REGULATORY GOVERNANCE OF BLOCKCHAIN-BASED LOYALTY PROGRAMS IN THE UAE
Please read our first article on the overview and growth of loyalty programs here.
- Providers who wish to offer crypto assets (or related services) must be incorporated on-shore within the UAE or within one of the UAE’s financial free zones and must be licensed by SCA.
- The Stored Value Facilities (SVF) govern loyalty programs and reward points.
- Based on SCA Crypto Regulation, SVF involving crypto-assets and activities related to them will be regulated exclusively by CBUAE under the SVF Regulation.
- Under SCA, once the loyalty scheme coins are listed and made available for trading, these Commodity Tokens shall be treated as Regulated Commodity Tokens.
- The guidance on regulations of virtual asset activities in ADGM financial free zone states that the Virtual Asset Framework is not intended to apply to a loyalty points scheme denominated in virtual assets.
Regulatory Authorities on Crypto Assets in UAE
Providers who wish to offer crypto assets (or related services) must be incorporated on-shore within the UAE or within one of the UAE’s financial free zones. Licensees may ‘passport’ the listing of crypto assets on one or more crypto exchanges. Providers who wish to offer crypto assets within the UAE must be licensed by the SCA. As a part of that process, applicants must demonstrate strict compliance with the UAE’s anti-money laundering and counter-terrorism financing laws, cyber security compliance standards and data protection regulations.
Regulators in onshore UAE:
- UAE Central Bank (“Central Bank”) if the assets are to deemed as currency
- UAE Securities and Commodities Authority (“SCA”) if the assets are deemed to be stocks
Regulators in Financial Free Zones:
- Dubai Financial Services Authority (“DFSA”) in Dubai International Financial Centre (“DIFC”)
- Financial Services Regulatory Authority (“FSRA”) in Abu Dhabi Global Markets (“ADGM”)
The guidance on regulations of virtual asset activities in ADGM states that the Virtual Asset Framework is not intended to apply to a loyalty points scheme denominated in virtual assets.
Stored Value Facilities (SVF) Regulations for Loyalty Programs under CBUAE
Loyalty programs and reward points fall under Stored Value Facilities (SVF) Regulation which governs the digital payments in the UAE.
SVF is defined as any non-cash facility whereby a person pays, directly or indirectly, a sum of money or “Money’s Worth” (which is defined as including values, reward points, Crypto-Assets, or Virtual Assets) to the issuer in exchange for storage of the value of that money or Money’s Worth, whether in whole or in part, and the issuer undertakes that upon the use of the facility by the person as a means for payment for goods and services (which may be or include money or Money’s Worth) or payment to another person, the issuer, or a third party that the issuer has procured to do so, will: (i) supply the goods or services; (ii) make payment for the goods or services; or (ii) make payment to the other person, or as the case requires.
A single licence type, an “SVF Licence”, must be obtained by any person who wishes to issue or operate an SVF in the UAE, unless an exemption applies.
Based on the draft provisions of the SCA Crypto Regulation, it appears that SVF involving crypto-assets and activities related to them (such as fiat/crypto exchange related to the operation of an SVF) will be regulated exclusively by CBUAE under the SVF Regulation.
Exemptions to SVF Regulation
Central Bank of UAE (CBUAE) is granted discretion to exempt SVFs upon application by an issuer based on the risk the SVF poses to customers, customer funds, and the UAE financial system. The SVF regulation lists the following five categories of SVF that CBUAE may exempt from the licensing requirement:
- SVFs used for certain cash reward schemes such as loyalty schemes provided by shops and supermarkets which offer cash rewards for customer loyalty.
- SVFs used for certain bonus point schemes such as airline mileage programs and customer loyalty schemes that provide non-cash points to customers to reward their patronage and where those points and value stored is not cash-redeemable.
- SVFs that can only be used within a limited group of goods or service providers — i.e., SVFs that may be used as a means of making payments only for goods or services provided by the issuer or a person who provides the goods or services under an agreement with the issuer.
- SVFs in respect of which: (i) the aggregate amount of customer funds/money/Money’s Worth held by the issuer does not exceed half a million Dirham (AED 500,000) or its equivalent; and (ii) the aggregate number of customers is not more than 100. Note that only issuers who participate in the CBUAE FinTech regulatory sandbox may apply for this exemption.
SVF Licensing Process
Applicants must obtain an application form from the Licensing Division of CBUAE. The SVF Regulation provides that the senior management of the applicant is “strongly encouraged” to meet with CBUAE and discuss the applicant’s business plan prior to submitting an application. Further, face-to-face meetings with senior management may also be conducted as part of the application process.
The completed application form must be submitted to CBUAE along with the required supporting documents set out in the Annex of this document. These required documents include a report that must be prepared on behalf of the applicant by an independent assessor evidencing the applicant’s compliance with the SVF Regulation’s detailed requirements. The independent assessor cannot be involved in the operations to be reviewed, or in selecting, or implementing the relevant control measures to be reviewed.
CBUAE will inform the applicant in writing once the application is considered complete and processing of the application will begin. The SVF Regulation includes no statutory timeframe for determining a completed application, and CBUAE may request further information whereupon application will be deemed suspended until the requested information is provided. If an application is suspended for six months or more for any reason, a new application will generally be required.
CBUAE may grant an SVF Licence with or without conditions. Conditions attached to a licence may include, among others, additional capital requirements, business restrictions on the licensee, requirements relating to safeguarding of customer funds, and restrictions as to the maximum amount of value that may be stored on an SVF.
Requirements for SVF License Holders
Principal business and financial resources requirements: A licensee’s principal business must be the issue of SVF. Licensees wishing to conduct secondary or ancillary businesses must seek prior approval from CBUAE. The SVF Regulation also stipulates minimum capital requirements for licensees of, in summary: (i) paid-up capital of at least 15 million Dirham (AED15 million) or an equivalent amount in any other currency approved by the Central Bank; and (ii) eligible capital equal to at least 5% of the total customer funds held by the licensee.
Corporate governance requirements: A licensee must demonstrate that it has appropriate policies and procedures to ensure effective decision-making and proper risk management, commensurate with the scale and complexity of its business. Specific requirements include having a clear organisational structure, implementing an employee code of conduct, conducting appropriate due diligence and obtaining CBUAE approval before outsourcing activities.
Information and accounting systems: A licensee must implement robust information and accounting systems to: (i) record all business activities in a timely and accurate manner; (ii) provide quality management information to enable effective and efficient management of business and operations; and (iii) maintain an appropriate audit trail to demonstrate the effectiveness of controls. The licensee must also have in place adequate data protection policies, measures, and procedures to protect its information (particularly customer data) from unauthorised access, retrieval, tampering, and misuse. In particular, a licensee must store all customer data (including customer identification and transaction records) in the UAE for a minimum of five years.
SCA Crypto Assets Regulation — Loyalty Schemes as Commodity Tokens
The SCA Crypto Assets Regulation defines loyalty schemes as a program for the issuance of Commodity Tokens as a reward for purchases of consumer products and/or services which may only be exchanged or redeemed in the following cases:
A) In return for consumer commodities and/or services (not including other Crypto Assets or money) from the operator of the scheme or its Related Parties;
B) In return for consumer commodities and/or services (not including other Crypto Assets or money) from a person with whom the operator of the scheme or its Related Parties have entered into arrangements to redeem the commodity tokens;
C) To credit the balance of Commodity Tokens of another person participating in the relevant reward scheme (whether or not the transferee has agreed to receive value for such transfer outside of the transfer facility).
The information in the next section regarding the required information for listing a crypto asset shall not apply to Loyalty Schemes, unless approved or registered for listing under Article (17) of the Regulation, which covers listing of a crypto asset on a crypto asset exchange.
Once they are listed and made available for trading, these Commodity Tokens issued under Article (11) of this Chapter shall be treated as Regulated Commodity Tokens under this Regulation.
SCA Crypto Assets Regulation — Conditions to List on Crypto Exchange
In order to obtain the Authority’s approval for listing a Crypto Asset and making it available for trading on the Crypto Asset Exchange, the offering person shall meet the following conditions:
1) Provide the Authority with Offer Documentation, provided that it meets the requirements of the Commodity Tokens under this Regulation.
2) Appoint a Crypto Asset Custodian, unless the Authority decides that custody arrangements in respect of the relevant Crypto Asset are not required based on a justified request by the offering person.
3) Disclose to investors all fees and commissions related to listing of the Crypto Assets on the Crypto Asset Exchange.
4) Meet the requirements stipulated in Article (17) of this Regulation.
SCA Crypto Assets Regulation — Article 17
In order to list the Crypto Asset on the Crypto Asset Exchange, the following conditions shall be met:
1) Demonstrating the classification of the Crypto Assets and satisfaction of the applicable requirements in this regard under this Regulation.
2) Fulfilment of any requirements in respect of trading of the Crypto Asset and provision of the adequate guarantees for materialising that.
3) The listing application shall be submitted to the Authority, accompanied by the following information and data:
A) Initial and on-going criteria for selection of the Crypto Asset for listing and trading on its platform;
B) The type and details of the relevant distributed ledger technology and/or protocol used;
C) Any fees or other compensation paid by the issuer, promoter, or sponsor of the Crypto Asset or any third party to the Crypto Asset Exchange Operator in exchange for such listing;
D) Any hacking vulnerabilities of the technology underlying the Crypto Assets; and
E) The traceability of the crypto assets and ability to apply the Controls of combating money laundering and terrorism financing crimes.
4) Demonstrating the applicant connection with the Crypto Asset, and details of the principals or issuing developers behind the Crypto Asset, and its ability to continue to fulfil the requirements of the listing and trading of the Crypto Asset in accordance with the provisions of this Regulation.
SCA Crypto Assets Regulation — Onshore Cloud Computing and Data
Service providers must locate computer systems (or cloud computing facilities) onshore within the UAE using international standards. Typically, this will entail service providers (or their subcontractors) being able to demonstrate compliance, at the very least with ISO9001 and ISO27001 and cybersecurity standards laid down by the UAE’s Federal Government.
In the case of service providers who use offshore servers or public cloud facilities to encrypt, store, process or transfer crypto assets, or personal data, the SCA’s Decision requires such providers to utilise onshore cloud computing services to provide parallel backup and disaster recovery facilities.
Employees and Subcontractors: Licensees may appoint subcontractors but will bear the risks and liabilities stemming from any breach of the Decision committed by their subcontractors. For this reason, the SCA’s Decision requires licensees and their subcontracts to formulate a detailed service level agreement spelling out the division of responsibilities between both parties relating to cyber security and data protection.
Regulation of Security Tokens Under DFSA
On 29th March 2021, DFSA has published its Framework for Regulating Security Tokens for public comments, in the form of a consultation paper (Consultation Paper no. 138).
An issuer of Securities (e.g. Shares, Debentures and Warrants) is required to have a Prospectus meeting the DFSA requirements in the Markets Law, and if it is a Unit, a Prospectus under the Collective Investment Law for:
a) making an offer of its Securities to the public; or
b) admitting their Securities to the Official List of Securities (maintained by the DFSA) and, to trading on an AMI.
A prospectus for public offer, or listing and trading, must contain certain disclosures specified in the MKT module (and if a Fund, in the CIR module), and be approved by the DFSA. The prospectus disclosure is designed so that prospective investors in Securities have sufficient information to make an informed assessment of the assets and liabilities, financial position, profits and losses, and prospects of the issuer and any guarantor, and the nature of the Securities and the rights and liabilities attaching to the relevant securities.
Regulation of Security Tokens Under DFSA
Tokens admitted to trading, should include in their offer documents the following disclosure:
a) the type of rights and interests attaching to the Security Tokens offered
b) if a Security Token referred to in raises capital to create a new type of crypto asset, using the capital from investors
Prospectus for the offer to the public of, or for admission to trading on a facility for Security Tokens, needs to include the following information and sign-offs:
a) the nature of the DLT, or similar technology, application that is being used;
b) whether the Security Tokens are to be listed and traded on a facility, details relating to the facility, and who is responsible for the operation of that facility
c) the manner in which, and by whom, Security Tokens are to be held
d) how the evidence of title to Security Tokens will be established/certified/evidenced;
e) issues relating to governance of the technology underlying the Securities Token;
f) cyber-attack risks, and the possible loss of Security Tokens and how they can be mitigated;
g) any other information that would enable investors to make an informed judgement about investing in the Security Tokens offered;
h) a sign-off by a technology expert of the authenticity, validity and workability of the technology being used to meet the obligations relating to the offer of Security Tokens
Read the first part of our article on overview and growth of loyalty programs in the UAE here.