- within Finance and Banking topic(s)
- within Finance and Banking and Technology topic(s)
- in India
- with readers working within the Banking & Credit, Healthcare and Technology industries
Introduction
The Payment Facilitator model, commonly referred to as the 'PayFac' model, has emerged as one of the more commercially significant innovations in the card payment space.
The proposition is straightforward: a single entity, authorised under a card network as a master merchant, onboards sub-merchants under its own identification number (MID), and the sub-merchants do not have the burden of obtaining independent acquiring relationships. The PayFac assumes contractual liability towards the card scheme and acquiring bank, controls settlement timelines and, in many configurations, holds merchant funds during the settlement cycle. In exchange, it offers sub-merchants speed of onboarding, simplified compliance administration and faster access to liquidity.
The PayFac operates across multiple categories of regulated activity: it acquires transactions, it holds funds, it settles to merchants and, in some instances, it issues stored value.
From a regulator's lens all or most of these would be regulated functions and hence, the regulatory characterisation of these activities in a jurisdiction determines the structure a PayFac must implement. In this context, the jurisdictions of the European Union (EU), the United Kingdom (UK), and the United Arab Emirates (UAE), including its financial free zones, the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) are discussed here.
The European Union: Harmonised Breadth Under PSD2
The Consolidated Permission Model
The EU's payment services framework is grounded in the Second Payment Services Directive, Directive (EU) 2015/2366 (PSD2).1 It requires that entities providing payment services listed in Annex I obtain authorisation as a Payment Institution from the competent authority of their home Member State. Annex I includes, among other services, the acquiring of payment transactions.2
The PSD2 authorisation is based on a consolidated model, with the standalone Payment Institution authorisation permitting for the provision of all payment services. The European Banking Authority's Guidelines on Authorisation and Registration under PSD2 (EBA/GL/2017/09), which specify the information requirements for authorisation applications, confirm that an applicant must identify all payment services it intends to provide, and those services will be covered by a single grant of authorisation.3
The EBA's 2023 Peer Review Report on the authorisation of payment institutions under PSD2, and its December 2025 follow-up report noted that the consolidated authorisation model itself remained consistent across Member States despite the divergent nation-specific practices persisting in certain supervisory assessments, particularly in relation to governance, internal controls and local substance requirements.4
Further, safeguarding of funds obligations require the funds received from payment service users to be either deposited in a segregated account with a credit institution or else covered by an insurance policy or guarantee, and these obligations attach to the authorised entity as a whole.
Exclusions and Their Limits
The PSD2 sets out a series of exclusions from the payment services framework, including for commercial agents acting on behalf of payers or payees and for technical service providers that support the provision of payment services without possessing, controlling or handling of funds. The EBA has consistently emphasised that these exclusions are to be construed narrowly. Thus, a PayFac that exercises discretion over merchant onboarding, that holds funds in transit or that controls settlement timing is unlikely to fall within the technical service provider exclusion, and any attempt to structure a PayFac around that exclusion requires careful analysis of the specific operational flows in question.
The European Commission's legislative package comprising a proposed Regulation on Payment Services in the Internal Market and a Third Payment Services Directive (with a proposed formal adoption set for 2026), are likely to introduce further harmonisation of authorisation requirements and greater clarity on the delineation between payment services categories.5 The trajectory of the EU's regulation is one of consolidated authorisation with heightened supervisory rigour, rather than any move towards activity-specific fragmentation.
The United Kingdom: Consolidated Authorisation Under the Payment Services Regulations 2017
The UK's framework for payment services is principally contained under the Payment Services Regulations 2017 (the PSR 2017).6 The PSR 2017 implements the PSD2, in post-Brexit retained form. The PSR 2017 imposes a prohibition on the provision of payment services in the UK without the benefit of authorisation or registration with the Financial Conduct Authority (FCA) and enlists the payment services that are prohibited and include, relevantly, the acquiring of payment transactions.
The critical feature of the UK regime, from a PayFac perspective, is the breadth of permission conferred by a single authorisation, and an authorised Payment Institution is permitted to provide all of the payment services listed in Schedule 1 that fall within its authorisation. The regime is activity-based in the sense that it regulates defined activities, but consolidated in the sense that those activities can be bundled within a single regulatory permission.
Where a PayFac's operational model extends to the issuance of electronic money, whether through merchant wallets or stored value instruments, it will require separate authorisation as an Electronic Money Institution under the Electronic Money Regulations 2011, though such authorisation equally permits the provision of payment services within a single regulatory permission.
The UAE Mainland: Activity-Specific Regulation and Structural Fragmentation
The RPSCS Regulation 2021
The regulatory treatment of PayFac-like structures in the UAE Mainland diverges from the UK and EU models. The Central Bank of the UAE (CBUAE), as the competent federal authority, regulates payment services on the Mainland under the Retail Payment Services and Card Schemes Regulation (the RPSCS Regulation).7 Under the RPSCS Regulation, no entity may provide or promote retail payment services without first obtaining a licence from the CBUAE.
What distinguishes the RPSCS Regulation from its UK and EU counterparts is the structuring of the regulatory permission, where rather than establishing a single authorisation category of Payment Institution, the CBUAE has divided the regulated 'retail payment services' activity into nine distinct categories of retail payment service, each of which constitutes a separate licence and permission. These are Payment Account Issuance Services; Payment Instrument Issuance Services; Merchant Acquiring Services; Payment Aggregation Services; Domestic Fund Transfer Services; Cross-Border Fund Transfer Services; Payment Token Services;8 Payment Initiation Services;9 and Payment Account Information Services10. The CBUAE issues four licensing tiers and categories, each encompassing different combinations of these service categories, with capital requirements calibrated to the tier and the average monthly value of transactions processed.
This regulatory design has practical consequences for a PayFac, as a typical PayFac structure will intersect with at least three of these licenses: (a) a PayFac will be seen to provide Merchant Acquiring Services, when it onboards sub-merchants and presents their transactions to card schemes; (b) a PayFac it will provide Payment Aggregation Services when it aggregates multiple sub-merchants under a single master identification; and (c) a PayFac may also be considered to provide Payment Account Issuance Services if it operates settlement accounts for its sub-merchants. An additional license may be triggered if a PayFac provides cross-border settlement functionality, in the form of Cross-Border Fund Transfer Services license. Consequently, a PayFac seeking full operational scope on the UAE Mainland must map each of its functions in the end-to-end payment flow against the taxonomy of the RPSCS Regulation and apply for licences across the relevant licenses.
The SVF Regime
The Stored Value Facilities (SVF) Regulation11 which operates entirely separately from the RPSCS Regulation and imposes its own licensing requirements, introduces a further layer of regulatory exposure whose engagement is a matter of operational design rather than commercial intent.
Where a PayFac holds merchant funds in a pooled account between collection and settlement and exercises discretion over settlement timing, the CBUAE may characterise that arrangement as involving stored value, particularly where the float period is extended or the account structure resembles a wallet. This exposure does not arise with the same acuity in the UK or EU, where the holding of funds in transit is addressed within the Payment Institution regime as a safeguarding obligation rather than under a separate instrument. On the UAE Mainland, a PayFac that does not attend carefully to the design of its settlement flows risks triggering SVF licensing requirements in addition to its RPSCS licences, with the additional capital and governance consequences that follow.
The DIFC and ADGM: Consolidated Models Within Jurisdictional Perimeters
The DIFC Framework
The Dubai International Financial Centre operates as an independent financial jurisdiction with its own legislative framework and regulatory authority, the Dubai Financial Services Authority (DFSA). The DFSA regulates payment activity under 'Providing Money Services' licensing category, as set out in the DFSA's General Module (GEN) of the DFSA Rulebook.12 An entity authorised to Provide Money Services may carry on payment services, money transmission and issuance of stored value, subject to prudential requirements set out in the Prudential Module (PRU) and conduct obligations under the Conduct of Business Module (COBS).13
The DIFC model is conceptually aligned with the UK's framework regarding Payment Institution. A single authorisation to Provide Money Services is capable of covering a range of payment functions without requiring separate regulatory permissions for each activity category. A PayFac authorised in the DIFC may aggregate merchants, process transactions and hold as well as safeguarding of client funds. This functional breadth within a single licence category represents a material structural advantage over the Mainland regime.
The above framework comes with DFIC's jurisdictional limitation, under which the regulated activities can be conducted in and from the DIFC and in the realm of cross-border transactions. It does not permit the provision of retail payment services to persons on the UAE Mainland.
A PayFac seeking to serve sub-merchants in both DIFC and UAE Mainland, must consider whether its Mainland-facing operations require separate CBUAE licensing, which will depend on the nature of operations and specific services provided by such PayFac.
The ADGM Framework
The ADGM operates under a consolidated regulatory licensing model as well. The Financial Services and Markets Regulations 2015 of the ADGM (FSMR),14 administered by the Financial Services Regulatory Authority (FSRA), regulates the payment activity involving those of Providing Money Services and Operating a Payment Account.
An entity authorised in the ADGM for these activities may provide a range of payment services under its permission, subject to the capital and safeguarding obligations imposed under the FSRA's Prudential Rulebook.15
The ADGM framework's philosophical and conceptual alignment with the UK model is not coincidental; the FSMR was drafted by reference to English financial services legislation, and the FSRA has consistently sought to maintain regulatory convergence with the UK's FCA. In practice, a PayFac operating from the ADGM benefits from broad permission under a single regulatory status, subject to local substance and governance requirements that the FSRA emphasises with particular vigour in its authorisation assessments.
Akin to the DIFC, the ADGM licence does not permit the extension of the operations to Mainland UAE. Thus, a PayFac with a Mainland commercial footprint must assess such activities in consideration of the regulatory landscape of the CBUAE, as the Federal Regulator.
Comparative Analysis
A review of the five frameworks reveals a consistent philosophical divide across jurisdictions with direct operational consequences. All five regimes apply a functional test grounded in control over merchant onboarding, settlement timing and custody of funds, and that test determines the regulatory character of the activity before any question of authorisation arises.
Where the jurisdictions diverge is in how authorisation is constructed around that perimeter. In the EU, UK, DIFC and ADGM, the regulatory architecture consolidates permissions at the institutional level. A PayFac operating within any of these frameworks can, under one regulatory status, conduct acquiring, aggregation, settlement account operation and money transmission without each function independently engaging a separate licensing requirement.
The UAE Mainland reflects a different philosophy. The CBUAE licences by activity rather than by institution, subjecting each category of retail payment service to oversight calibrated specifically to its risk profile. The RPSCS Regulation does permit a single applicant to seek authorisation across multiple categories, and the CBUAE assesses such applications holistically, which meaningfully mitigates the practical burden of that activity-specific structure. The SVF Regulation introduces a further layer, designed to address the distinct risks of float management and deferred settlement.
Therefore, while the regulatory perimeter for payment facilitators is broadly defined by the functions performed across all five frameworks, the authorisation pathway ultimately reflects each regulator's distinct philosophy in balancing market access with supervisory oversight. In the UAE, the activity-specific licensing framework represents more than a procedural difference; it reflects a structural approach to regulation that requires firms to carefully consider how their operational model aligns with the regulatory perimeter.
For PayFacs with global operations, this means that the commercial proposition cannot simply be transplanted from other markets. Instead, the operational architecture and payment flows must be analysed and structured with the CBUAE's regulatory framework in mind from the outset. Taking this approach at an early stage not only ensures regulatory compliance, but also enables payment facilitators to enter the UAE market with a structure that is both sustainable and aligned with the expectations of local regulators.
Footnotes
1 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market [2015] OJ L337/35 (PSD2).
2 PSD2, Annex I, which lists payment services including (at point 5) the acquiring of payment transactions.
3 European Banking Authority, Guidelines on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers under PSD2 (EBA/GL/2017/09), revised and in force.
4 European Banking Authority, Peer Review Report on the Authorisation of Payment Institutions and Electronic Money Institutions under PSD2 (2023); and Follow-up Peer Review Report (EBA, December 2025), assessing implementation of 2023 recommendations across competent authorities for the period 2022-2024.
5 European Commission, Proposal for a Regulation on Payment Services in the Internal Market (PSR), COM(2023) 366 final; and Proposal for a Directive on Payment Services and Electronic Money Services (PSD3), COM(2023) 367 final (28 June 2023). The legislative package was under co-decision procedure at the time of writing.
6 The Payment Services Regulations 2017 (SI 2017/752) (United Kingdom).
7 Central Bank of the UAE, Retail Payment Services and Card Schemes Regulation (Circular No. 15/2021, issued pursuant to Notice No. 3603/2021), which came into force on 15 July 2021.
8 This activity is now separately addressed under the Payment Token Services Regulation (CBUAE Circular No. 2/2024), issued on 7 June 2024 and effective from 6 July 2024.
9 This activity is now separately addressed under the Open Finance Regulation (Circular 7 of 2023, which was updated by Circular 3 of 2025) which came into force on 10 July 2025.
10 This activity is now separately addressed under the Open Finance Regulation (Circular 7 of 2023, which was updated by Circular 3 of 2025) which came into force on 10 July 2025.
11 Central Bank of the UAE, Stored Value Facilities Regulation, which came into effect on 15 November, 2020.
12 Dubai Financial Services Authority, DFSA Rulebook, General Module (GEN), Chapter 2, which sets out the regulated activities framework in the DIFC, including Providing Money Services.
13 DFSA Rulebook, Prudential Module (PIB/PIN) and Conduct of Business Module (COBS), both in force and updated from time to time.
14 Abu Dhabi Global Market, Financial Services and Markets Regulations 2015 (FSMR), as amended, Schedule 1 (Regulated Activities), administered by the Financial Services Regulatory Authority (FSRA).
15 FSRA, Prudential - Finance Companies Rulebook and associated FSRA Guidance, as published and updated by the ADGM Financial Services Regulatory Authority.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
