Original Source: VARA_EN_243_VER20250519
1. Regulatory Context & Strategic Positioning
VARA (Virtual Assets Regulatory Authority), created under Dubai VA Law (Law No. 4 of 2022), supervises Virtual Asset Service Providers (VASPs). The Custody Services Rulebook is a core regulatory text governing any VASP licensed to provide custody (including optional staking-from-custody and collateral wallet services).
It is cumulative—meaning firms must comply simultaneously with:
- Company Rulebook
- Compliance & Risk Management Rulebook
- Technology & Information Rulebook
- Market Conduct Rulebook
- Any other VA-activity-specific rulebook.
2. Corporate Governance Requirements
Board Structure & Oversight
VARA imposes robust governance standards:
- Mandatory mix of executive and non-executive directors, including at least one independent director.
- Strict independence criteria (no recent employment, no ownership above 10%, no audit ties, and no tenure longer than 7 years).
For practitioners:
Expect the same governance scrutiny as a regulated financial institution. Group structures where trading, market-making, lending, or token issuance occurs must remain legally separate from the custody entity (with limited exceptions).
Board Committees
Required committees:
- Remuneration
- Nomination
- Audit
Minutes must be retained for 8 years.
Remuneration Reporting
Annually, the custodian must submit complete board-level remuneration disclosures to VARA.
3. Policies, Procedures & Transparency
Mandatory Internal Controls
Custody VASPs must maintain:
- Policies for withdrawal and client access, even during market stress.
- Annual effectiveness reviews.
Public Disclosures
Custodians must publicly publish:
- Conflicts of interest
- Data privacy, whistleblowing, client complaint policies
- Third-party service provider information
- Senior management criminal records (if applicable)
4. Core Custody Requirements (Part III)
This is the heart of the rulebook.
A. Verified Client Instructions
Custodians may move assets only based on verified client orders (or legally authorised agents).
B. Client Asset Segregation & No Rehypothecation
Critical for institutional operations:
- Client VAs are never custodian assets or liabilities.
- Rehypothecation is strictly prohibited, even if a client consents.
- Each client must have their own VA wallet(s)—no pooling.
- Custody must be conducted by a legally separate entity from other VA activities (except Transfer & Settlement Services).
This means:
- No lending of client VAs
- No collateralisation of client VAs except under Collateral Wallet rules
- No proprietary trading by the custody entity
C. Wallet & Key Management Standards
This section mirrors institutional security frameworks such as SOC 2 and CCSS (CryptoCurrency Security Standard), and digital asset custodial best practice.
Hot/Cold Wallet Management
- Risk-based wallet allocation required.
- Methodology for wallet transfers must be documented and audited by independent third-party auditors.
Key Generation & Storage
Custodians must:
- Use secure, industry-best-practice key generation mechanisms.
- Avoid single-person key generation or signing.
- Store backups separately, encrypted, and split (e.g., split mnemonic phrases).
- Adopt multi-signature or multi-key schemes where appropriate (VARA can require it).
- Mitigate collusion risks among key signers.
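As an added illustration of the split-backup requirement above (not text from the rulebook or any custodian's code), the following Python splits a signing key into n shares of which any k reconstruct it, using Shamir secret sharing over a prime field. The field prime, the 3-of-5 parameters and the `randbelow` hook are assumptions chosen for the example.

```python
# Threshold key-backup split (Shamir secret sharing) over a prime field.
# Added illustration only; parameters below are assumptions, not VARA requirements.
import secrets

# Prime larger than any 256-bit key (this is the secp256k1 group order).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x mod P, Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n, randbelow=secrets.randbelow):
    """Split `secret` into n shares; any k recover it, fewer than k reveal nothing.
    Returns (x, y) points on a random degree k-1 polynomial whose constant term is the secret."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element below P")
    coeffs = [secret] + [randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 (mod P); needs at least k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # Modular inverse via Fermat: den^(P-2) mod P, valid because P is prime.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


if __name__ == "__main__":
    key = secrets.randbelow(P)            # stands in for a wallet signing key
    shares = split_secret(key, k=3, n=5)  # e.g. one share per vault location
    assert recover_secret(shares[:3]) == key
    assert recover_secret([shares[0], shares[2], shares[4]]) == key
    print("3-of-5 split and recovery OK")
```

Each share would be encrypted and held by a separate custodian of record or location; the test below also shows that a sub-quorum of shares does not yield the key.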
Compromised Keys
Mandatory procedures must exist for:
- Incident response
- Asset recovery
- Notifications to clients and VARA
- Potential wind-down arrangements
D. Client Agreements—Mandatory Content
Client agreements must clearly outline:
- Custodial model & security framework
- Fork/chain change handling
- Withdrawal processes & settlement finality
- Statement frequency and content
- Outsourcing details
- Cybersecurity and data protection controls
- Key access rights and multi-sig governance
E. Reporting, Audit & Reconciliation
Custodians must:
- Maintain monthly client statements
- Keep 8-year audit trails for all transactions
5. Staking from Custody Services (Optional) (Part IV)
A major differentiator: VARA permits staking only when authorised, and only for VAs already under custody.
A. Licensing & Limits
- Additional licensing and supervision fees apply.
- Staking is viewed as a subset of custody, so legal-entity segregation rules do not apply again.
B. Client Instructions
- Staking cannot be offered on an "opt-out" basis.
- Pre-authorised instructions must cover all foreseeable scenarios, especially governance voting.
C. Wallet & Node-Level Segregation
Key requirement for institutional staking providers:
- Per-client nodes only—no pooling of client VAs to meet minimum validator thresholds.
- Custodian retains full key control.
This effectively bans:
- Shared validators
- Liquid staking pools
- Omnibus validation nodes
D. Node Management & Outsourcing
Custodians must minimise slashing risk by ensuring:
- Hardware, software, and uptime requirements are met
- Proper maintenance & upgrades are carried out
Third-party node operators must comply with VARA outsourcing rules.
E. DLT Standards Framework
Before supporting staking on a network, VASPs must maintain documented DLT Standards evaluating:
- Security, immutability, decentralisation
- Staking protocol reliability
- Reward sources
- Regulatory treatment across jurisdictions
- Developer history & potential misconduct
- Any AML/CFT, sanctions, or IP risks
If a DLT fails to meet these standards, the VASP must:
- Notify VARA & clients
- Stop onboarding new VAs for staking
- Execute an agreed wind-down
F. Mandatory Risk Disclosure
A risk disclosure, separate from the client agreement, must explain:
- Slashing risk
- Protocol risks
- Loss severity & likelihood
6. Collateral Wallet Services (Optional) (Part V)
These rules govern wallets used for net settlement of client positions between a Custody VASP and a VARA-licensed Exchange.
A. Authorisation
Collateral wallets are permitted only:
- For VASPs already licensed for custody
- With specific VARA approval
B. Client Instructions & Receipts
Detailed receipts must be provided:
- When initiating transfers
- When settling transactions
With timestamps, balances, fees, trade details, and references.
C. Wallet Restrictions
A dedicated CWS Client VA Wallet must be:
- Used only for collateral wallet services
- Never repurposed for other uses
- Subject to segregation exceptions (pooling may occur)
D. Exchange Integration Rules
- Each CWS VA wallet can be used for one Exchange only.
- Client may have multiple collateral wallets for multiple Exchanges.
- Only VARA-licensed Exchanges are allowed.
Conflicts of interest must be identified and disclosed.
E. Risk Disclosure
Clients must be informed of:
- Commingling of VAs (unique exception to segregation rule)
- Exchange rights over collateral
- Safekeeping arrangements
F. Monthly Reporting to VARA
Must include:
- Total VAs in collateral wallets (units + AED value)
- Client counts
- Names of linked Exchanges
Practical Implications for Financial Practitioners
A. For Custodians & Trust Companies
- Build institution-grade key management and segregation frameworks.
- Prepare for recurring audits, reconciliations, and board-level reporting.
- Avoid offering lending, rehypothecation, or proprietary trading from the custody entity.
B. For Exchanges
- Integrate only with CWS-enabled custody VASPs.
- Expect strict segregation of wallets and mandatory reporting obligations.
C. For Asset Managers, Funds & Institutional Investors
This framework ensures:
- Bankruptcy-remote custody
- No hidden rehypothecation
- Transparent staking participation
- Ability to evaluate DLT risks formally
D. For Staking Providers
- You must run per-client validator nodes—increasing infrastructure cost but enhancing regulatory compliance.
E. For Broker-Dealers & OTC
- Use Collateral Wallet Services to provide efficient settlement with VARA-licensed exchanges.

