Under the directive issued this week, all e‑payment service providers—including digital wallet operators and buy‑now‑pay‑later schemes—must now adhere to more robust licensing tiers and heightened internal oversight. Providers are required to upgrade compliance systems, enhance anti‑money‑laundering controls and bolster cybersecurity frameworks. The move reflects the Central Bank’s objective to close regulatory loopholes exposed by technology-driven payment innovations. This step marks the latest in a series of Central Bank measures to align Kuwait’s fintech ecosystem with international best practices.
The new measures apply a tiered licensing approach, which distinguishes between various types of providers according to transaction volume and nature. This mechanism echoes the 2023 "Instructions for Regulating the Electronic Payment of Funds", which introduced five license categories, ranging from e‑money issuers to full‑service payment platforms. The updated rules reinforce capital requirements, governance structures, cybersecurity protocols, and business continuity planning. Providers operating under the buy‑now‑pay‑later model have been brought within regulatory scope for the first time, reflecting both their rapid adoption and potential risks.
Officials emphasise that the directive calls for stronger board‑level governance and risk‑management frameworks. Providers are now compelled to implement advanced anti‑fraud and AML/CFT systems to detect illicit transactions. They must conduct regular vulnerability assessments and incident‑response drills, as well as maintain resilience plans to ensure continuity in the event of cyber‑attacks or operational disruptions. Consumer protection has also been intensified, requiring clear disclosures, timely complaint‑resolution procedures and compensation mechanisms for failed or fraudulent transactions.
This move follows earlier Central Bank efforts targeting cybersecurity and encryption. In June, banks were mandated to fully encrypt card data—extending security requirements to Apple Pay and Samsung Pay wallets by the end of 2025. The e‑payment directive complements this by extending controls beyond card networks to the entire digital payment ecosystem, ensuring oversight is comprehensive and coordinated.
The timing of the directive coincides with Kuwait’s broader open banking and fintech strategy. Last week, the Central Bank released a draft open banking framework, inviting public consultation on API standards, data‑sharing protocols and governance requirements. The aim is to foster collaboration between banks and licensed fintech entities under its Wolooj sandbox programme. Combining fintech liberalisation with tighter oversight suggests a dual‑track strategy: nurturing innovation while maintaining the integrity of financial infrastructure.
Industry observers note that the Central Bank’s approach mirrors international regulatory trends. Payment regulators in the UK, Singapore and the UAE have instituted similar tiered licensing regimes and mandatory oversight for digital payment and BNPL services. Analysts at LexisNexis comment that Kuwait’s 2023 update under Decision 45/2023 aligns the country with global regulatory frameworks. The incorporation of BNPL under the e‑payment regulations is particularly notable, as many jurisdictions are just beginning to address the consumer and systemic risks tied to deferred payment schemes.
Fintech entrepreneurs in Kuwait are cautiously optimistic. Many say licensing hurdles have increased, but view enhanced clarity on regulatory expectations as ultimately beneficial. One CEO of a digital wallet firm noted that the updated governance and cybersecurity criteria “raise the market standard, making it easier for compliant players to gain consumer trust”. Smaller startups, however, warn that compliance costs may discourage new entrants, calling for a balanced implementation schedule that supports innovation while ensuring safety.
Analysts highlight that enforcement will be the key to the directive’s success. While regulatory frameworks are evolving, their effectiveness depends on active supervision and regular audits. Sources within the Central Bank confirm plans for periodical reviews of providers, including penetration testing and external audits, conducted under the Payment Systems Oversight function. The Payment Systems Oversight wing, aligned with Bank for International Settlements standards, is expected to expand its scope to include fintech and e‑payment providers.
Since the implementation of the 2023 regulation, the Central Bank has licensed several new fintech players through its sandbox. These include BNPL services and digital wallet platforms. The introduction of the current directive signals a shift: sandbox participants must now transition to full operating licences or withdraw. The Central Bank has reportedly granted a window of six months for this migration period.
Topics
Kuwait