What is the maximum fine for operating without a VARA licence?

Up to AED 50 million per offence under the criminal-tier penalties available through federal AML/CFT prosecution. VARA-administered administrative fines typically range from AED 20,000 to AED 5 million depending on severity. Where each transaction or counterparty constitutes a separate offence, cumulative exposure can substantially exceed AED 50 million.

Can directors be personally fined or imprisoned?

Yes. Both Dubai Law 4/2022 and Federal Decree-Law 20/2018 (AML/CFT) extend liability to natural persons who directed, authorised or knowingly permitted unlicensed activity. Maximum imprisonment under federal AML offences is 10 years. Even where no imprisonment is imposed, a personal 'not fit and proper' bar from future UAE financial-services authorisation is common.

If I voluntarily disclose to VARA, will I avoid a fine?

Voluntary disclosure rarely eliminates a fine but very substantially reduces the penalty tier. From observation, voluntary-disclosure cases typically resolve in Tier 1 (AED 20,000 to AED 500,000) while detection-led cases typically resolve in Tier 2 or 3 (AED 500,000 to AED 50 million). The cost of voluntary disclosure is in the order of 10× lower than enforcement-led resolution.

Can I keep operating while I apply for a VARA licence?

No. If your activity falls within a regulated category, you must stop until authorisation is granted. Operating during the application process is itself unlicensed activity. The only exception is where VARA has expressly granted an Interim Approval (rare; specific use cases) permitting limited continued operation pending full authorisation.

Does the corporate veil protect founders from VARA enforcement?

Not in any meaningful way. UAE corporate law's general veil principle is overridden in Article 17 (Law 4/2022) and the federal AML framework, both of which expressly extend liability to natural persons with decisional involvement. Founders running a Dubai-resident operating model are personally exposed regardless of where the operating entity is incorporated.

What if my activity is genuinely outside VARA's perimeter — am I safe?

If the activity genuinely sits outside all seven VARA categories (typically: pure proprietary trading, pure technology, or activity genuinely conducted outside Dubai), no licence is required and no enforcement attaches. But the perimeter is fact-sensitive and a written perimeter analysis (lawyer's opinion) is materially valuable if VARA later asks. We have provided such opinions where the activity is genuinely outside, and they are accepted.

Dubai VARA Penalties for Unlicensed Operation

Key takeaways

Operating an unlicensed regulated activity in Dubai is a criminal offence under Article 17 of Dubai Law No. 4 of 2022. Penalties scale from administrative fines to criminal prosecution.
Maximum fine: AED 50 million per offence for serious unlicensed activity. Lower-tier administrative fines start at AED 20,000.
Personal liability extends to directors, beneficial owners and senior managers. The corporate veil does not protect individuals from VARA enforcement.
VARA can order activity to cease, freeze assets, publish censures, and refer matters for federal AML/CFT prosecution under Federal Decree-Law No. 20 of 2018 — where fines and imprisonment increase further.
There is a remediation route — VARA prefers compliance to prosecution where the business engages early, voluntarily stops the activity, and submits a credible licensing application. Late or contested enforcement is materially worse.

The legal framework

Unlicensed virtual-asset activity in Dubai engages three overlapping enforcement regimes.

1. Dubai Law No. 4 of 2022 (the founding statute)

Article 17 prohibits the conduct of any Virtual Asset Service within VARA's perimeter without a licence. Breach is a criminal offence punishable by both administrative penalties and criminal sanctions. VARA is the primary enforcement authority and has powers to investigate, issue stop orders, impose fines, and refer to public prosecution.

2. The VARA Regulations 2023 and Rulebooks

The Compliance and Risk Management Rulebook sets out the supervisory framework, including fitness-and-propriety standards, AML/CFT obligations, and the consequences of operating without compliance. Each of the seven activity-specific Rulebooks contains its own offence triggers.

3. Federal AML/CFT framework

Most unlicensed virtual-asset activity also engages Federal Decree-Law No. 20 of 2018 (anti-money laundering and counter-terrorism financing) and Cabinet Decision 10 of 2019 (implementing regulations). Federal AML offences carry separate fines (up to AED 50 million) and imprisonment (up to 10 years), and apply to natural persons including directors and key staff.

The penalty tiers in practice

From observation of VARA's enforcement pattern since 2023:

Tier 1 — Administrative penalty (minor or unintentional breach)

Fines: AED 20,000 to AED 500,000 per breach.
Cease-and-desist order.
Public disclosure on VARA's enforcement register.
Requirement to apply for licence or wind down within a specified period (typically 30-90 days).

Typical fact pattern: a company self-identifies it has crossed into a regulated activity (e.g. its advisory work has grown into a broker-dealer pattern), engages VARA voluntarily, ceases the activity, and applies for the correct licence.

Tier 2 — Substantive enforcement (deliberate or sustained breach)

Fines: AED 500,000 to AED 5 million per offence.
Permanent ban from holding a VARA licence (for the entity and named individuals).
Asset freezes pending investigation.
Director and beneficial-owner liability — fitness-and-propriety bars from future authorisation.
Public censure with reasons published.

Typical fact pattern: a company has been operating an exchange or custody service for months / years without authorisation, has accumulated meaningful client funds or volumes, and has not engaged with VARA voluntarily.

Tier 3 — Criminal prosecution (egregious or fraud-adjacent breach)

Fines: AED 5 million to AED 50 million per offence (each transaction or counterparty potentially a separate offence).
Imprisonment of directors and key personnel (federal AML offences carry up to 10 years).
Asset confiscation.
Referral to UAE Public Prosecution and potential federal-court trial.
Travel bans and Interpol notices in egregious cross-border cases.

Typical fact pattern: unlicensed virtual-asset activity combined with misrepresentation to investors, mishandling of client assets, sanctions breaches, or money-laundering indicators. The criminal lane is reserved for the worst conduct, but the threshold is not high once federal AML/CFT engages.

Personal liability of directors and beneficial owners

UAE corporate law generally provides a corporate veil, but enforcement under Law 4/2022 and Federal Decree-Law 20/2018 explicitly extends to natural persons who directed, authorised or knowingly permitted the breach. This includes:

Directors (including non-resident directors where they had decisional involvement).
Ultimate beneficial owners with effective control.
Senior managers and named "approved persons".
The MLRO, if the breach involves AML/CFT failure.

The practical consequence: a personal "fit and proper" bar from future VARA, DFSA, FSRA or CBUAE authorisation. For founders building a long-term financial-services career in the UAE, the regulatory bar is often more damaging than the fine.

What VARA enforcement actually looks like

From the cases we have observed:

Tip or detection. VARA learns of unlicensed activity via market intelligence, banking-flow signals (CBUAE coordination), regulator-to-regulator referrals (FSRA, SCA), or whistleblower complaints.
Information request. A formal request under VARA's investigatory powers, typically asking for activity scope, client volumes, capital, AML records and corporate-governance documents. Refusing to respond is a separate offence.
Cease-and-desist. If unlicensed activity is confirmed, VARA issues a stop order pending resolution. Continuing to operate after the order is automatically Tier 2 / 3.
Determination. VARA proposes a penalty tier. The company has a right to representations.
Final order. Penalty imposed; published. Right of appeal exists but is rarely successful when the underlying breach is clear.

The remediation pathway — what to do if you're already operating

If a business is already operating an unlicensed regulated activity, the remediation path is materially better than waiting for enforcement. Steps:

Pause the activity. Voluntarily stop the unlicensed conduct pending resolution. Document the stop.
Engage counsel. Get a perimeter analysis and a remediation plan ready before approaching VARA.
Voluntary disclosure. A pre-emptive approach to VARA, with a credible plan to either (a) wind down cleanly, or (b) apply for the correct licence, materially reduces penalty exposure.
Restructure if needed. If the activity does not fit a VARA category but does need to be properly housed (e.g. true proprietary trading) the entity may need re-establishment in DMCC, IFZA, ADGM, DIFC or an offshore structure.
Submit the IDQ. If pursuing a licence, the Initial Disclosure Questionnaire is the formal route.

VARA's enforcement statistics show that voluntary disclosure cases typically resolve in Tier 1, while detection-led cases typically resolve in Tier 2 or 3. The cost differential — both financial and reputational — is in the order of 10×.

What we do

Neo Legal has run perimeter analyses, remediation projects and voluntary-disclosure engagements with VARA since the regime was established. The fastest enforcement-exit route depends on facts: an early conversation costs a fraction of waiting for the cease-and-desist.

VARA penalties for operating without a licence

The legal framework

1. Dubai Law No. 4 of 2022 (the founding statute)

2. The VARA Regulations 2023 and Rulebooks

3. Federal AML/CFT framework

The penalty tiers in practice

Tier 1 — Administrative penalty (minor or unintentional breach)

Tier 2 — Substantive enforcement (deliberate or sustained breach)

Tier 3 — Criminal prosecution (egregious or fraud-adjacent breach)

Personal liability of directors and beneficial owners

What VARA enforcement actually looks like

The remediation pathway — what to do if you're already operating

What we do

Harly Zappino

Have a related matter?
Speak with senior counsel.

The legal framework

1. Dubai Law No. 4 of 2022 (the founding statute)

2. The VARA Regulations 2023 and Rulebooks

3. Federal AML/CFT framework

The penalty tiers in practice

Tier 1 — Administrative penalty (minor or unintentional breach)

Tier 2 — Substantive enforcement (deliberate or sustained breach)

Tier 3 — Criminal prosecution (egregious or fraud-adjacent breach)

Personal liability of directors and beneficial owners

What VARA enforcement actually looks like

The remediation pathway — what to do if you're already operating

What we do

Harly Zappino

Have a related matter?Speak with senior counsel.

Have a related matter?
Speak with senior counsel.