AML Compliance UAE: The Ultimate Guide Every Business Must Follow in 2026
AML compliance UAE is no longer just a concern for banks and financial institutions. In 2026, every business classified as a Designated Non-Financial Business and Profession must follow strict anti-money laundering rules or face fines that can reach AED 5 million per violation. Whether you run an accounting firm, a real estate brokerage, a gold trading company, or a corporate services business, the UAE government expects you to register on the goAML portal, appoint a compliance officer, implement customer due diligence procedures, and report any suspicious activity. This guide explains exactly what AML compliance UAE involves, who it affects, what steps you need to take, the penalties for non-compliance, and the major changes introduced under the new Federal Law No. 10 of 2025.
What Is AML Compliance UAE and Why Does It Matter?
Anti-Money Laundering, or AML, refers to the set of laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. Money laundering typically happens in three stages: placement, where criminal money enters the financial system; layering, where the origin is concealed through complex transactions; and integration, where the cleaned money re-enters the economy as seemingly legitimate funds. AML compliance UAE is governed primarily by Federal Decree-Law No. 20 of 2018 (now replaced by Federal Law No. 10 of 2025), Cabinet Decision No. 10 of 2019, and the various circulars and guidelines issued by the Ministry of Economy and Tourism, the Central Bank, and the Financial Intelligence Unit. The UAE was placed on the FATF grey list in 2022 and successfully exited in 2024 after completing 15 action points. However, the upcoming FATF evaluation in 2026 means the government is enforcing compliance harder than ever. In 2024 alone, the authorities fined 29 DNFBP organisations a combined AED 22.6 million. In the first half of 2025, that number jumped to AED 42 million. The message is clear — AML compliance UAE is not optional, and enforcement is accelerating.
Who Must Follow AML Compliance UAE Rules?
AML regulations apply to two main groups of entities in the UAE. The first group is Financial Institutions, which includes banks, insurance companies, exchange houses, and finance companies. The second group is Designated Non-Financial Businesses and Professions, commonly known as DNFBPs. This is the group that catches many business owners off guard.
What Is a DNFBP?
A DNFBP is any business that conducts one or more of the following activities, as defined under Cabinet Decision No. 10 of 2019 and now expanded under the new executive regulations.
| DNFBP Category | Examples | Supervisory Authority |
|---|---|---|
| Real Estate Agents and Brokers | Brokers involved in buying and selling property | Ministry of Economy and Tourism (MoET) |
| Dealers in Precious Metals and Stones | Gold traders, jewellery stores, diamond dealers (transactions ≥ AED 55,000) | Ministry of Economy and Tourism (MoET) |
| Auditors and Accountants | Chartered accountants, audit firms, independent accountants | Ministry of Economy and Tourism (MoET) |
| Company Service Providers | Business formation agents, registered office providers, nominee directors | Ministry of Economy and Tourism (MoET) |
| Legal Consultancy Firms | Legal consultants (excluding lawyers and notary publics) | Ministry of Economy and Tourism (MoET) |
| Lawyers and Notary Publics | Practising lawyers and notaries | Ministry of Justice (MoJ) |
| Virtual Asset Service Providers (VASPs) | Crypto exchanges, token issuers, wallet providers | VARA (Dubai) / SCA / FSRA / DFSA |
| Commercial Gaming Operators (New) | Gaming halls, online gaming, sports betting, lottery operators | Relevant licensing authority |
Key Obligations for AML Compliance UAE
Meeting AML compliance UAE requirements involves several mandatory steps. These are not suggestions — they are legal obligations enforced by the Ministry of Economy and other supervisory bodies.
1. Register on the goAML Portal
Every DNFBP must register on the goAML system, which is the official platform developed by the United Nations Office on Drugs and Crime and adopted by the UAE Financial Intelligence Unit. Registration happens in two stages: first, you register on the SACM (Sanctions and Compliance Monitoring) protection system and set up Google Authenticator for secure access; second, you complete your organisation registration on the goAML portal itself. Without registration, you cannot file Suspicious Transaction Reports, and failure to register is itself a violation of AML compliance UAE regulations.
2. Appoint a Compliance Officer (MLRO)
You must appoint a qualified Money Laundering Reporting Officer who has a solid understanding of AML laws and is responsible for overseeing your firm’s compliance programme. The MLRO handles suspicious transaction reporting, ensures staff are trained, and acts as the primary contact with the FIU. Appointing an untrained internal staff member as a formality is no longer accepted by regulators.
3. Implement Customer Due Diligence (CDD)
Before onboarding any client, you must verify their identity, identify the Ultimate Beneficial Owner of the business, and understand the nature and purpose of the business relationship. For standard-risk clients, basic CDD is sufficient. For high-risk clients — such as Politically Exposed Persons, clients from high-risk jurisdictions, or unusually complex transactions — Enhanced Due Diligence measures must be applied, including deeper verification and ongoing monitoring.
4. Conduct an Enterprise-Wide Risk Assessment
Your business must perform and document a comprehensive risk assessment that evaluates your exposure to money laundering and terrorism financing risks. This includes assessing your customer profiles, transaction types, geographic exposure, delivery channels, and the products or services you offer. The risk assessment must be reviewed and updated regularly, and it forms the foundation of your entire AML compliance UAE programme.
5. Develop AML Policies and Procedures
You must have documented internal policies covering customer acceptance, risk categorisation, ongoing monitoring, record-keeping, sanctions screening, and suspicious activity reporting. These policies cannot be generic templates — they must be tailored to your specific business activities and risk profile. During inspections, if a procedure is not documented, regulators treat it as if it does not exist.
6. Report Suspicious Transactions
If any transaction or activity appears unusual, inconsistent, or suspicious, you must submit a Suspicious Transaction Report through the goAML system. Critically, you must never inform the client that an STR has been filed. This act, known as tipping off, is a criminal offence under UAE law.
7. Maintain Records for at Least 5 Years
All AML-related records must be retained for a minimum of five years after the end of a business relationship or completion of a transaction. This includes copies of identification documents, transaction receipts, risk assessments, CDD records, and any correspondence related to suspicious activity. Records must be secure, easily retrievable, and available for regulatory inspection without delay.
8. Provide Regular AML Training
All relevant staff must receive periodic training on AML obligations, red flag indicators, reporting procedures, and sanctions compliance. Training must be documented and updated to reflect changes in regulations and your firm’s risk profile.
9. File the Annual AML Risk Assessment Report
All DNFBPs registered in the UAE must submit an annual AML/CFT risk assessment report to the Ministry of Economy. This report covers your internal and external risk environment, how your business is implementing controls, and the effectiveness of your compliance measures. Based on this report, the authorities assign your entity a risk score which determines the level of future supervision you receive.
Need Help With AML Compliance UAE?
Velmont Crest helps businesses set up and maintain their AML framework — from goAML registration and MLRO appointment to risk assessments, CDD procedures, and annual reporting. Stay compliant, avoid fines.
How to Register on the goAML Portal — Step by Step
Registration on goAML is mandatory for all DNFBPs and is the first practical step toward AML compliance UAE. Here is how the process works.
Register on the SACM System — Visit the SACM portal, create your account, and set up Google Authenticator on your phone. This generates a time-based one-time password that changes every minute. Without completing this step, you cannot proceed to Stage 2.
Complete Organisation Registration on goAML — Log in to the goAML portal using your SACM credentials, select “Reporting Entity” and “New Company Registration,” choose your supervisory authority (Ministry of Economy for most DNFBPs), enter your company details exactly as they appear on your trade license, and upload the required documents including your trade license, MLRO authorisation letter, and Emirates ID of the appointed compliance officer.
The registration typically takes 5 to 10 working days for complete and accurate submissions. Delays usually happen when the trade license details do not match the portal entries or when documents are missing.
Penalties for Failing AML Compliance UAE
The UAE government enforces AML regulations through a strict penalty regime. In 2026, with the upcoming FATF evaluation, enforcement has reached its highest level. Here is what non-compliance can cost your business.
| Violation | Penalty |
|---|---|
| Failure to register on goAML | Administrative fines + potential license suspension |
| Failure to implement AML policies | AED 50,000 to AED 5 million per violation |
| Failure to report suspicious transactions | Criminal offence + fines + potential imprisonment |
| Tipping off a client about an STR | Criminal offence under UAE law |
| Failure to maintain records | Administrative fines + increased regulatory scrutiny |
| Corporate entity total penalties | Can reach up to AED 100 million depending on severity |
Federal Law No. 10 of 2025 — What Changed?
The UAE enacted Federal Law No. 10 of 2025, which came into effect on 14 October 2025 and replaced the previous Federal Decree-Law No. 20 of 2018. This is the most comprehensive AML legislation the UAE has introduced to date, with 71 articles and nearly 300 enforceable requirements. Here are the key changes that affect AML compliance UAE for businesses. Proliferation financing is now a formal offence. For the first time, the law explicitly includes countering the financing of weapons proliferation alongside money laundering and terrorism financing. All regulated entities must now identify, mitigate, and document proliferation financing risks. VASPs are fully aligned with financial institutions. Virtual Asset Service Providers now have the same AML obligations as banks and exchange houses, including the Travel Rule for virtual asset transfers, continuous sanctions screening, and a CDD threshold of AED 3,500 for single or linked transactions. Commercial gaming operators are now DNFBPs. The new executive regulations have expanded the DNFBP definition to include gaming halls, online gaming, sports betting, and lottery operators. This is a brand new category that did not exist before. Stricter Ultimate Beneficial Ownership requirements. Companies must now update UBO details within 15 working days of any change. Bearer shares are expressly prohibited with a 30-day conversion requirement, and nominee status must be disclosed promptly. Personal criminal liability for managers. Directors and managers of legal entities can now face personal criminal liability if their firm facilitates money laundering. This includes fines, travel bans, and potential prosecution.
AML Compliance UAE for Accountants and Auditors
If you operate an accounting or auditing firm in the UAE, you are classified as a DNFBP and are subject to full AML compliance UAE obligations. The Ministry of Economy and Tourism is your supervisory authority, and they have issued specific supplemental guidance for auditors and accountants covering the risks you may encounter while discharging professional duties, examples of abuse of auditor services, known money laundering typologies, and sector-specific red flag indicators. As an accountant or auditor, you are in a unique position because you have access to your clients’ financial records. This means you can spot irregularities that other professionals might miss. You are expected to apply professional scepticism, monitor for unusual transactions, and report any suspicious activity through the goAML system. Failing to do so is not just a regulatory breach — it is a criminal offence.
Common AML Compliance Mistakes That Trigger Penalties
Based on enforcement trends and inspection findings, here are the most common AML compliance UAE mistakes that businesses continue to make. No documented enterprise-wide risk assessment. Operating without a formal, written risk assessment is one of the most common findings during inspections. Without it, your entire compliance framework has no foundation. Weak or incomplete CDD records. Missing identification documents, unsigned approvals, incomplete beneficial ownership records, and undated verification forms are frequently flagged. Scanned documents alone are no longer considered sufficient. Generic AML policies not tailored to the business. Using a template policy downloaded from the internet without customising it to your actual business activities, client base, and risk profile will not pass an inspection. No evidence of ongoing monitoring. AML compliance UAE is not a one-time setup. Regulators expect evidence that you are actively monitoring client relationships and transactions on an ongoing basis, not just at onboarding. Untrained staff handling compliance. Appointing a compliance officer as a formality without providing proper training is a red flag during inspections. Your MLRO must be competent and actively involved in the compliance programme. Failure to file the annual risk assessment report. This is a yearly obligation to the Ministry of Economy. Missing it or submitting an incomplete report puts your business on the regulators’ radar.
FATF 2026 Evaluation — Why It Matters for Your Business
The Financial Action Task Force is scheduled to evaluate the UAE again in 2026. This evaluation focuses on results, not just whether rules exist on paper. The FATF wants to see that reforms are embedded and sustainable across all sectors. This is why the Ministry of Economy has ramped up inspections, increased penalties, and issued new circulars throughout 2025 and into 2026. For your business, this means the bar for AML compliance UAE is higher than it has ever been. Regulators are documenting their enforcement record ahead of the evaluation, and businesses that are found non-compliant will face consequences quickly. The best thing you can do is get your compliance programme in order now, before an inspection finds you unprepared.
Frequently Asked Questions
Does AML compliance apply to small businesses? Yes. If your business falls under any DNFBP category, you must comply regardless of your size. A sole accountant has the same obligations as a large audit firm. How long does goAML registration take? Typically 5 to 10 working days for complete and accurate applications. Delays are usually caused by mismatched trade license details or missing documents. Can I handle AML compliance myself or do I need a consultant? You can register and implement controls yourself, but many businesses hire professional consultants to ensure their framework meets regulatory standards and passes inspection. Getting it wrong can be far more expensive than hiring expert help. What is the difference between an STR and an SAR? A Suspicious Transaction Report is filed when a specific transaction raises red flags. A Suspicious Activity Report is filed when the overall behaviour or pattern of a client appears suspicious, even without a specific transaction involved. How often should AML training be conducted? Training should be conducted at least annually and whenever there are significant regulatory changes. The recent enactment of Federal Law No. 10 of 2025 is one such change that requires updated training for all relevant staff. What records must be kept and for how long? All CDD records, transaction documents, risk assessments, STR copies, and training records must be retained for a minimum of five years after the end of the business relationship or transaction.
Get Your AML Compliance UAE Sorted — Before the Next Inspection
Velmont Crest provides end-to-end AML compliance support for DNFBPs — goAML registration, risk assessments, policy development, CDD procedures, annual reporting, and staff training. Protect your business and your license.
Official References
- Ministry of Economy and Tourism — Combating Money Laundering and Terrorism Financing
- Ministry of Economy — Does Your Company Fall Under DNFBP?
- Ministry of Economy — Register in goAML
- goAML UAE — Anti Money Laundering Registration
- White & Case — UAE New AML Law Key Changes
- Velmont Crest — How to Open a Business in Dubai
- Velmont Crest — VAT Registration in UAE