Insights AML
goAML Renewal UAE 2026: Annual Data Refresh Process
How UAE DNFBPs maintain goaml registration through annual data refresh, MLRO updates and FIU notifications to avoid AED 50,000 penalty exposure.

Key takeaways
- goAML registration does not expire, but the data within must stay current under FIU supervision.
- Seven DNFBP categories plus financial institutions must complete the annual refresh cycle.
- Material changes (MLRO, UBO, address, activity) trigger immediate updates outside the annual window.
- Cabinet Decision 10 of 2019 sets penalties from AED 50,000 to AED 5,000,000 per breach.
- Common failures: stale MLRO email, missed share transfers, undocumented sanctions tool changes.
- A specialist accountant prepares the data pack, drafts the BRA and reconciles UBO to ledger.
Most Designated Non-Financial Businesses and Professions in the UAE assume goAML registration is a one-time exercise. Portal account created, MLRO appointed, welcome email filed, done. That assumption drives most of the avoidable AML penalties we see when supporting clients through Ministry of Economy supervisory visits and Financial Intelligence Unit follow-ups.
Under Federal Decree-Law 20 of 2018 and Cabinet Decision 10 of 2019, goAML registration is a living record. The portal profile, the business risk assessment, the MLRO appointment and the sanctions screening attestations all need refreshing annually, and again whenever a material change happens in the licensee. For firms juggling trade licence renewals, corporate tax registration and VAT reporting, that continuous control is exactly the thing that falls through the cracks. Our AML compliance advisory practice exists to close that gap with a structured annual refresh discipline.
What “renewal” actually means here
The word “renewal” is doing a lot of damage here, so let’s clear it up first. The goAML account has no fixed expiry the way a trade licence does. No annual fee, no automatic suspension, no portal lockout on some anniversary. What you do have is an AML/CFT obligation to keep every data point inside the portal profile accurate at all times — which is a quieter, easier-to-miss duty than a hard deadline would be. The Ministry of Economy, as AML/CFT supervisor for the DNFBP sector, has been explicit in its inspection circulars: stale data is treated as no data. The Financial Intelligence Unit, which operates the goAML portal at goaml.uaefiu.gov.ae, expects licensees to run an internal annual refresh discipline that re-attests every field, refreshes every supporting document and re-signs the MLRO appointment.
In practice, that means scheduling a fixed annual review window, walking the portal screen by screen, validating each field against current trade licence and shareholder records, and producing a dated refresh certificate that sits in the AML file next to the original registration evidence. Skip the discipline and the portal account still works. The compliance posture does not.
Who has to do this every year
The obligation falls on every entity that was required to register on goAML in the first place. Under the UAE framework that means two broad populations. The first is financial institutions, which sit under Central Bank supervision and have their own parallel reporting expectations. The second, and the one that this article focuses on, is the seven DNFBP categories defined under Cabinet Decision 10 of 2019. Those seven categories are: real estate brokers and agents involved in transactions for clients; dealers in precious metals and precious stones (DPMS) handling single transactions or linked transactions at or above the AED 55,000 threshold; auditors; accountants and tax consultants providing specified services; lawyers, notaries and other independent legal professionals when carrying out specified financial transactions; and corporate service providers and trust service providers involved in company formation, nominee director services or registered office provision. Every entity holding a trade licence that activates any of these regulated activities must hold a live goAML registration and must operate the annual refresh discipline against that registration. For sector-specific context on how this interacts with day-to-day operations, our notes on gold and jewellery accounting in the UAE cover the DPMS angle in depth, while our real estate accounting guide addresses the broker AML overlay.

Pin the refresh to the same month your trade licence renews
If we could get every client to do one thing, it would be this: fix the refresh to a predictable point in the calendar. The cleanest anchor is your trade licence renewal month, because the underlying corporate records — shareholder register, registered address, business activities — are already being pulled and refreshed then for the Department of Economic Development or your free zone authority. Align the goAML refresh to that same window and the data pack gets assembled once, the directors sign once, and the MLRO gets pulled in once. Less rework, fewer gaps. Within the refresh window, the items that must be reviewed and re-attested include: the MLRO contact details (full name, Emirates ID, mobile, professional email, appointment letter date); the deputy MLRO where one has been appointed; the registered office address and licence number; the full list of beneficial owners holding twenty-five per cent or more, with passport and address evidence retained; a refreshed business risk assessment that reflects the current customer mix, geographic exposure and product or service risk; the customer due diligence procedure document with version control; the sanctions screening tools currently in use, typically a combination of the OFAC SDN list, the UN 1267 consolidated list and the UAE local sanctions list maintained by the Executive Office for Control and Non-Proliferation; and the suspicious transaction report retention log confirming the five-year archive obligation. Each of these items should produce a dated artefact that the MLRO signs off, and the full pack should live in a single AML folder that any future supervisor can review in a single sitting.
When you can’t wait for the annual window
The annual cycle is the floor, not the ceiling. There is a parallel obligation to update the portal promptly whenever a material change occurs in the underlying licensee. Waiting until the next annual window in these cases is not acceptable and creates penalty exposure independent of the annual cycle. The triggering events that we coach clients to watch for include: MLRO resignation, replacement, prolonged absence or change of contact details, where the new appointment letter must be uploaded and the portal profile updated within fifteen working days; any beneficial ownership change above twenty-five per cent, whether through share transfer, inheritance, corporate restructuring or the addition of a new shareholder; change of the registered office address, including moves within the same emirate; any addition or deletion of business activities on the trade licence, particularly where a new activity brings the licensee within a new DNFBP category; opening of a branch in another emirate or free zone, where the branch may need its own profile linkage; any change to the EmaraTax registration, including VAT or corporate tax linkage; and any change to the sanctions screening tool or vendor, which requires a fresh attestation. The discipline we recommend is a single internal trigger log, owned by the company secretary or the engaged accountant, where every corporate change is flagged with a goAML implication column. That column either confirms no update is needed or generates a workflow ticket to update the portal.
AED 50K
Starting fine for non-registration or stale data per FIU notice
What stale data actually costs
Cabinet Decision 10 of 2019 is the operative penalty framework for DNFBP AML breaches, and it is worth reading in full at least once because the bracketing is wider than most directors assume. The starting penalty for failure to register, or for maintaining registration data that is materially inaccurate, is AED 50,000 per breach. The framework allows the supervisor to escalate the penalty to AED 5,000,000 per breach for serious cases, repeat offenders or licensees whose size and risk profile justify a higher fine. In practice, the Ministry of Economy and the Financial Intelligence Unit do issue grace warnings to first-time offenders where the breach is technical and quickly remediated. However, those warnings are recorded against the licensee file, and a second finding within the same supervisory cycle typically triggers the full administrative penalty without further warning. We have also seen cases where a single inspection produces multiple linked findings (stale MLRO, missing UBO refresh, outdated BRA) each attracting its own penalty bracket, with the cumulative fine quickly clearing AED 200,000 from a single visit. In serious cases the framework also permits suspension of the trade licence, which for an operating business effectively stops trade until it’s resolved. For licensees who also hold corporate tax obligations, these AML findings interact with broader FTA-supervised compliance, and our corporate tax services team coordinates the cross-references so that one supervisory event does not cascade into another.

Five patterns we see go wrong
Across the supervisory cases we have supported, the same five failure patterns appear repeatedly. The first is a stale MLRO email, where the appointed officer has changed roles internally or left the firm and the portal still routes notifications to a dormant inbox. The FIU treats this as a notification failure and the licensee misses any subsequent supervisory correspondence. The second is a forgotten ownership change during a share transfer, where the corporate records have been updated with the Department of Economic Development or the free zone authority but the goAML UBO declaration has been left untouched. The third is a new free zone branch added to the licensee group, where the head office goAML registration is assumed to cover the branch but no separate evaluation has been done. The fourth is a sanctions screening tool change, where the licensee has switched vendors or upgraded software but the portal attestation still references the previous tool. The fifth is a suspicious transaction report retention gap, where the five-year retention obligation has not been documented in the AML manual and the supervisor cannot evidence that the archive exists. Each of these failures is individually easy to fix, but in combination they produce the kind of supervisory finding that triggers the full AED 50,000 starting penalty. The annual refresh discipline catches all five in a single workflow.
The biggest myth in UAE AML is that the hard work ends at registration. In supervisory practice, the opposite is true: the registration is the easy part, and the annual refresh is where the regulated discipline is actually tested.
Where the accountant sits in the renewal
A specialist accounting firm sits behind the annual refresh as infrastructure, not as the regulated representative. The MLRO is the appointed officer of the licensee. The directors carry ultimate responsibility under the AML regime. What we provide on the advisory side is the data pack, the workflow and the documentation discipline that turns the MLRO’s sign-off into a two-hour exercise rather than a two-week scramble. Concretely, that means we reconcile the ultimate beneficial ownership declaration against the share register, the memorandum of association and the underlying ledger; we draft the updated business risk assessment using the current customer mix, transaction volume and geographic exposure data drawn from the accounting and bookkeeping records we maintain; we compile the sanctions screening evidence log with date-stamped screenshots and tool version references; we prepare the board-level documentation in the format the MLRO needs for sign-off; we coordinate the trade licence and EmaraTax cross-references so that all three registrations tell the same story; and we produce a single dated refresh certificate that lives in the AML file. The MLRO remains the regulated person, signs the portal submission and retains decision authority over any suspicious transaction reporting. We do not act as the MLRO, we do not represent the licensee before the FIU, and we do not hold the regulated appointment. That separation is deliberate and protects both the licensee and the advisory relationship.
A 30-day checklist before you sign off
The cleanest way to operationalise the annual refresh is a thirty-day pre-renewal checklist that the company secretary or engaged accountant works through in the month before the chosen refresh anchor date. The ten items we use across our client base are as follows:
- Confirm the MLRO appointment letter is current, signed within the last twelve months and reflects the actual person in role today.
- Validate MLRO and deputy MLRO contact details against current HR records, including professional email, mobile and Emirates ID.
- Pull the latest shareholder register from the trade licence authority and reconcile every UBO holding at or above twenty-five per cent.
- Refresh the business risk assessment using the most recent twelve months of customer mix, transaction volume and geographic exposure data.
- Update the customer due diligence procedure document with version control, change log and MLRO sign-off page.
- Compile the sanctions screening evidence log confirming OFAC SDN, UN 1267 consolidated and UAE local list coverage with dated screenshots.
- Confirm the suspicious transaction report retention archive meets the five-year obligation and is accessible to the MLRO on request.
- Cross-check the trade licence activities against the seven DNFBP categories to confirm no new regulated activity has been added without portal update.
- Verify the EmaraTax linkage and registered office address match the goAML profile exactly, character for character.
- Produce and sign the dated annual refresh certificate and file it in the AML folder alongside the previous year’s certificate.
Sister reading on the initial registration side is available in our goAML registration and login guide for the UAE, which covers the first-time setup workflow that the annual refresh builds on top of.
FAQs
Velmont Crest supports DNFBP licensees across the UAE with the structured annual data refresh discipline that the Financial Intelligence Unit expects but does not actively remind firms to perform. Our role is advisory and infrastructure-led: we build the data pack, run the reconciliations, draft the documentation and hand the MLRO a clean file to sign off. The regulated appointment, the portal submission and the supervisory liaison remain with the licensee and the appointed officer. If your goAML profile has not been refreshed in the last twelve months, or if a material change has occurred without portal update, the exposure under Cabinet Decision 10 of 2019 starts at AED 50,000 per breach and compounds quickly across linked findings. Explore how our AML compliance support plugs into your existing licence renewal calendar to make the annual refresh a predictable, two-hour MLRO sign-off rather than a year-end scramble.
Frequently asked questions
- What does goAML annual renewal actually mean?
- It's not what the name suggests, and that's where most of the market confusion comes from. The goAML registration has no fixed annual expiry. What the Financial Intelligence Unit expects is an annual data refresh — a documented review and re-attestation of every field in your portal profile, plus your business risk assessment, MLRO appointment, beneficial ownership declaration and sanctions screening procedures. If any of that is materially wrong when a supervisor looks, the FIU and Ministry of Economy treat the whole registration as non-compliant, and you're into the AED 50,000 starting bracket under Cabinet Decision 10 of 2019.
- When does the obligation to update goAML data trigger?
- Two triggers run side by side. One is the annual cycle, best pinned to your trade licence renewal month so the work is bundled and predictable. The other is event-driven, and it overrides the annual cycle: any material change has to hit the portal promptly, usually within fifteen working days. That covers an MLRO resignation or replacement, a beneficial ownership shift above twenty-five per cent, a change of registered address, a new business activity on the licence, a new free zone branch, or any change to the EmaraTax linkage. Sitting on those until your annual window creates exposure you didn't need to carry.
- What needs updating each year?
- The MLRO contact details and appointment letter, the deputy MLRO if you've appointed one, every beneficial owner at twenty-five per cent or more, the business risk assessment with refreshed sectoral and geographic scoring, the CDD procedure attestation, the sanctions screening tools in use (typically OFAC SDN, UN 1267 consolidated and the UAE local list), the five-year STR retention confirmation, and the registered address and licence details. Put it all in one dated pack the MLRO signs, with the supporting evidence kept on file for inspection.
- What are the penalties for late or missed goAML updates?
- Cabinet Decision 10 of 2019 runs the penalty framework. Failure to register or to keep your registration data accurate starts at AED 50,000, and the framework allows up to AED 5,000,000 per breach depending on severity, repetition and the size of the licensee. First-time offenders sometimes get a grace warning where the breach is technical and fixed quickly — but it's recorded against your file, and a second finding in the same cycle usually brings the full fine. Worse, a single inspection can produce several linked findings at once, so one stale record genuinely does cascade.
- How can an accountant support the renewal?
- By building the file, not by becoming the regulated person. We reconcile the UBO declaration against the share register and ledger, draft the updated business risk assessment from current customer-mix data, compile the sanctions screening evidence log, prepare the board-level documentation for the MLRO, and line up the trade licence and EmaraTax cross-references. The MLRO stays the appointed officer and signs the submission. That line never moves, and it's the reason the whole arrangement holds up under inspection.
Filed under: goAML, AML compliance, DNFBP, FIU, renewal, annual refresh
Published · Updated


