The United Arab Emirates (“UAE”) has recently seen several significant regulatory developments in the financial services space, including the following:
(i) The Capital Market Authority (“CMA”) has issued a new regulatory framework governing virtual assets services (the “CMA Regulation”);
(ii) The Virtual Assets Regulatory Authority (“VARA”) has amended its Exchange Services Rulebook, introducing regulations for Exchange Traded Derivatives Services;
(iii) The Central Bank of the UAE (“CBUAE”) has issued Small to Medium Sized Enterprises (SME) Customer Protection Regulation (the “SME Customer Protection Regulation”); and
(iv) The CBUAE has issued Telemarketing Regulation (the “Telemarketing Regulation”).
1. The introduction of a new regulatory framework for VASPs by the CMA
The CMA has overhauled its regulatory framework for Virtual Asset Service Providers (“VASPs”) and Alternative Trading Systems Operator (“ATS”) through the issuance of Chairman Resolution No. (04/Chairman) of 2026 (“CMA Regulation”) , which replaces Decision No. (26/Chairman) of 2023 concerning the regulation of Virtual Asset Platform Operators.
The CMA Regulation is structured across three modules: (i) a General Framework Module; (ii) a Business Regulation Module; and (iii) an ATS Module, and introduces a significantly more prescriptive and comprehensive regime for virtual asset activities carried out in the UAE.
The CMA Regulation applies to any person conducting, or intending to conduct, regulated virtual asset activities or operating an ATS in or from the UAE. This includes, among others, entities dealing in virtual assets as principal or agent, custody providers, investment advisers, portfolio managers, operators of Multilateral Trading Facilities (“MTFs”), and persons arranging virtual asset transactions.
Key Takeaways
Licensing and capital requirements
Eight regulated activities are mapped across six licence categories, with minimum capital thresholds ranging from AED 500,000 to AED 4 million. In practice, capital requirements will be driven by expenses-based and risk-based thresholds rather than the minimum floor.
Trading venue framework
Virtual asset trading is permitted only through MTFs. Organised Trading Facilities (“OTFs”) cannot be used for virtual asset trading or settlement. The ATS Module (101 Articles and four Annexes) forms the core framework for MTF operators.
Governance and key personnel
Licensed entities must maintain a full governance apparatus, with mandatory key personnel functions (seven for VASPs, eight for ATS operators), specified UAE residency requirements, and detailed rules on role combinations.
Token restrictions
Privacy tokens and algorithmic tokens are prohibited. Utility tokens and NFTs are restricted, subject to limited approval-based exceptions.
Each virtual asset must be registered with the CMA.
Governance and compliance
The framework introduces enhanced governance, key personnel, and market conduct requirements, including public consultation obligations for trading rules and strengthened market surveillance. Compliance must be implemented holistically across all three modules.
DLT requirements
Distributed ledger must operate on a permissioned basis with the licensed entity maintaining sufficient control over access and record updates.
Two-stage licensing
A two-step process applies: in-principle approval followed by a full licence application, with prescribed decision periods and a six-month window between stages to satisfy all ongoing requirements.
MTF and OTF framework
The ATS Module governs MTFs (non-discretionary matching) and OTFs (discretionary matching), with OTFs prohibited from trading virtual assets. MTF operators must maintain publicly available business rules, subject to public consultation and CMA approval before amendment.
Existing licensees are granted a transitional period of one year from the effective date to align with, and obtain approval under, the CMA Regulation. Any applications pending as at the effective date that had not received initial approval will be deemed void and must be resubmitted in accordance with the new requirements.
2. VARA Updated Exchange Services Rulebook
VARA has updated its Exchange Services Rulebook (“Rulebook”) to introduce a new Part V, establishing a dedicated regulatory framework for the provision of Exchange Traded Derivatives (“ETD”) Services.
The amendments represent a significant development in VARA’s regulatory regime, emphasizing oversight to more complex virtual asset derivative products.
Only VASPs licensed for Exchange Services may offer ETD Services.
Scope of ETD Services
ETD Services covers the following:
- matching orders between buyers and sellers and conducting the purchase, sale or any other transaction between ETDs and Virtual Asset;
- maintaining an order book in furtherance thereof.
Matching orders between buyers and sellers and conducting the purchase, sale or any other transaction between ETDs and fiat currency is not permitted.
ETDs are defined as derivatives whose value is derived from, or fluctuates based on, the price of one or more underlying virtual assets (or other approved assets), and whose pricing and/or settlement is denominated in a virtual asset.
The framework covers:
- contracts for difference (CFDs);
- futures;
- options; and
- any other instruments designated by VARA from time to time.
Key Takeaways
Client Suitability
VASPs must conduct a comprehensive suitability assessment prior to onboarding clients for ETD services. Access to ETD products must be restricted to clients who have been assessed and approved as suitable.
Retail Investor Protections
Retail clients are subject to a maximum leverage cap of 5:1, corresponding to a minimum initial margin requirement of 20% of the notional exposure.
Institutional and qualified investors may benefit from more flexible leverage arrangements, subject to VARA’s supervisory discretion.
Account Segregation
VASPs must ensure strict segregation of ETD trading accounts from all other client accounts. Non-ETD clients must not be exposed to losses arising from ETD activities, including through any form of loss mutualisation.
Price Feed Integrity
VASPs are required to implement robust price validation mechanisms, including the use of multiple independent and diversified pricing sources. Reliance on a single price feed is not permitted.
Perpetual ETDs
Derivatives without a fixed maturity (i.e. perpetual contracts) are subject to additional requirements, including:
- funding rates must be calculated at least three times per day; and
- funding payments must be exchanged between counterparties on a regular intra-day basis.
The introduction of a formal ETD Services framework signals VARA’s continued development of a comprehensive regulatory regime for sophisticated virtual asset products. Qualified VASPs seeking to offer ETD Services will be required to obtain specific authorisation from VARA on their license. As part of the application process, firms should expect to demonstrate, amongst others:
- appropriate systems and controls;
- detailed product terms and risk disclosures;
- client agreements; and
- arrangements relating to insurance funds and close-out procedures.
VASPs considering the provision of ETD Services should engage early in assessing readiness, particularly in relation to services related documentation, client suitability frameworks, risk management systems, and governance arrangements.
3. CBUAE Telemarketing Regulation
The CBUAE has issued the Telemarketing Regulation, establishing a comprehensive framework governing telemarketing activity conducted by Licensed Financial Institutions (“LFIs”) in the UAE. The Telemarketing Regulation is issued as part of the efforts to comply with the requirements of UAE Cabinet Resolution No.(56) of 2024 Concerning the Telemarketing Regulations.
The Telemarketing Regulation introduces minimum standards aimed at strengthening customer protection, enhancing market conduct, and addressing concerns relating to unwanted telemarketing practices.
Scope
The Telemarketing Regulation applies to all LFIs conducting telemarketing activities in the UAE.
Importantly, LFIs that are part of a group structure (including subsidiaries, affiliates, and foreign branches) are required to ensure compliance with the Telemarketing Regulation on both a solo and group-wide basis, reflecting the CBUAE’s increasing focus on consolidated supervision and conduct risk.
Certain key requirements under the Telemarketing Regulation are explained below:
Board Approval and Regulatory Oversight
LFIs must obtain prior written approval from their Board of Directors before undertaking telemarketing activities. The CBUAE may, at its discretion, require LFIs (or categories of LFIs) to obtain prior regulatory approval.
Governance and Internal Controls
LFIs are required to establish and maintain appropriate internal policies and procedures governing telemarketing activities. These must clearly set out controls applicable to telemarketers and align with applicable legal and regulatory requirements, including those relating to customer protection and data privacy
Training
Telemarketers must complete at least fifteen (15) hours of appropriate training before being authorised to conduct telemarketing, with comprehensive training when products are new or updated, and additional training-related courses and programmes at least once per year covering recent legal updates, including customer privacy and data protection laws.
Scripts and authorised channels
LFIs must use standardised scripts (in relevant languages), maintain an updated list of authorised telemarketers and channels, and clearly display their registered name with the designation “Telemarketing” in all communications. LFIs must use standardised scripts (in relevant languages), maintain an updated list of authorised telemarketers and channels, and clearly display their registered name with the designation “Telemarketing” in all communications.
Customer consent and Do Not Call Registry
Prior express customer consent is required through prescribed methods. Telemarketing is prohibited where customers have opted out or are listed on the Do Not Call Registry maintained by the Telecommunications and Digital Government Regulatory Authority.
Time and frequency restrictions
Calls may only be made between 9:00 AM and 6:00 PM (UAE time), limited to once per day and twice per week, and must not target customers who have previously rejected or not responded to similar offers.
Automated systems and AI
Specific requirements apply to automated dialling systems and AI, including call handling parameters and compliance monitoring capabilities.
Records and reporting
LFIs must maintain telemarketing logs for at least five years and submit annual reports to the CBUAE, with potential for additional reporting requirements.
The Telemarketing Regulation represents a significant strengthening of the conduct and consumer protection framework applicable to telemarketing activities in the UAE and reflects the CBUAE’s continued focus on addressing customer harm and enhancing market discipline.
LFIs should undertake a comprehensive review of their telemarketing frameworks, including governance arrangements, consent mechanisms, scripts, training programmes and monitoring systems, to ensure alignment with the Telemarketing Regulation. Particular attention should be given to group-wide implementation, Do Not Call compliance, and record-keeping and reporting obligations.
Given the prescriptive nature of the Telemarketing Regulation, early remediation and implementation will be critical to mitigating regulatory risk and ensuring compliance.
Representative offices
The applicability of the Telemarketing Regulation to CBUAE-licensed representative offices warrants particular consideration. Marketing the parent entity’s products and services is among the principal permitted activities of such offices, and the Regulation expressly applies to “All Licensed Financial Institutions” — a formulation that, on its face, extends to representative offices. Representative offices should therefore assess their marketing activities against the Regulation’s requirements and take steps to ensure compliance.
4. CBUAE SME Customer Protection Regulation
The CBUAE has issued the SME Customer Protection Regulation (Circular No. 2/2026), replacing the 2021 SME Market Conduct Regulation and forming part of its broader consumer protection framework. This development aims to support other CBUAE efforts to allow alternative financing tools to SMEs including expected amendments to the Finance Companies Regulation to add an additional category targeting SMEs.
The SME Customer Protection Regulation applies to all CBUAE-licensed banks and finance companies (including those operating in accordance with Islamic Shari’ah principles) and will come into force six months following publication in the Official Gazette.
Building on the earlier SME regime, the SME Customer Protection Regulation strengthens governance, transparency and responsible financing standards applicable to financial institutions dealing with SMEs.
Scope and SME definition
The SME Customer Protection Regulation introduces a clearer and more comprehensive definition of SMEs, expressly capturing sole proprietors and aligning SME protections more closely with the broader consumer protection framework.
Governance and accountability
Boards retain ultimate responsibility for ensuring fair treatment of SME customers, with senior management required to embed a strong conduct culture and ensure effective oversight of SME-related business practices.
Enhanced transparency and disclosures
Financial institutions must provide clear, plain-language disclosures in both Arabic and English across the full customer lifecycle. A Key Facts Statement must be provided prior to offering any product, and at least 60 calendar days’ prior notice is required for changes to terms or fees.
Responsible financing and credit assessment
Credit must be extended in a manner consistent with the SME’s repayment capacity, supported by robust solvency assessments. This reflects the CBUAE’s broader focus on preventing over-indebtedness and ensuring responsible lending practices.
Financial institutions are also encouraged to leverage government-backed credit guarantee schemes to support SME access to financing.
Bank account opening timelines
Low-risk SME accounts must be opened within three business days, subject to appropriate financial crime checks, with any delays capped at two weeks. Institutions are required to report periodically to the Board on account opening timelines and delays.
Customers in financial difficulty
Institutions must proactively identify SMEs exhibiting signs of financial stress and provide appropriate support, including restructuring, rescheduling or revised repayment arrangements.
Complaints handling framework
A free, independent complaints process must be maintained, with acknowledgment within two business days and final resolution within 30 business days. Unresolved complaints may be escalated to Sanadak.
Enforcement
Non-compliance may result in supervisory action, financial penalties and restrictions on individuals operating within the financial sector.
The SME Customer Protection Regulation represents a material strengthening of the conduct and consumer protection framework applicable to SME banking in the UAE. It aligns SME protections more closely with retail consumer standards while introducing more prescriptive requirements on governance, disclosures and lending practices.
- matching orders between buyers and sellers and conducting the purchase, sale or any other transaction between ETDs and Virtual Asset;
- maintaining an order book in furtherance thereof.
Financial institutions should undertake a comprehensive review of their SME onboarding, consumer protection, client agreement, disclosures and complaints frameworks to ensure alignment with the SME Customer Protection Regulation.
How can Al Tamimi help?
At Al Tamimi & Company, they assist their clients in assessing the impact of the recent regulatory developments across the UAE financial services landscape, including those introduced by the Capital Market Authority UAE, Virtual Assets Regulatory Authority and the Central Bank of the UAE.
In particular, they support clients with reviewing their existing frameworks, identifying gaps against the new requirements, and implementing the necessary updates. This includes, among other things, enhancements to governance structures, customer-facing documentation and disclosures, onboarding processes, telemarketing practices (including scripts and consent flows), complaints handling frameworks, and broader compliance and risk management arrangements.
Key Contacts
Ali Awad, Partner, a.awad@tamimi.com
Divya Abrol Gambhir, Partner, d.abrol@tamimi.com