Regulatory Update June 2026 – ME Region

      DIFC AND DFSA LATEST DEVELOPMENTS

      DFSA Issues Dear SEO Letter on AI image/svg+xml Atoms / Icons / plusExpand

      On 4 June, the Dubai Financial Services Authority (‘DFSA’) issued a Dear SEO letter, “DFSA regulatory expectations on artificial intelligence risk management in the DIFC”, setting out its expectations for Authorised Firms using artificial intelligence (‘AI’) in the Dubai International Financial Centre (‘DIFC’), against the backdrop of continued acceleration in AI adoption, particularly in relation to generative AI.

      The DFSA emphasised that firms remain fully accountable for their use of AI, including where third-party solutions are used, and that such reliance does not diminish their regulatory responsibilities. Senior management, including Senior Executive Officers (‘SEOs’), are expected to exercise appropriate oversight and ensure that AI is implemented and operated in a controlled and responsible manner.

      The DFSA highlights the need for robust governance arrangements, including clear roles and responsibilities, appropriate policies and procedures, and the integration of AI into existing risk management frameworks. Firms are expected to identify, assess, and manage key risks associated with AI, including model, operational, conduct, and financial crime risks, on a proportionate basis.

      Firms should also ensure transparency and explainability in the use of AI, particularly where outcomes may impact clients or markets. Strong data governance is required to maintain data quality and integrity, alongside consideration of ethical risks, including the potential for bias or unfair outcomes. Where AI involves outsourcing or third-party providers, firms must maintain effective oversight and remain accountable for the services provided. The DFSA also expects appropriate testing, validation, and ongoing monitoring of AI systems to ensure they remain reliable and fit for purpose.

      The DFSA refers firms to the 2021 UAE Guidelines for Financial Institutions adopting Enabling Technologies and confirms that it will continue to monitor developments in AI and consider whether further regulatory action is required.

      You can read the Dear SEO Letter in full here.

      Read more
      DFSA Issues New Business Continuity Measures Form image/svg+xml Atoms / Icons / plusExpand

      On 9 June, the DFSA issued a communication to SEOs of DFSA Authorised Firms, Senior Officers (‘SO’) of Registered Auditors, Money Laundering Reporting Officers (‘MLRO’) of Designated Non-Financial Businesses and Professions (‘DNFBPs’) and Principal Representatives of Representative Offices in relation to business continuity measures.

      The DFSA announced further revisions to the Business Continuity Measures Form, following the Dear SEO Letter dated 11 March 2026. All Firms were required to complete the updated Business Continuity Measures Form v4 (6/2026) via the DFSA ePortal by Tuesday, 16 June 2026. This requirement applied to all Firms, regardless of whether a prior Business Continuity Plan notifications were submitted.

      This update reinforces the DFSA’s emphasis on operational resilience and preparedness, ensuring that Firms maintain effective continuity measures in line with regulatory expectations.

      Read more
      DFSA Publishes Dear MLRO Letter on UAE PF NRA image/svg+xml Atoms / Icons / plusExpand

      On 10 June, the DFSA issued a Dear MLRO Letter titled “The UAE Proliferation Financing National Risk Assessment Report 2026”, announcing the publication of the UAE Proliferation Financing National Risk Assessment Report 2026 (‘UAE PF NRA 2026’) by the National Anti-Money Laundering and Combatting Financing of Terrorism and Financing of Illegal Organisations Committee (‘NAMLCFTC’).

      The DFSA clarified that Relevant Persons are not expected to replicate the findings of the UAE PF NRA 2026 in their business AML risk assessments under Rule 5.1.1 of the AML Module. Instead, they are required to take the findings into account as part of their ongoing AML risk assessment processes and incorporate them appropriately, reflecting the nature, size, and complexity of their business activities.

      The DFSA also reminded Relevant Persons of their obligations to comply with Federal AML Legislation, the DIFC Regulatory Law 2004 as it relates to AML, and the AML Module of the DFSA Rulebook.

      This communication reinforces the DFSA’s expectation that firms remain vigilant in updating their AML frameworks and risk assessments in line with national findings and regulatory requirements.

      You can read the UAE PF NRA 2026 in full

      Read more
      DIFC Published Consultation on Amended DIFC Arbitration Law image/svg+xml Atoms / Icons / plusExpand

      On 11 June, the Dubai International Financial Centre Authority (‘DIFCA’) issued Consultation Paper No. 2 inviting public comment on proposed amendments to the Arbitration Law (DIFC Law No. 1 of 2008). These changes will be enacted through the forthcoming Arbitration and Mediation Law, DIFC Law No. 1 of 2026.

      The consultation seeks feedback on draft amendments designed to modernise and strengthen the DIFC’s arbitration framework. The comments were welcome until 6 July.

      You can read the DIFC consultation paper in full here.

      Read more
      DIFC Launches Consultation on Data Protection Regulations image/svg+xml Atoms / Icons / plusExpand

      On 18 June, the DIFC issued Consultation Paper No. 3 of 2026, proposing amendments to the DIFC Data Protection Regulations under DIFC Law No. 5 of 2020.

      Key proposed changes include:

      • updating Regulation 10 to strengthen requirements for embedding safety into systems, particularly when processing personal data in an AI‑native jurisdiction
      • clarifying obligations around systems certification and the role of the Autonomous Systems Officer (‘ASO’).
      • introducing a new Regulation 11, granting the Commissioner powers to recognise accreditation and certification schemes.

      The consultation seeks public feedback on the Proposed Regulations to ensure enhanced governance and accountability in data protection practices.

      You can read the DIFC consultation paper in full here, and comments were welcome until 18 July.

      Read more
      DFSA Issues Annual Report 2025 image/svg+xml Atoms / Icons / plusExpand

      On 26 June, the DFSA published its Annual Report for 2025, highlighting a third consecutive year of sustained growth in firm registrations within the DIFC.

      Key highlights include:

      • 182 new firms licensed and registered in 2025, representing a 16% increase on 2024 and bringing the total number of regulated entities to 1,050
      • fund management sector expansion to 121 Authorised Firms and 276 funds, with assets under management rising to US$ 176Bn (+4% year‑on‑year) and assets under advisory reaching US$ 220Bn (+22%)
      • insurance sector growth of 15%, particularly in reinsurance, reinforcing DIFC’s role as a regional hub
      • banking sector strength, with combined balance sheets of DIFC banks reaching US$ 251Bn (+19% year‑on‑year, +195% since 2015)
      • OTC market surge, with transaction value and volume more than doubling to US$ 13Tn in Q4 2025.

      You can read the DFSA announcement in full here.

      Read more
      DFSA Publishes an Update on Personal Account Dealing image/svg+xml Atoms / Icons / plusExpand

      On 29 June, the DFSA published its first Conduct Supervisory Pulse outlining key observations from a thematic review of Personal Account Dealing (‘PAD’) arrangements across brokerage firms in the DIFC.

      The Conduct Supervisory Pulse forms part of a broader programme of deep‑dive supervisory engagement sessions being undertaken jointly by DFSA Conduct Supervision and Markets teams throughout 2026 under the thematic review on oversight of the trading environment.

      Key highlights include:

      • since 2022, authorised brokerage firms in DIFC have increased by more than 60%, alongside significant rises in headcount, profitability, and transaction volumes
      • firms are expected to ensure PAD frameworks remain aligned to their business scale, complexity, products, employee roles, and risk profile.

      Positive indicators observed by the DFSA included:

      • comprehensive and tailored PAD policies and procedures
      • centralised pre‑trade approval processes
      • periodic compliance monitoring
      • clear escalation and breach management
      • use of management information for senior management and board oversight.

      The DFSA also noted areas requiring enhancement, such as over‑reliance on employee declarations, limited post‑trade monitoring, and poor record‑keeping practices.

      The publication set out practical examples of both positive indicators and areas for improvement across six domains such as policies and procedures, governance and oversight, monitoring and surveillance, compliance, training and awareness, and record keeping.

      The DFSA encouraged all relevant firms to review the observations and assess whether enhancements to their PAD frameworks are warranted. Subsequent phases of the thematic review will address best execution and communication channels/record keeping, with further findings to be published in due course.

      You can read the DFSA publication in full here.

      Read more
      DFSA Publishes Dear SEO Letter and Survey on Cyber Security image/svg+xml Atoms / Icons / plusExpand

      On 30 June, the DFSA issued, via email, a Dear SEO letter titled “Cyber Risk Self-Assessment 2026”, announcing the launch of a survey on cyber risk management practices across firms in the DIFC.

      The assessment is intended to evaluate:

      • the maturity of Authorised Firms, Authorised Market Institutions, and Registered Auditors in managing cyber risks
      • emerging risk trends and systemic issues influencing overall cyber resilience within the DIFC.

      The assessment will be conducted through an online questionnaire accessible via the DFSA ePortal. The questionnaire is primarily composed of closed-ended questions designed to capture each firm’s technology profile and cybersecurity practices.

      The DFSA reminded Authorised Firms that its cyber risk management requirements, effective from 1 January 2024, are set out in General Module Rule 5.5. Compliance with these requirements is mandatory for all Firms, who must establish and maintain a cyber risk management programme proportionate to the nature, scale, and complexity of their operations.

      The deadline for submission of responses to the Assessment is 24 July 2026.

      Read more
      DFSA Publishes Two Alerts and One Regulatory Clarification image/svg+xml Atoms / Icons / plusExpand

      In June 2026, the DFSA issued two alerts concerning fraudulent activities involving impersonation and false claims of regulatory status, as well as one clarification regarding the authorised status of a firm.

      On 11 June, the DFSA issued a clarification regarding the regulatory status of Galloway Investment Group. The DFSA confirmed that the firm is not located in the DIFC. It further stated that Galloway Investment Group is not, and has never been, authorised by the DFSA to provide financial services or make financial promotions in or from the DIFC. The clarification underscores that DFSA Authorised Firms are subject to strict financial services laws and rules designed to protect consumers and users of the DIFC financial system. The DFSA highlighted that these protections apply only when engaging with properly authorised firms.

      On 22 June, the DFSA issued an alert regarding the impersonation of Fortrade (DIFC) Limited, a legitimate DFSA Authorised Firm. Scammers established a fraudulent website (fortradedifc.ae) that misused the firm’s name, address, and details to falsely suggest DFSA regulation. The site referred to entities called “ForTradeDifc” and “ForTradeD IFC,” which are not authorised firms. The DFSA confirmed that these entities are not associated with Fortrade (DIFC) Limited and that the fraudulent website is unauthorised. The DFSA strongly urged the public not to engage with communications from the scam and never to send funds to parties connected with it.

      On 26 June, the DFSA issued an alert regarding Tasenovass LTD and Akanivutar, two firms falsely claiming DFSA authorisation. The scammers created a fake website resembling the DFSA Public Register, misrepresenting Tasenovass LTD as licensed. They also established two fake trading platform websites, asserting regulation by the DFSA and other international regulators. The DFSA confirmed that neither Tasenovass LTD nor Akanivutar have ever been authorised, and their trading platforms are not regulated. The Authority strongly advised the public to exercise extreme caution, avoid responding to communications from these firms, and refrain from using their platforms.

      You can read the DFSA alerts in full here.

      Read more

      ADGM AND FSRA LATEST DEVELOPMENTS

      FSRA Publishes 2026 LPA Risk Assessment Update image/svg+xml Atoms / Icons / plusExpand

      On 1 June, the Financial Services Regulatory Authority (‘FSRA’) issued Notice No. FSRA/FCCP/91/2026 titled “Publication of the ADGM Legal Persons and Arrangements (‘LPA’) Risk Assessment – 2026 Update”. The notice announces the release of the updated assessment, which provides a jurisdiction-specific view of money laundering and terrorist financing risks associated with legal persons and arrangements in ADGM.

      The 2026 update follows the previous assessment published in March 2024 and reflects significant growth in the number and complexity of legal entities within ADGM, necessitating a reassessment of risk exposure, vulnerabilities, and mitigating measures. It also incorporates developments at the national level, including alignment with the UAE National Risk Assessment.

      The LPA Risk Assessment forms part of the ADGM’s risk-based regulatory and supervisory framework, and the FSRA encourages all Relevant Persons to review the report and consider its findings as part of their ongoing risk management and compliance practices.

      You can read the FSRA announcement in full here.

      Read more
      FSRA Issues Regulatory Alert image/svg+xml Atoms / Icons / plusExpand

      On 5 June, the FSRA issued a warning regarding several fraudulent domains falsely claiming association with Sarwa Digital Wealth (Capital) Limited. These websites are not linked to Sarwa and appear to be used for scam recruitment activities. Individuals are advised to exercise caution and avoid sharing personal or financial information. Sarwa has confirmed its only official careers site is

      You can read the FSRA alert in full here.

       

      Read more
      FSRA Publishes Notice on UAE FIU Regulation image/svg+xml Atoms / Icons / plusExpand

      On 10 June, the FSRA issued Notice No. FSRA/FCCP/96/2026 to SEOs and MLROs, drawing attention to the UAE Financial Intelligence Unit (‘UAEFIU’) Regulation No. (1) of 2026 (the ‘Regulation’). This Regulation establishes the system governing the postponement or suspension of suspicious transactions and the freezing of funds, pursuant to Federal Decree-Law No. (10) of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation, and Cabinet Decision No. (134) of 2025.

      The FSRA emphasised that all ADGM Relevant Persons, including Financial Institutions (‘FIs’), Virtual Asset Service Providers (‘VASPs’), and Designated Non-Financial Businesses and Professions (‘DNFBPs’), must comply with obligations under the UAEFIU Regulation.

      These obligations include:

      • urgent reporting of suspicions to the UAEFIU
      • implementation of Suspension Orders, Freezing Orders, and Monitoring Orders
      • maintenance of internal procedures and controls to ensure compliance with UAEFIU requirements.

      The FSRA underscored that timely, accurate, and effective compliance with UAEFIU reporting obligations and orders is critical to safeguarding the UAE’s AML/CFT/CPF framework and preventing the dissipation of suspected criminal proceeds. Relevant Persons are therefore required to review and, where necessary, update their policies, procedures, systems, and governance arrangements to ensure adherence to the Regulation.

      The FSRA reiterated that it will take appropriate enforcement action against Relevant Persons for contraventions of applicable legislation.

      You can read the FSRA Notice in full here.

      Read more
      FSRA Issues Reminder on Exposure to Unlicensed Virtual Asset Activities image/svg+xml Atoms / Icons / plusExpand

      On 22 June, the FSRA issued a reminder to SEOs, MLROs, and Principal Representatives on the importance of managing exposure to unlicensed VASP activities.

      Building on its earlier notice issued in 2025, the FSRA emphasises that firms must maintain robust systems and controls to identify, assess, and mitigate risks arising from unlicensed virtual asset (‘VA’) activity. Relevant persons are expected to ensure that such activities are neither conducted nor facilitated through their products, services, or client relationships unless proper authorisation is in place.

      You can read the FSRA alert in full here.

      Read more
      FSRA Issues Notice on IEMS image/svg+xml Atoms / Icons / plusExpand

      On 26 June, the FSRA, further to FSRA/FCCP Notice No. 96 of 2026, issued a formal notification regarding integration with the Integrated Enquiry Management System (‘IEMS’).

      The FSRA acknowledged operational challenges affecting the IEMS integration and confirmed that it is actively engaging with the UAE FIU to assess the underlying causes and identify any recent developments.

      For context, the IEMS integration is being implemented on a phased basis across relevant sectors. Initial connectivity has been established for certain sectors, with further integrations progressing in line with the broader implementation roadmap. The FSRA requested that firms which have not previously escalated such matters to their supervisory authorities confirm whether access to IEMS has been affected and, if so, whether the issues continue to persist.

      Read more
      ADGM Publishes Amendments to Commercial Legislation image/svg+xml Atoms / Icons / plusExpand

      On 26 June, the Abu Dhabi Global Market (‘ADGM’) published amendments to its commercial legislation, further to enactments made by the Board of Directors on 4 June 2026:

      • regulations:
        • Administrative Regulations (Amendment No. 2) 2026
        • Beneficial Ownership and Control Regulations (Amendment No. 2) 2026
        • Commercial Licensing Regulations (Amendment No. 1) 2026
        • Companies Regulations (Amendment No. 2) 2026
        • Distributed Ledger Technology Foundations Regulations (Amendment No. 2) 2026
      • rules:
        • Commercial Licensing Regulations (Conditions of Licence and Branch Registration) Rules 2026(A)
        • Limited Liability Partnerships Rules 2026.

      You can read the ADGM updated legislation here.

      Read more

      MIDDLE EAST REGULATORY UPDATES

      VARA Issues Circular on the UAE PF NRA image/svg+xml Atoms / Icons / plusExpand

      On 1 June, the Virtual Assets Regulatory Authority (‘VARA’) issued a circular on the publication of the UAE Proliferation Financing National Risk Assessment (‘PF NRA’) 2026 and the required follow-up actions. The circular aims to communicate the key findings of the PF NRA, reinforce regulatory expectations in relation to proliferation financing risk management, and require VASPs to update their Business Risk Assessments and associated controls. It also seeks to ensure that firms remain fully aligned with their obligations under the Targeted Financial Sanctions (‘TFS’) regime.

      The key threats relevant to VASPs include:

      • the PF NRA identifies state-linked actors, primarily the DPRK and Iran, as key proliferation financing threats leveraging financial systems, including virtual assets
      • DPRK-related typologies include state-sponsored cyberattacks targeting VASPs to steal virtual assets, the use of cryptocurrencies to bypass the formal financial system, and the use of intermediaries and layering techniques to obscure the flow of funds
      • Iran-related typologies involve the use of cryptocurrencies and intermediaries to evade detection, as well as the use of front companies and trade-based schemes to procure controlled goods.

      Key vulnerabilities relevant to VASPs include:

      • the sector is identified as having the highest exposure to proliferation financing risk (rated high risk in the mainland), primarily due to the speed and pseudo-anonymity of virtual asset transactions, as well as increased exposure to state-sponsored cybercrime, including activities linked to DPRK hacking groups
      • additional vulnerabilities arise from exposure to unregulated or offshore VASPs, which heightens the risk of sanctions evasion and reflects generally weaker compliance standards
      • the assessment also notes limited industry awareness of proliferation financing-specific typologies and risks related to the evasion of TFS
      • broader systemic vulnerabilities include the use of front companies and complex ownership structures, the exploitation of trade and transshipment activity to mask illicit financial flows, and geographic proximity to sanctioned jurisdictions.

      VASPs are required to review the PF NRA and update their institutional risk assessments, as well as their policies, procedures, controls, and governance arrangements, to reflect its findings, within thirty (30) calendar days from the date of the circular.

      Firms must also retain documented evidence of the PF NRA review, including updates to risk assessments, control enhancements, remediation actions, and staff training activities. These records should be maintained and made available to VARA upon request.

      You can read the VARA announcement in full here.

      Read more
      CMA Issues Warning on Unlicensed Entities image/svg+xml Atoms / Icons / plusExpand

      In June, the Capital Markets Authority (‘CMA’) issued three warnings against entities falsely presenting themselves as licensed providers of financial services.

      On 8 June, the CMA confirmed that Pemaxx Liquidity (Website: pemaxx.com) was not licensed or authorised to conduct regulated financial activities.

      On 18 June, the CMA issued a warning against Capital Nexus Management L.L.C-FZ / Capital Legacy FZ (Website: dubai.platforms.app), stressing that these entities are unlicensed and unauthorised to provide financial services.

      On 24 June, the CMA advised investors not to deal with VIE Finance SEY LTD (Website: ar.200invest.com), confirming it is not licensed or authorised to conduct regulated financial activities in Dubai.

      In each case, the CMA highlighted that it accepts no liability for transactions involving these firms and urged investors to consult the official list of licensed entities on the CMA’s website before entering into agreements or transferring funds. These warnings reinforce the CMA’s commitment to safeguarding investors against fraud and unlicensed activity.

      You can read the CMA warning in full here.

       

      Read more
      FIU Publishes Environmental Crime Typologies Report image/svg+xml Atoms / Icons / plusExpand

      On 1 June, the UAE FIU published a report on environmental crime typologies, highlighting the growing threat of environmental crime as a transnational activity and a key predicate offence to money laundering.

      The report is based on a strategic analysis of data spanning 2019 to 2025, conducted in collaboration with the Federal Authority for Identity, Citizenship, Customs and Port Security (‘ICP’). It identifies illegal wildlife trade as the most prevalent typology, followed by illicit oil trade and illegal mining activities.

      The FIU notes that these crimes generate significant illicit proceeds and often involve complex financial and trade-based schemes to conceal and move funds. The publication provides Reporting Entities with key risk indicators to support the identification, detection, and reporting of environmental crime and related money laundering activities.

      You can read the FIU report in full here.

      Read more
      CMA Publishes Updates to Regulation image/svg+xml Atoms / Icons / plusExpand

      On 2 June, the CMA issued Chairman’s Decision No. (13/Chairman) of 2026, introducing an amendment to the Regulations Manual of Financial Activities.

      The amendment revises the rules applicable to brokers, requiring that any financing used for the purchase of financial products, or financing secured against financial products already owned by a client, must be supported by a valid agreement between the financing entity and the client.

      This change enhances oversight of financing arrangements by formalising the requirement for documented agreements, thereby promoting greater transparency, strengthening regulatory control, and reinforcing investor protection within the UAE’s capital markets.

      The amendment will take effect the day following its publication in the Official Gazette.

      You can read the updated CMA regulation in full here.

      Read more
      CMA Publishes Updates to Manual of Financial Activities image/svg+xml Atoms / Icons / plusExpand

      On 2 June, the CMA issued Chairman’s Decision No. (11/Chairman) of 2026, introducing an amendment to the Regulations Manual of Financial Activities, originally approved in 2021 with significant updates to capital adequacy requirements for licensed financial entities in the UAE.

      Key amendments include:

      • core capital (Tier 1)
      • common equity Tier 1 (‘CET1’) includes
        • fully paid-up capital
        • retained profits (approved annually)
        • current period profits/losses (auditor-approved)
      • additional Tier 1 (‘AT1’) includes
        • unconditional capital contributions
        • non-voting equity
        • capital increases not yet completed (excluding joint-stock companies)
      • minimum capital requirements
        • CET1 must be ≥ 7% of risk-weighted assets (‘RWA’)
        • AT1 reflects resilience against total risks
        • licensed entities must continuously maintain minimum capital per Authority-approved models
      • credit risk
        • capital allocated must be ≥ 16.5% of weighted risk amounts
        • applied gradually as per Authority circulars
      • operational risk
        • certain clauses deleted (e.g., “First,” “Second,” and standard method references)
        • streamlined approach to operational risk capital allocation
      • new clause introduced in excessive leverage risk
        • Tier 1 capital must be ≥ 3% of total assets (on/off balance sheet)
        • designed to limit over-lending and over-financing
      • liquidity risk
        • licensed bodies must comply with updated liquidity requirements (details in Authority models)
      • disclosure and reports
        • references to Tier III (expanded capital) deleted.

      The amendments took effect on 30 April 2026.

      You can read the updated CMA regulation in full here.

      Read more
      FIU Hosts Webinar on Suspension and Freezing Powers image/svg+xml Atoms / Icons / plusExpand

      On 3 June, the FIU hosted a webinar to introduce Regulation No. (1) of 2026 (the ‘Regulation’), outlining its new suspension and freezing powers and reinforcing the UAE’s commitment to strengthening its AML/CFT framework. The FIU Regulation is based on the recently implemented Federal Decree by Law No. (10) of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation (the “Decree-Law”) and Cabinet Decision No. (134) of 2025 regarding the Executive Regulation of Federal Decree-Law No. (10) of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation (the “Executive

      Regulation”). The FIU Regulation will be published in the Official Gazette soon, and will enter into force within 60 days after the date of its publication.

      The session emphasised the urgency of timely reporting by Reporting Entities and the critical role of Financial Institutions in detecting and preventing suspicious fund movements.

      Key highlights include:

      • global alignment
        • the UAE’s measures are consistent with evolving FATF Recommendations and international best practices, ensuring stronger cooperation in asset recovery across jurisdictions
      • new reporting category
        • a Postponement Suspicious Transaction Report (‘PSTR’) must be filed within 24 hours when there is imminent risk of fund transfer or dissipation
        • Reporting Entities must hold the transaction for up to three business days to allow FIU review
      • suspension orders
        • delivered via the IEMS, these orders are binding for up to 10 business days
        • Reporting Entities must acknowledge within two hours and provide real-time fund status updates
      • freezing orders
        • valid for up to 30 days, extendable only by the public prosecutor
        • Reporting Entities must immediately freeze funds and notify both the FIU and the customer
      • monitoring orders
        • allow enhanced surveillance of high-risk customers for up to 30 days, coexisting with suspension or freezing orders where necessary
      • operational safeguards
        • confidentiality, risk-based thresholds, and strong operational powers (without prior court approval) were highlighted as best practices adopted from international benchmarking.

      The FIU outlined the following compliance expectations for Reporting Entities

      • establish robust governance frameworks and escalation procedures with 24/7 coverage
      • maintain segregation of duties and ensure compliance officers oversee order implementation
      • document all actions related to PSTRs, suspension, freezing, and monitoring orders, with records retained for at least five years
      • provide written explanations within two hours in cases of non-execution or delay of FIU orders.

      The FIU also presented a draft Standard Operating Procedure (‘SOP’), including templates for freezing, suspension, and monitoring orders. Severity classifications (P1- Critical, P2 – High, P3 – Medium) will guide urgency and escalation.

      The FIU will shortly publish Guidance for Reporting Entities under Regulation No. (1) of 2026, offering practical examples and implementation principles. It will include overarching principles for the effective implementation of the Regulation, illustrative examples tailored to each category of Reporting Entities, and feedback received from UAE Reporting Entities on practical implementation considerations.

      Reporting Entities are advised to monitor IEMS and official FIU communications for its release.

      You can read the FIU Regulation No. (1) of 2026 in full here.

      Read more
      VARA Issues Guidance on AML/CFT Business Risk Assessment image/svg+xml Atoms / Icons / plusExpand

      On 12 June, the VARA issued Good Practice Guidance for licensed VASPs on conducting Business Risk Assessments (‘BRA’).

      Under Rule III.D of the VARA Compliance and Risk Management Rulebook, VASPs are required to establish, maintain, and regularly review their BRA. The newly published Guidance sets out good practice characteristics for AML/CFT BRA, drawing on supervisory insights from VARA’s 2026 thematic review.

      The Guidance is intended to assist VASPs in strengthening their BRA frameworks and to provide a clear benchmark for effective practice within the UAE’s virtual assets sector.

      Key regulatory expectations include:

      • mandatory BRA reviews
        • VASPs must review their BRA at least every three months and update it promptly upon significant business changes
      • integration with AML/CFT framework
        • BRA outcomes must directly inform AML/CFT policies, procedures, systems, and resource allocation
      • risk coverage
        • the BRA must address money laundering, terrorism financing, proliferation financing, and other risks relevant to the VASP’s business model, customer base, product set, and geographic footprint
      • alignment with UAE threat environment
        • BRA frameworks should reflect national and sectoral risk assessments, as well as FATF guidance.

      Supervisory findings indicate that while BRA capability across the licensed population is developing, several VASPs have adopted sophisticated, data‑driven frameworks that demonstrate genuine risk‑based thinking calibrated to the UAE threat environment. This guidance highlights those practices to illustrate what robust compliance looks like in the virtual assets sector.

      You can read the VARA BRA Guidance in full here.

      Read more
      SSC Hosts an Outreach Session on UAE's 2025 Sectoral Risk Assessment image/svg+xml Atoms / Icons / plusExpand

      On 12 June, the Supervisory Sub-Committee (‘SSC’) held an outreach session on the UAE’s 2025 Sectoral Risk Assessment, inviting SEOs and MLROs of Relevant Persons to participate.

      This outreach initiative reflected the SSC’s ongoing commitment to engaging with Relevant Persons and ensuring that firms remain aligned with national AML/CFT priorities. It also provided an opportunity to better understand the findings of the Sectoral Risk Assessment (‘SRA’) and incorporate them into business risk management frameworks.

      The SSC emphasised the importance of proactive participation in such sessions to strengthen compliance practices and reinforce the UAE’s collective resilience against financial crime risks.

      Read more
      CBUAE and CBK Sign Strategic MoU image/svg+xml Atoms / Icons / plusExpand

      On 24 June, the Central Bank of the UAE (‘CBUAE’) and the Central Bank of the Republic of Kosovo (‘CBK’) signed a strategic Memorandum of Understanding (‘MoU’). The agreement aims to strengthen supervisory collaboration, enhance financial and FinTech cooperation, and promote the exchange of expertise across key areas of mutual interest. The amendment will take effect the day following its publication in the Official Gazette.

      You can read the updated CBUAE announcement in full here.

      Read more
      CMA Issues Resolution on Virtual Assets and Alternative Trading Systems image/svg+xml Atoms / Icons / plusExpand

      On 25 June, the CMA, acting under Federal Decree‑Law No. (32) of 2025 concerning the Capital Market Authority, Federal Decree‑Law No. (33) of 2025 concerning the Regulation of the Capital Market, and Cabinet Resolution No. (51/2 C) of 2025 restructuring the SCA Board, has issued the Chairman’s Resolution No. (04/Chairman) of 2026. This resolution regulates Virtual Assets Service Providers and the Alternative Trading System Operator.

      Entities licensed by the Central Bank of the UAE, excluding insurance companies, are permitted to practice activities stipulated under the Chairman’s Resolution No. (04/Chairman) of 2026.

      The resolution will be published in the Official Gazette and enters into force on the date of issuance.

      You can read the updated CMA regulation in full here.

      Read more
      CMA Conducts Awareness Session on Sanctions Screening image/svg+xml Atoms / Icons / plusExpand

      On 30 June, the CMA held an awareness session on sanctions screening systems, following the completion of a thematic review across the UAE capital markets sector. The review encompassed 26 Licensed Financial Institutions (‘LFIs’) and evaluated 46 name and transaction screening systems. Its primary objective was to assess whether these systems are effective in detecting sanctioned individuals and entities, particularly in cases where names are deliberately altered through misspellings, rearrangements, abbreviations, or translations. In addition to technology solutions, the review examined governance structures, operational effectiveness, testing methodologies, data quality, and management oversight, providing a comprehensive view of the sector’s sanctions screening capabilities.

      The main findings from the review communicated during the awareness session were as follows:

      • basic screening controls are generally established
        • most institutions successfully identified direct matches during onboarding and routine screening
        • this indicates that foundational screening controls are largely in place across the sector
      • performance declines when names are manipulated
        • while many systems detected exact matches, performance was less consistent when names were misspelled, rearranged, abbreviated or translated or formatted differently
        • this represents a material risk because sanctioned individuals may intentionally alter their names to avoid detection
      • system calibration is critical
        • the CMA observed significant differences in how institutions configured their systems
        • overly restrictive systems configured with very high matching thresholds failed to identify potential sanctions matches
        • overly sensitive systems generated excessive alerts and false positives, creating operational burdens for compliance teams
      • transaction screening results were mixed
        • transaction screening frameworks were generally established across all institutions
        • many systems demonstrated strong capability in identifying sanctions indicators within payment information
        • however, results varied considerably due to differences in system calibration and configuration
        • some institutions missed sanctions records even under direct-match testing scenarios.

      Based on the CMA’s findings and expectations, firms should:

      • perform a gap analysis against the CMA thematic review
      • review and document screening system configuration, thresholds, and matching logic
      • conduct periodic effectiveness testing using exact-match, variation, and clean-data scenarios
      • reassess threshold settings and document the rationale for chosen calibration
      • establish clear screening effectiveness KPIs for management reporting
      • maintain evidence of testing, validation results, and remediation actions
      • ensure sanctions list updates are implemented promptly and accurately
      • review customer and transaction data quality controls
      • provide regular training to screening and compliance staff
      • develop sufficient internal expertise to challenge vendors and understand system performance.
      Read more

      INTERNATIONAL UPDATES

      FATF Updates Grey List image/svg+xml Atoms / Icons / plusExpand

      On 19 June, the Financial Action Task Force (‘FATF’) updated its list of jurisdictions under increased monitoring by adding Bosnia and Herzegovina and Iraq to the grey list, and removing Algeria and Namibia.

      You can read the amended FATF Grey List here.

      Read more
      FATF Updates Recommendation 6 image/svg+xml Atoms / Icons / plusExpand

      On 23 June, FATF amended Recommendation 6 to incorporate a humanitarian exemption, ensuring that targeted financial sanctions do not impede humanitarian assistance or access to basic human needs. This aligns with relevant UN Security Council resolutions.

      The updated Standards will require countries to comply with the humanitarian exemption contained in UNSCRs 2664 and 2761, as well as 2615. The updated Standards ensure that sanctions measures do not block the flow of funds, assets, resources, goods, and services necessary for humanitarian assistance and basic human needs in line with the UN framework.

      You can read the updated FATF Recommendation 6 in full here.

      Read more
      FATF Launches Consultation on Payment Transparency image/svg+xml Atoms / Icons / plusExpand

      On 24 June, the FATF launched a public consultation on draft guidance to support implementation of strengthened Recommendation 16 (payment transparency).

      The proposed guidance aims to enhance the transparency and security of cross-border payments, including by improving the information accompanying transactions and introducing measures to mitigate fraud and errors. The updated standards, originally agreed in June 2025, are expected to be implemented globally by end-2030.

      FATF is seeking feedback from a wide range of stakeholders, including financial institutions, payment service providers, and civil society, with particular emphasis on input from emerging markets. Key areas of focus include application to new payment methods (such as digital wallets), alignment with financial inclusion objectives, and managing data protection requirements.

      Stakeholders are invited to submit comments by 21 August 2026.

      You can read the FATF consultation paper in full here.

      Read more
      FATF Publishes Report on Emerging Terrorist Financing Risks in Digital Platforms image/svg+xml Atoms / Icons / plusExpand

      On 26 June, the FATF published a report examining the growing misuse of social media, instant messaging applications, and streaming platforms (‘SMSPs’) for terrorist financing.

      The report identifies evolving typologies, including the use of digital platforms for fundraising through fraudulent charitable campaigns, exploitation of monetisation features (such as live-streaming and tipping), and the use of virtual assets, QR codes, and encrypted communications to obscure financial flows.

      FATF also notes that these platforms increasingly integrate financial services, raising regulatory challenges, and highlights that less than 30% of jurisdictions currently assess these risks in their national frameworks.

      To address these risks, FATF emphasises the need for enhanced public-private sector cooperation, improved information sharing, stronger risk assessments, and better alignment between financial and digital intelligence capabilities.

      You can read the FATF report in full here.

      Read more

      ENFORCEMENT ACTIONS

      CBUAE Imposes a Financial Penalty on a Branch of a Foreign Bank image/svg+xml Atoms / Icons / plusExpand

      On 24 June, the CBUAE imposed a financial penalty of AED 20,000,000 on a branch of a foreign bank, in accordance with the provisions of the Federal Decree Law Regarding the Central Bank and Organisation of Financial Institutions and Activities, and its amendments.

      This penalty follows examinations conducted by the CBUAE, which revealed significant and repeated deficiencies in the branch’s Anti-Money Laundering (‘AML’), Combating the Financing of Terrorism (‘CFT’), and Sanctions compliance framework.

      In addition, the CBUAE levied an individual penalty of AED 300,000 on the Head of Compliance and Money Laundering Reporting Officer of the branch, pursuant to the same Federal Decree Law, due to his failure to adequately discharge his responsibilities and duties.

      Through its supervisory and regulatory mandate, the CBUAE remains committed to ensuring that all banks, their authorised decision-makers, and staff comply with UAE laws, regulations, and standards. These measures are designed to safeguard transparency, integrity, and the stability of the UAE’s banking sector and financial system.

      You can read the CBUAE enforcement notice in full here.

      Read more
      VARA Issues Fines and Enforcement Measures Against MX Global LTD image/svg+xml Atoms / Icons / plusExpand

      On 22 June, VARA issued a notice of fines against MX Global LTD (‘MEXC’), also following its March 2026 Investor and Marketplace Alert. Investigations revealed that MX Global had provided unlicensed Broker‑Dealer and/or Exchange Services between 2022 and April 2026, and had onboarded customers without meeting Know‑Your‑Customer (‘KYC’) obligations under UAE law. These breaches were likewise found to contravene Federal Decree Law No. (10) of 2025, Dubai Law No. (4) of 2022, Cabinet Resolution No. 111/2022, and VARA’s Regulations and Rulebooks.

      VARA imposed enforcement measures and financial penalties, directing MX Global LTD to cease and desist all unlicensed activities. MEXC cooperated fully, complied with enforcement orders, and has expressed its intention to pursue licensing with VARA. The enforcement action applies exclusively to MX Global LTD.

      You can read the VARA enforcement notice in full here.

      Read more
      VARA Issues Enforcement Action Against Licensed VASP image/svg+xml Atoms / Icons / plusExpand

      On 22 June, VARA issued a notice of fines against CoinMENA FZE (Ref: VL/23/09/001), a licensed Virtual Asset Service Provider authorised since November 2023 to provide Broker‑Dealer services.

      Following supervisory inspections across full market operations through FY 2025, VARA identified administrative deficiencies in CoinMENA’s internal systems and controls, resulting in compliance failures within its AML programme. Consequently, VARA imposed enforcement measures, including a financial penalty.

      VARA notes that CoinMENA cooperated fully, accepted the findings, and initiated a coordinated remediation plan to strengthen its compliance framework and uphold assurance standards.

      You can read the VARA enforcement notice in full here.

      Read more
      VARA Issues Fine and Enforcement Measures Against Unlicensed VASP image/svg+xml Atoms / Icons / plusExpand

      On 24 June, the VARA issued a Notice of Fines against Peken Global Limited (‘Peken’), commercially operating as KuCoin, following its earlier Investor and Marketplace Alert of 5 March 2026. VARA’s investigations determined that Peken had been providing Virtual Asset Broker‑Dealer and/or Exchange Services to customers in Dubai without the required VARA licence. These activities were deemed to be in breach of:

      • Federal Decree Law No. (10) of 2025 on Anti‑Money Laundering and Combating the Financing of Terrorism and Proliferation Financing
      • Dubai Law No. (4) of 2022 regulating Virtual Assets in the Emirate of Dubai
      • Cabinet Resolution No. 111/2022 on Virtual Assets and related service providers
      • VARA Regulations and Rulebooks.

      As a result, VARA directed Peken to cease and desist all unlicensed Virtual Asset activities in or from Dubai. The Peken cooperated fully with VARA, complied with enforcement actions, and has expressed its intention to enter VARA’s licensing process, subject to approvals, to serve customers in the UAE. Importantly, the enforcement action applies exclusively to Peken Global Limited, and not to other legal entities associated with KuCoin identified in the March 2026 alert.

      You can read the VARA enforcement notice in full here.

      Read more

      Stay informed with our Regulatory Update

      Navigate the ever-evolving regulatory landscape with our Regulatory Update. Our team of compliance experts provide a monthly review of a wide range of global regulatory compliance matters including, news, guidelines and significant updates. To sign-up please follow the link below.

      Find out more

      About Waystone Compliance Solutions

      Waystone Compliance Solutions offers a new and unique approach to compliance services at a corporate level.

      As a truly global partner, we have the capabilities to help you manage regulatory risk right across your organisation.

      We can provide key services from initial registration and licensing to compliance programme integration. Our compliance solutions span business strategies, market activities, and operational and technology infrastructure, not to mention sales and marketing procedures. And we can do so anywhere in the world.

      Our aim at Waystone is simple: to enable our clients to navigate the complex regulatory environment with confidence.

      At Waystone, we have brought together the experience, the expertise, and the global reach to give you the certainty you need to address the ever-changing regulatory world. And by doing so, provide you with a secure route on the road to success.

      Contact us

       Next post
      Share

      More like this

      DFSA PIB Amendments: Key Changes and Impact from 1 July 2026

      As previously highlighted in the Dubai Financial Services Authority’s (‘DFSA’) feedback statement on Consultation Paper No. 161, issued on 21…
      Read more

      Regulatory Update May 2026 – ME Region

      This edition includes – DIFC Proposes Amendments to Prescribed Company Regulations, DFSA Publishes Amendments to Its Regulatory Framework, FSRA Finalises…
      Read more

      Do Representative Offices need to comply with the DIFC Data Protection Law?

      In the course of our work, we occasionally encounter the view that the Dubai International Financial Centre (‘DIFC’) Data Protection…
      Read more

      Regulatory Update April 2026 – ME Region

      This edition includes – DFSA Publishes Summary of Consultation Paper 170, FSRA Implements Enhancements to Insurance Regulatory Framework, FSRA Issues…
      Read more

      What Recent DFSA Enforcement Activity Teaches Us About Brokerage Risk

      Recent enforcement activity by the Dubai Financial Services Authority (‘DFSA’) serves as a timely reminder for firms operating in the…
      Read more

      Regulatory Update March 2026 – ME Region

      Stay informed with our Regulatory Update Navigate the ever-evolving regulatory landscape with our Regulatory Update. Our team of compliance experts…
      Read more
      Contact us