  • Compulsory Rulebooks

    • Company Rulebook

      • Introduction

        The Dubai Virtual Assets Regulatory Authority [VARA] was established and authorised by Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai [Dubai VA Law] to regulate Virtual Asset Service Providers [VASPs].
         
        This Company Rulebook is issued pursuant to, and forms part of, the Virtual Assets and Related Activities Regulations 2023 [the Regulations] issued by VARA and applies to all VASPs Licensed by VARA to carry out any VA Activity in the Emirate.
         
        This Company Rulebook applies in addition to all other requirements in the Regulations as may be in force from time to time. As such, VASPs Licensed by VARA to carry out any VA Activity must also comply with the following Rulebooks applicable to all VASPs:
         
          Compliance and Risk Management Rulebook;
          Technology and Information Rulebook;
          Market Conduct Rulebook; and
          All Rulebooks specific to the VA Activities that a VASP is Licensed by VARA to carry out.
         
        Capitalised terms in this Company Rulebook have the meanings ascribed to them in the Regulations or as otherwise defined herein or provided in Schedule 1.
         
        Unless otherwise stated, all requirements in this Company Rulebook are Rules and have binding effect.
         
      • Part I – Company Structure

        • Introduction

          Parts I-III of this Company Rulebook govern the way a VASP structures and manages its company, Board, Senior Management and Staff and the ongoing maintenance of satisfactory internal control and management systems. Rules in Parts I-III of this Company Rulebook set out requirements regarding:
           
            company structure and Board structure;
            responsibilities of the Board and Senior Management;
            induction and training for the Board and Staff; and
            when individuals will be deemed to be Fit and Proper Persons.
           
          The corporate governance needs of a VASP may vary from one to another depending upon a thorough analysis of its particular structure and business operations. The Board and the Senior Management are ultimately responsible for the adequacy and effectiveness of the internal control system implemented for that VASP.
           
        • A. Company Ownership Structure

          1. General requirement. VASPs shall maintain a company structure which is clear and transparent for the purposes of effective oversight by VARA and that ensures a sound and effective operation of the business of the VASP, including its VA Activities, which is conducive to the fair and orderly functioning of any market involving Virtual Assets.
          2. Legal entity in the Emirate. VASPs shall have and maintain a legal entity in the Emirate in one of the legal forms approved by a commercial licensing authority in the Emirate.
          3. Ownership. VASPs shall maintain a company structure with a clear chain of ownership, delegated authority and all associated voting powers such that VARA can clearly identify any Controlling Entity[ies] and the Ultimate Beneficial Owners [UBOs].
          4. Governance. If a VASP adopts a complex company structure including but not limited to trusts and nominee arrangements, and/or structures involving Decentralised Autonomous Organisations [DAOs] or other organisational forms with decentralised governance, then it is required to furnish information to VARA relating to the following, during the licensing process and at any time on request from VARA, for the purpose of VARA assessing the VASP’s compliance with Rule I.A.1 of this Company Rulebook—
           
            a. the reason[s] for the adoption of such complex company structure and/or decentralised governance;
            b. the relationship between the VASP and relevant DAOs and/or Entities with decentralised governance;
            c. whether the inclusion of DAOs and/or Entities with decentralised governance in the Group or the VASP’s affiliation with such Entities may adversely impact the VASP’s ability to ensure compliance with Regulations, Rules and Directives [including what procedures are in place to ensure effective compliance decisions can be made by way of decentralised governance or voting mechanisms]; and
            d. whether the relevant DAOs and/or Entities with decentralised governance are registered or otherwise legally recognised as, or have within their structure, an Entity in any jurisdictions other than the Emirate.
           
          5. VASPs shall obtain VARA’s written approval prior to any material change to their company structure [including Controlling Entity[ies] and UBOs] and/or adopting decentralised governance in respect of their operations relating to VA Activities. In respect of any such changes to its shareholding structure and/or governance model, a VASP shall—
           
            a. provide the types of information as set out in Rule I.A.4 of this Company Rulebook [if applicable];
            b. provide any additional due diligence information about new Controlling Entity[ies], Group Entities and UBOs as may be requested by VARA; and
            c. comply with any additional conditions or restrictions that VARA may impose to ensure its ability to comply with all applicable laws and regulatory requirements is not impaired, including but not limited to the filing of declarations that any new Controlling Entity[ies] and UBOs are not Politically Exposed Persons or individuals who are subject to any form of economic sanctions.
           
        • B. The Board

          1. Board structure.
           
            a. VASPs shall ensure the Board comprises suitably qualified individuals with the requisite skills, knowledge and expertise taking into consideration the scope of their responsibilities and the VA Activities carried out by the VASP. Each member of the Board must be assessed by the VASP and approved by VARA as being a Fit and Proper Person according to the criteria set out in Part III of this Company Rulebook.
            b. VASPs shall—
           
              i. adopt a clear and effective procedure for—
           
                1. selecting and appointing members to the Board, including the filling of any vacancies on the Board;
                2. removal of members of the Board; and
           
              ii. ensure that all procedures relevant to this Rule I.B.1.b of this Company Rulebook are included in the VASP’s constitutional documents.
           
            c. The Board shall assess and confirm each member of the Board is a Fit and Proper Person at least annually. If a VASP has reason to believe a member of the Board no longer remains a Fit and Proper Person at any time, the Board shall promptly assess such member. If such member of the Board no longer remains a Fit and Proper Person, the Board shall remove such member with written notice and appoint a successor in accordance with Rule I.B.1.b of this Company Rulebook.
            d. VASPs shall ensure that any changes to the constitution of the Board comply with Rules I.B.1.a and I.B.1.b of this Company Rulebook.
            e. The Board shall establish a process to elect a chairman. The chairman shall have the authority to oversee and be responsible for the overall effective functioning of the Board, and any committees it has established, in accordance with Rule I.B of this Company Rulebook.
            f. The Board shall carry out annual assessments, alone or with the assistance of external experts, of the Board as a whole, its committees and individual members to review relevant performances.
           
          2. Responsibilities of the Board.
           
            a. The Board shall establish and regularly update the VASP’s procedural rules and other constitutional documents setting out its organisation, responsibilities and procedures.
            b. The Board and each of its members shall assume full responsibility for—
           
              i. the operation, business and affairs of the VASP, such that these are conducted in a manner which is conducive to the fair and orderly functioning of any market involving Virtual Assets;
              ii. the VASP’s compliance with all applicable laws and regulatory requirements [including but not limited to Regulations, Rules and Directives]; and
              iii. implementing a professional compliance culture within the VASP.
           
            c. The Board shall engage in regular and effective communication with relevant committees, Senior Management, Staff, any other individuals within the VASP and Group Entities to ensure that it is continually and timely apprised of the status of the business, operations and financial position of the VASP.
            d. The Board shall establish and maintain detailed and clear policies and procedures—
           
              i. to set out the process of authorisations within the Senior Management and its subordinates;
              ii. to identify the authority of each member of the Senior Management; and
              iii. to identify reporting lines of the Senior Management and its subordinates.
           
            e. In performing its duties in official capacity, the Board may delegate its authority to relevant committees and Senior Management. In doing so, the Board shall supervise its delegated authority and remain primarily responsible for its duties. The Board shall establish and maintain effective systems and procedures to supervise the Staff who act under the authority delegated by the Board.
            f. The Board shall, at least annually, review the performance of the VASP, the practical and professional experience and suitability of its members and the Senior Management in the context of the latest industry standards in the global Virtual Asset sector.
            g. The Board shall ensure that all Entities performing functions on behalf of the VASP and contractors hired by the VASP have access to, and understand adequate up-to-date information regarding, the applicable policies and procedures implemented within the VASP in acting in their official capacities.
            h. The Board shall—
           
              i. define clear reporting requirements to ensure that internal and external reports can be prepared in a timely manner; and
              ii. establish and maintain effective record retention policies to comply with all applicable laws and regulations and to enable the VASP, its auditors and other interested Entities such as VARA to carry out routine and ad hoc reviews or investigations.
           
          3. Board training.
           
            a. VASPs shall ensure new Board members receive training programme[s] on their company structure, corporate governance, business and other subjects that would assist them in performing their duties, with a particular focus on—
           
              i. the background, strategy and objectives of the VASP;
              ii. the financial and operational aspects of the VASP’s business, including its VA Activities;
              iii. the obligations, duties, liabilities and rights of the members of the Board;
              iv. the functions and obligations of any Board committees; and
              v. key risks relating to the global Virtual Asset sector.
           
            b. The Board shall—
           
              i. review the scope of the training programme and the accuracy of its contents annually; and
              ii. revise the training programme if necessary.
           
            c. VASPs shall provide regular, timely and up-to-date training courses to all members of the Board in matters directly related to the interests of the VASP and Virtual Asset markets as a whole, including but not limited to matters set out in Rule I.B.3.a of this Company Rulebook.
           
        • C. Responsible Individuals

          1. VASPs shall appoint two [2] individuals of sufficient seniority who shall be responsible for the VASP’s compliance with all legal and regulatory obligations [Responsible Individuals].
          2. Each Responsible Individual shall be—
           
            a. a full-time employee of the VASP;
            b. a Fit and Proper Person;
            c. a resident of the UAE or a holder of a UAE passport; and
            d. notified to, and approved by, VARA during the licensing process.
           
          3. VASPs shall ensure that their Responsible Individuals continue to meet the requirements in Rule I.C.2 of this Company Rulebook at all times, and shall validate and maintain a record of such validation on an annual basis.
          4. VASPs must notify and seek approval from VARA prior to any change in their Responsible Individuals, except in the event of reasonably unforeseen circumstances; in such instances the VASPs must notify VARA immediately and provide information on how they will continue to meet the requirements with regard to Responsible Individuals.
           
        • D. Senior Management

          1. VASPs shall establish, document and maintain a management structure which clearly sets out the roles, responsibilities, authority and accountability of the Senior Management.
          2. VASPs shall ensure their Senior Management comprises suitably qualified individuals with the requisite skills, knowledge and expertise as may be reasonably expected in the global Virtual Asset sector.
          3. The Board shall—
           
            a. adopt a clear process and procedure for selecting and appointing members to the Senior Management; and
            b. ensure that such process and procedure are included in the VASP’s constitutional documents.
           
          4. The Senior Management shall—
           
            a. act under the direction and oversight of the Board; and
            b. carry out and manage day-to-day activities of the VASP in a manner which—
           
              i. complies with all applicable laws and regulatory requirements; and
              ii. aligns with the business objectives and policies approved by the Board.
           
          5. A member of the Senior Management may—
           
            a. except in the case of the Compliance Officer [CO] and/or the head of any internal audit functions, hold a position on the Board;
            b. subject to prior written approval of the Board and screening of conflicts of interest conducted by the Board, hold a position on the board of Entities other than the VASP; and
            c. not hold an employee position in any other Entities except with the prior written consent of the Board.
           
          6. If a member of the Senior Management has been serving on the board of another Entity prior to joining the VASP, such member may continue to serve on the board of that Entity provided that the Board is satisfied that, after conducting relevant screening, no conflicts of interest would arise from the VASP’s appointment of such member.
          7. The Senior Management shall furnish all necessary information that the Board may require to supervise and assess the performance of the Senior Management, which assessment shall be carried out by the Board at least annually.
           
        • E. Company Secretary

          1. Notwithstanding any applicable requirements in the constitutional documents of the VASP, the Board must appoint a company secretary independent of the Senior Management, who reports directly to the Board [Company Secretary]. The authorities and remuneration of the Company Secretary shall be determined under a Board resolution, unless the constitutional documents of the VASP provide otherwise.
          2. The Company Secretary shall—
           
            a. document the Board meetings and prepare their minutes, which shall include the discussions and deliberations that took place during these meetings, the place and start and end time of these meetings, registering the Board resolutions and voting results, and keeping them in a special and organised record, including the names of attendees and any expressed reservations. These minutes shall be signed by all attending members;
            b. keep all reports submitted to the Board and those prepared thereby;
            c. provide Board members with the Board meeting agenda and the related papers, documents, and information and any additional information related to subjects contained in clauses of the agenda requested by any Board member;
            d. make sure that Board members comply with actions approved by the Board;
            e. notify Board members of the Board meetings dates well in advance of the meeting date;
            f. submit drafts of the minutes to Board members to express their opinion thereon before signing it;
            g. make sure that the Board members, completely and immediately, receive a full copy of the minutes of the Board meetings, information and documents related to each meeting;
            h. keep the minutes of meetings of the Board and its committees;
            i. inform Staff, including Senior Management, about resolutions of the Board and its committees relevant to their function or roles and report on their implementation and application;
            j. support the Board in any activities or processes requested by the Board;
            k. coordinate between Board members and Senior Management; and
            l. regulate the disclosure record of the Board in accordance with applicable requirements in the Market Conduct Rulebook and provide assistance and advice to the Board members.
           
          3. The Board may appoint an external Entity as Company Secretary provided that such appointment will be considered as an Outsourcing and must comply with Part IV of this Company Rulebook.
           
      • Part II – Corporate Governance

        • A. Competence

          1. VASPs shall establish and maintain policies and procedures to ensure that all members of the Board, Senior Management and Staff are suitably qualified in their relevant post. Criteria for such internal assessment shall include, but are not limited to—
           
            a. academic credentials;
            b. professional qualifications;
            c. professional experience;
            d. awards and honours received; and
            e. memberships of professional and service organisations.
           
          2. The Board can only appoint to supervisory positions Staff with relevant experience and qualifications as may be reasonably expected taking into account the responsibilities of the role and the VA Activities of the VASP.
           
        • B. Segregation of Duties

          1. The Board shall ensure that policy formulation, supervisory and advisory functions and other internal review functions are effectively segregated from operational duties in order to—
           
            a. ensure that supervisory and other internal controls are effectively maintained; and
            b. avoid undetected errors or abuses of certain functions.
           
          2. The Board shall ensure that operational duties including sales, dealing, accounting, settlement and safekeeping of Virtual Assets are effectively segregated to minimise potential for conflicts, errors or abuses.
          3. The Board shall ensure that compliance and internal audit functions are effectively segregated from and independent of the operational and related supervisory functions. The CO and any head of the internal audit function should report directly to the Board.
           
        • C. Conflicts of Interest

          1. VASPs shall use all reasonable efforts to avoid conflicts of interest between any of the following—
           
            a. their Group;
            b. the VASP;
            c. their Board;
            d. their Staff;
            e. their clients; and/or
            f. their investors.
            In the event that the VASP cannot avoid conflicts of interest after using all reasonable efforts, it shall ensure that such conflicts of interest are disclosed to its affected clients, and such clients should be fairly treated by the VASP.
           
          2. If a VASP, a member of the Board or any of its Staff has an interest that may reasonably impair its objectivity, in a transaction with or for a client or a relationship which gives rise to an actual or potential conflict of interest in relation to the transaction, the VASP shall—
           
            a. promptly disclose the nature of such conflict to its affected client; and
            b. to the extent that the affected client’s interests can be sufficiently protected, manage and minimise such conflict by adopting appropriate measures to ensure fair treatment to its affected client, including establishing and maintaining “Chinese Walls” to separate Staff into different teams.
           
          3. VASPs shall establish and implement appropriate written internal policies and procedures for the identification and management or resolution [as applicable] of any actual or potential conflicts of interest. VASPs shall maintain a special register for conflicts of interest in which the conflicts and management or remedial measures taken are recorded in detail.
          4. When a member of the Board discloses to the Board that they have a material interest in a transaction, the remaining members of the Board present at the Board meeting shall consider whether it is appropriate for that Board member to continue to participate in the Board meeting after reviewing whether the conflict may affect the objectivity of that member and/or their ability to perform their tasks towards the company properly. If the remaining members of the Board decide that it is not appropriate for that member to participate, they may ask that member to leave the Board meeting. That Board member is not entitled to use the member’s personal influence in issues whether in or outside the meeting. The Board member shall not vote on the decision. The Company Secretary shall record the conflict in the relevant Board minutes.
          5. Where a VASP represents itself as being independent when conducting a VA Activity—
           
            a. it shall not receive fees, commissions or any benefits, paid or provided [whether directly or indirectly] by any Entity other than the end client in relation to the provision of services related to such VA Activity to clients; and
            b. it shall not have any close links or other legal or economic relationships with third parties which are likely to impair its independence to favour a particular third party in relation to its provision of services related to such VA Activity.
           
        • D. Information Disclosure

          1. The Board shall establish and maintain effective policies and procedures to disclose all necessary information to the VASP’s shareholders and relevant stakeholders clearly, correctly and in an orderly manner in order to obtain a comprehensive view of the overall performance and financial position of the VASP.
          2. The website of the VASP shall include all information required to be disclosed to the public in accordance with all applicable laws, Regulations, Rules and Directives, including but not limited to all public disclosures required under the Market Conduct Rulebook and all other Rulebooks applicable to the VASP, and any other details and information that can be published through other disclosure methods.
          3. The Board shall review the VASP’s disclosure policies and procedures periodically, and ensure and procure its compliance to the best practices in the Virtual Asset industry.
           
        • E. Group Governance

          1. VASPs shall establish a framework for governing their Subsidiaries within the Group. The Board shall be responsible for determining how Subsidiary governance is addressed and conducted.
          2. The Board shall approve the governance framework for the Subsidiaries that sets out the powers within the Subsidiaries and ensure that the boards of the Subsidiaries implement the governance framework for their respective Subsidiary.
          3. The governance framework shall include—
           
            a. planning of the rights and the roles of the VASP;
            b. company policies and procedures adopted by the Subsidiaries;
            c. participation of the Board with the boards of the Subsidiaries prior to the VASP exercising its right to elect members to the boards of the Subsidiaries; and
            d. restrictions imposed on the Board members not to use any information obtained as a member of the board of a Group Entity for the purposes of another company within the Group.
           
          4. VASPs shall verify the performance of the governance framework of the Subsidiaries.
           
        • F. Insiders’ Transactions

          1. The Board shall implement rules to govern and monitor the transactions of Board members and its Staff in order to ensure compliance with the Regulations and the Market Conduct Rulebook.
           
        • G. Transactions with Related Parties

          1. VASPs shall not enter into transactions with any Related Party without the prior written consent of the Board where the value of the transaction exceeds five percent [5%] of their issued share capital. If there is a significant change to the terms of these transactions, further written consent of the Board is required before the VASP enters into the transaction under the changed terms.
          2. The Related Party who has an interest in a transaction described in Rule II.G.1 of this Company Rulebook shall not participate in voting in terms of the decision taken by the Board in respect of such transactions.
          3. The following Entities shall be liable for damages to the VASP if a transaction with a Related Party is concluded in contravention of this Rule II.G of this Company Rulebook, or if it is proven that the transaction is unfair or involves a conflict of interest and incurs damages or is otherwise detrimental to the best interests of the VASP’s shareholders—
           
            a. that Related Party with whom the transaction was entered into; and
            b. the Board if the decision was issued by consensus.
           
          4. If the decision was only issued by the majority of the Board, the dissenting Board members shall not be held liable in the event that they have recorded their objection in the Board minutes. If a Board member is absent from the meeting in which the decision was issued, they are still responsible for the decision unless they prove that they were unaware of the decision or if they had constructive knowledge of it but could not object thereto.
          5. In the event that a VASP enters into a transaction with a Related Party—
           
            a. the Board shall provide VARA with prior notice which shall identify the Related Party and provide details of the transaction, including the nature and the benefit of the involvement of that Related Party in the transaction, together with a written confirmation that the terms of the transaction with that Related Party are fair, reasonable, and proportional to the interests of the shareholders of the VASP;
            b. it shall allow clients and shareholders to review its company records and any documents relating to those transactions; and
            c. VARA and/or the VASP’s clients and shareholders may take or join any legal action before a competent court regarding the transactions concluded with that Related Party to compel the parties of the transaction to provide all information and documents relating to those transactions, whether directly to prove the facts set out in the case relevant to it or to lead to the discovery of information that will help in the detection of the facts, and seek cancellation of the transaction and oblige that Related Party to return the profit or benefit gained back to the VASP, in addition to any compensation ordered to be payable by that Related Party.
           
          6. VASPs shall maintain a register of transactions with Related Parties where the names of such Related Parties shall be recorded together with relevant transactions and actions taken in relation thereto in detail.
          7. In addition to the requirement in Rule II.G.6 above and all other reporting requirements in the Compliance and Risk Management Rulebook, VASPs shall report all transactions with Related Parties to VARA monthly, or otherwise upon request by VARA, including the details of those transactions.
          8. VASPs shall provide any documents and other information relating to transactions with Related Parties as reasonably requested by VARA for the purposes of supervising the VASP’s compliance with this Rule II.G of this Company Rulebook.
           
        • H. Loans to the Board or Staff

          1. VASPs shall notify VARA and obtain approval prior to making any loan to a member of the Board, Senior Management or Responsible Individual.
          2. When making such notification, VASPs shall include full details of—
           
            a. the name of the member of the Board, Senior Management or Responsible Individual receiving the loan;
            b. the amount of the loan; and
            c. the purpose of the loan.
           
      • Part III – Fit and Proper Requirements

        • A. General Principles

          1. A Fit and Proper Person must—
           
            a. possess the necessary academic qualifications and in all cases, have relevant professional knowledge and/or industry qualifications, in each case, having regard to the nature of the functions to be performed;
            b. be honest, reputable, have integrity and uphold the ethical standards reasonably expected of their role;
            c. possess adequate relevant global Virtual Asset sector and management experience, or such experience in another relevant sector;
            d. possess a good understanding of the regulatory framework which governs the nature of the job or role and the market; and
            e. be financially sound.
           
          2. In assessing whether an individual is a Fit and Proper Person, VASPs should consider—
           
            a. the nature, scale and complexity of their business, including all VA Activities, and the nature and range of activities undertaken by such individual in the ordinary course of business; and
            b. whether such individual has the knowledge, skills, and experience to perform the specific role that the individual is intended to perform.
           
          3. In assessing an individual for a position within the Board, VASPs should ensure that, if such individual is appointed to the Board, the Board as a whole will at all times possess adequate knowledge, skills and experience to undertake the business activities of the VASP.
          4. In assessing whether an individual is a Fit and Proper Person, VARA will—
           
            a. consider all relevant factors in assessing the application of the fit and proper principles contained herein on a case-by-case basis, taking into account—
           
              i. the conditions of the Licence held by the VASP;
              ii. the business model of the VASP;
              iii. the market within which the VASP operates;
              iv. the governance structure, the internal control systems and the competence of the VASP’s Staff;
              v. decisions made by a relevant authority or regulatory body in respect of that individual, whether in the Emirate or in other jurisdictions;
              vi. the state of affairs of any other business which the individual carries on or proposes to carry on; and
           
            b. look to the substance of the requirements and the materiality of any failure to meet such requirements.
           
          5. VARA will not grant approval if it is not satisfied that the individual is a Fit and Proper Person.
          6. If an individual does not meet any individual elements set out in Part III of this Company Rulebook, VARA may nonetheless be satisfied that such individual is a Fit and Proper Person taking into account all relevant factors.
           
        • B. Qualification

          1. In assessing whether an individual is a Fit and Proper Person and qualified for the role for which the individual is being considered, the following factors shall be considered—
           
            a. whether the individual possesses a degree in the field relevant to the role. For the avoidance of doubt, this does not prevent someone who does not possess a degree in the relevant field from being employed for the role if such individual has relevant professional or industry qualification[s] and/or experience; and
            b. whether the individual has industry qualifications directly relevant to the activities to be performed by such individual in the role and it is demonstrable that such individual generally understands—
           
              i. the structure of the regulatory framework that applies to the job activities;
              ii. the particular Regulations, Rules, Directives and Guidance that apply to the functions that the individual would perform;
              iii. the fiduciary obligations owed to clients by the individual or the VASP;
              iv. the VA Activities which the individual helps the VASP to undertake; and
              v. the market in which the individual’s services are provided.
           
        • C. Industry Experience

          1. Relevant industry experience refers to hands-on working experience acquired through the carrying on of VA Activities in the Emirate or activities of a similar nature in other industries and/or jurisdictions.
          2. In assessing the relevance of an individual’s experience, VASPs must consider whether the substance of the experience is directly relevant or crucial to the VA Activities to be carried out by such individual.
          3. In assessing whether an individual has sufficient relevant industry experience, VASPs may consider such individual’s overall career history accumulated as a whole.
           
        • D. Management Experience

          1. In assessing whether an individual has management experience suitable for a role in the Board or the Senior Management, VASPs must consider whether such individual has hands-on working experience in supervising and managing essential VA Activities and staff in a business setting. To this end, management experience which is purely administrative would be less relevant.
           
        • E. Financial Status or Solvency

          1. An individual will not be considered to be a Fit and Proper Person if such individual—
           
            a. is an undischarged bankrupt, currently subject to bankruptcy proceedings or a bankrupt who has recently been discharged;
            b. is subject to receivership or other similar proceedings; and
            c. has failed to meet any judgment debt, having regard to the circumstances of such failure and the recency of such failure.
           
        • F. Honesty, Integrity and Reputation

          1. In assessing an individual’s honesty, integrity and reputation, VARA will have regard to all matters it deems relevant, including, but not limited to, the following which may have occurred in the Emirate or in other jurisdictions—
           
            a. whether the individual has been convicted of any criminal offence, with particular consideration given to offences of dishonesty, fraud, financial crime or an offence under laws relating to companies, banking, insolvency, money laundering and insider dealing;
            b. whether the individual has been the subject of any adverse finding or any settlement in civil proceedings, with particular consideration given to investment or other financial business, misconduct, fraud or the formation or management of a body corporate;
            c. whether the individual has been the subject of any existing or previous investigation or disciplinary proceedings or has been notified of any potential disciplinary proceedings or any investigation which might lead to those proceedings;
            d. whether the individual is or has been in breach of any regulatory requirements;
            e. whether the individual has been the subject of any justified complaint relating to VA Activities or similar business activities in any jurisdiction;
            f. whether the individual has been a director or a member of the senior management of a business that has gone into insolvency, liquidation or administration while the individual has been connected with that business or within one [1] year of that connection;
            g. whether the individual has been a party to a scheme of arrangement or entered into any form of compromise with a creditor involving any amount greater than AED 50,000;
            h. whether the individual has been dismissed for cause from employment or from a position of trust, fiduciary appointment, or otherwise found to be deficient in discharging their duties;
            i. whether the individual has been disqualified from acting as a director or in any managerial capacity; and
            j. whether, in the past, the individual has been candid and truthful in all dealings with any regulatory body and whether the individual demonstrates a readiness and willingness to comply with the requirements and standards of the regulatory system and all other applicable laws and regulatory requirements.
           
          2. For the avoidance of doubt, conviction for a criminal offence would not automatically bar an individual from being a Fit and Proper Person. VARA may consider the seriousness of the prior conviction and the circumstances surrounding the offence, including the explanation offered by such individual, the relevance of the offence to the individual’s role, the passage of time since the offence was committed and evidence of such individual’s rehabilitation.
          3. In considering the reputation of an individual, VARA shall consider whether the individual’s reputation has or might have an adverse impact upon the performance or perception in the market of the VASP.
           
        • G. Continuing Requirements

          1. When VASPs assess whether an individual remains a Fit and Proper Person, they shall assess the role such individual is actually performing at the time the assessment is done.
          2. If VARA is of the view that an individual is no longer a Fit and Proper Person, it may—
           
            a. revoke or suspend the approval granted to such individual or the Licence of the relevant VASP;
            b. publicly or privately reprimand such individual;
            c. prohibit such individual from applying again; and
            d. impose a fine or other non-financial penalties in the event of a material breach of this Part III of this Company Rulebook.
           
      • Part IV – Outsourcing Management

        • Introduction

          Whilst VARA recognises the potential benefit to VASPs of Outsourcing certain business activities to third-party Service Providers, Outsourcing poses a number of challenges from an operational and regulatory perspective. Outsourcing may increase a VASP’s dependency on a third party and potentially reduce its control over proprietary and client-related information and systems. This creates risks for the VASP in respect of business disruption, security of data and, in some cases, may create risks to investors in Virtual Assets and the wider market.
           
        • A. Application & Scope

          1. Application & scope
           
            a. In scope
           
              Subject to Rules IV.A.1.b and IV.A.1.c, this Part IV shall apply to all Outsourcing arrangements of VASPs.
           
            b. Out of scope
           
              The following shall not be treated as Outsourcing—
              i. a Function that is legally required to be performed by a Service Provider [e.g. statutory audit];
              ii. market information services [e.g. provision of data];
              iii. global network infrastructures; and
              iv. the acquisition of services that would otherwise not be undertaken by the VASP [e.g. advice from a lawyer, cleaning and gardening, post-room services, receptionists and switchboard operators], goods [e.g. office supplies, furniture] or utilities [e.g. electricity, gas, water, telephone line].
           
            c. Non-core systems or business
           
              An Outsourcing by a VASP to a Service Provider in relation to non-core systems which do not relate to its core business, or any service or task where a defect or failure in their performance would not materially impair the continuing compliance by the VASP with its Licence including all conditions, shall not fall within the scope of this Part IV of this Company Rulebook.
           
          2. Prohibited Outsourcing. VASPs must not enter into any Outsourcing arrangement that would materially impair—
           
            a. the quality of their internal controls; or
            b. the ability of VARA and other competent authorities to exercise their statutory rights or to monitor, supervise or audit the VASP’s compliance with all applicable laws or regulatory requirements.
           
          3. Specified officers. VASPs may enter into Outsourcing arrangements with respect to each of their MLRO, CISO and/or Data Protection Officer, provided that—
           
            a. any such Outsourcing complies with this Part IV of this Company Rulebook at all times;
            b. individuals appointed to any of the roles of MLRO, CISO and/or Data Protection Officer agree to individual responsibility to VARA during the licensing process or prior to being appointed;
            c. to the extent that such individual holds roles with more than one [1] VASP, VARA shall take this into consideration when assessing the individual’s ability to perform the duties required of their role and may impose requirements on the individual to maintain separation between such roles, including but not limited to implementing “Chinese Walls”; and
            d. whilst VASPs can Outsource such roles, they are encouraged to resource them in-house and VARA may in its sole discretion require a VASP to resource any of those roles with a full-time employee, either during the licensing process or any time thereafter.
           
          4. Outsourcing - other legal and regulatory obligations.
           
            a. To the extent applicable, VASPs must comply with the CBUAE Circular No. [14] of 2021 Outsourcing Regulation for Banks.
            b. VASPs must also consider, to the extent applicable to their Outsourcing arrangements—
           
              i. guiding principles for Outsourcing in financial services issued by the Technical Committee of the International Organisation of Securities Commissions, the Basel Committee on Banking Supervision, or any other international body promulgating standards for Outsourcing by financial services providers; and
              ii. any equivalent principles or regulations applicable to the VASP’s Group in other jurisdictions.
           
            c. Notwithstanding the above, VASPs must comply with all Rules, Directives and Guidance with respect to Outsourcing as may be specified by VARA from time to time, which shall supersede the other guidance and regulations mentioned in this Rule IV.A.4 of this Company Rulebook.
           
          5. Accountability. VASPs shall be ultimately responsible for compliance with their legal and regulatory obligations and shall be accountable to VARA for any and all Functions that such VASPs may Outsource to a Service Provider to the same extent as if the Function was performed in-house by the VASP.
           
        • B. Risk Assessment, Due Diligence and Controls

          1. Risk based approach. VARA recognises that Outsourcing arrangements exhibit a varying degree of risk and expects VASPs to take this into account in assessing and managing the relevant risks. Measures taken by a VASP must be commensurate with the degree of risk associated with the Outsourcing arrangements. Material Outsourcings shall be subject to additional requirements as set out in this Part IV of this Company Rulebook.
          2. Risk assessments.
           
            a. VASPs should have a process to assess the risk in relation to each Outsourcing arrangement they propose to enter into [including the variation or renewal of Outsourcing arrangements] and to identify if any such Outsourcing constitutes a Material Outsourcing. This assessment should be conducted prior to the commencement of an Outsourcing relationship and at least annually for the duration of such relationship.
            b. In respect of Outsourcing arrangements, the assessment of risk is dependent on the specific circumstances of each VASP. In assessing risk, factors that should be considered include but are not limited to the following—
           
              i. impact on the financial position, business operation, continuity of services, clients’ best interests, and reputation of the VASP upon the Service Provider’s failure to perform;
              ii. impact of the Outsourced activity on the ability of the VASP to comply with legal and regulatory requirements;
              iii. the scope, complexity and criticality of the service to be Outsourced;
              iv. impact of the Outsourced activity on internal control Functions of the VASP;
              v. cost of Outsourcing as a proportion to the total operating costs of the VASP;
              vi. the regulatory status of the Service Provider;
              vii. risks that are relevant to the geographical location of a Service Provider, including but not limited to those contained in Rule IV.F of this Company Rulebook; and
              viii. the degree of difficulty and time required to find an alternative Service Provider or to bring the Outsourced service in-house.
           
          3. Due diligence.
           
            a. Prior to selecting a Service Provider, VASPs must perform detailed due diligence in relation to the Service Provider to ensure that the Service Provider has the ability and capacity to undertake the provision of the Outsourcing effectively, reliably and to a high standard. This should include an assessment of the Service Provider’s quality of services, technical, managerial and human resources capacity, financial soundness, reputation and experience, licensing or regulatory status, extent of reliance on and control of subcontractors, compatibility with the VASP’s corporate culture and business strategies, familiarity with the Virtual Asset industry and capacity to keep pace with innovation in the market. Other considerations that may be relevant include aggregate exposure to a particular Service Provider, costs and possible conflicts of interest.
            b. During the conduct of an Outsourcing, VASPs should regularly [and in any event at least annually and as circumstances warrant] review the selected Service Provider to ascertain whether the Service Provider remains competent to provide the Outsourced service to the standards required.
           
        • C. Internal Governance – Outsourcing Policy and Register

          1. Prior to the Outsourcing of services and on an ongoing basis, VASPs should establish and maintain comprehensive Outsourcing policies, contingency plans and Outsourcing risk management programmes [Outsourcing Policy].
          2. Outsourcing Policy.
           
            a. An Outsourcing Policy should include, but not be limited to the following—
           
              i. the framework for a comprehensive assessment of risks involved in Outsourcing and identifying whether a proposed Outsourcing is a Material Outsourcing or not;
              ii. procedures for identifying, measuring, managing, mitigating, controlling and reporting the risks of an Outsourcing arrangement and any conflicts of interest;
              iii. the objectives of the Outsourcing and criteria for approving an Outsourcing arrangement;
              iv. procedures that clearly identify the Staff involved in the VASP and their roles and responsibilities with regard to Outsourcing arrangements;
              v. procedures that clearly identify the responsibilities of each party in respect of the Outsourcing and in particular what responsibilities have been retained by the VASP;
              vi. procedures to deal effectively with any act or omission by the Service Provider that leads, or might lead, to a breach of any law or regulation, and enact required remediation measures promptly; and
              vii. a review mechanism to ensure the Outsourcing policy can be updated as necessary to align with industry and regulatory developments as well as the VASP’s strategic development needs.
           
            b. VASPs must maintain a comprehensive register of all Outsourcing arrangements, including both those of the VASP itself and its Group, which must include the following key information for each Outsourcing arrangement, at a minimum—
           
              i. the name of each Service Provider;
              ii. a description of the scope of the Outsourced service;
              iii. location where the Outsourced service is being performed;
              iv. start and end date of the Outsourcing agreement;
              v. key points of contact for the Service Provider;
              vi. whether the Outsourcing arrangement is a Material Outsourcing;
              vii. whether the Outsourcing involves storage or processing of Personal Data [beyond the exchange of business contact information between the VASP and the Service Provider for administration purposes]; and
              viii. whether the Outsourcing arrangement involves any confidential information.
           
          3. Oversight of Outsourcing – monitoring the service.
           
            a. VASPs must manage identified risks associated with the Outsourcing activity and such Service Provider’s compliance with its contractual obligations as well as managing their relationship with the Service Provider, having regard to the risks presented by the Outsourced activity to the ongoing business of the VASP and its regulatory obligations.
            b. Monitoring should be assigned to Staff with appropriate expertise and cover the Service Provider’s contractual performance, financial soundness and risk profile, any material issues encountered in the provision of services and any remedial steps and mitigation measures taken in respect thereof. The monitoring and control processes and procedures of VASPs should be subject to regular reviews and audits to evaluate effectiveness and adequacy.
           
        • D. Outsourcing Agreements

          1. VASPs must ensure all Outsourcing arrangements are undertaken in the form of a legally binding written agreement which clearly sets out the relevant rights, liabilities and obligations of the Service Provider and the VASP. The contents and level of contractual protection required should reflect the risk level of the Outsourcing arrangement. VASPs should regularly review their Outsourcing agreements to assess whether it is necessary to renegotiate provisions to bring the agreements in line with current market standards and changes in the VASP’s business development strategies.
          2. The following matters should be taken into consideration by the VASP when negotiating the provisions of any Outsourcing agreement—
           
            a. performance standards to be achieved in respect of the Outsourced service, and consequences for failing to achieve such standards;
            b. delineation of intellectual property, proprietary information and asset ownership and rights;
            c. business continuity and contingency planning for the Outsourced service;
            d. controls and process for changes to the Outsourcing arrangement;
            e. guarantees or indemnities from the Service Provider; and
            f. mechanism to resolve disputes that might arise under the Outsourcing arrangement.
           
          3. Mandatory provisions for any Outsourcing. The following matters must be included in all legal agreements governing an Outsourcing—
           
            a. a clear description of the Outsourced Function to be provided;
            b. contractual assurance that the Service Provider is able to maintain processes and procedures for the continuous operation of the Outsourcing required by the VASP, in line with all applicable laws and regulatory requirements;
            c. contractual requirements to maintain an appropriate level of information security, risk management and service delivery commensurate with the profile of the Outsourcing arrangement;
            d. contractual requirements to protect confidential information and client data [as further specified in Rule IV.D.5 of this Company Rulebook below];
            e. provisions allowing that the data that is owned or controlled by the VASP can be accessed at any time by the VASP or a competent authority and, in particular, in the case of resolution or discontinuation of business operations of the Service Provider or if it is insolvent;
            f. notwithstanding Rule IV.E of this Company Rulebook below, conditions to be imposed in relation to sub-Outsourcing;
            g. clearly set out the obligations of existing Service Provider on termination to securely destroy data relating to the VASP or its clients; and
            h. the Outsourcing agreement should expressly allow the VASP to terminate the arrangement, in accordance with applicable laws, including in the following situations—
           
              i. where the Service Provider is in breach of applicable laws, regulations or in material breach of contractual provisions;
              ii. where there are material weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and
              iii. where instructions are given by a competent authority [including VARA] to terminate the Outsourcing agreement or where such competent authority expresses significant concern regarding the adequacy or prudence of any such Outsourcing agreement.
           
          4. Mandatory provisions for a Material Outsourcing. In addition to the mandatory provisions set out in Rule IV.D.3 of this Company Rulebook above, the following matters must be included in any legal agreement governing a Material Outsourcing—
           
            a. the start date and end date, where applicable, of the agreement and the notice periods for the Service Provider and the VASP;
            b. the parties’ financial obligations;
            c. the right of the VASP to monitor the Service Provider’s performance on an ongoing basis;
            d. the agreed service levels or performance standards, which should include precise performance targets for the Outsourced Function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met, including consequences if service levels or performance standards are not met;
            e. the reporting obligations of the Service Provider to the VASP, including—
           
              i. the communication [without undue delay] by the Service Provider of any breach of the VASP’s data [including confidential information]; or
              ii. any development that may have a material impact on the Service Provider’s ability to effectively carry out the Material Outsourcing in line with the agreed service levels, in compliance with all applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit Function of the Service Provider;
           
            f. the requirements to implement and test business contingency plans;
            g. the obligation of the Service Provider to cooperate with the competent authorities of the VASP, including other Entities appointed by them;
            h. the right of the VASP and competent authorities to inspect and audit the Service Provider as further specified in Rule IV.G.2 of this Company Rulebook;
            i. termination and exit assistance arrangements to ensure the smooth transfer of the Outsourced service either to another Service Provider or back to the VASP with minimal disruption. To this effect, the Outsourcing agreement should—
           
              i. clearly set out the obligations of the existing Service Provider in providing cooperation, reasonable assistance and transitional services on termination of the Outsourcing agreement, including the return, destruction or transfer of data; and
              ii. include a transition period, where necessary, during which the Service Provider, after the termination of the Outsourcing arrangement, continues to provide the service to reduce disruption;
           
            j. the requirement for the Service Provider to hold relevant and adequate insurance; and
            k. the location[s] [i.e. regions or countries] where Material Outsourcing will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the VASP if the Service Provider proposes to change the location[s].
           
          5. Client confidentiality and data.
           
            a. VASPs must take appropriate steps to monitor their relationships with Service Providers and ensure that adequate measures are taken to safeguard the confidentiality and integrity of client data.
            b. Notwithstanding all other requirements in the Technology and Information Rulebook, VASPs must ensure that Outsourcing arrangements comply with all applicable UAE laws and regulations in respect of managing and processing data [e.g. the PDPL]. This includes requiring the Service Provider to procure, in the event a Service Provider subcontracts part of the service to a sub-contractor, the sub-contractor’s compliance with all applicable laws and regulations. VASPs should ensure Service Providers are not permitted to provide any third party with access to confidential data of the VASP or its clients without obtaining the VASP’s prior written consent.
            c. VASPs should take into account any applicable legal, regulatory or contractual obligations to notify clients or any competent authority in the event of an unauthorised data access or breach. In the event of an unauthorised data access or breach, where the VASP is required to notify clients or a competent authority under applicable legal or regulatory obligations, the VASP shall notify VARA within the same legally required time periods.
            d. VASPs should ensure that all client data should be destroyed or returned to the VASP in the event of any termination of the Outsourcing arrangements, subject to applicable laws and regulatory requirements [e.g. recordkeeping requirements].
           
        • E. Sub-Outsourcing

          1. Before entering into any Outsourcing arrangements, VASPs must consider the additional risk that may be posed if the Service Provider is allowed to further contract part of the service to third parties.
          2. Sub-Outsourcing – all Outsourcing arrangements.
           
            a. Consent should be given to sub-Outsourcing only if the subcontractor undertakes to—
           
              i. comply with all applicable laws, regulatory requirements and contractual obligations; and
              ii. provide the same contractual rights of access and audit as those granted to the VASP and where applicable its regulators [including VARA] by the Service Provider.
           
            b. VASPs should ensure that no sub-Outsourcing engaged by the Service Provider will impede the Service Provider’s ability to comply with its contractual obligations to the VASP, including requirements on confidentiality of client data, information access and audit rights, and business continuity planning.
           
          3. Sub-Outsourcing – Material Outsourcing. The following requirements apply in relation to sub-Outsourcing in relation to all or part of a Material Outsourcing—
           
            i. the Outsourcing agreement should specify whether or not sub-Outsourcing is permitted; and
            ii. if sub-Outsourcing is permitted, the written Outsourcing agreement should—
           
              1. specify any types of activities that are not permitted to be sub-Outsourced;
              2. specify the conditions to be complied with in the case of sub-Outsourcing; specify that the Service Provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the Service Provider and the VASP are continuously met;
              3. include an obligation of the Service Provider to inform the VASP of any planned sub-Outsourcing, or material changes thereof, in particular where that might affect the ability of the Service Provider to meet its responsibilities under the Outsourcing agreement;
              4. ensure, where appropriate, that the VASP has the right to object to an intended sub-Outsourcing, or material changes thereof, or that explicit approval is required; and
              5. include provisions such that the VASP has the contractual right to terminate the agreement in the case of undue sub-Outsourcing [e.g. where the sub-Outsourcing materially increases the risks for the VASP or where the Service Provider sub-Outsources without notifying the VASP].
           
        • F. Cross-Border Outsourcing

          1. VASPs must take into account additional considerations in respect of Outsourcing to a Service Provider located outside of the UAE, including but not limited to the following factors in respect of the relevant jurisdiction which may affect the ability of an overseas Service Provider to fulfil the terms of an Outsourcing agreement or the ability of the VASP to monitor and control the Outsourced Function—
           
            a. economic, political or social conditions;
            b. differing legal or regulatory systems;
            c. sophistication of the technology and infrastructure; and
            d. reputational risk.
           
          2. VASPs must take active steps in managing such risks, including conducting additional due diligence on potential Service Providers located outside of the UAE to understand whether they will be able to safeguard confidential information and client data and effectively monitor the overseas Service Provider, as well as execute business continuity plans and exit arrangements. VASPs must ensure, by means of adequate contractual and practical arrangements, that overseas Service Providers implement and maintain robust and appropriate levels of information security and service delivery throughout the duration of the Outsourcing relationship.
          3. VASPs must ensure all applicable data protection laws are complied with in cross-border Outsourcing arrangements, including those in respect of international transfers of Personal Data.
          4. VASPs should consider the need to notify [and obtain consent from] their clients in respect of cross-border Outsourcing arrangements, including the jurisdiction in which the service is to be performed and any rights of access available to overseas authorities.
          5. In circumstances where an overseas authority requests access to the VASP’s information, the VASP should notify VARA and any affected clients as soon as possible, subject to the VASP’s compliance with applicable laws.
          6. VASPs must notify VARA prior to undertaking any cross-border Outsourcing and must ensure that the Outsourcing arrangement would not impede VARA’s ability to exercise its statutory rights and responsibilities, such as the rights of access and audit to information of the VASP.
           
        • G. Audit Rights

          1. Audit rights – all Outsourcing arrangements. VASPs should ensure within the written Outsourcing arrangement that it is able to review the Outsourced Function. The written Outsourcing arrangements should refer to the information gathering and investigatory powers of competent authorities under applicable laws, and VASPs should also preserve those rights with regard to Service Providers located in third countries.
          2. Audit rights – Material Outsourcing. VASPs should ensure within the written Outsourcing agreement in relation to a Material Outsourcing that they and their competent authorities [including VARA], and any other Entity appointed by them or the competent authorities, are granted the following—
           
              i. full access to all relevant business premises [e.g. head offices and operation centres], including the full range of relevant devices, systems, networks, information and data used for providing the service, including related financial information, personnel and the Service Provider’s external auditors; and
              ii. unrestricted rights of inspection and auditing related to the Outsourcing arrangement, to enable them to monitor the Outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements.
           
          3. Pooled audits.
           
            a. Without prejudice to their ultimate responsibility regarding Outsourcing arrangements, VASPs may use—
           
              i. pooled audits organised jointly with other clients of the same Service Provider and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently; and
              ii. third party certifications and third party or internal audit reports, made available by the Service Provider, if they ensure that the scope of the certification or audit report covers the systems, key controls and the compliance with relevant regulatory requirements and assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are valid, adequate and current.
           
            b. VASPs should assess whether third-party certifications and reports as referred to in Rule IV.G.3 of this Company Rulebook are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. VASPs should also retain the contractual right to perform individual audits at their discretion with regard to the Material Outsourcing.
           
        • H. Regulatory Notifications

          1. Notwithstanding all other notification requirements set out herein, VASPs must immediately notify VARA when they become aware of a material breach of the terms of a Material Outsourcing agreement they have with any Service Provider, or other material development in respect of a Material Outsourcing arrangement that has, or is likely to have, a significant impact on the operations, financial condition or reputation of the VASP.
          2. VASPs are required to notify VARA immediately of any issues that may have arisen that would materially affect their compliance with their legal and regulatory obligations.
          3. When a VASP intends to enter into any new Material Outsourcing arrangement or materially vary an existing Material Outsourcing arrangement, the VASP should notify VARA in advance providing relevant details of any such arrangement or amendment. In their notifications, VASPs should seek to satisfy VARA that all requirements of this Part IV of this Company Rulebook have been taken into account and properly addressed in its Material Outsourcing arrangements.
          4. VARA may object to any Material Outsourcing and/or raise areas of concern, which the VASP must remedy to VARA’s satisfaction prior to entering into any new Material Outsourcing arrangement or materially varying an existing Material Outsourcing arrangement.
           
      • Part V – Environmental, Social and Governance

        • Introduction

          This Part V sets out:
           
            Environmental, social and governance [ESG] disclosure requirements; and
            Potential scope and direction of further regulation of ESG by VARA.
           
          VARA acknowledges the importance of regulating and managing the ESG impact of VASPs, Virtual Assets and VA Activities. Accordingly, VARA will continue to monitor appropriate ways to regulate such impact and shall issue further Rules or Guidance where required.
           
        • A. Application

          1. VASPs shall satisfy ESG disclosure requirements as set out in this Part V of this Company Rulebook.
          2. During the licensing process, VARA will determine the ESG disclosure level required of each VASP, which shall be communicated to the VASP by VARA and required as a condition of the VASP’s Licence.
          3. In making such determination, VARA may consider, but shall not be limited to, the following factors with respect to the VASP and its Group—
           
            a. the number of Staff members or other personnel engaged by the VASP;
            b. turnover and/or other financial information; and
            c. business models and VA Activities.
           
          4. VASPs may choose at any time to comply with a higher ESG disclosure level than that set by VARA as a condition of its Licence.
          5. To the extent possible, VASPs should maintain the same ESG standard across its Group. Notwithstanding the preceding provisions of this Rule V.A of this Company Rulebook, such standards should be set and maintained at the highest level of any jurisdiction which is applicable to a VASP’s Group, including in respect of the VASP’s activities in the Emirate.
           
        • B. ESG Disclosure Levels

          1. VARA has established three different levels of ESG disclosure requirements, which it may add to or amend from time to time—
           
            a. Voluntary ESG Disclosure;
            b. Compliance ESG Disclosure; and
            c. Mandatory ESG Disclosure
            with Voluntary ESG Disclosure being the lowest and Mandatory ESG Disclosure being the highest.
           
        • C. Voluntary ESG Disclosure Requirements

          1. VARA may issue non-binding Guidance setting out “best practice standards” regarding the conduct of specified VASPs or classes of VASPs in respect of ESG issues. Such “best practice standards” could include considerations of sustainability that are consistent with such Entities’ investment management strategies [if applicable], and diversity and inclusion practices within a VASP.
          2. VASPs who comply with the Voluntary ESG Disclosure requirements understand that any compliance with the Guidance issued in accordance with Rule V.C.1 of this Company Rulebook is voluntary, though encouraged. However, VARA may require relevant VASPs to provide transparency into their ESG practices on a Compliance ESG Disclosure basis.
           
        • D. Compliance ESG Disclosure Requirements

          1. VASPs required to comply with a Compliance ESG Disclosure level will be required to explain their ESG strategies in the UAE [including but not limited to investment or operational strategies relating to Virtual Asset mining or staking] or otherwise provide relevant information, for the purpose of increasing transparency into a VASP’s ESG practices.
          2. VARA may require VASPs to make their ESG strategies or relevant information public and/or otherwise made available to Virtual Asset market participants.
           
        • E. Mandatory ESG Disclosure Requirements

          1. VASPs required to comply with a Mandatory ESG Disclosure level must establish practices and procedures to raise awareness of ESG-related activities and opportunities including providing relevant information on their websites and/or social media sites.
          2. VASPs which are required to comply with a Mandatory ESG Disclosure level must publish an annual ESG report which shall disclose, at a minimum—
           
            a. governance policies, metrics and targets relating to how the VASP identifies, assesses, and manages risks and opportunities relating to sustainability, diversity and inclusion;
            b. details on how material risks and opportunities relating to sustainability, diversity and inclusion are factored into the VASP’s overall business strategies and VA Activity processes, including, where relevant, the data and/or methodologies used in identifying investments [whether or not denominated in Virtual Assets] and talent; and
            c. factual summaries on the environmental and climate-related impact of data-intensive activities in the Virtual Asset sector.
           
          3. VASPs which are required to comply with a Mandatory ESG Disclosure level shall make publicly available, in a prominent place on their website, up-to-date information related to the diversity and inclusion initiatives undertaken by such VASPs.
           
        • F. Virtual Asset Mining and Data-Intensive Activities

          1. Notwithstanding a VASP’s ESG disclosure level, all VASPs which have investments in Virtual Asset mining or staking businesses or conduct or facilitate Virtual Asset mining or staking activities [including by way of selling equipment] shall make publicly available in a prominent place on their website, up-to-date information related to—
           
            a. the use of renewable and/or waste energy [e.g. hydroelectric energy, flared gas] by the VASP or its Group in the course of conducting Virtual Asset mining or staking activities [e.g. any renewable energy certificates purchased by the VASP and/or relevant Entities]; and
            b. initiatives relating to decarbonisation [e.g. purchase of carbon offsets] and emission reduction of Virtual Asset mining or staking activities.
           
          2. VARA may also require VASPs to provide the information referred to in Rule V.F.1 of this Company Rulebook in relation to other data-intensive activities.
           
        • G. Confidentiality

          1. VARA shall maintain information presented in ESG reports, or other ESG disclosures, on a confidential basis, provided VARA may, in its sole discretion, publicly disclose information gathered in such ESG reports, or during such other requests, on an anonymous basis.
          2. VASPs submitting ESG reports are deemed to consent to such anonymous, public disclosures, provided such disclosures are not required to be anonymous if they relate to an enforcement action commenced by VARA in accordance with the Regulations.
           
        • H. Service Providers to VASPs

          1. When selecting service providers, VASPs should carefully consider the impact of their decision to contract with a service provider on all stakeholders. This includes taking into account the VASP’s social and environmental responsibilities and whether the decision to contract with a service provider would have any negative impact on the VASP’s ability to discharge such responsibilities.
          2. With regard to service providers and, if applicable, their sub-contractors, VASPs should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on environmental protection and appropriate working conditions.
           
      • Part VI – Capital and Prudential Requirements

        • A. Application

            1. VASPs shall comply with the Rules in this Part VI of this Company Rulebook [Capital and Prudential Requirements].
           
        • B. Paid-Up Capital

          1. VASPs shall, at all times, hold and maintain paid-up capital in the following amounts [Paid-Up Capital]—
           
          VA Activity | Paid-Up Capital Requirement
          Advisory Services | AED 100,000.
          Broker-Dealer Services | Broker-Dealer Services using a VASP Licensed by VARA to provide Custody Services or otherwise approved during the licensing process: the higher of [i] AED 400,000; or [ii] 15% of fixed annual overheads. In all other instances, the higher of [i] AED 600,000; or [ii] 25% of fixed annual overheads.
          Custody Services | The higher of [i] AED 600,000; or [ii] 25% of fixed annual overheads.
          Exchange Services | Exchange Services using a VASP Licensed by VARA to provide Custody Services or otherwise approved during the licensing process: the higher of [i] AED 800,000; or [ii] 15% of fixed annual overheads. In all other instances, the higher of [i] AED 1,500,000; or [ii] 25% of fixed annual overheads.
          Lending and Borrowing Services | The higher of [i] AED 500,000; or [ii] 25% of fixed annual overheads.
          VA Management and Investment Services | VA Management and Investment Services using a VASP Licensed by VARA to provide Custody Services or otherwise approved during the licensing process: the higher of [i] AED 280,000; or [ii] 15% of fixed annual overheads. In all other instances, the higher of [i] AED 500,000; or [ii] 25% of fixed annual overheads.
          VA Transfer and Settlement Services | The higher of [i] AED 500,000; or [ii] 25% of fixed annual overheads.

           

          2. Where a VASP is Licensed by VARA to carry out more than one VA Activity, the VASP must hold the amount of Paid-Up Capital specified in Rule VI.B.1 of this Company Rulebook for each VA Activity for which the VASP is Licensed. In such instances, the VASP shall calculate the Paid-Up Capital required for each VA Activity using the fixed annual overheads for that VA Activity only, provided that in combination all Paid-Up Capital is mutually exclusive and collectively exhaustive such that the total fixed annual overheads of the VASP are accounted for in aggregate. VASPs must reconcile Paid-Up Capital on a monthly basis.
          3. Paid-Up Capital shall, at all times, be held and maintained in—
           
            a. a trust account with a licensed bank in the UAE with VARA stated as the beneficiary;
            b. a surety bond furnished by a surety company authorised to conduct business in the UAE, which shall have no end date and state VARA as a beneficiary; or
            c. any other manner as may be specified by VARA upon granting a Licence.
           
        • C. Net Liquid Assets

          1. VASPs shall at all times hold and maintain sufficient current liquid assets such that their surplus over current liabilities is worth at least 1.2 times their monthly operating expenses [Net Liquid Assets] as represented by the following calculation—
           
          Net Liquid Assets ≥ 1.2 x monthly operating expenses
           
          2. When calculating their Net Liquid Assets under Rule VI.C.1 of this Company Rulebook, VASPs must include such portion of their Operational Exposure to Virtual Assets [as agreed with VARA as a condition of their Licence] in their current liabilities, for the purposes of calculating their current liabilities.
          3. Net Liquid Assets shall be reconciled on a daily basis and reported to VARA monthly.
          4. Net Liquid Assets may be maintained in the following assets only—
           
            a. cash and cash equivalents, as defined in internationally recognised accounting standards; and
            b. Fiat-Referenced Virtual Assets referencing USD [or AED as approved by VARA] and where such Fiat-Referenced Virtual Assets, in all events, are backed by cash or cash equivalent [as defined in internationally recognised accounting standards] reserves denominated in the fiat currency referenced of not less than the market value of the Fiat-Referenced Virtual Asset in public circulation, or not yet redeemed.
           
        • D. Insurance

          1. VASPs must hold and maintain the following types of insurance adequate to the size and complexity of the business and VA Activities and in the manner specified by VARA in its Licence [Insurance]—
           
            a. professional indemnity insurance;
            b. directors’ and officers’ insurance;
            c. commercial crime insurance or similar types of insurance for all Virtual Assets stored in hot wallets; and
            d. any other type of insurance as assessed by VARA to be appropriate for a VASP’s business and VA Activities and stipulated in the conditions to its Licence.
           
          2. All Insurance must be held and maintained with a regulated insurer.
          3. Insurance may be held in the name of another Entity in the VASP’s Group, provided that the relevant policy—
           
            a. explicitly states the VASP as an insured party; and
            b. states the level of cover applicable to the VASP.
           
          4. VARA may apply discretion during the licensing process if, for proven and demonstrated reasons the requirements in Rule VI.D.1 of this Company Rulebook cannot be met, provided that VASPs shall be required to protect against the risks that such Insurance is designed to cover through other means which will be specified by VARA as a condition of a Licence.
           
        • E. Reserve Assets

          1. VASPs shall, at all times, maintain reserve assets equivalent to one hundred percent [100%] of the liabilities owed to clients with respect to all VA Activities [Reserve Assets].
          2. VASPs must hold Reserve Assets on a one-to-one basis in the same Virtual Asset that liabilities are owed to its clients.
          3. Reserve Assets must be reconciled on a daily basis and audited by an independent third-party auditor no less than every six [6] months. VASPs shall include such audit reports as part of the subsequent quarterly report to VARA required in the Compliance and Risk Management Rulebook.
           
        • F. Notifications and other Requirements

          1. VASPs shall notify VARA immediately if, at any time, it is unable to maintain or fails to meet the Paid-Up Capital, Net Liquid Assets, Insurance or Reserve Assets requirements above and such notification shall include details of—
           
            a. all deficit amounts;
            b. the causes of the failure;
            c. remedial actions that have been, and will be, taken to rectify the breach; and
            d. the expected timeline for such remedial actions to be completed.
           
          2. VASPs shall provide updates to VARA on a daily basis in respect of any notification under Rule VI.E.1 of this Company Rulebook above, unless otherwise directed by VARA or until the VASP confirms and VARA is satisfied that it has rectified all failures and is in compliance with all requirements.
          3. Notwithstanding all other requirements in the Compliance and Risk Management Rulebook, VASPs shall establish and maintain clear procedures to monitor and identify all sources of risks or potential risks that may impact its operation and shall consider the potential adverse impact of such risks on its level of Paid-Up Capital, Net Liquid Assets, Insurance or Reserve Assets.
          4. VARA may require VASPs to hold and maintain additional Paid-Up Capital, Net Liquid Assets, Insurance or Reserve Assets based on the size, scope, geographic exposure, complexity and nature of the VA Activities and operations of a VASP.
           
      • Part VII – Insolvency and Wind Down

        • Introduction

          The purpose of this Part VII is to provide for the safeguarding and stable operations of Virtual Asset markets by introducing procedures for:
           
            a VASP that elects to discontinue its business or operations; and
            a VASP that is Insolvent or subject to Insolvency Proceedings.
           
        • A. Wind Down Plan

          1. In the event that a VASP elects to discontinue its business or operations where it is not Insolvent or subject to Insolvency Proceedings, the VASP will implement a wind down plan, subject to approval by VARA, which shall include the following—
           
            a. processes for identifying and mitigating any material risk or obstacles to winding down in an orderly and timely manner;
            b. an evaluation of the resources that are needed to facilitate an orderly and timely wind down;
            c. internal controls and procedures to ensure the safekeeping and prompt onward transferring of clients’ Virtual Assets [including returning Virtual Assets to clients];
            d. personnel management and exit arrangements;
            e. communications strategy [including the provision of clear and timely disclosures to all clients];
            f. knowledge transfer as required to support migration of VA Activities and all relevant operations to alternate VASPs;
            g. system redundancies and retention of records;
            h. continue to maintain a surety bond until completion of the wind down process;
            i. discontinue taking on new clients; and
            j. identify and itemise all current and contingent liabilities.
           
        • B. Insolvency

          1. In the event a VASP is subject to Insolvency Proceedings, the VASP will co-operate fully with the Insolvency Appointee to implement the wind down plan as set out in Rule VII.A.1 of this Company Rulebook as the Insolvency Appointee deems to be commensurate with the duties and obligations imposed by the relevant Insolvency Proceedings.
           
      • Part VIII – Material Change to Business or Control

        • A. No Material Change

          1. VASPs shall obtain VARA’s written approval prior to—
           
            a. facilitating any development or occurrence of Material Change to themselves; or
            b. entering into any business or conducting any VA Activity, directly or indirectly, except for those business[es] and VA Activity[ies] in which the VASP and its Subsidiaries are engaged on the date of the Licence being granted and authorised by VARA.
           
          2. VASPs shall not create, incur, assume, permit to exist or otherwise become liable with respect to any debt that could be reasonably expected to cause a Material Change.
          3. VASPs shall not cause any occurrence of a Material Change. In the event that the acquisition or disposal by a VASP could reasonably be expected to cause a Material Change, such VASP shall immediately cease the acquisition or disposal.
          4. Without obtaining VARA’s prior written approval, VASPs may not implement any changes to its VA Activities authorised under the Licence, including the—
           
            a. addition of any VA Activity; or
            b. material modification of the scope of any VA Activity.
           
          5. VASPs shall ensure that any change in their business plan covering internal controls, organisational structure, contingency plans and related matters could not be reasonably expected to cause a Material Change.
          6. VASPs shall ensure that any change under Rules VIII.A.1-5 of this Company Rulebook in aggregate could not reasonably be expected to cause a Material Change.
           
        • B. Cessation of Business

          1. VARA may revoke or suspend a Licence [in relation to all or certain VA Activities], if a VASP does not—
           
            a. carry out all or some of the VA Activities authorised under the Licence for an extended period; and
            b. notify VARA of its plan to reinstate or carry out relevant VA Activities.
           
          2. In the event that a VASP intends to cease to carry out any VA Activities authorised under the Licence, it shall notify VARA and request a revocation of either—
           
            a. in the event that all VA Activities authorised under a Licence are to be ceased, the Licence; or
            b. in the event that only some of the VA Activities authorised under a Licence are to be ceased, the VA Activities to be ceased.
           
          3. VASPs shall notify VARA as soon as reasonably practicable and in any event not later than thirty [30] Working Days before such intended cessation.
           
        • C. Change of Control

          1. No action shall be taken, except with the prior written approval of VARA, that may result in a change of Control of a VASP.
          2. Prior to any change of Control, the VASP, together with the Entity seeking to acquire Control of the VASP, shall submit a written application to VARA in a form and substance acceptable to VARA, including but not limited to detailed information about the Entity.
          3. VARA may determine upon application that any Entity does not, or upon the taking of some proposed action will not, Control another Entity. Such determination shall be made within thirty [30] Working Days or such further period as VARA may prescribe. The filing of an application pursuant to this Part VIII of this Company Rulebook in good faith by any Entity shall relieve the applicant from any obligation or liability imposed by this Part VIII of this Company Rulebook with respect to the subject of the application until VARA has acted upon the application. VARA may revoke or modify its determination whenever, in its sole and absolute discretion, revocation or modification is consistent with this Part VIII of this Company Rulebook. VARA may consider the following factors in making such a determination—
           
            a. whether such Entity’s purchase of shares is made solely for investment purposes and not to acquire Control over the VASP;
            b. whether such Entity could direct the Board or Staff, or otherwise influence the policies of the VASP;
            c. whether such Entity could propose directors in opposition to nominees made by the shareholders of the VASP;
            d. whether such Entity could solicit or participate in soliciting proxy votes with respect to any matter presented to the shareholders of the VASP; or
            e. any other factor that indicates such Entity would or would not exercise Control of the VASP.
           
          4. VARA shall approve or deny every application for a change of Control of a VASP hereunder within thirty [30] Working Days from the filing of an application deemed by VARA to be complete. Such period of thirty [30] Working Days may be extended by VARA, for such additional reasonable period of time as may be required to enable compliance with the requirements and conditions of this Part VIII of this Company Rulebook.
          5. In determining whether to approve a proposed change of Control, VARA shall, among other factors, take into consideration the public interest and the needs and convenience of the public in the Emirate.
           
        • D. Mergers and Acquisitions

          1. No action shall be taken, except with the prior written approval of VARA, that may result in a merger or acquisition of all or a substantial part of the assets of a VASP.
          2. Prior to any such merger or acquisition, an application containing a written plan of merger or acquisition shall be submitted to VARA by the Entities that are to merge or by the acquiring Entity, as applicable. Such plan shall be in form and substance satisfactory to VARA, and shall specify each Entity to be merged, the surviving Entity, or the Entity acquiring all or substantially all of the assets of the VASP, as applicable, and shall describe the terms and conditions of the merger or acquisition and the mode of carrying it into effect.
          3. VARA shall approve or deny a proposed merger or a proposed acquisition of all or a substantial part of the assets of a VASP within thirty [30] Working Days after the filing of an application that contains a written plan of merger or acquisition and is deemed by VARA to be complete. Such period of thirty [30] Working Days may be extended by VARA, for such additional reasonable period of time as may be required to enable compliance with the requirements and conditions of this Part VIII of this Company Rulebook.
          4. In determining whether to approve a proposed merger or acquisition, VARA shall, among other factors, take into consideration the public interest and the needs and convenience of the public in the Emirate.
           
      • Schedule 1 – Definitions

        Term Definition
        “Advisory Services” has the meaning ascribed to it in Schedule 1 of the Regulations.
        “Board” means the board of directors of a VASP.
        “Broker-Dealer Services” has the meaning ascribed to it in Schedule 1 of the Regulations.
        “Capital and Prudential Requirements” has the meaning ascribed to it in Rule VI.A.1 of this Company Rulebook.
        “CBUAE” means the Central Bank of the United Arab Emirates.
        “Chief Information Security Officer” or “CISO” has the meaning ascribed to it in the Technology and Information Rulebook.
        “Company Rulebook” means this Company Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Company Secretary” has the meaning ascribed to it in Rule I.E.1 of this Company Rulebook.
        “Compliance and Risk Management Rulebook” means the Compliance and Risk Management Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Compliance ESG Disclosure” means the compliance ESG disclosure level defined in Part V of this Company Rulebook.
        “Compliance Officer” or “CO” has the meaning ascribed to it in the Compliance and Risk Management Rulebook.
        “Control” means the possession, directly or indirectly [including but not limited to by way of acting jointly or in concert with one or more Entities], of the power to influence, direct or cause the direction of the management and policies of a VASP whether through the ownership of shares of such VASP, the shares of any Entity that possesses such power, or any other means.
        Control shall be presumed to exist if an Entity, directly or indirectly [including but not limited to by way of acting jointly or in concert with one or more Entities], owns, controls, or holds with power to vote with twenty-five percent [25%] or more of the voting shares of a VASP or of any Entity that owns, controls, or holds with power to vote with twenty-five percent [25%] or more of the voting shares of such VASP, or who have the right to appoint or dismiss the majority of the Board or Senior Management. No Entity shall be deemed to control another Entity solely by reason of them being an officer or director of such other Entity.
        “Controlling Entity” means an Entity which has Control over a VASP.
        “Critical or Important Function” means a Function whose discontinued or defective performance would materially impair—
        [a] the continuing compliance of a VASP with the conditions and obligations of its Licence;
        [b] its compliance with its other legal obligations;
        [c] its financial performance; or
        [d] the soundness or continuity of its core business activities.
        “Custody Services” has the meaning ascribed to it in Schedule 1 of the Regulations.
        “Data Protection Officer” or “DPO” has the meaning ascribed to it in the Technology and Information Rulebook.
        “Decentralised Autonomous Organisation” or “DAO” means, generally, any organisation autonomously governed or otherwise managed by a decentralised network, group or collection of Entities, by way of public or private voting mechanisms, whether utilising Distributed Ledger Technology or other means.
        “Directive” has the meaning ascribed to it in the Regulations.
        “Distributed Ledger Technology” or “DLT” has the meaning ascribed to it in the Dubai VA Law.
        “Dubai VA Law” means Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai, as may be amended from time to time.
        “Emirate” means all zones across the Emirate of Dubai, including Special Development Zones and Free Zones but excluding the Dubai International Financial Centre.
        “Entity” means any legal entity or individual.
        “ESG” means environmental, social and governance.
        “Exchange Services” has the meaning ascribed to it in Schedule 1 of the Regulations.
        “Fiat-Referenced Virtual Asset”
        means a type of Virtual Asset that purports to maintain a stable value in relation to the value of one or more fiat currencies, can be digitally traded and functions as—
        [a] a medium of exchange;
        [b] a unit of account; and/or
        [c] a store of value,
        but does not have legal tender status in any jurisdiction. A Fiat-Referenced Virtual Asset is neither issued nor guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the Fiat-Referenced Virtual Asset.
        “Fit and Proper Person” means an individual who complies with all fit and proper requirements in Part III of this Company Rulebook.
        “Function” means a service, process, activity or role.
        “Group” means a VASP and any Entity under the same Control with the VASP.
        “Insolvency Appointee” means a liquidator, receiver, administrator, compulsory manager, trustee or similar officer appointed in respect of an Entity or its assets.
        “Insolvency Proceedings” has the meaning ascribed to it in the Regulations.
        “Insolvent” has the meaning ascribed to it in the Regulations.
        “Insurance” has the meaning ascribed to it in Rule VI.D.1 of this Company Rulebook.
        “Lending and Borrowing Services” has the meaning ascribed to it in Schedule 1 of the Regulations.
        “Licence” has the meaning ascribed to it in the Regulations.
        “Licensed” means having a valid Licence.
        “Mandatory ESG Disclosure” means the mandatory ESG disclosure level defined in Part V of this Company Rulebook.
        “Market Conduct Rulebook” means the Market Conduct Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Material Change” means a change in, or relating to, a VASP with respect to its business and operations [including its VA Activities] and its Group which, taken as a whole, could reasonably be expected to have a significant effect on the VASP’s business model, operations, VA Activities, and/or ability to comply with all applicable laws and regulatory requirements.
        “Material Outsourcing” is an Outsourcing that includes a Function that is a Critical or Important Function.
        “Money Laundering Reporting Officer” or “MLRO” has the meaning ascribed to it in the Compliance and Risk Management Rulebook.
        “Net Liquid Assets” has the meaning ascribed to it in Rule VI.C.1 of this Company Rulebook.
        “Operational Exposure” means an amount representing the value of Virtual Assets at risk of loss, dissipation, devaluation or inaccessibility in the event of operational, procedural, counterparty, settlement or other failure experienced by the VASP.
        “Outsourcing” means an arrangement where a Service Provider performs a process, service or activity on behalf of a firm which the firm would otherwise carry out itself on a recurrent or ongoing basis. It is intended to include only those services that were or can be delivered by internal Staff and management, and may include both regulated and unregulated Functions.
        “Outsourcing Policy” has the meaning ascribed to it in Rule IV.C.1 of this Company Rulebook.
        “Paid-Up Capital” has the meaning ascribed to it in Rule VI.B.1 of this Company Rulebook.
        “PDPL” means the Federal Decree-Law No. [45] of 2021 on the Protection of Personal Data.
        “Personal Data” has the meaning ascribed to it in the PDPL.
        “Politically Exposed Person” has the meaning ascribed to it in Cabinet Decision No. [10] of 2019 Concerning the Implementing Regulation of Decree Law No. [20] of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, as may be amended from time to time.
        “Regulations” means the Virtual Assets and Related Activities Regulations 2023, as may be amended from time to time.
        “Related Party” means the chairman of the Board, members of the Board, members of the Senior Management, Staff and the companies in which any of such Entities owns ten percent [10%] or more of its share capital or other ownership interest, as well as the Subsidiaries or affiliate companies of such companies.
        “Reserve Assets” has the meaning ascribed to it in Rule VI.E.1 of this Company Rulebook.
        “Responsible Individuals” has the meaning ascribed to it in Rule I.C.1 of this Company Rulebook.
        “Rule” has the meaning ascribed to it in the Regulations.
        “Rulebook” has the meaning ascribed to it in the Regulations.
        “Senior Management” means the executive management of a VASP responsible and accountable to the Board for the sound and prudent day-to-day management of the VASP, generally including but not limited to, the chief executive officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions, or as equivalent roles may be titled.
        “Service Provider” means an Entity that contracts with a VASP for the provision of any aspect of the VASP’s functions. The Service Provider may be within or outside the Emirate and may be an independent third party or an Entity related to the VASP.
        “Staff” means all individuals working for a VASP including the members of the Senior Management but excluding members of the Board. If an individual is both a member of the Senior Management and a member of the Board, then such individual is also considered as Staff.
        “Subsidiary” means a company of which an Entity, or such Entity’s Subsidiary[ies], own[s] directly or indirectly more than fifty percent [50%] of the voting capital or similar right of ownership.
        “Technology and Information Rulebook” means the Technology and Information Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “UAE” means the United Arab Emirates.
        “Ultimate Beneficial Owner” or “UBO”
        means—
        [a] individuals who ultimately own or have Control; or
        [b] if no individual satisfies [a] above, then an individual with the highest position in Senior Management.
        “VA Activity” means the activities listed in Schedule 1 of the Regulations, as may be amended from time to time.
        “VA Management and Investment Services” has the meaning ascribed to it in Schedule 1 of the Regulations.
        “VA Transfer and Settlement Services” has the meaning ascribed to it in Schedule 1 of the Regulations.
        “VARA” means the Dubai Virtual Assets Regulatory Authority.
        “VASP” means an Entity Licensed by VARA to conduct VA Activity[ies] in the Emirate.
        “Virtual Asset” or “VA” has the meaning ascribed to it in the Dubai VA Law.
        “Voluntary ESG Disclosure” means the voluntary ESG disclosure level defined in Part V of this Company Rulebook.
        “Working Day” means any day which is not a weekend or public holiday in the Emirate.

         

    • Compliance and Risk Management Rulebook

      • Introduction

        The Dubai Virtual Assets Regulatory Authority [VARA] was established and authorised by Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai [Dubai VA Law] to regulate Virtual Asset Service Providers [VASPs].
         
        This Compliance and Risk Management Rulebook is issued pursuant to, and forms part of, the Virtual Assets and Related Activities Regulations 2023 [the Regulations] issued by VARA and applies to all VASPs Licensed by VARA to carry out any VA Activity in the Emirate.
         
        This Compliance and Risk Management Rulebook applies in addition to all other requirements in the Regulations as may be in force from time to time. As such, VASPs Licensed by VARA to carry out any VA Activity must also comply with the following Rulebooks applicable to all VASPs:
         
          Company Rulebook;
          Technology and Information Rulebook;
          Market Conduct Rulebook; and
          All Rulebooks specific to the VA Activities that a VASP is Licensed by VARA to carry out.
         
        Capitalised terms in this Compliance and Risk Management Rulebook have the meanings ascribed to them in the Regulations or as otherwise defined herein or provided in Schedule 1.
         
        Unless otherwise stated, all requirements in this Compliance and Risk Management Rulebook are Rules and have binding effect.
         
      • Part I – Compliance Management

        • Introduction

          Part I of this Compliance and Risk Management Rulebook sets out:
           
            General principles for regulatory compliance;
            The implementation of a compliance management system including appointing a Compliance Officer [CO];
            Management, operations and information risk;
            Record keeping and audit; and
            Employee management and training.
           
        • A. General Principles

            VASPs shall comply with the spirit of the following principles when conducting all their business from or through, or servicing the Emirate, including all VA Activities.
           
          1. Integrity – honesty and fairness: VASPs should act truthfully, justly and equitably, in good faith serving the best interests of their clients, yet at all times preserving market integrity.
          2. Diligence: VASPs should act with due skill, care and diligence reasonably expected of a VASP of a similar nature and/or catering to a similar activity.
          3. Capabilities: VASPs should have, and effectively employ necessary resources [financial, technical or otherwise] and procedures for the sound, effective and efficient operation of their business, including VA Activities.
          4. Client assets: VASPs should ensure that client assets are promptly and properly accounted for, and adequately safeguarded.
          5. Effective disclosures: VASPs should ensure that any disclosure is clear, concise and effective, and contains information necessary for their clients to make an informed decision and be kept up-to-date. VASPs should dispatch information in a timely manner if ongoing disclosure is required by relevant authorities, including VARA, or under any fiduciary duty owed by VASPs to their clients.
          6. Compliance: VASPs should devise effective strategies to ensure ongoing compliance with—
           
            a. all legal and regulatory requirements [including any conditions in respect of a Licence] applicable to the conduct of their business, including VA Activities; and
            b. their own constitutional documents, internal policies and controls,
            so as to promote the best interests of their clients and for promoting the integrity of the market.
           
          7. Dealings with regulators. VASPs should act in an open and transparent manner with regulators at all times, including VARA.
           
        • B. Compliance Management System

          1. VASPs shall establish and maintain an effective compliance management system [CMS] which—
           
            a. covers all relevant aspects of their operations, including the unfettered access to necessary records and documentation by the Board and relevant Staff;
            b. is independent of all operational and business functions;
            c. ensures that the CO is notified of any material non-compliance promptly;
            d. comprises technical competence, resources [including financial and non-financial] and experience necessary for the performance of their functions; and
            e. comprises a testing and monitoring programme that is risk-based and designed to regularly select and review different areas of the business and analyse key performance and risk indicators,
            in order to allow them to identify potential compliance violations and to ensure that they comply with all applicable laws and regulatory requirements, and their own internal policies and procedures at all times.
           
          2. The CO shall ultimately be responsible for establishing and administering the CMS and notifying VARA and other relevant authorities of the occurrence of any material non-compliance by the VASP, its Board or its Staff with applicable legal and regulatory requirements.
          3. VASPs shall establish, maintain and enforce clear and detailed compliance policies and procedures to enable all Staff and the Board to—
           
            a. comply with all applicable legal and regulatory requirements at all times, including all conditions in respect of a Licence, record keeping, business practices, AML/CFT, and compliance with relevant client, proprietary and Staff dealing requirements;
            b. ensure that client complaints are handled properly with appropriate remedial action. Complaints should be handled and investigated by Staff who are not directly involved in the subject matter of the complaint; and
            c. have access to all necessary information required to perform a business transaction.
           
          4. The CMS and the compliance policies and procedures shall be reviewed and updated from time to time to ensure that they are aligned with the changing business and regulatory landscape applicable to the global Virtual Asset sector.
          5. VASPs shall ensure that all Staff performing compliance functions are Fit and Proper Persons and possess the necessary skills, qualifications and experience for their roles.
          6. To the extent that VASPs carry out any VA Activities or similar business activities anywhere other than the Emirate, VASPs shall comply with all applicable law and regulatory requirements in any jurisdiction in which they carry out such VA Activities or similar business activities.
           
        • C. Duties of the Compliance Officer

          1. VASPs shall appoint a CO who—
           
            a. possesses at least five [5] years of relevant experience in a compliance function;
            b. is a Fit and Proper Person as approved by VARA;
            c. is a resident in the UAE or holds a UAE passport;
            d. is a full-time employee of the VASP; and
            e. reports directly to the Board.
            Such appointment shall be reviewed annually to ensure that the CO remains a Fit and Proper Person capable of discharging all relevant duties. VARA has the sole discretion to request a VASP to provide such evidence as VARA may require which shows that the above requirements are satisfied.
           
          2. The CO shall be responsible for—
           
            a. ensuring Staff, including Senior Management, are properly and adequately trained in respect of their understanding and compliance with all applicable laws and regulatory requirements, including those relating to consumer protection and AML/CFT;
            b. developing and implementing compliance policies and procedures, including a Business Continuity and Disaster Recovery Plan [BCDR Plan] as required in the Technology and Information Rulebook;
            c. assessing emerging issues and risks;
            d. reporting compliance activities and compliance audits to the Board; and
            e. if necessary, ensuring appropriate corrective actions are taken in response to deficiencies in the CMS and/or non-compliance with any applicable laws or regulatory requirements.
           
          3. Compliance activities may be delegated to appropriate professionals, provided that—
           
            a. the CO shall continue to be held accountable for all responsibilities and obligations in relation to the implementation of the CMS; and
            b. all applicable requirements in the Company Rulebook, including Outsourcing management requirements, are complied with.
           
          4. Subject to relevant requirements in the Company Rulebook and if deemed appropriate by the VASP, the CO may hold more than one [1] non-client facing role within the VASP, provided such roles do not create conflicting duties, including but not limited to, the Money Laundering Reporting Officer [MLRO] and the head of the risk function. VARA will take into account other roles held by the CO in determining whether the individual is a Fit and Proper Person.
           
        • D. Risk Management

          1. VASPs shall establish and maintain—
           
            a. an effective risk management function;
            b. policies and procedures; and
            c. risk measurement and reporting methodologies,
            commensurate with the nature, size, complexity, and risk profile of the VASP in order to identify, measure, quantify, manage and monitor the risks, whether financial, technological or otherwise, to which they are or may be exposed. Such policies and procedures should be followed strictly to ensure that risks are maintained at acceptable and appropriate levels.
           
          2. The risk management function should consist of a sufficient number of suitably qualified and experienced Staff. The head of the risk function of a VASP must have the appropriate qualifications and authority to oversee and monitor the overall risk exposures of the VASP. The CO may also be the head of the risk function. If the head of the risk function is a separate individual from the CO, the head of the risk function must also report directly to the Board of the VASP.
          3. The Board shall ensure that the risk management policies are subject to ongoing comprehensive review, particularly when there is a material change in the VASP’s business, operations or Senior Management or Staff, or to the market conditions and applicable laws and regulations that may affect the risk exposure of the VASP.
          4. The head of the risk function of a VASP shall submit risk exposure reports to the Board which identify and report all actual or potential risks. Such reports must be submitted to the Board at least once every quarter, or more frequently if required for the VASP to address a specific risk which has been identified.
          5. The effectiveness of the risk management policy of each VASP will depend on the types of risks associated with the VASP and its business operations, including the VA Activities it carries out. The key types of risks that must be considered by all VASPs, and reported in the risk exposure reports under Rule I.D.4 of this Compliance and Risk Management Rulebook above to the extent they are applicable, and the mitigating measures which must be adopted for each type of risk include, but are not limited to—
           
            a. Financial stability risks.
           
              i. Financial soundness: Risks arising when a VASP lacks the necessary capital, liquidity or reserves to run operations [both in the going-concern and wind-down scenario] and meet all commitments to its clients, including but not limited to when a VASP is likely to be unable to comply with any of its Capital and Prudential Requirements in the Company Rulebook.
              ii. Market risk: Risks arising from the type and nature of market risk undertaken by the VASP [e.g. the nature of market risk exposure of the VASP’s services and VA Activities]. In relation to such risks, VASPs shall adopt mitigating measures including but not limited to—
           
                1. regular control techniques to monitor market risks, including conducting regular reviews of financial statements and the value of their Virtual Asset holdings; and
                2. establish and maintain effective risk management measures to quantify the impact of changing market conditions on themselves and their clients. Factors to be considered include—
           
                  (a) unspecified adverse market movements [including but not limited to “flash crashes”, catastrophic risk or tail events], by using an appropriate value-at-risk model or other methodology to estimate potential loss;
                  (b) individual market factors, to measure the sensitivity of the VASP’s risk exposure to specific market risk factors; and
                  (c) stress testing, determining the effect of material changes in market conditions [whether or not specific to Virtual Asset markets] on the VASP using quantitative and qualitative variable assumptions.
           
              iii. Credit risks: Risks arising from the type and nature of credit risk undertaken by the VASP [e.g. the nature and level of credit risk exposure of the VASP’s services and VA Activities]. In relation to such risks, VASPs shall adopt mitigating measures, at both an individual account and consolidated account level, including but not limited to—
           
                1. establish and maintain an effective credit rating system to evaluate the creditworthiness of their clients and counterparties;
                2. adopt clearly defined objective measures to evaluate potential clients and counterparties and to determine or review the relevant credit ratings which are used to set appropriate credit, trading and position limits for all clients and counterparties, which shall be enforced at all times;
                3. use appropriate quantitative risk measurement methodologies to effectively calculate and monitor the credit exposure of the VASP in relation to clients and counterparties, including pre-settlement credit exposures and settlement risks. Credit risks posed by all clients and counterparties belonging to the same group of Entities can be aggregated for the purpose of measuring the credit exposure of the VASP;
                4. if applicable in respect of the VA Activities of the VASP, establish and maintain all policies in respect of margin required under any Rulebook, which notwithstanding all other requirements in those Rulebooks should include—
           
                  (a) the types of margin which may be called, the applicable margin rates and the method of calculating the margin;
                  (b) the acceptable methods of margin payment and forms of collateral;
                  (c) the circumstances under which a client or counterparty may be required to provide margin and additional margin, and the consequences of a failure to meet a margin call, including the actions which the VASP may be entitled to take; and
                  (d) applicable escalation procedures where a client or counterparty fails to meet successive margin calls.
           
              iv. Liquidity risks: Risks arising from the type and nature of the VASP’s liquidity or asset and liability mix. In relation to such risks, VASPs shall adopt mitigating measures including but not limited to—
           
                1. enforce concentration limits with respect to particular products, markets and counterparties, taking into account their liquidity profile and the liquidity profile of the VASP;
                2. regularly monitor any maturity mismatch between sources and funding requirements and concentrations of individual Virtual Assets, markets and counterparties; and
                3. establish clear default procedures to alert relevant Staff and Senior Management to potential liquidity problems and to provide such Staff and Senior Management with sufficient time to minimise the impact brought by any client’s or counterparty’s liquidity issues.
           
            b. Market conduct risks.
           
              i. Business strategy: Risks arising from the overall strategy and current sources of business of the VASP [e.g. strategic planning process and achievability of strategy].
              ii. Client onboarding risks: Risks arising from onboarding clients [individuals and corporates]. This refers to the level of client due diligence [CDD] applied, such as sanction screening, risk rating and watchlist screening.
              iii. Organisation and regulation: Risks arising from the structure of a VASP, the characteristics and nature of responsibilities of UBOs, Board members and Senior Management responsibilities.
              iv. Operational risks: Risks arising from the type and nature of operational risk involved in the VASP’s activities [e.g. direct or indirect loss from inadequate or failed internal processes, systems or external events].
              v. Quality of management & corporate governance: Risks arising from the quality of the VASP’s management, the nature of the corporate governance, management information and compliance culture, including but not limited to non-compliance with relevant requirements in the Company Rulebook.
              vi. Relationship with regulators: Risk arising from the nature of the VASP’s relationship with other regulators, including recent regulatory history.
              vii. Cybersecurity risks: Risks of exposure or loss from a cyber-attack, data, system or security breach, including any breach of Personal Data security, not limited to non-compliance with relevant requirements in the Technology and Information Rulebook. VASPs must also include all risks relating to the VASP’s reputation in such events.
           
            c. Compliance and risk management risks.
           
              i. AML/CFT, market abuse & fraud: Risks arising from the VASP’s susceptibility to financial crime risk arising from money laundering, market abuse, terrorism financing, and fraud, including but not limited to non-compliance with relevant requirements in this Compliance and Risk Management Rulebook.
              ii. Outsourcing & counterparty risks: Risks arising from Outsourcing to third parties, developing relationships or dependencies on counterparties in any transactions, including with any Controlling Entity, Group Entity or UBO.
              iii. Risk management systems: Risks arising from the nature and effectiveness of the systems and procedures to identify, measure, monitor and control the VASP’s risks [e.g. credit risk, insurance underwriting risk, market risk, operational risk, legal risk and new product risk].
              iv. Compliance function and arrangements: Risks arising from the nature and effectiveness of the compliance function of a VASP. These include its mandate, structure, staffing, methodology, reporting lines and effectiveness.
              v. Business continuity: Risks arising from the effectiveness of business continuity arrangements, including but not limited to non-compliance with relevant requirements in this Compliance and Risk Management Rulebook.
           
            d. Consumer protection risks.
           
              i. Communications with clients & financial promotions: Risks arising from the nature of financial promotion and advertising practices employed by the VASP, including but not limited to non-compliance with relevant requirements in the Market Conduct Rulebook.
              ii. Legal risks: Risks arising from the nature of the VASP’s contractual agreements.
              iii. Disclosure and reporting: Risks arising from the nature of terms of business, periodic statements and other documentation provided to clients, including but not limited to non-compliance with relevant requirements in the Market Conduct Rulebook.
              iv. Client assets: Risk arising from the VASP holding or controlling Client Money and Client VAs.
           
        • E. Operation Management

          1. VASPs shall establish and maintain effective operational policies and processes to ensure—
           
            a. they have regular exchange of information with their clients, Group and, where appropriate, counterparties;
            b. the integrity of their dealing practices, including the treatment of all clients in a fair, honest and professional manner;
            c. the safeguarding of both their assets and all Virtual Assets [including Client VAs] in accordance with applicable requirements in this Compliance and Risk Management Rulebook and the Technology and Information Rulebook;
            d. the maintenance of proper records and the reliability of the information contained in such records in accordance with applicable requirements in this Compliance and Risk Management Rulebook; and
            e. the compliance by the VASP and all its Staff with all applicable laws and regulatory requirements.
           
          2. Where a VASP may act on behalf of the client in relation to the operation of an account, it shall properly communicate to the client the necessary procedures and terms and conditions under which the VASP may act on its behalf in transactions which are consistent with the stated objectives of the client and strictly follow such procedures.
          3. In addition to applicable requirements in the Market Conduct Rulebook, VASPs shall establish and enforce procedures to ensure that there are safeguards against any of their Staff or members of the Board taking advantage of confidential information or Inside Information.
          4. In addition to applicable requirements in the Technology and Information Rulebook, VASPs shall establish and maintain robust procedures to protect their Virtual Assets and Client VAs from theft, fraud and/or misappropriation. All Staff and members of the Board should follow all applicable internal protocols to acquire, transfer or otherwise dispose of any of the VASP’s Virtual Assets and Client VAs in accordance with applicable requirements in this Compliance and Risk Management Rulebook and the Technology and Information Rulebook.
          5. VASPs shall regularly check all—
           
            a. records and reports, whether issued by third parties, such as banks, other VASPs, or other virtual asset service providers outside of the Emirate; and
            b. relevant information recorded on all systems including distributed ledgers,
            and reconcile the above with their internal records for the purpose of identifying any errors, omissions or misplacement of assets, including Virtual Assets.
           
          6. VASPs may establish committees as they deem appropriate in order to ensure compliance with all applicable laws and regulatory requirements. VARA may require a VASP, either as a condition of granting a Licence or at any stage thereafter, to establish any committee[s] determined by VARA as it deems appropriate, and VASPs shall comply with such requirements.
           
        • F. Books and Records

          1. VASPs shall keep their books and records properly in their original form or native file format [including as recorded on distributed ledgers where appropriate], including—
           
            a. keeping proper audit trails of all transactions, such as the amount, date and time of each transaction, any payment instruction, the total amount of fees and charges, the names, details of accounts or VA Wallets and country of residence of the clients and to the extent practicable, that of any other Entities involved in the transaction, so as to enable the VASP to carry out thorough investigation of any Suspicious Transactions [subject to further requirements set out in Part III of this Compliance and Risk Management Rulebook];
            b. maintaining and organising all information relating to clients produced by third parties;
            c. maintaining sufficient records to prove that the VASP is in compliance with all applicable laws and regulatory requirements, including AML/CFT laws and requirements in Part III of this Compliance and Risk Management Rulebook;
            d. keeping proper records to enable the VASP to carry out an audit in a convenient manner;
            e. keeping a general ledger containing all assets [including Virtual Assets], liabilities, ownership equity, income and expense accounts;
            f. keeping statements or valuations sent or provided to clients and counterparties;
            g. keeping minutes of meetings of the Board;
            h. retaining communications and documentation related to investigations of client complaints and transaction error resolution or concerning facts giving rise to potential violation of laws and regulatory requirements; and
            i. maintaining a conflicts of interest register in accordance with the Company Rulebook.
           
          2. VASPs shall retain each such record as set out in Rule I.F.1 of this Compliance and Risk Management Rulebook in accordance with the following timelines—
           
            a. no less than eight [8] years; or
            b. for an indefinite period for all records which may relate to national security of the UAE.
           
          3. VASPs shall furnish copies of any records to VARA in accordance with all applicable requirements in the Regulations, Rules or Directives.
           
        • G. Audit

          1. External audit.
           
            a. VASPs shall appoint an independent third-party auditor to perform an audit of the financial statements of the VASP in order to make available an annual report, and promptly notify VARA of the full name and contact details of the auditor upon appointment.
            b. The annual report of VASPs shall promptly be made available to their clients and VARA upon request.
            c. VASPs should understand the steps taken by the auditor in proving the existence and ownership of Virtual Assets and ascertaining the reasonableness of the valuation of Virtual Assets.
            d. The accounting information given in the annual report shall be prepared in accordance with generally accepted accounting principles.
            e. If requested, VASPs shall procure relevant counterparties to cooperate with the auditor and to provide the auditor with all necessary information for the auditor to conduct the audit.
            f. VARA may in its sole and absolute discretion require a VASP to appoint alternative auditors if their original auditors are not deemed appropriate for the size and complexity of their business and in terms of reputation.
           
          2. Internal audit.
           
            a. VASPs shall, where applicable, establish and maintain an objective internal audit function which shall be independent of the operational function and submit regular reports directly to the Senior Management.
            b. VASPs shall establish and maintain clear policies in defining the role and responsibilities of, and the working relationship between, the internal and external auditors.
            c. The internal audit function shall—
           
              i. perform audit work regularly and at least on a quarterly basis;
              ii. inform the Senior Management of findings and recommendations; and
              iii. follow up with and resolve matters or risks highlighted in the relevant reports.
           
        • H. Regulatory Reporting

          1. On a monthly basis, VASPs shall as a minimum submit to VARA the following information—
           
            a. their balance sheet and a list of all off-balance sheet items;
            b. their statement of profit and loss;
            c. their income statement;
            d. their cashflow statements;
            e. addresses of their VA Wallets;
            f. a full list of Entities in their Group that actively invest their own, or the Group’s, portfolio in Virtual Assets, and a complete record of all transactions, including but not limited to loans or any transactions involving any VA Activity for which the VASP is Licensed, with all such Entities identified; and
            g. transactions with Related Parties as prescribed in the Company Rulebook.
           
          2. On a quarterly basis, VASPs shall as a minimum submit to VARA the following information—
           
            a. the minutes of all Board meetings and Board committee meetings;
            b. a statement demonstrating compliance with any financial requirements established by VARA including but not limited to Reserve Assets;
            c. financial projections and strategic business plans; and
            d. a risk exposure report prepared and submitted to the Board in accordance with Rule I.D.4 of this Compliance and Risk Management Rulebook.
           
          3. On an annual basis, VASPs shall as a minimum submit to VARA the following information—
           
            a. audited annual financial statements, together with an opinion and an attestation by an independent third-party auditor regarding the effectiveness of the VASP’s internal control structure;
            b. an assessment by Senior Management of the VASP’s compliance with such applicable laws, Regulations, Rules and Directives during the fiscal year covered by the financial statements;
            c. certification of the financial statements by a member of the Board or a Responsible Individual attesting to the truth and correctness of those statements;
            d. a representative sample of all documentation relating to client onboarding [including actual documentation of the first one hundred [100] clients onboarded of the year];
            e. descriptions of product offerings relating to their VA Activities;
            f. Group structure chart including shareholding of the VASP and the identity of all UBOs;
            g. the names of each of the members of the Board and the Senior Management in the VASP, a brief biography of each such member including their qualifications and experience and any position that a member of the Board or the Senior Management holds in other Entities;
            h. the identification of any independent director[s] if applicable;
            i. the names of all the members of any committees, the authorities and assignments entrusted thereto, and activities carried out by the committees during that year; and
            j. the number of meetings held by the Board and the committees, and the names of the attendees.
           
          4. VARA may, upon request to a VASP, require information to be provided in addition to that listed in Rule I.F.1 of this Compliance and Risk Management Rulebook.
           
        • I. Regulatory Notifications

          1. VASPs shall notify VARA in writing of—
           
            a. any changes to items set out in Rule I.H.3 of this Compliance and Risk Management Rulebook; and
            b. any criminal or material civil action, charge or proceedings or Insolvency Proceedings, or any investigations, inspection or enquiries which may lead to any such action, charge or proceedings, made against the VASP or any of its Board members, UBOs or Senior Management immediately after the commencement of any such action, charge, proceeding, investigation, inspection or enquiry.
           
          2. VASPs shall submit a report to VARA immediately upon the discovery of any violation or breach of any law, Regulation, Rule or Directive related to the conduct of any VA Activity.
          3. VASPs shall, upon request from VARA, disclose information regarding their activities in jurisdictions other than the Emirate.
          4. VASPs shall comply with all requirements in the Technology and Information Rulebook with regards to notifying VARA of incidents relating to a cybersecurity breach, including but not limited to incidents involving a loss of information or affecting Personal Data.
           
        • J. Staff Management and Training

          1. VASPs shall implement procedures to ensure that they only employ suitably qualified individuals with the requisite skills, knowledge and expertise to perform the duties for which they are employed and that such individuals are duly registered with all applicable professional bodies as required.
          2. VASPs shall employ appropriate numbers of Staff to discharge relevant duties effectively. Unless otherwise stated in the Regulations and Rulebooks, Staff are not required to be physically located in the Emirate, provided that the VASP is able to ensure that all supervisory, monitoring and enforcement functions are effectively implemented to VARA’s satisfaction.
          3. VASPs shall ensure that all Staff are provided with adequate and up-to-date information regarding all their policies and procedures.
          4. Adequate training suitable for the duties which the Staff is required to perform in their role shall be provided at the beginning of their employment and on an ongoing basis.
          5. VASPs shall implement and provide AML/CFT training for all Staff on a regular basis and monitor their compliance with all established procedures.
          6. VASPs shall make necessary arrangements to ensure that all operational policies and procedures are communicated to new hires within their first thirty [30] calendar days of starting their employment.
          7. In the event that the operational policies and procedures are updated, VASPs shall ensure that—
           
            a. relevant information is promptly communicated to all Staff; and
            b. any such updated operational policies and procedures are made available to all Staff at all times.
           
      • Part II – Tax Reporting and Compliance

        1. VASPs must, at all times, comply with all tax reporting obligations under all applicable laws, regulations, rules or guidance as well as national, international and industry best practices, including under the United States Foreign Account Tax Compliance Act [FATCA] where applicable.
         
      • Part III – Anti-Money Laundering and Combating the Financing of Terrorism

        • Introduction

          Part III of this Compliance and Risk Management Rulebook sets out requirements which aim to prevent the use of Virtual Assets and services relating to them in furtherance of illicit activities. VARA considers such illicit activities to include money laundering and the financing of terrorism, as well as proliferation financing and sanctions non-compliance.
           
        • A. Appointment and Duties of Money Laundering Reporting Officer

          1. VASPs shall appoint a Money Laundering Reporting Officer who—
           
            a. possesses at least two [2] years of experience handling AML/CFT matters; and
            b. is a Fit and Proper Person [MLRO].
            Such appointment shall be reviewed annually to ensure that the MLRO remains a Fit and Proper Person capable of discharging all relevant duties. VARA has the sole discretion to request a VASP to provide such evidence as VARA may require which shows that the above requirements are satisfied. In addition, VARA shall take into consideration any failures by an individual to comply with Part III of this Compliance and Risk Management Rulebook when assessing whether an individual is a Fit and Proper Person.
           
          2. The MLRO shall be responsible for—
           
            a. ensuring the Board and Staff are properly and adequately trained in respect of their understanding and compliance with all applicable AML/CFT laws and regulatory requirements, particularly those relevant to VA Activities;
            b. developing and implementing AML/CFT policies and procedures as required under Rule III.B of this Compliance and Risk Management Rulebook;
            c. conducting AML/CFT risk assessments in accordance with Rule III.D of this Compliance and Risk Management Rulebook and implementing all necessary changes to the VASP’s relevant policies and procedures to address such issues and risks;
            d. monitoring and reporting Suspicious Transactions in accordance with Rule III.F of this Compliance and Risk Management Rulebook;
            e. if necessary, ensuring appropriate corrective actions are taken in response to non-compliance with any Federal AML-CFT Laws;
            f. reporting to the Board on a quarterly basis on the effectiveness of the VASP’s AML/CFT policies and procedures, identifying any failures in such policies and procedures and/or any non-compliance with any Federal AML-CFT Laws;
            g. ensuring the quarterly reports required under Rule III.A.2.f of this Compliance and Risk Management Rulebook include a summary of all Anonymity-Enhanced Transactions and clients involved during that quarter; and
            h. making the reports required under Rule III.A.2.f of this Compliance and Risk Management Rulebook available to VARA on request.
           
          3. AML/CFT activities may be delegated to appropriate Entities, provided that—
           
            a. the MLRO shall continue to be held accountable for all responsibilities and obligations in relation to the implementation of the relevant policies and procedures; and
            b. all applicable requirements in the Company Rulebook, including Outsourcing management requirements, are complied with.
           
          4. Subject to relevant requirements in the Company Rulebook and if deemed appropriate by the VASP, the MLRO may hold more than one [1] non-client facing role within the VASP, provided such roles do not create conflicting duties, including but not limited to, the CO and the head of the risk function. VARA will take into account other roles held by the MLRO in determining whether the individual is a Fit and Proper Person.
           
        • B. Policies and Procedures

          1. VASPs will establish and implement policies and procedures to comply with all AML/CFT requirements and existing applicable laws, regulatory requirements and guidelines, including but not limited to—
           
            a. the Federal AML-CFT Laws;
            b. the Financial Action Task Force’s [FATF] 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers [June 2020];
            c. FATF’s Second 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers [July 2021];
            d. FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers [October 2021];
            e. the International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, The FATF Recommendations [March 2022];
            f. Cabinet Resolution No. [74] of 2020 regarding the Terrorist List System and The Implementation of Security Council Resolutions Related to Preventing and Suppressing Terrorism and its Financing, Counter of Proliferation and its Financing, and the Relevant Resolutions;
            g. the UAE Executive Office for Control & Non-Proliferation [EOCN] Guidance on Counter Proliferation Financing for FIs, DNFBPs, and VASPs [March 2022]; and
            h. the EOCN’s Local Terrorist List, as may be amended from time to time.
           
          2. To ensure compliance with the Federal AML-CFT Laws, such policies and procedures must establish courses of action allowing VASPs to—
           
            a. refrain from opening or conducting any financial or commercial transaction under an anonymous or fictitious name or by pseudonym or number, and maintaining a relationship or providing any services to it;
            b. ensure prompt application of the directives when issued by the competent authorities in the UAE for implementing United Nations Security Council Resolutions relating to the suppression and combating of terrorism, terrorist financing and proliferation of weapons of mass destruction and its financing, and other related directives, as well as compliance with all other applicable laws, regulatory requirements and guidelines in relation to economic sanctions;
            c. notwithstanding all relevant requirements in this Compliance and Risk Management Rulebook, maintain all records, documents, and data for all transactions, whether local or international, and make this information available to VARA upon request; and
            d. ensure full compliance with any other AML/CFT requirements and applicable laws, regulatory requirements and guidelines as may be promulgated by VARA, UAE federal government bodies, FATF or the Middle East and North Africa Financial Action Task Force from time to time.
           
          3. VASPs shall establish adequate risk rules to screen clients, UBOs, Virtual Asset transactions and VA Wallet addresses to—
           
            a. identify potential illicit activities, potentially adverse information in higher risk situations [e.g. criminal history] and applicability of targeted or other international financial sanctions; and
            b. alert operation and compliance teams to impose relevant restrictions and conduct further investigation.
           
          4. All policies and procedures established and implemented pursuant to Rule III.B.1 of this Compliance and Risk Management Rulebook must be attested by a competent third party and shall be submitted to VARA in the licensing process and no more than twenty-one [21] calendar days after any changes coming into effect.
           
        • C. AML/CFT Controls

          1. VASPs should have effective AML/CFT controls and systems in place which can adequately manage the AML/CFT risks relevant to their VA Activities, including the use of distributed ledger analytics tools, as well as other investigative tools or capabilities to monitor and screen transactions.
          2. In respect of any distributed ledger analytics tools used, VASPs should review and document their review of the capabilities and weaknesses of such tools and design controls to monitor clients’ interaction with their VA Activities.
          3. Information about Virtual Asset transactions and VA Wallet addresses is dynamic in nature. VASPs should review and document their review of the performance and function of any distributed ledger analytics tools used for ongoing monitoring.
          4. VASPs shall, if applicable, implement internal controls to address the FATF Report Virtual Assets Red Flags Indicators of Money Laundering and Terrorist Financing [September 2020] when designing transaction monitoring scenarios and thresholds to monitor clients’ interaction with their VA Activities.
           
        • D. Risk Assessment

          1. In implementing adequate and appropriate AML/CFT policies, procedures, and controls to detect and prevent illicit activities, VASPs must conduct AML/CFT business risk assessments.
          2. The AML/CFT business risk assessments must be designed and implemented to assist VASPs to better understand their risk exposure and areas in which they should prioritise allocation of resources in their AML/CFT activities. This includes identifying and assessing the AML/CFT risks in relation to the development and use of new or existing—
           
            a. Virtual Assets [in particular, Anonymity-Enhanced Cryptocurrencies];
            b. Virtual Asset related products or services [in particular, methods in which Anonymity-Enhanced Transactions can be conducted];
            c. Virtual Asset related business and professional practices; and
            d. technologies associated with VA Activities.
           
          3. VASPs enabling Anonymity-Enhanced Transactions as part of their VA Activities must implement proportionately enhanced controls to ensure compliance with all applicable laws and regulations [including all Federal AML-CFT Laws], Regulations, Rules and Directives, as well as effectively monitor and prevent illicit uses. Such controls shall include conducting enhanced CDD on each client using those services, which shall be verified every six [6] months. In the case where the AML/CFT risks cannot be adequately mitigated, such products or services should not be offered.
           
        • E. Client Due Diligence

          1. VASPs shall adopt a risk-based application of CDD measures in accordance with the Federal AML-CFT Laws.
          2. VASPs are required to undertake CDD measures to verify the identity of the client and the UBO[s] before or during the establishment of a business relationship for the purposes of providing services relating to VA Activities, or before executing a transaction [whether or not denominated in Virtual Assets] for a client with whom there is no business relationship.
          3. VASPs shall undertake CDD measures in the following circumstances—
           
            a. when establishing a business relationship with a client for the purposes of providing services relating to VA Activities;
            b. when carrying out occasional transactions in favour of a client for amounts equal to or exceeding AED 3,500, whether the transaction is carried out in a single transaction or in several transactions that appear to be linked;
            c. where there is an instruction from a client to handle a potential Suspicious Transaction;
            d. where there are doubts about the veracity or adequacy of previously obtained identification information of a client; and
            e. when carrying out any transaction for high-risk clients as characterised in the Federal AML-CFT Laws.
           
          4. VASPs should undertake CDD measures in their ongoing supervision of business relationships with clients, including—
           
            a. auditing transactions that are carried out throughout the period of the business relationship, to ensure that the transactions conducted are consistent with the information on file regarding clients and the risks they pose, including, where necessary, the source of funds; and
            b. ensuring that the documents, data or information obtained from CDD measures are up-to-date and appropriate by regularly reviewing such records, particularly those of high-risk clients as characterised in the Federal AML-CFT Laws.
           
          5. As part of the CDD process, VASPs shall verify clients’ identity by reference to the following documents, data or information from a reliable and independent source—
           
            a. For individuals
           
              i. full name as shown on an identification card or a travel document [along with a copy of the original and valid identification card or travel document];
              ii. nationality;
              iii. address;
              iv. place of birth;
              v. name and address of employer; and
              vi. if the client is a Politically Exposed Person, approval from the MLRO and a member of the Senior Management is required prior to establishing a business relationship with such client.
           
            b. For Entities which are not individuals
           
              i. full name of the Entity;
              ii. type of Entity;
              iii. constitutional documents [e.g. memorandum of association and articles of association] attested by competent authorities within the UAE;
              iv. principal place of business;
              v. names of individuals holding Senior Management positions in the Entity; and
              vi. if the UBO is a Politically Exposed Person, approval from the MLRO and a member of the Senior Management is required prior to establishing a business relationship with such client.
           
          6. VASPs are further required to—
           
            a. verify that any Entity purporting to act on behalf of the client is so authorised, and verify the identity of that Entity in accordance with Rule III.E.5 of this Compliance and Risk Management Rulebook;
            b. understand the intended purpose and nature of the business relationship with the client, and obtain, when necessary, information related to this purpose; and
            c. where the VASP’s client is a business or otherwise provides services to other clientele, understand the nature of the client’s business as well as the client’s ownership and control structure, including but not limited to the following—
           
              i. the identity of UBO[s];
              ii. whether such structure includes any DAOs and, if so, the intended purpose of such DAOs;
              iii. the type, nature and pursuits of the clientele of a prospective client and where necessary carry out appropriate due diligence on the client’s clientele in order to ensure compliance with the Federal AML-CFT Laws.
           
          7. If a VASP is unable to conduct appropriate CDD on a client, it shall not—
           
            a. establish or maintain a business relationship with such client; or
            b. execute any transaction for such client.
           
          8. If a VASP relies on third parties to perform CDD, it shall remain liable for ensuring such third parties perform CDD in accordance with all relevant Rules and Directives. VASPs that rely on third parties to undertake CDD on their behalf must therefore implement adequate measures in keeping with the nature and size of their businesses [including VA Activities] to ensure that such third parties’ performance of CDD is in accordance with all relevant Rules and Directives.
           
        • F. Suspicious Transaction Monitoring and Reporting

          1. VASPs shall employ methods which are appropriate to their particular circumstances and VA Activities to continuously monitor business relationships with clients to identify any Suspicious Transactions. Such methods shall ensure that no “tipping-off” or similar offence occurs. Such methods shall also ensure all Suspicious Transactions are immediately reported to the MLRO, in order for the MLRO to meet the requirements of this Rule III.F. VASPs are required to document, obtain Senior Management approval for, and periodically review and update such methods to ensure their effectiveness.
          2. VASPs shall put in place and regularly update indicators that can be used to identify possible Suspicious Transactions.
          3. Upon suspicion or reasonable grounds to suspect that the proceeds of a transaction are related to a crime, or the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime, the MLRO shall be responsible for—
           
            a. immediately reporting to the UAE FIU and VARA such Suspicious Transactions in accordance with Rule III.F.4 of this Compliance and Risk Management Rulebook;
            b. responding to all additional information requests from the UAE FIU and/or VARA promptly and in any event within forty-eight [48] hours of such requests;
            c. undertaking any additional actions as may be requested by the UAE FIU and/or VARA within any specified timeframe in such requests; and
            d. in the event the MLRO is not the same individual as the CO, immediately reporting to the CO that a Suspicious Transaction report has been made, provided that the provision of any such report would not be considered “tipping-off” or a similar offence under any applicable laws or regulations.
           
          4. All reports regarding Suspicious Transactions shall be made—
           
            a. to the UAE FIU and VARA on the GoAML platform or by any other means approved by the UAE FIU and/or VARA; and
            b. in accordance with any Guidance which may be issued by VARA from time to time.
           
          5. VASPs shall continue monitoring [on a near real time basis where appropriate] any transactions which are the subject of a Suspicious Transaction report.
           
        • G. FATF Travel Rule

          1. Prior to initiating any transfer of Virtual Assets with an equivalent value exceeding AED 3,500, VASPs must obtain and hold required and accurate originator information and required beneficiary information and make it available on request to VARA and/or other appropriate authorities.
          2. Prior to permitting any clients access to Virtual Assets received from a transfer with an equivalent value exceeding AED 3,500, a beneficiary VASP must obtain and hold required originator information and required and accurate beneficiary information and make it available on request to VARA and/or other appropriate authorities.
          3. Required originator information shall include, but not be limited to, the originator’s—
           
            a. name;
            b. account number or VA Wallet address; and
            c. residential or business address.
           
          4. Required beneficiary information shall include, but not be limited to, the beneficiary’s—
           
            a. name; and
            b. account number or VA Wallet address.
           
          5. Prior to entering into any transaction with a counterparty VASP or virtual asset service provider in any other jurisdiction, VASPs must complete risk-based due diligence on such counterparty in order to mitigate AML/CFT risks. This due diligence does not need to be completed for every subsequent transaction with the counterparty unless a heightened counterparty risk is assessed or identified.
          6. In complying with the Travel Rule, VASPs must consider how they will handle the risks associated with—
           
            a. deposits or withdrawals [including those which are compliant with the Travel Rule and those which are not];
            b. non-obliged entities [i.e. unhosted VA Wallets]; and
            c. Anonymity-Enhanced Transactions.
           
          7. VASPs shall be required to demonstrate to VARA how they comply with the Travel Rule during the licensing process and submit to VARA relevant policies and controls. VASPs should also include their plan to comply with the Travel Rule with virtual asset service providers in jurisdictions where the Travel Rule is not a legislative requirement [i.e. the “sunrise issue”].
          8. In implementing policies and controls to comply with the Travel Rule and AML/CFT Rules, VASPs shall be guided by FATF Interpretive Note to Recommendation 15 and all applicable laws, regulatory requirements and guidelines as may be in force from time to time. VASPs must monitor for any transaction or series of transactions that seeks to circumvent any regulatory thresholds to bypass Travel Rule requirements.
          9. VARA may require VASPs to report on their compliance with the Travel Rule and the effectiveness of their implementing policies and controls, at any time.
           
        • H. Record Keeping

          1. VASPs shall retain the following types of records relating to AML/CFT in accordance with the Federal AML-CFT Laws—
           
            a. Virtual Asset transaction records, including operational and statistical records, documents and information [whether or not recorded on public distributed ledgers] concerning all transactions executed or processed by the VASP;
            b. CDD records, including records, documents, and information about clients [e.g. account files and business correspondence], and results from the investigation and analysis of clients’ activities;
            c. information relating to third parties engaged by the VASP to undertake CDD;
            d. records relating to ongoing monitoring of business relationships with clients; and
            e. Suspicious Transaction reports made in accordance with Rule III.F of this Compliance and Risk Management Rulebook.
           
          2. VASPs shall retain all records required in Rule III.H.1 for a period of no less than eight [8] years.
           
        • I. Enforcement

          1. VASPs which fail to comply with Rules in this Part III of this Compliance and Risk Management Rulebook may be subject to enforcement actions taken by VARA or other penalties as set out in the Regulations and the Federal AML-CFT Laws.
           
      • Part IV – Client Money Rules

        • Application and Interpretation

          1. Client Money means all money held or controlled by a VASP on behalf of a client in the course of, or in connection with, the carrying on of any VA Activity, except for—
           
            a. money which is immediately due and payable to a VASP for the VASP’s own account, such as fees for services provided to a client;
            b. amounts payable by the VASP for expenses incurred on behalf of the client; and
            c. other charges that are due and payable to the VASP.
           
          2. Client Money does not include any Virtual Assets held by a VASP on behalf of a client.
          3. Client Money is held or controlled by a VASP if it is—
           
            a. directly held by the VASP;
            b. held in an account in the name of the VASP; or
            c. held by an Entity, or in an account in the name of an Entity, controlled by the VASP.
           
          4. Client Account means an account at a Third-Party Bank which—
           
            a. holds or is established to hold the Client Money of one or more clients; and
            b. is maintained in the name of the VASP.
           
          5. Third-Party Bank means the bank with which a Client Account is maintained.
           
        • A. Treatment of Client Money

          1. VASPs must have in place the necessary policies, systems and controls, appropriate to the nature and scale of their operations, to ensure compliance with this Part IV of this Compliance and Risk Management Rulebook.
          2. VASPs holding Client Money must hold it on trust for their clients in a Client Account.
          3. All Client Accounts must include the words “Client Account” in their title.
          4. VASPs must have systems and controls to ensure that the Client Money is identifiable and secure at all times.
          5. Where a VASP holds or controls Client Money it must ensure—
           
            a. except where otherwise provided in Rule IV.A.6 of this Compliance and Risk Management Rulebook, that the Client Money is paid into a Client Account within one [1] calendar day of receipt;
            b. Client Money held or controlled on behalf of clients in the UAE is paid into Client Accounts maintained with Third-Party Banks in the UAE; and
            c. Client Money held or controlled on behalf of clients outside of the UAE may be deposited into Client Accounts with Third-Party Banks outside of the UAE but must be moved to, and maintained with, Third-Party Banks in the UAE and VASPs must initiate such moves within twenty-four [24] hours of receipt.
           
          6. The requirement for a VASP to pay Client Money into a Client Account does not, subject to Rule IV.A.7 of this Compliance and Risk Management Rulebook, apply with respect to such Client Money—
           
            a. temporarily held by the VASP before forwarding to an Entity nominated by the client;
            b. in connection with a delivery versus payment transaction where—
           
              i. in respect of a client purchase, Client Money from the client will be due to the VASP within one [1] calendar day upon the fulfilment of a delivery obligation; or
              ii. in respect of a client sale, Client Money will be due to the client within one [1] calendar day following the client’s fulfilment of a delivery obligation; or
              iii. held in the client’s own name where the VASP has a mandate to manage the Client Money on a discretionary basis.
           
          7. VASPs must pay Client Money of the type described in Rule IV.A.6.b of this Compliance and Risk Management Rulebook into a Client Account where they have not fulfilled their delivery or payment obligation within three [3] calendar days of receipt of the Client Money.
          8. VASPs must maintain adequate records of all payments of Client Money received including, in respect of each payment, the—
           
            a. date of receipt;
            b. name and unique identifier of the client for whom payment is to be credited;
            c. name of the Entity who made the payment;
            d. transaction identifier and/or reference; and
            e. date when the payment was presented to the VASP’s Third-Party Bank.
           
          9. Payment into Client Accounts.
           
            a. VASPs must maintain systems and controls for identifying money which must not be in a Client Account and for transferring it without delay.
            b. VASPs must not hold or deposit their own money into a Client Account, except where—
           
              i. it is a minimum sum required to open the account, or to keep it open;
              ii. the money is received by way of mixed remittance, provided the VASP transfers out that part of the payment which is not Client Money within one [1] calendar day of the day on which the VASP would normally expect the remittance to be cleared;
              iii. interest credited to the account exceeds the amount payable to clients, as applicable, provided that the money is removed within twenty [20] calendar days; or
              iv. it is to meet a temporary shortfall in Client Money.
           
          10. Payment out of Client Accounts.
           
            a. VASPs must have procedures for ensuring all withdrawals from a Client Account are authorised.
            b. Client Money must remain in a Client Account until it is—
           
              i. due and payable to the VASP;
              ii. paid to the client on whose behalf the Client Money is held;
              iii. paid in accordance with a client’s instruction on whose behalf the Client Money is held;
              iv. required to meet the payment obligations of the client on whose behalf the Client Money is held; or
              v. paid out in circumstances that are otherwise authorised by VARA.
           
            c. VASPs must not use Client Money belonging to one client to satisfy an obligation owed to another client, nor for any other obligation owed to other Entities [including but not limited to for liquidity, capital ratios or their own balance sheet purposes].
           
            d. VASPs must have a system for ensuring no off-setting or debit balances occur in Client Accounts.
           
        • B. Third-Party Bank

          1. VASPs may only maintain Client Accounts at Third-Party Banks appropriately and validly authorised to accept or take deposits in accordance with applicable laws and regulatory requirements in the relevant jurisdiction and which must not be in the same Group as the VASP.
          2. Payment of Client Money to a Third-Party Bank.
           
            a. VASPs may only pass, or permit to be passed, Client Money to a Third-Party Bank if—
           
              i. the Client Money is to be used in respect of a transaction or series of transactions for that client; and
              ii. the Third-Party Bank is appropriately and validly authorised to accept or take deposits in accordance with applicable laws and regulatory requirements in its relevant jurisdiction as per Rule IV.B.1 of this Compliance and Risk Management Rulebook.
           
          3. When a VASP opens a Client Account with a Third-Party Bank it must promptly obtain a written acknowledgement from the Third-Party Bank stating that—
           
            a. all money standing to the credit of the account is held by the VASP as agent and that the Third-Party Bank is not entitled to combine the account with any other account or to exercise any charge, mortgage, lien, right of set-off or counterclaim against money in that account in respect of any sum owed to it on any other account of the VASP; and
            b. the title of the account sufficiently distinguishes that account from any account containing money that belongs to the VASP, and is in the form requested by the VASP.
           
          4. If the Third-Party Bank does not promptly provide the acknowledgement referred to in Rule IV.B.3 of this Compliance and Risk Management Rulebook, the VASP must refrain from making further deposits of Client Money with that Third-Party Bank and withdraw any Client Money in that Client Account.
           
        • C. Disclosure, Reporting and Audit Requirements

          1. Proper record keeping.
           
            a. VASPs shall keep proper and up-to-date records regarding—
           
              i. the receipt and payment of Client Money in and out of Client Accounts; and
              ii. movements of Client Money within internal systems to enable the reconciliation of any differences in balances or positions of Client Money.
           
            b. VASPs shall have appropriate procedures for identifying Client Money received. The procedures should cover Client Money received through all means, including electronically or via agents of the VASP [e.g. banks, payment processors].
            c. VASPs may be requested to demonstrate evidence of the above records upon VARA’s request.
           
          2. Client reporting.
           
            a. VASPs must send or otherwise make available a statement to clients at least monthly, or as agreed with the client, which shall include—
           
              i. the client’s total Client Money balances held by the VASP;
              ii. the amount, date and value of each credit and debit paid into and out of the account since the previous statement; and
              iii. any interest earned or charged on the Client Account since the previous statement.
           
            b. The statement sent to the client must be prepared within twenty-five [25] calendar days of the statement date.
           
        • D. Reconciliation

          1. VASPs must maintain a system to ensure that accurate reconciliations of the Client Accounts are carried out daily. The reconciliation must include—
           
            a. a full list of individual client credit ledger balances, as recorded by the VASP;
            b. a full list of individual client debit ledger balances, as recorded by the VASP;
            c. a full list of outstanding lodgements;
            d. a full list of Client Account cash book balances; and
            e. formal statements from Third-Party Banks showing account balances as at the date of reconciliation.
           
          2. VASPs must—
           
            a. reconcile the individual credit ledger balances, Client Account cash book balances, and the Third-Party Bank Client Account balances;
            b. check that the balance in the Client Accounts as at the close of business on the previous day was at least equal to the aggregate balance of individual credit ledger balances as at the close of business on the previous day; and
            c. ensure that all shortfalls, excess balances and unresolved differences, other than differences arising solely as a result of timing differences between the accounting systems of the Third-Party Bank and the VASP, are investigated and, where applicable, corrective action taken as soon as possible, including where necessary using the VASP’s own funds.
           
          3. VASPs must perform the reconciliations in Rule IV.D.2 of this Compliance and Risk Management Rulebook on a daily basis.
          4. VASPs must ensure that the process of reconciliation does not give rise to a conflict of interest.
          5. VASPs must notify VARA where there has been a material discrepancy with the reconciliation which has not been rectified.
           
        • E. Failure to Comply

          1. VASPs which become aware that they do not comply with any Rules in this Part IV of this Compliance and Risk Management Rulebook must notify VARA in writing of any such non-compliance within one [1] calendar day.
          2. Failure to comply with any Rules in this Part IV of this Compliance and Risk Management Rulebook may result in VARA taking appropriate enforcement action[s] as it deems fit and the VASP must comply with all corrective action[s] as instructed by VARA.
           
      • Part V – Client Virtual Assets Rules

        • Application and Interpretation

          1. Client VAs means all Virtual Assets held or controlled by a VASP on behalf of a client in the course of, or in connection with, the carrying on of any VA Activity, except for—
           
            a. Virtual Assets immediately due and payable to a VASP for the VASP’s own account, such as fees for services provided to a client;
            b. amounts payable by the VASP for expenses incurred on behalf of the client; and
            c. other charges that are due and payable to the VASP.
           
          2. Client VAs are held or controlled by a VASP if they are—
           
            a. directly held by the VASP in an account or VA Wallet;
            b. held in an account or VA Wallet in the name of the VASP;
            c. held by a legal entity, or in an account or VA Wallet in the name of a legal entity, controlled by the VASP; or
            d. the private keys and/or seed phrase of the VA Wallet are held or controlled by the VASP.
           
        • A. Treatment of Client VAs

          1. VASPs must have in place the necessary policies, systems and controls, appropriate to the nature and scale of their operations, to ensure compliance with this Part V of this Compliance and Risk Management Rulebook.
          2. Client VAs are not depository liabilities or assets of the VASP.
          3. VASPs shall hold Client VAs in separate VA Wallets from all Virtual Assets of the VASP.
          4. VASPs must hold Client VAs on a one-to-one basis and shall not authorise or permit rehypothecation of Client VAs, unless they have explicit prior consent from the client providing discretionary authority to do so, and are appropriately authorised and Licensed by VARA to carry out all relevant VA Activity[ies] in respect of such Virtual Assets.
          5. All proceeds related to Client VAs, such as “airdrops”, “staking gains” or similar proceeds shall accrue to the client’s benefit, unless the VASP has the client’s prior consent specified in a written agreement with the client or otherwise. VASPs may decide not to collect or distribute certain proceeds, including where such proceeds are below a value to be determined by the VASP, provided that the VASP has disclosed this to the client and obtained acceptance in accordance with all applicable laws.
           
        • B. Proof of Reserves

          1. In addition to the Reserve Assets requirements in the Company Rulebook, VASPs shall comply with all requirements stipulated by VARA from time to time, including as part of a VASP’s licensing process, in order to demonstrate that assets held in reserve cover all of their liabilities with respect to Client VAs.
           
        • C. Reconciliation

          1. VASPs must maintain a system to ensure that accurate reconciliations of the Virtual Assets owned by each client are carried out daily. The reconciliation must include—
           
            a. a full list of individual client credit ledger balances, as recorded by the VASP; and
            b. a full list of individual client debit ledger balances, as recorded by the VASP.
           
          2. VASPs must notify VARA where there has been a material discrepancy with the reconciliation which has not been rectified.
           
      • Part VI – Anti-Bribery and Corruption

        • A. General Principles

          1. VASPs shall establish and maintain an effective anti-bribery and corruption policy to ensure that the Board and all Staff must comply with all applicable laws and regulations relevant to anti-bribery and corruption in all jurisdictions in which they operate. Such policy must allow for reports to be made by Entities outside of the VASP and protect the identity and confidentiality of the Entity who has made a report at all times.
          2. VASPs must conduct all business in an honest and ethical manner and must take a zero-tolerance approach to bribery and corruption. The Board and all Staff must act professionally, fairly and with integrity in all business dealings and relationships.
          3. It is prohibited for any VASP, members of the Board and all Staff, to—
           
            a. give, promise to give, or offer, a payment, gift or hospitality to a third party or otherwise engage in or permit a bribery offence to occur, with the expectation or hope that an advantage in business will be received or to reward a business advantage already given;
            b. give, promise to give, or offer, a payment, gift or hospitality to a third party to facilitate or expedite a routine procedure;
            c. accept a payment, gift or hospitality from a third party if it knows or suspects that such payment, gift or hospitality is offered or provided with an expectation that a business advantage will be provided by the VASP in return;
            d. threaten or retaliate against another member of the Board or Staff who has refused to commit a bribery offence or who has raised concerns; and
            e. engage in any activity that might lead to a breach of the anti-bribery and corruption Rules in this Part VI of this Compliance and Risk Management Rulebook.
           
          4. The anti-bribery and corruption Rules in this Part VI of this Compliance and Risk Management Rulebook do not prohibit normal and appropriate hospitality [given or received in accordance with the VASP’s own gifts and hospitality policy] to or from third parties, provided relevant policies are compliant with applicable laws. Such gifts and hospitality policy should set out clearly what is and is not appropriate to make or receive gifts and/or hospitality to and from a third party.
          5. The CO will monitor the effectiveness of the anti-bribery and corruption policy on a regular basis. Any deficiencies identified should be dealt with as soon as possible.
           
        • B. No Corrupt Payments

          1. It is prohibited for any VASP or any members of its Board, Staff, consultants or contractors, any Group company, agent, business partner, contractor or supplier of the VASP to make any payment[s] to a third party where there is any reason to believe that all or any part of such payment will go towards a bribe or otherwise facilitate any corruption.
          2. All payments made by VASPs for services must be appropriate and justifiable for the purpose of legitimate services provided.
           
        • C. Investigation and Reporting

          1. VASPs must establish, maintain and publish methods of contact including, but not limited to, a telephone line, for receiving reports of any violation or possible violation of any applicable laws and regulations relevant to anti-bribery and corruption by the VASP, or its Board or Staff on its behalf.
          2. Any member of the Board or Staff must report to the CO as soon as possible if they believe or suspect that an action in conflict with the anti-bribery and corruption Rules in this Part VI of this Compliance and Risk Management Rulebook has occurred, or may occur, or has been solicited by any other Entity.
          3. The CO shall investigate any report of a violation or possible violation of the anti-bribery and corruption Rules in this Part VI of this Compliance and Risk Management Rulebook and shall follow the below procedures—
           
            a. An investigation file should be opened. In the case of an oral report, the CO should prepare a written summary.
            b. The CO shall appoint an independent Entity who shall promptly commission the conduct of an investigation. The investigation will document all relevant facts, including Entities involved, times and dates.
            c. The CO shall advise the Board of the existence of an investigation.
            d. The identity of the individual disclosing relevant information to the CO should be treated in accordance with applicable UAE laws and regulations.
            e. On completion of the investigation, a written investigation report will be provided by the Entity employed to conduct the investigation to the CO. If any unlawful conduct is found, the CO must advise the Board accordingly.
            f. If any unlawful conduct is found, the VASP shall take such remedial action as the Board deems appropriate to achieve compliance with its internal anti-bribery and corruption policy and all applicable anti-bribery and corruption laws. The Entity employed to conduct the investigation shall prepare a written summary of the remedial actions taken.
            g. The written investigation report and a written summary of the remedial actions taken shall be retained by the CO for a period of no less than eight [8] years from completion of the remedial action. Such reports shall be made available to VARA upon request.
           
        • D. Information and Trainings

          1. VASPs shall implement and provide an anti-bribery and corruption training programme for the Board and all Staff on a regular basis and monitor their compliance with all established procedures. All members of the Board and Staff must participate in all such trainings provided by the VASP.
          2. VASPs shall ensure that all members of the Board and Staff have full access at all times to the most up-to-date anti-bribery and corruption policy and will be informed of any changes to such policy.
          3. Training on the anti-bribery and corruption policy should form part of the induction programme made available to all new Board members and Staff.
          4. In addition to relevant requirements in the Market Conduct Rulebook, a zero-tolerance approach to bribery and corruption and all relevant policies must be disclosed by all VASPs to the public and communicated at the outset of all business relationships as appropriate.
           
        • E. Responsibility for the Policy

          1. The Board shall have the overall responsibility for ensuring its anti-bribery and corruption policy is up-to-date and complies with all applicable laws and regulations in all jurisdictions where the VASP conducts its business.
          2. The CO has the primary and day-to-day responsibility for implementing the anti-bribery and corruption policy and for monitoring its effectiveness.
           
        • F. Consequences of Breach

          1. Failure to comply with a VASP’s anti-bribery and corruption policy should result in severe consequences, including internal disciplinary action and termination of employment without notice.
          2. VASPs should immediately report to VARA any finding of unlawful conduct in breach of the anti-bribery and corruption Rules in this Part VI of this Compliance and Risk Management Rulebook.
           
      • Schedule 1 – Definitions

        Term Definition
        “AML/CFT” has the meaning ascribed to it in the Regulations.
        “Anonymity-Enhanced Cryptocurrencies” has the meaning ascribed to it in the Regulations.
        “Anonymity-Enhanced Transactions” means transactions denominated in Virtual Assets which are not Anonymity-Enhanced Cryptocurrencies, but which prevent the tracing of transactions or record of ownership.
        “BCDR Plan” means the Business Continuity and Disaster Recovery Plan of a VASP.
        “Board” has the meaning ascribed to it in the Company Rulebook.
        “Capital and Prudential Requirements” has the meaning ascribed to it in the Company Rulebook.
        “CDD” means client due diligence, including but not limited to due diligence on the clientele of a VASP’s client.
        “Client Account” has the meaning ascribed to it in Part IV of this Compliance and Risk Management Rulebook.
        “Client Money” has the meaning ascribed to it in Part IV of this Compliance and Risk Management Rulebook.
        “Client VA” has the meaning ascribed to it in Part V of this Compliance and Risk Management Rulebook.
        “CMS” means the compliance management system of a VASP.
        “Compliance Officer” or “CO” has the meaning ascribed to it in Part I of this Compliance and Risk Management Rulebook.
        “Company Rulebook” means the Company Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Compliance and Risk Management Rulebook” means this Compliance and Risk Management Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Controlling Entity” has the meaning ascribed to it in the Company Rulebook.
        “Decentralised Autonomous Organisation” or “DAO” has the meaning ascribed to it in the Company Rulebook.
        “Directive” has the meaning ascribed to it in the Regulations.
        “Dubai VA Law” means Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai, as may be amended from time to time.
        “Emirate” means all zones across the Emirate of Dubai, including Special Development Zones and Free Zones but excluding the Dubai International Financial Centre.
        “Entity” means any legal entity or individual.
        “EOCN” means the UAE Executive Office for Control & Non-Proliferation.
        “FATCA” means the United States Foreign Account Tax Compliance Act.
        “FATF” means the Financial Action Task Force.
        “Federal AML-CFT Laws” has the meaning ascribed to it in the Regulations.
        “Fit and Proper Person” means an individual who complies with all fit and proper requirements in the Company Rulebook.
        “GoAML” means the electronic platform through which Suspicious Transaction reports can be submitted to the UAE FIU.
        “Group” has the meaning ascribed to it in the Company Rulebook.
        “Guidance” has the meaning ascribed to it in the Regulations.
        “Inside Information” has the meaning ascribed to it in the Regulations.
        “Insolvency Proceedings” has the meaning ascribed to it in the Regulations.
        “Licence” has the meaning ascribed to it in the Regulations.
        “Licensed” means having a valid Licence.
        “Market Conduct Rulebook” means the Market Conduct Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Money Laundering Reporting Officer” or “MLRO” has the meaning ascribed to it in Rule III.A.1 of this Compliance and Risk Management Rulebook.
        “Outsourcing” has the meaning ascribed to it in the Company Rulebook.
        “Politically Exposed Person” or “PEP” has the meaning ascribed to it in the Company Rulebook.
        “PDPL” means the Federal Decree-Law No. [45] of 2021 on the Protection of Personal Data.
        “Personal Data” has the meaning ascribed to it in the PDPL.
        “Regulations” means the Virtual Assets and Related Activities Regulations 2023, as may be amended from time to time.
        “Related Parties” has the meaning ascribed to it in the Company Rulebook.
        “Reserve Assets” has the meaning ascribed to it in the Company Rulebook.
        “Responsible Individuals” has the meaning ascribed to it in the Company Rulebook.
        “Rule” has the meaning ascribed to it in the Regulations.
        “Rulebook” has the meaning ascribed to it in the Regulations.
        “Senior Management” has the meaning ascribed to it in the Company Rulebook.
        “Staff” has the meaning ascribed to it in the Company Rulebook.
        “Suspicious Transaction” means any transaction, attempted transaction, or funds which a VASP has reasonable grounds to suspect as constituting, in whole or in part, and regardless of the amount or the timing, any of the following—
        [a] the proceeds of crime [whether designated as a misdemeanour or felony, and whether committed within the Emirate or in another country in which it is also a crime];
        [b] being related to the crimes of money laundering, the financing of terrorism, or the financing of illegal organisations; and
        [c] being intended to be used in an activity related to such crimes.
        “Technology and Information Rulebook” means the Technology and Information Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Third-Party Bank” has the meaning ascribed to it in Part IV of this Compliance and Risk Management Rulebook.
        “Travel Rule” has the meaning ascribed to it in FATF’s Updated Guidance for a Risk-Based Approach for Virtual Assets and Virtual Asset Service Providers [October 2021], as may be amended from time to time.
        “UAE” means the United Arab Emirates.
        “UAE FIU” means the UAE Financial Intelligence Unit.
        “Ultimate Beneficial Owner” or “UBO” has the meaning ascribed to it in the Company Rulebook.
        “VA Activity” means the activities listed in Schedule 1 of the Regulations, as may be amended from time to time.
        “VA Wallet” has the meaning ascribed to the term “Virtual Asset Wallet” in the Dubai VA Law.
        “VARA” means the Dubai Virtual Assets Regulatory Authority.
        “VASP” means an Entity Licensed by VARA to conduct VA Activity[ies] in the Emirate.
        “Virtual Asset” or “VA” has the meaning ascribed to it in the Dubai VA Law.

         

    • Technology and Information Rulebook

      • Introduction

        The Dubai Virtual Assets Regulatory Authority [VARA] was established and authorised by Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai [Dubai VA Law] to regulate Virtual Asset Service Providers [VASPs].
         
        This Technology and Information Rulebook is issued pursuant to, and forms part of, the Virtual Assets and Related Activities Regulations 2023 [the Regulations] issued by VARA and applies to all VASPs Licensed by VARA to carry out any VA Activity in the Emirate.
         
        This Technology and Information Rulebook applies in addition to all other requirements in the Regulations as may be in force from time to time. As such, VASPs Licensed by VARA to carry out any VA Activity must also comply with the following Rulebooks applicable to all VASPs—
         
          Company Rulebook;
          Compliance and Risk Management Rulebook;
          Market Conduct Rulebook; and
          All Rulebooks specific to the VA Activities that a VASP is Licensed by VARA to carry out.
         
        Capitalised terms in this Technology and Information Rulebook have the meanings ascribed to them in the Regulations or as otherwise defined herein or provided in Schedule 1.
         
        Unless otherwise stated, all requirements in this Technology and Information Rulebook are Rules and have binding effect.
         
      • Part I – Technology Governance, Controls and Security

        • A. Overview

          1. VASPs must ensure that they implement systems and controls necessary to address the risks, including cybersecurity-related risks, to their business and VA Activities. Such systems and controls should take into account a number of factors, including the nature, scale and complexity of the VASP’s business, the diversity of its operations, the volume and size of its transactions and the level of risk inherent with its business.
          2. VASPs must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in their business model and VA Activities. The technology governance and risk assessment framework should apply to all technologies relevant to a VASP’s business and VA Activities and clearly set out the VASP’s cybersecurity objectives, including the requirements for the competency of Staff and, as relevant, end users and clients and clearly defined systems and procedures necessary for managing risks.
          3. VASPs must ensure that their technology governance and risk assessment is capable of determining the necessary processes and controls that they must implement in order to adequately mitigate any risks identified. In particular, VASPs must ensure that their technology governance and risk assessment framework includes consideration of international standards and industry best practice codes.
          4. VASPs must ensure that their technology governance and risk assessment framework addresses appropriate governance policies and system development controls, such as a development, maintenance and testing process for technology systems and operations controls, back-up controls, capacity and performance planning and availability testing.
          5. As prescribed by Rule I.I.1 of this Technology and Information Rulebook, VASPs must appoint a Chief Information Security Officer who is responsible for ensuring that the VASP complies with Part I and Part III of this Technology and Information Rulebook.
           
        • B. Cybersecurity Policy

          1. VASPs must create and implement a policy which outlines their procedures for the protection of their electronic systems and client and counterparty data stored on those systems [Cybersecurity Policy]. VASPs must submit their Cybersecurity Policy to VARA for assessment as part of the licensing process and at any subsequent time upon request from VARA.
          2. VASPs must ensure that their Cybersecurity Policy is reviewed and updated at least annually by their CISO.
          3. VASPs must ensure that their Cybersecurity Policy contains sound procedures and security mechanisms in accordance with best industry practices that will enable them to comply with all applicable information security, data protection and data privacy laws and regulations, including but not limited to Part II of this Technology and Information Rulebook and the PDPL, whilst maintaining the confidentiality of data at all times. The Cybersecurity Policy must address the following minimum criteria—
           
            a. information security;
            b. data governance and classification;
            c. access controls;
            d. capacity and performance planning;
            e. systems operations and availability concerns;
            f. systems and network security, consensus protocol methodology, code and smart contract validation and audit processes;
            g. systems and application development and quality assurance;
            h. physical security and environmental controls, including but not limited to procedures around access to premises and systems;
            i. procedures regarding their facilitation of Virtual Asset transactions initiated by a client including, but not limited to, considering multi-factor authentication or any better standard for Virtual Asset transactions that—
           
              i. exceed transaction limits set by the client, such as accumulative transaction limits over a period of time; and
              ii. are initiated after a change of personal details by the client, such as the address of a VA Wallet;
           
            j. procedures regarding client authentication and session controls including, but not limited to, the maximum incorrect attempts for entering a password, appropriate time-out controls and password validity periods;
            k. procedures establishing adequate authentication checks when a change to a client’s account information or contact details is requested;
            l. in addition to all applicable requirements in Part II of this Technology and Information Rulebook, client data privacy, including but not limited to—
           
              i. the security and authentication of the means of transfer of information;
              ii. the minimisation of the risk of data corruption and unauthorised access to data; and
              iii. the prevention of information leakage;
           
            m. vendor and third-party service provider management;
            n. monitoring and implementing changes to core protocols not directly controlled by the VASP, as applicable;
            o. incident response, including but not limited to root cause analysis and rectification activities to prevent reoccurrence;
            p. supplier probity and Staff vetting procedures;
            q. governance framework and escalation procedures for effective decision-making and proper management and control of risks and emergency incidents, including but not limited to responses to ransomware and other forms of cyberattacks; and
            r. hardware and infrastructure standards, including but not limited to network lockdown, services/desktop security and firewall standards.
           
        • C. Cybersecurity – other Legal and Regulatory Obligations

          1. VASPs must ensure that their technology governance and risk assessment framework complies with, to the extent applicable, cybersecurity laws, regulatory requirements and guidelines, including but not limited to—
           
            a. the electronic security requirements and standards adopted by the Dubai Electronic Security Center per Law No. [9] of 2022 Regulating the Provision of Digital Services Provided in the Emirate of Dubai;
            b. the Federal Decree-Law No. [45] of 2021 on the Protection of Personal Data, its executive regulations and any other cybersecurity regulatory requirements as may be imposed by the UAE Data Office from time to time; and
            c. the Consumer Protection Regulation issued pursuant to Central Bank Notice No. [444] of 2021 and any other cybersecurity regulatory requirements as may be imposed by the CBUAE from time to time.
           
        • D. Cryptographic Keys and VA Wallets Management

          1. VASPs must ensure that their technology governance and risk assessment framework addresses, to the extent necessary, the generation of cryptographic keys and VA Wallets, the signing and approval of transactions, the storage of cryptographic keys and seed phrases, VA Wallet creation and management thereof.
          2. VASPs must—
           
            a. safeguard access to Virtual Assets in accordance with industry best practices and, in particular, ensure that there is no single point of failure in the VASP’s access to, or knowledge of, Virtual Assets held by the VASP;
            b. adopt industry best practices for storing the private keys of clients, including ensuring that keys stored online or in any one physical location are insufficient to conduct a Virtual Asset transaction, unless appropriate controls are in place to render physical access insufficient to conduct such Virtual Asset transaction. VASPs must further ensure that backups of the key and seed phrases are stored in a separate location from the primary key and/or seed phrase;
            c. adopt strict access management controls to manage access to keys, including an audit log detailing each change of access to keys. In particular, if Staff with access to a key [including a multi-signature arrangement key] leaves the employment of that VASP, the VASP must conduct an assessment to determine whether a new key must be generated;
            d. adopt procedures designed to immediately revoke a key signatory’s access. In particular, a VASP must—
           
              i. ensure that the key generation process ensures that revoked signatories do not have access to the backup seed phrase or knowledge of the phrase used in the key’s creation;
              ii. perform internal audits on a quarterly basis concerning the removal of user access by reviewing access logs and verifying access as appropriate;
              iii. implement and maintain a procedure for documenting the onboarding and offboarding of Staff;
              iv. implement and maintain a procedure for documenting a VASP’s permission to grant or revoke access to each role in its key management system; and
           
            e. regularly assess the security of their information technology systems or software integrations with external parties and ensure that the appropriate safeguards are implemented in order to mitigate all relevant risks.
           
          3. VASPs should provide information to clients on measures they can take to protect their keys and/or seed phrases from misuse or unauthorised access, and the consequences of sharing their private keys and other security information.
          4. VASPs must ensure that access to their systems and data may only be granted to individuals with a demonstrable business need and implement safeguards to ensure the proper identification of all individuals, including the maintenance of an access log.
           
        • E. Testing and Audit

          1. VASPs must engage a qualified and independent third-party auditor to conduct vulnerability assessments and penetration testing [including, to the extent relevant to the VASP’s business and VA Activities, comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts] at least on an annual basis and prior to the introduction of any new systems, applications and products. VASPs must provide the results of any such assessments and tests to VARA upon VARA’s request.
          2. VASPs should maintain effective internal functions and measures for continuous monitoring of their operations and processes. In particular, on a regular basis and on request by VARA, VASPs must perform—
           
            a. security testing on both infrastructure and applications; and
            b. internal system and external system vulnerability audits.
           
          3. Evidence of tests and audits must be documented by VASPs and made immediately available by them for inspection by VARA upon request.
          4. VASPs shall ensure that they are regularly audited by independent auditors to examine their management processes for ensuring the effectiveness of their systems, controls, policies and procedures and their compliance with regulatory requirements. VASPs must provide the results of any such audit to VARA upon VARA’s request.
           
        • F. Virtual Asset Transactions

          1. VASPs must implement controls that prevent the manipulation or coordinated collusion or attacks of automated systems.
          2. In addition to all applicable requirements in the Compliance and Risk Management Rulebook, VASPs must implement and maintain distributed ledger tracing software to screen incoming and outgoing Virtual Asset transactions and VA Wallet addresses. How VASPs will respond to any Suspicious Transactions must be set out in their AML/CFT policies in accordance with the Compliance and Risk Management Rulebook.
           
        • G. Algorithm Governance

          1. If a VASP conducts VA Activities using algorithms [in whole or in part], it must establish policies and procedures that enable its Board and Senior Management to have robust oversight and control over the design, testing, performance, deployment and ongoing maintenance of such algorithms.
          2. VASPs must maintain documentation and records of the design, testing, performance, deployment and ongoing maintenance of such algorithms, including but not limited to the logic used by the algorithm, any data or assumptions upon which decisions are based and any potential or actual biases in such data or assumptions and any results produced by the algorithm.
          3. VASPs must ensure that they have qualified and competent Staff to ensure the proper functioning and supervision of such algorithms on an ongoing basis.
           
        • H. Business Continuity, Cybersecurity Events and Risk

          1. VASPs must adopt sufficient procedures and controls to manage the risks relating to their business, VA Activities and systems. In particular, VASPs must implement an audited risk management programme in accordance with applicable laws and regulations [including those related to cybersecurity] and the requirements of VARA from time to time. The risk management programme shall include—
           
            a. strategies to identify, assess, monitor and manage operational risk;
            b. procedures concerning operational risk management;
            c. an operational risk assessment methodology; and
            d. a risk reporting system for operational risk.
           
          2. VASPs must monitor and assess operational risk management procedures on a continuous basis. In particular, VASPs must review, update and arrange for the testing of their procedures and controls aimed at managing risks on a periodic basis, having regard to the macroeconomic environment in which the VASP operates, as well as emerging technology risks relating to their systems.
          3. VASPs must implement, maintain, test and update on an annual basis an adequate Business Continuity and Disaster Recovery Plan [BCDR Plan] to minimise disruption to their operations. The BCDR Plan must address, but not be limited to—
           
            a. events that may trigger the implementation of the BCDR Plan, such as cybersecurity events and technical failures, and procedures to be taken to assess the nature, scope and impact of the event;
            b. resource requirements, including but not limited to Senior Management and Staff, systems and other assets;
            c. recovery priorities for the VASP’s operations, including but not limited to the preservation of essential data and critical functions and the maintenance of those data and functions;
            d. communication arrangements for affected internal and external parties;
            e. processes to validate the integrity of information affected by any interruption;
            f. procedures to mitigate operational impact and/or to transfer operational functions including, but not limited to, escalation of response and recovery activities to designated personnel and management;
            g. an alternative site sufficient to recover and continue operations for a reasonable period; and
            h. procedures to remediate identified and/or exploited vulnerabilities or upgrade relevant protocols once stable operations are resumed to prevent similar events.
           
          4. The BCDR Plan should take into consideration and address factors and issues specific to Virtual Assets and DLT including, but not limited to, network malfunction, loss of data or compromise in data integrity, and key storage and maintenance of authorisation layers.
           
        • I. Chief Information Security Officer and Management

          1. VASPs must appoint a Chief Information Security Officer [CISO] who is responsible for ensuring that the VASP complies with Part I and Part III of this Technology and Information Rulebook. The CISO must be a separate individual from the CO; however, the CISO may also take on the responsibilities of the Data Protection Officer under Rule II.B.2 of this Technology and Information Rulebook.
          2. The CISO must be of sufficiently good standing and appropriately experienced.
          3. Senior Management must regularly assess and review the effectiveness of the VASP’s systems, controls, policies and procedures in relation to the VASP’s compliance with this Technology and Information Rulebook and all applicable laws and regulatory requirements, as well as allocate duties and apportion roles and responsibilities within the VASP to prevent conflicts of interests.
           
        • J. Staff Competency

          1. In addition to relevant requirements in the Compliance and Risk Management Rulebook, VASPs must ensure that all Staff are aware of the latest cybersecurity risks and developments [including those specific to Virtual Assets and DLT], taking into account the type and level of cyber risks that they may face in their respective roles.
           
        • K. Notification to VARA

          1. In addition to relevant requirements in the Compliance and Risk Management Rulebook, upon the detection of an occurrence of a cybersecurity event or other event triggering the implementation of the BCDR Plan that materially impacts a VASP’s business operations, the VASP shall report such event to VARA as soon as reasonably practicable, and in any event no later than seventy-two [72] hours from detection, with all relevant details of the nature, scope and impact of such event and the steps the VASP is or will be taking to mitigate such impact including, but not limited to, whether any notifications or reports have been made to authorities other than VARA.
           
      • Part II – Personal Data Protection

        • A. Compliance with Applicable Data Protection Law

          1. VASPs must comply with all applicable data protection and data privacy requirements in all relevant jurisdiction[s] as follows—
           
            a. within the UAE, including the PDPL and any sectoral or free zone laws and regulations that may apply to the VASP; and
            b. any data protection laws outside of the UAE that may apply to the VASP’s activities wheresoever conducted.
           
          2. Compliance with all applicable data protection and data privacy requirements under Rule II.A.1 of this Technology and Information Rulebook shall include, but not be limited to, where data may be stored or located and how such data is transferred.
           
        • B. Compliance Programme

          1. VASPs shall produce and implement a written compliance programme to protect the privacy of Personal Data, in accordance with all applicable data protection laws.
          2. Notwithstanding the requirements of any applicable data protection laws, VASPs shall at a minimum comply with the following VARA requirements—
           
            a. appoint a Data Protection Officer who has the appropriate competencies and experience to perform the statutory duties and responsibilities associated with this role under applicable data protection laws [including under Article 11 of the PDPL] [Data Protection Officer]. The Data Protection Officer can be the same individual as the CISO of the VASP; and
            b. establish a function in their organisation that is responsible for the management and protection of Personal Data in accordance with all applicable law and is appropriate for the level of risk involved with such Personal Data, including responsibility for implementing and maintaining appropriate policies, procedures, systems and controls.
           
        • C. Provision of Information to VARA

          1. Notwithstanding any other requirement elsewhere in the Regulations, Rulebooks or Directives, VASPs shall take all steps, including where applicable provide all notifications, contractual provisions and obtain all consents, that are necessary to enable VARA to have access to any information relating to the VASP’s compliance with this Part II of this Technology and Information Rulebook, regardless of where such information is stored. Access to such information shall be provided by VASPs in the manner and within the timelines communicated by VARA to the VASP.
          2. VASPs shall notify VARA as soon as possible and in any event within twenty-four [24] hours following notification by them to either—
           
            a. any data regulator, including in the UAE; or
            b. a Data Subject
           
          of any incident affecting, or potentially affecting, Personal Data and shall provide VARA with a summary of such report and, where the relevant data regulator is located in the UAE, a copy of such report, unless and to the extent prohibited by applicable law as demonstrated by the VASP to VARA’s satisfaction.
           
      • Part III – Confidential Information

        • A. Use and Protection of Confidential Information by VASPs

          1. VASPs shall take all reasonable steps to protect the ongoing confidentiality of all information related to their clients and all related properties and records. Such steps shall include implementing and enforcing appropriate policies, procedures and mechanisms to protect the confidential nature of any information shared with them, whether under the terms of a confidentiality agreement or otherwise.
          2. Such policies, procedures and mechanisms shall require that use of any information related to a VASP’s clients is only made for the purposes for which the information is provided and in compliance with relevant confidentiality agreements which shall be consistent with applicable laws and regulatory requirements, including with respect to acceptance of such agreements.
          3. VASPs shall—
           
            a. familiarise Staff with—
           
              i. their internal policies on the collection and processing of confidential information; and
              ii. requirements in this Part III of this Technology and Information Rulebook as applicable to relevant Staff; and
           
            b. periodically certify their Staff’s compliance with such internal policies.
           
          4. Staff must not share confidential information within the VASP or with any other Entities unless it is absolutely necessary for the purposes of conducting VA Activities related to such confidential information.
          5. Neither VASPs nor their Staff shall use or share confidential information for the purpose of the trading of Virtual Assets by any Entity.
           
      • Schedule 1 – Definitions

        Term Definition
        “AML/CFT” has the meaning ascribed to it in the Regulations.
        “BCDR Plan” has the meaning ascribed to it in Rule I.H.3 in this Technology and Information Rulebook.
        “Board” has the meaning ascribed to it in the Company Rulebook.
        “CBUAE” means the Central Bank of the United Arab Emirates.
        “Chief Information Security Officer” or “CISO” has the meaning ascribed to it in Rule I.I.1 of this Technology and Information Rulebook.
        “Compliance and Risk Management Rulebook” means the Compliance and Risk Management Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Compliance Officer” or “CO” has the meaning ascribed to it in the Compliance and Risk Management Rulebook.
        “Cybersecurity Policy” has the meaning ascribed to it in Rule I.B.1 in this Technology and Information Rulebook.
        “Data Protection Officer” or “DPO” has the meaning ascribed to it in Rule II.B.2 of this Technology and Information Rulebook.
        “Data Subject” has the meaning ascribed to it in the PDPL.
        “Distributed Ledger Technology” or “DLT” has the meaning ascribed to the term “Distributed Ledger Technology” in the Dubai VA Law.
        “Dubai VA Law” means Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai, as may be amended from time to time.
        “Emirate” means all zones across the Emirate of Dubai, including Special Development Zones and Free Zones but excluding the Dubai International Financial Centre.
        “Entity” means any legal entity or individual.
        “Licence” has the meaning ascribed to it in the Regulations.
        “Licensed” means having a valid Licence.
        “PDPL” means the Federal Decree-Law No. [45] of 2021 on the Protection of Personal Data.
        “Personal Data” has the meaning ascribed to it in the PDPL.
        “Regulations” means the Virtual Assets and Related Activities Regulations 2023, as may be amended from time to time.
        “Rule” has the meaning ascribed to it in the Regulations.
        “Rulebook” has the meaning ascribed to it in the Regulations.
        “Senior Management” has the meaning ascribed to it in the Company Rulebook.
        “Staff” has the meaning ascribed to it in the Company Rulebook.
        “Suspicious Transactions” has the meaning ascribed to it in the Compliance and Risk Management Rulebook.
        “Technology and Information Rulebook” means this Technology and Information Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “UAE” means the United Arab Emirates.
        “UAE Data Office” means the UAE Data Office established by virtue of Federal Decree-Law No. [44] of 2021 Establishing the UAE Data Office.
        “VA Activity” means the activities listed in Schedule 1 of the Regulations, as may be amended from time to time.
        “VA Wallet” has the meaning ascribed to the term “Virtual Asset Wallet” in the Dubai VA Law.
        “VARA” means the Dubai Virtual Assets Regulatory Authority.
        “VASP” means an Entity Licensed by VARA to conduct VA Activity[ies] in the Emirate.
        “Virtual Asset” or “VA” has the meaning ascribed to it in the Dubai VA Law.

         

    • Market Conduct Rulebook

      • Introduction

        The Dubai Virtual Assets Regulatory Authority [VARA] was established and authorised by Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai [Dubai VA Law] to regulate Virtual Asset Service Providers [VASPs].
         
        This Market Conduct Rulebook is issued pursuant to, and forms part of, the Virtual Assets and Related Activities Regulations 2023 [the Regulations] issued by VARA and applies to all VASPs Licensed by VARA to carry out any VA Activity in the Emirate.
         
        This Market Conduct Rulebook applies in addition to all other requirements in the Regulations as may be in force from time to time. As such, VASPs Licensed by VARA to carry out any VA Activity must also comply with the following Rulebooks applicable to all VASPs:
         
          Company Rulebook;
          Compliance and Risk Management Rulebook;
          Technology and Information Rulebook; and
          All Rulebooks specific to the VA Activities that the VASP is Licensed by VARA to carry out.
         
        Capitalised terms in this Market Conduct Rulebook have the meanings ascribed to them in the Regulations or as otherwise defined herein or provided in Schedule 1.
         
        Unless otherwise stated, all requirements in this Market Conduct Rulebook are Rules and have binding effect.
         
      • Part II – Client Agreements

        • A. Requirement for Written Agreements

          1. VASPs shall enter into written agreements with each client which specify the VASP’s duties and responsibilities when providing services including all VA Activities [Client Agreements].
          2. VASPs must comply with Client Agreements at all times.
          3. VASPs must ensure that, in addition to all applicable laws, including but not limited to consumer protection laws, all Client Agreements comply with the general requirement to act honestly, fairly and in the best interests of its clients and the integrity of the market.
          4. Client Agreements must at all times be fair, transparent, accurate and not misleading. Client Agreements must be sufficiently clear to the client, having regard to the nature of the services and the intended market for such services.
          5. VASPs must obtain valid acceptance from all clients entering into Client Agreements, which must be given in a form which is compliant with all applicable laws and prior to the VASP providing any VA Activities to the client.
          6. VASPs must send a copy of the Client Agreement to each client after it has been entered into.
          7. VASPs must notify clients of any change to Client Agreements at least thirty [30] calendar days prior to any change taking effect.
          8. If VASPs have the right in any Client Agreement to be able to change a service, or any part of a service, or VA Activity, this must be made explicit in the Client Agreement.
          9. VASPs must maintain a record of all versions of Client Agreements and be able to identify all changes made between versions.
           
        • B. Content of Client Agreements

          1. Client Agreements shall include, but not be limited to—
           
            a. the identities of the client and the VASP, including the legal name and registered address of the VASP;
            b. a description of the VASP’s Group;
            c. a description of the services to be provided;
            d. the methods that the VASP and client will use to communicate regarding the services;
            e. all fees charged by the VASP for the services;
            f. the law applicable to the Client Agreement;
            g. identification of third-party service providers, or any Entities within the VASP’s Group, utilised by the VASP and necessary for the services provided under the Client Agreement, which may be provided in the form of a description of the services they perform;
            h. clearly identify if and when any Virtual Assets are no longer under the control of the VASP during the provision of any VA Activity and describe the Entity[ies] liable for Virtual Assets at all times, including but not limited to where such Entity[ies] are located; and
            i. a clear statement that neither Client VAs nor Client Money benefit from any form of deposit protection.
           
          2. When forming Client Agreements, VASPs must also consider and include to the extent applicable to the services being provided, provisions covering the following—
           
            a. specify what Virtual Assets are, or will be, supported;
            b. a description of how the VASP will respond to newly created Virtual Assets [e.g. from an “airdrop”], or in the event a previously supported Virtual Asset is no longer supported [e.g. as a result of a “fork”, or other change that would affect the VASP’s ability to support the Virtual Asset], which shall include, but not be limited to obligations for the VASP to—
           
              i. assess the impact of such change as soon as possible upon becoming aware of the nature and impact of such change; and
              ii. communicate clearly with all affected clients throughout the process; and
           
            c. address risk of loss which may result from a failure of the services provided by the VASP, including any Custody Services [if provided], and outline all measures in place to mitigate risk of loss where appropriate.
           
          3. VASPs may provide the information required under Rule II.B.2 of this Market Conduct Rulebook by directing clients to where such information is contained in any published policies or procedures, provided that—
           
            a. such policies or procedures comply with Rule II.A.4 of this Market Conduct Rulebook; and
            b. all links or other references to such policies or procedures are maintained and accurate at all times.
           
      • Part III – Complaints Handling

        • A. Complaints Handling Requirements

          1. Complaints handling. VASPs shall investigate all complaints promptly and resolve complaints as soon as practicable within a reasonable period of time, in accordance with the following requirements—
           
            a. VASPs shall acknowledge all complaints within one [1] week of a complaint being made; and
            b. VASPs shall resolve all complaints within four [4] weeks of the complaint being made, except in extraordinary circumstances in which case VASPs must provide the client an update on the status of the complaint, and explain the extraordinary circumstances delaying its resolution, within four [4] weeks of the complaint being made and resolve the complaint no later than eight [8] weeks from when the complaint was made.
           
          2. VASPs shall make available to their clients an easy-to-use template form for filing complaints and provide accessible means, along with clear instructions, on where such complaints can be submitted; however, they shall not limit customers to only submitting complaints through one channel or in one form in order to be recognised as a complaint.
          3. Where the provision of services relating to VA Activities involves any third-party Entities, VASPs shall establish procedures to facilitate the handling of such complaints between their clients and such third-party Entities. VASPs shall remain responsible for the resolution of such complaints.
          4. VASPs shall not impose any fees or charges for the submission or handling of any complaints.
          5. VASPs shall keep a record of—
           
            a. all complaints received from their clients;
            b. all measures they have taken in response to complaints; and
            c. the resolution of all complaints.
           
        • B. Complaints Handling Procedures

          1. VASPs shall establish and maintain effective procedures for the prompt, fair and consistent handling of complaints received from their clients in accordance with Rule III.A of this Market Conduct Rulebook. Such procedures shall be disclosed on their website in a clear and easy-to-understand manner.
          2. Such procedures must establish when a VASP will consider a complaint to have been made and the mediums and channels through which it will monitor and recognise complaints.
          3. When establishing and maintaining such procedures, VASPs must take reasonable steps to ensure that in handling complaints they identify and remedy any recurring or systemic problems, including but not limited to—
           
            a. analysing the causes of complaints so as to identify common root causes of complaints;
            b. considering whether such root causes may also affect other processes, services [including but not limited to VA Activities] or products, including those not directly complained of; and
            c. correcting such root causes.
           
      • Part IV – Investor Classifications

        • A. Investor Classifications

          1. General provision. VASPs shall only carry out a VA Activity, or attempt to carry out a VA Activity, in relation to the classifications of investors permitted by VARA, subject at all times to all restrictions imposed by VARA in any of the following—
           
            a. Regulations, Rules or Directives as amended from time to time;
            b. the VASP’s Licence and applicable licensing conditions; and
            c. further conditions imposed by VARA from time to time.
           
          2. Retail Investor. A Retail Investor means an Entity that is not an Institutional Investor or a Qualified Investor.
          3. Qualified Investor. A Qualified Investor means—
           
            a. an individual—
           
              i. maintaining a cash holding of AED 500,000 supported by documentary proof of funds [e.g. bank statements] that illustrate relevant assets have remained, and will remain, liquid for a reasonable period of time and which shall be checked periodically; and
              ii. has relevant knowledge in respect of Virtual Assets for the nature of the VA Activities to be provided, the manner of demonstration of which shall be defined by the VASP prior to offering any products or services and shall be demonstrated to VARA on request; or
           
            b. a legal entity validly incorporated in the jurisdiction in which it is located—
           
              i. maintaining a cash holding of AED 500,000 supported by documentary proof of funds [e.g. bank statements] that illustrate relevant assets have remained, and will remain, liquid for a reasonable period of time and which shall be checked periodically; and
              ii. whose directors have relevant knowledge in respect of Virtual Assets for the nature of the VA Activities to be provided, the manner of demonstration of which shall be defined by the VASP prior to offering any products or services and shall be demonstrated to VARA on request.
           
          4. Institutional Investor. An Institutional Investor means—
           
            a. any Entity regulated by a competent financial services regulator in the jurisdiction in which it is located [including but not limited to CBUAE, the UAE Securities and Commodities Authority, the Dubai Financial Services Authority and the Financial Services Regulatory Authority of the Abu Dhabi Global Market];
            b. any VASP;
            c. any government with relevant knowledge in respect of Virtual Assets for the nature of the VA Activities to be provided, the manner of demonstration of which shall be defined by the VASP prior to offering any products or services and shall be demonstrated to VARA on request;
            d. any institution which performs the functions of a central bank; or
            e. any multilateral agency with relevant knowledge in respect of Virtual Assets for the nature of the VA Activities to be provided, the manner of demonstration of which shall be defined by the VASP prior to offering any products or services and shall be demonstrated to VARA on request.
           
      • Part V – Public Disclosures

        VASPs shall ensure the information listed in this Part V of this Market Conduct Rulebook is provided in an easily accessible location on their website in a machine-readable format and is kept accurate and up-to-date at all times.
         
        • A. Licence Details and Authorised VA Activities

          1. VASPs shall publish the Licence number issued to them by VARA.
          2. VASPs shall publish all VA Activities they are Licensed by VARA to carry out in the Emirate [including any restrictions stated by VARA as a condition of their Licence] and the validity period of such Licences.
          3. VASPs shall publish the names of all Responsible Individuals.
           
        • B. Risk Disclosure Statement

          1. VASPs shall publish a detailed description of all material risks associated with Virtual Assets, including but not limited to a specific statement that Virtual Assets—
           
            a. may lose their value in part or in full and are subject to extreme volatility at times;
            b. may not always be transferable and some transfers may be irreversible;
            c. may not be liquid;
            d. some transactions are not private and may be recorded on public DLTs; and
            e. may be subject to fraud, manipulation, theft, including through hacks and other targeted schemes and may not benefit from legal protections.
           
      • Part VI – Market Transparency

        • A. Insider Lists

          1. VASPs must maintain complete and up-to-date lists of all Entities, including their Board, Staff, Group, advisors, accountants or other third-party agents and service providers, and those of their Group, that have or may have access to Inside Information in the course of the VASP’s business or carrying out their respective roles for the VASP [Insider List]. VASPs shall update Insider Lists accordingly while such information remains Inside Information.
          2. VASPs shall retain the Insider List for a period of at least eight [8] years after it is drawn up or updated and shall provide VARA with any Insider List upon request.
          3. The Insider List shall include at least—
           
            a. the identity of any Entity having access to Inside Information;
            b. the reason for including that Entity in the Insider List;
            c. the date and time at which that Entity obtained access to Inside Information; and
            d. the date on which the Insider List was drawn up.
           
          4. VASPs shall update all Insider Lists promptly, including the date of the update, where—
           
            a. there is a change in the reason for including an Entity already on the Insider List;
            b. there is a new Entity who has access to Inside Information and needs, therefore, to be added to the Insider List; and
            c. an Entity ceases to have access to Inside Information.
            Each update shall specify the date and time when the change triggering the update occurred.
           
          5. VASPs shall take all reasonable steps to ensure that any Entity on the Insider List acknowledges in writing the legal and regulatory duties entailed and is aware of the sanctions applicable to Insider Dealing and unlawful disclosure of Inside Information.
           
        • B. Board and Staff Positions

          1. In addition to applicable requirements in the Company Rulebook, VASPs shall, for the purposes of promoting fair and transparent markets, preventing conflicts of interest and ensuring compliance with all relevant Regulations, Rules and Directives, implement policies to govern and monitor the transactions and positions of their Board members and Staff. Such policies shall, as a minimum, specify—
           
            a. any Virtual Assets which Board members and Staff cannot transact or have a position, or any other economic interests, in;
            b. any legal entities of which Board members and Staff cannot have any shareholding or hold a directorship; and
            c. the forms in which Board members and Staff shall—
           
              i. obtain prior approvals under Rule VI.B.2 of this Market Conduct Rulebook; and
              ii. provide notifications under Rule VI.B.3 of this Market Conduct Rulebook.
           
          2. All Board members and Staff shall obtain written approval from the VASP prior to taking any of the following actions which is reasonably likely to cause actual or potential conflicts of interest—
           
            a. opening, modifying or closing any Virtual Asset positions held directly or indirectly on their own account;
            b. increasing or decreasing their shareholding [held directly or indirectly on their own account] in a legal entity other than the VASP;
            c. taking up a directorship in a legal entity other than the VASP; or
            d. all additional actions stated by the VASP in the policy established under Rule VI.B.1.
           
          3. VASPs shall, at least every six [6] months, require Board members and Staff to notify them of—
           
            a. in relation to all Virtual Asset positions held directly or indirectly on their own account—
           
              i. a description and the identifier of each Virtual Asset and/or related investments;
              ii. the size of positions for each Virtual Asset and/or related investments;
              iii. the nature of the transaction[s]; and
              iv. transaction history relevant to positions held.
           
            b. in relation to their shareholding, held directly or indirectly on their own account, or director roles in any legal entities other than the VASP—
           
              i. the full name and place of organisation of the legal entity;
              ii. the purpose of such shareholding and directorship;
              iii. the shareholding percentage [if applicable]; and
              iv. full details of any remuneration for such director roles.
           
          4. If a VASP has any information or reason to believe any Board member or Staff is likely to cause, or has caused, an actual or potential conflict of interest, it must take all necessary actions to ensure such conflict of interest is removed, including but not limited to—
           
            a. procuring the relevant Board member or Staff to divest the relevant Virtual Asset positions or shareholding;
            b. resign from the board of the other legal entity; or
            c. any other action required to remove the conflict of interest, either with respect to the other Entity or the VASP.
           
          5. VASPs shall notify all Board members and Staff of their obligations under Rule VI.B of this Market Conduct Rulebook in writing prior to the start of their employment by the VASP.
           
      • Part VII – Trading Own Account

        • A. General Prohibition

          1. VASPs are prohibited from actively investing their own, or their Group’s, portfolio of Virtual Assets or any other assets.
          2. The general prohibition in Rule VII.A.1 of this Market Conduct Rulebook above does not prevent VASPs from entering into transactions in Virtual Assets or any other assets for the purpose of prudent management of Net Liquid Assets required to be held by the VASP, provided that VASPs must maintain full records of all transactions and such records must be held for a period of eight [8] years.
          3. VARA shall have sole and absolute discretion in determining whether any transactions in Virtual Assets, or any other assets, made by a VASP constitute actively investing with their own portfolio of Virtual Assets or any other assets. In making such determination VARA will take into account the following—
           
            a. frequency of transactions;
            b. the Virtual Assets or other assets involved in the transactions;
            c. volume of transactions;
            d. nature of transactions including duration; and
            e. nature of any profits generated by such transactions and significance in relation to the financial condition of the VASP.
           
        • B. Group Entities

          1. All Entities in the Emirate, including those which are in the same Group as a VASP, must comply with Regulation IV.A.7 [if applicable].
          2. Irrespective of the applicability of Rule VII.B.1 of this Market Conduct Rulebook, VASPs must comply with the reporting requirements set out in the Compliance and Risk Management Rulebook in respect of all Entities in their Group that actively invests their own, or the Group’s, portfolio of Virtual Assets or any other assets.
           
      • Part VIII – VA Standards

        • A. Requirement to have VA Standards

          1. VASPs shall establish standards for the Virtual Assets it provides VA Activities in relation to [VA Standards].
          2. VASPs shall take all reasonable steps including, but not limited to, conducting relevant due diligence to ensure all Virtual Assets meet its VA Standards prior to, and at all times during, the VASP providing any VA Activities in relation to such Virtual Assets.
          3. VASPs shall disclose their VA Standards on their website.
          4. VA Standards shall, to the extent relevant to the VA Activity, include but not be limited to the following considerations in respect of all Virtual Assets—
           
            a. its market capitalisation, fully diluted value and liquidity, and whether such metrics have trended downwards over time;
            b. its design, features and use cases, whether or not intended by the Issuer or relevant developers;
            c. whether there are features which may materially affect a VASP’s compliance with applicable laws, Regulations, Rules or Directives, including but not limited to those relating to AML/CFT, sanctions, securities, intellectual property;
            d. regulatory treatment by VARA and other appropriate authorities [including those outside of the Emirate], in particular whether the issuance of the Virtual Asset has received any regulatory approvals;
            e. whether a Virtual Asset is prohibited by VARA or any other appropriate authorities [both inside or outside the UAE] in jurisdictions in which the VASP will provide VA Activities, or equivalent activities, in relation to such Virtual Asset;
            f. the security and immutability of the underlying DLT protocol;
            g. its future development [e.g. “roadmap”] as communicated by the Issuer and/or relevant developers;
            h. whether it may be susceptible to price manipulation for any reason and relevant mitigations that will be implemented by the VASP;
            i. whether potential or actual conflicts of interest may arise should a VASP provide any VA Activities in relation to the Virtual Asset and relevant mitigations;
            j. the background of its Issuer including, but not limited to, relevant experience in the Virtual Asset sector and whether it has been subject to any investigations or claims in relation to fraud or deceit;
            k. if the Virtual Asset represents rights to any other assets, the enforceability of such rights;
            l. sufficient assets are available to satisfy any obligation with respect to any VA Activities;
            m. VASPs shall ensure that Virtual Asset terms and conditions reflect, to the extent possible, the operation of any existing underlying physical market and avoid adverse impacts to such market [if applicable]; and
            n. VASPs should review Virtual Asset terms and conditions on a periodic basis for appropriate correlation with any physical market to ensure such terms and conditions conform to standards and practices in that physical market [if applicable].
           
        • B. Implementation and Control

          1. VASPs shall regularly, and on an ongoing basis, assess relevant information to ensure that a Virtual Asset that it provides VA Activities in relation to continues to meet its VA Standards.
          2. VASPs must maintain all records relevant to such assessments for eight [8] years and provide such records for VARA’s inspection upon request.
          3. VASPs shall set conditions under which VA Activities in relation to a Virtual Asset may be suspended, including where a Virtual Asset no longer meets its VA Standards. VASPs shall have and implement all necessary operational procedures and controls in the event such conditions are met.
          4. VASPs shall notify VARA as soon as possible after becoming aware that a Virtual Asset no longer meets its VA Standards and shall take such steps as VARA may direct to minimise any adverse impact on clients arising as a result.
          5. VARA shall have the right to require the suspension of a VA Activity in respect of any Virtual Asset upon reasonable grounds it deems appropriate.
           
      • Schedule 1 – Definitions

        Term Definition
        “AML/CFT” has the meaning ascribed to it in the Regulations.
        “Board” has the meaning ascribed to it in the Company Rulebook.
        “CBUAE” means the Central Bank of the United Arab Emirates.
        “Client Agreements” has the meaning ascribed to it in Rule II.A.1 of this Market Conduct Rulebook.
        “Client Money” has the meaning ascribed to it in the Compliance and Risk Management Rulebook.
        “Client VAs” has the meaning ascribed to it in the Compliance and Risk Management Rulebook.
        “Company Rulebook” means the Company Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Custody Services” has the meaning ascribed to it in Schedule 1 of the Regulations.
        “Directive” has the meaning ascribed to it in the Regulations.
        “Distributed Ledger Technology” or “DLT” has the meaning ascribed to the term “Distributed Ledger Technology” in the Dubai VA Law.
        “Dubai VA Law” means Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai, as may be amended from time to time.
        “Emirate” means all zones across the Emirate of Dubai, including Special Development Zones and Free Zones but excluding the Dubai International Financial Centre.
        “Entity” means any legal entity or individual.
        “Group” has the meaning ascribed to it in the Company Rulebook.
        “Guidance” has the meaning ascribed to it in the Regulations.
        “Inside Information” has the meaning ascribed to it in the Regulations.
        “Insider Dealing” has the meaning ascribed to it in the Regulations.
        “Insider List” has the meaning ascribed to it in Rule VI.A.1 of this Market Conduct Rulebook.
        “Institutional Investor” has the meaning ascribed to it in Rule IV.A.4 of this Market Conduct Rulebook.
        “Issuer” has the meaning ascribed to it in the Regulations.
        “Licence” has the meaning ascribed to it in the Regulations.
        “Licensed” means having a valid Licence.
        “Market Conduct Rulebook” means this Market Conduct Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
        “Marketing Regulations” has the meaning ascribed to it in Rule I.A.1 of this Market Conduct Rulebook.
        “Net Liquid Assets” has the meaning ascribed to it in the Company Rulebook.
        “Qualified Investor” has the meaning ascribed to it in Rule IV.A.3 of this Market Conduct Rulebook.
        “Regulations” means the Virtual Assets and Related Activities Regulations 2023, as may be amended from time to time.
        “Responsible Individuals” has the meaning ascribed to it in the Company Rulebook.
        “Retail Investor” has the meaning ascribed to it in Rule IV.A.2 of this Market Conduct Rulebook.
        “Rule” has the meaning ascribed to it in the Regulations.
        “Rulebook” has the meaning ascribed to it in the Regulations.
        “Staff” has the meaning ascribed to it in the Company Rulebook.
        “UAE” means the United Arab Emirates.
        “VA Activity” means the activities listed in Schedule 1 of the Regulations, as may be amended from time to time.
        “VA Standards” has the meaning ascribed to it in Rule VIII.A.1 of this Market Conduct Rulebook.
        “VARA” means the Dubai Virtual Assets Regulatory Authority.
        “VASP” means an Entity Licensed by VARA to conduct VA Activity[ies] in the Emirate.
        “Virtual Asset” or “VA” has the meaning ascribed to it in the Dubai VA Law.