The Riffle

The Virtual Assets Regulatory Authority (VARA) has provided valuable insight into what it considers good practice for AML/CFT Business Risk Assessments (BRAs) within the virtual assets sector.

Drawing from supervisory observations during its 2026 thematic review, the guidance reinforces that a BRA should be more than a compliance document. It should function as a living risk management framework that informs decision-making, resource allocation and financial crime controls across the business.

The guidance places particular emphasis on board accountability, quantitative risk assessment methodologies, virtual asset-specific risk factors and the integration of operational data into risk scoring.

Key Highlights

1. Board ownership is non-negotiable

While the MLRO remains responsible for preparing and maintaining the BRA, ultimate accountability rests with the Board.

VARA expects formal Board approval, documented challenge of risk conclusions and independent validation of methodologies. A passive sign-off process is unlikely to meet supervisory expectations.

2. Risk assessments must be supported by data

VASPs are expected to move beyond subjective risk assessments and incorporate measurable operational data into their BRA frameworks.

Examples include:

  • Customer risk distributions

  • Transaction monitoring alerts and escalation rates

  • Sanctions screening outcomes

  • Geographic exposure analysis

  • Internal audit and compliance testing results

The objective is to ensure risk ratings are evidence-based, transparent and repeatable.

3. Virtual asset-specific risks must be assessed separately

Thematic review findings indicate that VASPs should explicitly assess risks unique to the sector, including:

  • Unhosted wallets

  • Anonymity-enhanced virtual assets (AETs)

  • DeFi and smart contract activity

  • Stablecoin-related risks

  • AI-enabled fraud and synthetic identities

These risks should form part of the inherent risk assessment rather than being treated as peripheral considerations.

4. Proliferation financing requires dedicated attention

VARA expects proliferation financing (PF) to be assessed independently from money laundering and terrorist financing risks.

The guidance highlights the importance of assessing exposure to proliferation-sensitive jurisdictions, sanctions evasion typologies and complex transaction structures, while ensuring alignment with Targeted Financial Sanctions (TFS) obligations and UAE reporting requirements.

5. Business Risk Assessments should drive operational decisions

A BRA should directly influence how compliance resources and controls are deployed.

Examples include:

  • Revising transaction monitoring thresholds

  • Enhancing blockchain analytics coverage

  • Updating CDD and EDD procedures

  • Reallocating compliance resources to higher-risk activities

VARA also reminds VASPs that BRAs must be reviewed at least every three months and updated whenever material changes occur.

Why It Matters

The guidance provides a clear indication of the standards VARA expects during supervisory reviews and inspections.

For licensed VASPs, the message is straightforward: a Business Risk Assessment is no longer viewed as a static compliance requirement. Regulators increasingly expect it to be evidence-driven, regularly refreshed and integrated into day-to-day risk management practices.

Firms that continue to rely on qualitative assessments, generic methodologies or infrequent reviews may face greater scrutiny, particularly given the UAE’s focus on strengthening financial crime controls within the virtual assets sector.

The Riffle Takeaway

VARA’s thematic review signals a shift towards more mature and operationally integrated AML/CFT risk frameworks. VASPs should ensure their Business Risk Assessments are Board-owned, supported by quantitative data, tailored to virtual asset risks and actively used to inform compliance decisions. The firms that treat the BRA as a strategic risk management tool, not merely a regulatory document, will be best positioned to meet supervisory expectations.

Read the full briefing document presented by 10 Leaves here:

Guidance for AML_CFT Business Risk Assessments in the Virtual Assets Sector.pdf
