  • Part III – Anti-Money Laundering and Combating the Financing of Terrorism

    • Introduction

      Part III of this Compliance and Risk Management Rulebook sets out requirements which aim to prevent the use of Virtual Assets and services relating to them in furtherance of illicit activities. VARA considers such illicit activities to include money laundering and the financing of terrorism, as well as proliferation financing and sanctions non-compliance.
       
    • A. Appointment and Duties of Money Laundering Reporting Officer

      1. VASPs shall appoint a Money Laundering Reporting Officer who—
       
        a. possesses at least two [2] years of experience handling AML/CFT matters; and
        b. is a Fit and Proper Person [MLRO].
        Such appointment shall be reviewed annually to ensure that the MLRO remains a Fit and Proper Person capable of discharging all relevant duties. VARA has the sole discretion to request a VASP to provide such evidence as VARA may require which shows that the above requirements are satisfied. In addition, VARA shall take into consideration any failures by an individual to comply with Part III of this Compliance and Risk Management Rulebook when assessing whether an individual is a Fit and Proper Person.
       
      2. The MLRO shall be responsible for—
       
        a. ensuring the Board and Staff are properly and adequately trained in respect of their understanding and compliance with all applicable AML/CFT laws and regulatory requirements, particularly those relevant to VA Activities;
        b. developing and implementing AML/CFT policies and procedures as required under Rule III.B of this Compliance and Risk Management Rulebook;
        c. conducting AML/CFT risk assessments in accordance with Rule III.D of this Compliance and Risk Management Rulebook and implementing all necessary changes to the VASP’s relevant policies and procedures to address such issues and risks;
        d. monitoring and reporting Suspicious Transactions in accordance with Rule III.F of this Compliance and Risk Management Rulebook;
        e. if necessary, ensuring appropriate corrective actions are taken in response to non-compliance with any Federal AML-CFT Laws;
        f. reporting to the Board on a quarterly basis on the effectiveness of the VASP’s AML/CFT policies and procedures, identifying any failures in such policies and procedures and/or any non-compliance with any Federal AML-CFT Laws;
        g. ensuring the quarterly reports required under Rule III.A.2.f of this Compliance and Risk Management Rulebook include a summary of all Anonymity-Enhanced Transactions and clients involved during that quarter; and
        h. making the reports required under Rule III.A.2.f of this Compliance and Risk Management Rulebook available to VARA on request.
       
      3. AML/CFT activities may be delegated to appropriate Entities, provided that—
       
        a. the MLRO shall continue to be held accountable for all responsibilities and obligations in relation to the implementation of the relevant policies and procedures; and
        b. all applicable requirements in the Company Rulebook, including Outsourcing management requirements, are complied with.
       
      4. Subject to relevant requirements in the Company Rulebook and if deemed appropriate by the VASP, the MLRO may hold more than one [1] non-client facing role within the VASP, provided such roles do not create conflicting duties, including but not limited to, the CO and the head of the risk function. VARA will take into account other roles held by the MLRO in determining whether the individual is a Fit and Proper Person.
       
    • B. Policies and Procedures

      1. VASPs will establish and implement policies and procedures to comply with all AML/CFT requirements and existing applicable laws, regulatory requirements and guidelines, including but not limited to—
       
        a. the Federal AML-CFT Laws;
        b. the Financial Action Task Force’s [FATF] 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers [June 2020];
        c. FATF’s Second 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers [July 2021];
        d. FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers [October 2021];
        e. the International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, The FATF Recommendations [March 2022];
        f. Cabinet Resolution No. [74] of 2020 regarding the Terrorist List System and The Implementation of Security Council Resolutions Related to Preventing and Suppressing Terrorism and its Financing, Counter of Proliferation and its Financing, and the Relevant Resolutions;
        g. the UAE Executive Office for Control & Non-Proliferation [EOCN] Guidance on Counter Proliferation Financing for FI’s, DNFPBs, and VASPs [March 2022]; and
        h. the EOCN’s Local Terrorist List, as may be amended from time to time.
       
      2. To ensure compliance with the Federal AML-CFT Laws, such policies and procedures must establish courses of action allowing VASPs to—
       
        a. refrain from opening or conducting any financial or commercial transaction under an anonymous or fictitious name or by pseudonym or number, and maintaining a relationship or providing any services to it;
        b. ensure prompt application of the directives when issued by the competent authorities in the UAE for implementing United Nations Security Council Resolutions relating to the suppression and combating of terrorism, terrorist financing and proliferation of weapons of mass destruction and its financing, and other related directives, as well as compliance with all other applicable laws, regulatory requirements and guidelines in relation to economic sanctions;
        c. notwithstanding all relevant requirements in this Compliance and Risk Management Rulebook, maintain all records, documents, and data for all transactions, whether local or international, and make this information available to VARA upon request; and
        d. ensure full compliance with any other AML/CFT requirements and applicable laws, regulatory requirements and guidelines as may be promulgated by VARA, UAE federal government bodies, FATF or the Middle East and North Africa Financial Action Task Force from time to time.
       
      3. VASPs shall establish adequate risk rules to screen clients, UBOs, Virtual Asset transactions and VA Wallet addresses to—
       
        a. identify potential illicit activities, potentially adverse information in higher risk situations [e.g. criminal history] and applicability of targeted or other international financial sanctions; and
        b. alert operation and compliance teams to impose relevant restriction and conduct further investigation.
       
      4. All policies and procedures established and implemented pursuant to Rule III.B.1 of this Compliance and Risk Management Rulebook must be attested by a competent third party and shall be submitted to VARA in the licensing process and no more than twenty-one [21] calendar days after any changes coming into effect.
       
    • C. AML/CFT Controls

      1. VASPs should have effective AML/CFT controls and systems in place which can adequately manage the AML/CFT risks relevant to their VA Activities, including the use of distributed ledger analytics tools, as well as other investigative tools or capabilities to monitor and screen transactions.
      2. In respect of any distributed ledger analytics tools used, VASPs should review and document their review of the capabilities and weaknesses of such tools and design controls to monitor clients’ interaction with their VA Activities.
      3. Information about Virtual Asset transactions and VA Wallet addresses is dynamic in nature. VASPs should review and document their review of the performance and function of any distributed ledger analytics tools used for ongoing monitoring.
      4. VASPs shall, if applicable, implement internal controls to address the FATF Report Virtual Assets Red Flags Indicators of Money Laundering and Terrorist Financing [September 2020] when designing transaction monitoring scenarios and thresholds to monitor clients’ interaction with their VA Activities.
       
    • D. Risk Assessment

      1. In implementing adequate and appropriate AML/CFT policies, procedures, and controls to detect and prevent illicit activities, VASPs must conduct AML/CFT business risk assessments.
      2. The AML/CFT business risk assessments must be designed and implemented to assist VASPs to better understand their risk exposure and areas in which they should prioritise allocation of resources in their AML/CFT activities. This includes identifying and assessing the AML/CFT risks in relation to the development and use of new or existing—
       
        a. Virtual Assets [in particular, Anonymity-Enhanced Cryptocurrencies];
        b. Virtual Asset related products or services [in particular, methods in which Anonymity-Enhanced Transactions can be conducted];
        c. Virtual Asset related business and professional practices; and
        d. technologies associated with VA Activities.
       
      3. VASPs enabling Anonymity-Enhanced Transactions as part of their VA Activities must implement proportionately enhanced controls to ensure compliance with all applicable laws and regulations [including all Federal AML-CFT Laws], Regulations, Rules and Directives, as well as effectively monitor and prevent illicit uses. Such controls shall include conducting enhanced CDD on each client using those services, which shall be verified every six [6] months. In the case where the AML/CFT risks cannot be adequately mitigated, such products or services should not be offered.
       
    • E. Client Due Diligence

      1. VASPs shall adopt a risk-based application of CDD measures in accordance with the Federal AML-CFT Laws.
      2. VASPs are required to undertake CDD measures to verify the identity of the client and the UBO[s] before or during the establishment of a business relationship for the purposes of providing services relating to VA Activities, or before executing a transaction [whether or not denominated in Virtual Assets] for a client with whom there is no business relationship.
      3. VASPs shall undertake CDD measures in the following circumstances—
       
        a. when establishing a business relationship with a client for the purposes of providing services relating to VA Activities;
        b. when carrying out occasional transactions in favour of a client for amounts equal to or exceeding AED 3,500, whether the transaction is carried out in a single transaction or in several transactions that appear to be linked;
        c. where there is an instruction from a client to handle a potential Suspicious Transaction;
        d. where there are doubts about the veracity or adequacy of previously obtained identification information of a client; and
        e. when carrying out any transaction for high-risk clients as characterised in the Federal AML-CFT Laws.
       
      4. VASPs should undertake CDD measures in their ongoing supervision of business relationships with clients, including—
       
        a. auditing transactions that are carried out throughout the period of the business relationship, to ensure that the transactions conducted are consistent with the information on file regarding clients and the risks they pose, including, where necessary, the source of funds; and
        b. ensuring that the documents, data or information obtained from CDD measures are up-to-date and appropriate by regularly reviewing such records, particularly those of high-risk clients as characterised in the Federal AML-CFT Laws.
       
      5. As part of the CDD process, VASPs shall verify clients’ identity by reference to the following documents, data or information from a reliable and independent source—
       
        a. For individuals
       
          i. full name as shown on an identification card or a travel document [along with a copy of the original and valid identification card or travel document];
          ii. nationality;
          iii. address;
          iv. place of birth;
          v. name and address of employer; and
          vi. if the client is a Politically Exposed Person, approval from the MLRO and a member of the Senior Management is required prior to establishing a business relationship with such client.
       
        b. For Entities which are not individuals
       
          i. full name of the Entity;
          ii. type of Entity;
          iii. constitutional documents [e.g. memorandum of association and articles of association] attested by competent authorities within the UAE;
          iv. principal place of business;
          v. names of individuals holding Senior Management positions in the Entity; and
          vi. if the UBO is a Politically Exposed Person, approval from the MLRO and a member of the Senior Management is required prior to establishing a business relationship with such client.
       
      6. VASPs are further required to—
       
        a. verify that any Entity purporting to act on behalf of the client is so authorised, and verify the identity of that Entity in accordance with Rule III.E.5 of this Compliance and Risk Management Rulebook;
        b. understand the intended purpose and nature of the business relationship with the client, and obtain, when necessary, information related to this purpose; and
        c. where the VASP’s client is a business or otherwise provides services to other clientele, understand the nature of the client’s business as well as the client’s ownership and control structure, including but not limited to the following—
       
          i. the identity of UBO[s];
          ii. whether such structure includes any DAOs and, if so, the intended purpose of such DAOs;
          iii. the type, nature and pursuits of the clientele of a prospective client and where necessary carry out appropriate due diligence on the client’s clientele in order to ensure compliance with the Federal AML-CFT Laws.
       
      7. If a VASP is unable to conduct appropriate CDD on a client, it shall not—
       
        a. establish or maintain a business relationship with such client; or
        b. execute any transaction for such client.
       
      8. If a VASP relies on third parties to perform CDD, it shall remain liable for ensuring such third parties perform CDD in accordance with all relevant Rules and Directives. VASPs that rely on third parties to undertake CDD on their behalf must therefore implement adequate measures in keeping with the nature and size of their businesses [including VA Activities] to ensure that such third parties’ performance of CDD is in accordance with all relevant Rules and Directives.
       
    • F. Suspicious Transaction Monitoring and Reporting

      1. VASPs shall employ methods which are appropriate to their particular circumstances and VA Activities to continuously monitor business relationships with clients to identify any Suspicious Transactions. Such methods shall ensure that no “tipping-off” or similar offence occurs. Such methods shall also ensure all Suspicious Transactions are immediately reported to the MLRO, in order for the MLRO to meet the requirements of this Rule III.F. VASPs are required to document, obtain Senior Management approval for, and periodically review and update such methods to ensure their effectiveness.
      2. VASPs shall put in place and regularly update indicators that can be used to identify possible Suspicious Transactions.
      3. Upon suspicion or reasonable grounds to suspect that the proceeds of a transaction are related to a crime, or the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime, the MLRO shall be responsible for—
       
        a. immediately reporting to the UAE FIU and VARA such Suspicious Transactions in accordance with Rule III.F.4 of this Compliance and Risk Management Rulebook;
        b. responding to all additional information requests from the UAE FIU and/or VARA promptly and in any event within forty-eight [48] hours of such requests;
        c. undertaking any additional actions as may be requested by the UAE FIU and/or VARA within any specified timeframe in such requests; and
        d. in the event the MLRO is not the same individual as the CO, immediately reporting to the CO that a Suspicious Transaction report has been made, provided that the provision of any such report would not be considered “tipping-off” or a similar offence under any applicable laws or regulations.
       
      4. All reports regarding Suspicious Transactions shall be made—
       
        a. to the UAE FIU and VARA on the GoAML platform or by any other means approved by the UAE FIU and/or VARA; and
        b. in accordance with any Guidance which may be issued by VARA from time to time.
       
      5. VASPs shall continue monitoring [on a near real time basis where appropriate] any transactions which are the subject of a Suspicious Transaction report.
       
    • G. FATF Travel Rule

      1. Prior to initiating any transfer of Virtual Assets with an equivalent value exceeding AED 3,500, VASPs must obtain and hold required and accurate originator information and required beneficiary information and make it available on request to VARA and/or other appropriate authorities.
      2. Prior to permitting any clients access to Virtual Assets received from a transfer with an equivalent value exceeding AED 3,500, a beneficiary VASP must obtain and hold required originator information and required and accurate beneficiary information and make it available on request to VARA and/or other appropriate authorities.
      3. Required originator information shall include, but not be limited to, the originator’s—
       
        a. name;
        b. account number or VA Wallet address; and
        c. residential or business address.
       
      4. Required beneficiary information shall include, but not be limited to, the beneficiary’s—
       
        a. name; and
        b. account number or VA Wallet address.
       
      5. Prior to entering into any transaction with a counterparty VASP or virtual asset service provider in any other jurisdiction, VASPs must complete risk-based due diligence on such counterparty in order to mitigate AML/CFT risks. This due diligence does not need to be completed for every subsequent transaction with the counterparty unless a heightened counterparty risk is assessed or identified.
      6. In complying with the Travel Rule, VASPs must consider how they will handle the risks associated with—
       
        a. deposits or withdrawals [including those which are compliant with the Travel Rule and those which are not];
        b. non-obliged entities [i.e. unhosted VA Wallets]; and
        c. Anonymity-Enhanced Transactions.
       
      7. VASPs shall be required to demonstrate to VARA how they comply with the Travel Rule during the licensing process and submit to VARA relevant policies and controls. VASPs should also include their plan to comply with the Travel Rule with virtual asset service providers in jurisdictions where the Travel Rule is not a legislative requirement [i.e. the “sunrise issue”].
      8. In implementing policies and controls to comply with the Travel Rule and AML/CFT Rules, VASPs shall be guided by FATF Interpretive Note to Recommendation 15 and all applicable laws, regulatory requirements and guidelines as may be in force from time to time. VASPs must monitor for any transaction or series of transactions that seeks to circumvent any regulatory thresholds to bypass Travel Rule requirements.
      9. VARA may require VASPs to report on their compliance with the Travel Rule and the effectiveness of their implementing policies and controls, at any time.
       
    • H. Record Keeping

      1. VASPs shall retain the following types of records relating to AML/CFT in accordance with the Federal AML-CFT Laws—
       
        a. Virtual Asset transaction records, including operational and statistical records, documents and information [whether or not recorded on public distributed ledgers] concerning all transactions executed or processed by the VASP;
        b. CDD records, including records, documents, and information about clients [e.g. account files and business correspondence], and results from the investigation and analysis of clients’ activities;
        c. information relating to third parties engaged by the VASP to undertake CDD;
        d. records relating to ongoing monitoring of business relationships with clients; and
        e. Suspicious Transaction reports made in accordance with Rule III.F of this Compliance and Risk Management Rulebook.
       
      2. VASPs shall retain all records required in Rule III.H.1 for a period of no less than eight [8] years.
       
    • I. Enforcement

      1. VASPs which fail to comply with Rules in this Part III of this Compliance and Risk Management Rulebook may be subject to enforcement actions taken by VARA or other penalties as set out in the Regulations and the Federal AML-CFT Laws.