VARA Compliance and Risk Management Rulebook

The Virtual Assets Regulatory Authority (VARA) is a regulatory body established by the government of Dubai to oversee and regulate the virtual assets industry. In line with its mandate, VARA has issued a number of rule books, in particular the Compliance and Risk Management Rulebook (CRM), which sets out the regulatory framework for virtual asset service providers (VASPs) operating in Dubai. The purpose of this brief is to provide an overview of the CRM, and to analyze its implications for VASPs operating in Dubai.


I. Overview of the Compliance and Risk Management Rulebook


The CRM is a comprehensive regulatory framework that sets out the requirements and standards that VASPs must comply with to operate in Dubai. The CRM covers a wide range of issues, including licensing, customer due diligence, risk management, compliance, and reporting.


A. Licensing Requirements


All VASPs operating in Dubai must be licensed by VARA. To obtain a license from VARA, VASPs must meet a number of requirements, including:


  • demonstrating that they have adequate financial resources to operate their business;
  • implementing robust customer due diligence procedures;
  • having effective policies and procedures for managing risks associated with virtual assets;
  • having systems in place to detect and prevent money laundering and terrorist financing;
  • having effective governance and internal controls; and
  • ensuring that their senior management and staff are fit and proper to carry out their roles.


B. Customer Due Diligence


The CRM requires VASPs to implement robust customer due diligence (CDD) procedures to identify and verify the identity of their customers. The rulebook sets out minimum requirements for CDD, which include:


  • obtaining and verifying the customer’s identity;
  • obtaining information about the purpose and nature of the business relationship;
  • conducting ongoing monitoring of the customer’s transactions and activities; and
  • having systems in place to detect and report suspicious transactions either linked to money laundering or financing of terrorism.


While the virtual asset ecosystem relies on complete anonymity through decentralized platforms and exchanges, private wallets, and other types of products and services that enable or allow for reduced transparency and increased obfuscation of fund flows, the CDD requirements set forth in the CRM require VASPs to ensure that they understand the nature of their relationships with their customers prior to commencing business with them. It will be interesting to see how VASPs in Dubai, in particular VASPs that are not providing exchange or custody services, will comply with the CDD requirements set forth in the CRM.


C. Risk Management


VASPs must have effective risk management policies and procedures in place to identify, assess, and mitigate the risks associated with virtual assets. The CRM sets out the minimum requirements for risk management, which include:


  • conducting a risk assessment of the VASPs’ business and customers;
  • having policies and procedures for managing the risks identified in the risk assessment;
  • having effective systems in place to monitor and manage the risks associated with virtual assets; and
  • regularly reviewing and updating the VASPs’ risk management policies and procedures.


D. Compliance


VASPs must put in place and maintain effective compliance policies and procedures to ensure that they comply with all applicable laws, regulations, and standards. The CRM sets out certain minimum requirements, which include:


  • having a compliance officer who is responsible for overseeing the VASPs’ compliance program;
  • having effective policies and procedures for monitoring and reporting on compliance issues;
  • providing regular training to staff on compliance matters; and
  • conducting regular internal audits of the VASPs’ compliance programs.


E. Reporting


The CRM requires VASPs to provide regular reports to VARA on their activities and compliance. The CRM sets out the requirements for reporting, which include:


  • providing regular financial statements and other reports to VARA;
  • reporting any suspicious transactions or activities to VARA;
  • providing regular updates on the VASPs’ risk management and compliance program; and
  • providing any other information or reports that VARA may require.


We consider that this is a positive step in light of the myriad of scandals caused by VASPs elsewhere, and VARA’s initiative in advancing a comprehensive and sound regulatory and compliance framework is welcome.


Implications for VASPs


The CRM has significant implications for VASPs operating in Dubai. VASPs must comply with the CRM’s requirements to obtain and maintain their license to operate in Dubai.


A. Increased Compliance Costs


Complying with the CRM will require VASPs to incur significant compliance costs. VASPs must invest in robust compliance, risk management, and governance systems, as well as in training and educating their staff on compliance matters. This may require VASPs to hire additional staff, implement new systems and procedures, and incur other costs.


B. Increased Regulatory Scrutiny


VASPs operating in Dubai will be subject to increased regulatory scrutiny and oversight as a result of the CRM. VARA will monitor VASPs to ensure that they comply with the CRM’s requirements and may conduct regular inspections and audits to assess compliance.


C. Improved Customer Protection


The aim of the CRM is to improve customer protection by requiring VASPs to implement robust customer due diligence procedures and other risk management measures. This will help to prevent money laundering, terrorist financing, and other financial crimes, which will enhance the integrity of the virtual assets industry and protect customers from financial harm.


D. Increased Confidence in the Virtual Assets Industry


The CRM further aims to enhance the credibility and reputation of the virtual assets industry in Dubai. By setting clear regulatory standards and requirements, the CRM will help to increase public confidence in the industry and attract more investors and businesses to Dubai’s virtual assets market.


II. Conclusion


The CRM provides a comprehensive regulatory framework that sets out the requirements and standards that VASPs must comply with to operate in Dubai. The CRM aims to improve customer protection, enhance the integrity of the virtual assets industry, and increase public confidence in the industry. However, compliance with the CRM will require VASPs to incur significant compliance costs. VASPs should carefully review the CRM’s requirements and ensure that they have robust compliance, risk management, and governance systems in place to meet these requirements. ■

VARA issues full market product regulations

The Virtual Assets Regulatory Authority (VARA), established in March 2022 to regulate all activities relating to virtual assets in Dubai, has issued its much-awaited regulatory framework. Until now, VARA had only been issuing MVP (minimal viable product) licenses on a select basis. In addition, VARA had, in August 2022, issued its Marketing Regulations governing the marketing activities relating to virtual assets in Dubai.


On 7 February 2023, VARA issued its full market product regulations and introduced the following regulations applicable to all virtual asset service providers:


1 – Virtual Assets and Related Activities Regulations 2023

2 – Company Rulebook

3 – Compliance & Risk Management Rulebook

4 – Technology & Information Rulebook

5 – Market Conduct Rulebook


In addition, VARA has introduced several activity-specific Rulebooks to cater for risks associated with the provision of each virtual asset activity. These will apply depending on the category of license obtained by the relevant entity:


1 – Advisory Services Rulebook

2 – Broker-Dealer Services Rulebook

3 – Custody Services Rulebook

4 – Exchange Services Rulebook

5 – Lending & Borrowing Services Rulebook

6 – Payments & Remittances Services Rulebook

7 – Management & Investment Services Rulebook


VARA has also issued a VA Issuance Rulebook which provides for registration requirements for issuing permitted virtual assets and approval requirements for issue of any other virtual assets.


Pursuant to the new regulations, all entities seeking a license from VARA have to adhere to the licensing process as prescribed by VARA from time to time, which shall include compliance with the VARA regulations. The licensing procedure and application forms are awaited. ■

Federal cabinet decision concerning the regulation of Virtual Assets issued

The UAE Federal Cabinet has issued Cabinet Decision 111 of 2022, concerning the regulation of virtual assets (the Virtual Assets Decision). The Virtual Assets Decision was issued on 12 December 2022 and will come into force 30 days following its publication in the Official Gazette.


The Virtual Assets Decision aims to regulate virtual assets and virtual asset businesses at a Federal level in the UAE. It is anticipated that the Virtual Assets Decision and any implementing regulations issued pursuant to it will operate together with Emirate-level regulations (such as those issued by the Virtual Assets Regulatory Authority in the Emirate of Dubai).


The Virtual Assets Decision requires (this is not an exhaustive list) that businesses within its scope:


  • implement measures to safeguard data in accordance with current global cybersecurity standards and technological best practices;
  • have sufficient capital and satisfy any further or specific requirements imposed by law (including any prescribed by the Emirates Securities and Commodities Authority);
  • provide sufficient information involving the risks concerning investments or dealings in virtual assets in a clear, fair and non-misleading manner;
  • comply with Federal Decree-Law 20 of 2018, as well as the guidelines and recommendations issued by the Financial Action Task Force; and
  • notify the concerned authorities in the event of a security risk, security breach, or any activity that falls within the scope of electronic crimes.


The introduction of federal legislation on the regulation of virtual asset businesses is a welcome development and should go some way in establishing a common standard for the regulation of such businesses across the United Arab Emirates. As with all such legislation, it remains to be seen how this legislation will be enforced and applied in practice. ■

VARA announces rules on marketing of crypto currencies and other virtual assets

The issuance of Dubai Law No. 4 of 2022 regulating Virtual Assets in Dubai (VA Law) in March 2022 created a lot of buzz and further strengthened Dubai’s position as a global hub for digital assets. The VA Law also established the Dubai Virtual Assets Regulatory Authority (VARA), which was tasked with creating a legal framework for the virtual assets sector.


In its first administrative order (Administrative Order 1/2022 dated 18 August 2022), VARA has issued regulations relating to the marketing, advertising and promotion of virtual assets (Marketing Regulations).


Who does it apply to?


  • All entities that facilitate marketing in virtual assets and cater to resident customers – domestic or foreign, whether or not licensed by VARA.


  • Any entity that is not authorized by VARA but wishes to conduct any form of marketing must seek authorization from VARA or provide a valid permit from the competent authority outside the UAE.


  • Marketing by an entity: (i) not conducting virtual assets activity in Dubai; (ii) that originates outside the UAE; and (iii) is not targeting any UAE residents – is not required to comply with Marketing Regulations. However, VARA will have authority to act if it views that such marketing poses a risk to its reputation or UAE or Dubai’s reputation.


What do you mean by marketing activities?

Considering the importance of social media and other new-age media in the virtual assets sector, the Marketing Regulations have provided a very wide definition of the term marketing. Marketing, promotion or advertising includes any direct or indirect:


a. communications, promotional-influenced or sponsored material – across any traditional and new-age multi-media channels;

b. self-generated or third-party published social media posts, non-written communications, banners or billboards, videos, livestreams;

c. activities held in Dubai to encourage market participation; or

d. advertisements (paid or non-paid) and all forms of publicity-driving content.


Guidelines for marketing activities

  • All marketing activities must:


a. be fair, clear, not misleading, and clearly identifiable as marketing or promotional in nature;

b. not advocate that investments are safe or low risk or imply guaranteed future return and include a prominent disclaimer that the value of virtual assets is variable and highly volatile;

c. not imply that past performance of investments is an effective guide for, or guarantee of a future return or imply an urgency to buy;

d. not advocate the purchase of virtual assets using credit or other interest accruing facilities; and

e. ensure that any targeted marketing is undertaken responsibly by suitably licensed entities.


  • If any entity posts or presents content on any physical or virtual media platform (including social media, OTT etc.) in relation to virtual assets, in exchange for any remuneration (which may include issue of virtual assets) or value in kind, such content should clearly be marked as paid content.


  • Further, the issuance of any kind of virtual assets as part of marketing is classified as a virtual asset activity, and will be subject to licensing approval by VARA.


  • Any entity undertaking marketing must retain a record of relevant content for two years and provide all such information for inspection on request.


Consequences for breach

VARA has the power to issue a cease-and-desist warning or to suspend the activity. If VARA requires an event to be suspended or cancelled, the entity must state non-compliance with the Marketing Regulations as the reasons for suspension or cancellation.


The consequences for any non-compliance with the Marketing Regulations are set out under VARA Administrative Order No. 02/2022 and these include suspension of marketing activities, revocation of licenses and fines ranging from AED 50,000 to AED 200,000, with such fine being doubled if the same violation is repeated within one year. ■




For more detailed information, please do not hesitate to contact Shahram Safai at


ADGM’s Virtual Asset Regulations Published

The Financial Services Regulatory Authority (the FSRA) of the Abu Dhabi Global Market (the ADGM) has published its “Guiding Principles for the Financial Services Regulatory Authority’s Approach to Virtual Asset Regulation and Supervision” (the Guidance). This follows the publication of the FSRA’s February 2020 note concerning the regulation of virtual asset activities in the ADGM.


The Guidance is expressed as indicative of the FSRA’s approach to the regulation of virtual assets within the ADGM. The following principles are identified:


  • Principle 1: a robust and transparent risk-based regulatory framework
  • Principle 2: high standards of authorisation
  • Principle 3: preventing money laundering and other financial crime
  • Principle 4: risk-sensitive supervision
  • Principle 5: commitment to enforce on regulatory breaches
  • Principle 6: international cooperation


While all six principles are in line with the general direction of regulatory oversight, of note is Principle 3 concerning the approach of the FSRA towards money laundering risks present in virtual asset activities. The Guidance stipulates that the “FSRA requires those firms to avoid VA transactions where a counterparty’s identity is unknown at any stage in the process.” While this is unsurprising given the UAE’s stated desire to ensure a very high standard of compliance with anti-money laundering legislation, it will be interesting to see how the in-built anonymity of many virtual asset transactions will interact with this requirement.


The FSRA is to be commended on taking a proactive approach to the regulation and licensing of virtual asset businesses and the Guidance will go some way to further clarify the approach of the FSRA towards such businesses. Given the stated policy of the UAE government to encourage the development of the virtual asset economy, further rulemaking and regulatory guidance is expected. It remains to be seen how the other regulators involved in the oversight of virtual asset businesses (for example, the Dubai Virtual Asset Regulatory Authority) will approach these and other issues concerning virtual assets. ■