On June 12, 2026, Dubai’s Virtual Assets Regulatory Authority published new anti-money laundering guidance that applies to every licensed crypto firm in the emirate. Quarterly risk reviews. Real-time FATF blacklist screening. Senior management held personally accountable for compliance failures. And a pointed warning about AI-related risks that most of the industry has been ignoring. If you hold a VARA licence or are thinking about one, this is what changed.

What VARA Published and Why It Matters

The Virtual Assets Regulatory Authority is Dubai’s dedicated crypto regulator, covering all virtual asset activity in the emirate outside the DIFC. It has issued licences to more than 100 virtual asset service providers across exchanges, custodians, and broker-dealers since it was established under Dubai Law No. 4 of 2022. It is one of the most active crypto licensing jurisdictions anywhere in the world.

The June 12 guidance came directly out of VARA’s 2026 Business Risk Assessment thematic review, a regulatory audit that examined how licensed firms were actually implementing their anti-money laundering and counter-terrorist financing controls. The review found two systemic gaps across the industry: firms were not using real operational data to drive their compliance decisions, and governance of those decisions was not sitting at a senior enough level. The new guidance is VARA’s response to both gaps.

Between August 2024 and August 2025, VARA issued enforcement notices against 36 separate firms for violations including unlicensed virtual asset activities and AML failures. The June 12 guidance is the regulator signalling that enforcement posture is tightening, not softening.

The AI Risk Warning That Most Coverage Missed

One element of the June 12 guidance received almost no attention in the initial industry coverage: VARA’s explicit flagging of artificial intelligence as an emerging compliance risk category.

The regulator specifically urged firms to update their controls to address AI-related risks and anonymity-enhancing transactions, naming these alongside sanctions, proliferation financing, and terrorism financing as areas requiring enhanced monitoring. This is not boilerplate language. It reflects something real that is happening in crypto compliance: AI tools are being used both by firms trying to detect financial crime and by bad actors trying to evade detection, and the guidance VARA issued is asking firms to be explicit about how they are managing both sides of that dynamic.

The concern about anonymity-enhancing transactions sits alongside this. Privacy coins, mixing services, and zero-knowledge proof-based transactions have always been a regulatory sensitivity in the UAE. The June 12 guidance reinforces that Dubai-licensed firms cannot treat these transaction types as routine without having documented controls around them. Privacy-enhancing assets and transactions are receiving what VARA describes as closer scrutiny because of their AML implications.

VARA is asking firms to treat AI as both a compliance tool and a compliance risk. That is a more sophisticated regulatory position than most jurisdictions have reached publicly. It is also a direct signal that the regulator is watching how AI is being used inside the firms it licenses.

The Broader Context: AED 370 Million in Penalties Since Early 2025

The June 12 guidance does not exist in isolation. It follows a period of intensified enforcement across the UAE financial sector that has not been limited to crypto. Since early 2025, the UAE Central Bank has imposed more than AED 370 million, equivalent to over 100 million dollars, in AML and counter-terrorist financing penalties on financial institutions across the country, covering banks, exchange houses, insurers, and finance companies.

The message is consistent across regulators and asset classes: the UAE is actively shedding the perception that it is a soft-touch jurisdiction for financial crime. The FATF grey listing period, which the UAE exited in 2024 after implementing a comprehensive national AML reform programme, clearly left a lasting mark on how aggressively the country’s regulators are now approaching compliance standards.

For VARA specifically, the direction of travel is explicit. Dubai remains one of the most open crypto licensing environments in the world. More than 100 licences across VARA, ADGM, DFSA, CBUAE, and CMA represent a genuine commitment to being a regulated crypto hub. But open does not mean permissive. The June 12 guidance is the clearest signal yet that access to Dubai’s crypto market comes with operational obligations that are being enforced rather than merely stated.

What This Means If You Hold a VARA Licence

  • Review your Business Risk Assessment immediately if it has not been updated in the last three months. Under the new guidance, a BRA that was last updated six months ago is already non-compliant with VARA’s quarterly expectation.
  • Audit your FATF screening integration. If your transaction monitoring system pulls jurisdiction risk data from a weekly or monthly feed, check whether that feed covers FATF’s grey and black lists and confirm how quickly updates propagate into live screening. Real-time is now the expectation, not a best practice.
  • Document your AI-related controls explicitly. If your firm uses any AI tool in its compliance, transaction monitoring, or onboarding processes, the guidance implies those tools’ capabilities and limitations should be documented and reviewed as part of your risk assessment. An AI-powered KYC tool that has not been assessed for its own failure modes does not satisfy the spirit of what VARA is asking for.
  • Escalate accountability structures. If compliance sign-off on risk assessments currently sits below C-suite level, the personal accountability language in the June 12 guidance is a clear signal to change that before the next regulatory examination.
  • Engage a VARA-familiar compliance adviser if you have not already. The specificity of the June 12 requirements, particularly around data-driven risk models and AI risk integration, is detailed enough that generic AML compliance experience is not sufficient to implement it correctly.
VARA’s June 12 guidance is not a warning shot. It is a detailed specification of what compliant crypto operation in Dubai now looks like, backed by a regulator that has already issued 36 enforcement notices in a single year. The firms that take this seriously and update their systems now are in a significantly better position than the ones that wait for a regulatory examination to find the gaps for them.
Tags