VARA Licensed VASPs: 19 ▲ Dubai Active | ADGM FSP Holders: 14 ▲ Digital Asset | DFSA Crypto Tokens: 6 Recognized ▲ DIFC Licensed | SCA Regulated: Federal Scope ▼ Onshore UAE | UAE FATF Rating: Compliant ▲ 2024 MER | Sandbox Programs: 3 Active ▲ VARA+ADGM+DFSA | Cross-Border MoUs: 12+ ▲ Bilateral | Corporate Tax: 9% ▼ Federal Rate
Layer 1 intelligence brief

federal aml/cft framework amendments and updates

Intelligence brief tracking amendments to the UAE federal AML/CFT framework under Federal Decree-Law No. 20 of 2018 and their implications for virtual asset service providers.

The UAE federal AML/CFT framework continues to evolve through amendments to Federal Decree-Law No. 20 of 2018 and its implementing regulations. These amendments enhance requirements for VASPs including strengthened customer due diligence obligations, expanded suspicious transaction reporting categories, refined Travel Rule implementation standards, and enhanced beneficial ownership transparency requirements. This brief examines the amendment trajectory and its operational implications for UAE-licensed VASPs.

amendment context

The federal AML/CFT framework amendments are driven by two converging forces. First, the UAE’s FATF grey list experience (March 2022 to February 2024) created sustained pressure for framework enhancement. The remediation action plan required specific improvements to AML/CFT legislation, regulation, and operational effectiveness. While the grey list removal validated the remediation measures, ongoing FATF monitoring requires that improvements be maintained and deepened.

Second, the growing scale and sophistication of the UAE’s virtual asset sector creates new AML/CFT challenges that the original 2018 framework did not fully anticipate. The rapid expansion of licensed VASPs across all five jurisdictions, the increasing volume and complexity of virtual asset transactions, and the emergence of new service models (DeFi interactions, cross-chain operations, NFT marketplaces) all demand framework adaptation.

key amendment areas

strengthened customer due diligence

Amendments have strengthened CDD requirements for VASPs in several dimensions. Enhanced identification and verification requirements for customers using virtual asset services address the specific challenges of digital onboarding where face-to-face interaction may not occur. Ongoing CDD requirements mandate continuous assessment of customer risk profiles rather than point-in-time onboarding assessments. Beneficial ownership transparency requirements have been enhanced to ensure that the ultimate beneficial owners of entities using VASP services are identified and verified.

These enhanced CDD requirements affect the operational design of VASP onboarding processes. Firms must implement technology solutions capable of robust identity verification, ongoing risk assessment, and beneficial ownership analysis. The CBUAE’s AML/CFT department (established August 2020) assesses whether banks providing services to VASPs conduct adequate CDD on their VASP customers, creating an indirect CDD overlay through the banking relationship.

expanded suspicious transaction reporting

The amendments expand the categories of suspicious activity that VASPs must report to the UAE FIU through the goAML system. Beyond the traditional ML/TF indicators, VASPs must now give enhanced attention to transactions involving jurisdictions identified by FATF as having strategic AML/CFT deficiencies, patterns consistent with sanctions evasion including the use of mixing services or privacy-enhancing technologies, unusual transaction patterns that may indicate layering or structuring, and activity associated with known fraud typologies in the virtual asset sector.

The FIU has enhanced its analytical capacity for virtual asset-related STRs, investing in blockchain analytics capabilities and specialized personnel. The quality of STR filings — not just the quantity — is assessed during supervisory examinations by all five regulatory authorities.

refined travel rule implementation

Amendments have refined Travel Rule implementation standards, addressing several operational challenges identified during initial implementation. Enhanced interoperability requirements aim to ensure that UAE VASPs can exchange Travel Rule information with counterparty VASPs across different technology solutions. Threshold clarification addresses situations where transaction amounts are uncertain at the time of transfer initiation. Unhosted wallet guidance provides clearer standards for VASPs processing transfers to or from self-custodied wallets. Record-keeping requirements specify the duration and format of Travel Rule information retention.

sanctions compliance enhancements

The EOCN sanctions compliance framework has been enhanced through amendments that require real-time or near-real-time sanctions screening for virtual asset transfers, mandate the use of blockchain analytics tools to identify exposure to sanctioned wallet addresses, and strengthen reporting requirements for potential sanctions matches.

authority-level implementation

Each UAE regulatory authority implements the federal amendments through authority-specific regulations and supervisory guidance. VARA integrates the amendments into its activity-specific rulebooks, with enhanced focus on AML/CFT compliance as an enforcement priority. ADGM FSRA updates its AML/CFT rules within the FSMR framework, and the NAFIS compliance programme (launched March 2026) builds the human capital needed for enhanced compliance operations. The DFSA applies the amendments through its AML/CFT rulebook for DIFC-authorized firms. The SCA develops implementing regulations that incorporate the amendments into the onshore VASP framework.

operational implications for vasps

The cumulative effect of the amendments increases the compliance burden for UAE VASPs in several areas. Technology investment requirements grow as enhanced CDD, transaction monitoring, Travel Rule, and sanctions screening standards demand more sophisticated systems. Staffing requirements increase as the volume and complexity of compliance activities expand. Training obligations expand to ensure that staff understand and can implement the enhanced requirements. Documentation requirements grow as expanded record-keeping and reporting standards demand more comprehensive compliance records.

However, the amendments also enhance the value proposition of UAE licensing. By demonstrating robust AML/CFT compliance to international standards, UAE-licensed VASPs benefit from enhanced credibility with banking partners, counterparty VASPs, and institutional clients. The FATF validation of the UAE’s framework provides a quality signal that supports international business development.

forward outlook

Additional amendments are anticipated as the FATF updates its virtual asset guidance and as the UAE’s virtual asset market continues to evolve. The AML/CFT federal requirements analysis provides the comprehensive examination of the current framework. The AML/CFT compliance implementation guide provides practical guidance for VASPs building compliant programs. The regulatory framework tracker dashboard monitors framework developments across all authorities.

emerging risk areas addressed by amendments

The amendments address several emerging risk areas specific to virtual asset operations that the original 2018 framework did not fully contemplate. Decentralized finance (DeFi) interactions present challenges for traditional CDD processes where counterparties are smart contracts rather than identified entities. VASPs facilitating customer interactions with DeFi protocols must assess and manage the ML/TF risks of these interactions within their AML/CFT programs.

Cross-chain and bridge transactions create layering opportunities where virtual assets are moved across multiple blockchain networks to obscure their origin. The amendments strengthen transaction monitoring requirements to detect multi-chain movement patterns that may indicate laundering activity.

Privacy-enhancing technologies including mixing services, privacy coins, and zero-knowledge proof transactions present sanctions screening and transaction monitoring challenges. The amendments clarify the enhanced due diligence required when VASPs encounter transactions involving these technologies.

Non-fungible token (NFT) activity raises questions about whether certain NFT transactions constitute virtual asset activity subject to AML/CFT requirements. The amendments provide guidance on the risk-based assessment of NFT-related activities within the AML/CFT framework.

compliance program evolution

The cumulative effect of the amendments requires VASPs to evolve their compliance programs from initial implementation to ongoing maturity. This evolution involves moving from policy-driven compliance (having the right documents) to outcome-driven compliance (demonstrating effective controls), from manual processes to technology-enabled monitoring and screening, from reactive STR filing (reporting when problems are identified) to proactive risk detection (using analytics to identify emerging risks before incidents occur), and from standalone AML/CFT compliance to integrated risk management that connects AML/CFT controls with broader operational risk, technology governance, and consumer protection frameworks.

The VARA enforcement actions brief demonstrates how authorities assess compliance maturity in practice, with enforcement action targeting firms whose programs exist on paper but fail to function operationally.

international standards alignment

The federal AML/CFT amendments maintain and strengthen the UAE’s alignment with FATF standards. FATF Recommendation 15 and its Interpretive Note set the international baseline for virtual asset AML/CFT requirements. The UAE’s amendments reflect FATF guidance updates including the 2021 Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs, which expanded the scope of regulated activities and clarified expectations for supervision and enforcement.

The amendments also anticipate potential future FATF guidance on emerging areas including DeFi regulation, NFT treatment, and stablecoin-specific AML/CFT measures. By proactively addressing these areas, the UAE positions its framework to withstand scrutiny during future FATF assessments and demonstrates regulatory leadership within the MENAFATF regional body.

The FATF grey list removal analysis examines how AML/CFT framework effectiveness was demonstrated during the remediation process. The UAE vs EU MiCA comparison examines how the UAE’s AML/CFT approach compares with the EU’s Transfer of Funds Regulation requirements for crypto-asset transfers.

authority-specific supervisory responses

Each authority has responded to the federal amendments through enhanced supervisory practices. VARA’s enforcement actions demonstrate operational assessment of AML/CFT controls, with findings covering CDD inadequacy, transaction monitoring gaps, and STR filing delays. ADGM FSRA’s NAFIS compliance programme builds the human capital needed for enhanced AML/CFT supervision. The DFSA applies its established supervisory methodology to assess AML/CFT compliance for crypto token activities. The SCA develops supervisory tools including the innovative risk-assessment methodology announced in December 2025.

For official regulatory information, visit SCA, CBUAE, VARA, ADGM, and DFSA. For international standards, visit FATF.
