A Guide to AML Laws for VASPs in UAE: At a Glance
Virtual Asset Service Providers in the UAE are expected to implement a robust AML/CFT/CPF framework under Federal Decree-Law No. (10) of 2025 and Cabinet Resolution No. (134) of 2025, with supervisory expectations shaped by the relevant licensing and regulatory perimeter. For VASPs, compliance is not limited to onboarding checks, but it requires total compliance with AML laws for VASPs in UAE. It must cover wallet and counterparty risk, sanctions exposure, ongoing monitoring, escalation quality, and defensible recordkeeping throughout the customer lifecycle.
Virtual Asset Services Covered Under the AML Laws in UAE
This guide is for UAE-based or UAE-facing virtual asset businesses that fall within a VASP compliance perimeter, including leadership, MLROs, compliance teams, operations, and product owners.
The AML Laws are applicable to Virtual Asset Services Providers engaged in the following activities:
- Exchange between Virtual Assets and fiat currencies.
- Exchange between one or more types of Virtual Assets.
- Transfer of Virtual Assets.
- Safekeeping or administration of Virtual Assets or instruments enabling control over Virtual Assets.
- Provision of financial services or activities related to an issuer’s offer or sale of Virtual Assets, or participation therein.
- Any other activities or operations as may be determined by a resolution issued by the Supervisory Authority, in coordination with the National Committee.
Get in touch with us to avail GRC Services in UAE.
AML Laws Applicable to VASPs:
Here is the list of AML Laws applicable to VASPs:
- Federal Decree-Law No. (10) of 2025 Regarding Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing
- Cabinet Resolution No. (134) of 2025 Regarding the Executive Regulations of Federal Decree-Law No. (10) of 2025
- Federal Law No. (7) of 2014 on Combating Terrorism Offences
- Cabinet Resolution No. (74) of 2020 Regulating Terrorist Lists and Implementation of UN Security Council Resolutions
- Cabinet Resolution No. (71) of 2024 Regulating Violations and Administrative Penalties (MoJ and MoE supervised entities)
- Cabinet Decision No. (109) of 2023 on Regulating Beneficial Owner Procedures
- Cabinet Resolution No. (132) of 2023 on Administrative Penalties for Violations of Beneficial Owner Procedures
UAE National Risk Assessment:
UAE ML/FT National Risk Assessment
FATF Guidance Applicable to VASPs:
- Virtual Assets: Targeted Update on Implementation of the FATF Standards on VAs and VASPs (9 July 2024)
- Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs (October 2021)
- Second 12-Month Review of the Revised FATF Standards on Virtual Assets and VASPs (July 2021)
- Public-Private Partnership Sub-Committee/NAMLCFTC report: Rising Use of Virtual Currencies by Criminals to Launder Their Illegal Profit
Common Guidance for All Reporting Entities including VASPs:
- Guidance on Targeted Financial Sanctions for Financial Institutions, DNFBPs and VASPs (EOCN), July 2025
- Proliferation Finance Institutional Risk Assessment Guidance for FIs, DNFBPs and VASPs, December 2023
- Terrorist and Proliferation Financing Red Flags Guidance, December 2023
- Guidance on Counter Proliferation Financing for FIs, DNFBPs and VASPs, November 2022
- Joint Guidance on Combating the Use of Unlicensed Virtual Asset Service Providers in the UAE, November 2023
- Joint Guidance (Satisfactory/Unsatisfactory Practice), June 2021
- FIU Strategic Analysis Report on Terrorist Financing, May 2025
AML/CFT/CPF Legal Framework for VASPs in the Emirate of Dubai:
The Virtual Asset Regulatory Authority (VARA) is the Supervisory Authority for VASPs operating in or from Dubai. These entities must follow the VARA’s Compliance and Risk Management Rulebook, in addition to the Federal Decree Law, Cabinet Resolutions, the UAE National Risk Assessment, and FATF guidance.
AML/CFT/CPF Legal Framework for VASPs in the UAE (Except in the Emirate of Dubai):
The VASPs operating from the UAE (except for Dubai) are subject to AML supervision by the Capital Market Authority. These entities must follow the following guidelines in addition to the Federal Decree Law, Cabinet Resolutions, the UAE National Risk Assessment, and FATF guidance:
- CMA Guidelines for Combating Money Laundering, Counter-Terrorism Financing, and Funding of Illegal Organisations (Chapter 5 of the Board of Directors’ Decision No. (13/Chairman) of 2021)
- Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions – July 2023
- Guidelines: Regulations of Virtual Assets and VASPs (2023)
- Circular on CMA’s Examination Observation Report
- Minimum Standards for Semi-Annual Anti-Money Laundering and Counter-Terrorism Financing Report 2023
- CMA Instructions: 2024 Annual Return AML/CFT and TFS Risk Assessment
- CMA Questions and Answers – NRA
AML/CFT/CPF Compliance Requirements for VASPs
For Virtual Asset Service Providers, legal compliance should be translated into an operating framework with five control layers, supported by independent review and advisory oversight from GRC advisors.
1. Governance and oversight
Clear accountability, policy ownership, approval governance, and management information reporting.
2. Risk assessment architecture
Enterprise-Wide Risk Assessment and customer risk assessment methodology aligned to UAE legal and risk guidance.
3. Preventive controls
KYC and CDD framework, EDD, screening, and onboarding controls.
4. Detective and escalation controls
STR and goAML reporting readiness.
5. Assurance and evidence
Recordkeeping, training, periodic testing, issue tracking, and remediation proof.
This is the most effective way to operationalise AML Regulations for VASPs in UAE and demonstrate control effectiveness.
Step-by-Step Implementation Framework for VASPs
Step 1: Build a VASP legal obligations register
Map each obligation to source instrument, control objective, owner, and evidence standard.
Step 2: Create a VASP risk methodology
Enterprise ML/TF/PF risk assessment and customer risk scoring.
Step 3: Operationalise onboarding controls
Translate policy into workflow steps with clear EDD triggers and approvals.
Step 4: Calibrate monitoring and screening
Implement risk-based scenarios and clear disposition standards for alerts.
Step 5: Strengthen escalation quality
Use structured case narratives and documented decision governance.
Step 6: Test and remediate
Perform periodic control testing and close findings with evidence.
Step 7: Build management information discipline
Track metrics such as alert ageing, false positive ratios, review backlog, and escalation outcomes.
FAQs: AML Laws for VASPs in UAE
What are AML Laws for VASPs in UAE in practical terms?
AML Laws for VASPs in the UAE require VASPs to implement a risk-based AML/CFT/CPF framework covering due diligence, monitoring, screening, escalation, reporting, and recordkeeping with clear governance and evidence.
What is the difference between AML Laws and AML Regulations for VASPs in UAE?
In operational terms, laws set the legal duty and enforcement basis, while regulations and supervisory frameworks guide how duties should be implemented and evidenced.
Do VASP obligations stop at onboarding?
No. Ongoing monitoring, screening, escalation, and reporting quality across the full customer lifecycle are critical.
Why should VASPs align to NRA and SRA direction?
Because the NRA and SRA provide risk intelligence which supports risk-based control design and helps justify enhancements to certain controls.
