Dubai’s Virtual Asset Regulatory Authority (VARA) recently issued a circular requiring all VASPs to adhere to Rule III Risk Assessments, noting that supervisory inspections conducted during 2024 and 2025 identified significant deficiencies in the design and execution of AML/CFT Business Risk Assessments (BRA) across multiple VASPs.
As noted by VARA, “All Virtual Asset Service Providers (VASPs) need to clarify the requirements under Part III – Rule III.D (Risk Assessments) of the Compliance and Risk Management Rulebook.”
It claimed that during previous inspections multiple VASPs failed to document methodologies, had unrealistic residual risk ratings, and failed to consider emerging risks such as Proliferation Financing (PF), Targeted Financial Sanctions (TFS), and the use of artificial intelligence or new technologies.
VARA added that under Rule III.D, VASPs are required to maintain a documented, data-driven AML/CFT Business Risk Assessment.
VASPs need to identify and assess all ML/TF/PF risks inherent in the VASP’s business model, customer base, products, services, delivery channels, geographic exposure and technology use. VASPs also need to incorporate emerging and sectoral risks, including Anonymity-Enhanced Transactions, AI-enabled processes and new or evolving VA products, and demonstrate how National Risk Assessment (NRA) results have been considered.
Under the VARA rule, VASPs also need to ensure that the risks and industry findings identified in the UAE NRA and any relevant Sectoral Risk Assessments are cascaded into the VASP’s internal frameworks, including the Business Risk Assessment and Client Risk Assessment (KYC/KYB).
Finally, VARA called on VASPs to be able to evidence quarterly review activity (for example, through a short management memo or a risk or compliance committee record) demonstrating that the BRA remains accurate, relevant and responsive to the evolving risk environment.
The regulator warns that a BRA that has not been revisited or tested against new data, typologies or regulatory changes will not meet the requirements of Rule III.D.3(a).
VARA is giving VASPs until Q2 2026 before it will evaluate BRAs. VASPs that fail to demonstrate a credible, data-driven and quarterly maintained BRA will first be required to re-perform the assessment within 30 days and may be subject to supervisory or enforcement action.
