VARA Sets A Board Test For VASP Risk Reviews

Dubai’s Virtual Assets Regulatory Authority has issued AML/CFT business risk assessment guidance that turns a compliance document into a supervisory test for licensed virtual asset service providers.

The guidance draws on VARA’s 2026 BRA thematic review and describes what the regulator considers stronger practice across governance, methodology, evidence and control decisions.

The document says licensed VASPs must conduct and maintain an AML/CFT business risk assessment under Rule III.D of the VARA Compliance and Risk Management Rulebook.

VARA says the assessment must be reviewed at intervals of no longer than three months and updated when significant changes occur in the areas listed in the rulebook.

The regulator is not treating the BRA as a static filing.

VARA says VASPs must be able to show that risk-assessment outcomes inform AML/CFT policies, procedures, systems, controls and the prioritisation of resources.

That standard links the written assessment to daily control decisions, rather than leaving it as a standalone compliance artifact.

Senior Managers Must Challenge Residual Risk

VARA identifies board engagement as one of the strongest indicators of maturity.

The regulator describes stronger practice as formal sign-off from the governing body, a recorded approval date and evidence that directors or equivalent decision-makers tested the conclusions before accepting them.

The guidance keeps the money laundering reporting officer at the center of preparation and maintenance, but it separates MLRO ownership from board accountability.

VARA says board review should test remaining risk conclusions, assumptions about controls and whether the risk-appetite framework is strong enough for the business model.

The guidance also points VASPs toward a three-lines-of-defence model.

Compliance and the MLRO prepare the assessment, a risk function or board provides independent challenge, and internal audit validates the methodology and the assumptions behind control ratings.

Where internal audit capacity is limited, VARA says an independent external party may perform that role on a risk-based cycle.

VARA also describes escalation as part of the governance design.

Adverse inspection findings, new financial-crime patterns or changes to the UAE sanctions environment should move to the board and trigger an updated assessment, rather than waiting for the next scheduled review.

Evidence Must Drive Scoring And Updates

VARA’s review methodology covered governance, scope, data sources, inherent risk categories, proliferation-financing treatment, control effectiveness, operational use and review cycles.

The regulator also examined how VASPs integrate quantitative evidence into risk scoring, treat proliferation financing as a distinct risk category and translate findings into operational AML/CFT decisions.

The guidance says a BRA should map the whole licensed footprint: each legal entity in the group, each VARA-approved activity, each product line and each jurisdiction where the firm operates or serves clients.

For international groups, the UAE assessment should explain the relationship between group-wide controls and the local entity’s risk profile.

VARA also asks firms to document how risk categories are scored, how control effectiveness is rated, how inherent risk and controls produce residual risk, and how category ratings are aggregated into an overall position.

The methodology has to be repeatable enough for later review cycles and clear enough for independent validation.

Licensed firms now have a clear supervisory checklist: board approval, evidence-backed scoring, a separate proliferation-financing analysis, independent validation and an update cycle that changes when the risk environment changes.