VARA Mandates Quarterly AML Risk Reviews: What VASPs Must Do Before Q2 2026

The Virtual Assets Regulatory Authority (VARA) has announced a new regulation requiring all Virtual Asset Service Providers (VASPs) licensed by the authority to undertake quarterly Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) risk-assessment procedures. The compliance deadline is Q2 2026, and the quarterly cadence is a significant increase from the previous annual review standard.

VARA stated that the quarterly review mandate is intended to enhance Dubai’s regulatory framework for virtual assets. It is meant to ensure that companies actively address financial crime risks by having their Business Risk Assessment (BRA) programs reviewed independently, incorporating new risks, and making use of sophisticated monitoring tools.

Key Requirements of the Quarterly Review Mandate

Effective immediately, VASPs must:

  • Conduct Quarterly AML/CFT Reviews: BRA programs must be reviewed and updated every three months. Findings and mitigation plans should be submitted to VARA.
  • Incorporate Emerging Risks: The risk assessments should cover AI misuse, proliferation financing, exposure to sanctions, and new virtual asset products.
  • Maintain Board-Approved Methodologies: All risk scoring, weighting, and mitigation measures should be documented, version-controlled, and board-approved.

VARA’s directive makes clear that risk frameworks must be dynamic, data-driven, and continuously updated to remain effective in a fast-evolving virtual asset ecosystem.

Why Quarterly Reviews Are Essential

VARA inspections in 2024–25 revealed gaps in AML/CFT frameworks across several VASPs. Common issues included:

  • Obsolete risk assessments that were out of step with the current market and technology.
  • Inconsistent documentation and internal controls.
  • Limited board oversight or formal approval of risk methodologies.

Quarterly BRA reviews help firms:

  • Identify emerging risks promptly.
  • Maintain transparent, verifiable records for regulator audits.
  • Respond quickly to regulatory updates and global financial crime trends.

VARA emphasizes that BRA reviews should be conducted on a continuous basis to remain effective, and that risk management has to become a real-time process rather than a one-off activity.

Compliance Requirements Ahead of the Q2 2026 Deadline

  1. Review Existing BRA Frameworks: Ensure that every type of risk, including AI misuse, adherence to sanctions, and proliferation financing, is considered.
  2. Update Risk Scoring and Weighting: Assign definite scores and weightings to the risks, and record the reasoning behind them to show that the risks were managed in a structured manner.
  3. Schedule Quarterly Reviews: Create a regular schedule or calendar, revise the BRA quarterly, and track mitigation measures approved by the board.
  4. Integrate External Risk Data: Incorporate input from national risk assessments, industry reports, and international regulatory developments.
  5. Maintain Detailed Documentation: An audit trail is required, kept through version-controlled records, board approvals, and internal notes.
  6. Train Compliance Teams: Ensure staff understand BRA methodology and quarterly review procedures to prevent inconsistencies or errors.

Strategic and Operational Implications

The transition to quarterly reviews adds to the compliance workload of VASPs, necessitating more resources, staff, and supervision. Some analysts have pointed out that small VASPs might have difficulty complying with the new requirements, and this may influence market forces.

Industry experts suggest that technology, including AI-powered monitoring tools, may support more efficient risk assessment processes. These tools are used to continuously track transactions, screen clients, and flag indications of suspicious activity, which helps keep the BRA and regulatory reporting up to date.

The Takeaways

VARA’s quarterly AML review mandate reinforces Dubai’s commitment to robust, proactive virtual asset regulation. To remain compliant, VASPs must:

  • Conduct data-driven, quarterly BRA updates with formal board approvals.
  • Consider new risks, such as AI misuse, sanctions, and new virtual asset products.
  • Maintain a clear and verifiable audit trail for regulatory checks.

Firms that implement the quarterly review framework as outlined may better align with regulatory expectations, according to compliance experts.

Keepers Compliance provides VASPs with professional consultancy to meet VARA's changing requirements, including assistance with AML/CFT program development, BRA-AI integration, and continuous compliance monitoring. Professional support may assist businesses in aligning their risk management processes with regulatory expectations and with the Q2 2026 deadline.
