VARA Licensed VASPs: 21 ▲ +3 YTD | Enforcement Actions: 36 ▲ +2 in 2026 | VARA Rulebook Version: v2.0 ▲ May 2025 | Licensed Activities: 7 Categories ▲ Full Market | VARA Applications Pending: 147 ▲ +12 | AML/CFT Circulars: 41 ▲ +4 in 2026 | Free Zone Partners: DWTCA + DET ▲ Active | Unlicensed Firms Listed: 36+ ▲ Growing

How to Build a VARA-Compliant AML/CFT Programme

Practical guide to designing and implementing an AML/CFT compliance programme that meets VARA's requirements, UAE federal law, and FATF standards for virtual asset service providers.

Overview

Building an AML/CFT programme that meets VARA’s expectations requires integrating three layers of requirements: VARA rulebook standards, UAE federal AML/CFT law, and FATF international standards. This guide provides a practical framework for designing and implementing a programme that addresses all three layers.

Step 1: Establish Governance

Appoint a Money Laundering Reporting Officer (MLRO) with appropriate qualifications and authority. The MLRO must have direct access to senior management and the board.

Establish board-level oversight of AML/CFT compliance. The board or a dedicated committee should receive regular reports on AML/CFT programme effectiveness, risk assessments, and suspicious activity trends.

Define roles and responsibilities for all staff involved in AML/CFT compliance, including first-line operational staff, second-line compliance staff, and third-line internal audit.

Step 2: Conduct Risk Assessment

Perform an enterprise-wide AML/CFT risk assessment covering:

  • Customer risk: Risk profiles of your customer base, including geographic distribution, transaction patterns, and customer types
  • Product/service risk: Inherent AML/CFT risks of each virtual asset product or service offered
  • Channel risk: Risks associated with delivery channels, including online platforms, mobile applications, and API access
  • Geographic risk: Risks associated with jurisdictions where customers, counterparties, or transactions originate, with specific attention to FATF high-risk jurisdictions

Integrate the UAE National Risk Assessment findings as required by the June 2025 VARA circular.

Follow the November 2025 Guidance on Rule III D Risk Assessments for detailed risk assessment methodology.

Step 3: Implement Customer Due Diligence

Design CDD procedures that address three tiers:

  • Standard CDD: Identity verification, beneficial ownership identification, purpose of business relationship assessment
  • Simplified CDD: For lower-risk customers meeting specified criteria
  • Enhanced CDD: For high-risk customers, PEPs, customers from FATF-listed jurisdictions, and complex or unusual transactions

Implement ongoing monitoring of business relationships to ensure transactions are consistent with the VASP’s knowledge of the customer.

Establish qualified investor classification procedures per the January 2026 circular.

Step 4: Deploy Transaction Monitoring

Implement automated transaction monitoring systems capable of detecting:

  • Unusual transaction patterns
  • Structuring and layering behavior
  • Transactions involving high-risk jurisdictions
  • Transactions inconsistent with customer profiles
  • Rapid movement of funds through multiple accounts or wallets

Calibrate monitoring rules to your specific business model and risk assessment. Over-alerting reduces effectiveness; under-alerting creates compliance risk.

Monitor both on-chain and off-chain activity where applicable to your virtual asset activities.

Step 5: Implement Sanctions Screening

Register on the EOCN system for sanction alerts (mandatory since September 2024).

Deploy real-time sanctions screening covering:

  • Customer onboarding (name screening)
  • Ongoing screening against updated lists
  • Transaction screening for sanctioned addresses and entities
  • FATF high-risk jurisdiction screening

Follow EOCN Updated Guidance on Targeted Financial Sanctions from November 2025.

Step 6: Establish Reporting Mechanisms

Register on the UAEFIU IEMS platform for suspicious transaction reporting (mandatory per May 2025 circular).

Design STR filing procedures that ensure:

  • Prompt identification and escalation of suspicious activity
  • Quality STR preparation with sufficient detail
  • Timely filing through the IEMS system
  • Retention of filing records

Step 7: Implement Travel Rule Compliance

Deploy Virtual Assets Travel Rule systems per the February 2026 circular:

  • Collect originator and beneficiary information for qualifying transfers
  • Implement counterparty VASP identification procedures
  • Select and integrate a Travel Rule compliance solution
  • Establish procedures for cross-border transfer compliance

Step 8: Develop Policies and Procedures

Document comprehensive AML/CFT policies covering all programme components. Policies should be:

  • Board-approved
  • Regularly reviewed and updated
  • Accessible to all relevant staff
  • Aligned with both VARA and federal requirements

Step 9: Training

Develop and deliver AML/CFT training for all staff, with specialized training for compliance staff. Training should cover:

  • Regulatory obligations and their sources
  • CDD procedures and red flags
  • Transaction monitoring and alert handling
  • STR identification and filing procedures
  • Sanctions screening and compliance
  • Record keeping obligations

Step 10: Internal Audit and Testing

Establish internal audit coverage of the AML/CFT programme, including:

  • Regular testing of controls effectiveness
  • Independent review of suspicious activity identification and reporting
  • Assessment of sanctions screening system accuracy
  • Review of training programme adequacy

The MORPHEUS/FUZE case demonstrates that VARA will enforce compliance programme failures. Regular internal audit reduces enforcement risk.

For the complete AML/CFT requirements analysis, see our AML/CFT deep dive. For entity profiles of licensed VASPs, see our entities section.

For broader compliance context, visit UAE Tokenization Regulations. For the VARA licensing process, see our licensing guide.

Programme Architecture

A VARA-compliant AML/CFT programme must be built on a structured architecture that addresses governance, risk assessment, policies and procedures, technology, training, and independent review. This guide provides practical steps for constructing each component.

Governance Framework

Board Responsibility: Your board of directors (or equivalent governance body) must have documented responsibility for oversight of AML/CFT risk. This includes approving the AML/CFT policy framework, reviewing risk assessments, and receiving regular compliance reports.

Money Laundering Reporting Officer (MLRO): Appoint a qualified MLRO with sufficient seniority, independence, and access to information. The MLRO must be physically present in Dubai and must have direct reporting lines to senior management and the board.

Compliance Function: Staff the compliance function with personnel who have appropriate AML/CFT qualifications, experience, and ongoing training. The size of the compliance team should be proportionate to your business complexity and transaction volumes.

Risk Assessment

Your enterprise-wide risk assessment must identify, assess, and mitigate the money laundering and terrorist financing risks specific to your operations. The assessment should incorporate:

  • UAE National Risk Assessment findings: The June 2025 NRA identifies sector-specific risks that must be reflected in your assessment
  • VARA’s Risk Assessment Guidance: The November 2025 guidance on Rule III D risk assessments establishes VARA’s expectations
  • Customer Risk Factors: Geography, product usage, transaction patterns, and customer type
  • Product Risk Factors: Which of your products and services present higher ML/TF risk
  • Geographic Risk Factors: Countries of customer residence, transaction origin/destination, and FATF high-risk jurisdiction exposure
  • Delivery Channel Risk Factors: Online-only vs in-person, direct vs intermediated access

Customer Due Diligence (CDD) Procedures

Design CDD procedures that cover the full customer lifecycle:

Onboarding CDD:

  • Customer identification: Collect government-issued identification, proof of address, and source of funds information
  • Beneficial ownership: Identify and verify the beneficial owners of corporate customers
  • Risk scoring: Assign an initial risk score based on the information collected
  • Screening: Check customer against EOCN sanctions lists, PEP databases, and adverse media sources

Enhanced Due Diligence (EDD): Apply EDD to higher-risk categories:

Qualified Investor Classification: Per the January 2026 circular, implement investor categorisation procedures alongside AML CDD.

Transaction Monitoring

Implement automated transaction monitoring systems calibrated to your risk profile:

  • Rule-Based Monitoring: Alerts triggered by specific transaction characteristics (high value, rapid frequency, unusual patterns, structuring indicators)
  • Blockchain Analytics: Deploy blockchain analytics tools to trace the provenance and destination of virtual asset transactions, identifying connections to sanctioned addresses, darknet markets, mixers, and other high-risk services
  • Behavioural Analysis: Monitor for deviations from expected customer behaviour based on their stated purpose of relationship and transaction history
  • Travel Rule Integration: Per the February 2026 circular, ensure transaction monitoring captures originator and beneficiary information for qualifying transfers
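
An added example, not taken from VARA guidance or from any vendor's system: a minimal rule engine for the structuring and high-risk-jurisdiction indicators listed above, together with the alert-precision figure used when calibrating rules against investigation outcomes. The threshold, near-threshold band, time window, the jurisdiction code `XX` and the sample transfers are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical tuning values for illustration; not taken from VARA rules.
REPORT_THRESHOLD = 10_000        # value at which a single transfer is reviewed anyway
NEAR_BAND = 0.80                 # "just under" means 80-100% of the threshold
WINDOW = timedelta(hours=24)     # sliding window for counting near-threshold transfers
MIN_COUNT = 3                    # near-threshold transfers in the window that raise an alert
HIGH_RISK = {"XX"}               # placeholder jurisdiction code

# Constructed sample transfers: (customer, ISO timestamp, amount, counterparty jurisdiction)
SAMPLE = [
    ("cust-1", "2026-01-05T09:00", 9500, "AE"),
    ("cust-1", "2026-01-05T13:30", 9200, "AE"),
    ("cust-1", "2026-01-05T20:10", 9900, "AE"),
    ("cust-2", "2026-01-05T10:00", 9500, "AE"),
    ("cust-2", "2026-01-09T10:00", 9400, "AE"),   # outside the window: no alert
    ("cust-3", "2026-01-06T11:00", 1200, "XX"),
    ("cust-4", "2026-01-06T12:00", 300, "AE"),
]

def run_rules(transfers):
    """Return a sorted list of (customer, rule) alerts."""
    alerts = set()
    near = defaultdict(list)  # customer -> timestamps of near-threshold transfers
    for cust, ts, amount, country in sorted(transfers, key=lambda t: t[1]):
        when = datetime.fromisoformat(ts)
        if country in HIGH_RISK:
            alerts.add((cust, "high_risk_jurisdiction"))
        if NEAR_BAND * REPORT_THRESHOLD <= amount < REPORT_THRESHOLD:
            # Keep only earlier hits that are still inside the sliding window.
            near[cust] = [t for t in near[cust] if when - t <= WINDOW] + [when]
            if len(near[cust]) >= MIN_COUNT:
                alerts.add((cust, "structuring"))
    return sorted(alerts)

def alert_precision(alerts, confirmed):
    """Share of alerts that investigators confirmed as warranting escalation."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a in confirmed) / len(alerts)

if __name__ == "__main__":
    alerts = run_rules(SAMPLE)
    print(alerts)
    print(alert_precision(alerts, {("cust-1", "structuring")}))
```

Tracking precision per rule over time gives the annual review a concrete measure of alert quality and shows when a rule needs recalibration.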

Suspicious Activity Reporting

Establish procedures for the complete reporting lifecycle:

  1. Alert Generation: Transaction monitoring or staff referral generates an alert
  2. Alert Triage: Initial assessment to determine if investigation is warranted
  3. Investigation: Detailed review of the customer, transaction, and circumstances
  4. Escalation: Referral to the MLRO for reporting determination
  5. Filing: Submission of Suspicious Activity Report to the UAE Financial Intelligence Unit via the IEMS platform (per the May 2025 circular)
  6. Record-Keeping: Documentation of the entire process regardless of reporting outcome

Sanctions Screening

Integrate sanctions screening across multiple touchpoints:

  • Customer onboarding and periodic re-screening
  • Real-time transaction screening for all virtual asset transfers
  • EOCN system registration and alert handling
  • Screening against UN, OFAC, and other applicable sanctions lists
  • Procedures for asset freezing when matches are confirmed

Record-Keeping

Maintain comprehensive records including:

  • Customer identification and verification documents
  • Transaction records with full audit trails
  • Alert investigation files and outcomes
  • SAR filing records
  • Training records for all staff
  • Risk assessment documentation
  • Policy versions and amendment history

Technology Infrastructure

An effective AML programme for a VASP requires technology infrastructure that combines traditional financial compliance tools with blockchain-specific capabilities:

  • KYC Platform: Identity verification, document authentication, and screening
  • Transaction Monitoring System: Rule engine and case management for investigating alerts
  • Blockchain Analytics: Tools for tracing virtual asset flows, identifying high-risk addresses, and supporting investigations
  • Sanctions Screening: Automated screening against EOCN and other sanctions lists
  • Travel Rule Solution: Messaging infrastructure for exchanging originator/beneficiary information with counterparty VASPs
  • Case Management: Workflow tools for managing investigations, approvals, and regulatory filings

Lessons from the FUZE Enforcement Case

The FUZE case (August 2025) provides direct guidance on what VARA expects from AML programmes. FUZE was penalised for “failures in AML programme controls, related governance, compliance and internal systems and controls.” To avoid similar enforcement action:

  • Ensure your AML programme is genuinely operational, not merely documented
  • Maintain governance structures that actively oversee AML compliance
  • Invest in compliance systems that are proportionate to your business scale
  • Disclose material compliance issues to VARA proactively — FUZE’s “failure to disclose material information to the Regulator” was treated as an aggravating factor

Independent Review

Conduct periodic independent reviews of your AML programme to assess effectiveness. The review should be performed by qualified professionals independent of the compliance function and should assess:

  • Whether policies and procedures are implemented as documented
  • Whether transaction monitoring systems generate appropriate alerts
  • Whether alert investigation and reporting processes are effective
  • Whether staff training is adequate and current
  • Whether the risk assessment reflects current business activities and risk factors

Ongoing Programme Maintenance

An AML programme is not a static document — it requires continuous maintenance and adaptation:

Circular Implementation Process

When VARA issues a new circular (41 to date, with four in January-March 2026 alone), your AML programme may require updates. Establish a process for:

  1. Receipt and Review: Assign responsibility for monitoring VARA circular publications
  2. Impact Assessment: Evaluate how the circular affects your existing programme
  3. Gap Analysis: Identify any gaps between current practices and new requirements
  4. Implementation Planning: Define actions, responsibilities, and timelines
  5. Execution: Implement changes to policies, procedures, systems, and training
  6. Documentation: Record the changes and their rationale
  7. Validation: Test that changes are effective and properly implemented

Annual Programme Review

Conduct a comprehensive annual review of your AML programme that assesses:

  • Whether your risk assessment remains current given business changes and the evolving risk environment
  • The effectiveness of transaction monitoring rules (alert quality, false positive rates, detection capability)
  • The quality and timeliness of suspicious activity reporting
  • Staff training currency and comprehension
  • Technology system adequacy and performance
  • Governance and oversight effectiveness