Guide to VARA Custody Services Licenses

 
Article Overview

  • Custody is a “high-risk” VA activity under VARA because it is the point where client assets can be lost, frozen, misappropriated, or compromised through key-management and operational failure.

  • You likely need a VARA Custody Services licence if you hold or control client virtual assets, including operating wallets for clients, managing private keys/seed phrases, or controlling signing/approval workflows (i.e., anything beyond pure tech support).

  • VARA’s custody rulebook focuses on client protection and operational resilience, especially wallet design, key security, segregation, reconciliations, and tight restrictions on the use of client assets.

  • Covered models include safekeeping/control, wallet administration, and custody-linked services where the client’s ability to move assets depends on the custodian’s systems and controls.

  • Segregation is central: VARA expects client assets to be identifiable and attributable at the client level (practically pushing “one client per wallet” style custody architecture with defensible books, logs, and reconciliation discipline).

  • Staking from custody is not automatic. It may only be offered if explicitly authorised, and must preserve segregation, instruction integrity, and additional protocol-risk governance (e.g., lock-ups, slashing, validator risk).
 

Dubai has placed itself at the centre of the global virtual-asset conversation by establishing a dedicated regulator: the Virtual Assets Regulatory Authority (VARA). While most firms first think of exchanges and broker-dealers, VARA’s regime treats custody as its own high-risk activity, because custody is where client assets can be lost, frozen, misappropriated, or compromised through key-management failure.

If a business wants to hold or control client virtual assets, operate wallets on behalf of clients, manage private keys, provide safeguarded storage solutions, or offer client-asset handling that is more than “tech support”, that business will typically require a VARA Custody Services license. Operating without the proper authorisation is not a viable strategy: custody is one of the most scrutinised permissions under VARA’s framework.

In this article, we look at the Custody Services license, including what custody means under VARA, typical models captured, capital and insurance expectations, and the licensing process and ongoing compliance considerations.

What is a VARA Custody Services license?

A VARA Custody Services license authorises an entity to safeguard virtual assets on behalf of clients, including by controlling the mechanisms that enable transfers (for example, keys, seed phrases, signing devices, wallet infrastructure, and operational approvals).

Custody extends beyond “cold storage” to encompass the governance and control mechanisms that determine how client assets are authorised, accessed, and transferred. Under VARA’s Custody Services Rulebook, the regulatory focus is on control, segregation, client protections, governance, and operational resilience, particularly around wallet design, key security, reconciliations, and restrictions on how client assets may be used.

What is VARA?

The Virtual Assets Regulatory Authority (VARA), established in early 2022, represents a pioneering initiative by the Dubai government to regulate the fast-growing sector of virtual assets.

VARA is the first regulatory body of its kind dedicated to ensuring the secure and effective functioning of Virtual Asset Service Providers (VASPs) in Dubai. This initiative positions Dubai and the UAE as a prominent centre for digital finance and innovation.

What are VARA’s objectives?

VARA’s primary objectives include promoting Dubai as a regional and international centre for virtual assets, enhancing the competitive edge of the Emirate in this domain, and fostering a robust digital economy.

The authority is tasked with developing regulations that protect investors while curbing illegal practices associated with virtual assets, including requirements around governance, disclosure, market conduct, and operational resilience.

What are the advantages of getting licensed by VARA?

The Virtual Assets Regulatory Authority (VARA) is Dubai’s dedicated regulator for virtual asset activities and the primary licensing gateway for firms that want to operate compliantly in this sector. A VARA licence can offer several practical advantages:

Regulatory compliance and legitimacy


1. Legal authorisation: A VARA licence gives a business formal legal authorisation to conduct permitted virtual asset activities in Dubai, and it provides a clear regulatory basis for how the firm may operate, market its services, and onboard clients in line with applicable requirements.

2. Investor trust: A licensed status typically strengthens credibility with investors, counterparties, and clients because it signals that the firm is operating under a recognised supervisory framework, with defined compliance, governance, and conduct expectations.

Access to a thriving market


1. Strategic location: Dubai has positioned itself as a regional and international hub for blockchain and digital asset innovation, and a VARA licence can help firms participate more effectively in this market by enabling them to build regulated offerings and engage institutional and retail segments (as applicable).

2. Supportive ecosystem: VARA’s regulatory infrastructure is designed to support the development of compliant business models, which can make it easier for licensed firms to scale operations, form partnerships, and expand service lines within a structured supervisory environment.

A comprehensive licensing framework


1. Diverse licensing categories: VARA offers multiple licensing categories that map to distinct virtual asset services, such as advisory, broker-dealer/exchange-related activities, custody, and payments, allowing firms to select the authorisation that aligns most closely with their business model and risk profile.

2. Ongoing regulatory engagement: Licensed firms benefit from clearer channels of regulatory engagement during the authorisation process and through ongoing supervision, which can help management teams interpret expectations, address regulatory queries, and implement compliance requirements in a more structured way.

 

Enhanced operational standards


1. High compliance standards: Applicants are expected to implement robust compliance controls, including anti-money laundering and counter-terrorist financing frameworks, alongside governance, risk management, and operational policies that are proportionate to their activities. In addition, firms are typically expected to maintain effective cybersecurity and technology risk controls to address threats that are common in virtual asset operations. These standards help protect clients and reduce the likelihood of operational, financial crime, and security incidents.

2. Training and development: Licensed entities are generally expected to adopt ongoing training and competence programmes for staff and senior management so that internal teams remain up to date with regulatory developments and evolving industry risks. In practice, this pushes firms to institutionalise professional development, maintain consistent operational standards, and ensure that key personnel can demonstrate continuing competence in a fast-changing sector.

What activities fall under the VARA Custody Services license?


Covered custody activities (typical scenarios)

A VARA Custody Services licence is generally triggered where a firm is in the business of holding or controlling client virtual assets for any monetary or non-monetary benefit, and where the client’s ability to move those assets depends (in substance) on the custodian’s systems, governance, or access to transaction-enabling components. In VARA’s framing, custody is not merely “storage”: it is an accountability function in which the VASP must ensure custody is provided only on verified client instructions and on the basis that the client assets held in custody are not treated as the custodian’s own balance-sheet assets or liabilities.

  1. Safekeeping and control of client virtual assets: Safekeeping and control captures the operational reality of running the “control layer” around client assets: key/seed generation and storage, approval workflows, secure wallet architecture (hot/warm/cold), and the internal controls that determine how assets can be accessed, moved, or withdrawn. Where the custodian is the party that can ultimately sign (or cause signing) of transactions, or can block/permit withdrawals through its security and authorisation stack, this is custody because the client is relying on the custodian’s control environment, not merely its infrastructure. VARA’s custody framework also expects a risk-based approach to wallet design and documented, auditable pathways for transfers between wallet types, reflecting where cyber and operational risks typically concentrate.

  2. Wallet provision and administration (where the custodian controls keys/signing/approvals): Wallet provision and administration becomes custody when the provider controls the transaction-enabling components (private keys/seed phrases, signing modules, multi-sig approval rights, or equivalent mechanisms), or where the provider’s governance effectively determines when a transaction can be executed. This is why custody is treated as a distinct “control” service: VARA expects client asset segregation in custody wallets (as a baseline, one client per wallet) and prohibits rehypothecation of client assets held under custody, regardless of whether a client might be willing to consent. In addition, VARA’s framework anticipates structural and operational segregation for custodians, reflecting the regulator’s view that custody should be ring-fenced from other, more conflict-prone virtual asset activities.

  3. Client asset segregation in custody wallets: Segregation is not a cosmetic recordkeeping preference; it is the legal-risk and insolvency-risk backbone of the custody model. By requiring assets to be identifiable and attributable at the client level, VARA is aiming to reduce ambiguity in any dispute scenario (instruction challenges, reconciliation errors, fraud events) and to preserve clarity if the custodian faces distress. Operationally, this pushes custodians toward wallet architectures and ledgering that can demonstrate, at any point in time, what is held for whom, what movements occurred, and under what approvals, supported by audit-ready logs and reconciliations.

  4. Staking from custody (only if authorised): Where a custodian offers staking from custody, VARA treats this as an extension of custody rather than a mere “add-on”: it may only be provided if explicitly authorised and stated in the licence, and it remains subject to the broader custody obligations throughout. Practically, this means staking cannot be used to dilute segregation or control standards; instead, it must be structured so that client entitlements remain clear, instructions are properly evidenced, and protocol risks (including slashing, validator/node risk, and lock-up/withdrawal constraints) are managed through additional governance, disclosures, and controls.

  5. Collateral Wallet Services (ancillary and only with explicit authorisation): Collateral Wallet Services are treated as ancillary custody functionality and are only permitted where the custodian is specifically authorised to provide them. These arrangements typically support the holding of assets as collateral in connection with trading and settlement flows between regulated entities, which makes them especially sensitive from a market-integrity perspective. Accordingly, VARA’s approach implies enhanced operational discipline around designation, recordkeeping, permitted use, and restriction of those wallets to the collateral purpose, so they do not become de facto general custody wallets, and so collateral movements remain strictly governed, receipted, and auditable.

What restrictions apply to licensed custody VASPs?

 

VARA’s custody framework includes a couple of non-negotiable design constraints that should sit at the start of any custody business model discussion, not as “legal footnotes” to be dealt with later. They are intentionally drafted to keep custody as a pure safekeeping/control function and to reduce conflict and contagion risk across a group.

  1. No rehypothecation of client virtual assets: VARA draws a bright regulatory boundary around client assets held under custody: a custodian must not authorise or permit rehypothecation of the virtual assets for which it provides Custody Services regardless of whether the client has consented. Importantly, VARA goes further and states that custodians must not seek or attempt to obtain such consent as part of the custody service. In practice, this means “better disclosure” or “stronger contractual drafting” cannot be used to legitimise a custody model that involves lending, re-pledging, re-using, or otherwise encumbering client custody assets for the custodian’s (or a third party’s) benefit. The commercial implication is clear: yield-generating activity needs to be structurally separated from custody, and custody revenues must be built on permitted fees rather than balance-sheet style use of client assets.

  2. Separate legal entity expectation: VARA also states that a VASP providing Custody Services must be an independent legal entity, separate from other members of its group that provide other VA activities or linked services, subject only to a limited exception pathway tied to VA Transfer and Settlement Services. The regulatory logic is conflict containment: custody is a trust-sensitive control function, and VARA expects it to be insulated from the incentives and operational pressures that arise in trading venues, brokerage, lending/borrowing, and other activities where proprietary exposures and liquidity demands can create friction with client-asset protection. For groups, this requirement typically drives a ring-fenced custody entity with distinct governance and operational boundaries (including conflicts management, intercompany dependency controls, and credible wind-down planning) so that custody cannot be treated as an accessory to higher-risk business lines.

Which activities do not fall under custody?

Custody risk often arises when firms describe themselves as “custody-adjacent” while still controlling keys or transaction approval. In practice, the line is usually drawn around control:

  • Pure technology delivery (e.g., software development, audits, bug fixes) can sit outside custody if the provider does not hold client assets, control keys, or operate wallet infrastructure in a way that enables transfers.
  • Once a provider controls the transaction rails (key custody, signing, approval workflows, wallet administration for clients), it typically moves into custody-risk territory and should be assessed as such.

VARA also states that entities must be licensed before undertaking VA activities, and that multiple activities require meeting each activity’s requirements in full. 

I want to operate a virtual asset business. Do I need a VARA license?

Yes. You will need to obtain a license from VARA before you conduct any virtual asset business within the emirate of Dubai.

There are two stages in the licensing process. Step 1 is submission of an initial application, followed by a detailed review and in-principle approval.

VASPs are also required to be physically present in Dubai, in the form of leasing or purchasing an office.

The authority has also outlined specific requirements regarding capital adequacy, operational transparency, and compliance with anti-money laundering protocols.

What staffing and “fit and proper” expectations apply?

VARA expects advisory services firms to operate with an identifiable, accountable professional layer.

Advisory staff (including senior management and key advisory personnel) are typically expected to satisfy:

  1. Integrity checks (fitness, propriety, conflicts, past conduct);

  2. Competence checks (skills and capability to deliver advisory services responsibly);

  3. Financial soundness checks; and

  4. For analysts, formal education and relevant experience in crypto and/or financial markets (especially where the firm produces research or recommendations relied upon by clients).

What is the process to set up a VARA license in Dubai?

  1. Choose the zone of incorporation of the legal entity; this can be the DWTC or any other free zone in Dubai, or the Dubai Economic Department (mainland) license.
  2. Finalise the physical office; this will be based on the number of visas required and the actual space required to carry out your business operations.
  3. Reserve the name and sign the corporate documents, such as the Memorandum of Association.
  4. Submit an Initial Disclosure Questionnaire (IDQ) to VARA.
  5. VARA reviews the submission, reverts with questions, if any, and then sends an invoice for 50% of the application fees.
  6. VARA issues an Initial Approval once the fees are paid.
  7. Submit the Initial Approval to the contracted free zone to obtain the non-operational license.
  8. Complete Part 2 of the VARA application within 12 months; this includes detailed document submissions, policies and procedures, appointment of responsible individuals, Compliance and AML officers, and company secretaries.
  9. VARA then issues an invoice for the remaining 50% of its application fees.
  10. Once paid, VARA issues the permissions to formally carry out the activities applied for. This is now a fully functional and regulated license.

Fees and capital requirements 

1) VARA regulatory fees (official schedule)


Under VARA’s Schedule 2 (Supervision and Authorisation Fees), the Custody Services activity attracts the following regulator fees:

  • Licence application fee: AED 100,000 (one-time; payable on submission).

  • Licence extension fee: 50% of the lower Licence Application Fee(s) (payable for each additional regulated VA activity added under the same application).

  • Annual supervision fee: AED 200,000 (payable per year, per activity).

VARA notes that applications are not processed until applicable application/extension fees are received, and it retains discretion to impose additional supervision fees depending on a VASP’s risk profile.

2) Paid-up capital (minimum capitalisation)


VARA’s Company Rulebook (Paid-Up Capital) prescribes a minimum paid-up capital requirement for Custody Services of:

  • The higher of: AED 600,000 or 25% of fixed annual overheads (to be held and maintained at all times).

If the entity is licensed for more than one VA activity, VARA applies an activity-by-activity capitalisation approach (i.e., the VASP must hold the paid-up capital specified for each VA activity).

Form / where capital is held: Paid-up capital must be maintained in one of the prescribed forms, including:

  • a trust account with a UAE-licensed bank with VARA as beneficiary;

  • a surety bond (no end date) with VARA as beneficiary; or

  • another method specified by VARA as a licence condition.

3) Expense-based liquidity buffer (net liquid assets)


In addition to paid-up capital, VARA requires VASPs to maintain Net Liquid Assets such that:

  • Net Liquid Assets ≥ 1.2 × monthly operating expenses, maintained at all times.

Key practical points under the Company Rulebook include:

  • NLA must be reconciled daily and reported to VARA monthly.

  • NLA may only be maintained in permitted liquid assets, including cash/cash equivalents and USD/AED-referenced virtual assets approved by VARA.

4) Insurance


VARA requires VASPs to hold insurance adequate to the size/complexity of the business, including professional indemnity, directors’ & officers’, and commercial crime (or similar) cover for virtual assets stored in hot wallets, plus any other cover VARA stipulates as a licence condition.

Separately, the Company Rulebook also requires Reserve Assets equivalent to 100% of liabilities owed to clients, held one-to-one in the same virtual asset, with daily reconciliation and independent audit at least every six months. 

Governance and operating-model requirements 


Custody comes with additional governance expectations. For example, the Custody Services Rulebook includes requirements around board composition and oversight, including having executive and non-executive directors and at least one independent director, and meeting at least quarterly.

Operationally, VARA’s custody rulebook emphasises controls such as:

  • Client asset segregation per client wallet (for standard custody).
  • Continuous control over client assets while providing custody.
  • Key/seed security controls, including industry best practices for encryption and secure storage; and ensuring that keys stored online or in one physical location are not, by themselves, sufficient to transact unless controls prevent single-person compromise.
  • Lost/compromised key procedures (recovery and communications requirements are explicitly contemplated).
  • Reconciliation discipline (custodians must maintain a register/record of reconciliations as part of custody control).
  • VA wallet management: custodians should conduct a risk-based analysis of storage methods (hot vs cold etc.) and maintain appropriate certifications aligned with industry best practice.

Ongoing compliance expectations 

VARA will generally expect a custodian to evidence a live, functioning control environment, including:

  • Client asset safeguarding and segregation controls, and clear client legal terms.
  • Wallet and key governance (signing controls, separation of duties, secure device management, recovery procedures).
  • No rehypothecation / strict limitations on use of client assets.
  • Reconciliations and records that are timely, accurate, and defensible under scrutiny.
  • Technology and cyber governance, including staff competency around cyber risks and incident reporting practices. 
  • Conflict management and disclosures, particularly where custody is integrated with exchanges or collateral wallet arrangements.

FAQ

1) Does VARA regulate custody across Dubai free zones and mainland, and what about DIFC?

VARA is the regulator for virtual asset activities across Dubai’s mainland and free zones, except within the jurisdiction of the DIFC (which has its own regulator and regime).

2) Do I need a VARA custody licence if I provide wallet technology, MPC, or “key management as a service”?

If your product is purely software (and you never control keys, signing, approvals, or withdrawal permissions), you may fall outside custody. But if you (or your systems) can approve, block, or execute transfers, or hold any transaction-enabling component on the client’s behalf, you are in custody-risk territory and should assess VARA licensing early.

3) What are the two biggest “red line” restrictions for VARA-licensed custodians?

Two non-negotiables sit at the centre of VARA’s custody design:

  • No rehypothecation of client assets, even if a client would consent, and the custodian must not seek that consent as part of custody services.

  • Ring-fencing: custody is expected to sit in a separate legal entity from group entities providing other VA activities (subject to limited exceptions tied to transfer and settlement structures).

4) Does VARA require “one client per wallet” segregation?

Yes. VARA’s custody rules include a clear segregation expectation that each client’s virtual assets are kept in separate VA wallets containing only that client’s assets.

5) Can a VARA custodian offer staking from custody?

Yes, but only if expressly authorised. VARA treats “Staking from Custody Services” as a custody subset with additional controls, including strict client segregation and instruction-driven execution, plus specific operational standards to manage protocol risks.

6) What are Collateral Wallet Services, and do they require additional VARA permission?

Collateral Wallet Services are treated as ancillary to custody and are permitted only where the custodian is authorised to provide them. VARA expects the custodian to comply with the broader custody framework throughout the collateral wallet service (subject to explicit exceptions).

7) What governance requirements apply to a VARA custody firm’s board?

VARA imposes additional board expectations for custody, including a board made up of executive and non-executive directors with at least one independent director, and the board must meet at least quarterly.

8) Can a VARA custodian outsource custody operations or use sub-custodians?

Outsourcing is possible, but it is tightly controlled. VARA expects robust outsourcing governance, and specifically addresses sub-outsourcing risk, including ensuring subcontracting does not undermine confidentiality, access/audit rights, or business continuity obligations.

9) What documents and evidence does VARA typically expect from custody applicants?

In practice, the heaviest scrutiny is on “proof of control” and “proof of resilience”. Applicants should be ready to evidence, in a reviewable and testable way: wallet architecture (hot/warm/cold); key ceremony and key lifecycle governance; signing policies (multi-party approvals, separation of duties, privileged access management); reconciliations and audit trails (including exception handling); incident response, compromise and recovery procedures, and client communications playbooks; outsourcing due diligence, vendor contracts, audit rights, and BCP/DR testing evidence; and client legal terms that clearly preserve client ownership and reflect custody restrictions.


How can 10 Leaves help you?

10 Leaves is a Corporate Service Provider at VARA.

We provide turnkey services for VARA Licenses, from initial consultations, to assistance in authorisations, to preparation of the legal documentation, helping you navigate VARA’s Rulebooks and submit an application that is comprehensive, complete and compliant.

Our services include assistance in:

1. Reviewing the business model and advising on the applicable regulatory framework and licensing perimeter;

2. Preparing the Regulatory Business Plan and submission narrative, including advisory operating model and governance approach;

3. Preparing the policy suite required for an advisory practice (conflicts, suitability, disclosures, recordkeeping, complaints, cyber and risk);

4. Supporting controlled functions and staffing readiness (including fit-and-proper support for key persons);

5. Finalising the legal structure, including holding company setup and customisation of Memorandums; and

6. Supporting office setup and regulatory coordination through the IDQ stage and the detailed phase through to approvals.

 
We also provide services in Luxembourg, Saudi Arabia, India and Mauritius. 
