IEMS And VASPs: VARAs' Next Step In AML Enforcement

KEY TAKEAWAYS

• In May 2025, VARA mandated all VASPs to be fully registered and responsive on the FIU's Integrated Enquiry Management System portal.
• The IEMS platform will serve as a secure digital channel of communication amongst FIU, law enforcement agencies and VASPs.
• VASPs must maintain 24/7 monitoring, escalation chains, and case-management systems to respond instantly to FIU orders.
• While goAML handled outbound suspicious reporting, IEMS introduced inbound oversight.
• While the U.S., U.K., and Singapore have introduced systems for rapid regulatory access, the UAE's IEMS stands apart by combining information requests and enforceable directives on a single
• This directive, coupled with the recent VARA Rulebook amendments, reflects a coordinated effort to entrench stronger AML/CFT controls across the virtual asset sector.

INTRODUCTION

"At 9 AM, a compliance officer at a Dubai crypto exchange logs into a government portal and sees an urgent message: freeze wallet XYZ linked to a suspected ransomware payment. There are no calls or emails; it is just a digital directive through the UAE Financial Intelligence Unit's ("FIU") Integrated Enquiry Management System ("IEMS"). The order must be executed immediately."

This is no longer a hypothetical. In May this year, Dubai's Virtual Assets Regulatory Authority ("VARA") mandated that all Virtual Asset Service Providers ("VASPs") be fully registered and responsive on IEMS. In 2019, IEMS was introduced to provide a secure digital channel for communication between the FIU, law enforcement, and financial institutions¹. While goAML remains the portal for reporting suspicious transaction reports ("STRs"), IEMS is used by the FIU and domestic law enforcement authorities to send requests or instructions to reporting entities and receive their responses². This change coincided with amendments introduced under VARA's Rulebooks, which brought a suite of reforms to enhance market security and integrity. By mandating VASPs to integrate into the FIU's IEMS at the same time, the regulators signalled that these amendments are part of a coordinated effort to hardwire stronger AML/CFT controls.

UNDERSTANDING THE IEMS PLATFORM

IEMS is a centralised tool for the management of AML/CFT inquiries and communications. Through IEMS, the FIU or other domestic authorities can electronically send inquiries and orders, for example, requests for customer account information, investigative requests, or instructions to freeze assets/accounts, and the concerned institution can respond within the same portal. The system provides structured data input fields and document upload tools for firms to supply the requested information in a standardised manner. It also provides real-time visibility to both parties on the status of requests and applicable deadlines, so compliance officers can track pending inquiries and when they are due. In short, IEMS automates what used to be ad hoc or paper-based queries, creating an auditable, secure channel for AML/CFT-related correspondence. This improved workflow facilitates end-to-end communication among the FIU, law enforcement agencies, and reporting entities (including VASPs) for financial crime investigations.

The rationale behind IEMS is to strengthen the execution and monitoring of AML directives. Instead of relying on emails or manual letters, authorities can use IEMS to send official requests and receive data promptly, which is critical when dealing with money laundering or terrorism financing cases. From the perspective of a VASP, being connected to IEMS means that any government directives will arrive officially through this system. This integration of VASPs into IEMS reflects the UAE's commitment to subject crypto-asset businesses to the same AML/CFT standards as traditional financial institutions.

NEW FIU REQUIREMENTS FOR VASPS TO USE IEMS

The FIU's expectations of VASPs under this mandate include several obligations:

• Ensure that the firm's personnel, the Money Laundering Reporting Officer (MLRO) and other Compliance Officers are registered on the IEMS. This registration is done using their existing goAML credentials.
• The FIU expects VASPs to assign roles such as Administrator, Maker, and Checker in line with their internal compliance workflow. This mirrors good governance practice. One user might draft a response (maker), another reviews/approves it (checker), and an admin oversees the account.
• As time-sensitive law enforcement requests will come through IEMS, firms must have a procedure to continuously monitor the IEMS dashboard and message tabs for any incoming requests, directives, or updates from the FIU.
• Each inquiry will come with a due date or turnaround time. VASPs must provide the requested information or take the required action within that period. The FIU specifically noted that supporting documents (e.g., account statements, transaction records) should be attached in the requested formats (e.g., PDF or CSV) when submitting the response.
• Immediately implement any account freeze instructions received via IEMS, notwithstanding any customer liabilities or pending transactions. VASPs should therefore have internal escalation procedures to act on freeze notices immediately (24/7), as failure to freeze assets in a timely manner could allow funds to be dissipated.
• Maintain a complete and accurate audit trail of all actions taken through the IEMS platform. The platform itself will record exchanges, but the firm should also ensure its compliance staff documents their actions. This audit trail may be reviewed by regulators. It evidences that the VASP responded appropriately and on time. In the event of any future inspection or investigation, the firm can demonstrate a history of compliance with IEMS tasks.
• Regularly review and update the "account review" sections in IEMS with any relevant money laundering or terrorism financing risk information. The IEMS interface includes a section for reporting entities to note concerns about specific accounts. After responding to a request or upon detecting a risk internally, the MLRO might add a note in IEMS about that account or customer³.

All of the above requirements are mandatory for VASPs. The FIU is fully integrating VASPs into its inquiry management workflow, requiring them to be both technically and operationally prepared to engage with the system. This includes completing system registration and user setup, ensuring continuous monitoring, and responding promptly to any actions or requests. VASPs are directed to the circular "IEMS User Guide for Reporting Entities (Version 2.1.2 – March 2023)", which sets out detailed operational guidance and role-based functionalities.

IMPLICATIONS ON VASPS

Regulators would want to consider how quickly VASPs: (a) acknowledge an enquiry; (b) assemble complete evidence packs – KYC, transaction trails, chain-analysis, screenshots of wallet control, off-platform comms; and (c) submit the correct IEMS workflow. For VASPs, the implications are immediate and tangible. The IEMS mandate effectively forces firms to maintain 24/7 compliance readiness. This means staffing on-call compliance officers and investing in case-management systems that can handle IEMS workflows. It also needs to include building escalation chains that work across weekends and holidays. Inevitably, compliance costs will rise. Certain actions, including wallet freeze, may lead to customer pushback or reputational challenge. Thereby, VASPs are required to add adequate disclosure and anticipated operations in their policies.

HOW DOES THIS COMPARE GLOBALLY?

Other jurisdictions have taken steps in a similar direction, but none quite match the UAE's approach. In the United States, FinCEN's 314(a) program allows law enforcement to circulate suspect names via a secure portal to financial institutions. The institutions have to search their records and report matches for potential lead information in terrorist financing and money laundering matters⁴. The U.K.'s Information Orders under the Economic Crime and Corporate Transparency Act 2023 empower the FIU to demand additional information from entities that have filed suspicious reports, compelling time-bound responses backed by statutory force⁵. The Monetary Authority of Singapore has launched COSMIC, a platform where banks share customer risk information with each other in real time under regulatory oversight, but it does not provide a connection between financial institutions and regulatory authorities⁶. These mechanisms share IEMS's focus on structure and accountability, but stop short of its breadth. What sets the UAE apart is that IEMS not only delivers enquiries and compels responses, but also enables operational directives, such as transaction details and immediate freeze orders, all within the same digital channel. In that sense, IEMS is unique; it is both a regulator's inbox and an enforcement lever, making it one of the most integrated compliance platforms of its kind worldwide.

CONCLUSION

The UAE's removal from the FATF grey list in 2024 marked a significant milestone, creating a clear imperative to demonstrate the durability and effectiveness of the reforms undertaken. The FIU's mandate applicable to VASPs must be understood within this broader regulatory context.

Historically, VASPs have engaged with the FIU primarily through goAML, the platform used to submit STRs. The introduction of IEMS materially alters this dynamic by incorporating an inbound supervisory dimension. It enables regulators to initiate queries directly and to monitor, with precision, the timeliness and adequacy of responses.

Accordingly, compliance is no longer limited to STR filings. It now also encompasses a VASP's ability to demonstrate prompt, structured, and verifiable cooperation in response to regulatory inquiries.

Footnotes

1. UAE Financial Intelligence Unit (FIU), Annual Report 2019, Page 5 <https://www.namlcftc.gov.ae/media/nejdg4go/uae-fiu-annual-report-2019.pdf UAE's>

2. Virtual Asset Regulatory Authority (VARA), Government of Dubai, "To: All Virtual Asset Service Providers (VASPs) in the Emirate of Dubai", 20 May 2025 < https://media.umbraco.io/dwtc/pq2mku34/vasp-circular-on-iems-introduction.pdf >

3. Virtual Asset Regulatory Authority (VARA), Government of Dubai, "To: All Virtual Asset Service Providers (VASPs) in the Emirate of Dubai", 20 May 2025.< https://media.umbraco.io/dwtc/pq2mku34/vasp-circular-on-iemFinCEN'sUAE'ss-introduction.pdf >

4. Financial Crimes Enforcement Network, "FinCEN's 314(a) Fact Sheet", < https://www.fincen.gov/system/files/shared/314afactsheet.pdf >

5. Government of UK, "Economic Crime and Corporate Transparency Act: Overarching Factsheet", < https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-act-2023-factsheets/economic-crime-and-corporate-transparency-act-overarching-factsheet >

6. Monetary Authority of Singapore, COSMIC, < https://www.mas.gov.sg/regulation/anti-money-laundering/cosmic >

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.