Setting Up Virtual Assets Service Providers in the DIFC
Why setup a financial services firm in the DIFC?
DIFC is one of the world’s top eight onshore financial centers and offers a secure and efficient platform for businesses and financial institutions to reach into and out of the emerging markets of the region. The quality and independence of DIFC’s regulator, the prevailing common law framework, excellent infrastructure and tax efficiencies make it the perfect base to take advantage of the rapidly growing demand for financial and business services in the MENASA region.
DIFC fills the time-zone gap for a global financial centre between the leading financial centres of London and New York in the West and Hong Kong and Tokyo in the East.
What is a Virtual Asset Service Provider?
Digital Asset Entities (DAE)
DAE can be any business that is built around crypto transactions. These include Virtual Asset Service Providers (VASP) such as crypto exchanges, ATMs that allow crypto transactions and conversion, gaming sites, business incubators and any other such entity that deals in digital assets. They are also called Virtual Asset Entities or Crypto Asset Entities.
Digital Asset Customer (DAC)
Any Digital Asset Entity that uses the services of a bank or any other financial institution is a DAC. They are classified thus mainly to account for increased AML monitoring and compliance checks.
Virtual Asset Service Providers
Enhanced anti-money laundering/counter terrorism financing and compliance obligations apply to DAEs that engage in financial services. These DAEs are referred to as Virtual Asset Service Providers and include exchanges/platforms that allow for fiat-virtual or virtual-virtual asset conversions (Alternative Trading Systems or Multilateral Trading facilities), transfers of virtual assets, custody of virtual assets such as digital custodians, and issuers/distributors and advisors on virtual assets, such as asset managers and investment advisors.
Most regulators define VASPs in a way to capture the above activities carried out “for and behalf of another person”, so for instance, mining crypto at home or on an individual basis may not come under regulation, but mining pools could be classified as VASPs.
The DIFC’s Digital Assets Framework is designed to cover all activities concerning virtual assets. The Dubai Financial Services Authority (DFSA) recently issued a consultation paper on the regulation of Security Tokens in the DIFC. This paper is one of the two consultation papers that will go on to make the base for the DIFC Digital Assets Regime, thus opening the gateway to a whole new world of exciting and cutting-edge fintech applications using the Distributed Ledger Technology (DLT).
The DFSA then made the relevant amendments to it’s legislation in the end of September, thus creating the framework for the regulation of Security Tokens in the centre.
Part 1 of the DIFC Digital Assets Regime covers Security Tokens. Part 2 is expected to cover Utility Tokens, Exchange Tokens and Stablecoins.
The DIFC Digital Assets Regime will be of interest to Virtual Asset Service Providers, especially issuers of Security Tokens, Authorised Market Institutions that wish to admit Security Tokens to trading, or performing clearing and settlement services, operators of Alternate Trading Systems such as Multilateral Trading Facilities (MTF) and Organised Trading Facilities (OTF) that wish to trade Security Tokens, providers of Digital Wallets who provide custody and storage services for such tokens, technology providers and in general, any licensed firm that wishes to advise, arrange or manage crypto-assets. By the end of the second quarter, it is expected that the Regime will cover other virtual assets as well, and hence provide a comprehensive framework for the authorization and regulation of Virtual Asset Service Providers in the region.
What does DIFC consider to be a token, or a crypto-asset?
The DFSA defines a token as a digital representation of value, rights and obligations that are created, stored and transferred electronically, using distributed ledger technology (DLT) or similar technology.
Generally, crypto-assets depend on cryptography and distributed ledger as part of their perceived or inherent value. They are created, stored and transferred using a DLT application, using:
- An address,
- a public key corresponding to that address, and
- a private key, also corresponding to that address.
What does the DFSA consider to be a Security Token?
In addition, a Security Token is defined as a token that confers rights and obligations that are:
(i) the same as those conferred by a share, debenture or futures contract (Investments); or (ii) substantially similar in nature, purpose or effect, to those conferred by Investments.
In effect, a Security Token is a token that behaves as a security (equity, debenture, convertible, future, option etc.) and is hence considered by the DFSA as a specified investment.
What is a security?
The DFSA has a list of instruments that they consider a security. In general, a transaction is considered a security if a) there is an investment of money, b) there is an expectation of profit, c) the investment of money is in a common enterprise and d) any profit comes from the efforts of a promoter or third party. This is also commonly known as the Howey Test.
How would the DFSA determine whether a particular Security Token is an Investment or not?
The DFSA aims to take a hybrid approach, where they will make their own assessment of whether the proposed token is a Security Token, based on a self-assessment submitted by the applicant.
Virtual Asset Service Provider activities expected to be covered by the Regime:
- dealing as Principal or Agent in accepted virtual assets
- managing virtual assets of clients
- Arranging deals in investments where such investments are virtual assets
- Trading in virtual assets or providing trading platforms/exchanges such as Multilateral Trading Platforms
- Marketing of virtual assets
- Providing or arranging custody of virtual assets
- marketing of accepted virtual assets
- Advising on the purchase or sale of virtual assets
Trading of Virtual Assets
The DFSA has an existing framework for the authorization and regulation of Exchanges, Alternate Trading Systems and Clearing houses. Under the regulation for conventional securities, exchanges are licensed as Authorised Market Institutions (AMI), and MTFs and OTFs are licensed as Alternate Trading Systems. Accordingly, the DFSA now permits such institutions to perform the same activities for Security Tokens as well. However, privacy tokens and anonymous trading will not be allowed.
In cases where the facility is exclusively dedicated to trading only in Security Tokens, it would be labeled a Security Token Market (or Derivative Token Market, or Investment Token Clearing House etc.).
There will be additional requirements applicable to such facilities, mainly comprising KYC and technology-related compliances.
Additional IT-related requirements
The DFSA would be interested in reviewing the criteria for market participants who access and update records on the platform, network security and ongoing compliances. They would also review the IT design of the DLT implementation adopted by the facility that trades security tokens, and whether it is able to address how the rights and obligations relating to the tokens are properly discharged.
Technology governance mechanisms would also be reviewed, including IT architecture, storage and transmission of data, procedures to address soft and hard forks, cyber-security measures,
decision-making protocols and interfaces with providers of digital wallets.
A comprehensive IT audit, conducted by an independent third-party IT expert would be required to be submitted to the DFSA annually.
What is an Alternative Trading System?
An ATS is a platform that is more loosely regulated than an exchange. It is used to match large orders mainly from institutional clients, and hence work as broker-dealers rather than exchange houses. They are also referred to as Multilateral Trading Facilities in Europe.
The DFSA recognizes two types of ATS platforms – Multilateral Trading Facilities that operate on non-discretionary rules, and Organised Trading Facilities that operate on discretionary rules.
MTF operators allow for trading of a wide variety of equity and non-equity securities, including shares, warrants, options, derivatives, futures, CFDs, fund units and crypto assets. Contracts between buyers and sellers are formed according to a set of transparent rules that do not discriminate between members or their clients (non-discretionary basis).
Organised Trading Facilities on the other hand, are facilities where contracts for the exchange of non-equities such as bonds, structured finance products, emission allowances or derivatives are formed, on a discretionary basis. An MTF is usually operated by a regulated investment firm or an operator, whereas an OTF can only be operated by a regulated investment firm.
Why are Alternate Trading Systems of interest in the DIFC?
While the DIFC has provisions for ATS facilities, there are none registered at present. This is set to change however, with the introduction of the DIFC Digital Assets Regime. It is expected that there will be interest from Virtual Asset Service Providers to register and get regulated in the centre, primarily to engage in Security Token Offers and secondary trading of crypto assets.
What are digital wallets?
Digital wallets are VASPs that store the public and private keys that enable users to interact with DLT to trade in tokens and monitor their balances. These can be hot wallets, i.e. software/cloud-based wallets connected to the Internet, or cold wallets, i.e. hardware devices such as USB sticks with security features.
DLT networks usually provide their own wallet functions, like Bitcoin Core for Bitcoin. There are also specialized wallet providers who hold client’s tokens – these include the likes of Coinbase, Exodus and Mycellum.
Providers of Digital Wallet services will have to be licensed to Provide Custody, either by the DFSA or an equivalent regulator. Clients also have the option to self-custody by using their own digital wallets, in which case, the Security Tokens are held at their own risk. Operators can also take custody of clients’ Security Tokens by holding their private keys in a DLT-based account under the operator’s own private key, and hence will have to be licensed by the DFSA to provide such services.
Additionally, the DFSA now allows operators of Alternate Trading Systems to hold Client Money, so that they can trade Security Tokens. Such ATS will be subject to Client Money requirements from the DFSA, with a base capital of US$ 140,000 and expense-based capital calculations at 18/52.
Token Issuers
The prospectus requirements that apply for public offers of Securities, i.e. Initial Public Offerings, will continue to apply to IPO’s of Security Tokens. In these cases, the white papers released by the issuers can be considered as Prospectuses, provided they contain the information as mandated by the DFSA for issuances of securities. Also, there will be additional information and disclosures required for Security Token issuances.
The DFSA has provisions for exempt offers in the case of conventional securities, and an offer of Security Tokens denominated in an amount of at least US$ 100,000 or equivalent will be considered an exempt offer. However, any further fractional interest in such security tokens (for less than US$ 100,000) will not be exempt.
Token Funds
Funds can also be tokenised. The DFSA allows Security Tokens that represent rights and obligations similar to Units in a Fund, in which case they will be regulated in the same manner as Units of Funds. Additional prospectus disclosures will be required, similar to those required in the case of initial offers of other Security Tokens. Such tokens can be offered both to the public and via private placement, and the same rules and eligibility criteria will apply to the Fund Managers.
Funds will also be allowed to invest in other crypto-tokens, subject to appropriate disclosures in the Fund Prospectus.
There are additional disclosures required in case of public funds where 10% or more of their underlying assets are crypto assets.
All the above requirements also extend to distribution of foreign security tokens. Marketing and promotional activities related to security tokens will be subject to the same compliance requirements as conventional securities.
In addition, firms that market, promote, manage or undertake any other financial services in relation to Security Tokens will be required to provide to their clients a Key Features Document, with relevant disclosures.
Regulatory approvals
Virtual Asset Service Providers interested in carrying out financial services from the DIFC are required to submit applications to the Dubai Financial Services Authority, or DFSA.
The type of business that the VASP wishes to engage in defines the category of License that is required. For example, a firm undertaking low risk activities such as advising or arranging will require a Category 4 License, while a discretionary portfolio manager will require a Category 3C License. A STP broker, dealing on a matched principal basis will require a Category 3A License, whereas a market maker or provider of credit provider will require a Category 2 License. Full-fledged banks, that accept deposits, will come under a Category 1 License.
A common misinterpretation is that a firm applies for a DIFC Category 3C or a DIFC Category 4 license. As described above, the activity defines the category, i.e. a company that wishes to engage in Asset Management, advisory and arranging activities falls in the Category 3C, by virtue of the highest activity of Managing Assets, even though advisory activities fall in category 4.
Virtual Asset Service Providers that wish to provide a platform for trading of virtual assets, will have to apply for the activity of Operating an Alternative Trading System, which comes under the Category 4 licensed activities.
Category 4 – Operating an Alternative Trading System
Base Capital – US$ 140,000
Other VASPs will be licensed according to the intended activities
Key requirements
The DFSA expects that the VASP have transparent and non-discriminatory rules and procedures to ensure fair and orderly trading of investments, and objective criteria governing access to its facility. The regulator also requires the ATS operator to have objective and transparent criteria for admitting securities that will be traded on the platform, adequate technology resources and procedures for proper market conduct.
An ATS Operator may only trade investments that reference to an underlying benchmark or index provided by a Price Information Provider, which is usually a price reporting agency or an index provider like Refinitiv.
The ATS operator is also required to provide adequate pre-trade and post-trade transparency to its market participants. Since an ATS Operator is not authorised to provide clearing and settlement services, it will have to make arrangements for clearing and settling trades from an existing clearing house in the DIFC (Nasdaq Dubai is the only such institution at present).
Technology and governance requirements for VASPs that deal in Security Tokens
ATS operators that allow primary listing and secondary trading of Security Tokens will have to ensure that the DLT applications used by the facility operate on permissioned access. Privacy tokens and anynomous trading are not allowed.
The DFSA would be interested in reviewing the criteria for market participants who access and update records on the platform, network security and ongoing compliances. They would also review the IT design of the DLT implementation adopted by the facility that trades security tokens, and whether it is able to address how the rights and obligations relating to the tokens are properly discharged.
Technology governance mechanisms would also be reviewed, including IT architecture, storage and transmission of data, procedures to address soft and hard forks, cyber-security measures,
decision-making protocols and interfaces with providers of digital wallets.
A comprehensive IT audit, conducted by an independent third-party IT expert would be required to be submitted to the DFSA annually.
Staffing
The DFSA expects that the Virtual Asset Service Provider be adequately staffed depending on the scale, scope and nature of the product portfolio that is proposed to be offered from the DIFC. At a minimum, the DFSA would like to see the following appointments:
Board of Directors – a well-organized Board with robust governance policies. The Chair would have to be a non-executive Director.
Senior Executive Officer (SEO) – Senior banking professional with over 10 years of experience, ordinarily resident in the UAE.
Finance Officer (FO) – Senior and suitably-qualified finance professional. In case of a group, the FO can be from the parent company and does not have to be resident in the UAE. This role can also be outsourced.
Risk Officer – This position is usually outsourced, and not mandatory.
Chief Technology Officer – suitably qualified and experienced IT expert.
Compliance Officer (CO) - Senior compliance professional with over 10 years of experience, ordinarily resident in the UAE.
Money-Laundering Reporting Officer – Senior AML professional with over 10 years of experience, ordinarily resident in the UAE. This function can be combined with Compliance and one individual can carry out both responsibilities.
The CO and MLRO roles can also be outsourced.
Internal Auditor - Senior and suitably qualified internal audit professional. Usually outsourced to a professional firm.
External Auditor – DFSA-recognised auditor.
Independent IT Auditor – Suitably qualified IT expert (e.g CISA, CISM, ISACA, CISSP qualified)
DIFC Capital requirements
The category of license will determine the amount of capital required. The base capital requirement for a Category 4 firm is $10,000. This rises to $500,000 for a Category 3 firm, $2 million for a Category 2 firm and $10m for a Category 1 firm.
Capital waivers may be available to the DIFC branch of a regulated financial institution having its head office in a recognised regulatory jurisdiction.
Actually, there are three components of capital - base capital, risk-based capital and expense-based capital. The higher of the three is set to be the capital requirement. These figures are calculated using the financial models that we make for the Regulatory Business Plan during the application process, and so are mostly unique to the company that applies for the license.
The figures given above are for base capital only, and actual capital may vary depending on the business model and the associated expenses and risks.
In general, for ATS operators that hold Client Assets - 18/52 of the projected annual expenses of the firm.
Calculation of capital is a detailed process and involves many factors. We recommend that you contact us for more details on the application process and capital calculations.
Can DIFC firms service clients outside the centre, and in the greater UAE?
Yes, they can. Sheikh Mohammed bin Rashid Al Maktoum issued Law No. (5) of 2021 relating to the DIFC, which brought further clarity to the rules governing the promotion and supply of services and products for firms registered in the centre.
The revised law confirms that DIFC-registered entities can supply services and products outside the DIFC, as long as they are primarily provided out of the firm’s premises in the DIFC area. Marketing and promotional activities are also allowed outside the centre.
There may be additional rules to follow, for instance, when actively marketing funds from the DIFC. A passporting regime exists in this case, where the fund manager can register for a passport for the fund to be marketed in the UAE and the ADGM. Do get in touch for more information on this.
Specific Advantages
Here are some specific advantages of establishing in the Dubai International Financial Centre.
LEGAL AND REGULATORY FRAMEWORK
- Legal framework supports cross-border activities
- 100% foreign ownership permitted
- No restriction on foreign talent or employees
- No restrictions on capital repatriation
TAX BENEFITS
- Zero tax for 50 years on profits, capital or assets from 2004
- Zero tax on employee income
COUNTERPARTY CONFIDENCE
- Highly regarded, independent regulator
- Independent, English-speaking, common law judicial system
- Distinct from the UAE legal system
- Risk-based regulatory approach
DIVERSE ECOSYSTEM
- Central to regional deal making
- High concentration of international firms, investment funds, wealth management firms, banks, and financial institutions
- World-class regional and international law and auditing firms, and other professional services
- The largest fund domicile in the region
GEOGRAPHIC EPICENTRE
- Management offices, holding companies and family offices are located closer to the assets they own or manage
- The Middle East, Africa and South Asia (MEASA) is increasingly the centre of gravity for the global economy
- Dubai plays a central role in the growing South-South trade, principally between Asia and Africa
- Well-positioned to harness the potential of emerging markets
The application process
The DIFC application process commences with formal introductions to the DIFC and the DFSA.
Following the introductory call, a detailed Regulatory Business Plan (RBP) is prepared, along with financial projections, for a quick review by the regulator.
The comments of the regulator are incorporated into the RBP, and a comprehensive application is compiled, comprising policies, processes and other related documentation. The KYC and associated forms of all key individuals are also prepared for submissions.
The formal application is then sent across to the DFSA, who reviews the pack over a period of 7-10 business days, and then accepts it. The detailed review process then commences, and this can take anywhere between 90-120 days to complete.
The regulator maintains communication with the applicant at all times during the review, reverting with an initial review 2 weeks into the application, and then follow-up reviews thereafter. The DFSA also meets with the SEO, FO, Technology Head and CO/MLRO designates, and conducts a detailed interview with them.
An in-principle approval is issued in case the application is successful. The applicant then proceeds to satisfy the in-principle conditions, and this involves the setting up of a legal structure, opening a bank account, and depositing the share capital in the account. Other tasks include finalization of auditors and obtaining professional indemnity insurance for the firm.
Once done, a final submission is made to the DFSA, following which the regulator issues the Financial Service Permissions and the process is then complete. The firm is now open for business.
Costs
The fees for filing an application to be licensed as an Alternate Trading System that allows for trading in security tokens will be US$ 150,000 and annual license fees will be US$ 100,000. An additional US$ 10,000 per year will be applicable for AMIs and ATSs that operate direct access markets for security tokens. Firms will also have to pay an additional US$ 20,000 for Retail Endorsements, to deal with Retail Clients.
The admission fees for listing and trading will be US$ 2500.
Data Protection
The data protection notification is part of the process of registering a new entity in the DIFC. The costs involved are as follows:
Registration - US$ 1,250
Annual renewal – US$ 500
Office spaces
Every entity registered in the DIFC is required to lease a physical office. You can choose from the Gate and surrounding buildings, or other buildings within the DIFC, such as Emirates Financial Towers, Central Park, Park Avenue, Burj Daman and Currency House.
Prices vary, depending on the space availed and the building. Here is an indication of the prevailing rates:
DIFC Business Centre – from a two-desk office at US$ 35,000.
DIFC Fitted Offices – from US$ 55 per square foot.
Other buildings – from US$ 35,000 per annum
Visas
Establishment Card Application – US$ 630
PSA Deposit – US$ 682
Visas (per visa) – from US$ 1,500
PSA Deposit (per visa) – US$ 682
Visa allocation is calculated as 80 square feet per visa.
Our Services
1. Fintech Advisory
Consultations on structuring fintech businesses in the UAE and Saudi Arabia. Starts with advice on holding structures, share vesting plans, investor and founder legal packs. In case of regulated fintechs, we also advise and assist in authorisations from the relevant financial regulators.
Sectors – Money Service Businesses, Open Banking, Robo-Advisory (passive, automated and hybrid), crowdfunding platforms (investment, loan-based, property) and decentralised applications (DeFi and Blockchain-based solutions).
Regulators – UAE Central Bank, Emirates Security and Commodity Authority, Dubai Financial Services Authority (DFSA/DIFC), Financial Services Regulatory Authority (FSRA/ADGM) and the Central Bank of Bahrain.
Regulated licenses – Electronic Money Institutions (EMI), Payment Institutions (PI), Crowdfunding Platforms, AISP/PISP, Automated Investment Advisors and Asset Managers
2. Regulatory Sandbox Consulting
Approach and structuring of regulatory sandbox licenses in the DIFC (Innovation Testing License, or ITL) and the ADGM (Fintech Reglab).
Sectors – Money Service Businesses, Robo-Advisory (passive, automated and hybrid), tokenized crowdfunding platforms (investment, loan-based, property) and decentralised applications (Blockchain-based solutions).
Regulators –Dubai Financial Services Authority (DFSA/DIFC), Financial Services Regulatory Authority (FSRA/ADGM) and the Central Bank of Bahrain.
Regulated licenses – Electronic Money Institutions (EMI), Payment Institutions (PI), Alternate Trading Systems (ATS), DeFi, Blockchain-based regulated fintech
Blockchain and Crypto
3. Consultations
Compliant Token Design, Crypto asset Product Design, Jurisdictional Scoping, KYC/AML Policy Development for Crypto asset Products, Privacy and Data Protection Compliance Strategy for Crypto asset Products
4. Corporate Structuring
Corporate Structuring – Holding structures, IP vesting, ESOPs, Investor on-boarding, customized Articles, Legal documentation
Jurisdictional Selection
Assistance in incorporation
Jurisdictions – Dubai International Financial Centre (DIFC), Abu Dhabi Global Market (ADGM), Dubai World Trade Centre Free Zone (DWTC), Dubai Multi-Commodities Centre (DMCC), Luxembourg
5. Regulatory Licensing
Tokenised Crowdfunding Licensing
DeFi
Crypto-asset Licensing
Crypto-asset Facility Licensing – MTF, OTF
Crypto Trading Platforms
Crypto-related advisory and asset management permissions
6. Legal
Crypto-asset Purchase Agreements
Crypto-asset Terms and Conditions
Key Features Documents for Security Tokens
Private Placement Memorandums for Tokenised Funds
STO Prospectuses
Simple Agreement for Future Tokens (SAFT)
Privacy Notices
7. Tokenisation of Assets
Legal and technical consultancy services on tokenization of physical or digital assets such as securities, real estate, financial assets, luxury goods, art, and initial public offerings. Assistance in legal documentation, compliance framework for the offering and selection of suitable jurisdictions.
We also assist with corporate and commercial documentation through our legal consultancy - 10 Leaves Legability. We assist in the drafting of:
- Crypto-asset Purchase Agreements
- Crypto-asset Terms and Conditions
- Key Features Documents for Security Tokens
- Private Placement Memorandums for Tokenised Funds
- STO Prospectuses
- Simple Agreement for Future Tokens (SAFT)
- Privacy Notices
- Founder agreements
- Shareholder agreements
- Investor agreements
- Share vesting/ESOP plans
- Client/Supplier/Distributor agreements
- Employment agreements
Team
Rohit Ghai – Founder & Blockchain Specialist
Rohit is the Founder of 10 Leaves. With over eighteen years of experience in the region, Rohit consults firms on corporate structuring, market entry strategies, fintech, fund structuring, regulatory authorisations and startup funding. He conducts workshops on doing business in the region and is a regular presenter to visiting trade delegations from Europe and Asia.
Rohit advises clients on legalities related to blockchain technologies and applications, including tokenization, DeFi and DApps, Tokenomics, STOs and secondary listings.
Master in Business Administration
Capabilities – Fintech, Blockchain, Funds, Venture Capital
Jurisdictions – DIFC, ADGM, UAE Mainland, DWTC, DMCC
Bishr Shiblaq
Bishr established and headed the MENA office of the leading Luxembourg law firm, Arendt & Medernach for around 10 years. In this capacity he advised leading financial institutions, sovereign wealth funds, asset managers, MNCs and family offices in both Europe and the Middle East on all issues relating to the structuring of international transactions and the setting up of regulated and unregulated investment structures.
Certified Investment Fund Director (CIFD)
Master of Laws (L.L.M.) in International Economic Law from the University of Warwick (UK). Capabilities – Legal, Structuring, STOs and secondary offerings, Islamic Finance, Funds
Jurisdictions – DIFC, ADGM, Luxembourg, Europe
Soumen Ghosh
Soumen is a Master of Computer Applications and has over 20 years of experience in media and technology applications. He has consulted international organisations on technology transformation and helped implement holistic media solutions across India and the United Arab Emirates. Soumen now consults on fintech applications in money services, robo-advisory and blockchain-related solutions. He is an active NFT creator, with profiles on OpenSea and Mintable.
Get in touch! for more details on Setting up Virtual Asset Service Providers in the DIFC