The Dubai Virtual Assets Regulatory Authority has published good practice guidance on anti-money laundering and counter-terrorist financing business risk assessments for licensed virtual asset service providers. Drawing on supervisory observations from its 2026 BRA thematic review, the paper sets out what VARA considers robust practice in building, maintaining and using a BRA as the foundation of a VASP’s financial crime framework. It also restates that, under VARA’s Compliance and Risk Management Rulebook, VASPs must maintain a BRA, review it at least every three months and update it whenever significant changes occur, with outcomes feeding directly into AML/CFT policies, procedures, systems, controls and resource allocation.
The guidance focuses on the substance of a strong BRA framework. It calls for board approval and challenge, supported by a three lines of defence model that includes independent validation of methodology and control effectiveness. Methodology should be documented, transparent and repeatable, with clear treatment of inherent risk, control effectiveness, residual risk and aggregation to an overall risk view. VARA also expects BRAs to be grounded in operational data and external risk sources, to cover virtual asset specific exposures such as unhosted wallets, anonymity enhanced transactions, DeFi, cross-border transfers, stablecoins and emerging fraud typologies, and to assess proliferation financing separately from money laundering and terrorist financing with an explicit link to targeted financial sanctions controls, including screening, freezing and goAML reporting processes.
The paper also stresses operationalisation and maintenance. BRA findings should drive concrete decisions such as transaction monitoring calibration, sanctions screening enhancements, enhanced due diligence measures and compliance staffing priorities. Trigger-based updates should follow developments such as new products, customer or geographic shifts, supervisory findings, sanctions events or key AML/CFT personnel changes. VARA said it will continue to assess BRA quality through ongoing supervisory engagement.
Dubai Virtual Assets Regulatory Authority, 2026-06-12
Dubai Virtual Assets Regulatory Authority issues AML/CFT business risk assessment guidance for licensed VASPs based on 2026 thematic review
The Dubai Virtual Assets Regulatory Authority has issued good practice guidance on AML/CFT business risk assessments for licensed VASPs, based on findings from its 2026 thematic review. The guidance sets expectations for board oversight, documented and data-driven risk methodologies, separate proliferation financing assessment, and clear links between BRA outcomes and day-to-day AML/CFT controls. It also reinforces the requirement to review BRAs at least every three months and update them when material changes occur.