Dubai has positioned itself as a virtual asset hub for the world and considers itself a progressive market. It is important to note that the United Arab Emirates consists of 7 emirates, each with its own emir. Therefore, the regulations discussed below are only applicable to Dubai.
Dubai has adopted the Financial Action Task Force’s Recommendation 16 (Travel Rule) along with additional regulations and guidelines of its own. Moreover, as per Law No. (4) of 2022 Regulating Virtual Assets, it has set up its own authority, the Virtual Assets Regulatory Authority (VARA), responsible for regulating virtual assets, which are defined as:
A digital representation of value that may be digitally traded, transferred or used as an exchange or payment tool, or for investment purposes. This includes Virtual Tokens, and any digital representation of any other value as determined by VARA. [Law No. (4) of 2022 Article (2)]
The Emirate has provided a comprehensive list of guidelines with the goals of remaining technology-agnostic, offering complete consumer protection, socio-economic stability, and furthering itself as a global crypto hub.
What is the scope of the Travel Rule in Dubai?
Per Law No. (4) of 2022 Regulating Virtual Assets in the Emirate of Dubai, the Travel Rule applies to all Virtual Asset Service Providers (VASPs) operating within the UAE, including free zones, and requires the collection, verification, secure transmission, monitoring, and retention of originator and beneficiary information for qualifying virtual asset transfers.
For the avoidance of doubt, the concept of “execution” is interpreted broadly and includes initiating, facilitating, effecting, or otherwise contributing to a transfer, with the following activities requiring permits and falling under VARA’s supervision:
- Provision of virtual asset platform operation and management services;
- Provision of services for the exchange between virtual assets and national or foreign currencies;
- Provision of services for the exchange between one or more forms of virtual assets;
- Provision of virtual asset transfer services;
- Provision of virtual asset safekeeping, management, or control services;
- Provision of services related to virtual asset wallets; and
- Provision of services related to offering, and trading in, virtual tokens.
Additionally, as per Article 16, VARA has the authority to:
- classify and define the activities mentioned above, and define the regulations and rules required to govern them.
- extend this list to include any activity, business, practice, or service related to virtual assets.
- define all virtual asset activities, businesses, practices, services, and products prohibited in Dubai.
In summary, the Travel Rule applies to any VASP acting on behalf of an originator, transferring virtual assets to a VASP acting on behalf of a beneficiary; or when virtual assets are received by a VASP acting on behalf of a beneficiary from a VASP acting on behalf of an originator.
Who is the supervisory body for VASPs in Dubai?
Virtual Assets Regulatory Authority (VARA)
What is the Travel Rule threshold in Dubai (VARA)?
AED 3,500 (roughly USD 950)
What are VARA’s requirements for Travel Rule information to be exchanged?
The Travel Rule applies to all transactions; Travel Rule data must be obtained and transmitted with all transactions. If criminal activity or any other ML/TF type of behaviour is suspected, this data must be verified.
However, where transfers equal, accumulate to, or exceed AED 3,500 daily, Travel Rule data must always be verified.
Required originator information:
- originator’s name,
- originator’s account number or wallet address,
- originator’s residential or business address.
Required beneficiary information:
- beneficiary’s name,
- beneficiary's account number or wallet address.
VARA has the right to request to view this information at any time.
Obligations of all virtual asset service providers
Before VASPs can transact with any counterparty VASP, irrespective of jurisdiction, a complete risk-based due diligence process is to be completed. This process need not be repeated for each transaction; it is repeated only if a risk is identified.
VARA further requires that VASPs illustrate how they would comply with the Travel Rule when licensed. VASPs must submit all policies and controls related to the process to VARA. In addition, VASPs are to include a solution for dealing with the “sunrise issue”.
VASPs will be responsible for risk management and must consider all risks associated with non-obliged entities, all transactions, anonymity-enhanced transactions, and any transaction or series of transactions that try to circumvent the Travel Rule.
All VASPs are required to:
- review the Travel Rule in full and assess its impact on virtual asset transfer-related controls;
- update policies, procedures, systems, and controls governing virtual asset transfers, counterparty due diligence, exception handling, and record keeping;
- ensure alignment between Travel Rule obligations and applicable VARA Rulebooks; and
- provide appropriate training to relevant staff on Travel Rule requirements.
VARA may assess implementation through supervision engagements, inspections, and thematic reviews.
In line with implementation and supervision expectations, VASPs are expected to implement all necessary updates without delay, proportionate to the nature, scale, and risk profile of their virtual asset transfer activities.
Where deficiencies or implementation challenges are identified, VASPs should take timely remedial action and engage proactively with VARA.
Failure to comply with the Travel Rule may result in supervision or enforcement action in accordance with VARA’s regulatory mandates and applicable UAE law.
All VASPs should take into account the information from both the originator and beneficiary sides of a transfer when assessing whether a suspicious transaction or activity report is required. Where the applicable legal threshold is met, reports must be submitted to the UAE Financial Intelligence Unit in accordance with applicable AML/CFT requirements.
VASPs must not execute virtual asset transfers involving privacy tokens, due to their inherent obfuscation features and associated financial crime risks. This prohibition applies specifically to the execution of virtual asset transfers and does not affect other licensed activities that do not involve such execution.
VASPs must also maintain customer records for a minimum of 8 years, ensure that clients’ virtual assets are separated from the VASP’s own virtual assets, and hold clients’ virtual assets on a 1-to-1 basis.
Obligations of originator virtual asset service providers
Prior to executing a transfer, the originator VASP must confirm that the beneficiary VASP is appropriately regulated in its jurisdiction of incorporation or operation. VASPs are forbidden from executing transfers to counterparties that are not appropriately regulated in the UAE or in a foreign jurisdiction.
Before executing a transfer, the originator VASP must collect, verify, and securely transmit the required originator and beneficiary information.
Where multiple virtual asset transfers are batched, the required information must accompany each individual transfer within the batch.
For domestic transfers where verified originator and beneficiary data is already available to the beneficiary VASP by other means, less data can be transmitted alongside the transaction, provided the full dataset is made available within 3 working days upon request.
Where a counterparty VASP is unable to receive required information, the originator VASP must use best efforts to establish alternative secure communication channels and must reassess the relationship and associated risks where such issues persist.
Obligations of intermediary virtual asset service providers
VASPs acting as Intermediary Providers must:
- confirm and verify the regulatory status of both originator and beneficiary VASPs;
- transmit all required originator and beneficiary information through the transfer chain, or retain such information where technical limitations apply;
- detect and address transfers with missing required information; and
- maintain logs and records of all virtual asset transfers, including rejected or failed attempts, in accordance with applicable record-keeping requirements.
Obligations of beneficiary virtual asset service providers
Beneficiary VASPs must implement risk-based measures to identify transfers that are missing information and determine appropriate responses, which include deciding whether to:
- reject (where technically possible),
- delay,
- permit, or
- return the virtual asset transfer; and/or
- report the matter to the relevant authority.
Systemic failures by counterparties to provide required information must be documented and reported to the relevant regulatory authority, together with details of remedial actions taken.
Does Dubai's Travel Rule apply to self-hosted wallets?
VASPs must apply enhanced due diligence for virtual asset transfers involving self-hosted wallets, including additional customer identification and source of funds verification.
Where the required information is not provided, or where risks cannot be adequately mitigated, the VASP must decline, delay, or return the transfer in accordance with its risk-based policies and procedures.
When do you need to comply with the Travel Rule in Dubai?
Immediately
Which regulations are applicable to the Travel Rule in Dubai?
VARA has established a set of rulebooks to guide and support VASPs in meeting their regulatory obligations. These include four compulsory rulebooks which set the foundational requirements for all licensed entities.
In addition, VARA has developed a range of activity-specific rulebooks. Together, these frameworks are designed to help VASPs implement consistent, risk-based controls while ensuring compliance across different business models and activities.

