Crypto Custody Agreement (UAE)

A Crypto Custody Agreement in the UAE is a formal service contract under which a licensed virtual asset custodian agrees to hold, safeguard, and administer virtual assets on behalf of a client, in exchange for a custody fee, subject to the regulatory requirements of Federal Decree-Law No. 4 of 2022 on the Regulation of Virtual Assets and the operational standards of the Virtual Assets Regulatory Authority (VARA) or the Abu Dhabi Global Market Financial Services Regulatory Authority (ADGM FSRA). Crypto custody is a regulated virtual asset activity in the UAE: any entity providing custody services for third-party virtual assets in Dubai outside the DIFC must hold a VARA custody licence, while entities in the ADGM must hold an ADGM FSRA authorisation, and entities in the DIFC must hold a Dubai Financial Services Authority (DFSA) licence.

The agreement defines the foundational terms of the custody relationship: the specific virtual assets to be held, the custody technology used (cold storage, hot wallet, multi-signature, or multi-party computation), the fee structure, the withdrawal procedure, the notice period for releasing assets, and the authorised persons who may give instructions. These terms are not merely commercial: they directly determine the security and accessibility of the client's assets, and VARA's VASP Regulations require them to be clearly documented in a written agreement before any assets are accepted into custody.

Asset segregation is the most important legal protection the agreement provides. Under VARA's regulatory framework, licensed custodians must hold all client virtual assets in segregated wallets that are separately identified from the custodian's proprietary assets. This segregation ensures that client assets are recoverable in the event of the custodian's insolvency and are not available to the custodian's creditors. The UAE Civil Code (Federal Law No. 5 of 1985) treats the custody relationship as a deposit of fungibles under Articles 744 to 764, and the custodian's obligation to return the assets on demand is a primary contractual duty. The agreement must confirm the segregation arrangement explicitly, because clients cannot otherwise verify whether their assets are in fact segregated.

AML/CFT compliance forms the regulatory underpinning of the agreement. Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering, Cabinet Decision No. 10 of 2019, and VARA's VASP AML regulations require custodians to conduct full KYC on each client, screen all wallet addresses against sanctions lists maintained by the Executive Office for Anti-Money Laundering and Counter Terrorism Financing (EOCN), monitor ongoing transactions for suspicious activity, and report to the Financial Intelligence Unit (FIU) via the goAML platform. The custody agreement records the client's AML/KYC status and contains representations about the lawful origin of deposited assets, creating the compliance record that VARA may inspect during its ongoing supervision of the custodian's licence.

Insurance, security standards, and technology represent the operational protections that supplement the legal framework. Best-in-class UAE custodians maintain crime and cyber insurance policies covering client assets, use hardware security modules (HSMs) for key storage, and operate multi-factor authentication for all system access. The agreement should reference these protections so clients can verify them and hold the custodian contractually accountable if they are not maintained. The DIFC Courts and ADGM Courts are the preferred dispute forums for institutional custody disputes in the UAE, given their financial services expertise and efficient interim relief procedures for urgent asset freezes.

A Crypto Custody Agreement is needed in the UAE whenever a licensed custodian accepts virtual assets from a client for safekeeping, regardless of the size of the holding or the duration of the arrangement. Institutional investors, family offices, hedge funds, and high-net-worth individuals who hold significant virtual asset portfolios need a formal custody agreement that documents the security arrangements, the fee structure, and the client's rights to withdraw or transfer assets, rather than relying on exchange terms of service or informal arrangements.

VARA-licensed exchanges and trading platforms that also offer custodial wallet services to clients need a separate custody agreement that is distinct from their trading terms, because the regulatory obligations for custody under VARA's VASP Regulations differ from those for trading and brokerage. Conflating the trading and custody relationship in a single document creates regulatory confusion and can result in VARA requiring separate documentation as a condition of ongoing licence compliance. ADGM FSRA-authorised firms providing custody to their investment management clients similarly need standalone custody agreements that satisfy the FSRA's client asset protection requirements.

Corporate treasury departments that hold virtual assets as part of their treasury management strategy need a custody agreement to satisfy the requirements of their auditors, who will require evidence that the assets are held by a licensed custodian with documented security and segregation arrangements. Under Federal Decree-Law No. 47 of 2022 (Corporate Tax), companies must document the basis on which virtual assets are held and the fee structures applicable, and the custody agreement provides that documentation. Family offices and trusts holding virtual assets for beneficiaries need a custody agreement that addresses the client's status as a fiduciary and the custodian's obligations in relation to the ultimate beneficial owners.

Startups and project teams holding treasury assets in virtual currencies after a token generation event need a custody arrangement that protects the project's funds during the development phase, when the risks of internal fraud and external cyber attack are highest. Cross-border transactions — where assets are transferred into UAE custody from a foreign holder, or where a UAE custodian accepts assets on behalf of a foreign client — need an agreement that addresses the applicable AML/CFT screening, the relevant sanctions regime, and the governing law, because VARA's framework applies to activities with a UAE nexus irrespective of where the client is located. In all these situations, a properly executed Crypto Custody Agreement is the instrument that formally establishes the legal and regulatory framework for the safekeeping of virtual assets.

A UAE Crypto Custody Agreement must contain specific elements to satisfy VARA's VASP Regulations, the ADGM FSRA Digital Asset Framework, and the contractual requirements of the UAE Civil Code (Federal Law No. 5 of 1985). Full party identification opens the document: the custodian's full legal name, VARA or ADGM FSRA custody licence number, registered address, and the identity of the authorised signatory whose authority derives from a board resolution or power of attorney under the Commercial Companies Law (Federal Decree-Law No. 32 of 2021). The client must be identified to the same standard, with Emirates ID or passport number for individuals and trade licence number for corporate clients, reflecting the KYC obligations under Federal Decree-Law No. 20 of 2018.

The scope of services clause must specify the virtual assets that will be held in custody, either by listing specific assets or by defining a category, and must state the custody technology used. VARA distinguishes between different custody methods — cold storage, hot wallet, multi-signature, and MPC — and clients should understand which method applies to their assets, because different methods carry different security profiles and withdrawal timelines. The fee schedule must be set out with precision, including the basis for calculation (typically a percentage of assets under management), the frequency of charging, the currency of invoicing, and any transaction or administration fees. VARA requires fee disclosure in advance of the client depositing assets.

The segregation and title clause is legally critical. VARA's VASP Regulations require licensed custodians to hold client assets in segregated wallets, separately identified from the custodian's own assets, and the custody agreement must confirm this arrangement explicitly. The title clause must state unambiguously that the client retains legal and beneficial ownership of the custodied assets and that the custody arrangement does not transfer title. The prohibition on rehypothecation — or the terms under which it is permitted with informed written consent — must be clearly stated, because the risks of rehypothecation are a major concern for institutional clients.

Withdrawal procedures are an operational key element. The agreement must specify the withdrawal notice period, the authentication method (multi-factor authentication, biometrics, or hardware token), the number of authorised signatories required to approve a withdrawal, and the time lock policy for large transfers. The list of authorised persons must be maintained and updated in a documented process. The conditions under which the custodian may delay or refuse a withdrawal instruction — AML/CFT suspicion, regulatory freeze, suspected fraud, or court order — must be clearly stated, giving the custodian the legal basis to withhold assets when required by law. The forms-legal.com Crypto Custody Agreement template structures these elements as wizard fields that produce a complete, VARA-compliant document when filled.

Insurance, reporting, and governing law complete the key elements. The insurance coverage for custodied assets — type of policy, coverage limit, and insured perils — should be described so clients can verify it and benchmark it against industry standards. The custodian's obligation to provide regular custody statements, on-chain proof of asset holdings, and audit reports should be set out. A governing law clause selecting UAE law and a specific forum — DIFC Courts, ADGM Courts, Dubai Courts, or Dubai International Arbitration Centre (DIAC) — gives the agreement its enforcement foundation consistent with the UAE Civil Code (Federal Law No. 5 of 1985).

Completing a UAE Crypto Custody Agreement begins with the custodian confirming that its VARA or ADGM FSRA custody licence is current and that its AML/CFT programme is documented and operational. A custody agreement entered into by an unlicensed custodian is not only unenforceable but exposes the custodian to criminal liability under Federal Decree-Law No. 4 of 2022. Before any client assets are accepted, the custodian must complete the KYC process for the client, obtaining certified copies of identity documents, proof of address, corporate documents for legal entities, and source of funds declarations.

In the parties section, enter the custodian's full legal name exactly as it appears on the VARA or ADGM FSRA licence, the licence number, and the registered address. For the client, enter the same level of detail, using the trade licence number for corporate clients and the Emirates ID number for individuals. In the custody terms section, describe the assets to be held in precise terms — listing specific virtual assets by name and ticker or defining a class — and select the custody type from the dropdown. Enter the annual fee accurately, as this will appear in the final document and form the basis of fee invoices.

Answer the segregation confirmation field affirmatively only if the custodian's systems actually maintain segregated wallets for each client. VARA may inspect custody arrangements, and a false confirmation of segregation would be a serious regulatory misrepresentation. Enter the withdrawal notice period that reflects the custodian's operational capability — hot wallet assets can typically be processed within one business day, while cold storage withdrawals may require two to five business days because of the physical process required to access offline key storage. Enter the insurance coverage details accurately so the client can independently verify the policy.

In the governance section, enter the client's authorised persons for withdrawal instructions: this list controls who can instruct the custodian to release assets, and its accuracy is critical for preventing unauthorised withdrawals. Select the appropriate dispute forum. Review the complete document in preview mode to confirm that all regulatory licence numbers, asset descriptions, fee terms, and security details are accurate. Execute with wet signatures and retain the signed agreement, together with the KYC file, onboarding records, and initial asset transfer documentation, as the foundation of the regulatory record that VARA may review during its ongoing supervision of the custodian's licence under Federal Decree-Law No. 4 of 2022.

Legal requirements for a UAE Crypto Custody Agreement arise from the intersection of VARA's licensing framework, the UAE Civil Code, and mandatory AML/CFT obligations. Federal Decree-Law No. 4 of 2022 on the Regulation of Virtual Assets is the primary statute, and VARA's VASP Regulations set specific requirements for custodians: written custody agreements with each client, documented segregation arrangements, regular custody statements, and audited financial accounts. VARA's Technology and Information Security Policies impose cybersecurity standards including key management requirements, penetration testing obligations, and incident response procedures. Failure to comply with VARA's ongoing requirements can result in licence suspension or revocation, administrative penalties, and orders to return client assets.

For custody arrangements in the ADGM, the FSRA's Financial Services and Markets Regulations 2015, as amended, and the ADGM Client Money and Asset Rules impose equivalent obligations. ADGM custodians must hold client assets under a trust structure that provides clear client ownership rights in an insolvency, and must comply with the FSRA's rules on asset reconciliation and custody statement frequency. In the DIFC, the DFSA Client Assets Sourcebook applies.

The UAE Civil Code (Federal Law No. 5 of 1985) Articles 744 to 764 on deposit of fungibles provide the baseline contractual framework, treating the custodian as a depository obliged to return equivalent assets on demand. Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Cabinet Decision No. 10 of 2019 impose mandatory AML/KYC obligations on custodians that cannot be waived by contract. Federal Decree-Law No. 45 of 2021 on Personal Data Protection applies to all personal data collected and processed in connection with the custody onboarding and ongoing monitoring process. The UAE Personal Data Protection Law requires proper consent, purpose limitation, and data subject rights to be addressed in the custody terms or a separate privacy notice.

Common mistakes in UAE Crypto Custody Agreements frequently arise from treating custody as a purely commercial arrangement without recognising its regulatory dimensions. The most serious error is accepting client assets before obtaining a VARA or ADGM FSRA custody licence, or while an application is pending. Federal Decree-Law No. 4 of 2022 makes this a criminal offence, and VARA has pursued enforcement actions against unlicensed custodians, requiring assets to be transferred to licensed custodians at the custodian's expense. Even a short period of unlicensed custody, such as accepting assets during a 'soft launch' before the licence is issued, carries this risk.

Failing to maintain genuine segregation of client assets is the second most critical mistake. Custodians who commingle client assets with their own — even temporarily, for operational convenience — violate VARA's VASP Regulations and expose client assets to the custodian's creditors in an insolvency. The custody agreement must reflect the actual segregation practice, not an aspirational one: a gap between the contractual representation and the operational reality is a major regulatory and litigation risk. Related to this, custodians who permit rehypothecation without explicit informed written consent from each client violate both VARA's framework and the general prohibition on using another person's property without consent under UAE Civil Code (Federal Law No. 5 of 1985) Article 252.

Outdated AML/KYC records are a persistent problem. VARA requires custodians to conduct periodic re-verification of existing clients, particularly when the client's risk profile changes or the client initiates a large unusual transaction. Custodians who rely on an initial KYC check without ongoing monitoring face regulatory findings during VARA inspections. Finally, custody agreements that do not specify the authorised persons and authentication method for withdrawals create a governance gap that fraudsters exploit through social engineering, and the absence of a documented withdrawal authorisation procedure makes it difficult to establish liability before the DIFC Courts or ADGM Courts if a fraudulent withdrawal is processed.