A VARA license India crypto firms can use to operate in Dubai is not a simple registration — it is a multi-stage authorisation under the UAE’s Virtual Asset Regulatory Authority (VARA) framework with specific technology-control, custody, and AML/CFT requirements. The VARA licence is not a simple registration — it is a multi-stage authorisation process with specific technology-control, custody, and AML/CFT requirements. This guide is the advisory reference we use with Indian crypto firms in Bangalore and Mumbai: the VARA category structure, the application stages, the control expectations, and how to maintain dual compliance with FIU-IND and VARA simultaneously.
The article moves top-down: what VARA is, which category applies to your business model, the application stages, the technology-control framework, and common rejection reasons.
What VARA is and why it matters for Indian crypto firms
The Virtual Asset Regulatory Authority (VARA) is the independent regulator for virtual assets in Dubai, established under Dubai Law No. 4 of 2022. VARA licenses Virtual Asset Service Providers (VASPs) across four categories, each with escalating control and capital requirements.
For Indian-origin exchanges, a VARA licence provides a regulated jurisdiction for global operations, access to UAE banking infrastructure, and a compliance benchmark that satisfies institutional investor due diligence. See our CERT-In empanelled auditor list for the India-side security audit requirements, and our UAE VASP compliance page for the Dubai-side programme.
- A regulated jurisdiction for global operations
- Access to UAE banking and payment infrastructure
- A compliance benchmark that satisfies institutional investor due diligence
- A hedge against regulatory uncertainty in India
VARA VASP categories I–IV
| Category | Activities | Minimum capital | Key requirements |
|---|---|---|---|
| Category I | Advisory services | Lower | Qualified staff, compliance programme |
| Category II | Broker-dealer, exchange (non-custodial) | Medium | Order-matching technology, market-surveillance, custody segregation |
| Category III | Custody, proprietary trading | Higher | Cold-wallet custody, insurance, third-party audit |
| Category IV | Full exchange with custody and market-making | Highest | All of the above + liquidity requirements + system resilience |
Most Indian exchanges applying to VARA target Category II or IV, depending on whether they hold customer assets.
The VARA application stages
Stage 1: Provisional approval (2–4 months)
- Submit business plan, ownership structure, and governance framework
- Demonstrate fit-and-proper criteria for directors and senior management
- Provide evidence of minimum capital deposit
Stage 2: Full market product (FMP) licence (4–8 months)
- Implement technology controls as specified in VARA’s Technology and Cyber Risk Management Framework
- Complete penetration testing by a VARA-recognised firm
- Establish custody arrangements (for Category III/IV)
- Implement AML/CFT programme with transaction monitoring
Stage 3: Ongoing supervision
- Quarterly regulatory reporting
- Annual external audit
- Ad-hoc inspections by VARA
Technology-control framework for VARA
VARA’s Technology and Cyber Risk Management Framework requires:
| Control area | VARA expectation | Indian parallel |
|---|---|---|
| Information security governance | Board-approved policy, CISO appointment | Similar to CERT-In / RBI expectations |
| Access control | MFA, role-based access, privileged-account management | Standard ISO 27001 control |
| Network security | Segmentation, intrusion detection, DDoS protection | Standard VAPT scope |
| Application security | Secure SDLC, code review, annual pentest | OWASP ASVS / API Top 10 |
| Data protection | Encryption, backup, retention | DPDP Act 2023 |
| Incident response | 24×7 capability, VARA notification within 24 hours | CERT-In 6-hour window is stricter |
| Business continuity | RTO/RPO defined, annual DR test | RBI BCP guidelines |
| Third-party risk | Due diligence, contract review, audit rights | Similar to RBI outsourcing direction |
Dual compliance: FIU-IND + VARA
Indian crypto firms must maintain compliance with both FIU-IND (for India operations) and VARA (for UAE operations):
| Obligation | FIU-IND (India) | VARA (UAE) |
|---|---|---|
| Registration | FIU-IND VASP registration | VARA VASP licence |
| Reporting | Suspicious transaction reports (STRs) | Suspicious activity reports (SARs) |
| KYC | PMLA-compliant KYC | VARA Customer Due Diligence |
| Travel Rule | Not yet mandated | Required for transfers > $1,000 |
| Security audit | CERT-In empanelled VAPT | VARA-recognised pentest firm |
| Data localisation | Expected for Indian user data | No specific requirement |
Common VARA application rejection reasons
- Inadequate custody architecture. VARA expects cold-wallet segregation, multi-sig, and insurance. Hot-wallet-only architectures are rejected.
- Weak AML/CFT programme. Transaction monitoring must be real-time, not batch. Rule-based systems without ML are often insufficient.
- Insufficient capital. The minimum capital must be deposited and maintained, not just pledged.
- Non-local compliance officer. VARA expects a Dubai-based compliance officer with relevant experience.
- Incomplete penetration-test scope. The pentest must cover trading APIs, custody systems, and admin panels. Scoping gaps cause rejection.
Vendor evaluation rubric for VARA advisory
- Have you guided Indian crypto firms through VARA licensing? The India-UAE dual-compliance context is not generic.
- Do you have relationships with VARA-recognised pentest and custody-audit firms? Coordinated scoping reduces delay.
- Can you map FIU-IND and VARA controls to a single compliance calendar? Dual compliance without coordination creates redundancy.
- Do you fix the advisory fee in INR before kickoff? Variable billing is a red flag.
- Will the partner attend VARA meetings if required? Partner continuity matters for regulator interactions.
We answer all five specifically and in writing during scoping.
Cost of VARA application — what to budget
Indian crypto firms approaching VARA need to budget across multiple cost categories. The headline application fees paid to VARA are only a fraction of the total programme cost.
| Cost category | Typical range (INR) | Timing |
|---|---|---|
| VARA application fees (paid to VARA) | ₹5,00,000–₹15,00,000 | Stage 1 + Stage 2 |
| Minimum capital deposit | ₹3 Crore – ₹40+ Crore | Locked during application; refundable if rejected |
| Legal counsel (UAE) | ₹15,00,000–₹40,00,000 | Across stages |
| Compliance advisory (India + UAE) | ₹20,00,000–₹50,00,000 | 12–18 months |
| Technology controls implementation | ₹25,00,000–₹1,00,00,000 | Custody, monitoring, AML tooling |
| VARA-recognised pentest | ₹15,00,000–₹35,00,000 | Stage 2 |
| Custody insurance | ₹40,00,000–₹2 Crore/year | Ongoing |
| Dubai operating expense (office, staff) | ₹1.5 Crore–₹4 Crore/year | Ongoing |
The total programme cost from initial advisory to VARA licence is typically ₹3–₹10 Crore depending on category target and scale. The minimum capital deposit (held in escrow during application) is the largest line item but is refundable.
Common Bangalore-Mumbai application patterns
The Indian crypto firms approaching VARA fall into three operational patterns we see repeatedly.
Pattern 1 — Bangalore exchange, Dubai legal entity
The technology team and customer-support team remain in Bangalore. A separate Dubai legal entity is established for the VARA-licensed business. The Bangalore parent company provides services to the Dubai entity under intercompany agreements. This pattern preserves engineering velocity (Bangalore team continues to ship) while satisfying VARA’s local-substance requirements through the Dubai entity.
Pattern 2 — Mumbai HFT firm, Dubai market-making
A Mumbai-headquartered high-frequency trading or market-making firm establishes a VARA-licensed entity for liquidity provision. The Mumbai team handles strategy and risk; the Dubai entity handles regulated trading.
Pattern 3 — Indian custody provider, Dubai institutional product
An Indian crypto-custody firm with FIU-IND registration establishes a VARA Category III entity to serve institutional clients (UAE family offices, GCC sovereign wealth funds). The institutional product is materially higher-margin than the Indian retail business; the VARA licence justifies the regulatory investment.
Operating model considerations
Beyond the licence itself, several operating-model considerations affect long-term success.
Banking relationships
VARA-licensed entities can access UAE banking infrastructure that Indian crypto firms typically cannot. Establishing banking relationships in parallel with the application reduces post-licence go-live time. Most VARA-licensed firms eventually establish accounts with one of: Mashreq Bank, ADCB, ENBD, or DIB.
Customer onboarding from India
Indian customers cannot trade on a VARA-licensed exchange unless the exchange holds appropriate Indian permissions. The legal architecture for cross-border customer onboarding is complex; most VARA-licensed Indian-origin firms serve UAE-resident customers and global institutional customers, not Indian retail.
Tax structure
Dubai’s tax environment is favourable but not zero. VARA-licensed entities pay corporate tax (9% on profits above AED 375,000), VAT where applicable (5%), and any sectoral fees. Indian transfer-pricing implications for the parent-subsidiary structure require careful planning.
Talent
VARA-licensed entities require Dubai-resident senior staff (CISO, MLRO, Compliance Officer minimum). Salary expectations are materially higher than Bangalore equivalents; budget approximately AED 30,000–60,000/month per senior role.
Common rejection reasons in detail
Beyond the five high-level rejection reasons listed earlier, more granular failure modes emerge from VARA’s case-by-case feedback.
Failure 1 — Inadequate proof-of-reserves architecture. VARA expects on-chain attestation of reserves matched to customer liabilities, not just accounting-level reconciliation. Implementing this requires changes to the core ledger that take 8–16 weeks of engineering work.
Failure 2 — Compliance officer with insufficient experience. VARA’s fit-and-proper criteria for the compliance officer role are strict; first-time compliance officers without prior regulated-industry experience are typically rejected.
Failure 3 — Custody architecture without insurance. Cold-wallet custody must be insured to specific minimums; “we will get insurance after approval” is not accepted.
Failure 4 — AML transaction monitoring with rules but not analytics. Rule-based transaction monitoring without behavioural analytics typically does not satisfy VARA’s expectation of effective monitoring.
Failure 5 — Inadequate exit planning. VARA expects a documented plan for what happens to customer assets if the licensed entity ceases operation. Most first-time applications lack this entirely.
Practical next steps
If you are scoping a VARA application, start with the category selection table to determine your target tier. If you need a crypto-exchange pentest, see our Crypto Exchange Pentest service page. If you want end-to-end VARA compliance advisory, our UAE VASP service page walks through the programme and pricing.
For organisations that want a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope, fixed price in INR, and direct partner-level accountability through the engagement.
VARA application FAQ
How long does the VARA application process take end-to-end? 12–18 months from initial engagement to fully-licensed operations. Stage 1 (provisional approval) is 2–4 months; Stage 2 (full market product) is 4–8 months; ongoing onboarding adds 2–6 months.
What is the minimum capital requirement? Varies by category. Category I starts at lower bands; Category IV (full exchange with custody) requires the highest capital. Capital is held in escrow during application; refundable if rejected.
Can I operate in UAE without a VARA licence? No, for activities falling within VARA’s scope. Operating without a licence triggers regulatory action and bars from future application.
Is VARA recognised in other jurisdictions? VARA is a Dubai-specific regulator. Recognition in other jurisdictions varies; some accept VARA licensing as evidence of regulatory maturity, others require local licensing independently.
Can I retain my Indian operations during VARA application? Yes. Most Indian-origin firms maintain Indian operations under FIU-IND while pursuing VARA. The two regimes operate independently.
Does VARA require physical presence in Dubai? Yes. VARA expects local substance — registered office, local staff (compliance officer, MLRO at minimum), and operational presence proportionate to licence category.
What is the typical post-licence operating cost? ₹1.5–4 Crore/year depending on scale. Includes Dubai office, senior staff, compliance tooling, ongoing legal counsel, and regulatory fees.
Can I serve Indian customers from a VARA-licensed entity? Generally no, due to Indian regulatory restrictions on cross-border crypto services. VARA-licensed entities typically serve UAE residents and global institutional customers.
Does VARA accept ISO 27001 certification? As supporting evidence yes, but not as substitute for VARA’s specific Technology and Cyber Risk Management Framework controls. Most applicants hold ISO 27001 alongside meeting VARA-specific requirements.
What happens if my application is rejected? Capital deposit is refundable. The firm can re-apply after addressing the rejection reasons; some rejection categories (fit-and-proper failures for individuals) carry longer cooling-off periods.
Can I use a VARA licence to operate elsewhere in the UAE? VARA is Dubai-specific. Other emirates have separate regulators (e.g., FSRA in Abu Dhabi); a VARA licence does not authorise operations in other emirates.
Are there banking restrictions for VARA-licensed firms? Some restrictions exist on the banking side; VARA-licensed firms typically establish accounts with crypto-friendly UAE banks (Mashreq, ADCB, ENBD, DIB are common). Banking onboarding requires additional due-diligence beyond the VARA licence.
Strategic considerations for Indian-origin VARA applicants
The decision to pursue VARA is strategic, not merely regulatory. Several considerations affect whether VARA is the right path for a given Bangalore or Mumbai crypto firm.
Customer base alignment
VARA-licensed entities serve UAE residents and global institutional customers. Firms whose customer base is predominantly Indian retail face limited operational benefit from VARA. The strongest VARA business cases involve global institutional ambitions or material UAE retail presence.
Capital allocation
The minimum capital deposit ranges from ₹3 Crore (Category I) to ₹40+ Crore (Category IV with custody). For early-stage firms, this capital allocation represents material runway commitment. Most VARA applicants are Series-B or later.
Operational complexity
Maintaining dual jurisdictions (India FIU-IND + UAE VARA) creates ongoing compliance overhead. The compliance team grows; legal counsel costs increase; reporting cadences multiply. Firms should plan for 2–4 additional senior roles to operate the dual-jurisdiction model effectively.
Tax implications
Dubai’s tax environment is favourable but produces transfer-pricing implications for the parent-subsidiary structure. Indian transfer-pricing rules apply to inter-entity transactions; appropriate documentation is essential. CA firms with India-UAE practice depth (Big-4 Dubai offices, specialist mid-tier firms) handle this work routinely.
Geopolitical risk
UAE-India regulatory cooperation is strong and bilateral relationships are warm. The geopolitical risk in this corridor is lower than in many alternatives. However, regulatory cooperation includes information-sharing arrangements that affect firms operating in both jurisdictions.
Comparison: VARA vs other crypto regulatory destinations
Indian-origin firms occasionally consider alternatives to VARA. Brief comparison:
Singapore (MAS). More mature regulator with longer track record. Stricter ongoing supervision. Higher capital requirements. Geographic distance from Indian market. Best for firms with global institutional ambitions and ability to bear higher operating cost.
Hong Kong (SFC). Recent regulatory evolution makes Hong Kong increasingly attractive. Strong banking infrastructure. Higher operational cost than Dubai. Best for firms with East-Asian market focus.
Switzerland (FINMA). Crypto-friendly regulatory environment but operationally remote from Indian operations. Banking infrastructure mature. Best for firms with European institutional clients.
Lithuania / Estonia (EU MiCA). EU MiCA provides a passport-like authorisation across the European Union. Operationally remote from Indian operations but provides EU market access. Best for firms targeting EU consumer markets.
Bermuda / British Virgin Islands. Offshore jurisdictions with lighter regulatory regime. Acceptable for some institutional structures but face increasing scrutiny from major banking partners.
For most Indian-origin firms with global ambitions but operational anchor in India, VARA represents the best balance of regulatory clarity, geographic proximity, and operational viability.
Post-licence operational reality
Beyond the application process, the post-licence operational reality merits planning.
Ongoing supervision. VARA conducts regular inspections (typically annual) plus ad-hoc reviews. Inspection scope evolves; firms maintain ongoing dialogue with VARA’s technical-supervision teams. Inspection readiness requires continuous documentation discipline.
Continuous reporting cadence. Quarterly regulatory submissions including financial reports, compliance attestations, incident summaries, and customer-statistic reports. Reporting infrastructure must produce these reliably.
External-audit cycle. Annual external audit by VARA-recognised firm. Audit scope covers technology controls, AML programme, financial controls, and ongoing compliance.
Capital adequacy monitoring. Capital must be maintained at minimum levels; depletion below threshold triggers regulatory action. Operational planning ensures capital adequacy through profit cycles and growth phases.
Business-continuity testing. Annual DR test with documented evidence; outcomes reported to VARA. Testing must be substantive, not pro-forma.
Customer-asset reconciliation. Continuous reconciliation of customer assets to verified reserves. Discrepancies require immediate investigation and reporting.
Strategic positioning of the VARA-licensed entity
Beyond regulatory compliance, the VARA-licensed entity’s strategic positioning affects long-term viability.
Geographic market focus. UAE retail, MENA institutional, sub-Saharan Africa, parts of Asia. Each market segment has different regulatory, banking, and operational characteristics. Strategic positioning should be deliberate.
Product specialisation. Spot trading, derivatives, custody, lending, market-making. Different product lines have different regulatory categories and different competitive dynamics.
Institutional vs retail mix. Institutional clients are higher-margin but require more sophisticated relationship management; retail is volume-driven with thinner margins. Strategic mix affects organisational design.
Technology differentiation. Trading-engine performance, custody architecture, institutional-grade APIs. Technology differentiation affects competitive positioning in a market with multiple licensed players.
Banking and counterparty relationships. Banking access is the structural advantage of VARA license; deepening banking and counterparty relationships compounds the advantage over time.
VARA-specific implementation patterns observed in Indian-origin firms
Bangalore and Mumbai crypto firms pursuing VARA exhibit specific implementation patterns worth understanding.
Pattern 1 — split entity structure with India tech, UAE compliance. Tech team in Bangalore, compliance and senior executives in Dubai, customer-support distributed. Most-common structure for mid-size Indian-origin firms.
Pattern 2 — Dubai-resident founders. Some Indian-origin founders relocate to Dubai for VARA application; others maintain India residence with frequent travel. The decision affects regulatory perception of management substance.
Pattern 3 — phased product rollout. Initial VARA license for limited product (e.g., spot trading); expanded license categories pursued post-establishment. Reduces application complexity at the cost of product timeline.
Pattern 4 — partnership with established UAE entity. Joint venture with UAE-headquartered institutional partner accelerates banking and regulatory relationships. Trade-off: equity dilution.
Pattern 5 — full incorporation in DIFC vs Dubai mainland. DIFC offers English common-law jurisdiction and stronger institutional reputation; Dubai mainland offers broader operational flexibility. The choice depends on customer base.
Operational learnings from VARA-licensed Indian-origin firms
Firms that have completed VARA licensing share common observations.
Observation 1. Application timeline routinely exceeds initial estimates. Plan for 18-month timeline rather than 12-month.
Observation 2. Banking relationship establishment takes longer than expected. Begin banking conversations 3-6 months before VARA license issuance.
Observation 3. Dubai talent costs are higher than expected. Senior compliance and risk roles command AED 30-60K/month minimums.
Observation 4. Ongoing supervision is more substantive than initial expectations. Annual VARA inspection requires preparation cycle of 4-8 weeks.
Observation 5. Customer onboarding from outside UAE has limitations. UAE-resident customer base development requires local marketing investment.
Observation 6. Cross-jurisdiction tax planning is essential. Engaging tax counsel during application phase prevents post-licence restructuring.