As the global hub for innovation and digital transformation, Dubai has taken a proactive approach to regulating virtual assets (VAs) with the establishment of Dubai’s VARA, Virtual Asset Regulation Compliance, under Law No. (4) of 2022.
VARA aims to build trust, transparency, and consumer protection while enabling a thriving ecosystem for virtual asset service providers (VASPs) and users alike.
For businesses operating in this space, the role of a Data Protection Officer (DPO) is essential in ensuring compliance with VARA’s requirements and broader data protection laws.
Firstly, what is Dubai VARA?
VARA is the dedicated regulatory body for virtual assets in Dubai, tasked with developing and enforcing a comprehensive framework for VA-related activities. Headquartered at the Dubai World Trade Centre (DWTC), VARA’s jurisdiction extends to Dubai’s mainland and free zones (excluding the DIFC).
What is the purpose of the VARA regulation?
VARA’s mission is to establish Dubai as a leading destination for responsible innovation in the VA sector by:
- Providing a transparent legal framework for VASPs.
- Protecting investors and consumers.
- Mitigating risks related to money laundering, fraud, and cybersecurity threats.
- Promoting responsible growth in the virtual asset ecosystem.
How Does Dubai VARA Shape the Role of a Data Protection Officer (DPO)?
VARA regulates all entities engaged in VA-related activities, including but not limited to:
- Issuance, trading, and exchange of VAs.
- Custody and storage services.
- Advisory, lending, and borrowing services.
- Marketing and promotional activities involving VAs.
What are the Key Regulations and Rulebooks under VARA?
VARA’s regulatory framework comprises Administrative Orders, Resolutions, and Rulebooks, each addressing specific aspects of the VA sector.
Administrative Order No. 01/2022: Regulation of Marketing, Advertising, and Promotions
Scope: Applies to all VA marketing activities in Dubai, including social media, blogs, events, and promotional materials.
Requirements:
- Marketing must be fair, clear, and non-misleading.
- Disclaimers about VA volatility and risks are mandatory.
- Paid content must be clearly labelled.
- VARA’s prior approval is required for all marketing campaigns.
Record-Keeping: Marketing records must be retained for at least two years.
Administrative Order No. 02/2022: Penalties for Marketing Violations
Administrative Resolution No. (03) of 2023: Grievance Committee Formation
- Establishes a formal mechanism for addressing grievances related to VARA’s decisions or penalties.
- Empowers the Committee to amend or revoke sanctions based on evidence.
Compulsory and Activity-Specific Rulebooks
Compulsory Rulebooks
- Company Rulebook: Corporate governance and financial prudence for VASPs.
- Compliance and Risk Management Rulebook: Requirements for AML/CFT measures and operational risk controls.
- Technology and Information Rulebook: Emphasises robust cybersecurity and data protection practices.
- Market Conduct Rulebook: Prohibits deceptive practices, ensuring fair trading and market integrity.
Activity-Specific Rulebooks
These rulebooks address specialised VA services, including:
- Advisory Services Rulebook: Standards for providing VA-related advice.
- Custody Services Rulebook: Requirements for safeguarding and segregating client assets.
- Exchange Services Rulebook: Rules governing VA trading platforms.
- Lending and Borrowing Rulebook: Regulatory standards for VA-based loans.
The Role of Data Protection and the Need for a DPO
Why Is Data Protection Critical Under VARA?
The VA ecosystem involves significant data processing, including sensitive financial and personal information. Ensuring data protection compliance is essential to maintain consumer trust and regulatory alignment.
Mandatory Appointment of a Data Protection Officer (DPO)
Entities operating within VARA’s jurisdiction must appoint a qualified DPO to oversee data protection practices. The DPO’s responsibilities include:
- Compliance Oversight: Ensures alignment with UAE Personal Data Protection Law (PDPL), VARA’s Technology Rulebook, and other applicable laws (e.g., GDPR for entities engaging with EU clients).
- Breach Management: Manages data breaches, mitigating risks to customers and regulatory exposure.
- Cross-Border Transfers: Facilitates secure and lawful international data transfers, critical in a globalised industry.
- Privacy by Design: Embeds data protection principles into business operations and technology solutions.
Broader Data Protection Considerations
- Retention Policies: Adhere to strict data retention guidelines to ensure compliance with VARA and UAE PDPL requirements.
- Data Minimisation: Limit data collection to what is necessary for VA services.
- Transparency: Ensure privacy notices clearly inform consumers about data usage and their rights.
- Consumer Protection: Align with UAE consumer protection laws, especially when marketing VA products.
- Technology Governance: Secure VA platforms through encryption, access controls, and regular audits, as mandated by VARA’s Technology Rulebook.
Challenges and Strategic Recommendations for Compliance
To effectively navigate VARA’s requirements and data protection laws, entities should:
- Appoint a DPO: Establish clear roles and responsibilities for overseeing compliance.
- Conduct Regular Audits: Identify and address gaps in compliance through frequent reviews.
- Invest in Training: Equip employees with the knowledge to handle VA operations responsibly.
- Integrate VARA Rules with Global Frameworks: Align VARA compliance with other applicable laws, such as GDPR, DIFC data laws, and international AML/CFT standards.
- Seek VARA Approvals Proactively: Avoid penalties by obtaining the necessary marketing and operational authorisations in advance.
Fines for Non-Compliance and Enforcement Under VARA
Fines for Non-Compliance
Non-compliance with VARA’s marketing regulations can lead to significant fines, aimed at ensuring proper marketing practices and consumer protection in the virtual asset market. The fines are as follows:
Investigation by VARA
VARA has the power to investigate any entity at any time to ensure compliance with Dubai’s Virtual Asset Law.
For example, if a VASP displays irregular trading patterns, VARA may initiate an investigation into its activities.
Entities are required to cooperate fully during investigations by providing all necessary records and information.
Regulatory Period
VASPs and issuers remain subject to VARA’s regulations for 10 years after they stop being regulated by VARA.
Examination Process
Entities must allow VARA to examine their operations whenever requested.
For example, if VARA suspects a VASP is not complying with regulations, it may conduct an examination of the provider’s financial health and operational practices.
VASPs and issuers are also required to assist VARA in evaluating their financial status and ensuring compliance with the law.
Entities must obtain clients’ consent before sharing transaction information with VARA. They are also expected to respond to VARA’s document requests promptly, unless they can demonstrate that the request is unreasonable.
During the examination, VARA may require verification of any information provided by the entity.
TenIntelligence Thoughts
VARA’s regulatory framework underscores Dubai’s leadership in a transparent and secure virtual asset ecosystem. However, compliance is a multifaceted endeavour that extends beyond VA-specific activities to encompass robust data protection practices.
The appointment of a DPO is not only a regulatory requirement but also a strategic investment in building consumer trust and mitigating risks. By aligning VARA compliance with broader data protection laws, businesses can ensure sustainable growth in the dynamic virtual asset landscape.
For entities operating in Dubai’s VA sector, data protection isn’t just a regulatory checkbox—it’s the cornerstone of responsible innovation. Reach out with your queries to navigate VARA’s compliance requirements and implement effective data protection strategies for your organisation.
Written by
Lynsey Hanson