COMPLIANCE & RISK MANAGEMENT RULEBOOK REQUIREMENTS UNDER VARA
Your first line of defence: from the Compliance Officer’s mandate and the risk framework to AML/CFT (incl. Travel Rule), Client Money/Client VA rules, anti-bribery controls, and Sponsored VASP oversight — all in one operating blueprint.
We translate Part I–VII obligations into policies, registers, testing plans, Travel-Rule controls, daily reconciliations, and board-level MI — ready for licensing and inspections.
SCOPE & CUMULATIVE APPLICATION (OVERVIEW)
The CRM Rulebook applies to all VARA-Licensed VASPs and is cumulative to the Company, Technology & Information, Market Conduct, and activity-specific rulebooks. (Introduction & Contents)
PART I — COMPLIANCE MANAGEMENT (CMS, CO, RISK, OPS, RECORDS, AUDIT, REPORTING, NOTIFICATIONS, TRAINING)
Compliance principles
Integrity, diligence, capabilities, safeguarding of client assets, effective disclosures, and openness with regulators.
CMS
Independent, risk-based testing and monitoring; the CO is notified of material non-compliance; policies cover licensing conditions, recordkeeping, AML/CFT and complaints.
Compliance Officer (CO)
≥5 years’ experience; Fit-&-Proper; UAE-resident/UAE-passport; full-time; reports to Board. Can (if no conflicts) also be MLRO/head of risk.
Risk management
staffed function; head reports to Board; quarterly Board risk reports; framework covers financial stability (capital/liquidity/market/credit), market-conduct, compliance/BCP, consumer-protection & cybersecurity risks.
Operations
Fair dealing; protection of VA and Client VA; reconciliations against internal ledgers and third-party statements; insider-information safeguards.
Books & records
Native/original format; audit trails; general ledger; Board minutes; retain ≥8 years (indefinite if national-security related).
Audit
Annual external audit; internal audit (independent) reporting to senior management, at least quarterly.
Regulatory reporting
Monthly (financials, wallet addresses, Group VA dealings, related parties); quarterly (Board minutes, reserves/financial compliance, strategy, Board risk report); annual (audited FS with IC attestation, onboarding samples, UBOs/structure/bios, committee data).
Notifications
Immediate reporting of breaches; changes to annual-pack items; incident notifications (incl. T&I cybersecurity).
Staff management/training
Qualified staffing, onboarding of policies within 30 days, ongoing AML/CFT training.
PART II — TAX REPORTING & COMPLIANCE
Tax compliance
Maintain compliance with all applicable tax regimes (e.g., FATCA, where relevant) and best practices.
PART III — AML/CFT (MLRO, POLICIES, CONTROLS, RISK ASSESSMENTS, CDD, STRS, TRAVEL RULE, SANCTIONS, RECORDS, ENFORCEMENT)
MLRO
≥2 years’ AML/CFT experience; Fit-&-Proper; quarterly AML/CFT report to Board incl. anonymity-enhanced transactions; accountable even when tasks are delegated.
Policies & controls
Align to Federal AML-CFT Laws, FATF guidance, EOCN materials; third-party attestation on adoption and within 21 days of changes.
Risk assessments
Business AML/CFT risk assessment — at least every 3 months and on any significant change (covering AECs, new technology including AI/ML, and emerging risks). Client AML/CFT risk assessment — at least every 3 months, with a documented methodology and audit trails.
CDD
Risk-based; triggered at onboarding and for occasional transactions of AED 3,500 or more; verify UBOs; PEP/ECDD measures; where CDD cannot be completed, no relationship is established and no transaction is executed.
STR workflow
Near-real-time monitoring; immediate GoAML report to UAE FIU on suspicion; respond to FIU/VARA within 48 hours.
Travel Rule
Obtain/hold originator & beneficiary data for > AED 3,500; due-diligence of counterparty VASPs; manage unhosted wallets and sunrise issues.
Targeted financial sanctions
Automated screening against UNSC and UAE lists; freeze/block; records retained for 8 years.
AML/CFT records
Transactions, CDD, ongoing monitoring, STRs — retain ≥8 years.
Enforcement
Enforcement actions may target the VASP, its directors, RIs, the MLRO, or Senior Management.
PART IV — CLIENT MONEY RULES
Client Money
Client Money held in Client Accounts (title includes “Client Account”), separate from firm funds; deposit within 1 day; UAE client money with UAE banks; DvP exceptions with tight timelines; daily identification and controls.
Third-Party Banks
Written acknowledgments; no set-off/lien; stop deposits if bank won’t acknowledge.
Client reporting
Monthly statements within 25 days.
Daily reconciliation
Daily reconciliation and defect remediation; notify VARA on material unresolved discrepancies; 1-day notice of any non-compliance.
PART V — CLIENT VIRTUAL ASSETS RULES
Proof-of-Reserves
Proof-of-Reserves as directed by VARA; daily reconciliation; notify VARA on material unresolved discrepancies.
PART VI — ANTI-BRIBERY & CORRUPTION
Zero-tolerance policy
Zero-tolerance policy; prohibited payments and facilitation payments; hotline and investigation protocol; the CO monitors effectiveness; training for Board and Staff; public disclosure of the firm's stance; severe consequences and VARA reporting for unlawful conduct.
What CRYPTOVERSE Legal delivers
Licensing & CMS: CO/MLRO charters, risk appetite, testing calendar, breach playbooks.
AML/CFT suite: Business and client risk-assessment templates (3-month cadence or shorter), CDD/PEP/ECDD SOPs, STR runbooks, Travel-Rule policy with sunrise approach.
Client Money/Client VA packs: Bank acknowledgments, Client Account SOPs, daily reconciliation workpapers, Client VA 1:1 wallet labelling, PoR documentation.
AB&C programme: Policy, hotline workflow, investigation file templates, training.
Sponsored VASP kit: Sponsor agreement, governance/MI, RO approvals, disclosures.
FAQs
Yes — full-time, UAE-resident/UAE-passport, VARA-approved; changes require approval (with emergency notice allowances).
Yes, but the individual remains accountable to VARA; VARA can require in-house staffing.
NLA ≥ 1.2× monthly opex, plus activity-based PUC, mandated insurance, and reserves of 100% held 1:1 in the same VA.
Anything that could significantly affect the business model, operations, VA activities or compliance posture (including scope changes and control shifts) needs prior approval.