Capital Requirements for VASPs Under the CMA: A Detailed Prudential Analysis (2026)

1) Why capital sits at the centre of the CMA VASP framework

The CMA’s virtual asset regime is designed as a prudential gate—capital is not treated as a mere licensing formality, but as a tool to manage systemic and investor risks and to ensure continuity under stress.

Two anchor ideas in the federal framework are:

1. Minimum licensing requirements are not just “licence fees + documents”. The federal Cabinet framework explicitly expects VASPs to satisfy conditions concerning capital, plus broader safeguards such as credit guarantees/insurance and compliance systems.
2. Capital requirements are intended to support market stability and investor protection and reduce the probability of failure/default of licensed entities (the guidance is explicit about capital adequacy as a pillar of market safety and continuity).

In practical terms, the regulator uses capital to answer one overarching question:

If your revenue drops, markets dislocate, or an operational incident occurs, can your firm continue operating responsibly (or wind down safely) without harming clients or market integrity?

That is why CMA capital is tiered by activity risk, and why certain activities carry an additional liquidity-style obligation (6-month OPEX coverage).

2) The CMA’s activity-based capital tiers (baseline minimums)

The CMA framework applies different minimum paid-up capital depending on the virtual asset activity being licensed. The guidance sets out the following baseline figures:

A. Virtual Asset Platform Operator (Exchange / MTF-equivalent venue)

• AED 1,000,000 paid-up capital if the platform operator activity is conducted alone (i.e., without conducting other VASP activities), plus maintenance of operating capital equivalent to 6 months’ operating expenses.
• AED 5,000,000 paid-up capital if the platform operator carries on platform operations in addition to any other VASP activities, plus maintenance of operating capital equivalent to 6 months’ operating expenses.

B. Safe Custody of Virtual Assets (Custodian)

• AED 4,000,000 paid-up capital plus maintenance of operating capital equivalent to 6 months’ operating expenses.

C. Financial Consulting in Virtual Assets (Advisory)

• AED 500,000 paid-up capital.

D. Managing Portfolios of Virtual Assets (Discretionary management)

• AED 3,000,000 paid-up capital.

E. Virtual Asset Brokerage (Agency execution)

• AED 2,000,000 paid-up capital.

F. Virtual Asset Dealer (Principal trading / own account)

• AED 30,000,000 paid-up capital.

These numbers are the starting point—not the finish line. For higher-risk models (platform + custody, platform + broker, or any model approaching principal risk), the regulator’s prudential expectations typically become more exacting even where the minimum is technically satisfied.

3) The “6-month OPEX” requirement is a liquidity proxy—understand it properly

For platform operators and custodians, the CMA adds a further requirement: maintaining operating capital equivalent to six months of operating expenses.

This is not a symbolic add-on. It is a prudential design choice that recognises two realities:

1. Exchanges and custodians can fail operationally without becoming insolvent on paper.
2. Failure can be sudden (cyber incident, market shock, bank account restrictions, sanctions exposure, liquidity disruptions).

What counts as “operating expenses” for the 6-month test?

The guidance describes operating expenses as including “all general and non-discretionary costs,” and clarifies that exceptional items may be excluded; it also references inclusion of technology-related operational expenses (e.g., servers, platforms, IT storage, equipment, necessary technology services), with a note that certain development/research-style costs may potentially be excluded.

Practical implications for applicants:

• Your 6-month OPEX model should be defensible, conservative, and auditable.
• The CMA will likely scrutinise how you classify costs as “exceptional” or “discretionary.”
• If your platform relies heavily on vendor stack fees (matching engine, custody tech, analytics, surveillance), those costs should typically be treated as operationally non-discretionary.

4) Prudential rationale: why each activity has the capital it has

A useful way to interpret the tiering is to view it through risk transmission channels.

4.1 Advisory (AED 500k): conduct risk > balance sheet risk

Advisory models do not typically custody client assets or operate trading infrastructure. The main risks are:

• Mis-selling / suitability failures
• Conflicts of interest
• Weak AML controls (still relevant)
• Reputational and conduct issues

Hence, baseline capital is relatively lower: AED 500,000.
But in practice, capital adequacy is not the only prudential variable, the federal framework also expects the licensing authority to ensure compliance systems and other controls.

4.2 Brokerage (AED 2m): transactional and market integrity risk

Brokerage sits closer to market plumbing:

• Higher exposure to AML typologies (rapid movement, layering, off-platform transfers)
• Execution quality and best interest / suitability risks
• Client relationship risks (complaints, trade disputes)

Hence AED 2,000,000.

4.3 Portfolio management (AED 3m): fiduciary-like risk and suitability complexity

Discretionary management introduces:

• Investment mandate risk
• Risk model governance and suitability oversight
• Concentration and liquidity risks in client portfolios
• Enhanced governance expectations (strategy controls, risk reporting)

Hence AED 3,000,000.

4.4 Custody (AED 4m + 6-month OPEX): asset safeguarding is systemic

Custody is among the highest-risk functions because it concentrates:

• Key management / wallet governance risks
• Theft/hack exposure
• Operational resilience risk
• Reconciliation and segregation risk

Thus AED 4,000,000 plus 6-month OPEX coverage.

4.5 Platform operator (AED 1m or 5m + 6-month OPEX): market infrastructure risk

An exchange / platform is a market integrity and operational stability node. Even if it does not custody (in theory), in practice it interfaces with:

• Trade execution integrity
• Market abuse controls
• Listing governance
• AML monitoring and travel rule-like considerations (depending on implementation)
• Technology resilience (uptime, incident response, cyber)

The CMA minimum is AED 1,000,000 if platform-only, or AED 5,000,000 if the platform also carries on other VASP activities—both with 6-month OPEX coverage.

4.6 Dealer (AED 30m): principal risk, balance sheet risk, systemic risk

Dealer activity is conceptually different: it entails principal exposure—own account trading, inventory, market-making/liquidity provision. In volatile markets, losses can crystallise rapidly.

Hence the step-change to AED 30,000,000.

This is not merely punitive; it reflects the regulator’s intent to ensure that firms taking principal risk have a meaningful capital base to absorb shocks without disorderly failure.

5) The “hidden prudential layer”: capital + guarantees/insurance + compliance systems

The Cabinet framework emphasises that, on licensing, the regulator should ensure the VASP satisfies not only capital requirements but also requirements/conditions concerning credit guarantees, insurances, compliance management systems and other controls under implementing resolutions.

This matters because it signals that the CMA’s prudential posture is not capital-only. In higher-risk models (platforms, custody, dealer-like operations), capital adequacy is only one piece of a broader prudential toolkit that may include:

• Insurance arrangements (cyber, crime, professional indemnity—structure depends on model and regulator expectations)
• Guarantees or other credit support mechanisms (if required under implementing instruments)
• Compliance systems that are operational, tested, and demonstrably effective

Strategic takeaway: A well-capitalised applicant with weak control systems can still be viewed as high-risk.

6) Common structuring consequences of the capital rules

6.1 Platform-only vs integrated platform: avoid accidental scope creep

The difference between AED 1m and AED 5m for a platform operator is triggered by whether the platform operator carries on other VASP activities.

In practice, “scope creep” often happens when an exchange also:

• Offers embedded custody (even if outsourced)
• Provides brokerage services
• Provides OTC facilitation
• Provides staking/earn-like products (depending on classification)

Even if the business believes these are “features,” the regulator may view them as separate regulated activities. That is why capital planning must be aligned with actual product functionality.

6.2 Broker vs Dealer boundary: a capital cliff edge

The jump from AED 2m (broker) to AED 30m (dealer) creates a major structuring risk: accidental dealer characteristics.

Business behaviours that can push you towards dealer-like risk in substance include:

• Market-making commitments
• Internalising order flow
• Providing guaranteed liquidity
• Holding inventory to facilitate client execution
• Taking counterparty exposure

From a prudential standpoint, the CMA will want comfort that the applicant is not assuming principal risk while capitalised as a broker.

6.3 Custody and platform interplay

Custody has its own capital baseline (AED 4m) and 6-month OPEX overlay.
If a platform operator also provides custody, applicants should assume:

• Enhanced wallet governance expectations
• Stronger operational resilience scrutiny
• Higher “proof of controls” burden

7) Designing a credible “prudential capital story” for the CMA

A sophisticated CMA application typically frames capital not as a static number, but as a prudential narrative supported by modelled evidence.

7.1 Start with a three-layer capital stack

Even where the rules specify a minimum, institutional applicants should plan and document:

1. Regulatory paid-up capital (meets minimum)
2. Operating liquidity reserve (6-month OPEX where applicable)
3. Prudential buffer (commonly 20–30% above minimums, scaled by risk profile)

The prudential buffer is especially important for:

• Exchanges/platforms with high fixed costs
• Custody models with elevated cyber risk
• Any model that could face banking friction (account restrictions can behave like liquidity shocks)

7.2 Stress test what actually breaks VASPs

A credible prudential submission typically stress tests at least:

• Revenue compression / volume drop (bear market scenario)
• Cyber incident response and remediation costs
• Regulatory remediation costs (enhanced audit, external monitors, technology uplift)
• Vendor concentration risk (single custody vendor, single cloud provider)

This aligns with the broader federal approach that expects effective mechanisms around cyber risks and security breaches.

7.3 Align capital with governance and controls

The guidance frames capital adequacy as a pillar of market stability and investor confidence, while also implying the need for continuous monitoring.
Your capital story should therefore be tied to:

• Board-approved capital and liquidity monitoring policy
• Frequency of internal reporting (monthly dashboards, quarterly board review)
• Triggers for capital injection / de-risking actions

8) Activity-by-activity capital planning: practical planning notes

8.1 Advisory (AED 500k)

Key focus: governance, fit & proper, conduct and suitability controls. Capital is lower, but the regulator may be sensitive to:

• Marketing practices
• Conflicts management
• Quality of advice / documentation of suitability

8.2 Brokerage (AED 2m)

Key focus: AML capacity, transaction monitoring capability, and clear boundary against principal risk. Paid-up capital is AED 2m.

8.3 Portfolio management (AED 3m)

Key focus: discretionary authority governance, portfolio risk controls, valuation, mandate compliance, and suitability. Paid-up capital is AED 3m.

8.4 Custody (AED 4m + 6-month OPEX)

Key focus: wallet governance, segregation, reconciliation, cyber resilience, incident response. Paid-up capital AED 4m plus OPEX overlay.

8.5 Platform operator (AED 1m or 5m + 6-month OPEX)

Key focus: market integrity systems (surveillance), listing governance, AML monitoring, cyber resilience, operational continuity. Paid-up capital AED 1m (platform-only) or AED 5m (platform + other VASP activities), plus OPEX overlay.

8.6 Dealer (AED 30m)

Key focus: principal risk controls, risk limits, liquidity risk, market risk, and governance independence. Paid-up capital AED 30m.

9) A short “prudential checklist” for capital readiness

Before submission, a CMA-ready capital pack typically includes:

• Activity classification memo mapping products to licensed activities (and explicitly addressing broker vs dealer boundary)
• Bank evidence showing paid-up capital is deposited, unencumbered, and available
• OPEX model workbook (for platform/custody), with operating expense definitions aligned to the guidance
• 6-month liquidity confirmation (and where held—bank accounts, permitted instruments, etc.)
• Stress test summary including downside cases
• Board approvals (capital plan, dividend/distribution policy, liquidity monitoring, contingency funding triggers)

10) The bottom line: capital is a credibility test, not just a threshold

The CMA capital regime does two things simultaneously:

1. It sets clear baseline minimums by activity (AED 500k → AED 30m).
2. It signals a broader prudential expectation that extends beyond capital into insurance/guarantees and control systems under the implementing instruments.

For serious operators, the winning approach is:

• Choose the right licence category (avoid misclassification)
• Treat 6-month OPEX as a true liquidity reserve, not a spreadsheet line
• Add a prudential buffer aligned to operational and cyber risk
• Stress test the model the way a regulator would.
• Present capital as part of a coherent governance-and-controls story.

FAQs