On this page
- What Is AML Compliance and Why Does It Matter in the UAE?
- Who Must Comply? DNFBP Categories
- Core Obligations Under Federal Law No. 10 of 2025
- Penalty Schedule for Non-Compliance
- Worked Example: Calculating a Penalty Exposure
- What Changed Under Federal Law No. 10 of 2025
- AML Obligations for Accounting and Consulting Firms
- Common Mistakes That Trigger Inspection Findings
- What the FATF 2026 Evaluation Means for Your Business
- Official References
Every business classified as a Designated Non-Financial Business and Profession (DNFBP) in the UAE is now subject to one of the most demanding anti-money laundering frameworks in the Gulf. Under Federal Law No. 10 of 2025, which replaced Federal Decree-Law No. 20 of 2018 and came into force on 14 October 2025, AML compliance UAE obligations now explicitly cover money laundering, the financing of terrorism, and — for the first time — countering weapons proliferation financing. Fines reach AED 5 million per violation, and 2026 is a FATF evaluation year, which means enforcement activity is at its peak.
This guide explains who must comply, what the practical obligations are, how to register on goAML, what penalties apply, and what the new law changed.
What Is AML Compliance and Why Does It Matter in the UAE?
Anti-money laundering (AML) is the body of laws and controls that prevent criminals from disguising illegally obtained funds as legitimate income. Money laundering typically moves through three stages: placement, where criminal proceeds enter the financial system; layering, where the origin is concealed through complex transactions; and integration, where the cleaned funds re-enter the economy.
The UAE’s AML framework is now governed by Federal Law No. 10 of 2025, supplemented by Cabinet Resolution No. 134 of 2025 (effective 14 December 2025, which repealed Cabinet Decision No. 10 of 2019) and circulars from the Ministry of Economy and Tourism, the Central Bank, and the Financial Intelligence Unit. The framework explicitly targets money laundering, the financing of terrorism, and proliferation financing as separate but related threats.
The UAE was placed on the FATF grey list in 2022 and successfully exited in 2024 after completing 15 action points. With another FATF evaluation scheduled during 2026, the government is enforcing compliance harder than ever. In March 2023, authorities announced fines of AED 22.6 million imposed on 29 DNFBP companies under the 2023 inspection plan. By mid-2025, that figure for the first half of the year alone had reached AED 42 million.
[[chart:enforcement-escalation]]
Who Must Comply? DNFBP Categories
AML obligations apply to two groups: financial institutions (banks, insurance companies, exchange houses) and DNFBPs. The DNFBP category is where many business owners are caught unprepared.
| DNFBP Category | Examples | Supervisory Authority |
|---|---|---|
| Real Estate Agents and Brokers | Brokers buying and selling property | Ministry of Economy and Tourism (MoET) |
| Dealers in Precious Metals and Stones | Gold traders, jewellery stores, diamond dealers (transactions ≥ AED 55,000) | Ministry of Economy and Tourism (MoET) |
| Auditors and Accountants | Chartered accountants, accounting firms, independent accountants | Ministry of Economy and Tourism (MoET) |
| Company Service Providers | Business formation agents, registered office providers, nominee directors | Ministry of Economy and Tourism (MoET) |
| Legal Consultancy Firms | Legal consultants (excluding practising lawyers) | Ministry of Economy and Tourism (MoET) |
| Lawyers and Notary Publics | Practising lawyers and licensed notaries | Ministry of Justice (MoJ) |
| Virtual Asset Service Providers | Crypto exchanges, token issuers, wallet providers | VARA / SCA / FSRA / DFSA (by jurisdiction) |
| Commercial Gaming Operators (new from 2025) | Gaming halls, online gaming, sports betting, lottery operators | Relevant licensing authority |
If your business falls under any category above, the obligations are the same regardless of company size. A small consulting firm has identical registration, CDD, and reporting requirements to a large group.
Core Obligations Under Federal Law No. 10 of 2025
Meeting the UAE’s anti-money laundering requirements involves nine documented obligations. These are legal duties, not recommendations.
Step 1: Register on the goAML Portal
Every DNFBP must register on goAML, the official suspicious transaction reporting platform run by the UAE Financial Intelligence Unit. Registration is a two-stage process.
First, register on the SACM (Sanctions and Compliance Monitoring) system and configure Google Authenticator for secure access. Second, log in to the goAML portal using your SACM credentials, select your supervisory authority, enter your company details exactly as they appear on your trade licence, and upload the required documents: trade licence, MLRO authorisation letter, and Emirates ID of the appointed compliance officer. Registration for a complete, accurate application typically takes 5 to 10 working days.
Step 2: Appoint a Money Laundering Reporting Officer (MLRO)
You must appoint a qualified compliance officer who understands UAE AML law and is actively responsible for your firm’s compliance programme. The MLRO handles suspicious transaction reports, staff training, and liaison with the FIU. Appointing an untrained staff member as a formality is no longer accepted.
Step 3: Conduct an Enterprise-Wide Risk Assessment
Your business must document a risk assessment covering your customer profiles, transaction types, geographic exposure, delivery channels, and service offerings. This assessment forms the foundation of your entire AML framework and must be reviewed and updated regularly. It must also address proliferation financing risks under the 2025 law.
Step 4: Implement Customer Due Diligence (CDD)
Before onboarding any client, verify their identity, identify the Ultimate Beneficial Owner (UBO), and understand the business relationship. For standard-risk clients, basic CDD applies. For high-risk clients — Politically Exposed Persons, clients from high-risk jurisdictions, or unusually complex transactions — Enhanced Due Diligence (EDD) is required, including deeper verification and ongoing monitoring.
UBO details must now be updated within 15 working days of any change, and bearer shares are expressly prohibited under the 2025 law.
Step 5: Develop Documented AML Policies and Procedures
Internal policies must cover customer acceptance, risk categorisation, ongoing monitoring, record-keeping, sanctions screening, and suspicious activity reporting. Generic downloaded templates do not pass inspection — policies must reflect your actual business activities and risk profile.
Step 6: File Suspicious Transaction Reports (STRs)
If a transaction or client behaviour appears unusual or inconsistent, submit a Suspicious Transaction Report through goAML. You must never inform the client that a report has been filed. This act — known as tipping off — is a criminal offence under UAE law.
Step 7: Screen Against Sanctions Lists
Conduct ongoing screening of clients and transactions against UAE, UN, and relevant international sanctions lists. This includes screening for terrorism financing and proliferation financing designations, not only traditional money laundering watchlists.
Step 8: Retain Records for at Least Five Years
All CDD records, transaction documents, risk assessments, STR copies, and training logs must be kept for a minimum of five years after the end of the business relationship or transaction. Records must be secure, retrievable, and ready for inspection without delay.
Step 9: Submit the Annual AML Risk Assessment Report to the Ministry of Economy
All registered DNFBPs must submit an annual report to MoET covering your internal and external risk environment, the controls you have implemented, and the effectiveness of your compliance programme. The Ministry uses this report to assign your firm a risk score, which determines the intensity of future supervision.
Penalty Schedule for Non-Compliance
| Violation | Penalty |
|---|---|
| Failure to register on goAML | Administrative fines + potential licence suspension |
| Failure to implement AML policies and procedures | AED 50,000 to AED 5 million per violation |
| Failure to appoint a qualified MLRO | Administrative fines + increased scrutiny |
| Failure to conduct or document a risk assessment | Administrative fines; inspection findings on record |
| Failure to file Suspicious Transaction Reports | Criminal offence + fines + potential imprisonment |
| Tipping off a client about an STR | Criminal offence under UAE law |
| Failure to apply Enhanced Due Diligence for high-risk clients | Administrative fines |
| Failure to maintain records for five years | Administrative fines + increased regulatory scrutiny |
| Corporate entity — aggregate penalties | Up to AED 100 million depending on severity and pattern |
| Personal liability for directors and managers | Criminal prosecution, travel bans, asset freezing |
⚠️ Warning:
Beyond financial penalties, enforcement action can trigger licence suspension, business closure, and asset freezing. UAE banks also close accounts of companies that lack a credible, documented AML framework — and without a bank account, operations become impossible.
Worked Example: Calculating a Penalty Exposure
A mid-sized company service provider in Dubai is inspected by the Ministry of Economy in Q1 2026 and found to have three separate violations: no registered MLRO, no documented risk assessment, and no annual report filed for the prior year.
Each violation is treated independently under the penalty framework:
| Violation Found | Fine Range Applied | Illustrative Fine |
|---|---|---|
| No MLRO appointed | AED 50,000 – AED 500,000 | AED 150,000 |
| No enterprise-wide risk assessment | AED 50,000 – AED 500,000 | AED 200,000 |
| Annual report not filed | AED 50,000 – AED 200,000 | AED 75,000 |
| Total exposure | AED 425,000 |
[[chart:penalty-worked-example]]
This example uses conservative mid-range figures. In repeat-violation or high-severity cases — or where the firm has previously been warned — the Ministry regularly applies fines toward the upper end of each band, pushing total exposure well above AED 1 million for a single inspection cycle.
The lesson: a professionally implemented compliance programme typically costs a fraction of a single inspection penalty.
What Changed Under Federal Law No. 10 of 2025
Federal Law No. 10 of 2025 is the most comprehensive AML legislation the UAE has introduced. Its executive regulations — Cabinet Resolution No. 134 of 2025 — comprise 71 articles and close to 300 enforceable requirements. The key changes affecting UAE businesses are:
| Change | Previous Position | New Position Under 2025 Law |
|---|---|---|
| Proliferation financing | Not a formal standalone obligation | Explicitly required; all DNFBPs must identify and document proliferation financing risks |
| VASP obligations | Lighter requirements than banks | Full alignment with financial institution standards, including Travel Rule |
| DNFBP scope | Did not include gaming operators | Commercial gaming operators now formally classified as DNFBPs |
| UBO update deadline | No defined timeline | Changes must be reported within 15 working days |
| Bearer shares | Restricted but not expressly prohibited | Expressly prohibited; 30-day conversion requirement |
| Director/manager liability | Corporate liability primary | Personal criminal liability extended to individual directors and managers |
💡 Key Point:
The addition of countering the financing of terrorism and proliferation financing as explicit obligations means your enterprise-wide risk assessment must now address three distinct threat categories, not just one. Firms that have not updated their risk assessments since October 2025 are already non-compliant with the new framework.
AML Obligations for Accounting and Consulting Firms
Accounting firms and financial consultancies in the UAE are classified as DNFBPs with the Ministry of Economy and Tourism as their supervisory authority. MoET has issued sector-specific guidance for accountants and auditors covering known money laundering typologies, red flag indicators, and examples of how professional services are abused.
As a firm that works with clients’ financial records, you are in a position to identify irregularities that others cannot. Professional scepticism is expected. Unusual transactions, inconsistent funding sources, or clients who refuse to provide UBO information are all potential triggers for an STR. Failing to report when you have reasonable grounds is not a regulatory breach alone — it is a criminal offence.
For accountants helping clients meet their own UAE compliance obligations, the connections between AML and corporate tax services, VAT filing, and audit assistance are practical: the same books, the same transactions, and the same client relationships are reviewed across all of them. A well-run AML framework improves the quality of all downstream compliance work.
Common Mistakes That Trigger Inspection Findings
These are the most frequently identified gaps during MoET inspections:
No documented enterprise-wide risk assessment. Operating without a written, current risk assessment means your compliance programme has no foundation. This is the single most common inspection finding.
Generic policies not tailored to the business. A template policy downloaded from the internet does not describe your actual clients, transaction types, or risk exposure. Regulators know the difference.
Weak or incomplete CDD records. Missing identification documents, unsigned approvals, incomplete UBO records, or undated verification forms are regularly flagged. Scanned documents alone — without verification notes — are insufficient.
No evidence of ongoing monitoring. AML compliance is not a one-time onboarding process. Regulators expect documented evidence that client relationships and transactions are being actively monitored beyond the initial CDD stage.
Untrained compliance officer. Appointing an MLRO as a formality without providing substantive training is a red flag. The compliance officer must be able to explain the firm’s risk assessment and STR procedure under questioning.
Missing annual MoE report. This is a yearly obligation and a standalone violation if missed. Submitting an incomplete or generic report is treated nearly as seriously as not submitting at all.
What the FATF 2026 Evaluation Means for Your Business
The FATF evaluation scheduled for 2026 focuses on whether the UAE’s reforms are embedded in practice across sectors, not whether rules exist on paper. This is why the Ministry of Economy increased inspections and penalties throughout 2025 — regulators are building their enforcement record ahead of the assessment window.
For any DNFBP, this means the practical bar for compliance is the highest it has ever been. Regulators are not waiting until an evaluation report is due; they are acting now. If your firm has not updated its risk assessment or policies to reflect Federal Law No. 10 of 2025, an inspection before year-end is the most likely way you will find out.
The practical answer is straightforward: treat your AML framework as a live operational document, not a filing cabinet exercise. If you need help reviewing your current programme against the 2025 requirements, our AML compliance service covers the full process from goAML registration through to annual MoE reporting.
For businesses working through broader UAE compliance questions — including VAT registration, corporate tax obligations, and financial record-keeping requirements — the same structured approach applies: understand the law, document the controls, and keep the evidence ready.
Official References
Frequently asked questions
Common questions, answered
What is AML compliance UAE and who does it apply to?
AML compliance in the UAE refers to the obligations under Federal Law No. 10 of 2025 to prevent money laundering, terrorism financing and proliferation financing. It applies to all financial institutions and to Designated Non-Financial Businesses and Professions (DNFBPs), including accountants, real estate agents, gold dealers, company service providers, lawyers and — from 2025 — commercial gaming operators.
What is the goAML portal and why does my business need to register?
goAML is the official suspicious transaction reporting platform developed by the UN Office on Drugs and Crime and adopted by the UAE Financial Intelligence Unit. Every DNFBP is legally required to register on goAML before it can file Suspicious Transaction Reports. Operating without registration is itself a violation and carries administrative fines plus the risk of licence suspension.
How long does goAML registration take for a DNFBP?
Registration typically takes 5 to 10 working days for complete and accurate submissions. Delays usually occur when the trade licence details entered do not match the portal records, or when the MLRO authorisation letter or Emirates ID documents are missing or unclear.
What are the penalties for non-compliance with AML regulations in the UAE?
Fines for failure to implement AML policies range from AED 50,000 to AED 5 million per violation. Corporate penalties can reach AED 100 million in serious cases. Non-registration, failure to report suspicious transactions and tipping off a client are treated as criminal offences and can lead to licence suspension, asset freezing, travel bans and personal prosecution of company managers.
Does AML compliance apply to small accounting or consulting firms?
Yes. If your firm falls under any DNFBP category, the obligations apply regardless of company size. A sole-practitioner accountant has the same registration, CDD, record-keeping and reporting obligations as a large audit firm. The Ministry of Economy conducts both on-site and desk-based inspections and does not distinguish by company size when issuing fines.
What changed under Federal Law No. 10 of 2025 compared to the 2018 decree?
The 2025 law formally added countering the financing of terrorism and weapons proliferation as explicit obligations, expanded the DNFBP category to include gaming operators, aligned virtual asset service providers with bank-level requirements, required UBO updates within 15 working days of any change, prohibited bearer shares, and extended personal criminal liability to directors and managers of non-compliant entities.
How often must AML training be conducted for staff?
Training must be conducted at least annually and updated whenever significant regulatory changes occur. The enactment of Federal Law No. 10 of 2025 in October 2025 is a major trigger — all relevant staff should have received updated training before or shortly after the law came into effect.
What records must be kept and for how long under UAE AML law?
All CDD documents, transaction records, risk assessments, STR copies and training logs must be retained for a minimum of five years after the end of the business relationship or the completion of the relevant transaction. Records must be secure, easily retrievable and available for regulatory inspection without delay.