21.8 C
New York

Key points of the “VARA Compliance & Risk Management Rulebook (Updated May 2025)” – Mandatory for VASPs

Uncategorized

Published:

Reading time: 4 min.

The VARA Compliance and Risk Management Rulebook sets the core supervisory, prudential, operational, and AML/CFT expectations for Virtual Asset Service Providers (VASPs) licensed in Dubai. For financial professionals, the Rulebook serves as the functional equivalent of an integrated compliance, operational resilience, and risk management framework akin to global governance regimes (e.g., MiCA, MAS PS Act, FATF VASP guidance).

It is mandatory for all licensed entities and complements the Company, Technology & Information, and Market Conduct Rulebooks.

Original source: VARA_EN_123_VER20250519

1. Regulatory Foundations & Governance Expectations

1.1 Core Compliance Principles

VARA expects VASPs to operate with integrity, transparency, diligence, and sufficient technical/financial capability, while safeguarding client assets and ensuring clear disclosures.

Key themes:

  • Fair and honest client treatment
  • Robust disclosures to enable informed decision-making
  • Effective compliance strategies spanning all VA activities
  • Transparent engagement with regulators

1.2 Compliance Management System (CMS)

VASPs must implement a comprehensive CMS, independent from business units, with risk-based monitoring, governance oversight, and the authority to investigate violations.

A Compliance Officer (CO) is mandatory and must:

  • Have 5+ years of compliance experience
  • Be a UAE resident or passport holder
  • Report directly to the Board
  • Oversee policies, regulatory interaction, training, and remediation

COs may also serve as MLRO or head of risk if no conflicts arise—mirroring consolidated control structures seen in fintechs and early-stage regulated firms.

2. Risk Management Framework Requirements

VARA prescribes a holistic risk management function—financial, operational, market, cyber, and consumer protection. Quarterly Board reporting is mandatory.

2.1 Financial Stability Risks

Risks include:

  • Capital adequacy & liquidity to support going-concern and wind-down scenarios
  • Market risk controls, including stress testing, VaR modelling, and scenario analysis
  • Credit risk controls, including rating frameworks, margin policies, and pre/settlement exposure metrics
  • Liquidity risk monitoring, concentration limits, maturity mismatch surveillance

This aligns Dubai’s VA market with traditional financial-market prudential disciplines.

2.2 Market Conduct & Operational Risks

Focus areas:

  • Onboarding (KYC/AML) risks
  • Governance, management quality, and board responsibilities
  • Operational resilience and business-continuity planning
  • Cybersecurity and data-breach protections

2.3 Consumer Protection Risks

Financial promotions, legal clarity, disclosure quality, conflicts of interest, and safeguarding of client assets are explicitly regulated.

3. AML/CFT & Financial Crime Controls (Part III)

VARA introduces one of the strictest AML/CFT regimes globally for VASPs, aligned with FATF Standards and UAE Federal AML-CFT laws.

3.1 MLRO Obligations

The MLRO must:

  • Have 2+ years of AML/CFT experience
  • Perform risk assessments, training, and suspicious-transaction management
  • Provide quarterly AML/CFT reports to the Board and VARA upon request

3.2 Policy & Procedure Requirements

VASPs must implement policies aligned with:

  • FATF guidance (2020–2022)
  • UAE Executive Office for Control & Non-Proliferation (EOCN) directives
  • UN sanctions frameworks

Policies must enable:

  • No anonymous/pseudonymous accounts
  • Sanctions compliance
  • 8-year record-keeping
  • Third-party screening, transaction monitoring, and wallet analytics

3.3 Risk Assessments

Conducted every 3 months, covering:

  • Business risks (technology, product innovations, anonymity-enhancing assets)
  • Client risks (tiered AML risk ratings, watchlists, UBO analysis, DAO involvement)

3.4 Client Due Diligence (CDD)

Risk-based CDD includes:

  • Pre-relationship identity verification (individuals and entities)
  • Enhanced CDD for high-risk clients or PEPs (source of funds/wealth, higher monitoring frequency)
  • Mandatory onboarding documentation standards

3.5 Suspicious Transaction Monitoring

Real-time or near real-time systems must:

  • Identify red flags (as per FATF)
  • Report to the UAE FIU via GoAML platform
  • Avoid tipping-off offenses

4. FATF Travel Rule Compliance (Part III.G)

VARA enforces Travel Rule requirements above global minimums. VASPs must:

  • Transmit and receive required originator/beneficiary data for VA transfers over AED 3,500
  • Conduct due diligence on counterparty VASPs internationally
  • Address deposits from unhosted wallets
  • Demonstrate Travel Rule compliance during licensing

This positions Dubai as a Travel Rule-compliant jurisdiction, critical for institutional adoption.

5. Client Asset Protection Framework

5.1 Client Money Rules (Part IV)

Key protections:

  • Client money must be held in segregated “Client Accounts” at UAE banks
  • Funds must be deposited within 1 day of receipt
  • Detailed reconciliation, record-keeping, and audit trails required
  • Client money never forms part of a VASP’s estate in insolvency

5.2 Client Virtual Asset Safeguarding (Part V)

VASPs must meet:

  • Segregation of client VAs
  • Proof-of-reserves obligations
  • Reconciliation of blockchain records with internal ledgers
    This is especially relevant for custodians, exchanges, brokers, and OTC desks.

6. Anti-Bribery & Corruption (Part VI)

Financial practitioners should note VARA’s corporate integrity regime, requiring:

  • Zero tolerance for corrupt payments
  • Internal investigation procedures
  • Mandated employee training
  • Personal accountability for breaches

7. Sponsored VASPs (Part VII)

Dubai allows a unique model where an existing licensed VASP may “sponsor” another entity. Requirements include:

  • Prior VARA approval
  • Governance, capital adequacy, responsible officer designation
  • Marketing and disclosure rules
  • Oversight and reporting responsibilities

This model facilitates global players entering Dubai through regulated partnerships.

8. Reporting & Audit Obligations

8.1 Monthly Reporting

Includes:

  • Balance sheet, income statements
  • Wallet address disclosures
  • Group transactions & related-party records

8.2 Quarterly Reporting

Includes:

  • Board minutes
  • Risk exposure reports
  • Financial projections & business plans

8.3 Annual Reporting

Includes:

  • Audited financials
  • Internal control attestation
  • Board certifications
  • Group shareholding, UBO chart
  • Client onboarding documentation sampling

These obligations resemble the reporting intensity seen in DIFC-regulated DFSA firms.

admin
adminhttps://gccdigitalfinance.com

Related articles

spot_img

Recent articles

spot_img
Premium Content

© Newspaper WordPress Theme by TagDiv