Virtual Asset Service Agreement (UAE)

A Virtual Asset Service Agreement in the UAE is the foundational contract between a Virtual Assets Regulatory Authority (VARA)-licensed or Abu Dhabi Global Market Financial Services Regulatory Authority (ADGM FSRA)-authorised Virtual Asset Service Provider (VASP) and a client who wishes to access one or more regulated virtual asset services. Federal Decree-Law No. 4 of 2022 on the Regulation of Virtual Assets established VARA as the single complete regulator for virtual asset service providers operating in Dubai outside the DIFC, replacing the fragmented approach of earlier years and creating a clear, internationally recognised regulatory framework. The ADGM FSRA operates a parallel framework for virtual asset activities within the ADGM on Al Maryah Island in Abu Dhabi, and the Dubai Financial Services Authority (DFSA) regulates digital asset activities within the DIFC.

VARA identifies seven categories of regulated virtual asset activity, each requiring a specific licence: virtual asset exchange (converting between virtual assets and fiat or between virtual assets), virtual asset transfer services, virtual asset custody, virtual asset brokerage, virtual asset portfolio management, virtual asset advisory services, and virtual asset issuance. A Virtual Asset Service Agreement must specify which of these services the VASP is providing, because each service category has its own regulatory obligations under VARA's suite of rulebooks — the Market Conduct Rulebook, the Exchanges Rulebook, the Custody Rulebook, and the Brokerage and Investment Management Rulebook — and the agreement must accurately reflect the obligations that flow from the services provided.

AML/CFT compliance is the regulatory core of the client onboarding process and the service agreement. Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering, Cabinet Decision No. 10 of 2019, and VARA's VASP AML/CFT Regulations impose a complete framework of obligations on VASPs: Know Your Customer (KYC) verification before providing any service, ongoing transaction monitoring, screening against sanctions lists maintained by the Executive Office for Anti-Money Laundering and Counter Terrorism Financing (EOCN), application of the FATF Travel Rule to virtual asset transfers above threshold, and suspicious transaction reporting to the Financial Intelligence Unit (FIU) via the goAML platform. The Virtual Asset Service Agreement records the client's KYC status and contains representations about the lawful origin of assets and funds, creating the compliance record that VARA may inspect during its ongoing supervision of the VASP.

Client classification — whether the client is retail, professional, or institutional — drives the intensity of consumer protection obligations. VARA's Market Conduct Rulebook and Consumer Protection provisions impose extensive risk disclosure requirements for retail clients, including mandatory risk warnings, cooling-off rights, and restrictions on marketing practices. Professional and institutional clients receive fewer procedural protections but can access a wider range of products and higher transaction limits. The agreement must record the client's classification and the basis for it.

Fees, transaction limits, service level commitments, and data protection under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) are the commercial and operational elements that complete the agreement. The fee schedule must comply with VARA's requirement for transparent disclosure of all costs before the client commits to using the service. The forms-legal.com Virtual Asset Service Agreement template for the UAE provides a wizard that guides the VASP through all these elements, generating a compliant agreement that reflects the specific services and assets covered by the VASP's VARA or ADGM FSRA licence.

A Virtual Asset Service Agreement is needed in the UAE before a VARA-licensed or ADGM FSRA-authorised VASP provides any regulated virtual asset service to a client, whether that service is an exchange transaction, a transfer, a custody arrangement, a managed portfolio, or an advisory engagement. VARA's VASP Regulations make written client agreements a condition of the VASP's licence, and operating without documented agreements is a licence condition breach that can result in regulatory action. The agreement is therefore not merely a commercial best practice but a mandatory regulatory requirement.

Crypto exchanges and OTC desks operating in the UAE need a Virtual Asset Service Agreement with each client before processing the first trade. Institutional clients — hedge funds, family offices, corporate treasuries, and investment managers — require formal service agreements as part of their own governance and audit requirements, and their legal teams will review the VASP's agreement before approving a relationship. Retail clients require agreements that meet VARA's Consumer Protection Rulebook requirements, including plain-language risk disclosures and all mandatory terms.

Virtual asset fund managers and portfolio managers who hold client assets and exercise discretion over their management must have a Virtual Asset Service Agreement that describes the investment mandate, the fee structure, the risk disclosure, and the client's rights to give and withdraw instructions. VARA's Investment Management and Advisory Rulebook specifies the minimum terms required for portfolio management agreements, and non-compliance results in VARA's Market Conduct team issuing deficiency findings during inspections.

Blockchain and DeFi infrastructure providers who offer institutional clients access to decentralised exchange protocols, yield farming strategies, or liquidity provision services through a managed or advisory model need a service agreement that addresses the specific risks of on-chain protocols — smart contract risk, liquidity risk, and regulatory uncertainty — alongside the standard VASP disclosure requirements. Cross-border clients who access UAE VASP services from outside the UAE need a service agreement that addresses applicable AML/KYC requirements under Federal Decree-Law No. 20 of 2018, the jurisdiction of the client, and any sanctions considerations. In all these cases, the Virtual Asset Service Agreement is the primary legal document that defines the regulated relationship between the VASP and its client.

A UAE Virtual Asset Service Agreement must contain specific elements to satisfy VARA's VASP Regulations, the UAE Civil Code (Federal Law No. 5 of 1985), and the applicable rulebook requirements for each service type. Full party identification opens the document: the VASP's full legal name, VARA or ADGM FSRA licence number, and registered address; and the client's full legal name, Emirates ID or trade licence number, and address. The licence number is particularly important because it enables the client to verify the VASP's regulatory standing before committing assets to the platform — clients should always cross-check the VARA licence number against VARA's public register.

The services and scope clause must specify each regulated virtual asset activity that the VASP will provide, selecting from VARA's defined activity categories. For exchange services, the agreement should describe the supported trading pairs; for custody, the custody technology and segregation arrangements; for portfolio management, the investment mandate and discretion level; and for advisory services, the scope and nature of the advice. The supported virtual assets must be listed — VARA requires VASPs to list only assets that have been assessed under VARA's Virtual Asset Issuance Rulebook, and the VASP's agreement should confirm that listed assets meet this standard.

The fee schedule must be disclosed in full before the client accesses any service, as VARA's Consumer Protection Rulebook requires transparent upfront disclosure of all fees and charges. The schedule should state the fee basis (percentage of transaction value, flat fee, or percentage of assets under management), the currency (AED for all reportable amounts), the frequency of charging, and any variable fee components. The transaction limits and service level commitments set out the operational parameters of the service and are the benchmarks against which the VASP's performance can be measured.

KYC completion and client classification are mandatory elements. The agreement must record the client's KYC status, the classification as retail, professional, or institutional, and the basis for the classification. VARA's Market Conduct Rulebook's risk disclosure section requires retail clients to receive and acknowledge a complete list of virtual asset investment risks before opening an account, and this acknowledgment must appear in the agreement. The forms-legal.com Virtual Asset Service Agreement captures these elements through structured wizard fields.

Compliance, data protection, liability, and governing law complete the key elements. The AML/CFT clause must cover the VASP's Travel Rule compliance obligations, EOCN sanctions screening, and FIU reporting duties. The data protection clause must address the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). The liability clause must reflect VARA's requirements on client asset protection and must not exclude liability for the VASP's own fraud or negligence in a way that violates the UAE Civil Code (Federal Law No. 5 of 1985) Article 296. A governing law clause selecting UAE law and a specific forum — DIFC Courts, ADGM Courts, Dubai Courts, or DIAC — gives the agreement its enforcement foundation.

Completing a UAE Virtual Asset Service Agreement requires the VASP to confirm its VARA or ADGM FSRA licence status and the specific activities it is authorised to conduct before selecting the services to include in the agreement. A VASP may not include services in the agreement that fall outside its licence scope, even at the client's request. The client onboarding team must complete the KYC process and classify the client as retail, professional, or institutional before proceeding, because the classification drives several mandatory provisions in the agreement.

In the parties section, enter the VASP's full legal name and VARA or ADGM FSRA licence number exactly as they appear on the regulatory certificate. For the client, enter the trade licence number for corporate clients and the Emirates ID number for individual clients, along with the registered or residential address verified during KYC. In the services section, select all activities the VASP will provide to this client from the checkbox group, checking each selected activity against the VASP's licence scope before including it. Enter the supported virtual assets, confirming that each listed asset is on the VASP's VARA-approved asset list.

Enter the fee schedule in detail, specifying each fee component, the calculation basis, and the billing frequency. Enter the transaction limits that apply to this client account, reflecting the risk assessment conducted during KYC and the client's verification tier. Enter the service level commitment as a percentage uptime figure with the measurement period and maintenance exclusion terms. In the compliance section, confirm the KYC completion status, the professional investor classification if applicable, and the risk warning acknowledgment. The risk warning acknowledgment is mandatory for all clients under VARA's Consumer Protection Rulebook and must be answered affirmatively only if the client has actually received and reviewed the risk disclosure.

Select the governing forum appropriate to the VASP's registration and the client's preference. DIFC and ADGM Courts are commonly used for institutional disputes; Dubai International Arbitration Centre (DIAC) is preferred for confidential resolution. Review the preview document to confirm that all regulatory references, service descriptions, fee terms, and compliance elements are accurate. Execute with wet or electronic signatures and retain alongside the KYC file, classification assessment, and risk disclosure as a complete VARA-compliant client onboarding record under Federal Decree-Law No. 4 of 2022.

Legal requirements for a UAE Virtual Asset Service Agreement arise from Federal Decree-Law No. 4 of 2022 on the Regulation of Virtual Assets, VARA's suite of rulebooks, mandatory AML/CFT obligations, and general contract law. Federal Decree-Law No. 4 of 2022 establishes VARA's authority to set conduct standards for VASPs in Dubai, and VARA's published rulebooks — the Market Conduct Rulebook, the Exchanges Rulebook, the Custody Rulebook, the Brokerage and Investment Management Rulebook, and the Consumer Protection Provisions — each specify minimum terms that must appear in client service agreements. Non-compliant agreements are grounds for VARA to issue a formal deficiency finding and, in serious cases, to suspend or revoke the VASP's licence.

AML/CFT obligations under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Cabinet Decision No. 10 of 2019 are mandatory and cannot be waived by contract. VASPs must conduct full KYC on each client, apply the FATF Travel Rule to transfers above threshold, screen against EOCN sanctions lists, and report to the FIU via goAML. VARA's AML/CFT Regulations set specific requirements for the client agreement's AML/CFT provisions, including the client's representations about the lawful origin of assets and the VASP's right to suspend the account if AML/CFT concerns arise.

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) requires VASPs to process client personal data lawfully, to provide a compliant privacy notice, and to respect client data rights. Tax obligations under Federal Decree-Law No. 8 of 2017 (VAT at 5%) and Federal Decree-Law No. 47 of 2022 (Corporate Tax at 9%), administered by the Federal Tax Authority (FTA), apply to the VASP's service fees and must be reflected in the fee schedule and invoicing provisions. The UAE Civil Code (Federal Law No. 5 of 1985) Articles 125 to 129 on contract formation and Articles 282 to 298 on civil liability provide the baseline contractual validity and remedies framework.

Mistakes in UAE Virtual Asset Service Agreements frequently arise from VASPs using generic financial services templates that do not reflect VARA's specific requirements, or from including services in the agreement that are not covered by the VASP's current licence scope. The most consequential error is including exchange, custody, or portfolio management services in the agreement when the VASP holds only a transfer services licence, for example. VARA's inspection team reviews client agreements as part of its ongoing supervision, and agreements that go beyond the VASP's licensed activities result in regulatory action and can expose the VASP's directors to personal liability under the Commercial Companies Law (Federal Decree-Law No. 32 of 2021).

Omitting or diluting the mandatory risk disclosure is a common mistake for VASPs who worry that conspicuous risk warnings will deter clients. VARA's Consumer Protection Rulebook requires specific, prominent risk disclosures, and agreements that bury risk warnings in small print or use qualified language — 'virtual assets may be risky' rather than 'you may lose the entire amount invested' — will fail VARA's consumer protection review. The risk warning must be presented as a standalone, clearly visible section that the client acknowledges separately from the general terms.

Failing to document the client's KYC status and classification in the agreement itself — relying instead on a separate onboarding system without cross-referencing the agreement — creates a gap in the regulatory record that VARA may treat as a documentation deficiency. The agreement must confirm on its face that KYC has been completed and the client's classification confirmed, because this record is what VARA reviews during inspections. Finally, fee schedules that do not separately identify VAT-inclusive and VAT-exclusive components, or that fail to specify the billing currency as AED, create tax compliance and commercial disputes under Federal Decree-Law No. 8 of 2017 and the Federal Tax Authority's (FTA) VAT invoicing requirements.