Skip to content 
Retail payment services have undergone a major transformation in the United Arab Emirates in recent years, propelled by digitalisation and evolving consumer expectations. In mid-2021, the Central Bank of the UAE, or CBUAE, introduced its Retail Payment Services and Card Schemes (RPSCS) Regulation, which includes the PSP and card license. This regime set out new licensing categories and capital thresholds for providers of payment services, aiming to balance innovation with robust consumer safeguards. Companies that issue payment instruments, manage merchant acquiring, or handle fund transfers, among other services, now operate under clear guidelines. The CBUAE’s intent is to modernise the national payments environment, reduce friction for users, and establish the UAE as a global hub for advanced payment solutions.
In this article, we explore the RPSCS framework in detail. We discuss the categories of licenses available, the definitions behind “payment accounts” and “stored value,” and how token-like instruments fit into the CBUAE’s rules. We also explain which businesses need a CBUAE PSP and card license, addressing capital requirements, the potential synergy with other regulated services, and the practical steps to obtaining permission from the Central Bank. By the end, you will gain a thorough overview of how the UAE’s central regulator envisions a streamlined, dynamic payment ecosystem that still upholds strong risk management and consumer protection.
Do you need a CBUAE PSP and card license for retail payment services?
Yes. Any business or platform that provides retail payment services to users in the UAE typically must hold a PSP and card license from the CBUAE. That includes offering payment accounts for daily spending, issuing stored-value e-wallets, or acquiring merchants so they can accept cards or digital payments. The financial free zones, DIFC and ADGM, have their own regulations for certain money services, but those mostly address B2B or cross-border contexts.
Banks that already have a CBUAE PSP and card license can notify the central bank if they intend to add new payment offerings, but they do not need an additional license in many cases. Non-banks, however, must apply for the RPSCS licence that matches their intended scope.
The impetus for the RPSCS regulation
Before 2021, retail payment service providers in the UAE operated in a less uniform environment, with partial guidelines from various laws and onshore–free zone distinctions. Realising the importance of digital payments for economic growth, the CBUAE introduced the Retail Payment Services and Card Schemes (RPSCS) Regulation on 15th July 2021. Existing businesses had a one-year transitional period to comply, either adjusting to new rules or seeking fresh licences.
The central objectives of the RPSCS framework include:
1: Enhancing safety in the digital payments space, reducing risk for everyday users.
2: Allowing financial service companies and fintechs to enter retail payment services.
3: Promoting a level playing field so that large institutions and agile startups can both innovate effectively.
4: Adopting a risk-based licensing approach that links each service category to capital obligations and relevant oversight.
5: Positioning the UAE as a leading regional and international payment hub, attracting cross-border solutions and advanced technologies.
Because of these goals, the RPSCS regulation takes a forward-thinking stance, allowing new forms of value exchange and stablecoins while also requiring the robust governance that the Central Bank deems necessary for systemic stability.
Our working hours: Monday to Friday, 9 AM – 6 PM GMT+4
Categories of RPSCS licenses
The categories range from limited payment services, such as account information or payment initiation, up to advanced cross-border fund transfers and payment token issuance.
Category IV
Firms in this bracket can offer:
- Payment Initiation Services.
- Payment Account Information Services.
These are relatively low-risk services. Payment initiation might, for example, let a user authorise a merchant to withdraw funds from their bank account, while account information means consolidating data from multiple bank accounts for the user. Because these do not generally store or handle money, the capital obligations are lesser.
Category III
This licence covers:
- Payment Account Issuance Services
- Payment Instrument Issuance Services
- Merchant Acquiring Services
- Payment Aggregation Services
- Domestic Fund Transfer Services
Category III participants can provide more direct involvement in money flow. Merchant acquiring, for instance, means signing up merchants to accept card or digital payments, collecting funds from payers and settling them with the merchant. Because these tasks carry higher liability, the capital thresholds rise accordingly.
Category II
Holders of this licence can carry out all services from Category III plus:
- Cross-border Fund Transfer Services
They can handle local and international remittances or money movements. Since cross-border activity entails additional compliance, such as anti-money laundering checks, Category II demands a higher capital and more scrutiny.
Category I
This is the most comprehensive licence, covering:
- Payment Account Issuance Services
- Payment Instrument Issuance Services
- Merchant Acquiring Services
- Payment Aggregation Services
- Domestic Fund Transfer Services
- Cross-border Fund Transfer Services
- Payment Token Services
Category I licensees can issue payment tokens, digital assets pegged to fiat or other forms of stable value for everyday transfers. This area involves the highest oversight, given the complexities of bridging digital tokens with standard monetary frameworks.
"The CBUAE sets four main licence categories for retail payment services, each reflecting different levels of complexity and risk."
Defining a “payment account” and “stored value”
Within the RPSCS rules, two terms often cause confusion: payment account and stored value. Understanding these definitions helps a prospective PSP or card scheme operator ensure compliance.
Payment account
A payment account is basically a user’s account with an authorised institution that is used for the execution of payment transactions. It can receive pay-ins and process pay-outs, but it must not function as a store of funds akin to a deposit. In simple terms, the account can hold transitory sums for immediate or near-term spending, rather than acting as a savings or investment product.
Stored value
The regulation explains that stored value covers systems or arrangements, excluding cash, where a customer gives monetary worth to an issuer, which in turn can store that value in multiple forms. This might be:
- Traditional fiat money.
- Reward points or loyalty systems.
- Crypto-assets or virtual assets.
The issuer commits to honouring that value when the user spends, transfers, or redeems it. Two main categories exist:
Device-based stored value
Possibly pre-paid cards or tokens physically assigned to a user.
Non-device-based stored value
Such as online wallets or user accounts in the cloud, each storing token-based or digital currency.
Given the diversity of what “money’s worth” can include, stablecoins, reward points, or crypto tokens, the scope extends well beyond standard e-wallets. The CBUAE clarifies that stored value can be topped up or transferred in forms like loyalty credits or even certain types of virtual assets, so long as the regulation is satisfied. Note that the Central Bank has a separate set of rules for stored value facilities, which might overlap with RPSCS if the service involves direct consumer transactions.
Get the most relevant information about business life in Dubai
Payment, security, commodity, or virtual assets
The CBUAE also draws distinctions between:
Payment tokens
Digital assets intended to maintain stable value, referencing a fiat currency or stable asset.
Security tokens
Usually falling under the domain of equities, debt, or rights that derive value from a business or underlying instrument, more akin to shares or bonds.
Commodity tokens
Granting claims to goods or services from the issuer. Known commonly as utility tokens.
Virtual asset tokens
Cryptocurrencies functioning as a store of value or means of exchange, but without official legal tender status or governmental backing.
For regulated retail payment services, the central focus is on “payment tokens,” as they are designed to facilitate transactions. Meanwhile, security tokens are typically regulated under separate frameworks, such as those in the financial free zones (DIFC or ADGM), where they are treated similarly to conventional securities.
Combining payment services and currency exchange
Fintechs that plan to provide multi-currency accounts or cross-border transfers might need a Category II licence if they handle domestic and overseas fund flows. But if they also want to carry out the foreign exchange piece themselves, rather than using an external partner, they may need an exchange house licence as well. The central bank is revisiting exchange house regulations, so final details are pending.
In many instances, the simpler solution is to partner with a bank or a licensed exchange. The regulated entity can handle the currency conversions, while the fintech focuses on the user interface, e-wallet, or settlement.
"Partnering with a bank or a licensed exchange approach may reduce complexity, though it might also cut into profits if the bank or exchange charges a margin."
Capital requirements at a glance
Capital obligations vary by the category of the RPSCS licence, driven by average monthly transaction volumes:
Category I
- 3 million AED (around 818,000 US dollars) for average monthly transactions of 10 million AED (2.7 million US dollars) or above.
- 1.5 million AED (409,000 US dollars) for less than 10 million AED in monthly average transactions.
Category II
- 2 million AED (545,000 US dollars) if monthly average transactions are 10 million AED or above.
- 1 million AED (272,000 US dollars) if below 10 million AED.
Category III
- 1 million AED (272,000 US dollars) if monthly average transactions are 10 million AED or more.
- 500,000 AED (137,000 US dollars) if below that threshold.
Category IV
- 100,000 AED (27,000 US dollars) regardless of transaction volume.
The monthly average is calculated over the preceding quarter or, for new applicants, based on projected usage. The central bank may raise capital requirements on a case-by-case basis if a business model is deemed riskier or more complex.
Rationale for obtaining a CBUAE PSP and card license
By securing a CBUAE PSP and card licence, a business in the onshore UAE can serve the entire local population, private consumers and small businesses, without being confined to a free zone or a B2B framework. Mainland operations provide extensive market access and brand visibility, especially relevant for mass-market payment solutions or e-wallet apps.
Fintechs or established firms with global backers might also find that a central bank license fosters credibility. Large institutional or corporate clients often require regulated partners for compliance or contractual reasons. The strategic advantage of being a UAE-based entity that can handle retail or commercial transactions with official regulatory backing cannot be overstated.
Resource requirements and recommended governance
The CBUAE expects each licensed payment institution or card scheme operator to employ or outsource the following roles:
Board of Directors
With robust governance processes, and a non-executive chair.
Chief Executive Officer
Over a decade of relevant experience, residing in the UAE.
Finance Officer
Possibly outsourced or from the group’s parent company, though local CFO presence might be beneficial.
Risk Officer
Typically outsourced, but essential for overseeing operational and market risk.
Compliance Officer and Money-Laundering Reporting Officer
Usually combined, with an experienced AML professional or a compliance expert living in the UAE. They handle KYC, suspicious transactions, and ensure the firm meets ongoing guidelines.
Internal Auditor
Usually outsourced to a professional firm, ensuring that policies align with central bank expectations.
For each member of the staff, the emphasis is on skill, experience, and accountability.
-
The licensing process includes detailed business plans, governance, IT security, and KYC/AML frameworks, typically taking 6–12 months to complete from concept to full operational approval.
-
Key personnel and compliance roles must be filled or outsourced, with the Central Bank expecting strong local presence, cyber resilience, and transparent risk management practices.
-
Aston VIP offers full-cycle support, helping applicants choose the correct license category, prepare documentation, and liaise with the Central Bank through every stage of the application process.
Application process: From concept to launch
Introductory call
The prospective applicant meets the Central Bank’s fintech unit or licensing team to present a summary of the proposed solution.
Detailed application
The firm completes form A22, describing everything from product design to competitor analysis. A thorough business plan covers the target markets, distribution channels, and consumer risk. A three-year financial projection addresses capital usage and revenue streams.
IT and cyber readiness
The CBUAE places particular emphasis on technology architecture, vulnerability assessments, and user data encryption. The applicant must detail how cloud-based or on-premises solutions store data, how the system meets UAE information assurance standards, and how any external providers are integrated.
Review period
The central bank carefully examines the material, requesting clarifications or scheduling interviews with key individuals. This stage can last from three to six months or more. The complexity of the model and responsiveness of the applicant are major factors.
In-principle approval
If the central bank is satisfied, it issues a conditional approval. The firm then must incorporate a mainland entity, deposit share capital (matching its category’s requirement), finalize appointments (like internal audit or external compliance partners), and secure office space.
Final licence
After meeting conditions, the central bank grants the RPSCS licence. The firm can now operate in the UAE, marketing retail payment services or card schemes to everyday users.
The entire journey can take around a year, from initial consultation to final go-live, reflecting thorough checks.
Timeline and cost considerations
Unlike some financial authorities, the central bank currently does not impose an application or annual licensing fee. The main financial demands come from capital, office leasing, professional advisors, and staff salaries. Mainland company registration and statutory permits might total approximately 10,000 US dollars, whereas a functional office in a mid-tier location might begin at 20,000 per year. Because the central bank expects a significant local presence, minimal or virtual offices are generally not feasible.
In addition, the business must budget for external providers like auditing, penetration testing, or system compliance reviews. Although these overheads can be significant, they also reinforce credibility and help align the firm with best practices.
Aston VIP’s role in your licensing journey
Navigating the CBUAE PSP and card license process can be intricate, from clarifying which category best fits your model to ensuring that your technology meets all regulatory standards. Aston VIP offers complete support, from drafting your detailed application and orchestrating the required AML frameworks to liaising with the central bank through each review stage.
If you want to accelerate your payment services or card scheme licence, or if you are still determining which category suits you, contact Aston VIP for a tailored roadmap that blends innovation with rigorous compliance.
