What CARF and UAE AML Rules Mean for Crypto Compliance

Share
What CARF and UAE AML Rules Mean for Crypto Compliance
Photo by Dallas Penner / Unsplash

The global framework for crypto tax reporting and anti-money laundering compliance is moving from policy design into implementation. For UAE-licensed virtual asset firms, the direction is now clearer: tax transparency, Travel Rule compliance, risk assessments, and suspicious activity reporting are becoming more connected parts of the same compliance picture.

What CARF Changes

The Crypto-Asset Reporting Framework, known as CARF, was developed by the OECD to create a common system for reporting and exchanging tax-related information on crypto-asset activity.

Traditional financial accounts are already covered by the Common Reporting Standard. Crypto activity created a separate challenge because transfers can happen through exchanges, custodians, brokers, wallets, and other service providers across borders. CARF is designed to close that reporting gap by requiring relevant crypto-asset service providers to collect due diligence information and report certain transactions to their domestic tax authority.

That information can then be exchanged automatically with the tax authority in the user's jurisdiction of tax residence, depending on the participating countries and local implementation rules.

For firms, the practical issue is not only reporting. It is whether customer onboarding, tax-residency checks, transaction records, wallet-transfer data, and internal systems are ready to support that reporting accurately.

UAE Timeline and Regulatory Context

The UAE Ministry of Finance announced in September 2025 that the UAE had signed the Multilateral Competent Authority Agreement for automatic exchange of information under CARF. The Ministry said CARF implementation in the UAE is scheduled to go live in 2027, with the first exchanges of information expected in 2028.

The Ministry also opened a public consultation from 15 September to 8 November 2025 to gather feedback from stakeholders including advisory service providers, intermediaries, traders, custodians, exchange platforms, and others active in the crypto-asset sector.

This matters because UAE virtual asset activity already sits across several regulatory touchpoints. VARA regulates virtual assets in Dubai outside DIFC. ADGM's FSRA, DIFC's DFSA, the CBUAE, and the Securities and Commodities Authority also form part of the wider UAE financial and virtual asset regulatory environment depending on the activity and location.

CARF does not replace AML rules. It adds another layer of reporting expectations. In practice, the same customer and transaction data may become relevant for tax reporting, AML monitoring, sanctions screening, Travel Rule checks, and regulatory supervision.

AML Law and VARA Risk Requirements

The UAE also updated its federal AML/CFT framework through Federal Decree-Law No. 10 of 2025 on anti-money laundering, combating terrorism financing, and combating proliferation financing. The decree-law took effect in October 2025, while Cabinet Resolution No. 134 of 2025, the executive regulation, took effect in December 2025.

For virtual asset firms, this federal framework operates alongside sector-specific rules from the relevant regulator.

VARA's public regulatory notices in 2026 show continued supervisory focus on AML/CFT controls. Its June 2026 AML/CFT Business Risk Assessment Guidance sits alongside VARA's Compliance and Risk Management Rulebook, which requires licensed VASPs to conduct business and client risk assessments at intervals no longer than every three months. The rulebook also requires firms to consider risks linked to virtual assets, anonymity-enhanced transactions, emerging technologies such as artificial intelligence and machine learning, and other emerging risks.

That makes AML compliance more than a one-time policy document. Firms need documented, current, and evidence-based risk assessments that can be linked to their controls, staffing, monitoring, escalation, and board-level oversight.

Travel Rule and UAEFIU Reporting

The FATF's June 2025 targeted update on virtual assets again highlighted uneven global implementation of the Travel Rule. The Travel Rule requires originator and beneficiary information to accompany qualifying virtual asset transfers, helping regulated firms and authorities understand who is sending and receiving funds.

In the UAE, ADGM's FSRA issued Notice No. 25 of 2026 referring to the National Anti-Money Laundering and Combatting Financing Terrorism and Financing of Illegal Organisations Committee's decision on the UAE Virtual Assets Travel Rule. VARA also published a February 2026 notice on implementation of the UAE Virtual Assets Travel Rule requirements.

The scale of reporting is also increasing. The UAEFIU's December 2025 public report on virtual assets said registered entities on goAML associated with virtual asset services had submitted more than 4,000 suspicious reports as of June 2025. The same report analysed 804 STRs and SARs received between 1 July 2023 and 30 June 2025, with a focus on blockchain tracing.

This is a more reliable public figure than the previously cited 512 reports, which should not be used without direct confirmation from UAEFIU.

Why This Matters for Crypto Firms

The UAE crypto market is large enough for compliance gaps to become a material business risk. Chainalysis estimated that the UAE received more than USD 56 billion in crypto value during the 2024 to 2025 reporting window, up 33 percent period-on-period.

For licensed VASPs, the practical priority is preparation. CARF reporting, AML monitoring, sanctions controls, Travel Rule implementation, suspicious activity reporting, and governance records should not be treated as separate paperwork exercises. They depend on many of the same data points and controls.

Firms should check whether their systems can collect tax-residency information, preserve transaction records, identify wallet-transfer risks, apply updated risk ratings, monitor higher-risk activity, and produce evidence for regulators when required.

The regulatory direction is clear. UAE virtual asset firms are moving into a phase where compliance needs to be documented, data-supported, and regularly reviewed, not handled only when a filing deadline or inspection arrives.


Key Takeaways

  • The UAE has committed to CARF implementation, with go-live expected in 2027 and first exchanges of information expected in 2028.
  • The UAEFIU public report cites more than 4,000 suspicious reports submitted by goAML-registered entities associated with virtual asset services as of June 2025, and an analysed sample of 804 STRs and SARs for July 2023 to June 2025.
  • UAE crypto firms should treat CARF, AML/CFT controls, Travel Rule requirements, sanctions screening, and suspicious activity reporting as connected compliance obligations.

Sources: OECD, UAE Ministry of Finance, UAE Legislation, UAEFIU, VARA, ADGM FSRA, FATF, Chainalysis.


Disclaimer: This content is for educational and informational purposes only. It is not legal, financial, investment, cybersecurity, medical, business, career, or other professional advice. Verify important information with official sources or qualified professionals before acting.

Read more