EDD vs CDD vs SDD UAE: Which AML Diligence Tier Applies
Enhanced due diligence UAE explained alongside CDD and SDD under Cabinet Decision 10 of 2019 — triggers, evidence, retention and DNFBP-specific tier mapping.

Key takeaways
- Three diligence tiers — CDD, EDD and SDD — sit inside Cabinet Decision 10 of 2019 and apply across all seven DNFBP categories.
- EDD is mandatory for foreign PEPs, FATF grey/black list jurisdictions, complex transactions, and many cash-intensive sectors.
- SDD is permitted only where risk is demonstrably low — never as a default shortcut for small clients.
- AED 55,000 (DPMS cash) and AED 3,500 (wire transfer) thresholds trigger occasional-transaction CDD even without a relationship.
- Penalties for inadequate CDD or EDD range from AED 50,000 to AED 5,000,000 per breach, with files retained for five years.
- A specialist accounting firm can draft the risk matrix, CDD/EDD templates and file audits — advisory support, not regulated AML officer roles.
UAE supervisors do not recognise a single, uniform anti-money-laundering customer file. Three tiers of due diligence sit inside Cabinet Decision 10 of 2019, the executive regulation under Federal Decree-Law 20 of 2018: Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and Simplified Due Diligence (SDD). The framework is risk-based on purpose. It expects DNFBPs to think before they paper. What we see instead is most firms applying CDD blindly to every onboarding — which both misses the high-risk relationships that should have escalated to EDD and buries SDD-eligible counterparties under documentation they never needed. The result is protection that’s uneven where it matters, and inspection findings that read almost identically across the sector. Our AML compliance advisory work starts by rebuilding the risk-based customer classification before touching any individual file.
The three tiers, defined
CDD — the default baseline
Customer Due Diligence is the floor everything else builds on, set out in Articles 6 to 8 of Cabinet Decision 10/2019. The firm identifies the customer and verifies that identity using reliable, independent source documents — passport, Emirates ID, trade licence, articles of association. It identifies the beneficial owner and takes reasonable measures to verify them, drilling through the legal arrangements until the natural persons exercising ultimate ownership or control are on record. It understands, and where relevant documents, the purpose and intended nature of the relationship. And it monitors the relationship on an ongoing basis, checking transactions against the customer profile and refreshing documents as they change. None of that is a tick-box exercise.
EDD — for higher-risk clients
Enhanced Due Diligence stacks extra layers on top of CDD. The firm establishes the source of funds for the specific transaction and the source of wealth behind the customer’s overall financial position. Senior management, not the relationship handler, signs off the onboarding or its continuation. Monitoring gets more frequent and more searching, with lower transaction thresholds tripping a review. And the firm goes looking for documentation to corroborate the customer’s story — bank statements, tax filings, audited accounts, asset valuations, contracts. This is the tier where a UAE DNFBP shows it has genuinely understood a complex or sensitive relationship rather than just filed it.
SDD — for demonstrably low-risk relationships
Simplified Due Diligence reduces the depth, timing and intensity of CDD measures without removing them. The firm still identifies the customer and beneficial owner, still understands the relationship, still monitors. What eases is the evidentiary burden, the refresh cadence and the scrutiny applied to ordinary-course transactions. But SDD has to rest on a documented low-risk assessment, and supervisors will push back on any firm that reaches for it without a written rationale on file.

What pushes a file into EDD
The following relationships and circumstances move a customer into EDD under Cabinet Decision 10/2019 and the Ministry of Economy supervisory guidance:
- Foreign politically exposed persons (PEPs) — always EDD, including family members and close associates. Domestic PEPs are risk-based but most firms default to EDD.
- Customers based in high-risk third countries — FATF grey-list and black-list jurisdictions, and any country the UAE has independently designated as higher risk.
- Complex or unusual transactions with no apparent economic or lawful purpose, or transactions structured to avoid reporting thresholds.
- Cash-intensive businesses — the gold and jewellery sector (see our gold and jewellery accounting guide), real estate (covered in our real estate accounting guide), and other DPMS categories where physical value moves with limited paper trail.
- Correspondent banking relationships — though most DNFBPs are not directly exposed, downstream service providers may be.
- Non-face-to-face onboarding without compensating controls such as video verification, certified-copy notarisation, or trusted-introducer routing.
- Customers or sectors flagged by Ministry of Economy AML/CFT supervisory guidance, FIU typology bulletins, or adverse media indicating ML/TF concern.
- Sanctions exposure — any nexus to the OFAC SDN, UN 1267, UK OFSI or UAE local sanctions lists triggers immediate EDD even where no direct match occurs.
When CDD has to be done
CDD must be performed — not just on relationship opening — in the following circumstances:
- Establishing a business relationship, whether ongoing or one-off, regardless of value.
- Occasional transaction above AED 55,000 for designated non-financial businesses including dealers in precious metals and stones (the DPMS cash threshold).
- Wire transfer of AED 3,500 or more, with originator and beneficiary information obligations.
- Suspicion of money laundering or terrorism financing, regardless of any threshold or apparent customer status — and accompanied by a suspicious transaction report to the FIU via goAML.
- Doubt about the veracity or adequacy of previously obtained customer identification data — refresh is mandatory, not optional.
When SDD is genuinely allowed
SDD is the most over-claimed tier in UAE practice. Firms reach for it when documentation is hard to obtain, then describe the customer as “low risk” without a supporting analysis. That position fails on inspection. SDD is genuinely available in narrow scenarios:
- Regulated financial institutions licensed in jurisdictions with FATF-compliant AML/CFT regimes, where the firm has confirmed the regulatory status.
- Listed companies on regulated stock exchanges subject to disclosure requirements consistent with international standards.
- UAE federal and local government entities, including wholly-owned government companies, where ownership is transparent.
- Public administrations or enterprises in low-risk jurisdictions with appropriate transparency.
Even where SDD applies, the firm must still identify the beneficial owner if the ownership or control structure is complex, must apply ongoing monitoring proportionate to the relationship, and must escalate to standard CDD or EDD if any trigger event arises. The reduction is in depth and frequency — never in the existence of controls. Documenting the low-risk conclusion is a hard requirement.

CDD vs EDD vs SDD, requirement by requirement
| Requirement | CDD | EDD | SDD |
|---|---|---|---|
| Customer identification | Required | Required | Required |
| Identity verification (independent source) | Required | Required, with additional corroborating documents | Required, may use single reliable source |
| Beneficial owner identification | Required | Required, drilled to natural persons with corroboration | Required where structure is complex |
| Source of funds | Risk-based | Mandatory | Not required unless triggered |
| Source of wealth | Not required | Mandatory | Not required |
| Ongoing monitoring frequency | Standard | Intensified with lower review thresholds | Reduced but not eliminated |
| Senior management approval | Not required | Required to onboard and to continue | Not required |
| Refresh cadence (working baseline) | 2 years | Annual or 6 months | 3 years |
| Retention period | 5 years from end of relationship | 5 years from end of relationship | 5 years from end of relationship |
| Documented rationale on file | Risk rating | Risk rating + EDD justification + approvals | Risk rating + low-risk justification |
How the seven DNFBP categories map
The seven DNFBP categories supervised by the Ministry of Economy each have characteristic patterns. The split between CDD and EDD reflects the inherent risk profile of the work:
- Real estate brokers and agencies — EDD on all cash-heavy transactions, transactions involving offshore corporate buyers, and high-value residential or commercial deals. Beneficial ownership of corporate purchasers must be drilled to natural persons.
- Dealers in precious metals and stones (DPMS) — EDD on any single or linked cash transaction at or above AED 55,000, and on relationships with high-volume traders regardless of payment method. The gold and jewellery sector remains under intensive Ministry of Economy focus.
- Auditors — risk-based EDD driven by client portfolio composition. Auditors with concentrated exposure to cash-intensive sectors, offshore structures, or higher-risk jurisdictions should expect to operate substantial EDD volume.
- Independent accountants — EDD when the client uses complex group structures, nominee arrangements, multiple jurisdictions, or operates in higher-risk sectors. Bookkeeping engagements still fall within scope where the accounting and bookkeeping work touches transactional records.
- Tax consultants — EDD where the engagement involves aggressive tax planning, cross-border structuring or any arrangement whose primary purpose appears to be obscuring beneficial ownership. Standard corporate tax compliance work for resident UAE businesses typically sits at CDD level.
- Lawyers, notaries and independent legal professionals — EDD on trust and foundation formation, asset transfers without clear commercial rationale, escrow arrangements, and any client managing money or assets for third parties.
- Corporate service providers — EDD on any nominee shareholder or director arrangement, any structure where the beneficial owner is concealed by the legal form, and any high-volume incorporation client.
Tier misclassification is the most common inspection finding we see, not missing files. Firms apply standard CDD to a foreign PEP routed through an offshore structure, then bury a regulated bank counterparty in the same paperwork. The risk-based approach in Cabinet Decision 10/2019 expects you to triage before you paper.
Where an accounting firm fits in
Velmont Crest is positioned as advisory support — we are not appointed as your AML officer and we do not represent your firm to supervisors. Within that boundary, the work we typically undertake on a DD programme covers:
- Risk-based customer classification matrix — drafting a written methodology that scores each customer across geographic, sectoral, transactional, ownership-structure and delivery-channel risk dimensions, with documented thresholds for CDD, EDD and SDD assignment.
- CDD, EDD and SDD templates — building the standardised checklists, evidence requirements, approval routings and refresh schedules each tier demands, mapped to Cabinet Decision 10/2019.
- Staff training — onboarding, refresher and role-specific training for relationship handlers, finance teams and senior management on tier triggers and red flags.
- File audits — sampling open customer files against the matrix, identifying tier-misclassification and remediation gaps before supervisors do.
- MLRO escalation support — assisting your appointed officer with structuring escalation logs, internal suspicion routing and goAML report drafting.
We do not perform regulated AML functions and we do not hold a designated supervisor role. Where a programme gap requires a licensed activity, we say so and refer.
A practical checklist before inspection day
- Document a written risk-based methodology approved by senior management, covering all five risk dimensions and tier-assignment thresholds.
- Build a customer risk-rating matrix that produces a defensible score on every onboarding and every periodic refresh.
- Train relationship handlers on EDD triggers, with a particular focus on PEP identification, jurisdiction screening and complex-structure escalation.
- Implement screening against OFAC SDN, UN 1267, UK OFSI, EU sanctions and the UAE local sanctions list — at onboarding and on a rolling basis.
- Capture beneficial ownership for every corporate customer, drilled to natural persons with verification evidence retained.
- Establish source of funds and source of wealth files for every EDD customer, with documented corroboration.
- Route EDD onboardings through senior management approval with the approval recorded on the customer file.
- Set risk-based refresh cycles — annual minimum for EDD, two years for standard CDD, three years for SDD — with trigger-event override.
- Retain all CDD, EDD and SDD records, including rationale, for at least five years from the end of the relationship or completion of the occasional transaction.
- Audit a sample of files quarterly against the matrix and remediate findings before the next supervisory inspection cycle.
UAE supervisors are no longer testing whether DNFBPs have an AML policy. That battle was won. The current inspection focus is whether the policy is applied with discipline at the file level, whether tier classification is defensible, and whether EDD actually intensifies scrutiny rather than producing the same CDD paperwork with a different cover sheet.
The bar keeps rising. Ministry of Economy supervisory visits across 2025 and into 2026 have shown more willingness to test the underlying rationale on individual files, not just confirm a policy exists. Inspectors ask why a particular customer was rated standard rather than enhanced, who reviewed the rating, and how the conclusion was evidenced. Firms relying on a generic policy document with no file-level reasoning have found the gap difficult to close mid-inspection.
If you would like a review of how your current programme classifies clients across CDD, EDD and SDD, our team can sample your open files against Cabinet Decision 10/2019 expectations and produce a remediation matrix you can work through internally. Start a conversation through our AML compliance support page.
Frequently asked questions
What automatically triggers Enhanced Due Diligence in the UAE?
A handful of things flip a customer into EDD with no judgement call involved under Cabinet Decision 10/2019. Foreign politically exposed persons — plus their family and close associates — always require it. So does anyone, customer or beneficial owner, resident in a FATF grey- or black-list jurisdiction. Complex or oddly large transactions with no clear economic purpose pull you into enhanced scrutiny too, as do non-face-to-face onboarding without compensating controls, correspondent banking, and sectors the Ministry of Economy has flagged. Domestic PEPs are technically risk-based, but honestly, most firms just default them to EDD.
When is Simplified Due Diligence actually permissible?
Far less often than firms wish. SDD only applies where ML/TF risk is demonstrably low, and you have to write down why you reached that conclusion. The clean examples are UAE government entities, listed companies on well-regulated exchanges, and regulated financial institutions sitting in FATF-compliant jurisdictions. Even then it isn't a free pass. You still identify the beneficial owner where the structure is complex, and you still monitor, just less intensively. What you're dialling down is depth and frequency, not the controls themselves.
Who decides which due diligence tier applies to a client?
You do — the DNFBP itself, working from a documented risk-based methodology that senior management has signed off. There's no government list that classifies your clients for you. Cabinet Decision 10/2019 expects you to assess ML/TF risk across customers, countries, products, services, transactions and delivery channels, then apply controls that fit. In practice the compliance function (with an advisory firm helping where in-house capacity is thin) builds a risk-rating matrix, scores each onboarding, and pushes the higher-risk files up for senior management approval before the file opens. Inspectors then check the matrix exists, gets applied consistently, and that the reasoning is on record.
Does every PEP automatically require Enhanced Due Diligence?
Foreign PEPs, yes — non-negotiable under Cabinet Decision 10/2019, and the same goes for their immediate family and close associates. Domestic PEPs and people entrusted with prominent functions by international organisations are the grey area: they're handled on a risk-sensitive basis, so EDD where higher risk shows up, and enhanced standard CDD with PEP-specific monitoring where it doesn't. Most well-run DNFBPs don't bother litigating that line internally and just apply EDD across the board. For any PEP, EDD means senior management approval, established source of wealth and funds, and tighter ongoing monitoring.
How often should we refresh CDD and EDD documentation?
It's driven by risk. The working baseline most UAE DNFBPs run is three years for low-risk customers, two for standard, and at least annually for EDD — dropping to every six months for the riskiest files. But the schedule is only a floor. A change in beneficial ownership, an odd transaction pattern, a shift in country risk, adverse media, a change in PEP status — any of these forces an immediate refresh regardless of where you are in the cycle. And every CDD, EDD and SDD record, evidence and rationale included, stays on file for at least five years after the relationship ends or the occasional transaction completes.
Filed under: EDD, CDD, SDD, AML compliance, DNFBP, due diligence


