On 27 September 2021, the United Arab Emirates (UAE) formally brought virtual asset service providers (VASPs)1 into the national anti-financial crime2 (AFC) regime. Prior to this, VASPs in the UAE had been operating, much like the rest of the world, without any AFC regulatory requirements. The AFC controls arbitrage between VASPs and other financial service providers offered an opportunity for the largescale laundering of illicit funds through virtual assets3 (VAs). It is estimated that on-chain money laundering (ML) grew from US$10 billion in 2020 to US$82 billion in 2025, representing a 720% increase in just one form of VA-related financial crime (FC)4.
UAE authorities have been active in regulating this burgeoning sub-sector. In 2022, Dubai established the Virtual Assets Regulatory Authority5 (VARA) to regulate and oversee the provision, use, and exchange of VAs in and from Dubai.
Legislatively, Federal Decree-Law No. (10) of 2025 (the New AML Law) has placed VASPs on the same statutory footing as licensed banks, significantly increasing the regulatory onus on VASPs in terms of their AFC efforts.
In less than five years, the UAE’s AFC regime has become almost unrecognizable. The rising FC risks associated with VAs have led to an everevolving AFC regulatory landscape, and with the UAE's next Financial Action Task Force (FATF) Mutual Evaluation (ME) scheduled for the second half of 2026, regulators are increasingly scrutinizing VASPs' AFC programs. As a result, VASPs now function in an environment where establishing and maintaining an effective AFC program to protect themselves, their customers, and the UAE is paramount.
Key elements of an effective AFC program
There are several factors that contribute to an effective AFC program:
Extensive enforcement record
Between August 2024 and August 2025, VARA issued enforcement notices against 36 firms, with financial penalties ranging from AED50,000 to AED600,000 per entity.7 While many of the violations were related to unlicensed VA activity and unauthorized marketing, others involved failures in AFC program controls, governance deficiencies, and failures to disclose material information to the regulator.8 In one case, a Skilled Person was appointed to oversee remediation, and the firm was placed under ongoing VARA supervision.9
In December 2024, the Dubai Public Prosecution referred 30 individuals and three companies to the specialist ML Court for cryptocurrency-based laundering valued at AED180 million,10 illustrating criminals’ affinity to VAs and, simultaneously, the UAE government’s zero tolerance for FC.
Enforcement action against VASPs is only increasing, and regulators have already shown the depth of their enforcement arsenal which includes issuance of cease-and-desist orders, enhanced supervision (i.e. through the appointment of Skilled Person), public disclosures of wrongdoing, financial penalties, and criminal action against liable senior management stakeholders. These consequences can carry significant reputational, legal, and financial costs.
Are VASPs FATF ready?
In the upcoming FATF Mutual Evaluation (ME), the FATF will assess not only whether AFC programs exist on paper, but whether they function in practice. For VASPs, this means assessors will look beyond policy documents by interviewing MLROs, reviewing Suspicious Transaction Reports (STRs) filing rates, testing whether FCRAs are genuinely quarterly, and examining whether CDD decisions reflect real risk judgment. A VASP that cannot demonstrate the operational effectiveness of its AFC program will reflect poorly on itself and will negatively impact the UAE's overall effectiveness score. The UAE has positioned itself as a leading hub for VASPs with a mature AFC regime. The regulatory architecture is clear, the AFC obligations are explicit, and the consequences of falling short are real.
With enforcement intensifying and the FATF ME approaching, the time for gap assessments, remediation, and honest self-reflection is now. Are VASPs prepared to protect us from FC? Only time will tell.
By Karthik Prabhakar, Partner, and Humaid Hussain, Manager, Forensic & Financial Crime