virtual asset service provider (vasp)

definition

A virtual asset service provider (VASP) is any entity that conducts one or more regulated activities involving virtual assets on behalf of or for the benefit of customers. The FATF definition identifies five core VASP activities: exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, transfer of virtual assets, safekeeping or administration of virtual assets (including custody), and participation in financial services related to a virtual asset offering or sale. Any entity performing one or more of these activities is a VASP and must be licensed or registered under the applicable regulatory framework.

uae regulatory application

The UAE implements the VASP concept through its multi-authority framework, with each regulatory authority defining its own activity categories within the FATF-derived baseline.

VARA defines seven activity categories that map to and extend beyond the FATF VASP definition: advisory services, broker-dealer services, custody services, exchange services, lending and borrowing, VA management and investment, and VA transfer and settlement. Any firm conducting one or more of these activities in or from Dubai must obtain VARA licensing.

ADGM FSRA integrates VASP activities into its Financial Services Permission framework, authorizing specific regulated activities related to digital assets. The FSRA’s approach treats virtual asset activities as a subset of broader financial services regulation rather than a distinct regulatory category.

The DFSA authorizes activities related to recognized crypto tokens only, meaning that a firm can only be a VASP within DIFC to the extent it deals in tokens on the DFSA’s approved list. This creates the narrowest practical VASP scope among UAE regulators.

The SCA regulates VASPs under Cabinet Decision No. 111 of 2022 and SCA Decision No. 23/R.M of 2020, covering onshore UAE operations outside the financial free zones. The SCA also maintains the national VASP register that catalogues all licensed VASPs across all jurisdictions.

licensing triggers and thresholds

The VASP classification triggers licensing obligations. Operating as an unlicensed VASP in the UAE is a regulatory violation that may result in enforcement action, fines, and criminal penalties. The SCA maintains a warnings page identifying entities flagged for operating without authorization.

The determination of whether a firm is a VASP depends on whether it conducts any of the defined activities as a business — meaning on a regular, commercial basis rather than as isolated personal transactions. The multi-authority licensing strategy guide provides guidance on assessing licensing requirements. The licensing activity tracker dashboard tracks licensing activity across all authorities.

compliance obligations

Licensed VASPs across all UAE jurisdictions must implement AML/CFT compliance programs including customer due diligence at onboarding and on an ongoing basis, transaction monitoring calibrated to the specific risks of virtual asset activities, suspicious transaction reporting to the UAE FIU through the goAML system, Travel Rule compliance for originator and beneficiary information, EOCN sanctions screening, and record-keeping for at least five years.

Beyond AML/CFT, VASPs must meet authority-specific requirements covering capital adequacy, technology governance, client asset protection, conduct of business standards, and ongoing supervisory reporting. The VARA complete framework analysis and ADGM FSRA digital asset framework examine authority-specific requirements in detail.

international context

The VASP concept is applied globally, with variations in scope across jurisdictions. The EU’s MiCA framework uses the term Crypto-Asset Service Provider (CASP) with a similar scope. Hong Kong’s VASP licensing regime under its AMLO defines VASPs in line with the FATF definition. Bahrain’s Central Bank Crypto Asset Module uses its own activity taxonomy. The UAE vs EU MiCA comparison and UAE vs Hong Kong comparison examine how VASP definitions and regulatory treatment compare across jurisdictions.

The FATF’s ongoing guidance updates may expand the VASP definition to cover emerging activities including DeFi protocol operation and NFT marketplace operation, which would require corresponding updates to UAE regulatory frameworks.

multi-jurisdiction vasp operations

The UAE’s multi-authority framework means that a firm may need separate VASP authorizations from multiple authorities to operate across jurisdictions. A firm licensed by VARA in Dubai is not automatically authorized to operate in ADGM or under SCA federal regulation. Multi-jurisdiction operations require separate license applications to each authority, compliance with each authority’s specific regulatory requirements, coordinated reporting to multiple supervisory bodies, and unified AML/CFT compliance meeting both federal and authority-specific standards. The cross-emirate regulatory arbitrage analysis examines how firms navigate the competitive dynamics between jurisdictions. The federal vs free zone comparison explains the jurisdictional architecture that creates these multi-licensing requirements.

supervisory expectations

UAE regulatory authorities expect VASPs to maintain governance and operational standards commensurate with the risks they manage. This includes board-level risk oversight, independent compliance functions, adequate technology governance including cybersecurity and operational resilience, and robust client asset protection mechanisms. Supervisory assessments examine operational effectiveness rather than policy documentation alone — authorities want to see that controls actually function as designed. The VARA enforcement actions brief demonstrates how supervisory expectations translate into enforcement outcomes when standards are not met.

related terms

See also virtual asset, financial services permission, regulatory sandbox, and AML/CFT.