AML Compliance Guide for UAE Businesses

18.11.25 09:24 AM - By Fintrack Tax Consultants

Quick Overview: AML Compliance in the UAE

● Applies to banks, financial institutions, DNFBPs (real estate, legal, accounting), and VASPs.

● Governed by Federal Decree‑Law No. 10 of 2025, CBUAE guidance, and Cabinet Decision No. 10 of 2019.

● Key requirements: risk assessments, customer due diligence (CDD/EDD), transaction monitoring, goAML reporting, record-keeping, internal controls, and sanctions screening.

● Common challenges: complex ownership structures, evolving regulations, and reporting burdens.

● Partnering with UAE-based experts like Fintrack Tax Consultants ensures compliance, reduces risk, and allows focus on business growth.

What Is AML, and Why It’s Crucial in the UAE

AML (Anti‑Money Laundering) refers to the systems and policies that prevent criminals from disguising illegally obtained funds as legitimate business. In the UAE, AML is not just about “following rules” — it’s deeply embedded in legal, financial, and reputational risk.

The UAE Financial Intelligence Unit (FIU) is the main body responsible for collecting and analysing suspicious transaction reports (STRs). Failure to comply can lead to severe penalties, including fines, license revocations, and criminal liability.

Key Legal and Regulatory Framework in the UAE

1. Main AML Laws and Guidelines


● The Federal Decree‑Law No. 10 of 2025 strengthened the UAE’s AML/CFT (Counter‑Terrorism Financing) rules.


● The Central Bank of the UAE (CBUAE) issues AML/CFT guidance for financial institutions, including on transaction monitoring, risk assessment, and dealing with virtual assets.

● For non-financial businesses (DNFBPs), Cabinet Decision No. 10 of 2019 remains highly relevant.

2. Reporting via goAML

All regulated entities must register on the goAML platform, the FIU’s mandatory portal for reporting STRs, SARs, and other required reports.

If you identify suspicious activity, your Compliance Officer or MLRO (Money Laundering Reporting Officer) must submit an STR via goAML.

There are different report types, including STRs, SARs, high-risk country reports, and specialty reports for real estate or precious metals.

Who in the UAE Is Regulated Under AML Rules

AML obligations in the UAE aren’t limited to banks — a wide range of businesses fall under the regulatory scope, including:

● Financial Institutions: banks, insurers, exchange houses, money services, etc.

● DNFBPs (Designated Non-Financial Businesses & Professions): real estate brokers, legal and accounting firms, company service providers, and dealers in precious metals and stones.

● Virtual Asset Service Providers (VASPs): explicitly covered under the 2025 AML law, with obligations for customer due diligence, record‑keeping, and STR reporting.

Core AML Obligations for UAE Businesses

To meet AML requirements, businesses must build and maintain a robust compliance programme. Key elements include:

Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD)

● Collect identity data for individuals and companies, including ultimate beneficial owners (UBOs).

● Screen customers against sanctions lists and politically exposed persons (PEPs).

● For high-risk clients, apply enhanced due diligence.

Ongoing Monitoring

● Continuously monitor transactions to detect unusual or suspicious activity that deviates from the customer’s profile.
● Update customer risk profiles over time, especially after major changes.

Reporting Suspicious Activities

● Submit a Suspicious Transaction Report (STR) to the FIU via goAML if you detect suspicious activity.

● Include relevant background, parties involved, suspicion reasons, and red-flag indicators in the STR.

● Maintain confidentiality: disclosing that an STR has been filed can be unlawful.

Record-Keeping

● Maintain records of customer identification, risk assessments, CDD documentation, STRs, and monitoring activity.

● Retain records for at least five years or as required by law/regulator.

Governance & Internal Controls

● Appoint a Compliance Officer / MLRO with clear responsibilities and direct access to senior management.

● Draft and maintain internal AML policies and procedures (KYC, risk assessment, screening, escalation).

● Provide regular training to staff on AML red flags, reporting lines, and internal processes.

Sanctions and Freezing Obligations

● Screen for targeted financial sanctions (TFS) and freeze assets when required.

● Use confirmatory reporting for partial matches with sanction lists.

Challenges to Expect — and How to Handle Them

  • Complex ownership structures: Identify UBOs using clear policies and require documentation.
  • Technical reporting burden: Have a well-trained MLRO handle goAML submissions.
  • Constant regulatory change: Stay updated and work with local AML experts.
  • Resource constraints: Outsource or partner with AML specialists for assessments, reporting, and training.

How to Build a Practical AML Compliance Programme: A Checklist

Step | Action | Responsibility
Risk Assessment | Map business risk (customers, products, geographies) | Compliance / Risk Team
Policy Development | Create AML policies (KYC, CDD, escalation, sanctions) | Compliance Officer
Onboarding | Perform CDD and classify customer risk | Front Office + Compliance
Transaction Monitoring | Set up systems (manual or automated) | Compliance / Operations
STR Reporting | Submit via goAML, document rationale | MLRO / Compliance Officer
Training | Regular AML training and refreshers | HR + Compliance
Review & Audit | Internal / external audit of AML programme | Senior Management / External Advisor
Record Retention | Keep required AML records for required period | Operations / Compliance

Frequently Asked Questions (FAQs)

Do all UAE companies need an AML programme?

Not all, but many do. Financial institutions, DNFBPs, and VASPs are clearly regulated.

How do I report suspicious transactions?

File an STR via the goAML platform, following FIU guidelines.

What types of reports exist in goAML?

STRs, SARs, high-risk country reports, partial name match reports, fund-freeze reports, and more.

How long must AML records be kept?

At least five years is standard for many entities.

What happens if I fail to comply?

Penalties include fines, license suspension, or criminal liability for managers.

Why Local Expertise Makes a Big Difference

Navigating AML compliance in the UAE isn’t just about checking boxes — it’s about addressing local risks, meeting regulators’ expectations, and building practical control frameworks.

Experienced local AML consultants can:

  • Translate UAE-specific laws into actionable steps
  • Help set up and maintain goAML registration and reporting
  • Design AML policies tailored to your business model
  • Provide hands-on staff training
  • Keep you updated when regulations change

Partnering with Fintrack Tax Consultants adds an extra layer of confidence. Our team of UAE-based experts combines deep regulatory knowledge with practical, hands-on support, helping businesses stay compliant while focusing on growth and building trust with clients and partners.

Final Thoughts

AML compliance in the UAE is more demanding than ever. But getting it right isn’t just a legal obligation — it's a way to protect your business, build trust, and demonstrate integrity to partners and clients.

Meeting AML obligations, implementing a risk-based approach, keeping a close eye on transactions, and submitting accurate reports through goAML enables companies to maintain a strong and effective compliance programme.

Partnering with experienced local AML experts not only ensures that all regulatory requirements are met but also provides peace of mind, allowing businesses to focus on growth, build trust with partners and clients, and operate confidently in the UAE market.

Fintrack Tax Consultants