VARA Licensed VASPs: 21 ▲ +3 YTD | Enforcement Actions: 36 ▲ +2 in 2026 | VARA Rulebook Version: v2.0 ▲ May 2025 | Licensed Activities: 7 Categories ▲ Full Market | VARA Applications Pending: 147 ▲ +12 | AML/CFT Circulars: 41 ▲ +4 in 2026 | Free Zone Partners: DWTCA + DET ▲ Active | Unlicensed Firms Listed: 36+ ▲ Growing

VARA Compliance Requirements for Licensed VASPs — Complete Obligation Map

Detailed analysis of ongoing compliance obligations for VARA-licensed Virtual Asset Service Providers, including AML/CFT programmes, risk management, governance, reporting, and consumer protection requirements.

The Compliance Architecture for Dubai’s Licensed VASPs

Securing a VARA licence is the beginning — not the end — of a regulated entity’s compliance journey. The ongoing obligations imposed by the Virtual Assets and Related Activities Regulations 2023 and the Version 2.0 activity-based rulebooks (May 2025) create a comprehensive compliance architecture that licensed VASPs must maintain at all times. Failure to meet these obligations carries real consequences, as demonstrated by the enforcement action against MORPHEUS SOFTWARE TECHNOLOGY FZE (FUZE) in August 2025, which included penalties specifically for “Failures in AML programme controls, related governance, compliance and internal systems and controls.”

This analysis maps the complete set of ongoing compliance obligations applicable to licensed entities operating under VARA’s supervision.

AML/CFT/CPF Programme Requirements

Anti-money laundering compliance forms the bedrock of VARA’s supervisory expectations. The requirements operate at three levels: VARA’s own rulebooks, UAE federal AML/CFT legislation, and international standards set by the Financial Action Task Force (FATF).

VARA Rulebook AML/CFT Requirements

Every licensed VASP must establish and maintain an AML/CFT programme that includes:

Customer Due Diligence (CDD): Risk-based customer identification and verification procedures, with enhanced due diligence for high-risk customers, politically exposed persons (PEPs), and customers from jurisdictions identified by the FATF as high-risk. The January 2026 circular on “Enhanced Measures for High-Risk Jurisdictions — Updated FATF Lists (October 2025)” requires VASPs to apply specific measures to customers connected to these jurisdictions.

Transaction Monitoring: Automated systems capable of detecting suspicious patterns, including structuring, layering, and unusual transaction volumes or frequencies. Monitoring must cover both on-chain and off-chain activity.

Suspicious Activity Reporting: VASPs must file Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) through the UAE Financial Intelligence Unit’s Integrated Enquiry Management System (IEMS), as mandated by the May 2025 circular on IEMS requirements.

Sanctions Screening: Real-time screening against applicable sanctions lists, including those maintained by the UAE Executive Office for Control and Non-Proliferation (EOCN). The September 2024 circular mandated registration on the EOCN system for sanction alerts, with updated guidance issued in November 2025.

Record Keeping: Comprehensive retention of customer records, transaction data, and compliance documentation for the periods specified in both VARA rulebooks and UAE federal law.

UAE Federal AML/CFT Requirements

The November 2025 publication of the updated UAE Federal Decree-Law on AML/CFT/CPF imposed additional obligations on VASPs. The associated VARA circular mandated a “Mandatory GAP Assessment” requiring all licensed VASPs to identify and remediate gaps between their existing programmes and the updated federal requirements.

The March 2026 circular on “Implementation of the UAE Anti-Money Laundering, Counter-Terrorism Financing and Proliferation Financing Requirements Applicable to VASPs” provided the most recent and comprehensive guidance on aligning VASP compliance programmes with federal law.

Virtual Assets Travel Rule

The Virtual Assets Travel Rule, implemented through the February 2026 circular, requires VASPs to collect, hold, and transmit specific originator and beneficiary information when processing virtual asset transfers. This rule implements FATF Recommendation 16 in the virtual asset context and represents a significant operational requirement for all licensed entities.

The Travel Rule applies to both domestic transfers (between VARA-licensed VASPs) and cross-border transfers; compliance is required regardless of the counterparty’s jurisdiction or regulatory status.

National Risk Assessment Obligations

The June 2025 circular on the UAE National Risk Assessment (NRA) requires VASPs to review and incorporate the NRA findings into their enterprise-wide risk assessments. The NRA, published alongside an annual report, identifies key money laundering and terrorism financing risks relevant to the UAE’s financial sector, including specific risks associated with virtual asset activities.

Risk Management Framework

VARA requires all licensed VASPs to maintain enterprise-wide risk management frameworks. The November 2025 “Guidance on Rule III D Risk Assessments” provides the most detailed articulation of VARA’s expectations in this area.

Required Risk Assessment Components

ML/TF Risk Assessment: A documented assessment of money laundering and terrorism financing risks specific to the entity’s business model, customer base, products, geographic exposure, and delivery channels. This must be updated at least annually and whenever material changes occur in the risk environment.

Operational Risk Assessment: Identification and management of risks arising from failed or inadequate internal processes, people, systems, or external events. For virtual asset businesses, this includes technology risks, cybersecurity risks, and smart contract risks.

Market Risk Assessment: For entities involved in exchange services, proprietary trading, or market-making activities, a comprehensive assessment of risks arising from market price movements. The July 2025 circular reminded VASPs of specific licence code requirements for VA proprietary trading.

Liquidity Risk Assessment: Assessment of the entity’s ability to meet financial obligations as they fall due, including management of customer asset segregation and reserve requirements.

Risk Governance Structure

VARA expects licensed VASPs to maintain a governance structure for risk management that includes:

  • Board-level risk oversight committee or equivalent
  • Chief Risk Officer or equivalent senior management role
  • Independent compliance function separate from business operations
  • Internal audit capability with direct reporting line to the board
  • Documented risk appetite statements approved by the board

Governance and Internal Controls

Senior Management Requirements

Licensed VASPs must ensure that individuals performing senior management functions (“Approved Individuals”) meet VARA’s fitness and propriety standards. This includes requirements for relevant experience, qualifications, and personal integrity.

Changes to senior management require prior notification to VARA, and in some cases, prior approval. The obligation extends to beneficial owners and controllers of licensed entities.

Compliance Function

Every licensed VASP must maintain an independent compliance function responsible for:

  • Monitoring compliance with VARA regulations and all applicable laws
  • Advising the business on regulatory requirements
  • Maintaining the entity’s compliance policies and procedures
  • Coordinating with VARA on supervisory matters
  • Managing regulatory reporting obligations

The compliance function must have adequate resources, access to senior management, and sufficient authority to fulfil its mandate.

Internal Audit

VARA expects licensed VASPs to maintain an internal audit function (which may be outsourced for smaller entities) that provides independent assurance on the effectiveness of governance, risk management, and internal controls.

Consumer Protection Obligations

Disclosure Requirements

Licensed VASPs must provide clear, accurate, and timely disclosures to customers regarding:

  • The nature and risks of virtual asset products and services
  • Fee structures and charges
  • Custody arrangements for customer assets
  • Complaint handling procedures
  • The regulatory status of the entity and its activities

Customer Asset Segregation

Customer virtual assets must be segregated from the entity’s own assets. This requirement, emphasized in the custody services rulebook, ensures that customer assets are identifiable and recoverable in the event of the entity’s insolvency.

Complaint Handling

Licensed VASPs must maintain formal complaint handling procedures, including documented processes for receiving, investigating, and resolving customer complaints within specified timeframes. Unresolved complaints may be escalated to VARA.

Qualified Investor Classification

The January 2026 circular on “Onboarding and Classification of Qualified Investors” established specific requirements for how VASPs classify and onboard qualified investors, including documentation requirements and ongoing monitoring obligations. This classification affects the products and services that may be offered to different investor categories.

Marketing and Communications Compliance

The VARA Marketing Regulations, first issued in August 2022, impose strict requirements on how licensed VASPs may advertise and market virtual asset products and services. The enforcement action against THE OPEN NETWORK FOUNDATION in July 2025 for marketing regulation breaches demonstrates VARA’s willingness to enforce these requirements.

Key marketing compliance obligations include:

  • All marketing materials must be fair, clear, and not misleading
  • Risk warnings must be prominently displayed
  • Past performance disclaimers are required where historical returns are referenced
  • Social media marketing must comply with the same standards as traditional advertising
  • Influencer marketing is subject to specific disclosure requirements

Regulatory Reporting

Periodic Reporting

Licensed VASPs must submit regular reports to VARA covering financial position, operational metrics, compliance status, and material events. The specific reporting frequency and content requirements vary by activity category.

Event-Driven Reporting

Certain events trigger immediate notification obligations to VARA, including:

  • Material changes to business operations
  • Significant compliance breaches
  • Cybersecurity incidents
  • Changes in senior management or ownership
  • Legal proceedings involving the entity
  • Any event that could materially affect the entity’s ability to meet its regulatory obligations

CBUAE Payment Token Service Requirements

For VASPs involved in payment or stablecoin activities, the July 2025 circular on “Compliance with CBUAE PTSR — [NoC] Non-Objection Registration Requirement” established additional reporting and registration obligations with the Central Bank of the UAE.

Technology and Cybersecurity Requirements

While detailed technology requirements are embedded within activity-specific rulebooks, common obligations include:

  • Robust cybersecurity frameworks including incident detection, response, and recovery
  • Regular penetration testing and vulnerability assessments
  • Business continuity and disaster recovery planning
  • Data protection controls aligned with applicable data protection regulations
  • Technology change management procedures

Enforcement Consequences for Non-Compliance

The compliance obligations outlined above are not aspirational — they carry enforcement consequences. VARA’s enforcement toolkit includes supervisory warnings, directions and orders, cease-and-desist orders, financial penalties, and licensing measures including suspension or revocation.

The August 2025 action against MORPHEUS SOFTWARE TECHNOLOGY FZE (FUZE) is particularly instructive. That entity faced penalties for “Failures in AML programme controls, related governance, compliance and internal systems and controls” alongside unlicensed activity violations — demonstrating that compliance failures by licensed entities carry consequences distinct from unlicensed operation.

For a complete analysis of VARA’s enforcement approach, see our enforcement section and the enforcement actions dashboard. For information on how compliance requirements compare across Dubai’s regulatory zones, see our VARA vs DFSA comparison.

For additional context on UAE federal compliance requirements affecting VASPs, see UAE Tokenization Regulations. For guidance on navigating the initial compliance setup during the licensing process, see our VARA Licensing Guide.

Comprehensive Compliance Framework

VARA’s compliance requirements for licensed VASPs form a multi-layered framework that extends well beyond AML/CFT to encompass governance, operational resilience, market conduct, and consumer protection. The v2.0 rulebooks published in May 2025 strengthened these requirements, and the 41 circulars issued through early 2026 provide detailed implementation guidance.

Governance Requirements

Licensed VASPs must maintain governance structures that include:

  • Board of directors (or equivalent governance body) with appropriate qualifications and independence
  • Defined committee structures for risk management, audit, and compliance oversight
  • Fitness-and-propriety standards for directors, senior managers, and key function holders
  • Clear reporting lines from the compliance function to senior management and the board
  • Documented governance frameworks covering decision-making processes, delegation of authority, and accountability

Operational Resilience

VARA expects licensed entities to maintain operational continuity:

  • Business continuity planning covering technology failures, cybersecurity incidents, and other disruptions
  • Disaster recovery arrangements for critical systems including trading platforms, custody infrastructure, and compliance systems
  • Cybersecurity frameworks including regular penetration testing, vulnerability management, and incident response
  • IT risk management appropriate to the entity’s scale and complexity

Market Conduct

For entities licensed for exchange or trading activities, market conduct obligations include:

  • Fair and orderly market operation
  • Surveillance for market manipulation, insider trading, and front-running
  • Conflict of interest management (particularly for entities conducting proprietary trading alongside customer-facing activities)
  • Best execution obligations when executing customer orders

Regulatory Reporting

Licensed VASPs must submit periodic reports to VARA covering:

  • Financial position and capital adequacy
  • Trading volumes and activity metrics
  • Compliance programme status and identified issues
  • AML/CFT statistics (SARs filed, alerts investigated, etc.)
  • Technology incidents and cybersecurity events