Dubai’s Virtual Assets Regulatory Authority has issued new guidance that pushes licensed crypto firms toward more data-driven and board-level oversight of financial crime risk, marking another step in the emirate’s shift from licensing expansion to active supervision of the virtual asset sector.
The guidance, titled AML/CFT Business Risk Assessment Guidance, sets out what VARA considers strong practice for Business Risk Assessments, or BRAs, following its 2026 thematic review of licensed virtual asset service providers. While the document is framed as good practice guidance, it gives the market a clear view of how the regulator expects VASPs to assess money laundering, terrorism financing, proliferation financing and related risks.
At the center of the document is a simple message: AML risk assessments can no longer operate as static compliance files. VARA expects them to be live, evidence-based documents that shape how firms allocate compliance resources, calibrate controls and respond to changing threats.
The guidance reflects a more advanced phase in Dubai’s virtual asset regulatory model. After building one of the region’s most visible licensing frameworks for crypto companies, VARA is now placing greater emphasis on whether licensed firms can demonstrate that their controls work in practice.
Under VARA’s Compliance and Risk Management Rulebook, VASPs must conduct and maintain an AML/CFT Business Risk Assessment, review it at least every three months and update it whenever significant changes occur. The new guidance expands on this requirement by showing what strong implementation looks like across governance, methodology, data inputs, control testing and operational follow-through.
This places pressure on firms to move beyond generic risk language. A VASP that classifies its residual risk as medium, for example, must be able to explain how it reached that rating, what data supported it, which controls reduced the inherent risk and whether those controls were independently tested.
One of the strongest signals in the guidance is the emphasis on board accountability.
VARA says strong practice requires the BRA to be formally approved by the Board of Directors, or an equivalent governing body, with the approval date clearly documented. Approval by senior management alone is not presented as enough.
The regulator also expects the Board to challenge the methodology, residual risk conclusions, control effectiveness assumptions and remediation priorities. This effectively turns the BRA into a governance document, not only a compliance document owned by the Money Laundering Reporting Officer.
The guidance also points to the three lines of defence model. The compliance or MLRO function may prepare the BRA, but independent challenge should come from the Board or risk function, while internal audit or an independent external party should validate the methodology and control effectiveness assumptions.
For licensed firms, this raises the cost of weak documentation. If the BRA is not reviewed, challenged and supported by evidence, it may expose not only the compliance function but also senior governance structures.
VARA makes clear that strong BRAs should be built on operational evidence.
The guidance identifies several data points that should inform risk scoring, including customer risk rating distribution, transaction monitoring alerts, SAR and STR trends, sanctions screening results, transaction volumes, product activity, geographic exposure, enhanced due diligence statistics, offboarding data, audit findings and supervisory feedback.
This is a notable shift from narrative-based compliance assessments toward measurable risk management. VARA is effectively asking firms to show how customer behavior, transaction flows, alert quality and external risk developments affect their risk ratings.
The strongest BRAs, according to the guidance, use numerical scoring models, defined likelihood and consequence scales, control effectiveness ratings and documented heat maps to calculate residual risk. Where firms use qualitative ratings, VARA expects clear narrative support explaining the rationale behind each conclusion.
This approach gives supervisors a clearer way to test whether a firm’s stated risk profile matches its actual business activity.
The guidance is especially relevant because it goes beyond traditional AML categories and focuses on risks specific to virtual assets.
VARA says strong BRAs should assess exposure to unhosted wallets, anonymity-enhanced virtual assets, mixing services, DeFi activity, smart contract interactions, cross-border virtual asset transfers and Travel Rule risks.
Stablecoins are also specifically highlighted. VARA expects VASPs to assess stablecoin transaction volumes, counterparty exposure, sanctions evasion risk and proliferation financing risk.
This is important for the UAE market, where stablecoin activity is developing across both foreign and dirham-linked initiatives. VARA’s guidance shows that stablecoins will not only be viewed through the lens of payments innovation or market efficiency. They will also be assessed as part of the financial crime risk environment, especially where cross-border flows, sanctions exposure or counterparty risks are involved.
The inclusion of DeFi and unhosted wallets also signals that VARA expects centralized VASPs to understand risks that may sit beyond their immediate platform perimeter but still affect their customers, transactions and counterparties.
Another major element in the guidance is the treatment of proliferation financing as a distinct risk category.
VARA says PF should be assessed separately from money laundering and terrorism financing, with its own inherent risk score, control effectiveness assessment and residual risk rating. The regulator links this directly to targeted financial sanctions and expects firms to show how PF risk affects screening, freezing and reporting procedures.
The guidance refers to risk vectors such as customers with links to proliferation-sensitive jurisdictions, complex corporate structures, nested accounts, intermediary VASPs, layered blockchain transactions, front companies and cross-chain bridge mechanisms.
This is a significant supervisory signal. VARA is making clear that crypto firms in Dubai must treat proliferation financing as an operational risk, not a theoretical compliance category. Screening, blockchain analytics, escalation procedures and reporting obligations must all connect back to the firm’s PF risk assessment.
VARA also calls for more detailed geographic risk assessment.
The guidance says VASPs should assess geographic risk at the level of individual jurisdictions and use actual KYC nationality data to identify the proportion of customers exposed to higher-risk jurisdictions. This is particularly relevant in the UAE, where virtual asset firms often serve international customer bases and operate across multiple markets.
For firms with regional or global customer reach, the message is clear: broad references to “high-risk countries” are not enough. VARA expects jurisdiction-by-jurisdiction analysis, supported by internal data and linked to the firm’s residual risk conclusions.
The most practical part of the guidance is its focus on operationalization.
VARA expects firms to document how BRA findings affected real compliance decisions during the review cycle. These may include changes to transaction monitoring thresholds, enhanced sanctions screening, increased blockchain analytics coverage, jurisdiction-specific enhanced due diligence, revised onboarding rules or additional compliance resources for higher-risk business lines.
This requirement is important because it tests whether the BRA has any real influence on day-to-day controls. A firm may have a well-written document, but if the assessment does not change monitoring rules, staffing decisions, escalation procedures or customer risk treatment, VARA may view it as weakly embedded.
The guidance also identifies trigger events that should prompt BRA updates. These include new products, new virtual asset listings, material changes in customer risk distribution, FATF updates, VARA supervisory communications, audit findings, sanctions designations, law enforcement developments, MLRO changes or material changes to the AML/CFT program.
The guidance gives licensed VASPs a clearer benchmark for what VARA considers a mature AML/CFT framework.
It also gives the wider market insight into the regulator’s supervisory priorities. VARA is paying close attention to stablecoins, DeFi, unhosted wallets, cross-border transfers, sanctions exposure, proliferation financing, geographic concentration and AI-enabled fraud typologies. It is also looking at whether firms can support their risk ratings with evidence and connect those ratings to operational controls.
For Dubai’s virtual asset sector, this marks a more demanding phase. Licensing remains important, but the test is increasingly about whether firms can prove that their governance, data, controls and risk decisions are aligned.
As VARA continues to supervise a growing licensed market, the question for crypto firms is no longer whether they have a Business Risk Assessment in place. It is whether that assessment can withstand regulatory scrutiny, board challenge and the realities of a fast-changing financial crime environment.