AML regulations for Virtual Assets Service Providers in UAE

Blogs

Protect your business with reliable and effective AML strategies with AML UAE.

AML regulations for Virtual Assets Service Providers in UAE - Crypto AML Regulations in UAE

With the growing acceptance and attractiveness of Virtual Assets and the ever-increasing prominence of blockchain technology across various sectors of life, the Virtual Assets industry is booming in leaps and bounds. The virtual assets segment is directly impacting the financial sector and the economy as a whole.

With the increased movement in Virtual Assets, the need for intermediaries is also rising who can support and facilitate these transactions. We generally call them “Virtual Assets Service Providers.”

Given the above, it is critical to understand what the terms “Virtual Assets” and “Virtual Asset Service Providers” mean.

What is Virtual Assets?

Before we go to the phrase – Virtual Asset Service Provider, it is very critical to understand what Virtual Asset (“VA”) is and what all can be classified as such. As laymen for us, Virtual Assets are cryptocurrencies. But in reality, the VA is a broad concept evolving every moment, even as we read this.

Here, we can refer to the definition of “Virtual Asset” as prescribed by FATF, which reads as under:

“ a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes.”

Recently, in the Cabinet Resolution No. (111) of 2022, the phrase “Virtual Asset” has been defined as under:

A digital representation of the value that can be traded or transferred digitally, can be used for investment purposes, and does not include digital representations of paper currencies, securities or other funds.

As apparent from the definition, the critical elements of a Virtual Asset are as under:

VAs must be digital
It should have the ability to be traded digitally and transferred so
Should carry some value, as to be used for payment or investment.

It is all possible and enabled by the use of “Distributed Ledger Technologies” (DLT), which has revamped the financial services sector to a great extent.

The most common example of VA is virtual currencies such as Bitcoin, Ether, Dogecoin, and Stablecoins.

It is critical to note that VA does not include digital representations of fiat currencies, shares, securities, or any such financial asset. These are just e-money and not virtual assets. The reason is that mere digital representation of such assets does not easily imbibe a feature to trade or transfer the same digitally. For example, the fiat currency stored in a bank be easily transferred from one account to another, and ownership can be changed but cannot trade the same as such; thus, it lacks one of the fundamental characteristics of VA.

Accordingly, it is critical to understand and note that for a financial asset to qualify as VA, it should have an inherent quality of being traded and transferred digitally.

As we are discussing VA, it is to be noted that VA and the phrase “Digital Assets” (DA) are being used interchangeably by the public. It is imperative to understand that term “Virtual Asset” cannot be used in the context of every “Digital Asset,” as every DA need not be a VA, but every VA has to be necessarily a DA. Instead, DA is a broader connotation that includes the non-fungible tokens* (NFT) and VAs.

*NFTs are unique (may not be interchangeable amongst the NFT community) digital assets used as collectibles rather than as a mode of payment or investment. As such assets do not satisfy the primary feature of being used for payment/investment purposes, the same is not considered as VA, per FATF guidelines.

What is Virtual Assets Service Provider?

Having had a brief idea about virtual assets, it is pertinent to understand what Virtual Asset Service Provider (VASP) is. Here also, we would refer to the definition of VASP as provided by FATF, as under:

“a business which conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

an exchange between virtual assets and fiat currencies;
exchange between one or more forms of virtual assets;
transfer of virtual assets; (transfer means to conduct a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another)
safekeeping and administration of virtual assets or instruments enabling control over virtual assets;
participating in and provision of financial services related to an issuer’s offer or sale of a virtual asset;

The use of the word “conducts” in the opening line of the definition indicates that for a service provider to qualify as VASP, it need not necessarily be the primary provider but also includes a person who helps in the active facilitation of services, i.e., the person who assists in carrying out of the services.

Further, the phrase “as a business” in definition clarifies its scope, which is limited to the only person who carries out the VA-related activities for or on behalf of someone else for a commercial reason. It signifies the exclusion of persons carrying out VA activities for their benefit on an irregular or infrequent basis, without any commercial sense or facilitating anyone else.

Now, we will evaluate each of these five subsections of the definition to understand what all sorts of activities related to VA would get covered here.

1. The exchange between virtual assets and fiat currencies

A person, natural or legal, carrying out an activity of converting the fiat currency into virtual assets or vice versa in the course of its business, then such a service provider would be construed as VASP.

2. The exchange between different types of virtual assets

A person carrying out an activity of exchanging one type of virtual assets for another, i.e., a person providing services of offering one form of VA against exchange or payment of a different kind of VA, then such a service provider would be a VASP.

3. Transfer of virtual assets

Here, it is vital to understand the context in which the term “transfer” has been used. As clarified by FATF, “transfer” means to conduct a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another.

Accordingly, any person conducting a business activity, assisting or facilitating the transfer of ownership of the VA or even transfer of own VA of a person from one wallet to another.

Let us discuss some examples and sample cases around who can be considered as VASP or how to identify VASP in the context of exchange or transfer of VAs.

It is pertinent to note that, most of the time, such exchange or transfer of VA takes place using some decentralized technology, where such VA exchange platforms have been created. Such software programs are “Decentralized or Distributed Application (DApp),” which operates on blockchain technology and facilitates digital assets and their transfer. The name suggests that such software or platforms run on a decentralized ledger. However, generally, these applications have a single authoritative party having specific controls over the software or application, which may include control over creating and launching a VA, enhancing the functionalities of the application and user interfaces, or collecting the fees. Thus, such DApp or software collects specific fees (generally in VAs) from the users for using or interacting with the DApp, which facilitates the exchange or transfer of VAs. These fees collected by applications go to the owner/developer, the application operator, or for the benefit of the community of such DApp.
Such applications or software programs cannot be construed as VASP; however, the creator or operator of such application may be construed as VASP, as they are providing services to the users or facilitating the exchange or transfer of the VA using their software or application.
Services related to Virtual Asset Escrow are used when sending/receiving or transferring the fiat currency in exchange for VAs when the custody of the funds is with the service provider.
Brokerage services, where the provider facilitates issuing VAs and trading the same on behalf of the third person.
Advanced trading and Order-book exchange services enable the parties to find each other, discover prices, access more sophisticated trading techniques (trading on margin or algorithm-based trading), and trade VA.
Note that an application merely providing a platform for the buyers and sellers to find each other without facilitating the transaction between them would not be construed as a VASP.
Virtual Asset Exchanges, which facilitates the exchange of VA for fiat currencies (cash, credit cards, wire transfers, etc.) against fees or commissions.
Service providers offering the Crypto-ATMs would be treated as VASPs as they actively facilitate the exchange of VAs and fiat currencies through the kiosks.

4. Safekeeping or administration of virtual assets or instruments enabling control over virtual assets

Generally, the term “safekeeping” and “administration” of VA can be read in the same context, wherein the service provider would have the custody of the VA or the private key unique to the VA and carry out the transactions as instructed by the owner of the VA or the smart contracts on behalf of the service recipient. Further, as an extension, the term “control” indicates that the provider of such services would have capabilities or the power to trade/transfer the VA on behalf of the recipient.

A few examples of service providers fitting into this basket of services would be the companies providing custodial wallet service as they would be holding someone else’s VA.

It is critical to note that it would not include the providers offering auxiliary services such as providing internet or data storage services or software to the VASP (who is managing or controlling the VAs of the recipient of services), rather than engaging with ultimate recipients and accessing their VA.

5. Participating in and provision of financial services related to an issuer's offer or sale of a virtual assets

This clause covers the services concerning Initial Coin Offerings (ICO), a way to raise funds for new projects from early backers. It includes a person participating in ICO or providing financial services related to ICO. It includes purchasing VAs from an issuer to resell and distribute the same, book building, ICO underwriting, etc.

UAE Blockchain strategy 2021

In 2018, UAE government came up with its blockchain strategy 2021. Given the advantages of blockchain technology, the UAE blockchain strategy aims to transform 50% of government transactions on the blockchain platform by 2021. By adopting blockchain technology, the UAE government intends to save:

AED 11 billion in transactions and documents processed routinely
398 million printed documents annually; and
77 million work hours annually.

Regulatory frameworks in UAE to govern the activities related to Virtual Assets

Given the increased popularity and use of virtual assets across the globe, the UAE government has issued various policies to promote the setting up of virtual asset companies in the UAE. The government has started issuing necessary regulations and forming regulatory authorities to regulate this market.

UAE Crypto Regulatory Authorities

Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA)

UAE financial and capital markets are primarily governed by the Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA).

The Dubai Multi Commodities Centre (DMCC) has opened a crypto centre, and it houses VASPs offering, issuing, listing, and trading crypto assets. It also welcomes companies developing blockchain trading platforms.

It is noteworthy that the CBUAE, in July 2021, as a part of its 2023-2026 strategy, decided that it would launch its first digital currency by 2026.

The Hon’ble Prime Minister of the UAE has recently issued Cabinet Resolution No. (111) of 2022 Concerning the Regulation of Virtual Assets and their Service Providers, effective from 13^th January 2023, to regulate the virtual asset sector by mandating the licensing of specific virtual asset activities by the Securities & Commodities Authority (SCA) of the UAE or the local licensing authorities of specific Emirates. The said cabinet resolution does not apply to virtual assets activities regulated in a Financial Free Zone.

The Dubai Financial Services Authority (DFSA)

The Dubai International Financial Centre (DIFC) based companies are regulated by DFSA.

The Financial Services Regulatory Authority (FSRA)

The Abu Dhabi Global Market (ADGM) based companies are supervised by the FSRA.

The Virtual Asset Regulatory Authority (VARA)

The VASPs operating from the Emirate of Dubai (except for the units registered in the Dubai International Financial Centre).

UAE Crypto Regulations

UAE Crypto Regulations for Onshore Companies

UAE financial and capital markets are primarily governed by the Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA).

UAE Onshore Companies are governed by SCA’s Decision No. 23 of 2020 concerning Crypto Assets Activities Regulation (CAAR).

CAAR also lays down AML/CFT requirements. CAAR provisions require reporting entities to:

Set up a solid AML/CFT compliance framework
Define policies and procedures for KYC and AML monitoring
Ensure that the deposits and withdrawals are made only from and to a designated bank account of the entity, and the bank account must be maintained with an authorized financial institution. The SCA must have explicitly approved it if it’s a foreign financial institution.
Ensure that the crypto assets are traceable

Further, they are also governed by the CBUAE’s Stored Value Facilities (SVF) Regulation 14 (SVF Regulation). The CBUAE has also issued the Retail Payment Services and Card Schemes Regulation (referred to above) (the “RPSCSR”). The RPSCSR applies to those providing payment token service.

The Cabinet Resolution No. (111) of 2022, effective from 13^th January 2023, provides that the following activities related to virtual assets shall be licensed by the SCA or Local Licensing Authorities, as the case may be:

provision of Virtual Asset Platform operation and management services,
provision of exchange services between one or more forms of virtual assets,
provision of Virtual Asset transfer services,
provision of brokerage services in virtual assets trading operations,
provision of Virtual Asset custody, management, and control services, and
provision of financial services related to offering and/or selling by the issuer to the Virtual assets or participating in providing those services.

Moreover, the resolution also provides for the following for better compliance and regulation of the activities related to the virtual asset:

No provider of virtual asset services shall operate in the UAE without necessary approvals and licensing from the Securities & Commodities Authority or Local Licensing Authority,
Oversight of the above-mentioned activities by the Securities & Commodities Authority (SCA),
Before issuing the license, the SCA shall verify the applicant’s fulfilment of the capital requirements, credit guarantees, compliance management system, commitment to AML regulations, etc.
Compliance with AML regulations by the licensed providers of virtual assets services in terms of Federal Decree by Law No. (10) of 2025 and it’s executive regulations, along with FATF recommendations issued explicitly for virtual asset activities.

Compliance and Risk Management Rulebook for VASP – Emirate of Dubai (except DIFC)

On 11th March 2022, Virtual Assets Law No. 4 of 2022 on the Regulation of Virtual Assets in the Emirate of Dubai came into force. It applies to virtual asset services in Dubai, except in the DIFC.

Further, VARA has been named as the supervisory authority for the virtual asset service providers seeking to operate in Dubai, whether mainland or free zones, except DIFC.

Moreover, in line with Virtual Assets Law No. 4 of 2022, VARA recently issued a detailed VASP compliance and risk management Rulebook to be adhered to by the companies providing services related to virtual assets. The AML/CFT section of the Rulebook provides for various mandatory compliance frameworks that a VASP has to follow mandatorily. The principal AML compliance aspects covered in the Rulebook are as under:

Appointment of Money Laundering Reporting Officer (MLRO) with minimum 2 years of experience related to AML/CFT compliance,
Conducting AML Business Risk Assessment,
Designing and implementing the AML/CFT policies & procedures in line with the VARA Rulebook, AML Federal Laws and the FATF Recommendations related to the virtual assets segment,
Client Due Diligence, including screening of clients, UBOs, Virtual Asset transactions and the Virtual Asset Wallet address,
Transaction monitoring and suspicious transaction reporting to the FIU and VARA,
Compliance with FATF Travel Rule,
Maintaining of AML records for a minimum period of 8 years.

UAE Crypto Regulations for Financial Free Zone - Dubai International Financial Centre (DIFC)

The DFSA is a supervisory authority for the companies housed in DIFC. The DFSA has come out with a Consultation Paper No. 138, establishing its own regulatory framework for investment tokens. Very recently, on 8^th March 2022 the DFSA came out with Consultation Paper No. 143 for regulating crypto tokens.

UAE Crypto Regulations for Financial Free Zone - Abu Dhabi Global Market

The Financial Services Regulatory Authority (FSRA) is a supervisory authority for the companies housed in Abu Dhabi Global Market (ADGM). The FSRA came out with a regulatory framework in 2015 concerning the crypto asset businesses. Further, The Financial Services and Markets Regulations (FSMRs) 2015 regulates crypto assets in ADGM.

in 2018 FSRA came up with FSRA Rules (Crypto Asset Legislative Framework).

The rules are:

(a) Conduct of Business Rules (COBS_VER04.250618) (see appendix for detailed amendments);

(b) Market Infrastructure Rules (MIR_VER03.250618) (see appendix for detailed amendments);

(c) Glossary (GLO_VER05.250618) (see appendix for detailed amendments ).

In 2020 Financial Services and Markets (Amendment No 2) Regulations were issued.

Several guidelines have also been issued, including:

Guidance – Regulation of Virtual Asset Activities in ADGM (“Virtual Assets Guidance”)
Guidance – Regulation of Digital Security Offerings and Virtual Assets under the FSMR
Guidance – Regulation of Initial Coin/Token Offerings and Crypto Assets under the FSMR (“ICO Guidance”)

On 21^st March 2022, the ADGM issued a consultation paper No.1 of 2022 seeking proposals for enhancements to capital markets and virtual assets in ADGM.

Guiding Principles for VA Regulations by FSRA

In September 2022, FSRA issued a document laying down the guiding principles around its approach to Virtual Asset Regulation and Supervision for virtual assets companies operating or planning to set up VA units in ADGM.

These guiding principles suggest the high-level approach that FSRA would adopt to regulate the operation of the virtual asset in ADGM, focusing on maintaining the stability of the ADGM’s ecosystem, the risk associated with VA, protection of the customers using VAs and the ease of entry to new VA players in ADGM. Following are the 6 guiding principles laid down for VA regulation in ADGM:

Principle 1 – A Robust and Transparent Risk-Based Regulatory Framework

To oversee the VA activities and mitigate the inherent risk in the VA segment, the FSRA shall regulate the VA operations in ADGM. Its VA regulatory framework includes activity-specific rules and relevant guidance aimed at protecting the customers investing in VA and maintaining the financial stability and integrity of the market.

Principle 2 – High Standards for Authorisation

The authorization standards focus on admitting only such VA operators within ADGM who maintains transparency and meets the regulatory framework to prevent market abuse or any damage to ADGM’s ecosystem. For new applications for setting up a VA business unit in ADGM, FSRA shall grant an “in-principle” approval only to the applicants having the business plan and the controls matching the FSRA’s risk appetite. Final approval shall be provided only when the applicant has successfully completed the operational testing to the satisfaction of the FSRA.

Principle 3 – Preventing Money Laundering and Other Financial Crime

Owing to anonymity and easy access, FSRA mandates the application of AML/CFT regulations to the VA operators in ADGM. It includes adherence to ADGM-specific rules, Federal Laws and Cabinet Decisions on AML/CFT, FATF Guidance and Recommendations around VA. FSRA insists on transparency around the beneficial ownership and mandates the VA firms not to transact with the counterparty whose identity is unknown at any stage during the transaction

Principle 4 – Risk-Sensitive Supervision

FSRA shall follow a risk-based approach to supervise the VA segment, wherein the risk assessment shall be continuously done for the VA firms based on their size, nature and complexity. FSRA aims to ensure that the VA firms have effective controls and adequate risk management strategy, which is commensurate with the size and nature of the firm.

Principle 5 – Commitment to Enforce Regulatory Breaches

FSRA shall dedicatedly work towards addressing the ADGM business units’ non-compliance with regulatory requirements. For this, FSRA has powers to collate the information from the ADGM companies, conduct investigations, and take disciplinary actions to prevent non-compliance with ADGM rules.

Principle 6 – International Cooperation

Given the global spread of the VA operations, to mitigate the risk and support the mutual exchange of information between international regulators, the FSRA has entered into various bilateral and multilateral Memorandum of Understandings (MoUs). Further, FSRA encourages the development of international best practices for VA’s sustainable growth to be sustainable and is ready to support the principles of global organizations like IOSCO, the Basel Consultative Group and FATF.

AML/CFT regulations and obligations on VASP - AML Crypto Regulations in UAE

Given the anonymity involved and lack of central governing authority (as most of the virtual assets-related activities are being carried out through a decentralized platform), the Financial Action Task Force (FATF) recommended that VASPs should also be subject to stringent anti-money laundering and combatting of terrorist financing (‘AML/CTF’) regulations, the way traditional financial institutions are.

Accordingly, in line with FATF’s recommendations and increased activities related to virtual assets in the UAE, the government recognized the need to regulate the virtual assets segment. Here is the list of important regulations, cabinet decisions, and circulars applicable to Crypto Companies and Virtual Asset Service Providers in UAE.

Cabinet Resolution No. (111) of 2022 Concerning the Regulation of Virtual Assets and their Service Providers.
Federal Decree by Law No. (10) of 2025 Regarding Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing
Cabinet Resolution No. (134) of 2025 Concerning the Executive Regulations of Federal Decree-Law No. (10) of 2025 Concerning Combating Money Laundering, Terrorist Financing, and the Financing of the Proliferation of Weapons.
Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (UNSC) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution.
VASP Compliance & Risk Management Rulebook issued by Virtual Asset Regulatory Authority of Dubai (VARA).

(a) VASP obligations under AML/CFT law

As entities being subject to AML/CFT regulations in UAE, VASP would be required to adhere to the following requirements to identify ML/FT risk and mitigate the same:

Appoint the Compliance Officer to manage the AML/CFT program in the company.
Maintenance of AML/CFT policy designed considering the applicable regulations, money laundering and terrorism financing risk the VASPs are exposed to, VA-related red-flag indicators, etc.
Conducting business risk assessment from ML/FT risk perspective (using a risk-based approach) and identify the risk the VASP is exposed to and the controls in place to mitigate it.
Customer screening, risk categorization, and performance of adequate due diligence (generally enhanced, owing to the inherent nature of the VA).
Screening of Virtual Asset transactions and the Virtual Asset wallet address.
Reporting suspicious transactions and activities to the authorities.
Imparting adequate training to the employees and senior management.
Periodic audit of the AML/CFT framework adopted for the company by an independent team.
Annual risk assessment reporting.

(b) Virtual Assets “AML/CFT” Compliance Policy

Adherence to AML/CFT regulations becomes easy once the entity has set standards and policies to be followed. Accordingly, it is of utmost importance for every VASP to develop and adopt the “Virtual Asset AML/CFT Compliance Policy.” You may refer to the VASP AML Compliance Policy template available on our website.

(c) Technology-driven KYC, Screening, and Transaction monitoring for VASPs

Since the entire VA network operates on the blockchain or similar technology, the authorities also encourage using technology or digital tools to carry out AML/CFT related compliances.

For the “Know Your Customer” (‘KYC’) process, since most of the transactions between the recipient and the VASP would be non-face-to-face, some authorities suggest deploying tools or software that requests users to upload “selfie” as well as a copy of identity document bearing photo ID. Later, this technology should be able to match and verify the user’s ” selfie ” and the photo appearing on the ID.
Further, various guidelines issued by different authorities encourage VASPs to deploy new technologies to enhance the efficiency of the customer onboarding process. It also includes functionality to screen the name of the user or customer against the international and local sanctions list in real-time, along with VA transactions and the VA wallet address.
As part of transaction monitoring, some authorities insist on implementing the “Know Your Transaction” measures, enabling the VASPs to monitor the transactions from their origin to the destination effectively. The VASPs must collect every detail relevant to the transaction, about virtual assets, parties involved, locations, etc.
Additionally, it is also recommended by the authorities to obtain the following details about VA or the customer or the transaction, mainly using the new technologies:
Beneficiary and the originator of the VA
The IP address of the customer, with an associated timestamp
Wallet addresses involved.

ML/FT typologies and red-flag indicators relating to Virtual Assets (VA)

It is critical to understand the key ML/FT typologies associated with VA and VASP, given the great chances of this sector being exploited by the money launderers and for the financing of terrorist activities.

1. ML/FT typologies related to Virtual Assets (VA)

– The repeated withdrawal from one or more bank accounts of substantial amounts in cash, as a whole or in parts and within a relatively short period, without any apparent necessity and in combination with the repeated cashless receipt of sums of money (whereby the amounts received in the case of the trader in virtual currencies originate from the sale of virtual currencies).

– The purchase of virtual currencies whereby at least two of the following characteristics are fulfilled:

the buyer offers his services through the internet through supply and demand sites;
the buyer does not ascertain the identity of the seller;
the buyer screens off his own identity;
the buyer pays in cash;
the buyer charges an unusually high exchange fee percentage;
the transaction takes place in a (public) space where there are many members of the public present, thereby reducing the security risk for the buyer;
there is no plausible legal or economic explanation for the method of exchange;
the scale of the virtual currencies purchased is not likely to concern average private use;
the buyer is not known to the tax authorities for his exchange establishment.

– The buyer or seller uses a so-called ‘mixer’ during the sale of virtual currencies.

– Use non-compliant exchanges to carry out the conversation between fiat and virtual currencies.

– Use cryptocurrency ATMs to convert the money quickly from fiat to virtual assets and vice versa.

– Multi-customer cross-wallet activity.

2. ML/FT red flag indicators for VASP

A. Red flags related to VA Transactions (Size and Frequency of the transactions):

– Manipulating VA transactions (e.g., exchange or transfer) in smaller portions to avoid the reporting requirement.

– Multiple high-value transactions carried out –

Within 24 hours or period with minimal time gaps;
Using a new or very old account not used for a long time.

– Transfer of VAs to multiple VASPs, located across different jurisdictions where

there is no interconnection between the customer’s location, or
there are no AML/CFT regulations.

– Firstly depositing VAs at an exchange and then instantly –

withdrawing the VAs without any further activity, indicating redundant transactions and incurring unnecessary costs;
transfer of one VA to another without logical commercial reason, or
immediate withdrawal of the VAs to a private wallet from an exchange.

– Accepting fraudulent or theft funds.

B. Red flags related to VA Transaction Patterns (Transactions concerning new users):

Depositing a large amount at the time of opening a new account is not consistent with the customer’s profile.
Withdrawal, in a day or two, of the large amount deposited at the time of opening a new account or trades such a large amount on the same day.
Trading the entire amount of VAs or withdrawal of the same to take off the whole funds from the platform by the new user.

C. Red flags related to Virtual Assets Transaction Patterns (Transactions concerning all users):

– Trading through multiple accounts with no reasonable explanation.

– Regular transfers in a day or a week to the same VA wallet –

by more than one person;
from the same IP address; or
involving huge sums.

– Receipt of VAs from multiple unrelated accounts in smaller portions and immediately transferring the accumulated funds to another wallet or exchanging the entire value against fiat currency.

– Exchanging the VA against the fiat currency at a loss, without any business sense.

– Exchanging vast amounts of fiat currency against VAs, or one type of VA, to other kinds of VAs, without any logical rationale.

D. Red flags related to Anonymity associated with Virtual Assets (VA):

Customers prefer VAs providing higher anonymity, even when the transaction cost is high.
Moving a VA from a transparent blockchain to a centralized exchange and immediately trading it for Anonymity Enhanced Coins.
An unregistered/unlicensed VASP operating on peer-to-peer (P2P) exchange websites, handling large amounts of VA on their customer’s behalf and levying high transaction costs.
The abnormal volume of VAs exchanged against fiat currency at exchanges, without any business rationale.
Transactions through accounts associated with VASPs, offering mixing or tumbling services.
Transactions are offering to mix and tumbling services to disguise the movement of illegal funds between known wallets and darknet marketplaces.
A transaction with an account or wallet linked with any known suspicious sources, darknet marketplaces, mixing/tumbling services, gambling sites, or illegal activities.
Using decentralized hardware or physical / paper wallets to move the VAs across the countries.
Users register their internet domain names using proxies or domain name registrars (DNS), which offer suppression of the domain names’ owners.
Users getting themselves registered through an IP address associated with a darknet or software allows communication using encrypted emails and VPNs, providing anonymity.
Transactions where unfamiliar encrypted communication means are used instead of a VASP.
Multiple wallets are being controlled from the same IP address, involving shell wallets registered in the name of various users to hide the linkages.
Using inadequately documented VAs or VAs connected with fraud.
Users transacting through VASPs have weak CDD and KYC processes.
Using VA ATMs/kiosks

Incurring higher costs;
In high-risk jurisdictions, having a criminal background, or
multiple times involving small transactions.

E. Red flags about Sender / Recipients (Irregularities observed during account creation):

– Operating multiple accounts with different names to avoid trading or withdrawal-related restrictions imposed by VASPs.

– Transactions through –

non-trusted IP addresses;
IP addresses from sanctioned jurisdictions; or
IP addresses are flagged as suspicious or “black-listed.”

– Frequent requests to open an account with the same VASP and from the same IP address.

– Corporate users have their Internet domain registrations in a different jurisdiction than their place of establishment.

F. Red flags about Sender / Recipients (Irregularities observed during CDD process):

Inadequate KYC information or a customer hesitates or refuses to share the KYC documents or information on the source of funds.
The customer shares incorrect information about the transaction, the source of funds, or the association with the counterparty.
The customer provides forged documents, fake photographs, or identification documents as part of the KYC process.

G. Red flags about Sender / Recipients (Profile):

A customer provides identification or account records shared by some other account.
Differences in the IP addresses associated with the customer’s profile and the transaction-related IP addresses.
Publicly available information about the customer’s wallet address being associated with illegal activity.
Information about customer’s criminal association.

H. Red flags about Sender / Recipients (Profile of potential money mule or scam victims):

The transferor is unaware of the VA and related blockchain technology. These people could be money mules hired by professional money launderers, or scam victims turned mules who are tricked into transferring illegal funds without knowing their origin.
Significantly aged customers, operating an account and transacting in large volumes, indicating involvement in VA money muling or a victim of elder financial exploitation.
A financially vulnerable person is assisting drug dealers in their illegal business.
Inconsistency between the VA transactions involving significant amounts and the customer’s financial profile indicates the existence of money laundering or a money mule.

I. Red flags about Sender / Recipients (Other unusual behavior):

Frequent changes in the customer’s identification information, email addresses, IP addresses, or financial information.
A customer enters a transaction with multiple VASPs using different IP addresses daily.
Text in VA message box indicating association of the transactions with criminal activity or the purchase of illegal goods.
Repeated transactions by a customer with a subset of users at considerable profit or loss, indicating potential account takeover & removal of victim balances via trade or ML scheme to disguise the funds using VASP infrastructure.

J. Red flags related to Source of Funds or Wealth:

Customers using VA wallets, IP addresses, or bank cards are known to have been associated with fraud, sanctioned addresses, ransomware schemes, darknet marketplaces, or illegal websites.
VA transactions are associated with online gambling services.
Using multiple bank cards connected with a VA wallet to withdraw the considerable value of fiat currency (crypto-to-plastic).
Purchasing VAs using funds sourced from cash deposited into credit cards.
The cycle of depositing the substantially high amount into a VA wallet using unknown sources of funds and subsequently converting the same into fiat currency indicates theft of funds.
No information or incomplete information about the origin and owners of the funds, such as the involvement of shell companies.
Placing funds into an Initial Coin Offering (ICO) without giving personal information about the investors.
Transactions using pre-paid cards and immediate withdrawal after that.
A customer sourcing funds from third-party mixing services or wallet tumblers.
The primary source of customers’ wealth is investments in VAs, fraudulent ICOs, etc

K. Red flags related to Geographical Risks:

Trading on an exchange not registered in the customer’s jurisdiction or not at all registered with any jurisdiction.
The customer prefers a VA exchange or MVTS located in high-risk countries, where there are no or weak AML/CFT regulations for VASP.
The customer is setting up a business in a jurisdiction that lacks strong AML/CFT regulations without any logical business explanation.

AML UAE at Your Service

As required by the UAE authorities and FATF, VASPs must adhere to international standards and manage their business against the ML/FT risk they are exposed to. Here, we can help you understand whether your business activity fits into the VASP activities charted out by FATF and your obligations as VASP from AML/CFT perspective. Also, we can assist you with documentation of the AML/CFT policies, conducting AML training, etc., and ensuring your AML compliance with the regulations.

FAQs On AML Regulations for Virtual Assets Service Providers

A Crypto Asset is a record within an electronic network or distribution database functioning as a medium for exchange, storage of value, unit of account, representation of ownership, economic rights, or right of access or utility of any kind, when capable of being transferred electronically from one holder to another through the operation of computer software or an algorithm governing its use.

Cryptoasset exchange is an important part of the cryptoasset ecosystem, where the exchange provides liquidity to the market participants. Unregulated Cryptoasset exchanges pose significant money laundering risks, while regulated ones can also be targeted in money laundering schemes.

The mainland companies or onshore crypto and other virtual assets companies in UAE are regulated by the Central Bank of UAE (CBUAE) and the Securities and Commodities Authority (SCA). Further, Virtual Assets Regulatory Authority (VARA), CBUAE, and SCA control Dubai-based virtual assets service providers.

The Dubai Financial Services Authority (DFSA) is a supervisory authority for companies housed in DIFC.

The Abu Dhabi Global Market (ADGM) based crypto and other virtual asset companies are supervised by the Financial Services Regulatory Authority (FSRA).

Yes, all Virtual Asset Service Providers (VASPs) have to register with the goAML portal in UAE.

Primarily, the crypto, NFT, and other virtual assets companies in UAE have to adhere to the requirements of the following anti-money laundering (AML) laws and regulations:

Following are the Anti-Money Laundering (AML) compliance requirements that Crypto Companies, NFT, and other Virtual Asset Service Providers (VASPs) in UAE have to follow:

VASPs have to register on the goAML Portal
VASPs are required to appoint the AML Compliance Officer to manage the AML/CFT program.
Virtual Asset Service Providers have to conduct Business Risk Assessment (BRA)
VASPs have to prepare their AML Policy and Procedures Manual
VASPs need to conduct KYC, Screening, Risk Assessment of customers, suppliers, and third-parties
VASPs have to conduct enhanced due diligence of customers, suppliers, and third-parties
Crypto Companies and other virtual asset service providers have to file Partial Name Match Report (PNMR) with FIU UAE
Virtual Asset Service Providers have to file Funds Freeze Report (FFR) with FIU UAE
VASPs have to file Suspicious Activities Report (SAR) with goAML UAE
VASPs have to submit Suspicious Transactions Report (STR) with UAE goAML portal
VASPs have to provide Anti-Money Laundering training to employees and senior management
VASPs have to submit High Risk Country Transaction Report (HRC)
VASPs have to submit High Risk Country Activity Report (HRCA)
VASPs have to get themselves audited for AML purposes by an independent auditor
VASPs have to submit Annual AML Risk Assessment Report
VASPs have to ensure that the entities and individuals they deal with are not engaged in proliferation financing

Our Timely and Accurate AML consulting Services

For your smooth journey towards your goals

Related Blogs

A complete guide to effective customer due diligence feature img

18/12/2025

Customer Due Diligence (CDD): A Complete Guide | AML UAE

17/12/2025

AML/CFT Remedial Action Plan (RAP) Implementation Steps and Best Practices

10/12/2025

AML Implications for Politically Exposed Person (PEP)

Share via :

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik

AML Transaction Monitoring: A powerful tool to detect financial crimes

Blogs

Protect your business with reliable and effective AML strategies with AML UAE.

AML Transaction Monitoring: A powerful tool to detect financial crimes

Ever received a call from your bank to confirm if you have conducted a specific high-value transaction? If yes, then that is what transaction monitoring means. They know your routine transactions. If they see one unusual transaction and different from your general banking behaviour, they make a confirmation call.

Financial criminals conduct fraudulent activities by harnessing loopholes in regulations. They create an air of legitimacy around their scheme, company, and transactions.

Transaction monitoring can help detect patterns of suspicious behaviour and financial crimes to and from customers. That is why it is a significant step in companies’ and governments’ AML and CFT programs. With transaction monitoring, you can detect crimes before their occurrence or in their early stages. Timely detection saves you from the repercussions.

This article aims to explain the concept of transaction monitoring, its significance, and the best monitoring practices.

What is AML transaction monitoring?

Transaction monitoring means regularly keeping a close watch on the transactions. It involves checking a customer’s historical transactions, customer’s profile, account details, and interactions. These checks enable the identification of possible customer risks and the prediction of their future behaviour.

You can track the transactions in real-time during their occurrence to block them and prevent fraud. Alternatively, you can check transactions to identify any set patterns after their occurrence. Conduct periodic transaction monitoring to check the customer’s behaviour in terms of irregularities or set patterns.

Thus, financial institutions, as well as DNFBPs, must conduct frequent checks of their transactions.

Significance of AML transaction monitoring

Generally, anti-money laundering regulations in countries include the practice of transaction monitoring. It is mandatory for entities to track suspicious customers, suppliers, or transactions.

Entities have started using transaction monitoring systems to detect suspicious transactions. But it also requires human intelligence and experience to separate fraudulent transactions from non-fraudulent ones.

A constant check on customers’ activities is essential to avoid financial crimes. Transaction monitoring allows entities to adopt a risk-based approach, wherein the monitoring is done based on set rules defined considering the customer’s risk profile developed and the nature of transactions executed by the customer.

Based on the risk profile, you must monitor the customers. For a high-risk client, you need to adopt an advanced level of transaction monitoring.

Nowadays, criminals have advanced ways of conducting financial crimes in the times of the online, digital world. The complexity of money laundering and terrorist financing has increased, which requires a measure that can spot right from wrong. So, transaction monitoring with the definition of a clear rule is crucial to identifying criminal activities.

Furthermore, the transaction monitoring framework gives confidence to regulators and stakeholders of the organization. It shows the seriousness of entities toward detection of financial crime. It leads to a safe business ecosystem in the country and builds trust between existing and new partners.

Steps to an effective transaction monitoring program

Transaction monitoring is a risk-based approach with the following steps:

1. Risk assessment of your business

Identifying risks your business faces from customers, products and services, and operating environment is critical for your AML compliance. For this, you must conduct a detailed analysis of the industry in which you operate.

Analysis of risk parameters will determine your business’s risk appetite. A deep understanding of the risks you take as an entity and the measures you use to cover these risks is crucial. Also, you get to know what types of customers you will be handling, types and volumes of transactions and related risks thereof.

2. Define red flags of suspicious transactions

To ensure the correct identification of suspicious transactions, you must know what it looks like. For this, you must define the red flags your employees will look for while reviewing transactions or the rules set in the transaction monitoring solution. Some of the red flags can be:

Transactions involving large amounts of money,
A sudden new transaction unusual for a customer (nowhere like any other transactions done before),
Several small transactions of the same type involving one or more accounts/persons in a short time,
Inconsistency of the transaction with the customer’s economic profile,
The transaction is directed to or from a high-risk country or a jurisdiction featured in the sanction list,
Customer’s insistence on having no face-to-face communication always.

You must feed these red flags into the transaction monitoring system to generate alerts when witnessed. The team handling this system receives an alert notification. The entity can conduct a further investigation based on the alert to classify it as suspicious.

3. Create transaction monitoring rules

You must create transaction monitoring rules based on your risk appetite and red flag indicators. The system for transaction monitoring will have to be aligned with these rules to identify suspicious transactions. The rules may be created around the following:

The maximum amount of a transaction,
Number of unusual transactions from a customer,
Number of small transactions, after which the system generates an alert,
Transaction directed to or from a high-risk jurisdiction.

The monitoring system analyses the transaction against the set rules. Based on the defined rules, the system should be able to identify the suspicious pattern or characteristic and generate a trigger or alert for the same.

You must optimize these rules periodically based on historical results. Changes in rules will make the process more accurate, resulting in fewer false positives.

4. Review the generated alerts

You must review these alerts generated for suspicious transactions. The analysts must conduct a manual evaluation to check if the pattern or behaviour is suspicious. To produce a detailed report, they must collect all relevant information for that transaction.

If you find it suspicious, prepare a report of the investigation conducted, which should be shared with the senior management for sign-off. Basis your evaluation, you may even drop the alert, but document the reason.

Best practices of a robust AML transaction monitoring program

Some of the best practices you can adopt for transaction monitoring include:

Remain up-to-date with regulations

Keep an eye on the local and national regulations for combating money laundering and other financial crimes. Compliance with them is essential. With knowledge of all rules and regulations, you can update your red flags, optimize the monitoring rules and identify suspicious transactions efficiently.

Know about your industry and products/services

You must have deep knowledge of your sector and products/services to ensure effective transaction monitoring. Awareness of industry-specific risks, customer demographics, and product/service weaknesses can help create effective monitoring rules.

Furthermore, keep updating your knowledge on these factors. The updated information helps you improvise your transaction monitoring solution and timely capture all money laundering and terrorist financing activities.

Create an exhaustive list of transaction monitoring rules

Consider all the possible red flags for your industry and product/services while creating transaction monitoring rules. These rules must encompass a range of simple and complex scenarios to detect all possible suspected transactions.

Criminals keep updating their crime techniques to take advantage of your operations, processes, products, customers, etc. Similarly, you must frequently update these rules to stay on top of your criminal typologies.

Ensuring quality of AML transaction monitoring

Entities must try to avoid making transaction monitoring an operational, time-bound task. You must consider it as an action against decreasing or eliminating financial crimes. Accordingly, entities must base the employees’ performance on the quality and efficiency of transaction evaluation, not the volume of transactions handled.

Document the AML monitoring scenarios

The transaction monitoring system generates alerts if a transaction is against any rules fed into the system. Then, the analyst evaluates it comprehensively by collecting all related and relevant information.

You must document all this information, analysis, and insights. Documentation helps develop a precise, comprehensive scenario. And documentation of all these scenarios helps create more rules and logic to better your transaction monitoring process.

Do not assume that one size fits all

Do not oversimplify the risk scenarios. Create detailed, to-the-point, granular-level characteristics to identify risky behaviours or patterns of customers or transactions. The clarity in scenarios enables better comparison with the rules to identify suspicious transactions and reduce the possibility of false positives.

Do not have too many risk scenarios

Entities create an exhaustive list of risk scenarios to capture every possible suspicious transaction. But in this process, they forget to remove duplicates and non-contextual scenarios. With such an extensive list of possible risk scenarios, employees’ workload increases, and the quality of alerts decreases. So, while creating scenarios, avoid overlap and add relevant context to each.

Use artificial intelligence in transaction monitoring

Only rules based on logic will not be sufficient for effective transaction monitoring. You must have AI-based transaction monitoring systems to generate more insights and identify red flags that human eyes can overlook. Artificial intelligence can catch any pattern or behaviour that slips through the manual monitoring rules.

AML UAE’s role in transaction monitoring for entities

Since you understand the importance of transaction monitoring in your AML efforts, make it a part of your AML compliance program. Imbibe the best transaction monitoring practices to be 100% compliant with AML regulations and safeguard your business interest against financial crimes.

AML UAE is a leading provider of AML/CFT consulting services. We help our clients develop an effective AML compliance framework for their operations. Transaction monitoring and suspicious transaction reporting are essential parts of such frameworks.

We help clients with ML/FT risk assessment, determination of red flags, and creation of transaction monitoring rules aligned with your business profile. We can also assist you with selecting effective transaction monitoring software and implementing it with our AML experts’ support.

With AML UAE, you can monitor your transactions with relevant rules, making detecting suspicious transactions easier and smoother. Your chances of true positives increase, and the investigation quality improves.

FAQs on Transaction Monitoring

When an entity identifies a suspicious transaction of financial crime, the Compliance
Officer or the MLRO (Money Laundering Reporting Officer) must file the STR to the
Financial Intelligence Unit (FIU), without any delay.

Suspicious transactions are the ones that constitute the proceeds of financial crime,
are intended to be used in financial fraud activities, or are related to the crimes of
money laundering, terrorism financing, corruption, bribery, drug trafficking, and any
other illicit activities.

In a transaction, from AML perspective, the red flags could be around the change in
the customer’s identification, doubt around the sources of funds involved, transaction
associated with high-risk countries, inconsistencies in the transactional pattern, etc.

Yes, there can be more than one AML red flag indicator in a transaction.

Transaction monitoring is essential to identify suspicious transactions, so that ML/FT
activities can be timely reported. Further, transaction monitoring is also essential to
complete the AML/CFT efforts of the entity.

KYC is related to identification of the customer and verifying the identity. While
transaction monitoring is continuously reviewing the customer’s transaction
executed in course of business relationship.

Transaction monitoring rules are the thresholds and the logic configured by the
entity in its AML program – tools and systems – aimed to analyze the transactions
and generate an alert when the activities match the risk criteria defined in these rules.

Generally, the key challenges around transaction monitoring program are data
integrity, integration of the monitoring system with business’s legacy system,
generation of large number of false positive alerts, not updating the monitoring rules
and systems periodically, etc.

Strengthen your transaction monitoring
capabilities with AML UAE’s expert
AML/CFT consulting services.

Contact AML UAE to get started.

Share via :

About the Author

Dipali Vora

CAMS, ACS

Dipali is an Associate member of ICSI and a Certified Anti-Money Laundering Specialist (CAMS). She has an overall experience of 8 years in the compliance domain, including Anti-Money Laundering, due diligence, secretarial audit, and managing scrutiniser functions. She currently assists clients by advising and helping them navigate through all the legal and regulatory challenges of Anti-Money Laundering Law. She helps companies to develop, implement, and maintain effective AML/CFT and sanctions programs.

Reach Out to Dipali

Use of Digital ID for Customer Due Diligence -New Guidance issued by CBUAE for LFIs

Blogs

Protect your business with reliable and effective AML strategies with AML UAE.

Use of Digital ID for Customer Due Diligence -New Guidance issued by CBUAE for LFIs

The Central Bank of the UAE (CBUAE) has issued new Guidance on anti-money laundering and combatting the financing of terrorism (AML/CFT) for Licensed Financial Institutions (LFIs), which shall be applicable with immediate effect. The Guidance for LFIs on the use of Digital ID for customer due diligence aims to help the Financial Institution to adopt, understand and implement the statutory obligations concerning AML/CFT and considers the standards issued by Financial Action Task Force (FATF).

The Guidance talks about using digital ID systems/mechanisms by LFIs to fulfil their obligations about customer due diligence (“CDD”) in relation to natural persons.

Digital ID for Customer Due Diligence Guidance Applicability

The Guidance applies to all the Natural and legal persons licensed and/or supervised by the Central Bank of UAE in the below-mentioned categories:

National banks
Branches of foreign banks
Exchange houses
Finance companies
Issuers and providers of stored value facilities
Licensed retail payment service providers and card schemes
Registered hawala providers,
Insurance companies, Agencies, and Brokers.
Other LFIs not covered above.

Key Takeaways: Guidance on Digital ID for Customer Due Diligence

1. The Guidance talks about Identity proofing, enrollment, and authentication mechanisms with regard to the usage of digital ID systems. The terminology of “Digital ID systems” is defined as under:

“use electronic means to assert and prove a person’s identity online and/or in in-person environments, including through the use of:

Electronic databases, including distributed databases and/or ledgers, to obtain, confirm, store, and/or manage identity evidence;
Digital credentials to authenticate identity for accessing mobile, online, and offline applications;
Biometrics to help identify and/or authenticate individuals; and
Digital application program interfaces (“APIs”), platforms, and protocols that facilitate online identification and the verification and authentication of identity.”

2. LFIs are directed to use national-level identificationsystems and processes prevalent/under-development in UAE, like UAE Pass, Emirates ID, Emirates Facial Recognition, etc.

3. LFIs may use the online validation gateway of the Federal Authority for Identity and Citizenship and keep a copy of the Emirates ID and its digital verification in their records.

4. LFIs should leverage data generated by authentication for ongoing Customer Due-Diligence and transaction monitoring to identify suspicious customer activity/behavior /transactions with sanctioned or High-Risk jurisdictions.

5. LFIs may rely on customer identification, and verification carried out by a third party but shall make sure to abide by the following.

The LFIs shall obtain all relevant information from the third party.
Take the required steps to ensure that a third party provides copies of customer documentation/information used for CDD.
Third-party complies with the record-retention requirements provided in Cabinet Resolution No. (134) of 2025 and Federal Decree by Law No. (10) of 2025 on Anti-Money Laundering

6. LFIs should take appropriate measures to safeguard and deal with the inherent technology risk and challenges posed by digital ID systems and shall ensure implementation of such processes and systems to reduce the Identity proofing and enrolment risks, e.g. cyberattacks, security/cyber breaches, use of stolen/falsified/synthetic ID details due to the reliance on the open networks like the Internet.

7. The Guidance sets out a strategy for mitigating threats to the identify proofing and enrollment process laid down by the U.S. National Institute of Standards and Technology (“NIST”) Digital Identity Guidelines.

8. The Guidance also talks about the risks at the authentication stage, like credential stuffing, Phishing, man-in-middle (credential interception), PIN code capture and replay, which are exploited without the owner’s knowledge.

9. LFI’s shall ensure that the Digital ID system adopted shall provide complete confidence/assurance and is working efficiently to produce desired results. The same should be protected against internal and external manipulation and shall detect unauthorized users, cyberattacks, and insider fraud.

10. LFIs shall at first conduct Assurance Level Assessmentto understand the assurance levels of the digital ID system based on its governance, technology, and architecture to determine its reliability and independence. The assessment can be performed by themselves, or they may consider obtaining an audit or assurance certificate from an expert body.

11. Post Assurance Level Assessment, the LFIs shall conduct an Appropriateness Assessment to determine whether the digital ID system is reliable to deal with potential Money Laundering, Terrorism Financing, fraud, and other financing risks. LFI’s Assurance and Appropriateness Assessmentof the digital ID system to perform CDD shall be documented and updated periodically.

12. The Guidance has various illustrations adapted from NIST Digital ID Guidelines for technical requirements for

the identity proofing and enrollment
authentication protocols and processes
authenticator lifecycle management

13. This Guidance focuses on the use of digital ID systems for performing Customer Due-Diligence at the time of Onboarding/opening of account and ongoing monitoring, which will help mitigate the potential risks of Money Laundering and Combatting the Financing of Terrorism and safeguarding the financial system of UAE.

How can AML UAE help?

AML UAE is one of the top AML Consulting firms providing end-to-end support services for Anti-Money Laundering and Combatting Terrorism Financing to Financial Institutions, DNFBPs and VASPs. We can assist you in conducting Business Risk assessment, selection and assurance assessment of Digital ID systems, complying with ongoing monitoring of Transactions, and identification and reporting of suspicious transactions.

All-encompassing AML training for
your business just a call away.

Contact us now, and let's get started.

Share via :

About the Author

Dipali Vora

CAMS, ACS

Dipali is an Associate member of ICSI and a Certified Anti-Money Laundering Specialist (CAMS). She has an overall experience of 8 years in the compliance domain, including Anti-Money Laundering, due diligence, secretarial audit, and managing scrutiniser functions. She currently assists clients by advising and helping them navigate through all the legal and regulatory challenges of Anti-Money Laundering Law. She helps companies to develop, implement, and maintain effective AML/CFT and sanctions programs.

Reach Out to Dipali

Uncovering the Red Flags of NFT-Related Money Laundering

Blogs

Protect your business with reliable and effective AML strategies with AML UAE.

Uncovering the Red Flags of NFT-Related Money Laundering

With the increased acceptance of artwork using Non-Fungible Tokens (NFTs), comes the increased risk of money laundering and terrorism financing, induced by anonymity around the origin, mode of transfer, and payment. With this, awareness about the risk indicators associated with NFTs is very pertinent amongst NFT users and society as a whole.

Recently, the Joint Chiefs of Global Tax Enforcement (J5) issued a list of red flags that financial institutions, business organizations, and individuals must be aware of. The document released by J5 is the ‘J5 NFT Marketplace Red Flag Indicators’, which highlights how criminals constantly develop new ways to exploit emerging technologies.

NFT Critical red flags suggesting high ML/FT risk

Collection or organization of the NFTs from the high-risk jurisdictions
Collection of similar kinds of NFTs in large numbers to launder money between related wallets
Distribution or giveaway of fake or forged NFTs
Manipulation of the NFT values (unreasonably high) by the frequent buy-sell transactions between connected wallets (also known as “Wash Trading”)
High turnover of low-valued NFTs
Sell of newly minted NFTs at a very high value, contradictory with the other NFTs and a general trend
A high volume of trading of overpriced/underpriced NFTs within a short time gap
Mismatch in the NFT minting address and the contract address appearing on the exchange portal
A high volume of trading for the NFT collection purchased from a mixer or tumbler
Transaction value exceeding US$ 100,000 for newly minted or secondary market tokens without any apparent community
Request to share the seed phrase (translation of the private key) from the virtual asset wallet to execute the transaction
The same tokens were reacquired from the same party or the third party at a lower price, to whom earlier the said tokens were sold at a higher value
Phishing – flooding the inbox by sharing fake NFT offers
The unreasonably high price gap between the legitimate marketplace and a particular site
Unverified social media presence, with no apparent followers
Unnecessary exchange of NFTs between the same group of people or network

Other Risk Indicators suggesting medium ML/FT Risk related to NFTs

NFT with re-used code
NFT without any thumbnail appearing on the marketplace
No information is available about when and where the NFT was minted
Minting an NFT or buying it at an inflated price and immediately selling it off at a significant loss
The absence of the contract address makes the tracing of NFT difficult in the marketplace
High-volume transactions of the tokens purchased from the same wallet or network of wallets
Unverified accounts on the market profile
Details of the NFT not clearly captured – properties and description of the token missing
High value structured into smaller valued multiple transactions, over a short period, with no observable community

It is essential to understand these red flags and stay alert towards the same to reduce the chances of exploitation of the NFTs for laundering money or financing terrorism.

This list will enable the market participants to improve their fraud detection policies and deploy the necessary mitigation measures. They must implement customized compliance programs to avoid becoming victims of money laundering or other financial crimes.

Let us all fight the risks of the execution of financial crimes using cryptocurrency and virtual assets.

How can AML UAE assist you in AML NFT Compliance?

Awareness of the NFT-induced red flags is critical to safeguard yourself from being vulnerable to financial criminals exploiting the technologies.

AML UAE is a firm offering end-to-end AML consultancy services to Financial Institutions, DNFBPs, and the VASPs. We offer assistance in implementing the AML framework, training the compliance officer and team, offering AML software, managing customer onboarding, etc.

Partner with AML UAE and understand your AML risk better

Safeguard your business now!

Share via :

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 11 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

What is NFT money laundering, and how to combat it?

What is NFT money laundering and how to combat it?

Protect your business with reliable and effective AML strategies with AML UAE.

What is NFT money laundering and how to combat it?

Technology has entered every field of work. The art field is the latest to have been impacted by technology in the form of Non-fungible Tokens (NFTs). NFTs are blockchain-based tokens depicting various art forms – painting, music, and games.

Since technological evolution brought the digitalization of art, money launderers came up with new typologies to exploit the same.

Since technological evolution brought the digitalization of art, money launderers came up with new typologies to exploit the same and transfer the illegally obtained funds through misuse of NFTs.

This article discusses NFT money laundering, why and how it is conducted, and what measures businesses should consider combating.

What are NFTs?

NFTs are tokens, which are data in the form of videos, pictures, artwork, memes, tweets, or any digital asset. These are stored on different forms of distributed ledgers, such as blockchains. These cannot be interchanged with other NFTs. Thus, they are non-interchangeable digital assets but can only be bought and sold using cryptocurrencies.

They have unique identifying codes and are finite in numbers. People can see NFTs for free, but to own them, they must pay the price to the actual owner. The value of an NFT is based on its perceived value, driven by its market demand.

After the purchase, there is a built-in authentication, which the new user can show as proof of ownership. Here, the new owner gets ownership of the NFT and not the physical object, while the original creator owns the intellectual rights of the work. So, NFTs are famous because people value digital bragging rights over an item instead of the actual physical item.

How are NFTs different from cryptocurrencies?

The only similarity between cryptocurrencies and NFTs is that they are built on the same programming. Both are secured in digital wallets. And you need cryptocurrencies to buy NFTs.

Any physical currency and cryptocurrency are fungible. It means that these assets can be interchanged and traded with one another. That is not the case with NFTs because they are non-fungible.

Cryptocurrencies and physical currencies are equal in value. It means one dollar is equal to one dollar. One Ethereum is equal to one Ethereum. In the case of NFTs, each has a digital signature that makes it unique; thus, one NFT cannot be exchanged with another NFT. At any given moment, only one person can own an NFT, and the digital signature gives that ownership value.

Why are NFTs attractive to money launderers?

As it is said, the perceived value of art and its market demand decide an NFT. The perceived value factor makes dealing with NFTs a bit subjective and hence, away from the scrutiny of regulators.

The transfer of ownership of NFT happens in an instant. Buying and selling NFTs is easy and smooth and requires no additional financial cost except the token’s value. Also, there are no geographical restrictions on these transactions; NFTs created in one country can be done in another country without any limitation.

Moreover, NFT is an entirely new concept and a new market. Many different NFT platforms exist with different structures, operations, standards, ownership models, and due diligence rules. Therefore, it becomes challenging for regulators to create standard regulations for the NFT space applicable to various countries across the globe.

Smart contracts in the NFT market are one of the critical reasons money launderers are attracted to it. In smart contracts, the user generates revenue each time a transaction occurs on the blockchain. So, launderers rapidly conduct a transaction to generate revenues. Now, this becomes a significant motivation to execute smart contracts; in the process, forget about the identity verification of buyers. Launderers exploit this loophole to their benefit.

How does NFT money laundering occur?

Wash trading

Generally, criminals use their illicit money (converted into cryptocurrency) to buy an NFT. They use illegal money, but the purchase is a legal one. Later, they can sell the NFT and earn legal cryptocurrencies. This process is called wash trading.

The central concept in wash trading is to increase the value of the transaction. Thus, in this transaction, criminals benefit in two ways: they avoid taxes and convert unlawful funds to legitimate digital assets or currencies. Only a record of this purchase and sale transaction is present on the blockchain, and nothing about the funds obtained to buy this NFT.

Standard money laundering

Another way is to do multiple buying and selling transactions between their accounts or someone known to them to create layers of fake transactions. With each transaction, illegitimate money gets transformed into legitimate money.

Now, since the determination of the fair market value of an NFT depends only on how the appraiser values it, you never get to know the actual price of the NFT. Launderers create multiple accounts and transfer assets from one account to another for any price. These transactions layer the illegal money with legitimacy and cleanse huge funds.

How to combat NFT money laundering?

Whenever there is a new technological innovation, money launderers exploit them. And NFT is the latest technology to become its victim.

Individuals and businesses dealing in NFTs or facilitating NFTs exchanges must find ways to regulate NFT activities – to verify the buyer and seller’s identity and the transaction’s authenticity. They can improve their AML and KYC checks or implement some monitoring software to track all movements. They must trace NFT transactions between wallets and conduct the KYC of wallet holders.

They must know how launderers engage in NFT money laundering and related red flags to identify suspicious transactions. Countries can implement relevant regulatory laws and actions to control this NFT market. It requires efforts globally because NFT transactions can occur globally without border restrictions.

Money launderers exploited the NFT world as countries, and international regulators introduced AML rules in the traditional buying and selling activities of art. So, criminals come up with newer ways and means; businesses must take the help of AML consultants to identify the risks to NFTs.

Key AML Measures and Responsibilities for curbing NFT money laundering

The crypto companies, NFT service providers and facilitators, and other Virtual Asset Service Providers (VASPs) in UAE must implement the following measures to comply with law and protect the NFT ecosystem:

How can AML UAE help?

AML UAE is a leading provider of AML compliance services in the UAE across different sectors, such as corporate service providers, virtual assets service providers, dealers in precious metals and stones, financial institutions, etc. Our AML consultants understand AML laws and money laundering red flags specific to business and transactions and thus can guide you in protecting your business against money laundering threats.

We help assess your business risk and set up an AML Compliance framework aligned with AML/CFT obligations. We implement specific comprehensive screening procedures and help you identify the potential red flags of NFT money laundering for early detection and preventive actions.

FAQs on NFT Money Laundering and ways to combat it

The mainland companies or onshore crypto and other virtual assets companies in UAE are regulated by the Securities and Commodities Authority (SCA). Further,
Virtual Assets Regulatory Authority (VARA) controls Dubai-based virtual assets service providers (except DIFC). While it is Financial Services Regulatory Authority
(FSRA) & Dubai Financial Services Authority (DFSA) for ADGM and DIFC based VASPs respectively.

According to FATF, “virtual asset” refers to any digital representation of value that can be digitally traded, transferred or used for payment.

A cryptocurrency is a type of virtual asset. But not all virtual assets are cryptocurrencies.

A virtual asset is an asset held digitally or virtually. It is a digital value you can virtually trade, transfer, and use for investment and payment.

Virtual assets include digital art, text, videos, in-game items, images, music, cryptocurrencies, and virtual real estate.

Primarily, the crypto, NFT, and other virtual assets companies in UAE have to adhere to the requirements of the following anti-money laundering (AML) laws and regulations:

Federal Decree by Law No. (10) of 2025
Cabinet Resolution No. (134) of 2025
Cabinet Decision No. (74) of 2020
AML/CFT-specific guidelines issued by the Supervisory Authority

The various methods used to launder money include:

Using smurfs, mules, or shell companies
Investing in real estate with cash and then selling it or generating rental income
Investing in jewellery and moving it to other jurisdictions
Online auctions and sales
Virtual assets, including NFTs and cryptocurrencies

Yes, all Virtual Asset Service Providers (VASPs) must register with the goAML Portal in UAE.

Get ready for the fight against money laundering
with AML UAE

Get in touch with our team to discuss how we can help

Share via :

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik

What is trade-based money laundering?

Blogs

Protect your business with reliable and effective AML strategies with AML UAE.

Trade-based money laundering is one of the most common forms of money laundering. It is an easy way exploited by criminals to launder money between different countries, wherein they misrepresent the quality, value, or amount of goods traded through various channels.

Trade financing processes are misused to facilitate the flow of illicit funds. Trade is conducted across different jurisdictions subject to different regulations, making detecting suspicious transactions difficult. Also, the complexity of trade transactions and the volume of goods traded are the loopholes these launderers exploit to their advantage.

Let’s understand trade-based money laundering, related red flags, and how businesses can mitigate the risk arising from trade-based money laundering.

What is trade-based money laundering?

Trade-based money laundering (TBML) cleans dirty money through trade transactions and activities. The trade transactions are exploited to transfer and convert illicit money into legitimate cash or commodity, avoiding the suspicion from regulatory authorities disguising the process as legitimate trade.

For example, importing and exporting goods is just a cover for the movement of illegal funds, making the trade transaction appear legal between two countries.

It is also a way to evade taxes. Companies show different amounts in invoices, thereby reporting reduced profits and taxes decrease. Alternatively, they show multiple payments for only one set of goods received from the exporter, increasing their procurement expenses.

Why do criminals engage in trade-based money laundering?

Lack of regulations

There are no standard regulations for trading transactions. Import and export of goods are regulated by the agreement between a buyer and seller and the respective countries’ regulations. No global regulator controls these transactions; the two parties entering the contract govern the trade terms.

A rise in the amount and volume of trade

Globalization has resulted in increased trade activities across the world. Countries engage in multiple import and export transactions with several countries. These transactions have increased in number and value over the years. It allows criminals to bypass commercial rules during these humongous trade transactions, avoiding the attention of the authorities.

Increase in free trade zones

Businesses are attracted to free trade zones for their ease of conducting business, as there are fewer regulatory constraints in these zones. The absence of rules is better than circumventing rules. The number of TBML transactions has also increased with a rise in free trade zones.

Use of open account payment method

Open account transactions are the ones where payment is due after a specified time of the occurrence of the trading activity, i.e., the goods are delivered to the party, and the payment is made after 30/90 days. This time gap minimizes the connection between the actual trade and the related payment. These transactions are subject to less oversight from financial institutions; hence, criminals increasingly use these methods.

How is trade-based money laundering conducted?

Understanding the standard techniques of conducting trade-based money laundering is essential to combat the same. The following are the most used TBML techniques:

Over-invoicing of goods

The exporter inflates the price of the goods in the invoice compared to their market value. In this case, exporters receive higher payments from the importer, allowing the importer to launder money and convert/transfer through import/export transactions.

Under-invoicing of goods

The exporter prepares the invoice for the goods at a price lower than the fair market value. Importers get goods at a lower value, resulting in the evasion of import duties.

Multi-invoicing

Exporters create multiple invoices for the same set of goods to be shipped. They can receive multiple payments for the same shipment, using different payment methods adding layers of complexity. Thus, launderers legitimize their illicit money through multiple invoicing.

Changing the quantity of goods

Launderers can also change the quantity or weight of goods being traded. They may report the quantity as more than the actual or less than the actual. In the case of over-quantity, they receive illicit money as payment and convert it to legitimate money. While in the case of under-quantity, they launder money by avoiding the payment of actual import duties.

Alternatively, they might report a specific quantity of goods while there is no shipment done. It is called phantom shipping or ghost shipping. Importers and exporters collaborate to create false invoices and other documentation without the actual shipping of goods. The illicit money is moved from the importer to the exporter without actual trade transactions.

Misrepresentation of goods

The exporters may represent the goods as expensive, though in reality, the goods are cheap. Thus, the invoice and customs documents show a high price while the actual value is less.

It is common in the gems and jewellery sector, where the invoice says raw diamonds and the shipment is of polished diamonds or artificial ones.

Non-documentary trade

For some trading transactions, there are no documents available for investigation. It is not that no documents are prepared for the transaction, but these are not accessible. The regulators have access to only the name, account number, and address of the buyer and seller.

In non-documentary trade transactions, regulators are unaware of the underlying flow of goods and trade activities. It is difficult for them to validate transactions. The absence of due diligence on the volume, type, quantity, and value of goods makes it easier for launderers to launder money.

What are the red flag indicators of trade-based money laundering?

The best option for individuals, companies, and countries is to observe the red flags of trading transactions. With the identification of suspicious transactions, you can investigate them further. Following is an illustrative list of TBML indicators:

Differences in the descriptions of items to be traded in the invoice and the shipping bill.
Differences in the market value of the items and the value mentioned on the invoice.
Involvement of trading entities with registered addresses in residential buildings.
The shipment size does not match the customer’s profile and regular business activities.
Trading of an item from one jurisdiction to another or from one subsidiary to another, whose business activities are in no way related to each other or without logical economic reason.
Involvement of trading entities with no physical presence or an online presence that does not align with its business activities.
The type of goods traded does not align with the regular shipment of customers or the client’s profile and business activities.
Trading transactions involving a third party with no relation to the transaction (either receiving cash payments or managing documents); offshore front companies or shell companies may be involved in such transactions.
Trade deals involve complex trade routes that do not make geographical sense.
Goods are exported from or imported into high-risk jurisdictions or countries with poor AML regulations.
Missing trade documents or false documents.
A sudden increase in trade transactions from or to a company that was dormant for a long time.
Sudden high volumes or value of trade from an entirely new company.

What is the way out for businesses from trade-based money laundering?

Know Your Customer (KYC) and customer due diligence (CDD) are the best solutions for reducing trade-based money laundering. Businesses must implement policies to collect details on all their customers and transactions. Further, ongoing monitoring of the customer’s profile and the transaction is necessary to identify any unusual patterns. If they see any red flag, deeper scrutiny is essential to identify money laundering risks.

Using advanced technology systems or artificial intelligence is also an excellent solution to reduce money laundering risks. These systems can help businesses identify money laundering threats and send alerts. It allows the entities to report the TBML activities to the authorities promptly.

How AML UAE can help

Associating with AML consultants, like AML UAE, can help you understand the red flags better to identify suspicious transactions and take necessary actions to combat the same.

AML UAE also helps clients form an AML compliance department and conduct employee training. Our AML consultants aid in developing relevant AML policies, selecting appropriate AML software, and managing the reporting requirements. We ensure you comply with applicable AML regulations and stay safe from money laundering threats.

AML UAE helps you safeguard your business from money
laundering threats.

Get in touch to know the best preventive and corrective actions.

Share via :

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik

AML Business Risk Assessment Template for DNFBPs in UAE

Without assessing the inherent ML/FT risk your business is exposed to, it is challenging to deploy the necessary controls to mitigate the money laundering and terrorism financing risk.

To assist you in assessing your business’s exposure to ML risk, we present the AML Business Risk Assessment template, capturing the critical parameters on which such assessment should be based and the recommended methodology. AML Business Risk Assessment is also called Anti-Money Laundering Entity-wide Risk Assessment or Enterprise-wide Risk Assessment.

AML Business Risk Assessment Process

Download Excel-based Entity-wide Risk Assessment Template

AML UAE is committed to helping the designated entities comply with AML regulations and implement the robust AML compliance framework to mitigate the financial crime risk effectively. As the first step to this journey, we help companies in Entity-wide Risk Assessment, design the appropriate control measures to mitigate Enterprise-wide risk, and customize AML policies.

Our Timely and Accurate AML consulting Services

For your smooth journey towards your goals

Share via :

High-Risk Country Reporting: HRC and HRCA

Blogs

Protect your business with reliable and effective AML strategies with AML UAE.

High-Risk Country Reporting – HRC and HRCA

With increased monitoring emphasized on transactions with persons or entities hailing from high-risk countries, the Ministry of Economy provides for filing of a separate report capturing details about such transactions. These reports are:

High-Risk Country Report or High-Risk Country Transaction Report (HRC)
High-Risk Country Activity Report (HRCA)

The reports mentioned above are to be filed by both – Financial Institutions and Designated Non-Financial Businesses and Professions (DNFBPs).

When is HRC/HRCA to be filed?

High-Risk Country Transaction Report: If at the time of establishing or in the course of the customer relationship or when conducting transactions on behalf of a customer, a reporting entity observes transactions related to high-risk countries subject to a Call for Action (access the list of jurisdictions here), then the entity is required to submit an HRC.

High-Risk Country Activity Report: If during the establishment or course of the customer relationship or when conducting an activity on behalf of a customer, a reporting entity identifies activities related to high-risk countries subject to a Call for Action (access the list of jurisdictions here), then the entity should submit an HRCA.

What activities or transactions are to be reported in HRC/HRCA?

Any cross-border transaction involving the transfer of funds through a banking channel or any remittances, either originating from, destined to, or passing through a high-risk country, would be subject to reporting in HRC/HRCA.

It does not necessarily require the physical presence of the person (transferor or transferee of funds) in the high-risk country at the time of remittance or receipt of funds. Instead, association by nationality or place of residence in high-risk countries would also be considered in the case of a natural person. While in the case of a corporate entity, the company’s place of incorporation or operation, as well as the association of the UBOs or authorized signatory or senior management with high-risk jurisdictions, must be considered.

Accordingly, any transaction or activity about transferring funds into or from high-risk countries would be subject to reporting to FIU. Please note that such reporting is irrespective of the amount involved or the currency.

How and to whom is HRC/HRCA to be filed?

As the Financial Intelligence Unit (FIU) is the reporting authority for all AML matters in the UAE, the HRC and HRCA must also be filed with FIU.

Like all other AML reports (such as STR, SAR, DPMSR), HRC and HRCA are also reported through the goAML Portal. While submitting the reports on goAML, the appropriate report type must be selected by the reporting entity. FIU does not accept any report either through physical mode, via email, or as a message on the Message Board available on the goAML Portal.

In the case of a transaction with a person from a high-risk country, if the reporting entity does not have the necessary details related to the transactional attributes mandatory to be captured on goAML, then the reporting entity may choose to file an HRCA. Here, the reporting entity must ensure that all the adequate details of parties, value involved, etc., are adequately captured.

What is the Financial Institution’s and DNFBP’s obligation post-filing HRC/HRCA?

Once HRC or HRCA has been filed with FIU, reporting entity must withhold the execution of the transaction for three (3) days from the date of reporting to FIU, as the FIU is expected to respond to such HRC/HRCA during these days. If, during these three (3) days, FIU does not object to or respond to filed HRC/HRCA, then reporting entity can conduct the transaction basis the due diligence performed for the subject party and the transaction. Such transaction execution will be at the judgment of the reporting entity only.

If the FIU issues any instructions concerning filed HRC/HRCA within the prescribed time, the same needs to be adhered to by the reporting entity.

Transactions and the parties reported in HRC/HRCA should be subject to frequent ongoing monitoring by the reporting entity

Is there any exemption from filing HRC/HRCA?

HRC/HRCA reporting requirement is applicable only in cases of cross-border transfers.

Accordingly, transactions like domestic cheques, payment of domestic utility bills using a card issued in UAE or cash by a person hailing from a high-risk country, etc. are exempted from HRC/HRCA reporting requirements, as no banking or remittance channels have been used for the international transfer of funds.

Illustration:

A. Assume you are a TCSP and a corporate entity with a place of incorporation in the high-risk jurisdiction approaches you for assistance in setting up a branch in UAE. For such a transaction, the person has traveled to UAE from another country. The payment for the said services would be remitted to your account from the company’s account with a bank in another high-risk country.

Since there is cross-border movement of funds by bank transfer, the proposed transaction must be reported in HRC/HRCA. Here, DNFBP shall ensure that the reported transaction shall only be executed if the FIU does not object to the transaction and after three working days after filing an HRC.

B. An individual from high-risk jurisdiction has visited a non-banking financial institution in UAE to get the US Dollars converted to AED. Here, the currency exchange transaction occurs in UAE without any funds transferred through banks. Accordingly, the financial institution would be exempt from reporting this transaction with FIU.

AML UAE

With every increasing reporting requirement and risk of money laundering to businesses, it is always good to have a team of professionals at your resort to safeguard your business from being vulnerable in the hands of launderers and stay compliant with regulatory requirements. If you are looking for such assistance, AML UAE is there for you – your trusted partner for AML Compliance.

FAQs About High-Risk Country Reporting

Yes, DNFBPs and Financial Institutions are required to file HRC with FIU.

The DNFBPs and the Financial Institutions must file HRC or HRCA using their goAML registration credentials. Third parties can assist you in filing these reports with FIU, using the reporting entity’s credentials for the goAML portal.

While establishing business relationships or conducting business activities, if you identify any activity or transaction with a person or entity having an association with high-risk countries, then as DNFBP, you are required to submit the HRC or HRCA with FIU UAE via the goAML Portal.

HRC or HRCA reporting requirement is for high-risk countries classified as “High-risk jurisdictions subject to a Call for Action” by FATF.

FATF has classified the below-mentioned countries as high-risk jurisdictions subject to a “call for action”:

Democratic People’s Republic of Korea (DPRK)
Iran

There is no threshold amount prescribed for filing HRC and HRCA. Every transaction involving high-risk countries must be reported in HRC and HRCA, irrespective of the transaction value.

Transactions not involving any cross-border transfer of funds to or from the high-risk countries are exempted from HRC/HRCA reporting requirements, like domestic cheques, payment of domestic utility bills using a card issued in UAE, cash by a person from a high-risk country, etc.

Once an HRC or HRCA has been filed with FIU, the reporting entity shall keep the execution of the subject transaction on hold for three days from the date of submission of HRC/HRCA.

No, domestic transactions which do not involve any international transfer of funds to high-risk countries are not required to be reported.

The transactions related to trading shares/stocks, forex, crypto assets, bonds, mutual funds, commodities, etc., would also be subject to HRC/HRCA if these transactions are cross-border.

Our timely and accurate AML consulting services

For your smooth journey towards your goals

Add a comment

Related Blogs

18/12/2025

Customer Due Diligence (CDD): A Complete Guide | AML UAE

17/12/2025

AML/CFT Remedial Action Plan (RAP) Implementation Steps and Best Practices

10/12/2025

AML Implications for Politically Exposed Person (PEP)

Share via :

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik

Risk indicators for DPMS – Strategic Analysis by UAE FIU

Blogs

Protect your business with reliable and effective AML strategies with AML UAE.

Why did UAE FIU perform the strategic analysis of DPMS?

Given the fact that precious metals and stones are being highly exploited by criminals to launder money given their size and high liquidity, and the fact that UAE is one of the biggest marketplaces for precious metals and stones trading, the UAE Financial Intelligence Unit (UAE FIU) has recently conducted a strategic analysis of data about Dealers in Precious Metals and Stones (DPMS).

The Strategic Analysis Report lays down the UAE FIU’s objective for conducting this analysis of the DPMS sector as under:

To enhance the understanding of ML/FT vulnerabilities associated with precious metals and stones,
Developing ML/FT trends, typologies, and red flags indicating exploitation of precious metals and stones and the DPMS sector.

The methodology adopted by the UAE FIU for the strategic analysis of the DPMS sector

The UAE FIU’s strategic analysis is conducted based on the information gathered from the reporting entities operating as DPMS and other relevant stakeholders for January 2021 to June 2022.

The UAE FIU reviewed the below-mentioned data to analyze the ML/FT trends prevalent in the DPMS sector:

Dealers in Precious Metals and Stones Report (DPMSR) filed on the goAML portal indicating cash and wire transfer transactions above the prescribed threshold,
Suspicious Transaction/Activity Report (STR/SAR), filed either by the DPMS entities or with a “Reason for Reporting” indicating the abuse of precious metals and stones,
Information exchanged between UAE FIU and counterparty FIUs around gold smuggling, illegal mining of precious metals, gold theft, etc.),
Information received from domestic authorities – Public Prosecutions, Police Departments, and the Ministry of Interior (MOI) related to an investigation of money laundering and terrorism financing offenses,
Ministry of Economy’s (MOE) information about DPMS registered in the UAE and MOE imposed sanctions, fines, and warnings to DPMS entities,
Information received from the Federal Customs Authority around ‘Cash declarations’ wherein the purpose mentioned is related to precious metals and stones.

Conclusions of the UAE FIU’s strategic analysis of the DPMS sector

The Strategic Analysis Report addresses the ML/FT typologies and red flags associated with the DPMS sector in the UAE. As per the UAE FIU’s analysis, the following are the major ML/FT typologies or patterns abused to launder money through the DPMS sector:

Trade-based money laundering

Using DPMS entities as “front” to launder the illegal money using trade-based money laundering methods like incorrect invoicing, phantom shipment, or fictitious supply transactions.
Use of multiple DPMS entities as a ‘Corporate Vehicle’ to disguise the source of funds by creating multiple layers by way of transferring a large sum of money amongst the entities without any business rationale.

The trade-based money laundering is widely used in the DPMS sector to launder money, wherein the transaction is manipulated to transfer the funds from one person to another and from one country to another.

Other widely exploited trade-based money laundering techniques are:

To move a large sum of illicit funds from one country (importer) to another (exporter) by over-pricing the commodity supplied compared to its market value.
Raising multiple invoices on the importer for the same set of products and receiving the payment using different methods to avoid the attention of the authorities.
Representing the duplicate or fake stones as original and precious stones to bag transfer of large amount from buyer to seller.
Trade-based money laundering often involves tax evasion, either by short declaring the import quantities or under-pricing the imported goods to avoid paying a large sum of taxes on the import of precious metals.

Money laundering through “foreign currency exchange”

Indulging employees or third parties into the conversion of foreign currency exchanges without getting the name of the DPMS entity involved anywhere. Here, multiple individuals are involved to avoid reporting threshold and justify the source of funds and purpose as under:
Source of funds used for currency conversion: salary income or savings
Purpose of currency conversion: travel or family upkeep
DPMS is undertaking many foreign currency transactions, mainly in cash, without any logical business transaction or for a quoted reason like foreign suppliers only accepting cash, etc.

Generally, it has been seen that one currency can be converted into another currency without any involvement of a regulatory authority. Moreover, the conversion of cash currency legitimizes the source of such converted currency, as generally, the party offers receipt of such conversion.

Moreover, with the increased volume of global trades, the cross-border movement of funds has also risen, leading to increased cases of terrorism financing and laundering funds to invest in unregulated financial centers.

Gold/cash smuggling

Smuggling gold or illegally transferring the gold from the conflict-affected or high-risk jurisdiction. This smuggled gold or illegally transported gold is sold in smaller quantities to local DPMS entities against cash or is processed and re-exported illegally to different countries,
Sourcing of gold from miners without adequate due diligence of the miner,
Individuals smuggle cash (importing and exporting) on behalf of DPMS entities.

Using the network of people, gold and other precious metals are increasingly smuggled from illegal miners, wherein quantities of gold are distributed amongst many individuals to avoid the attention of and reporting threshold before the Customs Authority.

ML/FT risk indicators for DPMS sector suggested in the Strategic Analysis Report

The risk indicators or the ML/FT red flags captured in this report can be used by the DPMS and financial institutions to identify and report any suspicious activities involving precious metals and stones. The following is an illustrative list of ML/FT risk indicators captured in the report involving the abuse of precious metals and stones:

DPMS entities with complex legal structures, created either to hide the UBO or disguise the transfer of funds,
DPMS entity formed as a front company to mix the legally obtained funds with the illicit funds,
Unreasonable behavior of or large complex transactions by newly formed DPMS entities,
DPMS entities extensively transact in cash,
Irregular shipping methods inconsistent with the standard business practice of DPMS,
Inconsistent documentation or forged documents to disguise the transaction,
DPMS frequently enters into transactions of an abnormally large amount,
DPMS having multiple bank accounts without any business sense or DPMS entities operating bank accounts in the employee’s name,
Adverse news about the DPMS’ UBO or senior management,
DPMS or its UBO or management having close association with high-risk countries,
Receipt or payment of money to third parties having no connection with the sanctions,
Transaction structuring into smaller value deposits to avoid reporting threshold,
DPMS entities extensively involved in cross-border cash movement,
Frequent deposit of cash amounts into banks or exchange of foreign currencies by DPMS,
DPMS entities importing precious metals from conflict-affected jurisdictions, or the volume of import is inconsistent with the country of import (having limited mining capacity or no mines),
Failure to furnish ‘Customs Declaration’ concerning cash deposit related to precious metals/stones transaction,
DPMS transacting in gold instead of cash/bank transfer,
Transfer of funds amongst unrelated companies, having no business nexus,
DPMS or its employees engaging in frequent foreign currency conversions without any business logic,
Frequent travel to high-risk areas or illegal mining jurisdictions,
DPMS operates on loans and credit facilities, generally settled before due dates through cash.

The primary reason for exploiting the DPMS sector

Given the peculiar nature of precious metals and stones, the same is most vulnerable in the hands of money laundering, using various methods. We have tried to map the main reason for exploitation against the money laundering technique as under:

Characteristic of precious metals and stones	Money laundering method
Global currency – Precious metals and stones are widely accepted as a medium of exchange across the globe	Gold smuggling, wherein gold from illegal mines is smuggled or illegally transferred to other countries to supply it in the local market against cash Trade-based money laundering, wherein gold is imported and exported at a manipulated price
High liquidity – Precious metals and stones can easily be converted into cash	DPMS entities purchase smuggled gold without any adequate KYC and due diligence process Terrorists convert their illegal funds into gold, which can be easily transported and encashed in the country of operations
Over-the-Counter – Precious metals and stones trading in not regulated over an exchange platform	Smuggled gold is sold to the DPMS entities without any adequate KYC and due diligence process Inadequate documentation of the precious metal and stone transaction
Easy transportation – Compact size makes its movement easy	Easy movement of gold without much hassle makes it lucrative for terrorism financing and money laundering Terrorists store their illegal funds in gold and transport the same to the country of operations

How AML UAE can help

AML UAE can help you understand the risk indicators and ML/FT red flags specific to the DPMS sector to identify suspicious transactions and take necessary actions to combat the same (i.e., timely reporting to the FIU).

AML UAE also helps DPMS entities (including other DNFPBs) set up an in-house AML compliance department and impart AML training to the employees. We are committed to ensuring your compliance with applicable AML regulations and safeguarding DPMS entities against money laundering and terrorism financing threats.

AML UAE helps you safeguard your DPMS business from ML/FT threats.

Get in touch to know the best preventive and corrective actions.

Share via :

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 11 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Decentralized Finance (DeFi) and AML implications in UAE

Blogs

Protect your business with reliable and effective AML strategies with AML UAE.

Decentralized Finance (DeFi) and AML implications in UAE

The scope of Decentralised Finance is growing rapidly as the concept of virtual assets is being widely accepted across the globe. Decentralized finance, popularly known as DeFi, is an emerging finance domain that operates very distinctly from the traditional centralized financial system regulated and controlled by a country’s government.

With anonymity and lack of centralized governing authority, the money laundering risk around the same is also very grave. In this context, let us understand what DeFi is and what AML implications are around DeFi.

What is DeFi?

DeFi is a blockchain technology-based borderless and independent financial network.

Unlike a centralized financial system, there is no central authority governing DeFi, but it is owned by the users who operate and build it. DeFi is an independent system that works autonomously. People trade on the virtual platform, using technology to borrow, lend, invest, or trade without any central authority/intermediary regulating their finances.

DeFi works on blockchain technology in which the financial services are distributed in a series over the blockchain structure. It is monitored using smart contract programs without the involvement of any intermediary. Protocols are created using open-source software managed by a community of developers of DeFi.

With DeFi, financial transactions such as lending or borrowing can be done from any place with internet connectivity. A distributed financial database collates and aggregates data from all users and verifies the same using a consensus mechanism (a mechanism used to obtain agreement, trust, and security over a single value or parameter across a decentralized network).

DeFi is all about peer-to-peer transactions, where two parties come together to exchange cryptocurrency against any supply of goods or services without the involvement of any third parties like banks. Let’s take an example of a loan, where generally you would go to a bank or lending institution and get the money on interest. In the case of DeFi, once you input your loan requirement into the DeFi systems, an algorithm will run to find you a match. Of all the potential peer matches shown, you would agree to the lending terms of one of the peers and get the money on loan. This lending transaction is then recorded in the blockchain. Everything happens at a click of a mouse, and that too in a few seconds.

What are the benefits of DeFi?

It reduces the cost of financial services, which generally the banks and other financial institutions levy for obtaining their services.
Eliminates the intermediaries and establishes direct connections between the parties.
The money is kept in a digital wallet rather than placing it in a bank account.
Transferring funds becomes easy and quick.

What is Virtual Asset Service Provider?

Here, reference should be made to the definition of VASP as given by FATF, which is as under:

"A business which conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

an exchange between virtual assets and fiat currencies,
exchange between one or more forms of virtual assets,
transfer of virtual assets; (transfer means to conduct a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another),
safekeeping and administration of virtual assets or instruments, enabling control over virtual assets,
participating in and provision of financial services related to an issuer’s offer or sale of a virtual asset.

Can DeFi be construed as VASP or the person controlling it?

As apparent from the definition above and in the context of DeFi, the DeFi arrangement may fit in the definition of VASP as this technology-based network enables the users to enter if smart contract related to financial services using virtual assets. Thus, DeFi provides a platform to transfer virtual assets between parties by way of a transaction executed between the involved parties.

As mentioned above, though DeFi qualifies for VASP per se, it cannot be subjected to AML regulations as it is a technology solution or an application. It is essential to understand that even though the name suggests that such software operates on a decentralized ledger, these applications have an authoritative structure where any person or group of a few individuals influence or control DeFi. This control or influence may be related to enhancing the functionalities of the application, aspects related to user interfaces, say, over the governing protocols, or even earning profits out of this network.

In line with the FATF’s intent to apply the AML regulations to a natural or legal person, the person who is exercising control or has sufficient influence over the DeFi shall be construed as VASP for the purpose of implementing the AML provisions. Accordingly, the owners, developers, or the application operators have to ensure that they undertake due ML/FT risk assessment prior to operating the application as DeFi. This shall also include the implementation of adequate routine AML/CFT procedures and ongoing monitoring measures.

For details on AML/CFT obligation on owners, developers, and operators controlling the DeFi, please refer to our article on Virtual Assets and VASP.

Our timely and accurate AML consulting services

For your smooth journey towards your goals

Share via :

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 11 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Blogs

AML regulations for Virtual Assets Service Providers in UAE - Crypto AML Regulations in UAE

What is Virtual Assets?

What is Virtual Assets Service Provider?

1. The exchange between virtual assets and fiat currencies

2. The exchange between different types of virtual assets

3. Transfer of virtual assets

Let us discuss some examples and sample cases around who can be considered as VASP or how to identify VASP in the context of exchange or transfer of VAs.

4. Safekeeping or administration of virtual assets or instruments enabling control over virtual assets

5. Participating in and provision of financial services related to an issuer's offer or sale of a virtual assets

UAE Blockchain strategy 2021

Regulatory frameworks in UAE to govern the activities related to Virtual Assets

UAE Crypto Regulatory Authorities

Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA)

The Dubai Financial Services Authority (DFSA)

The Financial Services Regulatory Authority (FSRA)

The Virtual Asset Regulatory Authority (VARA)

UAE Crypto Regulations

UAE Crypto Regulations for Onshore Companies

Compliance and Risk Management Rulebook for VASP – Emirate of Dubai (except DIFC)

UAE Crypto Regulations for Financial Free Zone - Dubai International Financial Centre (DIFC)

UAE Crypto Regulations for Financial Free Zone - Abu Dhabi Global Market

Guiding Principles for VA Regulations by FSRA

AML/CFT regulations and obligations on VASP - AML Crypto Regulations in UAE

(a) VASP obligations under AML/CFT law

(b) Virtual Assets “AML/CFT” Compliance Policy

(c) Technology-driven KYC, Screening, and Transaction monitoring for VASPs

ML/FT typologies and red-flag indicators relating to Virtual Assets (VA)

1. ML/FT typologies related to Virtual Assets (VA)

2. ML/FT red flag indicators for VASP

AML UAE at Your Service

FAQs On AML Regulations for Virtual Assets Service Providers

What is a Crypto Asset?

What is a Cryptoasset exchange?

Who regulates the crypto, NFT, and virtual assets onshore/mainland companies in UAE?

Who regulates virtual assets companies housed in Dubai International Financial Centre (DIFC)?

Who regulates crypto and other virtual asset companies housed in Abu Dhabi Global Market(ADGM)?

Do Virtual Asset Service Providers (VASPs) have to register with the goAML in UAE?

What are the Anti-Money Laundering (AML) laws and regulations applicable to Virtual Asset Service Providers (VASPs) in UAE?

What AML compliance requirements do Crypto companies, NFT, and other Virtual Asset Service Providers in UAE have to follow?

Blogs

AML Transaction Monitoring: A powerful tool to detect financial crimes

What is AML transaction monitoring?

Significance of AML transaction monitoring

Steps to an effective transaction monitoring program

1. Risk assessment of your business

2. Define red flags of suspicious transactions

3. Create transaction monitoring rules

4. Review the generated alerts

Best practices of a robust AML transaction monitoring program

AML UAE’s role in transaction monitoring for entities

FAQs on Transaction Monitoring

Reach Out to Dipali

Blogs

Use of Digital ID for Customer Due Diligence -New Guidance issued by CBUAE for LFIs

Digital ID for Customer Due Diligence Guidance Applicability

Key Takeaways: Guidance on Digital ID for Customer Due Diligence

How can AML UAE help?

Reach Out to Dipali

Blogs

Uncovering the Red Flags of NFT-Related Money Laundering

NFT Critical red flags suggesting high ML/FT risk

Other Risk Indicators suggesting medium ML/FT Risk related to NFTs

How can AML UAE assist you in AML NFT Compliance?

What is NFT money laundering and how to combat it?

What is NFT money laundering and how to combat it?

What are NFTs?

How are NFTs different from cryptocurrencies?

Why are NFTs attractive to money launderers?

How does NFT money laundering occur?

Wash trading

Standard money laundering

How to combat NFT money laundering?

Key AML Measures and Responsibilities for curbing NFT money laundering

How can AML UAE help?

FAQs on NFT Money Laundering and ways to combat it

Blogs

What is trade-based money laundering?

Why do criminals engage in trade-based money laundering?

Lack of regulations