Insights AML
OFAC Screening UAE 2026: DNFBP Sanctions Checklist
How UAE DNFBPs screen against the OFAC sanctions list, UN 1267 and the local terrorism list — tools, tiers, PEP, adverse media and a 12-point checklist.

Key takeaways
- Three lists matter: OFAC SDN, UN 1267 and the UAE local terrorism list — screening one is not enough.
- Free official portals work for low-volume firms; fuzzy matching and PEP coverage require paid tools.
- Mid-tier vendors (ComplyAdvantage, Sanctions.io, ScreenIT) suit most UAE DNFBPs at sensible cost.
- Adverse media scoring closes the gap between a clean hit and a real-world risk signal.
- PEP screening extends to family members and close associates — not just the named official.
- Retain screening evidence for 5 years under Cabinet Decision 10 of 2019 record-keeping rules.
Three lists govern sanctions screening for every UAE DNFBP: the OFAC SDN List published by the US Treasury, the UN 1267 consolidated list issued under Security Council resolutions, and the UAE local terrorism list maintained by the Cabinet of Ministers. Most firms we advise on AML compliance screen one of the three at onboarding, file the printout, and never look at the customer again. That’s the single most common gap our audits surface. The lists overlap but aren’t interchangeable, the update cadences differ, and a sanctioned counterparty hiding behind a transliteration variant won’t appear on a free portal with no fuzzy logic. Sanctions screening is one of the easiest AML controls to do badly and one of the most expensive to get wrong. Penalty bands under Cabinet Decision 10 of 2019 start at AED 50,000 per breach and run to AED 5 million for serious or repeated failures.
Three lists, three different sources
UAE DNFBPs work against a layered sanctions regime. Each list has its own issuing authority, its own legal basis, and its own reach. You need to understand the distinctions before you can design a defensible screening policy.
The OFAC SDN List is maintained by the US Treasury’s Office of Foreign Assets Control. SDN stands for Specially Designated Nationals: individuals, companies, vessels, and aircraft that US persons cannot transact with. Its reach into the UAE is indirect but heavy. Any AED-to-USD conversion routes through a US correspondent bank, and that bank screens every counterparty against OFAC. A DNFBP that processes payments for an SDN-listed customer will lose its USD banking relationship before any UAE regulator gets involved. For real estate brokers, dealers in precious metals and stones (DPMS), and corporate service providers with international clients, OFAC exposure is operational reality even though it isn’t formally a UAE legal requirement.
The UN Security Council 1267 consolidated list is binding under UNSC resolutions 1267 (1999), 1989 (2011) and 2253 (2015). It targets individuals and entities associated with Al-Qaida, ISIL (Da’esh) and the Taliban. The UAE adopts the list through Ministry of Foreign Affairs notifications and circulars from the Executive Office of the Committee for Goods and Materials Subjected to Import and Export Control. Every UAE DNFBP must freeze without delay any funds or assets belonging to a listed person and file an immediate report through goAML — see our goAML registration and login guide for the mechanics.
The UAE Local Terrorist List is issued by the Cabinet of Ministers under Federal Decree-Law 20 of 2018 on Anti-Money Laundering and Countering Financing of Terrorism. It is distributed through the Executive Office and includes individuals and entities designated by UAE authorities — sometimes in parallel with international designations, sometimes in advance. The local list carries direct domestic enforcement consequences. A DNFBP that fails to freeze listed assets faces both AML penalties under Cabinet Decision 10 of 2019 and potential criminal exposure under the parent decree-law.

Why one feed won’t cover you
The legal floor under Federal Decree-Law 20 of 2018 and Cabinet Decision 10 of 2019 requires screening against the UN consolidated list and the UAE local terrorism list at minimum. OFAC sits above that floor as a commercial necessity rather than a UAE regulatory mandate. For any firm with USD touchpoints the practical effect is the same: your bank will enforce OFAC whether or not the FIU does. Stacking all three sources is the only defensible posture.
The deeper issue is match quality. A free portal returns hits only on exact string matches. Real sanctioned persons routinely show up in transliterated form, with diacritics dropped, with surname-first ordering reversed, or with middle names omitted. “Mohammed” and “Muhammad” and “Mohamed” are the same name; a free OFAC search treats them as three different people. Fuzzy matching algorithms (Jaro-Winkler, Levenshtein distance, phonetic encoders like Soundex or Metaphone) close that gap. They’re standard in paid tools and absent from free ones.
The third gap is monitoring, and it’s the one firms underestimate most. Sanctions lists aren’t static. OFAC publishes updates weekly, sometimes daily during a sanctions wave; the UN issues amendments through the 1267/1989/2253 Sanctions Committee; the UAE Cabinet adds and removes names on its own cycle. A one-time onboarding screen only captures a snapshot. Rescreening the customer file every time a list updates is what captures the moving picture, and the Ministry of Economy’s DNFBP supervisory framework expects exactly that, proportionate to risk.
How we’d pick a screening tool tier for an SME
Tool choice should follow your actual risk profile, transaction volume and budget rather than which vendor name you recognise. Three tiers cover most of the UAE DNFBP market.
Free official sources. The OFAC SDN Search portal (sanctionssearch.ofac.treas.gov) returns exact-match results against the SDN, consolidated and sectoral lists. The UN 1267 consolidated list is published as XML and PDF on the Security Council Sanctions Committee site. The UAE Cabinet list is distributed by the Executive Office to registered entities. They’re free, authoritative and straight from the primary source, which is the whole appeal. What they don’t give you is fuzzy matching, PEP coverage, adverse media, an API or any kind of rescreening — everything runs by hand. That’s fine only for the lowest-volume DNFBPs with simple domestic counterparty profiles and the discipline to document every search.
Mid-tier paid tools. ComplyAdvantage, Sanctions.io and ScreenIT sit in the AED 1,000 to AED 8,000 per month range depending on volume. They aggregate sanctions, PEP and adverse media feeds, support fuzzy matching, expose REST APIs for integration with practice management or CRM systems, and provide audit trails. ComplyAdvantage is the most widely adopted across the GCC mid-market. Sanctions.io offers a lower entry point and cleaner pricing for small firms. ScreenIT is a regional player with local support. Suitable for most UAE DNFBPs handling more than a handful of new counterparties a month, and for any firm with international or higher-risk client profiles.
Enterprise tier. World-Check One (LSEG Risk Intelligence, formerly Refinitiv), Dow Jones Risk & Compliance, and LexisNexis Bridger Insight occupy the top end. Annual licences typically start north of AED 100,000 and scale by user count and module. They offer the deepest PEP and RCA coverage, the broadest adverse media corpus, enhanced due diligence reports on demand, and integration with case management workflows. Suitable for Big Four-tier audit firms, top-25 law firms, corporate service providers managing thousands of beneficial owners and any DNFBP under regulatory remediation orders.
Scoring adverse media properly
Adverse media (negative news linking a counterparty to financial crime, corruption, sanctions evasion, fraud or terrorism) is the connective tissue between a sanctions list and a real risk picture. A counterparty may not yet appear on any official list but still feature prominently in credible investigative reporting. UAE FIU expectations, communicated through goAML guidance and Ministry of Economy supervisory notes, have moved toward structured adverse media review at onboarding and at each periodic refresh.
Scoring adverse media needs a weighting framework. Start with source credibility — a Reuters, Financial Times, OCCRP or ICIJ investigation carries far more weight than an anonymous blog. Layer on jurisdiction risk, because adverse media on a counterparty operating in a country near the bottom of Transparency International’s Corruption Perceptions Index should raise your priors before you read a word of it. Then look at the transactional pattern: the same adverse media report means something different when it sits next to cash-intensive transactions, complex ownership chains or rapid fund movement, and at that point it should trigger enhanced due diligence rather than a comment in the file.
Document the negative outcomes too. When you review adverse media and discount it (wrong person, dated coverage, civil dispute rather than criminal conduct), the rationale must be in the file. Regulators don’t penalise firms for finding nothing. They penalise firms for not looking.
AED 50K–5M
Penalty range per AML breach under Cabinet Decision 10 of 2019
PEPs, RCAs and the family-member trap
Politically exposed persons (PEPs) carry inherently elevated money laundering risk because of their access to public funds, their ability to influence procurement and licensing, and their exposure to bribery and corruption. UAE rules under Cabinet Decision 10 of 2019 distinguish three PEP categories. Foreign PEPs — heads of state, ministers, senior judges, military officers and senior executives of state-owned enterprises in jurisdictions other than the UAE — are automatically higher-risk and require enhanced due diligence by default. Domestic PEPs — UAE officials in equivalent roles — require EDD where the relationship presents higher risk. International organisation PEPs — directors and senior officers of UN bodies, the IMF, the World Bank, the OECD and similar — sit alongside domestic PEPs on the risk-based test.
The obligation extends beyond the named PEP. Family members — spouse, parents, children, siblings — and known close associates (referred to as RCAs in screening tools) are treated as PEP-adjacent and screened on the same basis. Business partners, joint shareholders and trustees of structures controlled by a PEP all fall into the RCA net.
Enhanced due diligence for a PEP relationship requires senior management sign-off before onboarding or continuation, source-of-funds documentation, source-of-wealth narrative supported by independent evidence, more frequent ongoing review (typically annually rather than triennially), and explicit transaction monitoring thresholds. The PEP register is a living document — update it at every periodic review and capture the rationale for any change in PEP status or risk rating.

The seven DNFBP categories and where each one screens
Federal Decree-Law 20 of 2018 and its implementing decisions identify seven DNFBP categories. Each one has its own risk surface and its own pattern of when screening has to happen.
- Real estate brokers and agents — screen every buyer, seller, landlord and tenant at onboarding; rescreen at contract signature and at funds receipt. Cross-border purchasers and cash-equivalent settlements raise the priority. Our real estate accounting in UAE briefing covers the broader compliance picture.
- Dealers in precious metals and stones (DPMS) — screen every counterparty for any single or linked transaction at or above the AED 55,000 threshold; for high-value clients and recurring suppliers, screen at onboarding and quarterly. See our gold and jewellery accounting in UAE guide for the DPMS context.
- Auditors — screen audit clients, beneficial owners and significant suppliers visible in the books; rescreen on engagement renewal and on material ownership changes.
- Accountants and bookkeepers — screen new clients, their beneficial owners and any counterparty appearing in payment files where the firm has visibility; rescreen on engagement renewal.
- Tax consultants — screen advisory clients, beneficial owners and structuring counterparties; rescreen on assignment of new work involving cross-border flows.
- Lawyers, notaries and other independent legal professionals — screen clients, beneficial owners of corporate clients, and counterparties to transactions where the firm acts on a client’s behalf for property transfer, company formation, trust administration or asset management.
- Corporate service providers — screen at company formation, on every shareholder change, on every director appointment, and on registered agent renewal.
The DNFBPs that survive a Ministry of Economy inspection are not the ones with the most expensive tool — they are the ones whose screening logs, escalation memos and STR rationales tell a coherent story.
The 12-point screening checklist
The following twelve-point checklist captures what a defensible UAE DNFBP sanctions screening programme looks like in practice. Treat it as a baseline; layer additional controls where the risk profile demands.
- Onboarding screen — every new customer, beneficial owner (25%+ ownership or control), and authorised signatory screened against OFAC SDN, UN 1267 and the UAE local list before contract signature or fee receipt.
- Ongoing rescreening cadence — automated daily or weekly for paid tool users; documented monthly manual review for free-portal users. Capture the rescreen date and result for every counterparty.
- List source URLs in the policy — name the exact source (sanctionssearch.ofac.treas.gov, scsanctions.un.org/consolidated, Executive Office circulars) so any inspector can verify the source.
- Fuzzy matching tolerance — document the tool’s matching threshold (typically 80–90%) and the protocol for reviewing borderline hits.
- PEP register — separate register for PEPs and RCAs with status, risk rating, senior management approval date and next review date.
- Adverse media protocol — defined sources, scoring framework and disposition recorded for every counterparty flagged.
- Hit escalation path — first-line review by the analyst, second-line review by the compliance officer, escalation to senior management for confirmed true positives.
- STR trigger thresholds — clear criteria for filing a Suspicious Transaction Report through goAML; document the rationale even where no STR is filed.
- Freeze and report protocol — written procedure for immediate freeze of funds belonging to a listed person and immediate report to the FIU.
- Record retention 5 years — all screening evidence, hit reviews, EDD files and STR filings retained for at least five years from the end of the business relationship or the date of the occasional transaction.
- Annual policy review — sanctions and PEP screening policy reviewed and approved by senior management at least annually, and following any material regulatory change.
- Training register — every staff member with screening responsibility receives initial and annual refresher training; attendance and content logged.
How Velmont Crest helps
Velmont Crest works alongside DNFBP compliance officers and senior management as an advisory partner. We help firms evaluate sanctions and PEP tool vendors against actual risk profile and transaction volume: a vendor scorecard, structured demos, fuzzy-match thresholds validated against your real counterparty population. We help draft the sanctions screening policy, the PEP policy, and the adverse media protocol so they meet Cabinet Decision 10 of 2019 expectations and your supervisor’s published guidance. We support the bookkeeping and reconciliation layer underneath (see our accounting and bookkeeping services) so the customer master in the ledger and the customer master in the screening tool stay in sync. Where corporate tax registration and screening intersect for high-net-worth or international clients, our corporate tax services team coordinates the workstreams. We don’t act as your compliance officer of record. The compliance officer role, the freeze decision and the STR filing stay with your designated person and senior management. That’s the regulator’s expectation and ours. What we deliver is the documentation, the audit trail, and the training that lets your compliance officer do the job without surprises during a supervisory inspection.
FAQs
These are the questions DNFBPs put to us most often when they sit down and stress-test their own screening programme against where the Ministry of Economy and the FIU are now.
Sanctions screening is one of those areas where a small process gap sits harmlessly for months and then turns existential the day it matters. The lists move weekly, the tools vary wildly, and the regulator now expects continuous monitoring and documented adverse media review — not a one-time onboarding printout filed and forgotten. If you’d like us to review your current setup, benchmark your tool against the alternatives, or draft a defensible policy aligned to Cabinet Decision 10 of 2019, our AML compliance advisory service is the place to start.
Frequently asked questions
- What is the difference between the OFAC SDN list, UN 1267 and the UAE local sanctions list?
- They come from different authorities and reach different things. The OFAC SDN List comes from the US Treasury's Office of Foreign Assets Control and captures Specially Designated Nationals — the individuals, entities and vessels US persons can't deal with. UN 1267 is the consolidated list under Security Council resolutions 1267, 1989 and 2253, aimed at Al-Qaida and ISIL affiliates, and it binds every UN member state. The UAE local terrorism list is issued by the Cabinet of Ministers, circulated through the Executive Office, and carries domestic enforcement weight under Federal Decree-Law 20 of 2018. They overlap a lot in practice, but they're not the same list and they don't update on the same clock.
- Do UAE DNFBPs need to screen against all three lists?
- Legally, two of them. Federal Decree-Law 20 of 2018 and Cabinet Decision 10 of 2019 require screening against the UN consolidated list and the UAE local terrorism list at minimum. OFAC isn't a UAE regulatory requirement on its face. But the moment you touch USD correspondent banking, US-domiciled clients or US dollar settlement, OFAC becomes a commercial necessity — the correspondent bank will walk at the first sign of a sanctioned counterparty, and it won't wait for the FIU. So in practice nearly every UAE DNFBP screens all three anyway, and the policy just needs to spell out each source, how often it's checked, and what happens when a name comes back.
- Which sanctions screening tools do UAE firms actually use?
- It splits roughly by size. Smaller DNFBPs lean on the free official portals — the OFAC SDN Search at sanctionssearch.ofac.treas.gov, the UN 1267 consolidated list, and the UAE Cabinet list circulated by the Executive Office. They work, but there's no fuzzy match, no PEP coverage, no adverse media. Mid-market firms graduate to ComplyAdvantage, Sanctions.io or ScreenIT for API access, fuzzy matching and integrated PEP feeds. At the top end — big auditors, top-tier law firms, corporate service providers sitting on thousands of beneficial owners — you'll find World-Check (Refinitiv), Dow Jones Risk & Compliance or LexisNexis Bridger. The tool should track your risk, not your letterhead.
- How does adverse media screening fit into the AML programme?
- Adverse media — negative news tying a counterparty to financial crime, fraud, corruption or sanctions evasion — fills the gap between a clean sanctions hit and a real risk picture. Someone can be off every official list and still be all over credible investigative reporting. UAE FIU expectations have shifted toward structured adverse media checks at onboarding and at each periodic review. Score what you find by source credibility, recency, jurisdiction risk (the Transparency International CPI is a useful cross-reference) and relevance to the actual transactions. And here's the part firms keep getting wrong: write down why the adverse media did or didn't trigger enhanced due diligence. Regulators flag the missing documentation, not the judgement call.
- What are UAE DNFBP obligations for PEP screening?
- It depends which kind of PEP you're dealing with. UAE rules treat foreign PEPs as automatically higher-risk, so enhanced due diligence is the default there; domestic PEPs (UAE officials) and international organisation PEPs only need EDD where the relationship itself is higher-risk. The obligation doesn't stop at the named person either. It reaches family members and known close associates — spouses, parents, children, siblings, business partners — who screen on the same basis. Source-of-funds and source-of-wealth checks become mandatory, and you need senior management sign-off to onboard or keep a PEP. Re-screen the register at least every 12 months, and write down why any risk rating changed.
Filed under: OFAC, AML compliance, DNFBP, sanctions screening, UN 1267, PEP
Published · Updated


