AML Laws for VASPs in UAE: A Quick Overview
- Virtual Asset Service Providers (VASPs) in the UAE are required to establish a strong AML/CFT/CPF compliance framework under Federal Decree-Law No. (10) of 2025 and Cabinet Resolution No. (134) of 2025. Regulatory expectations depend on the entity’s licensing authority and supervisory scope.
- For VASPs, compliance under AML Laws for VASPs in UAE is not limited to customer onboarding checks. It requires end-to-end adherence to AML laws, including wallet and counterparty risk evaluation, sanctions screening, continuous monitoring, escalation quality, and defensible recordkeeping throughout the entire customer lifecycle.
Virtual Asset Services Covered Under AML Laws in UAE
This guide is intended for UAE-based or UAE-facing virtual asset businesses that fall within the VASP compliance perimeter, including leadership teams, MLROs, compliance officers, operations teams, and product owners.
The AML Laws apply to VASPs engaged in the following activities:
- Exchange between Virtual Assets and fiat currencies
- Exchange between one or more types of Virtual Assets
- Transfer of Virtual Assets
- Safekeeping or administration of Virtual Assets or tools that enable control over Virtual Assets
- Provision of financial services related to an issuer’s offer or sale of Virtual Assets, or participation in such services
- Any other activities determined by resolution issued by the Supervisory Authority in coordination with the National Committee
AML Laws Applicable to VASPs in UAE
Federal AML / CFT Laws:
- Federal Decree-Law No. (10) of 2025 Regarding Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation Financing
- Cabinet Resolution No. (134) of 2025 Regarding the Executive Regulations of Federal Decree-Law No. (10) of 2025
- Federal Law No. (7) of 2014 on Combating Terrorism Offences
- Cabinet Resolution No. (74) of 2020 Regulating Terrorist Lists and Implementation of UN Security Council Resolutions
- Cabinet Resolution No. (71) of 2024 Regulating Violations and Administrative Penalties (MoJ and MoE supervised entities)
- Cabinet Decision No. (109) of 2023 on Regulating Beneficial Owner Procedures
- Cabinet Resolution No. (132) of 2023 on Administrative Penalties for Violations of Beneficial Owner Procedures
UAE National Risk Assessment:
- UAE ML/FT National Risk Assessment
FATF Guidance Applicable to VASPs:
- Virtual Assets: Targeted Update on Implementation of the FATF Standards on VAs and VASPs (9 July 2024)
- Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs (October 2021)
- Second 12-Month Review of the Revised FATF Standards on Virtual Assets and VASPs (July 2021)
- Public-Private Partnership Sub-Committee / NAMLCFTC Report on Rising Use of Virtual Currencies by Criminals
Common Guidance for All Reporting Entities Including VASPs:
- Guidance on Targeted Financial Sanctions for FIs, DNFBPs and VASPs (EOCN), July 2025
- Proliferation Finance Institutional Risk Assessment Guidance – December 2023
- Terrorist and Proliferation Financing Red Flags Guidance – December 2023
- Guidance on Counter Proliferation Financing – November 2022
- Joint Guidance on Combating the Use of Unlicensed VASPs – November 2023
- Joint Guidance (Satisfactory / Unsatisfactory Practice) – June 2021
- FIU Strategic Analysis Report on Terrorist Financing – May 2025
AML/CFT/CPF Legal Framework for VASPs in the Emirate of Dubai:
The Virtual Asset Regulatory Authority (VARA) acts as the Supervisory Authority for VASPs operating in or from Dubai. These entities must comply with the VARA Compliance and Risk Management Rulebook along with Federal Decree Laws, Cabinet Resolutions, UAE National Risk Assessments, and FATF guidance.
AML/CFT/CPF Legal Framework for VASPs in the UAE (Except Dubai):
VASPs operating from other Emirates (outside Dubai) are supervised for AML purposes by the Capital Market Authority. In addition to Federal and Cabinet regulations, they must follow:
- CMA Guidelines for Combating Money Laundering, Counter-Terrorism Financing, and Funding of Illegal Organisations (Chapter 5, Board Decision No. 13/Chairman of 2021)
- AML/CFT Guidelines for Financial Institutions – July 2023
- Regulations of Virtual Assets and VASPs (2023)
- Circular on CMA Examination Observation Report
- Minimum Standards for Semi-Annual AML/CFT Report 2023
- CMA Instructions: 2024 Annual Return AML/CFT and TFS Risk Assessment
- CMA Q&A – National Risk Assessment
Ready to schedule a consultation?
Most inspection findings trace back to execution gaps
AML/CFT/CPF Compliance Requirements for VASPs
For Virtual Asset Service Providers, legal compliance should be translated into an operational framework consisting of five key control layers:
1. Governance and Oversight
Clear accountability structures, policy ownership, approval workflows, and management reporting.
2. Risk Assessment Architecture
Enterprise-wide and customer risk assessment methodologies aligned with UAE legal and risk guidance.
3. Preventive Controls
CDD, EDD, sanctions screening, and onboarding controls supported by documented justification.
4. Detective and Escalation Controls
Transaction monitoring, alert reviews, internal escalation channels, and suspicious activity reporting readiness.
5. Assurance and Evidence
Recordkeeping, training, periodic control testing, issue tracking, and remediation documentation.
This layered approach is the most effective method to operationalise AML regulations for VASPs in the UAE and demonstrate control effectiveness.
Step-by-Step AML Implementation Framework for VASPs
Step 1: Develop a Legal Obligations Register
Map each regulatory obligation to its legal source, control objective, responsible owner, and required evidence.
Step 2: Establish a Risk Methodology
Design enterprise-level and customer-level risk scoring models that reflect virtual-asset-specific risks.
Step 3: Operationalise Onboarding Controls
Convert policy requirements into workflow steps with clearly defined EDD triggers and approval levels.
Step 4: Calibrate Monitoring and Screening
Implement risk-based monitoring scenarios and define alert review standards.
Step 5: Strengthen Escalation Quality
Use structured case documentation and maintain decision governance records.
Step 6: Conduct Testing and Remediation
Perform regular control testing and close findings with proper evidence.
Step 7: Build Management Information Discipline
Track metrics such as alert ageing, false-positive ratios, backlog volumes, and escalation outcomes.
Ready to schedule a consultation?
Most inspection findings trace back to execution gaps
FAQs: AML Laws for VASPs in UAE
What Do AML Laws for VASPs in UAE Mean in Practical Terms?
In practical terms, AML Laws for VASPs in UAE require Virtual Asset Service Providers to implement a risk-based AML/CFT/CPF framework. This framework must cover customer due diligence, transaction monitoring, sanctions screening, escalation procedures, regulatory reporting, and recordkeeping, all supported by clear governance and documented evidence.
What Is the Difference Between AML Laws and AML Regulations for VASPs in the UAE?
From an operational perspective, AML laws establish the legal obligation and enforcement authority, while AML regulations and supervisory frameworks explain how those legal duties should be implemented, monitored, and evidenced within an organisation.
Do VASP Compliance Obligations End at Customer Onboarding?
No. Compliance responsibilities do not end at onboarding. VASPs must maintain continuous monitoring, sanctions screening, escalation processes, and reporting quality throughout the entire customer lifecycle.
Why Should VASPs Align with NRA and SRA Guidance?
VASPs should align with National Risk Assessment (NRA) and Sector Risk Assessment (SRA) guidance because these provide risk intelligence that supports a risk-based compliance design. Alignment also helps justify enhancements or stricter controls where higher risks are identified.
Expert Strategies, Industry Trends & Real Results
