The Dubai International Financial Centre (DIFC) operates a distinct, mature framework for crypto-assets overseen by the Dubai Financial Services Authority (DFSA). Since 2021–2022 the DFSA has implemented an “investment token” regime and a comprehensive “crypto token” regime. In DIFC, regulated firms may only provide financial services in relation to Recognised Crypto Tokens (RCTs), and are subject to detailed conduct, disclosure, prudential, technology and AML/CTF controls. “Excluded Tokens” (utility tokens and NFTs used for non-financial access) sit outside financial-services regulation but trigger AML/CTF registration and separation duties. Privacy and algorithmic “stable” tokens are prohibited. Selected fiat-referenced stablecoins have recently been recognised for use in DIFC. 

Scope note. This article focuses on DIFC/DFSA rules. DIFC is a federal financial free zone with its own regulator and rulebook; onshore Dubai virtual asset supervision by VARA does not apply inside DIFC.

1) Core architecture: what is regulated?

1.1 “Crypto Tokens” vs Excluded Tokens

Under the DFSA Rulebook:

  • A Crypto Token is a token used or intended to be used as a medium of exchange, for payment or for investment. Only Recognised Crypto Tokens may be used for regulated financial services in DIFC.
  • Excluded Tokens – including Utility Tokens and Non-Fungible Tokens (NFTs)  – are outside the financial-services perimeter unless they qualify as an “Investment Token”. They nonetheless attract AML/CTF obligations and a separation rule (see §3.3).
  • A Fiat Crypto Token (DFSA terminology for a fiat-referenced stablecoin) is separately defined in the rulebook.

1.2 Recognition requirement (the “RCT” gateway)

DFSA operates a two-track recognition mechanism:

  1. a one-off Initial List published at regime commencement (GEN 3A.4); and
  2. ad-hoc recognition upon application by an issuer/developer or (prospective) Authorised Firm (GEN 3A.3), assessed against specific recognition criteria. When DFSA recognises a token it publishes a notice and maintains a register.

Consequence. Authorised Firms may only provide financial services in relation to Recognised Crypto Tokens; using unrecognised tokens for regulated services is prohibited (GEN 3A.2.1–3A.2.2; AMI 5.8.1(4) for trading venues).

2) What you can (and cannot) do in DIFC

2.1 Permitted financial services (high level)

DFSA extends existing financial-services permissions to cover crypto, including advising, arranging, dealing (as agent/principal), custody, operating a multilateral trading facility (MTF)/exchange, and managing assets, subject to crypto-specific overlays.

For trading venues (Authorised Market Institutions), only RCTs (and derivatives over RCTs) can be admitted or traded; business rules must include explicit investment criteria.

2.2 Strict prohibitions

DFSA’s GEN 3A.2 creates bright-line prohibitions:

  • Unrecognised tokens. Financial services relating to unrecognised or derecognised crypto tokens are not permitted (custody is the sole exception, subject to conditions).
  • Privacy tokens and privacy-enhancing devices. Use is prohibited in DIFC.
  • Algorithmic tokens. Prohibited due to transparency/efficacy concerns.
  • Money services & crypto. A Money Services Provider may not use crypto tokens in its business except for permitted use of a Fiat Crypto Token; it cannot carry on other financial services relating to crypto tokens.

2.3 Separation of regulated and unregulated business

An Authorised Person must not carry on both regulated Crypto Token business and unregulated NFT/utility-token business (save that a firm permitted to Provide Custody may custody NFTs/utility tokens). This is the GEN 3A.2.4 separation rule designed to avoid consumer confusion.

3) The current Recognised Crypto Token landscape

DFSA publishes recognition notices and maintains a register. The recognised set has expanded over time:

  • Initial List (1 November 2022): BTC, ETH, LTC. Subsequent recognitions added XRP and TON (2 November 2023), and ZETA (15 November 2024).
  • Stablecoins: On 17 February 2025 DFSA recognised USDC and EURC as RCTs – the first fiat-referenced stablecoins approved under the regime (notice under GEN 3A.3.4).
  • Additional recognition: Ripple’s RLUSD was recognised on 3 June 2025.

Trading venues in DIFC may therefore admit and trade only this recognised set (and derivatives thereon), and firms may advise/arrange/deal only in relation to these RCTs.

4) Client-protection and conduct overlays (COB 15)

DFSA has built a dedicated “COB 15” layer for crypto business:

4.1 Information duties

  • Key Features Document (KFD) and white paper dissemination: firms must provide specified disclosures to clients, including product features and risks.
  • Ongoing information for MTFs: venues must publish and maintain token disclosures (COB 15.3).

4.2 General requirements and retail protections

  • Appropriateness assessment. Before dealing, arranging, advising or providing access to a venue in respect of crypto tokens/derivatives, a firm must assess whether the product/service is appropriate for the client (COB 15.6 – Appropriateness Assessment).
  • No incentives. Offering incentives to invest/trade in crypto tokens is prohibited (COB 15.6Offer of incentives prohibited).
  • Use of credit. Firms must not allow or facilitate use of credit for trading in crypto tokens (COB 15.6 – Use of credit for trading in Crypto Tokens).
  • Lending and staking. Additional constraints apply – particularly to Retail Clients – in relation to crypto lending and staking services (COB 15.6 – Lending and staking).
  • Leverage-loss cap (derivatives). Retail Clients’ liability on crypto-token derivatives is capped at the funds in the client’s trading account (COB 15.6.8 and Guidance).
  • Terminology controls & risk warnings. Restrictions on using certain terms and mandatory warnings apply; firms cannot present past performance in a misleading way (COB 15.5 and 15.6 headings; also general COB rules on fair, clear, not misleading).

4.3 Technology governance and audits

Firms must comply with technology and governance requirements tailored to crypto businesses (COB 15.7) and obtain technology audit reports (COB 15.8). These provisions sit alongside broader DFSA operational resilience expectations.

5) AML/CTF and sanctions controls (AML Module)

DIFC’s AML regime applies to Authorised Firms and to DNFBPs (including issuers/platforms dealing with NFTs and utility tokens).

Key crypto-specific obligations include:

  • Travel Rule for transfers. Additional requirements for Crypto Token transfers (AML 9.3A) and for NFT/Utility Token transfers (AML 9.3B) apply alongside general electronic-fund-transfer rules.
  • CDD & ongoing monitoring. Firms must adopt a risk-based approach (AML 4–7), appoint a MLRO (AML 11), and file SARs (AML 13).
  • Group, branches and subsidiaries; record-keeping; annual AML return. (AML 14.) 

Practical point. Even where a token is Excluded (NFTs/utility tokens), issuers or service providers may need to register as DNFBPs for AML supervision, and Authorised Persons must not mix that unregulated activity with regulated crypto business (except custody) (GEN 3A.2.4).

6) Prudential and market-infrastructure considerations

  • Trading venues & clearing. AMIs operating facilities for crypto tokens must embed admission criteria and ensure only RCTs (and derivatives over RCTs) are tradable/clearable (AMI 5.8.1(4)); additional Part 5B requirements apply to facilities for crypto tokens.
  • Prudential (PIB) baseline. The standard DFSA prudential framework (PIB) applies by category, including credit, market and liquidity risk; firms should pay attention to collateral haircuts/valuation, liquidity stress, and operational risk in crypto contexts.

7) Funds and portfolio management with crypto exposure

DFSA restricts fund activity in relation to unrecognised tokens:

  • An Authorised Firm must not manage, offer or promote a Fund that invests in unrecognised crypto tokens (including indirect exposure via derivatives, indices, feeders or ETFs), and may only manage discretionary portfolios referencing Recognised tokens. (GEN 3A.2.1(3); associated Guidance.)

8) Token recognition – process, fees and revocation

  • Who can apply? Issuer/developer, an Authorised Person (e.g., MTF), or an applicant for authorisation. DFSA assesses against GEN 3A.3 criteria; recognition notices are published.
  • Application fee. The DFSA Fees Module prescribes a USD 10,000 application fee for token recognition.
  • Revocation. If a recognised token ceases to meet GEN 3A.3 criteria, DFSA may revoke recognition (with notice), after which the token becomes “derecognised,” and firms must cease regulated activities involving it (custody being the narrow exception).

9) Recent developments: stablecoin recognition

DFSA’s recognition of USDC and EURC on 17 February 2025 materially expanded payment and treasury use-cases in DIFC, followed by recognition of RLUSD (3 June 2025). Firms should assess money-services interfaces (GEN 3A.2.5), settlement flows, and Travel Rule alignment when integrating stablecoins into client offerings.

10) Authorisation routes and sandboxing

Prospective firms have two main routes:

  1. Full authorisation for the relevant financial services (e.g., dealing, custody, operating an MTF), with crypto-specific overlays (COB 15, AMI 5B).
  2. Innovation Testing Licence (ITL) – DFSA’s sandbox permitting time-limited, closely supervised testing of innovative models prior to full licensing.

11) Key compliance checkpoints (practical)

  • Token scoping: confirm each asset is an RCT (GEN 3A.2.1 / AMI 5.8.1(4)). Establish a monitoring mechanism for recognition updates and revocations.
  • Perimeter separation: if you operate any NFT/utility-token platform or issuance activity, segregate it from authorised crypto business; only custodians may handle NFTs/utility tokens within the authorised entity (GEN 3A.2.4).
  • Retail controls: build appropriateness, no-credit, no-incentives, and loss-cap controls into client journeys and venue logic.
  • Disclosures: implement KFD/white-paper provision and on-venue token information (COB 15.3/15.5).
  • Technology assurance: schedule periodic technology audits and maintain crypto-specific operational resilience under COB 15.7–15.8.
  • AML/CTF: embed Travel Rule controls (AML 9.3A/9.3B), CDD and sanctions processes adapted to on-chain risk signals.
  • Funds/mandates: restrict products and discretionary portfolios to RCTs only; prohibit fund exposure to unrecognised tokens (direct/indirect).

12) DIFC vs. onshore Dubai (quick contrast)

  • In DIFC: DFSA’s recognition-based model requiring RCTs, with strict prohibitions (privacy/algorithmic), detailed COB 15 conduct rules, and AML 9.3A/9.3B for crypto/NFT transfers.
  • Onshore Dubai: VARA operates a separate regime for VASPs; it does not apply within DIFC. (This article does not summarise VARA obligations.)

13) Enforcement and supervisory posture

DFSA couples rule-based expectations with public notices, recognition revocations where warranted, and thematic supervision (including cyber/operational risk). Firms should expect close scrutiny of retail protections, technology-change governance, and AML Travel Rule implementation. (See DFSA Rulebook and AML/COB/AMI modules cited throughout.)

DIFC’s crypto framework is deliberately narrow on product scope – only Recognised Crypto Tokens – yet deep on controls. For firms, the operating model begins with token recognition hygiene, then layers COB 15 client protections, AMI venue governance where applicable, PIB prudential discipline, technology audits, and AML 9.3A/9.3B travel-rule compliance. The 2025 recognition of USDC/EURC and 2025 addition of RLUSD extend legitimate payment and treasury rails inside DIFC, but the perimeter and prohibitions remain intact. A successful DIFC build therefore aligns product design with recognition status, retail guardrails, and operational resilience from day one.

Disclaimer:

This publication is for general information only and does not constitute legal advice. It is based on publicly available DFSA materials and notices cited above. Regulatory requirements are subject to change; you should obtain specific legal advice on your facts and proposed activities before taking any action.

FAQs:

1. Who regulates crypto assets in DIFC?

Crypto activities in the Dubai International Financial Centre (DIFC) are regulated by the Dubai Financial Services Authority (DFSA), which operates an independent, recognition-based crypto framework.

2. What are Recognised Crypto Tokens (RCTs)?

Recognised Crypto Tokens are DFSA-approved tokens permitted for regulated financial services in DIFC. Only RCTs like BTC, ETH, XRP, TON, ZETA, USDC, EURC, and RLUSD can be used in DIFC-regulated activities.

3. Are NFTs and utility tokens regulated in DIFC?

NFTs and utility tokens are classified as “Excluded Tokens.” They fall outside financial regulation but still require AML/CTF registration and operational separation from regulated crypto activities.

4. Are stablecoins allowed in DIFC?

Yes. DFSA has recognised USDC, EURC, and RLUSD as fiat-referenced stablecoins for use in regulated DIFC financial services, expanding payment and treasury use-cases.

5. Are privacy or algorithmic tokens permitted in DIFC?

No. DFSA prohibits the use of privacy tokens and algorithmic “stable” tokens due to transparency and reliability concerns.

6. What is the difference between DIFC and onshore Dubai crypto regulation?

DIFC follows DFSA’s recognition-based crypto framework, while onshore Dubai is regulated by VARA. VARA’s rules do not apply inside DIFC.

Newer Crypto Regulations in DIFC (DFSA): A Practitioner’s Guide for Founders, Funds, and Market Infrastructures
Back to list
Older Crypto Regulations in ADGM