In one line

A VARA Business Risk Assessment (BRA) is the AML/CFT risk assessment every Dubai-licensed VASP must conduct and maintain under Rule III.D of the VARA Compliance and Risk Management Rulebook — identifying the money-laundering, terrorism-financing and proliferation-financing risks of its business model, rating the effectiveness of its controls, and directing compliance resources accordingly.

On any reading of VARA's risk-based supervision, the Business Risk Assessment has become the single most scrutinised document in a VASP's financial-crime programme. In 2026 VARA published good-practice guidance on the AML/CFT Business Risk Assessment, drawing directly on the supervisory observations from its sector-wide BRA thematic review. This article breaks that guidance down into what it means in practice — and where, in our experience advising licensed VASPs, the gaps usually are.

What the guidance is — and what it is not

The guidance is illustrative. It does not create new obligations; it describes the characteristics of strong BRA practice observed across the licensed population during VARA's 2026 thematic review. The underlying obligation already exists in the Rulebook, and the guidance is best read as a window into how supervisors will judge whether you have met it. VASPs are expected to build BRA frameworks proportionate to their own business model, risk profile and scale — not to copy a template.

The thematic review itself uses a dual methodology: a structured questionnaire across eight thematic areas, and a detailed supervisory analysis of the actual BRA documents VASPs submit. In other words, VARA tests both what you say your methodology is and whether your document demonstrates it in practice.

The legal basis: Rule III.D of the VARA Rulebook

The BRA obligation sits in Rule III.D of the VARA Compliance and Risk Management Rulebook. In summary, a licensed VASP must:

  • Conduct and maintain an AML/CFT business risk assessment that reflects its specific activities, customer base, products, geographic footprint and the broader UAE threat environment (the UAE National Risk Assessment, sectoral risk assessments and FATF guidance).
  • Review it at intervals of no longer than three months (Rule III.D.3), and update it whenever a significant change occurs in any area listed in Rule III.D.2.
  • Demonstrate that BRA outcomes directly inform the development of AML/CFT policies, procedures, systems and controls, and the prioritisation of compliance resources (Rule III.D.4).

That last point is the one most VASPs underestimate: the BRA is not a standalone compliance artefact. It must be shown to drive the programme.

The eight themes VARA assesses — at a glance

VARA's questionnaire and document review map to eight thematic areas. This table summarises what "good" looks like in each:

Theme | What strong practice looks like
1. Governance | Dated Board approval; MLRO ownership; three lines of defence; independent audit validation of methodology.
2. Methodology | Documented scope and scoring; quantitative likelihood × consequence scales; residual risk via heat map; transparent aggregation.
3. Data & evidence | Operational data (alerts, SARs, screening, KYC) feeds scoring; NRA, FATF and FIU typologies explicitly referenced.
4. Inherent risk | Standard categories plus VA-specific risks; granular, jurisdiction-level geographic analysis from KYC data.
5. Proliferation financing | Scored as a distinct category, explicitly linked to the targeted-financial-sanctions framework.
6. Control effectiveness | Residual risk based on objective evidence, not self-assessment alone; consistent with the high-risk sector rating.
7. Operationalisation | Documented examples of BRA findings driving real AML/CFT decisions; trigger-based updates.
8. Review & version control | Substantive quarterly reviews; granular change log recording what changed, why, and the impact on ratings.

1. Governance and senior-management accountability

VARA treats the level of Board engagement as one of the strongest indicators of BRA maturity. Strong practice requires the BRA to be formally approved by the Board (or equivalent governing body), with the approval and its date documented. The MLRO usually owns and prepares the BRA, but MLRO ownership is not a substitute for Board-level approval — the Board's job is to provide independent challenge of residual risk ratings, control-effectiveness assumptions and risk appetite.

The guidance also expects a genuine three lines of defence model: compliance/MLRO prepares and owns the BRA; the risk function or Board challenges it; and internal audit (or an independent external party on a risk-based cycle) validates the methodology and the control-effectiveness assumptions behind the residual-risk ratings. A VASP that relies on Board presentation alone, with no independent technical validation, is operating with a single challenge mechanism — a recurring weakness VARA flags.

2. Methodology: scope, structure and scoring

Methodology determines whether risk conclusions are transparent, repeatable and independently verifiable. In scope, the BRA should cover all legal entities in the licensed group, all licensed activities and product lines, and all jurisdictions of operation. Where group systems (KYC, transaction monitoring, sanctions screening) are relied upon, the BRA should assess the residual risk of that dependency and document how local MLRO oversight verifies the group controls are effective for the UAE entity's specific profile.

On scoring, the strongest submissions use numerical scales — typically a five-point likelihood and five-point consequence scale producing an inherent-risk score per category, with control effectiveness rated on a defined scale and residual risk derived through a documented heat map or conversion table. Category scores are aggregated into an overall rating, with any weighting rationale documented. The best BRAs assess ML and TF separately before aggregation, and where senior compliance judgement overrides a calculated rating, the rationale is written down. Where ratings are qualitative rather than numerical, each must be supported by narrative explaining the drivers — a rating without narrative cannot be challenged.
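One way to implement the scoring structure described above, added here as an illustration and not VARA's model or any VASP's actual methodology: a five-point likelihood × consequence inherent score per category, a control-effectiveness conversion, a heat-map band for residual risk, separate ML/TF/PF scoring with weighted aggregation, and an override that is rejected unless its rationale is written down. The conversion factors, band thresholds and sample categories are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed control-effectiveness conversion: 1 = ineffective ... 5 = highly effective.
CONTROL_FACTOR = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.5, 5: 0.4}

def band(score: float) -> str:
    # Assumed heat-map thresholds on the 1-25 likelihood x consequence range.
    if score >= 15:
        return "High"
    return "Medium" if score >= 8 else "Low"

@dataclass
class Category:
    name: str
    crime_type: str             # "ML", "TF" or "PF": each scored separately before aggregation
    likelihood: int             # 1-5
    consequence: int            # 1-5
    control_effectiveness: int  # 1-5, ideally from independent testing, not self-assessment
    weight: float = 1.0         # aggregation weight; the rationale belongs in the BRA narrative
    override: Optional[str] = None  # rating imposed by senior compliance judgement
    override_rationale: str = ""
    def __post_init__(self):
        if any(v not in range(1, 6) for v in (self.likelihood, self.consequence, self.control_effectiveness)):
            raise ValueError(f"{self.name}: scale values must be 1-5")
    def inherent(self) -> int:
        return self.likelihood * self.consequence
    def residual_score(self) -> float:
        return round(self.inherent() * CONTROL_FACTOR[self.control_effectiveness], 1)
    def residual_rating(self) -> str:
        calculated = band(self.residual_score())
        if self.override and self.override != calculated:
            if not self.override_rationale.strip():  # a rating without narrative cannot be challenged
                raise ValueError(f"{self.name}: override of {calculated} lacks a documented rationale")
            return self.override
        return calculated

def aggregate(categories, crime_type: str):
    """Weighted mean residual score and band for one crime type; overrides are not averaged in."""
    cats = [c for c in categories if c.crime_type == crime_type]
    score = sum(c.residual_score() * c.weight for c in cats) / sum(c.weight for c in cats)
    return round(score, 1), band(score)

def sample_bra():  # constructed sample categories, not a real VASP's assessment
    return [
        Category("Customer types", "ML", 3, 4, 3),                        # 12 x 0.6 = 7.2, Low
        Category("Unhosted wallets", "ML", 4, 4, 3),                      # 16 x 0.6 = 9.6, Medium
        Category("High-risk jurisdictions", "TF", 4, 5, 3, weight=2.0),   # 20 x 0.6 = 12.0, Medium
        Category("DPRK/Iran exposure", "PF", 3, 5, 4, override="High",    # 15 x 0.5 = 7.5, Low by calculation
                 override_rationale="UAE NRA rates the VA sector High for PF; exposure is structural"),
    ]
```

Running `aggregate(sample_bra(), "ML")` gives the weighted ML residual score and band; the PF category shows how a calculated Low is replaced by a documented High rather than a silent edit.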

3. Data integration and evidential support

VARA is blunt on this point: a BRA not informed by quantitative operational evidence is, at best, a judgement. Strong BRAs treat operational data as direct inputs to risk scoring, so ratings move when the data moves. The data categories that should feed the assessment include:

  • Customer risk-rating distribution and how it has shifted since the last BRA;
  • Transaction-monitoring alert volumes, alert-to-investigation conversion, escalation and SAR/STR conversion ratios;
  • STR/SAR trends and the typologies identified;
  • Sanctions-screening outcomes — alerts, confirmed matches and dispositions;
  • Product and transaction volumes, including the geographic distribution of flows;
  • Customer nationality and geographic concentration, with specific exposure to high-risk jurisdictions;
  • Internal-audit and supervisory findings affecting specific controls; and offboarding/EDD statistics.

External typologies — the UAE NRA, FATF high-risk-jurisdiction lists and typology reports, MENAFATF guidance and UAE FIU strategic analysis — should be explicitly referenced, with the BRA recording how each development was reviewed and whether it changed any rating.

4. Inherent risk — including virtual-asset-specific categories

Standard categories (customer types, products, delivery channels, geography, transaction volumes) are the baseline. What distinguishes a virtual-asset BRA is the formal scoring of VA-specific risk categories that have no equivalent in traditional finance:

  • Unhosted wallets — blockchain-analytics coverage, UAE Travel Rule requirements and the VASP's interaction policy;
  • Anonymity-enhanced VAs and transactions (AETs) — privacy coins and mixing services;
  • DeFi and complex VA structures — DEX activity, smart-contract interactions, non-custodial intermediaries;
  • Cross-border VA transfers — counterparty-VASP exposure to high-risk jurisdictions and Travel Rule data feeding sanctions screening;
  • Stablecoin-specific risks — reflecting the prevalence of stablecoins in on-chain illicit activity, with PF and sanctions-evasion exposure;
  • Emerging fraud typologies — AI-enabled identity fraud, synthetic identity misuse, deepfake account takeover and investment-scam activity.

Geographic risk in this sector demands more granularity than traditional finance: VARA expects a jurisdiction-by-jurisdiction assessment, identifying the specific proportion of the customer base from each high-risk jurisdiction using actual KYC nationality data — and presenting an honest residual rating, even where that rating is High.

5. Proliferation financing as a distinct category

Proliferation financing (PF) is a distinct financial-crime risk, and FATF Recommendation 7 requires VASPs to implement targeted financial sanctions (TFS) relating to PF without delay. Strong practice scores PF separately from ML and TF, with its own inherent-risk score, control assessment and residual rating. The primary PF vectors in this sector are customer types (corporate structures and customers linked to proliferation-sensitive jurisdictions) and geography (notably DPRK and Iran exposure), with evasion techniques including nested accounts, layered blockchain transactions, front and shell companies, and cross-chain bridges.

The decisive test is whether PF conclusions are operationally linked to the TFS framework. VARA looks for: registration with the UAE Executive Office for Control and Non-Proliferation (EOCN) for designation notifications; screening against the UN Consolidated List, the UAE Local Terrorist List and DPRK/Iran-specific UNSC lists; without-delay asset-freezing procedures consistent with Cabinet Decision No. 74 of 2020; and reporting through goAML via Confirmed and Partial Name Match Reports (CNMRs and PNMRs). The PF inherent-risk rating should be shown to have driven how those controls are configured.

6. Control effectiveness and residual risk

The quality of residual-risk conclusions depends entirely on the quality of the control-effectiveness assessment. VARA expects effectiveness to be judged against objective evidence — internal-audit findings, independent compliance testing (TM tuning, sanctions-screening gap analysis, CDD/EDD quality reviews), supervisory findings and operational performance data — not self-assessment alone. Where control ratings are self-assessed without independent validation, the BRA should acknowledge the limitation and the Board should be told of it when approving.

Crucially, residual ratings should be consistent with the reality that the UAE NRA assesses the virtual-assets sector as high risk for ML, TF and PF. Structural inherent risk cannot be fully engineered away by controls; some residual risk will always remain, and a BRA that scores everything down to Low invites challenge.

7. Operationalisation: turning findings into decisions

A BRA that does not drive operational decisions is not a risk-management tool — it is a filing exercise. VARA expects the BRA to document specific examples from the preceding cycle where findings changed how the programme runs: a TM-threshold change after a product's inherent risk rose; more transaction hops assessed in blockchain analytics after PF risk increased; EDD applied to a jurisdiction after a new FATF listing; resources reallocated where alert volumes outstripped investigation capacity; or a CDD/EDD policy revised for a higher-risk customer type. A dedicated section recording these decisions provides the evidential link between the assessment and the programme.

The BRA should also define the trigger events that force an update — new products or VA listings, material customer-base shifts, regulatory or NRA updates, adverse supervisory/audit/law-enforcement findings, the sanctions designation of a counterparty VASP or a listed asset, and material AML/CFT programme or MLRO changes.

8. Review cycle and version control

Because Rule III.D.3 mandates review at least every three months, each quarterly review should be substantive — incorporating updated operational data, an assessment of external developments and a check on whether any ratings changed. Even where ratings are unchanged, the rationale for stability should be documented. Best practice maintains a granular version-control log recording the date of each version, the author and approver, the specific changes, the development that prompted each change, and the assessed impact on ratings. A change log that records not just what changed but why is what demonstrates a BRA is a genuinely live document.

Where VASPs most often fall short

Reading the guidance against the BRAs we see in practice, the recurring gaps are consistent: a single challenge mechanism (Board sign-off with no internal-audit validation); risk ratings recorded without supporting narrative; control effectiveness self-assessed without independent testing; proliferation financing folded into ML/TF rather than scored separately; no documented link between BRA findings and operational decisions; and a static document with a thin or absent change log. Each of these is individually fixable — and each is exactly what a thematic review is designed to surface.

What we do

Neo Legal advises licensed VASPs on the full VARA compliance lifecycle — including BRA design and independent review, MLRO and governance frameworks, TFS and proliferation-financing controls, and remediation following supervisory engagement. Our regulatory team includes a former member of the VARA framework team, which means we read this guidance the way the supervisor does. If you want a candid read on whether your BRA would withstand a thematic review, that is a conversation worth having before the review, not after.

This article is general information on VARA's AML/CFT Business Risk Assessment guidance as at June 2026 and is not legal advice. Defined terms have the meanings given in the VARA Compliance and Risk Management Rulebook. Speak with qualified counsel about your VASP's specific obligations.