AML Regulations for Virtual Asset Service Providers in the UAE – Crypto AML Regulations in the UAE

Table of Contents

As Virtual Assets continue to gain acceptance and blockchain technology grows increasingly influential across various industries, the Virtual Assets sector is rapidly expanding. This segment significantly impacts the financial sector and the broader economy.

With this growth, the demand for intermediaries to facilitate Virtual Asset transactions is also on the rise. These intermediaries are known as “Virtual Asset Service Providers” (VASPs).

Understanding the terms “Virtual Assets” and “Virtual Asset Service Providers” is crucial in navigating this industry.

What are Virtual Assets?

Before delving into Virtual Asset Service Providers, it’s important to clarify what is meant by a Virtual Asset (VA). While many equate Virtual Assets with cryptocurrencies, the term is much broader and continues to evolve.

The Financial Action Task Force (FATF) defines a Virtual Asset as:

“a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes.”

Similarly, UAE’s Cabinet Resolution No. (111) of 2022 defines a Virtual Asset as:

“a digital representation of value that can be traded or transferred digitally, used for investment purposes, and excludes digital representations of paper currencies, securities, or other funds.”

From these definitions, the core elements of a Virtual Asset include:

  • It must be digital.
  • It must be tradable and transferable digitally.
  • It must carry value for use in payment or investment.

These characteristics are enabled by Distributed Ledger Technologies (DLT), which have transformed the financial services landscape. Common examples of VAs include virtual currencies like Bitcoin, Ether, Dogecoin, and Stablecoins.

It’s essential to note that Virtual Assets do not include digital representations of fiat currencies, shares, or securities. These digital assets, often classified as e-money, do not meet the criteria for VAs, as they lack the inherent ability for digital trading or transfer in the same way as Virtual Assets.

For an asset to be considered a VA, it must have the intrinsic quality of being digitally tradable and transferable.

Virtual Assets vs. Digital Assets

While discussing VAs, it’s important to distinguish them from “Digital Assets” (DAs), as the two terms are often used interchangeably. However, not every DA qualifies as a VA. Digital Assets include a broader category, such as Non-Fungible Tokens (NFTs), which are unique digital assets typically used as collectibles rather than for payment or investment purposes. Therefore, NFTs are not classified as VAs under FATF guidelines, as they do not fulfill the primary function of payment or investment.

Understanding these definitions is vital for Virtual Asset Service Providers to ensure compliance with AML regulations in the UAE, as they navigate this evolving landscape.

What is a Virtual Asset Service Provider (VASP)?

Now that we have an understanding of Virtual Assets, it’s essential to define what a Virtual Asset Service Provider (VASP) is. According to the Financial Action Task Force (FATF), a VASP is:

“a business that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:”

  1. Exchange between Virtual Assets and Fiat Currencies:
    A business that converts fiat currency to Virtual Assets (or vice versa) as part of its operations is considered a VASP.
  2. Exchange between Different Types of Virtual Assets:
    Businesses that exchange one form of Virtual Asset for another are also classified as VASPs.
  3. Transfer of Virtual Assets:
    VASPs can facilitate the transfer of Virtual Assets on behalf of others. This means transferring assets from one address or account to another.
  4. Safekeeping and Administration of Virtual Assets or Instruments Enabling Control Over Virtual Assets:
    Providers offering custodial services or managing Virtual Assets and their control mechanisms for clients are also classified as VASPs. Custodial wallet services are a typical example here.
  5. Financial Services Related to an Issuer’s Offer or Sale of a Virtual Asset:
    This includes services related to Initial Coin Offerings (ICOs), such as purchasing and distributing Virtual Assets on behalf of the issuer or providing underwriting services.

It is important to note that the term “conducts” implies that any entity actively facilitating these services, even as an intermediary, can be considered a VASP. Furthermore, VASPs operate as a business, meaning they engage in these activities for commercial purposes and on behalf of others. Those who engage in such activities sporadically, for their own benefit, or without a commercial motive are not classified as VASPs.

Activities Under Each VASP Category

  • Exchange and Transfer of Virtual Assets:
    Exchanges that facilitate trading between Virtual Assets and fiat currencies, as well as between different types of Virtual Assets, are VASPs. Decentralized applications (DApps) that support these activities may not themselves be VASPs, but the operators of such platforms are, as they actively facilitate transactions. Additionally, Crypto-ATM operators and brokers involved in Virtual Asset transactions fall under this category.
  • Safekeeping and Control of Virtual Assets:
    Custodial wallet providers, which hold clients’ Virtual Assets or the private keys enabling access to these assets, are VASPs. This does not include auxiliary services like data storage or internet services, as they do not engage directly with the Virtual Assets or their owners.
  • Financial Services for ICOs:
    Entities that participate in or provide services for ICOs are VASPs. This includes those who purchase Virtual Assets from issuers to resell or distribute them, as well as those providing underwriting or book-building services.

UAE Blockchain Strategy 2021

In 2018, the UAE government launched its Blockchain Strategy 2021, aimed at shifting 50% of government transactions onto blockchain platforms by 2021. The strategy aims to leverage blockchain technology to reduce routine transaction costs, cut down on printed documents, and save work hours significantly.

Regulatory Frameworks for Virtual Assets in the UAE

In response to the growing popularity of Virtual Assets globally, the UAE government has issued various regulations to promote the establishment of Virtual Asset companies. These regulations support market growth while setting clear standards and compliance requirements for the industry. As the Virtual Assets sector continues to expand, these frameworks ensure proper oversight and mitigate risks associated with Virtual Asset transactions and services.

UAE Crypto Regulatory Authorities

The financial and capital markets in the UAE are primarily overseen by two main entities: the Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA). These authorities play a significant role in regulating the Virtual Asset industry and ensuring compliance with local and international standards.

  1. Central Bank of the UAE (CBUAE)
    • The CBUAE supervises the overall banking and monetary systems in the UAE. As part of its strategy for 2023-2026, the CBUAE announced plans to launch its own digital currency by 2026. This initiative aims to integrate digital currency into the UAE’s financial ecosystem.
  2. Securities and Commodities Authority (SCA)
    • The SCA is responsible for licensing Virtual Asset activities within the UAE, outside of the designated Financial Free Zones. Cabinet Resolution No. (111) of 2022, issued by the Prime Minister, established a framework for regulating Virtual Assets and their service providers. Effective from January 13, 2023, this resolution mandates that specific Virtual Asset activities must be licensed by the SCA or relevant local authorities, except within Financial Free Zones.
  3. Dubai Multi Commodities Centre (DMCC)
    • The DMCC has established a dedicated crypto center that hosts Virtual Asset Service Providers (VASPs) engaged in the offering, issuing, listing, and trading of crypto assets. The center also welcomes companies involved in developing blockchain trading platforms, thereby fostering innovation within the industry.
  4. Dubai Financial Services Authority (DFSA)
    • The DFSA regulates companies based in the Dubai International Financial Centre (DIFC). It sets and enforces standards specific to Virtual Assets and other financial activities conducted within the DIFC.
  5. Financial Services Regulatory Authority (FSRA)
    • The Abu Dhabi Global Market (ADGM), another key financial center in the UAE, is supervised by the FSRA. The FSRA regulates Virtual Asset activities within the ADGM, ensuring that companies comply with financial regulations specific to this jurisdiction.
  6. Virtual Asset Regulatory Authority (VARA)
    • Established to oversee Virtual Asset Service Providers operating in the Emirate of Dubai, VARA regulates entities outside the DIFC. This authority ensures that VASPs adhere to the required standards for Virtual Asset activities within Dubai, except for those under DFSA regulation within the DIFC.

These regulatory bodies collectively ensure that Virtual Asset activities in the UAE are conducted within a secure and compliant environment, fostering the growth of the Virtual Asset industry while protecting market integrity.

UAE Crypto Regulations for Onshore Companies

The UAE’s financial and capital markets are governed primarily by the Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA). For onshore companies engaged in Virtual Asset activities, the regulatory framework is outlined in the SCA’s Decision No. 23 of 2020 concerning Crypto Assets Activities Regulation (CAAR). These regulations set forth the requirements for Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) to ensure that companies operate within a secure and compliant environment.

Key Requirements under CAAR

According to CAAR, reporting entities must adhere to the following AML/CFT requirements:

  • Establish a Robust AML/CFT Compliance Framework: Companies must implement effective measures to detect and prevent money laundering and terrorism financing.
  • Define KYC and AML Policies and Procedures: Entities are required to establish clear policies for Know Your Customer (KYC) processes and ongoing AML monitoring.
  • Designate Bank Accounts for Transactions: Deposits and withdrawals must be made exclusively to and from designated bank accounts maintained with authorized financial institutions. If a foreign financial institution is involved, explicit approval from the SCA is required.
  • Traceability of Crypto Assets: Companies must ensure that all Virtual Assets are traceable to meet regulatory standards.

In addition, onshore companies must comply with the CBUAE’s Stored Value Facilities (SVF) Regulation 14, which governs entities handling stored value facilities. Additionally, the Retail Payment Services and Card Schemes Regulation (RPSCSR) applies to entities offering payment token services, further regulating Virtual Asset transactions.

Licensing Requirements under Cabinet Resolution No. (111) of 2022

Effective from January 13, 2023, Cabinet Resolution No. (111) of 2022 mandates that specific Virtual Asset activities must be licensed by either the SCA or relevant Local Licensing Authorities. These activities include:

  1. Operation and Management of Virtual Asset Platforms
  2. Exchange Services between Various Forms of Virtual Assets
  3. Virtual Asset Transfer Services
  4. Brokerage Services for Virtual Asset Trading
  5. Custody, Management, and Control of Virtual Assets
  6. Financial Services Related to Issuing and Selling Virtual Assets

Compliance and Oversight

The resolution also emphasizes the need for regulatory approval and licensing for all Virtual Asset Service Providers operating within the UAE. The SCA is responsible for overseeing these activities and ensuring compliance with the following:

  • Licensing Requirements: No entity may offer Virtual Asset services without proper licensing from the SCA or Local Licensing Authorities.
  • Verification of Compliance: The SCA will assess applicants’ compliance with capital requirements, credit guarantees, AML regulations, and other obligations before issuing licenses.
  • AML Compliance: Licensed Virtual Asset providers must comply with Federal Decree Law No. (20) of 2018 and its executive regulations, in alignment with FATF recommendations for Virtual Assets.

These regulations reflect the UAE’s commitment to fostering a safe and regulated environment for Virtual Asset activities, ensuring that all service providers adhere to stringent AML/CFT protocols and operate within legal boundaries.

UAE Crypto Regulations: Compliance and Risk Management

Emirate of Dubai (excluding DIFC)

On March 11, 2022, Virtual Assets Law No. 4 of 2022 came into effect, establishing the Virtual Asset Regulatory Authority (VARA) as the supervisory body for Virtual Asset Service Providers (VASPs) in Dubai, excluding those within the Dubai International Financial Centre (DIFC).

VARA has issued a comprehensive compliance and risk management Rulebook that outlines mandatory frameworks for VASPs, particularly around Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT). The key AML compliance requirements include:

  • Appointing a Money Laundering Reporting Officer (MLRO) with at least two years of AML/CFT experience.
  • Conducting AML Business Risk Assessments to identify and mitigate risks.
  • Establishing AML/CFT Policies and Procedures in alignment with VARA, Federal Laws, and FATF standards.
  • Client Due Diligence to screen clients, Ultimate Beneficial Owners (UBOs), Virtual Asset transactions, and wallet addresses.
  • Transaction Monitoring and Suspicious Transaction Reporting to the Financial Intelligence Unit (FIU) and VARA.
  • Compliance with the FATF Travel Rule for Virtual Asset transfers.
  • Record Keeping for at least eight years for all AML-related documents.

Dubai International Financial Centre (DIFC)

The Dubai Financial Services Authority (DFSA) oversees crypto regulations within the DIFC. In March 2022, DFSA issued Consultation Paper No. 143, outlining regulatory frameworks for crypto tokens. These complement previous guidelines under Consultation Paper No. 138, which focuses on investment tokens, setting standards for businesses operating in the DIFC.

Abu Dhabi Global Market (ADGM)

The Financial Services Regulatory Authority (FSRA) supervises ADGM-based companies. Since 2015, the FSRA has regulated crypto assets under the Financial Services and Markets Regulations (FSMRs) and introduced a Crypto Asset Legislative Framework in 2018. In 2022, FSRA issued six guiding principles to outline its approach to Virtual Asset regulation, which include:

  1. A Robust and Transparent Risk-Based Regulatory Framework: FSRA’s framework includes activity-specific rules to protect customers and ensure market stability.
  2. High Standards for Authorization: FSRA sets stringent entry standards for VASPs, requiring applicants to demonstrate effective controls and align with FSRA’s risk appetite.
  3. Preventing Money Laundering and Financial Crime: ADGM’s AML/CFT standards align with federal and FATF guidelines, ensuring transparent ownership and prohibiting transactions with anonymous entities.
  4. Risk-Sensitive Supervision: FSRA conducts continuous risk assessments tailored to each firm’s size, nature, and complexity.
  5. Commitment to Enforce Regulatory Breaches: FSRA has authority to investigate and penalize non-compliance within ADGM.
  6. International Cooperation: FSRA collaborates with global regulators and supports international standards for sustainable Virtual Asset growth, participating in organizations like FATF and IOSCO.

These frameworks reflect the UAE’s commitment to establishing a secure and well-regulated environment for Virtual Assets across all its jurisdictions, supporting both local and international best practices.

AML/CFT Regulations and Obligations for Virtual Asset Service Providers (VASPs) in the UAE

With the inherent anonymity and decentralized nature of Virtual Assets, the Financial Action Task Force (FATF) has emphasized the need for robust Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) regulations for Virtual Asset Service Providers (VASPs). In line with FATF recommendations, the UAE has implemented a comprehensive regulatory framework to govern VASPs. Key regulations include:

  • Cabinet Resolution No. (111) of 2022: Regulates Virtual Assets and their service providers in the UAE.
  • Federal Decree-Law No. (20) of 2018: Establishes the UAE’s AML/CFT framework, which has been expanded by subsequent amendments to apply to VASPs.
  • Federal Decree-Law No. (26) of 2021: Extends AML/CFT obligations to VASPs, previously applicable only to financial institutions and designated non-financial businesses.
  • Cabinet Decision No. (10) of 2019 and Resolution No. (24) of 2022: Updates AML/CFT regulations and implements UN resolutions on combating terrorism financing.
  • Cabinet Decision No. (74) of 2020: Enforces compliance with international standards for combating terrorism and proliferation financing.
  • VARA Compliance & Risk Management Rulebook: Sets specific AML/CFT compliance obligations for VASPs in Dubai.

Key AML/CFT Obligations for VASPs

(a) AML/CFT Compliance Requirements

VASPs are required to:

  • Appoint a Compliance Officer to oversee the AML/CFT program.
  • Establish an AML/CFT Policy tailored to address risks related to Virtual Assets, including red-flag indicators for potential money laundering or terrorism financing.
  • Conduct Risk-Based Business Assessments to identify and mitigate risks specific to Virtual Asset transactions.
  • Screen Customers and Perform Enhanced Due Diligence based on the risk associated with Virtual Asset activities.
  • Monitor Virtual Asset Transactions and Wallet Addresses for suspicious activities.
  • Report Suspicious Transactions to relevant authorities.
  • Train Employees and Management on AML/CFT protocols.
  • Conduct Periodic Audits of the AML/CFT framework by an independent party.
  • Submit Annual Risk Assessment Reports to demonstrate ongoing compliance.

(b) Virtual Asset AML/CFT Compliance Policy

A VASP’s compliance policy is essential for adhering to regulatory requirements. This policy should be in line with the AML/CFT regulations set by VARA and other UAE authorities and provide a clear framework for managing risks related to Virtual Asset activities.

(c) Technology-Driven KYC, Screening, and Transaction Monitoring

VASPs are encouraged to utilize advanced technology for AML/CFT compliance:

  • Know Your Customer (KYC): Authorities suggest using digital tools to facilitate remote KYC, such as requiring customers to upload a “selfie” along with a photo ID, and employing facial recognition to verify identity.
  • Real-Time Screening: VASPs should implement tools to screen customers against international and local sanctions lists continuously, monitor Virtual Asset transactions, and verify wallet addresses.
  • Know Your Transaction (KYT): VASPs are advised to use KYT measures to track the entire transaction lifecycle, gathering details on the transaction’s origin, parties, and Virtual Asset types involved.
  • Enhanced Monitoring and Documentation: Additional information, such as the IP address and wallet details, should be collected to provide a comprehensive transaction record.

The UAE’s comprehensive regulatory approach aims to integrate advanced technologies into AML/CFT compliance for VASPs, ensuring that Virtual Asset transactions are transparent and that VASPs operate within a secure, regulated environment.

ML/FT Typologies and Red-Flag Indicators Related to Virtual Assets (VA)

Given the risks associated with Virtual Assets, understanding common Money Laundering (ML) and Financing of Terrorism (FT) typologies is essential for Virtual Asset Service Providers (VASPs) to recognize and mitigate potential threats.

1. ML/FT Typologies Related to Virtual Assets

  • Frequent Cash Withdrawals: Repeated, large withdrawals from bank accounts, especially when paired with cashless transactions from Virtual Asset sales, can indicate suspicious activity.
  • Virtual Currency Purchases with Suspicious Characteristics: Indicators include using cash for purchases, avoiding identity checks, offering unusually high exchange rates, or conducting exchanges in public places.
  • Use of Mixers: Using mixers or tumblers during Virtual Asset transactions to obscure the transaction trail is a red flag.
  • Non-Compliant Exchanges: Utilizing unregistered or non-compliant exchanges for fiat-to-Virtual Asset conversions.
  • Cryptocurrency ATMs: Frequent use of ATMs to convert fiat into Virtual Assets and vice versa can be indicative of illicit activities.
  • Cross-Wallet Activities: Transactions involving multiple customers and wallets without clear business explanations.

2. ML/FT Red-Flag Indicators for VASPs

A. Red Flags Related to Transaction Size and Frequency
  • Smurfing: Structuring transactions to avoid reporting thresholds.
  • High-Frequency Transactions: Rapid, large-value transactions within a short timeframe, or using dormant accounts.
  • International Transfers: Transferring VAs to jurisdictions lacking AML/CFT regulations, or with no connection to the user’s location.
  • Redundant Deposits and Withdrawals: Depositing and quickly withdrawing without any apparent business purpose.
B. Red Flags Related to New User Transactions
  • Inconsistent Large Deposits: Large deposits during account setup inconsistent with the user’s profile.
  • Quick Withdrawals or Trades: Deposits and immediate withdrawals or trading in substantial amounts, raising concerns about layering or potential fraud.
C. Red Flags Related to General Transaction Patterns
  • Multiple Account Activities: Transactions across multiple accounts with no apparent reason.
  • Repetitive Transfers to a Single Wallet: Frequent transfers to the same wallet from different accounts or IP addresses.
  • Immediate Conversion and Withdrawals: Converting VAs to fiat at a loss or rapidly moving funds between wallets, which can indicate attempts to obscure the transaction path.
D. Red Flags Related to Anonymity in VA Transactions
  • Preference for High-Anonymity VAs: Users consistently opting for privacy-centric Virtual Assets, despite higher fees.
  • Use of Unlicensed VASPs: Engaging with P2P exchanges that are unregistered, especially those charging high fees for anonymity.
  • Mixing Services: Usage of services that provide mixing/tumbling, or VA transfers associated with darknet markets or gambling sites.
E. Red Flags Related to Account Creation and User Identity
  • Irregular Account Creation Activities: Frequent account creation from the same IP address, or accounts registered from high-risk jurisdictions.
  • Unusual KYC Behaviors: Hesitancy or refusal to provide KYC documents, or submitting false information or forged documents.
F. Red Flags About User Profiles and Potential Money Mules
  • Suspicious User Profiles: Public associations with illegal activities or inconsistent user behavior suggestive of financial exploitation.
  • Inexperienced Users in High-Risk Transactions: Individuals with little understanding of VAs conducting high-risk transactions, possibly as victims of fraud or money muling.
G. Red Flags About Source of Funds or Wealth
  • Suspicious Funding Sources: Usage of pre-paid cards, mixing services, or rapid conversions of fiat to VA without clear fund origins.
  • Investments in Questionable ICOs: Sourcing funds from fraudulent ICOs, or using cash deposits on credit cards to purchase VAs.
H. Geographical Risks
  • High-Risk Jurisdictions: Preference for exchanges in countries with weak AML/CFT regulations or trading in jurisdictions unrelated to the user’s primary location.

How NAM Accountants Can Assist

VASPs in the UAE must adhere to both UAE-specific and FATF guidelines on AML/CFT. Services can include:

  • Assessing VASP Activities: Determining if your activities fall under FATF-defined VASP obligations.
  • Documentation Support: Helping with AML/CFT policy documentation and ensuring compliance.
  • Training Programs: Offering training for staff on AML/CFT requirements and recognizing ML/FT indicators.

By understanding and adhering to these regulations and implementing proper compliance frameworks, VASPs can mitigate ML/FT risks and contribute to a safer Virtual Asset environment.

 

Share

Book Consulation Now

Enter the Captcha

Related Blog & Article