Skip to content
AML compliance services UAE — advisor reviewing a DNFBP KYC file, business risk assessment template and goAML registration checklist at a Dubai office desk

AML COMPLIANCE SERVICES UAE

AML compliance services UAE — registered, documented, monitored.

Velmont Crest handles UAE anti-money-laundering (AML / CFT) compliance for DNFBPs: goAML registration, MLRO outsourcing, the compliance officer function, Business Risk Assessment, AML policy preparation and ongoing sanctions screening for real-estate brokers, gold dealers, corporate service providers and other FCAML-mandated entities.

DED-licensed Dubai practice 0+ years UAE accounting Meydan + RAKEZ authorised partner

0+

UAE SMEs served

0%

Fixed monthly pricing

AED 0

Surprise fees, ever

0 UAE day

Reply window

Overview

goAML registration through to MLRO — the full programme.

The UAE's AML / CFT regime under Federal Decree-Law No. 20 of 2018 reaches every Designated Non-Financial Business and Profession. Real estate brokers. Gold and precious-metals dealers. Corporate service providers, auditors, lawyers. If you're on that list, you register on the UAE goAML portal and run a documented, board-approved control framework. No exceptions.

And the obligations stack up fast. A Business Risk Assessment. A Money Laundering Reporting Officer. Customer due-diligence files, screening against sanctions and PEP lists, Suspicious Transaction Reports submitted via goAML. Get it wrong and the penalties run from AED 50K to 5M, with criminal liability sitting behind a Ministry of Economy inspection programme. If you want the regulatory detail first — DNFBP categories, deadlines, penalty tables — start with our full DNFBP rules guide, then come back for the programme that answers it.

That's a lot to carry in-house, and frankly most SMEs we work with don't have the headcount for it. So we carry it. goAML registration, MLRO outsourcing, the Business Risk Assessment, the policy and procedures manual, ongoing CDD and EDD support, sanctions screening, STR drafting, the annual independent review, staff training. All of it maps to the FATF Recommendations and the Ministry of Economy rulebook, because whatever doesn't map is precisely what an inspector writes up.

We sequence the work to the UAE inspection cycle. Registration first. BRA and policy within 30 days. Training and CDD onboarding inside 60 days. Then continuous monitoring, a quarterly review, an annual report. When an unannounced Ministry of Economy or FIU inspection lands, and it will be unannounced, the officer opens a live, documented control environment rather than a weekend of panic clean-up.

The full picture

Every piece of the AML programme, explained.

Twelve components make up a defensible UAE AML programme. Here is what each one is, what the supervisor expects of it, and where Velmont Crest fits.

What anti-money-laundering rules actually require in the UAE

Anti-money-laundering compliance in the UAE rests on Federal Decree-Law No. 20 of 2018 and its implementing regulation. For a DNFBP, the law translates into six standing duties: register on the goAML portal, appoint a Money Laundering Reporting Officer, document a business-wide risk assessment, run customer due diligence with sanctions and PEP screening, keep records for at least five years, and report suspicious activity to the UAE Financial Intelligence Unit. None of these is optional and none of them expires — compliance in the UAE is a continuing state, not a certificate on the wall. The Ministry of Economy checks all six in an inspection, and the gaps compound: a missing BRA usually means the CDD scoring behind it is arbitrary too.

Who is a DNFBP in the UAE — and why goAML registration is step one

A DNFBP (Designated Non-Financial Business or Profession) in the UAE is any of five activity groups: real-estate brokers and agents, dealers in precious metals and stones, auditors and accountants, lawyers and notaries handling client transactions, and corporate service providers. The test follows the trade-licence activity, not the company's size or jurisdiction — a two-person brokerage in a free zone is as much in scope as a fifty-person firm on the mainland. If your licence carries one of those activities, goAML registration is the first legal obligation that attaches, and operating unregistered is itself a finding that starts at AED 50,000. Our free scope review confirms your category and supervisor before anything else is built.

goAML and EOCN registration, walked through

Two registrations, not one. The goAML portal, run by the UAE FIU, is where the entity profile, MLRO account and suspicious-transaction reports live. The EOCN system (the Executive Office for Control and Non-Proliferation) is where you subscribe to targeted-financial-sanctions notifications so list changes reach you the day they happen. We prepare both applications with your team: trade licence, activity classification, authorised-signatory documents, MLRO details, and the supervision linkage to the Ministry of Economy. The accounts are created in your entity's name and stay there; we support the process rather than hold the credentials. Once live, your MLRO uses the goAML login for filings — our step-by-step goAML registration and login guide walks through every screen if you want to see what's involved before we start. One navigation note, because it trips people constantly: the goAML login UAE firms search for is the FIU portal sign-in itself — there is no separate "AML login" anywhere else. Every filing, every FIU message and every profile update happens behind that one account.

The business risk assessment that anchors everything

The business risk assessment for AML (the BRA) is the document every other control hangs off. It scores your exposure across customer types, geographies, products and services, delivery channels and transaction patterns, then records the residual risk after controls. Inspectors read it first because it tells them whether your CDD thresholds, EDD triggers and monitoring rules were designed or improvised. We build the BRA on the Ministry of Economy methodology, score it with your management team so the judgements are genuinely yours, and refresh it annually or whenever the business changes shape — a new branch, a new customer segment, a new product line all move the numbers.

AML policy, procedures and controls — drafted for your licence

A downloaded template is the most common failure we see in inspection files. A defensible AML policy in the UAE names your entity, your DNFBP category, your risk appetite and your actual escalation lines; the procedures behind it tell a staff member exactly what to collect at onboarding, when to escalate, and who signs off a high-risk relationship. We draft the policy suite — AML / CFT policy, CDD and EDD procedures, sanctions-screening rules, record-keeping and training plans — version-controlled and board-approved, in the format the Ministry of Economy inspector reads. Your team adopts and operates it; we keep it current as guidance changes.

CDD, EDD and identifying the ultimate beneficial owner

Customer due diligence starts with identity, but the question that decides most files is ownership: who is the ultimate beneficial owner behind the company in front of you? UAE rules require identifying every natural person holding 25% or more, directly or indirectly, and Cabinet-level UBO regulations separately require most companies to file a UBO declaration and maintain a register of beneficial owners with their licensing authority — the UBO registration runs through the same authority that issued the trade licence, and it has to be kept current as ownership changes. We build UBO identification into your onboarding forms — ownership charts, nominee declarations, source-of-funds questions for higher-risk files — and set the customer-risk scoring that decides when standard CDD steps up to enhanced due diligence. The result is a customer file an inspector can follow from ID copy to risk rating without asking you to explain it.

MLRO outsourcing and the compliance officer role

Every in-scope entity needs a named compliance officer for AML — the MLRO — with the seniority and independence to stop an onboarding, question a transaction and file a report the owner might not like. Most UAE SMEs don't have that person on payroll, which is why MLRO outsourcing exists: under a written delegation, a Velmont Crest engagement partner carries the day-to-day function — alert review, escalation decisions, STR drafting, supervisor correspondence — where your supervisor permits the arrangement for your sector. Where it doesn't, or where you'd rather build in-house, we train and back up your internal designate instead. Either way the appointment letter, reporting lines and accountability boundaries go on file in writing.

STRs and SARs — filed through goAML, owned by your MLRO

When activity trips a red flag — unexplained funds, structuring, a customer who won't evidence ownership — the law requires a Suspicious Transaction Report or Suspicious Activity Report through goAML, promptly and without tipping off the customer. The judgement call is the hard part: file too little and you're exposed; file defensively on everything and the FIU learns to ignore you. We work each alert with the reasoning written down, draft the report with the supporting documents attached, and route it to your MLRO for sign-off and submission. The filing log we maintain becomes one of the first artefacts an inspector asks for, and one of the easiest to get right continuously rather than reconstruct.

Name screening, sanctions lists and UAE sanctions risks

Managing UAE sanctions risks and compliance means screening every customer — and the UBOs behind them — against the UN Consolidated List, the UAE Local Terrorist List, and in practice OFAC, EU and UK HMT lists too, both at onboarding and continuously afterwards. Designations change weekly; a customer who screened clean in January can be a frozen-assets obligation by March, and the UAE regime expects freezing without delay and a report to the EOCN. We configure the screening tool, set the fuzzy-matching thresholds so Arabic-to-English transliterations don't slip through, clear the false positives with documented reasoning, and escalate true hits the same UAE business day.

The annual AML review — independent and documented

Once a year the framework expects an independent review of the whole programme: are the policies live, is the MLRO functioning, is CDD applied consistently, is screening running, is training current, were STRs filed where they should have been. This is an independent programme review — not a statutory financial audit, and it doesn't require a licensed audit firm — but it does require distance from whoever runs the programme day to day. We perform the review for DNFBPs where we aren't already the outsourced MLRO; where we are, we arrange an appropriately independent reviewer so the file holds. If your entity also needs its financial statements audited, our audit assistance service prepares that separate workstream.

Sector notes: gold, real estate and corporate service providers

The rulebook is one law, but the risk profile isn't. Dealers in precious metals and stones (DPMS) carry cash-intensity risk and a specific duty to report cash transactions of AED 55,000 or more; their files lean heavily on source-of-funds evidence. Real-estate brokers sit on layering risk — property is a classic placement vehicle — so their CDD concentrates on buyer ownership and funding trails. Corporate service providers face the sharpest UBO questions because opaque structures are precisely what they're asked to build; their EDD triggers have to be tighter than anyone's. We weight each BRA and procedure set to the sector, which is also why a generic template fails: the typologies an inspector tests you against are sector-specific.

UAE money laundering law — and the punishment for getting it wrong

The UAE money laundering law is Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism, together with its implementing regulation — the same UAE AML law that defines the DNFBP duties on this page. The punishment for money laundering in the UAE runs on two tracks. The administrative track is what most DNFBPs actually face: supervisor fines from AED 50,000 to AED 5,000,000 per violation for programme failures — no goAML registration, no MLRO, missing risk assessment, absent CDD files — escalating to trade-licence suspension or revocation for repeat findings, with personal liability reaching directors and the appointed MLRO. The criminal track covers the underlying offence of laundering itself and carries imprisonment alongside criminal fines. Our work sits squarely on the prevention side: a documented programme is what keeps a routine inspection from becoming either track.

AML software and screening tools — what to buy, what to skip

No AML software subscription satisfies the UAE framework by itself — the supervisor inspects a programme, not a licence key. What screening software does earn its keep on is the list-matching work: Refinitiv World-Check, Dow Jones and LexisNexis are the AML screening software names most UAE DNFBPs land on, and each handles the daily watchlist refresh and fuzzy-matching that manual spreadsheet checks get wrong. Whether you need a subscription at all depends on volume. A brokerage onboarding a handful of buyers a month is often better served by per-check screening than an annual anti-money-laundering compliance software contract; a high-volume gold dealer is not. We stay vendor-neutral, configure whichever tool the volume justifies, and wire its output into your CDD files — because the tool is one component of the compliance solution, never the solution itself.

AML training, courses and training materials

Annual AML training for staff is a standing legal duty, and it is one of the first things an inspector tests — usually by asking a front-desk employee what they would do with a suspicious cash offer. Our training pack covers what the framework expects: the AML training materials themselves (slides and case studies built on your sector's typologies, not generic ones), a short assessment, and the signed attendance log that proves delivery. One distinction worth being clear on: this is in-house competency training, not a certification. If a team member wants a formal AML course — ACAMS, ICA or a diploma-level programme — that sits with accredited training providers, and we'll tell you when a role genuinely warrants it. For most DNFBP teams, well-run annual training plus documented refreshers after any rule change is exactly what the file needs to show.

AML consulting services, priced by component

Most AML consulting services in Dubai quote a lump sum and leave you guessing what's inside it. We price by component so you only buy the gaps you actually have. The business risk assessment, the AML policy and CDD documentation pack, outsourced MLRO support, the annual AML review and third-party screening are each priced by scope — your DNFBP category, customer book and transaction volume set the number, so we quote them once we've seen what you need. Request a quote and full component pricing sits on our pricing page alongside every other service.

Where AML meets the rest of your finance function

AML rarely travels alone. The record-keeping duty leans on the same ledgers our accounting and bookkeeping services maintain, so source-of-funds questions get answered from reconciled books rather than memory. New entities choosing a licence activity should know before incorporation whether it lands them in DNFBP scope — that's a standard check inside our business setup advisory. And because Velmont Crest is an accounting practice, we're a DNFBP ourselves: the programme we run for you is the same discipline we're supervised under. Advisory boundaries stay honest throughout — we prepare, document and support; the registered obligations, the MLRO sign-offs and the regulator relationship remain with your licensed entity.

What you get

What an MoE inspector should find.

When the officer opens your file, here's what we want them to see. Four things, all in place.

goAML registration complete

Your entity is on the goAML portal, classified to the right DNFBP category, with the MLRO and deputy accounts live. Most rejections we see come from one thing: the trade-licence activity not matching the category picked. We get that right the first time.

An MLRO who actually answers

We act as your outsourced Money Laundering Reporting Officer where your sector permits it, or we train and back up your in-house designate. Either way, when a screening hit lands at 4pm on a Thursday, someone who knows the file picks up.

A BRA that survives inspection

Business Risk Assessment scored across customer, geography, product and channel. AML policy, CDD and EDD procedures, sanctions and PEP rules, training records. Dated, version-controlled, written in the format a Ministry of Economy inspector reads.

Screening that doesn't sleep

Every customer run against UN, OFAC, EU and the UAE Local Terrorist List, plus PEP checks. When a pattern looks off, it gets flagged and worked. If it crosses the line, the STR goes to your MLRO for sign-off and on to goAML.

Compare approaches

goAML only, in-house team, or outsourced?

UAE AML obligations split across two regulators (Ministry of Economy for DNFBPs, Central Bank / CBUAE for financial institutions) and three operating models. Pick the wrong model and you carry full enforcement risk personally as the Compliance Officer.

CriteriagoAML register onlyFull in-house AML programmeVelmont Crest outsourced Compliance Officer recommended
CoverageRegistration only, with no programme behind itProgramme, policy, training, MLRO appointment in-houseProgramme + MLRO + Compliance Officer outsourced under written agreement
Compliance Officer / MLRO appointmentNamed on the register but rarely functionalInternal employee you have to train and resourceVelmont Crest engagement partner appointed under written delegation
Risk assessment (mandatory)Usually absentBuilt once, maintained internallyBuilt, signed and refreshed annually with documented changes
Customer due diligence (CDD)Ad-hoc by sales staffProcess-driven if trained team is in placeDocumented CDD form, sanctions screening, PEP screening, risk score, file
Sanctions screeningOften missedSubscribed tool required (Refinitiv, Dow Jones, LexisNexis)Screening run on every onboarding and on schedule after that, tool included
Suspicious Transaction Reports (STR / SAR)Founder unsure when to fileMLRO escalation channel must existEscalation channel + STR template + goAML filing handled
Training to staffSkippedAnnual training requiredAnnual training delivered + attendance log
Best fit forSingle-shareholder DNFBPs with no employee touchpoints, which is rareMid-market regulated entities with internal compliance teamReal-estate, gold / precious metals, accountants, lawyers, auditors, corporate-services providers

Penalties for AML breach under Federal Decree-Law 20/2018 range from AED 50k to AED 5M plus personal liability for the appointed Compliance Officer. goAML registration alone does not satisfy the obligation.

Velmont Crest supports our monthly bookkeeping, external audit assistance, and corporate tax preparation with professionalism.

Happy Field Consultancy FZCO

Consultancy · Dubai · 2025

How to start

Which of these sounds familiar?

Three sentences we hear most weeks from DNFBP owners. If one of them is yours, the response and the first deliverable are already worked out.

Trigger 01 · Registration

"I'm a DNFBP but never registered on goAML."

Broker, gold dealer, CSP, any FCAML-mandated entity. You're past the deadline and you know it. That's a penalty risk of AED 50K–500K sitting on the licence.

  • goAML + EOCN sanctions-list registration completed
  • MLRO appointed (in-house or outsourced)
  • Initial BRA + AML policy delivered

Compliant in 3 weeks

MOST COMMON

Trigger 02 · Inspection

"An MoE inspector is visiting next month."

The notice is in your inbox. Your records, policies and CDD files have to hold up to scrutiny, and you don't have the weeks it would take to fix them yourself.

  • Document audit + gap remediation sprint
  • BRA / policy / training records brought current
  • CDD files reviewed and re-papered where needed

Inspection-ready in 2 weeks

Trigger 03 · Ongoing

"I'm registered but compliance is haphazard."

The files exist, but they're inconsistent. STRs go in when someone remembers. Screening is still a manual scan of a list. Any one of those is an audit finding waiting to happen.

  • Monthly screening + STR review programme
  • Outsourced MLRO function (where permitted)
  • Quarterly compliance review + record refresh

Stable monthly cycle from month 1

Velmont Crest AML compliance officer running a customer KYC file review and DNFBP risk-assessment workpaper for a UAE Designated Non-Financial Business

How we work

How the compliance year actually runs.

It's a year, not a one-off setup. Here's how the four phases land, and who carries them.

  1. 1

    Week 1

    Free AML readiness review

    First we figure out which DNFBP category you actually fall under and who supervises you. Then we look at what exists: goAML status, MLRO, BRA, policies, how your team handles CDD when a customer walks in. We tell you where the gaps are and roughly what each one would cost you in a penalty.

  2. 2

    Weeks 2-3

    Registration and setup

    This is the build. We get you registered on goAML, appoint the MLRO, and run the Business Risk Assessment using the Ministry of Economy methodology. Out come the AML policy, the sanctions and PEP rules, and a CDD procedure your staff can actually follow. Then we sit the team down and train them on it.

  3. 3

    Monthly

    The programme running

    New customers get screened on the way in. Activity gets watched against the risk thresholds your BRA set. If something trips a trigger, we draft the STR and route it to your MLRO. Quietly, in the background, so your AML obligations don't pile up into a year-end scramble.

  4. 4

    Annual

    BRA refresh and the independent review

    Once a year we re-score the BRA, re-read the policies against any rule changes, and run training again. We also document the independent review the regulator expects. The point of all of it: if an inspector turns up unannounced, the file is already ready. No panic week.

Real deliverables

The documents that sit on your file.

AML compliance is not a binder on a shelf. Below is the full file list a Velmont Crest AML client receives, each one version-controlled and dated for a Ministry-of-Economy or CBUAE inspection.

goAML registration

FIU goAML portal registration completed; admin user issued.

Business risk assessment (BRA)

Customer, geography, product, channel and transaction risk scored and documented.

AML / CFT policy

Written policy approved by the board / directors; covers CDD, EDD, training, screening, STR.

Customer due-diligence (CDD) procedure

Step-by-step CDD process with templates, required documents and decision tree.

Enhanced due-diligence (EDD) procedure

Triggered for high-risk customers, PEPs and high-risk geographies.

Sanctions screening tool subscription

Refinitiv / Dow Jones / LexisNexis screening configured; daily watchlist refresh.

PEP screening schedule

Customers screened on onboarding and on schedule, with the log retained.

Annual AML training pack + attendance log

Slides, assessment, signed register of attendees.

Suspicious Transaction Report (STR / SAR) template

Pre-built template; escalation channel defined to MLRO.

MLRO / Compliance Officer appointment letter

Board-signed appointment; Ministry-of-Economy notification filed.

Quarterly Compliance Officer report

Sent to the board — customers onboarded, EDD cases, STRs filed, training delivered.

Customer file / onboarding pack

Per customer — CDD form, ID, ownership chart, screening evidence, risk score.

STR filing log

Every STR filed via goAML, with date, customer, reason and acknowledgement.

Annual independent review / audit file

Programme effectiveness review documented for the board.

All AML records retained per Federal Decree-Law 20/2018 — minimum 5 years from the end of the customer relationship or transaction date.

UAE AML compliance documentation pack showing Business Risk Assessment, policies and CDD files prepared for Ministry of Economy inspection

Why Velmont

Why DNFBPs hand us the AML file.

We've sat through the inspections

We know what a Ministry of Economy officer pulls first, what they photograph, and which gap turns a routine visit into a fine. That's not theory. It's the difference between a file that holds and one that doesn't.

A screening hit isn't an emergency here

When a name pings on a sanctions or PEP list, you message us and we work it the same UAE business day. False positive cleared, or escalated to your MLRO with the reasoning written down. You're never left guessing whether to file.

We know your sector's rulebook

A gold dealer's BRA is not a real-estate broker's, and neither matches a corporate service provider's. The risk weightings differ. The thresholds differ. We write to the supervisor and the typologies that actually apply to your trade licence, not a generic template.

The obligation stays yours, properly

We draft the STR. Your MLRO reads it and signs it. It files under your entity on goAML, exactly as the law intends. We do the heavy lifting and the documentation without ever stepping into a role that has to sit inside your licensed entity.

Recent insights

Reading on AML and economic substance.

The AML rulebook, goAML registration walkthrough and the parallel economic-substance regulation that often applies alongside.

All insights
AML compliance UAE — DNFBP rules, goAML registration and MLRO appointment for Dubai SMEs

AML rules

AML compliance in the UAE — the complete guide

Who is in scope (DNFBP vs FI), what the BRA must cover, plus MLRO appointment, training and STR rules. Written for SME directors.

Read more
Compliance officer reviewing AML monitoring dashboard on screen — goAML portal login, DNFBP registration, MLRO appointment and STR/SAR filing workflow at the UAE FIU

goAML

goAML registration login — UAE guide

Step-by-step goAML registration walkthrough, admin user setup, role assignment and the document pack you need ready.

Read more
ESR UAE 2026 — Economic Substance Regulations status, 2024 repeal under Cabinet Decision 98 of 2024, historical filings and Corporate Tax substance overlap

ESR

UAE economic-substance regulation explained

When ESR applies, the relevant-activities test, the substance test and how it sits alongside AML obligations.

Read more

Pricing

AML compliance priced by component.

Priced by component, so you only pay for the gaps you have. The business risk assessment, policy pack, outsourced MLRO, annual AML audit and screening are each quoted to your DNFBP category and volume. You'll never get an hourly invoice for a phone call.

Talk to our experts

Tell us where your AML file stands.

Tell us where you stand and we'll reply within one UAE business day. We confirm your DNFBP classification, look at whatever AML setup you've got, and come back with a fixed annual retainer. No hourly meter running while you decide.

Reply within 1 UAE business day · Data stored in UAE · Not shared

The DNFBP list

Five business types the UAE AML rules name directly.

If your licence covers one of these activities, you are a Designated Non-Financial Business or Profession — and everything on this page is a legal obligation, not a best practice.

Real estate agents & brokers

Brokerages executing purchase or sale transactions for clients are DNFBPs — with goAML registration, real estate activity reports (REAR) for qualifying cash and virtual-asset deals, and CDD on both sides of a transaction. Dubai's regulators actively inspect this sector.

Dealers in precious metals & stones

Gold traders, jewellers and stone dealers fall in scope when cash transactions reach AED 55,000 — a threshold Dubai's gold souk crosses hourly. DPMSR reporting on qualifying cash deals, source-of-funds checks and sanctions screening are the daily reality.

Auditors & accountants

Firms providing accounting, audit or tax services are themselves DNFBPs — which is why we run our own registered AML programme and know the obligations from the inside: risk assessment, CDD files, STR escalation and annual training, all inspected by the Ministry of Economy.

Corporate service providers

TCSPs — firms forming companies, providing registered offices, or acting as nominee directors or shareholders — carry full DNFBP obligations, including beneficial-owner verification on every structure they touch and enhanced due diligence on complex ones.

Lawyers & notaries

Independent legal professionals enter scope when they prepare or execute transactions for clients: buying and selling real estate or companies, managing client money, or creating legal arrangements. Privilege does not exempt the CDD and reporting duties for those activities.

Not sure whether your licence puts you in scope?

Send us your trade licence activities and we'll tell you plainly whether the DNFBP obligations apply — and which reports your sector files.

Check your scope

goAML registration

From nothing to a working goAML login, in four steps.

Registration is the obligation inspectors check first, and the one with the least excuse for missing — the whole sequence is administrative once the documents are right.

  1. 1

    Step 01

    Appoint the AML compliance officer

    Every DNFBP appoints an AML officer / MLRO — a named individual with the authority and competence to receive internal reports, decide on escalation and face the regulator. The appointment is documented and notified as part of registration; 'the accountant, informally' does not satisfy it.

  2. 2

    Step 02

    Pre-register on SACM

    goAML registration starts on the FIU's Services Access Control Manager (SACM): the entity's details, trade licence, and the compliance officer's passport, Emirates ID and authorisation letter are uploaded to create the secure access credentials the goAML portal itself requires.

  3. 3

    Step 03

    Complete goAML registration

    With SACM approval, the goAML login is activated and the entity's profile completed on the portal — regulator, activity type and reporting entity classification. This is the registration the Ministry of Economy checks first in a DNFBP inspection, and the one the fines schedule attaches to.

  4. 4

    Step 04

    Subscribe to EOCN sanctions notices

    Registration with the Executive Office for Control and Non-Proliferation (EOCN) notification system delivers targeted financial sanctions updates — the UN consolidated list and UAE local terrorist list changes you are required to screen against without delay whenever they are issued.

Step-by-step screenshots in our goAML registration and login guide.

The programme

Five elements every compliant AML programme contains.

This is the file an inspector opens. Each element exists in writing, matches your actual operations, and shows evidence of use.

Business risk assessment

The written, entity-specific assessment of your money-laundering and terrorist-financing exposure — customers, geography, products, channels — refreshed annually. Every other control calibrates to it, and inspectors ask for it first.

AML policies and procedures

The manual that turns the law into your firm's rules: CDD triggers, EDD escalation, PEP handling, record-keeping, tipping-off prohibition and STR workflow. Written for your business, not photocopied boilerplate — inspectors can tell.

KYC, CDD and EDD

Identify and verify every customer, map beneficial owners past 25% thresholds, and apply enhanced due diligence to PEPs, high-risk jurisdictions and complex structures. The files must show the work, not just the conclusion.

Screening & monitoring

Sanctions and PEP screening at onboarding and against every EOCN list update, plus ongoing transaction monitoring calibrated to your risk assessment. AML compliance software helps at volume; the obligation exists with or without it.

Training & the MLRO cycle

Annual staff training with attendance records, internal reporting lines to the MLRO, and STR/SAR filing on goAML where suspicion arises — with the strict no-tipping-off rule governing everything that happens after.

Honest scope

Where we'd push back — what's not in scope.

AML is a regulated activity. Some pieces sit with the regulator or with specialist counsel, not with us.

Need legal opinion, regulatory representation or sanctions advisory? Specialist referrals on request.

  • We are not a UAE-licensed law firm

    Legal opinion on AML / sanctions matters, regulator representation in enforcement action and litigation belong with a licensed law firm.

  • We do not investigate suspected fraud or money laundering for prosecution

    Forensic investigation, asset tracing and evidence preparation for prosecution sit with specialist forensic / law-firm partners.

  • We do not provide regulated financial-crime training certifications

    ACAMS, ICA and Diploma-level certification is delivered by accredited training providers; our annual programme is in-house competency training.

  • We do not replace Central Bank / SCA / IA-licensed compliance functions

    Regulated financial-institution compliance functions (CBUAE, SCA, IA / DFSA / FSRA) require named, regulated CO / MLRO appointments inside the licensed entity.

  • We do not file STRs or SARs in your name without your sign-off

    Every STR is reviewed and approved by your appointed MLRO before filing via goAML — the obligation remains in your name, by design.

FAQs

What DNFBP owners keep asking.

What do AML and CFT mean for UAE businesses?

AML is Anti-Money Laundering; CFT is Combating the Financing of Terrorism. Together they're the framework UAE businesses classified as DNFBPs (Designated Non-Financial Businesses and Professions) have to comply with under Federal Decree-Law No. 20 of 2018. In day-to-day terms, that means registering on the goAML portal, appointing a Money Laundering Reporting Officer (MLRO), running customer due diligence and sanctions screening, keeping records, and filing Suspicious Activity and Suspicious Transaction Reports (SARs/STRs) when something looks off. We handle AML in Dubai end to end — goAML registration, policy drafting, risk assessment, screening setup and ongoing MLRO support — so the compliance side is covered and the documented programme is there when the supervisor asks for it.

Who needs to register on goAML in the UAE?

DNFBPs — Designated Non-Financial Businesses and Professions — have to register on the UAE Financial Intelligence Unit's goAML portal under Federal Decree-Law No. 20 of 2018. That's real-estate brokers and agents, dealers in precious metals and stones, independent auditors, accountants and accounting firms, lawyers and notaries acting as independent legal professionals, and corporate service providers like formation agents, registered-office providers and nominee director services. Registration happens once; after that your MLRO uses the goAML login to file reports and manage the entity account. Financial institutions aren't DNFBPs — banks, exchange houses, finance companies and insurance sit under the UAE Central Bank's separate regime.

Do I need an MLRO in the UAE, and can the role be outsourced?

The Money Laundering Reporting Officer is the named senior person who owns AML compliance — running the programme, signing off higher-risk onboarding, reviewing alerts, filing STRs on goAML and being the contact point for the Ministry of Economy supervisor. Yes, it's required: every in-scope DNFBP has to appoint an MLRO and a deputy with enough seniority, independence and AML knowledge to do the job. And yes, MLRO outsourcing is common for smaller DNFBPs in the UAE: if the role doesn't exist in-house yet, we can provide an outsourced MLRO function on retainer, subject to your supervisor accepting it for your sector.

How often do I need to update KYC on existing customers?

It's driven by the customer's risk rating. High-risk customers — those scoring high on geography, business activity, PEP status or transaction patterns — get re-reviewed at least once a year. Medium-risk every two to three years, low-risk every three to five. Sanctions and PEP screening is the part people forget: it has to run continuously, not just at onboarding, because designations change and a customer who was clean last month can become a sanctioned party. We build the review schedule into the AML programme so re-KYC happens on its own rather than by exception.

What triggers a Suspicious Transaction Report (STR)?

Anything that doesn't fit the customer's known profile and reasonably points to money laundering, terrorist financing or other financial crime. In practice that's an unexplained source of funds, structured transactions designed to slip below reporting thresholds, dealings with high-risk jurisdictions, beneficial ownership you can't see through, a refusal to hand over standard KYC, or large cash that doesn't match the business model. Patterns matching known typologies count too — trade-based laundering, real-estate layering, hawala-style remittance. Two things worth remembering: the bar is suspicion, not proof, and tipping-off rules mean you can't tell the customer an STR is being prepared.

What does AML compliance cost for a UAE DNFBP?

We price it by component, not as one bundle, so you only pay for what you need. The business-wide risk assessment, the AML policy and CDD procedure pack, outsourced MLRO support, the annual AML audit and sanctions screening are each priced by scope — the size of your customer book, risk profile and sector all move the number — so we quote once we've seen what you need. We also guide you through goAML registration and the MLRO appointment. Put it next to the AED 50,000-plus floor for a single supervisor finding of non-compliance and the maths makes itself.

Is AML compliance required for free-zone companies too?

Yes — DNFBP status follows the activity, not the jurisdiction. A real-estate broker, precious-metals dealer, accountant, auditor, lawyer or corporate service provider in a free zone like DMCC, DIFC, ADGM, JAFZA, IFZA, RAKEZ or SHAMS is in scope for goAML registration and the full programme. What changes is the supervisor: most free-zone DNFBPs answer to the Ministry of Economy, DIFC firms to the DFSA, ADGM firms to the FSRA, and certain activities to the SCA. We pin down your supervisor in the scope review and shape the programme around it.

What's enhanced due diligence (EDD) and when is it required?

Enhanced due diligence is the higher-intensity customer verification applied to higher-risk relationships. The list covers Politically Exposed Persons (PEPs) and customers from high-risk jurisdictions on the FATF grey or black list. It also covers customers whose ultimate beneficial owner (UBO) sits behind opaque ownership structures, cash-intensive business profiles, and transaction volumes inconsistent with their stated activity. EDD typically includes source-of-funds and source-of-wealth documentation, senior management approval before onboarding, more frequent monitoring, transaction-by-transaction review and structured re-KYC. We design the EDD trigger criteria into the customer-risk scoring so EDD applies consistently across the book.

Does my AML programme need an annual AML audit in the UAE?

Yes — the UAE AML framework requires DNFBPs to run an independent annual review of the AML programme. On the language: this is an independent programme review, not a statutory financial audit, so it doesn't need a licensed audit firm. The review tests whether policies are documented, the MLRO is appropriately empowered, CDD is being applied consistently, and sanctions screening is operational. It also tests whether training is current, STRs are being filed where appropriate, and the business-wide risk assessment is up to date. The independent reviewer should be sufficiently independent of the day-to-day AML function (often an external advisor or an internal-audit team where the entity has one). We can perform this annual independent review for DNFBPs where Velmont Crest isn't already the outsourced MLRO, since independence rules apply.

What about the Ministry of Economy AML self-assessment portal?

DNFBPs supervised by the Ministry of Economy are required to complete an annual AML / CFT self-assessment on the Ministry's portal, separate from the goAML platform. The self-assessment covers the AML programme design, MLRO appointment, CDD framework, training, screening, STR filing history, business-wide risk assessment status and corrective-action plan against any prior supervisor findings. Late or inaccurate self-assessment submissions are themselves a supervisor finding and trigger penalty exposure. We complete the annual self-assessment as part of the ongoing AML retainer, drawing directly from the documented programme rather than scrambling the data at submission time.

What is the punishment for money laundering in the UAE?

Under the UAE money laundering law — Federal Decree-Law No. 20 of 2018 — the punishment runs on two tracks. The administrative track is what DNFBPs most commonly face: supervisor fines from AED 50,000 to AED 5,000,000 per violation for programme failures such as missing goAML registration, no MLRO, an absent business risk assessment or inadequate CDD, escalating to trade-licence suspension or revocation for repeat non-compliance, with personal liability extending to directors and the appointed MLRO. The criminal track covers the offence of laundering itself and carries imprisonment together with criminal fines. Our role sits on the prevention side of both: we build and document the compliance programme so a routine Ministry of Economy inspection stays routine. Enforcement defence and legal opinion belong with a licensed law firm, and we say so plainly when a matter has moved that far.

What are the UBO declaration and UBO registration requirements in the UAE?

Cabinet-level UBO regulations require most UAE companies — mainland and the majority of free zones — to identify every ultimate beneficial owner holding 25% or more of shares or voting rights, directly or indirectly, file a UBO declaration with their licensing authority, and keep a register of beneficial owners that stays current as ownership changes. That's a separate obligation from goAML, but the two meet inside your AML programme: the same ownership charts and nominee declarations that support the UBO registration are what your CDD files need to see through the companies you onboard. We prepare the ownership analysis and register format, build UBO identification into the onboarding forms, and flag when a structure change means the declaration needs re-filing with the authority.

What does AML/CFT actually mean?

Anti-money laundering and countering the financing of terrorism — the framework under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 that obliges UAE financial institutions and DNFBPs to identify customers, assess risk, screen against sanctions lists, keep records and report suspicion. AML CFT compliance in the UAE is inspected and fined per violation, which is why the programme has to exist on paper and in practice.

Who counts as a DNFBP in the UAE?

Designated Non-Financial Businesses and Professions: real estate agents and brokers, dealers in precious metals and precious stones, auditors and accountants, trust and company service providers, and lawyers or notaries when executing client transactions. If your licence covers one of these activities, the AML obligations apply regardless of company size — a two-person brokerage carries the same core duties as a large firm.

What is goAML and who must register?

goAML is the UAE Financial Intelligence Unit's reporting platform — the system where suspicious transaction reports and the sector-specific reports (REAR for real estate, DPMSR for gold and stones) are filed. Every DNFBP and financial institution must register: first on the SACM pre-registration portal to obtain secure credentials, then on goAML itself. Operating in a DNFBP sector without a goAML registration is itself a finable violation.

What is the EOCN and why do I need to subscribe?

The Executive Office for Control and Non-Proliferation administers the UAE's implementation of targeted financial sanctions. Businesses subscribe to its automated notification system so that every update to the UN consolidated list and the UAE local terrorist list reaches them immediately — and the legal expectation is screening against those updates without delay, with freezing and reporting obligations if a match appears. Subscription is part of our registration package.

What does an AML compliance officer do?

The AML officer — often called the MLRO — owns the programme day to day: receiving internal suspicion reports, deciding what gets filed on goAML, maintaining the risk assessment and the policies and procedures, running sanctions screening, keeping training records and facing the regulator at inspection. The role needs documented appointment and genuine authority. We support appointed officers with the tools and files; the statutory role itself stays in-house.

What should AML policies and procedures contain?

At minimum: the business risk assessment methodology, customer due diligence and verification standards, beneficial ownership rules, enhanced due diligence triggers (PEPs, high-risk jurisdictions, unusual structures), sanctions screening procedure, transaction monitoring approach, STR escalation and filing workflow, the tipping-off prohibition, record-keeping periods and the training programme. Each element mapped to your actual operations — a generic template fails inspection precisely because it ignores them.

Do I need AML compliance software?

The law requires outcomes — screening, monitoring, records — not a specific tool. A low-volume DNFBP can run compliant screening with structured manual checks against the EOCN and UN lists; volume changes the answer, and anti-money laundering compliance software earns its licence fee when customers or transactions grow past what a person can screen reliably. We scope the honest answer for your volume rather than reselling a platform.

When must a suspicious transaction report be filed?

As soon as there are reasonable grounds to suspect funds are the proceeds of crime or linked to terrorist financing — there is no monetary threshold on suspicion. The report goes to the FIU through goAML, the customer must not be tipped off, and the internal deliberation (who suspected what, when, and what was decided) must be documented even where the decision is not to file. That paper trail is what protects the firm and the MLRO.

What are the penalties for AML non-compliance in the UAE?

Administrative fines are levied per violation under the published Cabinet penalty schedule — failing to register on goAML, missing policies, absent risk assessments and unscreened customers each attract their own fine, and totals for an inspected firm with multiple gaps routinely run into hundreds of thousands of dirhams, with licence suspension available for serious cases. Criminal exposure sits above that for actual laundering. The programme is cheaper than any single line of that schedule.

Is AML compliance different in Dubai versus other emirates?

The law is federal — Decree-Law 20 of 2018 applies across the UAE, with the Ministry of Economy supervising most DNFBPs and financial free zones (DIFC, ADGM) running their own supervisors within the same framework. What differs in Dubai is intensity: real estate and gold concentrate here, so inspection campaigns do too. Our AML compliance engagements in Dubai run identically for Sharjah or Abu Dhabi clients — same law, same goAML, same files.

Velmont Crest accounting advisor — Dubai SME engagement

Book a consultation

Free 30-minute call. Pressure-free.

Reply within 1 UAE business day · Data stored in UAE · Not shared