Establishing a Comprehensive Technology and Cybersecurity Risk Management Framework

At the heart of this regulatory expectation lies the mandate for Payment Service Providers (PSPs) to establish an effective technology and cybersecurity risk management framework. This framework is the strategic blueprint for digital resilience, designed to ensure:

  • Adequacy of IT Controls: The implementation of robust internal safeguards within information technology systems.
  • Cyber Resilience: The capability of computer systems to withstand, adapt to, and rapidly recover from cyberattacks.
  • Quality and Security: Ensuring that systems are inherently reliable, robust, stable, and consistently available.
  • Safety and Efficiency: Guaranteeing that all operations pertaining to Retail Payment Services are conducted securely and without undue impediment.

Crucially, this framework must be “fit for purpose” – meaning it is precisely tailored and proportionate to the individual PSP’s specific risk profile. This includes considering the entity’s nature, size, complexity, the types of business and operations it conducts, the specific technologies it employs (e.g., cloud computing, blockchain, AI), and its broader enterprise-wide risk management system. PSPs are explicitly directed to adopt recognized international standards and practices, such as ISO 27001, NIST Cybersecurity Framework, and critically, to meet or exceed the UAE Information Assurance Standards, which are periodically updated to reflect evolving threats.

An effective technology risk management framework, therefore, is not a static document but a dynamic and integrated system comprising:

  • Proper IT Governance: Clear oversight and decision-making structures.
  • A Continuous Technology Risk Management Process: An ongoing cycle of identification, assessment, mitigation, and monitoring of risks.
  • Implementation of Sound IT Control Practices: The technical and procedural safeguards that enforce security policies.

Furthermore, PSPs must institute a general framework for managing all major technology-related projects, encompassing both in-house software development and the acquisition of third-party information systems. This framework must detail the specific project management methodology adopted, ensuring that security requirements are embedded from the earliest stages of design and development, rather than being retrofitted.

IT Governance: The Digital Command Structure

Effective management of technology risk begins with robust IT Governance. This establishes the organizational structure and decision-making processes for all IT-related functions, ensuring that technology serves business objectives while simultaneously managing inherent risks.

  • Clear Structure of IT Functions: This entails a well-defined organizational chart for the IT department, delineating clear roles, responsibilities, and reporting lines. It ensures that critical functions such as IT operations, cybersecurity, and risk management are appropriately segregated or managed to avoid conflicts of interest.
  • Establishment of IT Control Policies: Formal, documented policies are essential, covering all facets of IT operations—from system development and data management to access controls and incident response. These policies serve as the rulebook for how technology is managed and secured within the organization.
  • Major Functional Components: Regardless of the specific organizational construct, the CBUAE mandates the presence of three major functions:
    1. An Effective IT Function: Responsible for the day-to-day operation, maintenance, and support of all computer systems and infrastructure.
    2. A Robust Technology Risk Management Function: Dedicated to systematically identifying, assessing, and mitigating technology-related risks across the enterprise.
    3. An Independent Technology Audit Function: This function is paramount. It must be functionally separate from both IT operations and risk management, reporting directly to the Board or a designated Board committee. Its independence ensures objective evaluations of IT controls’ effectiveness and adherence to policies, providing unbiased assurance to senior leadership.

Crucially, the Board of Directors, or a committee specifically designated by the Board, bears ultimate responsibility for ensuring that a sound and robust technology risk management framework is established, maintained, and continuously adapted. This oversight must be commensurate with the specific risks posed by the PSP’s Retail Payment Activities, reflecting the “tone from the top” regarding technology security.

Security Requirements: Integrating Security from Conception to Deployment

Security cannot be an afterthought; it must be an intrinsic element of every system. PSPs are mandated to bake security into their technological DNA.

  • Early-Stage Definition: Security requirements must be clearly defined in the nascent stages of system development or acquisition, forming an integral part of the overarching business requirements. These requirements must then be adequately built into the system during its development lifecycle.
  • Security in Agile Development: For PSPs employing Agile methodologies to accelerate software development, the integration of security practices at every stage of the development process is non-negotiable. This includes secure coding standards, regular security testing (e.g., static and dynamic application security testing), and vulnerability management throughout development sprints, to ensure the software remains uncompromised.
  • API Management and Safeguards: Given the widespread reliance on Application Programming Interfaces (APIs) for interoperability and data exchange, PSPs developing or providing APIs must establish robust safeguards. This includes secure API design principles, strong authentication and authorization mechanisms for API access, rigorous input validation, and continuous monitoring of API interactions to secure data exchange between various software applications.

Network and Infrastructure Management

The underlying network and IT infrastructure are the lifelines of a PSP. Their management requires meticulous attention to detail and stringent security controls.

  • Assigned Network Responsibility: For PSPs with monthly average transaction values of AED 10 million or more, the overall responsibility for network management must be clearly assigned to individuals possessing the requisite expertise to fulfill these critical duties.
  • Documented Procedures: Network standards, design specifications, topological diagrams, and operational procedures must be formally documented, meticulously kept up-to-date, communicated effectively to all relevant network staff, and periodically reviewed to ensure their continued relevance and accuracy.
  • Security Administration and Access Control: PSPs must establish a dedicated security administration function supported by a formal set of procedures for systematically managing access rights to system resources and application systems. This includes granting, modifying, and revoking access based on the principle of least privilege (granting only the minimum access necessary for a user to perform their job). Furthermore, continuous monitoring of system resource usage is essential to detect any unusual or unauthorized activities.
  • Rigorous Control of Privileged and Emergency IDs: Access to “privileged IDs” (e.g., administrator, root accounts) and “emergency IDs” (used for urgent, break-glass access) represents a significant risk vector. PSPs must exercise extreme care in controlling their use and access, implementing a comprehensive set of control procedures, including:
    1. Changing Default Passwords: Prohibiting the use of factory default credentials.
    2. Strong Password Control: Implementing policies mandating minimum length, complexity (requiring a mix of characters), password history, and defining maximum password validity periods.
    3. Restricting Privileged Users: Limiting the number of individuals granted privileged access to the absolute minimum necessary.
    4. Secure Remote Access: Implementing robust controls, such as Multi-Factor Authentication (MFA) and secure VPNs, for remote access by privileged users.
    5. Strictly Necessary Authorities: Granting only the precise authorities required for the specific task to privileged and emergency IDs.
    6. Formal Approval for Usage: Requiring formal approval from appropriate senior personnel before a privileged or emergency ID is released for use.
    7. Logging and Monitoring Activities: Meticulously logging, preserving, and continually monitoring all activities performed by privileged and emergency IDs (e.g., through regular peer reviews of activity logs).
    8. Prohibiting Account Sharing: Absolutely forbidding the sharing of privileged accounts among individuals.
    9. Physical Safeguard of Credentials: Ensuring privileged IDs and passwords are securely stored (e.g., in a sealed, tamper-evident envelope in a physically secure location like a data center vault).
    10. Immediate Password Change: Mandating immediate password changes for privileged and emergency IDs upon their return by the requesters.

Proactive Defense and Incident Response

Given the heavy reliance on internet and mobile technologies, cyber security risks must be managed with utmost priority through the PSP’s overarching technology risk management process.

  • Adequate Resource Commitment: PSPs must commit sufficient skilled human resources (cybersecurity experts, incident responders) and technological resources (threat intelligence platforms, security information and event management – SIEM systems) to effectively:
    • Identify emerging cyber threats and vulnerabilities.
    • Protect critical services and assets against potential attacks.
    • Contain the impact of any cybersecurity incidents rapidly.
    • Restore affected services and data to normal operations efficiently.
  • Cyber Incident Response and Management Plan: A comprehensive, documented plan is mandatory for swiftly isolating and neutralizing cyber threats and resuming affected services as quickly as possible. This plan must detail procedures for responding to plausible cyber threat scenarios, including communication protocols, escalation paths, and designated roles and responsibilities.
  • Penetration and Cyber-Attack Simulation Testing: For PSPs exceeding AED 10 million in monthly average transaction value, regular assessments of the necessity to perform penetration testing and cyber-attack simulations are mandated. The scope of these tests must be determined by the PSP’s cyber security risk profile and available cyber intelligence, covering not only networks (external and internal) and application systems but also social engineering tactics and emerging cyber threats. Crucially, PSPs must take timely and appropriate actions to mitigate all identified issues, threats, and vulnerabilities based on an impact and risk exposure analysis.

Retail Payment Service User Authentication

Secure user authentication is fundamental to protecting customer accounts and transactions.

  • Reliable Authentication Techniques: PSPs must implement robust and effective authentication techniques to validate the identity and authority of Retail Payment Service Users.
  • Multi-Factor Authentication (MFA): MFA is a mandatory requirement for all high-risk transactions. This adds layers of security (e.g., something the user knows, has, or is) to confirm identity beyond a single password.
  • End-to-End Encryption for Passwords: User passwords must be protected through end-to-end encryption during transmission, ensuring they are not exposed at any intermediate points between the user’s device and the system where passwords are verified.
  • Login Attempts and Session Management Controls: Effective controls are required to limit the number of login or authentication attempts (e.g., account lockout after multiple incorrect password entries), implement time-out controls for inactive sessions, and set strict time limits for the validity of authentication tokens (especially one-time passwords, which should have minimal validity periods).
  • Comprehensive Audit Trails: PSPs must maintain processes ensuring that all Payment Transactions are meticulously logged with an appropriate audit trail, allowing for full traceability and accountability.

Secure Account Lifecycle Management

The entire lifecycle of a Retail Payment Service User account, from opening to changes, must be secured.

  • Online Account Opening (eKYC): For Payment Account Issuance Services offered through online channels, a reliable method for authenticating the identity of the Retail Payment Service User must be adopted. The CBUAE explicitly states that electronic Know Your Customer (eKYC) processes accepted for traditional banks are generally acceptable for these customer verification and validation processes.
  • Identity Checks for Account Changes: PSPs must perform adequate identity checks when any Retail Payment Service User requests changes to their Payment Account information or contact details, particularly those crucial for receiving important information or monitoring account activities (e.g., phone number, email address).
  • Re-authentication for High-Risk Transactions: PSPs must implement effective controls, such as two-factor authentication, to re-authenticate the Retail Payment Service User before executing each high-risk transaction. High-risk transactions are defined to include, at a minimum:
    1. Payment Transactions that exceed predefined transaction limit(s).
    2. Changes of personal contact details.
    3. Unless impractical to implement, Payment Transactions that exceed aggregate rolling limit(s) (i.e., total value of Payment Transactions over a period of time).
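The three high-risk triggers listed above, as an added Python example (not code from the original article or from the CBUAE): a classifier that reports which trigger fired so the PSP can re-authenticate before execution, including the aggregate rolling limit over a time window. The limit values and the 24-hour window are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Limits are constructed for this example; a PSP sets its own predefined values.
PER_TXN_LIMIT = 5_000.0             # a single payment above this is high-risk
ROLLING_LIMIT = 20_000.0            # aggregate value over the rolling window
ROLLING_WINDOW_SECONDS = 24 * 3600  # the "period of time" for the aggregate limit

@dataclass
class Request:
    user: str
    kind: str                       # "payment" or "contact_change"
    amount: float = 0.0
    ts: float = 0.0                 # seconds since epoch

@dataclass
class UserHistory:
    payments: deque = field(default_factory=deque)   # executed payments in the window: (ts, amount)
    total: float = 0.0

class HighRiskClassifier:
    """Decides whether a request must be re-authenticated before execution, applying the
    three triggers: per-transaction limit, contact-detail change, aggregate rolling limit."""

    def __init__(self):
        self._hist: dict[str, UserHistory] = {}

    def _prune(self, h: UserHistory, now: float) -> None:
        # Drop payments older than the window so the aggregate reflects only the rolling period.
        while h.payments and h.payments[0][0] <= now - ROLLING_WINDOW_SECONDS:
            _, amt = h.payments.popleft()
            h.total -= amt

    def reasons(self, req: Request) -> list[str]:
        """Return the triggered reasons; an empty list means no re-authentication is needed."""
        h = self._hist.setdefault(req.user, UserHistory())
        self._prune(h, req.ts)
        hits: list[str] = []
        if req.kind == "contact_change":
            hits.append("contact_change")
        elif req.kind == "payment":
            if req.amount > PER_TXN_LIMIT:
                hits.append("per_transaction_limit")
            if h.total + req.amount > ROLLING_LIMIT:  # the new payment counts toward the window
                hits.append("aggregate_rolling_limit")
        return hits

    def requires_reauth(self, req: Request) -> bool:
        return bool(self.reasons(req))

    def record_executed(self, req: Request) -> None:
        """Call once the payment has executed (after re-authentication where required)."""
        if req.kind != "payment":
            return
        h = self._hist.setdefault(req.user, UserHistory())
        h.payments.append((req.ts, req.amount))
        h.total += req.amount
```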

Business Continuity: Ensuring Uninterrupted Service Delivery

Major disruptions, whether from cyberattacks, natural disasters, or system failures, cannot halt critical payment services. PSPs must have robust business continuity management (BCM) programs.

  • Adequate BCM Program: This program must ensure the continuation, timely recovery, or, in extreme scenarios, the orderly scale-down of critical operations in the event of major disruptions. It comprises:
    • Business Impact Analysis (BIA): Identifying critical business functions and the impact of their disruption.
    • Recovery Strategies: Plans for how to recover these critical functions.
    • Business Continuity Plan (BCP): A detailed, documented plan for execution during a disruption.
    • Alternative Sites: Backup locations for business operations and IT recovery.
  • Documented and Tested Recovery Strategies: Recovery strategies must be clearly documented, thoroughly tested, and regularly reviewed to ensure achievement of predefined recovery timeframes.
  • Timely Restoration of Records: PSPs must have effective measures to ensure all business records, especially Retail Payment Service User records, can be restored in a timely manner if lost, damaged, or destroyed. Users must also be able to access their own records promptly. In the event of record loss due to operational failure or theft, PSPs must notify affected users and make reasonable efforts to prevent wrongful use of lost personal records.
  • Comprehensive Business Continuity Plan: The BCP must include: detailed recovery procedures, escalation protocols and crisis management (including timely reporting to the CBUAE), proactive communication strategies (user notifications, media response), updated contact details of key personnel, and assignment of primary and alternate personnel for system recovery.
  • Annual BCP Testing: The BCP must be tested at least annually, with management and relevant personnel participating to familiarize themselves with recovery responsibilities. All testing activities must be formally documented, including test plans, scenarios, procedures, and results, culminating in a post-mortem review report for formal management sign-off.

Alternate Sites for Business and IT Recovery

To mitigate concentration risk, PSPs must ensure their alternate recovery sites are strategically located.

  • Geographic Dispersion: Alternate sites must be sufficiently distanced from primary sites to avoid being affected by the same localized disaster.
  • Readiness and Accessibility: Alternate sites must be readily accessible, equipped with appropriate facilities, and available for occupancy within the recovery timeframes specified in the BCP. Physical access controls must be robust.
  • Remote Work Preparedness: If remote work is part of the recovery strategy, adequate computer systems and communication facilities must be made available to staff in advance.
  • IT Recovery Site Equipment: Alternate IT recovery sites must possess sufficient technical equipment, including communication facilities, of an appropriate standard and capacity to meet all recovery requirements.
  • Managing Vendor Reliance: PSPs must avoid excessive reliance on external vendors for BCM support. Where vendors are used, the PSP must satisfy itself that the vendor has the capacity to provide services when needed and that contractual responsibilities are clearly specified.
  • Cloud Service Risk Management: If shared computing services (like cloud computing) are used for disaster recovery, the PSP must actively manage the associated risks, ensuring contracts, security, and recovery capabilities meet regulatory standards.

Reputation Risk Management: Safeguarding the Brand’s Integrity

Finally, beyond operational and security specificities, PSPs must actively manage their reputational risk.

  • Effective Process: An established and implemented process for managing reputational risk, proportionate to the PSP’s size and complexity, is mandatory. This involves monitoring public perception, proactively addressing negative narratives, and ensuring transparent communication during incidents that could impact trust.

Technology as the Enabler of Trust in the UAE’s Financial Future

The CBUAE’s comprehensive requirements for Technology Risk and Information Security are a testament to the UAE’s commitment to building a secure, reliable, and trustworthy digital financial ecosystem. For Payment Service Providers, these mandates are not merely technical hurdles but strategic imperatives that directly impact operational resilience, regulatory standing, and market competitiveness.

By diligently implementing these detailed requirements, PSPs contribute directly to the stability of the UAE’s retail payment landscape, protect their customers’ assets and data, and ultimately, fortify their own brand reputation. In an era where digital trust is paramount, mastering technology risk is the key to sustainable success and a mark of true leadership in the financial services sector.
