VARA custody services license

Key takeaways

  • Custodial firms must maintain a minimum base capital of AED 11 million and hold sufficient expense-based capital and insurance that covers theft, fraud, and tech failures.

  • Governance requires a three-member board with at least one experienced independent director, and senior managers including CEO, CCO, and CISO must be UAE-based and professionally qualified.

  • Key-management standards mandate multi-signature wallet setups, geographic separation of key shards, and strict withdrawal protocols with daily reconciliations.

Dubai’s Virtual Assets Regulatory Authority has positioned the emirate at the forefront of global digital-asset oversight. While trading venues tend to attract the headlines, safe and compliant storage underpins every transaction, swap or lending contract that takes place on an exchange. Without a regulated custodian, institutional participants have no way to meet their own fiduciary duties. The VARA custody services license therefore forms the bedrock of the emirate’s virtual-asset ecosystem. This in-depth guide explains the regulatory rationale, structural prerequisites, capital thresholds, application steps and ongoing obligations involved in obtaining and maintaining a VARA custody services license. Firms planning to safeguard billions in crypto, tokenised securities or stablecoins will find a practical blueprint, one that converts governance from a compliance cost into a decisive competitive edge.

Get a better idea of the VARA custody services license

In traditional finance, custodian banks hold trillions in securities and cash, separating client assets from broker liabilities. The same principle applies to virtual assets, although technology changes the risk profile. People can steal private keys in seconds, hot-wallet balances can vanish in automated exploits, and mismanaging multi-signature scripts can strand client deposits forever. Dubai lawmakers decided early that the emirate’s attractiveness as a hub would depend on strict, yet innovation-friendly, segregation and safekeeping rules. The custody services that fall under a VARA license are an example of these safekeeping rules.

When Law No. 4 of 2022 created VARA, custodial activity was carved out as an entirely separate permission set. That means an exchange or broker cannot automatically keep client coins in self-hosted wallets, at least not without demonstrating dedicated procedures, insurance and board-level oversight. In turn, independent custodians can serve multiple exchanges, lenders and asset managers, giving the local market institutional depth akin to that found in New York or Zurich.

The VARA custody services license is essential for any entity in Dubai seeking to securely hold virtual assets on behalf of clients, with strict rules for wallet control, governance, and compliance.

Activities covered by the VARA custody services license

Article 3.1 of VARA’s Custody Services Rulebook defines custody as the business of receiving, safeguarding or controlling a client’s virtual assets for the purpose of holding them on the client’s behalf or enabling transfers at the client’s instruction. The definition captures every operational detail that matters in practice. Safekeeping extends to hot, warm and cold wallets whenever the custodian holds signing control or co-control. The rulebook also covers omnibus or segregated ledger sub-accounts, forcing firms to reconcile on-chain totals with customer ledger balances as part of daily routines.

Beyond pure storage, a licensed custodian may initiate on-chain transfers, off-chain internal transfers or settlement instructions so long as those movements occur strictly under client mandate. The licence therefore acts as the legal passport that lets a provider enforce governance policies for key sharding, recovery protocols, geographic distribution and access-log reviews. It also authorises the custodian to produce statements, audit trails and asset-protection representations that third-party auditors can rely on. What the licence does not allow is brokerage, market making, exchange order matching or lending; those activities require separate VARA approvals.

Prudential capital and insurance requirements

Custody is capital-intensive by design. VARA begins with a base capital requirement of AED 11 million, roughly USD 3 million, that must be fully paid in and maintained in free cash or investment-grade sovereign bonds at all times. From there, risk-based capital comes into play. The authority applies weightings to the amounts kept in hot wallets, the share of assets under direct key control versus sub-custodians, the geographic dispersion of vaults and the concentration of counterparties. If the risk formula produces a number higher than the base minimum, the higher figure becomes binding.

Expense-based capital acts as a third backstop. Every custodian must hold at least six months of projected operating costs in liquid resources. An ambitious start-up that spends heavily on enterprise security software can therefore push its required capital well above the AED 11 million floor even before serving a single client.

Insurance is non-negotiable. VARA insists on a blended programme combining commercial-crime insurance, technology errors and omissions cover and a dedicated wallet-crime or specie policy. Each policy must be underwritten by an insurer on VARA’s approved list and must explicitly cover internal fraud, external theft, collusion and catastrophic technical malfunction. Deductibles have to sit in a ring-fenced bank account so that a single breach cannot erode policy coverage or harm client balances.

Governance and key-management standards

Board structure and independence

The statutory minimum is a three-member board. At least one director must be an independent non-executive with substantive experience in bank-grade custody or advanced crypto key-management frameworks, such as hardware security modules, multi-party computation and Shamir secret sharing. VARA’s fit-and-proper test reviews prior regulatory breaches, bankruptcies or cyber-security failures when assessing suitability.

Required senior managers

VARA expects a resident Chief Executive Officer who has run either a large custody function or a sophisticated security operations centre. A separate Chief Compliance Officer, also resident in the UAE, must oversee AML, sanctions screening and travel-rule implementation. In addition, a Chief Information Security Officer must hold professional designations such as CISSP or CISA and must personally sign off on the annual cyber-audit. When assets under custody exceed USD 1 billion, a Chief Risk Officer becomes mandatory. Dual hatting between compliance and security roles is prohibited because VARA insists on independent challenge and separation of duties.

Key-management checklist

Custodians escrow their reputation within their key-management architecture. VARA issues detailed expectations. Keys must be split into at least three shards, each stored in separate locations. Two shards must reside inside the UAE, while a third must sit in an offshore jurisdiction approved by the board. Multi-signature thresholds may not fall below two-of-three for hot wallets and three-of-five for cold vaults.

Any individual cold-vault withdrawal above a predetermined asset value must require an air-gapped signing ceremony overseen by two authorised signatories and logged on video for audit purposes. Daily reconciliations between on-chain totals and customer ledger balances are mandatory. Exceptions have to be escalated to senior management within twenty-four hours.

"A hopelessly lost or compromised key shard cannot be an excuse. A documented business-continuity plan must outline methodical recovery steps."
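
The checklist above lends itself to an automated control that runs against the custodian's wallet inventory. The following Python sketch is an added example, not VARA's or the author's code; the wallet names, site identifiers, the board-approved offshore list and the reading of "not below m-of-n" as a floor on both m and n are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import timedelta
from decimal import Decimal

MIN_QUORUM = {"hot": (2, 3), "cold": (3, 5)}  # m-of-n floors stated on the page
ESCALATION_WINDOW = timedelta(hours=24)       # exception escalation deadline

@dataclass
class Wallet:
    name: str
    tier: str              # "hot" or "cold"
    quorum: tuple          # (m, n) signing threshold
    shards: list           # [(site id, ISO country code)], one entry per shard
    onchain_total: Decimal
    ledger: dict           # client id -> Decimal balance

def check_keys(w, approved_offshore):
    """Return checklist violations for one wallet (empty list = compliant)."""
    out = []
    (m, n), (min_m, min_n) = w.quorum, MIN_QUORUM[w.tier]
    # Assumption: "not below m-of-n" means both m and n meet the floor.
    if m < min_m or n < min_n:
        out.append(f"quorum {m}-of-{n} below {min_m}-of-{min_n}")
    sites = [site for site, _ in w.shards]
    if len(sites) < 3:
        out.append("fewer than three shards")
    if len(set(sites)) != len(sites):
        out.append("shards share a location")
    if sum(country == "AE" for _, country in w.shards) < 2:
        out.append("fewer than two shards inside the UAE")
    # approved_offshore is the board's list and must not contain "AE".
    if not any(country in approved_offshore for _, country in w.shards):
        out.append("no shard in a board-approved offshore jurisdiction")
    return out

def reconcile(w):
    """On-chain total minus summed client ledger; non-zero is an exception."""
    return w.onchain_total - sum(w.ledger.values(), Decimal(0))

def escalation_overdue(detected_at, escalated_at, now):
    """True if the exception was not escalated within the 24-hour window."""
    return (escalated_at or now) > detected_at + ESCALATION_WINDOW

# Constructed sample data: hypothetical wallets, sites and approved list.
APPROVED_OFFSHORE = {"CH"}
SAMPLE = [
    Wallet("cold-btc", "cold", (3, 5),
           [("dxb-vault-1", "AE"), ("auh-vault-1", "AE"), ("zrh-vault-1", "CH")],
           Decimal("1250.5"), {"c1": Decimal("1000"), "c2": Decimal("250.5")}),
    Wallet("hot-eth", "hot", (2, 2),
           [("dxb-dc-1", "AE"), ("dxb-dc-1", "AE"), ("sin-dc-1", "SG")],
           Decimal("99"), {"c1": Decimal("60"), "c3": Decimal("40")}),
]

if __name__ == "__main__":
    for w in SAMPLE:
        print(w.name, check_keys(w, APPROVED_OFFSHORE), "diff:", reconcile(w))
```

Balances are held as `Decimal` so that the reconciliation difference is exact; any non-zero result starts the 24-hour escalation clock checked by `escalation_overdue`.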

AML, sanctions and travel-rule implementation

Custody itself might appear passive, yet money laundering threats remain omnipresent. VARA incorporates the UAE’s Federal AML Decree Law No. 20 of 2018 into its General Rulebook. Custodians must therefore conduct full KYC on every depositor, whether an individual, an exchange, an OTC desk or an asset manager. Incoming on-chain deposits need geo-screening to flag addresses linked to mixers, ransomware or OFAC-sanctioned entities. Blockchain analytics services such as Chainalysis or Elliptic are effectively compulsory so that risky clusters can be labelled and quarantined.

Dubai is also pioneering compliance with the FATF travel rule. For any outgoing transfer above USD 1,000, a VARA-licensed custodian has to append originator and beneficiary information in an agreed messaging standard, such as IVMS101, whenever the receiving wallet belongs to another virtual-asset service provider. Failure to comply can trigger administrative penalties starting at AED 100,000 per breach and escalating for repeated offences.

Technology audits, SOC reports and penetration testing

Within six months of going live, a custodian must appoint an independent IT-security firm to conduct a comprehensive audit. The audit scope covers physical security of cold-storage facilities, firmware checksums on hardware security modules and the segregation of production, test and disaster-recovery environments. VARA refuses to accept in-house reports; independence is a legal requirement.

Penetration testing follows an annual cycle. Custodians submit scoping documents to VARA at least six weeks before the test begins, confirming inclusion of API endpoints, admin consoles and wallet-transaction layers. After remediation, summary findings are filed with the authority. Critical vulnerabilities left unresolved beyond the agreed timeline automatically generate a reportable incident.

The staged VARA application process

Firms rarely move from initial concept to full licence overnight. VARA has built a logical, phased journey to prevent early-stage teams from becoming overwhelmed.

The journey begins with an exploratory meeting in which sponsors provide a concise presentation covering corporate background, technology, target client segments, expected peak assets under custody and governance design. The regulator uses this conversation to give indicative capital and insurance ranges so applicants can refine their plans.

A formal Letter of Intent follows, accompanied by a business-model canvas and the non-refundable application fee. VARA then issues a secure portal link for the full submission pack.

At the heart of the dossier sits the Regulatory Business Plan, often sixty pages or more, describing revenue models, risk factors, financial projections and organisational structures. A separate Technology Overview details wallet architecture, key-generation ceremonies, redundancy, latency and vendor dependencies. Custody policies covering reconciliations, emergency freezes, and client-asset segregation appear alongside an AML manual and draft insurance term sheets. Every director and senior manager must complete a Declaration of Suitability form, attaching identification documents, professional certificates and police-clearance letters.

VARA’s case officer issues written questions focusing on governance, insurance carve-outs and risk-weighted capital. Applicants should expect three or four review cycles, each lasting around two weeks, with clarifications required quickly to maintain momentum.

Before an in-principle approval is granted, a technical inspection team visits the proposed data centre or cold-vault site. They witness key-generation or key-import ceremonies, confirm the number of shards, inspect HSM serial numbers, and review access logs. Only after the site passes muster does VARA issue the conditional approval letter.

Conditions tend to include incorporation of the local entity, deposit of paid-up capital, execution of final insurance policies, leasing of a physical office in Dubai and onboarding of named directors.

"Once the applicant satisfies every point, the Financial Services Permission is granted and the new custodian appears on VARA’s public register."

Ongoing obligations and supervisory dialogue

Quarterly prudential returns must list total assets under custody, breakdown of hot versus cold balances, insurance coverage and any compliance breaches. An annual external financial audit under IFRS is obligatory, as is a semi-annual client-asset attestation that proves one-to-one backing for each token or coin. Incident reporting rules require notification within seventy-two hours for unauthorised movements or attempted breaches, and within twenty-four hours for high-impact events. A cyber-resilience self-assessment is due every December, with board minutes showing that directors have challenged and approved the remediation roadmap. VARA can enter the premises with forty-eight hours’ notice to run a supervisory inspection, although truly urgent cases may see shorter lead times.

How Dubai’s model stacks up against other leading jurisdictions

A comparative narrative shows why global custodians are gravitating toward VARA. In New York, the Department of Financial Services imposes a USD 10 million capital floor for chartered trust companies and demands elaborate BSA/AML reporting, making entry expensive. Switzerland’s FINMA offers a FinTech licence with only CHF 300,000 capital, but the scope is limited to deposits below CHF 100 million and leverage is disallowed, which curtails scaling.

Singapore’s MAS does not set an explicit capital number for custody, yet licence holders must maintain an enterprise-risk buffer and meet stringent technology notices, which can become costly once audit expenses are factored in. Dubai strikes a middle path. Its USD 3 million base capital is accessible to well-funded start-ups, yet the compulsory insurance and risk-based add-ons ensure the regime remains robust enough for pension funds and sovereign wealth entities to entrust assets.

Dubai also leads in mandating travel-rule compliance for outgoing transfers, whereas many Asian centres are still adopting a piecemeal stance. That alignment with FATF recommendations gives global banks further comfort when selecting an appointed custodian.

Practical challenges and mitigation strategies

Balancing liquidity with security emerges as the first operational headache. Clients demand near-instant withdrawals, often through APIs, yet every extra hot-wallet shard increases attack surface. Custodians have responded by establishing dynamic transfer thresholds. Small payments move automatically; larger ones trigger a warm-wallet queue that requires a human-in-the-loop review.

Sub-custody arrangements present the next hurdle. Staking platforms, for instance, may need to delegate validator keys to specialist operators. To preserve regulatory clarity, custodians draft tri-party agreements in which end clients explicitly accept delegation and the scope of insurance coverage.

Key-person dependency can also creep in, particularly among founder-led start-ups where the chief technology officer designs every line of wallet code. VARA expects a succession plan and board-approved procedure in which recovery seeds rest with a regulated trust company.

Banking is often overlooked until late in the timetable. Local banks remain conservative about crypto and require full visibility on governance and insurance. Presenting the VARA in-principle approval alongside manuals and policy schedules at an early stage accelerates bank-account opening.

  • AML, sanctions screening, and the FATF travel rule are enforced rigorously, with custodians expected to integrate blockchain analytics and messaging standards like IVMS101.

  • The application process includes a regulatory business plan, technology overview, site inspections, and a phased review culminating in a Financial Services Permission.

  • Ongoing obligations include quarterly reports, annual cyber audits, incident reporting, and on-site inspections, all to uphold security, transparency, and institutional trust.

  • Dubai’s VARA regime offers a strong yet accessible middle ground between jurisdictions like New York, Switzerland, and Singapore, making it attractive for global custodians.

Aston VIP: Your end-to-end navigator for the VARA custody services license

Achieving and sustaining a VARA custody services license demands a cross-disciplinary approach that blends regulatory law, blockchain engineering, cyber-risk management and commercial insurance. Aston VIP delivers a single-contract solution across every milestone. Initially, we conduct a feasibility workshop that analyses proposed asset mixes, capital structures and governance models.

Next, we draft the regulatory business plan, technology overview, custody policy suite and AML framework, translating technical language into the vocabulary regulators prefer. Our IT security specialists then validate your wallet architecture, oversee penetration testing and align backup strategies with VARA mandates. Capital and insurance often stall projects, yet our long-standing partnerships with regional banks and Lloyd’s brokers unlock competitive credit lines and crime-cover premiums. During the application phase we manage every portal submission, track deadlines and coach senior managers for panel interviews.

Once operational, Aston VIP remains by your side, offering outsourced MLRO or CISO services, compiling quarterly returns and simulating VARA on-site inspections so you never face surprises. By transforming compliance into structured processes and transparent metrics, we help you turn stringent regulation into a badge of institutional trust. Speak with our Dubai team today and secure your clients’ digital wealth under one of the most forward-looking custody regimes in the world.
