
Regulatory and banking glossary. Plain-English definitions of the terms our clients ask about.

168 terms covering EU, UK, US, Asia-Pacific, and Middle East regulatory frameworks; licence types; AML, KYC, and KYT systems; banking concepts from correspondent tiering to escrow; informal value transfer including hawala; and the major regulators with direct links to their authority pages.

Not legal opinion

These definitions are factual reference material provided for general orientation. They do not constitute legal, regulatory, or investment advice and should not be relied on as such. Where a regulatory threshold, jurisdictional scope, or licensing requirement matters to a decision your institution is taking, engage qualified legal counsel and the relevant National Competent Authority directly.

EU and UK regulatory frameworks

16 terms

5AMLD

Also: Fifth Anti-Money Laundering Directive

Predecessor to 6AMLD. First EU directive to bring crypto-asset service providers explicitly into AML scope (mandatory registration with national authorities, KYC obligations on virtual currency exchanges).

6AMLD

Also: Sixth Anti-Money Laundering Directive, Directive (EU) 2018/1673

EU directive expanding the list of AML predicate offences to 22 categories, introducing criminal liability for legal persons, and harmonising sentencing across member states.

AMLR

Also: Anti-Money Laundering Regulation

Direct-effect EU regulation replacing significant parts of the AML directive framework. Centralises AML standards across member states and reduces national-transposition variation. Applies from 10 July 2027.

DORA

Also: Digital Operational Resilience Act, Regulation (EU) 2022/2554

EU regulation imposing ICT risk management, third-party risk management, incident reporting, and operational resilience testing on regulated financial entities. Fully applicable since 17 January 2025.

DPA 2018

Also: Data Protection Act 2018

UK statute that supplements the UK GDPR. Includes specific provisions for law-enforcement processing and intelligence services data handling.

EMD2

Also: Electronic Money Directive 2, Directive 2009/110/EC

EU directive establishing the EMI authorisation regime, capital requirements, and safeguarding rules for e-money issuance.

EMIR

Also: European Market Infrastructure Regulation

EU regulation governing derivatives trading, central counterparty (CCP) requirements, and trade reporting. Out of scope for most fintechs but relevant for structured-product crypto and tokenised derivatives.

FSMA 2023

Also: Financial Services and Markets Act 2023

UK statute consolidating and modernising financial services regulation post-Brexit. Empowers HM Treasury and the FCA to set the UK's bespoke approach to crypto-assets and stablecoins.

GDPR

Also: General Data Protection Regulation, Regulation (EU) 2016/679

EU regulation governing the processing of personal data. Sets out lawful basis requirements, data subject rights, breach notification obligations, and cross-border transfer mechanisms.

MiCA

Also: Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114

The EU's harmonised regulatory framework for crypto-asset issuers and service providers. Fully applicable since 30 December 2024. Creates passportable CASP authorisation across all 30 EEA member states and imposes specific regimes for asset-referenced tokens and e-money tokens.

MiFID II

Also: Markets in Financial Instruments Directive II

EU framework for investment firms and trading venues. Out of scope for crypto-asset services post-MiCA, but still governs digital tokens that qualify as financial instruments under ESMA guidance.

PECR

Also: Privacy and Electronic Communications Regulations 2003

UK regulations governing cookies, marketing communications, and electronic direct marketing consent. Enforced by the ICO alongside UK GDPR.

PSD2

Also: Payment Services Directive 2, Directive (EU) 2015/2366

EU directive governing payment services and EMI authorisations. Introduced strong customer authentication, open banking access via PSD2 APIs, and safeguarding obligations for client funds.

PSD3

Also: Payment Services Directive 3

Proposed successor to PSD2. Will tighten fraud-liability allocation, expand SCA exemptions, and modernise the open-banking access framework. Expected to apply from 2026 onwards.

PSR

Also: Payment Services Regulation

Companion regulation to PSD3. Covers areas requiring direct EU-wide application rather than member-state transposition.

UK GDPR

The retained UK version of the EU GDPR, applied alongside the Data Protection Act 2018. Materially aligned with the EU GDPR but enforced by the UK Information Commissioner's Office (ICO).

Global regulatory frameworks

5 terms

Basel III

International framework on bank capital adequacy, stress testing, and market liquidity. Applied through the EU Capital Requirements Regulation/Directive and the UK PRA Rulebook.

BEPS

Also: Base Erosion and Profit Shifting

OECD/G20 framework to counter tax-avoidance strategies. Drives substance requirements and country-by-country reporting obligations for multinational corporate structures.

FATF Recommendations

Also: FATF 40

The Financial Action Task Force's 40 Recommendations form the global AML/CFT standard. Member jurisdictions are subject to mutual evaluations. Recommendation 16 (Travel Rule) requires originator and beneficiary information to travel with wire transfers above the local threshold.

Pillar Two

Also: OECD global minimum tax, GloBE rules

OECD-led 15% minimum effective corporate tax rate on multinational enterprises with revenue above €750M. Affects holding-company structures and licence-jurisdiction selection for larger fintechs.

Travel Rule

Also: FATF Recommendation 16

Obligation requiring originator and beneficiary information to travel with funds transfers above a threshold (EU €1,000, UK £1,000, US $3,000 generally). Extended in 2019 to virtual asset service providers.

See also: VASP, CASP, KYT

Licence types and authorisations

14 terms

API

Also: Authorised Payment Institution

UK-specific term for a fully authorised PI under the Payment Services Regulations 2017. Distinguished from a Small PI (SPI), which has lighter requirements but transaction-volume caps.

BitLicense

New York Department of Financial Services (NYDFS) authorisation for virtual currency businesses serving New York residents. Notoriously demanding application process; required for any VASP with US-state-level New York exposure.

CASP

Also: Crypto-Asset Service Provider

MiCA-defined authorised entity providing one or more of the eight regulated crypto-asset services: custody, trading-platform operation, exchange, execution of orders, placement, reception and transmission, advice, and portfolio management. CASP authorisations passport across the EEA.

See also: MiCA, MiCA passporting

CASP Class 1 / 2 / 3

MiCA Annex IV groups CASP services into three classes for prudential capital purposes. Class 1: €50,000 minimum (advice, reception/transmission, execution). Class 2: €125,000 (portfolio management, exchange). Class 3: €150,000 (custody, trading platform).

CIF

Also: Cyprus Investment Firm

Cyprus Securities and Exchange Commission (CySEC) authorisation for investment firms providing services covered by MiFID II.

DLT Provider

Gibraltar Financial Services Commission authorisation regime under the DLT Provider Regulations 2017. Pre-dates MiCA; Gibraltar-licensed firms operate alongside MiCA via passporting where relevant.

EMI

Also: Electronic Money Institution

Authorised institution permitted to issue electronic money under EMD2 (EU) or the FCA's EMR 2011 (UK). EMIs have specific capital, safeguarding, and ongoing-supervision obligations distinct from full credit institutions.

MPI

Also: Major Payment Institution

Singapore Payment Services Act tier for payment institutions exceeding the SPI thresholds. Covers digital payment token services (DPTs), e-money issuance, account issuance, and merchant acquisition.

MTL

Also: Money Transmitter Licence

US state-level authorisation for money-transmission businesses. The 50-state patchwork is the dominant US compliance burden for fintechs, with per-state surety bonds, capital, and reporting.

PI

Also: Payment Institution

Authorised institution permitted to provide payment services under PSD2. Lighter regime than an EMI: no e-money issuance, lower capital requirements.

SPI

Also: Small Payment Institution

UK lighter-regime payment-institution authorisation. Limited to a monthly transaction threshold (currently €3M) and restricted in passporting rights.

SVF

Also: Stored Value Facility

Hong Kong Monetary Authority authorisation for issuers of multi-purpose stored value facilities (closest equivalent to an EU EMI in HK).

VASP

Also: Virtual Asset Service Provider

FATF-defined category covering exchange between virtual assets and fiat, exchange between virtual assets, transfer of virtual assets, custody, and participation in financial services related to virtual asset offerings. Pre-MiCA, registered with national authorities under 5AMLD; under MiCA, replaced by the CASP regime.

VFA

Also: Virtual Financial Asset

Maltese MFSA authorisation regime introduced in 2018 for crypto-asset service providers. Largely superseded by MiCA but retained for legacy compliance and for certain specialist activities.

Crypto-asset terminology

10 terms

ART

Also: Asset-Referenced Token

MiCA category for tokens referencing the value of multiple fiat currencies, commodities, or other crypto-assets. Subject to a separate authorisation regime distinct from EMTs and standard CASP services.

Cold storage

Storage of cryptographic private keys in a manner not connected to the internet (e.g. air-gapped hardware modules). One element of qualified custody; not by itself sufficient for regulatory compliance.

Crypto-asset white paper

MiCA Article 19 disclosure document required before public offers of crypto-assets in the EEA. Includes information about the issuer, the project, the token, rights and obligations attached, and risks. Notified to the home-state NCA at least 20 working days before publication.

DPT

Also: Digital Payment Token

Singapore Payment Services Act category covering crypto-assets used or intended to be used as a means of payment. DPT services require MAS authorisation under the PSA framework.

EMT

Also: E-Money Token

MiCA category for tokens referencing the value of a single fiat currency. Issuance restricted to authorised credit institutions or EMIs.

Hot wallet

Internet-connected crypto-asset wallet used for operational liquidity. Typically holds only the minimum balance required for client withdrawals and exchange operations.

Mixer / tumbler

Service that obscures the on-chain origin of crypto-assets by pooling and redistributing funds across multiple addresses. KYT systems flag mixer-derived funds; sanctions designations have been applied to specific mixers (e.g. Tornado Cash by OFAC in 2022).

Qualified custody

Standard for crypto-asset safekeeping that meets regulator expectations (MiCA Article 70, HK SFC framework, UAE VARA): cryptographic key segregation, insurance coverage, internal controls, complete audit trail, and segregation from proprietary assets.

See also: Custody

Reserve assets

Assets held by an EMT or ART issuer to back the value of issued tokens. Subject to specific composition, custody, segregation, and audit requirements under MiCA Articles 36–47.

Significant ART / EMT

MiCA threshold designation triggering enhanced supervisory obligations: more than 10 million holders, reserve assets exceeding €5 billion, or more than 2.5 million transactions per day. Significant issuers fall under direct EBA supervision.

Banking concepts (general and technical)

24 terms

Acquirer

Bank or licensed institution that processes card payments on behalf of merchants. Settles funds to the merchant after deducting MDR; bears chargeback exposure.

BIC

Also: SWIFT code

8 or 11-character Business Identifier Code identifying a bank or bank branch on the SWIFT network. Used alongside IBAN to route international payments.

Chargeback

Card-network mechanism allowing the issuing bank to reverse a transaction back to the merchant on behalf of the cardholder. Triggered by fraud, dispute, non-delivery, or cardholder error. Excessive chargeback ratios trigger scheme penalties and potential MATCH listing.

Clearing bank

Bank with direct membership of a payment system (e.g. CHAPS, Bacs, FPS in the UK; TARGET2 in the EU) and which can settle payments without an intermediary. Acts as a clearing partner for non-clearing banks and PSPs.

Correspondent banking

Arrangement under which one bank (the correspondent) holds deposits owned by another bank (the respondent) and provides payment, clearing, and other services on the respondent's behalf. The dominant infrastructure for cross-border payments.

See also: Nostro and Vostro, Correspondent banking tier

Correspondent banking tier

Hierarchy in correspondent relationships. Tier-1 correspondents are global money-centre banks providing clearing in major currencies (USD, EUR, GBP, JPY). Tier-2 correspondents access Tier-1 services and onwards-clear for Tier-3 respondent banks. De-risking pressure flows downwards through the chain.

Escrow account

Account held by a third party (usually a bank or law firm) holding funds on behalf of two contracting parties until specified conditions are met. Common in M&A, real estate, ICOs, and large-volume commercial contracts.

IBAN

Also: International Bank Account Number

Standardised account-number format used in SEPA and many other jurisdictions. Up to 34 alphanumeric characters; encodes country code, check digits, bank identifier, and account number.

ISO 20022

Modern XML-based payment messaging standard replacing legacy SWIFT MT messages. Supports richer remittance data, improved KYC/AML data fields, and structured beneficiary identification. Cross-border SWIFT MT-to-ISO migration completes November 2025.

Letter of Credit

Also: LC, Documentary Credit

Bank-issued undertaking to pay a beneficiary against presentation of compliant documents (typically shipping and trade documents). Used to mitigate counterparty risk in international trade. Governed internationally by ICC UCP 600 rules.

MDR

Also: Merchant Discount Rate

Total fee charged to a merchant for accepting a card payment. Composed of interchange (paid to the card-issuing bank), scheme fees (paid to Visa/Mastercard), and the acquirer's mark-up.

MT103

SWIFT message type for a single customer credit transfer. Carries originator, beneficiary, payment details, and routing information. Migrating to ISO 20022 as part of CBPR+ reform.

Non-self-clearing bank

Also: Indirect participant

Bank or PSP that accesses a payment scheme through a self-clearing sponsor. Cheaper to operate than direct participation; more dependent on the sponsor's operational and risk-management decisions.

Nostro and Vostro

Bookkeeping perspectives on a correspondent relationship. From Bank A's view: a Nostro account is Bank A's account at Bank B ("our account with you"). A Vostro account is Bank B's account at Bank A ("your account with us"). The same account, viewed from each side, has different names.

Processor

Service provider handling the technical authorisation and clearing of card-payment transactions. Distinct from the acquirer (who holds the merchant relationship and licence).

Rolling reserve

Acquirer-imposed liquidity cushion held back from a merchant's settlement to cover potential future chargebacks. Common in high-risk merchant categories. Released after a holding period (commonly 90-180 days).

Safeguarding account

Segregated account at a credit institution holding client funds on behalf of an EMI or PI, ring-fenced from the institution's own funds in the event of insolvency. Required under PSD2 Article 10 and the FCA's safeguarding rules.

See also: EMI, PI

Self-clearing bank

Direct participant in a payment scheme that holds and operates its own settlement account at the central bank. No intermediary required for clearing within that scheme.

SEPA Instant

Also: SCT Inst

Real-time euro credit transfer scheme. Mandated for all PSPs in the eurozone from 9 January 2025 (receive) and 9 October 2025 (send). Settlement within 10 seconds, 24/7.

SEPA SCT

Also: SEPA Credit Transfer

Standard euro credit transfer scheme covering 36 European countries. Standardised IBAN-based addressing; settlement typically next business day.

Settlement

Final irrevocable transfer of value from payer to payee. Distinct from clearing (the netting and instruction-passing process before settlement).

Sponsor bank

Chartered bank that fronts payment-scheme access (or in the US, banking services) for a non-bank fintech. The sponsor bank carries the regulatory exposure and the fintech operates as a programme manager.

Standby Letter of Credit

Also: SBLC

Letter of credit issued as a payment-of-last-resort guarantee rather than primary payment mechanism. Used in performance guarantees, project finance, and counterparty exposure mitigation.

SWIFT

Also: Society for Worldwide Interbank Financial Telecommunication

Member-owned cooperative providing standardised messaging for cross-border payments. SWIFT does not move funds itself; it transmits payment instructions between member banks for settlement via correspondent relationships.

Banking access and friction

6 terms

De-risking

Also: De-banking

Process by which a bank exits a relationship with a client or category of clients to reduce regulatory or compliance exposure. Often driven by internal risk-appetite policies that are stricter than the formal regulatory baseline.

In-principle approval

Also: IPA

Non-binding indication from a regulator that an authorisation will be granted subject to specified conditions (capital deposit, hires, systems). Common in MAS (Singapore), HKMA (Hong Kong), and increasingly in MiCA-adjacent EU NCA processes.

MATCH listing

Also: Member Alert to Control High-Risk Merchants

Mastercard-operated database of merchants that have been terminated for serious reasons (chargebacks, fraud, AML breaches). Acquirers query MATCH before onboarding; listing makes new merchant-acquiring extremely difficult.

Pre-approval

Informal indication from a banking partner that they would accept an applicant before a formal application is submitted. Distinct from a credit pre-approval in retail banking.

RFI

Also: Request For Information

Formal compliance question from a bank to a client or applicant, typically during onboarding or periodic review. RFI volume is a leading indicator of how a banking application is likely to resolve.

Tiered banking

Categorisation of banking partners by their willingness and process for fintech onboarding rather than balance-sheet size. Tier-1 covers major commercial banks with formal de-risking policies; Tier-2 covers specialist fintech-friendly banks; Tier-3 covers crypto-native and challenger banks.

AML, KYC and financial crime

18 terms

CDD

Also: Customer Due Diligence

The full set of obligations to identify, verify, and risk-rate customers. Includes KYC and KYB at onboarding plus ongoing monitoring of transactions and risk indicators.

EDD

Also: Enhanced Due Diligence

Strengthened CDD applied to higher-risk relationships (PEPs, high-risk jurisdictions, complex ownership structures). Typically requires senior-management approval, additional source-of-funds documentation, and intensified ongoing monitoring.

KYB

Also: Know Your Business

Identity verification process applied to legal entities. Covers ultimate beneficial ownership identification, control structure mapping, source-of-funds documentation, and entity-level sanctions screening.

KYC

Also: Know Your Customer

The identity verification process applied to natural persons at onboarding. Includes identity-document verification, address confirmation, sanctions screening, and PEP screening. The customer-onboarding component of a wider customer due diligence (CDD) framework.

KYT

Also: Know Your Transaction

Blockchain-analytics-driven monitoring of crypto-asset transactions: source-of-funds attribution via on-chain analysis, mixer detection, and sanctions screening on wallet addresses. Distinct from conventional rule-based transaction monitoring.

See also: Transaction monitoring system

Layering

Money-laundering stage at which illicit funds are moved through complex transaction chains to obscure their origin. Between placement and integration.

PEP

Also: Politically Exposed Person

Individual entrusted with prominent public functions; the category also covers immediate family members and close associates. Subject to enhanced due diligence in EU and UK AML frameworks. Status persists for at least 12 months after the public function ends.

Predicate offence

Underlying criminal activity from which proceeds may be laundered. 6AMLD harmonised the predicate offence list across the EU at 22 categories.

Sanctions screening

Process of checking customers, counterparties, and transactions against international sanctions lists (UN, EU, OFAC, UK OFSI) at onboarding and on an ongoing basis.

SAR

Also: Suspicious Activity Report

UK term for the report filed with the National Crime Agency under the Proceeds of Crime Act 2002 when suspicion of money laundering or terrorist financing arises. Comparable to STR in other jurisdictions.

SDD

Also: Simplified Due Diligence

Lighter CDD applied to specifically defined low-risk relationships (regulated EU financial institutions, listed companies on regulated markets). Available only when documented risk assessment supports it.

Smurfing

Also: Structuring

Breaking a large transaction into multiple smaller ones to evade reporting thresholds. Specifically prohibited under most AML frameworks.

Source of funds

The origin of the specific funds being transacted. Documented through bank statements, sale contracts, payslips, or other transactional evidence. Distinct from source of wealth.

Source of wealth

The origin of a customer's overall financial standing. Documented through tax returns, business sale documentation, inheritance records, or career history. Required at higher CDD tiers.

STR

Also: Suspicious Transaction Report

Mandatory report to a national Financial Intelligence Unit when a regulated entity identifies a suspicious transaction. Filing protected from civil liability. Tipping off the customer is a separate criminal offence.

Tipping off

Disclosing to a customer that a SAR/STR has been filed about them, or that an investigation is underway. Criminal offence under POCA 2002 (UK) and equivalent statutes across the EU.

Transaction monitoring

Ongoing automated and human review of customer transactions against patterns and rules to detect suspicious activity. Outputs alerts, which are dispositioned as either no action or escalated to a SAR/STR.

UBO

Also: Ultimate Beneficial Owner

Natural person who ultimately owns or controls a legal entity, identified through ownership or control thresholds (typically 25% under EU AML directives). Reportable to UBO registers in most EU member states.

Compliance roles and governance

6 terms

CISO

Also: Chief Information Security Officer

Individual accountable for the institution's information-security programme. Specifically referenced in DORA's ICT-risk-management governance requirements.

DPO

Also: Data Protection Officer

Individual responsible for advising on and monitoring GDPR / UK GDPR compliance. Mandatory for public bodies, certain large-scale data processors, and processors of special-category data.

Fitness and propriety

Regulatory test applied to senior individuals at authorisation and on an ongoing basis. Assesses honesty, integrity, reputation, competence, capability, and financial soundness. Reputational issues are routinely the rejection point in late-stage MiCA and EMI applications.

MLCO

Also: Money Laundering Compliance Officer

Individual responsible for the institution's overall AML/CTF compliance programme. In some firms identical to the MLRO; in larger firms, a separate role.

MLRO

Also: Money Laundering Reporting Officer, Nominated Officer

Senior individual responsible for receiving internal suspicious activity reports and deciding whether to escalate to the FIU. UK MLROs perform an SMCR-controlled function.

SMCR

Also: Senior Managers and Certification Regime

FCA / PRA framework for individual accountability in UK regulated firms. Senior Manager Functions require regulatory approval; certified persons are firm-attested annually.

Process and engagement terms

7 terms

Authorisation file

Complete regulatory submission for a licence application. Includes Programme of Operations, AML policy suite, ICT risk framework (DORA), fitness-and-propriety attestations, capital adequacy report, governance documentation, and third-party-risk register.

Grandfathering

Also: Article 143 MiCA

Transitional arrangement allowing entities authorised under pre-MiCA national frameworks to continue operating until 1 July 2026 (or sooner, where member states have shortened the period to 18 months) while applying for full MiCA authorisation.

Passporting

Mechanism allowing a firm authorised in one EEA member state to provide services across the rest of the EEA on a freedom-of-services or freedom-of-establishment basis. Available for EMIs, PIs, MiFID firms, and (post-MiCA) CASPs.

Pre-application engagement

Informal pre-submission meeting offered by some NCAs (notably Bank of Lithuania, Cyprus, Malta) where prospective applicants can preview the proposed business model and receive feedback before formal authorisation file lodgement.

Programme of Operations

Required document in EU and UK financial-services authorisation applications. Walks through services offered, target customer base, AML framework, governance structure, ICT setup, and capital adequacy. The most common reason for late-stage application rejections.

Reverse solicitation

Narrow MiCA exemption applying when a third-country firm is approached by an EEA customer entirely on the customer's own initiative, with no marketing into the EEA. Easily lost through any EEA-targeted advertising, EEA-language support, app-store storefronts, or affiliate referrals.

Substance

Regulatory expectation that an authorised entity has real local presence: directors physically resident in the jurisdiction, real employees, decision-making conducted locally. Increasingly tested by NCAs (notably Bank of Lithuania since 2023).

Compliance technology and systems

7 terms

Adverse-media screening

Automated check for negative news mentions of customers and counterparties. Used during EDD and periodic review cycles. Often packaged with sanctions and PEP screening.

KYC system

Software platform automating identity verification at customer onboarding. Typically covers identity-document capture and verification, biometric liveness checks, sanctions-list screening, and PEP screening. Common vendors include Sumsub, Onfido, Veriff, and Jumio.

KYT system

Blockchain-analytics platform monitoring crypto-asset transactions for source-of-funds attribution, mixer-derived funds, and sanctions exposure. Common vendors include Chainalysis, Elliptic, and TRM Labs.

Sanctions-screening system

Software platform checking customer and counterparty data against international sanctions lists (UN, EU, OFAC, UK OFSI). Both at onboarding and on a daily-batch ongoing basis.

Seed phrase management

Also: Mnemonic management

Procedural and technical framework for the secure storage, rotation, and recovery of cryptographic seed phrases (the 12 or 24-word strings from which crypto-asset wallet keys are derived). Subject to specific operational requirements under BaFin's German crypto-custody licence regime, the Danish FSA's custody supervision, and equivalent frameworks elsewhere.

Transaction monitoring system

Also: TM system

Rule-based software platform processing customer transactions to flag suspicious patterns. Outputs alerts for human disposition. Commonly built around scenario libraries covering smurfing, structuring, rapid movement, and known typology indicators.

Travel Rule provider

Specialist vendor handling the originator-and-beneficiary information exchange required by FATF Recommendation 16. Common providers include Notabene, Sumsub Travel Rule, Sygna, and Veriscope.

Informal value transfer systems

5 terms

Hawala

Also: Hundi

Centuries-old informal value transfer system originating in South Asia and the Middle East. Operates through networks of trusted brokers (hawaladars) who settle through reciprocal trust rather than physical fund movement. Legal in regulated form in many jurisdictions; subject to AML registration in the UK, EU, UAE, and US.

MSB

Also: Money Services Business

Regulated category covering currency exchangers, money transmitters, cheque cashers, and (in the US under FinCEN rules) virtual currency businesses. The umbrella designation under which most non-bank value transfer activity sits in the United States, Canada, and the United Kingdom.

MSO

Also: Money Service Operator

Hong Kong-specific MSB analogue. Licensed by the Hong Kong Customs and Excise Department under the AMLO. Covers money changers and remittance operators. Crypto-asset firms in Hong Kong are not typically licensed as MSOs (the SFC VATP regime applies instead).

Remittance

Cross-border transfer of funds, typically by an individual to family in their country of origin. The largest single use case for both formal MSBs and informal hawala networks.

Underground banking

Generic term for unregulated value transfer systems operating outside the formal banking system. Where specifically organised and trust-based, often referred to as hawala (South Asia / Middle East), fei ch'ien (China), or hundi (South Asia).

Regulators — EEA and UK

18 terms

ACPR

Also: Autorité de contrôle prudentiel et de résolution

France's prudential supervisor (within the Banque de France). Supervises EMIs, PIs, credit institutions, and CASPs jointly with the AMF.

AFM

Also: Autoriteit Financiële Markten

Netherlands conduct regulator for financial markets. Joint supervisor of CASPs alongside DNB.

AMF

Also: Autorité des marchés financiers

France's market regulator. Co-supervises CASPs alongside the ACPR.

BaFin

Also: Bundesanstalt für Finanzdienstleistungsaufsicht

German Federal Financial Supervisory Authority. Authorises crypto-custody licences, EMIs, PIs, and credit institutions. Crypto-custody licence introduced in 2020; an early adopter of regulated digital-asset frameworks in the EEA.

Bank of Lithuania

Also: Lietuvos bankas

Lithuania's central bank and EMI/PI supervisor. Has been a popular EMI-licensing jurisdiction since 2017 due to its fast authorisation timelines and English-speaking supervision.

CBI

Also: Central Bank of Ireland

Irish central bank and financial-services supervisor. Authorises EMIs, PIs, MiFID firms, and CASPs in Ireland.

CSSF

Also: Commission de Surveillance du Secteur Financier

Luxembourg financial-services supervisor. Authorises investment firms, PIs, EMIs, and CASPs.

CySEC

Also: Cyprus Securities and Exchange Commission

Cyprus financial supervisor for investment firms (CIFs), AIFMs, and CASPs. Cyprus has historically been a popular MiFID II-passportable jurisdiction.

DNB

Also: De Nederlandsche Bank

Netherlands central bank and prudential supervisor. Authorises credit institutions, EMIs, PIs, and (jointly with the AFM) CASPs.

EBA

Also: European Banking Authority

EU-level supervisor for the banking sector. Issues MiCA technical standards covering EMTs, supervises significant EMT issuers, and produces AML/CFT guidance.

ECB

Also: European Central Bank

Central bank of the eurozone and direct supervisor of significant credit institutions through the Single Supervisory Mechanism.

ESMA

Also: European Securities and Markets Authority

EU-level supervisor for securities markets. Issues MiCA technical standards, maintains the CASP register, and directly supervises significant ART issuers.

FCA

Also: Financial Conduct Authority

United Kingdom conduct regulator for financial services. Authorises EMIs, PIs, investment firms, and (under the FSMA 2023 framework) crypto-asset firms within scope.

FINMA

Also: Swiss Financial Market Supervisory Authority

Swiss federal financial-services supervisor. Authorises banks, asset managers, and DLT-trading-system operators under Switzerland's standalone (non-EU) DLT framework.

GFSC

Also: Gibraltar Financial Services Commission

Gibraltar financial-services supervisor. Issues DLT Provider authorisations under the 2017 regulations, a pre-MiCA framework still operating in the British Overseas Territory.

ICO

Also: Information Commissioner's Office

United Kingdom data protection regulator. Enforces UK GDPR, DPA 2018, and PECR.

MFSA

Also: Malta Financial Services Authority

Malta financial-services supervisor. Authorised the original Virtual Financial Asset (VFA) regime in 2018; now also issues MiCA CASP authorisations.

PRA

Also: Prudential Regulation Authority

United Kingdom prudential regulator (part of the Bank of England) for credit institutions, insurance firms, and major investment firms.

Regulators — Americas

12 terms

CFPB

Also: Consumer Financial Protection Bureau

United States consumer-protection regulator for financial products. Regulates payment apps, prepaid cards, and (increasingly) digital-asset retail products.

CFTC

Also: Commodity Futures Trading Commission

United States federal regulator for derivatives markets. Asserts jurisdiction over crypto-asset commodities (notably Bitcoin and Ether spot markets where derivatives exist).

CSA

Also: Canadian Securities Administrators

Council of Canadian provincial and territorial securities regulators. Coordinates the Canada-wide approach to crypto-asset trading platforms via Notice 21-329 and successor guidance.

FDIC

Also: Federal Deposit Insurance Corporation

United States deposit-insurance corporation and supervisor of state non-member banks. Issued joint guidance with the OCC and Federal Reserve on banks' crypto-asset activities.

Federal Reserve

Also: The Fed

United States central bank and bank holding company supervisor. Operates Fedwire and FedNow real-time settlement systems and supervises state-member banks.

FinCEN

Also: Financial Crimes Enforcement Network

Bureau of the US Treasury Department responsible for AML/CFT enforcement. Supervises money services businesses, including virtual currency exchanges, under the Bank Secrecy Act.

FINTRAC

Also: Financial Transactions and Reports Analysis Centre of Canada

Canada's financial intelligence unit and AML supervisor. Registers and supervises money services businesses, including virtual currency dealers.

NYDFS

Also: New York Department of Financial Services

New York State financial-services regulator. Issues the BitLicense for virtual currency businesses serving New York residents and operates a separate trust-charter framework used by several major crypto-asset custodians.

OCC

Also: Office of the Comptroller of the Currency

United States federal banking regulator within Treasury. Charters and supervises national banks and federal savings associations. Issues guidance on banks' permissible crypto-asset activities.

OFAC

Also: Office of Foreign Assets Control

United States Treasury sanctions enforcement office. Maintains the Specially Designated Nationals list. Has applied sanctions designations to specific crypto wallets and mixers (Tornado Cash, Blender.io).

OSFI

Also: Office of the Superintendent of Financial Institutions

Canada's prudential regulator for federally regulated financial institutions.

SEC

Also: Securities and Exchange Commission

United States federal securities regulator. Asserts jurisdiction over crypto-assets that meet the Howey test as investment contracts.

Regulators — Asia-Pacific

7 terms

BoJ

Also: Bank of Japan

Japan's central bank. Operates the BOJ-NET settlement system and supervises payment-service market infrastructure jointly with the JFSA.

HKMA

Also: Hong Kong Monetary Authority

Hong Kong's central bank and prudential regulator. Authorises credit institutions and Stored Value Facility (SVF) issuers; jointly supervises stablecoin issuers under the Stablecoins Ordinance.

IA

Also: Insurance Authority Hong Kong

Hong Kong insurance regulator. Relevant to digital-asset firms providing insurance-linked products.

JFSA

Also: Financial Services Agency Japan

Japan's integrated financial regulator. Supervises Crypto Asset Exchange Service Providers under the Payment Services Act since 2017.

JVCEA

Also: Japan Virtual and Crypto assets Exchange Association

Self-regulatory organisation for licensed Japanese crypto-asset exchanges. Issues binding self-regulatory rules approved by the JFSA.

MAS

Also: Monetary Authority of Singapore

Singapore's central bank and integrated financial regulator. Authorises payment institutions (SPI / MPI tiers) and DPT service providers under the Payment Services Act.

SFC

Also: Securities and Futures Commission

Hong Kong securities regulator. Operates the Virtual Asset Trading Platform (VATP) authorisation regime introduced in 2023 for crypto-asset exchanges serving Hong Kong residents.

Regulators — Middle East

7 terms

ADGM

Also: Abu Dhabi Global Market

Abu Dhabi's English-common-law financial free zone, distinct from CBUAE-regulated onshore UAE. Supervised by the FSRA.

CBUAE

Also: UAE Central Bank

United Arab Emirates central bank. Supervises licensed banks, exchange houses, and onshore payment-service providers across the seven Emirates outside the DIFC and ADGM free zones.

DFSA

Also: Dubai Financial Services Authority

Independent regulator of the Dubai International Financial Centre (DIFC) financial free zone. Authorises investment firms, banks, and crypto-asset service providers operating exclusively from the DIFC.

DIFC

Also: Dubai International Financial Centre

Dubai's English-common-law financial free zone. Operates its own court system and regulator (DFSA). Distinct from VARA-regulated mainland Dubai.

FSRA

Also: Financial Services Regulatory Authority

Regulator of the Abu Dhabi Global Market (ADGM) financial free zone. Operates one of the earliest specialist crypto-asset frameworks globally, established in 2018.

SCA

Also: Securities and Commodities Authority

United Arab Emirates federal securities regulator. Supervises onshore crypto-asset offerings outside the DIFC, ADGM, and Dubai (which falls under VARA's authority).

VARA

Also: Virtual Assets Regulatory Authority

Dubai's standalone virtual-assets regulator established in 2022. Authorises Virtual Asset Service Providers operating in the Emirate of Dubai (excluding the DIFC financial free zone).

International standard-setting bodies

6 terms

Basel Committee

Also: BCBS

Basel Committee on Banking Supervision. Sets the global capital, liquidity, and risk-management standards (Basel I, II, III, IV) implemented by national regulators.

BIS

Also: Bank for International Settlements

International institution serving central banks. Hosts the Basel Committee on Banking Supervision and other standard-setting bodies.

FATF

Also: Financial Action Task Force

Inter-governmental body setting international standards on AML, CFT, and counter-proliferation financing. Conducts mutual evaluations and maintains the high-risk-jurisdictions list.

FSB

Also: Financial Stability Board

International body coordinating national financial-stability work. Issues high-level recommendations for crypto-asset and stablecoin activities to G20 jurisdictions.

IMF

Also: International Monetary Fund

International financial institution. Issues policy guidance on crypto-asset frameworks for member countries; co-leads with the FSB on the G20 crypto-asset roadmap.

IOSCO

Also: International Organization of Securities Commissions

International standard-setting body for securities regulators. Issues recommendations on crypto-asset markets, decentralised finance, and tokenisation.