Virtual Asset Service Providers in the United Arab Emirates
Why setup a financial services firm in the United Arab Emirates?
The UAE is a dynamic and progressive jurisdiction, with a focused approach towards digitization. It is one of the few nations in the world that has a dedicated blockchain strategy, and has in the past few years come out with legislation to support this push towards new technologies.
The United Arab Emirates comprises seven Emirates, with federal laws governing banking, financial and financial regulatory matters, among others. It has has over 35 special economic zones, or free zones, as they are known. These include two financial free zones – the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM).
A high standard of living, favorable time zone and ability to recruit talent from across the world are some of the advantages of setting up in the UAE.
What is a Virtual Asset Service Provider?
Digital Asset Entities (DAE)
DAE can be any business that is built around crypto transactions. These include Virtual Asset Service Providers (VASP) such as crypto exchanges, ATMs that allow crypto transactions and conversion, gaming sites, business incubators and any other such entity that deals in digital assets. They are also called Virtual Asset Entities or Crypto Asset Entities.
Digital Asset Customer (DAC)
Any Digital Asset Entity that uses the services of a bank or any other financial institution is a DAC. They are classified thus mainly to account for increased AML monitoring and compliance checks.
Virtual Asset Service Providers
Enhanced anti-money laundering/counter terrorism financing and compliance obligations apply to DAEs that engage in financial services. These DAEs are referred to as Virtual Asset Service Providers and include exchanges/platforms that allow for fiat-virtual or virtual-virtual asset conversions (Alternative Trading Systems or Multilateral Trading facilities), transfers of virtual assets, custody of virtual assets such as digital custodians, and issuers/distributors and advisors on virtual assets, such as asset managers and investment advisors.
Most regulators define VASPs in a way to capture the above activities carried out “for and behalf of another person”, so for instance, mining crypto at home or on an individual basis may not come under regulation, but mining pools could be classified as VASPs.
Current regulatory framework for Virtual Asset Service Providers in the UAE
The three regulators – Emirates Security and Commodities Authority of onshore UAE, DFSA of the DIFC and FSRA of the ADGM, all have their own crypto-asset/virtual asset regulations. While the DFSA and FSRA regulations cover their respective free zones, the SCA regulations are expected to cover the rest of the UAE, including certain free zones like the DWTC and DMCC. Further clarity is expected shortly.
VASPs in the Abu Dhabi Global Market
The ADGM’s Virtual Assets Framework is designed to cover all activities concerning virtual assets. This includes non-fiat virtual currencies such as Bitcoin and Ether, Digital Securities that include tokenised offerings of securities (Security Tokens), Fiat tokens or Stablecoins and associated derivatives. Utility Tokens are also mentioned in the framework but may not come under the purview of regulation, if they do not exhibit features and characteristics of a regulated investment.
The ADGM Virtual Assets Framework is of interest to Virtual Asset Service Providers, especially issuers of Virtual Assets, Digital Exchanges that wish to admit Virtual Assets to trading, or performing clearing and settlement services, operators of exchanges such as Multilateral Trading Facilities (MTF) and Organised Trading Facilities (OTF) that wish to trade Virtual Assets, providers of Digital Wallets who provide custody and storage services for such virtual assets, technology providers and in general, any licensed firm that wishes to advise, arrange or manage virtual assets.
What does ADGM consider to be a Virtual Asset?
As per the ADGM’s definition, "Virtual Asset" means a digital representation of value that can be digitally traded and functions as
(1) a medium of exchange; and/or
(2) a unit of account; and/or
(3) a store of value, but does not have legal tender status in any jurisdiction.
A Virtual Asset is -
(a) neither issued nor guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the Virtual Asset; and
(b) distinguished from Fiat Currency and E-money."
Virtual Assets are treated as Commodities and hence not deemed Specified Investments, under the ADGM Regulations.
What does the FSRA consider to be a Digital Security?
In addition, a Digital Security is defined as a token that confers rights and obligations that are:
(i) the same as those conferred by a share, debenture or futures contract (Investments); or (ii) substantially similar in nature, purpose or effect, to those conferred by Investments.
In effect, a Digital Security is a token that behaves as a security (equity, debenture, convertible, future, option etc.) and is hence considered by the FSRA as a Security and a Specified Investment.
How are Utility Tokens classified under the ADGM Virtual Assets Framework?
Utility Tokens, i.e. tokens that can be redeemed for access to a specified product or service are treated as commodities and hence not deemed Specified Investments. Trading and transactions in Utility Tokens are not regulated, unless they are caught as Accepted Virtual Assets.
What are Accepted Virtual Assets in the ADGM?
The FSRA would require third-party verification to demonstrate that the Virtual Asset meets security requirements to be deemed an accepted Virtual Asset. The considerations would include:
- Market capitalization and sufficiency of client demand, proportion in free float and the control mechanisms to manage volatility
- Security – the ability of the Virtual Asset to respond and adapt to vulnerabilities
- Origin and destination of the virtual asset, ability to identify counterparties in transactions and monitoring of on-chain transactions
- Number of exchanges where the Virtual Asset is listed and the depth of regulation of such exchanges
- Type of DLT used
- Depth of innovation of the Virtual Asset and practicality of application.
You can read more about the ADGM Regulations for Virtual Asset Service Providers here.
VASPs in the Dubai International Financial Centre
The DIFC’s Digital Assets Framework is designed to cover all activities concerning virtual assets. The Dubai Financial Services Authority (DFSA) recently issued a consultation paper on the regulation of Security Tokens in the DIFC. This paper is one of the two consultation papers that will go on to make the base for the DIFC Digital Assets Regime, thus opening the gateway to a whole new world of exciting and cutting-edge fintech applications using the Distributed Ledger Technology (DLT).
The DFSA then made the relevant amendments to it’s legislation in the end of September, thus creating the framework for the regulation of Security Tokens in the centre.
Part 1 of the DIFC Digital Assets Regime covers Security Tokens. Part 2 is expected to cover Utility Tokens, Exchange Tokens and Stablecoins.
What does DIFC consider to be a token, or a crypto-asset?
The DFSA defines a token as a digital representation of value, rights and obligations that are created, stored and transferred electronically, using distributed ledger technology (DLT) or similar technology.
Generally, crypto-assets depend on cryptography and distributed ledger as part of their perceived or inherent value. They are created, stored and transferred using a DLT application, using:
- An address,
- a public key corresponding to that address, and
- a private key, also corresponding to that address.
What does the DFSA consider to be a Security Token?
In addition, a Security Token is defined as a token that confers rights and obligations that are:
(i) the same as those conferred by a share, debenture or futures contract (Investments); or (ii) substantially similar in nature, purpose or effect, to those conferred by Investments.
In effect, a Security Token is a token that behaves as a security (equity, debenture, convertible, future, option etc.) and is hence considered by the DFSA as a specified investment.
Virtual Asset Service Provider activities expected to be covered by the Regime:
- dealing as Principal or Agent in accepted virtual assets.
- managing virtual assets of clients.
- Arranging deals in investments where such investments are virtual assets.
- Trading in virtual assets or providing trading platforms/exchanges such as Multilateral Trading Platforms.
- Marketing of virtual assets.
- Providing or arranging custody of virtual assets.
- marketing of accepted virtual assets.
- Advising on the purchase or sale of virtual assets.
You can read more about the DIFC Regulations for Virtual Asset Service Providers here.
Virtual Asset Service Providers under the SCA
The SCA Crypto Asset Activities Regulation (CAAR) covers promotion and marketing, issuance and distribution, advice, brokerage, custody and safekeeping, fundraising and operating an exchange in the UAE. The high-profile entry of Binance in the region has accelerated the development and adoption of these regulations, and the finalised rules are expected in the next few months.
What does the SCA consider to be a crypto-asset?
Under the SCA, a crypto-asset is:
a record within an electronic network or distribution database functioning as a medium for exchange, storage of value, unit of account, representation of ownership, economic rights, or right of access or utility of any kind, when capable of being transferred electronically from one holder to another through the operation of computer software or an algorithm governing its use.
The SCA Rules apply to issuance and promotion of crypto-asset services, digital wallets that provide custody and exchanges that provide listing and trading facilities for crypto-assets. It does not cover items regulated by the UAE Central Bank, such as currencies, virtual currencies, digital currencies, stored-value units, payment tokens and payment units.
Virtual Asset Service Provider activities in the UAE
The VASP activities that are covered by the UAE Virtual Asset Service Providers Frameworks include:
- dealing as Principal or Agent in accepted virtual assets.
- managing virtual assets of clients.
- Arranging deals in investments where such investments are virtual assets.
- Trading in virtual assets or providing trading platforms/exchanges such as Multilateral Trading Platforms.
- Marketing of virtual assets.
- Providing or arranging custody of virtual assets.
- marketing of accepted virtual assets.
- Advising on the purchase or sale of virtual assets.
Trading of Virtual Assets
All three regulators have an existing framework for the authorization and regulation of Exchanges, Alternative Trading Systems and Clearing houses. Under the regulation for conventional securities, exchanges are licensed as Authorised Market Institutions (AMI), and MTFs and OTFs are licensed as Alternative Trading Systems in the DIFC. Accordingly, the Regulations permits such institutions to perform the same activities for Virtual Assets as well. However, privacy tokens and anonymous trading will not be allowed.
There are additional requirements applicable to such facilities, mainly comprising KYC and technology-related compliances.
Additional IT-related requirements
The UAE regulators would be interested in reviewing the criteria for market participants who access and update records on the platform, network security and ongoing compliances. They would also review the IT design of the DLT implementation adopted by the VASP that trades virtual assets, and whether it is able to address how the rights and obligations relating to the tokens are properly discharged.
Technology governance mechanisms would also be reviewed, including IT architecture, storage and transmission of data, procedures to address soft and hard forks, cyber-security measures,
decision-making protocols and interfaces with providers of digital wallets.
A comprehensive IT audit, conducted by an independent third-party IT expert would be required to be submitted to the Regulators annually.
What is an Multilateral Trading Facility?
A Multilateral Trading Facility is a platform that is more loosely regulated than an exchange. It is used to match large orders mainly from institutional clients, and hence work as broker-dealers rather than exchange houses. They are also referred to as Multilateral Trading Facilities in Europe.
MTF operators allow for trading of a wide variety of equity and non-equity securities, including shares, warrants, options, derivatives, futures, CFDs, fund units and crypto assets. Contracts between buyers and sellers are formed according to a set of transparent rules that do not discriminate between members or their clients (non-discretionary basis).
Organised Trading Facilities on the other hand, are facilities where contracts for the exchange of non-equities such as bonds, structured finance products, emission allowances or derivatives are formed, on a discretionary basis. An MTF is usually operated by a regulated investment firm or an operator, whereas an OTF can only be operated by a regulated investment firm.
Why are MTFs of interest in the UAE?
Virtual Asset Service Providers that wish to provide a platform for the listing and trading of Virtual Assets, will need to seek authorisations from the DIFC, ADGM or the Securities and Commodities Authority (SCA) to operate an MTF. There are already 6 VASPs in the ADGM, with some more at In-Principle Approval stage. To the best of our knowledge, there are no Digital Exchanges in the DIFC or in the mainland UAE.
What are digital wallets?
Digital wallets are VASPs that store the public and private keys that enable users to interact with DLT to trade in tokens and monitor their balances. These can be hot wallets, i.e. software/cloud-based wallets connected to the Internet, or cold wallets, i.e. hardware devices such as USB sticks with security features.
DLT networks usually provide their own wallet functions, like Bitcoin Core for Bitcoin. There are also specialized wallet providers who hold client’s tokens – these include the likes of Coinbase, Exodus and Mycellum.
Providers of Digital Wallet services will have to be licensed to Provide Custody, either by the UAE or an equivalent regulator. Clients also have the option to self-custody by using their own digital wallets, in which case, the Virtual Assets are held at their own risk. VASPs can also take custody of clients’ Virtual Assets by holding their private keys in a DLT-based account under the operator’s own private key, and hence will have to be licensed by the UAE Regulator to provide such services.
Additionally, the Regulations allows operators of MTFs to hold Client Money, so that they can trade Virtual Assets. Such MTFs will be subject to Client Money requirements from the Regulators.
Token Issuers
The prospectus requirements that apply for public offers of Securities, i.e. Initial Public Offerings, will continue to apply to IPO’s of Security Tokens. In these cases, the white papers released by the issuers can be considered as Prospectuses, provided they contain the information as mandated by the Regulator for issuances of securities. Also, there will be additional information and disclosures required for Security Token issuances.
The Regulators have provisions for exempt offers in the case of conventional securities, and an offer of Security Tokens denominated in an amount of at least US$ 100,000 or equivalent may be considered an exempt offer. However, any further fractional interest in such security tokens (for less than US$ 100,000) may not be exempt.
Token Funds
Funds can also be tokenised. The DFSA, FSRA and the SCA allow Security Tokens that represent rights and obligations similar to Units in a Fund, in which case they will be regulated in the same manner as Units of Funds. Additional prospectus disclosures will be required, similar to those required in the case of initial offers of other Security Tokens. Such tokens can be offered both to the public and via private placement, and the same rules and eligibility criteria will apply to the Fund Managers.
Funds will also be allowed to invest in other crypto-tokens, subject to appropriate disclosures in the Fund Prospectus.
Regulatory approvals
Virtual Asset Service Providers interested in carrying out financial services from the UAE are required to submit applications to the relevant financial services regulator.
Application processes can vary, depending on whether the application is made to the DIFC, the ADGM or the SCA.
In the case of the DIFC and the ADGM, the Virtual Asset Service Provider will have to be based within the respective centres. In the case of licensing from the SCA, the VASP has an option to be based in the mainland, or in a free zone of choice. We do see this being the Dubai World Trade Centre Free Zone, or DWTC, where Binance is in the process of setting up their UAE headquarters.
You can refer to our specific articles on the subject to know more details.
Key requirements for crypto exchanges in the UAE
The UAE regulators expect that the VASP have transparent and non-discriminatory rules and procedures to ensure fair and orderly trading of investments, and objective criteria governing access to its facility. The regulators also require the VASP to have objective and transparent criteria for admitting securities that will be traded on the platform, adequate technology resources and procedures for proper market conduct.
A Virtual Asset Service Provider may only trade investments that reference to an underlying benchmark or index provided by a Price Information Provider, which is usually a price reporting agency or an index provider like Refinitiv.
The VASP is also required to provide adequate pre-trade and post-trade transparency to its market participants. Since an MTF is not authorised to provide clearing and settlement services, it will have to make arrangements for clearing and settling trades from an existing clearing house in the respective jurisdiction.
Technology and governance requirements for VASPs that deal in Virtual Assets
MTFs that allow primary listing and secondary trading of Virtual Assets will have to ensure that the DLT applications used by the facility operate on permissioned access. Privacy tokens and anynomous trading are not allowed.
The regulator would be interested in reviewing the criteria for market participants who access and update records on the platform, network security and ongoing compliances. They would also review the IT design of the DLT implementation adopted by the facility that trades security tokens, and whether it is able to address how the rights and obligations relating to the tokens are properly discharged.
Technology governance mechanisms would also be reviewed, including IT architecture, storage and transmission of data, procedures to address soft and hard forks, cyber-security measures, decision-making protocols and interfaces with providers of digital wallets.
A comprehensive IT audit, conducted by an independent third-party IT expert would be required to be submitted to the regulator annually.
Staffing
The UAE regulator expects that the Virtual Asset Service Provider be adequately staffed depending on the scale, scope and nature of the product portfolio that is proposed to be offered from the UAE. At a minimum, the UAE regulator would like to see the following appointments:
Board of Directors – a well-organized Board with robust governance policies. The Chair would have to be a non-executive Director.
Chief Executive Officer (CEO) – Senior banking professional with over 10 years of experience, ordinarily resident in the UAE.
Finance Officer (FO) – Senior and suitably-qualified finance professional. In case of a group, the FO can be from the parent company and does not have to be resident in the UAE. This role can also be outsourced.
Risk Officer – This position is usually outsourced, and not mandatory.
Chief Technology Officer – suitably qualified and experienced IT expert.
Compliance Officer (CO) - Senior compliance professional with over 10 years of experience, ordinarily resident in the UAE.
Money-Laundering Reporting Officer – Senior AML professional with over 10 years of experience, ordinarily resident in the UAE. This function can be combined with Compliance and one individual can carry out both responsibilities.
The CO and MLRO roles can also be outsourced.
Internal Auditor - Senior and suitably qualified internal audit professional. Usually outsourced to a professional firm.
External Auditor – A well-recognised auditor.
Independent IT Auditor – Suitably qualified IT expert (e.g CISA, CISM, ISACA, CISSP qualified)
Our Services
(I.)Fintech Advisory
Consultations on structuring fintech businesses in the UAE and Saudi Arabia. Starts with advice on holding structures, share vesting plans, investor and founder legal packs. In case of regulated fintechs, we also advise and assist in authorisations from the relevant financial regulators.
Sectors – Money Service Businesses, Open Banking, Robo-Advisory (passive, automated and hybrid), crowdfunding platforms (investment, loan-based, property) and decentralised applications (DeFi and Blockchain-based solutions).
Regulators – UAE Central Bank, Emirates Security and Commodity Authority, Dubai Financial Services Authority (DFSA/DIFC), Financial Services Regulatory Authority (FSRA/ADGM) and the Central Bank of Bahrain.
Regulated licenses – Electronic Money Institutions (EMI), Payment Institutions (PI), Crowdfunding Platforms, AISP/PISP, Automated Investment Advisors and Asset Managers.
(II.)Regulatory Sandbox Consulting
Approach and structuring of regulatory sandbox licenses in the DIFC (Innovation Testing License, or ITL) and the ADGM (Fintech Reglab).
Sectors – Money Service Businesses, Robo-Advisory (passive, automated and hybrid), tokenized crowdfunding platforms (investment, loan-based, property) and decentralised applications (Blockchain-based solutions).
Regulators –Dubai Financial Services Authority (DFSA/DIFC), Financial Services Regulatory Authority (FSRA/ADGM) and the Central Bank of Bahrain.
Regulated licenses – Electronic Money Institutions (EMI), Payment Institutions (PI), Alternate Trading Systems (ATS), DeFi, Blockchain-based regulated fintech.
(III.)Blockchain and Crypto
Consultations
Compliant Token Design, Crypto asset Product Design, Jurisdictional Scoping, KYC/AML Policy Development for Crypto asset Products, Privacy and Data Protection Compliance Strategy for Crypto asset Products.
(IV.)Corporate Structuring
Corporate Structuring – Holding structures, IP vesting, ESOPs, Investor on-boarding, customized Articles, Legal documentation.
Jurisdictional Selection.
Assistance in incorporation.
Jurisdictions – Dubai International Financial Centre (DIFC), Abu Dhabi Global Market (ADGM), Dubai World Trade Centre Free Zone (DWTC), Dubai Multi-Commodities Centre (DMCC), Luxembourg.
(v.)Regulatory Licensing
Tokenised Crowdfunding Licensing.
DeFi.
Crypto-asset Licensing.
Crypto-asset Facility Licensing – MTF, OTF.
Crypto Trading Platforms.
Crypto-related advisory and asset management permissions.
(vi.)Legal
Crypto-asset Purchase Agreements.
Crypto-asset Terms and Conditions.
Key Features Documents for Security Tokens.
Private Placement Memorandums for Tokenised Funds.
STO Prospectuses.
Simple Agreement for Future Tokens (SAFT).
Privacy Notices.
(vii.)Tokenisation of Assets
Legal and technical consultancy services on tokenization of physical or digital assets such as securities, real estate, financial assets, luxury goods, art, and initial public offerings. Assistance in legal documentation, compliance framework for the offering and selection of suitable jurisdictions.
We also assist with corporate and commercial documentation through our legal consultancy - 10 Leaves Legability. We assist in the drafting of:
- Crypto-asset Purchase Agreements.
- Crypto-asset Terms and Conditions.
- Key Features Documents for Security Tokens.
- Private Placement Memorandums for Tokenised Funds.
- STO Prospectuses.
- Simple Agreement for Future Tokens (SAFT).
- Privacy Notices.
- Founder agreements.
- Shareholder agreements.
- Investor agreements.
- Share vesting/ESOP plans.
- Client/Supplier/Distributor agreements.
- Employment agreements
Team
Rohit Ghai – Founder & Blockchain Specialist
Rohit is the Founder of 10 Leaves. With over eighteen years of experience in the region, Rohit consults firms on corporate structuring, market entry strategies, fintech, fund structuring, regulatory authorisations and startup funding. He conducts workshops on doing business in the region and is a regular presenter to visiting trade delegations from Europe and Asia.
Rohit advises clients on legalities related to blockchain technologies and applications, including tokenization, DeFi and DApps, Tokenomics, STOs and secondary listings.
Master in Business Administration.
Capabilities – Fintech, Blockchain, Funds, Venture Capital.
Jurisdictions – DIFC, ADGM, UAE Mainland, DWTC, DMCC.
Bishr Shiblaq
Bishr established and headed the MENA office of the leading Luxembourg law firm, Arendt & Medernach for around 10 years. In this capacity he advised leading financial institutions, sovereign wealth funds, asset managers, MNCs and family offices in both Europe and the Middle East on all issues relating to the structuring of international transactions and the setting up of regulated and unregulated investment structures.
Certified Investment Fund Director (CIFD).
Master of Laws (L.L.M.) in International Economic Law from the University of Warwick (UK). Capabilities – Legal, Structuring, STOs and secondary offerings, Islamic Finance, Funds.
Jurisdictions – DIFC, ADGM, Luxembourg, Europe.
Soumen Ghosh
Soumen is a Master of Computer Applications and has over 20 years of experience in media and technology applications. He has consulted international organisations on technology transformation and helped implement holistic media solutions across India and the United Arab Emirates. Soumen now consults on fintech applications in money services, robo-advisory and blockchain-related solutions. He is an active NFT creator, with profiles on OpenSea and Mintable.
Get in touch! for more Information on Virtual Assets Service ProvidersIn The UAE