UAE federal AML law: Compliance guide for crypto firms

April 30, 2026

TL;DR:

  • The UAE's 2025 AML law explicitly includes virtual asset service providers and imposes stricter penalties.
  • VASPs must obtain licensing from VARA, SCA, or CBUAE, depending on their activity and jurisdiction.
  • Mandatory AML controls include customer due diligence, transaction monitoring, Travel Rule compliance, and record-keeping.

The UAE's regulatory landscape shifted decisively on 14 October 2025, when Federal Decree-Law No. (10) of 2025 replaced the previous anti-money laundering framework and imposed significantly stricter obligations on virtual asset service providers (VASPs). For crypto start-ups and established exchanges operating in or from the UAE, the stakes are now considerably higher: fines can reach AED 100 million per entity, and individual compliance officers face direct personal liability. This guide breaks down what has changed, which regulatory authorities govern your licence, and exactly what your firm must do to remain compliant in 2026.


Key Takeaways

| Point | Details |
| --- | --- |
| Latest AML law | Federal Decree-Law No. (10) of 2025 redefines AML requirements for crypto firms and VASPs in the UAE. |
| Multiple regulators | VARA, SCA/CMA, and CBUAE each govern specific VASP activities; choose licensing routes carefully. |
| Practical compliance steps | Risk assessments, officer appointments, transaction monitoring, and Travel Rule compliance are mandatory. |
| High penalties | Recent enforcement means penalties up to AED 100M and personal liability for officers. |
| Tailored AML programs | Crypto start-ups must adapt AML frameworks to virtual asset-specific risks and regulatory nuances. |

Decoding UAE federal AML law: What's changed?

The foundational shift begins with the legislation itself. Federal Decree-Law No. (10) of 2025, which repeals and replaces Decree-Law No. (20) of 2018, came into force on 14 October 2025. For any VASP operating in the UAE, this is not a routine amendment. It represents a structural overhaul of the anti-money laundering and combating the financing of terrorism (AML/CFT) framework, with expanded scope, updated definitions, and materially heavier penalties.

What has actually changed under the new law?

The 2025 law broadens the definition of "financial institutions" and "designated non-financial businesses and professions" (DNFBPs) to explicitly capture virtual asset service providers. This removes any ambiguity that existed under the 2018 framework regarding whether certain crypto activities fell within the statutory remit of the law. It also introduces a more granular penalty structure, differentiating between entity-level and individual-level liability in ways the prior law did not.

Key amendments and features of Decree-Law No. (10) of 2025:

  • Explicit inclusion of VASPs as regulated persons under the AML/CFT framework
  • Strengthened provisions on beneficial ownership verification and politically exposed persons (PEPs)
  • Enhanced data-sharing obligations, including mandatory Travel Rule compliance
  • Tiered penalty structure for entities and natural persons, including criminal sanctions
  • Expanded grounds for licence suspension and revocation tied to AML failures
  • Alignment with updated Financial Action Task Force (FATF) recommendations

The timing of this legislation is not coincidental. The UAE's post-FATF grey list exit was a significant milestone, and authorities are now demonstrating sustained enforcement commitment to avoid any regression. Regulators across the Emirates have visibly increased inspection frequency, enforcement actions, and supervisory expectations for VASPs.

| Framework element | Decree-Law No. (20) of 2018 | Decree-Law No. (10) of 2025 |
| --- | --- | --- |
| VASP inclusion | Implicit/limited | Explicit and defined |
| Individual liability | Limited | Full personal criminal exposure |
| Penalty ceiling (entity) | AED 50M | AED 100M |
| Travel Rule obligation | Regulatory guidance only | Statutory obligation |
| Beneficial ownership | General requirement | Detailed, enhanced requirement |

The practical implication is straightforward: compliance programmes that were technically adequate under the 2018 law may no longer satisfy the 2025 requirements. Any VASP that has not conducted a full gap analysis against the new legislation should treat this as an immediate priority. Our virtual asset AML compliance guide provides a structured starting point for that review.


Regulatory authorities and VASP licensing: Navigating the landscape

Understanding which authority regulates your business is essential before you can build a compliant AML programme. The UAE operates a multi-regulator model for virtual assets, and the correct licensing route depends on your jurisdiction of incorporation, the nature of your activities, and the client base you intend to serve.

Licensing regimes across UAE authorities

1. Virtual Assets Regulatory Authority (VARA)

VARA holds statutory remit over virtual asset activities conducted in Dubai onshore (outside financial free zones). It issues licences across seven activity categories, including exchange, broker-dealer, custody, lending, and management and investment services. All VARA licensees must operate under VARA's AML rulebook, which incorporates the obligations under the 2025 Federal AML Law and VARA's own Compliance and Risk Management Rulebook. More detail on VARA's structure is available in our VARA regulator profile.

2. Securities and Commodities Authority (SCA) and Capital Markets Authority (CMA)

The SCA governs VASPs operating onshore across the seven emirates outside Dubai, while the CMA label applies in certain policy contexts. SCA-regulated VASPs must comply with SCA's virtual asset regulations and the federal AML law. The SCA licensing and compliance framework has its own application pathway and documentation requirements distinct from VARA.

3. Central Bank of the UAE (CBUAE)

The CBUAE supervises payment token service providers and crypto firms that conduct payment-related activities. Its regulatory framework intersects with AML obligations particularly around stored value facilities and licensed exchange businesses.

4. Financial free zones: DIFC and ADGM

The Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) operate separate but aligned AML regimes through the Dubai Financial Services Authority (DFSA) and Financial Services Regulatory Authority (FSRA) respectively. While these free zones maintain independent rulebooks, their AML standards are substantively consistent with federal requirements.

Steps to obtain a VASP licence

  1. Determine the appropriate regulatory authority based on your planned activity and jurisdiction
  2. Prepare the corporate structure and verify that entity type meets regulator requirements
  3. Draft AML/CFT policies, governance frameworks, and compliance manuals
  4. Prepare fit-and-proper documentation for key personnel, including the Money Laundering Reporting Officer (MLRO)
  5. Submit a formal licence application with all required annexures and supporting evidence
  6. Respond to regulator queries and complete any requested assessments or interviews
  7. Receive conditional approval and implement any pre-licence conditions
  8. Obtain full licence and commence regulated activity under ongoing supervisory obligations

VASPs must obtain licences from the relevant authority and demonstrate compliance with AML/CFT mandates, including risk-based programmes, customer due diligence, and Travel Rule implementation, before and after approval. Our team guides clients through the full VARA licensing process from pre-application to post-approval.

Pro Tip: Your choice of regulatory authority has long-term operational consequences. VARA is generally favoured by exchanges and custody providers targeting Dubai's retail and institutional markets. If you are structuring a payment token or remittance product, CBUAE licensing may be the primary route, sometimes alongside a VARA licence for the broader virtual asset activity.


Core AML compliance requirements for VASPs

Once licensed, or preparing for licensing, VASPs face a defined set of AML obligations. These are not aspirational standards. They are legally mandated, auditable requirements that regulators actively verify through inspections, data requests, and supervisory reviews.

Mandatory obligations for licensed VASPs

The key mechanics for VASPs include appointing a qualified Compliance Officer and MLRO, establishing an enterprise-wide risk assessment programme, implementing transaction monitoring systems, conducting thorough sanctions screening, verifying beneficial ownership, and maintaining records for the statutory minimum period.

Breaking this down into actionable requirements:

  • Compliance Officer and MLRO appointment: The individual must meet the fit-and-proper criteria of your licensing authority. Under the 2025 law, this officer carries direct personal liability for systemic compliance failures, not merely the entity.
  • Enterprise-wide risk assessment: For VARA licensees, formal risk assessments are required at least quarterly. These must factor in customer risk, product risk, geographic risk, and delivery channel risk, using a documented methodology.
  • Customer due diligence (CDD) and enhanced due diligence (EDD): Standard CDD applies to all customers. EDD is triggered for PEPs, high-risk jurisdictions, complex ownership structures, and unusually large or atypical transactions.
  • Sanctions screening: All customers and counterparties must be screened against UAE Cabinet Resolution No. (74) of 2020 lists, UN Security Council sanctions, and applicable international lists in real time.
  • Beneficial ownership verification: VASPs must identify and verify the ultimate beneficial owners of corporate clients down to at least the 25% ownership threshold, and document the full ownership chain.
  • Suspicious transaction reports (STRs): Firms must file STRs with the UAE Financial Intelligence Unit (goAML platform) promptly when suspicion arises. Critically, no tipping-off: you cannot inform the subject of the report or any connected party.
  • Record-keeping: All customer records, transaction data, and due diligence documents must be retained for a minimum of five years from the date of the transaction or the end of the business relationship, whichever is later.

The Travel Rule applies to virtual asset transfers above AED 3,500 and requires originating VASPs to transmit specified customer data to the beneficiary VASP. This includes the originator's full name, account/wallet identifier, and address or national identity number, at minimum.

"A compliance programme that cannot demonstrate measurable controls, documented risk assessments, and verifiable records is not a programme. It is a policy document. Regulators distinguish between the two."

Compliance requirements for virtual asset custodians and platform operator compliance requirements carry additional activity-specific obligations layered on top of the baseline AML duties described here.

Pro Tip: When building your transaction monitoring ruleset, configure alerts not only for threshold-based triggers but also for behavioural patterns specific to crypto, such as rapid layering across wallets, peel-chain activity, or sudden transaction frequency changes. Generic bank-oriented rulesets will miss crypto-native typologies entirely.


Enforcement, edge cases, and high-risk scenarios

The enforcement climate in 2026 is fundamentally different from even two years ago. Regulators are not issuing warnings where financial penalties and licence suspensions are warranted.

The enforcement reality

Q4 2025 enforcement data shows the CBUAE imposed a fine of AED 3 million on a bank and over AED 4.1 million on licensed exchange houses for AML deficiencies. More significantly, the virtual asset sector as a whole faced penalties exceeding AED 150 million during that same quarter. Entity-level fines under the 2025 law can reach AED 100 million per infringement.

Individual officers face a separate track. Compliance officers, MLROs, and directors who are found personally liable for systematic AML failures can face criminal prosecution, substantial personal fines, and prohibition from holding regulated roles.

High-risk scenarios requiring enhanced controls

Enhanced measures are required when you encounter any of the following:

  • Politically exposed persons (PEPs) and close associates: EDD is mandatory, including senior management approval for onboarding and enhanced ongoing monitoring of the relationship.
  • High-risk jurisdictions: Countries on FATF's grey or black lists require additional verification steps, source of funds documentation, and more frequent relationship reviews.
  • Privacy coins and mixing services: Transactions involving privacy-preserving tokens (such as Monero or Zcash) or coin-mixing protocols present source-of-funds challenges that often cannot be resolved to a satisfactory AML standard. Many VARA licensees have chosen to delist these assets entirely.
  • Trade-based money laundering (TBML): Cross-border transactions that combine virtual assets with trade finance structures require particular scrutiny for over- or under-invoicing patterns.
  • Cybercrime proceeds: Where blockchain analytics identify wallet addresses linked to known hacks, ransomware, or darknet markets, the VASP must not process the transaction and must consider filing an STR.
  • Suspicious wallet monitoring: Ongoing screening against updated blockchain analytics databases is required, not a one-time check at onboarding.

"The obligation to file an STR does not remove the obligation to monitor. Filing and then continuing to process transactions with the same counterparty without further action is itself a compliance failure."

Compliance requirements for virtual asset brokers are particularly affected by these edge cases, given the counterparty-intensive nature of brokerage activity and the frequency of cross-border flows.


What most VASPs overlook: Risk tailoring and practical strategies

Many crypto firms approach AML compliance by adapting frameworks designed for traditional finance. This is a structural error. Virtual asset risks are categorically different: pseudonymous wallet addresses, cross-chain swaps, DeFi interactions, and global liquidity pools require controls that generic bank-derived programmes simply do not contemplate.

The most effective approach integrates findings from the UAE's National Risk Assessment (NRA) directly into your firm's own risk methodology. The NRA identifies specific virtual asset typologies the UAE considers highest priority. Ignoring this document means your risk assessment will not reflect the threat landscape regulators expect you to have mapped.

Crypto VASPs must prioritise risk-based AML controls tailored to virtual asset risks, incorporating NRA findings and ensuring Travel Rule compliance is operational before regulators request evidence of it. Blockchain analytics tools, specifically those with wallet-screening and cluster-analysis capabilities, are no longer optional. They are the practical infrastructure behind any credible monitoring programme.

Documentation matters as much as controls. Before a regulator visits, you need to be able to demonstrate, with contemporaneous records, that your controls were applied consistently, that exceptions were escalated, and that your risk assessments are reviewed and updated at defined intervals. Review your AML risk assessment best practices to ensure your methodology is aligned with what regulators expect to see in practice.


Expert guidance for UAE AML compliance and VASP licensing

Navigating the 2025 AML law, selecting the right regulatory authority, and building a compliant operational framework simultaneously is a substantial undertaking for any VASP. CRYPTOVERSE Legal Consultancy provides specialist legal support at every stage of this process.

https://cryptoverselawyers.io

Whether you are applying for a VARA licence or seeking SCA licensing for onshore activities outside Dubai, our team drafts AML/CFT policies, prepares compliance manuals, advises on MLRO appointments, and manages regulatory submissions from first contact through to approval. We also provide ongoing compliance monitoring support and digital asset legal consulting for firms managing complex cross-border operations. Contact CRYPTOVERSE Legal to begin a structured compliance review for your business.


Frequently asked questions

What is the main regulatory authority for AML compliance in Dubai?

The Virtual Assets Regulatory Authority (VARA) oversees AML compliance for VASPs licensed in Dubai onshore, while the DFSA governs firms within the DIFC free zone, and other emirates fall under the SCA's supervisory remit.

What are the main AML requirements for UAE VASPs?

VASPs must implement risk-based AML programmes covering CDD, EDD, transaction monitoring, Travel Rule compliance, STR filing, sanctions screening, beneficial ownership verification, and record retention for a minimum of five years.

What triggers enhanced AML controls for VASPs?

Enhanced due diligence is mandatory when dealing with PEPs, high-risk jurisdictions, privacy coin transactions, mixer-linked wallets, or any customer profile or transaction that presents elevated money laundering or terrorism financing risk.

What penalties can a UAE VASP face for AML breaches?

Entity-level fines can reach AED 100M per infringement, with Q4 2025 virtual asset sector penalties exceeding AED 150 million in total. Individual compliance officers face criminal prosecution and personal fines in cases of systemic failure.