The Virtual Assets Regulatory Authority (VARA) is a regulatory body established by the government of Dubai to oversee and regulate the virtual assets industry. In line with its mandate, VARA has issued a number of rule books, in particular the Compliance and Risk Management Rulebook (CRM), which sets out the regulatory framework for virtual asset service providers (VASPs) operating in Dubai. The purpose of this brief is to provide an overview of the CRM, and to analyze its implications for VASPs operating in Dubai.
I. Overview of the Compliance and Risk Management Rulebook
The CRM is a comprehensive regulatory framework that sets out the requirements and standards that VASPs must comply with to operate in Dubai. The CRM covers a wide range of issues, including licensing, customer due diligence, risk management, compliance, and reporting.
A. Licensing Requirements
All VASPs operating in Dubai must be licensed by VARA. To obtain a license from VARA, VASPs must meet a number of requirements, including:
- demonstrating that they have adequate financial resources to operate their business;
- implementing robust customer due diligence procedures;
- having effective policies and procedures for managing risks associated with virtual assets;
- having systems in place to detect and prevent money laundering and terrorist financing;
- having effective governance and internal controls; and
- ensuring that their senior management and staff are fit and proper to carry out their roles.
B. Customer Due Diligence
The CRM requires VASPs to implement robust customer due diligence (CDD) procedures to identify and verify the identity of their customers. The rulebook sets out minimum requirements for CDD, which include:
- obtaining and verifying the customer’s identity;
- obtaining information about the purpose and nature of the business relationship;
- conducting ongoing monitoring of the customer’s transactions and activities; and
- having systems in place to detect and report suspicious transactions either linked to money laundering or financing of terrorism.
While the virtual asset ecosystem relies on complete anonymity through decentralized platforms and exchanges, private wallets, and other types of products and services that enable or allow for reduced transparency and increased obfuscation of fund flows, the CDD requirements set forth in the CRM require VASPs to ensure that they understand the nature of their relationships with their customers prior to commencing business with them. It will be interesting to see how VASPS in Dubai, in particular VASPS that are not providing exchange or custody services, will comply with the CDD requirements set forth in the CRM.
C. Risk Management
VASPs must have effective risk management policies and procedures in place to identify, assess, and mitigate the risks associated with virtual assets. The CRM sets out the minimum requirements for risk management, which include:
- conducting a risk assessment of the VASPs’ business and customers;
- having policies and procedures for managing the risks identified in the risk assessment;
- having effective systems in place to monitor and manage the risks associated with virtual assets; and
- regularly review and update the VASPs’ risk management policies and procedures.
VASPs must put in place and maintain effective compliance policies and procedures to ensure that they comply with all applicable laws, regulations, and standards. The CRM sets out certain minimum requirements, which include:
- having a compliance officer who is responsible for overseeing the VASPs’ compliance program;
- having effective policies and procedures for monitoring and reporting on compliance issues;
- providing regular training to staff on compliance matters; and
- conducting regular internal audits of the VASPs’ compliance programs.
The CRM requires VASPs to provide regular reports to VARA on their activities and compliance. The CRM sets out the requirements for reporting, which include:
- providing regular financial statements and other reports to VARA;
- reporting any suspicious transactions or activities to VARA;
- providing regular updates on the VASPs’ risk management and compliance program; and
- providing any other information or reports that VARA may require.
We consider that this is a positive step in light of the myriad of scandals caused by VASPs elsewhere and VARA’s initiative in advancing a comprehensive and sound regulatory and compliance framework is welcome.
Implications for VASPs
The CRM has significant implications for VASPs operating in Dubai. VASPs must comply with the CRM’s requirements to obtain and maintain their license to operate in Dubai.
A. Increased Compliance Costs
Complying with the CRM will require VASPs to incur significant compliance costs. VASPs must invest in robust compliance, risk management, and governance systems, as well as in training and educating their staff on compliance matters. This may require VASPs to hire additional staff, implement new systems and procedures, and incur other costs.
B. Increased Regulatory Scrutiny
VASPs operating in Dubai will be subject to increased regulatory scrutiny and oversight as a result of the CRM. VARA will monitor VASPs to ensure that they comply with the CRM’s requirements and may conduct regular inspections and audits to assess compliance.
C. Improved Customer Protection
The aim of the CRM is to improve customer protection by requiring VASPs to implement robust customer due diligence procedures and other risk management measures. This will help to prevent money laundering, terrorist financing, and other financial crimes, which will enhance the integrity of the virtual assets industry and protect customers from financial harm.
D. Increased Confidence in the Virtual Assets Industry
The CRM further aims to enhance the credibility and reputation of the virtual assets industry in Dubai. By setting clear regulatory standards and requirements, the CRM will help to increase public confidence in the industry and attract more investors and businesses to Dubai’s virtual assets market.
The CRM provides a comprehensive regulatory framework that sets out the requirements and standards that VASPs must comply with to operate in Dubai. The CRM aims to improve customer protection, enhance the integrity of the virtual assets industry, and increase public confidence in the industry. However, compliance with the CRM will require VASPs to incur significant compliance costs. VASPs should carefully review the CRMs requirements and ensure that they have robust compliance, risk management, and governance systems in place to meet these requirements.■