On 13 February 2026, the UAE Capital Markets Authority (CMA)—the newly established federal regulator replacing the Securities and Commodities Authority (SCA)—issued Decision No. 4/R.M/2026, completely replacing the 2023 Federal VASP Framework. This is the most significant overhaul of the UAE’s crypto regulatory landscape since the sector first came under formal regulation.
The Decision establishes a new three-module framework that every crypto exchange, custody provider, broker, adviser, and portfolio manager operating in or from the UAE must now comply with. Understanding these changes is critical for any business with UAE exposure—and for any compliance officer screening counterparties in the region.
The New Regulator: CMA Replaces SCA
The Capital Markets Authority (CMA) replaces the Securities and Commodities Authority (SCA) as the primary federal regulator for virtual asset activities conducted onshore in the UAE. This is not a cosmetic rebrand—the CMA operates under a new institutional mandate with expanded enforcement powers.
Critically, the CMA’s jurisdiction operates alongside, not instead of, four other regulatory regimes, for five concurrent regimes in total:
- CMA — Federal/onshore UAE (Decision 4/R.M/2026)
- VARA — Dubai mainland and free zones (VARA Rulebook v2.0)
- ADGM/FSRA — Abu Dhabi Global Market financial free zone
- DIFC/DFSA — Dubai International Financial Centre
- CBUAE — Central Bank of UAE (payment tokens, DeFi, stablecoins)
Key Takeaway
Meeting one framework’s requirements does not satisfy the others. A VASP licensed by VARA in Dubai still needs CMA authorization for federal activities, and vice versa. Multi-regulator compliance is now the baseline requirement for UAE operations.
Eight Licensed Activity Categories
Decision 4/R.M/2026 defines eight distinct financial activities requiring CMA licensing, each with its own minimum capital floor:
- Dealing as Principal (AED 4,000,000) — Buying and selling virtual assets using own capital
- Dealing as Agent (AED 1,000,000) — Executing trades on client behalf without own capital risk
- Providing Custody (AED 3,000,000) — Safeguarding assets via private key control or ledger registration
- Arranging Custody (AED 1,000,000) — Facilitating custodian access without holding assets directly
- Multi-Party Trading Platform (AED 500,000) — Non-discretionary, rules-based automated marketplace
- Investment Advice (AED 1,000,000) — Personalized recommendations to identified investors
- Portfolio Management (AED 1,000,000) — Managing client holdings on discretionary or non-discretionary basis
- Arranging Investment Transactions (AED 1,000,000) — Creating arrangements that enable virtual asset trades
The CMA applies whichever capital calculation produces the highest figure: the Article 21 minimum, 25–35% of projected annual expenses, or a risk-based calculation. Operating any of these activities without a valid license triggers sanctions under Cabinet Resolution No. 99 of 2024.
Absolute Prohibition: Privacy Tokens and Algorithmic Tokens
This is arguably the most consequential provision for compliance teams. Decision 4/R.M/2026 establishes absolute federal-level prohibitions on two categories of virtual assets:
Privacy Tokens
No person may provide financial services related to privacy tokens, issue or promote them, conduct any activities involving them, or offer them to the public in or from the UAE. The ban extends to any technique or digital wallet designed to anonymize, hide, or prevent the tracking of transaction data, holder identities, or asset values. Monero (XMR), Zcash (ZEC), and Dash are explicitly named.
Algorithmic Tokens
Virtual assets “generated algorithmically to stabilize the price of, or modify supply and demand for, another virtual asset” are banned across the board. This provision is a direct response to the Terra/Luna collapse—algorithmic stablecoins are prohibited at the federal level.
Compliance Impact
Previously, the privacy token ban was limited to Dubai under VARA rules. Decision 4/R.M/2026 extends this to all of the UAE at the federal level. Any wallet interaction with Monero, Zcash, Dash, Tornado Cash, or similar privacy-enhancing services now constitutes a federal regulatory violation—not just a VARA compliance issue.
AML/CFT and Governance Requirements
Decision 4/R.M/2026 imposes comprehensive governance and AML/CFT obligations that go beyond the previous framework:
Mandatory Personnel (All CMA-Accredited)
- Chief Executive — Must reside in the UAE
- Senior Executive Officer — Residency exception possible with oversight demonstration
- Compliance Officer — Must reside in the UAE
- Money Laundering Reporting Officer (MLRO) — Must reside in the UAE
- Finance Director
- Internal Auditor
Client Classification
All clients must be classified as Retail, Professional, or Counterpart before any service is provided. Classification must be reviewed at least every three years. Suitability assessments are mandatory for investment advice and portfolio management.
Record Retention
All records must be retained for a minimum of six years from the date of completion of the transaction or termination of the business relationship. This is an increase from the five-year requirement under the previous AML framework.
Cybersecurity
A board-approved risk management framework is required. Multi-factor authentication on all internet-facing systems, annual penetration testing, and material cyber incident reporting within 72 hours are all mandatory.
Compliance Deadlines
The clock started running on 13 February 2026. Key deadlines:
- 13 February 2027 — Existing licensees must comply with the Business Regulation and Alternative Trading modules
- 6 months from preliminary approval — Complete all licensing requirements (one extension possible)
- 45 days after quarter-end — Submit quarterly financial reports
- 72 hours — Report material cybersecurity incidents
- 15 working days — Notify CMA before bankruptcy filing
What This Means for Compliance Screening
For compliance teams using blockchain analysis tools, Decision 4/R.M/2026 has immediate practical implications:
- Mixer exposure is now a federal violation, not just a VARA issue. Any wallet interaction with Tornado Cash, Wasabi Wallet CoinJoin, or similar privacy-enhancing services triggers obligations under the CMA framework—regardless of whether the VASP is VARA-licensed.
- Counterparty screening must check for CMA licensing. With eight distinct activity categories, compliance teams need to verify that UAE counterparties hold the correct CMA license for the specific activity being conducted.
- Multi-regulator compliance is the new baseline. A single screening report must now consider CMA, VARA, ADGM, DIFC, and CBUAE requirements depending on the counterparty’s location and activity type.
- Record retention is six years, not five. Archive all screening reports, STRs, and supporting documentation accordingly.
How BlockchainAnalysis Handles This
Our legal engine has been updated to reflect Decision 4/R.M/2026. UAE screenings now include three new CMA-specific regulation rules (AE-CMA-PRIVACY, AE-CMA-ALGO, AE-CMA-VASP), updated record retention requirements, and a revised disclaimer reflecting all five concurrent regulatory regimes. The AI Legal Reasoning Engine automatically qualifies mixer exposure as a federal prohibition under the CMA framework, not just a VARA Dubai rule.