AML Compliance in Abu Dhabi 2026: DNFBP, goAML, FSRA and ADGM Anti-Money Laundering Rules
AML compliance in Abu Dhabi for DNFBPs, FSRA-regulated ADGM firms, real estate brokers, gold dealers and corporate service providers — goAML, sanctions screening and SAR reporting.
Key Takeaways
- 1 DNFBP registration with the Ministry of Economy is mandatory for real estate brokers, dealers in precious metals/stones, auditors, accountants, tax consultants and corporate service providers
- 2 goAML portal registration with the UAE Financial Intelligence Unit is required for all reporting entities — SARs and STRs file through goAML
- 3 FSRA-regulated ADGM entities sit under the FSRA AML/CFT rulebook with risk-based KYC, ongoing monitoring and quarterly returns
- 4 ADGM non-regulated entities carry their own AML obligations under the ADGM AML Rulebook administered by the Registration Authority
- 5 Sanctions screening against UN, OFAC, UK HMT, EU and UAE Local Terrorist List is required at onboarding and on an ongoing basis
- 6 Penalties for non-compliance range from AED 50,000 to AED 5,000,000 per breach under federal AML/CFT law, plus FSRA enforcement powers for ADGM regulated firms
AML compliance in Abu Dhabi operates under three overlapping regimes. The federal AML/CFT framework — Federal Decree-Law No. 20 of 2018 and the implementing Cabinet Decision No. 10 of 2019 — applies to all reporting entities in the UAE, administered for non-financial professions by the Ministry of Economy and the Executive Office for Anti-Money Laundering and Countering the Financing of Terrorism. FSRA-regulated ADGM firms sit under the FSRA AML Rulebook with quarterly returns and on-site supervision. ADGM non-regulated entities sit under the ADGM AML Rulebook administered by the Registration Authority.
This guide is written for MLROs, compliance officers, owners and operations leads of Abu Dhabi DNFBPs, ADGM-registered entities and small-to-mid financial firms designing, reviewing or rebuilding their AML programmes in 2026. It covers what the rules actually require, what supervisors actually inspect, what penalties have actually been imposed, and how Velmont Crest scopes engagements for clients in the capital.
Why AML in Abu Dhabi Looks Different
Abu Dhabi’s AML environment in 2026 differs from Dubai’s in three structural ways even though the federal framework is uniform.
ADGM regulatory cluster. Abu Dhabi hosts ADGM, with FSRA-regulated banks, fund managers, broker-dealers, payment service providers, custodians and virtual asset service providers. The FSRA AML Rulebook applies to these firms with quarterly returns, on-site inspections and integrated capital-adequacy-with-AML supervision. Dubai’s DIFC equivalent (DFSA) operates similarly but with different rule numbering and supervisor process.
Real estate concentration. Abu Dhabi has a smaller real estate transaction volume than Dubai but a higher proportion of high-value commercial and institutional transactions. Real estate brokers and developers in Abu Dhabi face DNFBP AML obligations under federal rules and additional licensing obligations from the Department of Municipalities and Transport. The threshold for source-of-funds verification on cash real estate transactions (AED 55,000) applies federally.
Gold and precious metals trade. Abu Dhabi hosts an active gold trade including Madinat Zayed Souk and the Abu Dhabi Gold Souk. Dealers in precious metals and stones are federal DNFBPs with cash-transaction thresholds, ongoing SAR reporting obligations and Ministry of Economy supervision.
Government-related counterparties. Abu Dhabi SMEs supplying ADNOC, ADNEC, EGA, EDGE Group, Aldar, Mubadala portfolio companies and the Abu Dhabi government conduct AML screening on these counterparties as standard. While government counterparties are generally low-risk, the AML programme must still document the screening discipline.
AED 5,000,000
Upper-end federal AML penalty per breach for serious failures including dealing with sanctioned parties, failure to file SARs or systemic AML programme breakdown
Who Must Comply — DNFBPs and Regulated Entities
The federal AML regime defines reporting entities in two broad groups.
Financial Institutions
Banks, finance companies, exchange houses, insurance companies, securities firms and other financial institutions regulated by the UAE Central Bank, the Securities and Commodities Authority, the FSRA (in ADGM) or the DFSA (in DIFC). These entities sit under their primary regulator’s AML rulebook with the most intensive supervisory regime.
Designated Non-Financial Businesses and Professions (DNFBPs)
Per Cabinet Decision No. 10 of 2019:
- Real estate brokers and agents — any party involved in real estate transactions including brokerage, agency, valuation and developer sales activity
- Dealers in precious metals and stones — gold, silver, platinum, diamonds, jewellery, gemstones; cash transactions above AED 55,000 trigger SAR consideration
- Auditors and audit firms — including Ministry of Economy-accredited audit firms and ADGM Recognised Auditors
- Accountants and accounting firms — including Velmont Crest and similar firms providing bookkeeping, financial reporting and accounting services
- Tax consultants and tax agents — including FTA-registered tax agents
- Corporate service providers — including company formation agents, registered agents and trust and company service providers
- Lawyers and legal consultants — in specific activities including real estate transactions, management of client money, formation of companies, asset transfers and certain other activities
- Trust and company service providers — including ADGM and DIFC TCSPs
Each DNFBP must register with the Ministry of Economy through the AML/CFT supervisory portal, appoint an MLRO, prepare a written AML risk assessment, implement KYC and CDD procedures, conduct ongoing sanctions screening, train staff annually, file SARs through goAML when warranted, and complete the annual AML/CFT supervisory return.
The MLRO Role — What Supervisors Inspect
The Money Laundering Reporting Officer is the senior individual responsible for the firm’s AML/CFT compliance. Supervisors inspect the MLRO function as a central indicator of programme quality.
Seniority and independence. The MLRO must be sufficiently senior to act independently of operational management and must have direct reporting line to the board or governance body. In smaller DNFBPs, the MLRO is often the managing partner or compliance director.
Outsourcing. The MLRO role can be outsourced to a third-party compliance firm for smaller DNFBPs, but the firm retains ultimate responsibility for AML compliance. The outsourced MLRO must be named, registered with the supervisor and accessible for inspection.
Documented decisions. The MLRO maintains documented evidence of risk assessment decisions, KYC and CDD reviews, SAR/STR filings (and decisions not to file where suspicion was considered and rejected), training delivery, sanctions screening output and supervisory liaison. Supervisors inspect this documentation on-site.
Annual training. The MLRO delivers (or arranges) annual AML/CFT training for all relevant staff. Training records must be maintained.
Supervisory liaison. The MLRO is the primary contact for the Ministry of Economy, the Executive Office for AMLCTF, the FIU (FIU UAE) and the activity-specific regulator (FSRA for ADGM-regulated, etc.).
Written Risk Assessment and AML Policy
The foundation of any AML programme is the written risk assessment and corresponding AML/CFT policy.
Risk assessment. Identifies and documents the AML and CFT risks the firm faces by customer type, jurisdiction, product/service, delivery channel and transaction profile. The assessment is risk-based — higher-risk segments receive higher controls. For a real estate brokerage, the risk dimensions include cash-buyer profile, source-of-funds verification thresholds, foreign investor jurisdictions and beneficial ownership complexity. For an accounting firm, the risk dimensions include client industry sectors, beneficial ownership structures, jurisdictions served and transaction patterns. The risk assessment is reviewed annually and updated for material changes.
AML/CFT policy. Translates the risk assessment into operational procedures — customer onboarding, KYC and CDD procedures, sanctions screening process, transaction monitoring approach, SAR/STR escalation and filing procedures, record-keeping standards, staff training programme, governance and reporting lines. The policy is board-approved and reviewed annually.
Tailored, not template. Supervisors are critical of generic template risk assessments and policies that do not reflect the firm’s actual business profile. The risk assessment must show evidence of actual analysis of the firm’s customer base, transaction patterns and jurisdictional exposure.
KYC, CDD and Beneficial Ownership
Customer due diligence is the operational core of any AML programme.
Customer identification and verification. Standard CDD requires verified identification documents (passport for individuals, trade licence + MoA + UBO declaration for entities), proof of address, verified contact details and understanding of the customer’s business and source of funds.
Beneficial ownership. The ultimate beneficial owner (UBO) is the natural person who ultimately owns or controls 25%+ of the customer or otherwise exercises effective control. UBO identification is mandatory under federal AML rules and is also subject to ADGM, DIFC and mainland UBO disclosure requirements that apply at company-formation level.
Enhanced due diligence (EDD). Applies to higher-risk customers including politically exposed persons (PEPs), customers from higher-risk jurisdictions per FATF and UAE assessments, customers with complex ownership structures (multi-jurisdictional holding chains), high-value transactions and unusual patterns. EDD typically involves senior management approval, additional source-of-funds verification, and enhanced ongoing monitoring.
Simplified due diligence (SDD). May apply to lower-risk customer types subject to documented justification — typically large listed companies, certain government entities and regulated financial institutions from FATF-equivalent jurisdictions. SDD is not a default; it must be justified case by case.
Ongoing monitoring. CDD is not just at onboarding. Transactions are monitored throughout the relationship against the customer’s stated profile, and material deviations trigger review. The CDD record is updated periodically (typically every 1-3 years depending on risk rating).
Record retention. CDD records and transaction records must be retained for at least 5 years from end of the relationship (or longer for jurisdictions like ADGM that require longer).
Sanctions Screening — UN, OFAC, UK HMT, EU and UAE Lists
Sanctions screening is mandatory at customer onboarding and on an ongoing basis.
Lists to screen. UN Consolidated Sanctions List, US OFAC SDN List, UK HM Treasury Consolidated List, EU Consolidated Financial Sanctions List, and the UAE Local Terrorist List published by the UAE Executive Office for AMLCTF. Some sectors and risk profiles add further lists (Singapore, Australia, Switzerland).
Screening tools. Sanctions screening tools range from free supervisor portals for low-volume DNFBPs (manual lookup against the public lists) to enterprise screening platforms with API integration for high-volume regulated firms. Common providers include Refinitiv World-Check, LexisNexis, Dow Jones Risk & Compliance and Acuris. Choice depends on volume, jurisdiction coverage and integration needs.
Match handling. Confirmed positive matches require immediate freezing of funds, no further transactions, and prompt reporting to the FIU and the relevant supervisor. False positives are documented and dismissed. The screening log evidences both true and false positive handling.
Ongoing screening. Customer base must be re-screened periodically (typically daily for high-risk, monthly for medium-risk, quarterly for low-risk) and on every customer profile change. New screening targets added to the lists must be reflected in re-screening within the SLA.
goAML portal
UAE Financial Intelligence Unit's reporting portal — mandatory registration for all reporting entities, channel for SARs, STRs and supervisor returns
goAML, SARs and STRs
The goAML portal is the FIU’s reporting infrastructure for the UAE.
Registration. All reporting entities must register on goAML with their commercial documents, MLRO appointment details, supervisor information and authorised user credentials. Registration takes typically 2-6 weeks depending on entity type and supervisor processing.
Suspicious Activity Reports (SARs). Filed when the firm has reasonable grounds to suspect that funds are the proceeds of crime, that a customer is involved in financing of terrorism, or that a transaction is otherwise suspicious. SARs file through goAML with supporting narrative, transaction details and customer identification. Filing is event-driven — no minimum periodic SAR requirement, but failure to file when suspicion arises is a serious breach.
Suspicious Transaction Reports (STRs). Specific transaction-level reports for transactions meeting the suspicion threshold.
Other goAML reports. Currency transaction reports for high-value cash transactions in regulated sectors, real estate transaction reports for above-threshold real estate deals, and other specialist returns by sector.
Tipping off. Disclosure to the customer or any other party (other than supervisors and law enforcement) that a SAR has been filed is a criminal offence. SAR filings are confidential.
The single most consistent supervisor finding in 2024-2026 AML inspections in the UAE is firms with strong onboarding KYC but weak ongoing monitoring and sanctions screening discipline. Onboarding is visible. Ongoing monitoring is invisible until inspected. Build the monitoring discipline before the inspection lands.
FSRA AML for ADGM-Regulated Firms
ADGM-regulated firms sit under the FSRA AML Rulebook in addition to federal AML/CFT law.
Quarterly Prudential and AML returns filed through the FSRA’s e-services portal covering AML/CFT controls, transaction monitoring exceptions, sanctions screening output, SAR filing statistics and material AML events.
On-site supervisory inspections typically annually for higher-risk firms, biennially for lower-risk, with focused thematic reviews when supervisor priorities shift.
Senior management responsibility. The Senior Executive Officer and the MLRO carry direct responsibility for AML controls; the FSRA can impose individual disqualifications and fines on senior management for systemic failures.
Capital and AML overlay. For prudentially-regulated FSRA firms, the AML controls form part of the operational risk capital assessment. Weak AML can translate to higher capital requirements.
Virtual asset firms. FSRA-licensed virtual asset service providers face enhanced AML obligations reflecting FATF Travel Rule, blockchain analytics requirements and crypto-specific risk typologies.
ADGM Non-Regulated AML — Often Underweighted
ADGM non-regulated entities — SPVs, holding companies, foundations, trading companies, Tech Startup-licensed firms — carry AML obligations under the ADGM AML Rulebook administered by the Registration Authority.
SPVs and holding companies with passive asset-holding activity carry lower-intensity obligations focused on UBO disclosure, sanctions screening of counterparties and incoming funds, and record-keeping. The annual AML/CFT statement to the Registration Authority confirms ongoing compliance.
Trading entities and Tech Startups with active customer relationships carry full CDD, ongoing monitoring and SAR reporting obligations.
Registered agents and corporate service providers serving ADGM clients carry their own DNFBP obligations under federal law in addition to ADGM rules.
The common error is for ADGM SPV and holding-company directors to assume that non-regulated status means no AML obligations. The Registration Authority has enforcement powers including fines, restrictions on activity and ultimately licence withdrawal for non-compliance. UBO updates must be filed promptly; sanctions screening of incoming funds is mandatory; records must be maintained.
Fee Benchmarks for Abu Dhabi AML Compliance in 2026
| Scope | Boutique / specialist | Mid-tier | Big-4 / specialist |
|---|---|---|---|
| Small DNFBP outsourced AML support (policy + MLRO support + annual return) | AED 18,000 – 35,000/yr | AED 30,000 – 60,000/yr | AED 60,000 – 120,000/yr |
| Mid-tier DNFBP (real estate brokerage, mid-size accounting/audit firm) | AED 40,000 – 80,000/yr | AED 70,000 – 140,000/yr | AED 120,000 – 250,000/yr |
| FSRA-regulated ADGM firm (small) | AED 60,000 – 150,000/yr | AED 120,000 – 280,000/yr | AED 250,000 – 600,000/yr |
| FSRA-regulated ADGM firm (mid) | AED 150,000 – 350,000/yr | AED 280,000 – 600,000/yr | AED 500,000 – 1,500,000/yr |
| In-house MLRO (total package) | AED 18,000 – 30,000/mo | AED 30,000 – 50,000/mo | AED 50,000 – 90,000/mo |
| Sanctions screening tooling | AED 3,000 – 8,000/mo | AED 8,000 – 18,000/mo | AED 15,000 – 40,000/mo |
| Independent AML audit (annual, by licensed AML auditor) | AED 25,000 – 60,000 | AED 50,000 – 120,000 | AED 100,000 – 300,000 |
Add 30-50% for first-year engagements where the AML programme needs significant rebuild before steady-state support can start. Subtract 10-20% for well-established programmes already passing supervisor inspection.
How Velmont Crest Scopes Abu Dhabi AML Engagements
Velmont Crest, a Dubai accounting firm is a DED-licensed accounting and advisory firm based in Dubai and provides AML compliance support to Abu Dhabi DNFBPs — real estate brokers, dealers in precious metals, accountants, tax consultants, corporate service providers — and to ADGM-registered non-regulated entities.
A standard engagement covers AML/CFT policy and procedure drafting, written risk assessment preparation and annual update, MLRO outsourcing or support to in-house MLROs, goAML registration support, sanctions screening implementation (process design and tool selection support), KYC and CDD procedure design and review, annual staff training delivery, supervisory return preparation, and SAR/STR drafting and filing support.
We are not a licensed AML auditor and do not perform independent AML audits — we provide first-line implementation and second-line monitoring support. We are not a Ministry of Economy-accredited audit firm and do not sign audit opinions. We are not an FSRA-authorised compliance advisor for FSRA-regulated firms — those firms must work with FSRA-authorised compliance advisors for FSRA-specific work. We are not a Federal Tax Authority registered tax agent.
For service detail see our AML compliance service page. For sibling-market context see AML compliance in Sharjah, AML compliance UAE and accounting companies in Abu Dhabi.
What This Means for Your Business
AML compliance in Abu Dhabi is a programme, not a project. The federal framework, the FSRA Rulebook (for ADGM-regulated firms) and the ADGM AML Rulebook (for non-regulated ADGM entities) all require ongoing, documented, board-overseen AML disciplines — not a one-off policy drafted at incorporation and never updated.
The Abu Dhabi DNFBP or ADGM entity that passes supervisor inspection cleanly is the one whose MLRO can produce, on the day, the current written risk assessment, the latest sanctions screening logs, the year-to-date training records, the goAML registration confirmation, the SAR filing log (including documented decisions not to file), the CDD files for any sample customer requested, and the board-approved annual AML report.
Build that discipline before the inspection lands. The penalty schedule is real, the supervisors are active, and the cost of a clean programme is a fraction of the cost of a serious breach.
Disclaimer: Velmont Crest is a DED-licensed accounting and advisory firm. We provide advisory, preparation and compliance support services for UAE businesses, including AML policy drafting, risk assessment preparation, MLRO outsourcing support, KYC and CDD procedure design, sanctions screening implementation support, training delivery and supervisory return preparation. We are not a licensed AML auditor and do not perform independent AML audits. We are not a Ministry of Economy-accredited audit firm and do not sign statutory audit opinions. We are not an FSRA-authorised compliance advisor for FSRA-regulated firms; FSRA-regulated firms must work with FSRA-authorised compliance advisors for FSRA-specific work. We are not a Federal Tax Authority registered tax agent. Fees, regulatory requirements, AML/CFT rules, sanctions lists and supervisory priorities change frequently — verify the current position with the relevant authority and take advice from a licensed AML professional for matters specific to your circumstances.
References
Frequently Asked Questions
Who must comply with AML rules in Abu Dhabi?
Three categories of reporting entity carry AML obligations in Abu Dhabi. Federal DNFBPs under [Cabinet Decision No. 10 of 2019](https://uaelegislation.gov.ae/en/legislations) and the underlying [Federal Decree-Law No. 20 of 2018](https://uaelegislation.gov.ae/en/legislations) — real estate brokers and agents, dealers in precious metals and stones (gold, diamonds, jewellery), auditors and audit firms, accountants and accounting firms, tax consultants and tax agents, corporate service providers, lawyers and legal consultants in certain activities, trust and company service providers. Financial institutions regulated by the UAE Central Bank (commercial banks, finance companies, exchange houses, insurance companies).
How does AML compliance in Abu Dhabi differ from Dubai?
The federal AML regime is uniform across the UAE — same law, same Ministry of Economy supervision for DNFBPs, same goAML portal for SARs and STRs, same sanctions lists, same penalty schedule. The differences in Abu Dhabi cluster around the regulators and regulated populations specific to the emirate. ADGM has its own AML Rulebook administered by the Registration Authority for non-regulated entities and the FSRA AML Rulebook for FSRA-regulated firms — Dubai's equivalents are DIFC AML Rulebook and DFSA AML Rulebook. Real estate AML in Abu Dhabi sits under the Abu Dhabi Department of Municipalities and Transport for brokerage licensing, alongside federal Ministry of Economy DNFBP rules.
What is goAML and who must register?
[goAML](https://www.uaefiu.gov.ae/) is the UAE Financial Intelligence Unit's reporting portal for suspicious activity reports (SARs) and suspicious transaction reports (STRs). All federal DNFBPs, Central Bank-regulated financial institutions, FSRA-regulated ADGM firms and DFSA-regulated DIFC firms must register on goAML and file SARs and STRs through the portal. Registration requires the firm's commercial documents, MLRO appointment details, supervisor information and authorised user credentials. SAR/STR filing is event-driven (file when suspicion arises) — there is no minimum periodic return on SARs alone, but the broader supervisory returns (annual AML/CFT risk return, ongoing risk assessment updates) are calendar-driven.
What does an MLRO do in an Abu Dhabi DNFBP?
The Money Laundering Reporting Officer (MLRO) is the senior individual responsible for the firm's AML/CFT compliance. The role is mandatory under federal AML rules for DNFBPs and under FSRA rules for ADGM-regulated firms.
What is the difference between FSRA AML and federal DNFBP AML?
Both regimes derive from the same FATF Recommendations and federal AML/CFT law, so the substantive obligations are broadly aligned. The differences are supervisor, reporting cadence and intensity. FSRA AML for ADGM-regulated firms sits under the FSRA AML Rulebook administered by the [Financial Services Regulatory Authority](https://www.adgm.com/) — covers banks, fund managers, broker-dealers, payment service providers, custodians, virtual asset service providers. Quarterly Prudential and AML returns, ongoing supervisory engagement, on-site inspections, capital adequacy requirements with AML overlay, board AML committee in larger firms.
What KYC and customer due diligence does Abu Dhabi AML require?
Customer due diligence (CDD) under federal AML rules requires identification and verification of the customer, identification of the beneficial owner (ultimate natural person controlling 25%+ or otherwise), understanding of the nature and purpose of the business relationship, and ongoing monitoring of transactions and customer profile. Enhanced due diligence (EDD) applies to higher-risk customers including politically exposed persons (PEPs), customers from higher-risk jurisdictions, complex ownership structures and high-value transactions. Simplified due diligence (SDD) may apply to lower-risk customer types subject to documented justification. The CDD process must be documented and retained for the prescribed period (typically 5 years from end of relationship).
How does AML apply to ADGM-registered entities that are not FSRA-regulated?
ADGM non-regulated entities — SPVs, holding companies, foundations, trading companies, Tech Startup-licensed firms — sit under the [ADGM AML Rulebook](https://www.adgm.com/) administered by the Registration Authority. The rulebook applies risk-based AML obligations proportionate to the entity's activity. SPVs and holding companies with passive asset-holding activity carry lower-intensity obligations focused on UBO disclosure, sanctions screening of counterparties and incoming funds, and record-keeping. Trading entities and Tech Startups with active customer relationships carry full CDD, ongoing monitoring and SAR reporting obligations. Corporate service providers and registered agents serving ADGM clients carry their own DNFBP obligations under federal law in addition.
What does AML compliance cost for an Abu Dhabi DNFBP?
Outsourced AML compliance for a small-to-mid Abu Dhabi DNFBP typically runs AED 18,000-60,000 per year covering AML/CFT policy and risk assessment drafting, MLRO outsourcing or support, annual staff training, sanctions screening tooling, goAML registration support, and supervisory return preparation. AED 60,000-180,000 per year for mid-tier DNFBPs (real estate brokerages with significant transaction volume, mid-size audit and accounting firms, established corporate service providers). AED 150,000-500,000+ per year for FSRA-regulated ADGM firms depending on regulatory category and AML intensity. In-house MLRO at a small DNFBP typically costs AED 18,000-30,000 per month total package; at a regulated firm, AED 30,000-70,000 per month.
What are the penalties for AML breaches in Abu Dhabi?
Federal AML/CFT penalties under [Cabinet Decision No. 10 of 2019](https://uaelegislation.gov.ae/en/legislations) and amending instruments range from AED 50,000 to AED 5,000,000 per breach, with the upper end applied for failure to file SARs, failure to apply CDD, dealing with sanctioned parties or systemic AML programme failure. Repeat breaches and serious failures can escalate to criminal liability for the MLRO and senior management, licence suspension or revocation, restrictions on the firm's activity, and public naming on the supervisor's enforcement register. The FSRA imposes its own enforcement schedule on ADGM-regulated firms with fines, restrictions, censures and disqualifications.
Does Velmont Crest provide AML compliance support in Abu Dhabi?
Yes. Velmont Crest is a DED-licensed accounting and advisory firm based in Dubai and provides AML compliance support to Abu Dhabi DNFBPs — real estate brokers, dealers in precious metals, accountants, tax consultants, corporate service providers — and to ADGM-registered non-regulated entities. Our scope covers AML/CFT policy and procedure drafting, written risk assessment preparation and annual update, MLRO outsourcing or support to in-house MLROs, goAML registration support, sanctions screening implementation, KYC and CDD procedure design, annual staff training delivery, supervisory return preparation, and SAR/STR drafting and filing support.
