Corporate Service Provider UAE AML Programme and goAML Registration

Corporate service provider UAE — AML programme template, goAML registration, MLRO appointment and CDD for company formation agents in 2026.

UAE corporate service provider compliance team mapping beneficial owners and reviewing AML policy ahead of goAML registration with the Financial Intelligence Unit Photo: Velmont Crest Editorial

Key takeaways

  1. CSPs are scoped DNFBPs under FDL 20/2018 and CD 10/2019 regardless of mainland or free zone licence type
  2. Registered agents handling Beneficial Ownership filings must register on goAML through MoE SACM
  3. CDD applies to the incorporating client AND every UBO above the 25 percent threshold
  4. EDD triggers for PEP exposure, opaque ownership chains and FATF high-risk jurisdictions
  5. Sanctions screening against OFAC, UN consolidated, UK HMT and UAE Local Terrorist lists
  6. Five-year retention of CDD files, MLRO assessments and STR filings under CD 10/2019

A UAE corporate service provider AML programme is where most of the ownership questions regulators care about get answered: who the beneficial owner really is, whether anyone in the chain is sanctioned or politically exposed, and where the formation money came from. Every UAE company formation agent, registered agent, PRO services firm, nominee directorship provider and registered office provider is a Designated Non-Financial Business and Profession (DNFBP) under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019. In practice that means a Business Risk Assessment, an appointed MLRO, goAML registration through the UAE Financial Intelligence Unit, CDD on every incorporation, and monitoring that continues for the lifetime of the registered-agent relationship.

This guide covers the scope, the AML programme template a Dubai, DMCC, JAFZA, ADGM or RAKEZ CSP needs in 2026, the CDD layers, sanctions screening, common STR triggers, and what your external AML compliance adviser is expected to prepare behind the scenes.

Why the Ministry watches CSPs first

The Ministry of Economy treats corporate service providers as one of the highest-risk DNFBP categories, and the logic is hard to argue with: every UAE legal entity passes through a CSP at incorporation. That makes CSPs the gatekeepers for beneficial ownership transparency and the first line of defence against shell-company misuse. The FATF mutual evaluation of the UAE flagged CSP supervision as a priority, and on-site inspection activity has stepped up noticeably since 2023.

The DNFBP scoping language in CD 10/2019 captures, by way of business:

  • Acting as a formation agent for legal persons (mainland LLCs, free zone companies, foundations, partnerships)
  • Acting as or arranging for another person to act as a director or secretary of a company or partner of a partnership
  • Providing a registered office, business address or accommodation for a company or other legal person
  • Acting as or arranging for another person to act as a trustee of an express trust
  • Acting as or arranging for another person to act as a nominee shareholder for another person

The scope catches the full UAE company-formation ecosystem — DMCC company set-up consultants, JAFZA registered agents, ADGM and DIFC corporate service providers, mainland incorporation specialists working with the Department of Economic Development, PRO services firms handling licence renewal and beneficial ownership filings, and registered office providers offering virtual or shared address services.

Velmont Crest is a DED-licensed accounting firm and authorised channel partner with Meydan Free Zone and RAKEZ, with eight-plus years of UAE practice supporting AML compliance for corporate service providers and other DNFBPs.

Six pieces inspectors expect to find

A defensible UAE CSP programme has six interlocking components. Inspectors look for all six on a Ministry of Economy on-site visit.

1. Business Risk Assessment (BRA)

The CSP BRA scores firm-level exposure across five dimensions: customer risk (categories of incorporating clients, PEP exposure, complex ownership structures), product or service risk (formation work, registered agent services, nominee arrangements, trustee services), geographic risk (jurisdictions of incorporating clients and ultimate beneficial owners, FATF high-risk countries, sanctioned territories), delivery channel risk (face-to-face client meetings versus remote onboarding via intermediaries) and transaction risk (capital deployment patterns, source of funds, payment methods used at incorporation). The BRA is refreshed annually and whenever the CSP enters a new service line or jurisdiction.

2. Client and Entity Risk Matrix

A CSP matrix typically scores incorporation engagements across four bands:

  • Low risk — UAE-resident individual incorporator forming a single-shareholder operating company in a stable jurisdiction
  • Standard risk — established UAE entrepreneur forming a new operating subsidiary or holding company with documented capital
  • High risk — non-resident client from a medium-risk jurisdiction, multi-tier corporate ownership, registered office service without operational presence
  • Enhanced risk — PEP exposure in the ownership chain, FATF high-risk jurisdiction connection, nominee arrangements requested, opaque source of capital, refusal to disclose UBO

Each band determines whether standard CDD, enhanced due diligence (EDD), or refusal applies. The matrix is reviewed at engagement opening and refreshed periodically across the lifetime of the registered-agent relationship.

3. CDD Across Three Layers

A CSP collects CDD across three layers that build on one another.

The first is the incorporating client: passport, Emirates ID for UAE residents, proof of residential address, occupation, source of funds for the formation, and evidence that identity has actually been verified.

The second is the legal entity being formed. Here you capture intended business activities, expected operating jurisdictions and counterparties, expected sources and uses of funds, expected payment methods, and the planned ownership and management structure.

The third is every ultimate beneficial owner — every natural person controlling 25 percent or more of the entity directly or indirectly, with identification, residency, PEP screening, a source-of-wealth narrative and supporting documentation. Where the ownership chain runs through multiple corporate layers, you trace upward until a natural person is identified. Where no natural person controls 25 percent under the ownership test, the senior managing official is recorded as the UBO under the alternative control test set out in Cabinet Decision No. 58 of 2020 on the Beneficial Owner Procedures.

4. Sanctions and PEP Screening

Every incorporating client and every UBO is screened against the UAE Local Terrorist List, the UN Security Council Consolidated Sanctions List, the OFAC Specially Designated Nationals list, the UK HM Treasury Consolidated List and adverse-media databases. Screening is captured in writing with source, date, reference and clearance decision. Re-screening runs whenever a list is materially updated and at least quarterly across the active client base.

5. MLRO Appointment and goAML Registration

The MLRO is appointed in writing before the goAML registration is submitted. The MLRO has direct authority to file STRs and reports straight to senior management. The CSP then completes the Ministry of Economy SACM registration, the goAML enrolment and the linked EmaraTax records. See our goAML registration guide for the step-by-step portal walkthrough.

6. Training, Record Retention and Annual Reporting

All client-facing staff and management complete annual AML training documented with attendance logs. All CDD files, UBO records, MLRO assessments and STR filings are retained for five years from the end of the registered-agent relationship under CD 10/2019. The CSP files an annual self-assessment report with the Ministry of Economy through SACM.

AED 50,000: starting penalty for a UAE CSP failing to register on goAML, under Cabinet Decision 16 of 2021 — minimum band, escalating quickly for missing CDD or UBO records

Tracing the UBO until you hit a person

UBO tracing is where most CSP inspection findings concentrate. A defensible UBO trace meets four tests:

  1. Documentary evidence at every layer — share registers, MoA, share certificates or equivalent corporate records for every entity in the chain, not just the client’s statement of ownership
  2. Natural person identification — the trace terminates at one or more natural persons, with full CDD on each
  3. Alternative test where no 25 percent owner exists — the senior managing official is named and CDD’d, not left blank
  4. Periodic refresh — the UBO file is refreshed at least annually and whenever the registered agent files an updated UBO declaration

CSPs that file UBO declarations with the UAE Ministry of Economy on behalf of clients have to hold supporting evidence for what they file. A declaration filed on the client’s word alone, with no share registers and no ID behind it, is an inspection finding waiting to happen — and in our experience it’s the single most common one.

When to escalate to the MLRO

Ownership and Structure Red Flags

  • Client refuses to disclose the ultimate beneficial owner or insists on bearer-share equivalents
  • Ownership chain runs through three or more jurisdictions including known opacity centres for no commercial reason
  • Sudden change of beneficial owner shortly after incorporation
  • Request for nominee shareholders or directors without documented economic justification
  • Beneficial owner appears on a sanctions list — OFAC, UN, UK HMT, UAE Local Terrorist List

Source of Funds Red Flags

  • Incorporation capital materially out of proportion with the disclosed business activity
  • Capital arriving from a third party not previously disclosed in the engagement
  • Source of funds story that does not reconcile with the UBO’s age, occupation or financial profile
  • Cash injection of capital above reportable thresholds
  • Capital wired from a jurisdiction the CSP cannot evidence due diligence on

Behavioural Red Flags

  • Insistence on completing incorporation at unusual speed or in unusual secrecy
  • Repeated changes to the identity of the apparent principal during onboarding
  • Reluctance to attend in person for identity verification where the client claims UAE residency
  • Vague or shifting explanations for the choice of UAE jurisdiction
  • Request for a shelf company or pre-incorporated entity without economic rationale

Post-Incorporation Red Flags

  • Entity becomes inactive immediately after incorporation
  • UBO refresh declaration cannot be verified against new evidence
  • Bank account opening fails on AML grounds and the client requests a different jurisdiction
  • Sanctions screening hit develops mid-relationship on a previously cleared UBO
  • Adverse media linking the entity or UBO to investigations

When any of these triggers appear, the staff member escalates to the MLRO without tipping off the client. Tipping off is a criminal offence under Article 25 of Federal Decree-Law 20/2018.

A CSP’s strongest defence in an inspection is the continuous-monitoring record — a dated log showing every quarterly screening refresh, every annual UBO confirmation and every MLRO sign-off on continuing exposure across the active book. Most CSPs have a strong onboarding file and a weak monitoring trail. Inspectors notice the gap.

Where we see CSP programmes break down

The most common failure is a strong onboarding file and nothing after it. A robust CDD pack is assembled at incorporation and then the relationship is never looked at again, when the Ministry of Economy expects monitoring to continue for the lifetime of the registered-agent relationship.

Close behind sits the UBO declaration filed without evidence. A client says they own 100 percent, the CSP files the declaration on that basis, and the supporting share register is never collected. An inspection finds the declaration unsupported, and there is nothing to fall back on.

Nominee work is its own trap. Acting as a nominee shareholder or director without a documented economic reason, and without enhanced due diligence on the ultimate principal, is one of the highest-risk things a CSP can do. The Ministry expects EDD, MLRO sign-off and quarterly review on every nominee engagement.

Training tends to be too generic. Annual sessions that skip the risks specific to formation work — UBO tracing, source of funds for capital, nominee arrangements, shelf companies — are exactly what inspectors mean when they say training is generic. They want role-specific content, not a slide deck downloaded off the internet.

Then there is sanctions screening that runs only at onboarding. Lists update continuously, so a CSP that screens once at incorporation is one list update away from holding an active relationship with a sanctioned UBO and having no idea. In firms of more than ten staff, we also see the MLRO doubling as a front-line onboarder, which the Ministry doesn’t accept — it expects the MLRO to be independent of client onboarding, because conflating the two roles undermines the integrity of the whole assessment.

If you’re running a CSP without a programme

If your UAE corporate service provider has not yet completed a Business Risk Assessment, drafted a client and entity risk matrix or registered an MLRO on goAML, you are operating outside the federal AML/CFT framework — irrespective of whether your operating base is mainland, DMCC, JAFZA, ADGM, DIFC or RAKEZ. The starting fine for non-registration alone is AED 50,000 and the per-violation bands for missing CDD, missing UBO evidence and undocumented MLRO assessments escalate quickly.

If you have a manual but it has not been refreshed against current Ministry of Economy expectations, the gap is usually in three places: the UBO tracing files are thin on documentary evidence, the post-incorporation monitoring log is missing or sparse, and sanctions re-screening has not run since onboarding.

Velmont Crest’s UAE compliance team provides advisory support across the CSP DNFBP programme lifecycle — from Business Risk Assessment through MLRO appointment support, goAML registration assistance, policy drafting, UBO tracing methodology and inspection-readiness reviews. We pair this with bookkeeping and business setup advisory work so the AML evidence trail aligns with the underlying financial records.

For a clean review of where your CSP AML programme stands today, book a free consultation.


Disclaimer: Velmont Crest is a DED-licensed accounting firm. We provide advisory, preparation and compliance support services. We are not a licensed MLRO of record, registered legal consultant or FTA tax agent. AML/CFT rules and DNFBP obligations change frequently — verify all requirements with the UAE Financial Intelligence Unit, the Ministry of Economy and your sector regulator, and engage a licensed legal or AML professional for advice specific to your circumstances.

Frequently asked questions

Is every UAE corporate service provider in scope as a DNFBP?

Yes. Cabinet Decision 10 of 2019 catches anyone who, by way of business, acts as a formation agent for legal persons, acts as (or arranges for someone else to act as) a director, secretary or partner, provides a registered office or business address, acts as a trustee of an express trust, or acts as a nominee shareholder. If your firm does any one of those, you are a DNFBP. There is no minimum size or transaction count that lets you out.

What CDD does a CSP collect on every incorporation?

You're really building three files at once. There's the incorporating client — passport, Emirates ID for UAE residents, proof of address, source of funds for the formation. There's the entity being formed, where you record intended activities, the planned ownership and management structure, and the source of capital. And there's every UBO at or above 25 percent, with ID, residency, PEP screening and a source-of-wealth narrative. When ownership runs through layers of companies, keep tracing upward until you reach a real person. If nobody controls 25 percent, the senior managing official goes in as UBO under the alternative test.

Does the CSP file the goAML registration, or does the client?

The CSP registers itself. The formation firm is the DNFBP here — not the companies it sets up. But the new entities have their own question to answer. If a company you incorporate is itself a DNFBP (real estate broker, precious-metals dealer, auditor, lawyer, accountant, tax consultant, another CSP, virtual asset service provider), it registers on goAML in its own name once licensed. You can walk them through it, but they are the registrant of record, not you.

What STR triggers should a CSP escalate?

Watch for a client who won't name the ultimate beneficial owner, an ownership chain threading three or more jurisdictions with no commercial logic, incorporation capital that can't be evidenced, a request for nominees with no documented reason, a UBO who turns up on a sanctions or adverse-media list, and a beneficial owner who changes shortly after incorporation. Shelf-company requests sit in the same bucket. The MLRO weighs each escalation and files an STR on goAML where there are reasonable grounds for suspicion.

What does an external AML adviser actually do for a CSP?

The drafting, mostly. They write the Business Risk Assessment that scores your client types, jurisdictions and entity structures, build the client and entity risk matrix, and produce the CDD and EDD manual covering source-of-funds, UBO tracing and nominee work. They support the MLRO appointment and the goAML registration, then run ongoing screening, training and the annual self-assessment to the Ministry of Economy. The one thing they can't do for you is file STRs — that has to be the appointed MLRO, personally, through goAML.
