AML/CFT Compliance service

What Virtual Asset Service Providers Need to Know Before the 30 May 2026 Deadline

As Dubai continues to position itself as a leading global hub for digital assets, ESG (Environmental, Social, and Governance) compliance has evolved from a voluntary best practice into a regulatory requirement.

With the introduction of ESG obligations under the Dubai Virtual Assets Regulatory Authority (VARA) framework, alongside the UAE’s Federal Decree-Law No. 11 of 2024 on Climate Change, Virtual Asset Service Providers (VASPs) are now expected to establish formal ESG governance, climate reporting mechanisms, and annual disclosures.

This guide addresses key compliance considerations, reporting obligations, and the implications of non-compliance.

Quick Answer: Is ESG compliance mandatory for crypto businesses in Dubai?

Yes, ESG and climate reporting are now mandatory for all VARA-licensed VASPs under the UAE’s federal and local regulatory frameworks. Firms must implement formal Measurement, Reporting, and Verification (MRV) systems for greenhouse gas emissions and broader governance metrics by the 30 May 2026 deadline. Failure to comply poses significant financial risks, with potential enforcement penalties reaching up to AED 50,000,000 or 15% of annual revenue for corporate entities.

Is ESG reporting mandatories for all VASPs in Dubai?

Yes. Under the VARA Company Rulebook, ESG disclosure forms part of the regulatory expectations for licensed VASPs.

The scope and depth of reporting may vary depending on the size, nature, and complexity of operations, as determined during the licensing and supervisory process. However, most VASPs are expected to establish internal ESG procedures, governance structures, and annual reporting practices.

How does the UAE Climate Change Law impact crypto businesses?

The UAE’s Federal Decree-Law No. 11 of 2024 requires entities operating in the UAE, including free zone entities, to measure, monitor, and report greenhouse gas (GHG) emissions.

Importantly, the regulation applies broadly and does not prescribe a minimum revenue or employee threshold, meaning even early-stage or smaller VASPs may fall within scope.

What Scope 3 emissions are relevant to VASPs?

For VASPs, Scope 3 emissions typically include indirect emissions arising across the value chain, including:

• Cloud infrastructure and third-party data centres
• Mining or staking-related activities facilitated through the platform
• Vendor and outsourced service provider emissions
• Employee business travel and commuting

What environmental metrics should VASPs monitor?

Typical environmental disclosures include:

• Energy consumption, including renewable energy usage percentages
• Carbon emissions and emission intensity, such as energy consumption per transaction or revenue unit
• Electronic waste management, including IT asset procurement and disposal practices

Are social and governance disclosures required?

Yes. ESG obligations extend beyond climate reporting.

VASPs are expected to disclose governance and social metrics including:

• Diversity and Inclusion (D&I) metrics
• Board oversight of sustainability risks
• Ethics and compliance controls, including anti-bribery and anti-corruption frameworks

VARA also expects sufficient public transparency, including website disclosures where applicable.

What is the compliance deadline?

While several VARA ESG requirements became effective in June 2025, the key federal milestone is 30 May 2026

Deadline for full greenhouse gas reporting compliance under the UAE Climate Change Law.

Organizations should have internal Measurement, Reporting, and Verification (MRV) systems operational well in advance.

Which reporting standards should be used?

Entities are generally expected to align with internationally recognized frameworks, including:

• IFRS S1 & IFRS S2 (ISSB Standards)
• Global Reporting Initiative (GRI)
• Task Force on Climate-related Financial Disclosures (TCFD)

Federal submissions must also be completed through the UAE’s designated MRV platform.

What are the penalties for non-compliance?

Failure to comply may result in substantial financial penalties.

Federal penalties:

• AED 50,000 to AED 2,000,000 for initial violations

VARA enforcement powers:

• Up to AED 20,000,000 for individuals
• Up to AED 50,000,000 or 15% of annual revenue for corporate entities in cases of serious breaches

What happens in case of repeat violations?

Repeat violations may trigger escalated enforcement.

Under Federal Decree-Law No. 11:

• Penalties may be doubled for repeat offenses within two years, reaching up to AED 4,000,000

VARA may similarly increase penalties for repeated rulebook breaches.

Are there enforcement actions beyond fines?

Yes. Regulatory consequences may also include:

• Written reprimands
• Corrective action orders or cease-and-desist notices
• License suspension or revocation
• Public censures or mandated disclosure of violations

Is external assurance required?

VARA currently requires annual financial statements to be independently audited.

For ESG and climate disclosures, the UAE regulatory landscape is increasingly moving toward external assurance as a standard practice to strengthen reporting credibility and mitigate greenwashing risk.

How should VASPs begin?

Organizations should begin with a structured ESG readiness assessment, including:

• Gap analysis against VARA and federal requirements
• Identification of required ESG data points
• Design of governance and reporting processes
• Implementation of climate data collection mechanisms

Given the complexity and evolving regulatory expectations, early preparation is critical.

How Affiniax Partners Can Help

At Affiniax Partners, we support VASPs, fintech firms, and regulated digital asset businesses in building practical and regulator-ready ESG compliance frameworks.

Our services include:

•       ESG & Climate Readiness Assessments
•       GHG Emissions Measurement & Reporting
•       ESG Governance Framework Development
•       Reporting & Disclosure Support
•       Independent Assurance & Advisory

Affiniax Partners can help organizations move from compliance uncertainty to regulatory readiness through tailored ESG advisory and implementation support.

In an increasingly complex financial crime landscape, AML screening has evolved from a periodic compliance exercise into a continuous, real-time obligation. Regulators now expect organizations to identify and respond to risks as they emerge, rather than after the fact.

Against this backdrop, the integration of Artificial Intelligence (AI) into AML screening frameworks is redefining how organizations monitor sanctions, identify Politically Exposed Persons (PEPs), and manage financial crime risks proactively.

AI is no longer a futuristic concept; it is rapidly becoming a core component of effective, scalable, and defensible compliance programs.

The Limitations of Traditional AML Screening

Traditional AML screening frameworks were designed for a slower, less complex environment. These models typically rely on:

• Batch-based screening at onboarding
• Periodic re-screening cycles (monthly or quarterly)
• Static, rule-based name matching
• Manual alert review and escalation

While these methods provide a baseline level of compliance, they present critical limitations in today’s environment.

Delayed detection is one of the most significant risks. A customer added to a sanctions list between screening cycles may go undetected for days or even weeks. Similarly, changes in a customer’s PEP status may not be identified in time to trigger enhanced due diligence.

Additionally, high false positive rates generated by basic name-matching algorithms create operational inefficiencies. Compliance teams often spend disproportionate time reviewing low-risk alerts, diverting attention from genuinely suspicious cases.

Perhaps most importantly, traditional systems lack contextual intelligence they are unable to assess risk holistically by considering multiple data points such as geography, transaction behaviour, or adverse media.

The Shift to AI-Driven AML Screening

AI-powered AML screening introduces a dynamic, adaptive, and intelligence-led approach to compliance.

Rather than operating on static rules, AI systems continuously:

• Ingest and update global sanctions and PEP data
• Analyse customer profiles and transaction behaviour
• Learn from historical alert outcomes and investigator decisions
• Adjust risk scoring models based on evolving patterns

This transition enables organizations to move from reactive compliance to proactive risk management. AI systems not only improve detection capabilities but also enhance speed, scalability, and consistency, allowing organizations to manage large volumes of data without compromising on accuracy.

Key Capabilities of AI in AML Screening

1. Real-Time Sanctions Screening

AI enables continuous monitoring against multiple global sanctions lists, including international and local authorities.

Unlike periodic screening, AI systems:

• Instantly reflect updates to sanctions lists
• Trigger alerts as soon as a match or near match is detected
• Enable pre-transaction screening in real time

Why it matters:

Organizations can prevent prohibited transactions before they occur, significantly reducing regulatory and reputational exposure.

2. Advanced Name Matching and Fuzzy Logic

Name screening remains one of the most challenging aspects of AML compliance, particularly in regions with diverse naming conventions.

AI enhances matching capabilities through:

• Fuzzy logic to identify close variations in spelling
• Phonetic algorithms to detect similar-sounding names
• Contextual filters using additional identifiers such as nationality or date of birth

Why it matters:

This significantly reduces false positives while improving detection accuracy, ensuring that high-risk matches are not overlooked.

3. Dynamic PEP Identification

PEP status is not static individuals may become politically exposed due to elections, appointments, or affiliations.

AI-driven systems:

• Continuously monitor global databases and public sources
• Automatically update customer risk classifications
• Differentiate between varying levels of PEP risk

Why it matters:

Organizations can maintain ongoing compliance with enhanced due diligence requirements, rather than relying solely on onboarding checks.

4. Adverse Media and Risk Intelligence

AI leverages natural language processing (NLP) to analyse vast amounts of unstructured data from news outlets, regulatory announcements, and public records.

It can identify:

• Allegations of financial crime
• Links to illicit activities
• Emerging reputational risks

Why it matters:

This provides a broader and more nuanced risk perspective, going beyond traditional sanctions and PEP screening.

5. Intelligent Alert Prioritization

AI helps address one of the biggest operational challenges in AML compliance alert fatigue.

Through machine learning, systems can:

• Assign risk scores to alerts
• Learn from historical decisions to refine prioritization
• Highlight high-risk cases for immediate review

Why it matters:

Compliance teams can focus their efforts on material risks, improving both efficiency and effectiveness.

Integration with Real-Time Compliance Frameworks

AI-driven screening delivers maximum value when embedded into end-to-end compliance ecosystems.

Integration with core systems such as onboarding platforms, transaction monitoring tools, and payment systems enables:

• Real-time screening at customer onboarding
• Continuous monitoring throughout the customer lifecycle
• Immediate escalation or blocking of suspicious transactions

This creates a seamless compliance workflow, where risk detection and response are integrated into everyday operations rather than treated as separate processes.

Regulatory Expectations and Alignment

Regulators in the UAE and globally are increasingly emphasizing:

• Real-time sanctions compliance
• Continuous monitoring of customer risk
• Effective identification and classification of PEPs
• Demonstrable use of technology to enhance compliance frameworks

Importantly, supervisory focus has shifted toward effectiveness and outcomes. Organizations are expected to demonstrate that their systems identify risks accurately, respond promptly, and are supported by robust governance and oversight.

Implementation Challenges

While AI offers significant advantages, its implementation is not without challenges.

Organizations often face:

• Data quality issues, which directly impact model accuracy
• Integration complexities with legacy systems
• Concerns around explainability, particularly in regulatory environments
• Resource and cost considerations

To address these challenges, organizations must adopt a balanced approach, combining technological innovation with strong governance and human oversight.

Best Practices for Successful Implementation

To maximize the benefits of AI-driven AML screening, organizations should focus on:

• Strengthening data quality and standardization
• Adopting a hybrid model that combines AI with expert judgment
• Ensuring transparency and documentation of AI-driven decisions
• Conducting regular model validation and testing
• Investing in training and upskilling compliance teams

A structured implementation approach ensures that AI enhances, not complicates compliance efforts.

The Strategic Advantage of Automation

Organizations that successfully integrate AI into AML screening frameworks benefit from:

• Faster and more accurate risk detection
• Reduced manual workload and operational costs
• Improved regulatory compliance and audit readiness
• Enhanced customer experience through streamlined onboarding

Beyond compliance, AI adoption signals operational maturity and forward-thinking governance, strengthening stakeholder confidence.

Conclusion

The evolution of AML compliance is being driven by speed, complexity, and data  and traditional screening approaches are no longer sufficient. AI-powered AML screening enables organizations to transition toward real-time, intelligence-led compliance, where risks are identified and addressed as they emerge.In this new paradigm, the question is no longer:

“Are you screening your customers?”

But rather:

“Are you equipped to detect and respond to risk in real time?”

Organizations that embrace this shift will not only meet regulatory expectations but position themselves as resilient, efficient, and future-ready in an increasingly demanding compliance environment.

Upgrade to Real-Time AML Compliance Today. Discover how AI can transform your sanctions screening and PEP monitoring with faster, smarter, and more accurate risk detection at Affiniax.

What has changed in the UAE’s AML/CFT/CPF framework for VASPs?

Federal Decree-Law No. (10) 2025 on Anti-Money Laundering, Combating the Financing of Terrorism, and Proliferation Financing took effect on 14 October 2025. It expressly brings VASPs under direct AML/CFT/CPF supervisory oversight, aligning with FATF standards and strengthening virtual asset regulation.

Who does this apply to?

All VASPs operating in the Emirate of Dubai fall within scope and must meet the updated obligations set by VARA.

What are the enhanced expectations for VASPs?

VASPs must comply with:

• Stronger preventive measures
• Expanded beneficial ownership and transparency requirements
• Heightened penalties and exposure
• Formalized supervisory scrutiny by the regulator

What is the mandatory GAP assessment and what should it cover?

It’s a comprehensive, clause-by-clause review of your current compliance framework against the 2025 AML Decree-Law. It must assess:

• Policies and procedures
• Systems and internal controls
• Governance and oversight mechanisms
  The mapping should explicitly reference preventive measures, supervisory obligations, and penalties requirements.

When is the GAP Assessment Report due and what must be submitted?

Within 60 calendar days from the date of the VARA circular/notification, VASPs must submit:

• A clause-by-clause GAP assessment
• A Board-approved remediation plan (with owners, milestones, timelines)
• Evidence of immediate, risk-based mitigation for high-risk gaps

What are the remediation and training timelines?

• Within 90 days:
  • Implement priority control fixes
  • Deliver targeted, role-based AML/CFT training, including for senior management
• Within 120 days:
  • Close remaining gaps
  • Submit a completion confirmation signed by the Compliance Officer
  • Obtain Board / Audit & Risk Committee approval

What records must VASPs maintain for inspection?

• Detailed working papers- Testing and validation evidence
• Board minutes approvals
  All documentation must be readily available for regulatory inspection.

What are the consequences of non-compliance?

Failure to meet these obligations may trigger enforcement actions under the Regulations and Federal AML/CFT laws, including significant penalties and potential operational restrictions.

How can VASPs practically approach the GAP assessment?

Consider the following steps:

• Appoint a project lead and secure Board sponsorship.
• Inventory policies, procedures, systems, and governance documents.
• Perform clause-by-clause mapping against the 2025 AML Decree-Law.
• Identify high-risk gaps and apply immediate risk-based mitigations.
• Develop a remediation plan with clear owners, milestones, and timelines.
• Roll out targeted, role-based training (including senior management).
• Prepare and submit the 60-day package; track 90- and 120-day commitments.
• Maintain complete working papers, testing evidence, and Board approvals for inspection readiness.

How can Affiniax Partners help?

Affiniax Partners specializes in AML, VARA compliance, and risk advisory for virtual asset businesses. We provide end-to-end support for the mandatory GAP assessment, remediation planning, training, and regulatory submission readiness.