Dubai: Decrypting the new DFSA Crypto Regime


Token Taxonomy

In CP143, the DFSA defined a Token as:

A Token is a cryptographically secured digital representation of value, rights or obligations, which may be issued, transferred and stored electronically, using Distributed Ledger Technology or other similar technology.”

This broad definition of a Token was adopted into the Glossary Module of the DFSA Rulebook (“Rulebook”) and any digital asset that met this definition would be considered a “Crypto Token”.

The DFSA specified that there would also be “Excluded Tokens” that fall outside of this definition, which includes non-fungible tokens (“NFTs”), utility tokens (“UTs”) and Central Bank Digital Currencies (“CBDCs”). The DFSA also provided that it will include on its website an initial list of tokens that are recognised and will not need to go through the formal recognition process.

The DFSA confirmed in their feedback statement that they did not make any substantial changes to the classification of Tokens but will continue to monitor the market as it develops and follow international regulatory developments within this space. The DFSA produced a Token Taxonomy flowchart intended to help firms classify the type of Token they are operating to determine whether it falls within the DFSA regulatory regime.

It is important to note that only recognised Crypto Tokens may be transacted in or from the DIFC as per the DFSA regulations. Since 1st November 2022, the DFSA has listed three recognised Crypto Tokens; Bitcoin (BTC), Ethereum (ETH) and Litecoin (LTC).

Excluded Tokens

The DFSA has maintained the narrow definition of an NFT. Any deviation from the NFT characteristics specified therein is likely to result in that Token being a Crypto Token, or an Investment Token, depending on the arrangements. The DFSA provides helpful guidance on this point.

There were many questions from firms during the consultation period as to whether Gaming Tokens were inside or outside of the DFSA regulatory regime. The DFSA clarifies that it depends whether the Token has the characteristics of an NFT or that of a UT.

The DFSA has provided that they will take a “substance over form” approach in determining whether a certain Token is in fact an NFT and will not rely on an “NFT label”.

CBDCs are also considered Excluded Tokens. In contrast to NFTs and UTs, CBDCs are not prohibited for use by Authorised Firms. Firms and their clients should be able to use CBDCs, if and when created by any government, subject to AML federal requirements.

Prohibited Tokens

CP143 prohibited Privacy Tokens, Algorithmic Tokens and Privacy Devices. The DFSA did not find the consultation feedback from firm’s persuasive and as such, the DFSA has confirmed that these tokens remain prohibited.

Registration as a Designated Non-Financial Business or Profession (“DNFBP”)

The biggest change that the DFSA has made within CP143 is to bring NFTs and UTs within the anti-money laundering regime. There was concern amongst market participants that UT creators and service providers were not originally included within the scope of the DNFBP regime and as such this opened up potential money laundering risks. The DFSA has since amended the Rulebook to include a requirement in 3.2.1, that a person who carries on the business or profession of issuing, or providing services related to, an NFT or UT must apply to the DFSA to be registered as a DNFBP. There is a notable exclusion, namely, for issuers where each issue involves a single transaction, or series of multiple interrelated transactions that are equal to or less than USD 15,000 in value; or in the case of a service provider, where the service constitutes solely technology support or technology advice to an issuer. The DFSA clarifies that such exclusion will not apply to NTF exchanges, either operating in a centralised or decentralised manner, on the basis that they will not be viewed as solely providing a technology service as they also bring together buyers and sellers who wish to transact in NFTs.


The DFSA has reaffirmed its position that no Financial Services[1] or activities can be undertaken with a Crypto Token unless it is recognised by the DFSA. This also extends to derivative transactions relating to Crypto Tokens and to funds that invest directly or indirectly in Crypto Tokens. This was despite many respondents disagreeing with the DFSA’s approach. The DFSA further stated that in their view it is too early for firms to self-certify the types of Crypto Tokens they can use.

Recognition Process & Jurisdiction

The DFSA has provided some helpful guidance on how they envisage the recognitions process working. The DFSA will generally issue a notice on its website of the fact that it has received an application for recognition of a specific Token. This enables other firms oversight and transparency into the types of Tokens being reviewed by the DFSA.

The DFSA has also touched upon the de-recognition process where a Crypto Token’s recognised status is revoked. Examples provided by the DFSA where revocation may occur include major hacks, serious fraud, a lack of transparency or anti-money laundering concerns.

The DFSA has also provided that they may recognise another jurisdiction as having a regulatory regime that is equivalent to that of the DFSA. These will be published on the DFSA’s website.


The DFSA made very few changes to CP143 in respect of funds, but these can be summarised as follows:

  1. Any business set to manage assets that include Crypto Tokens must be established in the DIFC and such Crypto Tokens must be recognised by the DFSA.
  2. The offering and marketing of funds that contain crypto tokens must be limited to recognised Crypto Tokens.
  3. The offering and marketing of exchange traded funds must be limited to recognised Crypto Tokens.
  4. The DFSA will not allow foreign or external funds providing Crypto Tokens to be offered or marketed in or from the DIFC, even to Professional Investors.
  5. No self-custody for funds consisting of Crypto Tokens will be permitted.
  6. Where a fund invests in another fund or entity which has a total exposure to Crypto Tokens that does not exceed 5% of the gross value of the fund or entity, then those Crypto Tokens do not have to be recognised Crypto Tokens.

Foreign branches

The DFSA has changed its position since CP143 and has provided that they will permit DIFC authorised firms, who are currently operating as a branch of a financial institution, to continue operating as a branch and provide services relating to Crypto Tokens without having to establish a DIFC body corporate. The only requirement is that the head office of such branch must be authorised to carry out the crypto activity.

Trading Venues

In CP143, the DFSA provided that a crypto trading venue could be operated as either an Exchange or a Multilateral Trading Facility (“MTF”), however, the DFSA have since confirmed that only an MTF will be permitted to be used as a crypto trading venue for Crypto Tokens. An operator of the MTF will be required to carry out an appropriateness test for providing services in relation to Crypto Tokens. Trading on account by the operator of the MTF is not permissible on their own venue under any circumstances.

Other requirements

Technology Audit

The DFSA has amended COB 15.8 to require firms to carry out a technology audit if they are providing Crypto Tokens. Firms must ensure there is a regular review of the adequacy of their arrangements by an independent third party.

Client Classification

The net asset test for Professional Clients has been amended to change the haircut from 80% to 66% of the market value of the respective Crypto Token. Note, only recognised Crypto Tokens can be taken into account when determining the monetary threshold for Professional Client status.


As a reminder, the UAE’s Federal AML legislation applies to all Crypto Token businesses in the DIFC. Under Federal AML Law No 20 of 2018 this extends to Virtual Asset Service Providers. The DFSA has therefore prohibited the use of Crypto Tokens and devices that hide, anonymise, obscure or prevent the tracing of information.


In order to obtain a licence to operate or provide Crypto Tokens in or from the DIFC, firms will first need to submit a pre-application to the DFSA via the DFSA website.

There will be a six-month transitional period starting from 1 November, however, such transitional period only applies to persons who before 1 November were Authorised Persons and were carrying on a financial services activity relating to a Crypto Token. Once the transitional period ends such authorised persons will need to have in place the correct permissions from the DFSA.

Authorised firms looking to vary their licence, or new companies seeking a DFSA licence to carry out Crypto Token business will need to ensure that their AML/CFT policies and procedures are effective for combatting money laundering/terrorist financing risks.


This is a welcome development within the UAE market. The DFSA crypto regime is in addition to the regimes already in place by FSRA, Securities and Commodities Authority, Central Bank of the UAE and newcomer VARA. The expanding regimes across the UAE demonstrate the regions commitment to become a leader in the digital asset space.

Existing and new firms will need to ensure that they have the appropriate licences in place and can demonstrate they meet their ability to operate a Crypto Token business. The focus on AML/CFT policies and procedures remains key and as such firms should ensure they have the appropriate systems and controls, strong KYC checks and robust policies and procedures in place.



[1] As defined in the DFSA Rulebook.