Custody Services Under VARA’s Regulatory Framework
The custody of virtual assets — the safekeeping and administration of digital assets on behalf of clients — sits at the intersection of traditional financial services custodianship and the unique technical requirements of blockchain-based asset management. VARA’s Custody Services Rulebook, included within the Virtual Assets and Related Activities Regulations 2023 and updated to Version 2.0 in May 2025, establishes a comprehensive framework for how licensed VASPs must manage client assets.
The August 2023 amendment to the Custody Services Rulebook was particularly significant, as it explicitly permitted “Staking from Custody Services” — allowing custody providers to stake client virtual assets while maintaining regulatory compliance. This amendment opened a significant revenue stream for custody providers while establishing guardrails to protect client interests.
The Custody Licence Framework
Custody services constitute one of the seven regulated virtual asset activity categories under VARA’s licensing framework. Entities seeking to provide custody services must obtain a specific VARA licence authorizing this activity, following the standard two-step MVP licensing process.
Several entities have received VARA licensing for custody-related activities. Hex Trust received an MVP licence in November 2022, specifically for custody and related services. Komainu, described as “a regulated digital asset custody provider built by institutions for institutions,” received its MVP licence in November 2022 as well. These institutional-grade custody providers operate alongside exchange-integrated custody services provided by Binance Dubai and other licensed exchanges.
Asset Segregation Requirements
The cornerstone of VARA’s custody framework is the mandatory segregation of client assets from the custodian’s proprietary assets. This requirement operates at multiple levels:
Legal Segregation
Client virtual assets held in custody must be legally distinct from the custodian’s own assets. In the event of the custodian’s insolvency, client assets must not form part of the custodian’s estate. This requires appropriate legal structures, including trust arrangements or equivalent legal mechanisms recognized under applicable law.
Operational Segregation
Custody providers must maintain separate systems, processes, and controls for client assets versus proprietary assets. This includes separate wallet infrastructure, separate reconciliation processes, and separate reporting. The operational segregation must be sufficient to ensure that client assets can be identified and returned at all times.
Record-Keeping for Segregation
Custody providers must maintain detailed records of all client assets held in custody, including the specific virtual assets, quantities, and the blockchain addresses where they are held. These records must be updated in real-time or near-real-time and must be reconciled regularly against on-chain data.
Key Management Requirements
The management of cryptographic keys is the core operational challenge for virtual asset custody providers. VARA’s framework addresses key management through several requirements:
Key Generation and Storage
Private keys used to control client virtual assets must be generated using cryptographically secure methods and stored in secure environments. VARA’s requirements align with industry best practices regarding hardware security modules (HSMs), multi-party computation (MPC), or other secure key management technologies.
Access Controls
Access to private keys must be restricted through robust access control mechanisms, including multi-signature requirements, role-based access controls, and segregation of duties. No single individual should have the ability to unilaterally access client assets.
Key Recovery
Custody providers must maintain secure key recovery procedures to ensure that client assets remain accessible in the event of key loss, key compromise, or operational disruption. Recovery procedures must be tested regularly.
Key Ceremony Procedures
The generation, distribution, and destruction of cryptographic key material must follow documented procedures (key ceremonies) with appropriate security controls and audit trails.
Staking from Custody — The August 2023 Amendment
The August 2023 publication of the revised Custody Services Rulebook permitting staking from custody services marked a significant evolution in VARA’s approach to custody regulation. The amendment recognized that staking — the process of committing virtual assets to a proof-of-stake blockchain network to earn rewards — is a natural extension of custody services and a material value proposition for institutional clients.
Regulatory Rationale
VARA’s announcement of the amendment emphasized that staking from custody was being permitted “in accordance with the prescribed requirements of the amended rulebook.” This language signaled that the permission was not unconditional — it came with specific regulatory requirements that custody providers must meet.
Requirements for Staking from Custody
Custody providers offering staking services must comply with additional requirements including:
- Client Consent: Staking of client assets requires explicit client consent, including disclosure of the risks associated with staking (including slashing risk, lock-up periods, and potential illiquidity).
- Risk Management: Staking activities must be incorporated into the custody provider’s risk management framework, including assessment of validator risk, network risk, and smart contract risk.
- Reward Distribution: Clear procedures for calculating and distributing staking rewards to clients, including transparent fee disclosure.
- Withdrawal Management: Procedures for managing client withdrawal requests, including communication about unstaking periods and potential delays.
- Slashing Risk Management: Controls to manage the risk of slashing (penalties imposed by proof-of-stake networks for validator misbehavior), including validator selection criteria, performance monitoring, and client compensation procedures in the event of slashing losses.
Market Impact
The staking amendment had immediate market significance. It enabled custody providers in Dubai to offer institutional-grade staking services within a regulated framework — a competitive advantage relative to jurisdictions where the regulatory treatment of staking remained uncertain. For custody providers like Hex Trust and Komainu, it expanded the scope of permissible services and potential revenue.
Operational Standards
Business Continuity
Custody providers must maintain comprehensive business continuity and disaster recovery plans that specifically address the unique requirements of virtual asset custody, including secure key backup, failover procedures for custody infrastructure, and communication protocols for informing clients of operational disruptions.
Insurance
VARA’s framework addresses insurance requirements for custody providers, including coverage for theft, loss, or unauthorized access to client assets. The specific insurance requirements and minimum coverage levels are designed to provide meaningful protection for client assets while remaining commercially achievable for custody providers.
Technology Infrastructure
Custody providers must maintain technology infrastructure that meets VARA’s standards for security, availability, and performance. This includes requirements for network security, data encryption, access logging, and regular security assessments.
Comparative Context
VARA’s custody framework is frequently compared with custody requirements in ADGM and DIFC/DFSA. All three jurisdictions recognize custody as a regulated activity, but the specific requirements differ in areas such as insurance mandates, key management standards, and the treatment of staking.
Internationally, VARA’s custody framework aligns broadly with standards emerging in Singapore, Hong Kong, and the EU (under MiCA), though the specific requirement sets and supervisory approaches differ.
The August 2023 Custody Amendment
VARA’s publication of the revised Custody Services Rulebook in August 2023 marked a significant expansion of the regulatory framework, permitting staking from custody services within prescribed requirements. The announcement noted that VARA “has published a revised Custody Services Rulebook, permitting Staking from Custody Services in accordance with the prescribed requirements.”
What Staking Involves
Staking in proof-of-stake blockchain networks involves locking virtual assets to participate in network validation and consensus, earning rewards in return. When a custody provider offers staking from custody, it deploys customer assets held in custody for staking purposes — earning staking rewards that are distributed to or credited for the benefit of the customer.
Regulatory Requirements for Staking from Custody
The revised rulebook establishes requirements specific to staking activities:
- Customer Consent: Custody providers must obtain explicit customer consent before deploying assets for staking. Customers must understand the risks involved, including potential slashing penalties (loss of staked assets due to validator misbehaviour) and liquidity constraints (lock-up periods during which staked assets cannot be immediately accessed).
- Risk Disclosure: Clear disclosure of staking risks including slashing risk, lock-up periods, reward variability, and the smart contract risks associated with staking mechanisms.
- Asset Segregation: Staked customer assets must remain identifiable and segregated from the custody provider’s own assets, even while deployed for staking.
- Validator Management: Requirements for how custody providers select and manage validators, including due diligence on validator performance, security, and reliability.
- Reward Distribution: Transparent procedures for calculating and distributing staking rewards to customers, including disclosure of any fees retained by the custody provider.
- Insurance and Protection: Appropriate financial protections against losses from staking activities, including slashing losses.
Impact on Licensed Entities
Licensed entities with custody authorisation — potentially including Binance Dubai, OKX Middle East, Crypto.com Dubai, and Bybit Dubai — can offer staking services to customers within the parameters established by the revised rulebook. This expands the revenue opportunities available to licensed entities while maintaining the consumer protection standards that VARA requires.
DeFi Considerations
The staking rulebook operates in a context where decentralised staking services are also available. The regulatory framework applies to licensed custody providers that offer staking — not to customers who independently stake their own assets through DeFi protocols. However, the boundary between custodial and non-custodial staking arrangements is an evolving regulatory question.
Connection to the Broader Framework
Custody and staking activities sit within VARA’s broader compliance framework:
- AML/CFT requirements apply to customer interactions in staking services
- Qualified investor classification may affect which customers can access staking services
- The v2.0 rulebooks (May 2025) strengthened risk oversight requirements applicable to custody operations
- FATF high-risk jurisdiction screening applies to customers using staking services
Risk Framework for Custody and Staking
Custody-Specific Risks
Virtual asset custody presents distinct risks that VARA’s rulebook addresses:
- Private Key Compromise: The risk of unauthorised access to private keys controlling customer virtual assets. Mitigation includes multi-signature arrangements, hardware security modules (HSMs), geographic distribution of key shares, and regular security audits.
- Operational Risk: System failures, software bugs, or human errors in custody operations. Mitigation includes comprehensive testing, change management procedures, and business continuity arrangements.
- Smart Contract Risk: For custody of tokens on smart contract platforms, the risk that contract vulnerabilities could be exploited. Mitigation includes smart contract auditing and monitoring.
- Regulatory Risk: Changes in VARA’s requirements or broader regulatory developments that affect custody operations. The v2.0 rulebooks strengthened operational requirements, and ongoing circular issuance may introduce additional obligations.
Staking-Specific Risks
Staking activities introduce additional risk categories:
- Slashing Risk: Loss of staked assets due to validator misbehaviour or downtime. Custody providers must disclose this risk to customers and may need to maintain reserves or insurance to cover slashing losses.
- Liquidity Risk: Staked assets may be subject to lock-up periods during which they cannot be immediately withdrawn. Customers must understand and consent to these liquidity constraints.
- Reward Variability: Staking rewards fluctuate based on network conditions, validator performance, and protocol changes. Custody providers must avoid guaranteeing specific reward rates.
- Protocol Risk: Changes to the underlying blockchain protocol (including hard forks, consensus mechanism changes, or validator requirement changes) may affect staking operations.
Comparison with International Custody Standards
Custody regulation varies across jurisdictions: