- Dubai — VARA Licensing Framework
VARA Arrangement Licensing Requirements
Legal, prudential, governance, AML, technology, and operating requirements every Virtual Asset Service Provider must satisfy before carrying on regulated VA Activities in or from Dubai.
VARA Requirements — At a Glance
⚖️
Activity-based licensing — authorisation required for each specific VA Activity before operations commence
🏦
Capital ranges from AED 100K (Advisory) to AED 1.5M (Exchange without approved custody arrangement)
👥
2 Responsible Individuals required — full-time, fit & proper, UAE resident or passport holder
🛡️
AML is a core licensing pillar — not a post-approval enhancement
📋
Detailed Regulatory Business Plan required — under-capitalised or misaligned RBPs will slow approval
Who Must Obtain a VARA Licence
VARA Licensing Is a Multi-Layered Regulatory Assessment — Not a Single Filing
Any person conducting regulated Virtual Asset Activities in or from Dubai must obtain the relevant VARA authorisation before commencing operations. VARA operates an activity-based framework — a firm must be authorised for each specific VA Activity it intends to undertake, and each added activity increases regulatory scope, capital requirements, compliance obligations, and annual supervision fees.
VARA licensing is not a single filing — it is a comprehensive regulatory assessment across six core pillars. Mandatory requirements span the legal entity structure, capital and prudential adequacy, governance and substance, AML and financial crime controls, technology and operational resilience, and the Regulatory Business Plan. All six must be satisfied simultaneously at submission.
The most common licensing failures are not legal theory errors. They are execution failures — applying under the wrong activity, underestimating capital, weak AML controls, incomplete governance, immature technology, insufficient UAE substance, and poorly drafted RBPs. Getting each pillar right before submission is the entire structuring challenge.
🔴
The Licensing Question Is Never Just “Do We Need a Licence?” It is “Which exact licence scope does the business model require?” — and the answer determines capital, governance, AML depth, technology expectations, and every compliance obligation that follows.
The 6 Core Licensing Requirement Pillars
01
Legal Entity, Ownership & Corporate Structure
Entity formation, UBO transparency, constitutional records, governance documents, outsourcing and wind-down planning
02
Capital & Prudential Adequacy
Paid-up capital, NLA, reserve assets, insurance — activity-specific and continuously maintained
03
Governance, Substance & Fit-and-Proper
RIs, CO, MLRO, CISO, board composition, independence, committee requirements, UAE substance
04
AML / CFT & Financial Crime Controls
EWRA, CDD, EDD, sanctions, STR/SAR, Travel Rule, client money safeguards, ABC controls
05
Technology, Security & Operational Resilience
IT governance, cybersecurity, key management, incident response, BCDR, staff training
06
RBP, Recordkeeping & Ongoing Supervision
Regulatory Business Plan, audit trails, conflict registers, complaint records, ongoing reporting
📋
6 Pillars
Core licensing requirement areas — all must be satisfied simultaneously at submission
👥
2 RIs Required
Responsible Individuals — full-time, UAE resident or passport holder, VARA-approved
🏦
AED 100K–1.5M
Activity-specific paid-up capital — stacked for each additional licensed activity
⚡
Activity-Specific
VARA authorisation is needed for each VA Activity — no single licence covers all activities
The Six Core Pillars — In Depth
VARA Mandatory Requirements Across All Six Licensing Pillars
Every VARA applicant must satisfy requirements across all six pillars — there is no sequencing, no partial credit, and no approval before all conditions are met. Pillars 3 and 4 (Governance and AML) receive the deepest VARA scrutiny and are the most common causes of extended review cycles.
P 01
🏗️
Legal Entity, Ownership & Corporate Structure
A VARA applicant must demonstrate a properly established Dubai/UAE legal entity with a lawful operating structure. In practice, opaque ownership, weak structuring, or governance by nomination without real substance creates immediate regulatory friction.
Required Demonstrations
- Properly established Dubai/UAE legal entity and lawful operating structure
- Full ownership chain and UBO transparency — no unresolved layers
- Corporate governance documents and constitutional records in place
- Fit-and-proper governance arrangements implemented
- Outsourcing controls and material change controls documented
- Wind-down planning and prudential readiness embedded into the entity structure
📄
Opaque ownership or nominal governance arrangements create immediate regulatory friction at submission
P 02
🏦
Capital & Prudential Requirements
VARA applies an activity-specific paid-up capital regime — not a one-size-fits-all threshold. Beyond paid-up capital, four further prudential obligations must be maintained continuously after licensing. Capital planning must be completed before filing — not after.
Paid-Up Capital by Activity
Activity
Minimum PUC
Advisory Services
AED 100,000
VA Mgmt & Investment (with custody)
Higher of AED 280,000 or 15% FAOs
Broker-Dealer (with custody)
Higher of AED 400,000 or 15% FAOs
Transfer & Settlement / Lending
Higher of AED 500,000 or 25% FAOs
Custody / Broker-Dealer (without approved custody arrangement)
Higher of AED 600,000 or 25% FAOs
Exchange Services (with approved custody arrangement)
Higher of AED 800,000 or 15% FAOs
Exchange Services (without approved custody arrangement)
Higher of AED 1,500,000 or 25% FAOs
Additional Prudential Requirements
- Net Liquid Assets of at least 1.2× monthly operating expenses — reconciled daily
- Insurance adequate to size and complexity — PI, D&O, commercial crime
- Reserve Assets equal to 100% of client VA liabilities — held 1:1 in same VA
- Daily and monthly prudential monitoring and reconciliation to VARA
P 03
👥
Governance, Substance & Fit-and-Proper
VARA expects real management substance and approved control persons — not nominal appointments or outsourced governance structures that lack genuine oversight capability. The people behind the business are evaluated as carefully as the documentation.
Responsible Individuals (RIs)
- 2 Responsible Individuals required — VARA-approved during licensing
- Full-time employees — not part-time or shared appointments
- Fit and proper — competence, integrity, and financial soundness assessed
- UAE resident or UAE passport holder
Mandatory Control Functions
- Compliance Officer (CO): full-time, experienced, UAE resident/passport, Board reporting line
- Money Laundering Reporting Officer (MLRO): fit and proper, AML/CFT capable
- Chief Information Security Officer (CISO): cybersecurity governance and Tech & Information compliance
- Risk function and internal audit proportional to size and complexity
Enhanced Board Standards (Exchange & Custody)
- At least one independent director on the board
- Quarterly board meetings held and documented
- Audit, nomination, and remuneration committees established
- Governance record retention requirements satisfied
P 04
🛡️
AML / CFT & Financial Crime Controls
AML is a core licensing pillar — not a post-approval enhancement. For operating models involving transfers, settlement, brokerage, or cross-border counterparties, AML readiness is heavily scrutinised during the licensing review. A generic or template-based AML programme will not satisfy VARA.
Applicants Must Implement
- Enterprise-wide AML/CFT risk assessment (EWRA) — documented and current
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)
- Sanctions screening — real-time, covering all customers and transactions
- STR/SAR processes — documented escalation and reporting procedures
- Travel Rule capability — where applicable to the licensed activities
- Client money and client VA safeguards, reconciliation, and reporting
- Anti-bribery and corruption controls
- Sponsored VASP controls where the regime is used
🛡️
AML readiness is the most scrutinised pillar — weak controls are the leading cause of extended review cycles
P 05
💻
Technology, Security & Operational Resilience
Technology maturity is a licensing condition under VARA — especially for Exchange, Custody, Broker-Dealer, and Transfer & Settlement models. For higher-risk operating models, VARA will expect the tech stack and governance model to match the complexity and risk of the licensed business.
Applicants Must Demonstrate
- Technology governance and IT risk assessment framework in place
- Cybersecurity policy maintained under CISO oversight
- Wallet and key management controls — where applicable to the model
- Incident response procedures and regulatory reporting pathways
- Business continuity and disaster recovery (BCDR) — tested at least annually
- Staff competency programmes and role-based security training
💻
Technology maturity is assessed against the specific risk profile of the licensed activity — aspirational designs are not sufficient
P 06
📊
Regulatory Business Plan, Recordkeeping & Ongoing Supervision
Regulatory Business Plan (RBP) — Minimum Content
VARA applicants must submit a detailed RBP. Under-capitalised models, unrealistic projections, or RBPs that do not align with the actual operating model are likely to slow or weaken the application significantly.
- Revenue projections — realistic and commercially defensible
- Expense forecasts — including prudential and compliance costs
- Capital planning — showing adequacy over the projection period
- Risk profile — material risks identified and mitigated
- Client segmentation — investor types and onboarding criteria
- Product roadmap — current and planned offerings
- Compliance infrastructure — systems, policies, and oversight arrangements
- Governance and operational model — how the business will be managed
Recordkeeping & Disclosure Requirements
VARA's rulebooks are documentation-heavy. If a process exists in practice, the applicant should expect to evidence it in writing — VARA does not accept verbal assurances in place of documented controls.
- Accurate books and records — complete and auditable
- Retention of all marketing materials and disclosures
- Client classification and categorisation documentation
- Conflict-of-interest register — maintained and current
- Complaint handling records — full lifecycle documentation
- Audit trail for all regulatory reporting — complete and retrievable
📋
Documentation Principle: If a process exists in practice, VARA will expect it evidenced in writing. Undocumented controls are treated as absent controls during the licensing review.
Activity-Specific Rulebook Requirements
Beyond the Baseline — Activity-Specific Add-Ons
In addition to the six baseline pillars, applicants must satisfy the activity-specific rulebooks that apply to their exact permission set. These add-on requirements sit on top of the baseline and increase materially for higher-risk or more complex activities.
Exchange Services Add-On
⚡
Exchange Services Rulebook
Exchange operators face the most extensive activity-specific obligations, reflecting the market infrastructure role and the elevated risk of market abuse, volatility, and systemic exposure.
- Market surveillance and market abuse monitoring systems
- Transparent trading rules and disciplinary framework
- Systems resilience and stress testing — evidence required
- Settlement procedures and incident handling protocols
- Margin trading only where expressly authorised by VARA
Custody Services Add-On
🔐
Custody Services Rulebook
Custody carries the strongest safeguarding and asset protection obligations in the VARA framework — reflecting the direct control over client virtual assets and the heightened risk of loss or misappropriation.
- Strongest safeguarding and segregation controls
- Wallet architecture — hot/warm/cold design and key ceremony controls
- Client asset reporting — individual client-level reconciliation
- Enhanced governance standards — independent director, committees
Broker-Dealer Add-On
🤝
Broker-Dealer Services Rulebook
Broker-Dealer activities attract specific conduct obligations — particularly around execution quality, conflict management, and client protection from inducement-driven routing or principal-dealing risks.
- Best execution style standards — quality and consistency of execution
- Inducement and routing conflict restrictions
- Principal dealing controls — limits and disclosure requirements
- Margin safeguards where expressly authorised by VARA
💡
Activity-Specific Scope Grows with Complexity. Transfer & Settlement, Lending & Borrowing, and VA Management & Investment each carry their own activity-specific rulebook requirements on top of the six baseline pillars. The full compliance scope must be mapped before the licensing strategy is designed — not during the application process.
Ongoing Obligations & Common Failure Points
Licensing Is Not a One-Time Approval — and These Are the Most Common Failure Points
Once licensed, a VASP faces a continuous set of ongoing obligations that must be maintained throughout the licence period. Understanding where applications most commonly fail at the pre-submission stage is as important as understanding what the requirements are.
Ongoing Licensing Obligations
- Annual Supervision Fees
Payable in advance for each licensed activity — AED 80,000 (lower tier) or AED 200,000 (higher tier) per activity per year.
- Continuous Capital Adequacy
PUC, NLA, reserves, and insurance must be maintained, reconciled, and reported at all times — daily and monthly obligations apply.
- Regulatory Reporting
Periodic prudential returns, reserve asset audits, and compliance reporting submitted on schedule and in the required format.
- Incident Notification
Material cybersecurity incidents, prudential shortfalls, and operational events must be notified to VARA immediately with follow-up updates until resolved.
- Approval for Material Changes
Changes in ownership, governance, or licence scope require VARA approval before implementation — not notification after the fact.
Common Licensing Failure Points
✕
Wrong Activity Classification
Applying under the wrong activity — or underestimating which activities the operating model requires — creates scope issues, capital miscalculation, and potential enforcement exposure after licensing.
✕
Underestimated Capital Requirements
Failing to model the overhead-based PUC calculation — or not accounting for the stacked capital obligation across multiple activities — produces a capital commitment that was not planned for.
✕
Weak AML and Travel Rule Controls
Generic or template-based AML programmes that are not calibrated to the specific risk profile of the business and the licensed activities — the leading cause of extended VARA review cycles.
✕
Incomplete Governance Documentation
Governance frameworks that exist on paper but are not supported by credible management appointments, real operational substance, and documented decision-making structures in Dubai.
✕
Immature Technology Controls
Technology documentation that describes aspirational designs rather than operational systems — or tech architectures that do not match the risk profile of the licensed activity.
✕
Insufficient UAE Substance
Entities with no genuine local management presence, no operational decision-making in Dubai, or governance that relies entirely on offshore personnel without UAE residency or passport status.
✕
Poorly Drafted Regulatory Business Plan
RBPs with unrealistic projections, misaligned business model descriptions, or financial models that do not demonstrate capital adequacy — frequently the document that exposes weaknesses across all other pillars.
VARA Licensing Readiness & Our Support
The VARA Licensing Readiness Checklist — and How We Help
Before any VARA application is filed, every item on this checklist must be in place — documented, operationally implemented, and capable of evidencing compliance under regulatory scrutiny. We help applicants build toward every item before the application is submitted.
✔
Activity classification confirmed — correct scope identified
✔
UAE legal entity established — proper structure, UBOs transparent
✔
Paid-up capital available and held in VARA-approved form
✔
NLA position modelled — eligible assets ring-fenced
✔
Reserve assets framework designed and operational
✔
Insurance in place — PI, D&O, commercial crime
✔
2 Responsible Individuals identified and ready for VARA approval
✔
CO, MLRO, CISO appointed and fit-and-proper ready
✔
Governance framework — reporting lines, committees, board composition
✔
AML/CFT framework — EWRA, CDD, EDD, Travel Rule operational
✔
Technology governance, BCDR, and cybersecurity policy in place
✔
Regulatory Business Plan — complete, aligned, and credible
What We Deliver
From High-Level Ambition to a VARA-Ready Licensing File
We help applicants move from ambition to a complete, VARA-ready file — translating rulebook requirements into board-grade implementation across every licensing pillar, before submission and through to approval.
🗺️
Regulatory Perimeter Analysis
We confirm which VA Activities the operating model requires authorisation for, identify combination risks, map the full compliance scope across baseline and activity-specific rulebooks, and produce the regulatory perimeter memo that anchors the entire licensing strategy.
💰
Capital Modelling & Prudential Planning
We model paid-up capital, NLA, reserve assets, and insurance requirements — including the overhead-based PUC calculation — across the proposed activity combination, and produce the board-ready capital plan and prudential support pack that VARA expects at submission.
🏗️
Governance Framework Drafting
We design and document the governance framework — board composition, RI appointments, CO/MLRO/CISO roles, committee structures, reporting lines, and outsourcing controls — in the format and depth required to satisfy VARA's governance and substance expectations.
🛡️
AML & Travel Rule Implementation
We design and implement the complete AML/CFT programme — EWRA, CDD/EDD, transaction monitoring, sanctions screening, STR/SAR procedures, Travel Rule compliance architecture, and the MLRO function — calibrated to the specific activities and operating model being licensed.
💻
Technology Governance & Control Architecture
We design the technology governance framework, cybersecurity policies, wallet and key management controls, incident response procedures, and BCDR arrangements — ensuring the technology documentation reflects operational maturity, not aspirational design.
📊
Regulatory Business Plan Drafting
We draft the Regulatory Business Plan — the primary narrative document in the VARA application — presenting a complete, credible, and commercially coherent picture of the business, with projections, capital plan, risk profile, and compliance infrastructure aligned across every section.
📋
Full Application File Preparation
We prepare the complete VARA application file — all documentation across all six pillars, plus activity-specific rulebook requirements — ensuring every document is internally consistent, complete, and evidences the operational readiness VARA expects before granting approval.
🔄
Regulator Engagement & Post-Licensing Support
We manage all VARA interactions throughout the review process — query responses, management meetings, Q&A coordination — and support the transition to operational compliance after licensing, including ongoing compliance buildout and supervisory engagement management.
End-to-End VARA Licensing — From Regulatory Perimeter to Licence Grant
- We confirm the correct activity classification and full regulatory perimeter before any application work begins
- We build the governance framework, AML programme, technology controls, and capital plan across all six pillars simultaneously
- We draft the Regulatory Business Plan and complete application file to VARA's approval standards — consistent, complete, and evidenced
- We manage all VARA engagement through submission, review, query rounds, and post-approval compliance buildout
VARA licensing is a multi-layered regulatory assessment — not a filing exercise. Every pillar must be built before submission, not promised after approval is granted.
FAQs
Frequently Asked Questions — VARA Mandatory Licensing Requirements
Yes. Regulated VA Activities may only lawfully commence after the relevant VARA licence has been issued. Operating without the required authorisation — including running a soft launch, beta product, or limited-access platform — is a regulatory breach if the activity falls within VARA’s licensing perimeter. The licensing obligation applies to activities conducted in or from Dubai, including those delivered digitally or through platforms accessible to UAE users. The correct approach is to complete the full licensing process before any commercial activity begins.
Yes. Capital must be demonstrably available and maintained in the required form before and after licensing. VARA does not approve applications on the basis of a commitment to capitalise after the licence is received — the paid-up capital must be held in an approved form (trust account, surety bond, or VARA-specified method) at the time of submission and continuously thereafter. Capital planning should therefore be completed before filing begins, not discovered as a post-approval requirement.
No. VARA has four baseline rulebooks that apply to all licensed VASPs — covering Company, Compliance and Risk Management, Technology and Information, and Market Conduct standards. In addition, each licensed activity carries its own activity-specific rulebook with additional obligations tailored to the risk profile of that activity. Exchange and Custody activities carry the most extensive add-on requirements. The correct compliance scope can only be determined once the precise activity classification has been confirmed — which is why activity mapping must be completed before the licensing strategy is designed.
No. VARA allows certain outsourcing arrangements for specified functions — such as MLRO, CISO, and Data Protection Officer roles — subject to strict outsourcing controls, documented oversight, and VARA comfort with the arrangement. However, outsourcing a function does not transfer the responsibility for compliance from the licensed entity to the service provider. The licensed VASP retains full accountability, and the control framework — including oversight of the outsourced function — must be credible, documented, and operational. Governance by nomination without real management substance in Dubai will not satisfy VARA’s substance requirements.
The most common causes of extended review cycles — in order of frequency — are: weak or generic AML/CFT frameworks not calibrated to the specific operating model; incomplete or inconsistent governance documentation; a Regulatory Business Plan that does not align with the actual operating model or financial projections; and incorrect activity classification that generates scope questions throughout the review process. Technology controls and UAE substance issues are also common sources of delay, particularly for Exchange and Custody applicants. All of these are execution failures that can be identified and resolved during preparation — before submission — with proper pre-application structuring.
Ready to Build Your VARA Licensing File?
Book a VARA Licensing Structuring Call
Whether you are confirming your regulatory perimeter for the first time or preparing to build the full application file, every VARA licensing strategy starts with the same question — which exact licence scope does the business model require?