August 8, 2024

SCAnning VASPs: Guidelines for Regulation of Virtual Assets and Virtual Asset Service Providers

by Soham Jethani, Pankhuri Malhotra and Hena Ayisha

in Articles
5688e2940cb0d9b

Key Takeaways

  • In July 2024, the SCA issued new guidelines to regulate Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) in the UAE.
  • There is nothing to indicate that the new SCA regulations would displace VARA’s authority in the emirate of Dubai. It would appear that SCA regulations would apply to VASPs in all emirates outside Dubai and outside the two financial free zones (ADGM and DIFC).
  • The guidelines are part of the Virtual Assets Framework, focusing on investment purposes rather than payment purposes, which falls under the Central Bank of the UAE.
  • Objectives of the guidelines include consumer protection, technology governance, market integrity, and AML/CFT compliance.
  • Licensing is required for activities such as operating VA platforms, providing exchange and transfer services, acting as brokers or dealers, and offering financial services related to VAs.
  • License applicants must comply with SCA regulations, including the SCA’s Rulebook for Financial Activities and Status Regularisation Mechanisms.
  • Licensed VASPs must establish secure systems, maintain business continuity, document system implementation, and follow best practices in network security, including conducting annual third-party audits.
  • Strong measures are required for securing cryptographic keys, identifying the source of funds, and managing system outages.
  • VASPs must disclose all material risks to clients, ensure market integrity, comply with market abuse regulations, and report transactions to the SCA.
  • Substantial resources must be committed to governance, compliance, operations, technology, and human resources within the state.
  • Comparisons with VARA highlight differences in regulatory approaches, licensing costs, and capital requirements, with SCA regulations being much more comprehensive and, significantly, costly.

Introduction

In July 2024, the Securities and Commodities Authority (“SCA”) issued new guidelines which aim to regulate Virtual Assets (“VAs”) and Virtual Asset Service Providers (“VASPs”) within the state, excluding financial free zones (i.e., the DIFC and ADGM). These guidelines form part of the Virtual Assets Framework, established under various decisions by the SCA to ensure effective regulation and oversight of VAs.

Overview

The continuous advancement of distributed ledger technologies has led to the emergence of VAs, including cryptocurrencies. These assets facilitate economic transactions or value transfers and have created unique regulatory challenges. The SCA’s guidelines provide a regulatory approach for VAs, particularly focusing on investment purposes rather than payment purposes.

This is an important distinction because any use of VAs for payment purposes would fall within the purview of the Central Bank of the UAE.

Objectives of the Virtual Assets Framework

  1. Consumer Protection: Ensuring that all material risks associated with VAs are appropriately disclosed and managed.
  2. Technology Governance: Establishing robust systems and controls for VA wallets, private keys, and the source and destination of VA funds.
  3. Market Integrity: Ensuring fair and orderly trading, settlement operations, and transparency in the operations of VA platforms.
  4. AML/CFT Compliance: Adhering to regulations regarding anti-money laundering and combating the financing of terrorism.

Virtual Asset Activities Subject to Licensing

The SCA requires licensing for several VA-related activities, including:[i]

  • Operating and managing VA platforms, i.e., exchanges.
  • Providing exchange services between different forms of VAs.
  • Offering VA transfer services.
  • Acting as brokers or dealers in VAs.
  • Providing safe custody and management services for VAs.
  • Providing financial services relating to offer or sale of VAs.

Regulatory Requirements for Licence Applicants

Licence applicants must demonstrate compliance with all SCA regulations, specifically the SCA’s Rulebook for Financial Activities and Status Regularisation Mechanisms (“Rulebook”), which encompasses several modules, such as:[ii]

  • General Provisions
  • Licensing and Accreditation
  • Conduct of Business
  • Capital Adequacy
  • AML/CFT

These provisions of the Rulebook will apply to all VASPs in addition to the provisions of the newly issued guidelines.

General Guidelines for VASPs

Technology Governance and Controls

Licensed VASPs must establish systems and controls to manage their affairs effectively and responsibly.[iii] This includes:

  • Maintaining and developing secure systems.
  • Implementing robust security procedures and measures.
  • Ensuring business continuity during planned and unplanned outages.

Systems Maintenance and Development

VASPs are expected to:

  • Document their approach to system implementation and updates.[iv]
  • Regularly test systems for vulnerabilities.[v]
  • Maintain audit trails for all system changes and issues.[vi]

Security Procedures and Measures

VASPs should follow best practices in network security, including:

  • Using firewalls, strong passwords, multifactor authentication, and data encryption.[vii]
  • Conducting annual third-party audits of their IT infrastructure.[viii]

Cryptographic Keys and Wallets Storage

Strong measures must be taken to secure the generation, storage, backup, and destruction of cryptographic keys.[ix] Multi-signature wallets and recovery procedures for lost login credentials should be considered.[x]

The Source and Destination of Virtual Asset Funds

VASPs must establish policies and procedures to identify the source of funds and ensure compliance with AML rules. [xi]This includes tracking transactions and maintaining a list of suspicious wallet addresses.[xii]

Planned and Unplanned System Outages

VASPs must have clear procedures for both planned and unplanned outages, ensuring clients are informed and the business can continue operating smoothly.[xiii]

Personnel Management and Decision Making

Processes should be in place to manage decision-making and access to sensitive information, ensuring only essential personnel have access to critical data.[xiv]

Outsourcing

VASPs can use third-party services but remain fully responsible for any issues arising from outsourcing.[xv] Thorough due diligence on third-party service providers is required.[xvi]

Forks

Changes to the underlying protocol of VAs that lead to forks must be managed and tested.[xvii] VASPs should ensure client balances are accurately maintained during forks.[xviii]

Protecting Client Funds

VASPs holding client funds must adhere to strict audit and reconciliation procedures, ensuring the safety and integrity of client assets.[xix]

Disclosure of Risks of VAs

VASPs must conduct detailed risk analyses and disclose all material risks to clients before any transactions. This disclosure must be continuously updated to reflect new risks.[xx]

Market Abuse, Transaction Reporting, and Misleading Impressions

VASPs must comply with market abuse regulations and report all relevant transactions to the SCA.[xxi] Communications and advertisements must be conducted appropriately, without misleading information.[xxii]

Realistic Requirements for VASPs

VASPs must commit substantial resources within the state across all lines of activity, including governance, compliance, operations, technology, and human resources.[xxiii]

Tax Reporting

VASPs must comply with the Foreign Account Tax Compliance Act and the Common Reporting Standard, ensuring accurate and timely tax reporting.[xxiv]

Appointment of Consultants

VASPs are advised to appoint compliance consultants to assist with regulatory requirements and ensure smooth application processes.[xxv]

Applications for Amendment or Exemption

The SCA may grant exceptions to certain regulations upon request, provided a compelling case is made.[xxvi]

Obligations to Protect Data for Individuals

VASPs must comply with data protection laws, ensuring the confidentiality and security of personal data. This includes obtaining consent for data processing and reporting any breaches promptly.[xxvii]

Transactions with Unknown Counterparties

VASPs should avoid transactions with unknown or anonymous counterparties to minimise risks associated with money laundering and other financial crimes.[xxviii]

Margin Trading

VASPs offering margin trading must adhere to specific rules issued by the VA platform operator.[xxix]

Insurance

While insurance is not mandatory, VASPs are expected to structure their business operations properly and to implement robust mechanisms to mitigate operational risks.[xxx]

Specific Requirements for Virtual Assets Platform Operators

VA platform operators must:

  • Ensure operational efficiency and flexibility.[xxxi]
  • Establish and maintain clear operational rules.[xxxii]
  • Maintain high levels of integrity and transparency.[xxxiii]
  • Protect and preserve client virtual assets.[xxxiv]
  • Ensure compliance with AML and CFT regulations.[xxxv]
  • Provide appropriate trading and post-trading transparency.[xxxvi]
  • Ensure access only to permitted persons.[xxxvii]

Accepted Virtual Assets

Only VAs registered with the SCA and included in the official list can be traded.[xxxviii] The VA platform operator must conduct due diligence when evaluating and accepting VAs for listing.[xxxix]

Costs for Licensing

Applicants for VASP licences must be prepared for several stages, including due diligence, submission of the official application, granting initial approval, and finally, obtaining the licence.[xl] Fees associated with these stages must be paid as stipulated by the SCA.

Capital Requirements

The capital requirements for different virtual asset activities are as follows:[xli]

  • VA Platform Operator: Paid-up capital of 1 million dirhams and maintaining operating capital equivalent to six months of operating expenses if only operating the platform, or 5 million dirhams if engaged in other VASP activities.
  • Safe Custody of VAs: Paid-up capital of 4 million dirhams, maintaining operating capital equivalent to six months of operating expenses.
  • Financial Consulting in VAs: Paid-up capital of 500,000 dirhams.
  • Managing Portfolio of VAs: Paid-up capital of 3 million dirhams.
  • VA Brokerage Activity: Paid-up capital of 2 million dirhams.
  • VA Dealer Activity: Paid-up capital of 30 million dirhams.

Comparison to Dubai’s Virtual Asset Regulatory Authority (“VARA”)

VARA and the SCA have distinct approaches to regulating VAs and VASPs. Unlike the SCA, VARA does not maintain a list of approved VAs. The SCA aligns more with the practices of the DIFC and ADGM, both of which have approved VA lists for use within their financial-free zones (the “Recognized Crypto Tokens” list for DIFC[xlii] and the “Accepted Virtual Assets” list for ADGM[xliii]).

There is ongoing uncertainty regarding the value of a VARA licence in the context of SCA regulations at the federal level. VARA’s jurisdiction is limited to the emirate of Dubai, while the SCA’s regulations apply nationwide. This issue first arose in 2023 when the SCA introduced significant regulatory changes.[xliv] Despite new guidelines and anticipated regulations from the SCA, the delegated authority to VARA for supervising and regulating VAs and VASPs within Dubai remains unchanged.[xlv]

Depending on the activity, the cost of obtaining an SCA licence can be nearly ten times higher than a VARA licence. In some instances, SCA licensing fees are comparable to those in Switzerland, which is one of the most expensive jurisdictions in the world to get regulated. For example, while the capital requirement for an SCA dealer is AED 30 million and an SCA broker is AED 2 million, a VARA broker-dealer needs only AED 600,000, which can be further reduced to AED 400,000 if using a VARA-regulated custodian.

The recent changes appear to be part of a broader effort to standardise the regulatory environment across the UAE. VARA has actively pursued enforcement actions, shutting down several illegal crypto operators in Dubai.[xlvi] Many of these operators have since moved their operations to other emirates outside VARA’s jurisdiction. The new SCA regulations aim to curtail such activities nationwide, ensuring the removal of illegal operators throughout the UAE.

There remains a question of whether these developments signal a move towards making a VARA licence obsolete or if they represent a step towards consolidating Dubai’s position as a central hub for VA activities outside the financial free zones in the UAE. The outcome will significantly impact the regulatory landscape for VAs and VASPs in the region.

***
  • TLP Advisors is a dynamic and forward-thinking consulting, strategy and law firm specialising in providing cutting-edge solutions to our diverse clientele. With our roots deeply embedded in financial services, gaming, web3, and emerging tech, we offer unparalleled knowledge and support tailored to these rapidly evolving sectors’ unique challenges and opportunities.
  • TLP Advisors has consistently been the firm of choice for L1 chains, DeFi protocols, gaming companies, fintech and payment companies, foundations, funds, and investors. We have built a reputation for excellence through frequent collaborations with regulators, funds, and technology incubators. Our deep understanding of the intricate regulatory landscapes and industry dynamics allows us to provide strategic guidance and innovative solutions that empower our clients to navigate complex challenges and seize emerging opportunities.
  • www.techlawpolicy.com

[i] Paragraph 14 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[ii] Paragraph 17 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[iii] Paragraph 28 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[iv] Paragraph 29 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[v] Paragraph 31 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[vi] Paragraph 32 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[vii] Paragraph 35 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[viii] Paragraph 34 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[ix] Paragraph 45 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[x] Paragraph 47 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xi] Paragraph 52 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xii] Paragraph 53 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xiii] Paragraph 55 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xiv] Paragraph 57 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xv] Paragraph 60 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xvi] Paragraph 61 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xvii] Paragraph 66 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xviii] Paragraph 70 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xix] Paragraph 72 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xx] Paragraph 73 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxi] Paragraph 79 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers. Specifically, VASPs are required to comply with Articles 15, 16 and 17 of the SCA’s Board of Directors Decision No. (2) of 2001 concerning the regulations as to trading, clearing, settlements, transfer of ownership and custody of securities. The provisions concern insider trading and market manipulation, prohibiting any transactions involving either.

[xxii] Paragraph 80 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxiii] Paragraph 83 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxiv] Paragraph 84 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxv] Paragraph 85 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxvi] Paragraph 86 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxvii] Paragraph 90 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxviii] Paragraph 94 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxix] Paragraph 96 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxx] Paragraph 97 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxi] Paragraph 103 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxii] Paragraph 104 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxiii] Paragraph 110 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxiv] Paragraph 112 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxv] Paragraph 114 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxvi] Paragraph 118, 119 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxvii] Paragraph 125 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxviii] Paragraph 132 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xxxix] Paragraph 133 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xl] Paragraph 205 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xli] Paragraph 19 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[xlii] Rule GEN 3A.3 of the DFSA Rulebook, Full list available at https://www.dfsa.ae/innovation.

[xliii] Rule 24 of the FSRA Guidance on Regulation of Virtual Asset Activities in ADGM. There is no public list of Accepted Virtual Assets, since the authorisation of the FSRA Is given on an individual basis.

[xliv] Soham Panchamiya and Pankhuri Malhotra, Security and Commodities Authority in the UAE, TLP Advisors (May 7, 2023), https://techlawpolicy.com/2023/05/security-and-commodities-authority-in-the-uae/

[xlv] Cabinet Decision No. 112/2022 On Delegating Certain Competencies related to the Regulation of Virtual Assets, https://rulebooks.vara.ae/sites/default/files/en_net_file_store/VARA_EN_340_VER1.pdf read with Law No. (4) of 2022 Regulating Virtual Assets in the Emirate of Dubai, https://dlp.dubai.gov.ae/Legislation%20Reference/2022/Law%20No.%20(4)%20of%202022%20Regulating%20Virtual%20Assets.html

[xlvi] Regulatory notices for enforcement issued by VARA are available at: https://www.vara.ae/en/regulations/regulatory-notices/#enforcement-notices

© 2024 TLP Advisors

Terms and Conditions Privacy Policy