Chapter 5
Compliance Obligations
To operate in the UAE, businesses must adhere to a range of compliance obligations. These are designed to ensure transparency, protect the rights of stakeholders, and maintain the integrity of business operations.
Below is a detailed overview of the key compliance requirements
AML & KYC
Companies operating in the UAE’s crypto sector, specifically Virtual Asset Service Providers (VASPs), must comply with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.
These regulations require companies to verify customer identities, monitor transactions, maintain records for at least five years, and report suspicious activities to the UAE Financial Intelligence Unit (FIU). Companies are also required to appoint a compliance officer to oversee adherence to AML/CFT rules.
Failure to comply with these regulations can result in significant penalties, including fines, license suspension, or criminal prosecution, making robust AML/KYC frameworks essential for crypto businesses.
UBO Regulations
All companies operating in the UAE, except those registered in Financial Free Zones or government-owned, are required to comply with Ultimate Beneficial Ownership (UBO) regulations.
These regulations mandate companies to maintain and submit the following:
- UBO Register: Listing individuals who own or control 25% or more of shares, voting rights, or control via other means.
- Shareholder Register and supporting documentation.
- Nominee Register, if applicable.
- UAE-based point of contact authorized to disclose company details.
The UBO is defined as a natural person meeting one of the following criteria:
Owns or controls 25% or more of the company’s shares directly or indirectly.
Holds 25% or more of the voting rights.
Has the power to appoint or dismiss the majority of company managers.
If none of the above criteria apply, the UBO can be deemed to be the Senior Management Official of the company.
Non-compliance with UBO regulations can result in penalties, including written warnings, fines up to AED 100,000, or even suspension of the business license. Therefore, it is crucial for companies to follow these regulations carefully to avoid legal consequences.
Personal Data Protection Obligations
Under the UAE Personal Data Protection Law (PDPL), businesses are required to implement strict measures to protect personal data and individuals’ rights. The law applies to all companies processing personal data, except those in Financial Free Zones or explicitly exempted.
Key obligations include:
- Consent: Personal data cannot be processed without the individual’s explicit consent.
- Data Security: Companies must implement robust technical and organizational measures to protect data from unauthorized access, breaches, or misuse.
- Data Subject Rights: Individuals must be informed about how their data is being used and have the right to access, correct, or request deletion of their data.
- Cross-Border Data Transfers: Businesses must ensure that any transfer of personal data outside the UAE complies with PDPL and ensures adequate protection of the data in the destination country.
- Data Breaches: Companies are required to report any significant data breaches to the regulatory authorities within a specified timeframe.
Compliance with PDPL is critical, and failure to do so can result in fines, legal action, and damage to business reputation. Companies must also ensure their privacy policies and terms of service are updated to reflect these obligations.
Economic Substance Regulations
Certain UAE entities are required to fulfil the economic substance test, which consists of three elements:
- The entity must be directed and managed from the UAE in regard to the activity it carries out.
- It should conduct core income-generating activities within the UAE.
- It must meet the adequate requirements concerning the level of relevant activity conducted within the UAE.
This requirement may apply to a crypto business if it is involved in activities such as holding companies, investment fund management, business leasing, or intellectual property business.
Non-compliance with ESR requirements may lead to penalties ranging from AED 20,000 to AED 50,000, as well as business license suspension, revocation, or non-renewal.
Taxation
Chapter 6: Taxation
Accounting and Audit
All UAE companies must maintain accurate accounting records in compliance with the law and International Financial Reporting Standards (IFRS). These records must allow partners and shareholders to verify proper account management and must be stored at the company’s head office for a minimum of five years from the end of the fiscal year.
Companies are also required to have their accounts audited.
For mainland companies, this is mandatory, though the audit report doesn’t need to be submitted to the authorities. In free zones, audit requirements vary, and companies must comply with their respective free zone regulations, usually submitting audit reports within three months after the annual financial close.
Wages Protection System
In the private sector, salaries must be paid through the Wages Protection System (WPS), which enables companies to transfer wages via banks and financial institutions approved by the Central Bank of the UAE. The system ensures that employees are paid in full and on time as per agreed terms, while also maintaining a comprehensive database of wage payments.
The WPS applies to all Mainland registered companies, and some free zones.
Employers registered with the Ministry of Human Resources and Emiratisation (MoHRE) are required to subscribe to WPS and adhere to wage payment deadlines.
Annual Renewal
Renewing a business license is essential for companies in the UAE, as licenses are valid for one year and must be renewed to continue operations.
Before renewal, businesses must settle any outstanding fines and dues. As part of the process, companies need to renew their office leases and provide updated details on shareholders, Ultimate Beneficial Owners (UBOs), and other necessary information.
The annual renewal fee varies based on the license type, business activity, and location of the company (i.e. mainland or free zone). Failure to renew may result in fines, suspension of bank accounts, and inability to apply for employee visas.
