Why Version 2.0 matters

VARA structured its original rulebook stack as a set of activity-specific obligations bolted onto a common compliance, risk and conduct architecture. Version 2.0 retained the architecture but tightened the compliance, risk and conduct expectations across the board, and rebalanced several activity rulebooks to reflect what the regulator had observed during 18 months of supervision. For firms holding a VARA Virtual Asset Service Provider licence — Advisory, Broker-Dealer, Custody, Exchange, Lending and Borrowing, Management and Investment, or Transfer and Settlement — the practical effect is that an evidence pack that was sufficient at initial authorisation is now likely materially below the inspection bar.

Three structural shifts explain most of the post-Version 2.0 remediation work we see in the market:

  • From principles to evidence. Where Version 1.0 set principles, Version 2.0 increasingly sets evidence expectations. Boards are expected not only to govern, but to demonstrate that they have governed — with documented agendas, papers, decisions and follow-through.
  • From periodic to continuous. The supervisory frame has moved from periodic refresh to continuous control. This is most visible in customer due diligence, sanctions screening, transaction monitoring and outsourcing assurance.
  • From firm-led to firm-led-with-second-line-challenge. The second line of defence is expected to challenge, not just document. Inspection findings increasingly target the absence of evidenced challenge as a control failure in its own right.

The seven activity categories — what changed in practice

1. Advisory

The activity perimeter has not moved, but expectations on documentation of suitability assessments, conflicts management and the regulated-perimeter firewall have tightened. Advisory firms are expected to evidence not only that advice was given, but that it was given within a documented suitability methodology, by a person with documented authority to do so, and that conflicts were identified and addressed before the engagement was accepted. The Engagement Acceptance discipline that mature advisory firms already operate is now a baseline expectation, not a differentiator.

2. Broker-Dealer

Order-handling, best-execution and inducements expectations have all been sharpened. Best execution requires a documented venue policy supported by execution-quality evidence, reviewed at a defined cadence by a function independent of the trading desk. Inducements policies require pre- and post-trade challenge, not just a static disclosure file. Broker-dealers should expect to be tested on their ability to reconstruct a specific execution decision from the evidence trail.

3. Custody

The most heavily revised category. Segregation, key management, withdrawal-controls and proof-of-reserves expectations were all tightened. Custodians are now expected to operate clear separation between hot, warm and cold key environments, to evidence threshold and quorum policy in operation rather than only in writing, and to align proof-of-reserves disclosures with an external attestation scope that is independently auditable. The window for firms still relying on a vendor-issued report without an attestation framework behind it is closing.

4. Exchange

Market integrity is the dominant theme. Listing policies, market-abuse surveillance, manipulation thresholds and post-trade reporting have all been sharpened. Exchanges are expected to maintain a documented market-abuse risk assessment that is refreshed as listings change, and to evidence the operational link between surveillance alerts, investigations and STR/SAR-equivalent decisions. The "we run a vendor surveillance tool" defence is no longer sufficient on its own.

5. Lending and Borrowing

Disclosure, collateralisation, rehypothecation and run-risk management received the most attention. Lending firms are expected to evidence stress-testing assumptions, document exposure-limit governance, and provide retail clients with disclosure that is genuinely comprehensible — tested through a documented suitability and clarity assessment.

6. Management and Investment

Investor protection and valuation governance dominate. The Version 2.0 expectations on fund valuation, NAV calculation, liquidity management and conflicts management bring the activity meaningfully closer to traditional asset management benchmarks. Firms operating at the boundary of management activity — model portfolios, segregated mandates, tokenised funds — should re-test their permissions against the revised perimeter rather than assume continuity.

7. Transfer and Settlement

The rulebook tightened around Travel Rule operational discipline, counterparty due diligence, message-handling controls and exception management. Firms are expected to evidence not only that they comply with FATF Recommendation 16, but that they handle failed and incomplete transfers under a documented policy with a clearly defined escalation path. Travel Rule remains the activity most likely to surface operational defects under inspection.

The cross-cutting expectations

Across all activity categories, four themes recur in the Version 2.0 release and in subsequent supervisory commentary:

  • Governance evidence. Board and committee charters, agendas, papers and minutes are expected to demonstrate substantive consideration — not ceremonial sign-off. Quorum, attendance, and follow-through on prior actions are increasingly tested.
  • Outsourcing assurance. Material outsourcing arrangements, including intra-group service agreements, are expected to be governed by a documented outsourcing policy, supported by due diligence packs, SLAs, audit-rights regimes and a RACI library — and reviewed at a defined cadence.
  • Conduct and culture. Conflicts, gifts and entertainment, personal account dealing, whistleblowing and complaints handling all received tightened obligations. Firms are expected to evidence policy in operation, not only on the page.
  • Risk and capital adequacy. Expense-based capital must be monitored on an ongoing basis, with a documented escalation path if the floor is approached. The expectation is for firms to operate above the regulator floor with a defined buffer policy, not at the floor.
The recurring inspection finding, in our experience, is not the absence of policy. It is the absence of evidenced application of the policy.

Practical adjustments most firms still owe their boards

Twelve months on from Version 2.0, the following five adjustments are the ones we most often see deferred:

  1. A refreshed enterprise-wide AML/CFT risk assessment that reflects the post-Version 2.0 typology landscape and the firm's actual customer book — not the assumed customer book that was in the Year-1 application.
  2. An evidenced model-validation cycle for AML, sanctions and TM models. Documentation review, conceptual soundness assessment, ongoing monitoring testing, and outcomes analysis. This is now a baseline supervisory expectation, not a maturity differentiator.
  3. A documented Engagement Acceptance regime for new clients (or new product lines), with a written committee record and a clear acceptance/decline rationale.
  4. A refreshed RACI for the regulated-perimeter firewall — particularly where the firm uses outsourced MLRO, CO or DPO support — with explicit allocation of accountability for binding decisions.
  5. A board-pack template that surfaces the four cross-cutting themes (governance evidence, outsourcing assurance, conduct and culture, risk and capital) at every board meeting, with a defined escalation threshold for each.

How CASA helps

We deliver Version 2.0 inspection-readiness work in three productised forms:

  • Inspection Readiness Assessment — a fixed-fee diagnostic against the Version 2.0 evidence bar across the seven activity categories, with a board-ready remediation plan.
  • Compliance Framework Attestation — an independent attestation deliverable confirming that the AML/CFT/sanctions/data-protection framework meets the relevant standard, suitable for board, regulator and counterparty distribution.
  • Application Readiness Sprint — for firms still in the application window, a fixed-fee bundle of pre-application review, evidence pack, RI mock interviews and policy drafting.

Want a 30-minute call on how Version 2.0 affects your activity category specifically?

Brief our team

References: VARA Compliance and Risk Management Rulebook; VARA Virtual Asset Advisory Services Rulebook; VARA Custody Rulebook; VARA Exchange Rulebook; VARA Broker-Dealer Rulebook; VARA Lending and Borrowing Rulebook; VARA Management and Investment Rulebook; VARA Transfer and Settlement Rulebook; Version 2.0 activity-based Rulebooks (May 2025).

This briefing is general commentary by CASA and does not constitute regulated legal, financial or investment advice. Firms should confirm specific positions with retained counsel and the relevant supervisory authority.