COMPANY RULEBOOK REQUIREMENTS UNDER VARA

Governance that withstands inspections: ownership transparency, Board & RI fit-and-proper, outsourcing discipline, ESG tiers, capital/NLA/reserves, and change-control — all in one operating blueprint.

We translate Part I–VIII obligations into board charters, RI appointments, outsourcing packs, ESG disclosures, capital/NLA/reserve dashboards, and “material change” playbooks.

SCOPE & CUMULATIVE APPLICATION (OVERVIEW)

The Company Rulebook applies to all VARA-Licensed VASPs in Dubai and adds to the other compulsory rulebooks (Compliance & Risk Management; Technology & Information; Market Conduct) and any activity-specific rulebooks.

PART I — COMPANY STRUCTURE (OWNERSHIP, BOARD, RIS, SM, COMPANY SECRETARY)

Ownership & legal form

You must have a legal entity in Dubai, maintain a clear chain of ownership & UBOs, and seek prior VARA approval before material changes (incl. DAO-style governance).

Board.

Fit-and-proper members; defined appointment/removal processes in constitutional docs; annual Board/committee/self assessments; clear delegation with oversight.

Responsible Individuals (RIs).

Appoint two full-time, UAE-resident (or UAE-passport) Responsible Individuals, approved by VARA; validate annually; seek approval for changes (save emergencies with immediate notice).

Senior Management (SM).

Document roles, reporting lines, authority & accountability; competence aligned to VA sector; CO/head of internal audit must remain independent of ops and report to the Board.

Company Secretary.

Independent of SM, reporting directly to the Board; responsible for minutes, agendas, resolutions tracking, disclosures support; external secretary = outsourcing (Part IV controls apply).

PART II — CORPORATE GOVERNANCE (COMPETENCE, SEGREGATION, CONFLICTS, DISCLOSURE, GROUP)

Competence

Policy to ensure qualified Board/SM/Staff; only suitably experienced staff in supervisory roles.

Segregation of duties

Separate policy/supervisory/audit from operations; segregate sales/dealing/settlement/safekeeping; CO & internal audit independent and report to Board.

Conflicts of interest

Avoid where reasonable; disclose & manage if unavoidable; maintain conflicts register; special independence rules if you market as “independent.”

Information disclosure

Maintain public website disclosures (plus MCR/other rulebook items) and periodic policy reviews.

Group governance.

Board-approved framework for subsidiaries; verify performance; protect information flows.

Related parties & loans

Board approval & VARA notice for significant related-party transactions; monthly related-party reporting; VARA approval before loans to Board/SM/RIs.

PART III — FIT & PROPER REQUIREMENTS (BOARD, RIS, SM)

Principles

Qualifications; honesty/integrity; solvency; VA-industry & management experience; regulatory understanding.

Assessment & enforcement

Ongoing “fit & proper” assessments; VARA may suspend/revoke approvals, reprimand, bar, or require additional measures.

PART IV — OUTSOURCING MANAGEMENT (SCOPE, RISK, AGREEMENTS, CROSS-BORDER)

Scope

Applies to all outsourcing except carve-outs (e.g., statutory audit; utilities); prohibited if it impairs internal controls or supervisory rights.

Specified officers

MLRO/CISO/DPO may be outsourced but remain individually accountable to VARA; VARA may require in-house.

Risk & due diligence

Pre-deal and annual risk assessments; comprehensive provider DD; ongoing monitoring with expert staff.

Policy & register

Maintain an Outsourcing Policy and a register covering scope, locations, whether “material,” and data/confidentiality.

Contracts (mandatory)

Security & BCP, data access/destruction, audit/inspection rights (incl. regulators), termination/exit assistance; extra clauses for Material Outsourcing (SLAs, reporting, insurance, locations, change-notice & objection rights).

Sub-outsourcing & cross-border

Conditional and controlled; include pass-through audit/confidentiality; extra due diligence and client/VARA notifications where required.

PART V — ESG (DISCLOSURE LEVELS & MINING/STAKING TRANSPARENCY)

Information disclosure

VARA assigns one of three ESG disclosure levels (Voluntary / Compliance / Mandatory). Mandatory may require an annual ESG report and prominent website disclosures; all VASPs involved in mining/staking must publish renewable-energy and decarbonisation information.

PART VI — CAPITAL & PRUDENTIAL REQUIREMENTS (PUC, NLA, INSURANCE, RESERVES)

Paid-Up Capital (PUC).

Activity-based thresholds; multi-licence VASPs stack PUC per activity using mutually exclusive overhead splits; hold PUC in UAE trust (VARA beneficiary) or surety bond. (VI.B.1–3)

Net Liquid Assets (NLA).

NLA ≥ 1.2× monthly opex; daily recon; monthly report; eligible assets limited to cash/cash equivalents and USD/AED-referenced VAs approved by VARA. (VI.C.1–4)

Insurance.

PII, D&O, crime (hot wallets) and any licence-specific line, with regulated insurers; group policy allowed if VASP is named with stated limit. (VI.D.1–3)

Reserve Assets.

100% of client liabilities, 1:1 same VA, daily recon, semi-annual independent audit filed in the next CRM quarterly report. (VI.E.1–3)

Breach duties

Immediate VARA notice (deficits, causes, remediation, timelines) + daily updates until cured; VARA may uplift prudentials.

PART VII — INSOLVENCY & WIND-DOWN

Maintain.

Maintain a Wind-Down Plan (client VA return, staff/records, communications, systems redundancy, surety bond maintained, no new clients); weekly reporting during voluntary wind-down; full cooperation in insolvency.

PART VIII — MATERIAL CHANGE TO BUSINESS OR CONTROL

Prior VARA approval.

Prior VARA approval for any Material Change, cessation of activities, change of control, or M&A of substantial assets; 30 Working-Day standards for VARA decisions (extendable).

What CRYPTOVERSE Legal delivers

Board & RI pack

charters, decision matrices, annual training & fit-and-proper files.

Outsourcing suite

policy/register, provider DD, contract schedules (audit/exit/locations).

ESG tier implementation

disclosure selection, mining/staking transparency pages.

Prudentials dashboard

PUC stacking workbook, NLA daily recon, reserve 1:1 ledgers, insurance endorsements.

Change-control playbook

no-change covenant, pre-clearance templates for control/M&A.

FAQs

Yes — full-time, UAE-resident/UAE-passport, VARA-approved; changes require approval (with emergency notice allowances).

Yes, but the individual remains accountable to VARA; VARA can require in-house staffing.

NLA ≥ 1.2× monthly opex, plus activity-based PUC, mandated insurance, and reserves = 100% 1:1 same VA.

Anything that could significantly affect the model/operations/VA activities or compliance posture (incl. scope changes, control shifts) — needs prior approval.