Virtual Assets regulation in Dubai: VARA issues updates to its Rulebooks

The multifaceted regulatory landscape for Virtual Assets (VAs) in the UAE continues to evolve to keep pace with the fast-changing nature of the industry. In the latest development, the Dubai Virtual Asset Regulatory Authority (VARA), which regulates both Virtual Asset activities and Virtual Asset Service Providers (VASPs) in the Emirate of Dubai, has issued updated versions of all twelve of its Rulebooks in line with global regulatory best practices. 

Licensed VASPs have a 30-day transition period, with full compliance required by 19 June 2025.  VASPS operating in Dubai or entities considering setting up in Dubai to conduct VA activities need to be aware of and prepare for these changes introduced. 

We summarise some of the key changes introduced in the Virtual Asset Issuance Rulebook and the four mandatory rulebooks.

Virtual Asset Issuance Rulebook

This Rulebook sets out the requirements that all entities in the Emirate of Dubai must follow in issuing a VA.

The concepts of a Category 1 VA issuance and Category 2 VA issuance remain, with some changes to the requirements for these types of issuances. All VA issuers, other than issuers of a new category of Exempt VAs, need to publish both a Whitepaper and a Risk Disclosure Statement, with more detailed Whitepaper requirements and enhanced disclosure requirements for Category 1 VA Issuances.

VARA’s supervisory powers have been extended to include rights to immediate access to all premises, data, and books and records.  VARA also has the power to suspend issuances. 

Category 1 VA issuance:

• A VARA licence is required for this type of issuance, which applies to Fiat-Referenced Virtual Assets (FRVAs) and a new category of VAs - Asset-Referenced Virtual Assets (ARVAs).
• ARVAs include any Virtual Asset (which is not an FVRA) which represents or purports to represent (directly or indirectly) current or future ownership of any Real-World Assets (RWA).  
• RWA includes any interest in any financial instrument, a physical and/or tangible asset or an intangible asset – this is incredibly broad and would therefore capture commodities, real estate and any traditional financial instrument.  
• A new Annex II provides for the issuance rules for ARVAs which are similar to those of FVRAs, with certain adjustments to account for the particular characteristics of ARVAs. 
• Category 1 VA Issuances are, in all events without exception, deemed to be carried out in the course of a business and licensed VASPs must obtain approval from VARA prior to issuing a FVRA or an ARVA. 

Category 2 VA issuance:

• A Category 2 VA issuance now captures any issuance that is neither a Category 1 VA Issuance nor an Exempt VA. 
• No VARA licence or prior approval is required, but placement or distribution of the VAs must be carried out through or by a VARA Licensed Distributor. 
• Approval of the issuer is no longer required, however, licensed distributors are responsible for ensuring that the issuer complies with the VA Issuance Rulebook.

Exempt VAs:

• This new category of Exempt VA has no requirements prior to issuance. 
• It includes non-transferable VAs and redeemable closed-loop VAs (which are broadly similar to the previous “Permitted VAs” which could be issued only by Exempt Entities).

Company Rulebook 

This Rulebook covers key topics such as Corporate Governance, Fit & Proper, Outsourcing and Capital and Prudential requirements. 

• All VASPS are now required to prepare and maintain a wind down plan, regardless of whether a decision to discontinue its business or operations has been taken. 
• The VASP must ensure that VARA can intervene and assume control of any Client Money and VAs, including when the VASP is in breach of any Regulation, Rule or Directive.
• If a solvent VASP decides to discontinue its business or operations, there is now a detailed procedure to follow, including the requirement to notify VARA (within one day after the decision has been taken) and ongoing notifications and updates throughout the wind down process. 
• Under the adjusted liquidity requirements, VASPs must hold and maintain sufficient liquid assets.  Any type of VA referencing USD or AED (or as approved by VARA) can count towards net liquid asset calculations, and this is no longer restricted to FRVAs. 

Compliance and Risk Management Rulebook

Changes to this Rulebook reflect the wider trend for progressive regulation to address the evolving nature of VAs and risks associated with them.  The changes focus on enhancements to AML and CTF checks, sanctions compliance, business risk assessments, client risk assessments and protection of client money and client VAs. 

• VASPs must now conduct AML/CFT client risk assessments at regular intervals and no longer than every three months. 
• Each client should be assigned a risk rating proportionate to the assessed AML/CFT risk. 
• There are enhanced requirements for clients with a high-risk rating or where the client's Ultimate Beneficial Owner is a politically exposed person (such as obtaining additional information from the clients, more regular update of due diligence information and obtaining senior management’s approval prior to starting a business relationship with the client).
• The nature of the business risk assessments must be tailored to the nature of the VASP’s business, VAs, VA-related technologies and now also technologies not specific to VAs (such as AI and machine learning).
• VASPs are now also required to comply with the FATF Travel Rule requirements. There are detailed requirements for complying with targeted financial sanctions in relation to screening, freezing assets and any transactions involving any entities or individuals listed in the UNSC sanctions frameworks are prohibited. Individuals including MLROs and Senior Management may also now be subject to enforcement action for non-compliance. 
• The client money section now clarifies that client money and client VAs held by the VASP on behalf of their clients is not owned by the VASP and will not form part of its estate in the event of insolvency. 
• Generally, VASPs cannot take ownership of client money under their client agreements (unless placed under a trust). Separate VA wallets where clients’ VAs are held must be labelled” Client VA Wallet” in their books and records.
• There is now a new concept of a “Sponsored VASP”, which is an entity that is sponsored by a VARA regulated VASP to carry out VA Activities in Dubai (the Regulated Sponsor). The Sponsored VASP must be either an entity controlled by the Regulated Sponsor or have the same controlling entity.  Both entities must at all times comply with the VARA Marketing Regulations.  Stringent documentary and compliance requirements apply, particularly on Regulated Sponsors who must ensure, and be responsible for ensuring, their Sponsored VASPs' compliance. 

Technology and Information Rulebook

This Rulebook addresses topics such as technology governance frameworks, personal data protection and maintaining confidential information. 

• One of the primary changes to the new Rulebook is the introduction of a “Technology Governance and Risk Assessment Framework”.  The concept of such framework previously existed under the previous Rulebook, however, the new changes set out the expectations of how the framework should operate in practice.  
• VASPs must ensure that the framework remains effective by continually reviewing against the business risks, arranging for the testing of their policies, processes, procedures and controls aimed at managing risks on a periodic basis. 
• There is a new requirement that VASPs must now conduct Thread Led Penetration Testing (TLPT).  The Rulebook sets out detailed provisions, including, but not limited to, the requirement to use an external tester and ensuring the tester has the necessary qualifications, experience and is of good repute before being instructed. 

Market Conduct Rulebook

This Rulebook addresses topics such as the marketing of VAs, the content of client agreements, complaints handling and investor classifications.  

• The most significant update relates to the definition of Qualified Investors, bringing it more closely in line with the onshore UAE definition of a Professional Investor. Under the previous Rulebook, the definition captured individuals who maintained a relatively low cash holdings threshold of AED 500,000 (supported by evidence of a bank statement). 
• Under the new Rulebook, to qualify as a Qualified Investor, the individual or legal entity:
  • must maintain net assets (comprising of fiat currency, financial instruments, VAs or equity) of at least AED 3,500,000 (excluding the value of the individual’s primary residence); and
  • have an annual income of AED 700,000 or more. In addition, for the calculation of net assets, only 50% of VAs’ value is may be included.  
    This is a significant departure from the original cash holdings amount of AED 500,000 and will likely require licensed VASPs to recategorize a number of their clients and revise their onboarding forms and documents accordingly. 
• VASPs must now clearly state in their Client Agreement that all client assets are owned by the client and clearly identify if and when any assets will not be owned by the client at any time (such as, when the clients’ money is placed in trust). 

Looking ahead

With the surge in interest of digital assets within the Emirate of Dubai, the regulatory framework must strike a balance between supporting this growth and ensuring risks (whether related to technology or combatting AML) are adequately managed through policy or otherwise. It must also keep step with the fast-paced environment of virtual assets and the key challenges faced within the industry and seek to address those challenges appropriately and proportionately. 

Given the transitional compliance period is only 30 days, VASPs must act promptly to ensure their policies, processes and frameworks (including notifying senior management) are in compliance with the new updated Rulebooks.