Dubai's Virtual Assets Regulatory Authority (VARA) has moved a cluster of anti-financial-crime obligations from principle to enforceable practice for virtual asset service providers (VASPs). The Travel Rule Circular issued to all Dubai-licensed VASPs on 24 February 2026, the AML/CFT Business Risk Assessment (BRA) Guidance published in June 2026, and the UAE Proliferation Financing National Risk Assessment (PF NRA) 2026 together raise the compliance bar for originator and beneficiary information, counterparty due diligence, and firm-level risk assessment. These build on VARA's Version 2.0 activity Rulebooks, which required full compliance by 19 June 2025.
Who should read this
Compliance officers, MLROs and boards of VARA-licensed virtual asset service providers in Dubai; exchanges, custodians, brokers and OTC desks handling qualifying transfers; and legal and risk teams at financial institutions with virtual asset exposure or counterparty relationships with Dubai VASPs.
Directly affected
Key facts
- Regulator: Virtual Assets Regulatory Authority (VARA), the Dubai virtual asset regulator. This is a Dubai (Emirate-level) framework, distinct from the ADGM (FSRA), DIFC (DFSA) and the federal Securities and Commodities Authority regimes.
- Travel Rule Circular: issued to all Dubai-licensed or authorised VASPs on 24 February 2026, setting out supervisory expectations for implementing the UAE Virtual Assets Travel Rule.
- AML/CFT BRA Guidance: published in June 2026 following VARA's 2026 thematic review of Business Risk Assessments, addressing governance, methodology, data integration, proliferation financing and operationalisation of findings.
- UAE PF NRA 2026: the national Proliferation Financing National Risk Assessment and required actions, published in 2026, which VASPs must feed into their own risk assessments.
- Underlying framework: builds on VARA's Version 2.0 activity Rulebooks (issued 19 May 2025), with full compliance required by 19 June 2025 after a 30-day transition.
- Travel Rule threshold: full originator and beneficiary information requirements apply to qualifying transfers above AED 3,500 (approximately USD 950).
- Record retention: AML/CFT records must be kept for a minimum of eight years; client AML/CFT risk ratings must be refreshed at least every three months.
Instrument names and issue dates are as published by VARA and reported in practitioner analyses; where a precise article or clause is engaged, the enacted Arabic-language text of the relevant VARA Rulebook or Circular prevails.
Executive summary
VARA has consolidated its anti-financial-crime expectations for Dubai VASPs into a set of instruments that are now operative rather than aspirational. The 24 February 2026 Travel Rule Circular tells firms how VARA expects the UAE Virtual Assets Travel Rule to be applied in practice: verified originator and beneficiary data for qualifying transfers, a prohibition on sending to unregulated counterparties, and no dealings in privacy tokens. The June 2026 AML/CFT BRA Guidance sets the standard against which VARA will judge each firm's Business Risk Assessment, and the UAE PF NRA 2026 supplies national-level proliferation financing findings that firms must reflect in their own assessments. For a licensed VASP, the practical effect is that supervisory scrutiny, and the risk of enforcement, now attach to how these controls are actually implemented and evidenced.
What changed
Three shifts matter most. First, on the Travel Rule, VARA's 2026 Circular moves firms from generic FATF alignment to specific supervisory expectations. For qualifying transfers above AED 3,500 (approximately USD 950), the sending and receiving VASPs must collect, hold and transmit verified information on both the originator and the beneficiary. The Circular raises the counterparty bar: a counterparty VASP must be appropriately regulated in its home jurisdiction, and transfers to unregulated counterparties are prohibited. Transfers involving privacy tokens are not permitted because their obfuscation features are treated as an unacceptable financial-crime risk, and self-hosted (unhosted) wallet transfers require enhanced due diligence, including additional customer identification and source-of-funds verification.
Second, on firm-level risk assessment, the June 2026 BRA Guidance follows VARA's thematic review and describes what a mature Business Risk Assessment looks like. VARA expects a "three lines of defence" structure, board-level approval, independent challenge of the methodology and residual-risk conclusions, transparent and repeatable scoring, documented aggregation of individual risk inputs, and clear traceability from inputs to overall ratings. The guidance reinforces existing obligations, including quarterly BRA review and the requirement that BRA findings actually drive AML/CFT controls and resource allocation, rather than sitting on file.
Third, on proliferation financing, the UAE PF NRA 2026 and its required actions oblige firms to treat proliferation financing as a distinct risk area. VARA's guidance signals that many firms will need to strengthen both their risk assessment and their controls in this area, not merely map it into a broader money-laundering assessment.
Practical implications
The operational load falls on compliance, technology and governance functions in parallel. On the technology side, Travel Rule messaging must reliably capture and transmit verified originator and beneficiary data at the AED 3,500 threshold, and screening must be able to identify and block privacy-token activity and unregulated counterparties. On the counterparty side, firms need a defensible process for assessing whether a receiving VASP is appropriately regulated in its home jurisdiction before a transfer proceeds; the prohibition on transfers to unregulated counterparties turns this from a commercial preference into a compliance control.
On governance, the BRA Guidance means a board minute approving the methodology and residual-risk conclusions is no longer optional window-dressing; it is evidence VARA will expect to see. Client risk ratings must be refreshed at least every three months, with enhanced measures for high-risk clients and for clients whose ultimate beneficial owner is a politically exposed person. AML/CFT records must be retained for at least eight years. Firms that treated the June 2025 Rulebook 2.0 compliance date as the end of the project should now treat 2026 as a supervisory maturity check, because VARA is assessing implementation quality, not just the existence of policies.
Directly affected: VARA-licensed virtual asset service providers in Dubai, their compliance and MLRO functions and boards, and counterparties and financial institutions transacting with Dubai VASPs.
Action points
- Reconcile your Travel Rule implementation against the 24 February 2026 Circular, confirming verified originator and beneficiary data capture at the AED 3,500 threshold and end-to-end transmission with counterparties.
- Implement or tighten controls that block privacy-token transfers and transfers to counterparties that are not appropriately regulated in their home jurisdiction, and document the counterparty regulatory-status assessment.
- Apply enhanced due diligence to self-hosted wallet transfers, including additional identification and source-of-funds verification.
- Refresh the Business Risk Assessment against the June 2026 guidance: three-lines-of-defence structure, board approval, independent challenge, quantitative scoring and documented traceability, and a discrete proliferation financing analysis informed by the UAE PF NRA 2026.
- Confirm client risk ratings are reviewed at least quarterly, that PEP and high-risk clients receive enhanced measures, and that AML/CFT records are retained for at least eight years.
- Prepare a supervisory-engagement pack evidencing how BRA findings drive controls and resourcing, so the firm can respond credibly to VARA queries or inspections.
Enforcement and supervisory exposure
Because these instruments are already operative, the exposure is enforcement-led rather than transitional. VARA can pursue supervisory action, financial penalties and licence conditions where Travel Rule, counterparty or BRA obligations are not met, and gaps in verified transfer data or counterparty due diligence are readily evidenced from transaction records. A documented, board-approved compliance framework is the most reliable defence in any supervisory challenge or subsequent dispute; where a precise obligation is engaged, the enacted Arabic text of the relevant VARA Rulebook or Circular prevails and should be reviewed for the specific matter.
Sources and authorities
VARA — Virtual Assets Regulatory Authority (Dubai). Primary instruments: the Travel Rule Circular to Dubai-licensed VASPs (24 February 2026); the AML/CFT Business Risk Assessment Guidance (June 2026); the UAE Proliferation Financing National Risk Assessment 2026; and the Version 2.0 activity Rulebooks (issued 19 May 2025, compliance by 19 June 2025), which update and consolidate VARA's earlier activity Rulebooks and compliance and risk management requirements.
https://www.vara.ae/en/news/ · VARA Rulebook — FATF Travel Rule
Cross-checked against leading practitioner analyses · Captured: 2026-06-23T23:16Z · Last reviewed: 2 July 2026
Instrument details
Regulator: Virtual Assets Regulatory Authority (VARA), Emirate of Dubai. Jurisdiction: Dubai virtual asset activities (distinct from ADGM/FSRA, DIFC/DFSA and the federal SCA regimes).
Instruments referenced:
- Travel Rule Circular to Dubai-licensed / authorised VASPs — issued 24 February 2026; supervisory expectations for the UAE Virtual Assets Travel Rule.
- AML/CFT Business Risk Assessment Guidance — published June 2026, following VARA's 2026 BRA thematic review.
- UAE Proliferation Financing National Risk Assessment (PF NRA) 2026 and required actions.
- VARA activity Rulebooks, Version 2.0 — issued 19 May 2025; full compliance required by 19 June 2025 (30-day transition).
Core obligations captured above: verified originator/beneficiary data for transfers above AED 3,500; prohibition on transfers to unregulated counterparties and on privacy-token transfers; enhanced due diligence for self-hosted wallets; quarterly client risk-rating review; eight-year record retention; board-approved BRA with three-lines-of-defence governance and discrete proliferation financing analysis.
This summary is for orientation only. Instrument names and dates follow VARA publications and practitioner reporting; the enacted Arabic-language text of each Rulebook or Circular is authoritative and prevails.
Based on VARA's Travel Rule Circular (24 February 2026), the AML/CFT Business Risk Assessment Guidance (June 2026), the UAE PF NRA 2026 and the Version 2.0 activity Rulebooks, and cross-checked against leading practitioner analyses. General information only — it does not constitute legal advice, and the enacted Arabic text prevails. For advice on a specific matter, please contact us. Last updated: 2 July 2026.