Dubai’s Virtual Assets Regulatory Authority (VARA) has issued updated anti-money laundering (AML) rules for licensed crypto firms, tightening compliance requirements across the emirate’s digital asset sector. The framework, released on June 12, applies to virtual asset service providers operating under its supervision.
The guidance requires firms to strengthen data-driven risk assessments and improve systems used to detect money laundering, terrorism financing and proliferation financing. VARA also said companies must enhance transaction monitoring and increase senior management oversight of compliance processes.
The regulator further highlighted emerging risks linked to artificial intelligence and anonymous transactions, urging firms to update their controls to address these threats.
VARA pushes data-based compliance standards
VARA’s new AML/CFT Business Risk Assessment guidance focuses on making compliance decisions more accurate and evidence-based. The regulator said licensed VASPs must review their risk assessments at least every three months.
Further, the regulator is pushing virtual asset firms in Dubai to tighten how they assess financial crime risks as digital asset activity grows. The body requires firms to update their Business Risk Assessments whenever major business changes or regulatory shifts occur. It also wants companies to base decisions on real operational data rather than assumptions.
The guidance follows VARA’s 2026 thematic review of risk assessment practices across the virtual asset sector. The review found that stronger data use and better governance remain key gaps in many firms’ compliance systems. As a result, VARA is pressing for more structured and evidence-based risk management frameworks.
Firms must now factor in customer profiles, geographic exposure, business activities, and broader UAE financial crime risks when building their assessments. This means companies need to take a more detailed view of where risks come from and how they change over time.
Dubai strengthens crypto market supervision
The latest guidance comes as UAE regulators step up enforcement across the financial sector. Since early 2025, the Central Bank of the UAE has imposed more than AED370.3 million ($101 million) in fines on banks, insurers, money exchange houses and other financial firms. The penalties have also included license suspensions, cancellations and operational restrictions.
VARA has taken similar action in the crypto sector. In October 2025, the regulator fined 19 companies for offering virtual asset services without authorization, with penalties ranging from AED100,000 to AED600,000. The firms were also ordered to stop operations and cease advertising.
The regulator has also been tightening its rulebook. In March, VARA introduced an Exchange Services Rulebook setting stricter requirements for licensed virtual asset service providers. The framework covers governance, risk management, disclosures, margin trading and exchange-traded derivatives.
Under the rules, margin trading is only allowed where it is explicitly approved in a firm’s license. Companies seeking approval must submit detailed documentation, including operational procedures, agreements and evidence of control systems.
The measures reflect a broader tightening of financial oversight in the UAE, as regulators increase enforcement across both traditional finance and the digital asset sector.
Also Read: GAO Presses FDIC to Close Gaps in Crypto and Blockchain Risk Oversight
