On 7 February 2023, the Virtual Assets Regulatory Authority (“VARA”) published its virtual assets regulations and associated rulebooks (“VA Framework”). The VA Framework takes immediate effect and applies to all firms providing services to or from Dubai (other than firms conducting business in the Dubai International Financial Centre).
Key activities within the scope of the framework include: Advisory Services, Broker-Dealer Services, Custody Services, Exchange Services, Lending and Borrowing Services, Payments and Remittances Services and VA Management and Investment Services.
The VARA Framework is a welcome development and sets out the foundation upon which virtual assets will be governed and regulated in the Emirate. Unlike many other jurisdictions, VARA has established a specific virtual assets regime which is tailored towards the technological and operational aspects of virtual assets and virtual asset service providers (“VASPS”). The VARA Framework should help to further Dubai’s ambitions of being not just a regional, but a global hub, for web3 and blockchain enabled activities.
With the VA Framework coming into immediate effect, it is important that any person intending to carry out activities related to virtual assets in or from Dubai familiarise themselves with these developments and the impact on their business.
VARA is now established as the competent virtual assets authority in Dubai and the VA Framework seeks to regulate virtual assets and VASPS operating within Dubai. The VA Framework follows the issuance of Cabinet Decision No. 111/2022 on the regulation of virtual assets and their service providers, under which it is prohibited for any person to engage in virtual asset activities in the UAE (excluding the ADGM and DIFC) without obtaining approval and a licence from the UAE Securities and Commodities Authority (“SCA”) or a local licensing authority (such as VARA) (see our summary here).
The VA Framework follows from “Law No. (4) of 2022 Regulating Virtual Assets in the Emirate of Dubai”, which established VARA and confirmed that VARA is mandated to regulate virtual assets in Dubai. To date, VARA has published one administrative order covering the regulatory guidelines for marketing, promotions and advertising of virtual assets across Dubai (the “Administrative Order”) (see our summary here). The VA Framework is a significant legislative development and sets out the intention and the scope of the virtual assets regulatory perimeter within Dubai moving forward.
We have summarised the key points of the VA Framework below.
1.Overview of the VA Framework
The VA Framework consists of the Virtual Assets and Related Activities Regulations 2023 (the “VARA Regulations”) and a number of separate rulebooks. The VARA Regulations covers licencing and registration requirements for VASPs, sets out the regulated virtual asset activities (“VA Activities”) and describes the anti-money laundering requirements and market offences (such as insider trading and market manipulation) that are within scope. VASPs who fulfil VARA's licensing requirements under the VARA Regulations will be required to comply with four compulsory rulebooks. There are also seven activity specific rulebooks to cater for risks associated with the provision of different VA Activities and will apply if firms have a licence from VARA to offer the respective activity. Separately, VARA has also established rules for the issuance of all virtual assets, as well as endorsing the need to comply with the Administrative Order.
2. The Territorial Scope
The VARA Regulations confirms that VARA will have jurisdiction across all of Dubai (including the free zones) except for the DIFC. With respect to other onshore regulators, the position for competing licenses will be as follows:
- A VASP who is licensed by VARA should not separately require a licence from the SCA.
- The UAE Central Bank (“UAECB”) will regulate central bank digital currencies (and VARA will not).
- Fiat-backed stablecoins and payment tokens may be regulated by both VARA and the UAECB.
- Any firm holding a crypto commercial licence from a free zone in Dubai may separately require a licence from VARA, if that firm carries on VA Activities.
3. The VARA Regulations
The VARA Regulations confirm that VARA has jurisdiction to issue rules, directives or guidance with respect to VA Activities. Entities which intend to carry on VA Activities in Dubai will be required to obtain a licence from VARA prior to carry on such activity. VA Activities are defined in detail in schedule 1 to the VARA Regulations and include, Advisory Services, Broker-Dealer Services, Custody Services, Exchange Services, Lending and Borrowing Services, Payments and Remittances Services and VA Management and Investment Services.
Depending on the specific VA Activity within scope, there will be a requirement to pay application fees and ongoing fees. VARA has also implemented exemptions to licensing including exemptions relating to certain types of professionals that carry on VA Activities incidental to their businesses and certain exempt entities, such as the UAE government or UAE government linked entities. Note exempt entities are still required to obtain a no objection confirmation from VARA.
Separate to the licensing regime, the VA Regulations also cover separate registration requirements for those entities that do not meet the licensing requirements. This includes registration requirements for proprietary traders of virtual assets where their portfolio of virtual assets reaches USD 250,000,000 in equivalent value during any rolling 30-day period. Voluntary registration is also covered in the VARA Regulations for entities that have a commercial or free zone licence in Dubai to provide technology services relating to or utilising distributed ledger technology to other businesses or proprietary traders with portfolios less than the specified amount.
For entities requiring a licence, the application process involves a tiered approval structure. This includes:
- Provisional permit;
- Preparatory Minimum Viable Product (“MVP”) licence;
- Operating MVP licence; and
- Full Market Product (“FMP”) licence.
Prospective applicants should note that to date, VARA licences have only been issued at stages one (Provisional permit) or two (MVP) and VARA has announced that stage four FMP licences will only be granted once the regulations have been tested within the regime. Any VASP that is issued an MVP licence must also comply with the accompanying MVP Licence Conditions Document. VARA has yet to publish detailed guidance on its four-stage licencing process (such as the application forms to be used, the content requirements of the business plans and expected timeframes).
In addition to the above, the VARA Regulations confirm:
- VASPs who are licensed by VARA must comply with the obligations set out in the VARA Regulations when carrying out any VA Activities, even outside of Dubai. It remains to be seen how this would work in practice given competing legislative frameworks.
- Privacy tokens or other forms of anonymous virtual assets are not permitted within Dubai.
- VASPs must comply with AML/CTF laws.
- VASPs must comply with the Administrative Order.
- Market abuse offences pertaining to insider dealing, unlawful disclosure and market manipulation will apply when conducted in Dubai or having an effect on the price of virtual assets traded in Dubai. This is clearly exterritorial in its application and could capture firms who do not provide services to or from Dubai.
- The fines for breach of the VARA Framework depend on the nature of breach but can vary up to AED 50,000,000 (approx. USD 13,600,000), 15% annual revenue of any VASP or 300% of the profits gained or losses avoided.
4. The Compulsory Rulebooks
Part V of the VARA Regulations confirms that VASPs must also comply with four compulsory rulebooks.
The Company Rulebook is extensive and covers matters pertaining to company structure, corporate governance, fit and proper requirements, outsourcing, ESG, capital and prudential requirements, insolvency and wind down and material changes to business or control. The prescriptive nature and detailed regulatory requirements clearly show that VASPs operating in Dubai will be subject to full suite prudential regulation. One interesting development is that whilst two “responsible individuals” with sufficient seniority must be appointed and approved by VARA to be responsible for the VASP’s compliance with legal and regulatory obligations and must be a resident of the UAE or a holder of a UAE passport, there does not appear to be any other requirements for the board or senior managers to be UAE residents or UAE passport holders.
The Compliance and Risk Management Rulebook on the other hand covers a mix of matters including general principles for regulatory compliance, the implementation of a compliance management system, management, operations and information risk, record keeping and audit and employee management and training. Additionally, the detailed rules regarding client due diligence, client money and client virtual assets are set out in this rulebook. Interestingly, the rulebook sets out the reconciliation and proof of reserves requirements for VASPs that hold client virtual assets.
The Technology and Information Rulebook sets out prescriptive requirements with respect to Technology governance, controls and security, personal data protection and confidential information. This rulebook confirms that security is at the forefront of VARA’s mind, requiring firms to appoint a Chief Information Security Officer who is responsible for ensuring that VASPs comply with various parts of the rulebook. A cybersecurity policy is required and VASPs that use algorithms must have a specific governance framework in place for this. VARA also requires firms to ensure that staff are kept abreast of cybersecurity risks and developments and data protection forms part of the compliance programme.
The final mandatory rulebook, the Market Conduct Rulebook, confirms requirements for VASPs to comply with the Administrative Order. Specific requirements are implemented with respect to client agreements, complaints handling, investor classifications, public disclosures, market transparency trading on own account and general VA standards. Notably, VASPs and their group members based within the Emirate are generally prohibited from trading on their own account with respect to both virtual assets and other assets, in turn eliminating the risks arising with proprietary trading and client conflicts.
5. Activity Specific Rulebooks
There are seven specific rulebooks which cover the VA Activities that are in scope and provide further detail on the requirements for each of the activities. Across all rulebooks, VASPs are generally required to publicly disclose details of any past prosecutions or convictions of any members of their senior management or board, regardless of whether such prosecutions/convictions occurred in the UAE or elsewhere.
The Advisory Services rulebook set out the requirements with respect to policies, procedures, and public disclosures. This rulebook also covers client suitability, staff competence, verification of information and methodology of client investments.
The Broker Dealer Services rulebook has detailed requirements with respect to trade and execution rules. Separately, there are specific rules with respect to margin trading including best execution, dealing as principal, placing and distributing virtual assets and advisory services.
The Custody Services rulebook has specific requirements with respect to the board constitution, board remuneration and board committees of VASPs who provide custody services. Additional information is stipulated with respect to segregation, control, wallet management and general relationship management with clients.
The Exchange Services rulebook sets out various requirements with respect to trading venue rules and details regarding to margin trading. The rulebook is prescriptive on prudential requirements and initial and maintenance margin sums along with what is required in a margin trading agreement.
The Lending and Borrowing Services rulebook is an interesting development and confirms that the VA Activities within scope of VARA are potentially broader and more extensive than those of other UAE regulators. This rulebook sets out specific requirements with respect to reporting, valuation, record keeping, risk management and due diligence.
The VA Management and Investment Services rulebook has prescriptive rules regarding the management and investment of virtual assets. Interestingly, there are specific requirements for marketing that involves the distribution of staking rewards and proof of stake consensus mechanisms.
The details with respect to the Payments and Remittances Services rulebook have not yet been published, although it will be interesting to see how this fits in with the requirements of the UAECB.
6. Issuing Virtual Assets
VARA has published a separate rulebook on issuing virtual assets. The issuance of a virtual asset in Dubai requires prior approval from VARA. However, this does not apply to permitted virtual assets, which are those that are deemed to be non-transferable. Permitted virtual assets are instead required to register the whitepaper of the permitted virtual asset prior to its publication. This rulebook also sets out various requirements with regards to whitepapers, risk disclosures and technology and security requirements. However, virtual assets do not seem to need to be individually and separately approved by VARA for use in Dubai. Separately, VARA has the power to revoke its approval should a virtual asset not be issued within six months after approval has been granted. As such, firms who are yet to develop their tokens should keep this in mind.
Co-authored by Theodora Okocha