
Executive Report: VARA's compliance updates for Dubai

  • Nominis Intelligence Unit
  • 14 hours ago
  • 9 min read

This report breaks down the latest changes in VARA’s Rulebook 2.0, including mandatory KYT, Travel Rule enforcement, and quarterly AML risk assessments. It outlines who must comply, what penalties apply, and how firms can align operations with new expectations. For VASPs and startups, real-time compliance tools like Nominis offer a scalable, cost-effective way to meet the new standard and thrive in Dubai’s evolving regulatory environment.


Dubai's Crypto Rise and Regulatory Maturity


Dubai is establishing itself as a global hub for digital assets, driven by impressive adoption rates and substantial investment inflows. Currently, over 25% of UAE residents own virtual assets. In 2024 alone, the country recorded 15 million crypto app downloads, a 41% increase from the previous year, and attracted more than $30 billion in crypto-related investments, including a landmark $2 billion injection into Binance by Abu Dhabi’s MGX fund. This remarkable growth is underpinned by a favorable regulatory environment, strong government support, and the UAE’s strategic ambition to diversify its economy and attract international capital.



Central to Dubai’s regulatory landscape is the Virtual Assets Regulatory Authority (VARA), established in 2022 under Law No. 4. VARA’s core purpose is to position Dubai as a safe, progressive jurisdiction for virtual assets by regulating, licensing, and supervising all virtual asset activities, while ensuring investor protection, financial stability, and AML/CFT alignment.

VARA is the world’s first independent regulator focused entirely on virtual assets. It oversees all virtual asset-related activities in Dubai, excluding the DIFC. VARA’s mandate, as outlined in Law No. 4 of 2022, includes enabling innovation while safeguarding the public interest through a regulatory framework aligned with international standards such as those of the FATF.



1. To promote the Emirate as a regional and international hub for Virtual Assets and related services; to boost the competitive edge of the Emirate at the local and international levels; and to develop the digital economy in the Emirate;

2. To increase awareness on investment in the Virtual Asset services and products sector, and encourage innovation in this sector;

3. To contribute to attracting investments and encourage companies operating in the field of Virtual Assets to base their business in the Emirate; 

4. To develop the regulations required for the protection of investors and dealers in Virtual Assets, and to endeavour to curb illegal practices in coordination with the concerned entities; and 

5. To develop the regulations, rules, and standards required for regulating, supervising, and overseeing Virtual Asset Platforms, Virtual Asset Service Providers, and all other matters related to Virtual Assets.



Effective June 19, 2025, Rulebook 2.0 introduces fundamental changes that shift expectations from policy-based oversight to active enforcement and technology-enabled compliance.

All impacted virtual asset service providers have been granted a 30-day transition period to comply with the new requirements by June 19, 2025. VARA's Supervision Teams will provide activity-specific guidance to each licensed entity during this period.

The updated Rulebooks introduce enhanced supervisory mechanisms across various regulated virtual asset activities, including advisory services, broker-dealer services, custody, exchange, lending/borrowing, management/investment, and transfer/settlement services.


Key refinements include:

  • Strengthened controls around margin trading and token distribution services

  • Clearer definitions for collateral wallet arrangements

  • Harmonized compliance requirements across all licensed activities

VASPs are now required to conduct dynamic risk assessments every three months as a mandatory compliance requirement. These assessments must bring emerging risks, such as anonymity-enhanced cryptocurrencies (AECs), AI/ML systems, and newly evolving virtual asset classes, into the firm’s AML/CFT controls.


Strengthened Customer Due Diligence (CDD) now applies to high-risk clients, politically exposed persons (PEPs), and ultimate beneficial owners (UBOs), and requires verification of:

  • Source of funds

  • Residential and business addresses

  • Identity of third-party representatives

  • Associated high-risk client networks


Enhanced Suspicious Activity Reporting (SAR) obligations have been added under a new “AML-CTF Report” standard. MLROs must respond to inquiries from the UAE FIU or VARA within 48 hours, significantly increasing the need for rapid internal escalation processes.


Travel Rule enforcement is now explicit. Rulebook 2.0 mandates full compliance with UAE Federal AML-CFT Law and FATF’s Travel Rule. Reporting and data-sharing requirements are now explicitly defined and enforceable across both domestic and international transfers.


Targeted Financial Sanctions (TFS) Compliance measures have also been formalized. All VASPs must:

  • Perform instant sanctions screening

  • Freeze assets immediately upon detection of a match

  • Maintain an eight-year audit trail of all actions taken

These measures are directly aligned with FATF and UNSC requirements. Importantly, non-compliance no longer results only in corporate penalties, and enforcement can now extend to directors, MLROs, and other responsible individuals. These updates mark a clear shift from procedural compliance to real-time, results-based enforcement.


Who Must Comply


All VASPs operating in Dubai, except those in the DIFC, must obtain licensing. Covered activities include:

  • Virtual asset exchanges

  • Custody and wallet services

  • Broker-dealer and lending platforms

  • Market makers and liquidity providers

  • Virtual asset payment and advisory services

  • Issuance of tokens, NFTs, or stablecoins

  • Staking and yield-generating products


Compulsory Rulebooks VARA 2.0



Firms seeking to operate in Dubai’s virtual asset space must undergo a rigorous and multi-layered licensing process. This includes the submission of a comprehensive business model, a dynamic risk assessment framework, internal governance policies, and detailed control systems tailored to their proposed virtual asset services. VARA evaluates these materials to confirm that applicants possess adequate financial resources, operational resilience, technological infrastructure, and senior leadership competency to handle regulatory responsibilities.

Startups must also demonstrate the ability to meet minimum capital requirements starting at AED 100,000 while proving that their systems can handle real-time compliance testing. This includes live demonstrations of wallet screening, transaction risk scoring, and sanctions detection capabilities. These components are no longer considered optional best practices but are evaluated as part of the licensing criteria. The onboarding process effectively filters out firms lacking automated KYT infrastructure or those unable to meet ongoing technological obligations.



The rulebook sets standards to prevent deceptive practices and protect consumers. VASPs must not misrepresent their licensing status and are expected to maintain fair marketing, avoid misleading claims, and act in good faith when dealing with clients. Breaches of conduct rules may lead to investigations and penalties.



Technology expectations have shifted from basic policy to enforced functionality. VASPs must implement real-time surveillance tools with automated alerts, robust encryption, intrusion detection systems, and data integrity frameworks. Monitoring infrastructure must be auditable, updatable, and capable of supporting risk scoring and suspicious transaction escalation in real time.



Rulebook 2.0 expands significantly on this section. VASPs are now required to maintain detailed, immutable audit trails of all transactions, including the amount, date, wallet addresses, and residency data of all involved parties. These records must be securely stored for at least eight years. Regular quarterly compliance and risk reports must be submitted to VARA, and third-party audits must be conducted annually.

Firms must implement controls aligned with FATF Red Flag indicators and review the effectiveness of distributed ledger analytics tools every quarter. Compliance governance must include clear oversight from the board of directors and the appointment of competent MLROs and compliance officers. Risk scoring, client profiling, and monitoring thresholds must be clearly documented and updated based on dynamic risk trends.


KYT (Know Your Transaction)


KYT has become a central pillar of compliance. Under Rulebook 2.0, VASPs must deploy real-time transaction monitoring that screens wallet addresses continuously, tracks behavioral patterns, and analyzes geographic and network-linked indicators. This helps ensure faster detection of illicit activity and more accurate reporting.


Travel Rule Enforcement


Transfers of virtual assets exceeding AED 3,500 are now subject to strict Travel Rule obligations. VASPs must collect and retain originator and beneficiary data, and ensure this information is accessible to VARA and the UAE FIU upon request. These requirements are enforceable under UAE Federal AML-CFT Law and are aligned with FATF guidance. Recordkeeping standards apply to both local and cross-border transactions.


AML/CFT Compliance


VASPs must establish policies that include high-frequency screening of clients and transactions for illicit indicators, adverse media, criminal history, and international financial sanctions. Enhanced CDD measures must be applied to high-risk clients and geographies, including independent verification of identities and transaction sources. AML/CFT risk assessments must be revisited every quarter to incorporate emerging threats.

Internal controls must reference the FATF Red Flags Report (September 2020), and any updates to this guidance. VASPs are also obligated to respond to regulator or FIU requests within 48 hours, reinforcing the need for real-time system alerts and efficient internal communication protocols.


Sanctioned Wallets and TFS Controls


VARA mandates that all clients and transactions be screened against the UNSC and UAE sanctions frameworks. Real-time, automated systems must be in place to flag and freeze assets related to designated entities. These assets must be blocked from use, withdrawal, or transfer, and associated documentation retained for eight years.


Nominis.io delivers automated sanctioned wallet screening and instant risk scoring across multiple chains, allowing firms to freeze high-risk transactions in real-time and comply with enforcement expectations efficiently and reliably.


Penalties for Non-Compliance


Penalties for non-compliance can be harsh. For example, in 2024, a Dubai-based VASP was fined AED 1.5 million for failing to screen wallets in real time, underlining the importance of immediate compliance with KYT requirements.

Schedule 3 of the rulebook outlines a range of financial and administrative penalties:

  • Operating without a license: Up to AED 20 million

  • Breach of AML/CFT obligations: Up to AED 5 million

  • Failure to submit Suspicious Transaction Reports (STRs): Up to AED 2 million

  • Absence of real-time monitoring systems: Up to AED 1 million

  • Daily fines for persistent non-compliance: AED 20,000 to AED 200,000

Enforcement can be applied directly to the firm or to responsible individuals, including MLROs and directors.


How Nominis Supports VASPs Under VARA


Nominis.io offers compliance infrastructure tailored to meet Rulebook 2.0 obligations. It provides:

  • Real-time KYT transaction monitoring

  • Continuous wallet screening across chains

  • Sanctioned wallet identification

  • On-chain and off-chain data integration

  • Automated risk scoring and alerts

  • Dark web and social signal intelligence

  • Case management and audit tools

These features reduce manual effort by up to 80% while delivering results that exceed baseline compliance. Designed for startups and agile firms, Nominis offers a cost-effective alternative to TRM Labs and Chainalysis, enabling better outcomes without enterprise-scale overhead.

Visit https://nominis.io for more details.


[Image: Nominis' Compliance Framework, with icons and text on KYT Monitoring, Wallet Identification, Risk Scoring, Case Tools, etc.]

Preparation Checklist for Compliance Teams


  • Obtain VARA license for each activity

  • Appoint MLRO, compliance officer, and governance board

  • Configure automated KYT and sanctions screening systems

  • Ensure cybersecurity infrastructure aligns with VARA requirements

  • Establish real-time freezing protocols and audit logs

  • Review AML/CFT risks and thresholds quarterly

  • Submit quarterly and annual reports to VARA and FIU


What Startups Must Do Now


Startups planning to enter Dubai’s virtual asset market should prioritize:

  • Securing minimum capital of AED 100,000

  • Establishing automated KYT, SAR, and sanctions screening tools

  • Preparing for Rulebook 2.0 enforcement by Q4 2025

  • Running real-time simulations for audit readiness


[Image: Flowchart of the VARA & VASP Regulation registration process in 7 steps.]

Nominis offers tools that support each of these steps affordably, allowing startups to stay lean while fully compliant.


Limitations of VARA


Despite its strengths, VARA’s regulatory regime presents several challenges that can restrict accessibility, hinder adoption, and reduce global interoperability:


  • High Entry Costs: VARA licensing requires over AED 300,000 annually in fees alone, not including minimum capital thresholds (AED 100,000), legal, audit, and tech compliance expenses. These costs are often prohibitive for startups and small businesses.


  • Lengthy Licensing Timelines: The full licensing process may take 10–12 months depending on business complexity, documentation readiness, and fulfillment of regulatory criteria. This delays go-to-market for many firms.


  • Fragmented Oversight: The UAE has five separate regulatory jurisdictions (e.g., VARA, ADGM, DIFC). A VARA license does not guarantee national coverage, and additional approvals may be needed to operate in other emirates.


  • Lack of Provisions for Small Projects: Early-stage ventures may be forced to pursue full licenses even when offering limited functionality. The absence of a simplified, sandbox, or "basic" licensing path discourages grassroots innovation.


  • Enforcement Gaps: Many companies advertising to Dubai users are not locally licensed. This regulatory arbitrage undermines enforcement and creates an uneven playing field for compliant firms.


  • Banking Barriers: Despite regulatory clarity, traditional banks remain hesitant to work with VASPs. This restricts access to fiat payment infrastructure, even for fully compliant entities.


  • Global Misalignment and Travel Rule Friction: While VARA enforces FATF’s Travel Rule, many countries do not. This creates compliance gaps and technical incompatibilities:

    • Dubai-based VASPs may collect and share required sender/receiver information, but have no assurance that counterparties in non-compliant jurisdictions will reciprocate.

    • This limits the effectiveness of global AML protections, introduces cross-border transaction risk, and places a disproportionate compliance burden on firms in Dubai.

    • Bad actors can exploit these gaps by routing funds through weaker jurisdictions with looser standards.


It’s important to acknowledge that these limitations can be overcome by investing in transaction monitoring platforms or compliance providers that evolve alongside regulatory requirements. Platforms that stagnate put your reputation at risk by failing to keep up with new requirements from regulators, while those that evolve as the regulators do offer the easiest way to remain consistently compliant.


Final Thoughts: Turning Compliance into Competitive Advantage


Firms that build compliance into their workflows from day one, using flexible platforms like Nominis, won’t just meet the standard. They’ll lead it.

Rulebook 2.0 marks a major step forward in Dubai’s effort to establish itself as a trusted digital asset jurisdiction. The costs of compliance are high, but so too are the benefits for firms that meet the standard. Automated, scalable solutions like those offered by Nominis.io can turn compliance into a strategic advantage: one that ensures regulatory alignment while enabling confident, rapid market growth.


While we strive for accuracy in our content, we acknowledge that errors may occur. If you find any mistakes, please reach out to us at contact@nominis.io. Your feedback is appreciated!


