What is VARA? Dubai’s Virtual Assets Regulator Explained

Dubai’s Virtual Assets Regulatory Authority (VARA) has quickly become a cornerstone for companies navigating crypto and digital asset markets in the region. This article unpacks who needs a VARA license, the activities covered, and the regulatory expectations for founders and compliance teams. From licensing steps to marketing rules, it’s a practical guide to building within Dubai’s fast-evolving virtual asset framework.

What is VARA?

Dubai’s Virtual Assets Regulator Explained for Founders and Compliance Teams

A practical, regulation-first overview of who VARA regulates, what it expects, and how to approach licensing in Dubai.

●    VARA is Dubai’s specialist regulator for virtual assets under Dubai Law No. 4 of 2022. It supervises virtual asset activities across the Emirate of Dubai (including free zones) except the DIFC, which has its own regulator (DFSA).
●    If you carry on a virtual asset activity “by way of business” in or from Dubai, you must be licensed by VARA for the relevant activity. Exemptions are narrow.
●    Expect cross-cutting rulebooks (Company; Compliance & Risk; Technology & Information; Market Conduct) plus activity-specific rulebooks (e.g., Exchange, Custody, Broker-Dealer, Lending & Borrowing, Management & Investment, Advisory, Transfer & Settlement, Issuance).
●    The Marketing Regulations 2024 capture almost all crypto-related promotions that touch the UAE.
●    AECs (anonymity-enhanced cryptocurrencies) are prohibited. Federal AML/CFT obligations apply in addition to VARA’s regime.

 

1) VARA at a Glance

Dubai’s Virtual Assets Regulatory Authority (VARA) was created to give the Emirate a dedicated, technology-aware supervisor for crypto markets. Its mandate blends innovation enablement with consumer protection and market integrity, aiming to make Dubai a safe, competitive hub for digital assets. VARA’s remit covers the entire Emirate—mainland and free zones—excluding the DIFC, where the DFSA regulates separate crypto permissions.

What counts as a “virtual asset”? In practice, the definition is deliberately broad and technology-neutral: crypto-assets, stablecoins, tokens (including asset-referenced and utility tokens), and similar digital representations of value or rights that can be transferred, stored, or traded electronically.

 

2) Who Needs a VARA License?

If you carry on a VA Activity “by way of business” in or from Dubai, you are in scope. VARA looks at substance: holding out to the public, regularity/scale/continuity, remuneration or a commercial element, and whether you’re arranging or executing transactions for others. Building or promoting from abroad but targeting Dubai clients still creates risk—especially under the Marketing Regulations (see Section 6).

Common scenarios that are in scope:

●    Operating an exchange or matching venue; offering margin.
●    Running a broker-dealer desk, OTC, routing, or order execution.
●    Safekeeping client assets (custody) or collateral wallets.
●    Initiating or receiving client transfers, including payment/remittance touchpoints.
●    Managing or advising on portfolios of VAs; discretionary mandates; research that amounts to personal recommendations.
●    Lending/borrowing programs, collateralisation, or yield products.
●    Issuing or distributing tokens (especially where public or large-scale).

Edge cases:

●    Tech vendors that purely supply software might be outside scope—but if you operate or control a regulated function (e.g., keys, matching, settlement), you drift back into VASP territory.
●    Education can become marketing if it funnels users to a product or creates an expectation of a regulated service.
●    Global websites that accept Dubai traffic without geo-controls can still be “targeting” the UAE.

 

3) The Activity Model: Which Permissions Exist?

VARA uses an activity-based licensing approach. You apply for the permissions that match your features.

The main VA Activities are:

●    Exchange Services – operating a trading venue/order book/auction facility; market surveillance; venue rules; transparent fees; capacity/kill-switches; settlement discipline (e.g., 24 hours where technologically feasible); margin trading only with pre-approval and strict investor protections.
●    Broker-Dealer Services – receiving/transmitting orders; arranging deals; executing as agent or, in narrow cases, as principal to fill client orders or manage inventory. “Licensed Distribution Services” (new token offers via a venue/broker) sit here and require “quality” due diligence on the asset and issuer.
●    Custody Services – safekeeping client VAs. Baselines include per-client segregated wallets under VASP control, 1:1 holdings, strict key management, monthly statements, and incident reporting. Staking from Custody and Collateral Wallet Services (CWS) is a separate permission with its own technical and disclosure rules.
●    VA Transfer & Settlement Services – initiating/receiving transfers; receipts on initiation and finalisation; default rules for failed/defective transfers; 24-hour refund/restore for unauthorised or non-compliant executions; alignment with CBUAE payment/remittance rules and the AML Travel Rule.
●    Management & Investment Services – discretionary or non-discretionary portfolio management; suitability, independent valuation, monthly statements, explicit client consent for any use of client assets.
●    Advisory Services – personal recommendations; independent, fact-checked statements; robust suitability; staff competence; 8-year record-keeping.
●    Lending & Borrowing Services – lending/borrowing client or proprietary assets; liquidity and collateral sufficiency; quarterly asset-liability disclosures; monthly statements; immediate supervisory notification on shortfalls.
●    Issuance & Distribution – separate Issuance Rulebook with Category-1 vs. Category-2 tests and a special annex for FRVAs (asset-referenced tokens). AEC issuance is prohibited.

 

4) Cross-cutting Rulebooks you Must Implement

Regardless of your activity mix, VARA expects you to meet these frameworks:

●    Company Rulebook – governance (Board, committees), Responsible Individuals (two, UAE-based), fit-and-proper assessments, outsourcing controls, prudential metrics (paid-up capital, Net Liquid Assets), insurance, reserve assets, and wind-down planning.
●    Compliance & Risk Management Rulebook (CRMR) – independent compliance function and CO/MLRO with experience; risk taxonomy and Board reporting; books/records (8 years); client money (titled Client Accounts at UAE banks, deposit within one day, daily recs, monthly statements); client VAs (per-client segregation, 1:1, no rehypothecation without permissions/consent); sanctions & Travel Rule; STR/GoAML processes; sponsored VASP governance.
●    Technology & Information Rulebook (T&I) – CISO (independent from Compliance), cyber controls, Threat-Led Penetration Testing (TLPT), BCDR, incident notification timelines (e.g., 72 hours for material cyber/BCDR events; 24 hours if you notify a data regulator or data subjects), PDPL-aligned privacy programme, staff training, third-party/cloud risk, blockchain analytics.
●    Market Conduct Rulebook – client agreements (fair, clear, not misleading; version control; 30-day notice of changes; no deposit protection; ownership of client VAs; clear withdrawal terms; third-party providers and when assets leave your control), insider lists (retain 8 years), own-account trading restrictions, investor classification (Retail, Qualified, Institutional), public disclosures (licence number/permissions/restrictions; risks; RIs).

 

5) Prudential Discipline and Financial Resilience

Two capital lenses matter most: Paid-Up Capital (absolute or % of fixed annual overheads, depending on activity) and Net Liquid Assets (e.g., ≥ 1.2× monthly operating expenses). Add insurance (PII, D&O, crime) and, where relevant, reserve assets. You must monitor daily, reconcile monthly, and notify VARA immediately if thresholds are breached—then provide daily updates until rectified.

Practical tips:

●    Tie prudential metrics to an automated dashboard owned by Finance but visible to Compliance and the Board.
●    Pre-agree remediation levers (capital injection, cost curbs, risk-weighted throttles) and document decision rights.
●    Align treasury/market-making so it never looks like proprietary trading in breach of Market Conduct limits.
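The per-client segregation and 1:1 holding rule in Section 4 and the daily prudential monitoring in Section 5 both come down to a reconciliation that runs every day and escalates any shortfall. The Python below is an added illustration, not code from this article, from VARA or from any VASP: it checks a constructed client ledger against constructed per-client wallet balances, deliberately ignores house funds when covering client liabilities, and tests Net Liquid Assets against the 1.2× monthly operating expense threshold. Client names, balances, the house wallet and the figures are hypothetical.

```python
"""Daily client-asset reconciliation and prudential threshold check.

Added example (not the article's, VARA's or any VASP's code). It assumes a
simple in-house ledger and per-client segregated wallet balances, both
constructed below, and implements two controls the article describes:
per-client 1:1 coverage of client virtual assets, and Net Liquid Assets
>= 1.2x monthly operating expenses. Every gap is returned as a breach for
immediate escalation.
"""
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data (hypothetical clients, assets and balances).
# Internal ledger: what the VASP owes each client, per asset.
CLIENT_LEDGER = {
    "client-A": {"BTC": Decimal("1.50"), "ETH": Decimal("10.0")},
    "client-B": {"BTC": Decimal("0.25")},
    "client-C": {"ETH": Decimal("4.0"), "USDC": Decimal("5000")},
}
# Balances of the per-client segregated wallets as read back from the node.
WALLET_BALANCES = {
    "client-A": {"BTC": Decimal("1.50"), "ETH": Decimal("10.0")},
    "client-B": {"BTC": Decimal("0.20")},  # 0.05 BTC short of the ledger
    "client-C": {"ETH": Decimal("4.0")},   # USDC wallet missing entirely
}
# House (proprietary) holdings. Deliberately NOT counted toward client
# coverage: per-client segregation means house funds cannot paper over a gap.
HOUSE_WALLET = {"BTC": Decimal("3.0"), "USDC": Decimal("20000")}


@dataclass(frozen=True)
class Breach:
    client: str
    asset: str
    owed: Decimal  # ledger liability to the client
    held: Decimal  # what the client's segregated wallet actually holds

    @property
    def shortfall(self) -> Decimal:
        return self.owed - self.held


def reconcile(ledger, wallets):
    """Per-client, per-asset 1:1 check: held must be >= owed.

    A client with a ledger entry but no wallet (or no wallet for that asset)
    is treated as holding zero, so the gap is surfaced rather than skipped.
    """
    breaches = []
    for client, assets in ledger.items():
        held = wallets.get(client, {})
        for asset, owed in assets.items():
            have = held.get(asset, Decimal("0"))
            if have < owed:
                breaches.append(Breach(client, asset, owed, have))
    return breaches


def aggregate_coverage(ledger, wallets):
    """Per-asset totals (owed, held) across all client wallets only.

    Aggregate 1:1 is necessary but not sufficient; reconcile() is the
    control that matters, because segregation is per client.
    """
    owed_total, held_total = {}, {}
    for assets in ledger.values():
        for asset, amt in assets.items():
            owed_total[asset] = owed_total.get(asset, Decimal("0")) + amt
    for assets in wallets.values():
        for asset, amt in assets.items():
            held_total[asset] = held_total.get(asset, Decimal("0")) + amt
    return {a: (owed_total[a], held_total.get(a, Decimal("0"))) for a in owed_total}


def nla_check(net_liquid_assets, monthly_opex, multiple=Decimal("1.2")):
    """Net Liquid Assets must cover `multiple` x monthly operating expenses."""
    required = monthly_opex * multiple
    return {
        "required": required,
        "headroom": net_liquid_assets - required,
        "ok": net_liquid_assets >= required,
    }


def daily_report(ledger, wallets, net_liquid_assets, monthly_opex):
    """One daily run; 'escalate' is True when anything needs immediate notice."""
    breaches = reconcile(ledger, wallets)
    nla = nla_check(net_liquid_assets, monthly_opex)
    return {
        "breaches": breaches,
        "aggregate": aggregate_coverage(ledger, wallets),
        "nla": nla,
        "escalate": bool(breaches) or not nla["ok"],
    }


if __name__ == "__main__":
    report = daily_report(CLIENT_LEDGER, WALLET_BALANCES,
                          net_liquid_assets=Decimal("1000000"),
                          monthly_opex=Decimal("900000"))
    for b in report["breaches"]:
        print(f"BREACH {b.client} {b.asset}: owed {b.owed}, held {b.held}, short {b.shortfall}")
    print("NLA ok:", report["nla"]["ok"], "headroom:", report["nla"]["headroom"])
    print("Escalate:", report["escalate"])
```

Two design choices are worth noting. Balances use `Decimal` rather than floats so that small shortfalls (0.05 BTC here) are not lost to rounding, and a missing wallet is treated as a zero balance rather than skipped, so an unprovisioned client surfaces as a breach on day one instead of being silently ignored.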

 

6) Marketing: The 2024 Regime is Strict

The Marketing Regulations 2024 apply to any marketing of virtual assets or VA activities in or targeting the UAE—wherever you are located. Only a VARA-licensed VASP (or a third party approved by and acting for a licensed VASP) may market a regulated activity. Content must be fair, clear, and not misleading. Avoid guarantees, claims of “low risk”, urgency/FOMO, or suggesting crypto is “easy”. Do not market AECs. Do not promote buying VAs on credit unless you are licensed for that facility. KOLs/affiliates/agents must be approved, scripted, and monitored with takedown SLAs.

 

7) AML/CFT Alignment (Federal + VARA)

VARA is a designated supervisory authority for VASPs under federal AML/CFT laws. Expect all standard elements: business-wide risk assessment, RBA-based CDD/EDD, PEP approvals, sanctions screening, Travel Rule (commonly AED 3,500 threshold), STR filing, ongoing monitoring with blockchain analytics, typologies for anonymity-enhanced transactions, and staff training. Keep audit-ready evidence.

 

8) How to Approach the Licensing Journey

●    Step 1: Map your features to activities. Create a matrix of product features vs. VARA permissions. Decide whether to proceed with a single-entity or group (e.g., separate custody).
●    Step 2: Assemble your people. Identify two Responsible Individuals (UAE-based), CO/MLRO (≥ experience), CISO, CFO, and Ops lead. Map conflicts and segregation.
●    Step 3: Build the RBP. The Regulatory Business Plan is your anchor: business model, governance, prudential, T&I, risk/compliance, client protections, wind-down, project plan.
●    Step 4: Stand up technical controls. CISO in seat; TLPT plan; BCDR; incident response runbooks; wallet governance (if custody); chain analytics integrated to AML.
●    Step 5: Draft legal artefacts. Client Agreements; VA Standards (listing/delisting triggers); website public disclosures; marketing policy; KOL contracts; complaints handling.
●    Step 6: Prove the money. Paid-Up Capital and NLA evidence; insurance binders; reserve-asset policy (if applicable).
●    Step 7: Submit and manage Q&A. Appoint an internal project manager; track commitments; respond with evidence, not rhetoric.

 

9) Common pitfalls to avoid

●    Treating “education” or “airdrops” as outside marketing.
●    Issuing tokens without mapping Category-1 vs. Category-2 (or FRVAs).
●    Weak VA Standards, no delisting/suspension triggers, or missing market-abuse surveillance.
●    Under-resourcing CO/MLRO and CISO roles or blurring them with operations.
●    Missing client protection mechanics (client account titling; daily recs; 1:1 VA holdings; monthly statements).
●    Forgetting 8-year record-keeping and insider list retention.
●    Poor outsourcing contracts (no audit rights, no incident SLAs, unclear data location).

 

10) Frequently Asked Questions

●    Is a foreign firm in scope if it has no Dubai entity?

Yes, if its marketing or activities target the UAE or are carried on from Dubai.

●    Can I run everything in one entity?

Often yes, but multi-activity models increase prudential, conflict, and operational-resilience expectations. However, custody is a standalone activity and needs a separate entity.

●    Do stablecoins need special treatment?

FRVAs have special compliance requirements (backing, reserves, redemption at par, monthly attestations). AED-referenced FRVAs fall under CBUAE.

●    What about AECs?

Issuance and all VA activities relating to anonymity-enhanced cryptocurrencies are prohibited in Dubai.

 

11) Action Checklist

●    Map features → activities; decide entity structure.
●    Name two Responsible Individuals; seat CO/MLRO and CISO.
●    Draft RBP, VA Standards, client agreements, disclosures, marketing policy.
●    Stand up client money accounts; configure per-client wallets and 1:1 reconciliation.
●    Build prudential dashboard (Paid-Up Capital, NLA); line up insurance.
●    Implement TLPT/BCDR; integrate chain analytics into AML.
●    Prepare supervisory Q&A pack; allocate owners and timelines.

Need help mapping your features to the right VARA licence or preparing an RBP?

CRYPTOVERSE Legal Consultancy advises founders end-to-end on VARA applications, rulebook compliance, and supervisory Q&A.

Disclaimer: This article is for information only and does not constitute legal advice. Always seek advice tailored to your facts and licence scope.

 

Written by:

Desmond Tatsi | Cryptoverse Legal Consultancy
