Table of Contents
The United Arab Emirates has grown into one of the most exciting fintech markets in the world, and at the regulatory core of that growth sits one document every payment company must understand: the Central Bank of the UAE’s (CBUAE) framework for payment service provider licenses. Whether you are a Series A startup building an e-wallet, a global payment gateway entering the Gulf, or an open-banking disruptor trying to get your foot in the door, the CBUAE payment service provider license categories will define what you can do, who you can serve, and how much capital you need to put on the table.
This guide breaks it all down in plain language, the four license categories, the nine regulated services, capital requirements, eligibility criteria, and the step-by-step path to getting licensed. By the end, you will have the clarity to make one of the most important regulatory decisions your business will ever face.
Why the CBUAE Licensing Framework Exists and Why It Matters to You
Before we get into the categories themselves, it helps to understand why the CBUAE built this framework in the first place. The Central Bank is tasked with two often-competing goals: fostering innovation and maintaining financial system stability. The old blanket approach to payment regulation, where one set of rules applied to everyone equally – was poorly suited to a market where a small remittance startup and a global payment processor were fundamentally different animals.
The solution was the Retail Payment Services and Card Schemes (RPSCS) regulation – a risk-based tiered system that assigns regulatory weight proportionally to the size and scope of a payment business. The bigger your transaction volumes and the broader your service offering, the more stringent the oversight. Conversely, a niche early-stage provider faces lower barriers to entry, enabling faster innovation without compromising the system at large.
This framework is not just a compliance box to tick – it is a signal to your customers, investors, and banking partners that you meet institutional-grade standards. In a market where trust is everything, a CBUAE license is one of the most powerful credibility assets a UAE fintech can hold.
The 9 Regulated Payment Services – Know What You Are Before You Choose a Category
The CBUAE does not regulate payments as a monolithic activity. Instead, it defines nine specific services, and the license category you fall under depends entirely on which combination of these you intend to provide. Understanding each one is the first step to choosing the right category.
- Payment Account Issuance Services: This covers the creation and maintenance of accounts used to store and manage funds electronically. If you are offering an e-wallet or any digital account that holds a balance on behalf of users, this applies to you.
- Payment Instrument Issuance Services: Issuing the tools that access payment accounts: physical cards, virtual cards, tokens, or other instruments. Card-issuing fintechs and prepaid card programmes fall here.
- Merchant Acquiring Services: Enabling merchants to accept payments from customers, typically via point-of-sale terminals or payment gateways. This is the backbone of most e-commerce and retail payment infrastructure.
- Payment Aggregation Services: Acting as a middleman that collects payments on behalf of multiple merchants and then distributes funds. Marketplaces and platforms that sit between buyers and sellers commonly require this service type.
- Domestic Fund Transfer Services: The movement of funds between parties within the UAE. This includes person-to-person transfers and business payment flows that stay within national borders.
- Cross-Border Fund Transfer Services: International remittance and cross-border payment services. This is one of the most heavily regulated categories given the AML and foreign exchange implications.
- Payment Token Services: The issuance, management, and redemption of digital payment tokens. This covers a range of use cases, from loyalty points redeemable as currency to tokenised payment instruments.
- Payment Initiation Services (PIS): A core open-banking service where a licensed provider accesses a user’s bank account (with their consent) to initiate a payment directly, without the user needing to log in to their bank manually.
- Payment Account Information Services (PAIS): Another open-banking pillar: aggregating and presenting account information from multiple financial institutions in a single view. Think of personal finance management apps or business cash-flow dashboards.
Once you have mapped your business model against these nine services, you are ready to identify which of the four CBUAE license categories you should be applying for.
Also, read How to Start a Fintech Company in Dubai – A Founder’s Guide 2026
The 4 CBUAE Payment Service Provider License Categories – Explained in Full
Category I: The Full-Stack Payment License
Category I is the most comprehensive, and most demanding, license available under the CBUAE framework. It is designed for organisations that want to operate a full-spectrum payment business within the UAE.
Permitted Activities: Category I covers Payment Account Issuance, Payment Instrument Issuance, Merchant Acquiring, Payment Aggregation, Domestic Fund Transfers, Cross-Border Fund Transfers, and Payment Token Services. In short, almost everything except the open-banking services (PIS and PAIS).
Who Should Apply: This category is the natural home for global Payment Service Providers (PSPs) entering the UAE market, neobanks offering a full suite of financial products, and comprehensive payment ecosystems that intend to compete with traditional banks on product breadth. If your roadmap includes issuing cards, onboarding merchants, processing transfers, and managing digital tokens, all under one entity, Category I is your target.
What It Demands: Category I carries the most rigorous requirements in the framework. Applicants must demonstrate a robust organisational structure, high IT resilience, advanced cybersecurity protocols, and sophisticated AML/CFT compliance programmes. The governance expectations are significant, with the Central Bank paying close attention to the qualifications of board members and senior management. Capital requirements are the highest in the framework, reflecting the systemic importance of a full-stack provider.
The Strategic Case: For businesses with the capital and operational maturity to meet Category I standards, the licence is an extraordinary competitive asset. It allows you to build and grow a complete payment ecosystem without the need for multiple separate licences or reliance on partner institutions for specific service types.
Category II: The Market Workhorse Licence
If Category I is the gold standard, Category II is the practical workhorse, the licence type that most mid-to-large payment businesses in the UAE are likely to pursue. It covers the full range of payment services with one notable exclusion.
Permitted Activities: Category II permits all the same activities as Category I, with the exception of Payment Token Services. Every other service, account issuance, card issuance, merchant acquiring, aggregation, domestic and cross-border transfers, is available under this licence.
Who Should Apply: Category II is ideally suited for e-commerce payment gateways, merchant aggregators, and established payment processors that operate at significant scale but do not have a product requirement for digital tokens. A regional payment gateway processing large volumes of card transactions for UAE merchants, for instance, would typically find Category II to be the most appropriate fit.
What It Demands: Category II sits at a solid middle ground in terms of regulatory overhead. Capital requirements are lower than Category I but still substantial, and the governance, technology, and AML expectations remain rigorous. Organisations applying for Category II should expect the Central Bank to scrutinise their IT infrastructure, data handling protocols, and financial projections carefully.
The Strategic Case: For businesses that do not need tokenisation capabilities, Category II offers a compelling value proposition, nearly the full range of payment services with somewhat more manageable capital and compliance demands than the top tier.
Category III: The Specialised Provider Licence
Category III takes a more focused approach, tailored to businesses that operate in defined, specialised niches within the payment ecosystem rather than offering a broad suite of services.
Permitted Activities: Category III covers a more targeted set of services, typically excluding Payment Account Issuance and Payment Token Services. The exact combination of permitted services depends on the applicant’s business model, but the regulatory intent is clear: this category is designed for providers with a specific, well-defined use case, such as a cross-border remittance specialist or a focused merchant services platform.
Who Should Apply: Category III is the right fit for businesses that provide one or two core payment functions with depth and expertise rather than breadth. A UAE-based international money transfer operator focused purely on remittances to South Asia, for example, would be a strong candidate. Similarly, a payment service company specialising in merchant acquiring for a specific industry vertical would find Category III proportionate to its ambitions.
What It Demands: Capital requirements for Category III are lower than Category I and II, making it a more accessible entry point for well-capitalised but focused businesses. The CBUAE still expects rigorous compliance in the specific services provided, particularly for cross-border transfers where AML and sanctions screening obligations are especially stringent.
The Strategic Case: Category III is an excellent choice for businesses that want to get licensed, start operating, and build a track record in the UAE market before potentially seeking a higher-category licence as they scale. It allows specialised expertise to shine without requiring the full organisational weight of a Category I or II operator.
Category IV: The Open Finance Pioneer Licence
Category IV is the most distinct of the four, purpose-built for the open-banking economy. It represents the CBUAE’s deliberate effort to lower barriers for data-driven, API-first fintech businesses, while still ensuring robust consumer protection.
Permitted Activities: Category IV is exclusively for Payment Initiation Services (PIS) and Payment Account Information Services (PAIS). There is no overlap with the traditional payment services covered by Categories I through III. This is a clean-sheet licence for a new breed of fintech.
Who Should Apply: If your business model is built around open banking, Category IV was designed with you in mind. This includes account aggregation platforms that help consumers see all their bank accounts in one app, personal finance management tools, business treasury dashboards that consolidate multi-bank data, and payment initiation services that allow users to pay directly from their bank accounts without a card. Fintech startups in the early stages of the open-banking space, often with leaner teams and smaller balance sheets than traditional payment processors, will find Category IV’s requirements the most accessible.
What It Demands: Category IV carries the lowest capital requirement in the entire framework, a fixed AED 100,000 regardless of transaction volume (since PIS and PAIS do not involve the same kind of fund movement as the other categories). However, the data privacy and cybersecurity expectations are non-negotiable. Businesses handling sensitive financial account data must implement strict access controls, consent management frameworks, and data handling protocols that comply with UAE data protection laws.
The Strategic Case: Category IV is a landmark opportunity for open-banking entrepreneurs. The fixed and relatively modest capital floor means that genuinely innovative fintech startups, not just well-funded incumbents, can enter the UAE market legally and compliantly. As the UAE’s open-banking infrastructure matures, Category IV licence holders are positioned to be at the forefront of that transformation.
Capital Requirements – What You Need to Have Ready
The CBUAE ties capital requirements to your monthly transaction volume, ensuring that the financial buffer a provider maintains scales with the risk it poses to the system. Here is the full breakdown:
| License Category | Monthly Volume Under AED 10M | Monthly Volume AED 10M and Above |
|---|---|---|
| Category I | AED 1,500,000 | AED 3,000,000 |
| Category II | AED 1,000,000 | AED 2,000,000 |
| Category III | AED 500,000 | AED 1,000,000 |
| Category IV | AED 100,000 (Fixed) | AED 100,000 (Fixed) |
A few important notes on these figures. First, they represent minimum capital, the Central Bank may require additional financial commitments depending on the specifics of your business model and risk profile. Second, the Category IV figure is fixed regardless of volume, because PIS and PAIS activities do not carry the same direct financial exposure as fund-holding or transfer services. Third, you should plan for your capital requirements to potentially step up as your business scales, if you launch below the AED 10M monthly threshold and grow above it, your minimum capital obligation doubles.
Eligibility and Application – What the CBUAE Expects From You
Meeting the capital threshold is necessary but far from sufficient. The CBUAE applies a comprehensive set of eligibility criteria that every applicant must satisfy.
- Legal Form: Your entity must be legally incorporated in the UAE in accordance with CBUAE requirements. Foreign-incorporated entities cannot hold a CBUAE payment service provider licence directly, UAE establishment is a prerequisite.
- Fit and Proper Assessment: Every member of the board and senior management team will be subject to a detailed vetting process. The Central Bank assesses integrity, financial soundness, and professional competence. A single disqualifying background finding can stall or derail an application, so assembling the right leadership team is as important as meeting the capital requirements.
- Governance Framework: You must be able to demonstrate a documented organisational structure with clear segregation of duties, internal controls, and an independent non-executive board chair. The CBUAE wants to see that decision-making power is appropriately distributed and that no single individual or interest can dominate operations unchecked.
- AML/CFT Compliance: Robust anti-money laundering and counter-financing of terrorism policies are mandatory, aligned with Federal Law No. 20 of 2018. This means documented procedures, transaction monitoring systems, sanctions screening, and a designated compliance officer with real authority and resources.
- Technology and Cybersecurity: Applicants must submit their IT architecture documentation, data handling protocols, and evidence of redundant, secure systems. For higher-volume operators, the Central Bank will scrutinise cybersecurity measures especially closely, including how the organisation responds to incidents and how customer data is protected.
The Application Process – Step by Step
Step 1 Pre-Application Meeting
Contact the CBUAE Licensing Division before submitting anything formally. This introductory meeting allows you to present your business model, get preliminary guidance on the appropriate category, and understand any specific concerns the Central Bank may have about your proposed activities.
Step 2 Prepare the LPA Form
Complete the Licensed Person’s Application (LPA) form, the official submission document for CBUAE payment service licences.
Step 3 Compile Your Documentation
Your application package must include a comprehensive business plan, three-year financial projections, AML/CFT policy documentation, your Memorandum of Association (MOA), details of your technology architecture, and the CVs and background materials for all board members and senior managers undergoing the fit and proper assessment.
Step 4 Submit and Await Review
The Central Bank’s review process is thorough. Once all required conditions are met and your submission is complete, the CBUAE typically issues its decision within 60 working days. Incomplete submissions reset the clock, so it pays to get the documentation right the first time.
Ongoing Obligations – Compliance Doesn’t Stop at Licensing
Receiving your licence is the beginning, not the end. CBUAE-licensed payment service providers are subject to continuous obligations that include maintaining minimum capital at all times, submitting regular transaction data reports to the Central Bank, undergoing annual independent audits, and adhering to strict cybersecurity standards as outlined in Article 13 of the RPSCS regulation.
The Central Bank actively monitors licensed entities and has the authority to impose conditions, suspend activities, or revoke licences where obligations are not met. Building a compliance function that treats these obligations as ongoing operational priorities, not annual events, is essential for any serious market participant.
Why the Right CBUAE Payment Service Provider License Category Is Your Biggest Strategic Decision
Choosing between the four CBUAE payment service provider license categories is not just a regulatory formality, it shapes your entire business architecture. The category you hold determines which services you can offer (and which you cannot), how much capital you must maintain as you grow, the governance and technology standards you must meet, and the market opportunities open to you.
Apply for too low a category and you may find yourself unable to serve clients or launch products without going back through the application process. Apply for too high a category and you risk overcommitting capital and organisational resources before your business model has validated them. The best strategy is to map your current and near-term service offering carefully, build in reasonable headroom for growth, and engage the CBUAE early through a pre-application meeting to confirm your chosen category is appropriate.
The UAE’s ambition to become a fully cashless, digital-first economy is not a distant aspiration, it is an active, government-backed programme. The CBUAE’s licensing framework is the infrastructure that makes it possible. For fintech companies that invest the time and resources to navigate it properly, regulatory compliance becomes not a constraint but a competitive advantage: a signal of institutional credibility in a market where trust, transparency, and regulatory standing are increasingly decisive differentiators.
Subscribe to UAE Fintechvibes newsletter for weekly updates.