March 22, 2026
Methodology About Contact
DUBAI TOKENISATION
The Vanderbilt Terminal for Dubai Tokenization Ecosystem
INDEPENDENT GLOBAL INTELLIGENCE FOR DUBAI TOKENISATION
VARA Licensed VASPs: 21 ▲ +3 YTD | Enforcement Actions: 36 ▲ +2 in 2026 | VARA Rulebook Version: v2.0 ▲ May 2025 | Licensed Activities: 7 Categories ▲ Full Market | VARA Applications Pending: 147 ▲ +12 | AML/CFT Circulars: 41 ▲ +4 in 2026 | Free Zone Partners: DWTCA + DET ▲ Active | Unlicensed Firms Listed: 36+ ▲ Growing | VARA Licensed VASPs: 21 ▲ +3 YTD | Enforcement Actions: 36 ▲ +2 in 2026 | VARA Rulebook Version: v2.0 ▲ May 2025 | Licensed Activities: 7 Categories ▲ Full Market | VARA Applications Pending: 147 ▲ +12 | AML/CFT Circulars: 41 ▲ +4 in 2026 | Free Zone Partners: DWTCA + DET ▲ Active | Unlicensed Firms Listed: 36+ ▲ Growing |

Anti-Money Laundering (AML)

Definition

Anti-Money Laundering (AML) refers to the comprehensive set of laws, regulations, policies, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. Within VARA’s regulatory framework, AML obligations form the cornerstone of compliance requirements for all licensed virtual asset service providers operating in Dubai.

VARA’s AML framework is not a standalone regime — it operates within a layered regulatory structure that combines VARA’s own rulebooks, the UAE Federal AML Decree-Law, FATF international standards, and coordination mechanisms with other UAE authorities including the UAE Financial Intelligence Unit, the Executive Office for Control and Non-Proliferation (EOCN), and the Central Bank of the UAE.

VARA’s AML Framework

VARA’s AML/CFT requirements for VASPs establish detailed obligations across several domains:

Customer Due Diligence (CDD)

Licensed VASPs must verify the identity of all customers before establishing a business relationship or conducting transactions. CDD requirements include:

  • Identification and verification of the customer’s identity using reliable, independent source documents
  • Identification of the beneficial owner and taking reasonable measures to verify their identity
  • Understanding the purpose and intended nature of the business relationship
  • Ongoing monitoring of the business relationship, including scrutiny of transactions to ensure consistency with the VASP’s knowledge of the customer

Enhanced Due Diligence (EDD)

EDD measures must be applied to higher-risk categories, including politically exposed persons, customers from FATF high-risk jurisdictions, unusual or complex transactions, and other situations identified through the VASP’s risk assessment. The January 2026 circular on enhanced measures for high-risk jurisdictions (based on October 2025 FATF lists) specifies particular EDD requirements.

Transaction Monitoring

VASPs must implement systems to monitor transactions for suspicious activity, including unusual patterns, structuring attempts, and transactions involving sanctioned individuals or entities. The EOCN sanctions screening requirements (November 2025 circular) mandate registration on the EOCN system for real-time sanctions alerts.

Suspicious Activity Reporting

When a VASP identifies suspicious activity, it must file a Suspicious Activity Report with the UAE Financial Intelligence Unit. The May 2025 circular on the Integrated Enquiry Management System (IEMS) established specific requirements for how VASPs interact with the UAEFIU reporting infrastructure.

Record-Keeping

VASPs must maintain records of customer identification, transaction data, and compliance actions for prescribed periods, enabling reconstruction of individual transactions for law enforcement purposes.

Key VARA AML Circulars

VARA has issued multiple circulars addressing AML obligations:

Enforcement Cases Involving AML Failures

The Morpheus Software Technology (FUZE) case (August 2025) is the most significant AML-related enforcement action to date. FUZE was penalised for “failures in AML programme controls, related governance, compliance and internal systems and controls,” alongside unlicensed activities and failure to disclose material information. VARA appointed a skilled person to remediate FUZE’s compliance deficiencies — the first use of this remedy.

This case established that VARA examines the substance of AML programmes, not merely their existence. Licensed entities including Binance Dubai, OKX Middle East, BitOasis, and Crypto.com Dubai must maintain genuinely effective AML controls, not just documented policies.

UAE Federal AML Context

VARA’s AML requirements operate within the UAE’s federal AML architecture. The UAE Federal AML Decree-Law updated in November 2025 applies to all VASPs as designated non-financial businesses and professions. The UAE National Risk Assessment (June 2025) identifies specific money laundering and terrorist financing risks associated with the virtual asset sector that VASPs must address.

International Standards

VARA’s AML framework aligns with FATF Recommendations, particularly Recommendations 15 (new technologies) and 16 (wire transfers, extended to virtual assets via the Travel Rule). For comparison with AML approaches in other jurisdictions, see our analyses of VARA vs ADGM FSRA, VARA vs EU MiCA, and Dubai vs Singapore.

For the full AML compliance framework, see our AML/CFT requirements analysis and our guide to building a VARA-compliant AML programme. For related terms, browse our glossary.

AML Programme Components for VASPs

A comprehensive AML programme under VARA’s framework consists of several interconnected components that must work together:

  • Governance Framework: Board-level oversight of AML risk, appointment of a qualified Money Laundering Reporting Officer (MLRO), and clear reporting lines from the compliance function to senior management
  • Risk Assessment: Enterprise-wide assessment of money laundering and terrorist financing risks, informed by the UAE National Risk Assessment and VARA’s November 2025 guidance on Rule III D risk assessments
  • Policies and Procedures: Documented AML policies covering CDD, EDD, transaction monitoring, sanctions screening, PEP management, and suspicious activity reporting
  • Training: Regular AML training for all staff, with specialised training for compliance personnel
  • Independent Audit: Periodic independent testing of AML controls to assess effectiveness
  • Technology Infrastructure: Automated transaction monitoring systems, sanctions screening tools, and blockchain analytics capabilities appropriate for virtual asset operations

Institutional Access

Coming Soon