Dubai’s VARA Puts VASPs on Notice: Q2 2026 Review to Enforce Data-Driven AML
Dubai’s Virtual Assets Regulatory Authority (VARA) has issued warnings to several Virtual Asset Service Providers (VASPs) for significant weaknesses in their Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Business Risk Assessments (BRA). The issues include lack of proper documentation, unrealistic residual risk ratings, and neglecting emerging risks like proliferation financing, targeted financial sanctions, and misuse of artificial intelligence. VARA mandates transparent, Board-approved methodologies with clear risk categories and quarterly reassessments to align with UAE's National Risk Assessment findings. Firms must integrate BRA outcomes into their policies and conduct quarterly reviews to ensure compliance. VARA plans a thematic review in Q2 2026, with non-compliant firms given a 30-day rectification window before facing enforcement actions.
VARA Issues Warning to Virtual Asset Service Providers
Dubai’s Virtual Assets Regulatory Authority (VARA) has issued a formal warning to several Virtual Asset Service Providers (VASPs). This warning was issued following supervisory reviews conducted in 2024 and 2025, which uncovered major weaknesses in their Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Business Risk Assessments (BRA).
VASPs Fail to Address Emerging Risks
VARA identified several deficiencies in the operations of VASPs, including their failure to maintain proper documentation and employ data-driven methodologies for risk assessments. Many firms were found relying on unrealistic residual risk ratings, ignoring threats such as:
- Proliferation Financing (PF)
- Targeted Financial Sanctions (TFS)
- Misuse of Artificial Intelligence (AI)
VARA stressed the importance of addressing these emerging risks immediately.
Compliance Obligations Under Rule III.D
To strengthen compliance, VARA’s new circular outlined requirements under Rule III.D of the Compliance and Risk Management Rulebook. Key mandates include:
- Developing a transparent, Board-approved methodology for assessing risks.
- Clearly defining risk categories, scoring scales, and weighting logic.
- Incorporating sectoral and national findings into VASP internal systems.
Integration with National Risk Assessments
The circular requires alignment with the UAE National Risk Assessment (NRA) and other sectoral reports. VARA stated that outcomes from the NRA must directly influence:
- AML/CFT policies
- Client risk models
- Transaction monitoring systems
VASPs must also conduct quarterly reviews of all risk assessments, documenting outcomes and maintaining version control for transparency and accountability.
Quarterly Reviews and Thematic Review in 2026
VARA has mandated quarterly reassessments to ensure risk frameworks remain up-to-date. These updates must consider:
- Client activity
- New product launches
- Jurisdictional exposure
Looking ahead, VARA confirmed a thematic review of all BRA frameworks in Q2 2026. Firms failing to provide credible, data-driven assessments will face a 30-day deadline to rectify issues, with potential supervisory or enforcement measures for non-compliance.
Disclaimer
Disclaimer: The information presented in this article is for informational and educational purposes only. It does not constitute financial advice or advice of any kind. Readers are encouraged to exercise caution before making any decisions related to the companies or services mentioned.