Virtual Assets

VARA Rulebooks 2.0 and Crypto Licensing in Dubai (AML for VASPs)

Virtual Assets

What this guide covers

  1. The Legal Architecture: VARA, Federal Law, and Where They Intersect
  2. VARA Rulebooks 2.0: Activity-Based Licensing in Practice
  3. VA Issuance, FRVAs, ARVAs, and the Stablecoin Regulatory Regime
  4. AML Obligations Under FDL 10/2025: What VASPs Must Do
  5. Personal Liability, Enforcement Exposure, and the Compliance Officer's Position
  6. Travel Rule Implementation and Transaction Monitoring: Operational Requirements
  7. Post-Grey-List UAE, FATF 2026, DIFC Tools, and Strategic Risk Management
  8. Practical checklist
  9. What we'd typically advise
  10. Frequently asked questions

Dubai's VARA Rulebooks 2.0 (May 2025) and the new AML regime under Federal Decree-Law 10/2025 fundamentally reshape what a licensed VASP must do — and what executives personally risk if they fall short.

Dubai's Virtual Assets Regulatory Authority derives its mandate from Law No. 4 of 2022 (the Dubai Virtual Assets Law), which established VARA as the emirate-level regulator with jurisdiction over all VA activities conducted in or from Dubai, excluding the DIFC. VARA operates under a dual-layer structure: its overarching regulations set the policy perimeter, while activity-specific rulebooks — now in their second generation as of May 2025 — govern the precise obligations attaching to each licensed service. The Issuance Rulebook, released in June 2025, sits alongside the activity rulebooks and specifically governs the creation, offering, and secondary-market facilitation of virtual assets, including fiat-referenced and algorithmic stablecoins.

At the federal level, the primary AML/CFT/CPF instrument is now Federal Decree-Law 10/2025, which entered into force on 14 October 2025 and expressly repealed Federal Decree-Law 20/2018. This is a critical distinction: a significant portion of competitor guidance in the market still references the repealed law. Cabinet Resolution 134/2025 (effective 14 December 2025) serves as the Executive Regulations to FDL 10/2025, and it is Cabinet Resolution 134/2025 that introduces the AED 3,500 Travel Rule threshold applicable to virtual asset transfers — a threshold VASPs must hard-code into their transaction monitoring systems. Where a VASP is also conducting activity that qualifies as a capital markets service, Federal Decree-Law 32/2025 establishes the Capital Markets Authority replacing the SCA from 1 January 2026, and Federal Decree-Law 33/2025 codifies market abuse and insider-dealing offences with penalties reaching AED 200 million.

The DIFC layer merits separate mention. The DIFC Digital Assets Law No. 2 of 2024 confirms that crypto assets constitute property under DIFC law — a legally significant classification for insolvency, tracing, and proprietary injunction purposes. Entities licensed by VARA but contracting with counterparties in the DIFC, or holding assets through DIFC-registered structures, must map both regulatory perimeters carefully. The interaction between VARA's activity-based rulebooks and DFSA requirements for any cross-centre activity is an area of live structuring risk that boards and GCs must resolve at the entity-design stage, not post-licensing.

Beneficial ownership obligations under Cabinet Decision 109/2023 (the 25% threshold test) apply to all licensed entities including VASPs. This means every VARA-licensed entity must maintain and file accurate UBO registers, and the AML obligations in FDL 10/2025 expressly require that customer due diligence extend to identifying and verifying the beneficial owners of corporate clients, including layered structures using free-zone holding companies or offshore vehicles. VARA's own compliance notifications cross-reference the UBO framework, creating a dual regulatory exposure for breaches.

VARA Rulebooks 2.0: Activity-Based Licensing in Practice

VARA Rulebooks 2.0, released in May 2025, consolidate and restructure the prior rulebook suite into a streamlined activity-based framework. Each of the seven regulated VA activities — VA Issuance, VA Broker-Dealer, VA Exchange, VA Lending and Borrowing, VA Management and Investment, VA Transfer and Settlement, and Advisory Services — now has a dedicated rulebook containing its own conduct, disclosure, operational resilience, and AML requirements. A VASP may be licensed for one or more activities; each activity licence carries its own compliance appendix, and VARA has made clear through supervisory guidance that holding a licence for Activity A does not authorise incidental conduct that falls within Activity B.

Practically, this creates a matrix-mapping obligation at the business-model level. Before any product launch or feature expansion, the compliance function must formally assess which rulebook(s) are engaged, and whether an additional activity licence or a variation of the existing licence is required. VARA's enforcement posture under Rulebooks 2.0 has moved toward thematic reviews: VARA has signalled it will conduct periodic assessments of whether VASPs' actual revenue-generating activities remain within licensed parameters. Executives who approve product expansions without a prior regulatory perimeter analysis carry personal exposure under FDL 10/2025's personal manager liability provisions, discussed below.

The capital adequacy and prudential requirements under Rulebooks 2.0 are activity-specific and, for exchange and broker-dealer licences, materially higher than under the prior framework. VASPs are required to maintain minimum own funds, hold client assets in segregated custody arrangements, and submit audited financial statements to VARA on a prescribed cycle. For larger VASPs and those handling fiat on-ramps, VARA also requires a Systems and Controls Assurance report from an approved external reviewer — a requirement that should be built into the annual audit and assurance timetable from day one of licensing.

Technology and cybersecurity obligations under Rulebooks 2.0 are now expressly linked to the AML framework. VASPs must maintain transaction monitoring systems capable of real-time screening against designated lists (UN Security Council consolidated list, local UAE designations, and OFAC where relevant to counterparty nationality), and must ensure their systems generate Suspicious Transaction Reports (STRs) that can be filed with the UAE Financial Intelligence Unit (FIU/goAML platform) within the statutory timeframe under FDL 10/2025. A gap between the technology obligation in the VARA rulebook and the STR obligation in FDL 10/2025 is the single most common compliance deficiency identified in regulatory reviews of early-stage VASPs.

VA Issuance, FRVAs, ARVAs, and the Stablecoin Regulatory Regime

The VARA Issuance Rulebook (June 2025) introduces a structured classification for virtual assets offered to the public, with distinct regulatory treatments for what VARA terms Fiat-Referenced Virtual Assets (FRVAs) and Algorithmic-Referenced Virtual Assets (ARVAs). FRVAs are tokens whose value is pegged or referenced to one or more fiat currencies — the category colloquially known as stablecoins. ARVAs are tokens that maintain or attempt to maintain value by reference to algorithmic mechanisms, whether or not backed by a reserve pool. The regulatory treatment diverges sharply: FRVAs are subject to a reserve-backing, custody, and redemption-rights regime; ARVAs face additional risk-disclosure obligations and, in certain configurations, may require VARA's prior written consent before issuance.

For FRVA issuers, the Issuance Rulebook mandates that reserves be held in high-quality liquid assets (HQLAs) — specifically, cash or near-cash instruments in the pegged currency — held in segregated accounts with VARA-approved custodians. Commingling of reserve assets with operating capital is prohibited. The rulebook further requires that FRVA issuers publish a verified whitepaper containing reserve composition data, audit attestation from an approved auditor on a quarterly cycle, and a clear redemption mechanism that allows retail holders to redeem at par on demand (or within a stated short window). Any gate or delay mechanism on redemptions must be pre-approved by VARA and disclosed prominently.

ARVA issuers face the most acute regulatory scrutiny. The events of 2022 in global crypto markets — specifically the collapse of algorithmic stablecoin structures — are explicitly referenced in VARA's supervisory rationale for the ARVA framework. Issuers must demonstrate stress-tested stability mechanisms, provide a detailed technical white paper reviewed by an approved independent assessor, and obtain VARA's explicit pre-issuance consent. Post-issuance, continuous monitoring reports must be filed with VARA at intervals VARA prescribes. An ARVA that de-pegs beyond a threshold specified in the VARA consent conditions triggers immediate mandatory notification obligations to VARA and may activate a supervised wind-down protocol.

From an AML perspective, both FRVA and ARVA issuers bear the full VASP AML obligations under FDL 10/2025. This includes customer due diligence on all purchasers above the relevant thresholds, ongoing transaction monitoring for structuring and layering patterns, and Travel Rule compliance for any transfer of the issued asset between VASPs. The intersection of the Issuance Rulebook and the AML framework means that the whitepaper itself must contain AML disclosures — specifically, the jurisdictions in which the token may and may not be offered, the sanctions-screening methodology applied at the primary issuance stage, and the mechanism by which the issuer will block or freeze wallets identified in connection with designated persons or suspicious activity.

AML Obligations Under FDL 10/2025: What VASPs Must Do

Federal Decree-Law 10/2025 is the governing AML/CFT/CPF statute for all financial institutions and designated non-financial businesses and professions (DNFBPs) in the UAE, and VASPs are expressly captured as a regulated category. The law materially expands the prior regime in four areas of direct relevance to VASPs. First, it adds proliferation financing (financing the proliferation of weapons of mass destruction) and tax evasion as predicate offences to money laundering — meaning that a VASP that processes transactions connected to either activity faces money laundering exposure, not merely a regulatory breach. Second, it imposes personal manager liability: senior managers and compliance officers who knew or ought to have known of a breach and failed to act may be prosecuted individually, with criminal penalties in addition to administrative sanctions. Third, administrative fines reach AED 100 million. Fourth, and critically, there is no statute of limitations for money laundering offences — a provision that carries profound implications for historical compliance gaps in entities seeking to restructure or exit the market.

Cabinet Resolution 134/2025 (the Executive Regulations) operationalises the Travel Rule for virtual asset transfers. Any VA transfer between VASPs where the transfer value equals or exceeds AED 3,500 requires the originating VASP to transmit — simultaneously with or before the transfer — the originator's full name, wallet address or account number, and (where available) national identity or passport number, alongside the beneficiary VASP's name and wallet address. The beneficiary VASP must verify the received data against its own CDD records and must not execute the transfer if it cannot do so. This is a hard technical and operational requirement: it cannot be satisfied by post-transfer data requests or batch reconciliations.

Customer due diligence under FDL 10/2025 for VASPs follows a risk-based tiered approach, but the baseline obligations are stringent. For natural persons, VASPs must verify identity using original government-issued documents, screen against designated lists at onboarding and on an ongoing basis, and obtain source-of-funds information for transactions above prescribed thresholds. For corporate clients, the 25% beneficial ownership threshold under Cabinet Decision 109/2023 applies, and VASPs must look through layered structures to identify ultimate beneficial owners. Enhanced due diligence (EDD) is mandatory for: Politically Exposed Persons (PEPs) and their associates; clients from higher-risk jurisdictions; and transactions that by nature, size, or pattern present elevated risk indicators identified in VARA's risk guidance or the National Risk Assessment.

STR filing obligations under FDL 10/2025 require VASPs to file with the UAE FIU via the goAML platform without delay upon forming a suspicion — and critically, without tipping off the subject of the report. The tipping-off prohibition is absolute: a VASP that informs a client that an STR has been filed, or that takes any step that could reasonably lead the client to infer it, commits a separate criminal offence. Internal escalation procedures must therefore be designed so that the compliance team can freeze or decline a transaction and manage the client relationship without revealing the regulatory action being taken. VARA's Rulebooks 2.0 require VASPs to document their STR escalation procedures in their AML programme and to test them in annual compliance reviews.

Personal Liability, Enforcement Exposure, and the Compliance Officer's Position

The personal manager liability provision in FDL 10/2025 represents the sharpest change in the risk landscape for VASP executives and compliance officers. Under the prior regime (FDL 20/2018), enforcement action was primarily directed at the licensed entity. FDL 10/2025 expressly provides that a manager, director, or compliance officer who was aware of — or who ought reasonably to have been aware of — an AML/CFT breach and who failed to take adequate steps to prevent or report it may be held personally criminally liable. This is not merely a regulatory censure or disqualification mechanism: it is criminal prosecution, with the prospect of custodial sentences under the Penal Code (Federal Decree-Law 31/2021, as amended by FDL 36/2022).

For compliance officers specifically, this creates a documented-opinion obligation. Every material compliance decision — a risk-acceptance decision for a high-risk client, a determination not to file an STR, a decision to proceed with a transaction flagged by the monitoring system — must be recorded in writing with the reasoning at the time. Oral approvals, undocumented committee decisions, and retrospective justifications will not provide adequate legal protection if a regulator or prosecutor later scrutinises the decision. External legal advice obtained at the time of a material compliance decision, properly documented and retained, is a meaningful mitigant to personal liability exposure, though it is not a complete defence if the conduct was objectively unreasonable.

VARA's own enforcement powers include licence suspension or revocation, public censure, and referral to public prosecution. For market abuse and manipulation — increasingly relevant as VASP-listed tokens are scrutinised — FDL 33/2025 (in force from 1 January 2026 alongside the CMA restructure under FDL 32/2025) creates codified offences of insider dealing and market manipulation with penalties to AED 200 million and criminal exposure for individuals. A VASP whose market-making or treasury operations in its own listed token cross into conduct that influences the token's price without disclosure will face scrutiny under both VARA's rulebooks and FDL 33/2025.

The no-statute-of-limitations rule in FDL 10/2025 for money laundering means that VASPs with compliance gaps in their pre-2025 history cannot assume those gaps will age out of regulatory relevance. Entities planning M&A transactions, secondary offerings, or regulatory expansions should conduct forensic AML compliance reviews covering historical transaction records, customer files, and STR decisions before presenting to VARA or a sophisticated counterparty in due diligence. A voluntary disclosure to VARA of a historical gap — supported by a remediation plan — is typically treated more favourably than a gap discovered in a VARA inspection, though VARA retains full discretion on outcomes.

Travel Rule Implementation and Transaction Monitoring: Operational Requirements

The Travel Rule obligation in Cabinet Resolution 134/2025 at the AED 3,500 threshold is operationally demanding because it requires real-time data transmission, not post-settlement reconciliation. VASPs must implement a Travel Rule solution — typically a TRUST-compatible or TRISA-protocol messaging layer — that can transmit originator and beneficiary data to counterparty VASPs simultaneously with the blockchain transaction. Where the counterparty VASP is not a registered participant in a recognised Travel Rule protocol, the originating VASP must take additional steps to verify the counterparty's identity and obtain written confirmation of receipt of the required data before releasing the transfer. Transfers to unhosted wallets (wallets not associated with a regulated VASP) above the threshold trigger enhanced due diligence and documentation obligations.

Transaction monitoring systems must be calibrated to the specific risk profile of the VASP's product and client base. A VASP operating an exchange with high retail volume will require a rule-set that flags structuring patterns (multiple transactions just below the AED 3,500 Travel Rule threshold), rapid cycling of funds between wallets, and transactions involving mixing or tumbling protocols. A VASP providing custody or asset management to institutional clients will need a monitoring rule-set calibrated to large single transactions, unusual counterparty wallet histories, and transactions involving jurisdictions on the UAE's high-risk country list. VARA's Rulebooks 2.0 require that monitoring systems be reviewed and updated at least annually, and following any material change in the VASP's product offering or client base.

Blockchain analytics tools — on-chain transaction tracing software capable of assigning risk scores to wallet addresses — are effectively mandated by the VARA and FDL 10/2025 frameworks, even where not stated in those exact words. A VASP that cannot demonstrate, upon VARA inspection, that it screens incoming and outgoing wallet addresses against known illicit-activity clusters (darknet markets, sanctioned entities, ransomware wallets) will be found to have inadequate transaction monitoring regardless of its other controls. VARA has engaged with leading blockchain analytics providers as part of its supervisory framework, and compliance functions should ensure their chosen tool's data sources are consistent with the risk indicators referenced in VARA's published guidance.

Post-Grey-List UAE, FATF 2026, DIFC Tools, and Strategic Risk Management

The UAE's removal from the FATF grey list in February 2024 — and the EU's subsequent removal of the UAE from its high-risk third-country list in 2025 — was the result of substantial legislative and enforcement reform, of which FDL 10/2025 and the VARA regulatory framework are central components. However, the UAE's next FATF Mutual Evaluation is scheduled for 2026, which creates a supervisory environment in which regulators — including VARA — are actively demonstrating the effectiveness of their frameworks through enforcement action and thematic reviews. VASPs should treat the 2025-2026 period as one of heightened scrutiny, not regulatory calm.

For VASPs and their counterparties involved in cross-border asset recovery or fraud disputes, the DIFC Court's expanded jurisdiction under DIFC Court Law No. 2 of 2025 and the ADGM precedent in A17 v B17 [2025] are significant strategic tools. Both frameworks now support worldwide freezing orders in support of foreign proceedings without requiring a local asset nexus — meaning that a foreign judgment creditor or a VARA-regulated entity seeking to freeze assets of a counterparty can engage the DIFC or ADGM courts even where the assets are not located in the UAE. Conversely, VASPs holding client assets that become the subject of such orders must have clear legal protocols for responding to freezing injunctions, including tipping-off risk management when an STR has already been filed on the same counterparty.

For HNW individuals and corporate groups using VARA-licensed VASPs as part of their treasury or investment infrastructure, the intersection of the beneficial ownership regime (Cabinet Decision 109/2023), the corporate tax framework (Federal Decree-Law 47/2022 and Cabinet Decision 129/2025 penalties), and the AML predicate offence of tax evasion under FDL 10/2025 creates a compliance triangle that must be managed holistically. A structure that uses a VARA-licensed VASP to hold or transact in virtual assets but that has not properly disclosed UBO information to the VASP — or that uses virtual asset transactions to obscure income that ought to be declared for corporate tax purposes — creates exposure not only under the tax regime but as a money laundering predicate. General Counsel and tax advisers working on such structures must coordinate with AML counsel from the design stage.

Practical checklist

  • Map every revenue-generating activity to the specific VARA Rulebooks 2.0 activity licence required before launch.
  • Hard-code the AED 3,500 Travel Rule threshold into transaction monitoring and payment systems per Cabinet Resolution 134/2025.
  • Conduct a UBO analysis to 25% threshold under Cabinet Decision 109/2023 for all corporate VASP clients at onboarding.
  • Ensure all senior managers and compliance officers have written, dated records of material AML compliance decisions.
  • Implement blockchain analytics screening for all wallet addresses — incoming and outgoing — against known illicit-activity clusters.
  • Verify FRVA reserve assets are held in segregated HQLA accounts with VARA-approved custodians and audited quarterly.
  • Review historical AML compliance gaps before any M&A, secondary offering, or VARA licence variation — no statute of limitations applies under FDL 10/2025.
  • Test STR escalation procedures annually to ensure tipping-off prohibition is operationally respected at every client-touchpoint.

What we'd typically advise

Our immediate counsel to any VASP or VASP applicant is to treat Rulebooks 2.0 and FDL 10/2025 as a unified compliance obligation, not two separate workstreams. The personal manager liability provisions in FDL 10/2025 mean that compliance failures are no longer contained at the entity level — executives carry individual criminal exposure. We advise establishing a documented compliance decision log from day one, covering every material risk-acceptance, STR determination, and Travel Rule exception. For stablecoin issuers, the FRVA reserve and redemption framework in the Issuance Rulebook should be reviewed by external legal counsel before the first token is issued, not after. The 2026 FATF Mutual Evaluation makes regulatory tolerance for gaps materially lower than in prior years.

Frequently asked questions

Do we need a separate VARA licence for each VA activity, or does one licence cover everything?

Under VARA Rulebooks 2.0 (May 2025), each regulated VA activity — exchange, broker-dealer, lending, issuance, transfer and settlement, management and investment, and advisory — requires its own activity licence or an explicit multi-activity licence from VARA. Conducting an unlicensed activity, even incidentally to a licensed one, constitutes a regulatory breach and may trigger enforcement action. Any product or feature expansion must be assessed against the activity taxonomy before launch.

What is the AML threshold that triggers the Travel Rule for crypto transfers in the UAE?

Cabinet Resolution 134/2025 (the Executive Regulations to FDL 10/2025, effective 14 December 2025) sets the Travel Rule threshold for virtual asset transfers between VASPs at AED 3,500. At or above this amount, originator and beneficiary data must be transmitted simultaneously with or before the transfer. This applies to both inbound and outbound transfers and to transfers involving unhosted wallets, where enhanced due diligence applies.

We issued a stablecoin before the Issuance Rulebook came into force. Do we need to restructure?

The VARA Issuance Rulebook (June 2025) applies to ongoing issuance activity, not only to tokens first issued after its effective date. Existing FRVA issuers must review reserve composition, custody arrangements, and redemption mechanisms for compliance with the rulebook's requirements and obtain any required VARA consent or variation. Continued non-compliant issuance following the rulebook's effective date constitutes a breach of licence conditions and creates AML exposure under FDL 10/2025 if the non-compliant structure obscures reserve adequacy.

Can a senior manager be personally prosecuted for an AML breach by the licensed entity?

Yes. Federal Decree-Law 10/2025 introduces express personal manager liability: a senior manager, director, or compliance officer who knew or ought to have known of an AML/CFT breach and failed to take adequate preventive or corrective action may be individually prosecuted. Criminal penalties apply under Federal Decree-Law 31/2021 (Penal Code, as amended by FDL 36/2022), in addition to administrative fines reaching AED 100 million at the entity level. Written records of compliance decisions are an essential personal liability mitigant.

Is there a time limit on prosecuting historic money laundering connected to our VASP's early operations?

No. Federal Decree-Law 10/2025 explicitly provides that there is no statute of limitations for money laundering offences. Historic compliance gaps — including inadequate CDD, undetected suspicious transactions, or failure to file STRs in prior years — remain within prosecutorial reach indefinitely. VASPs planning any change of control, licence variation, or public market activity should commission a forensic AML compliance review of their full operating history before proceeding.

Does the UAE's removal from the FATF grey list in 2024 reduce our compliance obligations?

No. Grey-list removal reflects legislative and institutional reform, not a relaxation of obligations on regulated entities. The 2026 FATF Mutual Evaluation — which will assess effectiveness of implementation rather than legal adequacy — is actively shaping VARA's supervisory posture. VASPs should expect thematic inspections, enhanced STR scrutiny, and increased enforcement referrals in the 2025-2026 period as regulators demonstrate operational effectiveness to international assessors.

Can we use the DIFC Courts to freeze a counterparty's crypto assets held outside the UAE?

Yes, subject to jurisdictional gateways. DIFC Court Law No. 2 of 2025 and the ADGM precedent in A17 v B17 [2025] confirm that the DIFC and ADGM courts can grant worldwide freezing orders in support of foreign proceedings without requiring a UAE asset nexus. For crypto asset recovery, this is a powerful tool — particularly where assets are held across multiple wallets or exchanges in different jurisdictions. Early engagement with disputes counsel is essential, as freezing order applications are typically made without notice and require detailed evidence of dissipation risk.

Tax evasion is now a predicate offence for money laundering — what does that mean for a VASP's client acceptance?

Under FDL 10/2025, proceeds of tax evasion are proceeds of crime for money laundering purposes. A VASP that knowingly processes transactions involving funds derived from tax evasion — including corporate tax evasion under Federal Decree-Law 47/2022 — faces money laundering exposure in addition to any regulatory breach. Client acceptance procedures must include source-of-funds analysis calibrated to tax-evasion risk indicators, particularly for high-value or complex-structure clients, and must be documented as part of the AML programme reviewed by VARA under Rulebooks 2.0.

Related guides


Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.

Need this matter handled?

A partner can review the specifics and respond with a scoped engagement note within one working day.

Speak to us →