- Dubai’s Virtual Assets Regulatory Authority (VARA) has warned VASPs of “major weaknesses” in their AML/CFT risk assessments.
- The regulator found firms were failing to address new threats like AI, Proliferation Financing (PF), and Targeted Financial Sanctions (TFS).
- VARA is now mandating quarterly reviews of these assessments and will conduct a thematic review in Q2 2026, with enforcement to follow.
Dubai’s Virtual Assets Regulatory Authority (VARA) has issued a formal warning to several Virtual Asset Service Providers (VASPs). The warning follows supervisory reviews in 2024 and 2025 that found “major weaknesses” in their Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Business Risk Assessments (BRA).
Related: VARA Penalizes 19 Crypto Firms for Operating Without Licenses in Dubai
Firms Failed to Address AI, Proliferation Financing Risks
VARA stated that multiple VASPs failed to maintain proper documentation and data-driven methodologies for their risk assessments. Several entities were found using unrealistic residual risk ratings.
Crucially, the regulator noted that firms were disregarding new and emerging threats. These include proliferation financing (PF), targeted financial sanctions (TFS), and the misuse of artificial intelligence (AI).
The new circular clarifies obligations under Rule III.D of the Compliance andRisk Management Rulebook. It mandates that every VASP must develop a transparent, Board-approved methodology for assessing these risks. This framework must define clear risk categories, scoring scales, and weighting logic.
Related: VARA Volume Hits Dh2.5 Trillion as Dubai Targets Top Three Global Hub Status
Mandate Requires NRA Integration, Quarterly Reviews
VARA also stated that these risk assessments must align with national and sectoral findings. Each VASP is now required to incorporate outcomes from the UAE National Risk Assessment (NRA) and other sectoral reports into its internal BRA and client risk frameworks.
The circular mandates that these BRA outcomes must “feed directly” into all AML/CFT policies, client risk models, and transaction monitoring systems. VASPs must also document all quarterly reviews and maintain version control of their assessments.
VARA Sets Q2 2026 Deadline for Thematic Review
These quarterly reassessments are now mandatory to ensure each BRA remains current. VARA expects providers to review all recent data, including client activity, new product launches, and jurisdictional exposure, at least quarterly.
VARA confirmed it will conduct a thematic review of all BRA frameworks in the second quarter of 2026. Firms that fail to provide a credible, data-driven assessment will be given 30 days to rectify deficiencies before facing potential supervisory or enforcement measures.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
