Dubai’s Virtual Assets Regulatory Authority has issued new anti-money laundering guidelines that push licensed cryptocurrency companies towards more data-driven and frequently updated risk assessments.
The guidance, issued on June 12, requires virtual asset service providers to incorporate the FATF’s high-risk and increasingly supervised jurisdictions into their compliance processes. It also raises expectations around risk monitoring, senior management oversight, risks associated with artificial intelligence, transactions that promote anonymity, and financing proliferation.
The update raises the level of compliance for one of the most active cryptocurrency licensing centers in the world. NeosLegal estimates that more than 100 asset service providers hold permits or approvals across UAE regulators, including VARA, ADGM, DFSA, CBUAE and CMA.
For global exchanges and custodians operating in Dubai, the message is clear: market access now comes with heavier operational liabilities.
VARA pushes cryptocurrency companies towards data-driven risk checks
The updated VARA framework requires licensed businesses to go beyond static compliance checklists and maintain risk assessments that reflect current business activity.
Companies should evaluate risks associated with customer profiles, transaction types, products and services, delivery channels and geographic exposure. Countries identified by the Financial Action Task Force as high risk or subject to increased monitoring should be taken into account in those assessments immediately.
Risk assessments should be reviewed at least quarterly, or sooner if the company changes its products, services, business model, ownership or structure. This makes compliance an ongoing process rather than a periodic licensing exercise.
The guidance also requires companies to distinguish between money laundering, terrorist financing and proliferation financing risks and targeted financial sanctions risks. They cannot treat all financial crime risks as one broad category.
Senior managers, board members and compliance officers are expected to understand the company’s residual risk classification and how to manage it. VARA also expects companies to consider emerging risks associated with artificial intelligence and machine learning, transactions that promote anonymity, and crowdfunding activity.
Dubai’s crypto hub status now comes with rising compliance costs
Dubai has positioned itself as a regulatory hub for global cryptocurrency companies, but new directives show the system is becoming more demanding.
The VARA framework is closely aligned with FATF standards. Its rulebooks include FATF recommendations as enforceable requirements, including travel rule obligations, sanctions screening, customer due diligence, and risk-based monitoring.
This gives global companies some advantages if they already operate under strong compliance regimes in jurisdictions such as the European Union, Singapore, Switzerland, or the United States. Many basic controls overlap.
However, Dubai’s forecasts go further in some areas. Firms are expected to maintain updated sanctions monitoring, automated screening, wallet address analysis, distributed ledger analytics, and more detailed geo-risk controls.
This means that a company with a basic compliance manual will face difficulties. VARA expects companies to demonstrate that their risk models are supported by real operational data and can adapt to business changes.
The UAE app makes ignoring the message more difficult
These directives come as UAE regulators continue to tighten oversight of financial crimes across the broader financial sector.
Since early 2025, the UAE Central Bank has imposed more than 370 million dirhams, or more than $100 million, in anti-money laundering and terrorist financing sanctions on financial institutions, including banks, exchange houses, insurance companies and finance companies.
Regulators in Dubai have also taken a tougher approach to the risks associated with anonymity, with privacy-enhancing assets and transactions subject to more careful scrutiny due to their anti-money laundering implications.
For cryptocurrency companies, the direction of travel is clear. Dubai is still open to virtual asset companies, but it is no longer enough to obtain a license and operate with fixed controls. Companies must continue to demonstrate that their risk systems match the size, complexity and exposure of their business.
