March 22, 2026
Methodology About Contact
DUBAI TOKENISATION
The Vanderbilt Terminal for Dubai Tokenization Ecosystem
INDEPENDENT GLOBAL INTELLIGENCE FOR DUBAI TOKENISATION
VARA Licensed VASPs: 21 ▲ +3 YTD | Enforcement Actions: 36 ▲ +2 in 2026 | VARA Rulebook Version: v2.0 ▲ May 2025 | Licensed Activities: 7 Categories ▲ Full Market | VARA Applications Pending: 147 ▲ +12 | AML/CFT Circulars: 41 ▲ +4 in 2026 | Free Zone Partners: DWTCA + DET ▲ Active | Unlicensed Firms Listed: 36+ ▲ Growing | VARA Licensed VASPs: 21 ▲ +3 YTD | Enforcement Actions: 36 ▲ +2 in 2026 | VARA Rulebook Version: v2.0 ▲ May 2025 | Licensed Activities: 7 Categories ▲ Full Market | VARA Applications Pending: 147 ▲ +12 | AML/CFT Circulars: 41 ▲ +4 in 2026 | Free Zone Partners: DWTCA + DET ▲ Active | Unlicensed Firms Listed: 36+ ▲ Growing |
Home VARA Framework FATF High-Risk Jurisdictions and Dubai VASPs — Enhanced Due Diligence Requirements
Layer 2 deep dive

FATF High-Risk Jurisdictions and Dubai VASPs — Enhanced Due Diligence Requirements

Analysis of VARA's requirements for VASPs dealing with FATF high-risk and increased monitoring jurisdictions, based on the January 2026 circular and ongoing FATF list updates.

Advertisement

FATF List Obligations for Dubai’s Licensed VASPs

The Financial Action Task Force maintains two lists that directly impact the operations of every VARA-licensed Virtual Asset Service Provider in Dubai. The January 22, 2026 circular on “Enhanced Measures for High-Risk Jurisdictions — Updated FATF Lists (October 2025)” is the most recent VARA communication requiring VASPs to incorporate these lists into their compliance operations, but the underlying obligation is continuous: VASPs must monitor FATF list changes and adjust their controls accordingly.

This analysis maps the specific obligations arising from FATF list classifications and their practical implications for Dubai VASPs, including customer onboarding, transaction monitoring, and enhanced due diligence requirements under VARA’s AML/CFT framework.

The Two FATF Lists

Jurisdictions Subject to a Call for Action (the “Blacklist”)

The FATF’s blacklist identifies countries or jurisdictions with significant strategic deficiencies in their anti-money laundering, counter-terrorism financing, and counter-proliferation financing frameworks. The FATF calls on all member jurisdictions — and by extension, all regulated entities including VASPs — to apply countermeasures to protect the international financial system from the ML/TF/PF risks emanating from these jurisdictions.

For Dubai VASPs, the practical effect of a jurisdiction’s blacklist designation is severe: transactions involving customers or counterparties connected to blacklisted jurisdictions may require the most intensive enhanced due diligence measures, and in some cases, VASPs may need to decline to process transactions or establish business relationships.

Jurisdictions Under Increased Monitoring (the “Greylist”)

The greylist identifies countries or jurisdictions that have committed to resolve strategically important deficiencies in their AML/CFT/CPF regimes but have not yet fully remediated them. These jurisdictions are subject to increased monitoring by the FATF.

For Dubai VASPs, greylist designations require enhanced due diligence proportionate to the identified risks. The enhanced measures may include additional identity verification, enhanced transaction monitoring, senior management approval for new business relationships, and ongoing monitoring requirements.

The UAE’s own experience with the FATF greylist — listed in March 2022 and subsequently removed following intensive remediation — provides direct context for understanding the significance of these designations. The UAE’s exit from the greylist reflected substantial regulatory and operational improvements, including the strengthening of VARA’s framework and the enforcement actions that VARA has taken against unlicensed entities.

VARA’s January 2026 Circular Requirements

The January 2026 circular requires VASPs to implement specific measures in response to the October 2025 FATF list updates:

Immediate screening updates: VASPs must update their customer and transaction screening systems to reflect the current FATF list compositions. Any changes to list membership — additions, removals, or status changes — must be reflected in screening systems promptly.

Customer review: VASPs must review their existing customer base to identify customers with connections to newly listed jurisdictions and apply appropriate enhanced due diligence measures.

Policy updates: VASPs must update their AML/CFT policies and procedures to reflect any changes in the risk profile of transactions involving listed jurisdictions.

Staff training: Compliance staff must be informed of FATF list changes and trained on the applicable enhanced due diligence requirements.

Reporting: VASPs must be prepared to report to VARA on the measures taken in response to FATF list updates, including the number of affected customers, enhanced due diligence actions taken, and any suspicious activity identified.

Enhanced Due Diligence Measures

The specific enhanced due diligence measures required for transactions involving FATF-listed jurisdictions include:

For Blacklisted Jurisdictions

  • Application of countermeasures proportionate to the risks
  • Enhanced identity verification using multiple independent sources
  • Enhanced monitoring of all transactions
  • Senior management approval for establishing and continuing business relationships
  • Consideration of whether to decline or terminate business relationships
  • Reporting to VARA of any identified risks or suspicious activity

For Greylisted Jurisdictions

  • Enhanced customer due diligence measures proportionate to the risks
  • Enhanced transaction monitoring with lower thresholds for alerts
  • Additional information gathering about the purpose and intended nature of business relationships
  • Regular review and update of customer risk assessments
  • Senior management awareness of the jurisdiction’s status and associated risks

Operational Implementation

Customer Onboarding

During customer onboarding, VASPs must screen new customers against current FATF list data. The screening must cover:

  • The customer’s nationality and country of residence
  • The country of incorporation or registration for legal entity customers
  • The jurisdiction of the customer’s business operations
  • The jurisdictions of beneficial owners and controllers

Where connections to FATF-listed jurisdictions are identified, the VASP must apply the appropriate level of enhanced due diligence before establishing the business relationship.

Ongoing Monitoring

FATF list status is not static. VASPs must implement processes for:

  • Monitoring FATF list updates (typically issued three times per year following FATF plenary meetings)
  • Reviewing existing customers against updated lists
  • Adjusting enhanced due diligence measures when jurisdictions are added to or removed from lists
  • Documenting the monitoring process and actions taken

Transaction Monitoring Adjustments

Transaction monitoring systems must incorporate FATF list data, including:

  • Enhanced monitoring thresholds for transactions involving listed jurisdictions
  • Alerts for transaction patterns suggesting potential circumvention of enhanced measures
  • Correlation of FATF list data with other risk indicators

Relationship to Broader AML/CFT Framework

The FATF high-risk jurisdiction requirements complement other elements of VARA’s AML/CFT framework, including:

  • The Virtual Assets Travel Rule, which requires originator and beneficiary information that can be used to identify jurisdictional connections
  • The National Risk Assessment integration requirements, which identify specific risks associated with cross-border transactions
  • The sanctions screening obligations under EOCN coordination, which overlap with but are distinct from FATF list obligations

For comprehensive coverage of all AML/CFT obligations, see our AML/CFT/CPF deep dive. For the broader compliance framework, see our compliance requirements analysis.

For comparative analysis of how AML/CFT requirements differ across UAE regulatory zones, see our VARA vs ADGM comparison. For the latest enforcement actions related to AML/CFT failures, see our enforcement section.

For federal-level AML/CFT intelligence, visit UAE Tokenization Regulations. For definitions of regulatory terms, see our glossary.

FATF List Structure

The Financial Action Task Force maintains two lists that directly affect how licensed VASPs must handle transactions with specific jurisdictions:

Call for Action List (Black List)

Jurisdictions identified by FATF as having strategic deficiencies in their AML/CFT frameworks and that have not made sufficient progress. FATF calls on all member countries to apply counter-measures to these jurisdictions. For VASPs, this means:

  • Prohibition or severe restriction on transactions with entities in these jurisdictions
  • Enhanced due diligence for any permitted interactions
  • Heightened scrutiny of customers with connections to these jurisdictions
  • Reporting obligations to VARA when transactions involving these jurisdictions are identified

Increased Monitoring List (Grey List)

Jurisdictions that have committed to address identified strategic deficiencies within agreed timeframes. For VASPs, grey-listed jurisdictions trigger:

  • Enhanced due diligence requirements (beyond standard CDD)
  • More intensive transaction monitoring for connections to these jurisdictions
  • Source of funds and source of wealth verification for customers from these jurisdictions
  • Periodic reporting to VARA on exposure to grey-listed jurisdictions

The January 2026 Circular

The January 2026 circular on enhanced measures for high-risk jurisdictions — based on October 2025 FATF list updates — requires all VARA-licensed VASPs to:

  • Update their screening systems to reflect the current FATF lists
  • Review existing customer relationships for exposure to newly-listed jurisdictions
  • Apply appropriate enhanced measures to identified exposures
  • Document compliance actions and maintain records for VARA review

Practical Implementation

For entities like Binance Dubai, OKX Middle East, BitOasis, and Crypto.com Dubai processing high volumes of cross-border virtual asset transactions, FATF list compliance requires:

  • Automated Screening: Integration of FATF lists into customer onboarding and transaction monitoring systems
  • Blockchain Analytics: Tracing the geographic origin of virtual asset flows using blockchain analytics tools, since blockchain transactions may originate from jurisdictions that cannot be determined from customer information alone
  • Correspondent VASP Assessment: Evaluating the FATF risk profile of counterparty VASPs when processing inter-VASP transfers under the Travel Rule
  • Regular Updates: FATF lists are updated periodically (typically three times per year after FATF plenary meetings), requiring regular system updates and customer base reviews

Connection to Other AML Requirements

FATF high-risk jurisdiction screening is one component of the broader AML/CFT framework:

The UAE’s Own FATF Position

The UAE’s relationship with FATF assessments directly affects the operating environment for VARA-licensed VASPs. The strength of the UAE’s AML/CFT framework — including VARA’s regulatory and enforcement activities — contributes to the UAE’s FATF assessment outcomes, which in turn affect international perceptions of UAE-licensed VASPs.

Impact on Counterparty VASP Relationships

FATF high-risk jurisdiction screening extends to the assessment of counterparty VASPs. When a VARA-licensed entity conducts inter-VASP transfers — as required under the Travel Rule — it must assess whether the counterparty VASP is domiciled in or has significant connections to FATF-listed jurisdictions. This counterparty assessment affects operational decisions about which VASPs to maintain transfer relationships with and what enhanced measures to apply.

The interaction between FATF screening and Travel Rule compliance creates a layered due diligence requirement: licensed VASPs must not only exchange originator and beneficiary information but also assess the regulatory and geographic risk profile of their counterparty VASPs.

Technology Requirements for FATF Screening

Effective FATF high-risk jurisdiction screening requires:

  • Geographic Data Integration: Systems that cross-reference customer addresses, transaction origins, and IP geolocation data against FATF lists
  • Blockchain Analytics: Tools that trace the geographic patterns of virtual asset flows, identifying connections to addresses associated with high-risk jurisdictions
  • Dynamic List Management: Capability to update screening parameters within hours of FATF list changes, given that FATF publishes updates after each plenary meeting
  • Case Management: Workflow systems for investigating and dispositioning alerts generated by FATF screening, with escalation paths to senior compliance and the MLRO

Periodic Updates and VARA Circular Cadence

VARA has issued multiple circulars on FATF high-risk jurisdictions, reflecting the periodic nature of FATF list updates. The January 2026 circular (based on October 2025 FATF assessments) is the most recent, but prior circulars in November 2024 and earlier addressed preceding FATF list updates. Licensed VASPs should anticipate additional circulars following each FATF plenary session (typically February, June, and October), requiring regular compliance programme updates.

For the broader AML/CFT framework within which FATF screening operates, see our AML/CFT requirements analysis. For EOCN sanctions screening requirements, see our briefs section.

FATF Assessment Process and UAE Impact

How FATF Lists Are Determined

FATF’s Plenary meetings (typically held in February, June, and October) review jurisdictions’ progress in addressing strategic AML/CFT deficiencies. The assessment process involves:

  1. Mutual Evaluation: On-site assessment of a jurisdiction’s AML/CFT framework
  2. Follow-Up Process: Monitoring of progress against identified deficiencies
  3. Listing Decision: Placement on (or removal from) the Call for Action or Increased Monitoring lists

Impact on UAE-Based VASPs

The UAE’s own FATF assessment directly affects VARA-licensed entities:

  • Correspondent VASP Relationships: VASPs in other jurisdictions assess the UAE’s FATF standing when deciding whether to maintain transfer relationships with UAE-based VASPs
  • Banking Relationships: International banks consider the UAE’s FATF assessment when evaluating banking relationships with VARA-licensed entities
  • Institutional Credibility: The strength of the UAE’s AML/CFT framework — including VARA’s enforcement record and regulatory output — contributes to positive FATF assessments

VARA’s Contribution to UAE FATF Standing

VARA’s regulatory framework contributes positively to the UAE’s FATF assessment through:

  • Comprehensive AML/CFT regulations and rulebooks
  • Active enforcement (36+ actions demonstrating effective supervision)
  • Travel Rule implementation (February 2026 circular)
  • Sanctions screening requirements (EOCN system registration)
  • International standard alignment (FATF Recommendations 15 and 16)
Advertisement
fatfhigh-riskamldue-diligencevara
Related Articles
AML/CFT/CPF Requirements for Dubai VASPs — The 2026 Implementation Framework
The UAE Virtual Assets Travel Rule — VARA Implementation Requirements
VARA Compliance Requirements for Licensed VASPs — Complete Obligation Map
VARA Custody and Staking Rules — The Revised Framework for Digital Asset Safekeeping
Advertisement
Network Intelligence
UAE Tokenisation
UAE Virtual Asset Intelligence
UAE DeFi
Decentralized Finance Data
Dubai Stablecoins
Stablecoin Regulation & Data
Dubai RWA
Real World Asset Tokenization

Institutional Access

Coming Soon