goAML Registration UAE 2026: Login, DNFBP & STR Guide

goAML registration in the UAE — DNFBP enrolment, login, MLRO appointment and STR/SAR workflow with penalties for non-registration explained in 2026.

Compliance officer reviewing AML monitoring dashboard on screen — goAML portal login, DNFBP registration, MLRO appointment and STR/SAR filing workflow at the UAE FIU

Key Takeaways

  1. goAML is the UAE FIU's portal under Federal Decree-Law 20/2018 and Cabinet Decision 10/2019
  2. DNFBPs and financial institutions must register, regardless of trade licence category
  3. Registration runs through EmaraTax → goAML and requires Ministry of Economy approval first
  4. An MLRO must be appointed before submission — name, ID and contact go on the registration form
  5. Login failures usually trace to unapproved accounts, MFA issues or expired passwords — not the portal
  6. STRs / SARs must be filed without tipping off the customer; records retained for five years

goAML registration in the UAE is the single mandatory step every DNFBP and financial institution must complete before it can file suspicious transaction reports — and a goAML login failure is rarely a portal problem. It is almost always a sequencing problem — a registration submitted before the supporting paperwork was ready, an MLRO that was never formally appointed, or an EmaraTax linkage that quietly broke during a free zone renewal. This guide walks through what goAML is, who must register, how goAML registration actually flows in 2026, the most common login errors, the STR and SAR reporting workflow, and what your accounting and compliance advisor (see our AML compliance UAE guide) is expected to prepare behind the scenes.

What Is goAML?

goAML is the UAE Financial Intelligence Unit’s anti-money-laundering reporting platform, hosted at goaml.uaefiu.gov.ae. The software was developed by the UN Office on Drugs and Crime (UNODC) and is used by FIUs in more than 50 countries. In the UAE it sits inside the Central Bank’s FIU and is the single mandatory channel for:

  • Suspicious Transaction Reports (STRs) — when a specific transaction looks suspicious
  • Suspicious Activity Reports (SARs) — when broader customer behaviour looks suspicious even without a single triggering transaction
  • Dealer in Precious Metals and Stones Reports (DPMSR) — for cash transactions above the AED 55,000 threshold
  • Real Estate Activity Reports (REAR) — for high-value property transactions paid wholly or partly in cash, virtual assets or other non-bank instruments
  • Request for Information (RFI) responses — when the FIU asks a registered entity for further detail

Use of goAML is required under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and the financing of Illegal Organisations, as implemented by Cabinet Decision No. 10 of 2019 and the supplementary guidance issued by the UAE Ministry of Economy for non-financial sectors.

Velmont Crest is a DED-licensed accounting firm with eight-plus years of UAE practice experience supporting AML compliance for DNFBPs across mainland and free zone setups.

UAE compliance officer mapping Designated Non-Financial Business activities to goAML registration scope ahead of FIU enrolment

Who Must Register on goAML?

The UAE FIU divides registrants into two broad groups: financial institutions and designated non-financial businesses and professions (DNFBPs). Both must register on goAML — DNFBPs were brought into scope by Cabinet Decision 10/2019 and have been actively enforced against since 2021.

Financial Institutions

  • Banks, branches of foreign banks, Islamic banks
  • Exchange houses and money services businesses regulated by the Central Bank
  • Insurance and reinsurance companies, insurance brokers and agents regulated by the Central Bank
  • Finance companies and finance brokers
  • Securities, commodities and investment firms regulated by the Securities and Commodities Authority (SCA)
  • Virtual asset service providers regulated by SCA or VARA

DNFBPs

  • Real estate brokers and agents — and any business involved in buying or selling real estate
  • Dealers in precious metals and stones — gold, diamond, jewellery traders dealing in cash above AED 55,000
  • Auditors and accountants — registered audit firms and accounting consultancies (including ours)
  • Tax consultants and tax agents registered with the FTA
  • Lawyers, notaries and other independent legal professionals — when preparing or executing transactions for clients
  • Corporate service providers and trust service providers — including company formation specialists, PRO services and registered agents

The trade licence category — commercial, professional, industrial or tourism — does not change the obligation. A free zone real estate brokerage and a mainland real estate brokerage have the same goAML duty. The penalty for failing to register starts at AED 50,000 per Cabinet Decision No. 16 of 2021 on the administrative penalties for AML/CFT violations.

The Registration Walkthrough

goAML registration in 2026 is a multi-stage process that runs across three UAE government systems: Ministry of Economy SACM (for DNFBPs), EmaraTax, and finally the goAML portal itself. Skipping a stage will cause the registration to be rejected without explanation.

Stage 1 — Ministry of Economy SACM Registration (DNFBPs only)

DNFBPs first register on the Ministry of Economy’s SACM platform (Self-Assessment Compliance Management). SACM captures sector, ownership, activities and a self-rated AML risk profile. The MoE then issues a certificate that goAML expects to see. Financial institutions skip SACM and register directly through their primary regulator before approaching goAML.

Stage 2 — Business Risk Assessment (BRA)

Before you touch the goAML registration form, the firm should have a documented Business Risk Assessment covering:

  • Customer risk — types of clients, geographic exposure, politically exposed persons
  • Product / service risk — which licensed activities create AML exposure
  • Geographic risk — sanctioned and high-risk jurisdictions
  • Delivery channel risk — face-to-face vs remote onboarding
  • Transaction risk — typical sizes, payment methods, cash exposure

The BRA is the document the regulator will ask for first if you are ever inspected. It also informs every other policy in your AML/CFT framework and is referenced inside the goAML registration form.

Stage 3 — Appoint an MLRO in Writing

The Money Laundering Reporting Officer must be appointed by a board or partner resolution before the goAML form is submitted. The appointment letter records:

  • Full name, Emirates ID, designation
  • Direct line of communication to senior management or the board
  • Independence from front-line client onboarding where the firm is large enough to allow it
  • Acceptance and acknowledgement of obligations under Federal Decree-Law 20/2018

For small firms (sole practitioner accountants, two-partner brokerages), the owner or managing partner usually takes the MLRO role personally. There is no minimum firm size below which the appointment can be skipped.

Stage 4 — EmaraTax Linkage

The goAML registration is technically initiated through the EmaraTax portal for entities that are also registered for VAT or corporate tax. The system uses the trade licence as the anchor record and pulls company details forward. Mismatches between the EmaraTax registered details and the goAML form are one of the most common rejection reasons — the legal name, trade licence number, registered address and authorised signatory details must align across both systems.

Stage 5 — Complete the goAML Registration Form

The form asks for organisation type, legal form, trade licence details, registered office, MLRO name and Emirates ID, and authorised signatory details, plus supporting documents: trade licence, MoA, MoE SACM certificate, MLRO appointment letter, signatory passport and Emirates ID, and BRA attestation. You receive an automated acknowledgement on submission, but approval is not instant: the FIU reviews each registration manually.

Stage 6 — Approval and First Login

Once approved, the FIU emails the organisation ID and user ID. Only then will the login screen accept your credentials. From submission to approved login is typically one to three weeks; FATF evaluation periods and year-end backlogs can extend it.

AED 50,000: starting penalty for failure to register on goAML, per Cabinet Decision 16 of 2021 — and the minimum, not the maximum, fine band

Screen view of a goAML portal login session with two-factor authentication and active session monitoring for a UAE reporting entity

The goAML Login Process

Once your registration is approved, the login process itself is straightforward:

  1. Navigate to goaml.uaefiu.gov.ae
  2. Click Login and choose your user type (Organisation or Individual)
  3. Enter your username and password
  4. Complete the multi-factor authentication challenge — usually a one-time password sent to the registered MLRO mobile number
  5. Acknowledge the system notices and proceed to the dashboard

The dashboard shows pending RFIs, recent submissions, draft reports and any system messages from the FIU.

Common goAML Login Errors and How to Resolve Them

The portal itself is reasonably reliable. Most login failures trace back to one of a small number of root causes.

“Invalid Username or Password” Despite Correct Credentials

By far the most common failure. The usual cause is that the registration has not yet been approved. The login screen does not distinguish between “wrong password” and “account not yet active” — both produce the same generic error. Check the approval email before assuming the password is wrong.

Account Locked After Failed Attempts

Five failed attempts typically lock the account. The MLRO must request an unlock through the FIU help desk rather than retrying.

MFA / OTP Not Received

If the OTP does not arrive, check that the mobile number registered with goAML is current — UAE numbers that change carrier are a frequent cause. The MFA can be reset, but only after the FIU verifies the MLRO’s identity through the help desk.

“Account Pending Approval”

The registration is still in review. There is no way to accelerate it. Keep the acknowledgement reference number to hand for follow-up.

Browser or Cache Issues

goAML is sensitive to browser cache. Use the latest Chrome or Edge, clear cookies for the goaml.uaefiu.gov.ae domain, and disable extensions that interfere with form submission.

Password Expired

Passwords expire periodically and the system forces a reset. If the reset email goes to a former employee’s mailbox, the login is effectively dead until the FIU revives the account — another reason to register the MLRO with a role-based mailbox.

The single change that prevents the most goAML lockouts is registering the MLRO using a role-based email address — mlro@yourdomain — rather than a personal mailbox. When staff change, the inbox stays, the reset emails stay reachable, and the FIU never finds itself emailing a former employee.

The STR / SAR Reporting Workflow

Once logged in, the core operational use of goAML is filing suspicious reports. The workflow has four parts: identification, internal escalation, MLRO assessment, and filing.

Identification. Front-line staff flag a transaction or pattern — unusual cash structuring, mismatched economic rationale, customer reluctance on CDD, structuring just below a reporting threshold, or any indicator in the firm’s policy manual.

Internal escalation. Staff escalate to the MLRO through the firm’s internal SAR mechanism. The staff member must not tip off the customer under Article 25 of Federal Decree-Law 20/2018 — tipping off carries criminal penalties.

MLRO assessment. The MLRO reviews the case, requests supporting documentation, and assesses whether reasonable grounds exist to suspect money laundering, terrorist financing or proliferation financing. The MLRO records the assessment and the decision in writing.

Filing on goAML. If the MLRO concludes that filing is required, they file an STR (for a specific transaction) or SAR (for a pattern) through goAML. The platform records the time, the filer and the reference number. The original transaction may proceed or be blocked depending on the case — but the customer is not informed of the report.

Five-year retention. Under Cabinet Decision 10 of 2019, all records — the transaction, CDD file, SAR escalation, MLRO assessment and goAML filing reference — must be retained for five years from the end of the business relationship or the transaction date, whichever is later.

What Your Accountant Actually Does in the goAML Workflow

The MLRO is the person who files on goAML. The accounting and compliance advisor sits behind the MLRO and prepares much of the underlying material:

  • Business Risk Assessment support — pulling client lists, geographic exposure data, activity volumes and payment-method analysis for the BRA
  • Transaction monitoring data — extracting customer ledgers, payment patterns and CDD-relevant balances from the bookkeeping system so the MLRO can assess whether a transaction is genuinely anomalous
  • Evidence preservation — ensuring the underlying invoices, contracts, bank statements and CDD files are stored to the five-year retention standard
  • Policy and procedure manuals — drafting or reviewing the AML/CFT policy, CDD procedures and STR / SAR escalation workflow
  • Internal training records — documenting AML training sessions and staff acknowledgements
  • Annual MoE AML report — preparing the data and narrative that feeds the firm’s annual self-assessment submission to the Ministry of Economy

What the accountant does not do: file STRs or SARs, act as the MLRO, or represent the firm before the FIU. Those are the MLRO’s personal statutory duties. Our role is to make sure the MLRO has clean, defensible material to work from.

AML team reviewing suspicious transaction report drafting workflow and red flag documentation before submission to the UAE FIU

Common goAML Compliance Pitfalls

Treating goAML registration as the only obligation. Registration is the start. Operating an AML programme means quarterly transaction monitoring, ongoing CDD refreshes, annual training, the BRA refresh and the MoE annual report. None of those happen automatically because you have a login.

Letting the MLRO move on without re-appointment. If your MLRO leaves the firm, a new MLRO must be appointed in writing and the goAML record must be updated within days, not months. An inspector who finds an MLRO field showing a former employee will treat the entire AML framework as defective.

Confusing the MoE SACM portal with goAML. They are different systems with different purposes. SACM is the supervisory self-assessment platform; goAML is the operational reporting platform. Both are mandatory for DNFBPs.

Filing reports late. STRs must be filed promptly — typically interpreted as within a few business days of the MLRO forming reasonable suspicion. Delayed filings are themselves an offence.

Tipping off the customer. Even oblique hints — “we are reviewing your file with the bank” — can constitute tipping off. The internal compliance team must be trained on the boundary.

Failing to keep audit-trail evidence for five years. A goAML filing without the underlying CDD file, transaction record and MLRO assessment is not defensible if the FIU later requests an RFI.

What This Means for Your Business

If you are a DNFBP or financial institution and you cannot log in to goAML today, the most likely cause is that one of the upstream stages is incomplete. The fix is rarely a password reset — it is usually a documentation refresh, an MLRO re-appointment, or a missing SACM linkage.

If you can log in but have never filed a report, that is not by itself a problem — many small DNFBPs go years without genuinely suspicious activity. What matters is whether your BRA, CDD files, SAR records and training logs would survive an inspection.

Velmont Crest’s UAE compliance team provides advisory support across the goAML lifecycle — from Business Risk Assessment through MLRO appointment, registration support, policy drafting and ongoing transaction-monitoring preparation. We pair this with bookkeeping and business setup advisory work so the AML evidence trail aligns with the underlying financial records. We are a DED-licensed UAE accounting firm and authorised channel partner with Meydan Free Zone and RAKEZ.

For a clean review of where your goAML setup stands today, book a free consultation.


Disclaimer: Velmont Crest is a DED-licensed accounting firm. We provide advisory, preparation and compliance support services. AML/CFT rules and goAML procedures change frequently — verify all requirements with the UAE Financial Intelligence Unit, the Central Bank of the UAE, the Ministry of Economy and your sector regulator before acting, and engage a licensed legal or AML professional for advice specific to your circumstances.

Frequently Asked Questions

What is goAML and who runs it?

goAML is the global anti-money-laundering reporting platform developed by the United Nations Office on Drugs and Crime. In the UAE it is operated by the Financial Intelligence Unit (FIU), which sits within the Central Bank, and is hosted at goaml.uaefiu.gov.ae. The portal is the single mandatory channel for filing suspicious transaction reports, suspicious activity reports, dealer in precious metals and stones reports and high-value real estate transaction reports. Use of goAML is required under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019.

Who must register on goAML in the UAE?

All financial institutions (banks, exchange houses, insurers, finance companies) and all designated non-financial businesses and professions (DNFBPs) — including real estate brokers and agents, dealers in precious metals and stones, auditors, accountants, tax consultants, lawyers, notaries, and corporate service providers — must register. Virtual asset service providers regulated by SCA or VARA also register. Registration is required regardless of trade licence type, free zone vs mainland, or company size. Failure to register triggers a starting fine of AED 50,000.

How do I log in to goAML if my account is not yet approved?

You cannot. After you submit your goAML registration the FIU reviews it manually, which can take several working days to a few weeks. Until you receive the approval email confirming your organisation ID and user ID, the login screen will reject your credentials with messages such as 'invalid username or password' or 'account pending approval'. If your registration has been pending for more than three weeks, contact the FIU help desk through the official channels with your reference number rather than re-submitting, which delays things further.

What is an MLRO and do I need one before registering?

An MLRO is a Money Laundering Reporting Officer — the named individual within your firm responsible for assessing internal suspicious-activity reports and filing STRs and SARs to the FIU through goAML. Yes, the MLRO must be appointed in writing before you complete goAML registration, because the registration form asks for the MLRO's name, Emirates ID, designation and contact details. The MLRO must be senior, independent of front-line client work where possible, and reachable by the FIU. For small firms the owner or managing partner often takes the role personally.

What does an accountant actually do in the goAML workflow?

An accounting and compliance advisor typically supports four pieces of the goAML workflow: (1) preparing the Business Risk Assessment that underpins the registration, (2) drafting or reviewing the AML/CFT policy manual and CDD procedures, (3) building the transaction monitoring data — ledger extracts, customer ledgers, payment patterns — that the MLRO uses to assess whether a transaction is genuinely suspicious, and (4) preserving evidence and audit trails to a five-year retention standard. The accountant does not file STRs on the firm's behalf; the appointed MLRO does that personally through goAML.
