Securing the Future: A Legal Overview of Crypto Asset Custody in the UAE

25 September 2024 Steffen Feike

Crypto custody is the digital equivalent of a vault. The UAE has frameworks in place — but gaps in liability, insurance, and cold storage standards remain.

Demand for secure crypto storage has grown in step with the value of digital assets under management. Custodians now play a role in the digital asset ecosystem analogous to vaults and freeports in the physical world: safeguarding the private keys that grant access to assets that cannot be recovered without them. The UAE has moved to regulate this sector, but gaps remain.

What Crypto Custody Actually Involves

The analogy with traditional wealth storage is accurate and worth taking seriously. Although crypto assets are digital, custody solutions still involve secure physical devices, vaulted hardware, and layered operational controls.

The critical element is the private key. Whoever holds the private key controls the asset. Losing it is equivalent to losing the asset permanently — there is no recovery mechanism. Key management is therefore the core function of any custody arrangement.

Hot versus cold storage. Hot storage keeps keys connected to the internet, offering faster access at higher security risk. Cold storage keeps keys offline, significantly reducing exposure to remote attack at the cost of convenience. Cold storage is the industry standard for significant holdings.

Custody structures. At the basic level, a single individual can memorise a seed phrase — a mnemonic sequence that reconstitutes the private key. This is non-redundant and carries obvious risks. Professional solutions have developed accordingly. Sole custody places full control with the custodian. Collaborative custody distributes control across multiple parties, typically through multi-signature wallets requiring a defined threshold of approvals before any transaction executes.

A practical example: a company adopts a 2-of-3 authorisation structure, requiring any two of three authorised signatories — CFO, CEO, COO — to approve a transaction. This preserves operational continuity while enforcing a four-eyes principle on all outgoing transfers.

Mainland UAE. The Securities and Commodities Authority governs crypto-related activities on the mainland. Under Decision No. 23 of 2020, any entity providing crypto asset services — including custody — must hold an SCA licence. The framework addresses capital requirements, risk management, and cybersecurity standards. The UAE Central Bank has additionally introduced specific licensing requirements for custodians dealing with payment tokens, including stablecoins.

ADGM. The Financial Services Regulatory Authority’s framework for crypto custody is widely regarded as among the most developed in the region, closely aligned with international best practice. Custodians operating in ADGM must comply with strict asset segregation requirements, regular audits, and governance standards.

DIFC. The Dubai Financial Services Authority’s Crypto Token Regime requires firms providing custody services within the DIFC to obtain the relevant DFSA licence. The regime is designed to ensure that custodians meet defined standards on asset security, client confidentiality, and operational integrity.

Where Regulatory Clarity Is Still Needed

The existing frameworks provide a functional foundation. Several areas, however, remain underspecified.

Liability for key loss. Custodians are required to implement stringent key management systems, but the frameworks say little about liability when keys are lost or stolen. How custodians should be held accountable in such scenarios — and what remedies investors have — is not explicitly addressed.

Crypto insurance. Insurance products for crypto custody exist in the UAE market, but the regulatory position on foreign insurers is unclear. Whether custodians can rely on policies issued outside the UAE, and whether such policies would be enforceable under UAE law, requires further guidance.

Cross-jurisdictional coherence. Custodians frequently operate across mainland UAE, ADGM, and DIFC simultaneously — three distinct regulatory environments with overlapping but not identical requirements. Add foreign jurisdictions into the equation and the compliance complexity multiplies. A more unified approach to custody regulation across these frameworks would reduce both friction and the risk of regulatory arbitrage.

Cold storage standards. Despite cold storage being the industry benchmark for security, there is limited regulatory specification of what technical standards UAE custodians must meet when using it. Clearer guidelines would raise the floor and give institutional investors a more reliable basis for custodian due diligence.

The Broader Picture

The UAE’s frameworks — across the mainland, ADGM, and DIFC — are more developed than most. The gaps that remain are real but not unusual for a jurisdiction still calibrating its approach to a rapidly evolving sector. Addressing liability, insurance, and cold storage standards would strengthen investor protection and reinforce the UAE’s position as a credible home for institutional digital asset management.

For investors and businesses making custody decisions now, the framework is navigable — but independent legal advice on which regulatory environment applies to your specific situation remains essential.


This is not legal advice. Consult a qualified legal professional familiar with UAE financial regulation before making decisions about crypto custody arrangements.