• Dubai’s Digital Property Regulatory Authority (VARA) has warned VASPs of “important weaknesses” of their AML/CFT danger assessments.
• Regulators have discovered that firms are failing to deal with rising threats similar to AI, proliferation finance (PF) and focused monetary sanctions (TFS).
• VARA presently requires these assessments to be reviewed quarterly, with a thematic assessment scheduled for Q2 2026 and implementation thereafter.

Dubai’s Digital Property Regulatory Authority (VARA) has issued formal warnings to a number of digital asset service suppliers (VASPs). The warning follows supervisory critiques in 2024 and 2025 that discovered “important weaknesses” in anti-money laundering (AML) and countering terrorist financing (CFT) enterprise danger assessments (BRAs).

Associated: VARA penalizes 19 crypto firms working with out license in Dubai

Firms failed to deal with AI, proliferation monetary dangers

VARA mentioned a number of VASPs failed to keep up ample documentation and data-driven methodologies for danger assessments. We discovered a number of firms utilizing unrealistic residual danger assessments.

Importantly, regulators discovered that firms have been ignoring new threats. These embody proliferation finance (PF), focused monetary sanctions (TFS), and the abuse of synthetic intelligence (AI).

The brand new round clarifies the obligations below Rule III.D of the Compliance and Danger Administration Rulebook. The regulation requires all VASPs to develop a clear, board-approved methodology for assessing these dangers. This framework requires defining clear danger classes, scoring scales, and weighting logic.

Associated: VARA transaction worth reaches Dh2.5 trillion as Dubai goals to change into one of many world’s prime three hubs

Mandate Requires NRA Integration, Quarterly Overview

VARA additionally mentioned these danger assessments have to be in line with nationwide and sectoral findings. Every VASP is now required to include the outcomes of the UAE Nationwide Danger Evaluation (NRA) and different sectoral stories into their inside BRA and buyer danger frameworks.

The round mandates that these BRA findings have to be “instantly mirrored” in all AML/CFT insurance policies, buyer danger fashions, and transaction monitoring programs. VASPs should additionally doc all quarterly critiques and preserve model management of their assessments.

VARA units deadline for thematic critiques to Q2 2026

These quarterly reassessments are actually obligatory to maintain every BRA updated. VARA expects suppliers to assessment all latest information, together with buyer exercise, new product launches, and jurisdictional publicity, a minimum of quarterly.

VARA has confirmed that it’s going to perform a thematic assessment of all BRA frameworks in Q2 2026. Firms that fail to supply dependable, data-driven assessments can have 30 days to appropriate deficiencies earlier than dealing with potential oversight or enforcement motion.