UAE fintech & payments: CBK federal licensing, VARA Dubai, FSRA ADGM, DFSA DIFC
The United Arab Emirates maintains a multi-layered regulatory framework for fintech and payments, with the Central Bank of the UAE (CBK) serving as the primary federal supervisor for payment services, exchange businesses, and open finance under Federal Decree-Law No. 6 of 2025. The CBK mandates licensing for payment token services, currency exchange, and money transfers, while explicitly prohibiting certain activities such as retail banking for restricted license banks.
In the financial free zones, distinct regulators oversee specific activities: the Virtual Assets Regulatory Authority (VARA) regulates virtual asset issuance and services in Dubai; the Financial Services Regulatory Authority (FSRA) governs virtual assets, fiat-referenced tokens, and digital investment management in the Abu Dhabi Global Market (ADGM); and the Dubai Financial Services Authority (DFSA) regulates crypto tokens and money services within the Dubai International Financial Centre (DIFC).
Recent regulatory developments emphasize strict compliance, including the CBK's 2025 Exchange Business and Payment Token Services Regulations, VARA's three-tier virtual asset issuance framework, and FSRA's 2026 amendments designating it as the AML supervisory authority for ADGM. The landscape is characterized by rigorous capital, governance, and AML/CFT requirements across all jurisdictions.
Central Bank of the UAE (CBK)
Federal regulator for payment services, exchange businesses, open finance, and general financial institutions.
[1][2][3][4]Virtual Assets Regulatory Authority (VARA)
Regulator for virtual assets and related activities in Dubai.
[5][6][7]Financial Services Regulatory Authority (FSRA)
Regulator for financial services, virtual assets, and fiat-referenced tokens in the Abu Dhabi Global Market (ADGM).
[8][9][10][11]Dubai Financial Services Authority (DFSA)
Regulator for financial services, including crypto tokens and money services, in the Dubai International Financial Centre (DIFC).
[12][13]Federal Decree-Law No. 6 of 2025 Regarding the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business (2025)
Establishes the CBK as an independent federal public institution with autonomy, defining its core objectives including currency stability and financial system integrity.
[1]Payment Token Services Regulation (2024)
Establishes the licensing and registration framework for digital payment token services, defining issuance, conversion, and custody/transfer categories.
[3]Exchange Business Regulation (2025)
Establishes a comprehensive licensing and supervisory framework for entities conducting currency exchange and money transfer activities.
[2]Virtual Assets and Related Activities Regulations 2023 (2023)
Enacted by VARA to govern virtual assets and related activities across all Dubai zones, mandating licensing and AML/CFT compliance.
[6]Financial Services and Markets (Amendment No. 1) Regulations 2026 (2026)
Amends the 2015 ADGM framework, designating the FSRA as the AML Supervisory Authority and imposing strict compliance obligations.
[8]Payment Token Services
The CBK mandates licensing for digital payment token services, covering issuance, conversion, and custody/transfer, with explicit prohibitions on certain activities.
[3]Exchange Business
Entities conducting currency exchange and money transfer activities must obtain specific license categories from the CBK as defined in the 2025 Regulation.
[2]Virtual Asset Services (VARA)
VARA requires licensing for virtual asset service providers, with a three-tier classification system for issuers (Category 1 requiring reserve assets) and strict marketing approvals.
[5][6][7]Virtual Assets & Fiat-Referenced Tokens (FSRA ADGM)
FSRA requires authorization for virtual asset activities, fiat-referenced token intermediation, and digital investment management, with specific capital requirements for token intermediation.
[9][14][10]Crypto Tokens & Money Services (DFSA DIFC)
DFSA regulates crypto tokens and money services under the DIFC framework, requiring licensing and compliance with updated conduct and prudential modules.
[12][13]The CBK's Payment Token Services Regulation explicitly prohibits certain activities, and Restricted Licence Banks are prohibited from providing retail banking services to natural persons.
[3][15]VARA mandates that businesses obtain approval or a no-objection confirmation before offering regulated virtual asset activities, and Category 1 issuers must maintain reserve assets.
[7][5]FSRA requires specific permissions for staking activities and mandates robust internal policies and client consent for asset encumbrance in transfer and settlement services.
[16][17]The regulatory landscape is evolving with the CBK's Open Finance Regulation establishing an API Hub and licensed ecosystem, and FSRA introducing frameworks for fiat-referenced tokens and digital investment management.
[4][11]Regulators are strengthening AML/CFT supervision, with FSRA designated as the AML supervisory authority in ADGM and CBK issuing guidance on correspondent banking risks.
[8][18]Email alerts for United Arab Emirates updates
New circulars, rules and guidance — a digest in your inbox, same day.