Regulation of Credit Data and Open Banking in UAE
The UAE has attracted much attention from fintech companies engaged in credit data and credit scoring services. This heightened interest is a direct result of the country’s proactive policies, which support the fintech ecosystem. As affirmed by the Ministry of Economy, the UAE stands out as a leader in fintech innovation. Notably, 46% of fintech startups, 47% of fintech funding deals, and 69% of all fintech funding in the MENA region are concentrated in the UAE.
Over the past few years, important collaborations have shaped the landscape. A noteworthy partnership involves the online financial aggregator, PolicyBazaar, and Al Etihad Credit Bureau (AECB) allowing PolicyBazaar customers easy access to real-time credit score checks. Moreover, the collaboration between AECB and Nova Credit has facilitated the use of expats’ home country credit history to access financial services in the UAE.
Furthermore, Abu Dhabi Global Market (ADGM) introduced a third-party service provider license, and in 2023 Dubai International Financial Centre (DIFC) and AECB formalized an agreement aimed at cultivating an ecosystem for fintech startups throughout the UAE.
As the UAE continues to lead in fintech innovation, understanding the evolving regulatory dynamics of credit data and open banking is important. This article aims to provide a broad overview of the recent regulatory initiatives and the interplay between credit data and open banking regulation.
Credit Data and Open Banking
Credit data plays an important role in financial services, influencing credit scoring and loan approvals. It can be categorized into traditional, alternative, and fringe data, with sources ranging from credit reports to utility bills and online activities.
Open banking facilitates secure data sharing with the account holder’s consent. It enables the sharing of financial data, including credit data, among different parties, providing a more comprehensive view of an individual’s financial standing.
Open banking improves the lending sector by making it accessible to a broader pool of applicants, thus improving financial inclusion. Similarly, the incorporation of alternative data into credit scoring models further extends the reach of lending opportunities. AECB itself has been at the forefront of innovation, exemplified by its recent enhancement of credit scoring models by incorporating alternative data to compute credit scores for individuals lacking a traditional banking credit history.
The sourcing of credit data is a critical aspect, and fintechs involved in credit scoring commonly acquire information from two primary sources: financial institutions, such as banks, and credit rating agencies responsible for aggregating and disseminating the relevant data. In turn, the regulatory framework governing credit data and open banking determines the types of opportunities and permissible business models accessible to fintech companies.
Credit data in the UAE is primarily governed by Federal Law No. 6/2010 On Credit Information (Credit Data Law). It is accompanied by Cabinet Decision No. 115/2021 On the Implementing Regulation of Federal Law No. 6/2010 on Credit Information (Implementing Regulation) and Central Bank Decision No. 67/5/2015 on the Work Regulations of Al Etihad Credit Bureau issued on 8 Jul 2015 (Work Regulations).
The Credit Data Law establishes Al Etihad Credit Bureau (AECB), a public joint stock company owned by the UAE Federal Government. AECB is tasked with the collection of credit information pertaining to individuals and companies. It analyzes the credit data to generate credit scores and produce credit reports, which are subsequently accessible within the UAE.
Credit information, as broadly defined by the Credit Data Law, encompasses data related to an individual’s financial commitments, payments, revenues, assets, bank transactions, and other information essential for determining creditworthiness. Various entities, including government bodies, banks, financial institutions, insurance companies, and companies established in the UAE and its free zones, are obligated to furnish credit data to AECB.
According to the Implementing Regulation, a diverse range of entities is eligible to obtain credit reports or products related to credit data. This includes federal and local government entities, banks, investment companies, finance companies, individual, commercial and professional companies, branches and representative offices of foreign companies, and any person as per the controls established by the Central Bank UAE.
The Credit Data Law empowers AECB to enter into agreements with recipients of credit information reports to regulate the use of credit data. Notably, besides the general requirements of consumer consent and data confidentiality, the law imposes restrictions on the purpose for which credit data can be used. Specifically, credit data cannot be utilized or circulated for purposes other than those agreed upon or for the purposes for which the information was provided.
Although the Credit Data Law, Implementing Regulation, and Work Regulations do not explicitly define the term “permissible purpose,” it can be assumed that assessing creditworthiness is likely the primary, if not the sole, permissible purpose.
Additionally, the Credit Data Law includes a general restriction stipulating that the Credit Bureau exclusively holds the authority to request, gather, preserve, analyze, categorize, use, and circulate credit information and related matters. This limitation seeks to create a central source of credit information in accordance with global standards, thereby improving effectiveness in regulation and supervision. Simultaneously, it ensures that no other organization can carry out comparable functions to AECB.
Open banking is another avenue for accessing consumer data, offering the potential to enable a variety of beneficial products and services. In open banking, the transfer of consumer-permitted financial data takes place via application programming interfaces (APIs), which are structured guidelines that facilitate the communication and exchange of data between various software systems.
The governing legal act is Central Bank Circular No. 15/2021 On Retail Payment Services and Card Schemes Regulation (RPSCS Regulation). The RPSCS Regulation lays down the rules for granting a license for the provision of retail payment services, which comprise nine categories, such as payment account issuance services, payment instrument issuance services, merchant acquiring services, payment aggregation services, domestic and cross-border fund transfer services, payment token services, payment initiation services and payment account information services.
Of particular interest is the Payment Account Information Service (PAIS), defined as the provision of consolidated information on one or more payment accounts held by a retail payment service user with another payment service provider. According to the RPSCS Regulation, PAIS falls under the category IV license, requiring a minimum initial capital of one hundred thousand (100,000) Dirhams.
Conditions applicable to PAIS providers include, among others, the existence of a contractual arrangement with banks/payment service providers, the provision of services based on user consent, ensuring the security of personalized credentials, refraining from requesting or storing sensitive payment data for purposes other than PAIS service provision, compliance with data transmission safety, technology risk, information security requirements, and accessing only designated payment account information and associated payment transactions.
The RPSCS Regulation permits banks and other payment service providers to enter into contractual arrangements with PAIS providers for direct or indirect access to the accounts held with them. However, the selection of a PAIS provider is solely at the discretion of the bank.
Hence, in the UAE, PAIS providers do not automatically have access to payment accounts held with banks and payment service providers. Instead, banks and payment service providers can voluntarily enter into contractual agreements with PAIS providers, through which the PAIS providers gain access to payment accounts.
In addition to the onshore UAE, the prominent financial free zones such as DIFC and ADGM have their own separate regulatory frameworks offering additional avenues for operation, which could be of interest for fintechs providing credit data aggregation and credit scoring services.
DIFC Law No. 1/2004 On Regulatory Law 2004 (DIFC Law) mandates that individuals and entities may not provide financial services within the DIFC without obtaining a license to do so from Dubai Financial Services Authority (DFSA).
Several DIFC licenses are noteworthy: Arranging or Advising on Money Services and Innovative Financial Technology.
According to DFSA General Module (GEN) GEN/VER61/08-23, issued on 1 August 2023 (DFSA Rules), Arranging or Advising on Money Services involves providing an Account Information Service (AIS), which encompasses an online service offering consolidated information on one or more user-held accounts. AIS allows users to access aggregated information from various accounts in a single location and, with express consent, share this information with third parties such as financial advisers or credit reference agencies.
With regard to the Innovative Financial Technology license, the DFSA Rules introduce a simplified regulatory framework for businesses seeking to test innovative fintech solutions. This tailored framework allows the DFSA to waive or modify certain rules during the testing phase, including relief from specific prudential requirements, conduct rules, or corporate governance arrangements. However, once the business is fully operational, compliance with all relevant rules and regulations becomes mandatory. To be eligible for this framework, applicants must demonstrate a genuine need to test technology, a readiness for live testing, and an intention to roll out the innovative technology on a broader scale. If the business involves financial services such as AIS, the applicant must first obtain the required license.
Recently, Abu Dhabi Global Market (ADGM) has introduced a new regulatory framework for the authorization and supervision of financial technology firms providing third party services to customers of financial institutions.
The ADGM Financial Services and Markets Regulations 2015 (ADGM Regulations) define the activity of Providing Third-Party Services as involving the accessing, processing, and transfer of specified information. An entity authorized to carry out this regulated activity is termed a Third-Party Provider (TPP).
Rather than providing a precise definition of specified information, the ADGM Regulations adopt a comprehensive and discretionary approach, stating that specified information, concerning a third-party service provider, is as may be prescribed by the Financial Services Regulatory Authority (FSRA) of ADGM. This broad interpretation allows the FSRA to adopt a tailored and case-by-case approach to third-party service provision.
The ADGM Conduct of Business Rulebook (Rulebook) provides additional information and guidance related to TPPs. According to the Rulebook, TPPs act as intermediaries between their customers and their customers’ financial institutions. It clarifies that the relationship between a TPP and its customer is distinct from and does not affect the customer’s existing relationship with their financial institution.
Among various requirements, the Rulebook mandates that TPPs and their customers must have a governing contract covering, among others, information about the TPP, service description, charges and exchange rates, communication methods, safeguards and security measures, corrective measures, and termination of the contract. Furthermore, the Rulebook details rules about information provision, initiation and execution of third-party transactions, record-keeping, outsourcing, customer consent, security measures, liability, dispute resolution, risk mitigation, and other aspects.
The regulatory landscape for credit data and open banking in the UAE reflects the country’s commitment to fostering a fintech ecosystem. The collaborative efforts among key players of the sector further exemplify a positive impact on enhancing consumer access to financial services.
Moreover, the onshore regulatory framework, especially concerning open banking, plays a key role in shaping opportunities for fintech firms engaged in credit scoring and credit data aggregation services. The regulatory environment in financial free zones such as DIFC and ADGM adds further dimension, providing alternative pathways and regulatory support.
The existing regulatory approach maintains a good balance between promoting innovation, ensuring compliance, and upholding consumer protection through transparent requirements. The result is a dynamic ecosystem that encourages flexibility while safeguarding the interests of both industry players and consumers.
The author of this insight is Baqar Palavandishvili.
Baqar is a Senior Associate at Galadari Advocates & Legal Consultants, specializing in corporate and commercial affairs, with emphasis on energy, oil & gas, M&A, due diligence and regulatory. He brings extensive experience to the firm, with more than 13 years of professional background. For more information about our corporate and commercial practice, please contact Baqar directly.