Skip to main content

Are virtual asset service providers prepared to combat financial crime?

ME PoV Spring 2026 issue

On 27 September 2021, the United Arab Emirates (UAE) formally brought virtual asset service providers (VASPs)1 into the national anti-financial crime2 (AFC) regime. Prior to this, VASPs in the UAE had been operating, much like the rest of the world, without any AFC regulatory requirements. The AFC controls arbitrage between VASPs and other financial service providers offered an opportunity for the largescale laundering of illicit funds through virtual assets3 (VAs). It is estimated that on-chain money laundering (ML) grew from US$10 billion in 2020 to US$82 billion in 2025, representing a 720% increase in just one form of VA-related financial crime (FC)4

UAE authorities have been active in regulating this burgeoning sub-sector. In 2022, Dubai established the Virtual Assets Regulatory Authority5 (VARA) to regulate and oversee the provision, use, and exchange of VAs in and from Dubai. 

Legislatively, Federal Decree-Law No. (10) of 2025 (the New AML Law) has placed VASPs on the same statutory footing as licensed banks, significantly increasing the regulatory onus on VASPs in terms of their AFC efforts. 

In less than five years, the UAE’s AFC regime has become almost unrecognizable. The rising FC risks associated with VAs have led to an everevolving AFC regulatory landscape, and with the UAE's next Financial Action Task Force (FATF) Mutual Evaluation (ME) scheduled for the second half of 2026, regulators are increasingly scrutinizing VASPs' AFC programs. As a result, VASPs now function in an environment where establishing and maintaining an effective AFC program to protect themselves, their customers, and the UAE is paramount. 

Key elements of an effective AFC program

There are several factors that contribute to an effective AFC program: 

  1. Strong governance is fundamental. Without it, every other element risks becoming performative rather than protective. A VASP's board of directors and senior management must set the tone at the top. This includes appointing a Money Laundering Reporting Officer (MLRO) with the necessary mandate, resources, and oversight to execute their respective responsibilities effectively. Without adequate empowerment, the MLRO and compliance function are reduced to check-box exercises rather than actual FC defenses.
  2. A risk-based approach (RBA) is the guiding principle that shapes the design of every element of an AFC program. The foundational layer of the RBA is the Financial Crime Business Risk Assessment (FCRA). Through the FCRA, VASPs understand their FC risk exposure, the strengths and vulnerabilities of their AFC program, and their next areas of risk mitigation effort. Regulators expect VASPs to conduct FCRAs at least quarterly.6 Hence, the FCRA approach, methodology, and model must be designed with risk factor coverage, reusability, and time efficiency in mind. 
  3. Customer due diligence (CDD) takes on additional complexity in the context of VAs. VASPs must identify, screen, and risk-assess their customers and the wallet addresses they transact through, since a wallet can be linked to illicit activity or a sanctioned entity independent of the customer's own identity.

    The FATF Travel Rule requires that when a customer sends or receives VAs, the VASP must collect, verify, and transmit originator and beneficiary information to the counterparty VASP. Where that information cannot be obtained, the transfer must not proceed. The customer risk assessment (CRA) methodology and the CDD policies and procedures require expansive yet practical coverage of these considerations for effective FC risk management at customer onboarding and throughout the customer lifecycle.

  4. Transaction monitoring: Unlike other financial institutions, VASPs must monitor for suspicious activity across both fiat and on-chain flows, with red flags such as wallet clustering, chain-hopping, and layering across blockchains, rather than depending on conventional account-based patterns. The selection and calibration of transaction monitoring scenarios and technology are essential for VASPs to effectively identify, investigate, and report suspicious activity.

Extensive enforcement record 

Between August 2024 and August 2025, VARA issued enforcement notices against 36 firms, with financial penalties ranging from AED50,000 to AED600,000 per entity.7 While many of the violations were related to unlicensed VA activity and unauthorized marketing, others involved failures in AFC program controls, governance deficiencies, and failures to disclose material information to the regulator.8 In one case, a Skilled Person was appointed to oversee remediation, and the firm was placed under ongoing VARA supervision.9

In December 2024, the Dubai Public Prosecution referred 30 individuals and three companies to the specialist ML Court for cryptocurrency-based laundering valued at AED180 million,10 illustrating criminals’ affinity to VAs and, simultaneously, the UAE government’s zero tolerance for FC. 

Enforcement action against VASPs is only increasing, and regulators have already shown the depth of their enforcement arsenal which includes issuance of cease-and-desist orders, enhanced supervision (i.e. through the appointment of Skilled Person), public disclosures of wrongdoing, financial penalties, and criminal action against liable senior management stakeholders. These consequences can carry significant reputational, legal, and financial costs. 

Are VASPs FATF ready? 

In the upcoming FATF Mutual Evaluation (ME), the FATF will assess not only whether AFC programs exist on paper, but whether they function in practice. For VASPs, this means assessors will look beyond policy documents by interviewing MLROs, reviewing Suspicious Transaction Reports (STRs) filing rates, testing whether FCRAs are genuinely quarterly, and examining whether CDD decisions reflect real risk judgment. A VASP that cannot demonstrate the operational effectiveness of its AFC program will reflect poorly on itself and will negatively impact the UAE's overall effectiveness score. The UAE has positioned itself as a leading hub for VASPs with a mature AFC regime. The regulatory architecture is clear, the AFC obligations are explicit, and the consequences of falling short are real. 

With enforcement intensifying and the FATF ME approaching, the time for gap assessments, remediation, and honest self-reflection is now. Are VASPs prepared to protect us from FC? Only time will tell.

By Karthik Prabhakar, Partner, and Humaid Hussain, Manager, Forensic & Financial Crime

 

Endnotes
  1. Any natural or legal person who, as a commercialactivity, conducts one or more of the virtual asset activities specified in the Executive Regulations of this Decree-Law, or conducts transactions related thereto, on behalf of or for the benefit of another natural or legal person. Definition as per Federal Decree-Law No. (10) of 2025 on Anti-Money Laundering, Combating the Financing of Terrorism and Proliferation Financing, effective 14 October 2025.
  2. An umbrella term collectively referring to MoneyLaundering ('ML'), Terrorism Financing ('TF'),Proliferation Financing ('PF'), and Targeted Financial Sanctions ('Sanctions').
  3. Digital representation of value that may bedigitally traded or transferred and may be usedfor payment or investment purposes, excludingdigital representations of fiat currencies, securities, or other funds. Definition as perFederal Decree-Law No. (10) of 2025.
  4. Chainalysis, 'The Chinese-language Underground Crypto Money Laundering Ecosystem', 2026 Crypto Crime Report, January 2026. 
  5. Dubai Law No. (4) of 2022 Regulating Virtual Assets in the Emirate of Dubai.
  6. VARA Compliance and Risk Management Rule book, Part III AML and CFT, Section D.
  7. https://www.vara.ae/en/regulations/regulatory-notices/vara-steps-up-enforcementto-safeguard-dubai-s-virtual-asset-market-19-unlicensed-firms-penalised-and-publicwarning-issued/.
  8. https://www.vara.ae/en/regulations/regulatorynotices/vara-notice-of-fines-morpheus-softwaretechnology-fze/;https://www.adgm.com/media/announcements/adgms-fsra-imposes-fines-of-USD-8-85-million-on-hayvn.
  9. https://www.vara.ae/en/regulations/regulatorynotices/vara-notice-of-fines-morpheus-softwaretechnology-fze/.
  10. https://www.mediaoffice.ae/en/news/2024/december/27-12/dubai-authorities-dismantletwo-major-international.

Did you find this useful?

Thanks for your feedback