Dubai’s Virtual Assets Regulatory Authority, formed in 2022, has rolled out a licensing framework that covers every link in the crypto-asset value chain, from custody to borrowing to market-making. One of its most sophisticated permissions, the VARA VA management and investment services license, targets firms that run discretionary portfolios, advise high-net-worth clients, or structure token-based collective investment schemes. In essence, if a business opts to allocate cryptocurrencies, stablecoins, security tokens or tokenised real-world assets on behalf of others, it must secure this license before onboarding a single dirham of external capital.
This post goes over the scope of the permission, including the standards that scale with assets under management, the conduct rules designed to protect retail and professional investors, and the approval process from pre-application to final VARA sign-off. It also explores how Dubai’s approach compares with regimes in Europe, Singapore and the United States. We also highlight common problems that trigger supplementary information requests, and offer practical tips for building robust governance of the kind that withstands the authority’s regular inspections. Finally, we outline how Aston VIP supports clients, from creating the regulatory business plan to operating an outsourced compliance desk once the VA management and investment license goes live.
Why VARA created specific permissions for VA management and investment services
Virtual-asset markets have matured from speculative trading toward long-term capital allocation. Sovereign funds in the Gulf, family offices from Mumbai to Riyadh, and pension endowments in Europe all seek regulated managers who can dedicate a sliver of their portfolios to digital assets. Without a clear supervisory regime, those allocators hesitate to wire money. VARA therefore designed a VA management and investment services license that mirrors traditional fund-management monitoring yet accounts for the unique custody, liquidity and smart-contract risks of blockchain instruments.
By ring-fencing client assets, enforcing clear capital thresholds and demanding quarterly disclosure of portfolio concentration, the authority aims to protect investors while giving clients confidence to build cross-border products domiciled in Dubai. The VA management and investment permission from VARA also allows managers to tap MENA wealth pools that prefer on-shore booking centres to Cayman or Luxembourg. Keep reading to get a better idea of what the services entail, and what getting a VARA license means for your firm as we go through every important detail.
Activities captured by the license
VARA defines management as exercising discretionary authority to trade, stake, lend or otherwise deploy a virtual asset portfolio owned by another person. Investment services cover non-discretionary advice, research and arrangement of deals in virtual assets provided to a client with the expectation that the recommendation will be acted upon. The license therefore encompasses three core business models:
Discretionary portfolio management
For institutions or qualified individuals, where the manager has a power-of-attorney to execute token trades, rebalance exposures, stake coins for yield, or enter DeFi liquidity pools within agreed risk limits.
Collective investment scheme management
Which includes tokenised feeder funds, actively managed certificates (AMCs) referencing crypto baskets, or on-chain venture structures that issue LP tokens representing ownership in start-up equity deals.
Advisory and research services
Delivered to clients who then trade through their own wallets or third-party brokerages but rely on the VARA-licensed firm for model portfolios, asset-allocation tactics and risk-monitoring dashboards.
Any entity performing any of these functions in or from Dubai must obtain the permission. Non-custodial software developers or purely educational research publishers remain outside the scope so long as they do not receive remuneration linked to client investment decisions.
Prudential capital requirements
VARA links base capital to assets under management (AUM) and the nature of the mandate. It sets three progressive bands:
- Managers whose average monthly AUM remains below AED 50 million must hold paid-up capital of AED 2 million.
- Between AED 50 million and AED 500 million, capital rises to the greater of AED 5 million or 0.5 percent of AUM.
- Above AED 500 million, capital equals AED 15 million plus 0.25 percent of AUM in excess of five hundred million, capped at AED 50 million.
Capital must be high-quality Tier 1 equity, free from redemption rights, deposited in a UAE bank and available to absorb operational losses. VARA reviews the buffer annually, but applicants must update projections if AUM grows faster than forecast by more than twenty percent within any rolling quarter.
Client-asset safeguarding and segregation
A hallmark of the Dubai regime is mandatory segregation between proprietary and client assets at the blockchain level and in ledger systems. Licensees must maintain dedicated wallet clusters per client, or in the case of pooled funds, per fund entity. Hot-wallet limits apply: no more than fifteen percent of total managed tokens may reside in hot storage unless the manager demonstrates real-time risk controls and instant reconciliation.
In addition to on-chain segregation, managers must appoint a VARA-approved auditor to verify quarterly that blockchain balances tie to off-chain NAV calculations. Discrepancies greater than AED 10,000 or one basis point of fund NAV, whichever is lower, trigger immediate senior-management review and, if unresolved within ten business days, mandatory notification to VARA.
Governance and fit-and-proper leadership
The authority expects a governance structure akin to DIFC or ADGM standards. At minimum:
- An independent board director or advisory committee member experienced in asset management or capital markets.
- A chief executive resident in the UAE with at least five years’ experience in portfolio management, trading or risk oversight.
- A chief investment officer (CIO) designated as an authorised individual, responsible for investment decisions and methodology documentation.
- A chief compliance officer (CCO) and money-laundering reporting officer (MLRO), who may be the same person for firms with AUM under AED 250 million but must nonetheless demonstrate deep knowledge of blockchain AML typologies.
- A head of technology risk if the manager deploys smart-contract strategies or runs proprietary staking infrastructure.
Each authorised individual submits a detailed personal questionnaire, background check, reference letters and police clearance.
"VARA interviews each of the members before they adopt their roles to confirm grasp of rulebook obligations."
Technology-risk and smart-contract governance
Managers who invest in DeFi pools, yield-optimisers or tokenised real-world asset protocols must implement a smart-contract risk-assessment framework. Elements include:
- Code audits by at least one independent firm before deploying client capital.
- Real-time monitoring of oracle feeds, collateral ratios and governance-vote outcomes that could alter pool parameters.
- Pre-approved whitelist of protocols, subject to annual review.
- Emergency withdrawal runbooks if exploits emerge.
Where managers run validator nodes or provide staking services, they must demonstrate key-management segregation and operational procedures to prevent slashing.
Conduct of business and disclosure
Suitability and risk assessment
Before accepting a discretionary mandate from a retail-capable customer, a manager must gather financial-knowledge questionnaires, investment objectives and loss tolerance. For professional clients, defined as individuals with portfolios above USD 1 million or institutions meeting net-asset tests, the suitability threshold is lower, but managers still must provide clear risk-disclosure statements covering volatility, protocol failure, regulatory change and counterparty risk.
Fair allocation
If the manager operates both collective funds and segregated mandates, it must maintain policies ensuring fair trade allocation. Block trades should allocate fills proportionally by order size unless documented reasons justify deviation.
Fees and performance arrangements
All fees (management, performance, custody pass-throughs, DeFi gas reimbursement) must be disclosed in writing. Performance fees may not exceed fifty percent of net gains and must incorporate high-water marks per international best practice. VARA reserves the right to challenge fee models it considers excessive or insufficiently transparent.
Marketing restrictions
Licensees may market products to retail investors only if they secure a retail endorsement and implement additional disclosures, leverage caps and stress tests. Otherwise marketing must target professional investors solely, and promotional material must carry a legend stating that VARA does not endorse investment outcomes.
AML and sanctions controls
Given that crypto transactions can obscure origin, VARA compels managers to adopt chain-analytics screening for every inbound token deposit. Effective risk scoring must consider:
- Source wallet age and transaction history.
- Linkage to sanctioned addresses or mixers.
- Exposure to darknet markets or ransomware wallets.
Where risk scores exceed thresholds, tokens may only be accepted after enhanced due diligence, often requiring source-of-wealth documentation that ties to off-chain identity. Transactions involving privacy-enhanced coins such as Monero are prohibited unless the manager obtains a case-by-case no-objection from VARA.
Application roadmap
Pre-application engagement
Founders submit a two-page concept note detailing intended strategies, target investors, and anticipated AUM over three years. VARA provides informal feedback within ten working days, flagging any show-stopper concerns.
Phase one: Regulatory business plan
The formal submission begins with a thirty-to-fifty-page business plan covering governance, investment process, target protocols, leverage usage, liquidity risk and stress scenarios. It includes three-year financial projections, capital-adequacy worksheets and a detailed description of the technology stack.
Phase two: Policies and manuals
Applicants upload AML manuals, compliance monitoring programs, risk-assessment matrices, smart-contract governance procedures, valuation policies, best-execution policies and client-asset segregation documents.
Phase three: Personal-fitness files
Each controlled-function holder completes a personal questionnaire, and notarised IDs plus police clearances are submitted.
VARA review
A case officer conducts iterative queries. Common topics include DeFi exposure limits, valuation of illiquid tokens, and insurance cover for cold-wallet theft.
Management interviews
C-suite executives join a deep-dive meeting to defend strategy, liquidity controls and cybersecurity posture.
In-principle approval
Upon passing the review, VARA issues a conditional letter requiring the applicant to:
- Incorporate a Dubai entity and deposit capital.
- Sign an office lease.
- Activate insurance cover (minimum AED 5 million crime and cyber).
- Demonstrate live reconciliation between on-chain and ledger balances.
Final licence
Once proof is filed, VARA grants the VA management and investment services licence, along with any retail endorsement or staking endorsement if applied for.
"Total time from initial engagement to final licence ranges from four months for vanilla discretionary managers to eight months for complex DeFi-rich strategies."
Periodic reporting and inspections
Licensees submit quarterly prudential returns, semi-annual client-asset attestations signed by the auditor, and annual financial statements. VARA reserves the right to conduct on-site inspections with five-business-day notice, including wallet-sweep tests and review of transaction-monitoring alerts.
Comparison with global regimes
Dubai’s licence resembles the UK FCA’s Investment Firm Prudential Regime for crypto managers but imposes heavier hot-wallet limits. Singapore’s MAS requires a capital-markets licence plus a specialised digital-payment-token permission for managers who also custody. The European Union’s MiCA permits asset-management activities but currently lacks detailed DeFi guidance, something VARA addresses head-on with smart-contract and staking rules. Compared with New York’s BitLicense, Dubai’s approach is more granular, segregating custody, exchange and management rather than issuing a single catch-all authorisation.
Common stumbling blocks
New applicants often underestimate technology-risk evidence. A whitepaper description of “institution-grade cold storage” is insufficient; VARA asks for vendor certificates, signing diagrams and testnet demonstrations. Another pitfall is incomplete stress-testing. The authority expects scenario analysis such as a fifty percent overnight drop in Bitcoin and a fourteen-day Ethereum chain halt, translated into liquidity impact and capital buffer usage.
Practical readiness checklist
- Draft investment committee charter early, showing quorum, voting thresholds and conflict-management steps.
- Secure a Memorandum of Understanding with an external auditor experienced in on-chain balance substantiation.
- Integrate chain-analytics API before submitting AML manual to prove data fields match policy promises.
- Negotiate crime-and-cyber insurance well ahead, as underwriters often require a VARA policy review.
- Build an investor-reporting template aligned with International Crypto Fund Reporting Standards to simplify approval.
- Governance demands include a resident CEO, an authorised CIO, a compliance/AML officer, and if applicable, a head of technology risk for DeFi or staking strategies.
- Smart-contract investing requires whitelisted protocols, real-time oracle monitoring, and emergency withdrawal procedures, with audited code before client deployment.
- Application involves a three-phase process: business plan submission, policy and manual uploads, and personal vetting of senior personnel, followed by interviews and dry-run system tests.
Emerging themes: tokenised real-world assets and ESG reporting
VARA anticipates a surge in managers launching funds that hold tokenised treasury bills, carbon credits or real-estate income streams. It will shortly release supplemental guidance on valuation mechanisms for such hybrid tokens. In parallel, the authority is drafting sustainability reporting expectations for funds that market themselves as ESG-compliant, including disclosure of mining-energy usage and protocol-level governance inclusivity.
Aston VIP: Your gateway to swift licensing and resilient operations
Navigating a 200-plus-page rulebook while simultaneously raising capital can overwhelm even seasoned portfolio managers. Aston VIP bridges the gap. Our regulatory consultants craft the business plan in language that addresses VARA’s risk-matrix directly. Cyber engineers design wallet-segregation architectures using UAE-hosted MPC solutions. Compliance officers prepare AML systems, transaction-monitoring rules, and quarterly return templates. Post-licence, we can provide outsourced MLRO support, conduct board-level risk workshops, and coordinate annual audits.
From concept to first trade, Aston VIP ensures your Dubai-based virtual asset management firm meets the highest standards, wins investor confidence and scales seamlessly in a jurisdiction that has placed itself at the vanguard of digital-asset regulation. Reach out today and let us turn regulatory ambition into operational reality.