A Lighthouse in the Crypto Storm: How Dubai’s VARA Combines Market Resilience and Travel Rule Excellence

The October 2025 crypto collapse—when Bitcoin plunged from around USD 123,000 to nearly USD 105,000 within minutes—was a stark reminder that volatility and sudden liquidity shocks remain a core challenge for global regulators, including those in the UAE. Events like this emphasize the importance of strong, coordinated oversight, especially around data transparency and AML/CTF safeguards such as the Travel Rule.

Under VARA’s leadership, the UAE emerged as one of the most crypto-forward yet well-regulated markets in the world, supported by a mature Travel Rule framework aligned with FATF Recommendation 15. 

But implementation is not uniform. Requirements differ between financial zones such as Dubai (VARA) and Abu Dhabi (ADGM), creating licensing and operational complexity for firms operating across jurisdictions. The “sunrise issue”—where cross-border transfers risk delays or failures because counterparties operate in the jurisdictions where the Travel Rule has not yet been implemented—further slows or blocks transfers when counterparties can’t meet data requirements, tightening compliance friction.

Together, these factors reveal both how far the UAE has progressed and where challenges remain, particularly during high-stress market events like the recent crash. To explore how the UAE regulators are closing these gaps and strengthening resilience, we sat down with Andal Seshadri, a Legal Compliance Advisor at Aston VIP and a VARA specialist, to discuss the path forward for VASPs and regulators navigating the next wave of market instability.

THE SUMSUBER: Let’s start with the hot topic, namely the October 2025 crypto collapse. Bitcoin fell significantly from around $123,000 to about $105,000, and many altcoins dropped as much as 30-40% in value within minutes, causing short-term panic and sell-offs. The high volatility and rapid losses affected many retail and institutional crypto investors, including in the UAE. How does VARA view events like this? Do they raise supervisory and systemic risk considerations in the UAE?

ANDAL: It’s nice to start the conversation with stress—it shows us who we are, and regulators are no exception. October 2025 again proved that the crypto market can still suffer abrupt, order-book-driven price breaks and large forced liquidations across venues. Bitcoin dropped from recent intramonth highs of about USD 126,000 to intraday lows near USD 105,000–110,000, and many altcoins plunged even more sharply. Substantial leveraged positions were reportedly wiped out within a single day, creating temporary disorderly conditions on multiple exchanges. From a supervisory point of view, events like this create three main risk areas for the UAE.

First, market integrity and conduct risks increase when liquidity is thin. During these periods, trading venues must have strong supervision and surveillance, as required by VARA’s Market Conduct rulebook.

Second, prudential and operational resilience for VASPs may be challenged. Risk management, collateral, and margin practices can come under pressure, which activates the governance expectations set out in the Compliance & Risk Management rulebook.

Third, financial crime controls face extra strain. High transaction volumes and more on/off-ramp activity require stronger AML/CFT monitoring and effective Travel Rule compliance. Firms licensed in Dubai must be ready to show that their controls work and report information when requested.

At the federal level, the UAE’s AML/CFT framework (Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019) provides the baseline enforcement toolkit for VASPs and financial institutions during stress events. It includes administrative penalties, supervisory powers, and a minimum five-year record-keeping period to preserve audit trails.

So, VARA sees events like the October 2025 crash as a reminder that crypto markets remain highly volatile and must be supported by strong oversight to protect market integrity, operational resilience, and AML/CFT compliance. Such shocks do test the system, yet they also show that the UAE’s regulatory framework is designed to manage real-world stress and continue building trust in the digital asset sector.

Suggested read: Crypto in the UAE: Regulation, Licensing, and What’s Next

THE SUMSUBER: Given the speed and scale of the collapse, how well-prepared is the UAE’s regulatory framework to handle sharp market shocks like this one? 

ANDAL: It is well-prepared, thanks to the layered regulation and clear mandates. In Dubai, VARA’s 2023 Virtual Assets and Related Activities Regulations create a full licensing stack backed by compulsory rulebooks (the Company, Compliance & Risk Management, Market Conduct, and Technology & Information Rulebooks). So, exchanges, brokers, custodians, and transfer services operate with targeted risk controls that can be tightened during periods of stress. 

At the federal baseline, the AML/CFT law and its executive regulations apply country-wide (including to VASPs), empowering authorities to impose fines, compel information, and enforce the five-year retention of Customer Due Diligence (CDD) and transaction records so that investigations are not impaired by volatility.

When compared to other financial zones, Abu Dhabi ADGM’s FSRA AML Rulebook explicitly extends the Travel Rule to virtual-asset transfers (treating wallet addresses as account numbers) and, importantly, imposes no de minimis threshold: originator and beneficiary information must accompany all transfers. 

Taken together, these layers enhance monitoring of flows, enable coordinated supervisory responses, and preserve evidentiary integrity when market shocks intensify.

THE SUMSUBER: Thank you for turning to the Travel Rule, I was just about to ask. Moments like the October crash really highlight how interconnected and fast-moving the crypto ecosystem is. When volatility spikes, so does the pressure on compliance systems and transaction monitoring. This brings us to the Travel Rule, one of the cornerstones of regulatory oversight in the UAE. Could you walk us through how VARA’s framework for the Travel Rule fits within the broader UAE regulatory architecture for virtual assets?

ANDAL: Sure. The Travel Rule rests on a federal foundation and is then implemented by the competent local regulators. At the federal level, Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 impose AML/CFT obligations on financial institutions, DNFBPs, and VASPs, including CDD, suspicious-transaction reporting, and a minimum five-year record retention period. 

Cabinet Resolution No. 111 of 2022 clarifies federal oversight of VASP licensing and coordination among the Securities and Commodities Authority (SCA), local licensing authorities such as VARA, the Central Bank, and others, and also requires VASPs to comply with AML/CFT laws.

In Dubai, VARA’s Compliance & Risk Management Rulebook (Part III.G, FATF Travel Rule) requires originator and beneficiary data for virtual-asset transfers above AED 3,500, mandates counterparty-VASP due diligence, addresses unhosted wallets and anonymity-enhanced transactions, and expressly requires firms to demonstrate Travel Rule effectiveness both at licensing and upon supervisory request, including concrete plans for the “sunrise issue.”

In Abu Dhabi, the ADGM’s FSRA AML Rulebook treats virtual-asset transfers as wire transfers and expects full Recommendation 16 compliance with no threshold, and the Central Bank complements the framework with guidance to licensed financial institutions on VA/VASP risks that cross-reference Cabinet Resolution 111/2022. The net effect is that the Travel Rule operates as a horizontal AML/CFT obligation for all UAE VASPs, implemented vertically through VARA, the SCA, ADGM/FSRA (and the DFSA in DIFC) under a common federal legal baseline.

Together, these rules create a layered but unified Travel Rule framework in the UAE: the federal laws set the baseline AML/CFT obligations, and local regulators such as VARA, the SCA, the FSRA, and the DFSA enforce them in their jurisdictions. The result is a system designed to ensure consistent data sharing, stronger detection of illicit flows, and a coordinated supervisory approach across all virtual-asset activity in the country.

THE SUMSUBER: Can you explain how Travel Rule compliance might differ between, say, Dubai (under VARA) and other emirates governed by SCA or ADGM? How do you ensure interoperability across these frameworks?

ANDAL: There are two main areas to emphasize: thresholds and coordination. On thresholds and scope, VARA in Dubai sets an AED 3,500 trigger for collecting, holding, and consistent with federal law, transmitting originator and beneficiary data, along with detailed expectations for counterparty due diligence and the handling of unhosted-wallet flows. By contrast, ADGM’s FSRA applies no de minimis threshold at all, requiring the full data set to accompany every virtual-asset transfer.

Onshore under the SCA, VASPs fall under the federal AML/CFT regime and Cabinet Resolution No. 111 of 2022, with the SCA coordinating with local authorities, including VARA. On regulatory coordination and interoperability, SCA-VARA cooperation (and subsequent public communications) aims to harmonize licensing and supervision and to clarify jurisdictional boundaries, with authorities signaling progress toward a unified VASP register and coordinated oversight across the UAE.

The DFSA-VARA memorandum of understanding further adds information-sharing between DIFC and the rest of Dubai, reinforcing Dubai-wide consistency. In practice, multinational VASPs operating across multiple UAE frameworks should calibrate controls to the strictest applicable standard, often ADGM’s no-threshold approach, while documenting Dubai-specific AED 3,500 pre-transaction controls where VARA is the competent regulator.

So, despite differing thresholds, the UAE’s regulators are increasingly coordinating to ensure that VASPs apply consistently high Travel Rule standards across all jurisdictions. Firms are, of course, expected to align with the strictest requirements where frameworks overlap.

THE SUMSUBER: Given the fragmented global Travel Rule landscape, how is the UAE ensuring interoperability with international VASPs and different messaging protocols?

ANDAL: UAE supervisors align their expectations with FATF Recommendations 15 and 16 so UAE-licensed VASPs can exchange standardized counterparty data with foreign firms. The interVASP IVMS101 data model (updated in 2023/2024) provides the common schema for originator and beneficiary information, while established messaging frameworks such as the Travel Rule Protocol (TRP) and TRISA offer mature, secure mechanisms for VASP-to-VASP data exchange.

Crucially, VARA requires VASPs to show how they will comply with the Travel Rule even when counterparties are in jurisdictions where it is not yet mandatory: the “sunrise issue.” This drives the adoption of interoperable data standards and formal counterparty due diligence playbooks, together with clear procedures for error handling, fallbacks, and transaction rejection when required.

THE SUMSUBER: I see, the UAE is clearly an early mover in the region. Do you see other GCC countries or MENA jurisdictions following a similar regulatory path if this model proves effective? Which markets might be next?

ANDAL: We need to check out the country-specific picture first. While each jurisdiction will calibrate for local market structure and legal architecture, the direction is clear: the FATF’s continued emphasis on effective implementation of Recommendation 15 (technology risks) and Recommendation 16 (payment transparency/Travel Rule) sustains policy pressure for licensing plus Travel Rule regimes across the region.

UAE authorities deepen SCA-VARA (and DFSA/FSRA) cooperation and demonstrate live supervisory interoperability, including license recognition, unified registers, and information-sharing. Overall, the UAE authorities provide a practical reference architecture that neighbors can adapt, typically by strengthening onshore AML baselines first and then layering dedicated virtual-asset rulebooks and supervisory procedures.

THE SUMSUBER: Looking ahead, how do you see the UAE’s Travel Rule framework evolving as FATF guidance matures and as more countries implement their own regimes? Could the UAE play a standard-setting role in the region and globally?

ANDAL: The short answer is yes, and I’m mostly thinking of three pillars here.

First, data-quality and consistency upgrades: FATF’s 2025 refinements to Recommendation 16 are intended to standardize required information and reduce errors, and UAE regulators already embed those expectations in local rulebooks. So, VASPs should expect more granular supervisory testing of payload completeness, error handling, reconciliation, and end-to-end assurances.

Second, cross-regulator integration: ongoing SCA-VARA and DFSA-VARA cooperation, together with ADGM’s fully specified AML Rulebook, positions the UAE to demonstrate cross-framework operability, from licensing clarity to information-sharing, that other jurisdictions can emulate.

Third, technical interoperability at scale: as global VASP adoption of IVMS101 and TRP/TRISA grows, UAE-licensed firms will increasingly be expected to prove interoperability in production, including the sunrise issue risk management, unhosted wallet governance, and secure transmission controls—the capabilities VARA already requires ex-ante in licensing and ex-post in supervision. Taken together, these dynamics make the UAE a credible regional standard-setter and a global proof-point for Travel Rule implementation at market scale.