Afridi & Angell inBrief
February 2023
The Virtual Assets Regulatory Authority (VARA) is a regulatory body established by the government of Dubai to oversee and regulate the virtual assets industry. In line with its mandate, VARA has issued a number of rule books, in particular the Compliance and Risk Management Rulebook (CRM), which sets out the regulatory framework for virtual asset service providers (VASPs) operating in Dubai. The purpose of this brief is to provide an overview of the CRM, and to analyze its implications for VASPs operating in Dubai.
I. Overview of the Compliance and Risk Management Rulebook
The CRM is a comprehensive regulatory framework that sets out the requirements and standards that VASPs must comply with to operate in Dubai. The CRM covers a wide range of issues, including licensing, customer due diligence, risk management, compliance, and reporting.
A. Licensing Requirements
All VASPs operating in Dubai must be licensed by VARA. To obtain a license from VARA, VASPs must meet a number of requirements, including:
B. Customer Due Diligence
The CRM requires VASPs to implement robust customer due diligence (CDD) procedures to identify and verify the identity of their customers. The rulebook sets out minimum requirements for CDD, which include:
While the virtual asset ecosystem relies on complete anonymity through decentralized platforms and exchanges, private wallets, and other types of products and services that enable or allow for reduced transparency and increased obfuscation of fund flows, the CDD requirements set forth in the CRM require VASPs to ensure that they understand the nature of their relationships with their customers prior to commencing business with them. It will be interesting to see how VASPS in Dubai, in particular VASPS that are not providing exchange or custody services, will comply with the CDD requirements set forth in the CRM.
C. Risk Management
VASPs must have effective risk management policies and procedures in place to identify, assess, and mitigate the risks associated with virtual assets. The CRM sets out the minimum requirements for risk management, which include:
D. Compliance
VASPs must put in place and maintain effective compliance policies and procedures to ensure that they comply with all applicable laws, regulations, and standards. The CRM sets out certain minimum requirements, which include:
E. Reporting
The CRM requires VASPs to provide regular reports to VARA on their activities and compliance. The CRM sets out the requirements for reporting, which include:
We consider that this is a positive step in light of the myriad of scandals caused by VASPs elsewhere and VARA’s initiative in advancing a comprehensive and sound regulatory and compliance framework is welcome.
Implications for VASPs
The CRM has significant implications for VASPs operating in Dubai. VASPs must comply with the CRM’s requirements to obtain and maintain their license to operate in Dubai.
A. Increased Compliance Costs
Complying with the CRM will require VASPs to incur significant compliance costs. VASPs must invest in robust compliance, risk management, and governance systems, as well as in training and educating their staff on compliance matters. This may require VASPs to hire additional staff, implement new systems and procedures, and incur other costs.
B. Increased Regulatory Scrutiny
VASPs operating in Dubai will be subject to increased regulatory scrutiny and oversight as a result of the CRM. VARA will monitor VASPs to ensure that they comply with the CRM’s requirements and may conduct regular inspections and audits to assess compliance.
C. Improved Customer Protection
The aim of the CRM is to improve customer protection by requiring VASPs to implement robust customer due diligence procedures and other risk management measures. This will help to prevent money laundering, terrorist financing, and other financial crimes, which will enhance the integrity of the virtual assets industry and protect customers from financial harm.
D. Increased Confidence in the Virtual Assets Industry
The CRM further aims to enhance the credibility and reputation of the virtual assets industry in Dubai. By setting clear regulatory standards and requirements, the CRM will help to increase public confidence in the industry and attract more investors and businesses to Dubai’s virtual assets market.
II. Conclusion
The CRM provides a comprehensive regulatory framework that sets out the requirements and standards that VASPs must comply with to operate in Dubai. The CRM aims to improve customer protection, enhance the integrity of the virtual assets industry, and increase public confidence in the industry. However, compliance with the CRM will require VASPs to incur significant compliance costs. VASPs should carefully review the CRMs requirements and ensure that they have robust compliance, risk management, and governance systems in place to meet these requirements.■
Download inBrief as PDF