UAE Federal Decree-Law on AML/CFT/CPF 2025 — Mandatory GAP Assessment Brief

Summary

On November 24, 2025, VARA issued a circular regarding the “Publication of UAE Federal Decree-Law on AML/CFT/CPF (2025) — Mandatory GAP Assessment for VASPs.” This circular requires all licensed VASPs to conduct a formal gap assessment comparing their existing AML/CFT programmes with the updated federal requirements, and to implement remediation plans for any identified gaps.

The federal decree-law represents one of the most significant legislative developments affecting Dubai’s virtual asset sector, as it updates the foundational AML/CFT legal framework under which all regulated entities in the UAE — including VARA-licensed VASPs — must operate.

Federal Law Context

The UAE’s AML/CFT legal framework operates at the federal level, applying across all seven emirates and their respective regulatory zones. The updated Federal Decree-Law on AML/CFT/CPF (2025) supersedes previous federal AML legislation and incorporates enhanced requirements reflecting the UAE’s continued commitment to international AML/CFT standards following the country’s exit from the FATF grey list.

For VARA-licensed VASPs, the federal law creates a layer of AML/CFT obligations that operates alongside — and in some areas extends beyond — the requirements in VARA’s own rulebooks and circulars.

GAP Assessment Requirements

VARA’s mandatory gap assessment requirement obligates licensed VASPs to:

Analyze the New Federal Requirements: Review the full text of the updated Federal Decree-Law to identify all requirements applicable to virtual asset activities, including customer due diligence, transaction monitoring, suspicious activity reporting, sanctions compliance, record keeping, and governance obligations.

Compare Against Current Programmes: Map the federal requirements against the VASP’s existing AML/CFT programme, identifying areas where current practices meet, exceed, or fall short of the updated requirements.

Identify Gaps: Document all areas where the current programme does not fully comply with the updated federal requirements, including specific requirements that are new, enhanced, or modified from the previous federal law.

Develop Remediation Plans: For each identified gap, develop a documented remediation plan with specific actions, responsible parties, and implementation timelines.

Implement Remediation: Execute the remediation plans within the specified timeframes, ensuring that all programme updates are properly documented, tested, and embedded in operational procedures.

Document the Process: Maintain comprehensive records of the gap assessment process, findings, remediation plans, and implementation outcomes for VARA review.

Implications for VASP Compliance Programmes

The gap assessment requirement has several practical implications:

Programme Architecture Review: VASPs may need to restructure their AML/CFT programme documentation to explicitly address both VARA-specific and federal requirements, ensuring comprehensive coverage.

Enhanced CDD Procedures: The updated federal law may introduce new or enhanced customer due diligence requirements that exceed the current VARA rulebook standards, requiring VASPs to upgrade their CDD procedures.

Technology System Updates: Changes to monitoring thresholds, screening requirements, or reporting formats may require updates to AML/CFT technology systems, including transaction monitoring platforms and sanctions screening tools.

Governance Updates: The gap assessment process itself must be overseen by appropriate governance structures, with findings and remediation plans reviewed and approved by senior management or board-level committees.

Relationship to VARA’s AML/CFT Framework

This circular is part of VARA’s progressive strengthening of AML/CFT requirements:

• February 2025: Reminder on UAE National AML/CFT Obligations
• June 2025: UAE National Risk Assessment integration requirements
• November 2025: This circular on Federal Decree-Law GAP Assessment
• January 2026: Enhanced FATF High-Risk Jurisdiction Measures
• February 2026: Virtual Assets Travel Rule implementation
• March 2026: Comprehensive AML/CFT/CPF implementation circular

The cumulative effect of these circulars is a layered AML/CFT framework that combines VARA-specific requirements, UAE federal obligations, and international FATF standards into a comprehensive compliance obligation set.

Enforcement Risk

The gap assessment requirement is not advisory — it is a regulatory obligation with enforcement consequences. VASPs that fail to conduct the assessment, that conduct an inadequate assessment, or that fail to implement remediation plans face potential supervisory action.

The MORPHEUS/FUZE enforcement case demonstrates that VARA penalizes AML programme failures: that entity was cited specifically for “Failures in AML programme controls, related governance, compliance and internal systems and controls.” A failure to conduct the mandatory gap assessment could expose a VASP to comparable enforcement risk.

For the complete enforcement record, see our enforcement section.

Recommendations

1. Prioritize the gap assessment as a compliance project with board-level visibility
2. Engage qualified AML/CFT professionals for the assessment if internal resources are insufficient
3. Coordinate with VARA if the gap assessment reveals significant compliance shortfalls requiring extended remediation timelines
4. Maintain documentation of the entire process for regulatory review
5. Integrate findings into the VASP’s ongoing compliance programme maintenance

For comprehensive AML/CFT analysis, see our AML/CFT requirements deep dive. For licensing requirements and entity profiles, see the relevant sections.

For federal regulatory intelligence, visit UAE Tokenization Regulations. For broader UAE compliance context, see our VARA vs ADGM comparison.

The Federal AML Decree-Law Update

In November 2025, VARA issued a circular directing all licensed VASPs to conduct a mandatory GAP assessment following the publication of the updated UAE Federal Decree-Law on Anti-Money Laundering, Counter-Terrorism Financing, and Counter Proliferation Financing. This federal legislation establishes the overarching AML/CFT legal framework within which VARA’s own AML requirements operate.

Significance of the Federal Update

The UAE Federal AML Decree-Law provides the primary legal basis for AML/CFT obligations across all regulated sectors in the UAE, including virtual assets. The 2025 update reflects the UAE’s ongoing efforts to strengthen its AML/CFT framework in response to:

• FATF Mutual Evaluation: The UAE’s position on FATF lists and the need to demonstrate effective AML/CFT implementation
• Evolving Threats: New and emerging money laundering and terrorist financing methodologies, including those involving virtual assets
• International Standards: Updated FATF recommendations and guidance that member countries are expected to implement

Mandatory GAP Assessment

The VARA circular requires each licensed VASP to conduct a systematic comparison between its existing AML/CFT programme and the updated federal law requirements. The GAP assessment must identify:

• New Requirements: Obligations introduced by the updated law that are not addressed by the entity’s current compliance programme
• Enhanced Requirements: Existing obligations that have been strengthened or expanded in the updated law
• Modified Definitions: Changes to key definitions (such as predicate offences, designated categories, or reporting thresholds) that may affect compliance procedures
• Timeline Requirements: New or modified deadlines for compliance actions

Interaction with VARA’s Framework

The federal AML decree-law and VARA’s own AML framework operate as complementary layers:

• Federal Law: Establishes the overarching legal obligations, offences, and penalties for AML/CFT non-compliance
• VARA Rulebooks: Translate federal requirements into sector-specific obligations for VASPs, including the March 2026 implementation circular on UAE AML requirements
• VARA Circulars: Provide operational guidance on implementing specific aspects of AML compliance

VASPs must comply with both layers. A compliance programme that satisfies VARA’s rulebooks but fails to address federal law requirements would expose the entity to enforcement risk from both VARA and federal authorities.

Impact on Licensed Entities

For licensed VASPs including Binance Dubai, OKX Middle East, BitOasis, Crypto.com Dubai, Bybit Dubai, and Rain Financial, the GAP assessment requirement involves:

• Engaging qualified compliance personnel or external advisors to conduct the assessment
• Reviewing all AML/CFT policies, procedures, systems, and controls against the updated law
• Developing remediation plans for identified gaps
• Implementing changes within the timeframes specified by VARA
• Documenting the assessment and remediation for regulatory review

Enforcement Context

The FUZE case (August 2025) provides a cautionary precedent. FUZE was penalised for “failures in AML programme controls, related governance, compliance and internal systems and controls.” This enforcement action pre-dated the federal law update, suggesting that VARA already held entities to high AML compliance standards. The updated federal law raises the compliance baseline further.

Connection to FATF and the UAE’s International Standing

The UAE’s AML framework is subject to periodic FATF assessment. The country’s placement on or removal from FATF monitoring lists directly affects the operating environment for VASPs:

• FATF High-Risk Jurisdiction Screening: VASPs must apply enhanced measures to transactions involving countries on FATF lists
• UAE’s Own Position: The strength of the UAE’s AML framework affects international perceptions of VARA-licensed entities and their ability to maintain correspondent banking relationships and counterparty relationships with VASPs in other jurisdictions
• National Risk Assessment: The NRA published in June 2025 informs how the federal law’s requirements should be calibrated for the virtual asset sector