November 14, 2025

What VARA’s Latest Circular Means for VASPs: Integrating the UAE’s National Risk Assessment into Practice

by Harshil Agarwal, Pankhuri Malhotra, Soham Jethani, and Hena Ayisha

in Articles
UAE NRA Cover Image

Key Takeaways:

  • The UAE’s second National Risk Assessment, published in April 2025, identifies virtual assets as a high-risk sector alongside banking, real estate, and precious metals.
  • VARA has translated these federal AML/CFT obligations into binding requirements for VASPs, mandating that Business Risk Assessments (BRA) be updated at least every three months and following any material business change.
  • The VARA circular issued on 7 November 2025 reinforces and clarifies these expectations, requiring all VASPs to integrate NRA findings into their BRA and to maintain documented quarterly reviews with Board oversight and version control.
  • Compliance now extends beyond documentation, VASPs must demonstrate tangible alignment between their risk assessments and onboarding, transaction monitoring, and internal audit frameworks.
  • The NRA underscores the UAE’s approach to treating virtual assets as a mature financial service sector, creating both higher compliance expectations and greater long-term stability for the industry.

The United Arab Emirates (“UAE“) has firmly established itself as a global leader in virtual asset regulation with multiple regulators. Dubai’s Virtual Assets Regulatory Authority (“VARA“) has issued 39 active licences and 6 in-principle approvals to virtual asset service providers (“VASPs“) as of the date of this article[1] and numerous other entities are currently navigating the licensing process. The Securities and Commodities Authority (“SCA“) has issued 2 licenses under its VASP regime,[2]  and the Central Bank of UAE (“CBUAE“) granted the first in-principle approval for a payment token service provider in 2024.[3]

Against this backdrop of rapid growth, the UAE’s release of its second National Risk Assessment (“NRA“) in April 2025 provides a clear picture of how regulators view virtual asset risks and what this means for business operations.

What is the UAE National Risk Assessment?

The NRA is essentially a country’s financial crime “health check”, a comprehensive evaluation of a country’s exposure to money laundering, terrorist financing, and proliferation financing risks. This assessment acts as an evidence-based foundational element for the national approach to anti-money laundering (“AML“) and countering terrorism financing (“CTF“), as required by the Financial Action Task Force (“FATF“). The assessment serves multiple critical functions: it guides regulators in making informed policymaking aligned to the country’s risk landscape, and provides the foundation for risk-based compliance approaches across all sectors.[4]

In the UAE, this exercise is led by the National Anti-Money Laundering and Combatting Financing of Terrorism and Financing of Illegal Organizations Committee (“NAMLCFTC“). The first formal NRA was conducted in 2018, and it was updated with sectoral-specific risk assessments in 2019. Chronologically, this coincides with the promulgation of the UAE’s current anti-money laundering laws, specifically the Federal Decree Law No. (20) of 2018[5] (“Federal AML Law“) and the Cabinet Decision No. (10) of 2019[6] (“Implementing Regulation“). This process was initiated again towards the end of 2022, with an updated methodology adopted from the World Bank, culminating in the second NRA’s publication in April 2025.[7]

Key Findings of the 2025 NRA: Where the Risks Lie

While recognising the UAE as a leader in the digital economy, the 2025 NRA highlights virtual assets as a priority area, identifying it as a high-risk sector alongside the banking sector, real estate sector, dealers in precious metals and stones, and exchange houses.

For the virtual asset sector specifically, the NRA highlights the following vulnerabilities:

  • Cyberattacks on blockchain networks;
  • Use of virtual assets by international criminal networks;
  • Regulatory gaps reducing the effectiveness of supervision activities;
  • Geographical risks from simplified cross-border transactions; and
  • Infrastructure risks related to smart contracts (such as malware and data theft).

The NRA’s treatment of virtual assets reflects a nuanced understanding of the sector’s unique risk profile. Rather than viewing all virtual asset activities as uniformly risky, the assessment identifies specific vulnerabilities that VASPs must address.

The Regulatory Response: How Laws Require Integration of the NRA

Understanding the NRA’s findings is only the first step. UAE law explicitly requires VASPs to integrate these findings into their business operations, creating binding obligations that go beyond mere guidance.

Federal Legal Requirements

The foundation of these requirements lies in Article 16 of the Federal AML Law, which requires all financial institutions and designated non-financial businesses and professions to implement AML procedures, taking into account “various risk factors and the results of the national risk assessment”.[8] The specific obligation to consider the findings of the NRA comes from Article 4 of the Implementing Regulation, which requires entities to reduce risks associated with money laundering and terrorism financing, taking into account the results of the NRA.[9] Through the introduction of Article 16bis to the Federal AML Law and Article 33 to the Implementing Regulation, this legal mandate has been extended to all VASPs as well.

On 7 November 2025, VARA issued a circular[10] that directly references Federal Decree Law No. (10) of 2025 and Cabinet Decision No. (10) of 2019 (as amended by Decision No. (24) of 2022), reaffirming the statutory requirement to identify high-risk jurisdictions and apply appropriate enhanced measures.

VARA’s Implementation Framework

VARA’s Compliance and Risk Management Rulebook (“VARA Rulebook”) translates these federal requirements into specific obligations for VASPs by mandating compliance with the UAE’s AML laws, including but not limited to the Federal AML Law and the Implementing Regulations.[11] The VARA Rulebook requires all VASPs to conduct comprehensive business risk assessments that cover the following:[12]

  1. Virtual assets, with particular attention to anonymity-enhanced cryptocurrencies;
  2. Virtual asset-related technologies, products, and services;
  3. Business and professional practices related to virtual assets;
  4. Emerging technologies like artificial intelligence and machine learning; and
  5. Other emerging risks relevant to the sector.

The regulatory framework mandates that this business risk assessment is to be conducted at regular intervals, at least every three (3) months, with event-driven updates whenever significant changes occur in assessed risk areas.[13] VASPs are required to maintain clear documentation showing how the outcomes of the business risk assessment inform policies, procedures, and resource allocation, as well as ensure evidence of implementation demonstrating that risk findings translate into specific mitigation measures.[14]

Under Rule III.D (Risk Assessments) of the VARA Rulebook, all VASPs must maintain a documented, data-driven AML/CFT Business Risk Assessment (“BRA”) that:

  • Identifies and assesses all ML/TF/PF risks inherent in the business model, client base, products, delivery channels, geographic exposure, and technology use;
  • Incorporates emerging risks such as AI-enabled processes, anonymity-enhanced transactions, and new VA products;
  • Demonstrates how UAE National and Sectoral Risk Assessments have been considered and integrated into internal frameworks;
  • Applies a transparent, Board-approved methodology that defines risk categories, scoring scales, control testing, and derivation of residual risk; and
  • Integrates BRA outcomes into AML/CFT policies, customer risk assessments, transaction monitoring, and internal audit planning.

Importantly, the November 2025 circular clarifies that quarterly reviews of the BRA are now mandatory. These reviews must test the assessment against operational data, emerging typologies, and supervisory findings, documenting results even when no rating changes occur.

Practical Implementation: What VARA-Regulated VASPs Must Do

VARA’s 7 November 2025 circular represents a significant tightening of expectations under Rule III.D of the VARA Rulebook. It mandates that:

  1. Quarterly Reviews Are Mandatory: Each VASP must conduct and evidence quarterly reviews of its Business Risk Assessment (BRA), ensuring it remains responsive to operational changes, new products, client demographics, and regulatory developments. Failure to revisit or test the BRA quarterly will now constitute non-compliance with Rule III.D.3(a) of the VARA Rulebook.
  2. Documented Methodologies and Version Control: VASPs must maintain written methodologies for calculating inherent, control, and residual risks; version control for each iteration of the BRA; and documented Board or senior management approval records.
  3. Integration of Emerging Risks: The updated guidance specifically adds Proliferation Financing (PF), Targeted Financial Sanctions (TFS), and AI or new technology-related risks to the list of mandatory considerations.
  4. Data-Driven Assessment: VASPs must implement or strengthen specific measures to mitigate the risks identified in the NRA, especially customer due diligence, transaction monitoring, targeted financial sanctions compliance and reporting of suspicious activity.
  5. Evidence of Review: VARA expects short management memos or committee records showing quarterly review outcomes, even if no risk ratings have changed.
  6. Supervisory Follow-Up in 2026: VARA will conduct a thematic review of BRA frameworks in Q2 2026. Non-compliant VASPs may be required to re-perform their assessments within 30 days and may face enforcement action.

Looking Ahead: The Future of VASP Regulation in the UAE

The UAE’s risk-based regulatory model continues to evolve rapidly. The November 2025 VARA circular transforms the BRA from a routine compliance exercise into a dynamic, data-driven framework that must evolve with every quarter.

The challenges are clear. Compliance requirements are becoming more sophisticated, expectations around risk management are rising, and the cost of non-compliance continues to grow. Recent enforcement actions make it evident that regulators are serious about accountability and consistency in implementation.[15]

Yet, the opportunities are equally compelling. VASPs that proactively align their operations with the UAE’s NRA will not only meet regulatory standards but also strengthen their strategic position in the country’s thriving virtual asset ecosystem.

This shift represents more than just a compliance update, it marks the maturation of the virtual asset industry. By embedding NRA findings into day-to-day operations, VASPs help build trust, reduce systemic risks, and create a stable foundation for long-term innovation and investment.

The message to the market is unmistakable: risk management can no longer be static. VASPs must adopt a culture of continuous reassessment, guided by real-time data, active Board oversight, and transparent documentation. While this undoubtedly raises the compliance bar, it also reinforces the UAE’s leadership in virtual asset regulation.

Ultimately, this evolving framework positions virtual assets as a core component of the formal financial system, governed by the same rigour, oversight, and accountability expected of traditional financial institutions.

***

At TLP Advisors, we are a legal consulting firm specialising in providing cutting-edge solutions to our diverse clientele. With our roots deeply embedded in the financial services, gaming, Web3, and emerging tech sectors, we offer unparalleled knowledge and tailored support to these rapidly evolving industries’ unique challenges and opportunities. TLP Advisors has consistently been the firm of choice for web3, fintech and other financial services companies, and family offices in the UAE. We have built a reputation for excellence through our frequent collaborations with key regulators in this region.

www.techlawpolicy.com

***

[1] See: https://www.vara.ae/en/licenses-and-register/public-register/.

[2] See: https://www.sca.gov.ae/en/open-data/licensed-companies.aspx

[3] UAE Approves In-Principle License to First AED Stablecoin Issuer, Cryptonews (Oct. 14, 2024), https://cryptonews.com/news/uae-approves-in-principle-license-to-first-aed-stablecoin-issuer/.

[4] FATF Guidance – Money Laundering National Risk Assessment Guidance, Financial Action Task Force, https://www.fatf-gafi.org/en/publications/Methodsandtrends/Money-Laundering-National-Risk-Assessment-Guidance.html.

[5] Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.

[6] Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.

[7] Risks Policies, Executive Office Of Anti-Money Laundering And Counter Terrorism Financing, https://amlctf.gov.ae/en/strategic-functions/risks-and-policies

[8] Article (16)(1)(b) of Decree Federal Law No. (20) of 2018 on Anti-money Laundering and Combating the Financing of Terrorism and Illegal Organisations.

[9] Article (4)(2) of Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.

[10] See: https://media.umbraco.io/dwtc/jyrbl5k5/vasp-circular-amlctf-risk-assessment.pdf

[11] Rule III.B.1 of VARA’s Compliance and Risk Management Rulebook.

[12] Rule III.D.2 of VARA’s Compliance and Risk Management Rulebook.

[13] Rule III.D.3 of VARA’s Compliance and Risk Management Rulebook.

[14] Rule III.D.4 of VARA’s Compliance and Risk Management Rulebook.

[15] To cite from recent events, the CBUAE revoked the licence of an exchange house on 31 July 2025 due to its failure to fully comply with the anti-money laundering laws. See: https://gulfnews.com/business/banking/uae-central-bank-revokes-licence-of-gomti-exchange-1.500217691. Additionally, VARA has fined a broker-dealer for failures in its anti-money laundering programme and related systems and controls. See: https://www.khaleejtimes.com/business/dubai-fine-anti-money-laundering

© 2025 TLP Advisors

Terms and Conditions Privacy Policy