March 22, 2026
Methodology About Contact
UAE TOKENIZATION REGULATIONS
The Vanderbilt Terminal for UAE Tokenization Regulatory Frameworks
INDEPENDENT GLOBAL INTELLIGENCE FOR UAE TOKENIZATION REGULATION
VARA Licensed VASPs: 19 ▲ Dubai Active | ADGM FSP Holders: 14 ▲ Digital Asset | DFSA Crypto Tokens: 6 Recognized ▲ DIFC Licensed | SCA Regulated: Federal Scope ▼ Onshore UAE | UAE FATF Rating: Compliant ▲ 2024 MER | Sandbox Programs: 3 Active ▲ VARA+ADGM+DFSA | Cross-Border MoUs: 12+ ▲ Bilateral | Corporate Tax: 9% ▼ Federal Rate | VARA Licensed VASPs: 19 ▲ Dubai Active | ADGM FSP Holders: 14 ▲ Digital Asset | DFSA Crypto Tokens: 6 Recognized ▲ DIFC Licensed | SCA Regulated: Federal Scope ▼ Onshore UAE | UAE FATF Rating: Compliant ▲ 2024 MER | Sandbox Programs: 3 Active ▲ VARA+ADGM+DFSA | Cross-Border MoUs: 12+ ▲ Bilateral | Corporate Tax: 9% ▼ Federal Rate |
Home international alignment aml/cft requirements for virtual asset service providers
Layer 1 deep dive

aml/cft requirements for virtual asset service providers

comprehensive analysis of uae federal aml/cft requirements for vasps under federal decree-law no. 20 of 2018, including customer due diligence, travel rule implementation, suspicious transaction reporting, and sanctions compliance.

Advertisement

table of contents

  1. federal aml/cft architecture
  2. federal decree-law no. 20 of 2018
  3. customer due diligence requirements
  4. ongoing monitoring obligations
  5. suspicious transaction reporting
  6. travel rule implementation
  7. sanctions compliance
  8. record-keeping requirements
  9. supervisory framework
  10. enforcement and penalties

federal aml/cft architecture

The UAE’s AML/CFT framework for virtual asset service providers operates at the federal level, applying uniformly across all UAE jurisdictions regardless of the specific regulatory authority that licenses the VASP. This federal approach ensures that AML/CFT standards cannot be avoided through jurisdictional selection — a critical design feature given the UAE’s multi-authority regulatory architecture.

The framework is anchored by Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations, as amended. The implementing regulations and Cabinet resolutions provide operational detail, and individual regulatory authorities (SCA, CBUAE, VARA, ADGM FSRA, DFSA) issue supplementary guidance specific to their supervised entities.

The federal AML/CFT framework was a central element of the UAE’s remediation program during the FATF grey list period (March 2022 - February 2024). The comprehensive application of AML/CFT requirements to VASPs across all jurisdictions was specifically cited by the FATF as evidence of effective implementation of Recommendation 15.

federal decree-law no. 20 of 2018

Federal Decree-Law No. 20 of 2018 establishes the primary legislative framework for AML/CFT in the UAE. The law applies to all “financial institutions” and “designated non-financial businesses and professions” (DNFBPs), with VASPs explicitly included within the scope of regulated entities.

Key provisions relevant to VASPs include the risk-based approach mandate requiring VASPs to assess and manage their ML/TF risks, CDD requirements for customer identification and verification, enhanced due diligence for higher-risk customers and transactions, STR obligations for reporting suspicious transactions to the UAE FIU, record-keeping requirements for maintaining transaction and CDD records, and internal controls requirements including compliance officer appointment, staff training, and independent audit.

The law establishes criminal penalties for ML/TF violations including imprisonment and fines, alongside administrative sanctions that may be imposed by supervisory authorities.

customer due diligence requirements

VASPs must conduct customer due diligence before establishing a business relationship or conducting a transaction. CDD requirements include identity verification using reliable, independent source documents, data, or information. Identification and verification of the beneficial owners of legal entities and arrangements. Assessment of the purpose and intended nature of the business relationship. Ongoing due diligence including monitoring of transactions conducted throughout the business relationship.

Enhanced due diligence (EDD) is required for higher-risk scenarios including politically exposed persons, customers from high-risk jurisdictions, complex or unusually large transactions, and business relationships involving jurisdictions with inadequate AML/CFT frameworks.

For virtual asset transactions, CDD requirements extend to both the originator and beneficiary of transfers, consistent with the FATF Travel Rule. The pseudonymous nature of blockchain transactions creates specific challenges for CDD implementation that VASPs must address through a combination of on-chain analytics, off-chain verification processes, and technology solutions.

ongoing monitoring obligations

VASPs must maintain ongoing monitoring programs that include transaction monitoring to detect unusual or suspicious patterns, periodic review of customer risk profiles, screening against sanctions and adverse media sources, and monitoring of customer transactions for consistency with stated business purpose.

Transaction monitoring for VASPs must accommodate the specific characteristics of virtual asset transactions including the speed and volume of blockchain transactions, the potential for structuring (breaking transactions into smaller amounts to avoid thresholds), the use of mixing services, privacy coins, and other obfuscation techniques, and cross-chain transfers that may be designed to reduce traceability.

suspicious transaction reporting

VASPs must report suspicious transactions to the UAE Financial Intelligence Unit through the goAML system. STR obligations are triggered when a VASP suspects or has reasonable grounds to suspect that a transaction involves proceeds of crime, is intended for ML/TF purposes, or is otherwise suspicious based on the VASP’s knowledge of the customer and the nature of the transaction.

STR filing is mandatory and must be completed promptly upon identification of suspicious activity. VASPs are prohibited from disclosing to the customer or any third party that an STR has been filed (tipping-off prohibition). The UAE FIU analyzes STR filings and disseminates intelligence to law enforcement and other relevant authorities.

travel rule implementation

The FATF Travel Rule (Recommendation 16) requires VASPs to obtain, hold, and transmit originator and beneficiary information for virtual asset transfers. The UAE has implemented the Travel Rule across all jurisdictions, with each regulatory authority issuing specific guidance on implementation.

Travel Rule requirements apply to virtual asset transfers above applicable thresholds. Required information includes the originator’s name, account number (or virtual asset wallet address), and physical address or national identity number, and the beneficiary’s name and account number (or virtual asset wallet address).

Travel Rule implementation presents technical challenges due to the lack of standardized messaging protocols for virtual asset transfers. VASPs must implement Travel Rule compliance solutions that enable the transmission and receipt of required information, while ensuring data security and privacy compliance.

sanctions compliance

VASPs must screen customers, transactions, and counterparties against applicable sanctions lists including the UAE’s domestic sanctions list, United Nations Security Council sanctions, and other applicable international sanctions lists. The Executive Office for Control and Non-Proliferation (EOCN) coordinates the UAE’s sanctions compliance framework.

Sanctions screening for virtual asset transactions requires real-time screening of wallet addresses against known sanctioned addresses, monitoring for interaction with sanctioned entities or jurisdictions, and procedures for blocking or rejecting sanctioned transactions.

record-keeping requirements

VASPs must maintain records of all CDD documentation and transaction records for a minimum of five years following the end of the business relationship or the date of the transaction. Records must be sufficient to permit reconstruction of individual transactions and must be made available to supervisory authorities and the UAE FIU upon request.

supervisory framework

AML/CFT supervision of VASPs is conducted by the relevant licensing authority: SCA for onshore VASPs, VARA for Dubai VASPs, ADGM FSRA for ADGM VASPs, and DFSA for DIFC VASPs. The CBUAE conducts complementary supervision of banks and financial institutions providing services to VASPs.

Supervisory activities include on-site and off-site assessments of AML/CFT program adequacy, thematic reviews focused on specific AML/CFT risk areas, enforcement actions for identified deficiencies, and coordination with the UAE FIU and law enforcement on financial crime matters.

enforcement and penalties

Non-compliance with AML/CFT requirements can result in administrative sanctions including fines and license restrictions, criminal prosecution under Federal Decree-Law No. 20, reputational damage through public enforcement disclosures, and enhanced supervisory scrutiny.

The severity of enforcement action is calibrated to the nature and extent of the non-compliance, the harm caused or risked, and the firm’s cooperation with supervisory and investigative authorities.

For official AML/CFT guidance, consult the relevant regulatory authority and the UAE FIU. For international standards, visit FATF.

Advertisement
aml-cftfederalcompliancetravel-rule
Related Articles
fatf grey list removal: impact on uae tokenization regulation
Advertisement
Network Intelligence

Institutional Access

Coming Soon