VARA’s Compliance and Risk Management Rulebook
Dubai, a recent adopter of the Financial Action Task Force’s (FATF’s) Recommendation 16 (Travel Rule), has sought to make compliance as straightforward as possible for crypto entities by developing its Rulebooks, for example, VARA's Compliance and Risk Management Rulebook.
This Rulebook was compiled according to and forms part of the Virtual Assets and Related Activities Regulations 2023 issued by Dubai’s Virtual Assets Regulatory Authority (VARA). It applies to all virtual asset service providers (VASPs) in Dubai and is where Travel Rule duties are outlined. VARA has the authority to regulate all VASPs in the Emirate and was established as per Law No.  of 2022 Regulating Virtual Assets in the Emirate of Dubai.
Below, we will provide a breakdown of VARA’s Compliance and Risk Management Rulebook. As with all summaries provided by 21 Analytics, the intention is to capture the essence of the text and in no way constitutes legal advice.
If you are only interested in learning about VARA’s take on the Travel Rule, scroll down to Anti-money Laundering and Combating the Financing of Terrorism.
The first section of the Rulebook sets out the following:
the general principles for regulatory compliance
the implementation of a compliance management system, including appointing a compliance officer
management, operations and information risk
record-keeping and audit, and
employee management and training
This section clearly explains the role of a compliance officer within a VASP, how VASPs are to maintain an effective compliance management system, the communications expected between the VASP and VARA, the auditing process, and how the VASP is to shape and maintain its risk management plan.
Interestingly, all VASPs are to appoint a compliance officer according to VARA's stipulated standards. One of these requirements is that the compliance officer needs VARA’s approval and must have at least 5 years of experience in a compliance role.
Tax Reporting and Compliance
VASPs must comply with tax reporting requirements under all laws, regulations and guidelines, including local and international best practices. Additionally, when applicable, VASPs in the Emirate are to follow practices under FATCA (the US Foreign Account Tax Compliance Act).
Anti-money Laundering and Combating the Financing of Terrorism
This section of the Rulebook covers how VASPs are to prevent the use of virtual assets in illicit activities, such as terrorism financing, sanctions non-compliance and so forth.
Steps include appointing a money laundering reporting officer (MLRO) responsible for compliance with all anti-money laundering and counter-terrorism financing (AML/CFT) laws and regulatory requirements for VASP activities. Examples of MLRO responsibilities include assessing risks per this Rulebook and ensuring that the VASP’s staff are trained on compliance and AML/CFT laws.
In addition, VASPs must establish and implement appropriate AML/CFT controls, which include the use of analytics and additional appropriate tools to screen transactions. Moreover, VASPs must enforce policies that meet existing recommendations, such as the:
Lastly, VASPs must maintain records according to Federal AML/CFT laws. All records are to be kept for a minimum of 8 years.
1. Client Due Diligence
VASPs are to undertake client due diligence (CDD) when:
establishing a business relationship for all services related to virtual asset activities
carrying out transactions equal to or greater than AED 3500, or multiple transactions equaling AED 3500
suspicious activity is suspected or the validity of previously obtained information is doubted
conducting any transaction for a high-risk client
VASPs are to verify individual and entity identification as part of the CDD process. The documents obtained for verification need to be reliable and from an independent source. All suspicious transactions are to be reported to the UAE FIU and VARA.
2. VARA's Travel Rule
individual transactions equal to or exceeding AED 3500
group transactions equal to or exceeding AED 3500
Before allowing customers to access received virtual assets equivalent to or exceeding AED 3500, VASPs are also to obtain and hold the required originator and beneficiary information.
Prior to transacting with a counterparty VASP, risk-based due diligence is to be performed irrespective of jurisdiction. This due diligence need not be repeated for every subsequent transaction with the counterparty, only when the VASP suspects a risk.
VASPs must comply with the FATF Interpretive Note to Recommendation 15 when implementing compliance policies directed at the Travel Rule and AML/CFT policies.
Client Virtual Asset Rules
VARA explicitly states that client virtual assets are all virtual assets controlled or held by a VASP on behalf of a client. All virtual assets held by a VASP must be held in a client account, and the VASP should have systems in place to identify these assets and keep them secure at all times. To further safeguard clients, VARA has mandated that virtual assets must be held on a 1-to-1 basis by the VASP, and, when requested by VARA, VASPs are to present proof of reserves.
Anti-bribery and Corruption
In the final section of the Rulebook, VARA has provided VASPs with clear guiding principles as to what constitutes bribery and corruption. Breaking this policy will result in severe repercussions.
VARA’s Compliance and Risk Management Rulebook is the most important Rulebook for VASPs who want to learn how to comply with the Emirate’s new crypto regulations and implementation of the Travel Rule, and understand their role as a virtual asset service provider to clients.
Find out more about VARA in our previous blog, What Is Dubai’s Virtual Assets Regulatory Authority? Here we discussed VARA’s objectives, what falls under its scope, and its new definitions.