The virtual asset landscape is ever-changing across the UAE and this does not appear to be slowing down. The Virtual Assets Regulatory Authority (VARA) recently published its virtual assets regulations and associated rulebooks (see VARA issues Regulations for Dubai Virtual Assets Regime) and the UAE Securities and Commodities Authority recently repealed and replaced its crypto asset regulations (see UAE Securities and Commodities Authority introduces two new virtual asset regulations).
Now, to add to the developments, the Central Bank of the UAE (CBUAE) has issued guidance to Licensed Financial Institutions (LFIs) on the risks related to virtual assets and Virtual Asset Service Providers (VASPs). VARA has also been busy with the publication of the Transfer and Settlements regulatory Rulebook and the establishment of its own “Grievance Committee”.
CBUAE VA Guidance
On May 31, the CBUAE issued Guidance for Licensed Financial Institutions on Risks related to Virtual Assets and Virtual Asset Service Providers (CBUAE VA Guidance) which is due to come into force in July 2023. This CBUAE VA Guidance is not regulation but rather sets out the expectations of the CBUAE for LFIs in demonstrating their compliance with their statutory obligations when dealing in virtual assets or with VASPs. The CBUAE VA Guidance applies to licensed and/or CBUAE registered natural and juridical persons including banks, finance companies, payment service providers, insurance companies, agencies and brokers.
The CBUAE VA Guidance focuses on anti-money-laundering and counter-terrorist-financing compliance and as such, the CBUAE recommends the CBUAE VA Guidance is read alongside the Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019) and Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 3090/2021 dated 29/06/2021)”, for a full understanding of the statutory obligations of LFIs, and the CBUAE’s expectation for such LFIs to demonstrate their compliance with these requirements.
In summary, the CBUAE VA Guidance covers the following points:
- VASP business models – the CBUAE VA Guidance gives examples of VASP business models for LFIs to familiarise themselves with, which include exchange between virtual assets and fiat, virtual assets and virtual assets, transfers of virtual assets, escrow services, virtual asset payment processors, virtual asset kiosks, and DeFi protocols amongst others.
- Threats by VASPs and specific vulnerabilities – the CBUAE VA Guidance confirms that LFIs must be aware of the key consumer and investor risks which are presented by virtual assets which include (but are not limited to) hacks, fewer protections, cost and scams. Other vulnerabilities raised by the CBUAE include decentralisation, privacy, immutability and anonymity. LFIs engaging in virtual asset activity or onboarding VASPs under correspondent relationships must carry out their risk assessment of any underlying client or asset to fully appreciate the risks and vulnerabilities.
- LFI specific exposure – interestingly, the CBUAE VA Guidance confirms that LFIs may face exposure to virtual assets and VASPs through relationships or transactions. Examples provided include direct services to VASP customers, downstream services to third-party (ie, non-customer) VASP, services to other customers that transact in virtual assets and LFIs’ proprietary investments in virtual assets. Clearly LFIs must consider all angles of their client’s business to understand the legal and regulatory risks that they may present.
- Regulatory framework – the CBUAE VA Guidance confirms that there are multiple regulatory frameworks that are applicable to VASP business models, depending on the jurisdiction in scope (ie onshore, DIFC or ADGM). LFIs should ensure that they understand what regulatory framework impacts a VASP framework or their own framework, should they decide to directly engage in virtual asset related activity.
- Substance over form – the CBUAE reminds LFIs that virtual assets should be assessed by their features and not their name or how they are described. The CBUAE VA Guidance reiterates that a virtual asset can also not be a financial asset at the same time.
- Payment related services – a VASP business model may include service providers that facilitate virtual asset backed/powered personal remittances, payments for non-financial goods or services, or payment of wages. The mere acceptance of virtual assets as payment for goods and services does not constitute a VASP activity (as is the case in the UK for example); however, a business model that facilitates companies accepting virtual assets as payment would be considered to be within scope. Stablecoins may also be within scope depending on the exact business model.
- DeFi – the CBUAE VA Guidance is not limited to centralised propositions. Creators, owners, and operators who control or influence DeFi arrangements may qualify as VASPs where they are providing or actively facilitating VASP services. With the DeFi space being complex, LFI’s should consider what training its staff need to understand centralised and decentralised business models.
- NFTs – NFTs are unlikely to be considered to be virtual assets, however, LFIs should determine this as part of their due diligence on a VASP and/or virtual asset to ensure that this is the case. For example, the CBUAE VA Guidance confirms that NFTs that are fractionalised or issued as part of a large series or collection may be subject to securities regulation. As such, LFIs will need to obtain token opinions prior to onboarding VASPs who deal within this space, to better understand the nature of the virtual asset within scope.
- Operational matters – the nature and type of accounts available to VASPs will depend on whether the VASP is appropriately licensed. Strict due diligence must be completed by LFIs along with entering into written agreements, reputational checks, AML assessments and an understanding of third party relationships associated with the VASP. LFIs will need to engage with multiple service providers to understand each of these elements and ensure their legal and operational operations are fit for purpose.
- Crypto ATMs – crypto ATMs are subject to AML/CFT and KYC requirements, meaning that users must submit personally identifiable information before creating an account at a virtual asset kiosk in the same way that customers using ATMs for cash withdrawals would need to undergo KYC and customer due diligence processes at a financial institution. With crypto ATMs being a touchy subject worldwide, LFIs will need to consider what level of resources they provide to assessing these types of businesses, and how they continue to monitor such business models.
The CBUAE VA Guidance is a positive step forward in assisting LFI’s to understand and assess the risks associated with virtual assets and doing business with VASPs. The CBUAE VA Guidance does, however, serve as a reminder of the stringent compliance obligation on LFIs engaging in or with virtual assets or VASPS. The CBUAE makes it clear that the expectation is that LFIs complete extensive due diligence on their VASP clients to ensure that their operations do not give rise to AML concerns and comply with all FATF recommendations.
Transfer and settlement
On June 5, 2023, VARA published the hotly anticipated Transfer and Settlement Services Rulebook (Settlement Rulebook). This is the final piece of the puzzle for the VARA regulatory rulebooks and the Settlement Rulebook forms a part of the Virtual Assets and Related Activities Regulations 2023 (Regulations). The Settlement Rulebook applies to all VASPs licenced by VARA to carry out virtual asset transfer and settlement services in or out of Dubai (excluding the DIFC).
The Regulations define virtual asset transfer and settlement services as “the transmission or transfer, and/or settlement of virtual assets from one Entity to another Entity or from one Entity to another VA Wallet, address or location.” This broad definition will likely capture a wide range of VASPs and the exemptions available are limited and include only UAE Government entities and all public, non-profit, not-for-profit and charitable entities of a UAE Government entity.
Prime facie there does not appear to be any intra-group exemptions and as such transmission or transfer within a group appears to be caught by the Regulations. VASPs who are caught by the Settlement Rulebook must also comply with other VARA rulebooks, which include:
- company Rulebook;
- compliance and Risk Management Rulebook;
- technology and Information Rulebook;
- market Conduct Rulebook; and
- all Rulebooks specific to the virtual asset activities that a VASP is licensed to carry out by VARA.
The Settlement Rulebook implements a number of compliance obligations on VASPs providing virtual asset Transfer and Settlement Services, such as, establishing, implementing and enforcing appropriate internal policies outlining how such VASPs can rectify any erroneous virtual asset transmissions or transfers and provide refunds to customers if needed.
These policies and procedures are required to be reviewed annually, placing an onerous but much needed compliance obligation on the particular VASP. Firms should seek legal advice to ensure that their policies are in line with regulatory requirements and the guidance issued by the regulator on an ongoing basis.
With the publication of the Settlement Rulebook, the question is how this Rulebook interplays with the CBUAE’s Stored Value Facilities Regulation, which captures remittances and transfers of virtual assets. It will be interesting to see how the supervision of such activity is carried out in practice.
Grievance Committee
On June 1, 2023, VARA issued Administrative Resolution No.1 of 2023 (Resolution) to establish its Grievance Committee (Committee). According to the Resolution, the Committee has been formed in order to consider and determine all grievances submitted by industry participants in the virtual asset market in Dubai. This includes penalties or sanctions related to breaches of the VARA Rulebook and/or applicable legislation in the Emirate of Dubai.
The Resolution confirms that the Committee will comprise of the following representatives, each of whom may appoint an authorised representative that is pre-approved by the Committee:
- Managing Director, Vice Chairperson – Executive Board, VARA (Chairperson);
- Member – Executive Board, VARA and CEO, Regulatory Policy and Governance, DET (Member); and
- Chief Executive Officer, VARA (Member).
The Resolution also details the Committee meeting and decision-making requirements and other administrative requirements.
The establishment of the Grievance Committee is a helpful recourse for firms and shows the UAE continuously establishing a strong and fair legal and regulatory framework.
Comment
Given the ever-evolving regulatory landscape in the UAE in respect of virtual assets, firms in the region that operate in this space should endeavour to stay informed of such changes and seek legal advice to ensure current and future compliance with all regulatory requirements relating to virtual asset activities and the impact to their business. With five regulatory regimes within the UAE, and three different legal jurisdictions, this puzzle requires detailed legal and commercial analysis to stay abreast and in compliance with the virtual asset space in the UAE regions.
Gabriella Savastano is head of Financial Services for the UAE. Yasmin Johal is an associate, specialising in FinTech and sits in the Financial Services Regulation team. Co-authored by Theodora Okocha. CMS