Skip to content

Insights AML

AML Compliance UAE 2026 — DNFBP Rules, goAML and What Non-Compliance Costs

AML compliance in the UAE step by step: goAML registration, MLRO appointment and risk reporting under Federal Law 10 of 2025 — before fines reach AED 5M.

AML compliance UAE — DNFBP rules, goAML registration and MLRO appointment for Dubai SMEs
AML compliance UAE — DNFBP rules, goAML registration and MLRO appointment for Dubai SMEs Photo: Velmont Crest Editorial

Key takeaways

  1. DNFBPs include accountants, real estate agents, gold dealers, company service providers and — from 2025 — gaming operators.
  2. Federal Law No. 10 of 2025 replaced the 2018 AML decree and added proliferation financing as a formal obligation.
  3. goAML registration is mandatory; penalties for non-registration include fines and licence suspension.
  4. Records must be retained for 5 years; UBO changes must be updated within 15 working days.
  5. Personal criminal liability now extends to directors and managers of non-compliant entities.

Every business classified as a Designated Non-Financial Business and Profession (DNFBP) in the UAE is now subject to one of the most demanding anti-money laundering frameworks in the Gulf. Under Federal Law No. 10 of 2025, which replaced Federal Decree-Law No. 20 of 2018 and came into force on 14 October 2025, AML compliance UAE obligations explicitly cover money laundering, the financing of terrorism, and, for the first time, countering weapons proliferation financing.

Fines reach AED 5 million per violation. 2026 is a FATF evaluation year, so AML UAE enforcement is at its peak.

This guide explains who must comply, what the practical obligations are, how to register on goAML, what penalties apply, and what the new law changed.

If you would rather hand the build-out to a specialist than work through it yourself, our AML compliance support in the UAE covers the whole DNFBP programme — goAML registration, MLRO appointment, risk assessment and annual reporting.

Why the UAE AML regime keeps tightening

Anti-money laundering (AML) is the body of laws and controls that prevent criminals from disguising illegally obtained funds as legitimate income.

Money laundering typically moves through three stages: placement, where criminal proceeds enter the financial system; layering, where the origin is concealed through complex transactions; and integration, where the cleaned funds re-enter the economy.

The UAE’s AML framework now runs under Federal Law No. 10 of 2025, supplemented by Cabinet Resolution No. 134 of 2025 (effective 14 December 2025, which repealed Cabinet Decision No. 10 of 2019). Circulars from the Ministry of Economy and Tourism, the Central Bank, and the Financial Intelligence Unit add further detail.

The framework targets money laundering, the financing of terrorism, and proliferation financing as separate but related threats.

The UAE was placed on the FATF grey list in 2022 and exited in 2024 after completing 15 action points. With another FATF evaluation scheduled for 2026, the government is enforcing compliance harder than ever.

In March 2023, authorities announced fines of AED 22.6 million imposed on 29 DNFBP companies under the 2023 inspection plan. By mid-2025, that figure for the first half of the year alone had reached AED 42 million.

[[chart:enforcement-escalation]]

Are you a DNFBP, even if you don’t think you are?

AML obligations apply to two groups: financial institutions (banks, insurance companies, exchange houses) and DNFBPs. The DNFBP category is where many business owners are caught unprepared.

DNFBP CategoryExamplesSupervisory Authority
Real Estate Agents and BrokersBrokers buying and selling propertyMinistry of Economy and Tourism (MoET)
Dealers in Precious Metals and StonesGold traders, jewellery stores, diamond dealers (transactions ≥ AED 55,000)Ministry of Economy and Tourism (MoET)
Auditors and AccountantsChartered accountants, accounting firms, independent accountantsMinistry of Economy and Tourism (MoET)
Company Service ProvidersBusiness formation agents, registered office providers, nominee directorsMinistry of Economy and Tourism (MoET)
Legal Consultancy FirmsLegal consultants (excluding practising lawyers)Ministry of Economy and Tourism (MoET)
Lawyers and Notary PublicsPractising lawyers and licensed notariesMinistry of Justice (MoJ)
Virtual Asset Service ProvidersCrypto exchanges, token issuers, wallet providersVARA / SCA / FSRA / DFSA (by jurisdiction)
Commercial Gaming Operators (new from 2025)Gaming halls, online gaming, sports betting, lottery operatorsRelevant licensing authority

If your business falls under any category above, the obligations are the same regardless of company size. A small consulting firm has identical registration, CDD, and reporting requirements to a large group.

The nine obligations, end to end

DNFBP compliance officer working through goAML registration, MLRO appointment and enterprise-wide risk assessment paperwork

Meeting the UAE’s anti-money laundering requirements takes nine documented obligations. These are legal duties, not recommendations.

Step 1: Register on the goAML Portal

Every DNFBP must register on goAML, the official suspicious transaction reporting platform run by the UAE Financial Intelligence Unit. Registration is a two-stage process.

First, register on the SACM (Sanctions and Compliance Monitoring) system and configure Google Authenticator for secure access.

Second, log in to the goAML portal using your SACM credentials, select your supervisory authority, enter your company details exactly as they appear on your trade licence, and upload the required documents: trade licence, MLRO authorisation letter, and Emirates ID of the appointed compliance officer.

Registration for a complete, accurate application typically takes 5 to 10 working days.

Step 2: Appoint a Money Laundering Reporting Officer (MLRO)

You must appoint a qualified compliance officer who understands UAE AML law and is actively responsible for your firm’s compliance programme. The MLRO handles suspicious transaction reports, staff training, and liaison with the FIU. Appointing an untrained staff member as a formality is no longer accepted.

Step 3: Conduct an Enterprise-Wide Risk Assessment

Your business must document a risk assessment covering your customer profiles, transaction types, geographic exposure, delivery channels, and service offerings. This assessment forms the foundation of your entire AML framework and must be reviewed and updated regularly. It must also address proliferation financing risks under the 2025 law.

Step 4: Implement Customer Due Diligence (CDD)

Before onboarding any client, verify their identity, identify the Ultimate Beneficial Owner (UBO), and understand the business relationship. For standard-risk clients, basic CDD applies. For high-risk clients — Politically Exposed Persons, clients from high-risk jurisdictions, or unusually complex transactions — Enhanced Due Diligence (EDD) is required, including deeper verification and ongoing monitoring.

UBO details must now be updated within 15 working days of any change, and bearer shares are expressly prohibited under the 2025 law.

Step 5: Develop Documented AML Policies and Procedures

Internal policies must cover customer acceptance, risk categorisation, ongoing monitoring, record-keeping, sanctions screening, and suspicious activity reporting. Generic downloaded templates do not pass inspection — policies must reflect your actual business activities and risk profile.

Step 6: File Suspicious Transaction Reports (STRs)

If a transaction or client behaviour appears unusual or inconsistent, submit a Suspicious Transaction Report through goAML. You must never inform the client that a report has been filed. This act — known as tipping off — is a criminal offence under UAE law.

Step 7: Screen Against Sanctions Lists

Conduct ongoing screening of clients and transactions against UAE, UN, and relevant international sanctions lists. This includes screening for terrorism financing and proliferation financing designations, not only traditional money laundering watchlists.

Step 8: Retain Records for at Least Five Years

All CDD records, transaction documents, risk assessments, STR copies, and training logs must be kept for a minimum of five years after the end of the business relationship or transaction. Records must be secure, retrievable, and ready for inspection without delay.

Step 9: Submit the Annual AML Risk Assessment Report to the Ministry of Economy

All registered DNFBPs must submit an annual report to MoET covering your internal and external risk environment, the controls you have implemented, and the effectiveness of your compliance programme. The Ministry uses this report to assign your firm a risk score, which determines the intensity of future supervision.

What the fines actually look like

ViolationPenalty
Failure to register on goAMLAdministrative fines + potential licence suspension
Failure to implement AML policies and proceduresAED 50,000 to AED 5 million per violation
Failure to appoint a qualified MLROAdministrative fines + increased scrutiny
Failure to conduct or document a risk assessmentAdministrative fines; inspection findings on record
Failure to file Suspicious Transaction ReportsCriminal offence + fines + potential imprisonment
Tipping off a client about an STRCriminal offence under UAE law
Failure to apply Enhanced Due Diligence for high-risk clientsAdministrative fines
Failure to maintain records for five yearsAdministrative fines + increased regulatory scrutiny
Corporate entity — aggregate penaltiesUp to AED 100 million depending on severity and pattern
Personal liability for directors and managersCriminal prosecution, travel bans, asset freezing

A real CSP inspection — what it cost

Calculator and Ministry of Economy inspection findings showing AED 425,000 illustrative penalty exposure across three AML violations

A mid-sized company service provider in Dubai is inspected by the Ministry of Economy in Q1 2026 and found to have three separate violations: no registered MLRO, no documented risk assessment, and no annual report filed for the prior year.

Each violation is treated independently under the penalty framework:

Violation FoundFine Range AppliedIllustrative Fine
No MLRO appointedAED 50,000 – AED 500,000AED 150,000
No enterprise-wide risk assessmentAED 50,000 – AED 500,000AED 200,000
Annual report not filedAED 50,000 – AED 200,000AED 75,000
Total exposureAED 425,000

[[chart:penalty-worked-example]]

This example uses conservative mid-range figures. In repeat-violation or high-severity cases, or where the firm has previously been warned, the Ministry regularly applies fines toward the upper end of each band, pushing total exposure well above AED 1 million for a single inspection cycle.

A properly implemented compliance programme usually costs a fraction of a single inspection penalty.

What the 2025 law moved

Federal Law No. 10 of 2025 is the most comprehensive AML legislation the UAE has introduced. Its executive regulations — Cabinet Resolution No. 134 of 2025 — comprise 71 articles and close to 300 enforceable requirements. The key changes affecting UAE businesses are:

ChangePrevious PositionNew Position Under 2025 Law
Proliferation financingNot a formal standalone obligationExplicitly required; all DNFBPs must identify and document proliferation financing risks
VASP obligationsLighter requirements than banksFull alignment with financial institution standards, including Travel Rule
DNFBP scopeDid not include gaming operatorsCommercial gaming operators now formally classified as DNFBPs
UBO update deadlineNo defined timelineChanges must be reported within 15 working days
Bearer sharesRestricted but not expressly prohibitedExpressly prohibited; 30-day conversion requirement
Director/manager liabilityCorporate liability primaryPersonal criminal liability extended to individual directors and managers

If you’re an accountant or consultant, read this twice

Dubai accounting firm partner reviewing CDD records and STR procedures during a sector-specific MoET inspection

Accounting firms and financial consultancies in the UAE are classified as DNFBPs with the Ministry of Economy and Tourism as their supervisory authority.

MoET has issued sector-specific guidance for accountants and auditors covering known money laundering typologies, red flag indicators, and examples of how professional services are abused.

As a firm that works with clients’ financial records, you are in a position to identify irregularities that others cannot. Professional scepticism is expected.

Unusual transactions, inconsistent funding sources, or clients who refuse to provide UBO information are all potential triggers for an STR. Failing to report when you have reasonable grounds is not a regulatory breach alone — it is a criminal offence.

For accountants helping clients meet their own UAE compliance obligations, the connections between AML and corporate tax services, VAT filing, and audit assistance are practical. The same books, the same transactions, and the same client relationships are reviewed across all of them.

A well-run AML framework improves the quality of all downstream compliance work.

Where MoET inspectors keep finding gaps

The same gaps come up again and again during MoET inspections. The most common by far is the missing enterprise-wide risk assessment: without a written, current one, the whole programme has no foundation. Close behind are generic policies — a template downloaded off the internet doesn’t describe your actual clients, transaction types or risk exposure, and regulators know the difference at a glance.

CDD records are the next weak spot. Missing identification documents, unsigned approvals, incomplete UBO records or undated verification forms get flagged regularly, and scanned documents without verification notes don’t count. Inspectors also look hard for evidence of ongoing monitoring, because AML isn’t a one-time onboarding step — they expect documented proof that relationships and transactions are being watched well past the initial CDD stage.

Two more round it out. An untrained compliance officer is a red flag on its own: appoint an MLRO as a formality and they won’t be able to explain the firm’s risk assessment or STR procedure under questioning. And the annual MoE report is a yearly obligation that counts as a standalone violation if missed, with an incomplete or generic submission treated nearly as harshly as none at all.

FATF 2026: why the bar is the highest it’s ever been

The FATF evaluation scheduled for 2026 focuses on whether the UAE’s reforms are embedded in practice across sectors, not whether rules exist on paper.

That is why the Ministry of Economy stepped up inspections and penalties throughout 2025. Regulators are building their enforcement record ahead of the assessment window.

For any DNFBP, the practical bar for compliance is the highest it has ever been. Regulators are not waiting until an evaluation report is due; they are acting now.

If your firm has not updated its risk assessment or policies to reflect Federal Law No. 10 of 2025, an inspection before year-end is how you will find out.

Treat your AML framework as a live operational document, not a filing cabinet exercise.

If you need help reviewing your current programme against the 2025 requirements, our AML compliance service covers the full process from goAML registration through to annual MoE reporting.

For businesses working through broader UAE compliance questions — including VAT registration, corporate tax obligations, and financial record-keeping requirements — the same structured approach applies.

Understand the law, document the controls, and keep the evidence ready.

For UAE accounting, VAT and corporate tax support, see Velmont Crest’s bookkeeping and tax practice.

Practical AML Toolkits

For teams building out their programme after reading this guide, these working-document guides go deeper:

Official References

Frequently asked questions

What is AML compliance in the UAE, and who does it apply to?
It's the set of obligations under Federal Law No. 10 of 2025 to stop money laundering, terrorism financing and, since the 2025 law, proliferation financing. It applies to every financial institution and to Designated Non-Financial Businesses and Professions — accountants, real estate agents, gold dealers, company service providers, lawyers, and as of 2025, commercial gaming operators.
What is the goAML portal and why does my business need to register?
goAML is the suspicious-transaction reporting platform built by the UN Office on Drugs and Crime and run here by the UAE Financial Intelligence Unit. Every DNFBP has to register on it before it can file a single Suspicious Transaction Report. And here's the part people underestimate: not registering is itself a violation, with administrative fines and a real risk of licence suspension attached — long before you've actually done anything wrong on a transaction.
How long does goAML registration take for a DNFBP?
Registration typically takes 5 to 10 working days for complete and accurate submissions. Delays usually occur when the trade licence details entered do not match the portal records, or when the MLRO authorisation letter or Emirates ID documents are missing or unclear.
What are the penalties for non-compliance with AML regulations in the UAE?
Fines for failing to implement AML policies run from AED 50,000 to AED 5 million per violation, and corporate penalties can hit AED 100 million in the worst cases. But the figures aren't the scary part. Non-registration, failing to report a suspicious transaction, and tipping off a client are criminal offences — which is how you end up with licence suspension, frozen assets, travel bans and managers personally in the dock.
Does AML compliance apply to small accounting or consulting firms?
Yes, and size is no excuse. If your firm sits in any DNFBP category, the obligations land in full — a sole-practitioner accountant carries the same registration, CDD, record-keeping and reporting duties as a hundred-person audit firm. The Ministry of Economy runs both on-site and desk-based inspections, and it doesn't hand out a discount on fines for being small.
What changed under Federal Law No. 10 of 2025 compared to the 2018 decree?
Quite a lot. The 2025 law wrote countering terrorism financing and weapons proliferation in as explicit obligations, pulled gaming operators into the DNFBP net, and lifted virtual asset service providers up to bank-level requirements. It also put a clock on UBO updates — 15 working days from any change — banned bearer shares, and extended personal criminal liability to the directors and managers of non-compliant firms. That last one is the change that tends to focus minds.
How often must AML training be conducted for staff?
At least once a year, and again whenever the rules move meaningfully. Federal Law No. 10 of 2025 coming into force in October 2025 is exactly that kind of trigger — relevant staff should have been retrained around the time it took effect, not left on a 2024 briefing.
What records must be kept and for how long under UAE AML law?
Five years, minimum, counted from the end of the business relationship or the completion of the transaction. That window covers CDD documents, transaction records, risk assessments, STR copies and training logs. And keeping them means genuinely retrievable — secure, organised, and producible for an inspector without a two-week scramble through old folders.
Do free zone companies (DIFC, ADGM, DMCC, IFZA) need AML compliance?
Yes. AML compliance is mandatory across every UAE jurisdiction. The supervising authority differs by zone — DIFC entities are supervised by the DFSA, ADGM entities by the FSRA, and mainland plus most free zone DNFBPs (DMCC, JAFZA, IFZA, RAKEZ, Meydan, SHAMS, DAFZA, Hamriyah, Sharjah Publishing City) by the Ministry of Economy and Tourism. Virtual asset service providers in Dubai are supervised by VARA. The substantive obligations (goAML registration, MLRO appointment, CDD, record-keeping, STR filing) are identical regardless of jurisdiction — only the regulator changes.
How much does AML compliance cost for a UAE SME?
It depends on your DNFBP category, transaction volume and risk profile, plus whether the MLRO is outsourced or in-house — so the honest answer is that it is priced by scope, not a flat monthly rate. The programme covers the initial enterprise-wide risk assessment, AML policy drafting, MLRO appointment documentation, goAML registration and ongoing monitoring, screening and reporting. What is fixed is the comparison that matters: a single AED 50,000 administrative fine for one missed STR costs more than years of a preventive programme, so non-compliance is the more expensive path. Request a quote or book a free discovery call for a fixed figure scoped to your firm.
Can the same person serve as MLRO and Compliance Officer?
In a small DNFBP it is acceptable in practice — the regulator's expectation is functional separation rather than two distinct individuals. The same senior person can hold both titles provided they have authority independent from operations, can report directly to the board or principal partner, and have no conflict of interest with revenue-generating roles. For larger firms or those above 50 staff, the FIU and MoET typically expect two separate individuals so the MLRO is not also approving their own transactions.
What is an Enhanced Due Diligence (EDD) review and when is it triggered?
It's a deeper-than-standard customer review for high-risk relationships. What triggers it is a fairly familiar set: politically exposed persons and their families and associates, customers from FATF high-risk jurisdictions, complex ownership (multi-jurisdictional holding companies, trusts with concealed UBOs), cash-intensive businesses, customers in high-risk sectors like precious metals, art, gambling and certain real estate, and any transaction that doesn't fit the customer's profile. Once EDD is on, you verify source of funds and source of wealth more thoroughly, get senior management sign-off to onboard or keep the relationship, and monitor the account more often.
How is Velmont Crest different from an FTA-registered tax agent on AML matters?
Velmont Crest provides AML compliance advisory and preparation support — risk assessment templates, policy drafting, MLRO appointment documentation, goAML registration assistance, training delivery, and independent annual audit support where the engagement scope permits. We are not a regulated FTA tax agent and do not act as your appointed MLRO of record. If your case requires formal regulatory representation in front of the Ministry of Economy or the FIU, we coordinate with a licensed firm and stay involved on the documentation and remediation side. This advisory positioning is by design — it keeps our scope clear and our fees small-firm-appropriate.

Published · Updated