DFSA’S CP168 Enhancements to the Regulation of Crypto Tokens – Final Rules

In October 2025, the DFSA published Consultation Paper 168 on the proposed enhancements to the Crypto Token regulatory framework. The consultation paper focused on shifting from a DFSA-maintained list of Recognised Crypto Tokens to a firm-led “Suitable Crypto Token” framework, along with broader enhancements to how Crypto Tokens are assessed, monitored, and used in the DIFC.

In this briefing note, we explore the final rules published in December 2025 and how the changes, effective from 12 January 2026, will impact all Authorised Firms in the DIFC that provide, or intend to provide,  any service in relation to Crypto Tokens.

Doing away with the Recognised List, the new framework places onus on Firms to ensure the Tokens they use in the DIFC remain suitable and are subject to ongoing oversight. You may have noticed the language has changed from “recognised” to “suitable”, and below is an overview of the key changes.

Suitable Crypto Tokens

The DFSA has expanded the list of activities in or from the DIFC in relation to a Crypto Token from carrying on a Financial Service relating to the Crypto Token, making or approving a Financial Promotion relating to the Crypto Token and Offering to the Public the Crypto Token to include (GEN 3A.2.1):

• Managing a Collective Investment Fund;

• Providing Trust Services; or

• Acting as the Trustee of a Fund.

The DFSA no longer maintains a list of Recognised Crypto Tokens. Instead, Firms must now assess and conclude on reasonable grounds, that a Crypto Token (non-Fiat) is suitable for use in the DIFC, provided the conditions below are met and must document the reasons justifying suitability.

• Characteristics & Purpose:
  What the Token is, how it works, what it is designed to do, its use, whether governance arrangements are credible and whether responsible persons are identifiable.

• Regulatory Status in Other Jurisdictions:
  The regulatory status of the Crypto Token in other jurisdictions, including whether it has been assessed or approved for use by a Financial Services Regulator and whether any regulatory concerns have been raised previously.

• Size, Liquidity and Trading:
  The size, liquidity and trading history of the market for the Crypto Token, considering volatility, susceptibility to manipulation, and reliability of market data.

• Technology & Security:
  Strength and resilience of the underlying blockchain or DLT, risks of forks or validator concentration, cybersecurity vulnerabilities, and any past technical incidents.

• Financial Crime & Compliance Risks:
  AML/CFT risks, sanctions exposure, anonymity‑enhancing features, and whether the token can be effectively monitored using blockchain analytics.

The DFSA communicates its expectations of Firms in its Supervisory Guidelines on Assessing the Suitability of Crypto Token. Each Firm must assess each Crypto Token it wishes to use in the DIFC for suitability and tailor that assessment to its own business model and the specific context in which the Token will be used.

Different Firms may reach different conclusions on the same Token, meaning suitability cannot be assumed for another activity or Firm. However, a Firm may take another’s assessment into account when conducting a suitability assessment. 

Firms must:

• Prominently disclose a list of Crypto Tokens it has assessed as suitable on a durable medium, for example, a webpage or email. The disclosure must present the name and identifier of the Crypto Token and its underlying technology. Changes to the list—including additions, reassessments, or the removal of Crypto Token deemed unsuitable—must be made promptly;

• Continuously monitor every token they use, reassessing suitability at least every six months or when it's necessary to identify, assess and address any emerging issues. Activity must cease immediately if a Crypto Token becomes unsuitable, or reasonable steps must be taken where immediate cessation is not possible. Any changes must be reflected in the monthly return to the DFSA and in the firm’s public disclosures.

• Demonstrate and justify the grounds upon which it has assessed the Crypto Token to be suitable; and

• Report to the DFSA via a Monthly Crypto Token Information Return within 14 days of each month‑end on all Crypto Tokens they have assessed as suitable or ceased use of from their token inventory, and any material developments affecting token suitability.

Fund Exposure

 The CIR rulebook has updated its definition of when a Fund is considered to invest in a Crypto Token. A Fund is now treated as investing in a Crypto Token not only when it holds the Token directly, but also when it has indirect exposure through another Fund or investment vehicle. However, this indirect exposure is only classified as a Crypto Token investment where the exposure exceeds 5% of the gross asset value of the underlying Fund, unless the underlying Fund’s exposure arises solely from tracking an index that does not itself track the Crypto Token. If a Fund investing in a Crypto Token deems the Crypto Token as unsuitable, the DFSA expects that the Fund will divest to eliminate its exposure to the Crypto Token.

Firms must therefore assess both direct and indirect holdings, monitor exposure levels on an ongoing basis, and ensure that any Fund investing in Crypto Tokens complies with the new framework.

Privacy / Algorithmic Tokens

Remain strictly prohibited for use in the DIFC under the new framework.

Money Services Provider

Remain restricted from carrying on Crypto activities under the new framework.

Transition Period

Firms may continue use of Crypto Token recognised under the previous framework, during the three‑month Transitional Period, while they implement the systems and controls required under the new framework. However, if during this period a Firm becomes aware of any reason why the Crypto Token may no longer be compatible with the new framework, it must immediately conduct a suitability assessment and cease using the token or take reasonable steps where immediate cessation is not possible (such as removing from disclosure and notifying the DFSA).

Removal of Recognised Jurisdictions

Previously, a Crypto Token could only be recognised if it was issued, traded or regulated in jurisdictions that met DFSA‑specified standards. The DFSA’s has removed this concept entirely and expects Firms to conduct Token‑specific suitability assessment based on the criteria in GEN 3A.2.1. Further, if a Firm incorporated outside the DIFC wants to apply for a licence involving Crypto Tokens, it can only do so if its head office is already authorised and supervised by the financial regulator in its home country.

Fiat Crypto Tokens

The DFSA retains responsibility for assessing and approving Fiat Crypto Tokens. A Token may only be used in DFSA‑regulated activities if the DFSA is satisfied that it meets the required standards of stability, backing, governance, transparency and regulatory equivalence.

As of 12 January 2026, the DFSA recognises three Fiat Tokens – Circle Euro Coin (EURC), Circle USD Coin (USDC) and Ripple USD (RLUSD).

The DFSA have made it clear, that its assessment of a Fiat Crypto Token does not relieve an Authorised Firm of its obligations to maintain adequate systems and controls, when considering whether to carry on an activity or service with reference to that Fiat Crypto Token.

Application Fees

The FER Rulebook has removed the previous requirement for Firms to pay a fee of $5,000 to the DFSA when applying for a Recognised Crypto Token.

Custody

• Key Features Document: is no longer needed for Firms Providing or Arranging Custody in relation to Investment (Crypto) Tokens to carry out either of the licensed activities.

• Holding or Arranging Custody with Third Party Agents- Appointed Agents are subject to a suitability assessment under new COB rules (A 6.5.3 (2)) in addition to existing Custodian provisions. The assessment includes:

  • Whether the Third-Party Agent (including non-DIFC-based) is specifically authorised and supervised by a Financial Services Regulator to provide custody of Crypto Token;

  • An evaluation of the Custodian’s policies and procedures for secure storage of Crypto Token, including the type of storage, safety of the keys and the measures put in place to protect the keys from hacking, theft or fraud; and

  • Firms must also consider the robustness and resilience of the Custodian’s technological systems and custodial architecture.

The new framework marks a significant shift in the DFSA’s approach to regulating Crypto Token, moving from a risk-averse recognition model to an innovative, Firm‑led suitability framework. This transition places greater responsibility on Authorised Firms to understand, assess, and continuously monitor the Crypto Token they use, while aligning the DIFC more closely with global regulatory expectations around governance, market integrity, and financial crime risk.

The three‑month Transitional Period provides Firms with an opportunity to adapt their systems, update internal policies or align closer with Group standards, to ensure that all tokens they engage with meet the new suitability criteria.

By enabling Firms to tailor assessments to their business model and client base—rather than relying on a static regulatory list—the framework strengthens market integrity and fosters competition and innovation.