AML/CFT/CPF Requirements for Dubai VASPs — The 2026 Implementation Framework

The Evolving AML/CFT Architecture for Dubai’s Virtual Asset Sector

The anti-money laundering and counter-terrorism financing obligations imposed on Virtual Asset Service Providers in Dubai represent one of the most intensively regulated compliance areas under VARA’s framework. Since the issuance of the Virtual Assets and Related Activities Regulations 2023, VARA has published a continuous stream of circulars strengthening and refining AML/CFT requirements, culminating in the March 4, 2026 circular on “Implementation of the UAE Anti-Money Laundering, Counter-Terrorism Financing and Proliferation Financing Requirements Applicable to VASPs.”

This deep dive traces the complete AML/CFT/CPF obligation framework from VARA rulebook requirements through federal legislation to international FATF standards, providing licensed VASPs and prospective applicants with a comprehensive compliance map.

Three-Layer Regulatory Architecture

AML/CFT compliance for Dubai VASPs operates across three regulatory layers, each imposing distinct but overlapping obligations:

Layer 1: VARA Rulebook Requirements

VARA’s activity-based rulebooks, updated to Version 2.0 in May 2025, establish baseline AML/CFT requirements for all licensed VASPs. These include customer due diligence (CDD) procedures, transaction monitoring systems, suspicious activity reporting mechanisms, sanctions screening, and record-keeping obligations.

The rulebooks require VASPs to adopt a risk-based approach to AML/CFT, calibrating the intensity of controls to the assessed risk level of customers, products, services, delivery channels, and geographic exposures. This approach is consistent with international standards but requires VASPs to demonstrate that their risk assessments are substantive and regularly updated.

Layer 2: UAE Federal AML/CFT/CPF Legislation

The November 2025 publication of the updated UAE Federal Decree-Law on AML/CFT/CPF imposed a new obligation framework at the federal level. VARA’s associated circular mandated a “Mandatory GAP Assessment for VASPs,” requiring all licensed entities to:

1. Analyze the new federal requirements against their existing compliance programmes
2. Identify gaps between current practices and the updated legal requirements
3. Develop and implement remediation plans to close identified gaps
4. Document the assessment process and remediation outcomes for regulatory review

This gap assessment requirement acknowledged that the updated federal law introduced new obligations not previously addressed in VARA’s own rulebooks, requiring VASPs to operate under a combined regulatory standard that incorporates both VARA-specific and federal requirements.

Layer 3: FATF International Standards

The Financial Action Task Force sets the international standards that inform both VARA’s rulebooks and UAE federal legislation. VARA has demonstrated close attention to FATF developments through several circulars:

The January 2026 circular on “Enhanced Measures for High-Risk Jurisdictions — Updated FATF Lists (October 2025)” requires VASPs to apply enhanced due diligence measures to customers and transactions involving jurisdictions on the FATF’s two lists:

• Jurisdictions subject to a Call for Action (the “blacklist”): requiring VASPs to apply countermeasures proportionate to the risks
• Jurisdictions under Increased Monitoring (the “greylist”): requiring VASPs to apply enhanced due diligence proportionate to the risks

For VASPs, tracking FATF list changes is not optional — it is a regulatory obligation that must be incorporated into customer onboarding procedures, ongoing monitoring, and risk assessment frameworks.

The March 2026 AML/CFT/CPF Circular

The most recent and comprehensive AML/CFT guidance was issued on March 4, 2026: “Implementation of the UAE Anti-Money Laundering, Counter-Terrorism Financing and Proliferation Financing Requirements Applicable to VASPs.” This circular consolidates and clarifies the obligations arising from the updated federal law and represents the current definitive statement of VARA’s expectations.

Key requirements include:

Customer Due Diligence Enhancement

VASPs must ensure their CDD procedures meet both VARA rulebook standards and the updated federal requirements. This includes:

• Identity Verification: Using reliable, independent source documents or data to verify customer identity before establishing a business relationship or conducting transactions above specified thresholds
• Beneficial Ownership Identification: Identifying and verifying the beneficial owners of legal entities and legal arrangements, with specific requirements for identifying the natural persons who ultimately own or control the customer
• Ongoing Monitoring: Continuous monitoring of business relationships to ensure that transactions are consistent with the VASP’s knowledge of the customer, their business, and risk profile

Enhanced Due Diligence Triggers

Enhanced due diligence is required for:

• Customers assessed as high-risk under the VASP’s risk assessment framework
• Customers from or with connections to FATF high-risk jurisdictions
• Politically Exposed Persons (PEPs) and their associates
• Complex or unusually large transactions
• Unusual patterns of transactions with no apparent economic or lawful purpose
• Correspondent relationships with foreign VASPs

Suspicious Transaction Reporting

VASPs must file Suspicious Transaction Reports (STRs) through the UAE Financial Intelligence Unit (UAEFIU) using the Integrated Enquiry Management System (IEMS). The May 2025 circular specifically required all licensed VASPs to register on the IEMS platform and established expectations for the quality, timeliness, and completeness of STR filings.

Reports must be filed “promptly” when there are reasonable grounds to suspect that a transaction or attempted transaction involves proceeds of crime, is related to terrorism financing, or is related to proliferation financing.

Targeted Financial Sanctions Compliance

The sanctions compliance requirements for VASPs are substantial and evolving. The Executive Office for Control and Non-Proliferation (EOCN) coordinates UAE implementation of UN Security Council sanctions. VASPs must:

• Register on the EOCN system for sanction alerts (mandatory since September 2024)
• Implement real-time screening of customers and transactions against applicable sanctions lists
• Freeze assets and file reports immediately upon identifying a sanctions match
• Follow updated EOCN guidance on Targeted Financial Sanctions published in November 2025

Record Keeping Requirements

AML/CFT records, including customer identification documents, transaction records, and compliance documents, must be retained for the periods specified in applicable law. These records must be sufficient to permit reconstruction of individual transactions and must be available to VARA and other competent authorities upon request.

The Virtual Assets Travel Rule

The February 24, 2026 circular on “Implementation of the UAE Virtual Assets Travel Rule Requirements” represents a major compliance milestone for Dubai VASPs. The Travel Rule requires VASPs to collect, hold, and transmit specified information about the originator and beneficiary of virtual asset transfers.

Information Requirements

For qualifying transfers, the originating VASP must collect and transmit:

• Originator name
• Originator account number (or wallet address)
• Originator physical address, national identity number, or date and place of birth
• Beneficiary name
• Beneficiary account number (or wallet address)

Operational Implementation

Implementing the Travel Rule presents significant operational challenges for VASPs, particularly regarding:

• Counterparty identification: Determining whether the counterparty in a virtual asset transfer is another VASP (and therefore subject to receiving Travel Rule information) or an unhosted wallet
• Technical infrastructure: Implementing systems capable of transmitting and receiving Travel Rule information, whether through proprietary protocols, industry solutions, or bilateral arrangements
• Cross-border compliance: Managing Travel Rule obligations when the counterparty VASP operates in a jurisdiction that has not yet implemented comparable requirements

National Risk Assessment Integration

The June 2025 circular on the UAE National Risk Assessment (NRA) requires VASPs to integrate NRA findings into their enterprise-wide risk assessments. The NRA identifies specific risks associated with virtual asset activities in the UAE context, including:

• Use of virtual assets for cross-border value transfer
• Risks associated with privacy coins and anonymity-enhancing technologies
• Risks arising from the rapid pace of technological change in the virtual asset sector
• Risks associated with peer-to-peer virtual asset transactions

VASPs are expected to demonstrate that their risk assessments reflect NRA findings and that their AML/CFT controls are calibrated to address the identified risks.

Enforcement of AML/CFT Obligations

VARA’s enforcement actions demonstrate that AML/CFT compliance failures carry significant consequences. The August 2025 action against MORPHEUS SOFTWARE TECHNOLOGY FZE (FUZE) specifically cited “Failures in AML programme controls, related governance, compliance and internal systems and controls” alongside unlicensed activity violations. This case is notable because it combined AML compliance failures with other regulatory breaches, including “Failure to disclose material information to the Regulator,” resulting in the most comprehensive enforcement action in VARA’s history — including cease-and-desist orders, financial penalties, and the appointment of a skilled person to review and remediate the entity’s compliance programme.

The breadth of enforcement actions against unlicensed entities — 36+ as of early 2026 — also reflects the AML/CFT dimension of VARA’s enforcement mandate. Unlicensed entities operating without AML/CFT controls represent a direct risk to the integrity of Dubai’s financial system.

Practical Compliance Roadmap

For licensed VASPs seeking to ensure compliance with the current AML/CFT/CPF framework, the following priority areas warrant immediate attention:

1. Gap Assessment Completion: Ensure the mandatory gap assessment against the November 2025 Federal Decree-Law has been completed and documented
2. Travel Rule Implementation: Verify that systems and procedures are in place to comply with the February 2026 Travel Rule requirements
3. FATF List Updates: Confirm that customer screening systems reflect the October 2025 FATF list updates referenced in the January 2026 circular
4. EOCN Registration: Verify active registration on the EOCN system and implementation of updated TFS guidance from November 2025
5. IEMS Registration: Ensure active registration on the UAEFIU’s IEMS platform for STR filing

For guidance on the broader compliance framework, see our Compliance Requirements analysis. For information on the licensing process and initial compliance setup, see our Licensing Guide.

For federal-level AML/CFT regulatory intelligence, visit UAE Tokenization Regulations. For comparison with AML/CFT requirements in other UAE regulatory zones, see our VARA vs ADGM comparison.

The March 2026 Implementation Circular

The most recent AML/CFT circular — published March 4, 2026 — addresses “Implementation of the UAE Anti-Money Laundering, Counter-Terrorism Financing and Proliferation Financing Requirements Applicable to VASPs.” This circular represents the most comprehensive statement of VARA’s AML expectations to date, incorporating:

• Requirements from the UAE Federal AML Decree-Law updated in November 2025
• Implementation guidance for the Virtual Assets Travel Rule (complementing the February 2026 circular)
• FATF high-risk jurisdiction screening requirements
• EOCN sanctions screening obligations
• Risk assessment expectations

Specific Requirements

The circular requires all licensed VASPs to maintain AML/CFT programmes that address:

Customer Due Diligence: Proportionate to the risk profile of each customer, with enhanced measures for PEPs, customers from high-risk jurisdictions, and high-value/complex transactions.

Transaction Monitoring: Automated systems calibrated to detect suspicious patterns, structuring, and unusual activity. For virtual asset transactions, this includes blockchain analytics capabilities.

Sanctions Compliance: Real-time screening against EOCN lists, UN sanctions, and other applicable regimes.

Record-Keeping: Comprehensive retention of customer identification, transaction data, and compliance documentation.

Reporting: Suspicious activity reporting through the UAE FIU’s IEMS platform, with quality standards for report completeness and timeliness.

The FUZE Precedent

The enforcement action against FUZE (August 2025) — penalised for “failures in AML programme controls, related governance, compliance and internal systems and controls” — established that VARA assesses AML programme effectiveness, not just documentation. The March 2026 circular provides the detailed standards against which this assessment is conducted.

AML Programme Governance Best Practices

Based on VARA’s regulatory expectations and the FUZE enforcement precedent, licensed VASPs should implement AML programme governance that includes:

Board-Level Oversight

The board of directors (or equivalent governing body) should receive regular AML/CFT reports covering:

• Summary of suspicious activity reporting volumes and trends
• Transaction monitoring alert statistics and investigation outcomes
• Results of compliance programme testing and audits
• Status of remediation actions for identified deficiencies
• Regulatory developments requiring programme changes (including new VARA circulars)
• Risk assessment updates reflecting changes in business activities or risk environment

Three Lines of Defence

An effective AML governance model employs three lines of defence:

1. First Line (Business): Operational staff conducting CDD, monitoring transactions, and identifying suspicious activity
2. Second Line (Compliance): The compliance function providing oversight, policies, training, and quality assurance
3. Third Line (Audit): Independent internal audit assessing programme effectiveness and identifying control weaknesses

MLRO Independence

The Money Laundering Reporting Officer must maintain sufficient independence from business functions to exercise objective judgment on suspicious activity reporting decisions. The MLRO’s reporting line to senior management and the board must be direct and unimpeded. Adequate resourcing of the MLRO function ensures that reporting decisions are not influenced by business pressures.