Securing a license from the Dubai Virtual Assets Regulatory Authority (VARA) is only the beginning of a VASP’s regulatory responsibilities. Licensed Virtual Asset Service Providers (VASPs) are subject to a wide range of ongoing compliance obligations, governed by the Company Rulebook, Compliance and Risk Management Rulebook, Market Conduct Rulebook, Technology and Information Rulebook, and the specific rulebook applicable to their VA Activity. These obligations are designed to uphold financial integrity, operational resilience, consumer protection, and market confidence within the Emirate’s virtual asset ecosystem.
VASPs must maintain a clear and transparent legal and governance structure at all times. This includes preserving an accurate ownership register, disclosing material changes to shareholders or control entities, and seeking VARA’s prior written approval for any restructuring involving Controlling Entities or Ultimate Beneficial Owners (UBOs). The Board must continue to evaluate its members and Senior Management on an annual basis and ensure their continued status as “Fit and Proper” Persons under Part III of the Company Rulebook. All Board changes, especially involving Responsible Individuals, require notification to and approval by VARA.
Regulated firms are required to operate a fully functional compliance framework that is appropriately staffed, documented, and subject to internal audit. This includes maintaining and implementing policies related to Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT), risk management, client onboarding, transaction monitoring, sanctions screening, recordkeeping, and suspicious activity reporting. The Compliance and Risk Management Rulebook obliges VASPs to implement a risk-based approach to all activities and conduct periodic Business Risk Assessments in line with FATF principles.
Licensed VASPs must also comply with strict technology and cybersecurity standards, including secure IT infrastructure, incident response plans, data protection measures, and business continuity frameworks. The Technology and Information Rulebook mandates the safeguarding of client data, protection of private keys, and ongoing penetration testing to validate system resilience. Any material cyber incidents, service interruptions, or data breaches must be promptly reported to VARA, and failure to do so may trigger supervisory action.
Client asset protection remains a fundamental obligation. Where custody services are provided, VASPs must segregate client assets from proprietary holdings, reconcile holdings regularly, and ensure that all third-party custodians meet VARA’s due diligence requirements. The Custody Rulebook and Company Rulebook further require VASPs to implement disclosure protocols regarding rehypothecation (if permitted), and to maintain transparent client reporting mechanisms.
Marketing and promotional activities must remain compliant with the Marketing Regulations 2024, which require that all advertising and promotional content be fair, clear, not misleading, and approved (where necessary) by VARA. VASPs are required to retain records of all marketing materials and their distribution for a minimum of eight years. Using influencers, social media channels, or promotional incentives without prior clearance may result in significant penalties.
Finally, VASPs must cooperate fully with VARA in its ongoing supervisory activities. This includes responding to information requests, participating in inspections, maintaining audit trails, and submitting periodic reports on business activity, client volume, financial condition, and risk exposures. Where material breaches or compliance failures are identified, VARA may impose remedial directives, civil penalties, or, in serious cases, suspend or revoke the license.