Anti-Money Laundering (AML)
Anti-Money Laundering (AML) refers to the laws, regulations, procedures, and controls designed to prevent the use of financial systems — including virtual asset networks — for money laundering, terrorist financing, and proliferation financing. In the UAE context, AML compliance for VASPs operates under a multi-layered framework spanning federal law, regulator-specific rules, and international standards.
Legal Framework
Federal Law: UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations establishes the national AML/CFT framework. Cabinet Decision No. 10 of 2019 provides implementing regulations.
Regulator Rules: VARA issues VA-specific AML circulars (March 2026 AML/CFT/CPF circular). ADGM-FSRA applies its AML Rules. DFSA applies its AML module.
International Standards: The FATF Recommendations, particularly Recommendation 15 (virtual assets) and Recommendation 16 (travel rule), provide the international baseline. The UAE’s FATF grey list exit in February 2024 reflects strengthened AML/CFT implementation.
AML Program Components
A compliant AML program for UAE VASPs includes governance and oversight (board accountability, MLRO appointment), enterprise-wide risk assessment, KYC/CDD procedures, transaction monitoring (using blockchain analytics from Chainalysis, Elliptic, Crystal Blockchain), sanctions screening, suspicious transaction reporting through goAML, travel rule compliance, record keeping, and staff training.
Each component serves a specific function within the overall AML framework:
Governance and Oversight: The board of directors bears ultimate responsibility for AML compliance. UAE regulators expect board-level accountability through appointment of a Money Laundering Reporting Officer (MLRO) with direct board reporting lines, regular board reporting on AML program status, and board approval of the enterprise-wide risk assessment and AML policies.
Enterprise-Wide Risk Assessment (EWRA): The EWRA identifies and assesses the money laundering, terrorist financing, and proliferation financing risks specific to the VASP’s business model, customer base, product offerings, geographic exposure, and delivery channels. The EWRA informs the calibration of all other AML program components. UAE regulators expect the EWRA to be updated at least annually and whenever material changes occur in the business or risk environment.
Transaction Monitoring: Licensed VASPs must implement systems capable of identifying transactions that are unusual, suspicious, or inconsistent with the customer’s known profile and expected activity. For virtual asset firms, this requires both traditional transaction monitoring (fiat currency flows, customer behavior patterns) and blockchain-specific monitoring (on-chain transaction tracing using platforms such as Chainalysis, Elliptic, or Crystal Blockchain). Our transaction monitoring guide covers implementation details.
Suspicious Transaction Reporting: When monitoring identifies a transaction that is suspicious or that the VASP has reasonable grounds to suspect involves proceeds of crime, terrorist financing, or proliferation financing, the VASP must file a suspicious transaction report through the goAML portal operated by the UAE Financial Intelligence Unit. The reporting obligation is absolute — it cannot be overridden by customer confidentiality or other considerations. See our STR workflow guide.
Record Keeping: UAE AML law requires VASPs to maintain records of customer identification documents, transaction records, and AML program documentation for a minimum period specified by the applicable regulator. Records must be maintained in a format accessible to regulators upon request and must support audit preparation.
For the complete AML program design framework, see our AML program design guide.
The UAE’s FATF Grey List Experience
The UAE’s placement on the FATF’s increased monitoring list and subsequent removal in February 2024 has had a direct impact on AML regulatory expectations for VASPs. During the grey list period, UAE regulators intensified AML enforcement and supervisory activity to demonstrate progress to the FATF. Following the exit, regulators have maintained the elevated compliance standards established during the grey list period.
For VASPs, this means that UAE AML expectations are calibrated at a level significantly above the minimum FATF standards. The regulatory circulars issued by VARA in early 2026 — including the March 2026 AML/CFT/CPF circular, the February 2026 travel rule circular, and the January 2026 FATF high-risk jurisdictions circular — reflect this elevated standard.
Enforcement Context
AML compliance failure is the most serious regulatory breach for licensed VASPs. The Morpheus Software (Fuze) case — the only published VARA enforcement action citing AML programme control failures — resulted in cease-and-desist orders, financial penalties, and appointment of a skilled person.
The Morpheus case involved three categories of violation: AML programme control failures (governance, compliance, and internal systems), engaging in unlicensed VA activities, and failure to disclose material information to the regulator. The skilled person appointment — a measure not applied in any other published enforcement action — demonstrates the severity with which VARA treats AML programme deficiencies.
For the full enforcement landscape, see the enforcement action dashboard and enforcement analysis. For maintaining ongoing compliance, see the compliance calendar.
Related Terms
For regulatory context, visit UAE Tokenization Regulations and Dubai Tokenisation.