A Guide to AML Laws for VASPs in UAE: At a Glance
Virtual Asset Service Providers in the UAE are expected to implement a robust AML/CFT/CPF framework under Federal Decree-Law No. (10) of 2025 and Cabinet Resolution No. (134) of 2025, with supervisory expectations shaped by the relevant licensing and regulatory perimeter. For VASPs, compliance is not limited to onboarding checks, but it requires total compliance with AML laws for VASPs in UAE. It must cover wallet and counterparty risk, sanctions exposure, ongoing monitoring, escalation quality, and defensible recordkeeping throughout the customer lifecycle.
Virtual Asset Services Covered Under the AML Laws in UAE
This guide is for UAE-based or UAE-facing virtual asset businesses that fall within a VASP compliance perimeter, including leadership, MLROs, compliance teams, operations, and product owners.
The AML Laws are applicable to Virtual Asset Services Providers engaged in the following activities:
- Exchange between Virtual Assets and fiat currencies.
- Exchange between one or more types of Virtual Assets.
- Transfer of Virtual Assets.
- Safekeeping or administration of Virtual Assets or instruments enabling control over Virtual Assets.
- Provision of financial services or activities related to an issuer’s offer or sale of Virtual Assets, or participation therein.
- Any other activities or operations as may be determined by a resolution issued by the Supervisory Authority, in coordination with the National Committee.
Get in touch with us to avail GRC Services in UAE.
AML Laws Applicable to VASPs:
Here is the list of AML Laws applicable to VASPs:
Federal AML/CFT Laws:
UAE National Risk Assessment:
UAE ML/FT National Risk Assessment
FATF Guidance Applicable to VASPs:
Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs (October 2021)
Second 12-Month Review of the Revised FATF Standards on Virtual Assets and VASPs (July 2021)
Common Guidance for All Reporting Entities including VASPs:
Terrorist and Proliferation Financing Red Flags Guidance, December 2023
Guidance on Counter Proliferation Financing for FIs, DNFBPs and VASPs, November 2022
Joint Guidance (Satisfactory/Unsatisfactory Practice), June 2021
FIU Strategic Analysis Report on Terrorist Financing, May 2025
AML/CFT/CPF Legal Framework for VASPs in the Emirate of Dubai:
The Virtual Asset Regulatory Authority (VARA) is the Supervisory Authority for VASPs operating in or from Dubai. These entities must follow the VARA’s Compliance and Risk Management Rulebook, in addition to the Federal Decree Law, Cabinet Resolutions, the UAE National Risk Assessment, and FATF guidance.
AML/CFT/CPF Legal Framework for VASPs in the UAE (Except in the Emirate of Dubai):
The VASPs operating from the UAE (except for Dubai) are subject to AML supervision by the Capital Market Authority. These entities must follow the following guidelines in addition to the Federal Decree Law, Cabinet Resolutions, the UAE National Risk Assessment, and FATF guidance:
- CMA Guidelines for Combating Money Laundering, Counter-Terrorism Financing, and Funding of Illegal Organisations (Chapter 5 of the Board of Directors’ Decision No. (13/Chairman) of 2021)
- Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions – July 2023
- Guidelines: Regulations of Virtual Assets and VASPs (2023)
- Circular on CMA’s Examination Observation Report
- Minimum Standards for Semi-Annual Anti-Money Laundering and Counter-Terrorism Financing Report 2023
- CMA Instructions: 2024 Annual Return AML/CFT and TFS Risk Assessment
- CMA Questions and Answers – NRA
AML/CFT/CPF Compliance Requirements for VASPs
For Virtual Asset Service Providers, legal compliance should be translated into an operating framework with five control layers.
1. Governance and oversight
Clear accountability, policy ownership, approval governance, and management information reporting.
2. Risk assessment architecture
Enterprise-Wide Risk Assessment and customer risk assessment methodology aligned to UAE legal and risk guidance.
3. Preventive controls
CDD, EDD, screening, and onboarding controls with documented rationale.
4. Detective and escalation controls
Monitoring, alert handling, internal escalation, and suspicious reporting readiness.
5. Assurance and evidence
Recordkeeping, training, periodic testing, issue tracking, and remediation proof.
This is the most effective way to operationalise AML Regulations for VASPs in UAE and demonstrate control effectiveness.
Step-by-Step Implementation Framework for VASPs
Step 1: Build a VASP legal obligations register
Map each obligation to source instrument, control objective, owner, and evidence standard.
Step 2: Create a VASP risk methodology
Design enterprise and customer risk scoring that reflects virtual asset-specific risks.
Step 3: Operationalise onboarding controls
Translate policy into workflow steps with clear EDD triggers and approvals.
Step 4: Calibrate monitoring and screening
Implement risk-based scenarios and clear disposition standards for alerts.
Step 5: Strengthen escalation quality
Use structured case narratives and documented decision governance.
Step 6: Test and remediate
Perform periodic control testing and close findings with evidence.
Step 7: Build management information discipline
Track metrics such as alert ageing, false positive ratios, review backlog, and escalation outcomes.
FAQs: UAE Cabinet Resolution No. 134 of 2025 under Federal Decree Law No. 10 of 2025
What are AML Laws for VASPs in UAE in practical terms?
AML Laws for VASPs in the UAE require VASPs to implement a risk-based AML/CFT/CPF framework covering due diligence, monitoring, screening, escalation, reporting, and recordkeeping with clear governance and evidence.
What is the difference between AML Laws and AML Regulations for VASPs in UAE?
In operational terms, laws set the legal duty and enforcement basis, while regulations and supervisory frameworks guide how duties should be implemented and evidenced.
Do VASP obligations stop at onboarding?
No. Ongoing monitoring, screening, escalation, and reporting quality across the full customer lifecycle are critical.
Why should VASPs align to NRA and SRA direction?
Because the NRA and SRA provide risk intelligence which supports risk-based control design and helps justify enhancements to certain controls.
