- UAE — CMA Regulated Activities
Crypto Activities Regulated by CMA — UAE
A precise guide to the virtual asset activities regulated by the Capital Market Authority (CMA) in the UAE — how the regulatory perimeter is defined, how activities map into licensable financial services, and why correct classification is critical to capital, compliance, and licensing outcomes.
CMA Activity Framework — At a Glance
⚖️
Activity-based perimeter — authorisation is required per activity, not per entity
📋
Three-layer structure: VA Activities (what) → Financial Activities (how) → Licence Categories (capital and prudential)
🏛️
8 core VA activities, 8 financial activities, 6 licensing categories — misalignment across layers is a key licensing risk
💰
Capital ranges from AED 500K (MTF) to AED 4M (Dealing as Principal) — most VASPs operate across multiple categories
⚠️
Custody is separate — exchange licences do not automatically cover client asset custody
The Three-Layer CMA Structure
Authorisation Is Required Per Activity — and Three Distinct Layers Must Align for Correct Classification
The CMA adopts a strict activity-based regulatory model. A person must not carry out any virtual asset activity in or from within the UAE unless licensed by the Authority. The framework operates across three sequential layers — misalignment across these layers is a key licensing risk that affects capital requirements, applicable rulebooks, and supervisory exposure.
The Three-Layer CMA Architecture
L1
Layer 1 — Virtual Asset Activities
Perimeter — Defines What the Business Does
L2
Layer 2 — Financial Activities
Licensing Classification — Defines How the Activity Is Regulated
L3
Layer 3 — Licensing Categories
Capital & Prudential — Defines Thresholds and Requirements
Does it operate within a closed ecosystem — is the non-transferability genuinely enforced in practice?
⚠️
Misalignment Across Layers Is a Key Licensing Risk. Incorrect mapping between the VA activity performed, the financial activity it constitutes, and the licence category it falls into can increase capital unnecessarily, trigger the wrong rulebook, delay approval, and create enforcement risk. Early classification — before any licensing strategy is committed to — is the most consequential structuring decision.
Layer 1 — The 8 Core VA Activities
#
Virtual Asset Activity
Maps To
1
Operating and managing virtual asset platforms
Cat 6 / MTF
2
Exchange between virtual assets
Cat 1 / 2
3
Transfer of virtual assets
Multi-Cat
4
Brokerage for trading in virtual assets
Cat 2
5
Custody and management of virtual assets
Cat 3
6
Financial services related to issuance/sale of VAs
Cat 4
7
Participation in VA investment activities
Cat 5
8
Other activities determined by the Authority
CMA Designated
Layer 2 — The 8 Financial Activities
#
Financial Activity
CATEGORY & CAPITAL
1
Dealing as Principal
Cat 1 — AED 4M
2
Dealing as Agent
Cat 2 — AED 1M
3
Providing Custody
Cat 3 — AED 3M
4
Arranging Custody
Cat 4 — AED 1M
5
Operating an MTF
Cat 6 — AED 500K
6
Investment Advice
Cat 4 — AED 1M
7
Portfolio Management
Cat 5 — AED 1M
8
Arranging Investment Deals
Cat 4 — AED 1M
📋
3 Layers
VA Activities → Financial Activities → Licence Categories — all three must align for correct classification
🔢
8 + 8 + 6
8 VA activities, 8 financial activities, and 6 licensing categories — each layer must map correctly to the next
💰
AED 500K–4M
Capital range across six categories — misclassification can trigger the wrong threshold and unnecessary capital lock-up
⚠️
Per Activity
Authorisation is required per activity — a firm performing multiple activities must map and licence each one correctly
Layer 3 — The Six Licensing Categories
Six Categories, Activity-Based and Capital-Driven — Each with Distinct Business Fit, Capital Requirement, and Compliance Obligations
The CMA's six licensing categories are the output of correctly mapping the VA activity and financial activity layers. Each category carries a minimum paid-up capital requirement, ongoing capital adequacy obligations, and a defined scope of permitted activities. Most VASPs operate across multiple categories — and capital requirements combine when they do.
Category 1
AED 4M
Dealing as Principal
Trading virtual assets on own account. The highest-capital category — reflects the principal risk the firm takes on its own balance sheet in each transaction.
Best Suited For
- Proprietary trading firms
- Market makers and liquidity providers
- Institutional trading desks
⚠️
High-risk, capital-intensive trading model — typically requires the most robust governance and risk management architecture
Category 2
AED 1M
Dealing as Agent (Broker)
Executing or facilitating trades on behalf of clients without taking principal risk. Agent model — the firm acts as intermediary, not counterparty.
Best Suited For
- Brokerage platforms and OTC desks
- Execution intermediaries
- Institutional brokers
💡
Ideal for firms — that facilitate trading without taking principal balance-sheet risk
Category 3
AED 3M
Providing Custody
Safekeeping and control of client virtual assets — holding private keys, controlling access, or administering client wallets. Separate from exchange or brokerage licences.
Best Suited For
- Institutional custodians
- Wallet service providers
- Exchanges holding client assets
- Asset safeguarding platforms
⚠️
Critical distinction — custody is not included in exchange or broker licences. It requires its own Category 3 authorisation
Category 4
AED 1M
Advisory & Arranging Activities
Investment advice, arranging deals, and arranging custody. Covers non-custodial, non-execution advisory and facilitation models — without taking on principal risk or client asset control.
Best Suited For
- Crypto advisory firms
- Token structuring consultants
- Placement agents and introducers
- Deal arrangers
💡
Suitable for non-custodial, non-execution business models — lowest operational intensity of the six categories
Category 5
AED 1M
Portfolio Management
Managing virtual assets on behalf of clients on a discretionary basis. Requires fiduciary responsibility and investment decision-making authority — distinct from advisory or execution functions.
VA Activity 02Best Suited For
- Crypto funds and asset managers
- Discretionary portfolio managers
- Managed staking providers
⚠️
Requires fiduciary responsibility — client suitability, conflict management, and investment decision governance all apply
Category 6
AED 500K
Operating an MTF / Exchange
Operating trading platforms that match buyers and sellers. Regulated as market infrastructure under the ATS Module — carries the most extensive operational obligations despite the lowest capital threshold.
Best Suited For
- Crypto exchanges and trading venues
- Order-book platforms and matching engines
💡
Lowest capital — but heaviest operational, governance, and market infrastructure obligations under the ATS Module
⚖️
How Activities Map in Practice & Critical Distinctions
Real-World Business Model Mappings — and the Structural Distinctions That Most Commonly Cause Classification Errors
The following examples show how common crypto business models map through the three-layer CMA structure — from the VA activity performed through the financial activity it constitutes to the licensing category that applies. The critical distinctions that follow are the most common sources of misclassification and structuring risk in CMA applications.
How Common Business Models Map Through the Three Layers
- Crypto Exchange
VA Activity
Platform operation + exchange
Financial
Operating an MTF
Category
6 — and often also 3 (Custody)
- Broker / OTC Desk
VA Activity
Brokerage for trading
Financial
Dealing as Agent
Category
2 — AED 1M
- Custodial Platform
VA Activity
Custody + Platform operation
Financial
Providing Custody + MTF
Category
3 + 6 — AED 3.5M minimum
- Crypto Fund / Asset Manager
VA Activity
Investment participation
Financial
Portfolio Management (+ Advice)
VA Activity
5 + 4 — AED 2M minimum
- Exchange + Custody + Brokerage
VA Activity
Platform + exchange + brokerage + custody
Financial
MTF + Agent + Custody
Category
6 + 2 + 3 — AED 4.5M minimum
- Token Advisory / Placement
VA Activity
Financial services related to issuance
Financial
Arranging deals + Investment Advice
Category
4 — AED 1M
Critical Distinctions — Most Common Classification Errors
Platform ≠ MTF
Not all platforms are MTFs. An MTF exists where multilateral trading occurs — where multiple buyers and sellers interact through the platform to execute trades. A platform that facilitates peer-to-peer transactions or operates as an intermediary without multilateral matching may not constitute an MTF. This distinction affects whether Category 6 applies.
Custody Is a Separate Licence
Custody requires its own Category 3 licence — it is not included within an exchange (Cat 6), broker (Cat 2), or any other licence category. A firm that holds client private keys, controls client wallets, or administers client assets in any form is performing custody and must be separately authorised for it. This is one of the most frequently missed classification requirements in CMA applications.
Transfer Is Regulated — with AML and Travel Rule Implications
Transfer of virtual assets is a regulated activity — covering settlement, AML/CFT obligations, and Travel Rule compliance. Firms whose business model includes transfer functionality must ensure the relevant licence category is included and the Travel Rule transaction information architecture is in place before operations commence.
Issuance Services Are Regulated
Providing financial services related to the issuance or sale of virtual assets constitutes a regulated activity — typically mapped to Category 4 (Advisory/Arranging). Firms providing advisory, structuring, or placement services in connection with token launches must assess whether this activity triggers a CMA licensing requirement.
💡
Prudential Expectations & Why Early Classification Matters
What the CMA Expects Across All Categories — and the Structuring Risks of Getting Classification Wrong
Across all six licensing categories, the CMA expects paid-up capital, ongoing capital adequacy, governance and controls, risk management systems, cybersecurity frameworks, and client asset protection. Getting the classification wrong — or committing to a multi-category strategy without modelling the combined obligations — creates structuring risks that are difficult and expensive to remediate after applications are filed.
What the CMA Will Scrutinise
🔍
🔍
🔍
🔍
🔍
🔍
🔍
🔍
Why Early Classification Matters — The Cost of Getting It Wrong
✕
✕
✕
✕
✕
✕
The CMA Framework — Key Takeaway
⚖️ Activity-based— your exposure is determined by what you actually do
📋 Layered — three layers must align: VA activity, financial activity, licence category
💰 Capital-driven — capital is central to licensing, not a filing formality
⚙️ Compliance-intensive — governance, AML, custody, and cyber obligations apply across all categories
What CRYPTOVERSE Legal Delivers
CMA Activity Classification, Capital Optimisation, and End-to-End Licensing Support — Across All Three Layers and All Six Categories
We advise on CMA regulatory perimeter analysis, activity classification, capital structuring, and full licensing readiness — ensuring alignment between the business model, rulebook obligations, and supervisory expectations across all three layers of the CMA framework.
🔍
CMA Activity Classification
We map the proposed business model through all three CMA layers — identifying the applicable VA activities (Layer 1), the financial activities they constitute (Layer 2), and the licence categories and capital requirements that result (Layer 3). Classification is resolved before any application strategy is committed to — the most consequential pre-filing decision.
⚖️
Licensing Strategy & Activity Mapping
We design the licensing strategy — advising on which categories are required for the business model, how combination models affect combined capital and compliance obligations, and how to structure the activity scope to manage supervisory intensity without unnecessarily triggering higher-capital categories or broader rulebook obligations.
💰
Capital Optimisation
We model the capital requirement for single and multi-category licensing structures — identifying the most capital-efficient combination of categories for the actual business model, applying ongoing capital adequacy requirements and prudential overlays, and advising on capital uplift obligations where client assets are held under Category 3.
📋
Regulatory Business Plans
We draft the regulatory business plan for CMA licensing — covering the nature and scope of activities mapped to the correct categories, target markets and client types, revenue model, operational structure, risk assumptions, and financial projections — in a format designed to demonstrate credibility to the CMA across the IPA and full application stages.
🛡️
AML / Travel Rule Frameworks
We design the AML/CFT framework and Travel Rule transaction information architecture — tailored to the specific CMA categories in scope, covering risk-based policies, CDD/EDD frameworks, sanctions screening, transaction monitoring, STR procedures, counterparty VASP due diligence, and unhosted wallet controls aligned to UAE-wide AML obligations.
🔒
Custody Architecture
For Category 3 applicants and firms with custody components, we design the custody framework — covering client asset segregation, private key governance, reconciliation architecture, third-party custodian due diligence, independent audit requirements, and failure planning — aligned to CMA custody rules and operational expectations.
🏛️
ATS / MTF Market Infrastructure Design
For Category 6 Exchange/MTF operators, we design the market infrastructure regulatory architecture — including the formal platform rulebook, market surveillance and manipulation controls, pre- and post-trade transparency frameworks, asset admission and disclosure standards, and technology and system integrity controls under the CMA's ATS Module.
📂
End-to-End Licensing Support
We manage the complete CMA licensing journey — from IPA through full application, regulatory review and clarification rounds, capital readiness confirmation, and final licence approval. We also build the post-authorisation compliance infrastructure so the business is ready for CMA supervision across all licensed categories from the first day of operations.
From Three-Layer Activity Classification Through to CMA Licence Approval and Post-Authorisation Compliance — Complete UAE VASP Activity Structuring Support
- We map all proposed activities through the three CMA layers — VA activity, financial activity, and licence category — before any application strategy or capital commitment is made
- We model single and multi-category capital requirements, identify the most capital-efficient licensing structure, and advise on how combination models affect combined obligations
- We design AML/Travel Rule frameworks, custody architecture, and ATS market infrastructure — each tailored to the specific CMA categories in scope, not drawn from generic templates
- We manage the end-to-end CMA licensing process and build post-authorisation go-live readiness — so the business operates within correctly scoped licences from day one of authorised activity
FAQs
Frequently Asked Questions — CMA Crypto Activities (UAE Mainland)
Yes, if multiple regulated virtual asset activities are performed. The CMA’s authorisation model is per activity — a firm performing dealing as principal, custody, and MTF operation would need Category 1, Category 3, and Category 6 licences respectively. Capital requirements combine across categories: Category 1 (AED 4M) + Category 3 (AED 3M) + Category 6 (AED 500K) = AED 7.5M minimum before prudential overlays. Combination models must be mapped and modelled before the licensing strategy is committed to — post-application expansion to additional activities requires a separate approval process.
No. Custody is a separate regulated activity requiring its own Category 3 licence. An exchange (Category 6 — MTF) licence covers the operation of the trading platform and the matching of buyers and sellers. It does not cover the safekeeping and control of client virtual assets, holding client private keys, or administering client wallets. Any exchange that holds client assets — rather than requiring clients to self-custody — is performing custody and must be separately authorised for it under Category 3. This is one of the most common classification gaps in CMA applications from exchange operators.
Yes — but each expansion requires CMA approval before the new activity commences. Operating outside the scope of the approved licence is a regulatory breach, not an administrative matter. If the business intends to expand from advisory (Category 4) to brokerage (Category 2) or custody (Category 3), a formal application to amend the licence scope is required — including updated capital, governance, and compliance documentation for the additional category. The correct approach is to map all anticipated activities before the initial licence application and consider whether to apply for the full intended scope from the outset rather than expanding incrementally.
The minimum paid-up capital varies by licence category: Category 1 (Dealing as Principal) — AED 4M; Category 2 (Dealing as Agent) — AED 1M; Category 3 (Providing Custody) — AED 3M; Category 4 (Advisory/Arranging) — AED 1M; Category 5 (Portfolio Management) — AED 1M; Category 6 (MTF/Exchange) — AED 500K. These are minimum thresholds — not the effective capital floor. Capital adequacy is an ongoing requirement, capital uplift applies where client assets are held, and multi-category firms face combined capital requirements across all licensed categories. The headline minimum is rarely the total capital commitment required in practice.
In practice, “activity-based” means that what the business actually does — not what it calls itself or how it describes its model — determines the licensing requirement. A firm that describes itself as a “technology platform” but matches buyers and sellers of virtual assets is operating an MTF and requires Category 6. A firm that describes itself as a “wallet provider” but holds client private keys is performing custody and requires Category 3. The CMA assesses the substance of the activity across all three layers — VA activity, financial activity, and licence category — not the label applied to it. Early, honest activity mapping through all three layers is the foundation of a defensible CMA licensing strategy.
Ready to Map Your Business Model Through the CMA's Three-Layer Framework?
Book a CMA Structuring Call
Whether you are classifying a new business model, re-evaluating an existing structure, or preparing a multi-category application — we map all activities through all three layers and build the licensing strategy around what you actually do.