CBUAE Payment Token Services Regulation (PTSR) Compliance Framework

The Central Bank of the UAE occupies a unique and powerful position in the GCC’s digital asset landscape. While VARA regulates virtual assets in Dubai, FSRA governs ADGM, and DFSA oversees DIFC, the CBUAE’s authority extends across the entire UAE for a specific and critically important category: payment tokens. Any digital asset that is used or intended as a means of payment and maintains stable value by reference to fiat currency falls under the CBUAE’s jurisdiction through the Payment Token Services Regulation of 2024.

This is not a narrow or niche regulation. It captures every stablecoin, every dirham-backed token, every fiat-referenced digital payment instrument operating in the UAE mainland. It defines who can issue these instruments, what reserves they must hold, how they can be used in commerce, and what happens to entities that operate without authorization. For issuers, payment processors, remittance operators, exchanges, custodians, and any entity that touches stablecoin payments, the PTSR is the regulatory foundation that shapes their operations and determines their legal standing.

The PTSR’s significance extends beyond direct stablecoin operators. It affects the blockchain infrastructure on which payment tokens operate. Infrastructure providers must understand whether their architecture triggers PTSR obligations or falls outside its scope. The design choices that infrastructure providers make — particularly around token economics and gas fee mechanics — determine whether they are classified as payment token service providers or as technology providers outside the PTSR’s perimeter.

This guide provides a comprehensive analysis of the PTSR: its scope, its requirements, its territorial boundaries, and its implications for every type of digital asset operator. It is written for compliance officers, legal counsel, business strategists, and technology architects who need to understand how the PTSR shapes their operations and infrastructure decisions.

1. CBUAE’s Role in UAE Digital Asset Regulation

The UAE’s digital asset regulatory architecture is deliberately distributed across multiple regulators, each with distinct jurisdiction and mandate. Understanding the CBUAE’s specific role requires understanding how it fits within this broader architecture.

The CBUAE regulates financial institutions including banks, payment service providers, and fintech entities. It oversees payment systems, including those involving virtual assets. However, its authority over virtual assets is strictly limited to those used as a means of payment — specifically, stablecoins and payment tokens. The CBUAE does not regulate virtual assets classified as investment instruments (which fall under the Securities and Commodities Authority or relevant free zone regulators) or utility tokens (which may fall under VARA or other regulators depending on their function and jurisdiction).

This jurisdictional boundary is critical for operators to understand. An entity that issues a utility token in Dubai mainland is regulated by VARA, not the CBUAE. An entity that issues an AED-backed stablecoin in Dubai mainland is regulated by the CBUAE under the PTSR. An entity that issues a security token in ADGM is regulated by FSRA. The regulator is determined by the asset’s function and the entity’s location, not by the entity’s preference.

The CBUAE’s regulatory posture is characterized by precision and strictness. The PTSR was published with clear requirements, explicit prohibitions (algorithmic stablecoins, privacy tokens), mandatory licensing, and a one-year transitional period that ended in June 2025. Entities that were operating payment token services before the PTSR took effect had until June 2025 to come into compliance or cease operations. There is no ambiguity about the CBUAE’s expectations or its willingness to enforce them.

The CBUAE also plays a central role in the UAE’s monetary future through the Digital Dirham. The Central Bank Law of 2025 established the Digital Dirham as recognized legal tender, moving the CBDC from pilot to law. This positions the CBUAE not only as the regulator of private payment tokens but as the issuer of the sovereign digital settlement asset that will coexist with (and potentially compete with) private stablecoins. Understanding the PTSR requires understanding this dual role: the CBUAE is simultaneously regulating private stablecoins and creating its own sovereign alternative.

2. What Qualifies as a Payment Token Under the PTSR

The PTSR’s definition of a payment token is deliberately broad. A payment token is any virtual asset that is used, or intended to be used, as a means of payment and that maintains, or purports to maintain, a stable value by reference to one or more fiat currencies. This definition has several important dimensions that operators must understand.

First, the trigger is use or intent. A token does not need to be actively used as a payment instrument to fall under the PTSR. If it is designed, marketed, or intended for payment use, the PTSR applies. An entity that issues a fiat-referenced token and claims it is “only for settlement between institutions” still triggers PTSR if the token is used or could be used as a means of payment. The CBUAE assesses the token’s actual and potential function, not just its marketing.

Second, the definition covers any fiat reference. The PTSR does not apply only to AED-pegged tokens. Any token that maintains or purports to maintain stable value by reference to any fiat currency — USD, EUR, GBP, INR, or any other sovereign currency — falls within scope if it is used for payments. This means that a USD-backed stablecoin used for payment processing in the UAE mainland triggers PTSR obligations, not just dirham-backed tokens.

Third, the definition excludes central bank digital currencies. The Digital Dirham, as a CBUAE-issued instrument, is not a payment token under the PTSR. It is a sovereign currency in digital form. This distinction matters because the Digital Dirham and private payment tokens will coexist in the settlement landscape, but they are regulated under different frameworks.

Fourth, algorithmic stablecoins are explicitly excluded — not excluded from regulation, but prohibited entirely. A token that maintains its peg through algorithmic supply adjustment rather than reserve backing cannot be issued or operated in the UAE under any circumstances. This prohibition reflects the CBUAE’s assessment that algorithmic stability mechanisms pose unacceptable risks to payment system integrity and consumer protection, informed by the collapse of algorithmic stablecoins like TerraUSD in 2022.

Fifth, privacy tokens are also prohibited. Any token that obscures transaction information or participant identity is incompatible with the AML/CFT framework and cannot operate in the UAE. This prohibition applies across all UAE jurisdictions, not just the PTSR’s scope, under Federal Decree Law No. 6/2025.

3. Licensing Requirements for Payment Token Issuers

No entity can issue a payment token in the UAE without CBUAE authorization. The licensing process is detailed and rigorous, designed to ensure that only well-capitalized, well-governed entities with robust risk management can issue instruments that function as money substitutes in the UAE economy.

The licensing application requires submission of a comprehensive white paper. This is not the kind of informal whitepaper common in the crypto industry. The CBUAE’s white paper requirements mandate detailed disclosure of the token’s technical specifications, stabilization mechanism, reserve composition, risk factors, governance structure, and operational procedures. The white paper must be submitted to the CBUAE for review and acceptance before publication. Publication without CBUAE acceptance is a violation.

Reserve requirements are the cornerstone of the PTSR. Every payment token must be backed one-to-one by fiat currency or equivalent high-quality liquid assets. Reserves must be held in segregated accounts with CBUAE-regulated custodians, completely separated from the issuer’s operating funds. This segregation must be legally enforceable — in the event of the issuer’s insolvency, reserve assets must be protected from creditor claims and available for token redemption.

Independent audits of reserves are mandatory, not optional. Issuers must engage independent auditors to verify that reserve assets equal or exceed the value of outstanding tokens at all times. The frequency and scope of these audits are defined by the CBUAE, and audit reports must be made available to the regulator on demand. Some issuers, like RAKBank with its planned stablecoin, are implementing real-time reserve attestations through audited smart contracts, providing continuous rather than periodic verification.

Capital adequacy requirements ensure that issuers have sufficient financial resources to operate reliably. The CBUAE assesses the issuer’s capital position, operating resources, and ability to sustain operations through adverse conditions. This assessment mirrors the prudential standards applied to other CBUAE-regulated entities, reflecting the CBUAE’s view that payment token issuers perform a function analogous to money transmission and should be held to comparable standards.

AML/KYC requirements align with the UAE’s broader anti-money laundering framework and FATF recommendations. Issuers must implement comprehensive customer due diligence, transaction monitoring, sanctions screening, suspicious activity reporting, and record-keeping. These requirements apply to both the issuance and redemption of payment tokens and to any ongoing monitoring of token circulation.

Ongoing compliance obligations are substantial. Licensed issuers must maintain continuous compliance with reserve requirements, capital adequacy standards, and operational procedures. Reserve adequacy must be verified continuously, not just at audit milestones. Any material change in the issuer’s operations, governance, or financial condition must be reported to the CBUAE promptly. The CBUAE retains broad supervisory powers, including the ability to conduct on-site inspections, demand documentation, and issue corrective orders.

The regulatory model parallels how central banks supervise commercial banks. Payment token issuers are treated as entities that perform a quasi-banking function — accepting value from customers and maintaining reserves against that value. The CBUAE applies comparable scrutiny because the risk profile is comparable: if an issuer fails, token holders lose access to their value, creating the same kind of systemic concern that bank failures generate. This is why the PTSR’s requirements are as strict as they are — the CBUAE is protecting the integrity of the UAE’s payment system, not just regulating a technology product.

For prospective issuers evaluating the PTSR’s requirements, the key takeaway is that payment token issuance in the UAE is a heavily regulated financial activity, not a technology startup exercise. The licensing process requires the same level of institutional readiness that a banking license application demands. Entities that approach the CBUAE without adequate capital, governance, and operational infrastructure will not succeed. The CBUAE is not operating a sandbox or a fast-track program — it is conducting rigorous financial institution licensing.

Banks occupy a special position in the PTSR. The regulation states that banks may not directly act as payment token issuers. However, a bank can create a subsidiary, affiliate, or related entity to perform payment token issuance activities, provided that the new entity meets all PTSR licensing and regulatory requirements independently. This structure — bank subsidiary as issuer, with the bank providing custody and banking infrastructure — is the model being followed by RAKBank and contemplated by other UAE banks exploring stablecoin issuance.

4. Territorial Scope: The Free Zone Question

The PTSR’s territorial scope is one of its most operationally significant features. The regulation applies across the entire UAE except in the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM). This means that payment token activities in Dubai mainland, Abu Dhabi mainland, Sharjah, Ras Al Khaimah, Fujairah, Ajman, Umm Al Quwain, and all non-financial free zones are regulated by the CBUAE under the PTSR.

The DIFC and ADGM exclusions reflect these free zones’ status as independent financial regulatory jurisdictions with their own regulatory frameworks. DFSA regulates digital assets within DIFC, and FSRA regulates digital assets within ADGM. Payment token activities within these free zones are governed by their respective regulators, not by the PTSR.

However, the territorial boundary is not a firewall. The critical nuance that many operators miss is that any entity that scales beyond its free zone triggers PTSR jurisdiction. An entity licensed in ADGM that begins serving UAE mainland customers, processing mainland merchant payments, or partnering with mainland businesses for payment token services moves outside ADGM’s exclusive jurisdiction and into PTSR territory. The PTSR applies based on where the payment activity occurs, not where the entity is licensed.

This creates an important planning consideration. Many digital asset companies establish initial operations in ADGM or DIFC for regulatory clarity and then plan to expand to the broader UAE market. If expansion involves payment token activities — stablecoin issuance, stablecoin-based payment processing, or stablecoin custody for mainland clients — the entity must comply with the PTSR in addition to its free zone regulator’s requirements. This is not an either/or choice; it is a both/and obligation.

For international operators, the territorial scope has extraterritorial implications. An entity based outside the UAE that issues payment tokens targeting UAE mainland users or that facilitates payment token transactions for UAE mainland merchants must comply with the PTSR regardless of its home jurisdiction. The CBUAE’s enforcement reach extends to any entity that touches the UAE mainland payment ecosystem.

5. The Dirham-Only Payment Mandate

Perhaps the PTSR’s most commercially significant provision is the mandate that only CBUAE-approved dirham-backed stablecoins can be used for payment of goods and services in the UAE mainland. After the one-year transitional period ended in June 2025, merchants in the UAE can only accept CBUAE-approved dirham stablecoins for payment. Other digital assets — including Bitcoin, Ether, and USD-backed stablecoins like USDT and USDC — are not authorized for these payment purposes in the mainland.

This mandate fundamentally reshapes the payment landscape. It creates a regulatory moat around dirham-backed stablecoins for domestic commerce, ensuring that the UAE’s digital payment ecosystem operates in the national currency rather than in USD or other foreign currencies. For the CBUAE, this preserves monetary policy sovereignty in an increasingly digital economy.

For payment processors, the mandate creates both a requirement and an opportunity. The requirement is integration with CBUAE-approved stablecoins — currently AE Coin, DDSC, and (pending full approval) RAKBank’s stablecoin. The opportunity is that the mandate creates a captive market for AED-denominated digital payment processing. Every merchant that wants to accept digital payment tokens in the mainland must use CBUAE-approved instruments, and every payment processor that facilitates these transactions must be equipped to handle them.

The mandate does not apply within ADGM or DIFC. USD-backed stablecoins can be traded and used within these financial free zones under their respective regulators’ rules. This creates a dual-track digital currency market: AED stablecoins for mainland commerce and a broader range of stablecoins for free zone financial activities. Operators serving both markets need infrastructure that accommodates both tracks.

The commercial implications of the dirham-only mandate are substantial. The UAE’s total retail payment volume exceeds AED 1.5 trillion annually. Even a modest penetration of digital stablecoin payments — say five percent of retail transactions — represents AED 75 billion in annual stablecoin payment processing volume. Payment processors that are early to market with compliant AED stablecoin processing capabilities will capture disproportionate share of this emerging market.

Merchant adoption is accelerating. e&’s piloting of AE Coin for bill payments demonstrates that major consumer-facing companies are ready to integrate stablecoin payments. As more merchants accept AED stablecoins, consumer adoption follows — creating a virtuous cycle of merchant acceptance, consumer adoption, and increasing transaction volume. Payment processors positioned on compliant infrastructure will benefit from this cycle. Those that delay integration will find themselves competing for market share against established incumbents.

The cross-border dimension adds another layer of commercial opportunity. AED-denominated stablecoins can be used for settlement of international trade where AED is the preferred currency — particularly within the GCC, where bilateral trade is substantial. Infrastructure that supports AED-denominated cross-border settlement alongside domestic payment processing creates a unified platform for both use cases, reducing the operator’s infrastructure costs and increasing the addressable market.

6. The Digital Dirham: CBDC Alongside Private Stablecoins

The CBUAE’s Digital Dirham adds a sovereign dimension to the payment token landscape. Under the Central Bank Law of 2025, the Digital Dirham is recognized as legal tender — giving it a legal status that no private stablecoin can claim. The Digital Dirham will be distributed through licensed banks, exchange houses, and fintech companies, creating a sovereign digital payment infrastructure alongside the private stablecoin ecosystem.

The coexistence of the Digital Dirham and private dirham-backed stablecoins creates a settlement landscape where multiple AED-denominated instruments operate on different rails. The Digital Dirham operates on CBUAE’s infrastructure, directly backed by the central bank. Private stablecoins like AE Coin and DDSC operate on their respective blockchain platforms, backed by AED reserves held with regulated custodians. Both instruments represent one AED per token, but their infrastructure, governance, and risk profiles differ.

For infrastructure providers, the Digital Dirham creates an important design requirement. Infrastructure that is designed to accept any CBUAE-authorized settlement instrument — whether the Digital Dirham, AE Coin, DDSC, or future dirham-backed stablecoins — without issuing any currency of its own has the cleanest regulatory position and the greatest flexibility. The infrastructure is currency-agnostic plumbing that accepts whatever settlement instruments the CBUAE authorizes. This positioning is future-proof because the infrastructure does not need to change as new settlement instruments are approved or existing ones evolve.

The national digital wallet system planned for the Digital Dirham — enabling domestic, wholesale, and international payments — will create a sovereign settlement layer that infrastructure providers can integrate with. Early integration capability is a competitive advantage: payment processors and settlement platforms that can handle Digital Dirham settlement alongside private stablecoin settlement will be positioned to serve the full spectrum of the UAE’s digital payment ecosystem.

7. Infrastructure Provider Considerations Under the PTSR

The PTSR’s scope raises critical questions for blockchain infrastructure providers. Does operating a blockchain on which payment tokens are transacted make the infrastructure provider a payment token service provider? The answer depends on the provider’s architecture and activities.

The functional test is the same one applied under FSRA’s infrastructure provider carve-out: does the entity hold or control virtual assets? An infrastructure provider that operates the blockchain platform but does not hold, control, custody, or have access to payment tokens at any point is providing technology infrastructure, not payment token services. The CBUAE has not published an explicit carve-out equivalent to FSRA’s Consultation Paper No. 10/2025, but the functional principle is consistent: the regulation targets activities involving payment tokens, not the provision of technology on which those activities occur.

Architecture decisions determine classification. An infrastructure provider that issues a native token — even one described as a utility token — that participants must hold to use the platform creates an argument that the provider is facilitating virtual asset activity. If that token references fiat value, it may trigger PTSR classification. Zero-token architecture, where gas is absorbed internally and no token is issued, eliminates this risk entirely. There is no token to classify, no fiat reference to evaluate, and no payment token service being provided.

The gas fee question is particularly relevant. If the infrastructure requires participants to purchase and hold tokens to pay gas fees, the infrastructure provider may be classified as facilitating payment token services, especially if the gas token is pegged to or references fiat value. Gas absorption — where the provider mints gas tokens internally and bills participants in fiat — eliminates this classification risk because participants never interact with any token.

For infrastructure providers planning to operate in the UAE, the safest approach is to design the architecture to eliminate all PTSR triggers from the outset. Zero-token economics, non-custodial design, and clear separation between the infrastructure’s operation and the payment token activities that occur on it create the strongest position for classification outside the PTSR’s scope.

8. International Comparison: PTSR vs. Global Stablecoin Frameworks

The CBUAE’s PTSR sits within a rapidly converging global landscape of stablecoin regulation. Understanding how the PTSR compares to frameworks in the US, EU, Singapore, and Hong Kong helps operators plan for multi-jurisdictional operations and assess the UAE’s competitive positioning.

The US GENIUS Act, enacted in July 2025, requires payment stablecoins to maintain one-to-one backing with US Treasury securities, bank deposits, or equivalent high-quality assets. Monthly reserve disclosures and independent audits with CEO/CFO attestation are mandatory. The 18-month implementation period extends into early 2027. The PTSR and GENIUS Act share the core principle of full reserve backing and licensed issuance, but differ in implementation timelines and enforcement mechanisms.

The EU’s MiCA regime, fully implemented since December 2024, requires similar reserve backing and licensing for stablecoin issuers. MiCA provides a unified EU-wide rulebook, whereas the UAE’s framework splits authority between CBUAE (payment tokens), VARA (other virtual assets in Dubai), and FSRA/DFSA (within their free zones). MiCA’s passporting mechanism allows a single license to cover all EU member states, a feature that the UAE’s multi-regulator model does not provide.

Singapore’s MAS stablecoin framework, coming into force in 2026, requires full reserve backing, S$1 million minimum capital or 50 percent of annual operating costs, and redemption at par within five business days. MAS prioritizes single-currency stablecoins backed by SGD or highly liquid currencies. The framework closely parallels the PTSR’s principles while incorporating Singapore-specific prudential requirements.

Hong Kong’s Stablecoins Ordinance, effective August 2025, requires HKMA licensing for fiat-referenced stablecoin issuers, HK$25 million minimum capital, and 100 percent reserve backing with high-quality liquid assets. The first licenses were issued in March 2026. Hong Kong’s framework includes extraterritorial reach for HKD-referenced stablecoins, meaning overseas issuers of HKD stablecoins must also comply.

The consistent global pattern is convergence: full reserve backing, licensed issuers, independent audits, AML/KYC compliance, and redemption rights. For operators building stablecoin infrastructure that serves multiple jurisdictions, the infrastructure must accommodate the specific requirements of each framework simultaneously. Protocol-level compliance that supports configurable reserve verification, multi-jurisdiction KYC, and structured audit trails provides the foundation for multi-jurisdictional stablecoin operations. Application-layer compliance that is built for one jurisdiction must be rebuilt for each additional market.

Frequently Asked Questions

Can USD-backed stablecoins like USDT or USDC be used for payments in the UAE mainland?

No. After the PTSR’s transitional period ended in June 2025, only CBUAE-approved dirham-backed stablecoins can be used for payment of goods and services in the UAE mainland. USD-backed stablecoins can be traded within ADGM and DIFC under their respective regulators’ frameworks, but they are not authorized for mainland payment processing.

Does holding stablecoins in custody trigger PTSR obligations?

Custody of payment tokens may fall under the PTSR’s scope of payment token services. Custodians holding CBUAE-regulated payment tokens should evaluate whether their activities constitute providing payment token services and whether separate PTSR licensing is required in addition to their custody license from their free zone regulator.

What is the penalty for issuing a payment token without CBUAE approval?

Issuing a payment token without CBUAE authorization is a violation of the PTSR. Penalties are assessed under the CBUAE’s enforcement framework and can include fines, cessation orders, and referral for criminal investigation. Under Federal Decree Law No. 6/2025, digital asset violations can carry penalties up to AED 1 billion.

How does the Digital Dirham differ from AE Coin or DDSC?

The Digital Dirham is a central bank digital currency issued by the CBUAE and recognized as legal tender. AE Coin and DDSC are private stablecoins issued by licensed entities and backed by AED reserves held with regulated custodians. The Digital Dirham carries the full faith and credit of the UAE central bank. Private stablecoins carry the credit risk of their issuers, mitigated by reserve requirements and regulatory oversight.

Does zero-token infrastructure eliminate PTSR exposure?

Zero-token infrastructure that absorbs gas internally, issues no token, and requires no participant to hold any token eliminates PTSR exposure for the infrastructure layer. The infrastructure provider is providing technology services, not payment token services. Payment token activities conducted on the infrastructure by licensed institutions remain subject to the PTSR, but the infrastructure provider itself operates outside the PTSR’s scope.

About the author: This guide was produced by the Falaj team. Falaj is a compliance-first blockchain protocol built as an Avalanche L1 for regulated digital asset institutions in the GCC. Top 5 finalist, Avalanche L1 Builders’ Challenge, January 2026. Learn more at falaj.io.