments such as open banking hold
the possibility of disrupting this market still further. There are few verified statistics on the size of the payment facilitation
market, but:
a) in 2020, UK consumers made 15.5 billion debit card payments17 ;

b) by 2020, the largest payment facilitators served nearly 80% of merchants that only or mainly sell face-to-face with
annual card turnover below £15,00018 ;
c) as of September 2023, there were over 400 APIs (not all of which will be carrying out these services)19 .
Open Banking has been a considerable success in the UK, with satisfactory adoption and acceptable regulatory
oversight of the framework as conceived. It is, however, now at a critical stage with several FinTech TPPs urging stronger
regulation to drive a broader range of use cases and greater consumer trust. The UK is committed to open banking, but
it is more likely than not that the legal and regulatory framework will become more complex. Over the course of H2
2023, there has been significant activity by regulators and firms to expand and broaden the scope of the services that
can be provided through open banking.
B. GENERAL OVERVIEW OF UK’S REGULATORY FRAMEWORK

Stored value products, both digital and physical, will (subject to certain narrowly-drawn exceptions) be regulated
as ‘electronic money’, and the sector is collectively referred to as EMIs. Authorization as an EMI is a distinct type of
FCA authorization. It is possible instead to register as a “small EMI.” For digital wallet providers offering no payment
services unrelated to the digital wallet, this is only available where the total business activities are projected to generate
an average outstanding e-money of no more than €5 million, and the small EMI cannot be a PISP or RAISP. There are
currently ~30 small EMIs.
1.1. Relevant Regulator
a) The FCA; and
b) PSR (this is predominantly a competition and economic regulator, which also has responsibility for regulating
payment schemes, such as card schemes and interbank payment schemes).
1.2. Relevant Governing Laws and Regulations
a) E-Money Regulations set out authorization, prudential, and conduct of business requirements for EMIs.
b) 2017 PSRs set out authorization, prudential, and conduct of business requirements for APIs (and providers such as
banks), as well as adding additional conduct requirements for EMIs (for example, execution times and liability for
unauthorized or defective transactions).
16 Freedom of Information Request Response - FCA Electronic Money Data 2020.

17 UK Finance, UK Payments Market 2021, quoted by the Payment Systems Regulator in November 2021.
18 Payment Systems Regulator - Card-acquiring market study - Final Report November 2021.
19 Financial Conduct Authority - Firms with PSD Permissions - Preset Register Search.
60
c) AML Regulations govern anti-money laundering compliance, especially regarding identification, verification, and
customer due diligence.
d) Payment Services and Electronic Money – Our Approach (November 2021) is FCA guidance on the interpretation
of the EMIs and 2017 PSRs.
e)
FCA Perimeter Guidance is FCA guidance on payments and e-money activities that require authorization by the
f) FCA.
g) Consumer Rights Act 2015 for consumer-facing propositions. This includes the rule that an unfair term in a contract
with a consumer is not binding on that consumer.
Certain modules of the FCA Handbook, particularly PRIN (the Principles for Business) and DISP (which deals with
complaints to the Financial Ombudsman Service).
a) Initial capital (IC) (required in order to be authorized): €350,000 (in GBP equivalent) 20 (~ USD 382700). This
capital must be in place for the FCA to grant authorization, and it must be made up of one or more of the following:
i) Capital instruments (For example: ordinary shares);

ii) Share premium accounts;
iii) Retained earnings;
iv) Other comprehensive income; and
v) Other reserves.
b) Ongoing capital (or ‘own funds’) requirements must be the greater of:
i) The IC; or
ii) 2% of the average outstanding electronic money (i.e., it will increase above initial capital once the average
outstanding electronic money reaches €17,500,000 (~ USD 19,130,000)). Firms awaiting authorization should
use the forecast figures they are required to provide as part of their application (this means that firms that expect
to grow their businesses beyond the size requiring the IC very quickly should plan to do so from the outset).
The FCA has the power to direct that the fund requirement be increased or decreased by up to 20%, depending
on its assessment of the firm’s risk profile.
Once authorized, the average must be calculated on the first calendar day of each month and is the average of
the electronic money issued at the end of each calendar day over the previous six calendar months.
Ongoing capital requirements must be met using a potentially complex series of calculations under the Capital
Requirements Regulation; however, for most EMIs providing prepaid wallets/cards, we would expect that items that
meet the requirements for the IC are permissible.
There is no specific requirement to meet the requirements using bank deposits.
20 "Small EMIs" as defined in the E-Money Regulations are subject to lighter requirements but are (subject to a minimum levy of £75 (seventy five) (~USD 95)). In
addition, there is a case fee of £750 (seven fifty) (~USD 950) per case (with the first 3 cases per year free).
61
1.4. Licensing Fees
a) Application fee: £5,000 (five thousand) (~ USD 6,357) (this will be greater if agents are to be used: £1,000 (one
thousand) (~ USD 1,271) per agent)
b) Periodic fee*: For EMIs, the proxy for the “size” of the business is the average amount of outstanding electronic
money (broadly, the total balances across all the prepaid accounts). There is also an additional minimum fee of
£1,833 (one thousand eight hundred thirty three) (~USD 2,330).
c) Annual Financial Ombudsman Service (FOS) levy: This is a fee that is charged to fund the work of the FOS, an
independent complaints-handling service. It is currently £0.0044 per £1,000 (one thousand) of relevant income.
Some EMIs may also be required to pay fees to fund the work of the PSR, where they are direct members of a
payment scheme regulated by the PSR (such as Visa, MasterCard, or the Faster Payments Service). These are based
on transaction volumes and values. For example, if the EMI also issued a digital or physical payment card on the Visa
or MasterCard schemes, then it would be in the scope of these fees. However, because the bulk of these fees are paid
by the large banks (as the largest card issuers and also members of retail interbank payment schemes), for many EMIs,
these fees are not significant: previously, several dozen each year would have been charged less than £100 (one
hundred) per year. The PSR now exempts any firm whose annual fee would amount to less than £100 (one thousand)
from the requirement.
*Periodic fees can change regularly, as the amounts are devised in such a way as to ensure that the FCA has adequate
resources. The provisions in the FEES module of the FCA Handbook are complex and require careful calculation. The
broad principle, however, is that the larger the business, the greater the fees paid.

The FCA must make a decision no later than three months after it has received a “complete” application and 12
months after receiving an application it considers “incomplete.” The FCA will notify an applicant when the application
is complete (which is the point at which the FCA has received all the information and evidence it needs to make the
decision). It is highly inadvisable to attempt to “start the clock” on the 12 month period by knowingly submitting an
incomplete application.
The FCA will set clear deadlines when (as is likely) it asks for additional information on the application.

In order to obtain and maintain authorization, the services must be carried out, at least partially, from an establishment
in the UK, and either the firm’s head office must be in the UK, or, if its head office is elsewhere, there must be a branch
in the UK.
The FCA also requires details of the directors and senior management and requires that the firm can be “effectively
supervised.” In practice, this means that a significant proportion of the senior management must be based in the UK.
There are also expectations about certain roles (mainly the CEO and MLRO as a minimum, alongside at least part of
the compliance function), and exceptions will be assessed on a case-by-case basis – the FCA will regard its ability
to supervise the business as the key test. A clear majority of board directors and the persons making key day-to-day
operational decisions should be based in the UK.
There are no citizenship limitations and, as noted, it is not strictly required that all employees (at whatever level) are
resident in the UK.
62
1.7. Observations
Conduct of business requirements are found in both the PSRs and the E-Money Regulations, and they include:
a) detailed requirements on safeguarding of customer funds;
b) a prohibition on paying interest or using funds received from customers as working capital;
c) various rules on the execution of payment transactions, authentication, communications with customers, and
redemption of electronic money.
EMIs providing these services to consumers or to certain small business customers will also need to comply with the
FCA’s new “Consumer Duty,” which, at a high level, requires that firms “act to deliver good outcomes” for their customers.

Merchant acquirers and payment facilitators (the distinction in the UK generally being that the former are direct
members of one or more card schemes, and the latter are not) are (where they do not issue electronic money or operate
as banks) regulated in the UK as APIs and allow merchants (such as businesses or charities) to accept card payments.
a) The FCA; and
b) The PSR.
a) 2017 PSRs;
b) AML Regulations;
c) Payment Services and Electronic Money – Our Approach (November 2021);
d) FCA Perimeter Guidance 15 (scope of payment services);
e) FCA-RTS;
f) Certain modules of the FCA Handbook, particularly PRIN (the Principles for Business) and DISP (which deals with
complaints to the Financial Ombudsman Service).
Note: A number of acquirers have structured their businesses using authorization as an EMI, in which case the following
will also be relevant:
a) E-Money Regulations; and
b) FCA Perimeter Guidance.
This structure is not necessarily limited to acquirers that also intend to issue e-money. It was adopted because
authorization as an EMI also permits firms to provide unrelated payment services, such as acquiring services.
63
a) The IC (required in order to be authorized): €125,000 (hundred twenty five thousand) (in GBP equivalent) (~USD
136,626). This IC must be in place for the FCA to grant authorization.
b) Ongoing capital (or ‘own funds’) requirements is the higher of:
i) The IC; or
ii) An amount is calculated under what are known as methods A, B, or C. APIs must select a method in their
application, but the FCA has the ultimate power to direct the firm to use one of the 3 methods.
A high-level summary of the three methods (B and C are the most complex, requiring multiple levels of calculations):
a) Method A: 10% of the firm’s “fixed overheads” in the previous financial year (subject to the FCA’s power to direct
a higher or lower percentage where there has been a material change to the firm’s business).
b) Method B: A figure based on a percentage of the firm’s average monthly payment volume and involving tiers as the
payment volumes increase (for example, the lowest tier goes up to €5,000,000 (five million) (~USD 6,184,495),
and the highest tier starts at €250million).
c) Method C: A figure based on a percentage of the firm’s income (broadly speaking, this is investment income, plus
fees/commissions and other operating income, minus interest payable to creditors or, in certain circumstances, to
payment service users) and using tiers as the income increases (for example, the lowest tier goes up to €2,500,000
(two million and five hundred thousand) (~USD 6,184,495, and the highest tier starts at €50,000,000 (fifty million)
(~USD 61,844,950).
2.4. Licensing Fees
a) Application fee: £5,000 (five thousand) (~USD 6,357)
b) Periodic fees*: In the case of APIs, the proxy for the “size” of the business is the firm’s income (broadly speaking,
this is investment income plus fees/commissions and other operating income minus interest expenses). There is an
additional minimum fee of £558 (five fifty eight) (~USD 709).
c) FOS levy: currently £0.0044 per £1,000 (one thousand) of relevant income (subject to a minimum levy of £75
(seventy five) (~USD 95)). In addition, there is a case fee of £750 (seven fifty) (~USD 950) per case (with the first
3 cases per year free).
Some APIs may also be required to pay fees to fund the work of the PSR, where they are direct members of a payment
scheme regulated by the PSR (such as Visa or MasterCard), although it is less common for payment facilitators to
operate with direct access. These are based on transaction volumes.
* Periodic fees can change regularly, as the amounts are devised in such a way as to ensure that the FCA has adequate
64
2.7. Observations
Conduct of business requirements are found in the PSRs, and they include:
a) detailed requirements for safeguarding of customer funds
b) various rules on the execution of payment transactions, authentication, communications with customers, and charges.
APIs providing these services to certain small business customers (or even, possibly, to consumers, for example, in a
non-commercial ‘marketplace’ setting) will also need to comply with the FCA’s new “Consumer Duty,” which at a high
level requires that firms “act to deliver good outcomes” for their customers.
3. Open Banking
Open Banking covers two types of service:
a) PISs that enable TPPs to access a customer’s payment account (such as a bank account) and make payments. An
example of a major use case is the UK’s tax authority, HMRC, now accepts PIS to settle income tax bills.21 These
TPPs are classified as PISPs.
b) AISs that allow TPPs to present information relating to payment accounts to customers. Examples include dashboards
that allow accountholders to see accounts at multiple providers in the same place.22 These TPPs are classified as
RAISPs.
There are slightly more than 200 firms currently registered as PISPs, RAISPS, or both (as of 18 January 2024).
a) The FCA.
b) The PSR also has a role as the co-chair of the Joint Regulatory Oversight Group (JROC). 23
a) PSRs;
b) Some continued relevance of the Retail Banking Market Investigation Order 2017 (this only applies directly to a
group of large banks, but it is of relevance to TPPs because it governs the way in which those banks are required to
provide TPPs with access to the customer’s account);
c) FCA-RTS;
d) AML Regulations;
e) Payment Services and Electronic Money – Our Approach (November 2021);
f) Certain modules of the FCA Handbook, particularly PRIN (the Principles for Business) and DISP (which deals with
complaints to the Financial Ombudsman Service);
g) Consumer Rights Act 2015 for consumer-facing propositions.
21. Open Banking payments at HMRC: A team making history

22. https://www.moneydashboard.com/
23. JROC Proposals
65
a) The IC and the ongoing capital requirements are €50,000 (fifty thousand) (GBP equivalent) (~USD 54,631) for
PISPs.
b) There are no requirements for RAISPs, except that both types of TPP are required to hold professional indemnity
insurance (PII) or a comparable guarantee calculated in a manner that the FCA directs.
c) This PII or comparable guarantee must cover at least liabilities for unauthorized or defectively executed transactions
for PISPs (this means transactions that have been made fraudulently or incorrectly gone to the wrong recipient)
or any losses resulting from fraudulent or unauthorized access to account data for RAISPs. At present, the FCA
directs that the PII or comparable guarantee should be calculated in accordance with Guidelines published by the
European Banking Authority24 – the calculation is too detailed to reproduce in full here. The FCA requires that the
application for authorization sets out full details of the calculation and that cover will be in place if the application
3.4. Licensing Fees
a) Application fee: £2,500 (twenty five hundred) (~USD 3,172) for PISPs or £1,000 (one thousand) (~USD 1,268)
for RAISPs.
b) Periodic fees*: In the case of both PISPs and RAISPs, the proxy for the “size” of the business is the firm’s income
(broadly speaking, this is investment income, plus fees/commissions and other operating income, minus interest
expenses). There is an additional minimum fee of £558 (five hundred fifty eight) (~USD 708).
c) Annual FOS levy: This is currently £0.0044 per £1,000 (one thousand) of relevant income (subject to a minimum
levy of £75 (seventy five) (~USD 95)). In addition, there is a case fee of £750 (seven fifty) (~USD 950) per case
(with the first 3 cases per year free).


3.7. Observations
The PSRs and the FCA-RTS set out various legal and technical requirements applying to the way TPPs access payment
accounts, use customer data, and communicate with account-servicing providers (usually banks). The security of
customer data is paramount. RAISPs are forbidden to provide any other payment services.
Open Banking has been a considerable success in the UK, with satisfactory adoption and acceptable regulatory
oversight of the framework as conceived. It is, however, now at a critical stage with a number of FinTech TPPs urging
stronger regulation to drive a wider range of use cases and greater consumer trust. The UK is committed to Open
Banking, but it is more likely than not that the legal and regulatory framework will become more complex.
24. EBA-GL-2017-08
66
Buy Now Pay Later is used in the UK to refer to an interest-free deferral of payment for goods and services, usually
remunerated by a commission from the seller to the Buy Now Pay Later lender. A review by the FCA found that:
a) The number of transactions funded by the main providers roughly tripled in 2020.
b) 11% of consumers (5 million individuals) said that they had used Buy Now Pay Later in 2020.
c) The total value of transactions in 2020 was £2.7billion (which did make it a small percentage of overall unsecured
personal lending).
The government has stated (with draft legislation in February 2023) that it intends to bring Buy Now Pay Later within
the regulatory perimeter.
There is no current timeline for passage of the legislation, although the current proposal is that there would be a two-
year implementation period for FCA rules. There have also been recent media reports that political developments
may cause a significant delay (or change of direction) because of the cost of living issues in the UK. In addition, the
UK is expected to have a general election in 2024, which means that parliamentary time is under pressure. However,
on 9 January 2024, the Chancellor of the Exchequer (UK finance minister) gave an interview in which he gave an
apparently firm commitment that, while the UK government is seeking to ensure that the regulation is proportionate and
does not cause all providers to stop offering Buy Now Pay Later services, the plan to regulate it remains government
policy.25
The information below is provided based on the abovementioned draft legislation if passed as law in its current state.
Covering the draft legislation provides insight into the regulator’s intended approach to regulating Buy Now Pay Later
services. Therefore, it is important to note that the final legislation may or may not be based on the draft legislation and
may be published with modifications.
The government has stated in the draft legislation released in February 2023 that it intends to bring Buy Now Pay Later
within the regulatory perimeter. Once this happens, the FCA is set to become the regulator for Buy Now Pay Later
services.
a) Consumer Credit Act 1974 and numerous pieces of secondary legislation.
b) Financial Services and Markets Act 2000 (FSMA) and associated secondary legislation, especially the Regulated
Activities Order (RAO).
c) Various modules of the FCA Handbook, particularly CONC (Consumer Credit sourcebook), PRIN (the Principles
for Business), and DISP (which deals with complaints to the Financial Ombudsman Service).
d) Consumer Rights Act 2015 (Note: This applies irrespective of the decision on FCA regulation, and indeed, the FCA
has already acted in this area).

It is expected that consumer credit firms will (perhaps counter-intuitively) not be subjected to enumerated capital
requirements where that is their sole business. Instead, firms must have “appropriate resources,” both in order to be
authorized and on an ongoing basis. The factors the FCA is set to consider when assessing “appropriate resources”
are:
67
25. Buy now, pay later regulation NOT scrapped, says Chancellor (moneysavingexpert.com)
a) The nature and scale of the firm’s business;
b) The risks to the continuity of the services (to be) provided by the firm;
c) Where the firm is a member of a group, any effect which that membership may have;
d) The provision the firm (and its group companies, if relevant) makes in respect of liabilities;
e) The means by which the firm (and its group companies, if relevant) manages the incidence of risk in connection with
its business.
4.4. Licensing Fees

Based on the current fees for credit lenders, its is expected that Buy Now Pay Later services providers will be considered
under the same licensing category and pay the following fees.
a) Application fee: £5,000 (five thousand) (~USD 6,344).
b) Periodic fees*: For consumer credit lenders, the key measure on which the fees are based is gross annual income
from the consumer credit activities, with increasing levels of fees being triggered at various thresholds. Currently,
the highest levels of fees are levied on firms whose gross annual income from consumer credit activities exceeds
£250,000 (two fifty thousand) (~USD 317,222) per year.
c) FOS levy: This is a fee that is charged to fund the work of the FOS, an independent complaints handling service.
It is currently £35 (thirty five) plus £1.497 per £1,000 (one thousand) of gross annual income on income above
£250,000 (two fifty thousand) (~USD 317,222). In addition, there is a case fee of £750 (seven fifty) (~USD 950)
per case (with the first 3 cases per year free).
Assuming that Buy Now Pay Later services are regulated as set out above, providers will need to apply for and obtain
authorization to be a consumer credit lender.
The FCA must make a decision no later than six months after it has received a “complete” application and 12 months
after receiving an application it considers “incomplete.” The FCA will notify an applicant when the application is
complete (which is the point at which the FCA has received all the information and evidence it needs to make the
decision). It is highly inadvisable to attempt to “start the clock” on the 12 month period by knowingly submitting an
incomplete application, except where a firm can be confident that the information can be obtained rapidly if requested.
The FCA will set clear deadlines when (as is likely) it asks for additional information on the application.

Under FSMA, firms must satisfy the “threshold conditions.” One of these is that the firm can be “effectively supervised,”
and an aspect of that is that the management of the firm, as much as possible, should be based in the UK. There are
also exemptions about certain roles (e.g., most obviously, the CEO), and exceptions will be assessed on a case-by-
case basis – the FCA will regard its ability to supervise the business as the key test. There are no citizenship limitations
and, as noted, it is not strictly required that all employees (at whatever level) are resident in the UK.
68
4.7. Observations
It is unlikely that Buy Now Pay Later will be subject to the full consumer credit regime that applies to other forms of
unsecured credit. For example, it is not expected that merchants that accept payment using Buy Now Pay Later will be
required to obtain FCA authorization as credit brokers, nor is it considered likely that “connected lender liability” under
section 75 of the CCA will apply (this allows buyers of goods and services using, for example, credit cards to sue the
credit card issuer for certain breaches of contract or misrepresentations by the seller of the goods). Introducing either
change would have a major impact on the viability and economics of Buy Now Pay Later.
What is likely, however, is that Buy Now Pay Later lenders will need to carry out more detailed creditworthiness and
affordability assessments before extending credit, review and improve the clarity and prominence of their financial
promotions to potential borrowers (and in particular, be very clear about the fact that they are extending a credit line
which must be repaid) and comply with requirements relating to collection of overdue debts.
Buy Now Pay Later is a major political topic at present, given the “cost of living crisis” and its explosive growth over the
last 5+ years. It is now highly likely to be regulated in some way, but serious questions remain about the exact form and
impact of that regulation and its impact on the market.
69
CHAPTER 6
EUROPEAN UNION
Authors- Joseph F Borg (Partner WH Partners), Gaby Zammit (Managing Associate WH Partners),
Galyna Podoprikhina (Associate WH Partners)
70
ABBREVIATIONS
AIS Account Information Services
AISPs Account Information Service Providers
APIs Application Programming Interfaces
AML Anti- Money Laundering
CDD Consumer Credit Directive
EBA The European Banking Authority
EMIs Electronic Money Institutions
EEA European Economic Area
MFSA Malta Financial Services Authority
PI Payment Institutions
PIS Payment Initiation Services
SCA Strong Customer Authentication
SVFs Stored Value Facilities
TPPs Third Party Providers
SMEs Small to Medium-sized Enterprises

A. INTRODUCTION
The EU stands at the forefront of FinTech, where substantial growth and transformation are witnessed. The EU offers a
fertile ground for FinTech innovation due to its comprehensive regulatory framework and significant market potential.
This aspect is particularly crucial for higher-risk industries and SMEs, which often find conventional banking services
less accessible.
Non-cash payments through payment intermediaries are becoming increasingly popular throughout the EU as
opposed to direct cash payments. According to statistics for 2021, non-cash payments in the euro area increased by
12.5% to a total of 114.2 billion. The most popular form of non-cash payments in the EU has been card payments,
which totals 49% of non-cash payments, followed by credit transfers and direct debits, which make up 22% and 20%,
respectively.26 There are currently 724 registered and active payment institutions in the EU with the competent national
authorities. As of August 2023, there are around 500 EMIs registered in the EU.
The value of Buy Now Pay Later services grew by 292% in the EU between 2018 and 2020, particularly due to the
recent pandemic, which has impacted not only people’s financial condition but also led to a worldwide decrease in
the volume of cash transactions. Indeed, in the EU, cash purchases have decreased by 35% compared to before the
pandemic. Furthermore, the European Buy Now Pay Later market is expected to increase considerably, and by 2025,
around 11% of e-commerce purchases in the region are likely to be handled through Buy Now Pay Later services.
Deloitte estimates that by 2025, the Buy Now Pay Later market in Europe is anticipated to reach a value of €300
billion.27
B. GENERAL OVERVIEW OF THE EU’S REGULATORY FRAMEWORK

The EU has established a cohesive regulatory framework under which Member States adapt and enforce EU-wide
directives to ensure a harmonized approach to FinTech regulation, maintaining the balance between innovation
facilitation and robust consumer protection (Member’s Law).
a) Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up,
pursuit, and prudential supervision of the business of electronic money institutions amending Directives 2005/60/
EC and 2006/48/EC and repealing Directive 2000/46/EC (E-Money Directive);
b) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment
services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and
Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Payment Services Directive) (PSD2).
c) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of
the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation
(EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the
European Parliament and of the Council and Commission Directive 2006/70/EC (Directive (EU) 2015/849).
d) Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU)
2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist
financing and amending Directives 2009/138/EC and 2013/36/EU (Directive (EU) 2018/843).
e) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) which sets out the principles for data
protection in the EU (Regulation (EU) 2016/679).
26. ECB, ‘Payments Statistics: 2021’ [2022] (Link)

27. Deloitte Legal: Where Buy Now Pay Later is going in Europe (Link) 72
A Third Payment Services Directive (PSD3) and a Payment Service Regulation (PSR) are set to replace PSD2 by building
on the foundations set by the current framework while also introducing enhanced rules to cater to new technologies
in the market. Among the significant amendments that such a new framework proposes is the consolidation of the
licensing and authorization systems of PSD2 and the E-Money Directive into a newly created PSD3. Under this revised
framework, prior EMIs will fall under the payment institutions category. It is envisaged that PSD3 and PSR will start to
apply in 2026, where Member States will be required to transpose PSD3 into national law while PSR will be directly
applicable without any need for implementation.

EMIs are licensed by the competent authority in their home Member State (Member’s Financial Supervisory Authority).
Once licensed in one Member State, an EMI can use the “passporting” rights to offer its services across other EU
Member States without needing a separate license in each jurisdiction.

In the EU, SVFs are primarily regulated under the framework of the E-Money Directive and are issued by EMIs.
Electronic Money is defined as electronically (including magnetically) stored monetary value, represented by a claim
on the issuer, which is issued on receipt of funds for the purpose of making payment transactions and which is accepted
by a natural or legal person other than the electronic money issuer.

The competent authority for licensing and supervision of EMIs varies by Member State. Typically, it is the Member’s
Financial Supervisory Authority.
1) Malta:
The Malta Financial Services Authority (MFSA).
2) Lithuania:
The Bank of Lithuania.
3) Estonia:
The Estonian Financial Supervision Authority.
4) Ireland:
The Central Bank of Ireland.
5) Cyprus:
The Central Bank of Cyprus

a) E-Money Directive
b) PSD 2
c) Directive (EU) 2015/849
d) Directive (EU) 2018/843
e) GDPR
f) The Member’s Law
73
Malta:
The Financial Institutions Act (Chapter 376 of the Laws of Malta).
Estonia:
The Payment Institutions and E-Money Institutions Act.
Lithuania:
Law on Electronic Money and Electronic Money Institutions (XI-1868).

The applicant for an EMI must satisfy the minimum Initial Capital (IC) requirement of at least €350,000 (three hundred
fifty thousand) (~USD 374,178).
Additionally, EMIs must maintain their own funds, which can be calculated using one of several methods outlined in the
Directive, depending on the size and nature of their activities.
A licensed EMI is obliged to ensure that its own funds may not fall below the higher of the following:
1) The amount of IC required; or
2) 2% of the average outstanding Electronic Money.
1.5. Licensing Fees

Fees for obtaining and maintaining an EMI license vary according to the Member’s Law.
Malta Lithuania Estonia
Application and Processing €3,500 (three thousand five Total close to €25,000 (twenty-five €25,000 (twenty-five thousand)
fee hundred) (~USD 3,741) thousand) (~USD 26,725). (~USD 26,725)
State Tax Inspection of €1,500 (one

thousand five hundred) (~USD
1,603)

For obtaining an EMI license, crafting a detailed business plan is essential, delineating proposed activities, corporate
governance arrangements, market strategies, risk management frameworks, and financial projections. Establishing a
legal entity within the EEA that aligns with regulatory standards and meets minimum capital requirements is required.
The subsequent submission of a formal application to the regulatory authority in the relevant EU member state entails
providing a thorough overview of the organization, key personnel, and financial stability. A rigorous regulatory
assessment follows, including a fit and proper test for key individuals. Successful applicants receive the EMI license,
granting them the legal standing to operate as EMI. Ongoing compliance remains imperative to navigate the evolving
regulatory environment.
74
The E-Money Directive mandates that within three months of receiving a complete application, the competent authority
must grant or refuse the license.
However, the actual timeline might vary based on the complexity of the application, the practices of the Member’s
Financial Supervisory Authority, and the responsiveness of the applicant to any queries or additional information
requests from the national competent authority.

The E-Money Directive does not specify local hiring requirements. However, EMIs must have robust governance and
management structures, which might lead to hiring local experts familiar with the regulatory environment. For example,
since EMIs are subject to AML/CTF obligations, they must have a designated Money Laundering Reporting Officer
who understands local AML/CTF regulations and requirements. This being said, such a role is often filled by someone
familiar with the legislative and regulatory environment in the respective Member State.
Specific hiring requirements or incentives might be set by the Member’s Financial Supervisory Authority.
Malta:
The MFSA usually expects to have three board members with the majority being executive directors being resident
in Malta and one independent non-executive director. It also expects that certain key roles are occupied by persons
residing in Malta.
1.8. Observations
EMIs are required to have robust governance arrangements in place, including a well-defined organizational structure
with clear lines of responsibility. EMIs are also required to safeguard the funds of electronic money holders. This can
be achieved through either segregating customer funds in a separate account, obtaining an insurance policy or a bank
guarantee, or using a combination of both methods.
The pace of EMI licensing noticeably decreased in 2022. The latter can be accounted for by a number of factors,
including the fact that obtaining an EMI license might be a rather long and comprehensive process, whereas becoming
an agent or a distributor of an existing EMI is less time-consuming and complex, requiring less paperwork and
interactions with regulators.
As of March 2022, 219 firms (26%) were granted EMI authorization in the EU, with Lithuania, Germany, the
Netherlands, Sweden, and Spain being the Member States with the highest number of new entrants. Nevertheless,
Malta and Luxembourg also stand out since the latter two countries have a high ratio of registered EMIs to population
in contrast to other Member States. The majority of EMIs in Malta are privately owned with low initial start-up capital
investment, just enough to meet the requirements of the European regulations that stipulate a minimum paid-up capital
of €350,000 (three hundred fifty thousand) (USD 374,428).
Since the beginning of 2023, specifically with the approval and subsequent entrance into force of the EU Markets in
Crypto-Assets Regulation (MiCA), the number of EMI licensing applications has considerably increased. As of August
2023, there are around 500 EMIs registered in the EU.
75
Stored Value Facilities
Regulation Status Regulated
At least 3 months upon submission of a

Licensing Timelines
complete application
Number of Licensed Entities Around 500 EMIs registered in the EU
Local Hiring Requirements Depends on The Member’s Law.
License Application Fees Depends on The Member’s Law.
Capital Requirements €350,000 (three fifty thousand) (~USD 374,178).

Payment institutions (PI) are required to fulfill various requirements, including enhanced levels of payment security
pursuant to the PSD2.

PI must be licensed to carry out their services by the Member’s Financial Supervisory Authority and satisfy the
requirements imposed by PSD2 and the Member’s Law. Payment intermediaries will also be subject to AML/CTF
obligations set out in the EU’S Directives, which have been transposed in each of the Member States, as well as the
directly applicable principles of the GDPR.


a) PSD2
b) Directive (EU) 2018/843
c) Directive (EU) 2015/849
d) GDPR
e) Member’s Law
Malta:
The Financial Institutions Act (Chapter 376, Laws of Malta) and the Financial Institutions Rules which together transpose
PSD2. The Financial Institutions Rules applicable to payment intermediaries are:
a) FIR/01/2022 on the application procedures and requirements for authorization under the Financial Institutions
Act 1994, with accompanying Annex 1 on the information required from applicants for authorization as payment
institutions, Annex 2 on the information required from applicants for authorization as Account Information Service
Providers (AISPs), and Annex IV on the criteria on how to stipulate the minimum monetary amount of the professional
indemnity insurance or other comparable guarantees; and
76
b) FIR/02/2020 on the supervisory and regulatory requirements of institutions authorized under the Financial
Institutions Act 199.
Cyprus:
In Cyprus, the main legislative text is The Provision and Use of Payment Services and Access to Payment Systems
Laws of 2018 to 2023, which transposes PSD2 and lays down provisions regulating transparency conditions and
requirements for payment services, rights and obligations of payment service users and PSPs, as well as on the granting
of authorization, operation, and supervision of payment institutions.
Ireland:
In Ireland, the main legislative text transposing PSD2 and regulating payment intermediaries is the European Union
(Payment Services) Regulations 2018.

Payment intermediaries are required to hold an IC, which shall be maintained throughout the entirety of the licensable
period.
Where the payment intermediary provides any of the services listed in paragraphs 1-5 of Annex I of PSD2, a capital
of at least €125,000 (one hundred and twenty-five thousand) (~USD 133,629).
At all times, the funds of the payment intermediary must not fall below the established initial capital. The capital must
be paid up capital and reserves.
2.5. Licensing Fees

Fees vary according to the Member’s Law.
Malta:
For Malta, the application and processing fee is €3,500 (three thousand five hundred) (~USD 3,741), while the annual
supervision fee is 0.0002 x Total Assets of the year immediately preceding the year when the fee is payable, which
shall not be less than €2,500 (two thousand five hundred) (~ USD 2,672).
Cyprus:
In Cyprus, there is a €5,000 (five thousand) (~USD 5,345) fee, which must be paid at the time of submitting an
application for authorization to operate as a payment institution with the Central Bank of Cyprus. If an authorized
institution applies for registration in the register only, a fee of €500 is applicable. Furthermore, if an authorized
institution wishes to apply to extend its existing operating authorization to include any additional services, a €1,000
(one thousand) (~USD 1,069) (fee is to be paid for each additional service requested.
Ireland:
In Ireland, applying for a license with the Central Bank of Ireland is free; however, there are applicable supervisory
fees, which are set out in a fee schedule.
PSD2 requires the competent national authorities to determine applications within 3 months of receipt.
Malta:
In Malta, the MFSA is also bound by the Financial Institutions Act to decide on applications within 3 months for
complete applications, and in any case, not longer than 6 months from initial receipt when changes are required after
initial submission.
77
However, the time can vary based on several factors, including the complexity of the application, the completeness
of the information provided, and the responsiveness of the applicant to any queries or additional information requests
from the MFSA.
Cyprus:
In Cyprus, the Central Bank of Cyprus commits to delivering a decision on an application within 3 months should an
application be complete.
Ireland:
In Ireland, the application process can take up to 4 months. The most time-consuming phase is the Assessment Phase,
which is the 3rd stage of the process, which can take up to 90 working days.

Hiring requirements are set out by the Member’s Law.
Malta:
In Malta, the Financial Institutions Act requires that there should be at least three individuals from Malta effectively
directing the institution, with the majority being executive Malta resident directors. The MFSA must also be satisfied that
the institution has sound and prudent management and robust governance arrangements.
Cyprus:
Similarly, in Cyprus, applicants must satisfy certain operational requirements, including a strong and effective
management structure composed of a Board of Directors and a clear organizational structure that ensures adequate
oversight and risk management.
3. Open Banking
Open banking came into force in 2018, and in 2020, it has already hit the milestone of 12.2 million users being
estimated to be using open banking technology in Europe. The latter figure is expected to reach 63.8 million by
3.1 Relevant Licenses
In the EU, open banking primarily falls under the context of PSD2, which mandates banks to provide access to their
customers’ accounts to TPPs (with the customer’s consent) through APIs. This is often referred to as the “Access to
Accounts” (XS2A) rule. TPPs are entities that offer either AIS, PIS, or both.
a) The European Banking Authority (EBA)

b) The Member’s Financial Supervisory Authority
Malta:
The competent authority is the Malta Financial Services Authority.
Greece:
The competent authority is the Bank of Greece.
Latvia:
The Financial and Capital Market Commission.
78
Directive (EU) 2015/2366
a) Regulation (EU) 2016/679
b) Member’s Law

a) For PIS Payment Initiation Service Providers: Initial Capital of €50,000.
b) For AIS Account Information Service Providers: No Initial Capital is required; however, a professional indemnity
insurance is required or a comparable guarantee against liability arising from professional negligence.
The above requirements can vary based on the specific services offered and the risk associated with them.
3.5. Licensing Fees

The applicable fees vary according to the Member’s Law.

The process for obtaining a license involves submitting a comprehensive application detailing the company’s operations,
risk management, and compliance measures. The application is reviewed by the relevant regulator. It is crucial to
demonstrate robust consumer protection, data security, and anti-money laundering practices. Ongoing compliance
with EU regulations is mandatory, and failure to comply may result in license revocation.
Generally, the Member’s Financial Supervisory Authority has three months from the receipt of the application to grant
or decline a TPP license.
However, the actual timeline might vary based on the complexity of the application, the practices of the national
competent authority, and the responsiveness of the applicant to any queries or additional information requests from
the national competent authority.
There is no specific EU-wide mandate for local hiring. However, some Member States might have requirements or
preferences for having a physical presence or local representatives in their jurisdiction.
Malta:
The MFSA in Malta usually expects to have three board members, with the majority being residents of Malta and
one independent non-executive director.
3.8. Observations
It is important to note that while PSD2 provides a harmonized framework since such harmonization is partial, there can
be variations in how it is implemented in each Member State. TPPs must be authorized or registered by the competent
authorities in their home Member State to provide their services.
PSD2 also introduced requirements for SCA to enhance the security of electronic payments. This means that electronic
payments are subject to at least two forms of authentication from the user.
79
Open Banking
Regulation Status Regulated
Licensing Timelines Depends on the Member’s Law
Number of Licensed Entities Not Disclosed
Local Hiring Requirements Depends on the Member’s Law
License Application Fees Depends on The Member’s Law.
Capital Requirements Depends on the Member’s Law

Buy Now Pay Later services may fall under either the credit institution’s regulatory framework or the payment institution’s
regulatory framework, depending on the activities the Buy Now Pay Later service provider intends to provide.

a) EBA; and
b) Member’s Law
Netherlands:
The main financial regulatory authority is the Dutch Authority for the Financial Markets.
Luxembourg:
Buy Now Pay Later providers may need to comply with the regulations of the Commission de Surveillance du Secteur
Financier.
4.3. Relevant Governing laws and regulations
a) Some of the key legislations and regulatory frameworks that regulate credit institutions in the EU include:
i) Capital Requirements Regulation (CRR) and Capital Requirements Directive (CRD IV), which set out the
capital requirements that credit institutions must maintain to ensure their stability and protect depositors.
They implement the Basel III framework in the EU.
ii) Bank Recovery and Resolution Directive (BRRD), which outlines the EU’S framework for the recovery and
resolution of failing credit institutions. It aims to minimize the impact of bank failures on financial stability
and taxpayers.
iii) Deposit Guarantee Schemes Directive (DGSD), which establishes the requirements for national deposit
guarantee schemes in the EU, ensuring that depositors’ funds are protected up to a certain limit in case a
bank fails.
80
iv) Consumer Credit Directive (CCD) aims to ensure consumer protection when they take on credit. The
regulations of individual European Union countries provide exceptions to the application of consumer
credit regulations, in particular for free loans, insignificant amounts of loans, or loans granted for short
periods.
b) There are certain instances established by the PSD2 whereby an entity aiming to provide Buy Now Pay Later
services may provide such services by holding a payment institution license instead of a credit institution license,
which is subject to less stricter requirements.
c) Pursuant to Article 4 of the PSD2, payment institutions may grant credit relating to the following payment services:
execution of payment transactions where the funds are covered by a credit line for a payment service user and
issuing of payment instruments and/or acquiring of payment transactions; however, only if all of the following
conditions are met:
i) The credit shall be ancillary and granted exclusively in connection with the execution of a payment transaction;
ii) Notwithstanding national rules on providing credit by credit cards, the credit granted in connection with a
payment and executed in accordance with the PSD2 shall be repaid within a short period, which shall in no
case exceed 12 months;
iii) Such credit shall not be granted from the funds received or held for the purpose of executing a payment
transaction;;
iv) The own funds of the payment institution shall, at all times and to the satisfaction of the supervisory authorities,
be appropriate in view of the overall amount of credit granted.
d) The Member’s Law.
Netherlands:
Providers of Buy Now Pay Later products are generally unregulated and do not require a license, but the CCD has
been implemented in both the Dutch Civil Code and the Dutch Financial Supervision Act.
Luxembourg:
The CCD has been transposed through the Consumer Code.
Specific capital requirements would depend on the nature of the Buy Now Pay Later service and whether it is classified
under a particular category of financial institution in the EU or individual Member States
a) In the case of credit institutions, their capital requirements are primarily governed by the CRR and CRD IV. The CRR
establishes minimum capital requirements, including a Common Equity Tier 1 (CET1) capital requirement, a tier 1
capital requirement, and a total capital requirement. These requirements are expressed as a percentage of a credit
institution’s Risk-Weighted Assets (RWAs). It is important to note that the specific capital requirements can vary for
each credit institution and depend on factors such as the institution’s size, complexity, and risk profile. Additionally,
national supervisory authorities may have the discretion to set additional capital requirements or provide guidance
tailored to the specific circumstances of individual credit institutions.
b) In the case of payment intermediaries, they are required to hold an initial capital, which shall be maintained
throughout the entirety of the licensable period as follows:
81
i) where the payment intermediary provides only money remittance payment services, a capital of at least
€20,000 (twenty thousand) (USD 21,380);
ii) where the payment intermediary provides only payment initiation services, a capital of at least €50,000 (fifty
thousand) (USD 53,451); and
iii) where the payment intermediary provides any of the services listed in paragraphs 1-5 of Annex I of PSD2, a
capital of at least €125,000 (one hundred twenty five thousand) (USD 133,629).
At all times, the funds of the payment intermediary must not fall below the established IC. The capital must be paid up
capital and reserves.
4.5. Licensing Fees

The applicable fees for a Buy Now Pay Later license vary according to the Member’s Law and the specific nature of
the Buy Now Pay Later service being offered.

The process for obtaining a license involves submitting a comprehensive application detailing the company’s operations,
risk management, and compliance measures. The application is reviewed by the relevant regulator. It is crucial to
demonstrate robust consumer protection, data security, and anti-money laundering practices. Ongoing compliance
with EU regulations is mandatory, and failure to comply may result in license revocation. The timeline for regulatory
approval or compliance checks would vary based according to the Member’s Law and the specific nature of the Buy
Now Pay Later service.

Specific hiring or staffing requirements for financial institutions or Buy Now Pay Later services would depend on the
Member’s Law and the specific nature of the Buy Now Pay Later service.
4.8. Observations
Buy Now Pay Later products distinguish themselves from typical credit products, such as online loans and credit cards,
by virtue of their uncomplicated activation process, which does not necessitate the submission of extensive personal
information. Furthermore, Buy Now Pay Later seamlessly integrates into the merchant’s purchasing process.
While adhering to the comprehensive criteria established by the CCR serves as the primary foundation for safeguarding
consumers, it can simultaneously result in a dissimilar purchasing experience when compared to Buy Now Pay Later
products in terms of user-friendliness, simplicity, and integration with the e-commerce process. Consequently, this
variance is why certain Buy Now Pay Later products are occasionally presented as non-consumer credit options, a
possibility typically applicable only in specific scenarios, such as low-value or interest-free credit arrangements.
The regulations within individual EU Member States include provisions for exceptions to the enforcement of consumer
credit rules, specifically for instances involving free loans, small loan amounts, or loans with short durations. These
exceptions are observed in countries like Poland, Austria, Cyprus, Luxembourg and Italy. However, in practice, these
exceptions are utilized by entities that prioritize enhancing the customer experience and fostering product innovation
over adhering to formal mechanisms designed to shield consumers from excessive debt.
82
The forthcoming revision of the CCR entails that free loans will cease to be exempt from consumer credit regulations.
This implies that around 2024, when the intended changes are anticipated to take effect, numerous Buy Now Pay Later
products that have not hitherto been subject to regulations designed to safeguard consumers from becoming overly
indebted will necessitate significant restructuring.
In practice, however, they are used by those players who seemingly prefer a better customer experience and product
innovation over formal mechanisms to protect the consumer from over-indebtedness. The planned amendment to the
CDD provides that free loans will no longer be exempt from the regime of consumer credit regulations. This means that,
from approximately 2024, when the changes are expected to come into force, many Buy Now Pay Later products that
have not yet had to comply with regulations aimed at protecting the consumer from over-indebtedness will have to be
fundamentally rebuilt, and it is possible that we will no longer see them in their current form.
83
EXECUTIVE SUMMARY
This comprehensive report provides an in-depth comparative analysis of the FinTech regulatory
environments across the UAE, KSA, Bahrain, EU, UK, and Turkey, highlighting the unique regulatory
landscapes that shape the growth and dynamics of the FinTech sector in each jurisdiction.
In the UAE, the fusion of innovative FinTech services with supportive regulatory policies has created
a vibrant ecosystem for digital finance. KSA and Bahrain are rapidly catching up, with governments
playing a pivotal role in fostering FinTech innovation through strategic partnerships and regulatory
sandboxes. The EU and UK, with their robust and sophisticated financial markets, demonstrate
a commitment to regulating FinTech in a way that ensures consumer protection while fostering
innovation, particularly evident in their approaches to open banking and data privacy. Turkey’s
FinTech landscape, though less mature, shows immense potential, driven by a strong entrepreneurial
culture and a regulatory environment that is increasingly adapting to support FinTech growth.
The report delves into how these jurisdictions are tackling key challenges, such as ensuring cybersecurity,
maintaining financial stability, and protecting consumer rights in the digital age. It also discusses the
impact of emerging technologies like blockchain and artificial intelligence on the FinTech sector and
how regulations are evolving in response. The analysis underscores the importance of regulatory
agility and cross-border collaboration in fostering a conducive environment for FinTech innovation.
As the FinTech industry continues to evolve, this report serves as a crucial guide for stakeholders
looking to understand the diverse regulatory frameworks and market dynamics across these key
global jurisdictions. It offers valuable insights into the opportunities and risks presented by the FinTech
revolution, providing a strategic perspective on navigating the complexities of this rapidly changing
landscape.
84
KARM LEGAL CONSULTANTS
Contact us at admin@karmadv.com or visit us at www.karmadv.com

Fintech UAE SAUDI ARABIA TURKEY UK EU BAHRAIN Compass

Uploaded by

Copyright:

Available Formats

You might also like

Fintech UAE SAUDI ARABIA TURKEY UK EU BAHRAIN Compass

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fintech UAE SAUDI ARABIA TURKEY UK EU BAHRAIN Compass

Uploaded by

Copyright:

Available Formats

KARM LEGAL CONSULTANTS

UAE SAUDI ARABIA TURKEY UK EU BAHRAIN

FINTECH IN THE UNITED ARAB EMIRATES​ 3

B. GENERAL OVERVIEW OF THE UAE’S REGULATORY FRAMEWORK​ 5

C. MAINLAND – CENTRAL BANK OF THE UAE​ 6

2.​Acquiring And Payment Aggregation​ 8

4.​Buy Now Pay Later​ 11

2.​Acquiring And Payment Aggregation​ 15

4.​Buy Now Pay Later​ 19

1. ​Stored Value Facilities​ 20

2. Acquiring And Payment Aggregation​ 23

4..​Buy Now Pay Later​ 25

FINTECH IN THE KINGDOM OF SAUDI ARABIA​ 28

B. GENERAL OVERVIEW OF KSA’S REGULATORY FRAMEWORK​ 30

1. Stored Value Facilities​ 31

2.​Acquiring And Payment Aggregation​ 34

4.​Buy Now Pay Later​ 36

FINTECH IN THE KINGDOM OF BAHRAIN​ 40

B. GENERAL OVERVIEW OF BAHRAIN’S REGULATORY FRAMEWORK​ 42

1.​Stored Value Facilities 43

2. Acquiring And Payment Aggregation​ 45

4.​Buy Now Pay Later​ 47

B. GENERAL OVERVIEW OF TURKEY’S REGULATORY FRAMEWORK​ 51

2.​Acquiring And Payment Aggregation​ 54

4.​Buy Now Pay Later​ 56

FINTECH IN THE UNITED KINGDOM​ 58

B. GENERAL OVERVIEW OF UK’s REGULATORY FRAMEWORK 60

1.​Stored Value Facilities 60

2.​Acquiring And Payment Aggregation​ 63

4.​Buy Now Pay Later 67

FINTECH IN THE EUROPEAN UNION​ 70

B. GENERAL OVERVIEW OF EU’S REGULATORY FRAMEWORK​ 72

1.​Stored Value Facilities 73

1 The United Arab Emirates (UAE) 4 Kingdom of Bahrain (Bahrain)

2 Kingdom of Saudi Arabia (KSA) 5 European Union (EU)

3 United Kingdom (UK) 6 Republic of Turkey (Turkey)

1. Stored Value Facilities

- TEAM KARM LEGAL

I wish Team KARM the very best.

DIFC Dubai International Financial Centre

DFSA Dubai Financial Services Authority

ADGM Abu Dhabi Global Market

FSRA Financial Services Regulatory Authority

PSP Payment Service Provider

PISP Payment Information Service Provider

AISP Account Initiation Service Provider

BNPL Buy Now Pay Later

FinTech Financial Technology

MENA Middle East and North Africa

GCC Gulf Cooperation Council

GFIN Global Financial Innovation Network

AML Anti-Money Laundering

CTF Counter Terrorism Financing

AED United Arab Emirates Dirham

CAGR Compound Annual Growth Rate

CEO Chief Executive Officer

AMF Arab Monetary Fund

UAE United Arab Emirates

MLRO Money Laundering Reporting Officer

FINTECH IN THE UNITED ARAB EMIRATES 3

B. GENERAL OVERVIEW OF THE UAE’S REGULATORY FRAMEWORK 5

C. MAINLAND – CENTRAL BANK OF THE UAE 6

2.Acquiring And Payment Aggregation 8

4.Buy Now Pay Later 11

2.Acquiring And Payment Aggregation 15

4.Buy Now Pay Later 19

1. Stored Value Facilities 20

2. Acquiring And Payment Aggregation 23

4..Buy Now Pay Later 25

FINTECH IN THE KINGDOM OF SAUDI ARABIA 28

B. GENERAL OVERVIEW OF KSA’S REGULATORY FRAMEWORK 30

1. Stored Value Facilities 31

2.Acquiring And Payment Aggregation 34

4.Buy Now Pay Later 36

FINTECH IN THE KINGDOM OF BAHRAIN 40

B. GENERAL OVERVIEW OF BAHRAIN’S REGULATORY FRAMEWORK 42

1.Stored Value Facilities 43

2. Acquiring And Payment Aggregation 45

4.Buy Now Pay Later 47

B. GENERAL OVERVIEW OF TURKEY’S REGULATORY FRAMEWORK 51

2.Acquiring And Payment Aggregation 54

4.Buy Now Pay Later 56

FINTECH IN THE UNITED KINGDOM 58

1.Stored Value Facilities 60

2.Acquiring And Payment Aggregation 63

4.Buy Now Pay Later 67

FINTECH IN THE EUROPEAN UNION 70

B. GENERAL OVERVIEW OF EU’S REGULATORY FRAMEWORK 72

1.Stored Value Facilities 73