Introduction

In Q4 2025 alone, UAE regulators issued more than AED 150 million in AML penalties across the virtual asset sector – a signal that the country has entered a zero-tolerance era for crypto-linked illicit flows. With Federal Decree-Law No. 10 of 2025 taking effect on 14 October 2025, the compliance landscape has permanently changed. 

This landmark overhaul repeals the older Federal Decree-Law No. 20/2018, expands the AML/CTF framework to formally include CPF (Countering Proliferation Financing), and – crucially – creates explicit legal definitions and penalties for terrorism financing (TF) via virtual assets and digital systems. For the first time, the UAE directly names blockchain tools, privacy-enhancing technologies, and virtual asset transfers as high-risk TF vectors.

This post breaks down the new crypto-specific TF penalties, how they reshape obligations for VASPs, and what actions firms must take now to avoid severe administrative and criminal exposure – including fines up to AED 100 million for entities.

Whether you’re a Dubai-based exchange, token issuer, custodian, or wallet provider, Cryptoverse Legal Consultancy offers tailored VASP advisory to help you transition into full compliance before 2026’s enforcement cycle intensifies.

Background: Why the Overhaul Now?

The UAE’s AML transformation did not occur in isolation. The country’s exit from the FATF grey list in 2024 triggered a multi-year regulatory modernisation roadmap, reflected in the National AML/CFT/CPF Strategy (2023–2027). Coupled with global concerns about virtual assets being weaponized for illicit finance, the UAE’s position demanded a decisive legal shift.

According to FATF’s 2025 assessments, 20% of global TF cases involve virtual assets, driven by factors such as anonymity-enhancing technology, cross-border speed, and the increasing use of mixers/tumblers. For a financial hub positioning itself as a compliant and trusted crypto jurisdiction, ignoring these risks was not an option.

Key Drivers Behind the Overhaul

1. Evolving Threat Vectors
Terrorist groups have turned to privacy coins, P2P transfers, and encrypted wallets to bypass traditional banking rails. The 2025 law acknowledges this reality by explicitly targeting TF enabled via blockchain and cryptographic tools.

2. Legislative Evolution (2018–2025)
The new decree builds on the 2021 and 2023 amendments but goes further by cementing CPF obligations, expanding definitions of predicate offenses (e.g., tax evasion), and removing limitation periods for ML/TF/CPF crimes. This ensures prosecutors can pursue offenses that unfold across long chains of blockchain transactions.

3. Explicit Digital and Crypto Scope
For the first time, terrorism financing through “digital systems, encrypted technologies, or virtual assets” is criminalized directly – closing the interpretive gaps that existed in earlier laws.

2018 Law → 2023 Strategy → Oct 2025 Decree-Law No. 10 → 2027 Strategy Review

Key Provisions: Crypto-Specific Terrorism Financing Penalties

The heart of the 2025 overhaul lies in its revision of terrorism financing definitions and related penalties. This is where VASPs face the most significant compliance exposure.

A. Updated Core Definitions (Article 3)

Decree-Law No. 10 introduces sweeping changes by explicitly stating that TF offenses include:

  • Funding, transferring, facilitating, or managing assets – including virtual assets – intended to support terrorism.
  • Providing funds via digital systems, encryption technologies, or any virtual asset mechanism.
  • Liability based on the actor “knowing or should have known” that assets may be used for terrorism.

The shift from actual knowledge to implied/expected knowledge dramatically lowers the evidentiary threshold. This places significant responsibility on VASPs to detect suspicious transfers – even if users attempt to conceal their intentions.

Example:
A VASP processes a Monero (XMR) withdrawal to a wallet linked to a sanctioned militia. Under the old law, prosecutors had to prove intent. Under the new law, failure to detect “red flags” is enough to trigger criminal liability.

B. Penalties: What VASPs Must Know

Crypto-Specific TF Penalties Under Decree-Law No. 10 (2025)

| Offense Type | Key Changes | Penalties (AED) | Implications for VASPs |
|---|---|---|---|
| Individual TF via Crypto | “Should have known” standard; dual-use encrypted tools included | Imprisonment 10 years + AED 5M–50M | Founders, MLROs, compliance heads face personal liability |
| Entity-Level (VASPs) | Penalties tied to criminal property value; ban on anonymity-enhancing services | Up to AED 100M + license cancellation | Exchanges/custodians liable for weak KYC or EDD failures |
| Proliferation Financing (PF) | Covers WMD/arms via tokenization or crypto transfers | AED 10M–100M + asset freeze | Affects RWA tokenizers, DeFi bridges, liquidity providers |

Contrast with 2018 Law:
No explicit reference to virtual assets, lower penalties, and no CPF framework.

C. Enhanced Enforcement Tools (Article 5)

The decree strengthens capabilities of the UAE’s Financial Intelligence Unit (FIU):

  • Real-time case triggers through the goAML platform
  • Authority to demand instant VASP reporting for suspicious VA flows
  • Mandatory UBO disclosure with fines exceeding AED 1 million for misreporting
  • Power to freeze wallets linked to high-risk TF/PF indicators

For VASPs, this means monitoring must be continuous, not event-based.

Implications for VASPs and Crypto Businesses

1. Direct Exposure to Criminal and Administrative Risk

VASPs are now expected to conduct TF-specific risk assessments, separate from their ML risk models. Gaps in these assessments can result in:

  • Administrative penalties
  • Suspension of operations
  • Revocation of VARA or CBUAE licenses

2. Operational Changes Required

Decree-Law No. 10 pushes VASPs toward a surveillance-first model:

  • Deploy blockchain analytics tools (e.g., Chainalysis, TRM Labs)
  • Initiate enhanced due diligence (EDD) for transfers above USD 1,000 in alignment with Travel Rule expectations
  • Strengthen onboarding for high-risk jurisdictions
  • Monitor for privacy coins, mixers, and P2P pathways

3. Cross-Border Reporting Duties

If a VASP operates in both the UAE and Europe, it must comply with:

  • UAE’s AML/CTF/CPF requirements
  • EU MiCA compliance regimes
  • Potential double reporting to two FIUs for cross-border transactions

4. Opportunities Amid Regulatory Tightening

The UAE’s clarity around crypto-TF risk positions compliant firms as premium, trusted operators. Institutional players – including tokenized sukuk and RWA issuers – benefit from improved legal stability.

Case Example:
A Dubai-based VASP received an AED 20M penalty in mid-2025 after failing to trace privacy coin flows through a multi-hop chain. The issue could have been prevented with proactive audits and analytics.

5. Broader Impact

The law applies not only to centralized exchanges but also to:

  • DeFi protocols
  • NFT marketplaces
  • DAOs operating infrastructure in the UAE
  • Self-custody wallet providers (when meeting VARA’s licensed activity criteria)

Compliance Roadmap: What VASPs Must Do in 2026

To avoid severe penalties, VASPs must adopt a structured compliance transformation.

✓ Step 1: Conduct a Decree-Law No. 10 Gap Assessment

Evaluate AML/CTF controls against new requirements:

  • TF via virtual asset protocols
  • CPF oversight for tokenization projects
  • Screening for dual-use goods

Cryptoverse Legal Consultancy offers specialized VASP GAP Assessments tailored to VARA and CBUAE expectations.

✓ Step 2: Upgrade Monitoring and Reporting Systems

  • Integrate AI-driven monitoring that detects encryption-based TF indicators
  • Configure goAML reporting pipelines for <24-hour submission
  • Enable wallet-level sanctions screening and clustering analytics

✓ Step 3: Strengthen Governance and Training

  • Mandatory TF/PF training for all operational staff
  • Update board charters to include CPF oversight
  • Implement annual simulation exercises for FIU investigations

✓ Step 4: Refresh Core Documentation and Disclosures

Update:

  • AML/CTF/CPF manuals
  • VASP risk matrices
  • UBO registers
  • Token whitepapers and disclosures

✓ Step 5: Launch Continuous Review Cycles

Align quarterly internal audits with National Strategy metrics.

Budgeting Tip:
Set aside AED 500K–2M for initial implementation, depending on business size and licensing scope.

Conclusion 

Decree-Law No. 10 is not a minor amendment – it is a fundamental restructuring of the UAE’s fight against terrorism financing, especially within the virtual asset ecosystem. With 2026 expected to bring a surge in enforcement, VASPs must transition from baseline compliance to proactive, intelligence-driven oversight.

The UAE aims for full FATF white-listing by 2027, meaning enforcement will only strengthen. Now is the time for VASPs to reinforce governance, implement technology upgrades, and document every stage of their AML/CTF/CPF frameworks.

Cryptoverse Legal Consultancy has supported 50+ VASPs through regulatory transitions across VARA, ADGM, and CBUAE regimes. If you want to safeguard your license, reputation, and long-term scalability, book a compliance consultation.

FAQs

1. What is Decree-Law No. 10 of 2025 in the UAE?

Decree-Law No. 10 of 2025 is the UAE’s updated AML/CTF/CPF framework that replaces the 2018 AML law. It expands terrorism financing definitions, adds proliferation financing (PF) offenses, and explicitly includes virtual assets, digital systems, and encryption technologies within its regulatory scope.

2. How does the 2025 AML law apply to crypto and virtual assets?

The law states that any terrorism financing conducted through virtual assets, encrypted tools, mixers, privacy coins, or blockchain-based transactions is a criminal offense. VASPs can be held liable for failing to detect or prevent high-risk transfers.

3. What are the penalties for terrorism financing via crypto in the UAE?

Penalties range from AED 5M–50M and up to 10 years’ imprisonment for individuals, and up to AED 100M for VASPs or entities. Additional sanctions include license suspension, cancellation, and asset freezing.

4. What does “should have known” mean in the context of the new law?

This standard means a VASP or individual can be punished even without proven intent. If red flags are visible – such as privacy coin use, mixer routing, or sanctioned wallet interaction – the entity is legally expected to identify and act on them.

5. Does the law also target proliferation financing (PF)?

Yes. The 2025 overhaul criminalizes PF involving arms, WMDs, and dual-use goods. Tokenization projects, RWAs involving sensitive assets, and cross-border transfers may trigger PF compliance obligations.