Implementing FATF Recommendation 16 for Virtual Assets in Dubai
The February 24, 2026 circular on “Implementation of the UAE Virtual Assets Travel Rule Requirements” represents one of the most operationally significant compliance obligations imposed on VARA-licensed VASPs. The Travel Rule — derived from FATF Recommendation 16 — requires that specific information about the originator and beneficiary of virtual asset transfers accompanies those transfers, mirroring the wire transfer rules that have governed traditional banking for decades.
This regulatory development positions Dubai among the jurisdictions actively implementing the FATF’s virtual asset standards and has material implications for every licensed VASP operating under VARA’s supervision. The requirement affects exchange operators like Binance Dubai and OKX Middle East, custody providers, broker-dealers like BitOasis, and any entity facilitating virtual asset transfers on behalf of customers.
Regulatory Foundation
The Travel Rule implementation sits within the broader AML/CFT/CPF framework that VARA has progressively strengthened since the issuance of the Virtual Assets and Related Activities Regulations 2023. The rule directly implements FATF Recommendation 16, which the FATF extended to virtual asset transfers through its updated guidance on virtual assets and virtual asset service providers.
The UAE’s implementation reflects the country’s commitment to full FATF compliance — a strategic priority given the UAE’s 2024 exit from the FATF grey list. The January 2026 circular on enhanced measures for FATF high-risk jurisdictions further reinforces this commitment by requiring VASPs to apply enhanced due diligence measures tied to FATF list classifications.
Information Requirements
Originator Information
The originating VASP — the entity initiating the virtual asset transfer on behalf of the originator — must collect and transmit the following information:
Required for all qualifying transfers:
- Full name of the originator
- Account number or wallet address used to process the transaction
- Physical address of the originator, or national identity number, or customer identification number, or date and place of birth
Additional information for cross-border transfers:
- The above information must be accurate and obtained from reliable sources
- Information must be verified before the transfer is executed
Beneficiary Information
The originating VASP must also collect:
- Full name of the beneficiary
- Account number or wallet address used to receive the transaction
Accuracy and Verification
The Travel Rule requires that originator information be accurate, not fabricated or estimated. VASPs must have procedures in place to verify the accuracy of the information collected, drawing on the customer identification and verification procedures established under their broader AML/CFT programmes.
Operational Implementation Challenges
Counterparty VASP Identification
One of the most significant operational challenges in Travel Rule implementation is determining whether the counterparty in a virtual asset transfer is another VASP or an individual using an unhosted (self-custodial) wallet. This determination affects the applicable obligations:
VASP-to-VASP transfers: The full Travel Rule information requirements apply. The originating VASP must transmit the required information to the beneficiary VASP, and the beneficiary VASP must receive and retain it.
Transfers to unhosted wallets: While the Travel Rule’s transmission requirements do not apply in the same way to transfers involving unhosted wallets, VASPs still face obligations regarding risk assessment, enhanced monitoring, and in some cases, collection of beneficiary information from the originator.
Counterparty identification is complicated by the pseudonymous nature of many blockchain protocols. VASPs may employ blockchain analytics tools, counterparty verification services, or industry protocols to identify whether a given address is associated with another VASP.
Technical Infrastructure
Transmitting Travel Rule information alongside virtual asset transfers requires technical infrastructure that does not exist natively on most blockchain protocols. The global industry has developed several approaches to this challenge:
Industry messaging protocols: Solutions such as the Travel Rule Protocol (TRP), OpenVASP, TRUST (Travel Rule Universal Solution Technology), and other industry-developed protocols provide standardized methods for VASPs to exchange Travel Rule information.
Bilateral arrangements: Some VASPs establish direct bilateral connections with counterparties for Travel Rule information exchange.
Compliance service providers: Third-party compliance platforms that aggregate multiple protocols and counterparty networks into a single integration point.
VARA’s circular does not mandate a specific technical solution, allowing VASPs flexibility in their implementation approach. However, the chosen solution must reliably ensure that the required information accompanies qualifying transfers.
Cross-Border Compliance Complexity
The Travel Rule presents unique challenges in cross-border transactions where the counterparty VASP operates in a jurisdiction that has not yet implemented comparable Travel Rule requirements. In these situations, the originating VASP in Dubai faces a compliance obligation that the receiving entity may not be equipped to fulfil.
VARA’s approach requires VASPs to assess and manage the risk associated with cross-border transfers on a case-by-case basis. Where counterparties cannot demonstrate Travel Rule compliance, VASPs may need to apply enhanced due diligence, impose transaction limits, or in some cases decline to process the transfer.
This creates a practical dynamic where Dubai-licensed VASPs may preferentially route transactions through counterparties in jurisdictions with mature Travel Rule implementations — potentially including other UAE jurisdictions such as ADGM and those in jurisdictions like Singapore, Japan, and South Korea that have implemented comparable requirements.
Relationship to the Broader Compliance Framework
The Travel Rule does not operate in isolation. It interconnects with several other compliance obligations:
Sanctions screening: Travel Rule information — particularly originator and beneficiary names — feeds directly into sanctions screening processes. VASPs must screen both originator and beneficiary information against applicable sanctions lists, including those maintained by the EOCN.
Suspicious activity monitoring: Travel Rule data provides additional inputs for transaction monitoring systems. Patterns involving incomplete Travel Rule information, inconsistent originator details, or repeated transfers to or from unverified counterparties may generate suspicious activity alerts.
Risk-based approach: The intensity of Travel Rule compliance efforts should be calibrated to the assessed risk of the transaction, the counterparty, and the customer. Higher-risk situations — such as transfers involving FATF high-risk jurisdictions — warrant enhanced scrutiny.
Record keeping: All Travel Rule information must be retained in accordance with applicable record-keeping requirements, making it available for regulatory review and law enforcement requests.
Compliance Timeline and Expectations
The February 2026 circular established implementation expectations for all licensed VASPs. Entities are expected to have operational Travel Rule systems in place and to demonstrate compliance during VARA supervisory engagements.
For VASPs in the licensing process, Travel Rule implementation capability is now a component of the compliance infrastructure that must be demonstrated as part of the licensing assessment.
International Context
Dubai’s Travel Rule implementation positions the emirate alongside a growing number of jurisdictions that have moved from policy development to practical enforcement of virtual asset Travel Rule requirements. This alignment supports Dubai’s positioning as a well-regulated jurisdiction for virtual asset operations and facilitates cross-border cooperation between VARA and international regulatory counterparts.
For comparison with how other UAE jurisdictions approach the Travel Rule, see our analysis of VARA vs ADGM regulatory frameworks. For the broader UAE federal context, visit UAE Tokenization Regulations.
For information on other AML/CFT compliance requirements, see our comprehensive AML/CFT/CPF analysis and the VASP compliance obligations map. Definitions of key regulatory terms used in this analysis are available in our glossary.
Travel Rule Implementation Details
The February 2026 VARA circular on Virtual Assets Travel Rule implementation mandates specific requirements for how licensed VASPs must exchange originator and beneficiary information with qualifying virtual asset transfers.
FATF Recommendation 16 Background
The Travel Rule for virtual assets extends FATF Recommendation 16 (originally designed for wire transfers in traditional banking) to virtual asset transactions. The rule requires that ordering VASPs transmit required originator and beneficiary information with qualifying transfers, and that beneficiary VASPs obtain this information before making funds available.
Required Information
For qualifying transfers, the originator VASP must transmit:
- Originator Information: Name, account number (or unique transaction reference), and originator address or national identity number, customer identification number, or date and place of birth
- Beneficiary Information: Name and account number (or unique transaction reference)
Technical Implementation
Travel Rule compliance requires technical infrastructure for inter-VASP messaging:
Messaging Protocols: VASPs must implement Travel Rule messaging solutions that enable secure transmission of required information between originator and beneficiary VASPs. Several commercial solutions exist, including TRISA, OpenVASP, and proprietary protocols.
Counterparty VASP Identification: Before transmitting a transfer, the originator VASP must identify the beneficiary VASP and establish a secure communication channel. This counterparty identification process requires VASP registries and verification mechanisms.
Data Matching: Beneficiary VASPs must verify that incoming Travel Rule information matches the customer information in their records, flagging discrepancies for investigation.
Record-Keeping: Both originator and beneficiary VASPs must retain Travel Rule information for prescribed periods, supporting audit trails and regulatory review.
Threshold Considerations
Travel Rule requirements typically apply to transfers exceeding a specified threshold. The threshold level — and whether it applies to individual transactions or cumulative transactions — affects the volume of Travel Rule processing required. For high-volume exchanges like Binance Dubai and OKX Middle East, the threshold level directly impacts operational workload and technology requirements.
Enforcement Implications
While the Travel Rule implementation circular is recent (February 2026), failure to implement Travel Rule requirements could trigger enforcement action. The FUZE case (August 2025) established that VARA penalises compliance system failures, suggesting that Travel Rule non-compliance — as a compliance system deficiency — could attract enforcement attention.
Connection to Other Requirements
The Travel Rule intersects with several other VARA requirements:
- AML/CFT programme: Travel Rule information supports transaction monitoring and customer due diligence
- EOCN sanctions screening: Travel Rule information enables screening of counterparties
- FATF high-risk jurisdiction screening: Geographic information from Travel Rule data supports jurisdiction-based risk assessment
- CARF: Transaction data collected for Travel Rule purposes may overlap with CARF reporting requirements
Travel Rule Operational Challenges
Sunrise Problem
The “sunrise problem” refers to the challenge of implementing the Travel Rule when not all jurisdictions have implemented it simultaneously. A VARA-licensed VASP may send a transfer to a VASP in a jurisdiction where Travel Rule requirements do not yet apply, creating an information exchange mismatch. VARA’s February 2026 circular must address how VASPs should handle transfers to jurisdictions or VASPs that do not yet support Travel Rule messaging.
Unhosted Wallets
Transfers to or from unhosted (self-custodied) wallets present a Travel Rule challenge because there is no counterparty VASP to exchange information with. Regulators globally are addressing this through additional due diligence requirements for unhosted wallet transfers, such as proof-of-ownership attestation or enhanced transaction monitoring.
Technical Interoperability
Multiple Travel Rule messaging protocols exist (TRISA, OpenVASP, Sygna, Notabene, and others), creating interoperability challenges. A VARA-licensed VASP using one protocol may need to communicate with a VASP using a different protocol. Industry efforts to develop interoperability standards are ongoing, but VASPs must currently manage multi-protocol environments or use intermediary services.
Data Privacy Considerations
The Travel Rule requires transmission of personal information (names, addresses, identification numbers) between VASPs across jurisdictions. This creates data protection challenges, particularly when jurisdictions have different data protection standards. VASPs must balance Travel Rule compliance with data minimisation principles and ensure secure transmission of personal information.
Volume and Cost Impact
For high-volume exchanges like Binance Dubai and OKX Middle East, Travel Rule compliance generates significant operational volume. Each qualifying transfer requires Travel Rule messaging, counterparty VASP identification, information exchange, and record-keeping. The cost of Travel Rule compliance — including technology, staffing, and counterparty management — is a meaningful component of overall compliance costs.