Skip to content

Insights AML

AML Consulting Services UAE — What Providers Actually Do and What Drives the Cost

AML consulting services in the UAE — who must comply, what consultants deliver from goAML registration to EWRA and training, and how engagements are priced.

AML consulting services in the UAE shown through a compliance programme review with risk assessment and customer due diligence files
AML consulting services in the UAE shown through a compliance programme review with risk assessment and customer due diligence files Photo: Velmont Crest Editorial

Key takeaways

  1. Who must comply — financial institutions under CBUAE, and DNFBPs (real estate, precious metals/stones dealers, auditors, corporate service providers) supervised largely by the Ministry of Economy.
  2. Core obligations — goAML registration, appointed compliance officer, risk-based CDD/EDD, sanctions and PEP screening, STR/SAR reporting, record-keeping and training.
  3. What consultants deliver — gap assessments, EWRA, tailored policies and procedures, screening-tool selection, training programmes, goAML support and mock inspections.
  4. Penalty reality — published administrative fines for AML violations run from tens of thousands of dirhams into the millions, with licence consequences behind them.
  5. Cost drivers — sector risk, customer volumes and geography, group complexity, existing programme maturity, and whether ongoing support (outsourced compliance function) is included.
  6. Provider red flags — template-only policies, guaranteed outcomes, no sector experience, and silence about who actually staffs the ongoing obligations.

For years, UAE SMEs treated anti-money-laundering rules as a banking problem. Then the Ministry of Economy began inspecting real estate brokerages, gold traders and corporate service providers — the DNFBP categories — applying a published fine schedule that climbs into the millions of dirhams, and the market for AML consulting services grew up almost overnight. The demand is rational: the obligations are genuinely technical, the supervisors are genuinely checking, and most in-scope businesses have no compliance department. This guide, updated July 2026, maps what the law requires, what a competent AML/CFT consultant actually delivers, how engagements are priced, and the red flags that separate programme-builders from binder-sellers.

Who is in scope — the DNFBP surprise

The framework — Federal Decree-Law 20 of 2018 on AML/CFT, its executive regulations and the decisions built on them — covers financial institutions under the Central Bank, and Designated Non-Financial Businesses and Professions supervised largely by the Ministry of Economy (with financial free zone regulators covering their own patches):

  • Real estate agents and brokers — for transactions in property purchase and sale.
  • Dealers in precious metals and precious stones — the gold souk economy, above cash thresholds.
  • Auditors and accountants — including firms like ours, which is partly why we know the regime from the inside.
  • Trust and corporate service providers — company formation and administration businesses.

Lawyers and notaries face equivalent obligations in defined activities. If your licence puts you in these lanes, the full programme applies regardless of size: a two-person brokerage carries the same categories of obligation as a bank, scaled by risk. The sector-by-sector obligations are mapped in our AML compliance UAE overview.

The obligations a programme must cover

  1. goAML registration — the UAE FIU’s reporting platform; registration is mandatory and its absence is independently finable. Portal mechanics are in the goAML registration guide, and the profile needs annual renewal.
  2. A named compliance officer / MLRO — appointed, competent, senior enough to refuse business.
  3. Enterprise-wide risk assessment (EWRA) — the documented map of where ML/TF risk enters your business, refreshed as it changes.
  4. Risk-based CDD/EDD — identify customers and beneficial owners, screen against sanctions lists and PEP status, escalate the high-risk cases; the tiering logic is unpacked in EDD vs CDD vs SDD.
  5. Ongoing monitoring and STR reporting — spot the unusual, document the decision, file through goAML where suspicion holds.
  6. Targeted financial sanctions — screening against the UN and local lists with same-day freeze-and-report duties.
  7. Records and training — five-year retention and a staff training cycle inspectors ask to see evidence of.

AED 50k – 5m

Published administrative fine range for AML violations under the UAE framework — per violation

What a competent AML consultant actually delivers

Build-phase deliverables: a gap assessment against the regulations; the EWRA, built from your real customer and transaction data rather than a generic matrix; policies and procedures written to your operations (the document an inspector reads against what your staff actually do); goAML registration and profile setup; screening-tool selection and configuration — the vendor landscape is compared in our PEP screening tools review; CDD file templates and workflows; and role-based training with attendance evidence.

Run-phase support: periodic file testing and programme reviews, refresher training, EWRA updates, regulatory-change monitoring, and mock inspections — the single highest-value exercise for a DNFBP expecting the Ministry’s questionnaire, rehearsed in full in the MoE inspection preparation playbook.

What no consultant can deliver: the accountability. The law places the programme on the business and its named officer; outsourcing the routine work is legitimate and common, outsourcing the responsibility is neither. Any provider promising “full compliance guaranteed” or “inspection-proof” outcomes is selling something the framework does not permit anyone to sell.

Enterprise wide risk assessment workshop with customer risk categories and control mapping for a UAE DNFBP business

How engagements are priced — the drivers

No honest flat rate exists, so compare quotes on drivers:

  • Sector risk — a gold trader’s programme carries more screening and cash-control weight than a services CSP’s.
  • Volumes and geography — customer counts, transaction values and exposure to higher-risk jurisdictions set the monitoring load.
  • Entity count and structure — group programmes with shared functions price differently from single-licence builds.
  • Existing maturity — a refresh of a real programme costs a fraction of a first build from nothing.
  • Build vs run — one-off programme construction versus ongoing support (file reviews, training cycles, screening operation) are separate lines; get both quoted so year-two costs are not a surprise.

The buying discipline mirrors any professional service: written scope, named deliverables, the CVs of who does the work, and references from your own sector.

Inspectors do not read policies first — they pull five customer files and check whether the policy happened. The gap between the binder and the files is where every fine lives.

— Velmont Crest

Red flags in the UAE’s AML consulting market

  • Template mills — policies with another firm’s name in the metadata, EWRAs that never mention your actual customers.
  • Guaranteed outcomes — nobody can guarantee an inspection result; the claim itself signals unseriousness.
  • No sector footprint — DPMS, real estate and CSP programmes differ materially; ask what the provider has built in your category.
  • Registration-only offers — goAML registration without the programme behind it satisfies one obligation of ten.
  • No answer to “who runs it in month four?” — the programme is a routine, and routines need named owners; a consultant with no ongoing model is handing you a binder and a wave.
Compliance officer reviewing customer due diligence files and sanctions screening results as part of an ongoing UAE AML programme

Where Velmont Crest fits in

We approach AML from an unusual seat: as accountants, we are DNFBPs under the same regime we advise on, inspected against the same standards — our own programme is not theoretical. Our AML compliance services cover the build (EWRA, tailored policies, goAML registration, CDD workflows, training) and the run (file reviews, screening routines, renewal cycles, mock inspections) for real estate, precious metals, CSP and professional-services businesses across the UAE. Because the same team often keeps the client’s books, the AML programme sits on transaction data we already reconcile monthly — which is exactly where unusual patterns actually surface. If an inspection notice has arrived, or you would rather build before one does, start through the contact page — scoped quote within one UAE business day.

Frequently asked questions

What are AML consulting services?
Professional support to build and run the anti-money-laundering programme UAE law requires of your business: assessing your exposure (enterprise-wide risk assessment), writing policies and procedures that fit your actual operations, setting up goAML registration and reporting, designing customer due diligence and sanctions-screening workflows, training staff and the compliance officer, and preparing for supervisory inspections. Good engagements transfer capability; weak ones deliver templates.
Who needs AML compliance in the UAE?
Beyond banks and financial institutions: the DNFBP categories — real estate agents and brokers, dealers in precious metals and precious stones, auditors and accountants, and trust and corporate service providers — carry full obligations under Federal Decree-Law 20 of 2018, supervised largely by the Ministry of Economy (financial free zones have their own supervisors). Registration in goAML, a compliance officer, risk assessment, CDD and reporting apply to a two-person brokerage as much as a bank.
What is goAML and do I need to register?
goAML is the UAE Financial Intelligence Unit's platform through which regulated entities file suspicious transaction and activity reports and receive notices. Every in-scope financial institution and DNFBP must register and maintain its profile — operating without registration is itself a violation with published fines. Registration involves documentation of the entity and its compliance officer; our goAML registration guide walks the portal steps.
What does an AML compliance officer / MLRO do?
The named individual accountable for the programme: approving high-risk relationships, reviewing alerts and deciding whether to file STRs through goAML, maintaining the risk assessment and policies, delivering training and facing the supervisor at inspection. UAE rules require the appointment; the person needs seniority, competence and independence. Smaller DNFBPs often struggle to staff it internally — which is where structured external support for the function's routine work earns its keep, with accountability staying in-house.
What are the penalties for AML non-compliance in the UAE?
The published administrative penalty framework for AML/CFT violations runs from tens of thousands of dirhams per violation into the millions for the most serious breaches, alongside licence suspension and, for wilful cases, criminal exposure under Federal Decree-Law 20 of 2018. Ministry of Economy inspection campaigns against DNFBPs have applied these at scale — missing registration, absent risk assessments and untrained officers are the recurring findings.
How much do AML consulting services cost in the UAE?
Scope decides it. A gap assessment for a single-office brokerage is a different engagement from a group-wide programme build with screening-tool implementation and year-round support. The drivers: your sector's inherent risk, customer volume and geography, entity count, how much programme already exists, and whether you want one-off build or ongoing operation. Ask any provider to quote against a written scope with deliverables named — and be suspicious of flat-fee 'full compliance' packages.
What is an EWRA and why do inspectors ask for it first?
The enterprise-wide risk assessment — your documented analysis of how money-laundering and terrorist-financing risk actually enters your business: customer types, products, delivery channels, geographies — and the controls you apply against each. It is the foundation the risk-based approach stands on, which is why supervisors open with it: a business that cannot show its EWRA has, by definition, no basis for any of its other controls. It must be refreshed as the business changes.

Filed under: AML, CFT, goAML, DNFBP, Compliance Officer, EWRA, Consulting, UAE

Published · Updated