UAE VASP / VARA Compliance Advisory from Bangalore

UAE VARA / VASP compliance advisory delivered from Bengaluru. License categories I–IV, ongoing supervision response, suspicious-activity reporting, and the technology controls VARA actually inspects. Operationally delivered from India · all sensitive evidence resident in Bharat where the legal structure permits.

  • Timeline: 12–16 weeks
  • From (INR): ₹8,00,000
  • Delivered from: Bengaluru
  • Empanelment: CERT-In

The Virtual Assets Regulatory Authority (VARA) of Dubai has emerged as one of the most rigorous and explicit crypto regulators globally, and Dubai itself is now the dominant regional hub for crypto businesses serving the Middle East, Africa, and parts of Asia. For Indian-origin crypto firms — exchanges, brokers, custodians, payment providers — UAE expansion under VARA is increasingly the path to regulated banking access, regional-market reach, and operational clarity. The structure that works for most Bangalore-headquartered crypto firms is dual-jurisdiction: an India-incorporated entity (FIU-IND registered, addressing the Indian customer base) plus a UAE entity (VARA-licensed, addressing UAE and regional customers), with operations centralised in Bengaluru. This page describes the VARA compliance engagement model.

Why VARA, why now

The case for VARA expansion for an Indian crypto firm comes down to three structural factors. First, banking access — Indian banks have, since the Reserve Bank’s 2022 banking-channel guidance, been highly conservative about servicing crypto businesses. UAE banks remain open to VARA-licensed entities under specific compliance preconditions, restoring the fiat-on-ramp / off-ramp capability that is operationally essential. Second, regulatory clarity — VARA publishes detailed rulebooks covering each major aspect of virtual-asset activity, providing explicit guidance that Indian regulation has not yet matched. Third, regional market — UAE serves as a hub for MENA (a fast-growing crypto market with limited indigenous regulated supply), sub-Saharan Africa (where UAE-based providers have a structural cost advantage), and parts of South Asia / South-East Asia.

The structural argument is not "leave India" — it is "operate from India under appropriate regulatory permissions in each jurisdiction." Most Bangalore engagements maintain Indian operations (subject to FIU-IND), incorporate a UAE entity for the VARA license, and run customer-facing operations through the appropriate entity per customer jurisdiction.

VARA license categories I–IV

Category I — Advisory Services

For investment advisers, research providers, and other advisory-only entities. Lower capital requirements, narrower scope. Common for boutique advisory firms; less common for product companies.

Category II — Broker-Dealer Services

For entities executing transactions on behalf of clients. Most exchanges hold Category II as part of their licensing portfolio. Capital and conduct requirements scale with activity volume.

Category III — Custody Services

For entities providing custody of virtual assets on behalf of clients. Specific technology and operational requirements around wallet architecture, key management, segregation, recovery. Generally held alongside Category II or IV.

Category IV — Exchange Services

For entities operating exchange platforms (matching engines, order books). The flagship category for exchanges. High capital, governance, and technology requirements.

Multi-category licensing is the norm for product companies. Each additional category adds rulebook scope and capital requirement; we map activities to required categories during scoping to avoid over-licensing.

Who in Bangalore needs this

  • Indian-origin crypto exchanges seeking regulated international expansion
  • Custody providers servicing institutional clients with global allocation
  • Indian-origin payment / remittance firms with virtual-asset components in their stack
  • Crypto fund managers and asset managers serving regional investors
  • Web3 product companies with consumer-facing virtual-asset features
  • NFT and gaming platforms with virtual-asset transaction components

The seven VARA rulebooks

VARA’s regulatory framework is structured as seven activity-specific rulebooks plus general supervisory and conduct frameworks:

  • Compliance and Risk Management Rulebook — governance, risk, compliance officer, internal audit
  • Technology and Information Security Rulebook — the rulebook our work concentrates on
  • Market Conduct Rulebook — market manipulation prevention, fair dealing, disclosures
  • Company Rulebook — corporate governance, disclosures, related-party transactions
  • Custody Services Rulebook — custody-specific controls (Category III licensees)
  • Broker-Dealer Services Rulebook — broker-dealer-specific controls (Category II)
  • Exchange Services Rulebook — exchange-specific controls (Category IV)

Plus the AML / CFT compliance framework (which incorporates the FATF travel rule and UAE-specific AML requirements) and the Marketing rulebook (for any consumer-facing communications).

Technology and information security rulebook

The Technology and Information Security Rulebook is the document our work concentrates on. It specifies controls across:

  • Wallet architecture (hot, warm, cold) — segregation, security, key management
  • Cryptographic key generation, storage, recovery, rotation
  • Multi-signature requirements for high-value transactions
  • Application security testing and continuous monitoring
  • Infrastructure security (cloud, on-premise, hybrid)
  • Identity and access management with separation of duties
  • Data protection at rest and in transit
  • Logging, monitoring, alerting, and audit trail integrity
  • Incident response and breach reporting
  • Business continuity and disaster recovery
  • Third-party risk management for technology vendors
  • Periodic independent audit by qualified auditor
  • Data residency and cross-border transfer controls

Our engagement implements each of these against your specific architecture, produces the documentation VARA expects to see in the application file, and maintains the controls through ongoing supervision.

AML / CFT and travel-rule compliance

VARA inherits and extends the UAE’s AML / CFT framework, which is FATF-aligned and includes the travel rule for virtual-asset transactions above specified thresholds. Compliance work covers:

  • KYC onboarding with risk-based due diligence
  • Enhanced due diligence for higher-risk relationships
  • Sanctions screening (UN, OFAC, UAE, other relevant lists) at onboarding and continuously
  • Transaction monitoring with rule coverage and alert workflow
  • Suspicious-activity reporting to UAE Financial Intelligence Unit
  • Travel-rule data exchange with counterparty VASPs
  • Independent AML audit annually
  • AML compliance officer (UAE-resident, qualified)

For Indian-origin firms operating in both India and UAE, the AML programmes have to be coordinated — FIU-IND requirements for the India operation plus VARA / UAE FIU requirements for the UAE operation. The data flows between the two operations have to be structured carefully under both DPDP Act and UAE data-protection regulations.

Ongoing supervision and reporting

Post-license, VARA operates active supervision rather than light-touch. Specific obligations:

  • Annual on-site supervisory visit (typical)
  • Periodic regulatory reporting (financial, operational, AML)
  • Event-driven reporting (incidents, material changes, new products)
  • Annual independent audit (technology + AML)
  • Periodic pen-tests against critical systems
  • Active engagement with VARA on consultation papers, regulatory updates, sectoral guidance

The supervision relationship is significant operational work; most licensees designate a Head of Compliance who is the primary regulator-facing officer and works with us as the technology / audit overlay.

Twelve-to-sixteen week engagement roadmap

Weeks 1–2 · Scoping and category mapping

Activities → categories mapping, license-category determination, gap analysis against rulebook scope.

Weeks 3–6 · Documentation development

Policy and procedure development across applicable rulebooks; technology architecture documentation; AML programme documentation.

Weeks 7–10 · Technology controls implementation

Wallet architecture build / hardening; key management; security monitoring; incident response. Pre-application audit.

Weeks 11–12 · Application file assembly

Co-ordinate with UAE legal counsel to assemble the application file. Pre-submission review.

Weeks 13–14 · Submission and back-and-forth

VARA submission. Response to VARA initial questions; document supplementation as required.

Weeks 15–16 · Pre-license operational readiness

Final operational readiness — UAE-resident senior management, AML compliance officer, board structure, banking arrangements.

Post-submission · 6–9 months

VARA review, ongoing engagement, conditional approval, license issuance.

Pricing in INR

Tier 1 · Single-category
Single-Category License
₹8,00,000 + GST
  • One license category
  • 12-week pre-application engagement
  • Technology workstream
  • Legal coordination support

Tier 3 · Post-license
Ongoing Supervision Retainer
₹6,00,000 / quarter + GST
  • Annual technology audit
  • AML technology audit
  • Regulatory reporting support
  • Periodic VAPT
  • Incident-response capacity

India ↔ UAE operational context

The dual-jurisdiction structure that works for most Bangalore-origin crypto firms involves an India-incorporated entity (typically Bangalore-headquartered, FIU-IND registered) handling the India customer base and operations, paired with a UAE-incorporated entity (Dubai mainland or DIFC-incorporated depending on regulatory structure, VARA-licensed) handling the UAE and regional customer base. Operations — engineering, customer support, finance, marketing — typically centralise in Bangalore for cost and talent reasons, with UAE-resident senior management and compliance team for regulatory reasons.

Data residency is structured to satisfy both regimes: customer personal data of Indian residents resides in India per DPDP Act; UAE customer data resides per VARA’s and the UAE’s data-protection requirements. Cross-border data transfers between the two operations are structured under DPDP’s permissive cross-border framework and the UAE’s FTZ-specific data-protection rules, with intra-group data-sharing agreements.

Banking is the most operationally consequential aspect. Indian banks are constrained in servicing crypto businesses; UAE banks accessible via the UAE entity provide the operational fiat ramp. Each entity handles fiat in its own jurisdiction.

Firm profiles — who is pursuing VARA and why

The Indian-origin firms pursuing a VARA license through 2025–2026 fall into a small number of strategic archetypes. Each archetype has a different driver, different timeline pressure, and a different optimal license portfolio.

Indian-headquartered exchanges seeking regional expansion

The largest single archetype. An Indian-domiciled exchange has reached scale within India under FIU-IND registration; growth requires regional-market access; a UAE entity with a VARA license addresses MENA and adjacent markets. License portfolio typically Category II + III + IV. Timeline pressure: moderate; the entity continues operating in India while the UAE entity is established. Most common engagement structure: a bundled engagement, with Indian-side cybersecurity work continuing under the existing retainer and the UAE-side work as a new engagement.

Indian-headquartered custody providers

Custody-focused firms (institutional-grade custody, prime brokerage) with Indian institutional clients seeking regional reach. License portfolio typically Category I + III. Timeline: longer, because custody licensing carries the most rigorous review. Engagement structure: heavy emphasis on technology-controls implementation, key-management ceremony documentation, and operational-resilience evidence.

Indian-origin payment / remittance firms

Cross-border-payment firms operating digital-asset rails for remittance corridors. License portfolio typically Category II for the broker-dealer activity. Timeline: variable depending on the firm’s existing regulatory footprint; firms with banking-channel relationships in both India and UAE move faster.

Indian-headquartered Web3 product companies

Web3 product companies (DeFi, NFT, gaming, infrastructure) with consumer-facing or institutional-facing virtual-asset features. License requirements depend on activity decomposition; some Web3 architectures avoid licensing requirements entirely, others trigger them. Engagement structure typically begins with activity-licensing-mapping before substantive engagement begins.

Indian-headquartered fund managers

Asset managers running crypto-allocated funds with regional investor base. License portfolio typically Category I + II. Timeline: moderate. Engagement integrates with our broader regulated-fund advisory practice for the parallel SEBI / FIU-IND / ROC compliance.

Post-license supervision in detail

VARA’s post-license supervision is among the most active regulator-engagement environments in global crypto regulation. Licensees should expect ongoing regulatory engagement at multiple cadences.

Annual on-site supervision

VARA conducts annual on-site supervisory visits — typically 2–5 days for mid-sized licensees, longer for major exchanges. Visit scope covers governance, technology controls, AML compliance, market conduct, financial soundness, and any regulator-identified focus areas. Our retainer prepares the documentation pack, runs pre-visit walkthroughs with the leadership team, attends the visit alongside the client, and supports post-visit response to any observations.

Periodic regulatory reporting

Quarterly financial reporting, monthly transaction-volume reporting, ad-hoc operational reporting on material changes. Format is prescribed; submission is via VARA’s portal. Our retainer includes managed reporting where the client elects to outsource the work.

Event-driven reporting

Material incidents (cybersecurity, financial, operational) trigger reporting obligations within VARA-prescribed timelines. Material business changes (new products, key-personnel changes, ownership changes, address changes) similarly trigger notification. Our incident-response capacity (see our IR retainer page) handles the cybersecurity-event reporting pathway; broader corporate-event reporting is typically handled by UAE legal counsel.

Annual independent audit

Both technology audit and AML audit are required annually by independent qualified auditors. We provide the technology and AML technology audit work; AML programme audit (covering policy, training, governance) is typically performed by a separate UAE-licensed auditor partner.

Periodic VAPT

VARA’s technology rulebook requires periodic security testing of critical systems. Cadence depends on category; Category IV (exchange) typically quarterly external + annual internal-network. Our VAPT methodology — see our VAPT page — applies under VARA’s expectations.

Banking access — the operational reality

The structural advantage of VARA license is regulated-banking access. Several UAE banks (with varying selectivity) service VARA-licensed VASPs under specific compliance preconditions. The preconditions typically include: full VARA license (not pending), enhanced AML / KYC posture, specific source-of-funds documentation for institutional inflows, sometimes specific transaction-volume corridors permitted.

Our engagement does not directly broker banking relationships — that work sits with the client’s UAE corporate-services partner — but we provide the technology and compliance documentation that supports the banking conversation. Specifically: AML-technology audit reports, security-audit reports, transaction-monitoring effectiveness data, and regulatory-engagement history. Banks reviewing the VASP’s file find these artifacts central to their decision.

For Indian-origin firms, the banking-relationship establishment is typically the longest-pole item in the operational stand-up — license issuance is fast (relatively); banking onboarding can take 4–8 months even after license. We strongly recommend beginning the banking conversation in parallel with the license application rather than sequentially.

Cross-jurisdiction reporting and India-UAE coordination

Indian-origin VASPs operating in both jurisdictions face a reporting-coordination challenge. Customer activity in India is reportable to FIU-IND; customer activity in UAE is reportable to the UAE Financial Intelligence Unit; cross-border activity may be reportable to both. Travel-rule data exchange between jurisdictions adds another reporting layer.

Our engagement designs the reporting architecture across both jurisdictions: which transactions are reportable where, what data goes to whom, what audit-trail evidence supports each filing. The architecture is documented in a single reporting-procedures manual reviewed by both Indian and UAE regulatory practice. In practice, the manual is implemented through separate reporting workflows that share underlying data sources but produce jurisdiction-specific submissions.

VARA vs ADGM, DIFC, MAS, and other regional frameworks

Indian-origin crypto firms increasingly evaluate multiple regional regulatory options. The shortlist for most Bangalore-based firms in 2026 is VARA (Dubai Mainland), ADGM (Abu Dhabi Global Market), DIFC (Dubai International Financial Centre), MAS (Singapore), and SFC (Hong Kong). Each has different positioning, capital requirements, and operational implications.

VARA is positioned as a comprehensive activity-based licensing regime; it covers most VA activities under one regulator and is geographically convenient for firms serving MENA and India. ADGM operates a similar regime within Abu Dhabi’s financial-free-zone framework, with somewhat lighter capital requirements but less-developed market infrastructure. DIFC is the older Dubai financial-free-zone (operating under English common law) but has historically been less open to crypto activities than mainland VARA; recent DFSA frameworks have evolved this. MAS in Singapore is rigorous but has historically been slow on licensing throughput, with a structurally smaller approved-licensee population. SFC in Hong Kong has emerged as more crypto-positive since 2023 but operational costs are high and the regulatory engagement is intensive.

For most Indian-origin firms with regional ambitions, VARA is the practical choice. The combination of geographic accessibility (4–6 hour flight from major Indian cities), comprehensive scope, structured licensing, and access to UAE banking creates the operational profile that matches what Indian product companies typically need. Firms with primarily Asian-market ambitions sometimes evaluate MAS or SFC instead; firms with Africa-focus sometimes evaluate Mauritius or specific African jurisdictions; firms with European-Union focus may evaluate MiCA-aligned frameworks. Our scoping conversation typically maps the optimal jurisdiction to the firm’s specific market plan rather than defaulting to VARA.

Where firms hold multiple regional licenses (which the largest international platforms typically do), the operational implementation involves a single underlying technology and operations stack with jurisdiction-specific control overlays per license. We deliver multi-jurisdiction compliance work with this architecture in mind; the substrate is unified, the regulatory-facing artifacts are jurisdiction-specific.

Evaluating a VARA compliance vendor — what to ask

VARA preparation work is one of the most specialised crypto-compliance engagements globally. The vendor population is small — well under 30 firms worldwide deliver substantive VARA preparation, and only a handful do so with Indian-origin client experience specifically. The questions below help separate substance from positioning during selection.

VARA license issuance experience: how many VARA licenses has the firm helped clients obtain? What categories? Indian-origin or other? The most experienced firms have led 8–15 successful applications across categories; firms with one or two are still climbing the learning curve, which is materially relevant given VARA’s feedback velocity.

Indian regulatory practice: for Indian-origin firms specifically, the vendor needs to operate the Indian-side compliance (FIU-IND registration, PMLA obligations, DPDP Act, CERT-In Direction 20(3)/2022, sectoral regulator engagement) alongside the UAE-side work. Ask whether the firm delivers both Indian and UAE compliance practice; firms strong only in one jurisdiction force you to engage two firms with predictable coordination friction.

UAE legal counsel partnership: the broader licensing application requires UAE-licensed legal counsel for the legal-regulatory submission alongside our technology and AML technology workstream. Ask which UAE legal partners the vendor works with, what the engagement model looks like, and how the workstream coordination is structured.

Banking-relationship support: ask whether the firm provides documentation that supports the banking-relationship establishment (audit reports, AML technology effectiveness data, regulatory engagement history) and what their experience has been with banking onboarding for VARA-licensed clients. The banking relationship is operationally the longest-pole item; vendors with bank-facing experience compress the timeline materially.

Post-license retainer: ask what the post-license supervision support looks like. VARA conducts active supervision; vendors with only license-issuance experience and no post-license retainer practice are structurally less useful for the multi-year operational reality.

We answer all of these specifically and in writing during scoping.

For Indian-origin firms, the VARA path is one of the most consequential strategic decisions of the next two to three years. The compliance engagement is significant but the structural payoff — banking access, regulatory clarity, regional market access — generally justifies the investment for product companies above seed-plus stage with international ambitions. The cost of getting it right is meaningful; the cost of getting it wrong is dramatically higher in operational terms. To start a VARA engagement, the next step is a scoping conversation with our partner who has led several Indian-origin VARA applications. Engagements typically begin within ten business days of contract signing.

Frequently asked questions

The Virtual Assets Regulatory Authority (VARA) is the regulator established by Dubai Law No. 4 of 2022 to supervise virtual-asset activity in the Emirate of Dubai (excluding the DIFC, which has its own regulator). VARA has emerged as one of the most active and bespoke crypto regulators globally, publishing detailed rulebooks covering all aspects of virtual-asset service provision. Combined with the UAE’s tax position, banking access, and operational climate, Dubai has become the dominant regional hub for crypto businesses serving the Middle East, Africa, and parts of Asia.
Three reasons. First, regulated banking access — VARA-licensed entities have access to UAE banking (which generally remains open to crypto businesses with VARA license) versus the increasingly-constrained banking environment for India-based crypto firms. Second, regional market access — UAE serves as a hub into MENA, sub-Saharan Africa, and parts of South-East Asia. Third, operational clarity — VARA’s rulebook approach provides explicit guidance versus the more interpretive Indian regulatory environment. Most Indian crypto firms pursuing global ambitions establish a UAE entity and obtain VARA license; the operations team can remain in Bengaluru.
Four license categories: Category I — Advisory, Category II — Broker-Dealer (the most common for exchanges), Category III — Custody Services, Category IV — Exchange Services. Multi-category licensing is permitted and common — most exchanges hold Category II + III + IV. Lending, staking, and other VA activities have specific category coverage; we map your activities to required categories during scoping.
From engagement kick-off to license issuance, expect 9–14 months for a well-prepared applicant. Our pre-application work (building the VASP file — policies, procedures, technology controls, financial statements, compliance team, governance structure, business continuity) takes 12–16 weeks. VARA review is typically 6–9 months including back-and-forth on submissions. The most common reason for slippage is incomplete or inconsistent submission rather than VARA review pace; thorough pre-submission preparation is the single biggest controllable factor.
Yes — and this is the most common pattern for Indian-origin VARA applicants. The licensed entity is UAE-incorporated (typically Dubai mainland or DIFC), the regulator-facing compliance and senior management are UAE-resident, and the back-office operations (engineering, customer support, finance, marketing) operate from Bangalore or Mumbai. Data residency is structured per the DPDP Act (where Indian residents are involved) and VARA’s data-protection rulebook. We have helped multiple Indian-origin firms structure this arrangement.
VARA is a comprehensive prudential and conduct regulator covering capital adequacy, governance, technology, AML, market conduct, custody, and reporting. FIU-IND is a financial-intelligence-unit registration under PMLA covering AML / CFT obligations only. An Indian crypto firm operating in both jurisdictions holds both — FIU-IND for India operations plus VARA for UAE operations. The compliance regimes are different and cannot be substituted for each other.
Yes — VARA’s technology rulebook requires periodic security audits by independent qualified auditors. Our reports are prepared to meet VARA’s prescribed scope (covering wallet operations, application security, infrastructure security, KYC/AML systems, key management) and have been accepted in VARA submissions. Empanelment under VARA’s technology auditor framework is in development; we maintain currency with VARA’s evolving auditor expectations.
Both, optionally. Our core engagement is the technology, security, and operational compliance workstream — wallet architecture, application security, infrastructure, AML technology, custody operations. For the broader application (capital, governance, business continuity, conduct, marketing) we partner with UAE-licensed legal advisors who handle the regulatory submission. Most Bangalore engagements are bundled (we coordinate across the technology and legal workstreams); some clients prefer to retain their own UAE counsel and engage us for technology only.
Standard engagement starts at ₹8,00,000 for the technology workstream. Including legal counsel coordination, full preparation of the VASP file, and ongoing supervision support during the first year, expect ₹35–65 lakh total cost depending on category combinations and complexity. VARA’s own license fees and ongoing supervision fees are paid directly to the regulator and are not included.
Yes — the post-license retainer is the operationally significant part of the relationship. Post-license, VARA conducts ongoing supervision (typically annual on-site, plus event-driven engagement), expects regular regulatory reporting, requires audit cycles, and may issue specific information requests at any time. The retainer covers periodic technology audits, AML technology reviews, regulator-engagement support, and the operational compliance overlay. Pricing typically ₹4–8 lakh per quarter depending on entity scale.
Ready to scope this engagement?

Book a thirty-minute scoping call.

Tell us your framework, your stack and the deadline. You leave the call with a written scope, a fixed price in INR, and a kick-off invite.