Financial institutions operating in the UAE will soon have to demonstrate compliance with the new anti-money laundering (AML) requirements set out by the Central Bank of UAE (CBUAE), which have a particular focus on risks related to virtual assets and virtual asset service providers.

In a briefing note on 7 June, international law firm Pinsent Masons said the CBUAE's guidance for licensed financial institutions on risks related to virtual assets (VAs) and virtual asset service providers (VASPs) will come into force in July 2023.

The guidance primarily focuses on risks in relation to money laundering and combatting the financing of terrorism (CFT).

Financial services experts Tom Bicknell and Barkha Doshi of Pinsent Masons pointed out that financial institutions licensed to operate in the UAE would only have one month to comply with the requirements contained in the guidance from its effective day.

"The new guidance will apply to all licensed financial institutions and will assist them in understanding the effective implementation of their AML/CFT obligations," said Doshi.

"The guidance also takes the Financial Action Task Force standards into account and discusses the risks arising from dealing with virtual assets and virtual asset service providers, setting out clear descriptions of VAs, VASPs, and VASP business models," she added.

The guidance provides details on the potential threats and risks related to VAs and VASPs and the relevant laws regulating them, including the Securities and Commodities Authority's recently introduced regulations governing virtual assets. It also identifies the existence of professional money laundering schemes that allow criminals to cash out proceeds generated in virtual currency via illicit online markets.

The CBUAE also emphasised in the document that cryptocurrencies, the most common form of virtual assets, are most vulnerable to abuse because they have inherent characteristics that illicit actors can exploit, including decentralisation and anonymity.

In addition to helping financial institutions understand the threats and vulnerabilities related to VAs and VASPs, the guidance, more importantly, suggests steps that they should take to mitigate the risks when dealing with them.

The financial services regulator expects financial institutions to apply specific preventive measures to identify, assess, manage, and mitigate the risks associated with VASPs and VA activity. These controls should be integrated into broader AML/CFT compliance programmes and supported with appropriate governance and training.

According to Doshi, the standards set out in the guidance are not exhaustive and do not set limitations on the measures that should be taken by financial institutions to meet their statutory obligations.

As required by the guidance, financial institutions must perform, document, and regularly update their enterprise-wide risk assessment policies to include risks related to VASP or VA-exposed customers. When conducting general customer due diligence, financial institutions must consider further checks to determine if a customer is a VASP, and if so, which activities it conducts and in which jurisdictions. They are also obliged to determine if a customer provides downstream services to third-party VASPs and try to understand whether and to what extent a customer intends to use the financial institution to facilitate VA activity.

The guidance requires financial institutions to mitigate money laundering and terrorism financing risks related to investments in VAs by conducting specific due diligence for all VASP counterparties and implementing enhanced control measures when dealing with high-risk VASP counterparties.

"The guidance comes at an appropriate time with the Securities and Commodities Authority's recent push to permit the licensing of VAs and VASPs in the onshore UAE. The authorities in the UAE are doing their utmost to lure virtual asset businesses to the region, in part through a welcoming and protective regulatory framework," said Doshi.