TL;DR
VASPs in the UAE must run full FATF-aligned AML/CFT programs under oversight from the CBUAE, SCA, and VARA. Core obligations include appointing a Compliance Officer and MLRO, applying a risk-based approach, performing CDD/EDD with PEP screening, continuous transaction monitoring, and implementing the Travel Rule for transfers. Non-compliance risks fines, licence action and potential criminal liability.
This guide explains what to implement, how to document it and how to stay audit-ready in the UAE.
As the landscape of virtual assets continues to evolve, it presents an increasing challenge to regulators and law enforcement in ensuring financial transparency and accountability. Similar to traditional financial institutions such as banks and payment service providers (PSPs), VASPs facilitate cross-border transactions, thus creating risks of unmonitored movement of illicit funds.
Moreover, the decentralized and anonymous nature of virtual assets poses challenges in tracking the flow of funds. This, in turn, increases the risk that criminals will exploit virtual assets (VAs) to move or store illicit funds.
Without proper anti-money laundering (AML) controls, VAs can be used for illegal activities such as money laundering, terrorist financing, drug trafficking, cybercrime, and fraud. AML compliance plays a crucial role in mitigating these risks by implementing controls to detect and report suspicious activities.
AML Compliance for VASPs in the UAE
In the UAE, AML and CFT rules and regulations are established at the federal level. Additionally, both federal and local supervisory authorities – such as the UAE Central Bank, the SCA, and the VARA – have the authority to issue rules and guidance that impose further requirements on VASPs.
While additional requirements may be imposed under specific regulatory regimes, the global approach to anti-money laundering and counter-terrorist financing remains consistent. The decentralized nature of virtual asset transactions and the lack of effective AML/CFT controls create opportunities for the misuse of virtual assets for money laundering purposes.
In response to this challenge, there is a globally accepted approach primarily guided by recommendations and guidance from the Financial Action Task Force (FATF).
This approach dictates that VASPs must be regulated for anti-money laundering/counter-terrorist financing purposes, be licensed or registered, and be subject to effective systems for monitoring or supervision (FATF Recommendation 15).
The AML/CFT obligations imposed on VASPs in the UAE are based on the recommendations outlined by the Financial Action Task Force (FATF) and include the following:
Developing AML/CFT Policies and Procedures
VASPs are required to implement robust AML/CFT policies that clearly outline how they will comply with the regulatory framework. These policies must cover all areas of risk management, including customer due diligence (CDD), enhanced due diligence (EDD) for higher-risk clients, and the monitoring of suspicious transactions.
The procedures should include detailed steps for identifying, reporting, and mitigating the risk of financial crimes. The policies must also include regular updates to ensure compliance with evolving regulations and guidance from regulatory authorities such as the UAE’s Financial Intelligence Unit (FIU), CBUAE and VARA.
Personnel
VASPs must appoint qualified personnel to oversee AML/CFT compliance efforts. This includes designating a Compliance Officer (CO) and Money-Laundering Reporting Officer (MLRO) responsible for ensuring that the company complies with regulatory requirements and reports suspicious activities.
Both the CO and MLRO must have expertise in AML/CFT, and preferably a background in the virtual assets space.
Their responsibilities include:
- Developing and implementing internal AML/CFT policies and procedures.
- Reviewing suspicious transactions and deciding whether to report them.
- Reporting suspicious activities and transactions to senior management and regulatory authorities.
- Building a compliance culture with well-trained staff.
- Cooperating with authorities, providing requested documents and access.
The UAE’s AML framework establishes personal liability for COs and MLROs if they fail to fulfil their specified duties. Enforcement actions against individuals may include written warnings, fines, imprisonment, and temporary bans from working in the relevant sector.
Apply a Risk-Based Approach
VASPs are required to apply a risk-based approach to their AML/CFT strategy, proportionate to the nature of their business operations and their clientele. A risk-based approach ensures that the VASP can identify, assess, and manage risks associated with VAs and ML/TF. In assessing and identifying risks, VASPs must take the following factors into consideration:
→ Customer Risks
The VASP must identify customer risk levels during due diligence and ongoing monitoring processes and apply an appropriate risk-based approach.
→ Products and Services Risks
The VASP must be aware of the risks associated with the nature of the products or services it offers.
→ Geographical Risks
The VASP must assess the risks posed by each jurisdiction in which it operates and where its customer base originates.
→ Transaction Volume and Complexity Risks
The VASP must understand customers’ expected transaction amounts during onboarding to establish an appropriate risk level based on a normal transaction pattern, allowing the company to detect suspicious or abnormal activity.
Conduct CDD
Customer Due Diligence (CDD) is essential for verifying customer identity, understanding business relationships, and assessing risk levels. VASPs operating in the UAE are required to conduct CDD in the following cases:
- During the commencement of business relationships;
- When performing incidental transactions for a customer whenever such transactions are equal to or exceed AED 55,000, whether as a single transaction or as multiple seemingly related transactions;
- When performing incidental transactions in the form of wire transfers equivalent to or exceeding AED 3,500;
- If a crime is suspected; and
- If there are doubts about the validity or adequacy of customer identification data obtained previously.
Apply Enhanced Measures for High-Risk Customers
For customers or transactions deemed high-risk, enhanced due diligence (EDD) measures should be applied to acquire additional information to scrutinize potential money laundering activities and high-risk individuals linked to such activities.
The following categories of customers may be considered high-risk from an ML/TF perspective:
- Individuals or entities associated with high-risk countries.
- Individuals or entities whose behavior or transactions raise suspicions of ML/TF.
- Customers whose behavior suggests a connection to criminal proceeds, or whose executed transactions do not align with their profile.
- Politically Exposed Persons (PEPs) and those connected to them.
If such customers are identified, the VASP must apply enhanced due diligence when serving them. EDD actions may include:
- Gather more information about the company’s ownership structure, key stakeholders, and business activities.
- Evaluate the Ultimate Beneficial Owners (UBOs) to reduce risks associated with people who own or control the entity.
- Confirm the legitimate source of wealth and funds, ensuring they are not derived from illegal activities.
- Enhance identity verification processes by adding documentation or verification methods such as selfie verification or address verification.
- Assess specific risk factors related to customers, including their location, industry, transactional behavior, and any past regulatory or legal issues.
Identify and Monitor PEPs
VASPs must have effective procedures in place to identify whether a client or beneficial owner is a Politically Exposed Person (PEP). This involves using databases, screening tools, and external sources to classify individuals as domestic or foreign PEPs, or their close associates and family members.
Since PEPs are considered higher-risk clients due to their potential involvement in corruption or misuse of funds, VASPs must take enhanced measures when onboarding and transacting with them.
For PEPs, VASPs must conduct EDD, which involves stricter scrutiny compared to regular customers. This includes:
- Identifying the Source of Funds and Wealth: VASPs must verify the source of wealth and the origin of funds used by PEPs to ensure that they are legitimate and not connected to illicit activities.
- Ongoing Monitoring: VASPs must continuously monitor transactions involving PEPs to detect any unusual or suspicious activity. This includes regular reviews of the relationship, assessing any changes in the risk profile, and identifying patterns that could indicate money laundering or terrorist financing risks.
Onboarding or maintaining a business relationship with a PEP requires approval from senior management within the VASP. This reflects the elevated risk associated with PEPs and ensures that decisions regarding these clients are made with appropriate oversight.
Follow Travel Rule
The Travel Rule, originally introduced by the FATF, requires VASPs to collect and share information about the parties involved in virtual asset transactions exceeding AED 3,500.
VASPs must gather and verify specific details about both the originator (the person sending the virtual assets) and the beneficiary (the person receiving the virtual assets).
This information typically includes:
For the Originator:
- Full name
- Account number (or a unique identifier for the virtual asset transaction)
- Physical address, national ID number, or customer identification number
- Date and place of birth (where applicable)
For the Beneficiary:
- Full name
- Account number (or a unique identifier for the virtual asset transaction)
The VASP shall retain the information of the originator and beneficiary and make it available to the competent authorities.
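The data items listed above can be checked mechanically before a transfer record is accepted. The following Python sketch is an added example, not part of the original guide or any regulator's schema: the field names, the sample records, and the assumption that amounts are already converted to AED are all hypothetical.

```python
from decimal import Decimal

# Threshold from the guide: transfers exceeding AED 3,500 are in scope.
TRAVEL_RULE_THRESHOLD_AED = Decimal("3500")

# Hypothetical field names; the guide lists data items, not a schema.
ORIGINATOR_REQUIRED = ("full_name", "account_number")
ORIGINATOR_ANY_OF = ("physical_address", "national_id", "customer_id")
BENEFICIARY_REQUIRED = ("full_name", "account_number")


def _present(party, field):
    """A field counts only if it is a non-blank string."""
    value = party.get(field)
    return isinstance(value, str) and value.strip() != ""


def travel_rule_gaps(transfer):
    """Return the missing data items; an empty list means complete or out of scope."""
    amount = Decimal(str(transfer["amount_aed"]))  # assumed already converted to AED
    if amount <= TRAVEL_RULE_THRESHOLD_AED:
        return []
    originator = transfer.get("originator") or {}
    beneficiary = transfer.get("beneficiary") or {}
    gaps = [f"originator.{f}" for f in ORIGINATOR_REQUIRED if not _present(originator, f)]
    # Address, national ID and customer ID are alternatives: one is enough.
    if not any(_present(originator, f) for f in ORIGINATOR_ANY_OF):
        gaps.append("originator.one_of(" + "|".join(ORIGINATOR_ANY_OF) + ")")
    gaps += [f"beneficiary.{f}" for f in BENEFICIARY_REQUIRED if not _present(beneficiary, f)]
    return gaps


def incomplete_transfers(transfers):
    """Map transfer id -> missing items, for transfers that need follow-up."""
    return {t["id"]: g for t in transfers if (g := travel_rule_gaps(t))}


# Constructed sample transfers (not real data).
SAMPLES = [
    {"id": "t1", "amount_aed": "3500.00", "originator": {}, "beneficiary": {}},
    {"id": "t2", "amount_aed": "12000",
     "originator": {"full_name": "A. Example", "account_number": "acct-0001",
                    "national_id": "   "},
     "beneficiary": {"full_name": "B. Example"}},
    {"id": "t3", "amount_aed": "9000",
     "originator": {"full_name": "C. Example", "account_number": "acct-0002",
                    "customer_id": "cust-77"},
     "beneficiary": {"full_name": "D. Example", "account_number": "acct-0003"}},
]

if __name__ == "__main__":
    for transfer_id, gaps in incomplete_transfers(SAMPLES).items():
        print(transfer_id, "missing:", ", ".join(gaps))
```

Date and place of birth are not enforced here because the guide marks them as "where applicable".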
Ensure Ongoing Monitoring
Ongoing monitoring is critical for detecting unusual or suspicious activity and ensuring that the customer’s profile remains accurate and updated. This includes monitoring transactions for suspicious patterns, such as:
- High volumes of small transactions.
- Transactions involving high-risk jurisdictions.
- One-off or unusually structured transactions.
VASPs must implement a robust screening process that checks all customers, beneficial owners, and related parties against relevant sanctions lists. In addition to the onboarding phase, this process should be done at regular intervals throughout the relationship.
For high-risk customers, regular reassessment of their risk profile is necessary. This allows for the timely application of enhanced measures where needed.
Suspicious Transaction Reporting
Filing Suspicious Transaction Reports (STRs) is a mandatory requirement under the UAE AML Law. VASPs, along with Financial Institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs), are required to submit an STR whenever they suspect that a transaction is suspicious.
A suspicious transaction is defined as any transaction, attempted transaction, or funds for which an obligated entity has reasonable grounds to suspect as constituting any of the following:
1. The proceeds of crime (money laundering and related predicate offenses), or financing of terrorism or illegal organizations.
2. Being related to the crimes of money laundering and related predicate offenses, the financing of terrorism, or illegal organizations.
3. Being intended to be used in an activity related to such crimes.
If a VASP identifies a suspicious transaction, it must promptly report it to the Financial Intelligence Unit (FIU). There is no specific time limit, but entities should submit the STR to the FIU immediately once the suspicious nature of the transaction is evident.
Failure to report a suspicious transaction without delay, whether intentionally or due to gross negligence, is a federal crime in the UAE. It may result in the following sanctions: imprisonment and/or a fine of no less than AED 100,000 and no more than AED 1,000,000.
It is essential to recognize that VASPs are strictly prohibited from disclosing, either directly or indirectly, to clients or any third parties, any reports, intended reports of suspicious activities, or any related information. Furthermore, they must not indicate whether an investigation is currently in progress.
This prohibition is known as the “tipping off” rule, which is designed to prevent alerting the individuals involved and potentially jeopardizing the investigation. Non-compliance with this rule will also result in sanctions.
Record-Keeping
VASPs should maintain comprehensive records of their transactions and customer data to guarantee traceability and regulatory adherence, and they should promptly furnish these records upon request by regulatory authorities. These records must be kept for a minimum of 5 years. Notably, the 5-year period is the minimum requirement at the Federal level.
However, in Financial Free Zones VASPs are obliged to retain records for 6 years and in Dubai, according to VARA’s regulations, this duration is extended to 8 years.
Ensure continuous training of staff
In addition to all the above-mentioned requirements, VASPs must ensure that their employees receive training suited to the duties of their role, provided at the beginning of their employment and on an ongoing basis.
Training programs should be customized to the VASP’s specific risk profile and operations. Employees should be regularly updated on emerging VA-related risks, new regulatory requirements, and typologies of ML/TF.
Training should be documented properly, with clear tracking of attendance and performance.
Supervisory Authorities
The main body responsible for ensuring that UAE entities follow AML compliance procedures and comply with the AML laws is the Financial Intelligence Unit (FIU) of the UAE. The FIU operates independently and diligently analyzes reports from FIs, DNFBPs, and VASPs.
It can request additional information to enhance its analysis and provide constructive feedback to strengthen anti-money laundering procedures. The FIU cooperates with other authorities, including law enforcement, exchanges valuable insights internationally, and continuously develops its capabilities through staff training and research initiatives. Under the UAE AML Law, VASPs must report suspicious transactions and information relevant to such transactions to the FIU.
If no action is taken after suspicious activity is identified, the FIU and other supervisory authorities are authorized to assess the risks of VASPs, conduct supervisory operations (including inspections) and impose administrative penalties on VASPs for violations of applicable laws and regulations.
The Executive Office for Control and Non-Proliferation (EOCN) is authorized to serve as a central authority for implementing Targeted Financial Sanctions in the UAE.
The Office has several responsibilities, including:
- receiving and processing grievances related to listings on UN and local sanction lists,
- handling applications for the use of frozen funds in accordance with the Sanctions Lists,
- distributing updates on local and UN lists to government agencies and the private sector,
- facilitating coordination and information exchange among government agencies.
GoAML Portal
The goAML portal is a key tool provided by the FIU for VASPs and other regulated entities to report suspicious transactions and activities related to AML and CFT.
All VASPs operating in the UAE are required to register with the goAML portal as part of their compliance program. The Compliance Officer designated by a VASP is the point of contact with the FIU and is responsible for submitting reports on behalf of the entity. When a VASP identifies a suspicious transaction, it submits its STR through the goAML portal.
End-to-end VASP licensing and AML you can execute.
Since 2016, NeosLegal has helped over 300 crypto ventures, exchanges, funds and Web3 teams launch and scale in the UAE by pairing legal strategy with hands-on execution. We guide founders through regulator fit and licensing across SCA, VARA, CBUAE, ADGM, and DIFC, set up corporate and governance structures, draft token issuance and disclosure documents, and prepare complete VASP applications with regulator engagement.
Our compliance team designs risk-based AML/CFT frameworks, runs gap analyses, implements Travel Rule processes, and builds ongoing monitoring, reporting and training programs your reviewers expect to see.
If you are entering the UAE or preparing for an audit, we can run a rapid AML/CFT health check and deliver a clear keep-fix-avoid plan so you build it right.
