Digitalization in Finance in the UAE


The UAE has been undergoing a digitalization of its financial sector. Under the UAE Digital Government Strategy 2025, all governmental services are available digitally.

In September 2023, the United Arab Emirates (“UAE”) issued Federal Decree Law No. 14/2023 through presidential decree, introducing new digital legislation. The new law sets out to regulate digital trade and offer additional protection to resident sellers and consumers in the UAE or abroad. The new law will replace its predecessor, Federal Decree Law No. 9/2022, as it offers a wider range of protections and covers various types of additional technology. In the last few years, e-commerce has surpassed its traditional website format and now encompasses several other platforms, such as apps and blockchain. These are now covered by the Federal Decree Law No. 14/2023, as are all other digital means of trade.     


Digital Finance  

In December 2023, the Central Bank of the UAE joined the Gulf Cooperation Council (GCC) AFAQ payment system. AFAQ is a digital payment system operated by Gulf Payment Company. It facilitates secure financial transactions within the GCC in local currencies instantly and at reduced fees. This marks significant progress in digital finance, enhancing integration within the GCC region.

Furthermore, the UAE government adopted blockchain to ensure data security and accessibility. Introduced in 2018, the Emirates Blockchain Strategy aimed to digitize 50% of government transactions in 2021. A prime example is UAE Pass, utilizing biometrics and blockchain, granting digital access to government services instantly. Additionally, blockchain is utilized in healthcare, supply chain management, and smart contracts, ensuring transparency and data integrity.




Cryptocurrency has seen an exponential rise in use and reliance in the region in the last couple of years, as it facilitates cross-border transactions and acts as an alternative form of investment.   

In February 2024, the UAE completed its first successful cross-border transfer of fifty million digital dirhams (approximately USD 13 million) from its Central Bank’s digital dirham to China. During that week, the Central Bank and Fuze, a digital asset provider, signed a Memorandum of Understanding to create digital asset solutions that adhere to the legal regulations.

As these new strategies and digitalisation processes are increasingly gaining momentum in the UAE, Federal Law No. 4/2022 was issued to help protect virtual asset investors. As a result, the Virtual Assets Regulatory Authority was put in place to help support their protection.  


Virtual Assets Regulatory Authority (VARA): Appointing a Data Protection Officer 

With the launch of Dubai’s Virtual Assets Regulatory Authority (VARA) in March 2022, VARA became the world’s first independent regulator overseeing the provision, use, and exchange of virtual assets, commonly known as crypto assets or crypto/digital currency. 

With this pioneering innovation, VARA serves as a transparent authority for the regulation and compliance of virtual asset brokers, cryptocurrency companies, and other supporting service providers. VARA intends to “develop the regulations, rules, and standards required for regulating, supervising, and overseeing Virtual Asset Platforms, Virtual Asset Service Providers, and all other matters related to Virtual Assets.” 

As part of its regulations, and in recognition of the continued rise in cyber-attacks and data breaches, VARA requires all its Member Organisations to adhere to an increased focus on securing personal and company data and meeting data protection compliance regulations.

Therefore, entities seeking to obtain a license with VARA must demonstrate compliance with data protection laws by fulfilling the data privacy requirements, including the appointment of a Data Protection Officer and/or Chief Information Security Officer (CISO) as outlined under Rule II, A1 & A2. These requirements will ensure that existing Member Organisations of VARA and future license applicants meet the UAE’s recent Personal Data Protection Law (PDPL), the Dubai International Financial Centre (DIFC) Data Protection Law 2020 (DPL), and, if applicable, other international regulations and legislation including GDPR.

VARA outlines its expectations for data protection compliance by stating the following Rules: 


Rule II, A1: Compliance with Applicable Data Protection Law 


1. VASPs (“Virtual Asset Service Providers”) must comply with all applicable data protection and data privacy requirements in all relevant jurisdiction[s] as follows:

a) within the UAE, including the PDPL and any sectoral or free zone laws and regulations that may apply to the VASP; and 

b) any data protection laws outside of the UAE that may apply to the VASP’s activities wherever conducted. 

2. Compliance with all applicable data protection and data privacy requirements under Rule II.A.1 of this Technology and Information Rulebook shall include, but not be limited to, where data may be stored or located and how such data is transferred. 


Rule II, A2: Compliance Programme 


1. VASPs shall produce and implement a written compliance program to protect the privacy of Personal Data, following all applicable data protection laws.

2. Notwithstanding the requirements of any applicable data protection laws, VASPs shall at a minimum comply with the following VARA requirements:

a) Appoint a Data Protection Officer who has the appropriate competencies and experience to perform the statutory duties and responsibilities associated with this role under applicable data protection laws [including under Article 11 of the PDPL] [Data Protection Officer]. The Data Protection Officer can be the same individual as the CISO of the VASP; and 


b) Establish a function in their organisation that is responsible for the management and protection of Personal Data by all applicable laws and is appropriate for the level of risk involved with such Personal Data, including responsibility for implementing and maintaining appropriate policies, procedures, systems, and controls. 


A Data Protection Officer (or DPO) is a designated individual who has the experience to be responsible for overseeing an organisation’s data protection strategy and ensuring compliance with data protection laws. The DPO acts as a bridge between the organisation, data subjects, and regulatory authorities, and plays a crucial role in maintaining data privacy and security.


TenIntelligence Thoughts   

These structural and technological advancements in the UAE’s governmental and financial sectors have led to an enhanced security system with wide accessibility and efficiency. The nation’s ambition of becoming a leading destination for digital assets is well underway. However, it is working to ensure the proper laws are in place. In these instances, it is vital to maintain user privacy and compliance with the corresponding regulations.

If you are based in the UAE or are looking to invest in their digital financial sector, submit your interest or contact us at info@tenintel.com for expert guidance.