August 16, 2024

Qatar’s New DLT Guidelines: Balancing Innovation and Regulation in the FinTech Landscape

by Soham Jethani, Pankhuri Malhotra and Abhay Raj


Key Takeaways:

  • The Qatar Central Bank has introduced the Distributed Ledger Technology Guideline, effective 22 July 2024, to provide a regulatory framework for DLT applications in the financial sector.
  • The Guideline offers a flexible, principles-based approach to governance, encouraging innovation while maintaining stringent regulatory standards for safety and efficiency.
  • The Guideline categorises DLT businesses into several types, including internal tools, permissioned networks, and networks interacting with customers.
  • DLT businesses must adhere to various regulatory requirements, including risk assessments, governance responsibilities, and maintaining a register of DLT applications.

Background

Nations worldwide have sought to leverage the benefits of Distributed Ledger Technology (“DLT”). Yet many struggle to balance investment and innovation against the need for regulation to address challenges and uncertainties. Similarly, Qatar, through its FinTech (Financial Technology) Strategy,[1] has shown an interest in embracing DLT but has traditionally taken a cautious regulatory approach.[2]

Given the rise of businesses[3] involved in DLT worldwide, especially in Gulf countries like the United Arab Emirates (“UAE”)[4] and Bahrain, Qatar aims to establish itself as a global FinTech hub with clear regulations. Qatar’s Islamic FinTech market is projected to grow to USD 4 billion over the next three years from USD 2.1 billion in 2022-23.[5]

Until recently, DLT-specific regulations were absent in Qatar, with its applications falling under broader legal frameworks such as the Cyberlaw of 2014[6] and the Data Privacy Protection Law of 2016.[7] However, to better govern this emerging sector, the Qatar Central Bank (“QCB”) issued the Distributed Ledger Technology Guideline (“Guideline”) on 22 July 2024.[8] The Guideline includes governance protocols to effectively manage DLT in the financial sector, aiming to foster innovation while maintaining robust regulatory standards.

The Need for the DLT Guideline

Recognising DLT’s transformative potential, the Guideline establishes a robust regulatory framework for DLT businesses. This initiative aims to create a structured environment where businesses can leverage DLT to develop innovative solutions while ensuring safety, security, and efficiency.[9]

The Guideline introduces DLT[10] as a type of shared database that can be updated by a set of Participants[11] using a Consensus Mechanism,[12] eliminating the need for a central management system. Think of it as a super-advanced ledger that every Participant can see and update, but only with everyone’s agreement. While blockchain[13] is a well-known form of DLT, there are numerous other applications of DLT.

The Guideline provides clear oversight requirements for DLT applications, adopting a flexible approach that allows entities to achieve their goals based on guiding principles rather than rigid rules, except where specific requirements are necessary.[14] It also sets out best practice standards to govern the conduct of entities, encouraging compliance as part of their regulatory responsibilities. Additionally, the Guideline offers detailed management protocols for different DLT activities,[15] ensuring financial institutions can safely and effectively integrate DLT into their operations.

In many ways, the Guideline is similar to the new guidelines issued by the Securities and Commodities Authority of the UAE.[16]

Understanding DLT Businesses

The Guideline classifies DLT systems used by businesses into different types based on governance and risk control issues. These businesses have to go through various levels of scrutiny as per the DLT Guideline. The primary types of DLT applications include:

  1. Internal Tool: These are DLT applications used internally for administrative tasks or risk evaluation in financial assets and transactions business.
  2. Participation in a Permissioned Network: This covers the vast majority of external DLT activities. Three main sub-types are identified:
       • Type 1: Regulated networks, such as Financial Market Infrastructures.[17]
       • Type 2: Single-entity networks, either regulated or unregulated, without participant rights in the Consensus Mechanism process.
       • Type 3: Multi-entity networks involving regulated and/or unregulated firms, possibly co-sponsored by the Entity.
  3. DLT network interacting with Customers: This is a subset of the above type, largely focused on putting existing customer products and information onto DLT applications.
  4. Participation in a Permissionless Network: QCB currently does not permit Permissionless DLT Networks.[18]

What does it mean for Businesses

DLT businesses operating in Qatar must now adhere to the Guideline, which provides clear regulations for governance and compliance standards essential for business operations and strategic planning.

  1. Notification to QCB: Entities are encouraged to inform the QCB about potential DLT applications and submit fully developed proposals for evaluation.
  2. DLT Strategy: Entities must develop and periodically review a DLT strategy that aligns with their needs, risk appetite, overall strategies, and internal policies.[19]
  3. Governance Responsibilities: The board of directors and senior management are accountable for ensuring effective internal controls, audits, and risk management practices for DLT-related activities.[20]
  4. DLT Applications Register: Entities must maintain a comprehensive register of all DLT applications, disclosing this information annually to QCB or upon request.[21]
  5. Risk Assessment: A thorough risk assessment is mandatory for all DLT systems, including governance, regulatory compliance, ledger design, smart contracts, and key management.[22]
  6. Outsourcing Due Diligence: When outsourcing DLT-related activities, entities must conduct regular due diligence on service providers, ensuring they comply with privacy regulations and confidentiality standards.[23]
  7. Regulatory Compliance: Entities must adhere to various secondary regulations in addition to QCB Law and the Guideline.[24]

Following the governance principles and requirements set out by the Guideline, a set of secondary regulations is listed that must be adhered to, namely:

  1. Regulations or guidelines issued by QCB, including those related to emerging technology;
  2. Law No. (13) of 2016 on Personal Data Privacy Protection;
  3. The Sector-Specific Security Regulations;
  4. Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT) rules and laws;
  5. E-KYC Regulation, in the event an Entity onboards customers digitally;
  6. Technology Risks Circular of January 2018 issued by the QCB; and
  7. Cloud Computing Regulation, if the Entity wants to adopt cloud computing deployments.

Qatar vs UAE – A comparison

While Qatar recently issued the Guideline, the UAE had already taken the lead by issuing “Guidelines for Financial Institutions Adopting Enabling Technologies” in 2021. The UAE regulators[25] have jointly issued guidelines to promote best practices for financial institutions adopting DLT and other enabling technologies, allowing for Permissionless DLT[26] in the UAE. Permissionless DLT allows open and public access, enabling higher transparency and greater flexibility. In contrast, Qatar’s Guideline does not permit Permissionless Networks, which may hinder the development of certain DLT applications.

Further, while the QCB Guidelines do not directly introduce a licensing procedure, they do outline a process for obtaining approval from the QCB to operate a DLT business. In the UAE, regulatory authorities such as the Virtual Assets Regulatory Authority and the Abu Dhabi Global Market provide a clear framework for licence approval to conduct business as a DLT Service Provider.

The UAE’s guidelines strike a balance between innovation and risk management, requiring institutions that develop Permissionless DLT applications to ensure that users are not anonymous or pseudonymous. This precaution helps prevent criminal activities like money laundering, terrorism financing, and tax evasion. Qatar’s more restrictive approach may be intended to address similar concerns, but it may also limit the potential benefits of DLT in the country.

In our view, Qatar can reap considerable economic benefits by enhancing its DLT guidelines and introducing a clear licensing regime, enabling such blockchain technology to be adopted. However, as the regulatory landscape continues to evolve, it will be interesting to see how Qatar’s approach compares to the UAE’s more established guidelines.

******

[1] Third Financial Sector Strategic Plan, Qatar Central Bank, Nov. 27, 2023, https://www.qcb.gov.qa/PublicationFiles/QCB_TSP_Executive_Summary_vFinal5_Option_1A.pdf.

[2] Al Sayegh, Update 1-Qatar Central Bank Warns Against Trading in Bitcoin, 8 February 2018, https://www.reuters.com/article/qatar-Bitcoin-idUSL8N1PY39W; PYMNTS, Qatar bans Crypto, Jan. 7, 2020, https://www.pymnts.com/cryptocurrency/2020/qatar-bans-crypto/.

[3] Business and Entities are used interchangeably throughout the article. Entity has been used officially by the DLT Guideline, and it means “an organisation regulated by the QCB”.

[4] Soham Panchamiya, et al., Many VASPs, Many Masters: United Arab Emirates – A Complicated Yet Permanent Home For Crypto, The International Journal of Blockchain Law, Volume 9, 17-21 (July 2024), https://assets.ctfassets.net/so75yocayyva/7cKsCL9lyXTNKNlLhPX8Jj/28ae2518ae5855dbb477f7da8d9569a9/IJBL_Volume_IX.pdf.

[5] Qatar Islamic Fintech market to reach QAR 14.6 billion by 2027, https://www.businessstartupqatar.com/news/qatar-islamic-fintech-market-reach-almost-15-billion/#:~:text=Qatar%27s%20Islamic%20Fintech%20market%20is,billion)%20in%202022%2F23.

[6] Communications Regulatory Authority, State of Qatar, Cybercrime Prevention Law No 14 of 2014 (Sep. 15, 2014), https://cra.gov.qa/en/document/cybercrime-prevention-law-no-14-of-2014.

[7] International Labour Organisation, Law No. 13 of 2016 Concerning Privacy and Protection of Personal Data. Adopted on Dec. 29, 2016. https://www.ilo.org/dyn/natlex/natlex4.detail?p_lang=en&p_isn=105417&p_country=QAT&p_classification=01.

[8] Distributed Ledger Technology Guideline, Qatar Central Bank, https://www.qcb.gov.qa/Documents/SuperVision/QCB%20-%20DLT%20Guideline.pdf.

[9] Part A, Article 4, Distributed Ledger Technology Guideline.

[10] Part A, Article 3, Distributed Ledger Technology Guideline.

[11] “Participant” means “a legal Entity or natural person that connects via a Node to use a Distributed Ledger, and the technology behind it, to manage information,” Part A, Article 2(11), Distributed Ledger Technology Guideline.

[12] “Consensus Mechanism” means “set of rules used in a DLT environment to find agreement on the current status of the ledger at a specific point in time,” Part A, Article 2(2), Distributed Ledger Technology Guideline.

[13] “Blockchain” means “a form of DLT where transactions are recorded in blocks of data,” Part A, Article 2(1), Distributed Ledger Technology Guideline.

[14] Part A, Article 4(2), Distributed Ledger Technology Guideline.

[15] Annexure 1, Distributed Ledger Technology Guideline.

[16] Soham Panchamiya, Pankhuri Malhotra, Hena Ayisha, SCAnning VASPs: Guidelines for Regulation of Virtual Assets and Virtual Asset Service Providers, TLP Advisors, Aug. 8, 2024, https://techlawpolicy.com/2024/08/scanning-vasps-guidelines-for-regulation-of-virtual-assets-and-virtual-asset-service-providers/

[17] “Financial Market Infrastructure” means “a systemically important Entity regulated by QCB providing an infrastructure or particular functions e.g., payments, clearing, etc. The FMI may run on existing and legacy IT technologies or any form of DLT,” Part A, Article 2(7), Distributed Ledger Technology Guideline.

[18] “Permissionless Network” means “DLT network that has no restrictions on participation. Any Entity can become a Participant and join the network as a Validator Node and validate transactions.” Part A, Article 2(13), Distributed Ledger Technology Guideline.

[19] Part B, Article 6, Distributed Ledger Technology Guideline.

[20] Part B, Article 7, Distributed Ledger Technology Guideline.

[21] Part B, Article 8, Distributed Ledger Technology Guideline.

[22] Part B, Article 9, Distributed Ledger Technology Guideline.

[23] Part B, Article 10, Distributed Ledger Technology Guideline.

[24] Part C, Article 11, Distributed Ledger Technology Guideline.

[25] The Central Bank of the UAE (CBUAE), together with the Securities and Commodities Authority (SCA), the Dubai Financial Services Authority (DFSA) of the Dubai International Financial Centre, and the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market issued the “Guidelines for Financial Institutions adopting Enabling Technologies,” https://rulebook.centralbank.ae/en/rulebook/guidelines-financial-institutions-adopting-enabling-technologies.

[26] As per Section 1 of Guidelines for Financial Institutions Adopting Enabling Technologies, “Permissionless DLT” means “a distributed ledger which can be read or updated by anyone, such as an open-access blockchain used for some cryptocurrencies.”

© 2024 TLP Advisors