UAE: SCA Issues New Guidelines on the Regulation of Virtual Assets and VASPs

UAE

Introduction

The Securities and Commodities Authority (“SCA”) has published the long awaited guidelines (the “Guidelines”) that supplement its existing legislative framework for virtual assets in the UAE, in particular Cabinet Resolution No. 111 of 2022, SCA Decision 13/RM of 2021 (the “SCA Rulebook”) and SCA Decision No.26 (Chairman) of 2023 respectively.

The Guidelines apply to all Virtual Assets and Virtual Assets Services Providers (“VASPs”) in the UAE, with the exception of the financial freezones of the DIFC and ADGM.

The Guidelines are comprehensive, spanning 67 pages. We have summarised the key takeaways in this article.

1. The Virtual Assets within scope of SCA regulation

The SCA has confirmed that there are two different types of “Virtual Asset”, with different regulators and regulatory frameworks applying to each:

  • Virtual Assets for investment purposes, which remain under the purview of the SCA; and
  • Virtual Assets used for payment purposes, which fall under the ambit of the UAE Central Bank (unless exclusively approved by the Central Bank for investment purposes on a virtual assets platform).

Furthermore, certain assets will not be caught under the remit of the SCA. These include:

  • digital securities or digital commodity derivatives contracts;
  • service tokens and non-fungible tokens that do not represent virtual assets for investment purposes;
  • developing, deploying or using software to mine, create or extract virtual assets;
  • loyalty programs;
  • virtual assets for payment purposes; and
  • virtual assets evaluated by the SCA.

 2. The SCA’s view on risks and mitigation

The Guidelines identify several key risk areas and offer solutions on how to mitigate them. This includes:

RiskMitigation for SCA licensed entities
AML/CTF/TaxComply with Module 5 of the SCA Rulebook, as well as reporting obligations in the Foreign Account Tax Compliance Act and the Common Reporting Standard.
Consumer ProtectionDisclose, monitor and continuously update consumer protection risks and preventative policies.
Technology GovernanceEnsure systems and controls are in place regarding virtual asset wallets, private keys, source and destination of virtual assets funds by applying the ‘travel rule’, security procedures and measures including for testing and restoration, and risk management. 
Virtual Asset Platform ActivitiesPlatform operators should provide market monitoring, fair and orderly trading, settlement operations, recording transactions, rulebooks, transparency and disclosure mechanisms, and platform-like operational systems and controls.
Custody of Virtual AssetsComply with Article 12 of Chapter 5 of Module 3 (Conduct of Business) of the SCA Rulebook, as well as Chapter 3 in respect of client funds. Conduct periodic review, compliance and reconciliation procedures and prepare reports and internal controls to protect client funds.

 3. What governance and control measures apply?

The Guidelines dictate that in addition to the general licensing requirements under the SCA Rulebook, VASPs will be required to ensure that they undergo routine systems maintenance and development, have robust security procedures and measures in place, ensure that cryptographic keys and wallets are stored safely and that all held assets have sufficient password protection and encryption, as well as adequate personnel management and decision making processes, and publicly available procedures outlining their process in the event of an unplanned outage.

Other obligations outside the SCA remit include awareness of the UAE’s Data Protection Law, which requires controls for processing personal data, controls for cross-border transfers or personal data, and procedures for reporting personal data breaches. Personal data subjects also have various rights which must be protected, including to request correction, destruction or notification of data, and to obtain free of charge any of their personal data which is processed by a VASP.  VASPs will also need to comply with tax reporting requirements that apply in the UAE.

Interestingly the SCA has noted that insurance is difficult to obtain and does not mandate that VASPs obtain insurance in relation to their activities. However, the SCA expects VASPs to ensure that their business operations are properly structured and to implement robust mechanisms to mitigate areas of actual and potential risk.

4. Obligations that apply to VASPs?

The Guidelines identify areas in which VASPs must continue to demonstrate effective compliance even after licensing. These vary from activity to activity but include a general theme of  operational efficiency and flexibility, integrity, transparency and professional behaviour, protecting and preserving virtual assets, protecting clients, discipline and commitment, and organising access to services.

5. Custody of virtual assets

There is also a clear emphasis on the provision of the services of safe custody of Virtual Assets by firms. Attention is brought to ensuring appropriate due diligence is taken when evaluating accepted Virtual Assets, such as taking into account the situation, volume, and fluctuation of a Virtual Asset, maintaining transparency for technology and protocols, ensuring the efficiency and appropriateness of any technology used, and examining the risks associated with using the Virtual Assets and how to mitigate those risks.

For safe custody of Virtual Assets, the Guidelines recognise three types of arrangements:

  • Custodial wallet: the licensed body fully manages the client’s assets, including providing solutions.
  • Outsourced custodial wallet: the licensed body outsources help from external entities for operations.
  • Non- Custodial wallet: the licensed body has no control over the Virtual Assets, and the client has independent control over the assets (e.g. used for hardware, mobile, and desktop wallets).

The Guidelines also include sections for other Virtual Asset activities, including obligations of brokers/dealers, obligations of financial consultants, and obligations of portfolio managers.

6. Requirements in relation to AML & CTF

The Guidelines provide a detailed summary of the various AML & CTF laws and regulations which apply to Virtual Assets, which are those at a federal level. This includes a focus on key considerations for AML & CTF including: responsibilities of VASPs, adopting a risk-based approach, using business risk assessments, using client risk assessments and client due diligence, implementing governance, systems and controls, monitoring obligations for reporting suspicious activities, providing appropriate training to staff, and keeping adequate records.

7. Submitting a Licensing Application

Finally, the Guidelines summarise the process for submitting an application, which is broken down to include: (i) due diligence and discussions with the SCA, (ii) submitting an official application, (iii) receiving initial approval, (iv) receiving a license, and finally (v) paying license and renewal fees and commissions.

Comment

The Guidelines provide a detailed breakdown of the obligations of VASPs under the SCA’s virtual assets framework, and will be a useful tool for entities seeking to obtain and maintain SCA licensing in respect of Virtual Assets, especially in respect of ensuring that their internal systems and governance processes are sufficient to meet the SCA’s licensing criteria. With the SCA now clarifying its remit, and the practical obligations on VASPs within its jurisdiction, it will be interesting to see whether firms will now start applying for SCA licenses and whether the SCA will be an attractive regulator, as VARA has become.

 

Co-authored by Rupert Nodder