VARA establishes a clear pathway to virtual assets regulation

Covering strong governance, compliance, and consumer protection
VARA establishes a clear pathway to virtual assets regulation
Nadim Bardawil, Partner at BSA Ahmad Bin Hezeem & Associates LLC

On February 8, the Dubai government’s Virtual Assets Regulatory Authority (VARA) released its 2023 rulebook for the regulation of cryptocurrency in the emirate. The new regulations require all entities involved in the issuance of virtual assets (VA) to adhere to the rules and apply for a license to operate in Dubai.

The primary objective of VARA’s new rules is to protect both crypto businesses and investors while also cracking down on illicit activities. To gain further insight into the legislation and its implications, Economy Middle conducted an interview with Nadim Bardawil, Partner at BSA Ahmad Bin Hezeem & Associates LLC.

Read: Binance gains MVP License from Dubai’s VARA

What prompted this security VA framework by VARA? Weren’t these addressed before? What’s new?


The Virtual Assets and Related Activities Regulations of 2023 (the “VA Regulations”) have long been awaited since the passing of Dubai Law No. 4 of 2022 which established VARA in Dubai. The VA Regulations are composed of four compulsory rulebooks and seven activity-specific rulebooks.

The compulsory rulebooks are composed of the Company Rulebook, the Compliance & Risk Management Rulebook, the Technology & Information Rulebook, and the Market Conduct Rulebook. These will be applicable across all entities regulated by VARA that carry out any type of activity related to virtual assets.

The seven activity-specific rulebooks will only be applicable to an entity carrying out said specific activity and regulated by VARA. One activity-specific rulebook that has yet to be published is the Payments & Remittances Services Rulebook

While the initial legislation that established VARA was a watershed moment for the regulation of virtual assets in Dubai, the VA Regulations have been long awaited as the industry now has a clear and public pathway to regulation under VARA.

Are these new regulations targeted at banks, the central bank, or private enterprises that deal and trade with virtual assets and currencies?


The regulations are targeted at any entity that wishes to carry out an activity in the virtual asset space in Dubai but outside of the Dubai International Financial Centre. As a reminder, the DIFC has enacted its own token and crypto legislative frameworks that apply to entities carrying out activities within the DIFC and regulated by the DFSA.

Under the VA Regulations, the activities that can be carried out and regulated by VARA are as follows:

  1. Advisory services
  2. Broker-dealer services
  3. Custody services
  4. Exchange services
  5. Lending and borrowing services
  6. Payments and remittances services
  7. VA management and investment services

Each of these activities is defined in the VA Regulations, which enable entities to determine whether their current or prospective operations may be subject to the regulation of VARA. Certain exemptions are included in the VA Regulations, which permit some entities to operate without a license. It should be noted that UAE government-owned or linked entities are exempt from complying with the regulations.

Vara Virtual assets

Are the regulations enough to ensure security against potential misuse of new tech? What else is needed?


The nature of new or nascent technologies is that regulation often lags behind their development. This has usually allowed technology to continue to evolve without facing significant restrictions on its usage or innovation. The VA Regulations have struck a good balance by providing clear licensing and registration requirements for prospective entities while at the same time ensuring that strong governance, compliance, and consumer protections remain.

While no one can effectively fully guard against the misuse of new technology, VARA seems to be making a commitment to being a proactive regulator in the virtual assets space having chosen to address several aspects of the industry.

Are the new regulations flexible enough to allow for VA and crypto innovation to thrive, i.e. are the new regulations stringent enough to kill innovation in the sector?


The VA Regulations seem to have struck the right balance as mentioned above. VARA has not currently defined which virtual assets will be recognized or permitted under its regulatory framework. This means that VARA has kept the door open for recognition of assets, noting that it reserves the right to suspend the trading of any virtual asset on reasonable grounds.

One unique aspect is that the VA Regulations include an ESG component where entities are required to satisfy certain disclosure requirements during the licensing process. This is quite an innovative approach from VARA and demonstrates that it will be taking on the characteristic of a proactive regulator, as mentioned above.

What additional costs will licensed private-sector enterprises incur to be fully compliant with AML? Do they need to be insured against such risks?


The VA Regulations have been made with direct reference and recognition of the applicable AML legislative framework in the UAE. This means that any entity regulated by VARA must comply with applicable AML laws set by the UAE federal government.

The Compliance & Risk Management Rulebook provides for a thorough AML framework similar to those of other financial institutions in operation in the UAE and in line with international standards. VARA-regulated entities will need to have an appointed money laundering reporting officer or MLRO which must adhere to a strict set of responsibilities and must be deemed fit and proper by VARA.

For more on virtual assets, click here.

Disclaimer: Opinions conveyed in this article are solely those of the author. The information presented in this article is intended for informational purposes only. It does not constitute advice on tax and legal matters; neither are they financial or investment recommendations. Refer to our full disclaimer policy here.