Regulation & Policy
Share
MW
Attorney at Law, Senior Associate
As Dubai sharpens its position as a globally compliant hub for virtual assets, the Virtual Assets Regulatory Authority (VARA) has introduced Version 2.0 of its Compliance and Risk Management Rulebook. This updated framework ushers in a new era of proactive, risk-based Anti-Money Laundering (AML) obligations for Virtual Asset Service Providers (VASPs).
Following a request from Unlock Blockchain to clarify the latest updates to VARA’s Rulebook, this article was authored by KARM Legal Consultants. It aims to interpret and simplify the technical amendments while preserving their legal and regulatory depth, making them accessible to crypto builders, compliance professionals, and investors in the MENA region
VARA’s rulebook is designed to align Dubai's virtual asset ecosystem with international AML/CFT standards. Version 2.0 reflects growing global pressures to strengthen compliance, prevent illicit finance, and integrate emerging technologies into regulatory oversight.
A key innovation in the new rulebook is the mandatory frequency of business and client risk assessments. VASPs must now conduct assessments at least once every three months, or immediately following any significant change in operations, technology, or market conditions. The scope has expanded to explicitly include Artificial Intelligence (AI), Money Laundering (ML) technologies, and other emerging risks.
VARA is making it clear that compliance cannot be a paper exercise. The outcomes of risk assessments must now demonstrably shape AML strategies, controls, and resource allocation. VASPs must create a clear audit trail from risk identification to mitigation, subject to VARA scrutiny.
Disclaimer of Warranty
The information provided in this article is for general informational purposes only. We make no warranties about the completeness, reliability, and accuracy of this information. Read full disclaimer
Client-level AML scrutiny has been heightened. VASPs are required to assign risk ratings using defined criteria and take tailored actions based on each client’s profile. For high-risk clients or politically exposed persons (PEPs), Enhanced Due Diligence (EDD) measures are now codified. These include verifying the source of funds and wealth, senior management approval, transaction origination from regulated institutions, and residential address verification.
Suspicious transaction reports (STRs) must now be filed solely with the UAE Financial Intelligence Unit (FIU) via the GoAML platform. While VARA retains oversight through format and guidance requirements, this shift centralizes enforcement under the federal authority, potentially simplifying reporting flows while maintaining accountability.
VARA’s revised rulebook reinforces compliance with the Travel Rule in alignment with UAE Federal AML-CFT laws. VASPs must report on Travel Rule adherence in accordance with both VARA requirements and federal obligations, with VARA retaining the discretion to impose additional reporting and technical standards as needed.
VASPs are now required to screen all clients and transactions against UNSC and UAE sanctions lists using automated, real-time systems. They must immediately freeze assets upon identifying a match, block and prohibit all transactions involving sanctioned individuals or entities, including any attempt to circumvent sanctions, and retain detailed records of all related actions for a minimum of eight years.
In a significant enforcement development, VARA reserves the right to take action not only against VASPs but also against directors, MLROs, and senior management for non-compliance. This accountability layer places a renewed emphasis on compliance culture within organizations.
VARA’s AML/CFT reforms under Version 2.0 represent more than incremental changes—they mark a strategic shift toward a preventative and intelligence-driven compliance regime. VASPs operating in or from Dubai must now demonstrate deep alignment with both federal and international standards, supported by advanced technologies, clear documentation, and accountable leadership. Failure to do so is no longer a matter of internal deficiency, but a potential regulatory breach with personal consequences.
Editor's Picks
UAE Stablecoins: Why They Are Built to Travel, Not Stay Local
Walid Abou Zaki
Feb 28, 2026
8 min
The Central Bank of the UAE Clearing the Noise Around Article 62
Walid Abou Zaki
Feb 25, 2026
5 min
Europe’s Crypto Purge: Did Lithuania Just Kick Out Innovation — and is the UAE the Beneficiary?
Salma Naueihed
Feb 18, 2026
7 min
Read More Articles
In the Same Space
VARA Issues Alert Against MEXC Over Unlicensed Activity
News Desk
Mar 6, 2026
2 min
Binance, Iran, and the Question of Narrative at a Critical Moment
News Desk
Feb 26, 2026
5 min
Trump on Stablecoin Yield Dispute: “Americans Should Earn More Money on Their Money” as Clarity Act Stalls
News Desk
Mar 4, 2026
3 min
Turkey Proposes 10 Percent Crypto Income Tax as Part of Major Regulatory Overhaul
News Desk
Mar 3, 2026
2 min
