# Regulatory Playbook: UAE
| Field | Value |
|---|---|
| Market | United Arab Emirates (AE) |
| Regulator | DFSA (DIFC) / CBUAE (onshore) |
| Status | Draft — requires local compliance review |
| Owner | Group Compliance / CDO |
| Created | 2026-04-04 |
| Review | Semi-annually |
| Reference | Cross-Border Compliance Framework |
## Purpose
This is the operational playbook for Simpaisa's UAE presence. The Cross-Border Compliance Framework defines what the law requires. This playbook defines what we actually do: who is responsible, what processes run, what reporting is due, and what happens when something goes wrong.
The UAE is the holding company jurisdiction. Simpaisa Holdings is registered in the Dubai International Financial Centre (DIFC). The DIFC operates as a common law free zone with its own regulator (DFSA) and data protection regime, separate from onshore UAE regulation (CBUAE). This creates a dual regulatory regime:
- DIFC (DFSA): Governs the holding company. No onshore payment operations conducted from DIFC.
- Onshore UAE (CBUAE): Would govern any retail payment services offered to UAE consumers. Simpaisa does not currently hold a CBUAE RPSCS licence and does not conduct onshore payment operations.
Current status: Holding company only — no onshore payment operations currently.
## Regulatory Landscape
| Dimension | Requirement | Source |
|---|---|---|
| Holding company registration | DIFC holding company registration. Not offering financial services from DIFC. | DIFC Regulatory Law 2004 |
| Onshore licence (if applicable) | CBUAE Retail Payment Services and Card Schemes (RPSCS) licence required if offering retail payment services onshore | CBUAE Circular 15/2021; New CBUAE Law (effective September 2025) |
| AML/KYC | Federal AML Law (Federal Decree-Law No. 20 of 2018). CDD, EDD, sanctions screening. STR filing with UAE FIU. | Federal Decree-Law No. 20 of 2018; CBUAE AML/CFT regulations |
| Data localisation (DIFC) | No mandatory data localisation. Cross-border transfers permitted to jurisdictions with adequate protection or with appropriate safeguards (standard contractual clauses, binding corporate rules). | DIFC Data Protection Law No. 5 of 2020 |
| Data localisation (onshore) | Sector-specific requirements per Federal Decree-Law No. 45 of 2021. | Federal Decree-Law No. 45 of 2021 on Personal Data Protection |
| PII handling (DIFC) | DIFC Data Protection Law 2020. Data subject rights including right to erasure. | DIFC Data Protection Law No. 5 of 2020 |
| PII handling (onshore) | Federal Decree-Law No. 45 of 2021 on Personal Data Protection. | Federal Decree-Law No. 45 of 2021 |
| Reporting | DFSA/CBUAE reporting per licence conditions. Annual audited financial statements. STRs to UAE FIU. | Licence conditions; Federal AML Law |
| Audit | Annual external audit. DFSA/CBUAE inspection at regulator's discretion. | Licence conditions |
| Incident reporting | DIFC Data Protection Commissioner: within 72 hours for personal data breaches. CBUAE: per licence conditions. | DIFC Data Protection Law 2020, Article 41 |
| Capital adequacy (CBUAE, if applicable) | RPSCS capital requirements scale with average monthly transaction value. Exceeding AED 10M monthly average for three consecutive months triggers higher capital obligations. AED 100,000 minimum for payment initiation services. | CBUAE Circular 15/2021 |
| Record retention | DFSA/DIFC: 6 years. CBUAE: per RPSCS regulation. AML records: 6 years. | DFSA rules; CBUAE regulations |
## Current Compliance Status
Holding company only — no onshore payment operations currently.
| Requirement | Status | Gap | Risk |
|---|---|---|---|
| DIFC holding company registration | Active | None | — |
| CBUAE RPSCS licence | Not applicable | No onshore payment operations. Licence required before any onshore UAE payment services. | — |
| AML/KYC (group level) | Partially compliant | Group-level AML policy exists but not documented for UAE-specific obligations under Federal Decree-Law No. 20 of 2018. | MEDIUM |
| DIFC Data Protection | Partially compliant | DIFC DPL 2020 applies to any personal data processed in DIFC. Data processing register not documented. | MEDIUM |
| Federal Data Protection (onshore) | Not applicable | No onshore operations. Would apply if onshore operations commence. | — |
| Encryption at rest | Non-compliant | PII stored in plain text across the group (SECURITY-ARCHITECTURE.md, Finding R2). Affects group reporting data flowing to UAE. | HIGH |
| DIFC breach notification (72 hours) | Unknown | No documented process for notification to DIFC Data Protection Commissioner within 72 hours. | HIGH |
| Annual audit | Compliant | Holding company audit completed per DIFC requirements. | — |
| Group reporting data flows | Unknown | Data flows from operating markets to UAE for group reporting not documented. Classification and lawful basis for cross-border transfer not established. | HIGH |
## Operational Processes

### 1. Merchant Onboarding (UAE)
No merchant onboarding is conducted in the UAE. Simpaisa Holdings is a holding company only. If onshore payment operations are launched in future, a full merchant onboarding process aligned to CBUAE RPSCS requirements must be established.
```text
MERCHANT ONBOARDING FLOW (AE) — NOT CURRENTLY ACTIVE
─────────────────────────────────────────────────────
CBUAE Licence     Application       CDD/KYC           Technical         Go-Live
┌──────────┐      ┌──────────┐      ┌──────────┐      ┌──────────┐      ┌──────────┐
│ Obtain   │─────▶│ Merchant │─────▶│ Identity │─────▶│ API Key  │─────▶│ Live     │
│ RPSCS    │      │ applies  │      │ verified │      │ Sandbox  │      │ traffic  │
│ licence  │      │          │      │ Docs     │      │ Testing  │      │          │
└──────────┘      └──────────┘      │ checked  │      │ Webhook  │      └──────────┘
                                    └──────────┘      │ config   │
                                                      └──────────┘
Prerequisite: CBUAE RPSCS licence must be obtained before any onshore operations.

Owner:            TBD               TBD               Engineering       TBD
SLA:              TBD               TBD               TBD               TBD
```
Required documents for CDD (UAE — if onshore operations commence):

- Trade licence (DED or free zone authority)
- Commercial registration certificate
- Emirates ID / passport copies of directors and beneficial owners
- Bank account verification letter (UAE bank)
- Business address verification
- Beneficial ownership declaration (>25% shareholders)
- Sanctions screening (UN, OFAC, local UAE lists)

Enhanced Due Diligence triggers:

- High monthly transaction volume
- High-risk merchant category (gambling, crypto, precious metals)
- PEP (Politically Exposed Person) as beneficial owner
- Adverse media screening hit
- Sanctions list match
### 2. Transaction Monitoring
No payment transactions are processed in the UAE. If onshore payment operations are launched, transaction monitoring must be established per CBUAE requirements.
Group-level monitoring applicable to UAE holding company:
| Check | Frequency | Threshold | Action |
|---|---|---|---|
| Group data flow audit | Quarterly | N/A | Verify data flows from operating markets comply with DIFC DPL and cross-border transfer requirements |
| Sanctions screening (group level) | Ongoing | Any match against UN, OFAC, UAE local lists | Escalation to Group Compliance |
### 3. Incident Response (UAE-Specific)
In addition to the global Incident Response Playbook (Standards/INCIDENT-RESPONSE-PLAYBOOK.md):
| Requirement | SLA | Owner |
|---|---|---|
| DIFC Data Protection Commissioner notification for personal data breaches | Within 72 hours of becoming aware | Group Compliance + CDO |
| CBUAE notification (if onshore operations active) | Per CBUAE licence conditions | TBD |
| DFSA notification for material incidents | Per DFSA rules | Group Compliance + CDO |
DIFC breach notification template:

```text
TO: Data Protection Commissioner, DIFC
FROM: Simpaisa Holdings — DIFC Registration No: [XXXX]
DATE: [YYYY-MM-DD]
SUBJECT: Personal Data Breach Notification — [Brief Description]

Per Article 41, DIFC Data Protection Law No. 5 of 2020:

1. Nature of the personal data breach: [description]
2. Categories and approximate number of data subjects affected: [detail]
3. Categories and approximate number of records affected: [detail]
4. Name and contact details of Data Protection Officer or contact point: [detail]
5. Likely consequences of the breach: [assessment]
6. Measures taken or proposed to address the breach: [list]
7. Measures taken or proposed to mitigate adverse effects: [list]
```
### 4. Data Localisation

DIFC (holding company):

- No mandatory data localisation within DIFC.
- Cross-border transfers permitted with adequate safeguards.
- Standard contractual clauses or binding corporate rules required for transfers to jurisdictions without adequate protection.

Onshore UAE (not currently applicable):

- Federal Decree-Law No. 45 of 2021 governs onshore data protection.
- Sector-specific data localisation requirements would apply if a CBUAE RPSCS licence is obtained.

Current architecture:

- Group reporting data flows from operating markets (PK, BD, NP, IQ) to the UAE for consolidation.
- These data flows are not documented with a data classification or a lawful basis for transfer.

Action items:

1. Document all data flows from operating markets to the UAE holding company.
2. Classify data flowing to the UAE (personal data, aggregated, anonymised).
3. Establish a lawful basis for each cross-border transfer under DIFC DPL 2020.
4. Implement standard contractual clauses for transfers from markets without adequate protection.
5. Ensure PII is encrypted or anonymised before transmission to the UAE for group reporting.
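The five action items above describe a single control: no personal data leaves an operating market for group reporting unless it is registered, classified, covered by a transfer safeguard, and no longer in plaintext. The script below is an added illustration of that control and is not Simpaisa's code. It assumes a hypothetical data-flow register (field names, classifications and the SCC status per market are all constructed), and it uses keyed-hash pseudonymisation (HMAC-SHA256 with a key that stays in the operating market) as the "anonymised" option from item 5; the record is still treated as personal data for the purposes of item 4, so a market without SCCs in place is blocked even though the values are pseudonymised.

```python
"""Export guard for group-reporting data sent from an operating market to the
UAE holding company. Added example, not Simpaisa's code; all register entries,
market statuses and sample records are constructed."""
import hashlib
import hmac

# Data classifications from action item 2.
PERSONAL = "personal"
AGGREGATED = "aggregated"
ANONYMISED = "anonymised"

# Constructed data-flow register (action items 1-3): each field an operating
# market sends to the UAE, its classification, and the safeguard the transfer
# relies on. Field names are hypothetical.
FIELD_REGISTER = {
    "market":          (ANONYMISED, None),
    "period":          (ANONYMISED, None),
    "merchant_id":     (PERSONAL,   "SCC"),   # sole traders: identifier is personal data
    "customer_msisdn": (PERSONAL,   "SCC"),
    "txn_count":       (AGGREGATED, None),
    "txn_value_local": (AGGREGATED, None),
}

# Constructed status of standard contractual clauses per market (action item 4).
# A market whose SCCs are not yet signed cannot send personal data at all.
SCC_IN_PLACE = {"PK": True, "BD": True, "NP": True, "IQ": False}


class ExportBlocked(Exception):
    """Raised when a record must not leave the operating market as-is."""


def pseudonymise(value, key, market):
    """Keyed-hash pseudonym (HMAC-SHA256, truncated to 16 hex chars).
    The key never leaves the operating market, so the UAE side holds tokens
    it cannot reverse (action item 5). Including the market in the message
    keeps tokens from being joinable across markets."""
    msg = f"{market}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def prepare_export(record, key):
    """Return a copy of `record` that is safe to transmit, or raise ExportBlocked."""
    market = record["market"]
    out = {}
    for field, value in record.items():
        if field not in FIELD_REGISTER:
            # Unregistered fields are the usual way plaintext PII leaks: block them.
            raise ExportBlocked(f"{field!r} not in data-flow register; classify it first")
        classification, safeguard = FIELD_REGISTER[field]
        if classification == PERSONAL:
            if safeguard == "SCC" and not SCC_IN_PLACE.get(market, False):
                raise ExportBlocked(f"no SCC in place for {market}; cannot transfer {field!r}")
            out[field] = pseudonymise(value, key, market)
        else:
            out[field] = value
    return out


def verify_no_plaintext_pii(original, exported):
    """Independent pre-transmission check: every PERSONAL field present in the
    export must differ from its source value. Returns True or raises."""
    leaked = [f for f, (c, _) in FIELD_REGISTER.items()
              if c == PERSONAL and f in exported and exported[f] == original[f]]
    if leaked:
        raise ExportBlocked(f"plaintext personal data in export: {leaked}")
    return True


# Constructed sample records and key (placeholder; use a managed secret in practice).
SAMPLE_KEY = b"per-market-pseudonymisation-key-PK"
SAMPLE_PK = {"market": "PK", "period": "2026-03", "merchant_id": "M-10442",
             "customer_msisdn": "+923001234567", "txn_count": 18, "txn_value_local": 41250}
SAMPLE_IQ = dict(SAMPLE_PK, market="IQ", customer_msisdn="+9647701234567")

if __name__ == "__main__":
    safe = prepare_export(SAMPLE_PK, SAMPLE_KEY)
    verify_no_plaintext_pii(SAMPLE_PK, safe)
    print("PK export:", safe)
    try:
        prepare_export(SAMPLE_IQ, SAMPLE_KEY)
    except ExportBlocked as err:
        print("IQ export blocked:", err)
```

The two checks are deliberately separate: `prepare_export` enforces the register, and `verify_no_plaintext_pii` catches a regression in it (for example a field reclassified by mistake) right before transmission. Aggregated fields such as `txn_count` pass through unchanged, which is what the UAE consolidation actually needs; if a reporting requirement ever needs a direct identifier, that is a new register entry and a new lawful-basis decision, not a code change.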
### 5. Reporting Calendar
| Report | Frequency | Due Date | Recipient | Owner |
|---|---|---|---|---|
| Annual audited financial statements | Annually | Per DIFC/DFSA timeline | DFSA | Finance + CDO |
| DIFC Data Protection compliance review | Annually | Per DIFC DPL requirements | Internal (DIFC DPC on request) | Group Compliance |
| Suspicious Transaction Reports (group level) | As needed | Per UAE FIU requirements | UAE FIU | Group Compliance |
| AML/KYC programme review (group level) | Annually | Per Federal AML Law | Internal + regulators on request | Group Compliance |
| CBUAE regulatory returns (if onshore ops) | Per CBUAE schedule | Per licence conditions | CBUAE | TBD |
### 6. Key Contacts
| Role | Responsibility | Name |
|---|---|---|
| Group Compliance Officer | UAE regulatory relationship, DIFC compliance, group AML | TBD |
| DIFC Data Protection Officer | DIFC DPL compliance, breach notification | TBD |
| Finance (Group) | DFSA reporting, annual audit | TBD |
| CDO | Technology, security, data architecture decisions, group data flows | Daniel O'Reilly |
## Remediation Priorities
Based on the compliance status assessment above:
| Priority | Item | Risk | Owner | Target |
|---|---|---|---|---|
| 1 | Document group data flows to UAE with data classification | HIGH | CDO | Q2 2026 |
| 2 | DIFC breach notification process (72-hour SLA) | HIGH | Group Compliance + CDO | Q2 2026 |
| 3 | PII encryption at rest (group-wide, affects data in UAE) | CRITICAL | CDO | Q2 2026 |
| 4 | DIFC DPL data processing register | MEDIUM | Group Compliance | Q2 2026 |
| 5 | Standard contractual clauses for cross-border transfers | MEDIUM | Group Compliance + Legal | Q3 2026 |
| 6 | Group-level AML policy aligned to Federal Decree-Law No. 20 of 2018 | MEDIUM | Group Compliance | Q3 2026 |
## Connection to Strategy

This playbook directly supports:

- SG1 (Operational Excellence): documented group compliance processes, DIFC breach notification SLAs.
- SG4 (Market Expansion): the UAE, as the holding company jurisdiction, must have a clean compliance posture to support expansion into new markets (including KSA). Regulatory credibility of the holding company underpins licensing applications in other jurisdictions.
- Foundational Support #5 (Standardised global network): the UAE is aligned to the same playbook structure as all Simpaisa markets, with holding-company-specific adaptations.