The United Arab Emirates consistently strengthens measures against money laundering (AML — Anti-Money Laundering) and the financing of terrorism (CFT — Countering the Financing of Terrorism). The state is not limited to enacting laws — it builds a multilayered control system and actively participates in international cooperation.
For businesses in the UAE, this means one thing: compliance with AML/CFT requirements is not a formality but a mandatory condition for legal and safe operations.
Who is affected by AML/CFT rules in the UAE: regulated activities
The AML/CFT requirements cover a wide range of companies and specialists. The law applies to organizations that could be involved in money laundering or financing terrorism. These include:
financial institutions;
certain non-financial businesses and professions (DNFBPs);
virtual asset service providers (VASPs).
Financial institutions
Financial organizations are under close scrutiny from regulators as they play a key role in the movement of funds. In the UAE, such institutions include:
banks;
insurance companies;
exchange offices;
other institutions defined by the Central Bank of the UAE (CBUAE).
CBUAE issues separate AML/CFT guidelines for different segments: exchange houses, high cash turnover companies, real estate agencies, precious metal dealers, etc. This approach reflects a deep understanding of risks and the regulator's desire to manage them precisely — rather than in a one-size-fits-all manner.
Certain non-financial businesses and professions (DNFBPs)
DNFBPs are organizations that are not formally considered financial institutions but may also be involved in laundering or financing schemes. In the UAE, they are monitored by the Ministry of Economy and the Ministry of Justice.
DNFBPs include:
real estate agents and brokers;
dealers in precious metals and stones;
auditors and independent accountants;
lawyers, notaries, and other independent professionals;
providers of corporate and trust services;
other categories classified as DNFBPs by competent authorities.
The Ministry of Economy develops AML/CFT guidelines for the DNFBPs under its oversight. Fines already imposed on participants in these markets show how seriously the authorities take their compliance.
List of key DNFBPs and supervisory authorities
DNFBP Category | Supervisory Authority |
Realtors and brokers | Ministry of Economy |
Dealers in precious metals and stones | Ministry of Economy |
Auditors and accountants | Ministry of Economy |
Lawyers, notaries | Ministry of Justice |
Providers of trust and corporate services | Ministry of Economy |
This close attention to DNFBPs indicates a systemic shift: the government is closing loopholes outside the banking sector. Around the world, these sectors are considered vulnerable concerning AML/CFT, and the UAE is no exception.
Auditors, corporate consultants, and metal traders have already been fined — the total amount of sanctions has exceeded 22.6 million AED. This is a clear signal to the market: previous leniency is no longer acceptable.
Stricter rules in the real estate and precious metals sectors (economically significant for the UAE) could change the market. Small players will find it difficult to meet the requirements, and demand for external expertise will increase. Compliance with AML/CFT requirements now requires not only goodwill but real resources.
VASPs (crypto business)
Virtual assets and virtual asset service providers (VASPs) are under close scrutiny. VASPs are required to register in the goAML system, and payment token services are considered high risk.
The list of regulated companies is changing
The list of activities covered by AML/CFT is not final. It is regularly supplemented — especially after changes in laws and Cabinet resolutions.
Companies must keep an eye on news from:
the National Committee for Combating Money Laundering and the Financing of Terrorism (NAMLCFTC),
the Central Bank of the UAE (CBUAE),
the Ministry of Economy,
the Ministry of Justice,
the management bodies in free zones.
Regulators often publish circulars, update classifications, and introduce new obligations. If businesses do not track these changes, they risk breaching the requirements — even unintentionally.
Compliance in the UAE is not a one-time task but an ongoing process. The AML/CFT regime is dynamic: rules may change several times a year. Therefore, monitoring legislation is an essential part of the internal control system.
AML Regulation System in the UAE: who controls and what laws are in effect
Key laws and regulations in the UAE in the field of AML/CFT
Federal Decree-Law No. 20 of 2018 "On Combating Money Laundering and the Financing of Terrorism and Illegal Organizations" (as amended in 2021 and 2024) is the foundation of the AML/CFT system in the UAE. The law aims to combat the practice of money laundering, create a legal framework supporting competent authorities, and counter the financing of terrorist operations and suspicious organizations.
Cabinet Resolution No. 10 of 2019, concerning the Executive Resolution to Decree-Law No. 20 of 2018, is detailed operational guidance that specifies duties and procedures related to the application of the law.
Federal laws and regulations apply both on the mainland of the UAE and in financial free zones (FFZ), although FFZ have their own specialized supervisory authorities and enforcement procedures.
Main regulators
The UAE government has established a comprehensive system of specialized bodies responsible for implementing AML/CFT policy. Key authorities include:
The National Committee for Combating Money Laundering and Financing of Terrorism and Illegal Organizations (NAMLCFTC) — the main coordinating body. It develops national policy, issues regulatory acts, and ensures the consistency of actions among all system participants.
The Central Bank of the UAE (CBUAE) — supervises banks and other financial institutions, including exchange offices. Its Federal Financial Monitoring Unit (Financial Intelligence Unit — FIU) receives, analyzes, and disseminates suspicious transaction reports (STRs). The FIU uses the goAML platform.
The Ministry of Economy (MoE) — oversees certain categories of non-financial businesses and professions (DNFBPs), including real estate agents, auditors, corporate service providers, and dealers in precious metals and stones.
The Ministry of Justice (MoJ) — supervises lawyers and other participants in DNFBPs.
The Securities and Commodities Authority (SCA) — regulates participants in the securities and capital markets.
Authorities of financial free zones:
Dubai Financial Services Authority (DFSA) — supervises within the Dubai International Financial Centre (DIFC).
Financial Services Regulatory Authority (FSRA) — supervises within the Abu Dhabi Global Market (ADGM), including the ADGM Registration Authority (with respect to DNFBPs).
The UAE applies a federative but specialized model of AML supervision. Federal laws set the overall framework, but each department and zone has its own control mechanisms. This structure allows for individual supervision with overall coordination by NAMLCFTC.
AML/CFT in the free zones of the UAE
Federal regulations regarding AML/CFT apply both on the mainland of the UAE and in free zones. However, financial free zones (FFZs), such as the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), are separate legal jurisdictions with their own civil and commercial laws, courts, and specialized supervisory authorities.
Key supervisory authorities:
DFSA — regulates AML/CFT in DIFC;
FSRA — regulates AML/CFT in ADGM. The ADGM Registration Authority also participates in monitoring DNFBPs (based on delegated powers from FSRA).
Important: The Federal Financial Monitoring Unit (FIU) accepts reports of suspicious activity from both the mainland of the UAE and free zones.
Entities in DIFC and ADGM are required to comply with UAE federal laws regarding AML/CFT, but day-to-day supervision and interaction are carried out by free zone authorities — DFSA or FSRA. These regulators may impose higher or specific requirements based on international standards and the complexity of operations in these zones.
FFZs are aimed at attracting international participants and generally adapt their AML guidelines to best global practices. Therefore, organizations operating in these zones must consider the differences in enforcement and expectations from regulators compared to mainland authorities (CBUAE, MoE).
Monitoring changes in regulated activities
The list of regulated activities and organizations subject to AML/CFT requirements is regularly updated. UAE authorities are actively improving the regulatory framework — new laws and cabinet resolutions are adopted.
Organizations must keep an eye on updates from:
The National Committee (NAMLCFTC),
The Central Bank of the UAE (CBUAE),
The Ministry of Economy (MoE),
The Ministry of Justice (MoJ),
Regulators of the FFZ.
Regular monitoring allows for timely adaptation of internal compliance procedures and avoids unintentional violations. The dynamic nature of the regulatory environment means that compliance with AML/CFT requirements is a continuous process, not a one-time task.
Key regulatory bodies in the UAE in the field of AML/CFT and their core functions
Name of Body | Main Mandate/Jurisdiction | Key Responsibilities |
NAMLCFTC | Developing policy and regulation at the national level | Formulating policy, coordinating, proposing regulatory acts |
CBUAE | Supervision of financial services on the mainland of the UAE | Supervising banks, exchange houses, insurance companies, and other financial services; issuing guidelines; managing FIU |
FIU | National center for collecting and analyzing suspicious activity reports (STRs) | Receiving, analyzing, and disseminating STRs; managing the goAML system; international cooperation |
Ministry of Economy (MoE) | Supervision of certain DNFBPs on the mainland of the UAE | Supervising dealers in precious metals/stones, real estate agents, auditors, providers of corporate services; applying sanctions |
Ministry of Justice (MoJ) | Supervision of certain DNFBPs (legal professions) | Supervising lawyers, notaries; participating in the development of legislation |
SCA | Regulation of capital markets | Supervising activities related to securities |
DFSA | Supervision of organizations in DIFC | Supervising financial services and DNFBPs in DIFC; applying AML/CFT rules in DIFC |
FSRA | Supervision of organizations in ADGM | Supervising financial services and DNFBPs in ADGM; applying AML/CFT rules in ADGM |
Key obligations in AML/CFT: establishing a robust compliance program
All accountable organizations in the UAE, including financial institutions and DNFBPs, are required to implement and maintain comprehensive anti-money laundering and counter-terrorism financing programs. These programs are built on key obligations defined by legislation.
Risk-Based Approach (RBA): adapting your protection
Companies must adopt a risk-based approach to identify, assess, and mitigate AML/CFT risks inherent in their activities. This includes risk assessment at both the enterprise level and individual client level. Factors considered include: client type, geography, products, services, distribution channels, and jurisdictions.
Special attention should be paid to new products and technologies — they must be analyzed for AML/CFT risks prior to launch.
Customer Due Diligence (CDD): know your customer
CDD includes the identification and verification of the client as well as the beneficial owner (UBO), ultimate beneficiaries, and controlling persons — using independent and reliable sources.
The organization must understand the purpose and nature of the business relationship and conduct ongoing monitoring of transactions.
For high-risk clients — politically exposed persons (PEPs), clients from high-risk jurisdictions, and those with complex structures — enhanced due diligence (EDD) is required.
In low-risk cases, simplified due diligence (SDD) may be applied, if justified. Additionally, special rules apply for the verification of legal entities and formations.
AML/CFT Compliance Officer: appointment, key roles, and responsibilities
It is a mandatory requirement to appoint a qualified AML/CFT compliance officer (also MLRO — Money Laundering Reporting Officer).
The officer's responsibilities include:
– developing and implementing AML/CFT policies,
– conducting risk assessments,
– monitoring transactions,
– reporting suspicious transactions (STRs) and suspicious activities (SARs) to the Federal Financial Monitoring Unit (FIU),
– training personnel,
– interacting with regulators.
The officer must have sufficient authority and be independent in decision-making.
Internal policies, procedures, and control mechanisms for AML/CFT
Organizations are required to develop, document, and regularly update internal AML/CFT policies and procedures.
They must reflect the individual risk assessment and cover all key compliance components, including:
– CDD,
– submitting STRs,
– record-keeping,
– training.
Documents are reviewed as new risks emerge or as legislation or business processes change.
Training staff on AML/CFT: empowering your team
All employees, including management and board members, must undergo regular AML/CFT training.
The program should cover:
– current legislation,
– typologies of money laundering,
– detecting suspicious activities,
– procedures for submitting STRs and SARs.
The organization must keep records of all training and update programs as needed.
Record-keeping: the foundation of demonstrable compliance
Organizations must maintain records for:
– CDD,
– transactions,
– risk assessments,
– staff training,
– reports to FIU.
The minimum retention period is 5 years. Documentation must be readily available for regulatory review.
Reporting suspicious transactions (STRs): procedures and using the goAML system
Financial institutions and DNFBPs are required to promptly submit STRs to the Federal Financial Monitoring Unit (FIU) via the goAML system.
This includes:
– detecting suspicious schemes,
– gathering corroborative data,
– submitting STRs in the prescribed format,
– maintaining complete confidentiality (including a prohibition on notifying the client — the so-called tipping-off).
For a complete step-by-step guide, see the article "Registration in goAML in the UAE".
Summary of key AML/CFT obligations for financial institutions and DNFBPs
Obligation Category | Key Requirements | Primary Legislation/Guidance Reference |
Risk Assessment | Conducting corporate-wide and client-specific AML/CFT risk assessments; applying the Risk-Based Approach (RBA) | Fed. Decree-Law 20/2018; MoE Guidance; CBUAE Guidance |
Customer Due Diligence (CDD) | Identifying and verifying clients and UBO; understanding the purpose of relationships; ongoing monitoring; EDD for high-risk clients | Fed. Decree-Law 20/2018; MoE Guidance; CBUAE Guidance |
AML/CFT Compliance Officer | Appointment of a qualified officer; endowing them with appropriate authority and independence | Fed. Decree-Law 20/2018, Article 22; MoE Guidance |
Internal Policies and Procedures | Developing, documenting, and implementing comprehensive AML/CFT policies, procedures, and control measures | Fed. Decree-Law 20/2018, Article 16; MoE Guidance 12; CBUAE Guidance 13 |
Staff Training | Regular training of all relevant personnel on AML/CFT matters | Fed. Decree-Law 20/2018, Article 16; MoE Guidance 12 |
Record Keeping | Retention of all records related to AML/CFT for no less than 5 years | Fed. Decree-Law 20/2018, Article 19; MoE Guidance 12 |
Reporting Suspicious Transactions (STRs) | Immediate reporting to FIU via goAML of all suspicious transactions/activities | Fed. Decree-Law 20/2018, Article 15; MoE Guidance 12; CBUAE Guidance 13 |
Detailed guidelines issued by the Ministry of Economy for DNFBPs and by the Central Bank for financial institutions (FIs) emphasize that regulators expect accountable organizations to not only have formal policies but also to create highly detailed, documented, and operational AML/CFT programs.
It is not enough to have documentation — the implementation and actual effectiveness will be evaluated, supported by records, assessments, and internal control. Recent fines for "not taking necessary measures" and "not creating internal policies" demonstrate the seriousness of these requirements.
Compliance in the area of AML/CFT is viewed as an ongoing process requiring continual risk assessment and daily monitoring. This is emphasized by phrases regularly appearing in official documents: "dynamic and adaptable," "reviewed and updated." This approach requires dedicated resources, management involvement, and fostering a compliance culture — which can pose a challenge for smaller DNFBPs.
It is particularly important that the risk assessment of new products and technologies is conducted before their launch, not retrospectively. This makes compliance not just a control function but a part of the operational DNA of the company. The AML/CFT program must be a living system integrated into business processes, rather than a static set of documents "for show."
Common violations and their consequences
Non-compliance with AML/CFT requirements entails significant financial and reputational risks. UAE legislation establishes strict requirements for DNFBPs and financial institutions, and supervisory authorities impose sanctions for their violations.
In March 2023, the Ministry of Economy imposed fines totaling 22.6 million AED on 29 companies categorized as DNFBPs. Among those fined were companies dealing with precious metals and stones, corporate service providers, and audit firms. The main reasons were the absence of internal policies and procedures for client and transaction verification, failure to take necessary measures to identify risks, and ignoring sanction lists.
Cabinet Resolution No. 16 of 2021 establishes a comprehensive list of administrative violations and corresponding fines. Here are the most common:
Examples of fines:
1,000,000 AED — for dealing with fictitious banks, accounts in fictitious names and clients on sanction lists;
200,000 AED — for failing to apply EDD to high-risk clients, failing to notify the FIU of suspicious activity, informing the client of a check ("tipping-off");
100,000 AED — for failure to conduct risk assessments, not identifying UBO, failing to conduct CDD before establishing business relationships;
50,000 AED — for absence of internal policies and procedures, failure to maintain records, not training staff, not appointing a compliance officer.
Common AML/CFT violations and the associated administrative fines for DNFBPs (according to Cabinet Resolution No. 16 of 2021)
Description of Violation | Established Fine (AED) |
Dealing with fictitious banks | 1,000,000 |
Holding accounts in fictitious names | 1,000,000 |
Establishing or continuing relationships with clients on sanction lists | 1,000,000 |
Failing to conduct EDD on high-risk clients | 200,000 |
Failure to notify the FIU of suspicious transactions | 200,000 |
Failure to provide additional information to the FIU on STRs | 200,000 |
Informing ("tipping-off") the client or a third party about suspicion or report to the FIU | 200,000 |
Not implementing measures established by NAMLCFTC regarding clients from high-risk countries | 200,000 |
Failure to conduct a risk assessment of AML/CFT or failure to identify and assess risks associated with products/services/technologies | 100,000 |
Failure to take CDD measures before or during the establishment of business relationships or conducting a one-off operation | 100,000 |
Failure to identify and verify the beneficial owner (UBO) | 100,000 |
Not implementing EDD for politically exposed persons (PEPs) | 100,000 |
Failure to create internal policies, procedures, and controls to combat AML/CFT risks | 50,000 |
Failure to take measures to understand the purpose and nature of business relationships | 50,000 |
Failure to take measures to understand the nature of the client's business, its ownership structure, and control | 50,000 |
Failure to conduct ongoing monitoring of business relationships | 50,000 |
Failure to appoint a compliance officer (MLRO) | 50,000 |
Failure to ensure the compliance officer fulfills their duties, or the officer's lack of independence | 50,000 |
Failure to create an independent audit function to verify AML/CFT policies and procedures | 50,000 |
Failure to provide regular AML/CFT training to staff | 50,000 |
Not retaining records (CDD data, transactions, reports, etc.) for the prescribed period (at least 5 years) | 50,000 |
goAML: a separate risk area
Additional fines are provided for violations related to the goAML system. Non-registration, late submission of reports, or evasion of duties in the system entails:
from 50,000 to 1,000,000 AED — for each violation related to registration and reporting;
up to 5,000,000 AED — for severe or repeat violations of general AML/CFT procedures.
The goAML system is not optional — participation in it is mandatory. The AML unit applies a zero-tolerance approach to DNFBPs and financial institutions that fail to meet registration requirements or fail to submit reports. Even in the absence of suspicious transactions, obligations regarding interaction with goAML remain.
Repeat violations and intensified control
In cases of repeat violations, the fine may be doubled. This underscores the regulators' position: low tolerance for deficiencies and for any refusal to instill a compliance culture. Fines are not merely the cost of doing business but a warning of the urgent need for change.
In 2023, the Ministry of Economy announced the intensification of field inspections of high-risk companies. This is a signal about the transition to systemic control and the inevitability of inspections.
Conclusion: the cost of non-compliance
The fine regime in the UAE encompasses all elements of compliance — from basic client identification to regular staff training. It focuses not only on the result but also on the process: absence of a procedure, document, or appointed responsible person is already a violation.
For businesses, this means not only adhering to the letter of the law but also showing demonstrable compliance: through training, documentation, monitoring, and policies. Instilling a culture of compliance is key to reducing risk and protecting reputation.
Ensuring AML/CFT compliance: proactive measures for 2025 and beyond
In the rapidly changing regulatory environment of the UAE, a proactive approach to compliance is not a recommendation but a necessity. For sustainable business development, it is essential not only to react to AML/CFT requirements but to build a systemic, flexible risk management strategy.
Keep an eye on legislative updates
The AML/CFT legislation in the UAE is evolving dynamically. Regulators including NAMLCFTC, the Central Bank of the UAE, and the Ministry of Economy regularly publish updates, guidelines, and clarifications. Timely incorporation of these into corporate procedures is key to reducing regulatory risks.
Implement technologies
Modern tools help automate and strengthen AML processes. These include transaction monitoring systems, client screening against sanction lists, digital record keeping of KYC/UBO, and the mandatory goAML platform. Additionally, intelligent solutions such as Fawri Tick, an AI-based system for analyzing suspicious transactions, are being used.
Do not overlook internal audits
Independent audits allow gaps in the system to be identified before regulators do. They demonstrate how well policies and procedures are working in practice and help to proactively eliminate vulnerabilities.
Consider new sources of risk
The focus of regulators is shifting toward virtual assets and providers of such services (VASPs). These companies are required to register in the goAML system and comply with additional requirements. High risk is associated with payment tokens, cryptocurrency transactions, and operations in the metaverse. Even traditional businesses interacting with such players must assess potential AML/CFT risks.
A compliance culture is a key asset
Further tightening of requirements is inevitable. Regulators expect not only formal compliance with procedures but also evidence that compliance is embedded in the company's operational model. Investments in training, technology, ongoing monitoring, and adapting policies are essential conditions for stable operations in the UAE in 2025 and beyond.
Compliance is not a reaction to a rule but a strategy that shapes business resilience and protects against risks, fines, and reputational loss.
Conclusion
The UAE has built a complex, well-thought-out, and effective system to combat money laundering and the financing of terrorism. For businesses, this means strict compliance with AML/CFT norms — a basic condition for legal, sustainable, and reputationally clean operations in the country.
Key points:
National priority. AML/CFT is a strategic task for the state. The UAE is strengthening supervision, creating specialized bodies, publishing guidelines, and conducting active checks.
Broad coverage. The scope of regulation includes not only banks and insurance companies but also DNFBPs, VASPs, and any organizations exposed to financial crime risks.
Technological transformation. Mandatory registration in the goAML system, implementation of digital solutions and AI tools are becoming standard.
Accountability for non-compliance. Violations lead to fines of up to 5 million AED. In cases of repeat violations, sanctions can be doubled.
Future orientation. Compliance must be embedded in the business DNA: regular updates, adaptation to new crime typologies, and continuous training are key to reducing risks.
AML/CFT in the UAE is not a formality but a reputational filter through which every market player must pass. A proactive approach is not only a means of avoiding sanctions but also an opportunity to strengthen trust from partners, clients, and the state.
The AML/CFT system in the country is dynamic and evolving. The establishment of specialized courts and executive bodies, integration of new risks and technologies, and compliance with FATF international standards all confirm the strategic aim of the UAE to become a reliable, transparent, and secure jurisdiction for global business and investment.
Legal support from the article's author
Irina Ryzhakova is the author of the article, a licensed lawyer with practice in the UAE. If you want to audit your compliance system or assess risks, please leave a request, and Irina's assistant will contact you to clarify the details and choose a convenient format for cooperation.