The fine line between Online marketplaces and Payment service providers - UAE Regulation as a case study
Late last year, the UAE enacted Federal Decree-Law No (6) of 2025, a law (I will refer to it as “the new banking law”) that updated the supervisory faculties of the Central Bank. It was a very interesting development because it seemed to expand the supervision perimeter of the CBUAE in the direction of technology companies.
In fact, Art. 62 lays out a fertile terrain for including tech firms in the scope of the regulation insofar as they act as facilitators of any Licensed Financial Activity. The provision reads as follows:
“Without prejudice to the Licensed Financial Activities referred to in item (1) of Article (61) of this decree-law, any Person carrying on, offering, issuing, or facilitating, whether directly or indirectly, any Licensed Financial Activity – regardless of the medium, technology, or form employed – shall be subject to the licensing, regulatory, and oversight jurisdiction of the Central Bank. This includes the following:
1. Virtual Assets payment tokens, decentralized finance (DeFi), other emerging technology, or other digital or physical instruments used in connection with the Licensed Financial Activities; and
2. Offering or operation of platforms, decentralized applications (dApps), protocols, or technological infrastructure that facilitate, intermediate, or enable the provision of financial services, such as payments, credit, deposits, money exchange, remittances, or investment services.” (Underlines and accents are mine)
This development was very pertinent for the tech industry, in particular for firms that are part of the value chain of a regulated service. The most conservative interpretations would suggest that firms which are merely vendors of regulated firms, or which are simply providing services to regulated firms, would now fall inside the “regulatory perimeter” of the CBUAE. A more moderate interpretation would not go that far, but it would not overlook the fact that the wording of Art. 62 raises a question about what constitutes “facilitation of a licensed activity” and what are the lines not to be crossed to avoid being deemed a facilitator. For firms operating two-sided or three-sided online marketplaces, the new banking law also seems to put into question the resemblance of their business models to licensed activities. For multi-sided marketplaces (such as Noon and Deliveroo) the concern stems from the fact that they typically act as intermediaries for the purchase of goods or services from third parties. They are two-sided marketplaces in the sense that they rely on two types of commercial relationships: their customers (side #1) are able to make purchases from selections of goods and services that are offered by both the operator of the online store and other firms, such as restaurants, manufacturers or other sellers (side #2). The concerning part is that whenever a customer decides to purchase an item sold by a third party, be it a restaurant or a mobile phone manufacturer, the online marketplace operators typically find themselves in a role that resembles that of a payment service provider vis-a-vis the third party. For clarity, here is a very simplified diagram of how a typical two-sided marketplace of this nature works:
It doesn’t take too much imagination to see the resemblance between the commercial activity described in the diagram above and the provision of payment services. Therefore, it is only natural that there was some confusion in the market about the actual implications of Art. 62 of the new banking Law.
Thankfully, the CBUAE released an FAQ that brings further clarity about the scope of the new banking law, highlighting the following takeaways that are very important for the tech industry:
Article 62 does not create new categories of licensed financial activities:
The emphasis of the FAQ on this point is that the new banking law does not expand the catalogue of licensed activities overseen by the Central Bank but instead that “(...) when any of the licensed financial activities listed in Article (61) of the Decree-Law are conducted "by any technological means, technique, form, or model," whether directly or indirectly, those activities remain subject to the licensing, regulatory, and supervisory authority of the Central Bank.” This is an important clarification because it confirms that the list of financial activities subject to license by the CBUAE remains the same under the new banking law: There are no new categories of licensed entities in the new Decree-Law.
Purely Technical Service Providers are not subject to new licensing requirements
On this point, the FAQ is clear in stating that “ (...) the activities of a technology service provider in providing software, infrastructure, technological solutions, or other emerging technologies, insofar as such provision is exclusively for the benefit of a licensed financial institution, shall not, whether directly or indirectly, be deemed to constitute ‘practice,’ ‘offering,’ ‘issuance,’ or ‘facilitation (...) ”. This clarification should put to rest the concern that a mere vendor (such as a KYC software vendor, cloud provider or similar) who provides services that are not part of the list of licensed financial activities to regulated firms may be subject to licensing requirements. In fact, looking at the experience in other jurisdictions, this concern was rather artificial: There is no real policy rationale for financial regulators to oversee the operations of tech companies that do not engage in financial services. Indirectly, outsourcing regimes already provide the toolkit for regulators to rein in the third-party risk that regulated firms take when externalizing certain functions to technology vendors, but those regimes are not driven by the intention to regulate tech firms as a direct subject of supervision. It would have been rather surprising for the CBUAE to take a different position.
Tech firms are only at risk of license requirements if they engage in regulated financial activities themselves
This is perhaps the most important clarification provided by the FAQ: “Providers of software, infrastructure, purely technical solutions, or other emerging technologies fall outside the licensing, regulatory, and supervisory authority of the Central Bank, unless they themselves engage in—or present themselves as engaging in—or offer, issue, or facilitate a financial activity as defined in Article (61) of the Decree-Law (for example, operating a payment service, wallet service, a stored-value facility, or any other regulated financial service on a professional basis), whether directly or indirectly.”
Here, the expression “present themselves” is very telling. It suggests that the question for tech companies is not whether their pure tech businesses fall under the regulatory supervision of the CBUAE, but whether these businesses themselves constitute or “present themselves” as regulated financial activities. In other words: The CBUAE is not departing from the typical approach of regulators across the world. Determining whether a given firm is subject to their supervision is an “activity-based” question, that is, a question of whether the firm engages in any activity that is or “presents as” a regulated activity in accordance with applicable law.
While the FAQ provides at least those three very helpful clarifications, there is still an open question for technology firms who operate two or three-sided online marketplaces in the UAE. It is in turn related to the question of when a tech business “presents itself” as a regulated financial activity. In fact, in most jurisdictions with mature regulatory frameworks for payment services, a key criterion for determining whether the business of an online marketplace should be subject to regulatory oversight is the question of whether the marketplace operator enters into possession of funds in transit. For example, Art 3(j) of the European Payment Services Directive (PSD2) clearly excludes technical service providers from its scope on those very terms:
“This Directive does not apply to any of the following: [...] (j) services provided by technical service providers, which support the provision of payment services, without them entering at any time into the possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services, with the exception of payment initiation services and account information services;"
This takes us to the question that was not entirely resolved by the FAQ: Is a technology firm operating in the UAE mainland subject to licensing requirements if it enters into possession of funds that are in-transit to payees (such as manufacturers or sellers)?
The question is very important for online marketplaces because the CBUAE’s future stance on the matter will determine whether their core businesses are subject to licensing requirements or not. In fact, in most other jurisdictions with advanced payment services regimes, regulators have already decided this question with a resounding yes, so it is wise to consider the matter very carefully. In practice, online marketplaces may adopt four distinct approaches to navigate this gray area:
1 - Entering into direct possession of funds
This approach is the boldest: Online marketplaces may decide to enter into direct possession of funds by receiving payment proceeds from their users directly into their accounts and then settling them directly to their network of manufacturers/sellers. The diagram below shows this approach in more detail:
Why would an online marketplace choose this approach?
They may have an outsized risk appetite and decide to avoid both the cost of integrating with a licensed payment service provider and obtaining a license. They may have obtained an express exemption from a competent regulator.
Why should an online marketplace avoid this approach?
This payment flow is the one that most likely resembles or “presents itself” as a payment service. In fact, the marketplace will be entering into direct possession of funds, which is bound to attract regulatory attention. Overall, this approach is the one that exposes online marketplaces to the highest risk of adversarial regulatory scrutiny and potential disruptions in their payment flows.
2- The Pass-through Approach: Entering into direct possession of funds only after a licensed payment service provider has settled the funds to their accounts
This approach is not uncommon in some geographies and is a more risk-averse variation of the payments flow above, wherein the online marketplace postpones its position in the flow of funds by involving a licensed payment services provider that settles the payment proceeds into the marketplace’s accounts. The marketplace will then settle the proceeds minus its fees to the manufacturer/sellers. The flow is described in the diagram below:
Why would an online marketplace choose this approach?
They may lack infrastructure for processing payments themselves and may also wish to mitigate the risk of license requirements by involving a licensed payment service provider in the flow of funds. This could support a potential (albeit rather weak) argument that a license is not required because the funds are “only passing through”. Some might add an extra mitigant as a twist to this approach consisting of having the funds-in-transit land in some kind of escrow account (or similar) in order to provide an extra protection for payment proceeds. The success of this extra mitigant would depend on whether the escrow arrangement in question sufficiently segregates the funds-in-transit from the assets to be liquidated in an insolvency scenario.
Why should an online marketplace avoid this approach?
As I mentioned above, this is a mere variation of the initial approach that still presupposes that the operator of the online marketplace will enter into possession of funds before disbursing them to manufacturers/sellers. The pass-through argument is never particularly welcome amongst regulators because insofar as the payment proceeds are touching the accounts of the marketplace, the latter is playing a custodian role which requires close supervision to ensure funds in transit are adequately safeguarded, consumers are protected and bad actors are prevented from using the marketplace as a conduit for money laundering and/or terrorism financing. Introducing a licensed payment service provider into the flow of funds in this scenario is a rather cosmetic measure that will probably not obscure the custodian role of the marketplaces and will add to the cost of payments without much mitigation effectiveness from the perspective of licensing risk (defined as the risk that a regulator may impose licensing requirements in the future).
3 - The Risk-averse Approach: Excluding themselves from the flow of funds by having a licensed payment service provider settle directly
This approach is the most risk-averse of them all. It consists of making a third party fully responsible for the flow of funds, removing the marketplace from entering into possession of any funds that are in transit to the manufacturers/sellers.
Why would an online marketplace choose this approach?
This might be suitable for smaller online marketplaces that can’t afford expensive payment processing infrastructure or the cost of a license. Some firms may also see it as a way to remain focused on their core verticals by outsourcing the complexities of payment processing and maintaining a payments license.
Why should an online marketplace avoid this approach?
This approach is well suited for mitigating the licensing risk, but it puts a third party (the licensed payment service provider) in charge of all the funds stemming from the marketplace’s business. At scale, this is not a sensible approach because it simply cuts off the marketplace from accessing funds (float) that could yield interest rate and prevents them from implementing custom settlement logics and cadences. Moreover, given that the external payment service provider will be disbursing funds directly to the manufacturers/sellers, they will effectively have to enter into contractual relationships, which would result in separate KYC/onboarding processes driven by the risk appetite of the payment service provider. This will introduce friction to seller/manufacturer onboarding and reduce the control that the online marketplace has on onboarding experiences. In general, no ambitious online marketplace is eager to become so dependent on a third party.
4- The future-proofed approach: Routing the flow of funds through a wholly-owned licensed subsidiary or other affiliate
This approach consists of obtaining a payment service license that allows a subsidiary or an affiliate of the entity operating the marketplace to hold the funds in transit and disburse them directly to the marketplace and to the manufacturers/sellers. This is the most widely adopted approach to this issue in jurisdictions with mature regulatory regimes for payments services. It is illustrated in the diagram below:
Why would an online marketplace choose this approach?
This approach future-proofs the operations of an online marketplace that wishes to keep control of its payment flows. It segregates the regulatory obligations stemming from the license into a specific licensed vehicle that is separate from the entity that operates the marketplace. The main reason to choose this approach is to adopt a long-term view of the regulatory perimeter and to ensure that control over payment flows is not disrupted by future regulatory scrutiny.
Why should an online marketplace avoid this approach?
An online marketplace might avoid this approach if it prefers to outsource its payment flows due to cost or specialization considerations (as previously outlined in approach #3) or in the event that it obtains a clear waiver/exemption from the competent regulator.
Online marketplace operators in countries with recently enacted payment services regulation often have identity crises and try to wish away the fact that their business is partially the provision of payment services. However, the experience in jurisdictions with more mature payment services regulation is that two-sided marketplaces that enter into possession of funds will ultimately fall within the scope of payments regulation and the supervision of a financial regulator. Therefore, approaches like the ones described in options 1 and 2 above are likely to result in operational disruption stemming from regulatory scrutiny. Firms adopting these approaches take the risk that regulatory bodies deem them to be operating payment services without a license and consequently issue binding instructions to exclude unregulated entities from the flow of funds. This could result in expensive and urgent fire drills to temporarily (or permanently) integrate with external payment service providers, reroute their payment flows under a deadline and/or obtain the necessary licenses. Given the inherently lengthy nature of these two courses of action, business continuity may be at stake. Senior leaders at online marketplaces would be wise to avoid trying to cover the sun with their fingers and adopt more proactive compliance strategies with long term views. A very wise payments senior leader I once worked with called this “the theory of inevitability”.
While these risk considerations are firmly rooted in the 19-year history of the EU Payment Services Directives (the most influential regulatory framework for payment services and the indirect inspiration for the UAE payments regime) it will be very interesting to see whether the recent developments result in more proactive approaches from the industry and whether the CBUAE settles the open questions through further FAQs or enforcement action. It is possible that certain UAE-specific factors (such as the presence of payment service providers in the free-zones and potential resource constraints for regulatory enforcement) keep the issue in a gray area for a while longer, but it is a good idea to remain skeptical of a future where marketplaces in the flow of funds are exempted from regulatory supervision. Payments law is not a novel invention, and the apple never falls too far away from the tree.
Disclaimer: This does not constitute legal advice but mere commentary of recent developments in UAE financial regulation. The opinions and views held in this piece are exclusively mine and do not reflect the views of my employer or any other third party.
