During the Paris Blockchain Week, at the Global regulatory Landscape Panel session, Mathew White, CEO of Dubai’s VARA (Virtual Asset Regulatory Authority) discussed the cost of compliance for smaller crypto and Blockchain firms and the solution he is proposing where big players sponsor the cost of compliance for smaller ones.

White in his contribution during the panel made several points with regards to how he views VARA’s regulatory standpoint.

Firstly, VARA wants to regulate without damaging the presence of nearly 2000 Web3 and crypto companies already present in Dubai UAE. He states, “We seek to set a regulation that we feel anybody can be part of and is not exclusive by nature. We engage with the industry, governments, and continue to do that. While it is still not perfect, there are a number of things we are looking into to make the regime fit for everybody, one of which is how we deal with cost of compliance for small entities.”

According to White, compliance is a costly exercise and not many players have the resources to go and get regulated. His proposal is “looking towards a structure where larger market participants host smaller ones, where the cost of compliance can be borne by the large players.” He adds, “We are on this journey of allowing innovation whilst being able to regulate it.”

White explains that two years ago when he was part of the team building VARA, the Dubai government decided as part of their economic diversification project to prioritize technology and in specific virtual assets.

VARA was established to be able to position Dubai as a hub with financial stability and investor protection in mind.

When the topic of self-regulation through technology came up White acknowledge that he believes that this will one day be possible. He also stated he would be looking into piloting this idea at VARA.

He stated, “No doubt some point in the future it will be available. For the short to medium there will be regulation and it will be significant.”

Earlier this week, Crypto.com became the first international crypto exchange to receive a full license from VARA, while OKX is still awaiting final requirements to receive its full VASP operational license.

UAE based AYA, a regulated fundraising platform focused on the intersection of Blockchain and sustainability has partnered with Blockpass, Web3 OG identity verifier, to strengthen AYA’s compliance procedures.

Through the partnership Blockpass will provide risk assessment and risk classification of onboarding customers, customized forms based on the customer’s and regulator’s requirements, regular rigorous wallet compliance checks to protect user transactions, and evaluation of risks associated with wallets to ensure the absence of fraudulent and suspicious transactions.

This will involve the gamut of Blockpass’ products, including KYC, KYB and AML solutions, the new Advanced KYC Bot™, ongoing monitoring, and Blockpass’ Unhosted Wallet KYC™.

Blockpass, has pioneered reusable identities and crypto-native KYC/AML solutions. Its turnkey suite of compliance tools is designed to lower onboarding costs, automate remediation, prove humanity and protect against malicious actors, fraudulent activities, bots, and AI.

Businesses can set up services quickly, test them for free, and start verifying users. With around one million verified identity profiles, Blockpass facilitates instant onboarding, and to date over a thousand businesses have taken advantage of this opportunity to benefit from Blockpass’ compliant network.

AYA is the Middle East and North Africa region’s first regulated Climate Finance Platform, regulated by Dubai’s Virtual Assets Regulatory Authority (VARA) in 2023. Built on blockchain technology, AYA focuses on helping climate tech projects raise capital from its community of investors, utilizing carbon and nature-based credits as assets. AYA will leverage its team’s experience from building and running Enjinstarter – an extensive crowdfunding platform focused on gaming, entertainment, and the metaverse – to curate a nurturing ecosystem of mentorship, funding and collaboration where trailblazers can leave a lasting legacy of sustainability for future generations.

“Through our strategic partnership with Blockpass, we at AYA reaffirm our commitment to upholding the highest standards of AML and KYC practices in the industry. This collaboration underscores our dedication to fostering a secure, compliant, and trustworthy environment for our users, laying the foundation for a more responsible and sustainable future in the virtual asset space.” said Vasseh Ahmed, Managing Director of AYA.

“We’re delighted to be working with a company that is so focused on the future of both blockchain technology and the planet.” said Blockpass CEO Adam Vaziri. “We have previously worked with Enjinstarter and it’s an honor to be chosen once again to work with such a visionary team on such an important project.”

By working together, Blockpass and AYA will ensure that the sustainable futures of blockchain technology and the world are secured against identity fraud and money laundering. In ensuring regulatory compliance, Blockpass will help AYA grow and flourish as it seeks to nourish suitable projects and innovate in a responsible manner.

Navin Gupta, former Managing Director for South Asia and MENA at Ripple has left Ripple to join Crystal, a blockchain intelligence firm focused on compliance and risk monitoring for cryptocurrencies, Gupta will become the new CEO of Crystal while Marina Khaustova moves into the new position of Chief Operations Officer at Crystal.

Crystal is a blockchain intelligence firm empowering financial institutions, law enforcement and regulators with real-time blockchain analysis, investigative and compliance solutions.

Gupta joins Crystal from Ripple, where he successfully drove growth for the firm in the MEA and South Asian markets. His roles at HSBC and CitiBank, and entrepreneurial experience as co-founder of a commercial transport technology platform, makes Gupta the perfect candidate to steer this next phase of expansion for Crystal. Ripple has grown over the past years in MENA region with 20% of its customers coming from MENA.

With crypto assets becoming increasingly mainstream due to key regulatory and market developments, Crystal appointed Gupta to expand its blockchain intelligence solutions to a global audience of regulators, VASPs, TradFi sectors, and stakeholders in cryptocurrencies.

“Recent developments like the Bitcoin ETF approval have set the stage both for an increased appetite for digital assets and for compliance tools to keep pace with regulatory expectations,” said Brian Brooks, Bitfury Board member and former head of the Office of the Comptroller of the Currency. “It is imperative that regulators and financial institutions worldwide equip themselves with the best toolset and intelligence to keep pace and be fully prepared to tackle any potential risks from this asset class.”

Gupta said, “Marina and Crystal has been at the forefront of developing an exceptional blockchain intelligence solution. As we continue to see adoption grow, we are committed to leveraging new-age tech to stay ahead of the curve. Regulators need superior intelligence and cutting-edge tools to navigate these changes, and TradFi institutions are seeking to manage risks effectively as they enter the digital assets market. Our goal is to stay insanely customer-centric, bringing our solutions to every corner of the world.”

Since 2019, Crystal has expanded its presence into key financial hubs including North America, UK, Europe and MEA, empowering financial institutions, investigators, and regulators with blockchain analysis, compliance and risk monitoring solutions. Crystal’s customer base doubled in 2023 by focusing on delivering its unique solution to enforcement and supervisory bodies. The product offers real-time indirect risk assessment, monitoring over 50,000 entities and organizations and offers proprietary training programs for professional cybercrime investigators.

The UAE Central Bank has issued its long awaited virtual assets and virtual assets service provider framework under the umbrella of a new guidance on anti-money laundering and combating the financing of terrorism (AML/CFT) for licensed financial institutions (LFIs) with a focus on the risks of dealing with virtual assets.

The actual document is more telling than the initial press release. In reality the UAE Central Bank has clarified what is considers as virtual assets and who can offer services in this realm, as well as how banks and financial institutions will work with VASPs when it comes to opening accounts for them and meeting compliance requirements. It also makes clear that virtual assets are not considered a legal tender in the UAE.

Now a lot has been made clear. Earlier this month, there was a position for a Fintech virtual assets senior manager job at a UAE Bank who was required to be specialized in Fintech and virtual assets compliance from a finance crime perspective, which was eye catching because there wasn’t anything yet announced from the UAE Central Bank. Yet now one thing is for certain, banks in the UAE will be scrambling to hire talents who understand the virtual asset ecosystem so they will be able to comply with the recent guidance.

Definition of virtual assets and VASPs

First the UAE Central Bank has defined as they mention in alignment with FATF definitions, what virtual assets are, leaving out of the definition CBDCs and security tokens, as well as some NFTs. As per the guidance, “A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes, excluding digital representations of fiat currencies, securities, and other funds (such as those separately regulated by the competent authorities of the UAE, including the CBUAE, SCA, VARA, FSRA, and the Dubai Financial Services Authority (“DFSA”).”

It goes on to explain, “Virtual assets, so defined, typically include assets commonly referred to as cryptocurrencies, cryptocoins, payment tokens, exchange tokens, and convertible virtual currencies. Without prejudice to the definitions in the laws and regulations referred to above, stablecoins may be considered either virtual assets or traditional financial assets depending on their exact nature. No asset should be considered a virtual asset and a traditional financial asset (e.g., a security) at the same time.”

The guidance also discusses payment tokens offered and licensed by payment token service providers. Payment Tokens are defined as a type of Crypto-Asset that is backed by one or more Fiat Currency, can be digitally traded, and functions as a medium of exchange and/or a unit of account and/or a store of value, but does not have legal tender status in any jurisdiction. A Payment Token is neither issued nor guaranteed by any jurisdiction and fulfills the above functions only by agreement within the community of users of the Payment Token. Payment Token Service Providers, in turn, are defined as persons engaged in Payment Token issuing, Payment Token buying, Payment Token selling, facilitating the exchange of Payment Tokens, enabling payments to Merchants and/or enabling peer-to-peer payments, and Custodian Services related to Payment Tokens.

What Virtual assets are not

As for NFTs, they are not considered virtual assets, but this does depend on the nature of the NFT and its function. As stated, “Some NFTs that on their face do not appear to constitute VAs may fall under the VA definition if they are used for payment or investment purposes in practice.”

The guidance makes it clear that the Central Bank of the UAE does not accept or acknowledge virtual assets as a legal tender/currency in the UAE; rather, the only legal tender in the UAE is the UAE dirham. As such, those accepting VAs as payment for goods and services or in exchange for other assets bear any risk associated with the future acceptance or recognition of VAs.

The guidance adds,  by definition VAs cannot be digital representations of fiat currencies, securities, or other separately regulated financial assets, a bank record maintained in digital format, for instance, that represents a person’s ownership of fiat currency is not a VA. However, a digital asset that is exchangeable for another asset, such as a stablecoin that is designed to be exchangeable for a fiat currency or a VA at a fixed rate, could still qualify as a VA, depending on the relevant features of such a stablecoin.

VASP activities overview

There are five basic activities that fall under VASPs as per the UAE Central Bank, but these are not considered as comprehensive only meant for illustrative purposes. They include virtual asset exchange, virtual asset brokers, who transfer ownership of VA from one user to another, virtual asset custodians, P2P exchanges, remittance payments, payment for nonfinancial g goods or services, or payment of wages. A provider offering such a service will likely be a VASP.

The UAE Central Bank has even considered decentralized virtual assets Exchanges or decentralized finance (“DeFi”) application creators, owners, and operators as VASPs given they maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the definition of a VASP where they are providing or actively facilitating VASP services. For example, there may be control or sufficient influence over assets or over aspects of the service’s protocol, and the existence of an ongoing business relationship between themselves and users; even if this is exercised through a smart contract or in some cases voting protocols.

Even entities that provide related financial services to issuer’s who offer or sell virtual assets through participation in and provision of financial services related to an issuer’s offer or sale of a Virtual asset through activities such as initial coin offerings (“ICOs”) are considered as VASPs.

Licensed Financial Institutions AML CFT

Finally as per the AML-CFT Decision, every natural or legal person who carries out any VASP activities, provides VASP products or services, or carries out VASP operations from the state must be licensed, enrolled, or registered by a competent supervisory authority in the UAE.

LFIs are strictly prohibited from establishing relationships or processing transactions with individuals or entities that perform covered VASP activities and are not licensed to do so by UAE authorities. It is therefore essential that LFIs form an understanding of whether its customers perform covered VASP activities and, if so, whether they have fulfilled applicable UAE licensing requirements. LFIs are not permitted to establish relationships or process transactions with foreign VASPs that have not secured a license to operate as a VASP from UAE authorities, even if the foreign VASP is duly licensed or registered outside the UAE.

The guidance warns that LFIs may be indirectly exposed to VA or VASP activity through its customers that use their account or relationship with the LFI to provide downstream financial services to VASPs. In the case of VASP customers, this may include the provision of accounts or custodial wallets that can be used directly by customers of a third-party VASP to transact business on the customer’s own behalf.

The AML-CFT Law brings virtual assets and virtual asset service providers within the scope of the UAE’s AML/CFT legal, regulatory, and supervisory framework. Under Articles 9 and 15 of the AML-CFT Law, VASPs must report suspicious transactions and information relevant to such transactions to the UAE FIU, and under Articles 13 and 14, supervisory authorities are authorized to assess the risks of VASPs, conduct supervisory operations (including inspections) of VASPs, and impose administrative penalties on VASPs for violations of applicable laws and regulations.


In conclusion this is the first comprehensive framework that the UAE Central Bank has published which will allow a select number of VASPs to be able to deal with the licensed financial institutions in the UAE. It will not be easy for the financial sector as the AML and CFT requirements are exhaustive, but it will also not be easy for the VASPs.

Moreover, there is one gap that seems huge and over looked by the UAE Central Bank, and that is what if licensed financial institutions actually want to offer Virtual asset services. So what if a bank actually wants to offer VA custodial services, or VA payment services, or brokerage services, can they both be the provider and the client and what happens to AML and CFT requirements then.

In Bahrain for example the Central Bank is allowing crypto entities to move into the other financial arenas and has even allowed the first digital bank which deals in digital assets to make their base in the country.

Another question that can be raised, is that in a country which has called for more international cooperation and coordination when it comes to regulating virtual assets, then concurrently does not allow any of its financial institutions to deal with any VASP not regulated in the UAE even if they are regulated in other jurisdictions, what precedence is the UAE making in this regards and is reciprocity the new name of the game?

With regulations taking force in UAE especially when it comes to virtual assets, the country that once boasted of having 1800 blockchain and crypto entities might see that number dwindle as most of these companies will not be able to comply to the regulatory requirements rendering them unable to receive services from the banking sector. 

We can already see this decline in number on the new website for VARA, where there were once dozens of names listed as on the course of receiving licenses, today there is a handful.

Next to be published will definately be the payments rulebook under VARA which was missing before. Can’t wait to see what that will bring to the table. 

During DACOM (The Digital Asset Compliance and Market Integrity Summit) hosted by Solidus Labs, a crypto-native market surveillance and risk monitoring hub tailored for digital assets, in Abu Dhabi on May 4th 2023, Dubai’s virtual asset regulator CEO stated that only 50 percent of Dubai’s legacy VASPs (those who were operating before VARA was set up) applying for license at VARA will need to be regulated. He also talked about the opportunity to launch regulation and compliance as a service for small business and entrepreneurs.

Henson Orser, CEO of Dubai’s Virtual Asset Regulatory Authority, VARA, discussing VARA’s licensing journey with strong legal risk compliance, stated, “Currently we have three cohorts that are passing through several processes and routes to being fully licensed, the Minimum Viable product cohort that includes global operators who were with us from day one.  There are also legacy VASPs (Virtual Asset Service Providers), several hundred of them who have been performing virtual asset activities in Dubai before VARA came along. We are in the process of registering them and believe half of them will need regulatory licenses.” He mentions that there are also new applicants who will join the regulatory process going forward.

Orser added, “VARA is offering a nuanced approach to virtual asset regulation that does not need to define a token or coin as a security or commodity to fall into an existing framework but covers any activity in a way that affords investor protection and have compliance in such a way that we hope other global regulators would be comfortable with by design and principle.”

According to Orser, VARA is currently looking at several hundred VASPs within their ecosystem which entails a lot of compliance and risk officers, as well as general counsels and legal advisors. He mentions given the fact that there are many micro businesses and entrepreneurs there is a great opportunity for regulation and compliance as a service offering. As he states, “Regulation and compliance as a service offering will mutualize cost and leverage expertise.” 

Orser believes the most important thing is that VARA is building a hub of global financial services with innovation and technology at the cross roads of the world including within it a strong compliance risk management and legal framework which he says “ VARA will stand out as a foundational principle and will be a thriving fixture of the community.”

As for the future, Orser states that from a regulatory standpoint once there is a steady state on licensing, supervision, and enforcement for the three existing cohorts today, VARA given it is technology agnostic and a promoter of innovation, will launch a regulatory sandbox to have a framework for product development of the future.

He states that the future will include tokenization of real world assets, including real estate, as well as micro financing, royalty rights for creators and publishers, with smart contracts for movies /music, permissioned DeFi (Decentralized Finance), gaming and the metaverse. Here he sees, “A billion users will start to challenge the boundaries of title and value” and finally interoperability, transfers identity and more.

In his final words he believes that many innovators and developers are coming to Dubai because of the growth oriented environment and open minded regulator which encourages compliant operators without sacrificing core principle of investor protection, FATF Compliance and risk. Accordingly he believes, “Blockchain technology is here to stay and its applications will infiltrate more than we can imagine same goes for gaming metaverse and all things Web3.”