- In March 2022, the UAE landed on the gray list of the Financial Action Task Force (FATF) – the global watchdog for money laundering and terrorism financing.
- The UAE decided to tighten AML and CFT regulations and impose hefty fines for non-compliance, resulting in its delisting from FATF’s gray list in 2024.
- In 2021, the CBUAE imposed financial sanctions on 11 banks for failing to achieve appropriate levels of compliance with AML regulations.
Think of money as water flowing through a massive network of pipes. If everything’s clean, the flow is smooth and uninterrupted. But if dirty water starts seeping in, the whole system gets contaminated.
That’s why the UAE’s Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) laws exist – to keep the financial “pipes” clean.
The message is clear: businesses need to play by the rules if they want to function in the UAE.
This guide covers the rules you need to follow if you want to scale (or simply survive) in the UAE.
UAE’s AML/CFT Legal Framework
The foundation of UAE AML laws is Federal Decree-Law No. 20 of 2018, which was further improved by amendments in Federal Decree-Law No. 26 of 2021. This legislation forms the core of AML regulations in the country, outlining what financial institutions and designated non-financial businesses and professions (DNFBPs) must do to fight money laundering and terrorist financing.
Important parts of this law include:
- Required reporting of suspicious transactions
- Implementing customer due diligence measures
- Keeping records and having a dedicated compliance officer
- Setting up internal AML/CFT policies and procedures
The implementing regulations, detailed in Cabinet Decision No. 10 of 2019 (amended by Cabinet Resolution No. 24 of 2022), offer practical guidance on how businesses should apply these laws. These regulations have significantly improved the UAE’s AML compliance framework, bringing it more in line with international standards.
Essential AML/CFT Guidelines for UAE Businesses
The UAE’s AML/CFT guidelines apply to a wide range of entities, but requirements can vary based on the type of business.
1. Financial Institutions (FIs)
Banks, exchange houses, and insurance companies fall under this category. These institutions serve as the first line of defense, and consequently, face the most rigorous AML compliance requirements across the UAE.
For these financial entities, Customer Due Diligence (CDD) is a thorough process of understanding their customers and their business purposes. This involves:
- Identity verification using official documents
- Finding beneficial owners of corporate structures
- Understanding the nature of each business relationship
The process continues after customer onboarding. Financial institutions are required to monitor transactions for any unusual activity. This ongoing monitoring is especially important for high-risk customers, where Enhanced Due Diligence (EDD) measures are necessary. Senior management approval might be necessary in certain situations, and the source of assets and wealth needs to be closely investigated.
2. Designated Non-Financial Businesses and Professions (DNFBPs)
This category includes real estate agents, precious metals dealers, lawyers, and accountants. While their requirements are similar to FIs, there are some differences:
- While FIs are primarily regulated by the Central Bank of UAE, most DNFBPs fall under the supervision of the Ministry of Economy or other sector-specific regulators.
- DNFBPs often have higher thresholds for triggering due diligence.
- While all entities must report suspicious transactions, the types of transactions that are considered suspicious may vary significantly between DNFBPs and FIs.
For example, a jewelry store owner in Dubai needs to undertake CDD or EDD for sales over AED 55,000. Real estate agents need to be aware of specific risks in their field, such as property-based money laundering methods.
Despite sector-specific differences, the main principle remains: know your customer and report suspicious activities. The definition of “suspicious” may vary by sector, but the reporting obligation is constant.
3. Virtual Asset Service Providers (VASPs)
With the rise of cryptocurrencies, the UAE has introduced specific guidelines for VASPs.
VASPs must register and obtain licenses before beginning operations. Once active, they must comply with the “Travel Rule”, ensuring that specific information about the sender and recipient accompanies virtual asset transfers.
VASPs must also be alert to risks specific to their field. The potential anonymity of some cryptocurrencies and rapid technological changes in this sector require constant attention and flexibility.
4. Free Zone Companies
Companies in UAE free zones, like the Dubai International Financial Centre (DIFC) or Abu Dhabi Global Market (ADGM), have a unique position.
- These companies must comply with both federal UAE AML laws and the specific regulations of their free zone.
- They may need to report to both federal authorities and free zone regulators.
Regardless of the entity type, all businesses subject to UAE AML regulations must:
- Appoint a compliance officer
- Maintain proper records for at least 5 years
- Conduct regular staff training on AML/CFT matters
- Implement internal controls and independent audit functions
Key Regulatory Bodies and Their Guidelines
The UAE’s AML/CFT regulation involves multiple supervisory bodies, each overseeing specific types of entities. Find which regulator governs your business:
Entity Type | Primary Regulator | AML/CFT Guidance Resources |
Financial Institutions (FIs) | Central Bank of UAE (CBUAE) | |
Designated Non-Financial Businesses and Professions (DNFBPs) | Ministry of Economy (for most DNFBPs); Ministry of Justice (for lawyers and other legal professionals) | |
Virtual Asset Service Providers (VASPs) | Virtual Asset Regulatory Authority (VARA) for mainland and some free zones | |
Free Zone Companies | Respective Free Zone Authority (e.g., DFSA for DIFC, FSRA for ADGM) | |
Securities and Commodities Businesses | Securities and Commodities Authority (SCA) | |
Reporting Requirements and Procedures
UAE AML laws require you to report suspicious transactions.
The Financial Intelligence Unit (FIU) of the UAE Central Bank has implemented the goAML system for this purpose. Key points about reporting include:
- All financial institutions and DNFBPs must register on the goAML platform.
- Suspicious Transaction Reports (STRs) must be filed “without delay” when there’s suspicion of money laundering or terrorist financing.
- STRs should include detailed information about the suspicious activity, the parties involved, and the reasons for suspicion.
- The fact that an STR has been filed must be kept confidential from the subject of the report.
- It’s illegal to inform a customer or any third party that an STR has been or will be filed.
- All decisions related to filing or not filing an STR must be retained for a minimum of 5 years.
- In addition to STRs, entities may need to file regular reports to their respective regulators on their AML/CFT efforts.
Failure to report suspicious activities can result in severe penalties under UAE AML regulations.
How to Comply with AML/CFT Laws and Guidelines in UAE
Financial institutions and DNFBPs should focus on creating a compliance program that addresses all aspects of the regulatory framework.
Key steps to ensure compliance are as follows:
- Conduct regular risk assessments
- Implement Customer Due Diligence (CDD) procedures
- Detect and report suspicious activities promptly
- Maintain records for at least 5 years
While these steps are crucial, implementing them manually can be resource-intensive. Many organizations are turning to technological solutions to enhance efficiency and accuracy in their compliance efforts.
Some examples include:
- Automated document verification systems that can quickly validate identity documents from multiple countries
- AI-powered risk assessment tools that analyze customer data to flag potential high-risk individuals or transactions
- Integrated platforms that combine KYC, AML screening, and ongoing monitoring in one solution
Signzy provides these user-friendly tools, helping businesses streamline their compliance processes while meeting UAE regulatory requirements. If you are looking to enhance your AML/CFT efforts efficiently, mitigate risks, and dedicate more resources to core business activities, Signzy can help you.
FAQs
- What are the penalties for non-compliance with UAE AML/CFT regulations?
A: Penalties can be severe, including hefty fines ranging from AED 50,000 to AED 5 million for institutions, potential imprisonment for individuals, and possible license revocation for repeated violations. The exact penalty depends on the nature and severity of the violation.
- How does Customer Due Diligence (CDD) differ from Enhanced Due Diligence (EDD)?
A: CDD involves verifying customer identity and understanding their business. EDD is more rigorous, required for high-risk customers or transactions. It includes additional steps like verifying source of funds and obtaining senior management approval.
- Are there specific AML requirements for dealing with Politically Exposed Persons (PEPs)?
A: Yes, PEPs are considered high-risk and require Enhanced Due Diligence. This includes getting senior management approval, establishing the source of wealth and funds, and conducting enhanced ongoing monitoring of the business relationship.
- Do free zone companies have different AML/CFT obligations?
A: While free zone companies must comply with federal UAE AML laws, they may also be subject to additional regulations specific to their free zone. They often need to report to both federal authorities and free zone regulators.