The new AML/CFT Business Risk Assessment Guidance published by the Dubai Virtual Assets Regulatory Authority (VARA) establishes best practice for licensed virtual asset service providers (VASPs) when conducting business risk assessments (BRAs) related to anti-money laundering (AML) and counter‑terrorist financing (CFT) following a recent thematic review of the sector.
The guidance (14 pages / 712KB PDF), published after VARA’s 2026 BRA thematic review, outlines supervisory expectations across governance, methodology, data integration, proliferation financing risk, and operationalisation of BRA findings.
VARA reinforces existing obligations under the VARA compliance and risk management rulebook, including quarterly BRA review requirements and the need for BRAs to directly inform AML or CFT controls and resource allocation.
The guidance recommends that BRAs follow the ‘three lines of defence’ model: examining operational management control of organisational risks; risk management and compliance functions; and an internal audit to provide assurance. It also says that VASPs should proactively assess their exposure to the Financial Action Task Force (FATF) high-risk jurisdictions lists.
VARA highlights growing investment by VASPs in data-driven frameworks and says it expects BRAs increasingly to be “grounded in operational data” and subject to independent challenge, whether by the firm’s board or by its audit function.
The guidance emphasises that firms may need to enhance both risk assessment and controls, particularly in relation to distinct areas such as proliferation financing. It also outlines a number of virtual asset-specific risks, including unhosted wallets – digital accounts that are not hosted by a third-party system and are notoriously difficult to verify – and potential exposure to decentralised finance and stablecoins.
The guidance also places particular emphasis on governance, noting that board-level approval and independent challenge of BRA methodologies and residual risk conclusions are key indicators of framework maturity.
VARA also highlights the importance of transparent and repeatable methodologies, with stronger practices involving quantitative risk scoring, documented aggregation approaches and the ability to trace how individual risk inputs translate into overall risk ratings.
Commenting on the guidance, Marie Chowdhry, a fintech expert with Pinsent Masons in Dubai, said: “VARA’s guidance sets out the importance of aligning AML/CFT compliance with supervisory expectations. In particular, the emphasis on the BRA being a live risk management tool, quantitative data integration, three lines of defence, and board level accountability reflects a maturing regulatory approach aligned with FATF expectations.”
The update follows the recent release of other guidance clarifying how VASPs must collect, verify, transmit and retain data about both the originator and beneficiary for any qualifying virtual asset transfers in relation to the ‘Travel Rule’. The latest guidance outlines that strong BRAs will examine cross-border virtual asset transfers, including Travel Rule data integration into sanctions screening and counterparty VASP exposure to high-risk jurisdictions.
A central theme is that BRA findings should be clearly translated into operational decisions, such as adjustments to transaction monitoring thresholds, enhanced due diligence measures, and the allocation of compliance resources.
For VASPs, the practical impact of the new guidance is significant, said Jessa White, a financial regulation expert with Pinsent Masons in Dubai. “Firms will need to ensure that their BRA frameworks are evidence based, regularly updated, and demonstrably linked to operational decisions, such as transaction monitoring calibration, customer due diligence measures, and sanctions screening,” she said. “Firms that fail to align with these expectations may face increased supervisory scrutiny. A proactive gap analysis against VARA’s ‘good practice’ indicators will be critical for maintaining regulatory compliance and demonstrating framework maturity.”