Anti-Money Laundering Compliance in the UAE : Legal Overview & Practical Guide

The UAE has recently overhauled its anti-money laundering (AML) framework to align with global standards. At the center is Federal Decree-Law No. 20 of 2018 (as amended by Decree-Law No. 26/2021), which requires businesses to prevent money laundering and terrorism financing. These rules apply broadly – from banks and exchanges to many non-financial sectors – to ensure transparency in financial transactions. In fact, the UAE’s intensified AML efforts were recognized by FATF: the country was removed from the FATF “grey list” in February 2024 after implementing key reforms. This means regulators are now particularly vigilant, and companies should be prepared to meet strict AML standards.

 1. Legal Framework & Scope

Federal AML Law: The cornerstone is Federal Decree-Law No. 20/2018 (and its 2021 amendment), which empowers regulators and the UAE Financial Intelligence Unit (FIU) to oversee compliance and reporting. Cabinet resolutions and Central Bank guidelines flesh out the details (e.g. customer due diligence rules, beneficial-ownership disclosures, UN sanctions screening). In practice, this means every covered business must have a risk-based AML policy in place.

Who Must Comply: AML obligations apply to a wide range of entities. On the financial side, this includes banks, insurance companies, money exchanges, fintechs and other licensed financial institutions. Importantly, the law also covers Designated Non-Financial Businesses and Professions (DNFBPs) – for example, real estate developers/agents (involved in buying/selling property), dealers in precious metals or stones (cash transactions ≥ AED 55,000), lawyers/notaries/accountants handling certain client transactions (e.g. real estate deals, asset management, company formation), and trust or company-service providers (incorporation, director or address services, trustees, nominee shareholders). The law broadly covers any company engaged in those activities, even if not formally licensed as such – “substance over form” means your business must follow AML rules if it performs DNFBP services. In short, if your business deals in large sums or high-risk assets, expect AML rules to apply.

 2. Key Compliance Obligations

Businesses under the UAE AML rules must implement and maintain effective controls. Key requirements include:

• Customer Due Diligence (CDD): Verify every client’s identity (including beneficial owners) before opening an account or transaction, and assess their money-laundering risk. High-risk clients (e.g. Politically Exposed Persons) require extra scrutiny undertaken by way of an Enhanced Due Diligence (EDD).
• goAML Registration: All “reporting persons” (financial institutions and DNFBPs) must register on the UAE FIU’s goAML platform. goAML is the online system for submitting Suspicious Transaction Reports (and related forms). The Ministry of Economy has warned that failure to register (and thereby file STRs) can lead to severe penalties.
• Transaction Monitoring & STRs: Continuously monitor accounts for unusual activity. Any suspicious transaction (no matter the amount) must be reported immediately to the UAE FIU via the goAML portal. Reporting entities must register on the FIU’s goAML system to file Suspicious Transaction Reports without delay.
• Beneficial Owner Disclosure (UBO Register): Every UAE company must maintain a “Real Beneficiary” (UBO) register and requires that a legal person create and keep on file details of its ultimate beneficial owners. Practically, a UAE company has 60 days from incorporation (or from the law’s implementation) to establish its UBO register and the register must be updated promptly whenever ownership changes (typically within 15 days of learning of a change). Keeping the UBO register updated is now a legal obligation in the UAE and forms part of AML/CFT compliance.
• Record-Keeping: Keep detailed records of all transactions and customer data for at least five years (six years in the case of entities incorporated in DIFC and ADGM). These records must be retrievable for audits or regulator reviews.
• Sanctions & Controls: Screen customers and transactions against UAE/UN sanctions lists and block any matches. Entities must subscribe to the national Consolidated Sanctions List (via the EOCN system) and if a UN/terrorism/proliferation list match is found, the funds must be frozen within 24 hours and a Fund Freeze Report (FFR) must be filed through goAML; even a partial match requires a temporary hold and a Partial Name Match Report (PNMR) filing.
• Compliance Officer & Training: Appoint a qualified AML Compliance Officer- MLRO (Money-Laundering Reporting Officer) or team to oversee the program. Provide regular AML training so staff recognize red flags and know how to report concerns.
• Independent Audit: Periodically audit and review the AML policy’s effectiveness, updating policies and procedures as needed.

Each of the above is an ongoing duty – not a one-time setup. Regulators expect continuous diligence, for instance updating risk assessments when markets or customers change, or when laws are updated. Non-compliance can lead to heavy fines, license suspension and reputational harm.

3. Building a Strong AML Policy

To meet these obligations, businesses typically draft a written AML policy/manual. Key components of an AML Policy must include the following:

• Risk Assessment & Governance: A high-level statement of AML commitment, approved by management. Outline how you identify and evaluate money-laundering risks across customers, products and regions.
• CDD/KYC Procedures: Clear rules for client onboarding – what documents to collect (IDs, corporate documents, proof of address), how to verify them, and when to apply Enhanced Due Diligence (e.g. for complex trusts or PEPs).
• Transaction Monitoring: Methods and thresholds for ongoing monitoring (including transaction monitoring software or manual reviews) and the mechanism for alerts triggering investigation.
• Reporting Processes: Step-by-step guidance for staff on identifying suspicious activity and escalating it (internally and via goAML). Specify record-keeping obligations for all reports. If a transaction or account raises “reasonable grounds to suspect” ML/TF, the firm must promptly file a Suspicious Transaction Report (STR) with the FIU within 24–72 hours of detecting a concern. Any tipping-off or disclosure that an STR is being filed is strictly prohibited.
• Sanctions & Prohibited Activities: Procedures to screen against sanction lists and reject or freeze prohibited transactions (covering UN, local and other applicable sanctions).
• Roles & Training: Define AML roles – e.g. Compliance Officer duties, internal audit responsibilities – and a schedule for regular employee AML training.
• Document Retention: Rules for how long and where AML records (customer files, transaction logs, STRs) are stored, ensuring they are readily available for audits.
• Review & Updates: A provision that the policy will be reviewed at least annually (or when laws change) and updated accordingly.

In essence, the policy is your “playbook” for compliance. It should be practical and company-specific (size and industry), not just boilerplate text. While the above elements are standard, each business tailors the details to its operations and risk profile.

4. Penalties & Enforcement Risks

UAE authorities enforce AML rules stringently and the fines could be enormously hefty as below:

• Monetary Fines: Violation fines range from AED 50,000 to AED 5 million per breach; license suspensions or revocations may follow.
• Criminal Liability: Money laundering carries up to 10 years’ imprisonment; failure to report can lead to AED 100,000–1 million fines and jail for responsible individuals.
• Operational & Reputational Damage: Enforcement actions and public sanctions can disrupt banking relationships and erode stakeholder trust.

Staying inspection-ready and demonstrating proactive compliance are your best defenses.

How HLS-Global UAE Helps You Stay Compliant

Navigating AML rules can be complex. This is where HLS-Global UAE comes to the rescue of our clients to assist them in navigating through every step involved in AML compliance:

• Customized Compliance Program: We help design or update your AML policy and procedures to fit UAE law and your business risks. This includes drafting KYC forms, checklists, and internal control manuals.
• Regulator Liaison & Filings: We guide you through FIU/goAML registration and can manage STR filings on your behalf. We also assist with any required filings (e.g. beneficial-ownership data or other regulator reports).
• Training & Monitoring: Our experts conduct on-site or online AML training for your staff, so they know how to spot and report red flags. We can also review your customer database and transaction reports to spot gaps in your monitoring.
• Ongoing Support & Audits: We provide annual compliance reviews and update your AML policy as laws evolve. When authorities audit your business, we can prepare your documentation and represent your interests to the regulators.

Partnering with us ensures your business is protected from AML risks. A strong compliance program helps you avoid fines and build trust with banks, investors and regulators. Contact us to review your AML compliance and develop a tailored strategy. Your peace of mind is our priority.

Connect with us on LinkedIn and Instagram.

Disclaimer: All views expressed in this article are solely for informational purposes and should not be construed as legal advice. This information is for reference only and is bound to change in case of any amendments or changes to applicable laws. We do not assume any responsibility or liability for any errors or omissions in the content of this article, and do not make any warranties about the completeness, reliability and accuracy of the information expressed in this article.