Custody Services Rulebook
Introduction
The Dubai Virtual Assets Regulatory Authority [VARA] was established and authorised by Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai [Dubai VA Law] to regulate Virtual Asset Service Providers [VASPs].
This Custody Services Rulebook is issued pursuant to, and forms part of, the Virtual Assets and Related Activities Regulations 2023 [the Regulations] issued by VARA and applies to all VASPs Licensed by VARA to carry out Custody Services in the Emirate.
This Custody Services Rulebook applies in addition to all other requirements in the Regulations as may be in force from time to time. As such, VASPs Licensed by VARA to carry out Custody Services must also comply with the following Rulebooks applicable to all VASPs:
1. Company Rulebook;
2. Compliance and Risk Management Rulebook;
3. Technology and Information Rulebook;
4. Market Conduct Rulebook; and
5. All Rulebooks specific to the VA Activities that a VASP is Licensed by VARA to carry out.
As stated in Rule III.B.5 of this Custody Services Rulebook, VASPs providing Custody Services must be an independent legal Entity - separate from any member of their Group that provides other VA Activities or linked services. Where a VASP’s Group is Licensed by VARA to carry out other VA Activities in the Emirate in addition to Custody Services, it must comply with all Rulebooks that apply to each of those other VA Activities. Unless otherwise stated, the Rules in VA Activity-specific Rulebooks apply collectively for each VA Activity the VASP carries out.
Capitalised terms in this Custody Services Rulebook have the meanings ascribed to them in the Regulations or as otherwise provided in Schedule 1.
Part I – Additional Board Requirements
A. Board Constitution
1. The Board of a VASP providing Custody Services shall consist of executive directors and non-executive directors, with a minimum of one [1] director qualifying as an independent director as set out below.
2. The Board of a VASP providing Custody Services shall convene at least on a quarterly basis.
3. VASPs providing Custody Services shall mandate the length of each term, and number of terms each Board member may serve on the Board.
4. A Board member is not regarded as an independent director of a VASP if—
a. they or any of their first-degree relatives are working or have worked as a member of the Senior Management, or held a role in the VASP’s Group equivalent to Senior Management within the two [2] years preceding the date of their nomination to the Board;
b. they or any of their first-degree relatives have a direct or indirect interest in the contracts and projects concluded with the Group during the preceding two [2] years, provided that the aggregate value of such contracts and projects do not exceed the lower of [i] ten percent [10%] of the Paid-Up Capital of the VASP, or [ii] the amount of AED 5,000,000 or its equivalent in other foreign currency, unless such contracts and projects relate to the ordinary course of business of the VASP and do not contain any preferential conditions;
c. they are working or have worked for the Group during the two [2] years preceding the date of their appointment to the Board;
d. they work for, or are a partner of a company that performs consultancy services for the VASP or any members of its Group, or has performed such services during the preceding two [2] years;
e. they have any personal service contracts with the VASP or any members of its Group, or have had such contract during the preceding two [2] years, excluding any contract under which they are appointed as a non-executive director;
f. they are directly or indirectly linked to any Entity that receives substantial funding from the VASP’s Group;
g. they or any of their first-degree relatives are a partner or an employee of the auditor of the VASP, or if, during the two [2] years preceding the date of their Board membership, were a partner or an employee of the auditor of the VASP;
h. the ownership held by them and their first-degree relatives reaches ten percent [10%] or more of the share capital of the VASP;
i. they have served more than seven [7] years as a Board member of the VASP; or
j. they are the representative of an investor in the VASP holding ten percent [10%] or more of the share capital of the VASP.
B. Board Committees
1. The Board of a VASP providing Custody Services shall establish remuneration, nomination and audit committees, and may establish additional committees, to perform certain delegated functions on behalf of the Board. The Board may delegate specific authority, but not its responsibilities, to such committees, provided that it continuously monitors and oversees the work conducted by all committees.
2. Each committee created by the Board of a VASP providing Custody Services shall—
a. have a charter or other instrument that sets out its membership, mandate, scope, working procedures and means of accountability to the Board; and
b. report to the Board on findings and recommendations relating to the work entrusted by the Board to it regularly.
3. The Board and its committees shall keep minutes to record details of the matters discussed, recommendations made, decisions taken, resolutions passed, and any dissenting opinions at a Board meeting for a period, notwithstanding any requirements in any law or regulations, of not less than eight [8] years.
C. Board Remuneration Reporting Requirements
1. On an annual basis, VASPs providing Custody Services shall submit to VARA the following information—
a. details of all compensation and/or remuneration of all members of the Board and its committees, including but not limited to salaries, allowances, expenses, bonuses, benefits, or other incentive programmes [whether or not denominated in Virtual Assets]. Such details shall include the type, nature and conditions of all such compensation and/or remuneration; and
b. reasons for all such compensation and/or remuneration.
2. All information submitted by VASPs in compliance with Rule I.C.1 of this Custody Services Rulebook shall be kept confidential by VARA, except to the extent that disclosure is required to comply with any applicable laws or regulations.
Part II – Policies, Procedures and Public Disclosures
A. Policies and Procedures
1. In addition to all other requirements in the Regulations and Rulebooks, VASPs providing Custody Services shall establish, implement and enforce appropriate written internal policies and procedures relating to the following—
a. the ability of clients to have access to and withdraw their Virtual Assets including, but not limited to, during periods of high uncertainty and/or extreme volatility; and
b. such other policies or procedures as VARA may require from time to time.
2. VASPs providing Custody Services shall assess and, in any case, at least yearly review the effectiveness of their policies and procedures, and take appropriate measures to address any deficiencies.
B. Public Disclosures
1. VASPs providing Custody Services shall publish on their website in a prominent place or make available by other publicly accessible means—
a. a detailed description of any actual or potential conflicts of interest arising out of their activities, and how these are managed;
b. their policies and procedures relating to data privacy, whistleblowing and handling of client complaints; and
c. a statement of whether the VASP has accounts, funds or Virtual Assets maintained by a third party and if so, provide the identity of that third party.
2. Other disclosable matters. To the extent permissible under applicable laws, VASPs providing Custody Services shall publish on their website or by other publicly accessible means—
a. details of any past convictions or prosecutions of any member[s] of their Senior Management or Board, whether before the courts of the UAE or the courts of another jurisdiction; and
b. any such other information relating to their business or activities as VARA may reasonably require.
3. The disclosure requirements set out in this Rule II.B of this Custody Services Rulebook are in addition to all disclosures required under the Market Conduct Rulebook, and to all notifications to VARA required under the Compliance and Risk Management Rulebook.
Part III – VA Storage and Custody Rules
A. General Requirements
1. VASPs that provide Custody Services must comply with the provisions in this Part III of this Custody Services Rulebook.
2. To the extent any provisions are inconsistent with the Client VA Rules in the Compliance and Risk Management Rulebook, this Part III of this Custody Services Rulebook shall have precedence.
3. VASPs must ensure that all Custody Services are only provided in accordance with verified client instructions.
B. Segregation and Control
1. Virtual Assets held by a VASP providing Custody Services are not depository liabilities or assets of the VASP.
2. VASPs shall not authorise or permit rehypothecation of Virtual Assets for which they provide Custody Services [regardless of whether they have obtained a client’s consent], and VASPs providing Custody Services shall not seek or attempt to obtain such consent as part of the Custody Services they provide.
3. VASPs providing Custody Services shall segregate the Virtual Assets of each client in separate VA Wallets containing the Virtual Assets of that client only.
4. VASPs must maintain control of each Virtual Asset at all times while providing Custody Services.
5. VASPs providing Custody Services must be a separate legal Entity from any member of their Group that provides services relating to VA Activities other than Custody Services, and must implement and strictly enforce policies and procedures to achieve necessary segregation between operations relating to Custody Services, and all other businesses.
6. VASPs must have adequate policies and procedures to ensure that there is sufficient operational and physical segregation between individuals handling operations for Custody Services, and their other core businesses and operations including, but not limited to, other VA Activities conducted by their Group. Such policies and procedures shall establish a separate team to handle the VASP’s Custody Services only, consisting of individuals who have no conflicting duties or access to information which may give rise to any conflicts of interest.
C. VA Wallet Management
1. Hot and cold Virtual Asset storage.
a. VASPs providing Custody Services shall at all times maintain appropriate certifications as may be required under industry best practices applicable to the safekeeping of Virtual Assets.
b. VASPs providing Custody Services should conduct a risk-based analysis to determine the method of Virtual Asset storage including different types of VA Wallets [e.g. hot versus cold storage].
c. VASPs providing Custody Services should document in detail, the methodologies and behaviour determining the transfer of Virtual Assets between different types of VA Wallets [e.g. hot, cold and warm wallets]. The mechanisms for transfer between different types of VA Wallets should be well documented, and subject to internal controls and audits performed by an independent third-party auditor, ensuring compliance with Rule III.C.1.a of this Custody Services Rulebook.
2. Seed or key generation, storage, and use.
a. When creating any seed, asymmetric private and public key combinations, or other similar mechanisms required for providing Custody Services, VASPs shall use industry best standards to create the seed, asymmetric private and public key combinations, or other similar mechanisms to ensure a secure generation mechanism. In addition, all VASPs providing Custody Services shall consider all risks associated with producing a private key or seed for a signatory including whether the signatory should be involved in the generation process or whether creators of the seed, private key, or other similar mechanism should be prohibited from cryptographically signing any transaction or from having access to any relevant systems.
b. VASPs providing Custody Services shall adopt industry best practices when using encryption, and secure device storage for a client’s private keys when not in use. VASPs must ensure that any keys stored online or in one physical location are not capable of conducting a Virtual Asset transaction, unless appropriate controls are in place to ensure that physical access itself by an individual is insufficient to conduct a transaction.
c. All key and seed backups must be stored in a separate location from the primary key and seed. Key and seed backups must be stored with encryption at least equal to the encryption used to protect the primary seed and key. If VASPs use mnemonic back-up seed phrases, it should ensure that the mnemonic back-up seed phrase is broken into at least two [2] parts. Any backups that when combined could facilitate a transaction, must not be stored in a single point of access.
d. VASPs providing Custody Services should consider using multi-signature approaches where appropriate. VARA reserves the right to require VASPs to use multi-signature approaches in specific situations, including for specific types of Virtual Assets. If a VASP has multi-signature arrangements that vary depending on the risk of the transaction, the VASP must have well-documented and audited procedures.
e. VASPs providing Custody Services must mitigate the risk of collusion between all authorised parties or signatories who are able to authorise the movement, transfer or withdrawal of Virtual Assets held under custody on behalf of clients. The risk of collusion and other internal points of failure should be evaluated for materiality and probability, and effectively addressed during recurring operational risk assessments.
3. Lost or stolen keys.
a. VASPs providing Custody Services shall establish, and maintain effective policies and procedures in the event that any seed or cryptographic keys of any VA Wallet are lost or otherwise compromised. Such policies and procedures shall address matters including but not limited to—
i. recovery of affected Virtual Assets;
ii. timely communications with all clients and counterparties regarding consequences arising from relevant incidents, and measures being taken to remedy such consequences;
iii. cooperation with law enforcement agencies and regulatory bodies; and
iv. if applicable, preparation of wind-down arrangements and public disclosure of such arrangements.
D. Additional Obligations
1. Written agreements with clients.
a. In addition to all applicable requirements in the Market Conduct Rulebook, Client Agreements entered into between VASPs providing Custody Services and clients should include the following—
i. description of the overall custodial framework used by the VASP when providing Custody Services, including but not limited to security, risk mitigation, safeguarding procedures;
ii. address what will happen when source code versions underlying a Virtual Asset supported by the VASP materially change in a way that may affect the Custody Services provided [e.g. a “fork” of the network protocol], including but not limited to—
1. notification requirements if the VASP will not support the original source code version;
2. notification requirements if the VASP will support the original source code version;
3. notification requirements if the original source code version will no longer exist, or is not reasonably expected to continue to exist, or if the original source code version will no longer function securely and/or as originally intended; and
4. actions that will be taken by the VASP if any/all of the above were to take place;
iii. when and how the Virtual Assets under custody will be returned;
iv. settlement finality, including when a Virtual Asset will be deemed fully transferred, and the VASP discharged of any obligations upon transfer of the Virtual Asset [including but not limited to withdrawals initiated by the client];
v. the frequency of account statements to be provided to clients, and the content of those statements;
vi. who [e.g. the VASP, its agent or another third party] is responsible for securing the Virtual Assets, and protecting them from theft or loss;
vii. the VASP’s Outsourcing practices including, if the VASP Outsources some or all of the Custody Services to third parties, the qualifications of those third parties;
viii. the VASP’s cybersecurity and data privacy policies, procedures, controls and systems, including how the VASP will respond to data breaches and cyberattacks, and notification, reimbursement and remediation policies; and
ix. the VASP’s policies and procedures for safeguarding access to Virtual Assets, including policies and procedures related to multi-signature/multi-key safeguards, access management controls, and revocation of key signatories’ access.
2. Relationship between a VASP and client, for the provision of Custody Services.
a. The provision of Custody Services shall be a contractual arrangement between a VASP and a client, under which a client lawfully in control of, or entitled to control, a Virtual Asset, transfers control of the Virtual Asset to a VASP, solely for the purpose of receiving Custody Services, and does not in any way transfer to the VASP, any legal interest in the Virtual Asset, or any discretionary authority not explicitly authorised in the Client Agreement or otherwise agreed to by the client.
b. In addition to all Reserve Assets requirements in the Company Rulebook, VASPs providing Custody Services will keep a register, and record of reconciliation of each client’s positions that correspond to the client’s rights to the Virtual Assets that are subject to the Custody Services.
3. Outsourcing and third-party suppliers.
a. If a VASP Outsources some or all of the Custody Services to third parties, the VASP is responsible for ensuring that all applicable laws, Regulations, Rules and Directives are complied with.
b. VASPs must have established roles and responsibilities for its Custody Services operations, and its operational risk management. The responsibility for manually executed core functions of Custody Services, should only be performed by authorised employees.
4. Account statements. VASPs providing Custody Services must provide at least every month, and promptly at the request of a client, a statement with all Virtual Asset transactions specific to each client account, the dates and transaction amounts of the corresponding transactions, and balances and value for each type of Virtual Asset.
5. Audit. VASPs should maintain a full audit trail of all transaction activities that occur on a client’s account for at least eight [8] years. The audit trail should include specific information regarding each transaction, such as the date and time, the transaction type, the relevant signatories, and the Virtual Assets involved.
Part IV – Staking from Custody Services Rules
A. Compliance with Staking from Custody Services Rules
1. VASPs Licensed by VARA to carry out Custody Services may only provide Staking from Custody Services, if explicitly authorised to do so by VARA, and such authorisation is expressly stipulated in their Licence. VASPs will be subject to licensing and/or supervision fees incremental to the fees for Custody Services in Schedule 2 of the Regulations, or other fees published by VARA, as amended from time to time, in order to be able to undertake the regulated activity of Staking from Custody Services.
2. VASPs that are authorised to provide Staking from Custody Services must comply with this Part IV of this Custody Services Rulebook, at all times, when providing these services.
3. Staking from Custody Services is regarded by VARA to form part of the Custody Services that a VASP provides. As such, all VASPs providing Staking from Custody Services must continue to comply with all other Rules relating to Custody Services throughout the provision of Staking from Custody Services, for all Virtual Assets to which the Staking from Custody Services relate.
4. For the avoidance of doubt, VASPs Licensed by VARA to carry out Custody Services that are also authorised to provide Staking from Custody Services, may only provide Staking from Custody Services for Virtual Assets for which they are providing Custody Services.
5. VASPs Licensed by VARA to carry out Custody Services that are also authorised to provide Staking from Custody Services, may provide Staking from Custody Services through the same legal Entity. For avoidance of doubt, such authorisation for, and provision of Staking from Custody Services is considered to be a sub-set of the Custody Services Activity, and is hence not subject to the requirement for a separate legal Entity stipulated under Rule III.B.5 of this Custody Services Rulebook.
6. VARA shall have the right to suspend or revoke any authorisation granted to a VASP to provide Staking from Custody Services, in respect of any specific DLT, or in its entirety across all DLTs, upon reasonable grounds VARA deems appropriate.
B. Client instructions
1. VASPs providing Staking from Custody Services must comply with Rule III.A.3 of this Custody Services Rulebook, and continue to act only on explicit instructions received from their clients throughout the provision of such services, including when they are required to vote or otherwise participate in the governance of any DLT on behalf of their clients.
2. If a VASP wishes to obtain and rely on any pre-authorised instruction from a client, the VASP must consider all reasonably foreseeable circumstances where such instruction is likely to be used by the VASP as authorisation, and the VASP must communicate all such circumstances clearly to the client, prior to the client providing such instruction. All pre-authorised instructions sought or obtained by a VASP must be sufficiently detailed, accurate and relevant for the client to understand both the circumstances in, and actions for which such instructions will be relied upon by the VASP.
3. Staking from Custody Services cannot be provided on an ‘opt-out’ basis, and the activity may only be initiated after the VASP has received a client’s specific instruction to do so.
C. Segregation and safekeeping of Virtual Assets
1. Segregated client VA Wallets. VASPs providing Staking from Custody Services must ensure that each client’s Virtual Assets remain segregated in separate VA Wallets containing the Virtual Assets of that client only, throughout the provision of such Staking from Custody Services, as required under Rule III.B.3 of this Custody Services Rulebook.
2. Single client per node. VASPs providing Staking from Custody Services must ensure that no client’s Virtual Assets are pooled or otherwise combined with Virtual Assets of any other clients of the VASP or any other party[ies], whether to meet any minimum requirements of a given DLT or otherwise, and each node or instance of a DLT managed, operated or otherwise made available by the VASP may only hold, be delegated, or have committed to it, Virtual Assets belonging to that client only.
3. Safekeeping of Virtual Assets. VASPs providing Staking from Custody Services remain responsible to their clients for the safekeeping of the Virtual Assets for which Staking from Custody Services is being provided.
4. Control of withdrawal keys. VASPs providing Staking from Custody Services must maintain control of the cryptographic keys and/or other mediums or methods through which the Virtual Assets may be withdrawn, or otherwise no longer ‘staked’.
D. Node management
1. VASPs providing Staking from Custody Services must use all commercially reasonable endeavours to ensure all operational, maintenance or other requirements for participation [including, but not limited to, hardware, software, connectivity and upgrades of the same] determined by the relevant DLT are met in respect of Staking from Custody Services, in order to minimise the risk of ‘slashing’ or other penalties being incurred in respect of the Virtual Assets, for which the VASP is providing such Staking from Custody Services.
2. VA Wallet management. VASPs providing Staking from Custody Services shall continue to comply with all requirements in Rule III.C of this Custody Services Rulebook, and the above Rule IV.D.1 of this Custody Services Rulebook applies in addition to those requirements.
3. Outsourcing. In addition to the requirements in Rule III.D.3 of this Custody Services Rulebook, VASPs shall ensure that all third-party services used by the VASP in the provision of Staking from Custody Services, comply with Part IV of the Company Rulebook.
E. DLT Standards
1. VASPs providing Staking from Custody Services shall establish standards for the DLTs for which it provides, or the DLTs it uses to provide Staking from Custody Services [DLT Standards].
2. DLT Standards shall include, but not be limited to—
a. security and immutability of the DLT protocol, including its level of centralisation, reliance on a single Entity, or any potential single points of failure;
b. operating history of the DLT, including any periods of disruption or downtime;
c. soundness of the staking protocol and operation, including the duration for which it has successfully been active;
d. source of any rewards being offered by the DLT or any other party for a user’s participation, including whether such rewards are derived from the fees paid by users of the DLT, or from other means;
e. the VASP’s ability to maintain all operational, maintenance or other requirements for participation;
f. its design, features and use cases, whether or not intended by relevant developers;
g. any features that present a risk of materially affecting a VASP’s compliance with applicable laws, Regulations, Rules or Directives, including but not limited to those relating to AML/CFT, sanctions, security and intellectual property;
h. regulatory treatment by VARA and other appropriate authorities [including those outside of the Emirate];
i. future development plans [e.g. “roadmap”] of the DLT as communicated by relevant developers, and whether such developments may have an impact [positive or negative] on, or relevance to, any of the above factors;
j. potential or actual conflicts of interest that may arise should a VASP provide any Staking from Custody Services in relation to the DLT, and relevant mitigations provisioned for such instances;
k. background of the founders, management, and current core developers of the DLT, including, but not limited to, relevant experience in the Virtual Asset sector, and whether they have been subject to any investigations, penalties, or claims in relation to fraud or deceit etc.; and
l. any additional factors that the VASP may require to be considered.
3. VASPs providing Staking from Custody Services shall take all reasonable steps, including but not limited to conducting relevant due diligence, prior to the provision of such services in respect of a DLT, to ensure the DLT meets all their prescribed DLT Standards.
4. VASPs providing Staking from Custody Services must actively monitor all DLTs for which Staking from Custody Services is provided, for continued compliance with their DLT Standards.
5. Upon becoming aware that a DLT no longer meets a VASP’s prescribed DLT Standards, the VASP must—
a. notify all affected clients and VARA immediately;
b. cease accepting new Virtual Assets for Staking from Custody Services in respect of that DLT immediately;
c. determine a course of action with such affected clients to cease all Staking from Custody Services for that DLT, as soon as practicable;
d. continue to provide such Staking from Custody Services in accordance with this Part IV of this Custody Services Rulebook throughout the agreed course of action, and until such services have been effectively concluded;
e. keep VARA informed of all actions being taken throughout such course of action; and
f. take all other steps as VARA may direct.
6. VASPs providing Staking from Custody Services shall also set and implement conditions, under which the VASP will suspend accepting new Virtual Assets for Staking from Custody Services which, as required under Rule IV.E.5 of this Custody Services Rulebook above, must include where a DLT no longer meets the VASP’s DLT Standards.
7. VASPs must maintain all records relevant to such assessments under this Rule IV.E of this Custody Services Rulebook for eight [8] years, and provide such records for VARA’s inspection upon request.
F. Risk disclosure statement
1. VASPs providing Staking from Custody Services must provide each client with a risk disclosure statement explaining (i) that Virtual Assets for which Staking from Custody Services is being provided, may be at risk of loss, reduction or penalty, (ii) the types and nature of such risks, (iii) the circumstances in which such risks may arise, and (iv) the likelihood and severity of consequences that may be suffered.
2. The risk disclosure statement required under Rule IV.F.1 above, of this Custody Services Rulebook must be separate from the Client Agreement, and VASPs must independently obtain confirmation of the acceptance of such risk disclosure statement from each client, prior to the VASP providing Staking from Custody Services to that client.
G. Client Agreements
1. In addition to all requirements in respect of Client Agreements in the Market Conduct Rulebook, and under Rule III.D of this Custody Services Rulebook, VASPs providing Staking from Custody Services shall include the following, to the extent applicable, in Client Agreements in respect of Staking from Custody Services—
a. a description of the Virtual Assets for which Staking from Custody Services is being provided to such extent that the details are sufficient to identify them;
b. operational, maintenance or other requirements for participation [including but not limited to hardware, software and connectivity] of the DLT[s], for which Staking from Custody Services is being provided, and that the VASP undertakes the responsibility to meet those requirements when providing such services. This Rule IV.G.1.b of this Custody Services Rulebook can be largely met by providing links to publicly available sources of where such information is officially maintained, for example DLT website or source code repository etc.;
c. respective rights of the VASP, the client and any other Entity involved in the Staking from Custody Services, in respect of Virtual Assets that are the subject of the Client Agreement;
d. a detailed description of the source of all rewards received by clients from the Staking from Custody Services, including whether such rewards are generated solely from fees paid by users of the DLT, or whether such rewards are derived from any other source;
e. proceeds to be paid or become payable, and in the case of variable proceeds, the method of calculation, factors that impact the amount, volatility and timing of the proceeds, and how and when such variations will be communicated by the VASP to its clients, including all rights that the client has to influence decisions at each stage;
f. all fees to be charged for Staking from Custody Services, and the calculation thereof;
g. rights of the client to withdraw or directly control decisions pertaining to any Virtual Assets, in respect of which Staking from Custody Services is provided, and any conditions/ circumstances under which the client may be unable to do so;
h. statement explaining that Virtual Assets in respect of which Staking from Custody Services is provided may be at risk, including the types and nature of such risks, as well as the likelihood and severity of any losses that may be suffered;
i. rights, if any, of the VASP to vary the terms of the Client Agreement;
j. rights of the VASP and the client to terminate the Client Agreement, circumstances under which these rights can be activated, and the consequences of such termination;
k. full details of the VASP’s client complaints procedure; and
l. statement explaining whether the VASP receives any remuneration, discount or other benefit for using any third party [with a disclosure of specific Entities where applicable], in the course of the provision of the Staking from Custody Services.
Schedule 1 – Definitions
Term | Definition
“Client Agreements” | has the meaning ascribed to it in the Market Conduct Rulebook.
“Company Rulebook” | means the Company Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
“Compliance and Risk Management Rulebook” | means the Compliance and Risk Management Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
“Custody Services” | has the meaning ascribed to it in Schedule 1 of the Regulations.
“Custody Services Rulebook” | means this Custody Services Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
“Directive” | has the meaning ascribed to it in the Regulations.
“DLT Standards” | has the meaning ascribed to it in Rule IV.E.1 of this Custody Services Rulebook.
“Dubai VA Law” | means Law No. [4] of 2022 Regulating Virtual Assets in the Emirate of Dubai, as may be amended from time to time.
“Emirate” | means all zones across the Emirate of Dubai, including Special Development Zones and Free Zones but excluding the Dubai International Financial Centre.
“Entity” | means any legal entity or individual.
“Group” | has the meaning ascribed to it in the Company Rulebook.
“Licence” | has the meaning ascribed to it in the Regulations.
“Licensed” | means holding a valid Licence.
“Market Conduct Rulebook” | means the Market Conduct Rulebook issued by VARA pursuant to the Regulations, as may be amended from time to time.
“Outsourcing” | has the meaning ascribed to it in the Company Rulebook.
“Paid-Up Capital” | has the meaning ascribed to it in the Company Rulebook.
“Regulations” | means the Virtual Assets and Related Activities Regulations 2023, as may be amended from time to time.
“Reserve Assets” | has the meaning ascribed to it in the Company Rulebook.
“Rule” | has the meaning ascribed to it in the Regulations.
“Rulebook” | has the meaning ascribed to it in the Regulations.
“Staking from Custody Services” | means ‘staking’ or otherwise using, committing, pledging or locking up Virtual Assets, for which the VASP is providing Custody Services, for the purposes of participating in the consensus mechanisms or other maintenance, operation or functioning of a DLT to which those Virtual Assets relate, and may include receiving rewards generated and distributed for that participation.
“Senior Management” | has the meaning ascribed to it in the Company Rulebook.
“UAE” | means the United Arab Emirates.
“VA Activity” | means the activities listed in Schedule 1 of the Regulations, as may be amended from time to time.
“VARA” | means the Dubai Virtual Assets Regulatory Authority.
“VASP” | means an Entity Licensed by VARA to conduct VA Activity[ies] in the Emirate.
“Virtual Asset” or “VA” | has the meaning ascribed to it in the Dubai VA Law.
“VA Wallet” | has the meaning ascribed to the term “Virtual Asset Wallet” in the Dubai VA Law.