
Binance's public tussle over a US Department of Justice cooperation memo puts a sharp question in front of every VASP with UAE operations: what happens when a foreign law enforcement request lands on your Dubai or Abu Dhabi desk?
Why this matters now
The reporting around Binance and the DOJ memo concerns the appetite of US prosecutors and the FBI for direct cooperation from crypto platforms — subpoenas, preservation requests, account freezes, and requests for KYC data on specific wallets or users. Binance's structure spans multiple jurisdictions, including UAE-licensed entities under VARA and the Securities and Commodities Authority regime. Any UAE-based exchange, custodian, OTC desk or even a DIFC/ADGM-incorporated crypto fund faces the same operational question: when a US federal agency or grand jury subpoena arrives, can it simply be answered, or does UAE law require a different route?
The starting position: you cannot simply comply
A UAE-incorporated company — onshore, in a commercial free zone, or in DIFC/ADGM — is not obliged, as a matter of UAE law, to respond directly to a foreign government's subpoena, grand jury request or civil discovery demand. Producing personal data, transaction records or account information to a foreign authority without a lawful UAE gateway risks two separate exposures: a breach of the Federal Decree-Law on the Protection of Personal Data (or the DIFC and ADGM data protection regimes, which apply to entities licensed in those free zones), and potential liability under the federal cybercrime law, which criminalises unauthorised disclosure of data obtained through licensed platforms. Banking and payments entities carry an additional secrecy overlay under the Central Bank's regulatory framework.
The correct channel is a formal mutual legal assistance request. The UAE and the United States are parties to bilateral arrangements permitting law enforcement cooperation, and the UAE's Ministry of Justice acts as the central authority receiving and vetting incoming MLA requests before any UAE entity is directed to produce material. A subpoena issued by a US court or grand jury, served directly on a UAE company with no MLA process behind it, generally has no automatic domestic enforceability in the UAE — it must be channelled through that treaty mechanism, or through the Financial Intelligence Unit if the request concerns suspicious transaction reporting, before any UAE-regulated entity should act on it.
A subpoena served directly from Washington does not, by itself, create a UAE production obligation — the treaty channel does.
What VARA and Central Bank licensing adds
VARA-licensed VASPs and Central Bank-supervised institutions sit inside a supervisory relationship that runs through the UAE authority first. Practically, this means:
- Internal escalation on receipt of any foreign law enforcement request should go to the company's MLRO and compliance function, not directly to the business line handling the customer.
- The regulator (VARA, the SCA, or the Central Bank, depending on licence) should typically be notified, since disclosure obligations and supervisory expectations are set out in the applicable rulebook and AML/CFT regulations.
- Where the request concerns a suspected predicate offence — fraud, sanctions evasion, market abuse — a parallel or preceding report through the UAE's goAML platform to the Financial Intelligence Unit may be the more appropriate and legally protected route than direct foreign disclosure.
- DIFC- or ADGM-incorporated entities face a further layer: their own data protection regulators (the DIFC Commissioner of Data Protection or the ADGM's equivalent office) expect a documented lawful basis and, in many cases, prior notification or consent mechanics before cross-border transfer of personal data to a US authority.
Practical steps for a GC
Treat any US DOJ, FBI, SEC or civil litigant subpoena addressed to a UAE entity as a trigger for a structured response, not a customer-service enquiry: confirm the requesting party's authority, check whether an MLA request has actually been lodged with the Ministry of Justice, assess data protection exposure under the applicable federal or free-zone regime, and consult the licensing regulator before any data leaves the UAE. Voluntary cooperation beyond what UAE law permits — even where well-intentioned — can itself become a regulatory and criminal exposure domestically, independent of whatever the US proceeding concludes.
Instruments referenced: Federal Decree-Law on the Protection of Personal Data; Federal Decree-Law on Combating Rumours and Cybercrimes; DIFC Data Protection Law (DIFC Law No. 5 of 2020); ADGM Data Protection Regulations; VARA rulebooks; Central Bank AML/CFT regulations; UAE Financial Intelligence Unit (goAML) framework; applicable UAE–US mutual legal assistance arrangements. General information, not legal advice.