Verifying VASP status: the diligence duty behind the UAE's crypto licence maze
A private tracker of licensed virtual asset service providers is useful, but it does not discharge a bank, exchange or investor's own legal duty to verify licensing status before onboarding a crypto counterparty — and that duty is becoming sharper, not softer.
NeosLegal's newly launched tracker, aggregating licensed virtual asset service providers (VASPs) across VARA, ADGM, DIFC, CBUAE and the Securities and Commodities Authority, responds to a genuine market problem: the UAE now runs five parallel crypto-licensing regimes with no central register and no automatic mutual recognition between them. That fragmentation is not merely an inconvenience for market-watchers. It creates a live compliance exposure for any UAE-regulated entity — a bank, a payment institution, a DNFBP, a fund manager — that onboards, transacts with, or invests alongside a crypto business without independently confirming its licensing status in the correct jurisdiction.
The duty does not sit with the tracker
A commercial database, however comprehensive, is not a legal shield. Under the UAE's anti-money laundering framework — Federal Decree-Law No. 20 of 2018 on AML/CFT as amended, and its Cabinet Decision implementing regulations — regulated entities carry an independent, non-delegable obligation to conduct customer due diligence, including verifying that a counterparty engaged in virtual asset activity holds a valid licence from the competent regulator for that specific activity in that specific jurisdiction. Relying on a third-party aggregator without primary-source confirmation from the regulator's own register does not satisfy that standard. Compliance officers should treat such tools as a first-pass screening aid, not as the evidential basis for a due diligence file.
Non-recognition between regimes is the trap
The UAE's crypto architecture is genuinely siloed. A VASP licensed by Dubai's Virtual Assets Regulatory Authority under Dubai Law No. 4 of 2022 is authorised for onshore Dubai activity; it has no automatic standing in the DIFC, where the Dubai Financial Services Authority regulates crypto tokens as a distinct category of financial service, nor in the ADGM, where the Financial Services Regulatory Authority operates its own virtual asset framework. Abu Dhabi mainland and the other emirates fall outside VARA's remit entirely. Meanwhile the Central Bank of the UAE licenses payment token issuers and stablecoin activity under its own regime, and the SCA/CMA retains residual jurisdiction over onshore activity outside VARA's Dubai footprint. A firm holding a VARA licence marketing into Abu Dhabi mainland, or a DIFC-licensed token issuer transacting with a CBUAE-regulated payment institution, is not automatically compliant simply because it is licensed somewhere. Each cross-border or cross-zone touchpoint requires a fresh jurisdictional analysis.
A VARA licence answers the Dubai question. It does not answer the DIFC, ADGM, CBUAE or SCA questions — and treating it as if it does is the single most common error we see in crypto onboarding files.
Practical consequences for practice
This matters in three recurring scenarios:
- Banking and correspondent relationships: UAE banks onboarding crypto exchanges as clients must map the client's actual licensed activities against the bank's own risk appetite statement, not accept a licence certificate at face value. Activity creep — a licensed custodian quietly offering unlicensed exchange or broker-dealer services — is a recurring red flag regulators are now pursuing actively.
- M&A and investment due diligence: Acquiring or taking equity in a UAE crypto business requires confirming that every revenue line maps to a corresponding licence category. Undisclosed unlicensed activity is a warranty-breach and indemnity issue that surfaces routinely in crypto M&A term sheets, and increasingly drives price adjustment mechanisms.
- Enforcement exposure: Dealing knowingly with an unlicensed VASP, or facilitating its access to UAE banking rails, carries regulatory and in some cases criminal exposure under the AML framework and VARA's own enforcement powers, which include significant administrative fines and referral for criminal prosecution in serious cases.
The strategic takeaway
Tools like the NeosLegal tracker will proliferate as the UAE's crypto sector matures, and they are genuinely useful for initial screening and market mapping. But the underlying legal reality they surface — five distinct regulators, no passporting, and independent verification obligations resting on each regulated counterparty — is the point that should shape onboarding policies, transaction structuring and M&A diligence checklists. The tracker is a map; the compliance duty to check the terrain in person remains entirely with the regulated entity.
Key instruments: Dubai Law No. 4 of 2022 (VARA); Federal Decree-Law No. 20 of 2018 on AML/CFT (as amended) and Cabinet Decision No. 10 of 2019; DIFC crypto token regime (DFSA); ADGM virtual asset framework (FSRA); Central Bank of the UAE payment token/stablecoin regulation; SCA/CMA onshore securities and commodities regulations. General information, not legal advice.