The Dubai Virtual Assets Regulatory Authority (VARA) issued a circular to all regulated Virtual Asset Service Providers (VASPs) clarifying expectations under Part III Rule III.D of the Compliance and Risk Management Rulebook on AML/CFT Business Risk Assessments (BRA), following supervisory inspections in 2024 and 2025 that identified significant design and execution deficiencies. VASPs are required to maintain a documented, data-driven BRA covering inherent money laundering, terrorist financing and proliferation financing risks across business model, customer base, products and services, delivery channels, geographic exposure and technology use, including emerging risks such as Targeted Financial Sanctions, anonymity-enhanced transactions, AI-enabled processes and new or evolving virtual asset products. The assessment must demonstrate consideration of UAE National Risk Assessment results and cascade relevant national and sectoral findings into internal frameworks, including the BRA and Client Risk Assessment (KYC/KYB), supported by a transparent, Board-approved methodology (risk categories, scoring and weighting, control effectiveness testing, and residual risk derivation). BRA outcomes must feed into AML/CFT policies and procedures, customer risk assessment and transaction monitoring calibration, and resourcing, internal audit and compliance monitoring plans, with quarterly reviews and material-change updates evidenced through documented records, version control and governance minutes. Compliance is mandatory with immediate effect, and VASPs must complete their first quarterly reassessment under this guidance by 30 November 2025. VARA will run a thematic review of BRA frameworks in Q2 2026, and firms that cannot evidence a credible, data-driven and quarterly-maintained BRA may be required to re-perform the assessment within 30 days and face supervisory or enforcement action.

Original source View in tracker