Back to Insights

Insights

Crypto Wallet Licence UAE 2025: CBUAE, VARA, and DFSA Requirements

March 20265 min read

Regulation last updated

June 2025 — VARA Rulebook Version 2.0 Official source

A crypto wallet in the UAE may require authorisation from the CBUAE, VARA, or DFSA depending on whether the wallet holds customer assets, what currencies it supports, and in which jurisdiction it operates. The key regulatory question is whether the wallet is custodial or non-custodial — this determines whether you need a licence at all.

Custodial vs Non-Custodial: The Core Distinction

A custodial wallet holds private keys on behalf of users, meaning the operator controls the assets. This is a regulated custody activity requiring a licence. A non-custodial or self-custody wallet gives users full control of their own private keys. The operator never holds assets, and this falls outside the scope of custody regulations in most cases. Most retail and institutional wallets built for financial institutions are custodial.

Which Licence You Need

  • Dubai (excluding DIFC): VARA Custody Services licence — minimum capital AED 4 million
  • UAE mainland and payment wallets: CBUAE Stored Value Facility or payment licence
  • DIFC-based operations: DFSA licence with custody endorsement
  • ADGM-based operations: FSRA virtual asset custody permission
  • Wallets handling AED stablecoins: CBUAE oversight regardless of jurisdiction

Technical Requirements for a Licensed Crypto Wallet

  • Hardware Security Module (HSM) for private key storage
  • Multi-signature architecture with configurable approval thresholds
  • Hot and cold wallet segregation with defined transfer protocols
  • Full asset segregation between client assets and operational funds
  • Real-time balance reconciliation and immutable audit trail
  • AML/CFT transaction monitoring with blockchain analytics integration
  • Travel Rule compliance for transfers above regulatory thresholds
  • Incident response plan with VARA or CBUAE notification within defined timeframes

Documentation You Will Need

  • System architecture blueprint: full wallet infrastructure, key management, security controls
  • Custody policy and procedures manual
  • Business continuity and disaster recovery plan for key management systems
  • Third-party security audit of smart contracts and custody infrastructure
  • AML/CFT programme specific to virtual asset custody activities
  • Insurance arrangements for assets under custody

Need a regulatory readiness assessment?

Stablus generates tailored regulatory readiness reports, architecture blueprints, and project delivery packs in hours — built around your regulator, your stack, and your specific compliance gaps.

Get your regulatory readiness assessment →