With the increasing global attention paid to virtual asset regulation, the Dubai Virtual Asset Regulatory Authority (VARA) recently issued new compliance regulations aimed at improving the transparency and security of virtual asset service providers (VASPs). These new regulations not only affect the operating environment of the local market, but also put forward higher compliance requirements for international virtual asset trading platforms. As a global digital asset center, Dubai's regulatory policies are at the forefront of the industry and provide important reference for the regulatory frameworks of other regions.

Dubai’s Virtual Asset Regulatory Authority (VARA) announced new, stricter guidelines for the marketing of virtual assets on September 26, 2024. The new regulations will come into effect on October 1, 2024. The new regulations aim to address the inherent risks associated with crypto investments by requiring clearer communication from companies involved in promoting these digital assets.

In March 2022, UAE Prime Minister Sheikh Mohammed officially launched VARA to oversee the growth, development, and security of the Web3 sector. All Web3 participants who wish to conduct business in Dubai must be identified through VARA.

This article will delve into the key aspects of Dubai VARA compliance and analyze the effective strategies that VASPs should adopt when dealing with regulatory challenges. By understanding these requirements, virtual asset service providers can better avoid potential risks, maintain their own legal and compliant operations, and promote the healthy development of the entire industry.

Compliance and risk control

Part I - Compliance Management

1. Principles:

VASPs should abide by the principles of integrity, diligence, efficient capabilities, robust technology, adequate protection, accurate accounting, effective disclosure, compliance, openness and transparency when conducting business and providing services in the UAE.

2. Compliance Management System (CMS):

VASPs should establish and maintain an effective compliance management system that can analyze key performance and risk indicators, monitor and test risks, identify potential violations and promptly notify the CO, and provide relevant personnel with unrestricted access to necessary records and documents.

3. Compliance Policies & Procedures:

VASPs should establish, maintain and implement clear and detailed compliance policies and procedures, including anti-money laundering policies, business activity policies, record keeping procedures, employee compliance policies, complaint response procedures, etc.

4. Risk Management Policies & Procedures:

VASPs should establish risk management functions, policies and procedures that are appropriate to their nature, size, complexity and risk profile, and apply effective risk measurement and reporting methods. Risk function managers must submit risk exposure reports at least quarterly. Risk categories include financial stability risk, market risk, credit risk, liquidity risk, market behavior risk, compliance and risk control risk, customer protection risk, etc.

5. Operation Management:

VASPs should establish and maintain effective operational policies and procedures to protect their virtual assets and customer virtual assets from theft, fraud and/or misappropriation and ensure that there are safeguards in place to prevent any of their personnel from exploiting confidential or insider information.

6. Books and records:

VASPs should keep proper books and records, and maintain and track appropriate records from third-party services and customers, customer transaction records, communications and documents, and conflict of interest registers, so that they can demonstrate compliance with all applicable legal and regulatory requirements at all times. These records must be retained for no less than 8 years, and all records that may involve the national security of the UAE must be retained indefinitely.

7. Audit:

External Audit - VASPs should appoint independent third-party auditors to audit their financial statements and understand the reasonableness of the auditor's valuation. VARA may require VASPs to change auditors if their original auditors are deemed inappropriate for the size and complexity of their business and reputation.

Internal Audit - The internal audit department shall conduct audits at least quarterly, inform senior management of the findings and recommendations, and follow up and resolve related issues or risks.

8. Regulatory Reporting:

- Submit to VARA at least monthly its balance sheet and a list of all off-balance sheet items, profit and loss statements, income statements, cash flow statements, virtual asset wallet addresses, a complete list of investment portfolios, and a complete record of all transactions, including but not limited to any transactions in loans or other virtual asset activities.

- Submit to VARA at least quarterly the minutes of the meetings of the Board of Directors committees, statements demonstrating compliance with legal financial requirements, financial forecasts and strategic business plans, and risk exposure reports.

- Submit to VARA at least annually the audited annual report, senior management's assessment of the annual report, formal certification verifying the accuracy of the annual report, authentic account opening documents for the first 100 customers, product descriptions, group structure chart, resumes of board members, identification of independent directors, any committees and members, and minutes of board meetings.

9. Regulatory notifications:

VASPs shall notify VARA in writing of any rule changes, any significant events, and any criminal or significant civil lawsuits, charges, or bankruptcy proceedings. Any violations of any laws, regulations, or rules related to VA activities shall be reported to VARA immediately. Promptly notify VARA of incidents related to cybersecurity breaches, including but not limited to incidents involving loss of information or affecting personal data.

10. Staff management and training:

VASPs should adopt appropriate recruitment processes to ensure that there are an appropriate number of qualified personnel with the necessary skills, knowledge and expertise to perform their duties. It is not mandatory to be based in the UAE, provided that all regulatory and enforcement functions are effectively implemented and meet the requirements of VARA. VASPs should train employees on operational policies and procedures within 30 days of their first employment, and conduct anti-money laundering/counter-terrorist financing training on a regular basis thereafter, and monitor their compliance with all established procedures.

Part II - Tax reporting and compliance

VASPs must at all times comply with all tax reporting obligations under all applicable laws, regulations, rules or guidance and national, international and industry best practices, including, where applicable, the U.S. Foreign Account Tax Compliance Act (FATCA).

Part III - Anti-Money Laundering and Counter-Terrorist Financing

1. Appointment of Money Laundering Reporting Officer

VASPs should appoint a Money Laundering Reporting Officer with at least two years’ experience in AML/CTF matters and review their continued suitability annually.

2. The MLRO shall be responsible for:

a. Ensure that the Board and staff understand and comply with all applicable AML/CTF laws and regulatory requirements and arrange appropriate and adequate training;

b. Develop and implement anti-money laundering/counter-terrorist financing policies and procedures;

c. Conduct AML/CTF risk assessments and implement any necessary changes to VASPs’ relevant policies and procedures;

d. Monitor and report suspicious transactions and ensure appropriate corrective actions are taken for violations of any federal anti-money laundering and anti-terrorism laws.

Criminals are constantly developing new money laundering techniques and strategies to circumvent monitoring and identification. Beosin KYT uses blockchain big data analysis and advanced AI technology to identify suspicious transactions, conduct comprehensive risk assessments, and identify risks in on-chain relationships through billions of address tags and black address libraries. It can detect risky behaviors such as security attacks, dark web transactions, mixer use, fraud, extortion activities, and gambling.

e. Report to the Board on a quarterly basis on the effectiveness of the VASPs’ AML/CTF policies and procedures, identifying any deficiencies in such policies and procedures and any violations of AML/CTF Laws;

f. Submit compliance reports every quarter, covering privacy coins (Anonymity-Enhanced Cryptocurrencies) and their usage by users.

3. Anti-Money Laundering Policies and Procedures

a. Comply with FATF’s standards for VASPs and the second revision, risk-based guidance, international anti-money laundering standards and other relevant regulations;

b. Relevant guidelines from the EOCN Office, local terrorist lists, etc.;

c. Comply with the United Nations Security Council resolutions and other relevant directives on combating the financing of terrorism, the proliferation of weapons of mass destruction and their financing, and comply with all other applicable laws, regulatory requirements and guidance relating to economic sanctions;

d. Do not allow customers to open or conduct any financial or business transactions under anonymous or fake names and numbers, and do not provide any services to such customers;

e. Keep all records, documents and data of local or international transactions;

f. VASPs should establish corresponding risk rules to scan their customers, actual controllers, virtual transfers, and virtual wallet addresses to identify potential illegal activities and alert operations and compliance teams for further investigation;

g. All policies and procedures must be verified by a qualified third party and submitted to VARA for approval within 21 days of any changes.

4. AML/CTF Control:

a. VASPs should have effective AML/CFT controls and systems in place to adequately manage the AML/CFT risks associated with their VA activities, including the use of distributed ledger analytics tools, and other investigative tools or capabilities to monitor and scan transactions.

b. For any distributed ledger analysis tools used, VASPs should review and document their review of the functionality and vulnerabilities of such tools and design controls to monitor customer transaction activity.

c. Because information about virtual transactions and wallet addresses is dynamic, VASPs should review and maintain the performance of analytical tools that provide ongoing monitoring.

d. The requirements of FATF Virtual Assets Red Flag Indicators should be met when designing transaction monitoring and threshold adjustments;

The details are as follows:

https://www.fatf-gafi.org/content/dam/fatf-gafi/brochures/Handout-Red-Flags-VA-VASP.pdf

5. Risk Assessment:

a. VASPs must conduct risk assessments on their businesses, including virtual assets (especially Anonymity-Enhanced Cryptocurrencies), virtual asset-related products and services, and technologies related to virtual asset activities;

b. VASPs that support enhanced anonymity transactions (privacy coin transactions) must implement enhanced risk controls to ensure compliance with all applicable laws and regulations. ECDD should be conducted every six months for customers using such privacy coins. If VASPs are unable to implement appropriate risk controls, they should not provide privacy coin products or services.

6. Customer Due Diligence:

a. VASPs must conduct due diligence on customers to identify the customer and the ultimate beneficiary before providing services (e.g. single or related cumulative transactions exceeding AED 3,500, any suspicious behavior, etc.) and should adopt a risk-based due diligence strategy.

b. VASPs should implement appropriate due diligence in their ongoing monitoring, including auditing customer transactions (not limited to fund source review) to ensure that they are consistent with the purpose of opening the account;

c. Review high-risk customer information regularly to ensure their documents, data and information are current and accurate.

d. For individual users: The following documents, data or information should be verified through reliable and independent sources: full name, nationality, address, place of birth, employer name and address, and if any politically exposed person is involved, approval by the Anti-Money Laundering Reporting Officer and at least one senior management is required.

e. For non-individual entity users: The following documents, data or information should be verified through reliable and independent sources: full name, type, articles of incorporation, principal place of operation, names of senior executives, and if the ultimate beneficial owner is a politically exposed person, approval from the Anti-Money Laundering Reporting Officer and at least one senior management member is required.

f. Verify that the entity claiming to act on behalf of the person is authorized and identified in the same manner.

g. Understand the intended purpose and nature of engagement with the client and, where necessary, obtain information relevant to that purpose;

h. If the client is an enterprise or provides services to other clients in other ways, it is necessary to understand the nature of its business and actual controller, ultimate beneficiary, client type, nature and purpose.

i. If VASPs are unable to perform appropriate CDD for a customer, they must not establish or maintain a business relationship with that customer or execute any transactions for that customer. If VASPs rely on a third party to perform CDD, they remain responsible for ensuring that the third party performs CDD in accordance with all relevant rules and directives.

7. Monitoring and reporting of suspicious transactions

a. VASPs should adopt methods appropriate to their business activities to continuously monitor their business relationships with customers and identify any suspicious transaction activities. Such methods should ensure that "tipping off" or similar illegal activities do not occur, and should also ensure that all suspicious transactions are reported immediately to the Anti-Money Laundering Reporting Officer. These methods need to be documented and approved by senior management, and should be reviewed and updated regularly to ensure their effectiveness.

b. VASPs should develop and regularly update indicators that can identify suspicious transactions.

c. If there is any suspicion or reasonable grounds to believe that the proceeds of a transaction are related to a crime, or that there is an attempt to use the funds or proceeds to commit, conceal or benefit from a crime, the competent office shall immediately report such suspicious transactions to the UAE FIU and VARA and respond to any requests for assistance in the investigation and cooperate with any instructions within 48 hours.

d. All suspicious transaction reports shall be reported to the UAE FIU and VARA through the GoAML platform in accordance with the guidelines issued by VARA. All transactions in the suspicious transaction reports shall continue to be monitored.

8. FATF Travel Rule

a. Before initiating any virtual asset transfer exceeding AED 3,500 (or approving any customer to receive a virtual asset transfer exceeding AED 3,500), VASPs must obtain and maintain the required accurate sender and recipient information.

b. The required sender information shall include, but is not limited to: full name, account number or wallet address, residential or business address. The required recipient information shall include, but is not limited to: full name, account number or wallet address.

c. Before entering into any transaction with a counterparty VASP or virtual asset service provider in any other jurisdiction, VASPs must complete a risk-based due diligence on that counterparty to mitigate AML/CTF risks. Due diligence does not need to be performed on every subsequent transaction with a counterparty unless an increased counterparty risk is assessed or determined.

d. When complying with the Travel Rule, VASPs must consider how to address risks associated with deposits and withdrawals (including whether VASPs implement the Travel Rule), non-custodial wallets, privacy coins, etc.

e. VASPs should demonstrate to VARA how they comply with the Travel Rule during the licensing process and submit relevant policies and management measures to VARA. VASPs should also submit their plans for the "Sunrise Issue".

9. Record keeping requirements

a. VASPs shall retain the following records for no less than 8 years:

b. Virtual asset transaction records, including operational and statistical records, documents and information involving all transactions executed or processed by VASPs;

c. CDD records, including records, documents and information about clients, and the results of investigations and analyses of client activities;

d. Information about third parties that VASPs have entrusted to perform CDD;

e. OCDD-related records;

f. All suspicious transaction report records.

10. Customer Virtual Assets Rules

a. Customer Virtual Assets means all virtual assets held or controlled by VASPs on behalf of customers in the course of or in connection with any virtual asset activity.

b. VASPs should store customer virtual assets separately in separate virtual asset wallets.

c. VASPs must hold customer virtual assets on a one-to-one basis and may not authorize or allow the re-hypothecation of customer virtual assets.

d. All proceeds related to the Client’s virtual assets, such as “airdrops”, “staking proceeds” or similar proceeds, shall belong to the Client;

e. In addition to the reserve asset requirements in the rulebook, VASPs shall comply with all requirements prescribed from time to time by VARA to demonstrate that the reserve assets they hold cover all of their liabilities to customer assets.

f. VASPs must maintain a system to ensure accurate reconciliation of virtual assets owned by each customer on a daily basis. If there is a material discrepancy with the reconciliation and it is not corrected, VASPs must notify VARA.

How do VASPs respond to regulatory challenges?

In the rapidly developing field of Web3 cryptocurrency, compliance has become a crucial keyword. The "Beosin KYT Virtual Asset Anti-Money Laundering Compliance and Analysis Platform" has functions including real-time monitoring of transactions, identification of potential risky transactions and addresses, risk alerts for money laundering transactions, sanctions list and blacklist checks, transaction behavior analysis and compliance reports. It analyzes massive on-chain transaction information, identifies transaction and account types, and then uses the massive entity address library in the system and machine learning analysis technology to evaluate risky transactions. It has currently provided services to multiple customers around the world to enable them to comply with anti-money laundering regulatory requirements.

Beosin KYT can also provide comprehensive and continuous monitoring of the token ecosystem. You can get real-time insights into the distribution of token holders, capital flows, and large transactions. Whether it is tracking the circulation of tokens or identifying potential risky transactions, Beosin KYT can help you accurately grasp the overall operating status of tokens and stablecoins, and provide strong data support for your decision-making.

Beosin KYT currently provides data, software, services and research to institutions, exchanges, wallet companies, etc. in many countries and regions. It can provide excellent compliance support for virtual asset service providers (VASPs) and provide strong protection for the security and trusted development of crypto assets.

About Dubai VARA Regulation

Virtual Assets Regulatory Authority (VARA)

1. The Dubai Virtual Asset Management Law issued by VARA applies to all virtual assets and virtual asset activities within the UAE.

2. VARA has the sole and absolute discretion to interpret, waive, modify or otherwise adjust these Regulations.

Powers and functions of VARA.

a. VARA shall have the functions, powers and objectives conferred upon it by the (Dubai VA Law) and any amendments thereto.

b. VARA may take any action it deems necessary or relevant

22 companies approved

1. Approved VASPs (22): https://www.vara.ae/en/licenses-and-register/public-register/

2. Approved lending service providers (4): OKX Middle East Fintech FZE, Aquanow ME FZE, Binance FZE, Foris DAX Middle East FZE (Crypto.com)

3. Approved management and investment service providers (8): OKX Middle East Fintech FZE, Web 3 Innovations FZE (AYA), Aquanow ME FZE, HT Markets MENA FZE, Binance FZE, Foris DAX Middle East FZE (Crypto.com), Nine Blocks Capital Management FZE, Laser Digital Middle East FZE

4. Approved virtual currency exchanges (5): Bybit Fintech FZE, Bybit Fintech FZE (Crypto.com), OKX Middle East Fintech FZE, Trek Labs Ltd FZE (Backpack), TOKO FZE

5. Approved custodial service provider (1): Hex Trust MENA FZE

6. Approved custody service (staking) provider (1): Komainu MEA FZE

7. Approved Broker-Dealer service providers (14): Aquanow ME FZE, Varni Labs FZE (Roma), MEX Digital FZE, HT Markets MENA FZE, WPME Technology LLC (WadzPay), Binance FZE, Foris DAX Middle East FZE (Crypto.com), Fasset FZE, CoinMENA FZE, GC Exchange FZE (GCEX), Morpheus Software Technology FZE (FUZE), TOKO FZE, Laser Digital Middle East FZE, BitOasis Technologies FZE