Introduction
The UAE has significantly strengthened its anti-money laundering and counter-terrorist financing (AML/CFT) framework through enhanced regulatory oversight, the introduction of Federal Decree Law No. 10 of 2025, and the country’s removal from the Financial Action Task Force (FATF) grey list. As a result, AML compliance in UAE is a critical obligation not only for financial institutions but also for designated non-financial businesses and professions (DNFBPs), which are subject to many of the same requirements under the anti money laundering law UAE framework.
DNFBPs must implement risk-based AML controls, conduct customer due diligence (KYC), maintain records, monitor transactions, and report suspicious activities where required. Regulators, including the UAE Ministry of Economy and the Financial Intelligence Unit (FIU), continue to increase scrutiny of regulated businesses across multiple sectors.
This guide explains the key AML compliance requirements that apply to DNFBPs and other regulated businesses, including AML policies, goAML registration, KYC requirements, suspicious transaction reporting obligations, and practical compliance measures that help reduce regulatory risk. Because AML obligations vary based on a business’s activities and risk profile, organizations should seek advice from a qualified compliance professional or legal adviser regarding their specific circumstances.
What Are DNFBPs and Who Must Comply?
Under the UAE anti-money laundering and counter-terrorist financing (AML/CFT) framework, designated non-financial businesses and professions (DNFBPs) are regulated non-financial sectors that must comply with AML requirements, including risk assessments, customer due diligence (KYC), record keeping, ongoing monitoring, and suspicious transaction reporting where required.
The UAE Ministry of Economy (MoET) supervises four principal DNFBP categories:
- Real estate brokers and agents
- Dealers in precious metals and precious stones (DPMS)
- Independent accountants and auditors
- Corporate and trust service providers (CTSPs)
Although they are not financial institutions, DNFBPs in UAE are subject to many of the same AML compliance obligations because they may facilitate high-value transactions, corporate structuring activities, or complex ownership arrangements.
Lawyers and legal professionals may also fall within the AML framework when providing regulated services such as company formation, trust and corporate structuring, management of client funds, or certain real estate transactions.
In addition, businesses operating in commercial free zones that fall within the Ministry of Economy’s supervisory remit must comply with the same AML requirements as regulated mainland entities.
If your business falls within one of these categories, understanding your AML obligations is essential for maintaining compliance with UAE AML regulations and reporting requirements.
UAE AML Legal Framework
>
The anti money laundering law UAE businesses must follow is primarily governed by Federal Decree Law No. 10 of 2025 Regarding Anti-Money Laundering, Combating the Financing of Terrorism, and Proliferation Financing. Effective from 14 October 2025, the law repealed and replaced Federal Decree Law No. 20 of 2018, as amended, and now forms the foundation of the UAE AML law framework.
The law is supported by Cabinet Resolution No. 134 of 2025, which introduced the new Executive Regulations. Until the new regulations took effect, Cabinet Decision No. 10 of 2019 remained in force on a transitional basis.
The UAE money laundering law framework is aligned with recommendations issued by the Financial Action Task Force (FATF) and supports the objectives of the National AML/CFT Strategy 2024–2027. Following the UAE’s removal from the FATF grey list, regulators have continued to strengthen supervision, monitoring, and enforcement across regulated sectors.
Key AML Authorities:
Ministry of Economy (MoET): The Ministry of Economy supervises designated non-financial businesses and professions (DNFBPs) under its remit, including real estate brokers and agents, dealers in precious metals and precious stones, independent accountants and auditors, and corporate and trust service providers. MoET issues sector-specific guidance, conducts inspections, reviews compliance programmes, and monitors adherence to AML obligations.
Central Bank of the UAE (CBUAE): The Central Bank supervises licensed financial institutions operating in the UAE, including banks, finance companies, exchange houses, and other regulated financial entities. It plays a central role in implementing AML/CFT requirements across the financial sector and issuing regulatory guidance to supervised institutions.
Financial Intelligence Unit (FIU): The FIU is responsible for receiving, analysing, and disseminating financial intelligence relating to suspected money laundering, terrorist financing, and related criminal activity. Regulated entities submit Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other required reports through the goAML platform, which the FIU uses to support investigations and information sharing with competent authorities.
Understanding which authority supervises your business is an important step in meeting AML regulations UAE businesses must follow.
KYC and Customer Due Diligence Requirements
Under AML regulations UAE businesses must identify and verify customers before onboarding or establishing a business relationship. KYC requirements UAE businesses must follow include verifying the customer’s name, identification documents, address, and, where applicable, the nature of their business activities.
Standard Customer Due Diligence (CDD)
Standard Customer Due Diligence (CDD) applies to most customer relationships. Businesses should verify the customer’s identity and obtain sufficient information to understand the purpose of the relationship and the customer’s business activities.
For individual customers, this typically includes:
- Full legal name
- Emirates ID, passport, or other approved identification
- Residential address
For legal entities, businesses should verify:
- Company registration details
- Trade licence information
- Business activities
- Ownership structure
- Authorised signatories
Simplified and Enhanced Due Diligence
The UAE applies a risk-based approach to customer due diligence.
Under MoET Circular No. 6 of 2025, Simplified Due Diligence (SDD) may be applied to customers assessed as presenting a lower money laundering or terrorist financing risk, provided the basis for the assessment is documented.
Enhanced Due Diligence (EDD) is required for higher-risk relationships, including Politically Exposed Persons (PEPs) and customers presenting elevated money laundering or terrorist financing risks.
Ongoing Monitoring, UBO Verification, and Sanctions Screening
Customer due diligence continues throughout the business relationship. Businesses should monitor customer activity and periodically review customer information to ensure it remains accurate and up to date.
CDD records should be refreshed following trigger events, including changes in ownership, changes to authorised representatives, changes in business activities, or other material changes affecting the customer profile.
Businesses must identify and verify Ultimate Beneficial Owners (UBOs) when dealing with legal entities and understand who ultimately owns or controls the customer.
For additional guidance, see Ultimate Beneficial Owner (UBO) registration UAE.
Customers should be screened against applicable sanctions lists during onboarding and on an ongoing basis throughout the business relationship.
goAML Registration and Reporting Obligations
All designated non-financial businesses and professions (DNFBPs) must register as reporting entities on the goAML platform operated by the UAE Financial Intelligence Unit (FIU). Registration is a core requirement of goAML compliance UAE obligations and is mandatory under Ministry of Economy (MoET) Circular No. 8 of 2021 and subsequent guidance issued to regulated sectors.
Failure to register on goAML may constitute a compliance breach, even where no suspicious activity has been identified or reported.
goAML Registration Process
The registration process generally involves four steps:
- Entity Pre-Registration – Submit company information through the goAML registration portal, including licensing details and responsible personnel.
- Submission of Supporting Documents – Provide the documentation required by the FIU for verification and registration.
- FIU Review and Approval – The FIU reviews the application and supporting documents before approving the business as a reporting entity.
- User Account Setup – Once approved, authorised personnel can create individual user accounts and access the platform for reporting and communication purposes.
Businesses should follow the latest registration guidance published by the FIU and Ministry of Economy.
Reporting Obligations Through goAML
The goAML platform is used to submit reports required under UAE AML regulations, including:
- Suspicious Transaction Reports (STRs) – Filed when a transaction is suspected to involve money laundering, terrorist financing, or related criminal activity.
- Suspicious Activity Reports (SARs) – Filed when suspicious behaviour or circumstances are identified, even if a transaction has not been completed.
- Threshold Transaction Reports (TTRs) – Submitted where applicable under sector-specific reporting requirements.
Understanding suspicious transaction reporting UAE obligations is an important part of maintaining UAE AML compliance.
Managing Communications and Follow-Up Requests
All correspondence relating to submitted reports is handled through the goAML platform’s internal message board. The FIU does not use standard email channels for report-related communications.
Businesses should regularly monitor their goAML accounts and ensure authorised personnel can respond promptly to requests for additional information or clarification.
AML Policy and Business Risk Assessment
DNFBPs must maintain a written AML policy and documented risk assessment framework to support compliance with AML regulations UAE businesses must follow. These documents should reflect the business’s activities, customer base, and exposure to money laundering and terrorist financing risks.
AML Policy and Compliance Oversight
An AML policy UAE businesses can rely on should clearly document:
- Risk appetite and risk-management approach
- Internal AML controls
- Roles and responsibilities
- Escalation procedures for suspicious activities or compliance concerns
- Recordkeeping requirements
Maintaining complete and accurate records helps demonstrate compliance during regulatory reviews and supports broader UAE audit requirements for businesses.
Businesses should also appoint a named Money Laundering Reporting Officer (MLRO) or Compliance Officer with sufficient seniority, authority, and independence to oversee AML compliance, manage internal reporting procedures, and coordinate regulatory reporting obligations where required.
Business Risk Assessment (BRA) and Customer Risk Assessment (CRA)
The Business Risk Assessment (BRA) identifies money laundering and terrorist financing risks specific to the business. At a minimum, the assessment should consider:
- Customer types
- Products and services
- Geographic exposure
- Delivery channels
The Customer Risk Assessment (CRA) is the customer-level component of the BRA. It evaluates the risk presented by individual customers and supports decisions regarding standard, simplified, or enhanced due diligence measures.
The BRA and CRA should be reviewed periodically and updated following significant business changes, including changes to products or services, customer profiles, geographic exposure, or delivery channels. Businesses that require support with AML frameworks, risk assessments, and compliance oversight may benefit from professional AML compliance services.
Suspicious Transaction Reporting
Suspicious transaction reporting UAE obligations arise when a business identifies activity that may be linked to money laundering, terrorist financing, or related criminal conduct. A suspicious transaction or activity may involve unusual behaviour, unexplained source of funds, transactions with no apparent economic purpose, or activity that is inconsistent with the customer’s known profile.
Identifying and Reporting Suspicious Activity
Reporting entities are not required to prove criminal conduct before filing a report. The obligation arises when there are reasonable grounds for suspicion.
Once suspicion is identified, the matter should be assessed and reported without delay in accordance with the business’s internal reporting procedures.
STR Filing and Tipping-Off Restrictions
A Suspicious Transaction Report (STR) is submitted through the goAML platform operated by the UAE Financial Intelligence Unit (FIU). The reporting process generally involves:
- Logging into the goAML platform
- Selecting the appropriate report type
- Completing the required information fields
- Submitting the report to the FIU
A key requirement of goAML compliance UAE obligations is the prohibition on “tipping off.” Businesses must not inform a customer that an STR has been filed or that their activities may be subject to review by regulators or law enforcement authorities.
Information relating to filed reports should only be shared with authorised personnel involved in the compliance process.
Penalties for Non-Compliance
Failure to comply with AML regulations UAE businesses must follow can result in administrative, regulatory, and criminal consequences. Penalties vary depending on the offence, the regulator involved, and the circumstances of the breach.
Administrative and Criminal Penalties
For designated non-financial businesses and professions (DNFBPs) supervised by the Ministry of Economy (MoET), administrative penalties are governed by Cabinet Resolution No. 71 of 2024.
Under Federal Decree Law No. 10 of 2025, criminal penalties may include:
- Fines for legal entities ranging from AED 5 million to AED 100 million, or the value of the criminal property involved, whichever is greater
- Fines for regulated entities ranging from AED 200,000 to AED 10 million for certain licensing-related failures
The applicable penalty depends on the specific violation and enforcement authority.
Personal Liability and Enforcement Measures
AML obligations may also create personal liability exposure for directors, managers, MLROs, and other senior personnel responsible for compliance oversight.
In addition to financial penalties, enforcement measures may include licence suspension or revocation, asset-freezing measures, and regulatory investigations.
Under the AML UAE law framework, the Financial Intelligence Unit (FIU) may impose temporary freezing measures for up to 10 working days and may obtain seizure or freezing orders for up to 30 days in circumstances permitted by law.
AML compliance should be considered alongside other regulatory obligations that apply to UAE businesses, including UAE corporate tax return filing, recordkeeping, and governance requirements.
Because penalties vary by offence and regulatory body, businesses should seek guidance from a qualified compliance professional or legal adviser regarding their specific compliance obligations and risk exposure.
AML Compliance Checklist for DNFBPs
Use this AML checklist UAE businesses can apply to assess whether key compliance controls are in place:
- ☐ goAML registration completed and active
- ☐ Written AML policy documented and implemented
- ☐ Money Laundering Reporting Officer (MLRO) or Compliance Officer appointed
- ☐ Business Risk Assessment (BRA) conducted and documented
- ☐ Customer Due Diligence (CDD) and KYC procedures implemented
- ☐ Suspicious Transaction Report (STR) and Suspicious Activity Report (SAR) reporting procedures established
- ☐ AML training delivered to relevant employees
- ☐ Customer and transaction records retained for a minimum of five years
- ☐ Sanctions-screening procedures implemented
This checklist provides a practical starting point for maintaining AML compliance in UAE businesses. Compliance controls should be reviewed regularly to ensure they remain aligned with the business’s risk profile and regulatory obligations.
If you need support with AML frameworks, risk assessments, DNFBP compliance requirements, or regulatory reporting obligations, contact MP Elites.
FAQs
Who is considered a DNFBP in the UAE and what are their AML obligations?
In the UAE, designated non-financial businesses and professions (DNFBPs) include real estate brokers and agents, dealers in precious metals and stones, independent accountants and auditors, and corporate and trust service providers. Certain lawyers and legal professionals may also fall within the AML framework when providing specific services. These businesses must implement customer due diligence, register on goAML, conduct risk assessments, maintain AML policies, and report suspicious activities when required.
How do I register my business on the goAML platform in the UAE?
DNFBPs must register as reporting entities through the UAE Financial Intelligence Unit’s goAML platform. The process generally involves entity pre-registration, submission of supporting documents, FIU approval, and the creation of authorised user accounts. Registration is mandatory under MoET Circular No. 8 of 2021 and related guidance.
What must an AML policy include for a UAE DNFBP?
An AML policy should set out the business’s approach to managing money laundering and terrorist financing risks. This typically includes customer due diligence procedures, internal controls, escalation processes, sanctions screening, recordkeeping requirements, employee responsibilities, and suspicious transaction reporting procedures.
What is the deadline for filing a Suspicious Transaction Report (STR) in the UAE?
Reporting entities are expected to submit a Suspicious Transaction Report without delay once suspicion arises. Businesses should not wait until they have confirmed criminal activity before filing. Reports are submitted through the goAML platform and should be supported by relevant information available at the time.
What are the penalties for failing to comply with AML regulations in the UAE?
Penalties vary depending on the nature of the breach and the applicable regulator. Under Federal Decree Law No. 10 of 2025, legal entities may face fines ranging from AED 5 million to AED 100 million, or the value of the criminal property involved, whichever is greater. Additional administrative sanctions, licensing actions, and enforcement measures may also apply.
Does my UAE business need to conduct a Business Risk Assessment for AML purposes?
Yes. Businesses subject to the UAE AML framework are expected to conduct and document a Business Risk Assessment (BRA). The assessment should evaluate risks associated with customers, products, services, delivery channels, and geographic exposure, and it should be reviewed whenever significant changes occur within the business.
