Author: Beosin
With the increasing global attention to virtual asset regulation, the Dubai Virtual Asset Regulatory Authority (VARA) recently issued new compliance regulations aimed at improving the transparency and security of virtual asset service providers (VASPs). These new regulations not only affect the operating environment of the local market, but also impose higher compliance requirements on international virtual asset trading platforms. As a global digital asset center, Dubai's regulatory policies are at the forefront of the industry and provide an important reference for regulatory frameworks in other regions.
The Dubai Virtual Asset Regulatory Authority (VARA) announced new, stricter guidelines for the marketing of virtual assets on September 26, 2024, which take effect on October 1, 2024. The guidelines aim to address the inherent risks associated with crypto investments by requiring clearer communication from companies involved in promoting these digital assets.
In March 2022, UAE Prime Minister Sheikh Mohammed officially launched VARA to oversee the growth, development and security of the Web3 sector. All Web3 participants who wish to do business in Dubai must be identified through VARA.
This article will delve into the key aspects of Dubai VARA compliance and analyze the effective strategies that VASPs should adopt when responding to regulatory challenges. By understanding these requirements, virtual asset service providers can better avoid potential risks, maintain their own legal and compliant operations, and promote the healthy development of the entire industry.
Compliance and Risk Control Section
Part I - Compliance Management
1. Principles:
VASPs should abide by the principles of integrity, diligence, efficient capabilities, robust technology, adequate protection, accurate accounting, effective disclosure, compliance, openness and transparency when conducting business and providing services in the UAE.
2. Compliance Management System CMS:
VASPs should establish and maintain an effective compliance management system that can analyze key performance and risk indicators, monitor and test risks, identify potential violations, and promptly notify the CO and provide relevant personnel with unrestricted access to necessary records and documents.
3. Compliance Policies & Procedures:
VASPs should establish, maintain and implement clear and detailed compliance policies and procedures, including anti-money laundering policies, business activity policies, record keeping procedures, employee compliance policies, complaint response procedures, etc.
4. Risk Management Policies & Procedures:
VASPs should establish risk management functions, policies and procedures that are appropriate to their nature, scale, complexity and risk profile, and apply effective risk measurement and reporting methods. The head of the risk function must submit a risk exposure report at least quarterly. Risk categories include financial stability risk, market risk, credit risk, liquidity risk, market behavior risk, compliance and risk control risk, customer protection risk, etc.
5. Operation Management:
VASPs should establish and maintain effective operational policies and procedures to protect their virtual assets and customer virtual assets from theft, fraud and/or misappropriation, and ensure that there are precautions to prevent any of their staff from using confidential information or insider information.
6. Books and records:
VASPs should keep proper books and records, and keep appropriate records of all records from third-party services and customers, customer transaction records, communications and documents, and conflict of interest registers to demonstrate compliance with all applicable legal and regulatory requirements at all times. These records will be retained for no less than 8 years, and all records that may involve the national security of the UAE need to be retained indefinitely.
7. Audit:
External Audit - VASPs should appoint an independent third-party auditor to audit their financial statements and understand the reasonableness of the auditor's valuation. If the original auditor of VASPs is deemed to be unsuitable for the size and complexity of its business and its reputation, VARA may require VASPs to change auditors.
Internal Audit - The internal audit department conducts audits at least quarterly and informs senior management of the findings and recommendations and follows up and resolves related issues or risks.
8. Regulatory Reporting:
- Submit to VARA at least monthly its balance sheet and a list of all off-balance sheet items, profit and loss statements, income statements, cash flow statements, virtual asset wallet addresses, a complete list of investment portfolios, and a complete record of all transactions, including but not limited to any transactions in loans or other virtual asset activities.
- Submit to VARA at least quarterly the minutes of the board committee meetings, statements proving compliance with the financial requirements of the law, financial forecasts and strategic business plans, and risk exposure reports.
- Submit to VARA at least annually an audited annual report, an assessment of the annual report by senior executives, a formal certification verifying the accuracy of the annual report, authentic documents on the account opening of the first 100 customers, product descriptions, group structure charts, resumes of board members, identification of independent directors, any committees and members, and minutes of board meetings.
9. Regulatory notifications:
VASPs shall notify VARA in writing of any rule changes, any significant events, and any criminal or significant civil lawsuits, charges or bankruptcy proceedings. Any violation of any law, regulation or rule related to VA activities shall be reported to VARA immediately. Notify VARA of incidents related to cybersecurity breaches in a timely manner, including but not limited to incidents involving loss of information or affecting personal data.
10. Staff management and training:
VASPs shall adopt appropriate recruitment processes to ensure that there are an appropriate number of qualified personnel with the necessary skills, knowledge and expertise to perform their duties. It is not mandatory to work locally in the UAE, provided that all regulatory and enforcement functions are effectively implemented and meet the requirements of VARA. VASPs should train employees on operational policies and procedures within 30 days of joining the company, and regularly conduct AML/CTF training thereafter, and monitor their compliance with all established procedures.
Part II - Tax Reporting and Compliance
VASPs must always comply with all tax reporting obligations under all applicable laws, regulations, rules or guidelines and national, international and industry best practices, including the applicable U.S. Foreign Account Tax Compliance Act (FATCA).
Part III - Anti-Money Laundering and Counter-Terrorism Financing
1. Appointment of Money Laundering Reporting Officer
VASPs should appoint a Money Laundering Reporting Officer with at least two years’ experience in handling AML/CTF matters and review his/her suitability annually.
2. The MLRO shall be responsible for
a. Ensuring that the Board and employees understand and comply with all applicable AML/CTF laws and regulatory requirements and arrange for appropriate and adequate training;
b. Developing and implementing AML/CTF policies and procedures
c. Conducting AML/CTF risk assessments and implementing all necessary changes to VASPs’ policies and procedures;
d. Monitoring and reporting suspicious transactions and ensuring that appropriate corrective actions are taken for violations of any federal AML/CTF laws.
Criminals are constantly developing new money laundering techniques and strategies to circumvent detection and identification. With the help of blockchain big data analysis and advanced AI technology, Beosin KYT can identify suspicious transactions, conduct comprehensive risk assessments, and identify risks of on-chain relationships through billions of address tags and black address libraries. It can detect risky behaviors such as security attacks, dark web transactions, the use of mixers, fraudulent behavior, extortion activities, and gambling.
e. Reporting to the board of directors on a quarterly basis on the effectiveness of VASPs' anti-money laundering/counter-terrorist financing policies and procedures, identifying any deficiencies in such policies and procedures and any violations of anti-money laundering/counter-terrorist financing laws;
f. Submitting compliance reports on a quarterly basis, covering privacy coins (Anonymity-Enhanced Cryptocurrencies) and their use by users.
3. Anti-money laundering policies and procedures
a. Comply with FATF's standard setting and second revision for VASPs, risk-based guidelines, international anti-money laundering standards and other relevant regulations;
b. Relevant guidelines of the EOCN Office, local terrorist lists, etc.;
c. Comply with the resolutions and other relevant directives of the United Nations Security Council on combating terrorist financing, proliferation of weapons of mass destruction and their financing, and comply with all other applicable laws, regulatory requirements and guidelines related to economic sanctions;
d. Avoid customers opening or conducting any financial or business transactions under anonymous or pseudonymous names and fake numbers, and avoid providing any services to them;
e. Keep all records, documents and data of local or international transactions;
f. VASPs should establish corresponding risk rules to scan their customers, actual controllers, virtual transfers, and virtual wallet addresses to identify potential illegal activities and alert operations and compliance teams for further investigation;
g. All policies and procedures should be verified by a qualified third party and submitted to VARA for approval within 21 days of any modification.
4. AML/CTF Control:
a. VASPs should have effective AML/CFT controls and systems to adequately manage the AML/CFT risks associated with their VA activities, including the use of distributed ledger analysis tools, and other investigation tools or the ability to monitor and scan transactions.
b. For any distributed ledger analysis tools used, VASPs should review and document their review of the functionality and vulnerabilities of such tools and design controls to monitor customer transaction activities.
c. Because the information of virtual transactions and wallet addresses is dynamic, VASPs should review and preserve the performance of analysis tools that provide continuous monitoring.
d. When designing transaction monitoring and threshold adjustment, the requirements of FATF Virtual Assets Red Flag Indicators should be met;
Specifically:
https://www.fatf-gafi.org/content/dam/fatf-gafi/brochures/Handout-Red-Flags-VA-VASP.pdf
5. Risk Assessment:
a. VASPs must conduct risk assessments on their businesses, including virtual assets (especially Anonymity-Enhanced Cryptocurrencies), virtual asset-related products and services, and technologies related to virtual asset activities;
b. VASPs that support enhanced anonymity transactions (privacy coin transactions) must implement enhanced risk controls to ensure compliance with all applicable laws and regulations. ECDD should be conducted every six months for customers using such privacy coins. If VASPs are unable to implement appropriate risk controls, they should not provide privacy coin products or services.
6. Customer Due Diligence:
a. VASPs must conduct appropriate due diligence on customers to identify customers and ultimate beneficiaries before providing services (such as single or related cumulative transactions exceeding 3,500 dirhams, any suspicious behavior, etc.), and should adopt a risk-based due diligence strategy.
b. VASPs should implement appropriate due diligence in continuous monitoring: including auditing customer transactions (not limited to reviewing the source of funds) to ensure that they are consistent with the purpose of opening the account;
c. Regularly review the information of high-risk customers to ensure that their documents, data and information are up-to-date and accurate.
d. For individual users: the following documents, data or information should be verified through reliable and independent sources: full name, nationality, address, place of birth, and name and address of employer. If any politically exposed person is involved, the approval of the anti-money laundering reporting director and at least one member of senior management is required.
e. For non-individual entity users: the following documents, data or information should be verified through reliable and independent sources: full name, type, articles of association, main place of operation, and names of senior executives. If the ultimate beneficiary is a politically exposed person, the approval of the anti-money laundering reporting director and at least one member of senior management is required.
f. Verify that any entity claiming to act on the customer's behalf is authorized, and identify it in the same manner.
g. Understand the intended purpose and nature of the relationship with the customer and, if necessary, obtain information related to that purpose;
h. If the customer is a business or otherwise provides services to other customers, it is necessary to understand the nature of its business and actual controller, ultimate beneficiary, customer type, nature and purpose.
i. If VASPs cannot perform appropriate CDD for a customer, they shall not establish or maintain a business relationship with that customer or perform any transaction for that customer. If VASPs rely on a third party to perform CDD, they remain responsible for ensuring that the third party performs CDD in accordance with all relevant rules and instructions.
7. Suspicious Transaction Monitoring and Reporting
a. VASPs should adopt methods appropriate to their business activities to continuously monitor their business relationships with customers to identify any suspicious transaction activities. Such methods should ensure that "snitching" or similar violations do not occur, and should ensure that all suspicious transactions are reported immediately to the Anti-Money Laundering Reporting Officer. These methods need to be documented and approved by senior management and should be reviewed and updated regularly to ensure their effectiveness.
b. VASPs should develop and regularly update indicators that can identify suspicious transactions.
c. If there is any suspicion or reasonable grounds to believe that the proceeds of a transaction are related to a crime, or that the funds or proceeds are intended to be used to commit, conceal or benefit from a crime, the competent office shall immediately report such suspicious transactions to the UAE FIU and VARA and respond to all requests for assistance in the investigation within 48 hours and cooperate with all instructions.
d. All suspicious transaction reports shall be reported to the UAE FIU and VARA through the GoAML platform under the guidance issued by VARA. All transactions in the suspicious transaction reports shall continue to be monitored.
8. FATF Travel Rule
a. Before initiating any virtual asset transfer of more than AED 3,500 (or approving any customer to receive a virtual asset transfer of more than AED 3,500), VASPs must obtain and maintain the required accurate sender and recipient information.
b. The required sender information shall include, but is not limited to: full name, account number or wallet address, and residential or business address. The recipient information shall include, but is not limited to: full name, account number or wallet address.
c. Before entering into any transaction with a counterparty VASP or virtual asset service provider in any other jurisdiction, VASPs must complete a risk-based due diligence on that counterparty to mitigate AML/CFT risks. Unless an increased counterparty risk is assessed or determined, due diligence is not required for each subsequent transaction with the counterparty.
d. In complying with the Travel Rule, VASPs must consider how to address risks associated with deposits and withdrawals (including whether VASPs counterparties implement the Travel Rule), non-custodial wallets, privacy coins, etc.
e. VASPs should demonstrate to VARA how they comply with the Travel Rule during the licensing process and submit relevant policies and management measures to VARA. VASPs should also submit their plans for the "Sunrise Issue".
9. Record keeping requirements
a. VASPs shall retain the following records for no less than 8 years;
b. Virtual asset transaction records, including operational and statistical records, documents and information, and all transactions executed or processed by VASPs;
c. CDD records, including records, documents and information about customers, and the results of investigations and analyses of customer activities;
d. Information related to third parties entrusted by VASPs to conduct CDD;
e. Records related to OCDD;
f. All suspicious transaction report records;
10. Customer Virtual Asset Rules
a. Customer virtual assets refer to all virtual assets held or controlled by VASPs on behalf of customers in the course of or in connection with any virtual asset activities.
b. VASPs should store customer virtual assets separately in separate virtual asset wallets.
c. VASPs must hold customer virtual assets on a one-to-one basis and may not authorize or allow re-hypothecation of customer virtual assets.
d. All proceeds associated with customer virtual assets, such as "airdrops", "staking proceeds" or similar proceeds, shall belong to the customer;
e. In addition to the reserve asset requirements in the rulebook, VASPs shall comply with all requirements prescribed by VARA from time to time to demonstrate that the reserve assets they hold cover all their liabilities to customer assets.
f. VASPs must maintain a system to ensure accurate reconciliation of virtual assets owned by each customer on a daily basis. If there is a material discrepancy with the reconciliation and it is not corrected, VASPs must notify VARA.
How do VASPs respond to regulatory challenges?
In the rapidly developing Web3 cryptocurrency field, compliance has become a crucial keyword. The functions of the Beosin KYT Virtual Asset Anti-Money Laundering Compliance and Analysis Platform include real-time monitoring of transactions, identification of potentially risky transactions and addresses, risk alerts for money laundering transactions, sanctions list and blacklist checks, transaction behavior analysis and compliance reports. The platform analyzes massive on-chain transaction information to identify transaction and account types, and then uses the massive entity address library in the system and machine learning analysis technology to evaluate risky transactions. Currently, it has provided services to multiple customers around the world to meet anti-money laundering regulatory requirements.
Beosin KYT can also provide comprehensive continuous monitoring of the token ecosystem. You can get real-time dynamic insights into the distribution of token holders, capital flows, and large transactions. Whether it is tracking the circulation of tokens or identifying potential risky transactions, Beosin KYT can help you accurately grasp the overall operating status of tokens and stablecoins, and provide strong data support for your decision-making.
Beosin KYT currently provides data, software, services and research for institutions, exchanges, wallet companies, etc. in many countries and regions, providing excellent compliance support for virtual asset service providers (VASPs) and providing strong protection for the security and trusted development of crypto assets.
About Dubai VARA Supervision
Virtual Assets Regulatory Authority (VARA)
1. The Dubai Virtual Asset Management Law issued by VARA applies to all virtual assets and virtual asset activities in the UAE.
2. VARA has the sole and absolute discretion to interpret, waive, modify or otherwise adjust this regulation.
Powers and functions of VARA.
a. VARA shall have the functions, powers and objectives conferred on it by the Dubai VA Law and any amendments thereto.
b. VARA may take any measures it deems necessary or related thereto
22 approved
1. Approved VASPs (22): https://www.vara.ae/en/licenses-and-register/public-register/
2. Approved lending service providers (4): OKX Middle East Fintech FZE, Aquanow ME FZE, Binance FZE, Foris DAX Middle East FZE (Crypto.com)
3. Approved management and investment service providers (8): OKX Middle East Fintech FZE, Web 3 Innovations FZE (AYA), Aquanow ME FZE, HT Markets MENA FZE, Binance FZE, Foris DAX Middle East FZE (Crypto.com), Nine Blocks Capital Management FZE, Laser Digital Middle East FZE
4. Approved virtual currency exchanges (5): Bybit Fintech FZE, Bybit Fintech FZE(Crypto.com), OKX Middle East Fintech FZE, Trek Labs Ltd FZE (Backpack), TOKO FZE
5. Approved custody service provider (1): Hex Trust MENA FZE
6. Approved custody service (staking) provider (1): Komainu MEA FZE
7. Approved Broker-Dealer service providers (14): Aquanow ME FZE, Varni Labs FZE (Roma), MEX Digital FZE, HT Markets MENA FZE, WPME Technology LLC (WadzPay), Binance FZE, Foris DAX Middle East FZE (Crypto.com), Fasset FZE, CoinMENA FZE, GC Exchange FZE (GCEX), Morpheus Software Technology FZE (FUZE), TOKO FZE, Laser Digital Middle East FZE, BitOasis Technologies FZE