• UAE — CMA Regulatory Perimeter

Do You Need a CMA Crypto Licence?

A clear guide to determining whether your business falls within the CMA regulatory perimeter in the UAE mainland — which crypto activities trigger licensing, when authorisation is mandatory, and how to assess your exposure before launch.

Book a Regulatory Structuring Call
Check Your Licensing Requirement

The Core Rule

⚖️

A person must not carry out virtual asset activities in or from within the UAE unless licensed by the CMA

📋

9 activity types trigger licensing — from exchange operation through to transfer and token services

🔍

The CMA looks at what you actually do — not what you call your business

🔗

Combination models are common — exchange + custody + brokerage means multiple licence categories

⚠️

Even indirect UAE nexus — clients, marketing, or operations — can trigger licensing requirements

🚫

Incorrect classification delays licensing, increases capital, and triggers enforcement risk

We help founders, exchanges, and financial institutions determine whether their business requires CMA authorisation, map activities to licence categories, and design compliant operating models from day one.

When a CMA Licence Is Required

Nine Activity Types That Trigger CMA Licensing — and How Each Maps to a Regulated Financial Activity

You need a CMA licence if your business conducts virtual asset activities by way of business. The following nine activity types are the most common triggers — each maps to a specific regulated financial activity and licensing category under the CMA framework. If your business falls into any of these categories, a licence is required before operations commence.

Trigger 01

You Operate a Crypto Platform or Exchange

  • Operate a trading platform
  • Match buyers and sellers
  • Provide order-book functionality

Classified as

Operating a Multilateral Trading Facility (MTF)

Trigger 02

You Facilitate or Execute Trades

  • Execute trades for clients
  • Act as an intermediary
  • Operate a brokerage or OTC desk

Classified as

Dealing as Agent (Broker)

Trigger 03

You Trade on Your Own Account

  • Trade virtual assets as principal
  • Act as a market maker
  • Provide liquidity

Classified as

Dealing as Principal

Trigger 04

You Hold or Control Client Assets

  • Control private keys
  • Hold client funds or tokens
  • Operate custodial wallets

Classified as

Providing Custody

Trigger 05

You Manage Client Investments

  • Manage portfolios on behalf of clients
  • Execute discretionary trading
  • Operate crypto funds

Classified as

Portfolio Management

Trigger 06

You Provide Investment Advice

  • Give personalised recommendations
  • Advise on crypto investments
  • Structure client portfolios

Classified as

Providing Investment Advice

Trigger 07

You Arrange Deals or Services

  • Introduce clients to crypto services
  • Arrange custody or trading
  • Facilitate investment opportunities

Classified as

Arranging Activities

Trigger 08

You Provide Token-Related Financial Services

  • Support token issuance
  • Distribute or place tokens
  • Provide financial services linked to token sales

Classified as

Financial Services Related to Issuance

Trigger 09

You Transfer Virtual Assets

  • Facilitate transfers between wallets or users
  • Operate payment or settlement infrastructure
  • Move virtual assets on behalf of others

Classified as

Transfer of Virtual Assets

👉

If Your Business Touches Any of the Above — A Licence Is Required Before You Start. The CMA framework does not allow a grace period for unlicensed operation. If your business falls within the regulatory perimeter, the licence must be in place before the regulated activity commences — not after launch or when the business scales.

📋

9 Triggers

Nine activity types that require CMA licensing — any one of them is sufficient to bring a business within the perimeter

🔍

Substance

The CMA looks at what you actually do — not the label you apply to your business model or technology

🔗

Multi-Cat

Most crypto businesses trigger multiple categories simultaneously — each requires its own licence and capital

⚠️

Before Launch

Authorisation must be in place before the regulated activity begins — not applied for post-launch

When You May Not Need a CMA Licence

Three Circumstances Where CMA Licensing May Not Apply — and Why the Boundaries Are Narrower Than Most Businesses Assume

There are three circumstances in which a CMA licence may not be required. Each has a specific and limited scope — and none of them provides a safe harbour for businesses that are uncertain about their position. If there is any doubt, a regulatory perimeter analysis is required before relying on any of the three.

🏠

You Are Not Operating "By Way of Business"

Licensing is triggered by virtual asset activities conducted by way of business. Purely personal or non-commercial activity falls outside the perimeter.

  • Purely personal crypto activity with no commercial intent
  • Non-commercial usage with no third-party involvement

⚙️

You Do Not Perform a Regulated Activity

Software-only infrastructure with no control, intermediation, or client interaction may fall outside the perimeter — but the substance test applies strictly.

  • Software-only infrastructure with no asset control
  • Non-custodial tools with no client interaction or intermediation

🌍

You Operate Entirely Outside UAE Mainland

If no virtual asset activity is conducted in or from within the UAE mainland, the CMA perimeter does not apply — but nexus is assessed on substance, not location alone.

  • Regulated exclusively in another jurisdiction
  • No activity conducted in or from the UAE mainland

⚠️

Even Indirect UAE Nexus Can Trigger Licensing. Clients based in the UAE, marketing directed at UAE residents, operations with a UAE component, or staff located in the UAE mainland can all create sufficient nexus to trigger CMA licensing requirements — even where the firm is incorporated elsewhere or describes itself as a technology company rather than a financial services provider. Indirect nexus is assessed on substance, not on the label the firm applies to its UAE-connected activities.

High-Risk Models, the Tech Platform Misconception & Combination Licensing

The Business Models That Almost Always Require Licensing — and Why "We're Just a Tech Platform" Is the Most Dangerous Assumption

Certain business models are so consistently within the CMA's regulatory perimeter that licensing should be assumed unless a formal perimeter analysis confirms otherwise. The most common reason firms incorrectly believe they fall outside the perimeter is the "tech platform" misconception — the belief that providing technology rather than financial services places the business outside the CMA's reach.

Models That Almost Always Require CMA Licensing

⚠ Crypto Exchanges

⚠ Custodial Wallets

⚠ Brokerage Platforms

⚠ Crypto Funds

⚠ Market-Making Firms

⚠ Token Distribution Platforms

The Most Common Misconception

"We're just a tech platform"

This is the most common and most costly misconception in CMA regulatory analysis. The CMA assesses what the business actually does — not what it calls itself. A firm that describes itself as a technology provider but matches buyers and sellers of virtual assets is operating an MTF. A firm that describes itself as a wallet provider but holds client private keys is performing custody.

CMA Does NOT Look At

What you call your business — “tech platform,” “protocol,” “infrastructure provider,” “software company”

CMA DOES Look At

What you actually do — the functions performed, assets controlled, clients served, and intermediation provided

Combination Models — Most Businesses Need Multiple Licences

Most crypto businesses perform multiple regulated activities simultaneously — not just one. A business that operates an exchange, holds client assets, and facilitates trades needs three separate licence categories, each with its own capital requirement and compliance obligations.

Example: Exchange + Custody + Brokerage

Activity

Exchange operation → Cat 6 (MTF)

Activity

Holding client assets → Cat 3 (Custody)

Activity

Facilitating trades → Cat 2 (Dealing as Agent)

Result

3 licence categories — higher combined capital — expanded compliance obligations

Combination Models — How the Rulebook Treats Multi-Activity Firms

⚖️

Nature of the activity — what function is actually being performed in each transaction

🔒

Control over client assets — whether the firm holds, controls, or safeguards client funds or tokens

🔄

Role in the transaction — principal, agent, arranger, adviser, or infrastructure provider

📡

Level of intermediation — how directly the firm connects clients to virtual asset markets or services

💼

Business model and revenue structure — how the firm generates revenue from virtual asset-related activities

🌐

UAE nexus — presence, clients, marketing, operations, or staff with any UAE mainland connection

Why Classification Matters & How to Determine Your Position

The Consequences of Incorrect Classification — and the Four-Step Assessment Every Business Must Complete

Incorrect or deferred regulatory analysis is one of the most consequential decisions a crypto business can make before UAE launch. The consequences of wrong classification flow through every dimension of the business — capital, compliance, operations, and enforcement exposure. A proper assessment requires four distinct steps, completed before any licensing commitment or operational launch.

Why This Analysis Matters — The Cost of Getting It Wrong

Delays licensing — misclassification is identified during CMA review and requires resubmission with correct classification and revised documentation

Increases capital requirements — a wrong category can trigger a higher capital floor than the actual business model requires

Triggers enforcement risk — operating under an incorrectly scoped licence or without a licence is a regulatory breach, not an administrative error

Restricts operations post-launch — each new regulated activity requires CMA approval before it can lawfully commence, even if the business is already live

Quick Self-Assessment — Four Questions

If the answer is yes to any of the following, a CMA licence is likely required. This is not a substitute for a formal perimeter analysis — but it identifies the businesses that should treat licensing as a starting assumption rather than an open question.

02

Do we handle client funds or assets?

Holding, controlling, or safeguarding virtual assets on behalf of others triggers custody licensing

02

Do we facilitate or execute trades?

Intermediating, matching, or executing transactions between buyers and sellers triggers broker or MTF licensing

02

Do we provide advice or manage investments?

Personalised recommendations or discretionary portfolio management trigger advisory and portfolio management licensing

02

Do we operate a platform or marketplace?

Running infrastructure where multiple parties trade or interact with virtual assets typically triggers MTF licensing

How to Determine Your Position — The Four-Step Assessment

01

Activity Mapping

Map every function the business performs against the nine CMA activity triggers — identifying all regulated activities present in the business model, not just the primary commercial activity. Many businesses discover additional regulated activities at this stage that were not identified in initial planning.

02

Regulatory Classification

Classify each identified regulated activity through the CMA's three-layer framework — confirming the virtual asset activity performed (Layer 1), the financial activity it constitutes (Layer 2), and the licence category that applies (Layer 3). Misalignment across layers is a common source of incorrect classification.

03

Licence Category Alignment

Confirm which licence categories are required — including all combination categories for businesses performing multiple regulated activities. Assess whether the business model can be structured to optimise the licensing scope without triggering unnecessary additional categories or higher capital obligations.

04

Capital and Compliance Analysis

Model the capital requirements for all confirmed licence categories — including expense-based and risk-based tests — and assess the compliance obligations, governance architecture, AML/Travel Rule framework, and operational controls required to obtain and maintain each licence. This step determines whether the business is licensable in its current form.

👉

The Key Takeaway. If your business touches trading, custody, intermediation, or investment — you are likely within the CMA regulatory perimeter. The question is not whether licensing applies, but which categories, which capital thresholds, and what compliance architecture your specific operating model requires.

What CRYPTOVERSE Legal Delivers

CMA Regulatory Perimeter Analysis, Activity Classification, and Compliant Operating Model Design — From Day One

We help founders, exchanges, and financial institutions determine whether their business requires CMA authorisation, map all activities to the correct licence categories, and design compliant operating models — so that when the licensing application is filed, the business model, capital structure, and compliance architecture are all aligned to what the CMA will actually assess.

🔍

CMA Regulatory Perimeter Analysis

We assess whether the proposed business model falls within the CMA's regulatory perimeter — mapping every function the business performs against the nine activity triggers, applying the substance-over-label test the CMA uses, and confirming whether licensing is required and on what basis before any licensing commitment or operational decision is made.

📋

Activity Classification and Mapping

We map all identified regulated activities through the CMA's three-layer framework — from the virtual asset activity performed through the financial activity it constitutes to the licence category and capital requirement that results. We identify all categories triggered by the business model, including combination categories that are frequently overlooked in initial assessments.

⚖️

Licensing Strategy and Structuring

We design the licensing strategy — advising on which categories are required, whether the business model can be structured to optimise the licensing scope, how combination models affect combined capital and compliance obligations, and how to phase the licensing pathway to align the launch timeline with the regulatory approval process.

💰

Capital and Compliance Planning

We model the capital requirements for all confirmed licence categories — including the full three-part higher-of test across the flat minimum, expense-based floor, and risk-based requirement — and design the compliance architecture, governance framework, and AML/Travel Rule infrastructure required to obtain and maintain each licence.

🚀

Compliant Operating Model Design

We design the operating model around the confirmed licence scope — ensuring that the activities the business intends to perform, the revenue model it intends to operate, and the client relationships it intends to maintain are all structured within the boundaries of the applicable licence categories from day one of authorised operations.

📂

End-to-End Licensing Support

We manage the complete CMA licensing process — from IPA preparation and full application assembly through clarification-round management, key-person accreditation, and post-authorisation go-live implementation — so that the business moves from regulatory perimeter analysis to authorised operations as a single, structured programme rather than a series of disconnected filing exercises.

From Regulatory Perimeter Analysis and Activity Classification Through Licensing Strategy, Capital Planning, and Operating Model Design — Complete CMA Authorisation Support

  • We assess every function the business performs against the CMA's nine activity triggers — applying the substance-over-label test before any licensing or operational commitment is made
  • We map all regulated activities through the three-layer CMA framework — confirming every licence category triggered, including combinations that are frequently missed in initial assessments
  • We design the licensing strategy and operating model around the confirmed licence scope — so the business model, capital structure, and compliance architecture are aligned before the first CMA interaction
  • We manage the complete licensing process from IPA through go-live — so regulatory analysis translates into authorised operations rather than delayed or conditioned approvals
If your business touches trading, custody, intermediation, or investment in the UAE mainland — you are likely within the CMA regulatory perimeter. The question is which categories, which capital, and what compliance architecture your model requires.

FAQs

Frequently Asked Questions — Do You Need a CMA Crypto Licence?

Do I need a CMA licence for a crypto startup?

If your startup performs regulated virtual asset activities by way of business in or from within the UAE mainland, yes — a CMA licence is required before those activities commence. The CMA framework does not provide a startup exemption, a de minimis threshold, or a grace period for early-stage businesses. The relevant question is not the size of the business but the nature of the activities it performs. Exchanges, custodial wallets, brokerage platforms, crypto funds, market-making firms, and token distribution platforms are among the models that almost always require licensing regardless of their stage of development.

Do non-custodial platforms need a CMA licence?

It depends on whether the platform performs regulated intermediation or control functions — not on whether it holds private keys. A platform that does not take custody of client assets can still be within the CMA perimeter if it matches buyers and sellers (MTF trigger), facilitates or executes trades as an intermediary (broker trigger), or arranges investment deals (arranging trigger). The CMA applies a substance-over-label test: a non-custodial platform that performs any of the nine regulated activity functions is within the perimeter regardless of its non-custodial architecture. A formal perimeter analysis is required before relying on a non-custodial model as a basis for operating without a licence.

Does marketing alone trigger CMA licensing requirements?

Marketing can trigger CMA obligations — and in certain circumstances can create UAE nexus that brings a business within the regulatory perimeter — depending on how closely the marketing is linked to regulated activity. Under the Business Regulation Module, promotions that invite or incentivise persons to enter into agreements relating to a virtual asset or financial service are treated as marketing materials subject to the CMA’s conduct standards. Where marketing is directed at UAE residents in connection with regulated activity, and particularly where the underlying activity also has a UAE connection, the combination of marketing and activity nexus can be sufficient to engage the licensing perimeter. Marketing alone, without any regulated activity connection, is less likely to trigger full licensing — but the boundary is narrow and should be assessed formally.

Ready to Determine Whether Your Business Needs a CMA Licence?

Book a Regulatory Structuring Call

Whether you are assessing a new business model, reviewing an existing operating structure, or preparing for UAE launch — we map every activity against the CMA perimeter and give you a clear, defensible answer before any licensing or operational commitment is made.

Speak to a Crypto Lawyer