Crypto regulation: How Dubai is protecting the average investor and fighting AI abuse

VARA General Counsel Ruben Bombardi explains how regulation, AI, and accountability will shape investor confidence and market integrity

By Biju Mathew. Published: 2026-06-02T09:30:00+04:00
VARA does not treat "AI-powered" as a magic phrase that substitutes for governance or risk management. If a firm claims its platform, token, or trading tool uses AI, we expect that claim to be fully substantiated, says VARA General Counsel Ruben Bombardi.

Dubai: How does a cutting-edge financial regulator protect everyday users from sophisticated digital fraud?

In this exclusive interview, Ruben Bombardi, General Counsel of the Dubai Virtual Assets Regulatory Authority (VARA), pulls back the curtain on the future of crypto in Dubai. He breaks down how VARA’s framework shields retail investors without requiring them to be regulatory experts, addresses the rising threat of AI-generated deepfakes, and explains why automation will never erase legal accountability in Dubai’s digital asset ecosystem.

Looking beyond the current hype cycle, how will the day-to-day experience of retail crypto investors in Dubai change if VARA’s framework works as intended?

Ruben Bombardi: The most important change is that retail investors should not need to become product or regulatory experts to benefit from the protections in VARA’s framework.

If the framework functions as intended, the average investor in Dubai should experience a market where standards of conduct are built into the platforms and communications they deal with daily. In practice, that means clearer information, fewer exaggerated claims, stronger custody standards, visible risk warnings, and a sharper distinction between licensed and unlicensed activity.

Most retail users will feel regulation indirectly. They may never read our rulebooks, but they should notice that a licensed firm can clearly explain its offerings, the risks a client is taking, how assets are handled, and what happens if something goes wrong. Under VARA’s Marketing Regulations, promotions must be fair, clear, and not misleading. They cannot create a false sense of urgency or fear of missing out (FOMO), nor can they suggest that virtual assets are simple, safe, or guaranteed.

Investor protection is not just about what happens after a loss; it is about shaping the information environment before someone makes a decision. Retail investors must understand that virtual assets can be highly volatile, illiquid, exposed to manipulation, and may lack the protections associated with traditional financial products.

Transparency is a second major change. VARA’s public register shows firms that are fully licensed or hold In-Principle Approval, alongside the specific services they are authorized to provide. This allows investors and the wider ecosystem to easily spot firms using Dubai’s name simply as a credibility signal without actually entering the regulatory perimeter.

A third shift is accountability. In an unregulated environment, responsibility is often diffuse: The platform blames the issuer, the issuer blames the market maker, the marketer blames the influencer, and the consumer is left stranded. VARA’s framework ensures responsibility cannot be easily evaded.

Success does not mean virtual assets become risk-free. It means risk is better disclosed and supervised, proving that Dubai is a market where innovation is welcome, integrity is expected, and compliance is actively monitored.

How is VARA addressing AI-driven deepfakes and automated market manipulation?

Ruben Bombardi: This is one of the defining enforcement challenges of digital finance. The issue is not just that bad actors are using new tools, but that these tools allow them to operate at greater speed, lower cost, and with higher artificial credibility. An AI-generated campaign or a synthetic livestream can manufacture the appearance of legitimacy very quickly, causing immediate market impacts.

VARA’s approach is built around a few key principles:

  • Technology-aware rules: Our regulations do not need to wait for a specific new technique to be named before they can apply. If a communication is misleading, manipulative, or falsely implies an endorsement, it can be addressed under existing conduct and market abuse principles.
  • Full-chain responsibility: When a licensed firm, its affiliates, or its third-party marketers are involved, the question isn't simply "who clicked publish?" It is whether the firm maintained adequate approval processes, clear risk disclosures, and properly governed third-party arrangements.
  • Data-led supervision: Because misconduct is increasingly digital, VARA is strengthening its supervisory model by using on-chain analytics, transaction tracing, and market intelligence to flag risk signals earlier. The goal is to respond faster, rather than relying solely on complaints after the harm is done.

We also expect licensed firms to actively defend themselves and their clients. Deepfakes and AI impersonations are not just marketing headaches; they are serious cybersecurity, fraud, and operational resilience threats. Furthermore, because AI-driven manipulation is cross-border by design, deep cooperation with international regulators, law enforcement, and financial intelligence units is critical.

AI may change the tools used by bad actors, but it does not change the legal expectation. A false endorsement is still false, and automation will never dilute accountability.

How does VARA assess ‘AI-powered’ claims in crypto projects?

Ruben Bombardi: It is important to separate the actual technology from the marketing claim. VARA’s immediate regulatory concern is whether a claim is accurate, balanced, and not misleading, because investors are harmed when tech hype is used to inflate valuations or create unjustified confidence.

VARA does not treat "AI-powered" as a magic phrase that substitutes for governance or risk management. If a firm claims its platform, token, or trading tool uses AI, we expect that claim to be fully substantiated.

In simple terms, the firm must be able to explain what the AI system does, what data it uses, how it is governed, what its limitations are, and where it sits in the service model.

We then look at the substance: Is AI central to the value proposition, or is it just a peripheral feature used as a valuation story? Are investors being led to believe that the presence of AI makes the asset safer or guaranteed to appreciate?

On the technical side, where algorithms or AI are used in virtual asset activities, Virtual Asset Service Providers (VASPs) must have appropriate technology governance, testing, and audit frameworks in place. VARA is not trying to become a marketing certifier for every tech claim, but if AI is being used to market to investors without real substance, it becomes a serious conduct issue.

Who is accountable when AI-driven trading systems behave unpredictably?

Ruben Bombardi: Accountability does not disappear just because a system is automated. If a licensed firm deploys an AI-driven trading system, execution engine, or risk model, that firm remains fully responsible for its design, testing, and control. Unexpected behavior might explain an incident, but it is never an excuse.

VARA’s framework evaluates governance across three stages:

  • Before deployment: The firm must prove the system was thoroughly designed, tested, and approved.
  • During deployment: The system must be continuously monitored by competent staff, backed by strict risk limits and operational kill switches.
  • After an incident: The firm must be able to reconstruct what happened, notify VARA, remediate the issue, and protect affected clients.

A firm cannot simply say, "the model did it." We expect to know who approved the system, what its known limitations were, and how quickly the firm intervened when abnormal behavior was detected.

Responsibility sits at multiple levels — from the VASP itself to the Board and Senior Management providing oversight. Even if a firm outsources its systems to a third-party vendor, that outsourcing does not remove its regulatory responsibility. You cannot place critical operations into a technological black box and claim it is out of your hands.

How is VARA keeping pace as exchanges increasingly use AI?

Ruben Bombardi: Regulators cannot supervise digital markets using analogue assumptions. Markets operate continuously and at machine speed, which is why VARA keeps pace through activity-based regulation, strict technology standards, and advanced supervisory tools.

First, we regulate the underlying risk, not just the technology's label. AI might be used across an exchange’s operations — from order routing and liquidity management to fraud detection and sanctions screening. The use cases vary, but the expectations remain identical: Governance, transparency, and market integrity.

Second, VASPs must maintain technology governance frameworks that match the scale of their business. For exchanges, this means rigorous controls around system backups, capacity planning, and cybersecurity. A technology failure can quickly cascade into a market conduct or client asset crisis.

Third, we require automated systems to have built-in defenses against manipulation, collusion, or system attacks. VASPs must also utilize blockchain tracing software to screen transactions and wallet addresses continuously.

To back this up, VARA is actively investing in supervisory technology. We have deployed AI-enabled supervisory capabilities through 'VARA Connect' to support the continuous, data-informed monitoring of market activities. While AI helps us spot anomalies and risk signals early, it doesn't replace human judgment. The regulator must still interpret those signals and take proportionate action. Finally, keeping pace requires the right talent. Our supervisory model intentionally blends expertise in market structure, technology, law, cybercrime, and token economics.

How does VARA balance strict surveillance requirements with startup accessibility?

Ruben Bombardi: Regulation should never become a disguised barrier to entry, but accessibility can never mean lowering standards that protect consumers or market integrity. VARA’s answer is proportionality.

Our framework recognizes that a startup with a narrow focus does not carry the same risk profile as a massive global exchange serving millions of retail clients. The question we ask is not, "can this firm afford the most expensive software on the market?" Instead, we ask, "can this firm prove that its controls and governance are appropriate for the specific risks it creates?"

Sustainable innovation requires credible controls from day one. In crypto, a small firm can still cause significant harm if it has poor custody practices, weak wallet screening, or misleading marketing. Therefore, our stance is not "small means exempt," but rather "small means proportionate, yet still accountable."

Smaller firms can absolutely leverage third-party technology providers for blockchain analytics or transaction monitoring, provided they understand the service, manage the vendor effectively, and remain fully accountable to VARA. Startups can often demonstrate regulatory maturity through robust internal policies, clear escalation workflows, and active board oversight, proving they are ready to operate in a high-standard jurisdiction like Dubai.

How is VARA coordinating with international regulators?

Ruben Bombardi: Because virtual assets and AI ignore physical borders, regulatory cooperation is mandatory. A user can be in one country, the platform in another, the issuer in a third, and the transaction settled on decentralized infrastructure. AI amplifies this by allowing content and code to be distributed globally in seconds.

VARA addresses this cross-border challenge through three main avenues:

  • Global anti-financial crime alignment: We strictly align with the Financial Action Task Force (FATF) standards, particularly the Travel Rule, to track the cross-border movement of digital value. VARA’s framework ensures all VASPs comply with UAE Federal AML-CFT laws.
  • Standard-setter collaboration: We closely follow international baselines for market integrity and financial stability set by organizations like IOSCO and the Financial Stability Board (FSB) to address retail protection, custody, and market abuse.
  • Bilateral and federal partnerships: We actively share information and coordinate on cross-border risks with peer international regulators, while aligning internally with UAE federal authorities on areas like cybercrime and consumer protection.

When it comes to AI specifically, a mature global consensus on supervision is still developing. However, VARA’s immediate position is straightforward: If AI is used to mislead investors, manipulate markets, or conceal financial crime, it is misconduct plain and simple.

Automation does not absolve a firm of its duties. Our goal is never to stifle innovation, but to ensure that innovation remains secure, accountable, and aligned with market integrity.