• UAE — CMA Licensing Pathway

CMA Crypto Licence Application Process

A practical guide to the CMA crypto licence application process in the UAE — how the in-principle approval stage works, what the Authority evaluates, how the full licence application is submitted, when approval can be conditioned or rejected, and why successful applications depend on operating-model credibility rather than form completion alone.

Book a Licensing Strategy Call
Get CMA Application Readiness Pack
CMA Licensing Process — At a Glance

🗺️

Two-stage pathway for most VASP activities: In-Principle Approval → Full Licence Application

⏱️

IPA decision: 45 working days. Full licence decision: 60 working days — from complete submission

🚫

IPA is not a licence — any act carried out on IPA alone is null and void under the rulebook

6 months (extendable once) to satisfy full licensing requirements after IPA is granted

⚖️

CMA may approve, condition, or reject — even where requirements appear met, on public interest grounds

🏛️

MTF licensing is not covered by the General Framework Module — it falls under the ATS Module separately

We help VASPs structure the application pathway from activity classification and in-principle approval through governance, capital, AML, cyber, and full licence readiness — producing regulator-facing files that reflect how the business will actually operate.

Overview & Step 1 — Define the Correct Financial Activity

The CMA Licensing Pathway Is Two Stages — and Classification Is the Prerequisite That Determines Everything That Follows

The CMA licensing process is not a one-step filing exercise. For most VASP financial activities the pathway moves through In-Principle Approval and then a Full Licence Application — and the entire structure of both stages depends on correctly identifying the financial activity or activities the business intends to conduct before the application is prepared.

How the Two-Stage Pathway Works

01

In-Principle Approval

Tests whether the applicant is fit to enter the licensing process at all — financial eligibility, competence, integrity, compliance standing, and a realistic business plan. Decided within 45 working days of a complete application.

02

Full Licence Application

Requires proof that the applicant has actually met all continuing licensing requirements — governance, capital, AML, cyber, controls, and key personnel. Decided within 60 working days of a complete application.

⚠️

Credibility Cannot Be Manufactured at Application Stage. A business may be conceptually licensable but still fail if it cannot prove operational readiness, governance integrity, prudential adequacy, or compliance capability. The CMA process tests whether the business can actually operate inside the rulebook — not just whether the form is complete.

Step 1 — The Eight Regulated Financial Activities

Before an application can be prepared properly, the applicant must identify the financial activity or activities it intends to conduct. The selected activity determines the legal scope of the licence, the capital category, the applicable prudential obligations, and the systems and controls the Authority will expect to see.

Regulated Financial Activity

Category + Capital

Dealing in virtual assets as principal

Cat 1 — AED 4M

Dealing in virtual assets as agent

Cat 2 — AED 1M

Providing custody

Cat 3 — AED 3M

Arranging custody

Cat 4 — AED 1M

Operating a multilateral trading facility

Cat 6 — AED 500K

Providing investment advice

Cat 4 — AED 1M

Portfolio management

Cat 5 — AED 1M

Arranging investment deals

Cat 4 — AED 1M

💡

Misclassification Creates Cascading Problems. Getting the activity classification wrong at the beginning can create unnecessary capital burden, trigger the wrong rulebook, slow the CMA’s review, and require avoidable remediation after applications are filed. Classification must be resolved before any licensing strategy or capital commitment is made.

🗺️

2 Stages

In-Principle Approval then Full Licence — most VASP activities require both stages before operations can lawfully commence

⏱️

45 / 60 Days

CMA must decide IPA within 45 working days and full licence within 60 working days — from a complete application

📋

8 Activities

Eight regulated financial activities — the selected activity or activities determine capital, rulebook, controls, and licence scope

6 Months

Applicant has 6 months after IPA (extendable once) to satisfy full licensing requirements — or must reapply for IPA

The Full Application Pathway — Steps 2 Through 6

From In-Principle Approval Through Full Licence Readiness, CMA Evaluation, and the Decision — Every Stage Explained

The following stages set out the complete CMA licensing journey after activity classification is confirmed — from what must be demonstrated at IPA through the full licensing readiness build-out, the complete application, the CMA's evaluation framework, and the three possible decision outcomes.

2

Stage 2

In-Principle Approval (IPA)

The IPA stage tests whether the applicant is fit to enter the licensing process at all. Most VASP activities require IPA before the full application can proceed. The chapter does not apply where a licensed entity is adding a new activity, and it also does not apply to the operation of an MTF — which is addressed under the ATS Module.

What the Applicant Must Demonstrate at IPA

Financial eligibility — no material default history and sufficient financial capacity for urgent and future obligations

Experience and competence — relevant prior experience and the ability to conduct the activity and manage risks effectively

Honesty and integrity — accurate disclosures and absence of findings, claims, or investigations that may harm the CMA or the State

Compliance standing — absence of sanctions, serious regulatory or criminal issues, and exclusion from sanctions lists

No prior rejection or licence — cancellation by other authorities that has not been disclosed and addressed

A realistic and logical business plan — projected revenues and expenses for the first three years and the assumptions underlying them

The correct legal form, where specified by the Authority for the relevant activity category
Submission
Authority’s prescribed form + supporting documents + non-refundable review fee
CMA Powers at IPA
Verify financial resources, assess board/controller suitability, assess activity risks, request further information, conduct independent inquiries
Decision Timeline
Within 45 working days of a complete application — with reasons given in case of rejection
Critical Legal Effect
IPA is NOT a licence. Any act or procedure carried out on the basis of IPA alone is null and void under the rulebook
 

03

Stage 3 — Where Licensing Strategies Succeed or Fail

Build Full Licensing Readiness

Once IPA is granted, the applicant has six months to satisfy the licensing requirements in Part Three of the General Framework Module. The Authority may extend this period once only for an equal duration. If the applicant fails to meet requirements within that window, it must reapply for IPA. The CMA expects the applicant to convert a conceptual business into a fully defensible licensed entity.

What Must Be Built and Documented in This Phase

📋 Governance architecture and board structure

📋 Allocation of significant responsibilities

📋 Systems and controls framework

📋 Risk management architecture

📋 Compliance arrangements

📋 Internal audit function

📋 Business plan and strategy documentation

📋 Management information systems

📋 Employee competence framework

📋 Outsourcing governance policies

📋 Business continuity planning

📋 Recordkeeping systems

📋 Complaints handling procedures

📋 Cybersecurity risk management

📋 Required key personnel structures

⚖️

The Licensing File Must Show How the Business Will Actually Operate. The CMA is not looking for intentions. It expects documented evidence of a functioning governance and control infrastructure — not aspirational policy statements. A licensing file that demonstrates real operational design, real controls, and real governance is materially stronger than one built from generic templates.
 

04

Stage 4

Full Licence Application Submission

The full licence application chapter applies to any person submitting an application to conduct one or more VASP financial activities in or from within the UAE mainland. It does not apply to the operation of a Multilateral Trading Facility, which is separately addressed under the ATS Module. This is a significant stage shift from IPA — the question is no longer whether the applicant looks potentially licensable, but whether it can prove full compliance.
What Must Be Submitted
Evidence demonstrating compliance with the licensing requirements specified in Chapter Three of the General Framework Module, plus adoption of the legal form specified by the Authority where required
Fees
A fee is payable for the licence application or approval request — as determined by the Authority. Amount is set under Cabinet Resolution No. (83) of 2025
MTF Exclusion
Operation of a Multilateral Trading Facility is not governed by this chapter — MTF licensing is handled separately under the CMA’s ATS Module

05

Stage 5 — Evidence-Driven and Discretionary

CMA Evaluation of the Licence Application

The CMA's evaluation of the full licence application is evidence-driven and discretionary. Formal completion of the application form is not enough. The Authority applies three interconnected evaluation tests — financial resources, competence and suitability, and practical compliance capability — and retains broad powers to request information, conduct inquiries, and require verification by any method it determines.

💰

Test 1 — Financial Resources

  • Ability to comply with financial adequacy standards
  • Ability to meet obligations without exposing clients to undue risk
  • Compliance with regulatory capital or liquidity requirements

👤

Test 2 — Competence & Suitability

  • Board member competence and individual suitability
  • Controller suitability and background
  • Effect of controllers on the firm's compliance capacity
  • Activities or risks threatening the Authority's objectives

⚙️

Test 3 — Practical Compliance

  • Conduct independent inquiries
  • Request further information and clarifications
  • Require verification of information by any method
  • Request any other information relevant to the application

06

Stage 6

Approval, Conditions, or Rejection

The CMA must issue its decision on a complete licence application within 60 working days. Three outcomes are possible — and the Authority's power to reject even where requirements appear to be met, on public interest grounds, underlines why operating-model credibility and supervisory fit matter throughout the entire application.

Licence Approved

Full licence granted — regulated activities may lawfully commence within the approved scope from the date of authorisation

⚠️

Approved with Conditions

Licence granted subject to conditions or restrictions — the firm must satisfy all conditions before or during the conduct of the licensed activities

Rejected

CMA may reject even where requirements appear met if rejection is necessary in the public interest — reasons must be given in writing

Decision Timeline*
60 working days from a complete licence application submission
Key Person Accreditation
Runs in parallel — entity licensing and key-person accreditation should be planned together. CMA must decide accreditation within 60 working days

Adding Activities Later
Already-licensed entities may apply to add activities — treated as an approval process, not a fresh licence application. Full CMA evaluation powers still apply

What the Process Is Really Testing & What a Strong Application Looks Like

One Consistent Supervisory Question — and the Elements That Distinguish a Defensible Application from a Speculative Filing

Although the process is formally split into application stages, the CMA's underlying supervisory question is consistent throughout: can this business safely, competently, and honestly conduct the proposed regulated activity within the UAE market? Every element of a strong application file is an answer to that question.

The Six Things the CMA Process Tests Consistently

⚖️

Whether the Activity Classification Is Correct

The selected activity determines capital, rulebook, and controls — and a wrong classification undermines the entire application structure.

📊

Whether the Business Model Is Credible

The capital category follows the activity classification — and a wrong classification produces a wrong capital figure. Classification must be resolved before capital planning begins.

💰

Whether Capital and Resources Are Sufficient

Solvency, ongoing capital adequacy, and the ability to meet obligations without exposing clients or related parties to undue risk are all verified.

👤

Whether Controllers and Senior Personnel Are Fit and Proper

Board members, controllers, and key personnel are individually assessed for competence, integrity, financial soundness, and regulatory history at both stages.

🏛️

Whether Governance and Internal Controls Are Real

The CMA distinguishes between aspirational governance (policies that describe intentions) and real governance (documented controls that operate in practice). Only the latter satisfies the licensing requirements.

🚀

Whether the Applicant Can Actually Operate After Go-Live

The IPA provisions allow the CMA to verify the ongoing ability to comply — not just the starting position. The application must demonstrate sustainable compliance, not just launch readiness.

What a Strong CMA Application File Includes

A defensible activity-classification analysis — mapping the proposed business through all three CMA licensing layers before the application is built

A realistic business plan with financial assumptions — three-year revenue and expense projections that withstand CMA scrutiny at IPA

Prudential and capital analysis — full three-part higher-of test modelled for all categories in scope, including expense-based and risk-based positions

Documented governance and board structure — accountability maps, role descriptions, and decision-making frameworks that reflect actual operations

Compliance and risk-management architecture — live policy frameworks, control procedures, and compliance monitoring that go beyond template documents

AML/CFT and reporting controls — risk-based AML programme, CDD/EDD procedures, Travel Rule architecture, and STR reporting framework

Complaints and client-protection arrangements — client classification, suitability and appropriateness processes, and escalation procedures

Outsourcing and operational resilience policies — third-party governance, business continuity, and disaster recovery frameworks

Cybersecurity governance — technology risk management, incident response, and system integrity controls aligned to CMA expectations

A clearly sequenced implementation plan — showing how each licensing requirement is satisfied and when, aligned to the six-month post-IPA window

What CRYPTOVERSE Legal Delivers

CMA Licensing Strategy, Application Pack Assembly, and End-to-End Process Management — From Classification Through Go-Live

We help businesses turn the CMA licensing process into a structured, defensible project rather than a speculative filing exercise — managing the complete pathway from activity classification and IPA preparation through governance design, full application assembly, key-person accreditation, clarification-round strategy, and go-live readiness.

🔍

CMA Activity Classification & Scope Analysis

We confirm the correct financial activity or activities for the proposed business model — mapping through all three CMA licensing layers before any application is prepared. Classification determines capital, rulebook, and controls, and getting it wrong at the beginning creates problems that are difficult and expensive to remediate after filing.

📋

In-Principle Approval Preparation

We prepare the complete IPA file — the Authority's prescribed form, supporting documentation demonstrating financial eligibility, experience, integrity, compliance standing, and a realistic business plan with three-year financial projections. We manage the IPA submission and all CMA clarification rounds through to the IPA decision.

📊

Business Plan Drafting & Regulatory Narrative

We draft the regulatory business plan — covering the nature and scope of proposed activities, the activity classification rationale, target markets, revenue model, three-year financial projections with assumptions, operational structure, risk assumptions, and capital analysis — in a format designed to satisfy the CMA's IPA and full application credibility tests.

🏛️

Governance, Capital & Control-Framework Design

We design the full governance and control architecture required for the full licensing readiness phase — board structure, allocation of significant responsibilities, risk management framework, compliance function, internal audit design, capital adequacy monitoring, management information systems, and the full range of operational policies and procedures required by Part Three of the General Framework Module.

👤

Key-Person Accreditation Support

We plan and manage the key-person accreditation process in parallel with entity licensing — advising on which positions are subject to accreditation, preparing the individual accreditation submissions, managing CMA evaluation interactions, and ensuring the accreditation timeline is sequenced to align with the entity licence approval date and the planned go-live date.

📂

Full Application Pack Assembly & Submission Management

We assemble and manage the complete full licence application — all licensing requirement evidence, legal form documentation, and supporting materials required by Chapter Three of the General Framework Module — in a format that presents the business as a fully defensible licensed entity. We manage submission, fee arrangements, and the CMA review process through to the licensing decision.

🔄

Clarification-Round Strategy

We manage every CMA clarification round — anticipating likely information requests based on the activity classification and application content, preparing substantive responses that address the CMA's underlying supervisory concerns rather than just answering the surface question, and maintaining submission momentum to avoid delays in the review timeline.

🚀

Implementation Planning Through Go-Live Readiness

We build the post-IPA implementation plan and go-live readiness programme — sequencing the delivery of governance documents, system and control builds, AML framework implementation, key-person accreditation, and capital arrangements within the six-month post-IPA window, so the business can move to full licence application and go-live without delay or re-application.

From Activity Classification and IPA Preparation Through Governance Build, Full Application, Clarification Rounds, and Go-Live — Complete CMA Licensing Support

  • We confirm the correct financial activity classification before any application is prepared — because classification determines capital, rulebook, controls, and the entire structure of both licensing stages
  • We prepare the IPA file and the full application pack — producing regulator-facing documents that reflect how the business will actually operate, not how it intends to operate in general terms
  • We design the governance, capital, AML, cyber, and operational architecture required for the full licensing readiness phase — built to satisfy Part Three of the General Framework Module, not drawn from generic templates
  • We manage the complete process and all CMA interactions — from IPA submission through clarification rounds, key-person accreditation, full application, and post-approval go-live implementation
The CMA process tests whether the business can safely, competently, and honestly conduct the proposed regulated activity. The application must prove that — not just assert it.

FAQs

Frequently Asked Questions — CMA Crypto Licence Application Process (UAE)

Is in-principle approval enough to start operating?

No — and the rulebook is explicit on this point. In-principle approval is not a licence and does not authorise the applicant to conduct the financial activity. Any act or procedure carried out on the basis of in-principle approval alone is treated as null and void under the General Framework Module. The firm may only commence regulated activities once the full licence has been granted. The IPA stage confirms that the applicant is fit to enter the full licensing process — it is the starting gate, not the finishing line.

How long does the CMA take to issue an in-principle approval decision?

The CMA must issue its decision on a complete in-principle approval application within 45 working days. The clock starts from the date the application is complete — not from the date of initial submission. If the CMA requests additional information or clarifications during the review, the timeline may be affected by the time taken to respond. Reasons must be given in writing in case of rejection. The non-refundable application fee is payable regardless of the outcome of the IPA decision.

How long does the full licence application take?

The CMA must issue its decision on a complete full licence application within 60 working days. As with the IPA, the timeline runs from the date the application is complete. The evaluation process is evidence-driven and discretionary — the CMA may conduct independent inquiries, request further information, and require verification of information by any method it determines. Incomplete submissions or substantive clarification requests can extend the practical timeline beyond the 60-working-day period. A separate fee is payable at this stage.

Can the CMA approve a licence subject to conditions?

Yes. The CMA has three possible responses to a complete licence application: it may approve the licence, approve it subject to conditions or restrictions, or reject it. Conditions or restrictions can relate to the scope of permitted activities, operational requirements, capital thresholds, or other supervisory expectations. Critically, the CMA may also reject an application even where the requirements appear to have been met, if rejection is necessary in the public interest — with reasons given in writing. The discretionary nature of the approval decision underlines why operating-model credibility and supervisory fit matter throughout the entire application process, not just at formal submission.

Does this process apply to MTF licences?

No. The General Framework Module’s in-principle approval and full licence application chapters expressly exclude the operation of a Multilateral Trading Facility. MTF licensing is addressed separately under the CMA’s Alternative Trading System (ATS) Module, which carries its own application requirements, market infrastructure standards, rulebook obligations, market surveillance requirements, and governance framework. Firms intending to operate a crypto exchange or trading platform in the UAE mainland should assess their obligations under the ATS Module — not the General Framework Module’s licence application process.

Ready to Structure Your CMA Licensing Journey?

Book a Licensing Strategy Call

Whether you are preparing for IPA, building the full licensing readiness file, or navigating a multi-activity application — we manage the complete CMA licensing pathway from activity classification through go-live readiness.

Speak to a Crypto Lawyer