Regulatory Update January 2026 – ME Region

On 9 January, the Dubai Financial Services Authority (‘DFSA’) published its findings from a thematic review examining how Authorised Firms in the Dubai International Financial Centre (‘DIFC’) manage conflicts of interest. The overall results of the thematic review highlighted a clear need for enhancements to policies, procedures, and control environments. In addition, the DFSA held an outreach session on 4 February to present the key themes, findings, and good practices from the review directly to the Authorised Firms.

The key findings were as follows:

• policy gaps
  • although over 90% of firms had policies and procedures addressing conflicts of interest, many were unclear or did not adequately cover the associated risk management requirements
• lack of risk assessment
  • more than one‑third of firms, primarily in wealth management and advisory, had not assessed whether their business model exposes them to conflicts of interest risks
• incomplete scope
  • several firms considered only a narrow range of conflict types, leading most to report very low levels of identified conflicts
• governance weaknesses
  • escalation processes were inconsistent, and board‑level oversight was limited
  • only a small number of firms showed active senior management involvement or periodic reviews of conflicts of interest risks
• over‑reliance on employee disclosures
  • identification practices varied widely, with many firms depending heavily on periodic employee disclosures as their primary control
• informal decision‑making
  • reviews and assessments were often based on informal judgement with minimal documentation, rather than structured and well‑defined decision‑making processes
• inadequate monitoring and reviews
  • conflicts of interest were not sufficiently addressed within second‑line and third‑line monitoring activities
• incomplete registers
  • many firms’ conflicts of interest registers were either incomplete or missing key information needed for informed decision‑making
• variable training and awareness
  • employee awareness levels differed widely, with most firms needing to improve the quality, scope, and frequency of their training
• inconsistent reporting
  • although the DFSA expects firms to engage openly and cooperatively, the thematic review found several discrepancies between Firms’ survey responses and the information provided during the second phase.

The DFSA also highlighted the following examples of good practice observed during the review:

• business specific and detailed conflicts of interest policies
• regular and meaningful management information presented to boards and governance committees,
• scenario based and role specific training
• independent compliance and internal audit testing
• use of technology enabled conflict registers that assess risk impact and document mitigation measures.

You can read the DFSA Thematic Review in full here.

On 12 January, the DFSA implemented an updated regulatory framework for crypto tokens in the DIFC. The revised rules aim to strengthen oversight, improve clarity for firms, and promote a secure and transparent digital assets environment. The update follows a 2025 consultation and builds on the DFSA’s evolving approach since launching the regime in 2022.

A major change is the move from DFSA‑led token assessments to firm‑led suitability evaluations, meaning firms must now justify whether tokens meet regulatory criteria. The reforms also introduce stronger investor protections, improved conduct and operational standards, and reporting requirements aligned with global digital asset market developments.

Following the updated framework, the DFSA will host a webinar on 12 February to help Authorised Firms understand what the updated rules mean for them. It is open to consultants, advisers, law firms and other industry participants wishing to stay informed.

The session will cover:

• the reason the DFSA updated the Crypto Token regime and how it has evolved since its introduction in 2022
• the major changes introduced under the updated framework, such as the shift to firm led suitability assessments
• the impact of the updated rules on existing Authorised Firms and potential new entrants
• how DIFC’s digital assets ecosystem and regulatory framework work together to support responsible innovation and sustainable growth.

You can read the DFSA announcements here and here.

On 14 January, the DIFC announced that Dubai will host the inaugural Dubai Future Finance Week (‘DFFW’) from 11 to 15 May 2026. DFFW will unite global leaders in finance, policy, technology and investment to discuss the future of the international financial ecosystem.

Designed as a citywide platform and led by the DIFC, DFFW will explore critical themes including capital markets, fintech innovation, sustainability led finance, regulatory developments and private wealth. The central anchor event, the Dubai FinTech Summit, will welcome over 10,000 delegates from more than 150 countries, with expanded features such as an investors’ lounge, deal hub and dedicated content streams on digital finance and AI driven technologies.

Additional forums include Seamless FinTech Middle East, the Reg3 Forum, the DIFC Family Wealth Centre Summit, the Future Sustainability Forum, and the Islamic Finance Forum, each addressing emerging opportunities and sector-wide transformation. DFFW will also host sector-specific platforms such as the MENA Banking Excellence Awards, the Solana Economic Zone, IPEM Future Dubai and the Dubai Future District Fund annual meeting.

Collectively, Dubai Future Finance Week will be the region’s most comprehensive gathering focused on the evolution of global finance, reinforcing Dubai’s strategic ambitions under D33 and strengthening its role as a leading global financial hub.

You can read the DIFC announcement in full here.

On 19 January, the DFSA informed Senior Executive Officers (‘SEO’) and Compliance Officers (‘CO’) that the questionnaire for the “DFSA Suitability Thematic Review 2026” was made accessible via the DFSA ePortal. Firms were required to submit its responses by 9 February.

Authorised Firms were previously informed of the Thematic Review in the Dear SEO/CO Letter “2026 Thematic Reviews on Suitability, Fund Platforms and Brokerage: Oversight of Trading Environment” dated 28 February 2025. The DFSA intends to evaluate Authorised Firms’ compliance with suitability requirements, assessing both design and practical implementation of suitability frameworks.

On 22 January, the DFSA circulated an invitation to Finance Officers of DFSA regulated entities for an upcoming outreach session focused on outlining regulatory expectations and providing guidance on good practices relevant to the Finance Officer role. The webinar is scheduled for 12 February 2026, and invitees were asked to submit any questions in advance during registration by 5 February 2026.

The session will outline the DFSA’s expectations for Finance Officers, who play a central role in ensuring financial integrity, transparency, and robust governance within firms. Key areas of focus will include common issues observed in the Electronic Prudential Reporting System (‘EPRS’), submissions and use of the DFSA ePortal, observations linked to fixed penalty notices, and DFSA expectations regarding engagement with auditors.

This initiative forms part of the DFSA’s ongoing commitment to enhancing prudential reporting quality and supporting Finance Officers in meeting their regulatory obligations.

Across January, the DFSA issued multiple alerts involving impersonation of the DFSA, misuse of DFSA logos and senior officials’ names, forged letters, impersonation of DFSA‑authorised firms, fraudulent websites, fake loan schemes, and unauthorised requests for payments. The scams involved both individuals and firms being targeted through fake correspondence, fraudulent digital platforms, and misappropriated regulatory credentials.

You can read the DFSA alerts here.

On 6 January, the Financial Services Regulatory Authority (‘FSRA’) issued an alert to the financial services community regarding suspected fraudulent activity and false and misleading claims made by an entity identifying itself as “SGV Advisory FZ LLC” or “Strategic Global Ventures”. The FSRA identified that the entity’s website () promoted an investment platform targeting general partner investors and made claims suggesting that it offered FSRA regulatory coverage and licensing from inception. The website further represents that a “Resident Director” provides FSRA cover. However, the individual named is an Approved Person of a separate FSRA-licensed entity and confirmed having no affiliation with “Strategic Global Ventures”, nor having authorised the use of their name or image.

The FSRA confirmed that the entity is not authorised, licensed, or incorporated in the Abu Dhabi Global Market (‘ADGM’) and has never been granted permission to conduct any Regulated Activity. The FSRA has advised the public to verify regulatory status via the ADGM public registers before engaging with any firm.

You can read the FSRA alert here.

On 8 January, the ADGM Registration Authority (‘RA’) announced the launch of an expanded suite of digitally enabled and regulated real estate services following the transition of Al Reem Island into the ADGM’s jurisdiction.

Key developments include:

• regulated procedures for off-plan agreement terminations, establishing a clear, transparent mechanism to reduce disputes
• registration of reservation agreements as a new ownership category, formalising future property interests
• SMART Valuation services, enabling indicative property valuations through official evaluation certificates
• enhanced leasing services and broker permitting, improving regulatory oversight and efficiency
• announcement of a forthcoming integrated escrow account service to strengthen transactional security and investor protection.

These initiatives introduced additional real estate services and procedures administered by the ADGM RA, aimed at enhancing transparency, facilitating secure transactions, and supporting investor confidence within the ADGM real estate market.

You can read the ADGM announcement here.

On 22 January, the FSRA issued Dear SEO Letter “Cyber Risk Findings and Recommendations”. The FSRA’s Financial and Cybercrime Prevention Department conducted a cyber risk management survey in Q3 2025. The survey, completed by 263 of 315 regulated entities, assessed firms’ preparedness against cyber risk ahead of the Cyber Risk Management Rules which were effective from 31 January 2026.

Key weaknesses identified included:

• insufficient board-level oversight and unclear governance structures for cyber risk management
• lack of clearly defined roles and responsibilities for operational cyber risk management, leading to accountability gaps during incidents
• incomplete or outdated IT asset inventories, limiting effective identification and prioritisation of cyber risks
• weak or inconsistent vulnerability management processes, increasing exposure to unpatched systems and known attack vectors
• inadequate integration of cyber risk requirements and incident reporting obligations within third-party and outsourcing arrangements
• absence of formal cyber risk assessments, resulting in limited visibility over firms’ security posture
• insufficient cyber security awareness and training programmes, reducing employees’ effectiveness as a first line of defence
• limited adoption of advanced technical controls and encryption measures
• limited use of advanced monitoring and adversarial testing techniques (e.g., penetration testing and red teaming), leaving sophisticated vulnerabilities undetected
• cyber incident response plans that are either informal, incomplete, or not regularly tested, undermining effective detection, response and recovery.

Firms are expected to maintain documented, board-approved cyber frameworks, implement proportionate technical and organisational controls, conduct regular training and testing, and establish formal, tested incident response plans.

You can read the FSRA Dear SEO Letter in full here.

On 23 January, the ADGM RA issued Discussion Paper No. 1 of 2026 “Proposed Guidance on Crypto Mining Activities”, seeking feedback on policy considerations relating to crypto mining activities.

For the purposes of this discussion paper, Crypto Mining is defined as “verifying transactions on a decentralised ledger or infrastructure network, in return for rewards in the form of digital asset generated by a consensus mechanism”. Within ADGM’s framework, Crypto Mining is not a regulated financial service. It is a licensed commercial activity subject to the RA’s commercial licensing and supervision. Crypto Mining entities must obtain and maintain an RA Commercial License.

Key updates of the draft guidance concerned:

• regulatory context and legal status of crypto mining and mined assets
• key definitions
• policy principles for responsible mining operations
• licensing requirements
• license conditions
• ongoing obligations, supervisory and enforcement expectations.

Although crypto mining is not a traditional financial service, it presents risks relating to operational resilience, cybersecurity, ownership and control transparency, health and safety, and cross-border oversight. The proposed framework seeks to mitigate these risks through clear licensing, disclosure, compliance and supervisory expectations, applied in a technology-neutral manner across all consensus mechanisms.

You can read the ADGM RA discussion paper here and comments are welcome until 20 March.

On 29 January, the FSRA issued Dear SEO Letter “Thematic Review on Outsourcing – Overall Observations”, setting out the key findings and observations from its review. The review assessed firms’ compliance with outsourcing requirements under the General Rulebook (‘GEN’), the Funds Rulebook (‘FUNDS’), the Anti-Money Laundering and Sanctions Rulebook (‘AML’) and the Prudential – Investment, Insurance Intermediation and Banking Rulebook (‘PRU’).

A summary of the weaknesses identified were as follows:

• failure to correctly identify outsourcing arrangements, including misclassification of material outsourcing and intra-group outsourcing
• overly narrow or overly broad interpretations of outsourcing rules, leading to regulatory gaps or misapplication
• inadequate or undocumented outsourcing policies, procedures, and risk management frameworks
• underestimation of risks arising from outsourcing, particularly where outsourcing is central to the business model
• insufficient initial due diligence on outsourced service providers, or inability to evidence that due diligence was conducted
• narrow or conflicted due diligence assessments, including reliance on group-level reviews without firm-specific assessment
• inconsistent due diligence approaches across service providers without a clear policy rationale
• weaknesses in written outsourcing agreements, including unclear scope of responsibilities, outdated contracts, and missing regulatory protections
• ineffective ongoing supervision and monitoring of outsourced service providers, including lack of periodic assurance reviews
• absence or inadequacy of contingency planning for failures of material service providers
• inadequate access to records held by outsourced individuals or service providers
• insufficient resourcing of outsourced staff performing key or controlled functions, particularly as firms grow in scale and complexity.

The FSRA reiterated that responsibility for compliance remains with Authorised Persons, regardless of outsourcing, and requested all firms to conduct a gap analysis against the findings and remediate any identified deficiencies. The FSRA noted that outsourcing arrangements, particularly those involving client due diligence (‘CDD’) processes, key control functions, and fund administration, will remain an area of heightened supervisory focus.

You can read the FSRA Dear SEO Letter in full here.

On 29 January, the FSRA issued a notice outlining updates to its IT and cyber‑incident reporting templates and reiterating the applicable reporting obligations. These changes follow the public consultation on cyber risk management. The updated cyber rules under GEN 3.5 came into effect on 31 January 2026.

The updated cyber rules introduce a 24‑hour maximum timeframe for initial incident reporting. Authorised Persons must notify the FSRA as soon as they discover a suspected material cyber incident, and in all cases no later than 24 hours after becoming aware of information that reasonably indicates such an incident may have occurred. In addition, the firms are required to provide “progressive” reporting to support timely and accurate ongoing updates as incidents are being contained and investigated.

You can read the FSRA notice in full here.

On 1 January, the UAE introduced Federal Decree-Law No. 26 of 2025 on Child Digital Safety (‘CDS Law’). Whilst this Decree was effective as of 1 January 2026, in-scope entities benefit from a one-year transitional period, with full enforceability from January 2027.

The CDS Law establishes a high-level framework to enhance the protection of children in the digital environment and increases accountability for providers of digital services operating in or targeting the UAE.

Key features included:

• protections against harmful digital content and online risks
• strengthened privacy and personal data safeguards for children
• standardised age-verification requirements across digital services
• governance measures for proactive monitoring and oversight.

The CDS Law applies to:

• digital platforms operating in or targeting the UAE
• UAE-licensed internet service providers
• custodians of children, subject to specified obligations.

Further guidance is expected through implementing regulations, including a platform risk classification framework that will determine the scope and proportionality of compliance requirements.

You can read the UAE Federal Decree-Law here.

On 1 January, the UAE enacted a new legislative framework establishing the Capital Market Authority (‘CMA’) through Federal Decree‑Law No. 32 of 2025 and Federal Decree‑Law No. 33 of 2025.

This new framework restructures the Securities and Commodities Authority’s (‘SCA’) oversight of capital markets, strengthens governance, and aligns regulatory practices with international standards. By creating an independent authority responsible for supervising and developing the capital markets sector, the UAE aims to enhance investor confidence, reinforce market integrity, and support the growth of a competitive, transparent, and innovation‑driven financial ecosystem.

Key provisions of the new laws include:

• renaming the SCA as the Capital Market Authority
• introducing a broader range of regulated financial activities
• expanding the CMA’s supervisory powers across the capital markets sector
• establishing regulatory oversight of the investor protection fund and the settlement guarantee fund
• clarifying the CMA’s responsibilities for prudential supervision and the management of exceptional circumstances
• empowering the CMA to enter reconciliation before the initiation of criminal proceedings
• granting the CMA authority to designate systemically important entities and regulate early‑intervention, settlement, and resolution mechanisms.

You can read the CMA announcement in full here.

On January 6, the Capital Market Authority of Saudi Arabia announced that it will open the Saudi capital market to all categories of foreign investors, enabling direct investment in Saudi Arabia’s Main Market with effect from 1 February 2026, following approval of the relevant regulatory framework.

These amendments eliminate the Qualified Foreign Investor (‘QFI’) regime and remove the regulatory framework governing swap agreements, thereby allowing non-resident foreign investors to invest directly in listed shares without qualification requirements. The measures are intended to expand the investor base, support market liquidity, and attract additional foreign investment, building on earlier procedural simplifications approved in July 2025.

You can read the Capital Market Authority of Saudi Arabia announcement here.

On 8 January, the Virtual Assets Regulatory Authority (‘VARA’) issued a circular to all licensed Virtual Asset Service Providers (‘VASPs’) setting out requirements for investor onboarding and classification under the VARA Market Conduct Rulebook (Part IV).

The circular requires VASPs to classify clients as Retail, Qualified, or Institutional Investors and to conduct financial eligibility checks, source of wealth verification, and suitability assessments before confirming Qualified Investor status. It also introduces cooling-off periods where there are failed suitability assessments and sets out clear procedures for upgrading client classifications during the client’s lifecycle.

VASPs must retain classification and suitability records for at least eight years and immediately align onboarding and classification processes with the circular. VARA may request evidence of compliance at any time, and non-compliance may result in regulatory action.

You can read the VARA circular in full here.

On 12 January, the UAE Financial intelligence Unit (‘FIU’) issued a short survey to assess the effectiveness of its strategic analysis function as part of national preparations for the upcoming FATF mutual evaluation. The survey was due for submission on 14 January.

Since 2021, the UAE FIU’s Strategic Analysis Unit has issued a series of typology reports and studies designed to enhance stakeholders’ understanding of key financial crime risks. These efforts have been supported by regular outreach sessions, engagement with reporting entities, and the incorporation of industry feedback to strengthen analytical outputs.

You can access the FIU Strategic Reports directly via goAML platform.

On 14 January, the Central Bank of the UAE (‘CBUAE’) hosted the Governor of the Bank of Finland (‘BoF’), at its Abu Dhabi headquarters. The meeting, attended by senior officials from both sides, reinforced a shared commitment to deepening cooperation in financial stability, regulatory development, green finance, and FinTech innovation.

Discussions centred on enhancing supervisory collaboration, advancing digital transformation, and improving cross‑border payment systems with key areas of focus being green finance and FinTech development. Both institutions emphasised the importance of exchanging expertise to build stronger regulatory and supervisory frameworks.

You can read the CBUAE announcement in full here.

On 14 and 15 January, the Supervisory Sub-Committee (‘SSC’) held two outreach sessions focused on beneficial ownership transparency and cash usage. The SSC operates under the umbrella of the National Anti‑Money Laundering and Combatting Financing of Terrorism and Illegal Organisations Committee (‘NAMLCFTC’), which oversees national AML/CFT policy and has several sub‑committees.

The key updates at the first outreach session on the transparency of beneficial ownership were as follows:

• Beneficial Owners (‘BOs’) are natural persons who ultimately own or control 25% or more of a legal person, including through indirect ownership or other means of control
• firms must look beyond legal ownership to identify control via agreements, nominees, or other arrangements
• complex or high-risk ownership structures require enhanced scrutiny and escalation
• common weaknesses include reliance on self-declarations, incomplete identification of indirect ownership, and failure to keep BO information up to date
• supervisors expect a robust risk-based approach, independent verification, ongoing due diligence, and strong governance and record-keeping.

The key updates at the second outreach session on the guidance on cash usage were as follows:

• cash remains a key ML/TF/PF risk, particularly in cash-intensive and high-value sectors
• firms must identify cash-specific risk indicators, including structuring, rapid cash turnover, and cash-to-virtual-asset activity
• enhanced due diligence and effective transaction monitoring are required where cash risk is elevated
• clear escalation, documentation, and compliance with cross-border cash declaration requirements are expected.

This guidance applies to all Financial Institutions (‘FIs’), Virtual Asset Service Provider (‘VASPs’), and Designated Non‑Financial Businesses and Professions (‘DNFBPs’) that are licensed, registered, and regulated by the Supervisory Authorities in the UAE.

On 22 January, the VARA issued a circular to all licensed VASPs remining them of their obligations regarding the publication of National Committee Decision No. (15) of 2025 and the October 2025 Financial Action Task Force (‘FATF’) update on jurisdictions under Increased Monitoring and High-Risk Jurisdictions subject to a Call for Action.

All VASPs must immediately integrate FATF high‑risk and monitored jurisdiction lists into their risk assessments and controls and apply enhanced due diligence to any customer or transaction linked to high‑risk jurisdictions. This includes verifying identity and beneficial ownership, assessing source of funds and wealth, documenting the rationale for the relationship, and applying enhanced monitoring and reporting. VASPs are prohibited from establishing branches or representative offices, or relying on third parties for CDD, in FATF Black‑Listed jurisdictions. All updates to internal policies, procedures, and customer risk‑rating frameworks must be documented.

You can read the VARA circular in full here.

On 22 January, the Gulf Capital Market Association (‘GCMA’) held its annual summit in Dubai. The GCMA is the region’s leading financial industry body, representing the collective voice of the Middle East’s growing capital markets.

The conference served as a high level platform to discuss key developments and challenges affecting capital markets at both regional and international levels, as well as to identify future directions in light of ongoing changes. The event brought together a group of leading investors, intermediaries, regulators, and government policymakers, creating an environment for meaningful dialogue on major capital market issues. The discussions helped deepen collective understanding and support strategic decision making across the sector.

The summit also hosted a regulatory forum that brought together leaders from the UAE’s three key financial regulators, the UAE CMA, the FSRA, and the DFSA, to discuss how they are navigating the country’s rapid growth as an international financial centre.

You can read the GCMA announcement in full here.

On 26 January, the UAE’s CMA issued a direct email notice to licensed financial institutions and VASPs informing them that the UAE has implemented a mandatory Virtual Assets Travel Rule.

The regulation requires all in‑scope institutions to collect, verify, transmit, and retain originator and beneficiary information for qualifying virtual asset transfers. Firms must apply a risk‑based approach (including for unhosted wallets) conduct appropriate screening and monitoring, and file STRs/SARs where necessary.

Key updates include:

• mandatory collection, verification, transmission, and retention of originator and beneficiary information for qualifying virtual asset transfers
• application of a risk-based approach to all transfers, including those involving unhosted wallets and intermediary providers
• beneficiary identity verification for transfers with daily aggregated values of AED 3,500 or more
• enhanced screening, monitoring, record-keeping, and STR/SAR reporting obligations
• express prohibition on transactions involving Privacy Tokens
• potential supervisory and enforcement action in cases of non-compliance.

All licensed entities are expected to review the regulation carefully and ensure that their internal frameworks, systems, and operational processes are fully aligned with its requirements without delay. Failure to comply may result in supervisory or enforcement action in accordance with applicable laws and regulations.

On 26 – 30 January, the UAE FIU participated in the 26th Egmont Group Annual Meeting in Tanzania, joining more than 400 representatives from FIUs worldwide. The meeting provided a platform for member FIUs to exchange expertise, strengthen international cooperation, and advance collective efforts to combat financial crime. Discussions centred on secure information‑sharing, the use of emerging technologies such as artificial intelligence, and strengthening international cooperation to combat money laundering and terrorist financing.

The UAE FIU contributed to several Egmont Working Group initiatives, including co‑leading guidance on FIU funding and resourcing challenges, supporting best‑practice development for strategic intelligence functions, and participating in projects addressing terrorist financing risks and public‑private partnership frameworks. The delegation also joined the MENA FIUs meeting and held bilateral discussions with peer FIUs on shared operational priorities.

You can read the Egmont Group announcement in full here.

On 29 January, the Qatar Financial Centre (‘QFC’) announced that the QFC, DIFC, and ADGM have formally recognised each other’s data protection frameworks, with each jurisdiction now included on the others’ adequacy lists. This mutual recognition enhances regulatory alignment across the GCC’s leading financial centres and facilitates seamless, trusted cross‑border data flows.

This milestone removes the need for additional transfer mechanisms when firms share personal data between DIFC, QFC, and ADGM entities. For businesses operating across multiple jurisdictions, it delivers simplified compliance, reduced administrative and operational burdens, with greater efficiency in cross border operations. The decision reflects a shared commitment to robust, internationally aligned data protection standards and reinforces the Gulf region’s position as a secure, innovation driven hub for financial services.

You can read the QFC announcement here and the adequacy decision by the DIFC Data Protection Commissioner here.

On 29 January, the official English translation of Cabinet Resolution No. (134) of 2025 was published and is accessible via the UAE legislation website, enabling firms to complete detailed impact assessments and implementation reviews.

The update follows the issuance of Federal Decree by Law No. (10) of 2025, which replaces Federal Decree-Law No. (20) of 2018, and Cabinet Resolution No. (134) of 2025, which replaces Cabinet Resolution No. (10) of 2019 and which took effect on 14 December 2025. Together, these instruments introduce significant enhancements to the UAE’s Anti-Money Laundering, Combatting Financing of Terrorism (‘AML/CFT’) and Targeted Financial Sanctions (‘TFS’) framework, reinforcing alignment with international standards.

Various UAE regulators, including the DFSA and FSRA, have issued notices reminding FIs, VASPs, and DNFBPs to review the new legislation, assess its impact on their AML/CFT and TFS frameworks, and update all relevant policies, manuals, systems, tools, and controls accordingly.

You can read the Federal Decree Law here and the Cabinet Resolution here.

Following last year’s release of its report on the misuse of virtual assets, the UAE FIU held an outreach session in January titled “Virtual Assets: Emerging Risks and Misuse in Financial Crime” as part of its ongoing efforts to enhance awareness among reporting entities. The session covered global and domestic virtual asset risks, key typologies, and relevant red flags, and outlined challenges and recommended actions to strengthen detection and reporting.

You can read the FIU report in full here.

On 4 January, the UAE officially assumed the presidency of the Middle East and Europe Joint Working Group of the Financial Action Task Force (‘MENAFATF’) as the organisation prepares to launch its third round of mutual evaluations under the FATF’s fifth‑round methodology.

Under the UAE’s stewardship, the MENAFATF will prioritise improving regional preparedness for evaluations, updating governance systems, enhancing international collaboration, and tackling emerging financial crime threats. The presidency is part of a coordinated two‑year arrangement with Bahrain, which will assume leadership in 2027 to ensure continuity and long‑term capacity building.

You can read the MENAFATF announcement in full here.

On 5–9 January, the UAE hosted a MENAFATF workshop in Abu Dhabi, bringing together international experts and seven national delegations to support jurisdictions undergoing the FATF International Co‑operation Review Group (‘ICRG’) process. The workshop focused on reviewing progress against AML/CFT action plans and assessing effectiveness across key areas, including risk assessment, supervision, financial intelligence, investigations, asset recovery, sanctions implementation, and beneficial ownership transparency.

As part of the UAE’s MENAFATF Presidency, the initiative aimed to strengthen regional preparedness, promote consistent application of FATF standards, and enhance cooperation between Europe and the MENA region, contributing to the integrity and resilience of the global financial system.

On 9 January, the European Commission (‘EC’) added Bolivia, the British Virgin Islands, and the Russian Federation to the EU list of high‑risk third‑country jurisdictions with strategic AML/CFT deficiencies, pursuant to Commission Delegated Regulation (EU) 2026/46, amending Delegated Regulation (EU) 2016/1675.

The EC’s assessment reflects ongoing coordination with international partners, including the FATF, and incorporates findings on jurisdictions with identified strategic weaknesses, particularly those whose FATF membership has been suspended.

You can find the EU consolidated list here.

On 12–13 January, the MENAFATF Advisory Committee (the ‘Committee’) held its inaugural meeting in Abu Dhabi. The first day focused on capacity‑building initiatives, including visits to the Emirates Institute for Financial Studies and the ADGM Academy, alongside discussions on governance and regulatory development.

On the second day, the Committee reviewed progress across its active working groups, explored further enhancements to governance, and prepared for the upcoming MENAFATF Plenary. The agenda also covered MENAFATF’s planned participation in the 15th UN Congress on Crime Prevention and Criminal Justice in April 2026.

You can read the MENAFATF announcement in full here.

On 22 January, the FATF published an updated consolidated ratings table. The table summarises jurisdictions’ progress against the 40 FATF recommendations. The recommendations assess the jurisdiction’s maturity against money laundering, counter terrorist financing and proliferation financing measures.

You can read the consolidated rating table here.

On 9 January, the CMA issued a public warning advising investors to refrain from dealing with “Volcano Capital Marketing Management”, confirming that the company is not licensed to carry out regulated financial activities or provide related services. The CMA stated that it bears no responsibility for any transactions involving the company and advised investors to verify the regulatory and licensing status of entities prior to entering into agreements or transferring funds.

On 28 January, the CMA issued a further public warning advising investors not to engage with “Star Light Marketing Management Services L.L.C.”, as the entity is not licensed or authorised to conduct regulated financial activities or provide related services. The CMA confirmed that it is not responsible for any transactions or dealings involving the entity and urged investors to verify firms’ regulatory status before entering into agreements or transferring funds, in order to mitigate the risk of fraud.

You can read the CMA warnings in full here.

On 8 January, the FSRA issued a Decision Notice, accepting an Enforceable Undertaking from “Wealthface Limited”, following an investigation into regulatory breaches between January 2023 and March 2025. The FSRA found that Wealthface Limited failed to maintain adequate capital and liquid resources, incorrectly calculated its capital requirements, did not prepare or submit financial statements in accordance with IFRS and regulatory deadlines, failed to maintain a registered office in the ADGM, and did not pay supervision fees on time.

Wealthface Limited has admitted to the contraventions and agreed to remedial actions, including appointing an independent director, re-establishing its ADGM office, rectifying capital shortfalls, and providing monthly capital and liquidity reports for one year. The firm also undertook to refrain from onboarding clients without regulatory approval and to comply fully with prudential, reporting, and fee obligations going forward. The FSRA noted that it may take further action, including cancelling the firm’s licence, if the undertakings are breached.

You can read the FSRA Decision notice in full here.

On 22 January, the DFSA issued a Decision Notice against “Ed Broking (MENA) Limited” for multiple breaches of its legislation, including engaging in misleading and deceptive conduct. The penalty comprises US$ 175,343 in disgorgement (including interest) and US$ 279,833 in fines, reduced from US$ 575,104 following a settlement.

The DFSA found that the firm provided different premium figures to cedent insurers and reinsurers for the same reinsurance placements, misled reinsurers about premium deductions and brokerage commissions, and misled a client regarding brokerage earned and premium deductions across 121 placements. The misconduct was enabled by non-disclosure of commissions, failures in internal systems and controls, and the use of altered documents.

The firm was also found to have failed to ensure communications were clear, fair and not misleading, and to have acted without due skill, care and diligence. The DFSA noted mitigating factors, including the firm’s prompt self-reporting, internal investigation, and restitution to affected clients.

You can read the Decision Notice in full here.