Dubai VARA issues new crypto regulatory rules: VASPs must update risk assessments every quarter and obtain mandatory board approval

On June 12, the Virtual Asset Regulatory Authority (VARA) of Dubai published the “Good Practice Guide for VASP AML/CFT Business Risk Assessments,” which clearly requires that all licensed Virtual Asset Service Providers (VASPs) complete an AML/CFT Business Risk Assessment (BRA) review every three months and obtain formal approval from the Board (or an equivalent governance body)—approval by senior management alone does not meet the requirement.

Legal obligations for BRA confirmed by VARA Section III.D

Under the legal requirements confirmed by Section III.D of the “VARA Compliance and Risk Management Rules Manual”:

Maximum review interval: no more than three months (Rule III.D.3)

Material change triggers an update: any material change in any of the areas listed in Rule III.D.2 requires the BRA to be updated immediately

Effectiveness validation obligation: a VASP must demonstrate to VARA that the BRA results directly inform the formulation and updates of its AML/CFT policies, procedures, systems, and controls (Rule III.D.4)

Scope: the BRA must reflect the VASP’s specific business activities, customer base, product suite, geographic distribution, and the threat environment reflected in the United Arab Emirates National Risk Assessment (NRA)

VARA confirms that approval by senior management alone cannot provide equivalent independent challenge or governance accountability; the BRA must be formally approved by the Board, and the record must include the specific approval dates and the substance of the Board’s discussions or challenges.

Three Lines of Defense model and confirmation requirements for MLRO ownership

Governance structure requirements confirmed in VARA’s guidance:

First line of defense: compliance and the MLRO function are responsible for preparing the BRA and for ownership of its content

Second line of defense: risk functions or the Board provide independent challenge

Third line of defense: internal audit independently verifies the BRA methodology and the effectiveness of controls; if internal audit capacity is limited, the function may be delegated to an independent external party, which carries it out on a risk cycle

The guidance also confirms that VARA’s 2026 BRA topic review uses a dual approach: a structured questionnaire (covering eight topics, including governance and senior management accountability, scope and methodology, and data sources and evidence basis) and detailed regulatory analysis of the BRA documents submitted by VASPs.

Requirements for quantitative assessment methodology and data integration

Good-practice methodology requirements confirmed in VARA’s guidance:

Quantitative scoring framework: use a numerical scoring matrix (typically a five-point likelihood and consequence scale); control effectiveness uses a defined multi-level scoring approach; individual risk category scores are aggregated into an overall BRA risk rating via recorded heatmap summaries

Data integration requirements: must include the distribution of customer risk ratings, transaction monitoring alert data, STR/SAR trends and volumes, sanctions screening results, product transaction volumes and geographic distribution, and exposure to high-risk jurisdictions

External reference sources: UAE NRA, FATF lists of high-risk jurisdictions, FATF typologies reports, MENAFATF guidance, and UAE FIU strategic analysis documents must be explicitly cited in the BRA

FAQ

What is the latest that a quarterly BRA update required by VARA must be completed?

Under Section III.D.3 of the “VARA Compliance and Risk Management Rules Manual,” the BRA review interval must not exceed three months (i.e., at least once per quarter). In addition, if a material change occurs in an area specified in Rule III.D.2, an update must be made immediately regardless of how long it has been since the last review.

Why does approval of the BRA by senior management alone not meet VARA requirements?

According to VARA’s guidance, the Board’s core role is to provide independent challenge to the MLRO’s conclusions (particularly the adequacy of the residual risk ratings, assumptions about control effectiveness, and the sufficiency of the risk appetite framework). Approval by senior management alone cannot provide an independent challenge of the same quality or governance accountability, and therefore does not meet the requirement.

Does VARA’s BRA topic review cover all licensed VASPs?

As explained in the guidance, VARA conducts periodic industry-wide BRA topic reviews across all licensed VASPs using a dual approach: a structured questionnaire (covering eight topic areas) and a detailed regulatory analysis of the BRA documents submitted by VASPs. This guidance is issued based on the regulatory observations from the 2026 BRA topic review.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.