Regulatory Influencer: Dubai Financial Services Authority Shifts Crypto Token Suitability Assessments to Firms

On January 12, 2026, the Dubai Financial Services Authority (DFSA) implemented significant amendments to its crypto token regime, shifting suitability assessments from the regulator to firms operating in or from the Dubai International Financial Centre (DIFC), Dubai’s special economic zone.

Under the previous framework, firms could only use crypto tokens that appeared on the DFSA’s “Recognised Crypto Token” list when carrying out regulated activities. The updated regime removes that centralised approval model for non-fiat crypto tokens. Firms must now assess and document for themselves whether a crypto token is suitable for use in relation to a particular regulated activity, such as dealing, advising, managing funds, making financial promotions or offering derivatives linked to that token. Fiat-backed crypto tokens remain subject to direct DFSA assessment and continue to be listed in a dedicated policy statement.

The amendments follow the DFSA’s October 2025 consultation and reflect the regulator’s evolving approach since launching its crypto token regime in 2022. The changes are implemented through binding amendments to the DFSA Rulebook and apply across a range of in-scope activities, including dealing, advising, managing, arranging, financial promotions and certain fund and derivative exposures linked to crypto tokens.

The bigger picture

The DFSA’s reform marks a decisive recalibration of regulatory responsibility within the DIFC. Rather than the regulator determining which tokens may be used for regulated activity, the responsibility now sits squarely with firms to justify their own token selections.

From a policy perspective, this shift reflects regulatory maturity. Since 2022, the DFSA has operated a controlled entry model through its recognised list. However, as global digital asset markets have expanded and diversified, maintaining a centralised approval list may have risked limiting innovation or lagging behind market developments. The firm-led model introduces flexibility while preserving supervisory oversight.

This revision by the DFSA aligns the DIFC’s crypto regime more closely with evolving international standards. Across major financial centres, digital asset regulations follow accountability models that embed risk ownership within firms rather than relying on static approval mechanisms. For example, under the European Union’s Markets in Crypto-Assets Regulation (MiCA), compliance obligations sit primarily with authorised issuers and service providers rather than through regulator-maintained token lists. Similarly, the Financial Conduct Authority in the United Kingdom adopts a principles-based framework in which firms are responsible for ensuring that crypto-related activities and promotions meet regulatory standards, without reliance on a formal approved token register. The revised framework reflects this approach and reinforces the DIFC’s positioning as a regulated but innovation-friendly digital assets hub.

How does this change things?

Under GEN 3A.2.1(3), firms must now assess each non-fiat crypto token against mandatory criteria, including:

• Token characteristics such as governance, purpose and founder transparency.
• Regulatory status in other jurisdictions.
• Market capitalisation, liquidity and trading history.
• Underlying technology resilience and incident response capability.
• Whether use of the token permits full compliance with DFSA-administered laws, including anti-money laundering (AML) and sanctions obligations.

The suitability conclusion must be activity-specific. A token deemed appropriate for a professional-only fund may not be suitable for retail-facing brokerage activity. Of note, suitability assessments conducted by another firm may be considered but do not remove the obligation to form an independent conclusion.

Firms must also comply with ongoing obligations under GEN 3A.2.1A. In particular, a person engaging in in-scope activities in relation to a non-fiat crypto token must:

• Prominently disclose a current list of all crypto tokens it has assessed as suitable, including the token’s name, identifier and the distributed ledger technology (DLT) or other technology on which it operates.
• Continuously monitor and regularly review its suitability assessment, and if no longer satisfied that a token is suitable, immediately cease the relevant activity, or where this is not possible, take reasonable steps to cease it and update the disclosed list.
• Be able to demonstrate to the DFSA’s satisfaction the grounds upon which the token was assessed as suitable.
• If an authorised person, complete and submit a monthly crypto token information return via the DFSA electronic portal within 14 days of the following month.

The framework also links directly to broader system and control requirements under GEN 5.3, reinforcing that suitability assessments must be embedded within firms’ governance and compliance infrastructure.

Why should you care?

The DFSA’s reform significantly increases governance and accountability expectations for firms engaged in digital asset activity within the DIFC. Although the updated framework offers greater flexibility and removes reliance on a centralised recognition list, it also introduces heightened documentation, monitoring and reporting obligations.

Firms can no longer rely on regulatory endorsement as implicit validation of a token’s suitability. Instead, boards, compliance functions and risk committees must develop defensible methodologies for token assessment, backed by objective evidence and continuous monitoring.

Key implications include:

• Increased compliance workload driven by initial and ongoing suitability assessments.
• Greater enforcement exposure where documentation or methodology is weak.
• Heightened scrutiny of governance arrangements around digital asset committees and approval processes.
• Operational strain from monthly reporting and real-time suitability monitoring.
• Strategic opportunity for well-governed firms to differentiate themselves through robust risk frameworks.

Actions to consider include:

• Conduct a comprehensive impact assessment to determine how the new suitability model affects each regulated activity involving crypto tokens.
• Develop or formalise a documented suitability assessment framework aligned with GEN 3A.2.1 criteria, policy statement and supervisory guidelines.
• Establish clear governance oversight at board or committee level for crypto token approvals and ongoing monitoring.
• Review client disclosures to ensure the required “suitable token list” and related information is accurate and transparent.
• Enhance monitoring systems to detect liquidity deterioration, governance changes or adverse regulatory developments affecting tokens in use.
• Update fund documentation and risk frameworks where crypto token exposure is present, including indirect or derivative exposure.
• Prepare for DFSA supervisory engagement by ensuring assessments are evidence-based and defensible.

For firms seeking to expand digital asset offerings, the revised framework may offer greater flexibility. However, that flexibility is conditional on demonstrable control and disciplined governance.

The amended regime came into force on January 12, 2026 and applies immediately to relevant persons carrying on in-scope activities in or from the DIFC.