The Dubai Virtual Assets Regulatory Authority (VARA) issued a circular to all regulated Virtual Asset Service Providers (VASPs) clarifying expectations under Part III Rule III.D of the Compliance and Risk Management Rulebook on AML/CFT Business Risk Assessments (BRAs). The circular requires VASPs to maintain a documented, data-driven BRA that is kept current through at least quarterly reviews and updated when there are material changes. The guidance follows supervisory inspections in 2024 and 2025 that identified deficiencies including missing documented methodologies, unrealistic residual risk ratings, and insufficient consideration of emerging risks such as Proliferation Financing (PF), Targeted Financial Sanctions (TFS), and the use of artificial intelligence or new technologies.
VARA sets out minimum BRA features, including coverage of ML/TF/PF risks across the business model, customer base, products and services, delivery channels, geographic exposure and technology use, and incorporation of sectoral risks such as anonymity-enhanced transactions and new or evolving virtual asset products. It also expects alignment with the UAE National Risk Assessment and relevant sectoral assessments, a transparent Board-approved methodology (risk categories, scoring scales and weighting, control effectiveness testing or sampling, and entity-level residual risk), and integration of BRA outcomes into AML/CFT policies and procedures, customer risk assessment and transaction monitoring calibration, and audit and compliance monitoring plans, supported by version control and documented review evidence.
Compliance is mandatory and takes effect immediately, with the first quarterly reassessment under the guidance to be completed by 30 November 2025. VARA will conduct a thematic review of BRA frameworks in Q2 2026, and VASPs that cannot evidence a credible, data-driven and quarterly maintained BRA may be required to re-perform the assessment within 30 days and may face supervisory or enforcement action.