Regulatory Update October 2025 – ME Region

On 1 October, the Dubai Financial Services Authority (‘DFSA’) held an outreach session as a follow up on the results of the thematic review on self-custody published in September. The review was directed at fund managers (‘FMs’) in the Dubai International Financial Centre (‘DIFC’) that maintain self‑custody arrangements for domestic funds, including public, exempt, and qualified investor funds (‘QIFs’).

The thematic review was prompted by the significant growth in domestic funds, with 30% operating under self‑custody models, which presented heightened risks such as potential mismanagement or misappropriation of fund property. The DFSA reviewed 23 FMs and tested 46 funds against applicable rules in the collective investment rules (‘CIR’) based on fund type.

The key areas of improvement include:

• operational risk
  • policies and procedures did not include self-custody arrangements
  • policies and procedures were not periodically reviewed and updated to reflect the current self-custody arrangements
• conflict of interest risk
  • policies and procedures did not include conflicts of interest risks in relation to self-custody
  • proper disclosures were not included in the fund’s private placement memorandum (‘PPM’)/prospectus in relation to conflicts of interest
• liquidity risk
  • liquidity risk was only applicable to two FMs who had open-ended domestic funds
  • one FM did not have adequate systems and controls in relation to liquidity risk management in open-ended funds, as required under CIR8.6A.1
• transparency and disclosure risk
  • the review identified that most FMs included appropriate disclosures in relation to self-custody however, some FMs did not include accurate disclosures in relation to current self-custody arrangements in the fund’s PPM/prospectus
  • the review identified in one instance where a FM had not disclosed self-custody arrangements to unitholders in periodic reporting
• risk mitigation
  • some FMs did not include a review of their self-custody arrangements as part of the firm’s compliance monitoring plan (‘CMP’)
  • compliance reports in relation to self-custody arrangements did not include sufficient details to demonstrate how the assessment of the adequacy of such arrangements was made
  • none of the FMs considered subjecting their self-custody arrangements to internal audit reviews.

You can read the DFSA Thematic Review in full here.

On 1 October, the DFSA issued Consultation Paper No.168 “Enhancements to the Regulation of Crypto Tokens”, inviting public comment on proposed amendments to its regulatory regime for financial services involving crypto tokens. These proposals reflect global regulatory developments, supervisory experience, and market feedback. The DFSA began regulating crypto tokens in 2022, issuing initial rules in November the same year. Minor updates followed in 2023, with more significant changes in 2024 addressing custody, staking, and financial crime.

In Consultation Paper No.168, the DFSA is proposing a shift in its recognition approach for crypto tokens (excluding fiat crypto tokens). Under the new model, the responsibility would lie with the individual or entity seeking to conduct a related activity to reasonably determine whether the crypto token is suitable for that specific use.

In addition to assessing the suitability of a crypto token, firms must also consider the nature, scale, and complexity of their financial services activities, the products and services they offer, and their current or intended customer base. For instance, a large global fund manager may reasonably include a low market-cap token in a closed-ended fund for professional clients. In contrast, a smaller firm serving retail clients may not reach the same conclusion, particularly if it lacks adequate systems and controls to monitor the token effectively.

Further, Authorised Persons in the DIFC are expected to establish policies, procedures, and systems in line with General Module (‘GEN’) section 5.3 to ensure effective governance and compliance with the requirements of GEN section 3A.2. These frameworks should be reviewed regularly to account for changes in the market, products, or regulatory landscape.

Given the rapidly evolving nature of the crypto market, it is proposed that firms continuously monitor and regularly reassess the suitability of any crypto token they use. If a firm determines that a token is no longer suitable for a specific activity, it should immediately stop that activity. Where immediate cessation is not feasible, the firm should take all reasonable steps to discontinue the activity as soon as possible.

The consultation invited inputs from Authorised Market Institutions, alternative trading systems operators, custodians, Authorised Firms, crypto token issuers, and related service providers. Stakeholders were encouraged to review the proposals and submit comments by 31 October 2025 through the designated online response form.

You can read the DFSA consultation in full here.

On 8 October, following the publication of its thematic review on high-growth firms in September, the DFSA held an outreach session with Authorised Firms to discuss good practices and areas for improvement. The session featured a presentation by the DFSA covering its approach and methodology, interactive case studies, and a Q&A segment.

Key themes and findings include:

• good practice
  • firms engaging with DFSA on growth plans at an early stage
  • incremental approach to expanding service offerings and launching of new products/services.
  • enhancing governance and oversight arrangements to support expansion and ensure it is managed appropriately.
  • proactively investing in key resources ahead of implementing growth initiatives
• areas for improvements
  • compliance resourcing not keeping pace with growth and nature, scale and complexity of business
  • board discussions lacking sufficient challenge on proposed business strategy and growth plans, including associated risks
  • lack of management information (‘MI’) to monitor impact of new growth areas on business
  • few firms commissioned work by compliance or internal audit on execution of growth plans and impact on/risks to business.

This initiative aligns with the DFSA’s broader strategy to encourage controlled and sustainable growth within the DIFC.

You can access the DFSA presentation here.

On 9 October, the DFSA announced it will co-host the second Joint Climate Finance Conference with the Hong Kong Monetary Authority (‘HKMA’) on 26 November in Dubai. Themed “Transforming Tomorrow,” the event will spotlight innovation, resilience, and cross-border collaboration in sustainable finance. Key topics include climate finance, tokenisation, and sustainable debt, with support from DIFC Authority and Nasdaq Dubai. The conference aims to deepen the Asia – Middle East Corridor and foster inclusive, future-ready financial ecosystems.

You can read the DFSA announcement in full here.

On 13 October, the DFSA launched a proliferation financing (‘PF’) survey to support the revision of the UAE’s Proliferation Financing National Risk Assessment (‘PF NRA’). Authorised firms were required to submit their responses via the DFSA portal by the deadline of 17 October 2025. The initiative forms part of ongoing efforts to strengthen the UAE’s financial crime risk framework.

13 October, the DFSA launched DFSA Connect, a new digital platform designed to simplify and accelerate the authorisation process for financial services firms operating in and from the DIFC.

DFSA Connect marks a significant step forward in regulatory innovation, offering smarter automation, streamlined workflows, and a more intuitive user experience. The platform is expected to deliver a 33% efficiency gain, helping the DFSA manage rising application volumes, up 18% in the first three quarters of 2025 alone.

The platform also lays the groundwork for future Artificial Intelligence (‘AI’) integration, promising personalised applicant journeys and faster turnaround times. As Dubai continues to position itself as a global financial hub, DFSA Connect is set to play a pivotal role in modernising regulatory engagement and supporting sustainable market growth.

You can read the DFSA announcement in full here.

In March, the DFSA consulted on proposed changes to its approach to licensed functions and Authorised Individuals under Consultation Paper No.165. The paper sought feedback on the following changes:

• removal of the requirement for the DFSA’s prior approval for the appointment of compliance officers, finance officers, and senior managers, reclassifying them as designated functions and individuals
• clarification of the assessment criteria that Authorised Firms should apply when selecting individuals for designated and Authorised Individual roles
• clarification of the definition of a compliance officer
• consideration of whether finance officers should remain a mandatory function for certain low-risk firms
• clarification of the definition of a senior manager
• extension of the principles for Authorised Individuals to all staff involved in activities related to financial services or the management of an Authorised Firm.

On 14 October, the DFSA issued Dear SEO Letter to advise Authorised Firms not to act on the proposals included in CP165 until formal updates are made to the DFSA Rulebook, with a notice to be issued in due course.

The DFSA advised that in the interim, firms should continue to meet existing obligations regarding the appointment, fitness, and propriety of all individuals. This includes maintaining robust vetting processes, governance structures, and records in line with GEN Rules 5.3.19 and 7.5.1A. Firms outsourcing licensed functions should ensure those individuals are competent and capable, and that any dual-function roles are justified and manageable. These responsibilities are central to maintaining trust, market integrity, and client protection within the DIFC.

A formal notice will be published on the DFSA website to inform stakeholders when these changes take effect.

You can read the Dear SEO Letter in full here.

On 14 October, following Consultation Paper No. 164 “Capital Requirements for Operational Risk”, the DFSA updated its Prudential – Investment, Insurance Intermediation and Banking Module (‘PIB’). The DFSA has proposed implementing the revised standardised approach for calculating risk-weighted assets (‘RWA’) for operational risk, in line with the Basel III framework. These proposals aim to further align the DFSA’s prudential regime with international standards set by the Basel Committee on Banking Supervision (‘BCBS’), supporting a more resilient and consistent global banking system.

The changes will take effect on 1 January 2026 and should be of interest to Authorised Firms licensed to accept deposits, provide credit, or deal in investments as principal. They are also relevant to potential applicants, auditors, advisers, and other industry participants engaged in these activities.

You can read the updated regulations here.

On 14 October, the DFSA announced amendments to DIFC Law No. 2 of 2025, clarifying its powers, functions, and objectives within the DIFC. The updates reinforce the DFSA’s alignment with the broader strategic goals of the DIFC as set out under Dubai Law. These changes came into effect on 30 October 2025.

You can read the updated regulations here.

On 15 October, the DFSA and the Virtual Assets Regulatory Authority (‘VARA’) signed a Memorandum of Understanding (‘MoU’) to strengthen regulatory collaboration across Dubai’s financial and virtual asset sectors. The agreement establishes a framework for cooperation between the DFSA, which oversees virtual assets in the DIFC, and VARA, which regulates the broader Dubai jurisdiction outside the DIFC. Key areas of joint effort include licensing, supervision, enforcement, anti-money laundering, and information sharing to bolster market integrity and support Dubai’s position as a leading global financial centre.

You can read the DFSA announcement here.

On 20 October, the DIFC issued an update highlighting its continued growth and strengthening position as the leading global financial hub for the Middle East, Africa, and South Asia. The DIFC now hosts over 8,000 active registered companies, including 1,000 regulated entities. Banking assets have reached approximately US$ 240Bn, marking a 200% increase since 2015. DIFC Courts have also processed more than AED 17.5Bn in total case values year-to-date.

You can read the DIFC announcement in full here

On 27 October, the Securities and Commodities Authority (‘SCA’) and the DFSA signed a MoU to strengthen regulatory cooperation on audit oversight across the UAE. The agreement establishes a framework for collaboration on firm registration, inspection, and supervision of audit functions, with the shared goal of improving financial reporting standards, market integrity, and investor confidence.

This strategic partnership reflects the growing complexity of the UAE’s financial markets and supports the development of a more robust and transparent audit environment across both mainland and DIFC jurisdictions.

You can read the DFSA announcement in full here

On 29 October, the DFSA announced it will host a cyber risk webinar on 10 November, focusing on post-quantum cryptography (‘PQC’) and its potential to strengthen the financial sector’s resilience against emerging quantum-era threats. As digital dependency increases, the session will explore the shift toward quantum-safe cryptographic systems and highlight key preparatory steps for financial institutions.

Advance registration was required to receive the webinar access link.

On 29 October, the DIFC and Jebel Ali Free Zone Authority (‘JAFZA’) signed an agreement to establish a dual-zone operational framework linking both free zones. The initiative enables companies to broaden their financial, industrial, and corporate structuring presence in Dubai by combining DIFC’s sophisticated legal and financial platform with JAFZA’s robust trade and industrial ecosystem.

You can read the DFSA announcement here.

On 1 October, the Financial Services Regulatory Authority (‘FSRA’) issued Notice No. FSRA/FCCP/138/2025 to selected ADGM firms, announcing a public consultation on the UAE’s implementation of the crypto-asset reporting framework (‘CARF’). Developed by the OECD, CARF is a global standard designed to enable the automatic exchange of tax information related to crypto-asset transactions.

The framework addresses challenges to international tax transparency posed by the unique nature of crypto-assets, which can be transferred and held without intermediaries. Under CARF, entities providing crypto-asset services, such as exchanges, brokers, and digital platforms, may be classified as reporting crypto asset service providers (‘RCASPs’) and required to report relevant user and transaction data annually.

This initiative marks a significant step in the UAE’s commitment to enhancing global tax transparency and combating tax evasion through international cooperation.

The consultation was open until 8 November 2025.

On 2 October, the FSRA issued a “Dear SEO/MLRO” letter to selected firms along with a mandatory survey supporting the revision of the UAE Proliferation Financing National Risk Assessment (‘PF NRA’).

The survey is confidential and not intended for sharing. It contains several insightful questions that support the assessment of PF risks within AML business risk assessments. These include evaluating both direct and indirect exposure to PF, as well as identifying the main PF threats relevant to the firms in the UAE context. The deadline for submission was on 14 October 2025.

On 9 October, the FSRA held an outreach session at the Abu Dhabi Global Market (‘ADGM’) focused on anti-money laundering (‘AML’), countering the financing of terrorism (‘CFT’), and targeted financial sanctions (‘TFS’).

The session provided participants with practical insights into regulatory expectations, featured expert-led discussions, and encouraged active engagement on key compliance topics:

• reminder on the AML/CFT obligations and key observations from the analysis of the AML return submissions
• overview cyber risk management
• role and responsibility for the AML/CFT
• the AML/CFT national strategy and the AML track tool
• the update on the UAE national initiatives, including the national AML/CFT statistics, AML/CFT strategic objectives and the AML track tool
• update on the upcoming FATF UAE Mutual Evaluation and national preparation
• national risk assessment (‘NRA’)
• key findings observed during the onsite and thematic review of the private sectors
• highlight key findings and observations and recommendations to ensure effectiveness and implementation of the necessary measures to strengthen the AML/CFT obligations
• financial intelligence unit of the UAE (‘UAE-FIU’)
• legal persons and concealment of beneficial ownership risk assessment
• ADGM company service provider framework.

On 10 October, the FSRA released its findings from a thematic review examining AML/CFT compliance across Virtual Assets Service Providers (‘VASPs’) operating in the ADGM.

While firms generally demonstrate awareness of their obligations, the FSRA identified several execution gaps that require attention:

• weak customer due diligence practices
• inadequate transaction monitoring systems
• poor alignment with the travel rule
• gaps in applying risk-based frameworks
• many firms lack independent assurance, with insufficient internal or external reviews of AML/CFT controls
• staff training is not well-tailored to roles or risk exposure, and counterparty due diligence is often weak.

The FSRA expects VASPs to evaluate their existing frameworks in light of the review findings and implement necessary enhancements to meet compliance expectations. Robust and consistent financial crime controls are critical to maintaining a secure business environment. Senior management is expected to take an active role in driving these improvements across all levels of the firm.

You can read the FSRA Dear SEO Letter here.

On 14 October, the ADGM Registration Authority (‘RA’) released Consultation Paper No. 10, outlining proposed enhancements to the Commercial Permits Regulations 2024. The paper invited public feedback on key areas including temporary commercial permits, temporary activity permits, special sales and promotions permits, and related fee structures. The consultation paper closed on 30 October.

The key proposed changes include:

• requiring businesses to obtain a temporary commercial permit from the RA to operate within ADGM for a defined period
• mandating a sales and promotions permit for ADGM-licensed entities or temporary permit holders engaging in promotional or sales-related activities
• introducing a temporary activity permit for events, entertainment, photography, and speaking engagements within ADGM
• setting clear conditions for the issuance of temporary commercial, activity, and sales and promotions permits.

You can read the Consultation Paper here.

On 16 October, the ADGM RA published updates on the Commercial Licensing Regulations (Conditions of Licence and Branch Registration) Rules 2025 (“Conditions of Licence Rules”) and the Commercial Licensing Regulations (Controlled Activities) Rules 2025 (“Controlled Activities Rules”).

The key updates include the following:

• launching a newly regulated activity category for tax-related services
• implementing updated application criteria for obtaining licences to offer legal and tax services
• defining ongoing licensing obligations for approved legal and tax service providers
• strengthening governance requirements for licensed company service providers by mandating conflict of interest policies and procedures
• legal service providers
  • must appoint a managing partner (or equivalent) with a minimum of 8 years post-qualification experience
  • required to maintain a registered office in ADGM
  • must secure professional indemnity insurance
  • obligated to submit an annual return to the RA
  • must adhere to defined regulatory principles
• tax service providers
  • at least 50% of senior management must be suitably qualified professionals
  • must obtain and maintain professional indemnity insurance
  • required to comply with established regulatory principles
• company service providers:
  • must implement robust policies and procedures to manage conflicts of interest.

The newly introduced Conditions of Licence Rules and Controlled Activities Rules officially replace the previous regulatory framework and take immediate effect for both new applicants and existing licence holders. Grace periods have been introduced for current licence holders to ensure adequate time for compliance with the revised requirements.

You can read the updated regulations here.

On 17 October, the Financial and Cyber Crime Prevention Department (‘FCCPD’) issued a Dear SEO Letter addressed to Authorised Persons and Recognised Bodies, outlining updates to national cybersecurity policies released by the UAE Cyber Security Council (‘CSC’). These updates relate to the publication of newly revised policies from the CSC.

The FCCPD reiterated that, although adherence to CSC’s policies is not mandatory, it is essential for APs and RBs to remain informed about the overarching cybersecurity strategies, policies, and best practices adopted at the national level.

You can read the Dear SEO Letter here.

On 22 October, Numou, a subsidiary of ADGM unveiled its flagship Procurement Financing initiative, designed to help Small and Medium Enterprises (‘SMEs’) with government or corporate contracts access funding more efficiently. The solution connects confirmed contract demand with lender support through Numou’s digital platform, bridging the gap between procurement opportunities and financial institutions.

This initiative enables lenders to evaluate SMEs based on verified contracts, helping businesses overcome funding challenges during contract execution.

You can read the ADGM announcement in full here.

On 27 October, the FCCP invited Financial Institutions (‘Fis’), VASPs, and Designated Non-Financial Businesses and Professions (‘DNFBPs’) to attend virtual awareness sessions on 3, 5 and 6 November.

These sessions will focus on key compliance topics including trade-based money laundering (‘TBML’), correspondent banking, customer due diligence (‘CDD’), know your customer (‘KYC’), and record-keeping. The goal is to share best practices and practical guidance to strengthen AML/CFT frameworks across all sectors.

On 28 October, the ADGM RA published new administrative regulations 2025 (the “Admin Regulations”) and consequential amendments to the relevant commercial legislation. The updated administrative regulations and commercial legislation reforms offer a comprehensive and well-structured overhaul of the RA’s statutory framework, strengthening enforcement, sanctions, and contravention procedures while streamlining the previous system and ensuring consistency across ADGM’s commercial laws.

Some of the key updates include:

• enhanced investigative powers of RA
• updates to fines and administrative sanctions
• implementation of a dual-tiered framework for contraventions, with tailored enforcement procedures based on severity
• establishment of a statutory emergency mechanism that allows the RA CEO to act swiftly in urgent situations.

The enactment of the new regulations, along with amendments to applicable ADGM Regulations and the repeal and replacement of the Commercial Licensing Regulations and related ADGM Rules, takes effect immediately upon publication.

You can access the updated regulations here.

On 31 October, the FSRA published regulatory amendments following a public consultation issued in September on activities involving Fiat-Referenced Tokens (‘FRT’). These rules will come into effect on 1 January 2026.

The key updates include:

• conduct of business rulebook (‘COBS’)
  • Authorised Persons involved in holding, controlling, or facilitating custody of FRTs for others are required to comply with the provisions for safe custody rules
  • Authorised Persons providing payment services involving FRT are required to safeguard those tokens held on behalf of payment service users, in accordance with the requirements relevant to payment services, safe custody, resolution rules and additional rules in chapters 16 and 17 of COBS
  • before placing reserve investments (‘RIs’) with a Third-Party Agent (‘TPA’), Authorised Persons must submit written details to the FSRA about the agent’s identity, jurisdiction, financial standing, the RIs, and the intended investments and obtain written non-objection from the Regulator for the proposed TPA
  • prior to transactions, Authorised Persons must disclose to clients in a clear, fair and not misleading way all of the risks associated with its products and services, virtual assets (‘VAs’) and/or FRTs generally, and accepted virtual asset (‘AVAs’) or accepted fiat-referenced Token (‘AFRTs’)
  • Authorised Persons engaged in VAs or FRTs who hold, or control client money must conduct account reconciliations at least weekly and complete reconciliations within five days of the relevant date
  • if a payment service includes holding or transferring FRTs, the provider must explain how the tokens will be held, specify which token is involved, and provide a link to the issuer’s website containing information about the issuer and its reserves
  • a payment account holding FRTs must clearly indicate its purpose as safeguarding tokens under COBS Chapter 15, be used exclusively for payment transactions, and hold only FRTs that belong to payment service users
  • before entering into a transaction to buy or sell FRTs, an Authorised Person providing payment services must establish and disclose a fair commercial policy outlining eligible customer types and any preconditions, provide transparent information to customers on the price or pricing method for the token, all applicable transaction fees, any limits on the amount of tokens that can be exchanged.
• Prudential – Investment, Insurance Intermediation and Banking Rulebook (‘PRU’)
  • providing money services through FRTs intermediation falls under prudential category 4
• Glossary Rulebook (‘GLO’)

You can read the updated regulations here.

On 31 October, following public consultations held in July and September, the FSRA issued Amendment No. 2 to the Financial Services and Markets Regulations (‘FSMR’) 2025 and additional updates to several of its rulebooks. These changes focus on FRTs and aim to further align ADGM’s regulatory framework with the principles set out by the International Organization of Securities Commissions (‘IOSCO’). The rules will come into effect on 1 January 2026.

The key updates to FSMR include:

• powers, functions and objectives of the regulator
  • suspend financial service permission for no longer than 12 months
  • apply conditions, restrictions or limitations to financial services permissions
  • suspend financial services approval for a period of up to 12 months
  • if the FSRA is investigating under section 205 and reasonably suspects misconduct by Authorised Persons that could justify altering their financial services permission, it may suspend or vary that permission for the duration of the investigation and any related proceedings
• restrictions on offering units in a fund
  • a person may only offer a unit within the ADGM in accordance with the relevant regulations and associated rules
  • the FSRA may also define, through rules, circumstances under which a sale or transfer of a unit does not qualify as an offer
• stop orders
  • if the FSRA determines that an offer of a unit breaches the regulations or is contrary to the interests of the ADGM, it may issue a stop order prohibiting the offer, issue, sale, or transfer of the Unit by specified persons for a period it deems appropriate
• warning notices by the FSRA
  • if the FSRA determines that following the procedures in sections 247 and 254 would cause harmful delays to the ADGM financial system or its users, it may bypass those procedures
  • in such cases, the FSRA must still offer the affected person or third party a chance to make representations after the decision is made.

In addition, the updates were made to the COBS, GEN, Market Infrastructure Rulebook (‘MIR’), and the Market Rulebook (‘MKT’).

You can access the updated regulations here and here.

In October, ADGM marked its 10th anniversary as one of the world’s fastest-growing international financial centres. Since its establishment in 2015, the ADGM has attracted more than 300 financial institutions collectively managing US$ 28.6Tn in global assets. These firms include hedge funds, banks, asset managers, private equity firms, venture capital entities, and credit funds. Going forward, the ADGM aims to set new global benchmarks in innovation and resilience across key sectors including regulation, digital assets, artificial intelligence, green finance, and family office services.

You can read the ADGM announcement in full here.

On 2 October, the Central Bank of the United Arab Emirates  (‘CBUAE’) and the Central Bank of the Republic of Turkiye (‘CBRT’) signed a bilateral currency swap agreement between the UAE Dirham and the Turkish Lira (‘TRY’), in addition to two MoUs. One of the MoUs is to promote the use of local currencies (AED – TRY) for cross-border transactions, and the other to interlink their payment and messaging systems. These agreements aim at promoting financial and economic collaboration and strengthen bilateral trade.

You can read the CBUAE announcement in full here.

The UAE has updated its legal regime for combating money laundering, terrorism financing, and proliferation financing through the enactment of Federal Decree-Law No. 10 of 2025 (the “2025 AML Decree-Law”).

The 2025 AML Decree-Law came into force on 14 October 2025. This legislation supersedes Federal Decree-Law No. 20 of 2018 (the “2018 AML Law”), and introduces comprehensive reforms aimed at reinforcing enforcement mechanisms, broadening the scope of criminal accountability, and ensuring closer alignment with evolving global standards.

The key areas of change include the following:

• clarification of key definitions
  • proliferation financing
  • predicate offences
  • digital and virtual assets
  • refined definition of proceeds
  • clarified mens rea standard
• expanded powers of FIU
  • article 5 of the 2025 AML Decree-Law introduces substantial new powers for the head of the FIU, including the authority to suspend transactions for up to ten working days and to freeze funds for up to thirty days, subject to extension by the public prosecutor
  • this represents a notable departure from the 2018 AML Law, where such powers were limited to a seven-day freeze (w held by the governor of the central bank)
• clarification of asset freezing and seizure
  • the 2025 AML Decree-Law introduces clear, separate definitions for “freezing” and “seizure” of funds, improving clarity around the level of control, purpose, and impact of each measure (unlike the 2018 AML Law, which treated both under a single definition)
  • under the new framework, the head of the FIU is authorised to issue both types of orders (1) seizure order (can last up to 10 days and be extended) and (2) freezing order (can last up to 30 days and is also extendable)
• asset recovery
  • this new provision lays out a clear legal framework for recovering criminal assets, with further details to be set by executive regulations from the cabinet of ministers
  • article 22 includes protections for innocent third parties, ensuring their rights are respected when criminal property is confiscated
• voiding evasive contracts
  • under article 6(3) of the new law, any contract or deal is automatically cancelled if one of the parties knew, or should have reasonably known, that it was meant to block authorities from seizing or freezing criminal assets
  • this rule builds on a narrower version found in article 26 of the 2018 AML Law, making it tougher on attempts to hide illicit funds
• increased penalties.

The expected operational compliance impacts include:

• continuous monitoring
  • article 19 of the 2025 AML Decree-Law clearly defines “continuous monitoring” as a key part of due diligence, making it more prominent than in article 16 of the 2018 AML Law
  • this change reinforces the obligation for regulated entities to actively and consistently oversee client relationships, rather than treating monitoring as a one-time or occasional task
• expanded definition of client
  • article 1 of the 2025 AML Decree-Law expands the definition of “client” to include any person, entity, or legal arrangement that either has a business relationship or is about to form one
  • this is a subtle but important shift from the 2018 AML Law, which focused only on those actively conducting or attempting to conduct business
  • as a result, due diligence requirements now clearly apply even before a client is officially onboarded.

Based on article 19(2) of the 2025 AML Decree-Law it is expected that the executive regulations will provide detailed guidance on a wider range of entities and roles in the future, including:

• non-profit organisations
• economic and commercial registries responsible for regulating legal arrangements
• companies, their managers, and nominee shareholders
• legal arrangements, trustees, and persons holding similar positions

The firms are required to:

• review and update AML/CTF policies to reflect expanded definitions and obligations
• strengthen transaction monitoring systems to detect digital and virtual asset risks
• train staff on new liability standards and enforcement powers
• prepare for upcoming executive regulations that may introduce further compliance requirements.

You can read the official announcement here.

On 10 October, VARA launched a public consultation on the implementation of the crypto-asset reporting framework (‘CARF’), a new global standard developed by the Organisation for Economic Cooperation and Development (‘OECD’) for the automatic exchange of tax information related to crypto-asset transactions.

The rapid rise of the crypto-asset industry has reshaped global financial markets by enabling new digital transaction models. However, this evolution poses significant challenges to international tax transparency, largely due to the decentralised nature of crypto-assets, which can be transferred and held without traditional financial intermediaries.

The proposed framework defines reporting crypto-asset service providers (‘RCASPs’) as individuals or entities that, as part of their business activities, facilitate exchange transactions involving crypto-assets. This includes acting as intermediaries, counterparties, or providing access to trading platforms.

The key features of the proposed CARF framework include:

• provisions for reporting obligations being aligned with aligns with the common reporting standard (‘CRS’) deadline of 30 June following the relevant calendar year
• RCASPs are required to collect and validate self-certifications that include key information about crypto-asset users, such as their legal name, tax residency jurisdiction(s), and tax identification numbers (‘TINs’), ensuring the accuracy and credibility of the data provide
• to identify the controlling persons of an entity crypto-asset user, RCASPs may rely on data gathered through AML/KYC procedures, as long as those procedures align with the 2012 FATF Recommendations and subsequent updates from June 2019 and June 2021 specific to virtual asset service providers
• penalties ranging from AED 20,000 to AED 250,000 for submitting inaccurate or incorrect information in self-certifications, failure to submit required self-certifications, and attempts to circumvent CRS obligations.

You can read the VARA announcement here. Comments were welcome until 8 November.

On 7 October, the SCA, in collaboration with the International Organisation of Securities Commissions (‘IOSCO’), hosted a virtual awareness workshop as part of World Investor Week 2025. The session, titled “Investor Protection in the Era of Digital Finance,” was held virtually and focused on enhancing public understanding of financial fraud risks and promoting informed decision-making.

Key objectives included:

• identifying common fraud red flags in financial markets
• strengthening investor protection through regulatory awareness
• encouraging the use of modern communication tools for financial education
• guiding participants on how to prevent and respond to financial fraud.

The SCA underscored the emergence of critical risk typologies and emphasised the need for proactive prevention and effective mitigation strategies, outlined as follows:

• deepfake scams (voice/video vishing) and synthetic identity fraud, buy now, pay later (‘BNPL’) fraud
  • verify via multiple channels (e.g., call back/video call)
  • protect personal data and use secure KYC platforms
• DeFi “Rug Pulls” (anonymous developers, no transparency), pump & dump schemes, and fake airdrops (token frauds: launching tokens without real-world use, fake roadmaps, or false partnerships)
  • research team credibility
  • never share private keys
  • check if the offering is licensed/registered
• phishing, pig butchering (romance scams), malware in trading apps, social media “influencer” scams, and QR code fraud
  • always type URL manually (use official merchant/payment QR codes only)
  • verify influencer licensing by SCA
• operating without a license, ponzi schemes, fake IPOs, and unauthorised overseas platforms.
  • deal only with SCA-licensed or recognised platforms
  • verify licenses on the SCA website.

The event targeted investors, university students, young professionals, and the general public, reinforcing the SCA’s commitment to financial literacy and market integrity in the digital age.

On 27 October, VARA issued a public alert regarding Vesta Prime Portal Co. L.L.C, operating as “Vesta Investments” via www.vesta-investment.com from Business Bay, Dubai. The company is suspected of promoting virtual asset services without the required regulatory approvals and misrepresenting its licensing status.

VARA directed the company to either take down its website or clearly state that it is not authorised to offer virtual asset services. Vesta Investments is not licensed under Dubai Law No. (4) of 2022 or Cabinet Resolution No. 111/2022, and any related activities are non-compliant with VARA regulations.

Investors are cautioned that engaging with unlicensed providers poses serious financial and legal risks. VARA did not approve any promotion or solicitation by this entity, and it is prohibited from marketing virtual asset services in or from Dubai.

You can read the VARA alert here.

The SCA issued a series of warnings throughout October, spotlighting unlicensed financial activity and impersonation of licensed firms in the UAE.

On 7 October, the SCA flagged two separate impersonation incidents. An unknown entity was found posing as CFI Financial Markets L.L.C, and another was misrepresenting Century Financial Consultancy L.L.C. Both are legitimate, licensed firms, but the impersonators are not. The SCA advises investors to confirm company credentials through official channels to avoid falling victim to fraud.

On 22 October, the SCA cautioned against NQD Global Marketing Management L.L.C, stating the company is not authorised to conduct regulated financial services. Investors are urged to avoid engagement and verify licensing status before committing funds.

Additional details on all public warnings issued by SCA are available here.

On 31 October, the General Secretariat of the National Anti-Money Laundering Committee (‘NAMLCFTPC’) and the General Commercial Gaming Regulatory Authority (‘GCGRA’) released a policy paper outlining a robust AML/CFT framework for the UAE’s commercial gaming industry. The GCGRA is the federal body created to oversee every aspect of commercial gaming in the United Arab Emirates.

The policy paper highlights key money laundering and terrorist financing risks in the UAE’s commercial gaming sector, including anonymous transactions, misuse of player accounts, third-party payments, cross-border activity, opaque payment methods, and potential employee involvement. It outlines targeted mitigation strategies based on global best practices, to be implemented after a thorough sectoral risk assessment.

The paper’s main recommendations include completing the ML/TF risk assessment as a foundational step, enhancing coordination among regulators and enforcement bodies, enforcing stricter due diligence for gaming operators, adopting technology-driven supervision tools, and strengthening internal controls and staff training. These measures aim to support the sector’s sustainable growth while protecting the integrity of the UAE’s financial system.

You can read the policy paper here.

On 6 October, the United Nations Security Council (‘UNSC’) Committee, operating under resolutions 1267 (1999), 1989 (2011), and 2253 (2015), amended two entries on its sanctions list related to ISIL (Da’esh) and Al-Qaida. A further amendment was made on 21 October. These updates reflect ongoing efforts to maintain the accuracy and effectiveness of international sanctions targeting terrorist groups and their affiliates.

As a UN member, the UAE is committed to enforcing UNSC resolutions, and all firms are required to report their involvement with sanctioned entities or individuals.

All relevant persons were reminded of their obligations to:

• screen the updated entries against internal databases
• report any confirmed or potential matches via the goAML platform.

Further information can be found here and here.

On 17 October, the Financial Action Task Force (‘FATF’) published an updated consolidated ratings table. The table summarises jurisdictions’ progress against the 40 FATF recommendations. The recommendations assess the jurisdiction’s maturity against money laundering, counter terrorist financing and proliferation financing measures.

You can read the consolidated rating table here.

On 25 October, following its plenary meeting, the FATF released an updated grey list. Burkina Faso, Mozambique, Nigeria, and South Africa were removed from the list and are no longer subject to increased monitoring. No new jurisdictions were added during this session.

You can read the updated grey list here.

On 27 September, the UN reactivated earlier sanctions on Iran that were originally in place before 2015. This means that all the measures from six previous UN resolutions are now back in effect (1696 (2006), 1737 (2006), 1747 (2007), 1803 (2008), 1835 (2008), and 1929 (2010)). These resolutions collectively targeted Iran’s nuclear and ballistic missile programs, restricted arms and technology transfers, and froze assets of key individuals and entities.

On 29 October, the FATF updated its standards to reflect these renewed sanctions. Specifically, FATF Recommendation 7, which deals with stopping the financing of weapons of mass destruction, now applies to these reactivated UN resolutions. Member countries will be evaluated on how well they implement this recommendation.

You can read the announcement here.

As of 31 October, the FATF announced an upcoming webinar in November focused on financial inclusion and the adoption of proportionate, risk-based strategies to combat illicit finance. The event aims to support countries in implementing updated FATF Standards and Guidance.

Earlier this year, FATF enhanced Recommendation 1 to emphasise proportionality and simplified measures under the risk-based approach. It also released new guidance featuring global case studies and best practices for integrating financial inclusion with AML/CFT efforts.

The webinar will feature experts from the FATF global network, financial inclusion advocates, and private sector leaders. Key topics include:

• overview of changes to FATF Standards and Guidance
• practical implementation strategies and case studies
• challenges faced by regulators and financial institutions.

You can read the FATF announcement here.

On 7 October, following a targeted investigation, the VARA imposed financial penalties on 19 firms for conducting unlicensed virtual asset activities and violating VARA’s Marketing Regulations. Sanctions included cease-and-desist orders and fines ranging from AED 100,000 to AED 600,000, based on the severity and scope of each breach.

VARA’s Enforcement Division continues to actively monitor and investigate non-compliant activity. The authority reminded consumers, investors, and institutions that engaging with unlicensed operators poses serious financial, legal, and reputational risks. Only entities licensed by VARA are permitted to offer virtual asset services in or from Dubai.

You can access the VARA enforcement notification here.