
The Four Pillars of a VASP for VARA Compliance
November 10, 2025
Core Compliance Roles in VASPs
For Virtual Asset Service Providers (VASPs) under Dubai’s Virtual Assets Regulatory Authority (VARA), compliance begins right at the licensing stage. VARA requires aspiring VASPs to submit 25 compliance-related documents as part of the application process. Applicants must also inform VARA about the three roles that a VASP operating under VARA must fill:
- Compliance Officer (CO)
- Money Laundering Reporting Officer (MLRO)
- Head of the Risk Function (HRF)
Overseen by senior management and the Board, these three roles are jointly responsible for managing the compliance and risks of a VASP.
It’s important to remember, however, that the CO, MLRO and HRF roles do not always need to be filled by different individuals. A single qualified person can serve in different compliance roles if there are no conflicts of interest and the individual is deemed by VARA to be fit and proper to assume the responsibilities of the prescribed role.
Responsibilities of CO, MLRO and the HRF
It is easy for new entrants in the UAE’s virtual asset space to think compliance is only about manuals and policies. However, VARA places equal emphasis on people, because accountability sits with individuals who can be assessed for independence, competence, and judgment.
Let’s look at some of the important responsibilities of each of these roles:
| Role | Overview | Key Responsibilities | Additional Notes |
|---|---|---|---|
| Compliance Officer (CO) | Architect of the Compliance Management System (CMS). Ensures the CMS is independent, well-resourced, risk-based, and up to date with evolving regulations. | | Must have at least 5 years of relevant experience. Subject to annual review by VARA. |
| Money Laundering Reporting Officer (MLRO) | Responsible for AML/CFT compliance in line with UAE laws and FATF Standards. | | Must have at least two years of AML/CFT experience and be deemed fit and proper by VARA, subject to annual review. |
| Head of Risk Function (HRF) | Leads the risk management function within the VASP to identify, quantify, and mitigate risks across multiple categories. Must be appropriately qualified. | | Risk Categories: Financial Stability: capital adequacy, market volatility, liquidity shortfalls, credit exposures; Market Conduct: weak strategy, poor onboarding, cyber threats; Compliance & Risk Management: AML/CFT breaches, fraud, outsourcing risks, poor continuity planning; Consumer Protection: misleading promotions, unfair contracts, weak disclosures, mismanaged assets |
Internal Audit: The Fourth Pillar
An independent Internal Audit function is a regulatory requirement for VASPs under VARA. It reviews operations, risk, and compliance across multiple verticals. While the CO, MLRO, and HRF build and manage frameworks, Internal Audit acts as the independent assessor, the third line of defence that tests whether those frameworks are truly effective. The Internal Audit function can be outsourced to competent and appropriate professionals with expertise across a wide range of operations.
Why Internal Audit matters:
- Unbiased perspective: The Internal Audit function sits outside operations and provides an objective view to senior management.
- Breadth of coverage: Because VASPs face risks across markets, custody, technology, finance, and operations, audits can extend into every corner of the business.
The importance of compliance goes far beyond an individual company. A major cybersecurity breach or AML failure can irreparably damage not only a single firm but also wider market confidence, with severe long-term consequences. For a city like Dubai, already a major hub for crypto companies with a large user base and positioning itself as a leader in Web3 adoption, it is not surprising that compliance is treated as central to its reputation. With each passing year, the UAE also continues to place a stronger emphasis on safeguarding the integrity of its financial system. In fact, by mid-August 2025, total AML/CFT fines imposed by the UAE authorities across FIs and DNFBPs had crossed AED 400 million. In this context, a strong Compliance Function within a VASP acts as the guardrail not only against diverse risks but also against the escalation of potential breaches.
The Internal Audit function, fully independent from operations and management, forms the fourth pillar by providing the objectivity needed to test and validate operations as well as compliance and risk management systems across the organisation.

A Lesson from VARA’s Enforcement Action
On 18th August 2025, VARA issued a public notice of fines against a licensed VASP for serious governance and AML breaches. The failures included weaknesses in the AML programme, non-disclosure of material facts, and conducting unlicensed activity. A “Skilled Person” was appointed to oversee remediation, and the firm was placed under ongoing supervision by VARA.
These failures highlighted breakdowns at multiple levels: compliance, risk management, and internal audit, all of which failed to prevent or detect the breaches. This is not uncommon. Compliance for VASPs is more complex than in many other sectors because of the deep integration of technology with regulatory requirements. Compliance Officers and MLROs must be familiar not only with legal frameworks but also with blockchain, wallets, token flows, and exchange operations. Monitoring systems and investigative tools require equally deep technical understanding. Conversely, blockchain technologists and enthusiasts also need to familiarise themselves with regulatory obligations. Without this, a gap emerges that very few organisations are able to bridge.
The Dual Expertise of AKW Consultants
AKW Consultants is a regulatory compliance firm recognised as a global brand in AML/CFT compliance. Alongside our compliance expertise, we have a dedicated technology team developing AI-driven solutions for traceability, transaction monitoring, and advanced risk detection. We have also developed and executed smart contracts across multiple projects. Our deep expertise in both regulations and technology has positioned us as one of the foremost RegTech firms in the Middle East. These initiatives have already delivered significant breakthroughs for clients across high-risk sectors, giving us a unique edge in supporting the virtual asset industry.
In addition:
- We designed the AML framework for the UAE’s first licenced cryptocurrency trading company.
- We have worked as outsourced MLRO for VASPs.
- We are among the industry’s leading firms in conducting comprehensive Internal Audits of operational, technological, and compliance functions of a VASP.
- In the precious metals sector, we serve as a UAE Good Delivery Auditor and a Ministry of Economy–approved reviewer of gold refineries, bringing deep expertise from another high-risk industry where we are already recognised globally.
- Our team has long-standing relationships with regulators and first-hand knowledge of how VARA, MoE, FATF, OECD, and MENAFATF standards shape compliance.
The UAE’s National Risk Assessment, published in 2025, has identified the virtual assets sector as high risk. With the FATF/MENAFATF mutual evaluation onsite period scheduled for June 2026, enforcement measures are set to intensify. In this context, discover how our dual expertise in technology and compliance can not only help you meet regulatory requirements but also future-proof your business in a competitive virtual assets ecosystem.


