In February 2022,  the Government of Dubai enacted a new law, creating the Virtual Assets Regulatory Authority (VARA) to oversee virtual assets and related service providers. A year later, in 2023, VARA launched a set of regulations and 13 rulebooks, including the Compliance and Risk Management Rulebook.  The Compliance and Risk Management Rulebook provides a comprehensive regulatory framework for Dubai’s virtual assets, covering licensing, customer due diligence, risk management, and Crypto Travel Rule compliance. 

Timeline of regulatory action

• February 28, 2022: The Government of Dubai passed “Law No. (4) of 2022 Regulating Virtual Assets in the Emirate of Dubai,” establishing VARA and giving it authority to regulate VAs and VASPs. 
• March 11, 2022: Law No. [4] of 2022 Regulating VAs in the Emirate of Dubai entered into force.
• February 7, 2023: ​​VARA issues the Virtual Assets and Related Activities Regulations 2023. The Compliance and Risk Management Rulebook specified Crypto Travel Rule requirements for Dubai VASPs.

‍

1. Is cryptocurrency legal in Dubai?

It is legal to hold, sell, and trade cryptocurrency in Dubai.

2. Are there any AML crypto regulations in Dubai?

Yes. Dubai VASPs must establish and follow implement policies and procedures to comply with all anti-money laundering / countering terrorism financing (AML/CTF) requirements and existing applicable laws, regulatory requirements, and guidelines, including but not limited to those from the Federal AML/CTF Laws, FATF’s reviews and guidance on VAs, and the UAE’s regulations on terrorism financing. Dubai VASPs must also follow the UAE Executive Office for Control & Non-Proliferation (EOCN)’s guidance on counter-proliferation financing and its local terrorist list. [1]

3. Who regulates cryptocurrency in Dubai?

The Virtual Assets Regulatory Authority (VARA) is the crypto regulator in Dubai.

4. Are there licensing or registration requirements for VASPs in Dubai?

No person can conduct certain virtual asset activities in the Emirate without obtaining a permit from VARA. [2] The following virtual asset activities that require permits and are subject to VARA oversight are as follows: 

• virtual asset platform operation and management services, 
• virtual asset exchange services, 
• virtual asset transfer services, 
• virtual asset safekeeping, management, or control services, 
• virtual asset wallet services, and 
• services related to offering and trading in virtual tokens. [3]

‍

FATF Travel Rule Requirements in Dubai

1. Is the Crypto Travel Rule mandated in Dubai?

Yes. VARA’s Compliance and Risk Management Rulebook states that VASPs must demonstrate their Crypto Travel Rule compliance and submit relevant policies and controls during licensing. Dubai VASPs should also include their plan to comply with the Travel Rule in jurisdictions where it’s not mandatory.

“VASPs shall be required to demonstrate to VARA how they comply with the Travel Rule during the licensing process and submit to VARA relevant policies and controls. VASPs should also include their plan to comply with the Travel Rule with virtual asset service providers in jurisdictions where the Travel Rule is not a legislative requirement [i.e. the “sunrise issue”].” [4]

2. Does Dubai permit a grace period to comply with the crypto Travel Rule?

There is no formal grace period mentioned in VARA’s Compliance and Risk Management Rulebook, which enforces the Crypto Travel Rule. 

‍

{{training2="/cta-components"}}

‍

Complying with the Crypto Travel Rule in Dubai

‍

1. What is the minimum threshold for the Crypto Travel Rule in Dubai?

The minimum threshold for crypto Travel Rule compliance is AED 3,500. [5]

2. What personally identifiable information is required to be shared for the Crypto Travel Rule in Dubai?

VARA’s Compliance and Risk Management Rulebook states that VASPs must obtain the Originator and Beneficiary information prior to initiating an outbound transaction and prior to permitting any clients to access funds received in inbound transactions. 

Required Originator and Beneficiary information shall include, but is not limited to:

‍

3. What are the non-custodial or self-hosted wallet requirements in Dubai?

VARA urges local VASPs to consider how to manage the risks involved in transactions with self-hosted wallets. However, VARA has not provided specific guidelines or instructions for VASPs on how to handle these risks. [6]

4. What are the counterparty due diligence requirements for Dubai VASPs?

Before entering into any transaction with a counterparty VASP, VASPs must complete risk-based due diligence on the counterparty to mitigate AML/CFT risks.

“Prior to entering into any transaction with a counterparty VASP or virtual asset service provider in any other jurisdiction, VASPs must complete risk-based due diligence on such counterparty in order to mitigate AML/CFT risks. This due diligence does not need to be completed for every subsequent transaction with the counterparty unless a heightened counterparty risk is assessed or identified. [7]

5. How does VARA approach the sunrise issue? 

VARA’s Compliance and Risk Management Rulebook explicitly mentions the Sunrise Issue, stating:

“VASPs should also include their plan to comply with the Travel Rule with virtual asset service providers in jurisdictions where the Travel Rule is not a legislative requirement [i.e. the “sunrise issue”].” [4]

Why choose Notabene for Crypto Travel Rule Compliance in Dubai?

Counterparty due diligence is an essential component of Travel Rule compliance. Often, financial regulators fail to spell out counterparty due diligence requirements in local implementations explicitly, so we welcome the explicit reference to this in the VARA regulations. 

As the crypto industry's only pre-transaction decision making platform, we have integrated the industry standard VASP due diligence questionnaire (DDQ). This allows VASPs upload and share their due diligence information 1:1 between parties, removing friction from an already complex process.

Notabene Network members can:

• Request access to a VASP's DDQ within the Notabene Network, even if they haven’t yet filled it out. This request will trigger an email to the VASP, inviting them to complete the DDQ.
• Share and Decline access to the questionnaire.
• Revoke access to the questionnaire at any time.
• View the document’s share history.

‍Click here to access the Notabene Network.