What this guide covers
- The Legal Framework: FDL 10/2025, Cabinet Decision 134/2025 and FATF Recommendation 16
- The AED 3,500 Threshold: Calculation, Aggregation and Minimum Data Fields
- Regulatory Divergence: VARA (Mainland/Dubai) vs ADGM FSRA vs DIFC
- Cross-VASP Transfer Mechanics: Unhosted Wallets, Sunrise Issues and Counterparty Due Diligence
- Enforcement Exposure: Administrative, Civil and Criminal Liability Under FDL 10/2025
- Record-Keeping, STR Obligations and the UAEFIU Reporting Regime
- Implementation Strategy: Technology, Governance and Regulatory Engagement
- Practical checklist
- What we'd typically advise
- Frequently asked questions
Cabinet Decision 134/2025 brought the FATF Travel Rule into UAE domestic law with binding force from 14 December 2025. Every licensed VASP — whether under VARA, ADGM or DIFC — must now collect, verify and transmit originator and beneficiary data on virtual asset transfers at or above AED 3,500, or face personal and institutional liability under Federal Decree-Law 10/2025.
The Legal Framework: FDL 10/2025, Cabinet Decision 134/2025 and FATF Recommendation 16
The UAE Travel Rule for virtual assets is now anchored in two instruments that together form the operative AML/CFT/CPF regime. Federal Decree-Law 10/2025 (in force 14 October 2025) repealed Federal Decree-Law 20/2018 in its entirety and reconstructed the UAE's anti-money laundering, counter-terrorist financing and counter-proliferation financing architecture from the ground up. Critically, FDL 10/2025 expanded the list of predicate offences to include proliferation financing and tax evasion, introduced personal liability for senior managers and compliance officers who fail to prevent violations, and raised the maximum administrative fine to AED 100 million. It also removed any statute of limitations for money laundering offences — a provision with direct relevance to any VASP that fails to maintain Travel Rule records because there is no time bar beyond which a regulator or prosecutor cannot act.
Cabinet Resolution 134/2025 (the Executive Regulations, in force 14 December 2025) provides the operational detail. It is the instrument that sets the AED 3,500 threshold for Travel Rule data obligations and specifies the minimum data fields that originating VASPs must collect, verify and transmit. The Regulation applies to all financial institutions and designated non-financial businesses and professions (DNFBPs) as defined, but its Travel Rule provisions are specifically directed at virtual asset service providers licensed under any UAE regulatory framework — including the Virtual Assets Regulatory Authority (VARA), the Abu Dhabi Global Market Financial Services Regulatory Authority (ADGM FSRA) and the Dubai International Financial Centre (DIFC). The legal basis for imposing FATF Recommendation 16 obligations on virtual assets is therefore no longer merely regulatory guidance but primary legislation backed by criminal and administrative sanctions.
The UAE's removal from the FATF grey list in February 2024, and the EU's subsequent removal of the UAE from its high-risk third-country list in 2025, were predicated in part on the UAE demonstrating effective implementation of Recommendation 16 for virtual assets. With a FATF mutual evaluation scheduled for 2026, regulators have every institutional incentive to enforce these obligations robustly. VASPs operating in the UAE should treat Cabinet Decision 134/2025 not as a compliance formality but as a live enforcement risk.
For completeness, the criminal procedure framework governing any prosecution arising from Travel Rule failures is Federal Decree-Law 38/2022 (in force 1 March 2023, as amended by FDL 45/2023) — not FDL 35/2022, which is the Evidence Law and governs a distinct regime. Practitioners must be precise on this distinction when advising on procedural rights in enforcement proceedings.
The AED 3,500 Threshold: Calculation, Aggregation and Minimum Data Fields
Cabinet Decision 134/2025 fixes the Travel Rule trigger at AED 3,500 per transfer or series of linked transfers. The aggregation principle is critical: a VASP cannot avoid the obligation by structuring a single economic transfer into multiple sub-threshold transactions. Where a VASP has reason to believe that transfers are linked — by common originator, beneficiary, wallet address or transaction timing — it must treat them as a single transfer for threshold purposes. This mirrors the anti-structuring principle already embedded in FDL 10/2025 and aligns with FATF's own guidance on transaction splitting.
At or above AED 3,500, the originating VASP must collect and transmit, at minimum: (i) the originator's full legal name; (ii) the originator's account number or virtual asset wallet address used for the transaction; (iii) the originator's physical address, national identity number, customer identification number or date and place of birth; (iv) the beneficiary's full legal name; and (v) the beneficiary's account number or virtual asset wallet address. These fields must travel with the transaction — they cannot be held back and provided only on request. The obligation is one of contemporaneous transmission, not deferred disclosure.
The beneficiary VASP carries a complementary obligation: it must obtain and hold the required originator information and verify the beneficiary information. Where the beneficiary VASP cannot obtain or verify the required data, it must consider whether to execute, suspend or reject the transfer and file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit (UAEFIU) if there are grounds to suspect money laundering, terrorist financing or proliferation financing under FDL 10/2025. Below the AED 3,500 threshold, VASPs are still required to collect and hold beneficiary name and wallet address — the threshold determines what must be transmitted, not what must be collected.
For cross-border transfers, the AED 3,500 threshold applies to the UAE-leg VASP regardless of the denomination in which the virtual asset is transferred. VASPs must therefore maintain live AED conversion rates or use a methodology approved by their licensing regulator. VARA's Compliance and Risk Management Rulebook (updated May 2025 as part of VARA Rulebooks 2.0) provides specific guidance on conversion methodology for threshold calculations, and VASPs licensed by VARA should ensure their policies explicitly reference and adopt that methodology.
Regulatory Divergence: VARA (Mainland/Dubai) vs ADGM FSRA vs DIFC
The UAE crypto travel rule VASP framework operates across three distinct regulatory perimeters, and the interaction between them is a live compliance challenge. VARA is the competent authority for virtual asset activities conducted in or from the Emirate of Dubai (outside the DIFC), operating under Dubai Law 4/2022 as the world's first dedicated standalone virtual asset regulator. VARA Rulebooks 2.0 (issued May 2025, with the Issuance Rulebook following in June 2025) supersede all prior VARA rulebooks and represent the current operative framework. VARA's Travel Rule obligations are now expressly aligned with Cabinet Decision 134/2025, removing any prior ambiguity about whether VARA's own rulebook provisions or the federal Executive Regulations took precedence — federal law prevails and VARA has incorporated the AED 3,500 threshold and data fields accordingly.
The ADGM FSRA governs virtual asset activities within Abu Dhabi Global Market, a federal financial free zone on Al Maryah Island. The FSRA has its own Virtual Asset Framework under which VASPs are licensed as 'Virtual Asset Services' under the FSRA's Financial Services and Markets Regulations. The ADGM framework has long required Travel Rule compliance as part of its AML requirements and has historically applied a USD 1,000 equivalent threshold consistent with earlier FATF guidance. Following Cabinet Decision 134/2025, ADGM-licensed VASPs must apply the AED 3,500 threshold — which at current exchange rates is approximately USD 953 — meaning the federal threshold is actually more restrictive than the prior ADGM standard in USD terms. ADGM VASPs should update their policies to reflect the AED 3,500 federal threshold as the operative trigger.
The DIFC operates under its own legislative framework, including the DIFC Digital Assets Law No. 2/2024, which established crypto assets as property capable of being owned, transferred and held as collateral under DIFC law — an important characterisation for insolvency and enforcement purposes. DIFC-regulated firms conducting virtual asset activities are subject to DFSA oversight and must comply with DFSA's AML module, which incorporates FATF standards. The DIFC's Travel Rule obligations interact with Cabinet Decision 134/2025 in that transfers between a DIFC-regulated VASP and a UAE mainland or ADGM VASP must comply with the federal threshold and data requirements on the UAE-side leg of the transaction. Cross-perimeter transfers therefore require both VASPs to have interoperable data transmission capabilities.
A practical compliance challenge arises where a VASP licensed in one perimeter transacts with a counterpart in another. There is currently no unified UAE inter-VASP messaging protocol mandated across all three regulators. VASPs are therefore using a combination of IVMS101 (the inter-VASP messaging standard developed by the FATF and adopted by most Travel Rule solution providers), bilateral data-sharing agreements and third-party Travel Rule technology solutions. The absence of a mandated common protocol does not reduce the legal obligation — it merely increases the operational risk of non-compliance for VASPs that have not invested in compliant infrastructure.
Cross-VASP Transfer Mechanics: Unhosted Wallets, Sunrise Issues and Counterparty Due Diligence
The most operationally complex aspect of UAE Travel Rule compliance for VASPs arises in cross-VASP transfers — particularly where the counterparty is not a licensed VASP, where it is located in a jurisdiction that has not yet implemented FATF Recommendation 16 (the so-called 'sunrise issue'), or where the transfer involves an unhosted (self-custodied) wallet.
Unhosted wallets present a structural gap in the Travel Rule architecture. Cabinet Decision 134/2025, consistent with FATF guidance, does not exempt transfers to or from unhosted wallets from the data collection obligation. Where an originating VASP sends virtual assets to an unhosted wallet at or above AED 3,500, it must collect the required beneficiary information from its customer and retain it, even though there is no counterpart VASP to transmit to. The VASP must also apply enhanced due diligence where the unhosted wallet cannot be verified as belonging to the customer — this is not merely a Travel Rule issue but a Know Your Customer obligation under FDL 10/2025 and the VASP's applicable rulebook. VARA Rulebooks 2.0 specifically address unhosted wallet risk and require VASPs to assess whether such wallets represent elevated ML/TF/PF risk.
The sunrise issue — where a UAE VASP transacts with a VASP in a jurisdiction that has not yet enacted Travel Rule legislation — does not relieve the UAE VASP of its obligations. UAE law requires the UAE-side VASP to transmit the required data regardless of whether the recipient VASP can receive or process it. Where the counterpart jurisdiction has not implemented the Travel Rule, the UAE VASP must document that it has attempted to transmit the required information, assess the ML/TF risk of proceeding, apply enhanced due diligence proportionate to that risk, and consider whether to suspend or reject the transaction. VASPs should build sunrise-issue workflows into their transaction monitoring systems and maintain a jurisdiction risk matrix.
Counterparty VASP due diligence is a distinct obligation that sits alongside the per-transaction data transmission requirement. Before establishing a correspondent-style relationship with another VASP — whether onshore, in a free zone or cross-border — a UAE VASP must conduct due diligence on that counterpart's AML/CFT/CPF controls, licensing status and Travel Rule capabilities. This is analogous to the correspondent banking due diligence obligations that apply to banks under the CBUAE framework (see CBUAE Law No. 6/2025 for the current Central Bank supervisory architecture, with maximum administrative fines of AED 1 billion for licensed financial institutions). For VASPs, failure to conduct counterparty due diligence is an independent compliance failure under Cabinet Decision 134/2025, separate from any failure in per-transaction data transmission.
Enforcement Exposure: Administrative, Civil and Criminal Liability Under FDL 10/2025
Travel Rule failures engage multiple overlapping liability regimes. At the administrative level, FDL 10/2025 gives UAE regulators — including VARA, the ADGM FSRA, the DFSA and the Central Bank — the power to impose fines of up to AED 100 million on VASPs for AML/CFT/CPF compliance failures, which expressly include failures to implement customer due diligence, record-keeping and reporting obligations. Cabinet Decision 134/2025 Travel Rule obligations are Executive Regulation requirements under FDL 10/2025, and a breach of those obligations is therefore a breach of the primary legislation itself. Regulators may additionally suspend or revoke VASP licences, prohibit individuals from holding compliance or senior management roles, and require remediation programmes at the VASP's expense.
Personal liability is a material change introduced by FDL 10/2025. Senior managers and compliance officers who knew of, or failed to prevent, a compliance failure can now be personally fined and, in serious cases, prosecuted. This is not a vicarious liability provision — it is direct personal exposure for natural persons in governance roles. For GCs and Chief Compliance Officers at VASPs, this means that maintaining documented evidence of having escalated Travel Rule implementation deficiencies to the board is not merely good governance practice but a potential personal legal defence.
At the criminal level, a pattern of Travel Rule failures that facilitates money laundering, terrorist financing or proliferation financing engages the full offence provisions of FDL 10/2025 and the Federal Decree-Law 31/2021 (Penal Code, in force 2 January 2022, as amended by FDL 36/2022). The Penal Code's ML provisions, read with FDL 10/2025's removal of the statute of limitations, mean that there is no temporal safety net: a VASP that systemically failed to comply with Travel Rule obligations in 2026 remains exposed to criminal investigation indefinitely. Prosecutorial proceedings would be conducted under Federal Decree-Law 38/2022 (the Criminal Procedure Law, in force 1 March 2023, as amended by FDL 45/2023), and cross-border asset tracing and freezing can be pursued under the mutual legal assistance framework in Federal Law 39/2006 as amended by FDL 38/2023.
For institutions with cross-perimeter operations, the DIFC Courts' expanded jurisdiction under DIFC Court Law 2/2025 — which, together with the ADGM authority in A17 v B17 [2025], now permits worldwide freezing orders in support of foreign proceedings without requiring a local asset nexus — means that enforcement action initiated abroad can rapidly translate into asset freezes affecting UAE-held virtual assets or fiat balances. This is a systemic risk for any VASP with international counterparties.
Record-Keeping, STR Obligations and the UAEFIU Reporting Regime
Cabinet Decision 134/2025 and FDL 10/2025 together impose a five-year minimum record-keeping obligation on all Travel Rule data collected in connection with a virtual asset transfer. This includes not only the transmitted data fields but also the internal due diligence records, counterparty VASP assessments, transaction monitoring alerts and any compliance decisions taken in respect of a specific transfer (including decisions to proceed, suspend, reject or file a report). Records must be maintained in a form that enables their rapid retrieval in response to a regulatory request or judicial order — VASPs that hold Travel Rule data in fragmented legacy systems or manual logs are at material risk of failing this obligation even if the underlying data collection was performed correctly.
The Suspicious Transaction Report obligation under FDL 10/2025 applies where a VASP, in the course of processing a transfer, identifies grounds to suspect that the transaction is connected to money laundering, terrorist financing, proliferation financing or any other predicate offence — including, now, tax evasion. The STR must be filed with the UAE Financial Intelligence Unit (UAEFIU) via the goAML platform before or contemporaneously with any decision to proceed with the transaction, or promptly upon the formation of suspicion where the transaction has already been executed. Tipping off the customer that an STR has been filed is a criminal offence under FDL 10/2025. VASPs must therefore train transaction monitoring and customer-facing staff on tipping-off risk, particularly where a customer queries a delay in processing a transfer that is in fact the subject of a pending STR.
Travel Rule data has a secondary evidentiary value in STR investigations: where a VASP files an STR arising from a cross-VASP transfer, the Travel Rule data package accompanying that transfer — originator name, wallet address, beneficiary details — becomes part of the intelligence available to the UAEFIU and, on referral, to the Public Prosecution. VASPs should treat their Travel Rule infrastructure not merely as a compliance checkbox but as a front-line financial intelligence tool. Regulators reviewing a VASP's AML programme during a supervisory examination will assess the quality and completeness of Travel Rule data as a direct indicator of the effectiveness of the broader CDD and transaction monitoring framework.
Implementation Strategy: Technology, Governance and Regulatory Engagement
Operationalising Cabinet Decision 134/2025 Travel Rule compliance requires simultaneous action across technology, governance and regulatory engagement workstreams. On the technology side, VASPs should implement a Travel Rule solution that supports the IVMS101 data standard, covers both the originating and beneficiary VASP functions, integrates with the VASP's existing transaction monitoring and sanctions screening systems, and maintains a real-time or near-real-time data transmission capability. The solution must handle threshold calculations in AED with a documented conversion methodology, flag unhosted wallet transfers for enhanced due diligence, and produce audit-ready logs of every Travel Rule data exchange. VARA Rulebooks 2.0 set out specific technology risk management expectations that apply to all technology systems used in regulated virtual asset activities, and the Travel Rule system must satisfy those expectations as part of the VASP's overall technology governance framework.
On the governance side, boards and senior management of VASPs should formally adopt a Travel Rule Policy that is reviewed at least annually, designate a named senior manager as accountable for Travel Rule compliance, and ensure that the compliance function has sufficient resources and independence to escalate Travel Rule implementation gaps directly to the board. Given FDL 10/2025's personal liability provisions, board minutes should record that Travel Rule compliance has been reviewed, that any identified deficiencies have been escalated, and that remediation timelines have been approved. The Compliance Officer should maintain a contemporaneous log of Travel Rule-related escalations and board decisions as a personal liability management record.
On regulatory engagement, VASPs that identify material Travel Rule implementation gaps should consider whether voluntary disclosure to their licensing regulator is appropriate. UAE regulators — including VARA — have historically treated proactive disclosure as a mitigating factor in enforcement proceedings, and FDL 10/2025 expressly contemplates cooperation as a factor in penalty assessment. This is analogous to the voluntary disclosure incentive in the corporate tax regime under Cabinet Decision 129/2025 (1–4% penalty on voluntary disclosure vs 15% on audit discovery), and the underlying principle — that early transparency reduces penalty exposure — applies across regulatory domains. Legal advice should be obtained before any voluntary disclosure to ensure that the disclosure is appropriately scoped and does not inadvertently create wider admissions.
Practical checklist
- Map every transfer flow against the AED 3,500 threshold and aggregation rules immediately
- Update AML/CFT policies to cite Cabinet Decision 134/2025 and FDL 10/2025 expressly
- Deploy an IVMS101-compatible Travel Rule solution with AED conversion methodology
- Conduct documented due diligence on all counterparty VASPs before enabling transfers
- Build unhosted wallet enhanced due diligence workflows into transaction monitoring systems
- Train compliance and customer-facing staff on tipping-off prohibition under FDL 10/2025
- Ensure five-year record retention in rapidly retrievable, audit-ready format
- Designate a named board-accountable senior manager for Travel Rule compliance with documented escalation log
What we'd typically advise
In our experience advising VASPs across VARA, ADGM and DIFC, the most significant implementation risk is not awareness of the AED 3,500 threshold — it is the gap between policy adoption and operational readiness. Cabinet Decision 134/2025 is in force now, and VARA supervisory examinations in 2026 will assess Travel Rule implementation as a primary indicator of AML programme effectiveness. VASPs should conduct an immediate gap analysis against the data field and transmission requirements, remediate technology gaps before the next scheduled regulatory interaction, and ensure that governance documentation reflects personal accountability at senior management level. Where material gaps exist, early regulatory engagement — carefully scoped with legal advice — is generally preferable to discovery on examination.
Frequently asked questions
Does the AED 3,500 threshold apply to each individual transfer or to aggregated transfers with the same counterparty?
Cabinet Decision 134/2025 applies an aggregation principle: where a VASP has grounds to believe that multiple transfers are economically linked — by common originator, beneficiary, wallet or timing — they must be treated as a single transfer for threshold purposes. This mirrors the anti-structuring rule in FDL 10/2025 and means that deliberate transaction splitting to avoid the AED 3,500 trigger is itself a compliance violation, not a legitimate workaround.
We are licensed by ADGM FSRA. Our prior policies used a USD 1,000 threshold. Do we need to update?
Yes. Cabinet Decision 134/2025 is federal Executive Regulation with force throughout the UAE including ADGM. At current exchange rates, AED 3,500 is approximately USD 953 — marginally lower than your prior threshold in USD terms, making the federal standard more restrictive. Your AML policies, system configurations and staff training must be updated to reflect AED 3,500 as the operative trigger, and you should document the policy change with board or senior management approval.
What happens if we send a transfer to a VASP in a country that has not yet implemented the Travel Rule?
The sunrise issue does not suspend UAE obligations. Under Cabinet Decision 134/2025, the UAE originating VASP must still collect and attempt to transmit the required data fields. Where the recipient VASP cannot receive or process them, the UAE VASP must document the transmission attempt, assess the elevated ML/TF/PF risk under FDL 10/2025, apply enhanced due diligence, and consider whether to proceed, suspend or reject. A jurisdiction risk matrix and documented decision trail are essential for demonstrating regulatory compliance in a subsequent examination.
Can our Compliance Officer face personal criminal liability for a Travel Rule failure?
Yes. FDL 10/2025 introduced direct personal liability for senior managers and compliance officers who knew of, or failed to prevent, AML/CFT/CPF compliance failures. This is not vicarious corporate liability — it is personal exposure for natural persons in governance roles. Compliance Officers should maintain contemporaneous records of Travel Rule escalations to the board, remediation requests and board decisions as evidence that they discharged their personal duty. Where material gaps are identified, legal advice on disclosure strategy is advisable before the next regulatory interaction.
Is there a statute of limitations on a prosecution arising from historic Travel Rule failures?
No, for money laundering. FDL 10/2025 expressly removes the statute of limitations for money laundering offences. A VASP that systematically failed to comply with Travel Rule obligations — thereby facilitating transfers that turned out to be connected to money laundering — remains indefinitely exposed to investigation and prosecution under FDL 10/2025 and the Penal Code (FDL 31/2021 as amended by FDL 36/2022). There is no temporal safe harbour, which is why remediation of historic gaps should be addressed urgently rather than deferred.
Do transfers to unhosted (self-custodied) wallets below AED 3,500 require any data collection?
Yes. Cabinet Decision 134/2025 distinguishes between the transmission threshold (AED 3,500) and the collection obligation. Below AED 3,500, VASPs must still collect and hold beneficiary name and wallet address for transfers to unhosted wallets. Above AED 3,500, the full data set must be collected, and where the wallet cannot be verified as belonging to the customer, enhanced due diligence is required under FDL 10/2025 and VARA Rulebooks 2.0. The absence of a counterpart VASP to transmit to does not reduce the collection obligation.
How does DIFC Digital Assets Law 2/2024 interact with the Travel Rule framework?
DIFC Digital Assets Law No. 2/2024 establishes that crypto assets are property capable of ownership and transfer under DIFC law — a characterisation relevant to insolvency, collateral and enforcement proceedings. It does not create a separate Travel Rule regime: DIFC-regulated VASPs remain subject to DFSA AML requirements, which incorporate FATF standards including Recommendation 16, and to Cabinet Decision 134/2025 on the UAE-side leg of any transfer touching a UAE counterparty. The practical significance of the property characterisation is in cross-border freezing: courts can freeze crypto assets as property under DIFC Court Law 2/2025 without requiring a fiat-equivalent local asset nexus.
What is the maximum fine a regulator can impose on a VASP for Travel Rule non-compliance?
Under FDL 10/2025, the maximum administrative fine is AED 100 million for AML/CFT/CPF violations by VASPs and other regulated entities. For licensed financial institutions under CBUAE Law No. 6/2025, the maximum administrative fine is AED 1 billion — a figure applicable to any financial institution (including banks acting as on-ramps for virtual asset transactions) that fails its AML obligations. These figures are in addition to licence suspension or revocation, personal fines on individuals, and potential criminal prosecution under the Penal Code (FDL 31/2021).
Related guides
Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.