Select Page

An overview of the regulation of virtual assets in the Dubai International Financial Centre (DIFC)

UAE Flag

Download PDF | Download Word

Virtual asset laws and regulations in the Dubai International Financial Centre (DIFC)​

Regulation of virtual assets and offerings of virtual assets in the Dubai International Financial Centre (DIFC)

Regulation of VASPs in the Dubai International Financial Centre (DIFC)

Regulation of other crypto-related activities in the Dubai International Financial Centre (DIFC)

Other relevant regulatory information

Pending litigation and judgments related to virtual assets in the Dubai International Financial Centre (DIFC) (if any)

Government outlook on virtual assets and crypto-related activities in the Dubai International Financial Centre (DIFC)

Advantages of setting up a VASP in the Dubai International Financial Centre (DIFC)

1. Virtual asset laws and regulations in the Dubai International Financial Centre (DIFC)​

The Dubai International Financial Centre (DIFC) serves as a significant financial hub in the UAE, providing a range of financial services. Established in 2004, the DIFC operates as an autonomous jurisdiction with its legal and regulatory framework based on English common law. It is home to over 2,500 registered companies, including banks and insurance firms.

As of March 2024, the DIFC has significantly updated its regulatory framework for virtual assets with the enactment of the Digital Assets Law No. 2 of 2024. This law establishes a comprehensive legal framework for digital assets. The regulatory framework for virtual assets in the DIFC also adheres to international best practices and standards, aligning with recommendations from the Financial Action Task Force (FATF). The Dubai Financial Services Authority (DFSA) plays a crucial role in shaping this framework. This regulatory initiative offers guidelines, covering licensing and registration requirements, along with measures for investor protection and risk management.

What is considered a virtual asset in the Dubai International Financial Centre (DIFC)?

Initially, virtual assets in the DIFC were classified as “Crypto Tokens” and were regulated based on their characteristics. DIFC Law No. 4 of 2012 defined crypto tokens as “Securities” if they exhibit traits similar to traditional securities. However, individual consideration was emphasised to avoid a blanket classification.

However, under the newly enacted Digital Assets Law (DIFC Law No. 2 of 2024), the term “virtual asset” in the DIFC is defined as a “Digital Asset.” A Digital Asset is characterised as a notional quantity unit that is created through the active operation of software by a network of participants and is represented by network-instantiated data. It exists independently of any particular person or legal system and is not capable of duplication. This means that the use or consumption of the asset by one person necessarily prevents others from using or consuming it in the same way. Digital Assets are classified as intangible property and are distinct from traditional forms of property, as they are neither physical objects nor rights that must be claimed through legal action. This expansive definition allows the DIFC to properly regulate technological advances and accommodate a growing range of digital assets like cryptocurrencies and non-fungible tokens.

What are the relevant laws and regulations?

  1. DIFC Law No.1 of 2004: It is a law enacted by the Ruler of Dubai for the jurisdiction of the Dubai International Financial Centre. The law has several parts, including general provisions, the structure of the DFSA and its powers, rules, financial market tribunal, proceedings, and enforcement. The Law has provisions for resolvability, which refers to the ability of an authorised firm to be resolved by an orderly resolution. The DFSA has the authority to write down or convert any instrument or liability and to appoint a temporary administrator in the event of resolution. In the context of virtual assets, the Regulatory Law 2004 enables the DFSA to regulate these assets and to ensure they comply with the law’s provisions.
  2. Federal Law No. 8 of 2004: This law serves as the foundation for establishing a Financial Free Zone in any Emirate through a Federal Decree. It plays a pivotal role in granting exemptions to Financial Free Zones and Financial Activities from all Federal civil and commercial laws. While emphasising the application of Federal criminal laws, including Anti-Money Laundering regulations, within the Financial Free Zones, the law also imposes specific restrictions. Notably, it prohibits DIFC authorised firms from engaging in deposit-taking within the State’s markets and using the UAE Dirham.
  3. Federal Decree No. 35 of 2004: This decree marks the establishment of the DIFC as a Financial Free Zone in Dubai, known as the DIFC Law. Accompanied by Cabinet Resolutions, the decree defines the geographic boundaries of the DIFC and permits centre bodies and authorised firms to operate outside the DIFC during its initial construction phase. It forms a crucial part of the legal framework shaping the structure and operations of the DIFC.
  4. Dubai Law No. 5 of 2021: Recognising the establishment of the DIFC, Dubai Law No. 5 of 2021 reinforces the financial and administrative independence of the DIFC. It lays the groundwork for DIFC centre bodies, including the DIFC Authority, DFSA, and DRA.
  5. Cabinet Resolution No. 28 of 2007: Implementing Federal Law No. 8 of 2004 on Financial Free Zones, Cabinet Resolution No. 28 of 2007 offers detailed provisions concerning the Financial Free Zones Law. It serves as a complementary piece, providing clarity and specific guidelines related to the application and enforcement of the aforementioned federal law. The resolution contributes to the comprehensive regulatory framework governing Financial Free Zones.
  6. Consultation Paper No. 143: Issued by DFSA DIFC’s invites public input on potential regulations for entities involved in financial services related to Crypto Tokens. The paper focuses solely on Crypto Tokens and proposes changes to existing laws, including the Regulatory Law, Markets Law, and other relevant modules.Notable proposals in the paper include the prohibition of Privacy Tokens and Devices, as well as Algorithmic Tokens. It describes requirements in areas like acceptable Crypto Tokens, establishing a Crypto Asset Fund, managing crypto assets in funds, market supervision, and procedures for addressing complaints and seeking redress.
  7. DIFC Law No. 1 of 2012 (Markets Law): Oversees securities and crypto tokens. It specifically addresses the application of the law to crypto tokens. The law applies to the offering of securities or crypto tokens and mandates issuers to provide comprehensive information in a prospectus for informed assessments by investors.
    1. The law prohibits any misleading statements or omissions related to investments or crypto tokens, regardless of the location. It also regulates the issuance and offering of securities by investment companies.
    2. It focuses on preventing market abuse and prohibiting fraud and market manipulation by prohibiting individuals from engaging in activities that create a false impression about the supply, demand, or price of investments or crypto tokens. It also bans the use of non-public information that could impact transaction terms for investments or crypto tokens.
  8. The DFSA Rulebook’s General Module (GEN): It is a regulatory guide for authorised financial entities in the Dubai International Financial Centre, offering detailed definitions and rules. It directly applies to specific virtual currency services like investment dealing, custody, and trading facilities. It explains criteria for financial promotions related to virtual currencies, emphasising accurate representation. The Rulebook also prohibits privacy coins and algorithmic tokens in the DIFC due to transparency, market manipulation, and investor protection concerns.
  9. Glossary Module (GLO): The GLO module defines a crypto token as a secure digital representation of value, rights, or obligations, traded electronically through technologies like distributed ledgers. A crypto business covers various financial services related to these tokens, such as buying and selling, managing assets, and operating trading platforms.
    1. The Rulebook provides clear guidance on running crowdfunding platforms for investments, loans, and property. It explains the rules to follow and the requirements for obtaining a license.
    2. Security tokens, as per the Rulebook, are like specific securities or instruments, with similar rights and obligations. It mentions that these tokens might have restrictions affecting how often or how much they can be traded.
  10. The Digital Assets Law (DIFC Law No. 2 of 2024): The Digital Assets Law enacted by the DIFC on March 8, 2024, establishes a comprehensive framework for the regulation of digital assets. This law clearly defines what constitutes a digital asset, describing it as a virtual unit created by software and network data that cannot be copied and exists independently of any person or legal system. The law aims to eliminate uncertainties surrounding the legal status of digital assets, providing clarity on how they can be controlled, transferred, and managed.In addition to defining digital assets, the law amends existing DIFC legislation, including the Contracts Law and the Law of Obligations, to incorporate specific provisions related to digital assets. This ensures that these assets are recognised within the legal system, allowing them to be treated similarly to traditional forms of property.

Who do such laws and regulations apply to?

Under the new Digital Assets Law (DIFC Law No. 2 of 2024), the regulations apply to all entities and individuals engaging in activities involving Digital Assets within or originating from the DIFC. This includes businesses offering financial services related to Digital Assets, such as exchanges, asset managers, brokers, and custodians. These entities are required to obtain the appropriate authorisation or license from the DFSA to operate legally within the jurisdiction.

The law extends to Authorised Persons, individuals or entities seeking authorisation, issuers or developers of digital assets, and any other entity involved in activities associated with digital assets.

Who are the relevant regulatory authorities in relation to virtual assets in the Dubai International Financial Centre (DIFC)?

The Dubai Financial Services Authority (DFSA) is the primary regulatory body overseeing the virtual assets space in the DIFC. The DFSA’s framework includes:

  • Licensing requirements for firms wishing to provide services related to digital assets, which include trading, custody, and advisory services.
  • Regulations addressing various risks such as anti-money laundering, consumer protection, and financial crime.

What are the penalties for breaches of virtual asset laws and regulations in the Dubai International Financial Centre (DIFC)?

Under the Digital Assets Law and the Crypto Token Regime implemented by the DFSA in the DIFC, various penalties are established for non-compliance including fines, sanctions, and potential license revocation:

  1. Under Digital Assets Law enacted on March 8, 2024, the financial penalties can be imposed based on the severity of the violation, starting from AED 20,000 and potentially escalating to AED 500,000 for repeat offenses. In addition to monetary fines, the DIFC has the authority to suspend or revoke licenses of individuals or entities that fail to comply with the regulations governing virtual assets. This includes both the suspension of specific permits related to virtual asset activities and, in coordination with relevant authorities, the potential cancellation of commercial licenses.The DIFC regulatory body is also vested with judicial powers, allowing it to conduct investigations and enforce compliance effectively. This authority enables the regulatory body to access records and documents pertinent to virtual asset operations to ensure adherence to the legal framework. Moreover, in cases of serious misconduct, public censure may be imposed as an additional deterrent, serving to discourage future violations and uphold the integrity of the financial system within the DIFC.
  2. Sanctions may also be applied, depending on the nature and gravity of the infringement. These can encompass restrictions on the types of financial services a firm can provide, termination of client business relationships, and potential damage to the firm’s reputation.
  3. License revocation is a severe consequence for persistent violations of the Crypto Token Regime. This penalty may result in the termination of business operations within the Dubai International Financial Centre, restricting the entity’s ability to conduct financial services activities in the future and adversely impacting its reputation.
  4. Penalties encompass both monetary fines and potential revocation of licenses, with the DFSA having the authority to initiate criminal investigations and impose sanctions for non-compliance. These measures are designed to ensure that individuals and firms operating in the crypto-assets sector adhere to transparent and trustworthy practices.
  5. Also, the DFSA does not recognise crypto-tokens prohibited in the DIFC. Engaging in activities related to these tokens, such as trading and custody, may lead to consequences such as fines, imprisonment, and limitations on business activities.
  6. Furthermore, DIFC Law No. 1 of 2012 (Markets Law) discusses civil compensation that a person may need to pay for contravening the law’s provisions, including those related to the offer of securities or crypto tokens. The law grants the DFSA the authority to issue a stop order if it deems that an offer of securities or crypto tokens breaches the law or its associated rules.
  7. Another part of The Markets law, focusing on proceedings, allows the court, at the DFSA’s request, to issue orders concerning a person, irrespective of whether a violation has occurred. Such measures can be taken if it is deemed in the interest of the DIFC.
  8. Compliance with Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) obligations are integral in the crypto-asset industry in the DIFC. Authorised firms and individuals involved in crypto-asset activities must adhere to DFSA-issued guidelines for AML/CFT compliance. Non-compliance with these guidelines may result in penalties and restrictions on business activities.

2. Regulation of virtual assets and offerings of virtual assets in the Dubai International Financial Centre (DIFC)

Are virtual assets classified as ‘investments’ or other regulated financial instruments in the Dubai International Financial Centre (DIFC)?

Under the new Digital Assets Law (DIFC Law No. 2 of 2024), Digital Assets in the DIFC are classified and regulated based on their unique characteristics. The law defines a Digital Asset as a notional quantity unit that exists independently of any person or legal system and is not capable of duplication. This framework distinguishes between different types of Digital Assets, such as securities, utility tokens, and non-fungible tokens, each of which may fall under distinct regulatory regimes depending on their attributes and intended use.

Digital Assets that exhibit traits similar to traditional financial instruments, such as representing ownership rights or providing a return on investment, may be classified as securities. This classification aligns with the broader principles of securities regulation, ensuring that Digital Assets with investment-like characteristics are subject to stringent regulatory oversight. The DIFC does not apply a blanket classification to all Digital Assets; instead, it assesses each asset based on its specific features and use cases to determine the appropriate regulatory treatment.

The DFSA oversees the recognition and regulation of various Digital Assets, including widely recognised cryptocurrencies such as Bitcoin, Ethereum, Litecoin, and XRP. However, the DFSA imposes restrictions on certain types of Digital Assets, such as privacy tokens and algorithmic tokens, due to concerns over transparency and investor protection. Central bank digital currencies (CBDCs) are also excluded from the definition of Digital Assets under the DIFC’s regulatory framework, as they are governed by separate legal provisions.

Are stablecoins and NFTs regulated in the Dubai International Financial Centre (DIFC)?

In the DIFC, both stablecoins and non-fungible tokens (NFTs) are subject to regulation under the newly enacted Digital Assets Law and the Crypto Token regime established by the DFSA.

Regulation of Stablecoins

Stablecoins, defined as fiat-backed crypto tokens, are recognised under the DFSA’s regulatory framework. The DFSA has established specific recognition criteria for stablecoins, allowing them to be classified and regulated as part of the broader category of crypto tokens. This includes compliance with financial crime regulations and transaction monitoring to ensure transparency and investor protection.

Regulation of NFTs

NFTs are also encompassed within the regulatory framework of the DIFC. The Digital Assets Law provides a comprehensive approach to digital assets, including NFTs, which are treated as unique digital representations of ownership or rights. The law addresses how these assets can be controlled, transferred, and dealt with legally. Additionally, NFTs may fall under different regulatory regimes depending on their characteristics and intended use, such as whether they represent an investment or a utility.

Are decentralised finance (DeFi) activities (e.g. lending virtual assets) regulated in the Dubai International Financial Centre (DIFC)?

Decentralised finance (DeFi) activities, including lending virtual assets, are regulated in the DIFC under the Digital Assets Law (DIFC Law No. 2 of 2024) and the Crypto Token regime established by the DFSA.

DeFi activities fall under the general regulatory framework outlined in the DIFC Regulatory Law, specifically within the DFSA Rulebook’s general (GEN) module. This framework mandates that individuals and entities must comply with regulatory provisions when engaging in DeFi activities related to crypto tokens. Individuals are prohibited from engaging in any DeFi activity involving crypto tokens unless those tokens are recognised by the DFSA. The DFSA considers various factors for recognition, including the nature of the hosting platform and the level of investor protection provided.

Activities related to algorithmic tokens are explicitly prohibited due to concerns regarding transparency and investor protection. Also, anyone operating a crypto business in or from within the DIFC, including those involved in DeFi activities such as lending virtual assets, is required to obtain a license from the DFSA. This ensures compliance with regulatory standards and protects consumers. Moreover, DeFi projects may be registered under an Innovation License, but if they involve regulated activities like peer-to-peer lending, additional authorisations from the DFSA will be necessary.

Are there any restrictions on issuing or publicly offering virtual assets in the Dubai International Financial Centre (DIFC)?

The restrictions and requirements on the issuance or publicly offering of virtual assets in DIFC are described in the Digital Assets Law (DIFC Law No. 2 of 2024) and General Module (GEN) of the DFSA Rulebook. The Rulebook specifies requirements that apply to financial services and other activities relating to crypto tokens.

It prescribes that a person must not engage in any of the following activities in or from the DIFC in relation to a crypto token unless it is a recognised crypto token:

  1. carry on a financial service relating to the crypto token;
  2. operate a crypto exchange;
  3. operate a crypto custodian;
  4. offer to the public a crypto token.

Also, an issuer seeking recognition for a crypto token must submit an application for recognition to the DFSA. The application must include a comprehensive proposal clearly identifying how the crypto token complies with the criteria for recognition which requires that the issuer seeking recognition must disclose relevant and accurate information to the DFSA, including the white paper describing the crypto token, any technical specifications, any legal opinions, any contracts and agreements relating to the crypto token, and any other information relevant to the determination that the crypto token meets the recognition criteria.

It should be noted that the Recognition of a crypto token under the Rulebook does not relieve an authorised person or any other person from their responsibility to carry out proper due diligence on a crypto asset before providing a Financial Service or carrying out any other activity relating to the crypto token.

Additionally, it set out stricter requirements and restrictions on Issuing or Publicly Offering of Virtual Assets in DIFC in Digital Assets law,2024. Under the Act, an issuer or promoter who wishes to issue or publicly offer any virtual asset within or from the DIFC would require to fulfil certain requirements as set out below:

  1. The issuer must be incorporated as a limited liability company under DIFC companies’ law.
  2. The virtual asset’s publicly offering must comply with the Chapter 2.0 of the Rules in the Offered Securities and Debentures Module (OSD).
  3. The issuer must provide detailed information about the virtual asset, its technology, its characteristics, and the risks associated with it in the offer document.
  4. The issuer must provide a clear description of the product, its features, and how it can be used.
  5. The issuer must provide a clear explanation of the rights and obligations of the investor.
  6. The issuer must ensure that the virtual asset is suitable for the type of investor it is being offered to, and that the investor has the necessary knowledge and experience to understand the product’s risks and characteristics.
  7. The issuer must disclose the risks associated with the product and any conflicts of interest that may exist.
  8. The issuer must establish proper governance and control procedures to ensure the protection of investor’s rights and interests.
  9. The issuer must provide proper record keeping to enable the DFSA to supervise the issuer’s operations.
  10. The issuer must establish procedures and controls for the safekeeping of any virtual assets, including holding such assets in an appropriate custodian, and ensuring that they are properly accounted for.
  11. The issuer must ensure that it is compliant with all relevant laws and regulations, including anti-money laundering and counter-terrorist financing regulations.
  12. The issuer must submit regular reports to the DFSA on the virtual asset’s performance and any changes to its features.

Are there any exemptions to the restrictions on issuing or publicly offering of virtual assets in the Dubai International Financial Centre (DIFC)?

There are exemptions to the restrictions on issuing or publicly offering virtual assets in DIFC. Specifically, the Digital Assets Law (DIFC Law No. 2 of 2024) and DIFC Rulebook’s General Module (GEN) provides exemptions. The rulebook provides exemptions for virtual assets that are considered Security Tokens. This exemption is granted if the following conditions are met:

  1. The virtual asset must be issued by an Authorised Firm or an entity operating under a financial services regulatory framework that is equivalent to that of the DFSA;
  2. the virtual asset must be offered to (a) Professional Clients (as defined in the DFSA Conduct of Business Module), (b) clients who are knowledgeable in investing in virtual assets, or (c) clients who can invest a minimum of USD 100,000 in the virtual asset;
  3. the virtual asset is listed on an exchange recognised by the DFSA, or is traded via a Multilateral Trading Facility or Organised Trading Facility; and
  4. the virtual asset is registered with the DFSA.

Additionally, General Module (GEN) provides an exemption for virtual assets that are utility tokens. This exemption is granted if the following conditions are met:

  1. The virtual asset must be used to access or purchase goods or services, or to otherwise provide a benefit to its holders;
  2. the virtual asset must be available for use at the time of issuance;
  3. the proceeds from the sale of the virtual asset must be used to develop the network or platform that facilitates its utility, and
  4. The issuer of the virtual asset must disclose clearly that the virtual asset is a utility token and not a security token.

It is important to note that the DFSA may require additional conditions to be met in order to grant an exemption for virtual assets. the DFSA may impose further conditions or restrictions regarding virtual assets, including minimum disclosure requirements, sale limitations, and liquidity requirements.

Furthermore, there are exemptions in relation to the restrictions on offering or issuing Virtual Assets are provided in the Digital Assets Law (DIFC Law No. 2 of 2024), which states that DIFC will allow certain exempted activities which include the following:

  1. Persons who provide auto-conversion service for Virtual Assets which eliminates the involvement of any fiat currency.
  2. Mining pools that operate in DIFC are exempted from seeking regulatory protection for their activities.
  3. Persons that provide services related to Smart Contracts or related to Operating Systems/Protocol Layers do not have to obtain regulatory approval for their functioning.
  4. Persons who are involved in providing services for load balancing, security, or other similar purposes that are not conducted to provide decentralised exchange functions do not need to obtain regulatory permission.
  5. Service providers that are involved in ancillary services such as systems management, data hosting, and server administration do not require regulatory permission.

It is important to note that VASPs operating in these exempted activities are still subject to AML/CFT regulations and must comply with the AML module.

3. Regulation of VASPs in the Dubai International Financial Centre (DIFC)

Are VASPs operating in the Dubai International Financial Centre (DIFC) subject to regulation?

Virtual asset providers operating in or from DIFC are regulated by the Dubai Financial Services Authority DFSA. The specific manner in which they are regulated depends on several factors including the type of VASP activity being conducted, the level of risk associated with that activity, and the nature of the business. The regulation of VASPs is detailed in the Digital Assets Law and the DIFC Rulebook’s General Module (GEN).

The DFSA has set out the regulatory requirements for VASPs to help mitigate the risks associated with virtual assets and ensure compliance with AML/CTF obligations. These requirements include:

  1. The requirement to obtain DFSA authorisation or registration to operate a virtual assets business in DIFC, unless an exemption applies.
  2. Individuals are prohibited from engaging in activities related to crypto tokens unless the token is recognised by the DFSA. This includes carrying on financial services related to the token, operating a crypto exchange or custodian, or offering a crypto token to the public.
  3. An issuer seeking recognition for a crypto token must submit a comprehensive application to the DFSA demonstrating compliance with recognition criteria and providing relevant documents like a white paper and legal opinions.
  4. The requirement to comply with AML/CTF obligations under the DIFC AML/CTF module, which includes conducting due diligence on customers, ongoing monitoring of transactions, and reporting suspicious activities to the Financial Intelligence Unit,
  5. The requirement to ensure the safety, security, and custody of client assets by implementing appropriate safeguards and risk management systems,
  6. The requirement to have appropriate policies and procedures in place to manage the operational risks associated with providing virtual asset services,
  7. The requirement to have appropriate corporate governance arrangements in place,
  8. The requirement to comply with the relevant DIFC data protection regulations,
  9. The requirement to provide customers with appropriate disclosures regarding the risks and nature of virtual asset services, as well as any conflict of interests that may arise in the course of providing such services.

Are VASPs providing virtual asset services from offshore to persons in the Dubai International Financial Centre (DIFC) subject to regulation in the Dubai International Financial Centre (DIFC)?

Virtual Asset Providers providing virtual asset services from offshore to persons in DIFC are subject to regulation in DIFC. Specifically, the regulation of VASPs is detailed in the DIFC Rulebook’s General Module (GEN), which applies to all VASPs regardless of whether they provide services from within or outside the DIFC.

Therefore, if a VASP provides virtual asset services to persons in DIFC from offshore, it must still comply with the regulatory requirements explained in the GEN, which includes obtaining DFSA authorisation or registration, complying with AML/CTF obligations, ensuring the safety and security of client assets, implementing appropriate risk management systems, and providing appropriate disclosures to customers.

What are the main requirements for obtaining licensing / registration as a VASP in the Dubai International Financial Centre (DIFC)?

Under the Digital Assets Law (DIFC Law No. 2 of 2024) and the updated regulatory framework provided by the DFSA, obtaining a license or registration as a VASP in DIFC involves several specific requirements designed to ensure compliance, risk management, and consumer protection. Under the Digital Assets Law, DIFC has established specific licensing and registration requirements for VASPs based on the nature of their business activities. There are different categories of licenses, each tailored to the type of services provided. For instance, entities engaging in high-risk activities such as operating trading platforms for Digital Assets must obtain an Alternative Trading System (ATS) license. This license requires technological infrastructure, advanced cybersecurity measures, and compliance with strict AML/CFT standards. Market makers or credit providers fall under the Category 2 license, which necessitates substantial capital reserves and comprehensive risk management systems. STP brokers dealing on a matched principal basis need a Category 3A license, while discretionary portfolio managers require a Category 3C license. These licenses come with medium-level fees and specific requirements for managing client portfolios and maintaining strong governance frameworks.

For those offering low-risk services such as advisory or arrangement activities, a Category 4 license is required, which involves lower fees and minimal capital requirements. VASPs must ensure they have a physical office in the DIFC, with core functions like compliance and risk management being managed locally. Additionally, the DFSA imposes a range of licensing fees, which include an initial registration fee that can range from AED 50,000 to AED 100,000, and annual renewal fees varying between AED 20,000 and AED 50,000, depending on the license category and scope of activities.

Application process: A VASP must submit a detailed application to the DFSA using the prescribed forms, specifically tailored for Digital Asset activities. The application must include comprehensive information about the proposed business model, governance structure, and the types of Digital Assets the entity plans to handle. This documentation must demonstrate how the VASP will comply with the requirements set out in both the Digital Assets Law and the DFSA Rulebook, including the AML/CFT module.

To be authorised as a VASP, the entity must have a physical place of business within the DIFC, with key management personnel based in the jurisdiction. The core operational functions, such as compliance, risk management, and finance, should be conducted from this location. Also, the VASP must ensure governance arrangements, with clear policies to prevent conflicts of interest in providing Digital Asset services. This includes having independent compliance and risk management functions. Additionally, the entity must demonstrate that it has sufficient financial resources to conduct the proposed Digital Asset business. This includes meeting specific capital requirements, which are calibrated based on the risk profile of the Digital Asset activities being undertaken.

Furthermore, the VASP must have adequate human resources with relevant qualifications and experience in the Digital Asset industry. This includes employing personnel who are knowledgeable in technology, financial services, and regulatory compliance. Also. the VASP must establish systems and controls that are appropriate for the scale, nature, and complexity of its Digital Asset activities. This includes advanced technological infrastructure for managing Digital Assets securely, monitoring transactions, and preventing unauthorised access.

Moreover, the applicant must submit a clear business model that outlines how Digital Assets will be generated, issued, traded, or redeemed. Additionally, the VASP must have well-documented policies and procedures in place for the management of these processes.

The new regulatory framework imposes stringent AML/CFT requirements. VASPs must implement comprehensive AML/CFT policies, including customer due diligence (CDD), transaction monitoring, and suspicious activity reporting. The DFSA requires VASPs to appoint a dedicated AML/CFT officer who is qualified and experienced in handling Digital Asset transactions.

Also, Licensed VASPs are required to comply with ongoing reporting obligations to the DFSA. This includes regular financial reporting, disclosure of any material changes in business operations, and immediate reporting of any security breaches or incidents that could impact clients or the market. Additionally, the DFSA may impose additional requirements on VASPs engaged in high-risk activities, such as operating trading platforms, custody services, or dealing with high-risk Digital Assets like algorithmic or privacy tokens. These may include enhanced due diligence, increased capital requirements, or additional regulatory oversight.

Moreover, VASPs must comply with the entire DFSA Rulebook, including the AML, Conduct of Business (COB), and Prudential – Investment, Insurance Intermediation, and Banking Business (PIB) modules, as applicable. The DFSA may also reference other regulatory instruments, such as the Markets Law and the Data Protection Law, to ensure comprehensive compliance across all aspects of Digital Asset operations.

The DFSA reserves the right to impose additional conditions or requirements on a case-by-case basis, depending on the nature and complexity of the Digital Asset activities proposed. This may include specific restrictions on certain activities, additional reporting requirements, or enhanced regulatory scrutiny.

What are the main ongoing requirements for VASPs regulated in the Dubai International Financial Centre (DIFC)?

Virtual asset providers regulated in DIFC must comply with several ongoing requirements, as per the Digital Assets Law and the DIFC Rulebook’s General Module (GEN). The main ongoing requirements for VASPs regulated in DIFC as per the Rulebook are as follows:

  1. Continuous Compliance: VASPs must continuously comply with the regulatory requirements of the GEN, including all applicable rules and standards, as well as all relevant local and international regulations.
  2. Risk Management Systems: VASPs must establish and implement extensive risk management systems that are appropriate for the nature, scale, and complexity of their virtual asset services. These systems must be reviewed and tested regularly to ensure they are effective and adequate.
  3. AML/CTF Obligations: VASPs must have effective anti-money laundering (AML) and counter-terrorist financing (CTF) policies, systems, and procedures in place to prevent their services from being used for money laundering or terrorist financing activities.
  4. Client Asset Protection: VASPs must take appropriate steps to safeguard client assets held by the provider, and to ensure that these assets are not used for unauthorised purposes or subject to undue risk.
  5. Customer Disclosures: VASPs must make appropriate disclosures to their customers regarding the nature, risks, and costs of their virtual asset services, as well as any limitations or conditions that apply to these services.
  6. Reporting Obligations: VASPs must maintain appropriate records and reporting systems that enable them to report to the DFSA on a regular basis, as well as in response to any specific requests or requirements.
  7. Notification Obligations: VASPs must notify the DFSA promptly of any material changes that occur in their operations or circumstances that could affect their regulatory status or compliance with the requirements of the GEN.
  8. Cybersecurity Obligations: VASPs must establish and maintain extensive cybersecurity systems, policies, and procedures to protect their systems and data from unauthorised access or use, and to ensure the confidentiality, integrity, and availability of these assets.

The new Digital Assets Law (DIFC Law No. 2 of 2024) introduces several additional ongoing requirements, that are not explicitly covered in the General Module (GEN) of the DFSA Rulebook. These additional requirements include:

  1. Enhanced Governance and Oversight: The law mandates the establishment of specialised governance structures specifically for managing Digital Asset risks. This includes appointing compliance and risk officers with expertise in digital assets and forming independent audit committees to oversee the compliance and integrity of Digital Asset activities.
  2. Digital Asset-Specific Risk Management: Beyond the general risk management obligations in the GEN, the new law requires VASPs to implement risk management strategies that specifically address the unique risks associated with Digital Assets. This includes handling issues like market volatility, the security of digital wallets, and technological risks linked to blockchain networks.
  3. Advanced AML/CFT Measures: The Digital Assets Law introduces advanced AML/CFT obligations tailored to Digital Asset activities. VASPs must use blockchain analytics tools to monitor and trace transactions, especially those involving high-risk assets like privacy tokens. Enhanced due diligence is required for customers engaging in high-risk transactions.
  4. Smart Contract Compliance: VASPs involved in the creation or deployment of smart contracts must ensure that these contracts are secure and compliant with the law. This involves conducting thorough audits of the smart contract code to identify and mitigate vulnerabilities, which is not a requirement under the general GEN provisions.
  5. Detailed Cybersecurity Obligations: While the GEN requires basic cybersecurity measures, the new law outlines specific requirements for securing digital wallets, private keys, and distributed ledger systems. VASPs must conduct regular cybersecurity audits, implement multi-layered security controls, and establish comprehensive data protection mechanisms to safeguard digital assets from advanced cyber threats.
  6. Obligations Related to System Integrity: The law requires VASPs to maintain the integrity and reliability of their technology systems. This includes regular system testing, implementing backup and disaster recovery plans, and ensuring that their systems are capable of handling operational disruptions without compromising the security of digital assets.
  7. Consumer Protection and Transparency: VASPs must provide transparent and comprehensive information to consumers about the nature of Digital Asset services, associated risks, and the legal status of Digital Assets across different jurisdictions. This level of consumer protection goes beyond the general disclosure requirements in the GEN module.

What are the main restrictions on VASPs in the Dubai International Financial Centre (DIFC)?

With the implementation of the new Digital Assets Law (DIFC Law No. 2 of 2024), several restrictions have been introduced, building on the earlier Crypto Token Regime. Below is a list of the main restrictions that apply to VASPs, including both existing and new provisions:

  1. VASPs are prohibited from offering any financial services or engaging in activities related to Digital Assets unless they have been duly licensed and authorised by the DFSA. This includes activities such as issuance, trading, custody, and advisory services related to Digital Assets. Unlicensed activities are strictly forbidden and subject to severe penalties.
  2. Only Digital Assets recognised by the DFSA can be offered or traded within the DIFC. Specific categories of Digital Assets, such as algorithmic and privacy tokens, remain restricted due to their high-risk nature. VASPs must ensure that all Digital Assets they deal with comply with these recognition standards.
  3. VASPs are not allowed to engage in financial promotions related to unrecognised Digital Assets. All promotional activities must be approved by the DFSA and must provide clear, accurate, and non-misleading information. The new law emphasises strict oversight of marketing materials to protect investors from deceptive practices.
  4. The new law imposes stricter staffing requirements, requiring VASPs to employ personnel with specialised knowledge in digital asset technology and regulation. This includes mandatory positions such as a Chief Compliance Officer (CCO) and Chief Information Security Officer (CISO), who must have relevant expertise and experience in the digital asset space.
  5. VASPs must maintain strict custody and control of client assets, ensuring that they are segregated from the firm’s own assets. Enhanced measures are required for the protection and secure storage of Digital Assets, including the use of multi-signature wallets and cold storage solutions for client funds.
  6. The new law introduces enhanced AML/CFT obligations. VASPs must implement sophisticated transaction monitoring systems, conduct enhanced due diligence on high-risk clients, and ensure compliance with international sanctions regimes.
  7. The law explicitly prohibits VASPs from engaging in certain high-risk business models, such as decentralised finance (DeFi) lending and activities involving high-risk Digital Assets that are not adequately regulated or pose a significant risk to financial stability.
  8. VASPs are required to adopt corporate governance frameworks that include clear structures for oversight, risk management, and independent auditing. They must also comply with detailed reporting requirements to the DFSA, including disclosure of any material changes to their business model or operations.
  9. Marketing and advertising materials must be fair, clear, and not misleading. The new law requires all promotional content to be pre-approved by the DFSA to ensure that it accurately reflects the risks associated with Digital Assets and the nature of the services provided.
  10. VASPs utilising smart contracts or other advanced technologies must ensure these technologies are secure, transparent, and comply with legal standards. They must conduct regular code audits and have processes in place to rectify any vulnerabilities promptly.
  11. Similar to the previous regime, the new law maintains prohibitions on dealing with certain types of Digital Assets, such as privacy coins and unbacked stablecoins. Additionally, any Digital Asset that poses a significant risk of fraud, market manipulation, or is otherwise deemed high-risk by the DFSA is prohibited.
  12. The law specifies stricter penalties for non-compliance, including substantial fines, license suspension or revocation, and, in severe cases, criminal prosecution. The DFSA is empowered to take swift action against VASPs that breach these restrictions, including initiating criminal investigations and imposing sanctions.

What are the main information that VASPs have to make available to its customers?

The General module (GEN) and the Digital Assets Law lists several pieces of information that regulated virtual asset trading platforms must make available to their customers. Under the GEN Rulebook, such information include:

  1. The risks associated with investing in virtual assets and the applicable fees for products and services.
  2. The regulatory status of the virtual asset.
  3. Whether there is adequate transparency relating to the virtual asset, including sufficient detail about its purpose, protocols, consensus mechanism, governance arrangements, founders, key persons, miners and significant holder.
  4. The size, liquidity and volatility of the market for the virtual asset globally.
  5. The adequacy and suitability of the technology used in connection with the virtual asset.
  6. Whether risks associated with the virtual asset are adequately mitigated, including risks relating to governance, legal and regulatory issues, cybersecurity, and other financial crime.

In addition, regulated virtual asset trading platforms must make arrangements with a custodian that segregates the virtual assets of customers from their own property. They also must make sure that their customers’ virtual assets are subject to a clear and identifiable legal title and provide regular statements on the digital assets held by the custodian to the customers. Furthermore, they have to ensure that reasonable steps are taken to secure the safekeeping of the virtual assets held in custody. They must have effective systems and procedures to monitor and maintain the security of their own systems, and take appropriate measures to safeguard against unauthorised access, breach of confidentiality, and cyber-attacks.

Now, under the new Digital Assets Law (DIFC Law No. 2 of 2024), virtual asset trading platforms have additional obligations beyond those outlined in the General Module (GEN) of the DFSA Rulebook. These platforms must provide comprehensive and detailed information to their customers about the specific risks associated with each type of Digital Asset offered, including potential price volatility, liquidity issues, and technological vulnerabilities. They are also required to disclose detailed technical information about the underlying technology of the Digital Assets, such as consensus mechanisms, smart contract functionality, and any known vulnerabilities. For assets or services that rely on smart contracts, trading platforms must make available audit reports that highlight any vulnerabilities in the smart contracts and the measures taken to address them, ensuring customers are fully informed about the risks involved.

Furthermore, the law mandates that trading platforms offer real-time access to comprehensive market data, including live prices, trading volumes, and order book information, to provide customers with a transparent view of the trading environment. In addition to segregating customer assets, platforms must provide detailed information on how these assets are safeguarded, including the use of third-party custodians, insurance coverage, and contingency plans in case of insolvency or platform failure. Enhanced disclosures are also required about the platform’s governance structure, the roles and responsibilities of key personnel, and the regulatory status, including any conditions or restrictions imposed by the DFSA. Customers must be kept informed of any changes to the platform’s regulatory standing.

The law also imposes stringent requirements on cybersecurity and data protection. Platforms must disclose the specific measures they have in place to protect customer data and Digital Assets, such as encryption protocols, multi-factor authentication, and incident response plans for cyberattacks. In terms of fees and costs, trading platforms must provide a comprehensive breakdown of all associated charges, including hidden fees such as network or custodial fees, to ensure customers are fully aware of the costs involved in trading, withdrawing, or transferring Digital Assets.

Additionally, trading platforms are required to inform customers about their transaction monitoring systems for detecting and reporting suspicious activities, including measures taken when such activities are identified. In case of security breaches, service outages, or other significant disruptions, platforms must promptly notify affected customers, detailing the nature of the incident, its impact on customer assets, and the steps being taken to resolve the issue.

What market misconduct legislation/regulations apply to virtual assets?

In DIFC, the market misconduct legislation and regulations that apply to Virtual Assets are primarily set out in the DFSA’s Market Conduct module (MKT).

The Market Conduct module includes conduct standards and regulatory requirements to ensure that financial intermediaries maintain confidence within the markets in which they operate. It also recognises that it is difficult to regulate virtual assets as their value primarily depends on market forces, and are subject to various risk factors.

The module focuses on the following areas:

  1. The prohibition of insider dealing and market manipulation.
  2. The ban on the use of misleading or false statements and deceptive practices.
  3. The requirement to maintain phone and written records or electronic communications that may relate to transactions in financial instruments, including Virtual Assets.
  4. The power to investigate and enforce the rules and regulations governing virtual asset transactions, which are subject to detection risk and require a high degree of scrutiny.

Another document to consider is the AML/CFT module of the DFSA. This sets out the obligations and requirements of regulated entities, such as Virtual Asset Service Providers (VASPs), to comply with the relevant AML/CFT regulations and provide adequate procedures and controls to tackle money laundering and terrorism financing risks that arise in relation to Virtual Assets.

The Digital Assets Law 2024 introduces additional elements beyond those covered by the DFSA’s Market Conduct (MKT) and AML/CFT modules. It provides a clear legal framework for Digital Assets, including specific definitions of control and ownership, ensuring that individuals or entities holding Digital Assets have legal title when they can prevent others from using or benefiting from the asset. It also mandates thorough audits for smart contracts to prevent fraudulent or deceptive practices. Furthermore, the law enhances rules on taking security over Digital Assets and introduces recovery mechanisms for assets lost due to errors or unauthorised transfers.

4. Regulation of other crypto-related activities in the Dubai International Financial Centre (DIFC)

Are managers of crypto funds regulated in the Dubai International Financial Centre (DIFC)?

In the DIFC, managers of crypto funds are regulated and subject to comprehensive oversight. Any entity or individual offering financial services related to virtual assets, including the management of crypto funds, must obtain authorisation and comply with the regulations established by the DFSA. The DFSA’s regulatory framework governs financial services involving digital assets, allowing firms in the DIFC to apply for and obtain a license to manage and provide related services.

According to the DIFC Markets Law, managers of collective investment funds investing in crypto assets must also comply with the provisions set out for collective investment schemes. These funds include enterprises, such as investment companies or unit trusts, that pool investor funds for collective investment in securities or financial assets, including crypto tokens. The framework emphasises risk-spreading, protecting investors by ensuring adherence to compliance standards like prospectus requirements, disclosure obligations, and rules against misleading statements.

In addition to this, the Digital Assets Law 2024 introduces further obligations specific to managers of crypto funds. This law enhances the regulatory framework by clearly defining the legal ownership and control of digital assets, ensuring that managers handling crypto assets have explicit legal rights and responsibilities. The law also introduces more stringent reporting and disclosure requirements related to how crypto assets are secured, stored, and transferred. Managers are now required to ensure that any smart contracts or blockchain-based protocols used in fund management are secure and regularly audited. Additionally, the law mandates stronger risk management practices, addressing specific risks like market volatility and technological vulnerabilities associated with digital assets. It also establishes mechanisms for recovering assets that may be lost due to errors or unauthorised transfers, further safeguarding investors in the digital asset space.

Are distributors of virtual asset funds regulated in the Dubai International Financial Centre (DIFC)?

Distributors of virtual asset funds in the DIFC are subject to regulatory oversight under the DFSA’s Markets Law, which extends to collective investment funds, including those involving virtual assets. These distributors must comply with specific authorisation and regulatory requirements, such as disclosure obligations, ongoing reporting, and conduct of business standards. The DFSA ensures that distributors adhere to governance and safeguarding measures aimed at protecting investors and maintaining market integrity.

In addition to these provisions, the Digital Assets Law 2024 introduces further regulatory obligations for distributors of virtual asset funds. The new law provides a clearer legal framework for the management and distribution of digital assets, requiring distributors to ensure the security and proper control of digital assets. Distributors are also subject to enhanced transparency obligations, including detailed disclosures about the risks, technology, and processes associated with the digital assets they handle.

Furthermore, the Digital Assets Law mandates that distributors of virtual asset funds implement rigorous AML/CFT measures and other risk management controls to prevent financial crimes and ensure the safe handling of investor assets. These requirements are in addition to the ongoing regulatory standards in the DFSA’s General (GEN) module, which governs Crypto Asset Activities. Distributors engaged in offering, arranging, or advising on virtual asset funds must obtain DFSA authorisation and comply with the specific requirements related to financial services for virtual assets.

Are there requirements for intermediaries seeking to provide trading in virtual assets for clients or advise clients on virtual assets in the Dubai International Financial Centre (DIFC)?

Intermediaries seeking to provide trading or advisory services on virtual assets in the DIFC are subject to strict regulatory requirements under the Markets Law. These intermediaries must obtain authorisation from the DFSA to offer services such as dealing in investments, arranging deals, and providing custody services related to virtual assets. This framework ensures that entities dealing in virtual assets comply with standards similar to those applied to traditional securities, including prudential standards, client money rules, custody requirements, and thorough due diligence on clients.

Advisory services related to virtual assets also require DFSA authorisation. Intermediaries must provide advice that is fair, honest, and independent, ensuring that clients receive full disclosure of relevant information to make informed decisions. This includes advising clients on the risks and characteristics of virtual assets and ensuring that advice is based on accurate and transparent data.

The Digital Assets Law 2024 expands on these existing requirements by introducing enhanced transparency obligations and stricter risk management and AML/CFT controls. Intermediaries now face more detailed rules regarding the security and custody of digital assets, as well as mandatory audits for any smart contracts used in their operations. These additions ensure greater protection for clients and the proper handling of virtual assets, reducing the risk of fraud, mismanagement, or technological vulnerabilities.

5. Other relevant regulatory information

Are there any upcoming regulatory developments in respect of crypto-related activity in the Dubai International Financial Centre (DIFC)?

The DIFC is expected to see several regulatory updates related to digital assets and crypto activities in the near future. Key upcoming areas include more detailed regulations for decentralised finance platforms and stablecoins, with likely emphasis on consumer protection, liquidity requirements, and risk management. Additionally, tokenization of traditional assets such as real estate and securities is anticipated to be a focus, providing clearer legal frameworks for issuing and trading tokenized assets.

The DIFC is also expected to strengthen rules around cross-border digital transactions, enhancing global cooperation and regulatory alignment, particularly concerning AML/CFT.

Has there been any notable events in the Dubai International Financial Centre (DIFC) that has prompted regulatory change recently?

Recently, there have been significant developments in the regulation of virtual assets in the DIFC that have prompted notable changes. On March 8, 2024, the DIFC enacted its Digital Assets Law (DIFC Law No. 2 of 2024), which is considered a significant piece of legislation as it comprehensively defines the legal characteristics of digital assets, including cryptocurrencies and NFTs. This law aims to provide legal clarity and enhance investor protection, ensuring that the DIFC keeps pace with technological advancements in the financial sector.

The new Digital Assets Law also amends several existing laws within the DIFC to incorporate digital assets into various legal frameworks, including contracts, obligations, and securities laws. This comprehensive approach contrasts with previous regulations that may not have fully addressed the complexities associated with virtual assets. The enactment of the Digital Assets Law marks a significant step forward in creating a clear and cohesive regulatory environment for virtual assets in the DIFC.

6. Pending litigation and judgments related to virtual assets in the Dubai International Financial Centre (DIFC)​ (if any)

The case Gate MENA DMCC (formerly Huobi OTC DMCC) and Huobi MENA FZE v. Tabarak Investment Capital Limited and Christian Thurner [2020] DIFC TCD 001 involves a dispute over the theft of 300 Bitcoins. This case is significant because it was the first cryptocurrency case heard by the DIFC courts. The judgment in this case was made on 5th October 2022, and it concluded that Bitcoin is property and fell within the definition of ‘property’ by the Dubai International Financial Centre. The case has been appealed, and there are currently eight grounds for appeal, including breach of confidence, breach of contract, negligence, and breach of fiduciary duty. This appeal will provide valuable insights into custody and escrow services for digital assets.

7. Government outlook on virtual assets and crypto-related activities in the Dubai International Financial Centre (DIFC)

The government outlook on virtual assets and crypto-related activities in the DIFC has evolved with the introduction of the Digital Assets Law (DIFC Law No. 2 of 2024). Established under UAE Federal Decree No. 35 of 2004, the DIFC continues to support economic growth and innovation in the region, while emphasizing the importance of regulatory oversight. The DIFC is recognized as a Financial Free Zone under Federal Law No. 8 of 2004, granting it the authority to develop its own legal and regulatory framework for civil and commercial matters, now encompassing the rapidly growing digital asset sector.

With the enactment of the Digital Assets Law in 2024, the DIFC has expanded its regulatory framework to provide clearer rules for Digital Asset activities, including trading, custody, and advisory services. This law builds upon the previously established Crypto Token Regime, which extended the scope of existing financial services to cover products and services related to crypto tokens. The new law enhances this framework by introducing specific provisions for different types of digital assets, including security tokens, utility tokens, and other asset classes, while also imposing stricter compliance obligations, such as enhanced AML measures and transaction monitoring.

The DFSA remains the regulatory authority overseeing these activities and continues to provide guidance on risk management, ensuring that businesses operating in the digital asset space are compliant with international standards. The DIFC courts, which operate independently of the UAE’s civil and commercial courts, play a crucial role in ensuring the enforceability of judgments within the DIFC and throughout Dubai.

8. Advantages of setting up a VASP in the Dubai International Financial Centre (DIFC)

Setting up a VASP in the DIFC offers several strategic advantages. The DIFC provides a supportive legal framework that allows 100% foreign ownership, unrestricted access to foreign talent, and full repatriation of capital, creating a business-friendly environment for international investors. In terms of taxation, the DIFC offers a favorable regime, with no taxes on profits, capital gains, or employee income, which has been in effect for 50 years since its establishment in 2004.

The DIFC operates with an independent regulator, the DFSA, and is underpinned by a common law judicial system, which provides businesses with transparency, legal certainty, and a risk-based regulatory approach. This structure ensures a balanced approach to regulation, where compliance obligations are proportionate to the risk profile of the business, particularly important for VASPs operating in a complex and evolving sector.

Furthermore, the DIFC offers access to a diverse and dynamic financial ecosystem, with a high concentration of international firms, investment funds, banks, and other financial institutions. This creates ample opportunities for networking, partnership-building, and regional deal-making. As a result, the DIFC has become a favored destination for businesses looking to establish a regional presence in the Middle East, Africa, and South Asia region.