Proxima Eight FZE LLC
Business Centre, Sharjah Publishing City Free Zone, Sharjah, United Arab Emirates
Business Centre, Sharjah Publishing City Free Zone, Sharjah, United Arab Emirates
Close
AML/CTF Compliance Framework for Virtual Asset Businesses in UAE
Under UAE Federal Decree-Law No. 10 of 2025, VASPs are now held to the same AML, CFT, and counter-proliferation financing standards as conventional financial institutions. We design and implement the compliance framework that satisfies both federal law and your regulator's specific requirements.
9+ Years of Compliance Expertise
End-to-End Execution
The Legal Foundation: What Changed in 2025
UAE Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing entered into force on 14 October 2025, replacing Federal Law No. 20 of 2018. Cabinet Resolution No. 134 of 2025 (the implementing executive regulations) entered into force on 14 December 2025.
Key changes for VASPs:
Key changes for VASPs:
- VASPs are now explicitly regulated at the same standard as conventional financial institutions - no more lighter-touch regime
- Counter-Proliferation Financing (CPF) is now a mandatory pillar alongside AML and CTF - new obligation not in the 2018 law
- Senior management bears explicit personal responsibility for AML-CFT-CPF compliance
- New offence: misuse of accounts - individuals allowing third parties to exploit accounts are criminally liable
- FIU powers expanded: can suspend transactions for up to 10 working days, freeze funds for up to 30 days
- Record-keeping obligation: minimum 5 years after end of business relationship or transaction completion
Source: UAE Federal Decree-Law No. 10 of 2025 (effective 14 October 2025); Cabinet Resolution No. 134 of 2025 (effective 14 December 2025); Al Tamimi & Company AML Framework analysis March 2026.
The Two-Layer Framework: Federal + Regulator
UAE virtual asset businesses operate under two simultaneous AML frameworks. Both must be satisfied:
-
Federal — Federal Decree-Law No. 10 of 2025 + Cabinet Resolution No. 134 of 2025Baseline AML/CFT/CPF obligations applying to all VASPs in the UAE regardless of which regulator licenses them - Regulator-specific — VARA, ADGM/FSRA, CMA, DFSAAdditional requirements specific to your licensing authority — e.g. VARA's Compliance and Risk Management Rulebook, VARA January 2026 circular on high-risk jurisdictions
Compliance with one layer does not substitute for the other. A VARA-licensed VASP must comply with both VARA's Rulebook and the federal AML law — whichever sets the higher standard applies.
Core AML Framework Components
MLRO Appointment
Every regulated VASP must appoint a Money Laundering Reporting Officer (MLRO) with a minimum of 2 years' experience in AML/CFT compliance. The MLRO bears legal responsibility for the firm's AML programme and is the primary contact with the UAE Financial Intelligence Unit (FIU). Under VARA requirements, the MLRO must be a UAE resident.
Business Risk Assessment (BRA)
A documented ML/TF/PF Business Risk Assessment identifying and assessing risk exposure from the firm's virtual asset activities — by product, client type, geography, delivery channel, and transaction size. Must be reviewed and updated annually or upon material changes.
AML/CTF Policies and Procedures
Comprehensive written policies aligned with UAE Federal Decree-Law No. 10 of 2025, VARA Compliance and Risk Management Rulebook, and FATF Recommendations for virtual assets. Policies must cover:
Customer Acceptance Policy
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures
Ongoing monitoring and periodic review
Suspicious Activity Reporting (SAR) and Suspicious Transaction Reporting (STR) procedures
Sanctions screening and PEP identification
Travel Rule implementation
Counter-Proliferation Financing (CPF) controls — mandatory under 2025 law
Record-keeping procedures (minimum 5 years)
Customer Acceptance Policy
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures
Ongoing monitoring and periodic review
Suspicious Activity Reporting (SAR) and Suspicious Transaction Reporting (STR) procedures
Sanctions screening and PEP identification
Travel Rule implementation
Counter-Proliferation Financing (CPF) controls — mandatory under 2025 law
Record-keeping procedures (minimum 5 years)
Customer Due Diligence (CDD)
Risk-based CDD applied to all clients before establishing a business relationship or executing a transaction:
Identity verification — individual or entity
Ultimate Beneficial Owner (UBO) identification — 25% ownership threshold
Source of funds verification
PEP screening — domestic and foreign politically exposed persons
Sanctions screening — UAE local lists, OFAC, EU, UN sanctions
Enhanced Due Diligence (EDD) for high-risk clients and high-risk jurisdictions
Ongoing monitoring and periodic review of client risk profiles
Identity verification — individual or entity
Ultimate Beneficial Owner (UBO) identification — 25% ownership threshold
Source of funds verification
PEP screening — domestic and foreign politically exposed persons
Sanctions screening — UAE local lists, OFAC, EU, UN sanctions
Enhanced Due Diligence (EDD) for high-risk clients and high-risk jurisdictions
Ongoing monitoring and periodic review of client risk profiles
Transaction Monitoring
Continuous, real-time monitoring of all transactions. Wire transfers and virtual asset transactions exceeding AED 3,500 require full originator and beneficiary details. Automated red flag detection for:
Structuring and smurfing patterns
High-risk wallet addresses (mixers, darknet markets, sanctions-linked wallets)
Unusual volume, frequency, or geographic patterns
Transactions involving high-risk jurisdictions (FATF grey/black lists)
Structuring and smurfing patterns
High-risk wallet addresses (mixers, darknet markets, sanctions-linked wallets)
Unusual volume, frequency, or geographic patterns
Transactions involving high-risk jurisdictions (FATF grey/black lists)
Blockchain Analytics
All UAE VASPs are expected to deploy blockchain analytics tools for wallet screening and transaction monitoring. Standard tools accepted by VARA and ADGM/FSRA:
Chainalysis — industry standard, VARA-referenced in guidance
Elliptic — widely used, integrated with major exchanges
TRM Labs — strong for institutional and DeFi-facing businesses
Crystal (BitRank) — popular for smaller VASPs
Chainalysis — industry standard, VARA-referenced in guidance
Elliptic — widely used, integrated with major exchanges
TRM Labs — strong for institutional and DeFi-facing businesses
Crystal (BitRank) — popular for smaller VASPs
goAML Registration and Reporting
Registration on the UAE FIU's goAML platform is mandatory for all regulated VASPs regardless of size or activity level. Failure to register is treated as an automatic internal controls failure by inspectors. STRs must be submitted immediately upon forming a suspicion — no delay is permitted.
Staff Training
Ongoing, role-based AML training is a compulsory obligation — not a one-time exercise. The CBUAE's October 2025 best practices guidance establishes a role-based training framework. Generic annual e-learning delivered uniformly to all staff is unlikely to satisfy an inspector. Training must be documented with logs available for inspection.
What We Build for You
- Regulatory-ready documentationAll documentation formatted for VARA, ADGM/FSRA, or CMA review as part of licensing application or supervisory inspection
- AML/CTF/CPF Policy SuiteComplete policy framework: customer acceptance policy, CDD/EDD procedures, sanctions screening, STR procedures, Travel Rule policy, record-keeping, CPF controls
- Travel Rule implementationSolution selection (Notabene, Sygna, TRP), policy for non-compliant counterparties, sunrise issue protocol
- Business Risk AssessmentDocumented ML/TF/PF BRA aligned with your activity categories, client types, geographies, and products
- Training programmeRole-based AML training designed for your team: compliance officers, relationship managers, front-line operations
- CDD ProceduresCustomer onboarding workflows, UBO identification procedures, risk-based CDD tiers, EDD triggers, ongoing monitoring schedule
- Blockchain analytics integrationTool selection and integration: Chainalysis, Elliptic, TRM Labs, or Crystal — matched to your transaction profile and budget
- goAML registration and setupFIU registration, STR/SAR reporting procedures, first-report preparation
Frequently Asked Questions
Federal Decree-Law No. 10 of 2025 (effective October 2025) and its executive regulations (Cabinet Resolution No. 134 of 2025, effective December 2025) replace the 2018 AML law. For VASPs specifically: you are now formally held to the same standards as banks and financial institutions, with explicit CPF obligations, mandatory goAML reporting, 5-year record retention, and real-time transaction monitoring requirements.
For a standard VASP licence application: 4–6 weeks for a complete AML policy suite and BRA. More complex models (multi-activity, cross-border, DeFi-adjacent) take longer. We run the AML build in parallel with the entity setup phase to avoid delays in the overall licensing timeline.
Under VARA requirements, the MLRO must be a UAE resident. The role can be filled by a dedicated employee or by an outsourced MLRO-as-a-Service provider — provided the individual meets the fit-and-proper and experience requirements and is genuinely accountable for the compliance programme. See our MLRO-as-a-Service page for details.
VARA supervisory inspections assess effectiveness, not just documentation. Inspectors look for: evidence that policies are actually followed, documented training records, functioning transaction monitoring systems, goAML registration and STR logs, and calibrated risk assessments. Paper frameworks with no operational evidence will fail.
Related
Start Your AML/CTF Compliance Process
By submitting this form, I acknowledge that I have read and agree to the Privacy Policy, and I consent to the processing of my personal data.
Please note: We do not provide any personalized investment advice, token selection guidance, or transaction recommendations. AMLzone is a compliance consultancy and project management services provider, not a Virtual Asset Advisor.
Please note: We do not provide any personalized investment advice, token selection guidance, or transaction recommendations. AMLzone is a compliance consultancy and project management services provider, not a Virtual Asset Advisor.