Expert Insights from: Punit Thakker, Founding team at PayPal, Checkout.com, and PayTabs. 20 years of experience in Fintech

Punit Thakker has spent over 20 years at the intersection of payments, licensing, and financial infrastructure. As a veteran of founding teams at PayPal, Checkout.com, and PayTabs, he has navigated the regulatory landscape of the GCC from the inside. Here, he explains why the sandbox isn’t a shortcut; it’s a smarter way to build.

The Problem with Going All-In from Day One

When a FinTech startup enters the GCC market, the licensing question isn’t just paperwork; it’s a strategic bet. Get it wrong, and you’re looking at capital locked in a compliance structure that doesn’t fit your product. Get it right, and you have a launchpad.

The traditional route is a full-fledged license. But as Punit Thakker explains, that path comes with a steep upfront cost and a long runway before you can test anything in the real world.

“The cost of a license, just the share capital, could be two million dollars. How would you try a product and test it in the market without that runway?”

This is the core tension that regulatory sandboxes were designed to resolve. Rather than forcing a startup to commit fully before it has proven its model, a sandbox grants a limited, time-bound license, what Punit calls a ‘mini-license’, that allows testing under lighter compliance conditions and a defined customer cap. The central bank of the UAE, Bahrain’s CBB, Saudi Arabia’s SAMA, and similar GCC regulators all offer variations of this structure.

In Dubai’s DIFC, for example, the equivalent is an Innovation Testing License (ITL) issued by the DFSA. The ITL defines a ceiling, say, 100 customers in phase one, 500 in phase two, 1,000 in phase three, and graduates the company toward full licensing as it satisfies each set of requirements.

Expert Voices · Infoquest

GCC FinTech License Types — And the Companies That Used Them

The GCC licensing landscape isn’t one-size-fits-all. Different products require different structures — and many of today’s leading FinTechs started with far lighter authorizations than they hold now.

💳
Buy Now Pay Later / Short-Term Financing
Sandbox → Short-Term Financing License
Operators collect merchant proceeds and pay installments to customers. When BNPL emerged, no license category existed — regulators created one. Transaction caps start small and expand as trust is established (e.g. 500 → 3,000 AED for Tabby).
Companies that took this path
Tabby Tamara Cashew
👜
Digital Wallets & Payment Accounts
Money Service Business (MSB) License
MSB covers four activities: card issuance (prepaid), money/payment transmission, virtual IBANs (payment accounts), and stored value. All require a client money account held at a licensed bank — the startup is a digital layer on top.
Companies that took this path
Mamo Pay Zena
🔗
Account-to-Account & Open Banking
AISP / PISP Framework
AISPs (Account Information Service Providers) pull consented account data for credit scoring and analytics. PISPs (Payment Initiation Service Providers) initiate real-time payments directly between accounts. Built on national rails: SAR (KSA), ANI (UAE), Benefit (Bahrain).
Companies that took this path
Lean Technologies
🏢
Corporate Cards & Expense Management
Piggyback / SVF / BIN Sponsorship
Many corporate card platforms launch by piggybacking on a bank’s existing BIN or Stored Value Facility (SVF) license. This avoids the capital requirement of a standalone license and allows fast go-to-market while the product proves itself.
Companies that took this path
Peel Alan Pluto
💡
The Strategic Principle: Start Narrow, Then Expand
Punit Thakker’s advice to founders: only take the license you need today. Getting over-licensed too early ties up capital, adds compliance burden, and limits your ability to pivot. Pick one country, prove the product, replicate. The GCC’s sandbox framework exists precisely to make this possible — and the evidence is in the companies that used it.
INFOQUEST · Expert Voices
Based on interview with Punit Thakker · iqnetwork.co

Sandboxes as Permission to Pivot

One of the most underappreciated aspects of a sandbox is what it allows companies to do that a full license does not: make mistakes without paying fines.

“Sandbox is designed to make mistakes and learn from your mistakes, and if you make mistakes, you have to rectify them before you become a mature licensed holder.”

For early-stage FinTechs, this is operationally significant. A startup applying for a sandbox license can typically get approved within two to three months. The same process for a full-fledged license takes closer to a year. That nine-month gap is the difference between a product that pivots in time and one that runs out of runway trying to prove a model that doesn’t work.

The flexibility also extends to the product itself. Because the sandbox creates a structured but adaptive environment, companies can test their infrastructure, refine their policies, and adjust their governance, all with the regulatory body’s awareness and input. Punit describes it like a product trial: “It’s a three-month subscription. You only pay after you’ve tested it.”

How Tabby Used Licensing to Build Trust at Scale

When Tabby entered the market as a Buy Now Pay Later platform, no license category mapped neatly onto what it was doing. The company was essentially providing short-term financing on behalf of customers, collecting merchant proceeds and paying them out on installment terms, but the regulatory framework hadn’t yet caught up.

Rather than operating in a gray area indefinitely, the regulatory response was to create a new license category: the short-term financing license. Tabby operated within this framework, and the impact was measurable. Its initial transaction cap was 500 dirhams. As it demonstrated compliance and scale, the cap expanded to 3,000 dirhams.

The regulatory stamp did more than increase limits. It built customer trust. As Punit frames it: “When you get into licensed activity with the central bank, it not only gives you safeguarding measures but it also protects the customers, they know they’re paying a company that isn’t going to disappear.”

Tabby is one of four categories of GCC FinTechs that Punit points to as sandbox success stories. The others include digital wallet operators like Mamo Pay and Zena, account-to-account open banking players like Lean Technologies (operating under the AISP and PISP framework), and corporate card and expense management companies like Peel, Alan, and Pluto, many of which started with sandbox-level MSB (Money Service Business) licenses before expanding their activities and jurisdictions.

Saudi Arabia’s Deliberate Ecosystem Play

Not all GCC markets approach the sandbox identically. Saudi Arabia has taken a particularly proactive stance through Fintech Saudi, a dedicated initiative under SAMA that has cultivated a licensed FinTech ecosystem now approaching 300 companies, with ambitions to reach 1,000.

Part of what makes Saudi’s approach distinctive is how established banks are being drawn into the ecosystem as anchor partners rather than competitors. Al Rajhi Bank, for instance, has developed multiple FinTech subsidiaries, including Neo Leap, MAN Finance, and Ajada. These subsidiaries don’t build all their technology in-house; they work with FinTech companies and can effectively act as a “mini sandbox” themselves, helping startups obtain NOCs from the central bank or Fintech Saudi in a fraction of the usual time.

“If you go without Neo Leap in Saudi Arabia, you might wait two years,” Punit notes. “With Neo Leap, you can get started in two months. And the bank becomes your first customer.”

This model is also appearing in the UAE and other GCC markets, where banks are spinning off fintech subsidiaries and creating structured onboarding pathways for startups, compressing time-to-market, reducing compliance friction, and providing a ready customer base from day one.

The Sandbox-to-Full-License Pathway

The sandbox isn’t meant to be a permanent state. Its value lies in the pathway it creates, from concept to pilot to compliant, scalable operation.

Punit’s advice to FinTech founders considering the licensing question is precise: start with the sandbox, operate in one country, and only expand activities as the product proves itself. “Focus on licenses once you’ve pivoted your product one step, then get more activities and categories, but start something.”

The broader GCC regulatory infrastructure supports this approach. Saudi Arabia has SAR (its account-to-account framework), the UAE has ANI and the Open Finance Framework, Bahrain has Benefit, Oman has Omanet, and Kuwait has Knet. Each of these provides a compliant rail on which FinTechs can build, and sandbox licenses are the mechanism through which new entrants gain access to those rails without full capital commitment upfront. For international companies eyeing the GCC, the message is similarly pragmatic. The region has significant purchasing power, a central banking system open to innovation, and regulatory frameworks designed to bring new entrants in carefully rather than shut them out. The sandbox is the front door

Expert Voices · Infoquest

The GCC FinTech Sandbox Pathway

From concept to compliant operation — how startups move from sandbox license to full-scale market presence.

2–3mo
Sandbox approval timeline
~12mo
Full license approval timeline
$2M
Typical share capital for a full license
300+
Licensed FinTechs under Fintech Saudi
1
Application Phase · 2–3 months
Apply for a Sandbox / Innovation Testing License
Submit to the relevant GCC regulator — SAMA (Saudi Arabia), DFSA via DIFC (UAE), CBB (Bahrain), or CBO (Oman). The sandbox is a sub-license of the full-fledged license, with lighter compliance requirements and reduced capital thresholds. The DIFC version is called an Innovation Testing License (ITL).
SAMA · Saudi Arabia DFSA ITL · UAE CBB · Bahrain CBO · Oman
2
Phase 1 — Pilot · Capped at ~100 customers
Test the product within defined thresholds
The regulator defines a customer cap — for example, 100 customers with a regulatory capital of ~$200,000. The company builds its infrastructure, policies, and governance in a live environment. It can operate legally but at limited scale. This is also the window to pivot the product model without penalty.
Phased customer cap Lighter compliance Pivot-friendly
3
Phase 2–3 — Scale · 500 → 1,000+ customers
Expand in stages, satisfy requirements at each gate
As the company demonstrates regulatory compliance, governance maturity, and operational stability, it advances through sandbox phases — each allowing a larger customer base. Client money must be held in a licensed bank’s pool account throughout. The sandbox phase builds the track record needed for full licensing.
Client money account Progressive thresholds Bank partnership
Full License — Unlimited Scale
Granted full-fledged license — then replicate to new countries
Once all sandbox requirements are met, the regulator issues a full-fledged license. The company can now operate at scale, take on full compliance obligations, and begin expanding into adjacent GCC markets. The playbook: launch in one country, execute well, then replicate.
Full license issued Multi-country expansion Established trust signal
“Sandbox is designed to make mistakes and learn from them — and if you make mistakes, you have to rectify them before you become a matured licensed holder.”
Punit Thakker, FinTech Expert — via Infoquest Expert Voices
INFOQUEST · Expert Voices
Based on interview with Punit Thakker · iqnetwork.co

Need Expert Insights?

Connect with Brian or similar experts
DFSA
FinTech
GCC
Licensing
Open Banking
Regulatory Sandbox
SAMA