What changed on 12 January 2026
Until the amendments came into force, the DFSA maintained a list of Recognised Crypto Tokens against which DIFC-authorised firms could provide regulated services. That list functioned as a regulatory pre-clearance mechanism: a token on the list was, for DIFC purposes, presumptively in scope; a token not on the list was either out of scope or subject to specific firm-by-firm engagement with the regulator.
That pre-clearance has now been removed. Under the amended Crypto Token Rules, DIFC firms must determine, on a reasoned and documented basis, whether each Crypto Token they intend to bring within their regulated activity meets the DFSA's suitability criteria. The criteria themselves remain familiar — token classification, governance, technology resilience, market integrity, and investor-protection considerations — but the accountability for the determination has shifted decisively from regulator to firm.
The structural implications
This is, on the face of it, a removal of one administrative step. In practice, it is one of the most significant supervisory shifts the DIFC virtual asset perimeter has seen since the Crypto Token regime was introduced. Three implications are worth dwelling on.
1. The firm is now the documented gatekeeper
A reasoned and documented determination is not a one-line file note. The DFSA has been clear, in commentary surrounding the amendments, that it expects firms to maintain a per-token assessment file with a defined evidence schedule, refreshed at a defined cadence, and reviewed under a Token Acceptance governance forum that sits within the firm's documented risk management framework. The expectation is comparable to a product-governance file under traditional financial-services regimes, but tailored to crypto-token-specific risks.
2. Reasoned determinations require a methodology
"Reasoned" is the operative word. A determination that simply asserts that a token meets the suitability criteria is not reasoned. The expectation is that the firm has a written methodology — the Token Suitability Methodology — that defines the criteria, the evidence sources, the assessment scoring (or qualitative equivalent), the governance forum, the conflicts management around the determination, and the escalation path for borderline cases. The methodology itself is expected to be reviewed and challenged by the second line of defence at a defined cadence.
3. The supervisory record can be tested at any moment
Because the determination accountability sits with the firm, the supervisory record sits with the firm too. Firms should expect that any specific Crypto Token within the regulated activity may be the subject of a supervisory question — and should be able to produce, on short notice, the per-token assessment file, the methodology that supported it, and the governance trail that approved it.
What "reasoned and documented" looks like in practice
From our work with DIFC firms in the first weeks following the amendments, the per-token assessment file is converging on a recognisable structure:
| Section | What good looks like |
|---|---|
| Token classification | Documented assessment against the DFSA Crypto Token definition; reasoned conclusion on whether the token sits within the regulated perimeter and, if so, on what basis. |
| Governance & control | Identification of the issuer or sponsor; assessment of governance arrangements; identification of concentration, control and influence risks. |
| Technology resilience | Documented review of the underlying protocol, recent material upgrades, known vulnerabilities, and operational resilience considerations. |
| Market integrity | Trading-venue analysis, liquidity assessment, market-abuse surveillance considerations, and price-formation integrity. |
| Investor protection | Documented assessment of disclosures, suitability for the firm's intended client base, and the firm's marketing and communications discipline around the token. |
| AML / sanctions / financial crime | Blockchain analytics review, address-cluster risk, sanctions exposure, and the firm's counterparty due diligence on the issuer or sponsor. |
| Ongoing review schedule | Defined cadence for refresh, defined trigger events that bring forward a refresh, and the documented decision rights for delisting. |
The DFSA has not created a heavier suitability test. It has removed the option for firms to outsource the test to the regulator.
Operating-model implications
Beyond the per-token file, three operating-model implications follow:
Token Suitability Committee
Most firms we work with are establishing — or formalising — a Token Suitability Committee with documented membership, terms of reference, quorum and minute-taking discipline. The Committee typically draws on legal, compliance, risk, technology and front-office representation; conflicts policy is documented; and decisions are recorded with a clear approve / decline / refer rationale.
Methodology ownership in the second line
The Token Suitability Methodology itself sits naturally with second-line risk and compliance, with first-line input on commercial considerations. Sitting the methodology in the first line concentrates conflicts; sitting it solely in the second line risks operational disconnection. The standard model is second-line ownership with documented first-line consultation.
Marketing and communications discipline
Where a token is on the firm's regulated perimeter, marketing and communications discipline must align with the per-token assessment file. References to a token in client-facing materials should be traceable to a current, approved assessment, with a documented reviewer for each communication. Firms should expect that a piece of dated marketing referencing a token whose assessment has subsequently changed will surface as an inspection finding.
What CASA is doing for DIFC firms
We are delivering three productised work streams to DIFC firms post-12 January 2026:
- Token Suitability Methodology design — a fixed-fee build of the firm's methodology, governance forum, scoring framework and escalation path.
- Per-token assessment file remediation — capacity-based delivery to bring an existing token book within the new evidence standard, with a defined cadence for refresh.
- Independent review under our Compliance Framework Attestation — for boards or counterparties who want an independent attestation that the firm's Token Suitability Methodology and per-token files meet the standard.
Want a 30-minute call on how the January 2026 amendments affect your DIFC perimeter?
Brief our teamReferences: DFSA Crypto Token Rules (as amended 12 January 2026); DFSA General Rulebook; DFSA Conduct of Business Rulebook; DFSA PIB Rulebook.
This briefing is general commentary by CASA and does not constitute regulated legal, financial or investment advice. Firms should confirm specific positions with retained counsel and the relevant supervisory authority.