Part I – Compliance Management
Introduction
Part I of this Compliance and Risk Management Rulebook sets out:
• General principles for regulatory compliance;
• The implementation of a compliance management system including appointing a Compliance Officer [CO];
• Management, operations and information risk;
• Record keeping and audit; and
• Employee management and training.
A. General Principles
VASPs shall comply with the spirit of the following principles when conducting all their business from or through, or servicing the Emirate, including all VA Activities.
1. Integrity – honesty and fairness: VASPs should act truthfully, justly and equitably, in good faith serving the best interests of their clients, yet at all times preserving market integrity.
2. Diligence: VASPs should act with the due skill, care and diligence reasonably expected of a VASP of a similar nature and/or catering to a similar activity.
3. Capabilities: VASPs should have, and effectively employ, the necessary resources [financial, technical or otherwise] and procedures for the sound, effective and efficient operation of their business, including VA Activities.
4. Client assets: VASPs should ensure that client assets are promptly and properly accounted for, and adequately safeguarded.
5. Effective disclosures: VASPs should ensure that any disclosure is clear, concise and effective, contains the information necessary for their clients to make an informed decision, and is kept up-to-date. VASPs should dispatch information in a timely manner if ongoing disclosure is required by relevant authorities, including VARA, or under any fiduciary duty owed by VASPs to their clients.
6. Compliance: VASPs should devise effective strategies to ensure ongoing compliance with—
a. all legal and regulatory requirements [including any conditions in respect of a Licence] applicable to the conduct of their business, including VA Activities; and
b. their own constitutional documents, internal policies and controls, so as to promote the best interests of their clients and for promoting the integrity of the market.
7. Dealings with regulators. VASPs should act in an open and transparent manner with regulators at all times, including VARA.
B. Compliance Management System
1. VASPs shall establish and maintain an effective compliance management system [CMS] which—
a. covers all relevant aspects of their operations, including the unfettered access to necessary records and documentation by the Board and relevant Staff;
b. is independent of all operational and business functions;
c. ensures that the CO is notified of any material non-compliance promptly;
d. comprises technical competence, resources [including financial and non-financial] and experience necessary for the performance of their functions; and
e. comprises a testing and monitoring programme that is risk-based and designed to regularly select and review different areas of the business and analyse key performance and risk indicators, in order to allow them to identify potential compliance violations and to ensure that they comply with all applicable laws and regulatory requirements, and their own internal policies and procedures at all times.
2. The CO shall ultimately be responsible for establishing and administering the CMS and notifying VARA and other relevant authorities of the occurrence of any material non-compliance by the VASP, its Board or its Staff with applicable legal and regulatory requirements.
3. VASPs shall establish, maintain and enforce clear and detailed compliance policies and procedures to enable all Staff and the Board to—
a. comply with all applicable legal and regulatory requirements at all times, including all conditions in respect of a Licence, record keeping, business practices, AML/CFT, and compliance with relevant client, proprietary and Staff dealing requirements;
b. ensure that client complaints are handled properly with appropriate remedial action. Complaints should be handled and investigated by Staff who are not directly involved in the subject matter of the complaint; and
c. have access to all necessary information required to perform a business transaction.
4. The CMS and the compliance policies and procedures shall be reviewed and updated from time to time to ensure that they are aligned with the changing business and regulatory landscape applicable to the global Virtual Asset sector.
5. VASPs shall ensure that all Staff performing compliance functions are Fit and Proper Persons and possess the necessary skills, qualifications and experience for their roles.
6. To the extent that VASPs carry out any VA Activities or similar business activities anywhere other than the Emirate, VASPs shall comply with all applicable law and regulatory requirements in any jurisdiction in which they carry out such VA Activities or similar business activities.
C. Duties of the Compliance Officer
1. VASPs shall appoint a CO who—
a. possesses at least five [5] years of relevant experience in a compliance function;
b. is a Fit and Proper Person as approved by VARA;
c. is a resident in the UAE or holds a UAE passport;
d. is a full-time employee of the VASP; and
e. reports directly to the Board.
Such appointment shall be reviewed annually to ensure that the CO remains a Fit and Proper Person capable of discharging all relevant duties. VARA has the sole discretion to request a VASP to provide such evidence as VARA may require which shows that the above requirements are satisfied.
2. The CO shall be responsible for—
a. ensuring Staff, including Senior Management, are properly and adequately trained in respect of their understanding and compliance with all applicable laws and regulatory requirements, including those relating to consumer protection and AML/CFT;
b. developing and implementing compliance policies and procedures, including a Business Continuity and Disaster Recovery Plan [BCDR Plan] as required in the Technology and Information Rulebook;
c. assessing emerging issues and risks;
d. reporting compliance activities and compliance audits to the Board; and
e. if necessary, ensuring appropriate corrective actions are taken in response to deficiencies in the CMS and/or non-compliance with any applicable laws or regulatory requirements.
3. Compliance activities may be delegated to appropriate professionals, provided that—
a. the CO shall continue to be held accountable for all responsibilities and obligations in relation to the implementation of the CMS; and
b. all applicable requirements in the Company Rulebook, including Outsourcing management requirements, are complied with.
4. Subject to relevant requirements in the Company Rulebook and if deemed appropriate by the VASP, the CO may hold more than one [1] non-client facing role within the VASP, provided such roles do not create conflicting duties, including but not limited to, the Money Laundering Reporting Officer [MLRO] and the head of the risk function. VARA will take into account other roles held by the CO in determining whether the individual is a Fit and Proper Person.
D. Risk Management
1. VASPs shall establish and maintain—
a. an effective risk management function;
b. policies and procedures; and
c. risk measurement and reporting methodologies,
commensurate with the nature, size, complexity, and risk profile of the VASP in order to identify, measure, quantify, manage and monitor the risks, whether financial, technological or otherwise, to which they are or may be exposed. Such policies and procedures should be followed strictly to ensure that risks are maintained at acceptable and appropriate levels.
2. The risk management function should consist of a sufficient number of suitably qualified and experienced Staff. The head of the risk function of a VASP must have the appropriate qualifications and authority to oversee and monitor the overall risk exposures of the VASP. The CO may also be the head of the risk function. If the head of the risk function is a separate individual from the CO, the head of the risk function must also report directly to the Board of the VASP.
3. The Board shall ensure that the risk management policies are subject to ongoing comprehensive review, particularly when there is a material change in the VASP’s business, operations or Senior Management or Staff, or to the market conditions and applicable laws and regulations that may affect the risk exposure of the VASP.
4. The head of the risk function of a VASP shall submit risk exposure reports to the Board which identify and report all actual or potential risks. Such reports must be submitted to the Board at least once every quarter, or more frequently if required for the VASP to address a specific risk which has been identified.
5. The effectiveness of the risk management policy of each VASP will depend on the types of risks associated with the VASP and its business operations, including the VA Activities it carries out. The key types of risks that must be considered by all VASPs, and reported in the risk exposure reports under Rule I.D.4 of this Compliance and Risk Management Rulebook above to the extent they are applicable, and the mitigating measures which must be adopted for each type of risk include, but are not limited to—
a. Financial stability risks.
i. Financial soundness: Risks arising when a VASP lacks the necessary capital, liquidity or reserves to run operations [both in the going-concern and wind-down scenario] and meet all commitments to its clients, including but not limited to when a VASP is likely to be unable to comply with any of its Capital and Prudential Requirements in the Company Rulebook.
ii. Market risk: Risks arising from the type and nature of market risk undertaken by the VASP [e.g. the nature of market risk exposure of the VASP’s services and VA Activities]. In relation to such risks, VASPs shall adopt mitigating measures including but not limited to—
1. regular control techniques to monitor market risks, including conducting regular reviews of financial statements and the value of their Virtual Asset holdings; and
2. the establishment and maintenance of effective risk management measures to quantify the impact of changing market conditions on themselves and their clients. Factors to be considered include—
(a) unspecified adverse market movements [including but not limited to “flash crashes”, catastrophic risk or tail events], by using an appropriate value-at-risk model or other methodology to estimate potential loss;
(b) individual market factors, to measure the sensitivity of the VASP’s risk exposure to specific market risk factors; and
(c) stress testing, determining the effect of material changes in market conditions [whether or not specific to Virtual Asset markets] on the VASP using quantitative and qualitative variable assumptions.
iii. Credit risks: Risks arising from the type and nature of credit risk undertaken by the VASP [e.g. the nature and level of credit risk exposure of the VASP’s services and VA Activities]. In relation to such risks, VASPs shall adopt mitigating measures, at both an individual account and consolidated account level, including but not limited to—
1. establish and maintain an effective credit rating system to evaluate the creditworthiness of their clients and counterparties;
2. adopt clearly defined objective measures to evaluate potential clients and counterparties and to determine or review the relevant credit ratings which are used to set appropriate credit, trading and position limits for all clients and counterparties, which shall be enforced at all times;
3. use appropriate quantitative risk measurement methodologies to effectively calculate and monitor the credit exposure of the VASP in relation to clients and counterparties, including pre-settlement credit exposures and settlement risks. Credit risks posed by all clients and counterparties belonging to the same group of Entities can be aggregated for the purpose of measuring the credit exposure of the VASP;
4. if applicable in respect of the VA Activities of the VASP, establish and maintain all policies in respect of margin required under any Rulebook, which notwithstanding all other requirements in those Rulebooks should include—
(a) the types of margin which may be called, the applicable margin rates and the method of calculating the margin;
(b) the acceptable methods of margin payment and forms of collateral;
(c) the circumstances under which a client or counterparty may be required to provide margin and additional margin, and the consequences of a failure to meet a margin call, including the actions which the VASP may be entitled to take; and
(d) applicable escalation procedures where a client or counterparty fails to meet successive margin calls.
iv. Liquidity risks: Risks arising from the type and nature of the VASP’s liquidity or asset and liability mix. In relation to such risks, VASPs shall adopt mitigating measures including but not limited to—
1. enforce concentration limits with respect to particular products, markets and counterparties, taking into account their liquidity profile and the liquidity profile of the VASP;
2. regularly monitor any maturity mismatch between sources and funding requirements and concentrations of individual Virtual Assets, markets and counterparties; and
3. establish clear default procedures to alert relevant Staff and Senior Management to potential liquidity problems and to provide such Staff and Senior Management with sufficient time to minimise the impact brought by any client’s or counterparty’s liquidity issues.
b. Market conduct risks.
i. Business strategy: Risks arising from the overall strategy and current sources of business of the VASP [e.g. strategic planning process and achievability of strategy].
ii. Client onboarding risks: Risks arising from onboarding clients [individuals and corporates]. This refers to the level of client due diligence [CDD] applied, such as sanction screening, risk rating and watchlist screening.
iii. Organisation and regulation: Risks arising from the structure of a VASP and from the characteristics and nature of the responsibilities of UBOs, Board members and Senior Management.
iv. Operational risks: Risks arising from the type and nature of operational risk involved in the VASP’s activities [e.g. direct or indirect loss from inadequate or failed internal processes, systems or external events].
v. Quality of management & corporate governance: Risks arising from the quality of the VASP’s management, the nature of the corporate governance, management information and compliance culture, including but not limited to non-compliance with relevant requirements in the Company Rulebook.
vi. Relationship with regulators: Risks arising from the nature of the VASP’s relationship with other regulators, including recent regulatory history.
vii. Cybersecurity risks: Risks of exposure or loss from a cyber-attack or a data, system or security breach, including any breach of Personal Data security and non-compliance with relevant requirements in the Technology and Information Rulebook. VASPs must also include all risks to the VASP’s reputation in such events.
c. Compliance and risk management risks.
i. AML/CFT, market abuse & fraud: Risks arising from the VASP’s susceptibility to financial crime risk arising from money laundering, market abuse, terrorism financing, and fraud, including but not limited to non-compliance with relevant requirements in this Compliance and Risk Management Rulebook.
ii. Outsourcing & counterparty risks: Risks arising from Outsourcing to third parties, developing relationships or dependencies on counterparties in any transactions, including with any Controlling Entity, Group Entity or UBO.
iii. Risk management systems: Risks arising from the nature and effectiveness of the systems and procedures to identify, measure, monitor and control the VASP’s risks [e.g. credit risk, insurance underwriting risk, market risk, operational risk, legal risk and new product risk].
iv. Compliance function and arrangements: Risks arising from the nature and effectiveness of the compliance function of a VASP. These include its mandate, structure, staffing, methodology, reporting lines and effectiveness.
v. Business continuity: Risks arising from the effectiveness of business continuity arrangements, including but not limited to non-compliance with relevant requirements in this Compliance and Risk Management Rulebook.
d. Consumer protection risks.
i. Communications with clients & financial promotions: Risks arising from the nature of financial promotion and advertising practices employed by the VASP, including but not limited to non-compliance with relevant requirements in the Market Conduct Rulebook.
ii. Legal risks: Risks arising from the nature of the VASP’s contractual agreements.
iii. Disclosure and reporting: Risks arising from the nature of terms of business, periodic statements and other documentation provided to clients, including but not limited to non-compliance with relevant requirements in the Market Conduct Rulebook.
iv. Client assets: Risks arising from the VASP holding or controlling Client Money and Client VAs.
E. Operation Management
1. VASPs shall establish and maintain effective operational policies and processes to ensure—
a. they have regular exchange of information with their clients, Group and, where appropriate, counterparties;
b. the integrity of their dealing practices, including the treatment of all clients in a fair, honest and professional manner;
c. the safeguarding of both their assets and all Virtual Assets [including Client VAs] in accordance with applicable requirements in this Compliance and Risk Management Rulebook and the Technology and Information Rulebook;
d. the maintenance of proper records and the reliability of the information contained in such records in accordance with applicable requirements in this Compliance and Risk Management Rulebook; and
e. the compliance by the VASP and all its Staff with all applicable laws and regulatory requirements.
2. Where a VASP may act on behalf of the client in relation to the operation of an account, it shall properly communicate to the client the necessary procedures and terms and conditions under which the VASP may act on its behalf in transactions which are consistent with the stated objectives of the client, and strictly follow such procedures.
3. In addition to applicable requirements in the Market Conduct Rulebook, VASPs shall establish and enforce procedures to ensure that there are safeguards against any of their Staff or members of the Board taking advantage of confidential information or Inside Information.
4. In addition to applicable requirements in the Technology and Information Rulebook, VASPs shall establish and maintain robust procedures to protect their Virtual Assets and Client VAs from theft, fraud and/or misappropriation. All Staff and members of the Board should follow all applicable internal protocols to acquire, transfer or otherwise dispose of any of the VASP’s Virtual Assets and Client VAs in accordance with applicable requirements in this Compliance and Risk Management Rulebook and the Technology and Information Rulebook.
5. VASPs shall regularly check all—
a. records and reports, whether issued by third parties, such as banks, other VASPs, or other virtual asset service providers outside of the Emirate; and
b. relevant information recorded on all systems including distributed ledgers,
and reconcile the above with their internal records for the purpose of identifying any errors, omissions or misplacement of assets, including Virtual Assets.
6. VASPs may establish committees as they deem appropriate in order to ensure compliance with all applicable laws and regulatory requirements. VARA may require a VASP, either as a condition of granting a Licence or at any stage thereafter, to establish any committee[s] determined by VARA as it deems appropriate, and VASPs shall comply with such requirements.
F. Books and Records
1. VASPs shall keep their books and records properly in their original form or native file format [including as recorded on distributed ledgers where appropriate], including—
a. keeping proper audit trails of all transactions, such as the amount, date and time of each transaction, any payment instruction, the total amount of fees and charges, the names, details of accounts or VA Wallets and country of residence of the clients and, to the extent practicable, that of any other Entities involved in the transaction, so as to enable the VASP to carry out a thorough investigation of any Suspicious Transactions [subject to further requirements set out in Part III of this Compliance and Risk Management Rulebook];
b. maintaining and organising all information relating to clients produced by third parties;
c. maintaining sufficient records to prove that the VASP is in compliance with all applicable laws and regulatory requirements, including AML/CFT laws and requirements in Part III of this Compliance and Risk Management Rulebook;
d. keeping proper records to enable the VASP to carry out an audit in a convenient manner;
e. keeping a general ledger containing all assets [including Virtual Assets], liabilities, ownership equity, income and expense accounts;
f. keeping statements or valuations sent or provided to clients and counterparties;
g. keeping minutes of meetings of the Board;
h. retaining communications and documentation related to investigations of client complaints and transaction error resolution or concerning facts giving rise to potential violation of laws and regulatory requirements; and
i. maintaining a conflicts of interest register in accordance with the Company Rulebook.
2. VASPs shall retain each such record as set out in Rule I.F.1 of this Compliance and Risk Management Rulebook in accordance with the following timelines—
a. no less than eight [8] years; or
b. for an indefinite period for all records which may relate to national security of the UAE.
3. VASPs shall furnish copies of any records to VARA in accordance with all applicable requirements in the Regulations, Rules or Directives.
G. Audit
1. External audit.
a. VASPs shall appoint an independent third-party auditor to perform an audit of the financial statements of the VASP in order to make available an annual report, and promptly notify VARA of the full name and contact details of the auditor upon appointment.
b. The annual report of VASPs shall promptly be made available to their clients and VARA upon request.
c. VASPs should understand the steps taken by the auditor in proving the existence and ownership of Virtual Assets and ascertaining the reasonableness of the valuation of Virtual Assets.
d. The accounting information given in the annual report shall be prepared in accordance with generally accepted accounting principles.
e. If requested, VASPs shall procure relevant counterparties to cooperate with the auditor and to provide the auditor with all necessary information for the auditor to conduct the audit.
f. VARA may in its sole and absolute discretion require a VASP to appoint alternative auditors if their original auditors are not deemed appropriate for the size and complexity of their business and in terms of reputation.
2. Internal audit.
a. VASPs shall, where applicable, establish and maintain an objective internal audit function which shall be independent of the operational function and submit regular reports directly to the Senior Management.
b. VASPs shall establish and maintain clear policies in defining the role and responsibilities of, and the working relationship between, the internal and external auditors.
c. The internal audit function shall—
i. perform audit work regularly and at least on a quarterly basis;
ii. inform the Senior Management of findings and recommendations; and
iii. follow up with and resolve matters or risks highlighted in the relevant reports.
H. Regulatory Reporting
1. On a monthly basis, VASPs shall as a minimum submit to VARA the following information—
a. their balance sheet and a list of all off-balance sheet items;
b. their statement of profit and loss;
c. their income statement;
d. their cashflow statements;
e. addresses of their VA Wallets;
f. a full list of Entities in their Group that actively invest their own, or the Group’s, portfolio in Virtual Assets, and a complete record of all transactions, including but not limited to loans or any transactions involving any VA Activity for which the VASP is Licensed, with all such Entities identified; and
g. transactions with Related Parties as prescribed in the Company Rulebook.
2. On a quarterly basis, VASPs shall as a minimum submit to VARA the following information—
a. the minutes of all Board meetings and Board committee meetings;
b. a statement demonstrating compliance with any financial requirements established by VARA including but not limited to Reserve Assets;
c. financial projections and strategic business plans; and
d. a risk exposure report prepared and submitted to the Board in accordance with Rule I.D.4 of this Compliance and Risk Management Rulebook.
3. On an annual basis, VASPs shall as a minimum submit to VARA the following information—
a. audited annual financial statements, together with an opinion and an attestation by an independent third-party auditor regarding the effectiveness of the VASP’s internal control structure;
b. an assessment by Senior Management of the VASP’s compliance with such applicable laws, Regulations, Rules and Directives during the fiscal year covered by the financial statements;
c. certification of the financial statements by a member of the Board or a Responsible Individual attesting to the truth and correctness of those statements;
d. a representative sample of all documentation relating to client onboarding [including actual documentation of the first one hundred [100] clients onboarded of the year];
e. descriptions of product offerings relating to their VA Activities;
f. Group structure chart including shareholding of the VASP and the identity of all UBOs;
g. the names of each of the members of the Board and the Senior Management in the VASP, a brief biography of each such member including their qualifications and experience and any position that a member of the Board or the Senior Management holds in other Entities;
h. the identification of any independent director[s] if applicable;
i. the names of all the members of any committees, the authorities and assignments entrusted thereto, and activities carried out by the committees during that year; and
j. the number of meetings held by the Board and the committees, and the names of the attendees.
4. VARA may, upon request to a VASP, require information to be provided in addition to that listed in Rule I.F.1 of this Compliance and Risk Management Rulebook.
I. Regulatory Notifications
1. VASPs shall notify VARA in writing of—
a. any changes to items set out in Rule I.H.3 of this Compliance and Risk Management Rulebook; and
b. any criminal or material civil action, charge or proceedings or Insolvency Proceedings, or any investigations, inspection or enquiries which may lead to any such action, charge or proceedings, made against the VASP or any of its Board members, UBOs or Senior Management, immediately after the commencement of any such action, charge, proceeding, investigation, inspection or enquiry.
2. VASPs shall submit a report to VARA immediately upon the discovery of any violation or breach of any law, Regulation, Rule or Directive related to the conduct of any VA Activity.
3. VASPs shall, upon request from VARA, disclose information regarding their activities in jurisdictions other than the Emirate.
4. VASPs shall comply with all requirements in the Technology and Information Rulebook with regards to notifying VARA of incidents relating to a cybersecurity breach, including but not limited to incidents involving a loss of information or affecting Personal Data.
J. Staff Management and Training
1. VASPs shall implement procedures to ensure that they only employ suitably qualified individuals with the requisite skills, knowledge and expertise to perform the duties for which they are employed and that such individuals are duly registered with all applicable professional bodies as required.
2. VASPs shall employ appropriate numbers of Staff to discharge relevant duties effectively. Unless otherwise stated in the Regulations and Rulebooks, Staff are not required to be physically located in the Emirate, provided that the VASP is able to ensure that all supervisory, monitoring and enforcement functions are effectively implemented to VARA’s satisfaction.
3. VASPs shall ensure that all Staff are provided with adequate and up-to-date information regarding all their policies and procedures.
4. Adequate training suitable for the duties which the Staff are required to perform in their role shall be provided at the beginning of their employment and on an ongoing basis.
5. VASPs shall implement and provide AML/CFT training for all Staff on a regular basis and monitor their compliance with all established procedures.
6. VASPs shall make necessary arrangements to ensure that all operational policies and procedures are communicated to new hires within their first thirty [30] calendar days of starting their employment.
7. In the event that the operational policies and procedures are updated, VASPs shall ensure that—
a. relevant information is promptly communicated to all Staff; and
b. any such updated operational policies and procedures are made available to all Staff at all times.