In February 2022, the Government of Dubai enacted a new law creating the Virtual Assets Regulatory Authority (VARA) to oversee virtual assets and related service providers.¹ A year later, in 2023, VARA launched a set of regulations and 13 rulebooks, including the Compliance and Risk Management Rulebook, which established the original Travel Rule framework for Dubai VASPs.²

On 24 February 2026, VARA issued a Circular to all VASPs licensed or authorised in the Emirate of Dubai setting out its supervisory expectations for implementation of the UAE Virtual Asset Travel Rule, issued pursuant to Cabinet Decision No. (134) of 2025 on the Implementing Regulation of Federal Decree-Law No. (10) of 2025 on Combating Money Laundering, Countering the Financing of Terrorism, and Countering the Financing of Proliferation of Weapons.^{3 4}

‍

Timeline of regulatory action

• February 28, 2022: The Government of Dubai passed Law No. (4) of 2022 Regulating Virtual Assets in the Emirate of Dubai, establishing VARA.¹
• March 11, 2022: Law No. (4) of 2022 entered into force.¹ ‍
• February 7, 2023: VARA issued the Virtual Assets and Related Activities Regulations 2023. The Compliance and Risk Management Rulebook specified Crypto Travel Rule requirements for Dubai VASPs.²‍
• 2025: UAE Cabinet Decision No. (134) of 2025 issues the Implementing Regulation of Federal Decree-Law No. (10) of 2025, establishing a federal Virtual Asset Travel Rule.³‍
• 24 February 2026: VARA issues its Circular to VASPs on Implementation of the UAE Virtual Assets Travel Rule Requirements, setting supervisory expectations for compliance across Dubai (including Free Zones).⁴

‍

1. Is cryptocurrency legal in Dubai?

Yes — it is legal to hold, sell, and trade cryptocurrency in Dubai.

‍

2. Are there any AML crypto regulations in Dubai?

Yes. Dubai VASPs must implement policies and procedures to comply with all AML/CFT requirements and applicable laws, including Federal AML/CTF Laws, FATF's guidance on VAs, and the UAE's regulations on terrorism financing. VASPs must also follow the UAE Executive Office for Control & Non-Proliferation (EOCN)'s guidance on counter-proliferation financing and its local terrorist list.²

The AML/CFT framework now operates under Federal Decree-Law No. (10) of 2025 and Cabinet Decision No. (134) of 2025.^{3 4}

‍

3. Who regulates cryptocurrency in Dubai?

The Virtual Assets Regulatory Authority (VARA) is the crypto regulator in Dubai.¹

‍

4. Are there licensing or registration requirements for VASPs in Dubai?

Yes. No person can conduct the following virtual asset activities in the Emirate without obtaining a permit from VARA:^{1 5}

• virtual asset platform operation and management services
• virtual asset exchange services
• virtual asset transfer services
• virtual asset safekeeping, management, or control services
• virtual asset wallet services
• services related to offering and trading in virtual tokens

‍

FATF Travel Rule Requirements in Dubai‍

‍1. Is the Crypto Travel Rule mandated in Dubai?

Yes. VASPs must not execute a qualifying Virtual Asset Transfer unless the applicable Travel Rule requirements are satisfied.⁶

‍

2. What is the minimum threshold for the Crypto Travel Rule in Dubai?

Travel Rule information-transmission obligations apply to any Virtual Asset Transfer, regardless of the amount. Under Article 28 of Cabinet Decision No. (134) of 2025³, financial Institutions shall verify the accuracy of originator information in all international transfers equal to or exceeding AED 3,500. Conversely, for transfers below AED 3,500, institutions are not required to verify the accuracy of the transmitted data, unless there are suspicions of a crime.

‍

3. What personally identifiable information is required to be shared for the Crypto Travel Rule in Dubai?

Under Before executing a qualifying Virtual Asset Transfer, the Originator's VASP must transmit the required Originator and Beneficiary information set out below⁷:

a. The full name of the originator and the beneficiary. 

b. The account number of the originator and the beneficiary, or, where no account number exists, the transfer shall include a unique transaction reference number that enables the Financial Institutions to trace it. 

c. The address of the originator, or the originator’s identity number or travel document number, or the date and place of birth, or the customer identification number held by the originating Financial Institution, which shall refer to a record containing such data

‍

Batched transfers: Where multiple Virtual Asset Transfers are batched, the required information must accompany each individual transfer within the batch.

‍

‍Domestic transfers: Where verified Originator and Beneficiary data is already available to the Beneficiary's VASP or relevant authorities by other means, a limited dataset may be transmitted, provided the full dataset can be made available within three (3) working days upon request by the Beneficiary's VASP or a competent authority.

‍

4. What are the non-custodial or self-hosted wallet requirements in Dubai?

VASPs must apply enhanced due diligence (EDD) to transfers involving unhosted wallets, including additional customer identification and source-of-funds verification. Where the required information is not provided, or where risks cannot be adequately mitigated, the VASP must decline, delay, or return the transfer in line with its risk-based policies and procedures.⁴

‍

5. What are the counterparty due diligence requirements for Dubai VASPs?

Before entering into any transaction with a counterparty VASP, VASPs must complete risk-based due diligence on the counterparty to mitigate AML/CFT risks.

Particularly, prior to executing a Virtual Asset Transfer, the Originator's VASP must confirm that the Beneficiary's VASP is appropriately regulated in its jurisdiction of incorporation or operation. VASPs must not execute transfers to counterparties that are not appropriately regulated in the UAE or in a foreign jurisdiction.⁴

Where a counterparty VASP is unable to receive required information, the Originator's VASP must use best efforts to establish alternative secure communication channels, and must reassess the relationship and associated risks where such issues persist. Additionally, systemic failures by counterparties to provide required information must be documented and reported to VARA, together with details of remedial actions taken.⁴

‍

6. How does VARA approach the sunrise issue?

VARA's Compliance and Risk Management Rulebook explicitly mentions the Sunrise Issue, stating that VASPs should include their plan to comply with the Travel Rule with VASPs in jurisdictions where the Travel Rule is not a legislative requirement.⁹

Under the 2026 Circular, the bar is now higher in practice: counterparty VASPs must be appropriately regulated in their home jurisdiction, and transfers to unregulated counterparties are prohibited. Additionally, VASPs are required to reassess the relationship and associated risks when issues to establish secure communication channels for Travel Rule compliance purposes persist.⁴

‍

Why choose Notabene for Crypto Travel Rule Compliance in Dubai?

Counterparty due diligence is an essential component of Travel Rule compliance, and with VARA's 2026 Circular raising the stakes on counterparty regulatory status verification, the operational burden on Dubai VASPs is only increasing.

As the crypto industry's only pre-transaction decision-making platform, Notabene integrates the industry-standard VASP due diligence questionnaire (DDQ), enabling 1:1 sharing between counterparties and removing friction from an already complex process.

Notabene Network members can:

• Request access to a VASP's DDQ within the Notabene Network.
• Share and decline access to the questionnaire.
• Revoke access at any time.
• View the document's share history.

Additionally, the Notabene Network includes profiles of 2000+ VASPs featuring incorporation details and verified, real-time regulatory status information provided through our VASPNet integration. 

‍

‍Click here to access the Notabene Network.