The Dubai Virtual Assets Regulatory Authority (VARA) has provided critical clarifications regarding the scope of Custody Services in its 2023 Regulations and updated rulebooks, ensuring that any entity holding virtual assets on behalf of clients is subject to stringent oversight. Importantly, custody is treated as a distinct regulated activity, separate from trading or exchange services. As such, holding client assets is not automatically covered under existing licences and may require independent regulatory approval.
VARA clarified that firms providing VA Custody Services in or from Dubai excluding the Dubai International Financial Centre (DIFC) must obtain a specific licence, regardless of whether they are traditional finance firms or crypto-native entities. This is required even if custody is not expressly offered as a standalone service. This creates a potential area of inadvertent non-compliance for firms expanding their product offerings or integrating wallet functionalities.
A key feature of the framework is VARA’s substance-over-form approach. Custody is not defined solely by how a service is marketed or labelled, but rather by whether a firm exercises control over client assets or private keys in practice. This marks a significant shift from traditional interpretations adopted by some market participants.
In particular, Virtual Asset Service Provider (VASP) operating trading platforms, brokerage services, or digital asset interfaces may inadvertently engage in custody activities where they:
- Retain access to client wallets;
- Control or influence private keys;
- Facilitate the holding or safekeeping of client assets.
Further, VASPs must ensure that all Custody Services are only provided in accordance with verified client instructions, or instructions from authorised agents of the client for whom the client has provided the VASP with a valid legal authority for the agent to provide instructions on the client’s behalf.
In addition to licensing considerations, VARA places strong emphasis on legal and structural separation. Custody services may need to be conducted through a separate legal entity, particularly where firms operate integrated models combining trading and asset holding functions. Operational separation alone may not be sufficient to satisfy regulatory expectations.
There are certain segregation and control requisitions which need to be complied with by the VASPs providing Custody Services of Virtual Assets as these are not depository liabilities or assets of such VASPs. These are as follows:
- VASPs shall not authorise or permit rehypothecation of Virtual Assets for which they provide Custody Services (regardless of whether they have obtained a client’s consent), and VASPs providing Custody Services shall not seek or attempt to obtain such consent as part of the Custody Services they provide.
- VASPs providing Custody Services shall segregate the Virtual Assets of each client in separate VA Wallets containing the Virtual Assets of that client only.
- VASPs must maintain control of each Virtual Asset at all times while providing Custody Services.
- VASPs providing Custody Services must be a separate legal Entity from any member of their Group that provides services relating to VA Activities other than Custody Services.
- VASPs providing Custody Services may apply to VARA to obtain a Licence for the provision of VA Transfer and Settlement Services, which shall only be granted subject to VARA’s satisfaction of all relevant requirements, including the VASP’s implementation and strict enforcement of policies and procedures to achieve necessary segregation between operations relating to Custody Services and such VA Transfer and Settlement Services.
- VASPs must have adequate policies and procedures to ensure that there is sufficient operational and physical segregation between individuals handling operations for Custody Services, and their other core businesses and operations including, but not limited to, other VA Activities conducted by their Group. Such policies and procedures shall establish a separate team to handle the VASP’s Custody Services only, consisting of individuals who have no conflicting duties or access to information which may give rise to any conflicts of interest.
From a practical standpoint, firms should undertake a detailed review of:
- Their wallet architecture and custody arrangements;
- Internal access to, and control over, private keys;
- Group structures and intra-group service models;
- The nature of services offered to clients, whether explicit or implied.
The implications of misclassification are significant. Firms that fail to recognize custody activities at an early stage may face regulatory exposure, particularly as VARA continues to adopt a more function-driven supervisory approach.
Ultimately, the central question is not whether a firm considers itself a custodian, but whether it performs custodial functions in substance. Early legal and operational alignment with this principle is essential for ensuring compliance within Dubai’s evolving virtual asset regime.
For further guidance on how these rules apply to your operations, please contact Suneer Kumar at suneer@alsuwaidi.ae or Rajiv Suri at r.suri@alsuwaidi.ae.