Part IV – Compliance Obligations of Issuers
A. Licensed Distributors
1. In addition to any other legal or regulatory requirements applicable to a Virtual Asset, issuing a Virtual Asset and/or the Issuer, Issuers must comply with Rules IV.A-G of this VA Issuance Rulebook.
2. If the issuance of a Virtual Asset is carried out on behalf of the Issuer by a Licensed Distributor, compliance with Rules IV.B and IV.C of this VA Issuance Rulebook is adequately demonstrated by the Issuer, provided that the Issuer must take all reasonable steps to ensure the Licensed Distributor is appropriately Licensed and maintain a record of the appointment and the steps it has taken.
3. Licensed Distributors who have been appointed on behalf of an Issuer must comply with Rules IV.B and IV.C of this VA Issuance Rulebook as a minimum, to the extent such requirements are not already met through compliance with all Regulations, Rules, Directives or conditions of the Licence applicable to the Licensed Distributor.
B. Technology and Security
1. Risk assessment and controls. Issuers must ensure that they implement systems and controls necessary to address risks including, but not limited to, cybersecurity-related risks to the Virtual Asset and the issuance of such Virtual Asset. Such systems and controls should address a number of factors including, but not limited to, the nature, scale and complexity and the level of risk inherent with the Virtual Asset.
2. Issuers must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent to all Virtual Assets they issue. The technology governance and risk assessment framework should apply to all technologies relevant to the Virtual Asset.
3. Issuers must ensure that their technology governance and risk assessments are capable of determining the necessary processes and controls that they must implement in order to adequately mitigate any risks identified. In particular, Issuers must ensure that their technology governance and risk assessment frameworks include a consideration of the applicability of international standards, or industry best practice codes.
4. Issuers must ensure that their technology governance and risk assessment frameworks address governance policies and system development controls for ongoing development and maintenance, such as a development, maintenance and testing process, back up controls, capacity and performance planning and availability testing.
5. Testing and audit. Issuers must engage a qualified and independent third-party auditor to conduct—
a. comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts used for the purposes of a Virtual Asset; and
b. vulnerability assessments and penetration testing.
6. Issuers should maintain effective internal functions and measures for continuous monitoring of their operations and processes. In particular, Issuers must perform the following on a regular basis, and as may be requested by VARA—
a. security testing on both infrastructure and applications; and
b. internal system and external system vulnerability audits.
7. Evidence of tests and audits must be documented by Issuers and be made immediately available for inspection by VARA upon request.
C. Anti-Money Laundering and Combating the Financing of Terrorism [AML/CFT]
1. Issuers must comply with all Federal AML-CFT Laws as well as all other laws, regulation, rules and guidelines in respect of AML/CFT applicable to their business or operations in any jurisdiction at all times.
2. Controls and systems. Issuers should have effective AML/CFT controls and systems in place which can adequately manage the AML/CFT risks relevant to all Virtual Assets that they issue.
3. Risk assessment. In implementing adequate and appropriate AML/CFT policies, procedures, and controls to detect and prevent illicit activities, Issuers must conduct AML/CFT business risk assessments. The AML/CFT business risk assessments must be designed and implemented to assist the Issuer to better understand its risk exposure, and areas in which it should prioritise allocation of resources in its AML/CFT activities. This includes identifying and assessing the AML/CFT risks arising from the development and use of new or existing—
a. Virtual Assets [in particular, Anonymity-Enhanced Cryptocurrencies];
b. Virtual Asset related products or services [in particular, methods in which Anonymity-Enhanced Transactions can be conducted];
c. Virtual Asset related business and professional practices; and
d. technologies associated with VA Activities.
D. Marketing Regulations
1. Issuers must comply with The Regulations on the Marketing of Virtual Assets and Related Activities 2024 [Marketing Regulations], issued by VARA and as may be amended, updated or supplemented from time to time [the Marketing Regulations].
E. Personal Data Protection
1. Issuers must comply with all applicable data protection and data privacy requirements in all relevant jurisdiction[s]—
a. within the UAE including, but not limited to, the PDPL and any sectoral or free zone laws and regulations that may apply to the Issuer; and
b. any data protection laws outside of the UAE that may apply to the Issuer’s activities wheresoever conducted.
F. Tax Reporting & Compliance
1. Issuers must, at all times, comply with all tax reporting obligations under applicable laws including, but not limited to, under the Foreign Account Tax Compliance Act [FATCA] where applicable.
G. Books and Records
1. Issuers must keep and preserve adequate books and records relating to all Virtual Assets that they issue and, as a minimum, all necessary information to demonstrate compliance with this VA Issuance Rulebook.
2. Notwithstanding any requirements in other applicable laws or regulations regarding the retention of data or information, such records must be kept for a period of eight [8] years from their date of creation and in a condition that will allow VARA to determine the Issuer’s compliance with its obligations under this VA Issuance Rulebook.