In May, the Central Bank of UAE (CBUAE) issued a comprehensive ‘guidance’ for licensed financial institutions (LFI), such as banks, finance companies, exchange houses, payment service providers and others, when dealing with virtual assets (VAs) (also called crypto assets) and virtual assets service providers (VASPs).
The guidance is aligned with the UAE’s approach towards regulating the VA sector with cautious optimism. We like to call it the UAE Falcon’s “open-arms-but-sharp-claws” approach, where the UAE seeks to provide an enabling framework to the VA sector but does not at any cost compromise on screening and weeding out bad actors.
The move has been welcomed by all stakeholders, including the VA as well as the traditional financial sectors.
It provides a nuanced understanding of what the VA sector is and how it interfaces with LFIs in the traditional financial space, balances the desire for operational clarity with the need for risk mitigation, and (sets out clear guardrails for LFIs when dealing with VA/VASPs in terms of what is and isn’t acceptable in line with global best practices set forth by the Financial Action Task Force. We unpack these in detail below.
Nuanced understanding
The guidance offers a clear understanding of the VA sector. It states that most VASPs operating in the UAE operate as exchanges, brokers, or provide transmission services. This leaves little room for differential interpretation.
Notably, the guidance states that VAs should be assessed by their features and not their nomenclature, and clarifies that, “No asset should be considered a virtual asset and a traditional financial asset (for example, a security) at the same time”.
Further, it provides that NFTs (non-fungible tokens) will not be treated as VAs, and stablecoins may be considered VAs, depending on their characteristics. This is a step in the right direction for ensuring regulatory predictability for assets that have remained in the regulatory grey area.
Then, the guidance details various ways in which VA/VASPs interface with LFIs, and may thus be exposed to AML/CFT risks.
The interaction between VASPs and LFIs could be direct (say through a customer-service provider relationship between a VASP and a bank). It could also be indirect, say through the exposure of bank customers that engage with VASPs, or through a bank’s own proprietary investments in VAs.
Balancing operational clarity with risk management
The guidance recognises two kinds of accounts – operational accounts (such as accounts used by VASPs for administrative purposes) and transactional accounts (such as accounts opened to hold client funds).
It clarifies that operational accounts may be opened by LFIs without submitting a request for non-objection to the CBUAE. This enhances ease of doing business for VASPs. On the other hand, for opening a transactional account, a VASP will be required to take an NOC from CBUAE, which will be granted on a case-by-case basis.
The guidance also requires LFIs to have formal written agreements and policies when dealing with VASPs to mitigate any reputational risk, or risk of loss. This ensures high standards of risk management built in by design.
Obligations and guardrails
The guidance prohibits LFIs from establishing any relationships or processing any transactions with a VASP without an appropriate license from the competent UAE authorities (even if the VASP is licensed outside the UAE).
This reduces the risk at the first level itself by limiting the VASPs LFIs can deal with to those who have already met the stringent licensing criteria set out by the VA regulatory authorities in the UAE, such as the Securities and Commodities Authority, Virtual Assets Regulatory Authority, Financial Services Regulatory Authority and Dubai Financial Services Authority.
The guidance also sets out red flags which LFIs must bear in mind when assessing VASPs. These include transaction structuring, transaction values, transaction volumes, transaction frequency, transaction patterns, anonymity, sources of funds or wealth, and geographical risks, among others.
This creates a risk-based sifting mechanism and mandates LFIs to monitor, screen and act upon high-risk transactions.
Demystifying the environment
The guidance came into effect on July 1, and the industry players are in the process of engaging with commercial banks.
It remains to be seen how the guidance will impact LFIs and VASPs operationally, on a day-to-day basis. The industry is hopeful that the impact will be positive.
As regards the long-term horizon, the guidance has to be seen in conjunction with the other recent developments. The UAE has become an attractive yet credible destination for some of the largest crypto players in the world. This comes at the back of curated enabling regulations combined with targeted enforcement action by bespoke regulators – the same open-arms-but-sharp-claws approach.
The UAE is also wary of the cross-border implications of VAs and has begun engaging with other regulators.
For example, CBUAE and the Hong Kong Monetary Authority agreed to strengthen cooperation in three major areas including financial infrastructure, financial market connectivity and virtual asset regulations and developments.
Such novel approaches to international collaboration can truly make the UAE a global hub for the VA sector.