A look into UAE Central Bank's AML guidance document for virtual assets and what it means for the future of VASPs in UAE

 

The UAE Central Bank has issued its long awaited virtual assets and virtual assets service provider framework under the umbrella of a new guidance on anti-money laundering and combating the financing of terrorism (AML/CFT) for licensed financial institutions (LFIs) with a focus on the risks of dealing with virtual assets.

The actual document is more telling than the initial press release. In reality the UAE Central Bank has clarified what is considers as virtual assets and who can offer services in this realm, as well as how banks and financial institutions will work with VASPs when it comes to opening accounts for them and meeting compliance requirements. It also makes clear that virtual assets are not considered a legal tender in the UAE.

Now a lot has been made clear. Earlier this month, there was a position for a Fintech virtual assets senior manager job at a UAE Bank who was required to be specialized in Fintech and virtual assets compliance from a finance crime perspective, which was eye catching because there wasn’t anything yet announced from the UAE Central Bank. Yet now one thing is for certain, banks in the UAE will be scrambling to hire talents who understand the virtual asset ecosystem so they will be able to comply with the recent guidance.

Definition of virtual assets and VASPs

First the UAE Central Bank has defined as they mention in alignment with FATF definitions, what virtual assets are, leaving out of the definition CBDCs and security tokens, as well as some NFTs. As per the guidance, “A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes, excluding digital representations of fiat currencies, securities, and other funds (such as those separately regulated by the competent authorities of the UAE, including the CBUAE, SCA, VARA, FSRA, and the Dubai Financial Services Authority (“DFSA”).”

It goes on to explain, “Virtual assets, so defined, typically include assets commonly referred to as cryptocurrencies, cryptocoins, payment tokens, exchange tokens, and convertible virtual currencies. Without prejudice to the definitions in the laws and regulations referred to above, stablecoins may be considered either virtual assets or traditional financial assets depending on their exact nature. No asset should be considered a virtual asset and a traditional financial asset (e.g., a security) at the same time.”

The guidance also discusses payment tokens offered and licensed by payment token service providers. Payment Tokens are defined as a type of Crypto-Asset that is backed by one or more Fiat Currency, can be digitally traded, and functions as a medium of exchange and/or a unit of account and/or a store of value, but does not have legal tender status in any jurisdiction. A Payment Token is neither issued nor guaranteed by any jurisdiction and fulfills the above functions only by agreement within the community of users of the Payment Token. Payment Token Service Providers, in turn, are defined as persons engaged in Payment Token issuing, Payment Token buying, Payment Token selling, facilitating the exchange of Payment Tokens, enabling payments to Merchants and/or enabling peer-to-peer payments, and Custodian Services related to Payment Tokens.

What Virtual assets are not

As for NFTs, they are not considered virtual assets, but this does depend on the nature of the NFT and its function. As stated, “Some NFTs that on their face do not appear to constitute VAs may fall under the VA definition if they are used for payment or investment purposes in practice.”

The guidance makes it clear that the Central Bank of the UAE does not accept or acknowledge virtual assets as a legal tender/currency in the UAE; rather, the only legal tender in the UAE is the UAE dirham. As such, those accepting VAs as payment for goods and services or in exchange for other assets bear any risk associated with the future acceptance or recognition of VAs.

The guidance adds,  by definition VAs cannot be digital representations of fiat currencies, securities, or other separately regulated financial assets, a bank record maintained in digital format, for instance, that represents a person’s ownership of fiat currency is not a VA. However, a digital asset that is exchangeable for another asset, such as a stablecoin that is designed to be exchangeable for a fiat currency or a VA at a fixed rate, could still qualify as a VA, depending on the relevant features of such a stablecoin.

VASP activities overview

There are five basic activities that fall under VASPs as per the UAE Central Bank, but these are not considered as comprehensive only meant for illustrative purposes. They include virtual asset exchange, virtual asset brokers, who transfer ownership of VA from one user to another, virtual asset custodians, P2P exchanges, remittance payments, payment for nonfinancial g goods or services, or payment of wages. A provider offering such a service will likely be a VASP.

The UAE Central Bank has even considered decentralized virtual assets Exchanges or decentralized finance (“DeFi”) application creators, owners, and operators as VASPs given they maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the definition of a VASP where they are providing or actively facilitating VASP services. For example, there may be control or sufficient influence over assets or over aspects of the service’s protocol, and the existence of an ongoing business relationship between themselves and users; even if this is exercised through a smart contract or in some cases voting protocols.

Even entities that provide related financial services to issuer’s who offer or sell virtual assets through participation in and provision of financial services related to an issuer’s offer or sale of a Virtual asset through activities such as initial coin offerings (“ICOs”) are considered as VASPs.

Licensed Financial Institutions AML CFT

Finally as per the AML-CFT Decision, every natural or legal person who carries out any VASP activities, provides VASP products or services, or carries out VASP operations from the state must be licensed, enrolled, or registered by a competent supervisory authority in the UAE.

LFIs are strictly prohibited from establishing relationships or processing transactions with individuals or entities that perform covered VASP activities and are not licensed to do so by UAE authorities. It is therefore essential that LFIs form an understanding of whether its customers perform covered VASP activities and, if so, whether they have fulfilled applicable UAE licensing requirements. LFIs are not permitted to establish relationships or process transactions with foreign VASPs that have not secured a license to operate as a VASP from UAE authorities, even if the foreign VASP is duly licensed or registered outside the UAE.

The guidance warns that LFIs may be indirectly exposed to VA or VASP activity through its customers that use their account or relationship with the LFI to provide downstream financial services to VASPs. In the case of VASP customers, this may include the provision of accounts or custodial wallets that can be used directly by customers of a third-party VASP to transact business on the customer’s own behalf.

The AML-CFT Law brings virtual assets and virtual asset service providers within the scope of the UAE’s AML/CFT legal, regulatory, and supervisory framework. Under Articles 9 and 15 of the AML-CFT Law, VASPs must report suspicious transactions and information relevant to such transactions to the UAE FIU, and under Articles 13 and 14, supervisory authorities are authorized to assess the risks of VASPs, conduct supervisory operations (including inspections) of VASPs, and impose administrative penalties on VASPs for violations of applicable laws and regulations.

Conclusion

In conclusion this is the first comprehensive framework that the UAE Central Bank has published which will allow a select number of VASPs to be able to deal with the licensed financial institutions in the UAE. It will not be easy for the financial sector as the AML and CFT requirements are exhaustive, but it will also not be easy for the VASPs.

Moreover, there is one gap that seems huge and over looked by the UAE Central Bank, and that is what if licensed financial institutions actually want to offer Virtual asset services. So what if a bank actually wants to offer VA custodial services, or VA payment services, or brokerage services, can they both be the provider and the client and what happens to AML and CFT requirements then.

In Bahrain for example the Central Bank is allowing crypto entities to move into the other financial arenas and has even allowed the first digital bank which deals in digital assets to make their base in the country.

Another question that can be raised, is that in a country which has called for more international cooperation and coordination when it comes to regulating virtual assets, then concurrently does not allow any of its financial institutions to deal with any VASP not regulated in the UAE even if they are regulated in other jurisdictions, what precedence is the UAE making in this regards and is reciprocity the new name of the game?

With regulations taking force in UAE especially when it comes to virtual assets, the country that once boasted of having 1800 blockchain and crypto entities might see that number dwindle as most of these companies will not be able to comply to the regulatory requirements rendering them unable to receive services from the banking sector. 

We can already see this decline in number on the new website for VARA, where there were once dozens of names listed as on the course of receiving licenses, today there is a handful.

Next to be published will definately be the payments rulebook under VARA which was missing before. Can't wait to see what that will bring to the table.