- UAE — CMA General Framework Module
CMA Crypto Licensing Requirements
A practical guide to the core licensing requirements applicable to Virtual Asset Service Providers under the CMA framework in the UAE — governance, systems and controls, AML/CFT, cybersecurity, complaints handling, recordkeeping, and the mandatory roles required across different VASP business models.
CMA Licensing Requirements — At a Glance
- 11 core licensing requirements — from governance and controls through to cybersecurity and complaints
- 7 mandatory roles for all VASPs — 4 of which must be performed by UAE residents
- ATS/Exchange operators carry an expanded 8-role staffing matrix including a dedicated Risk Officer
- Cyber incidents must be reported to the CMA within 72 hours of awareness
- Records — including governance allocations, complaints, and marketing — must be retained for at least 6 years
- Roles are required at all times — not just at the point of licensing application
We help VASPs convert the CMA rulebook into a licensing-ready operating model: governance architecture, mandatory staffing matrix, AML/Travel Rule controls, cybersecurity, custody design, and regulator-facing application packs through approval and go-live readiness.
What CMA Is Really Licensing & The 11 Core Requirements
The CMA Licenses a Business That Can Operate Safely, Compliantly, and Continuously — Not One That Has a Product Concept and Paid-Up Capital
Under the General Framework Module, a person must not conduct VASP financial activities in or from within the UAE unless licensed. The rulebook then imposes an ongoing set of licensing conditions that go far beyond incorporation and capital — covering governance, controls, risk, compliance, audit, conduct, continuity, recordkeeping, and personnel. All eleven must be satisfied before the first licence is granted and maintained throughout the licence period.
1. Correct Activity Classification
2. Governance & Allocation of Responsibilities
3. Systems and Controls
4. Risk Management
5. Compliance Function
6. Internal Audit
7. Business Plan & Strategy
8. Employees, Training & Competence
9. AML / CFT Compliance
10. Business Continuity, Records & Complaints
11. Cybersecurity Risk Management
- 11 Requirements: Core licensing conditions — from activity classification through cybersecurity — all must be satisfied before licence issuance
- 72 Hours: Hard deadline for reporting material cyber incidents to the CMA — from the moment of awareness, not discovery
- 6 Years: Minimum retention period for all records — governance allocations, complaints, marketing materials, and client agreements
- 15 Hours CPD: Annual continuing professional development required for certain senior control roles — a specific, measurable obligation
Mandatory Roles — Core VASP, Accreditation & Technical Positions
Seven Mandatory Roles for All VASPs — With Four Residency Requirements, Five Accreditation Requirements, and Technical Roles by Activity Type
The General Framework Module requires licensed entities to designate persons to specific positions — at all times, not just at application. The mandatory role framework operates across three layers: core roles required of all VASPs, residency obligations for specific roles, accreditation requirements for positions subject to CMA approval, and technical roles that apply to specific activity types.
A. Mandatory Roles for All VASPs (Article 54)
| # | Mandatory Role | Residency | Accreditation |
|---|---|---|---|
| 1 | Members of the Board of Directors (or equivalent) | — | — |
| 2 | Senior Manager | UAE Resident | CMA Accredited |
| 3 | Chief Executive Officer | UAE Resident | CMA Accredited |
| 4 | Chief Financial Officer | — | CMA Accredited |
| 5 | Compliance Officer | UAE Resident | CMA Accredited |
| 6 | Anti-Money Laundering Reporting Officer | UAE Resident | CMA Accredited |
| 7 | Internal Auditor | — | — |
The Senior Manager role may, in limited circumstances, be performed without permanent UAE residence — provided effective internal control, direct communication with the Authority, and governance integrity are maintained. This exception is narrow and must be assessed on its specific facts before being relied upon in a licensing strategy.
C. Technical Roles by Activity Type (Article 56)
| Technical Role | Activity Trigger | Status |
|---|---|---|
| Broker Representative | Dealing as Agent / Brokerage | Activity-Specific |
| Financial Analyst | Providing Investment Advice | Activity-Specific |
| Portfolio Manager | Portfolio Management | Activity-Specific |
B. Additional Mandatory Roles for ATS / Exchange Operators
| # | Mandatory Role | Framework |
|---|---|---|
| 1 | Members of the Board of Directors (or equivalent) | ATS Module |
| 2 | Senior Manager | ATS Module |
| 3 | Senior Executive Officer | ATS Module |
| 4 | Chief Financial Officer | ATS Module |
| 5 | Compliance Officer | ATS Module |
| 6 | Money Laundering Reporting Officer | ATS Module |
| 7 | Risk Officer | ATS Module |
| 8 | Internal Auditor | ATS Module |
Note on Terminology Inconsistency. There is a translation inconsistency in the English text of the General Framework Module between “Chief Executive Officer” in Article 54 and “Senior Executive Officer” in Article 55. For licensing strategy, these positions should be reviewed against the final Arabic text and CMA application forms before submission to ensure the correct title is used in the accreditation application.
Role Combination — Allowed, But Not Freely
Permitted Combinations
- Compliance Officer + AML Reporting Officer (where appropriate)
- Proportionate combinations in smaller models with no conflict
Prohibited or Restricted
- Executive + financial control role combinations that create conflicts
- Any combination where independence of audit or compliance is compromised
Role-by-Role Business Fit & What the CMA Will Test on Staffing
Mandatory Staffing Mapped by VASP Business Model — and the Six Staffing Tests the CMA Will Apply at Application and Supervision
The mandatory role requirements are not uniform across all VASP types. The core roles apply universally, but the technical roles and ATS-specific obligations depend on the activity classification and business model. The following maps each major VASP type to its expected role set — and sets out what the CMA is likely to examine in practice.
Mandatory Staffing by VASP Business Model
- All VASP Applicants: Core Roles — Always Required
  - Board / equivalent governance
  - Senior Manager (UAE resident)
  - CEO / Senior Executive (UAE resident)
  - Chief Financial Officer
  - Compliance Officer (UAE resident)
  - AML Reporting Officer (UAE resident)
  - Internal Auditor
- Dealing / Brokerage Models: Core Roles + Potential Technical Role
  - All 7 core VASP roles
  - + Broker Representative (where business model requires)
- Advisory Models: Core Roles + Potential Technical Role
  - All 7 core VASP roles
  - + Financial Analyst (where model requires)
- Portfolio Management Models: Core Roles + Mandatory Technical Role
  - All 7 core VASP roles
  - + Portfolio Manager (typically required)
- Exchange / MTF Models: Full ATS Module Staffing Matrix
  - Board / equivalent governance
  - Senior Manager + Senior Executive
  - Chief Financial Officer
  - Compliance Officer
  - AML Reporting Officer
  - + Risk Officer (ATS-specific requirement)
  - Internal Auditor
- Custody-Only / Arranging-Only Models: Core Roles — Technical Roles May Not Apply
  - All 7 core VASP roles
  - Technical roles (Broker Rep, Financial Analyst, Portfolio Manager) unlikely to be required unless model expands
What the CMA Will Test on Staffing — In Practice
Staffing Is Proportionate — But Not Casual
- Proportionality applies to size and complexity — not to the existence of mandatory roles
- Each combined role must be appropriate — and the individual must be genuinely competent for each function
- Compliance and audit independence cannot be sacrificed in the name of cost efficiency
- The staffing matrix in the application must reflect how the business will actually be structured at go-live
What CRYPTOVERSE Legal Delivers
CMA Licensing Readiness — Governance Architecture, Mandatory Staffing, AML Controls, and Regulator-Facing Application Packs
We help VASPs convert the CMA rulebook into a licensing-ready operating structure — building every element of the eleven licensing requirements into a coherent, documented, and CMA-facing compliance framework that reflects how the business will actually operate from the first day of authorised activity.
Activity Classification & Licensing Scope Analysis
We confirm the correct financial activity classification for the proposed business model — identifying all regulated activities present and mapping them through the three CMA licensing layers. Classification is resolved before any licensing strategy is committed to, because it determines every downstream requirement: capital, staffing, conduct rules, and prudential obligations.
Mandatory Role Mapping by VASP Type
We map the mandatory staffing matrix for the specific business model — identifying all core roles, residency obligations, accreditation requirements, and activity-specific technical positions. We design the staffing structure, advise on permissible role combinations, flag prohibited combinations, and produce a role-allocation document that demonstrates to the CMA a complete and operationally defensible staffing model.
Board and Control-Function Design
We design the board and control-function architecture — governance allocation documents, accountability maps, board terms of reference, compliance function charter, internal audit mandate, and risk management framework — all produced to the standard required by Part Three of the General Framework Module and in a format the CMA expects to see in the licensing file.
Approval / Accreditation Planning for Key Persons
We plan and manage the CMA accreditation process for all positions subject to approval — advising on individual eligibility, preparing the accreditation submissions, managing CMA evaluation interactions, and ensuring accreditation timelines are sequenced to align with the entity licence approval date and the planned go-live date.
AML / Travel Rule Framework Implementation
We design and implement the AML/CFT framework — risk-based AML policies, CDD/EDD procedures, sanctions screening, transaction monitoring architecture, STR reporting procedures, Travel Rule counterparty VASP due diligence, and unhosted wallet controls — aligned to the CMA's licensing requirements and the wider UAE AML/CFT framework, and operational before the final licence is granted.
Cybersecurity & Complaints Architecture
We design the board-approved cybersecurity risk management framework — covering ICT asset protection, third-party cyber risk management, incident detection and response procedures, and the 72-hour material incident reporting mechanism. We also design the complaints handling procedures, escalation architecture, and complaints recordkeeping system required under the Business Regulation Module.
Policy Pack Drafting
We draft the complete policy framework required under the eleven licensing requirements — governance allocation documents, risk management policies, compliance monitoring procedures, business continuity and disaster recovery plans, recordkeeping policies, employee competence and training frameworks, outsourcing governance policies, and complaint handling procedures — tailored to the specific activity classification and business model.
Full CMA Submission Support
We assemble and manage the complete CMA licensing submission — ensuring that all eleven licensing requirements are evidenced in the application file, all mandatory roles are mapped and accreditation submissions are prepared, and all governance, AML, cyber, and operational documentation meets the CMA's standard. We manage all clarification rounds and maintain submission momentum through to the final licence decision.
From Activity Classification and Mandatory Role Mapping Through Governance Architecture, AML Implementation, Cybersecurity, and Full CMA Application — Complete Licensing Readiness Support
- We confirm the correct activity classification before any licensing strategy is committed to — because classification drives every downstream requirement across all eleven licensing conditions
- We map the mandatory staffing matrix for the specific business model — identifying all core, residency, accreditation, and technical role obligations and designing a staffing structure the CMA will accept as operationally defensible
- We build the governance architecture, AML framework, cybersecurity programme, and policy pack — aligned to the eleven requirements and produced in the format the CMA expects to see in the licensing file
- We manage the complete CMA submission and accreditation process — so the application file demonstrates a business that can operate safely, compliantly, and continuously inside the rulebook from day one
FAQs
Frequently Asked Questions — CMA Crypto Licensing Requirements (UAE)
Not exactly. All VASPs must designate persons to the seven core management and control roles — Board, Senior Manager, CEO, CFO, Compliance Officer, AML Reporting Officer, and Internal Auditor. However, some business models also require activity-specific technical roles: Broker Representative for dealing-as-agent models, Financial Analyst for advisory models, and Portfolio Manager for portfolio management models. ATS and exchange operators are subject to a wider mandatory role set under the ATS Module — which includes a dedicated Risk Officer not required under the core VASP framework. The staffing matrix for each firm must be built around the specific activity classification and business model, not applied as a universal template.
No. The rulebook requires the licensed entity to have these persons designated and performing their roles at all times throughout the licence period — not just at the point of the licensing application. A vacancy in a mandatory role is a live regulatory breach, not an administrative gap. The CMA’s ongoing supervision model tests whether these roles are filled and functioning continuously. Firms must build succession planning, vacancy management, and notification procedures into their governance framework to ensure compliance is maintained throughout the licence period.
Yes. Positions subject to CMA approval or accreditation may not be performed unless the relevant person has been accredited, subject to limited temporary coverage exceptions. The positions requiring accreditation include at minimum: Senior Manager, Senior Executive Officer, Chief Financial Officer, Compliance Officer, and AML/CTF Reporting Officer. The accreditation process is separate from the entity licensing process but should be planned and managed in parallel — the individual must be accredited before performing the role, and timing misalignment between entity approval and individual accreditation can delay go-live. The CMA must issue its accreditation decision within 60 working days of a complete application.
Sometimes — but not freely. The General Framework Module allows role combination where it is appropriate to the nature, size, and complexity of the business; the individual is genuinely competent and suitable for each role; and conflicts of interest are absent or properly managed. The rulebook also includes a combination matrix showing specific combinations that are permitted and others that are prohibited. For example, the Compliance Officer and AML Reporting Officer roles may be combined in appropriate circumstances — but combinations involving executive and financial control roles, or any combination that compromises the independence of the compliance or audit function, are restricted or prohibited. The staffing model must be reviewed against the combination matrix before being submitted to the CMA.
Ready to Convert the CMA Rulebook Into a Licensing-Ready Operating Structure?
Whether you are building a licensing readiness programme from scratch, designing your mandatory staffing matrix, or preparing the governance and AML framework for a CMA application — we build the operating structure around your specific activity classification and business model.