Anti-money laundering (AML) and counter-financing of terrorism (CFT) compliance is the single largest operational burden on UAE crypto businesses. It is also the area where regulatory enforcement is most active. A licensed exchange can be technically perfect, commercially successful, and still face supervisory action if its AML controls fail in practice.
The UAE’s removal from the FATF grey list in early 2024 reflected substantial improvement in the country’s AML framework. The standards have continued to tighten since then, with Federal Decree-Law No. 10 of 2025 on Combating Money Laundering further strengthening the regime. This guide sets out what UAE crypto businesses need in their AML programs.
The legal framework
The principal AML and CFT legislation in the UAE consists of Federal Decree-Law No. 20 of 2018 on Combating Money Laundering and the Financing of Terrorism and Illegal Organisations, as amended by Federal Decree-Law No. 10 of 2025, and the associated Cabinet decisions including Cabinet Decision No. 10 of 2019 and Cabinet Decision No. 74 of 2020 on terrorism lists.
For VARA-licensed entities, AML and CFT requirements are also embedded in the Compulsory Rulebook on AML and the Compulsory Rulebook on Combatting Financing of Terrorism, alongside the activity-based rulebooks. For DFSA-licensed entities, the DFSA AML Module applies. For FSRA-licensed entities, the FSRA’s AML rules and guidance apply.
All three frameworks are aligned with the standards of the Financial Action Task Force (FATF), particularly Recommendation 15 on virtual assets and virtual asset service providers, and the associated FATF guidance. UAE supervision has converged on the FATF standards, which means that international best practice is also the local benchmark.
Customer due diligence and KYC
Customer due diligence (CDD) is the foundation of every AML program. UAE crypto businesses must implement CDD that identifies and verifies the customer, identifies and verifies the ultimate beneficial owner (where the customer is a legal entity), understands the purpose and intended nature of the relationship, and conducts ongoing monitoring of the relationship.
Enhanced due diligence (EDD) applies in higher-risk situations: politically exposed persons, customers from high-risk jurisdictions, customers with complex ownership structures, and customers whose activity is inconsistent with their stated profile. EDD involves more detailed documentation, more frequent review, and senior management approval.
Simplified due diligence is available in genuinely low-risk situations but must be justified and documented. The risk-based approach requires the firm to know its customers in proportion to the risk, not to apply a one-size-fits-all standard.
The Travel Rule applies to virtual asset transfers above the prescribed threshold. UAE crypto businesses must collect and transmit beneficiary information for relevant transfers, in line with FATF Recommendation 16 as adapted for virtual assets.
Transaction monitoring and surveillance
Static rule-based transaction monitoring is no longer sufficient under VARA’s 2025 Rulebook 2.0. Crypto businesses must implement dynamic, behaviour-based monitoring that incorporates both on-chain and off-chain signals into a unified picture of client behaviour.
Effective monitoring identifies typologies like structuring (breaking large transactions into smaller ones to avoid reporting thresholds), layering (rapid movement of funds across multiple wallets to obscure origin), placement (introducing illicit funds into the system through nominally legitimate transactions), and integration (returning laundered funds to the legitimate economy).
Crypto-specific typologies require crypto-specific monitoring: use of mixers, transactions involving sanctioned addresses, transactions involving wallets associated with known fraud or theft, and patterns consistent with ransom payments or sanctions evasion. Tools from Chainalysis, TRM Labs, Elliptic, and similar providers are now standard in UAE crypto AML programs.
Suspicious Transaction Reports and goAML
Suspicious Transaction Reports (STRs) must be filed through the UAE’s goAML portal, which is operated by the Financial Intelligence Unit (FIU). An STR is required whenever the firm has reasonable grounds to suspect that a transaction is connected to money laundering, terrorism financing, or other predicate offences.
The standard is reasonable suspicion, not certainty. Firms that wait for certainty before reporting are likely to be in breach. Firms that report defensively without genuine suspicion swamp the FIU and reduce the effectiveness of the regime. The judgment is professional, documented, and subject to supervisory review.
STRs must be filed promptly, with full supporting documentation. Late STRs, incomplete STRs, and STRs lacking analytical substance are all common findings in supervisory examinations. The expectation under the 2025 framework is that STRs are filed quickly, completely, and with analytical quality that supports the FIU’s downstream investigations.
Sanctions compliance
UAE crypto businesses must screen against the UAE local terrorist list (maintained under Cabinet Decision No. 74 of 2020) and the UN Security Council consolidated sanctions list. International sanctions regimes including OFAC, EU, and UK sanctions are also relevant in practice, particularly for businesses with international counterparties or correspondent banking relationships.
Sanctions screening covers customers, ultimate beneficial owners, transaction counterparties, and wallet addresses linked to sanctioned entities. The screening must be conducted at onboarding, on an ongoing basis, and before specific transactions. Tools that screen blockchain addresses against known sanctioned wallets are now standard.
Hits require investigation and, where confirmed, blocking of the relevant transaction and STR filing. Sanctions breaches are among the most serious AML violations and carry significant supervisory and reputational consequences.
Governance and the MLRO function
Every UAE crypto business must appoint a Money Laundering Reporting Officer (MLRO), a senior officer with documented authority to oversee the AML program and file STRs without business interference. The MLRO must be fit and proper, with appropriate qualifications and experience, and must be approved by the regulator.
The board and senior management have clear governance responsibilities for the AML program. They must approve the firm’s AML policies, ensure adequate resources for the AML function, and respond to MLRO escalations. Governance failures, including senior management interference with the MLRO, are among the most serious AML compliance breaches.
Frequently Asked Questions
What AML laws apply to UAE crypto businesses?
The principal legislation is Federal Decree-Law No. 20 of 2018, as amended by Federal Decree-Law No. 10 of 2025, on Combating Money Laundering and the Financing of Terrorism. Additional requirements apply under the VARA Compulsory Rulebooks, the DFSA AML Module, the FSRA AML rules, and aligned FATF standards. The framework is detailed and continuously updated.
What is goAML and when do I have to file an STR?
goAML is the UAE Financial Intelligence Unit’s electronic reporting platform for Suspicious Transaction Reports. An STR must be filed whenever a UAE crypto business has reasonable grounds to suspect that a transaction is connected to money laundering, terrorism financing, or predicate offences. The standard is reasonable suspicion rather than certainty, and STRs must be filed promptly with full supporting documentation.
Does the Travel Rule apply to UAE crypto businesses?
Yes. UAE crypto businesses must collect and transmit beneficiary information for virtual asset transfers above the prescribed threshold, in line with FATF Recommendation 16 as adapted for virtual assets. The Travel Rule applies to transfers between licensed VASPs and creates compliance challenges where the counterparty VASP is in a jurisdiction with weaker implementation.
Who needs to be the MLRO of a UAE crypto business?
The MLRO must be a senior officer of the firm with documented authority to oversee the AML program and file STRs without business interference. The MLRO must be fit and proper, with appropriate qualifications and experience, and must be approved by the relevant regulator (VARA, DFSA, or FSRA). The MLRO function cannot be outsourced wholly to a third party, though external consultants can support the role.
What happens if a UAE crypto business has weak AML controls?
Consequences include supervisory action by the relevant regulator (warnings, fines, conditions on the licence, suspension of activities, or licence revocation), referral for criminal prosecution where breaches are serious or wilful, personal liability for the MLRO and senior management, civil claims from affected customers, and effective inability to maintain banking relationships. AML failures are the most common cause of serious supervisory action against UAE crypto businesses.
Is the UAE still on the FATF grey list?
No. The UAE was removed from the FATF grey list in February 2024 in recognition of substantial improvements to its AML and CFT framework. The standards have continued to tighten since the removal, particularly with Federal Decree-Law No. 10 of 2025. UAE crypto businesses are now expected to meet international best practice standards on AML and CFT, not just to satisfy minimum local requirements.
Speak to Lexorium Legal Consultancy
Lexorium Legal Consultancy advises UAE crypto businesses on AML and CFT compliance, including policy design, MLRO function support, transaction monitoring implementation, STR preparation, sanctions screening, and response to supervisory enquiries and enforcement action.
Whether you are building an AML program from scratch, responding to a supervisory finding, or facing an enforcement enquiry, get in touch with Lexorium Legal Consultancy for specialist advice grounded in UAE regulatory practice.