Twelve components make up a defensible UAE AML programme. Here is what each one is, what the supervisor expects of it, and where Velmont Crest fits.
What anti-money-laundering rules actually require in the UAE
Anti-money-laundering compliance in the UAE rests on Federal Decree-Law No. 20 of 2018 and its implementing regulation. For a DNFBP, the law translates into six standing duties: register on the goAML portal, appoint a Money Laundering Reporting Officer, document a business-wide risk assessment, run customer due diligence with sanctions and PEP screening, keep records for at least five years, and report suspicious activity to the UAE Financial Intelligence Unit. None of these is optional and none of them expires — compliance in the UAE is a continuing state, not a certificate on the wall. The Ministry of Economy checks all six in an inspection, and the gaps compound: a missing BRA usually means the CDD scoring behind it is arbitrary too.
Who is a DNFBP in the UAE — and why goAML registration is step one
A DNFBP (Designated Non-Financial Business or Profession) in the UAE is any of five activity groups: real-estate brokers and agents, dealers in precious metals and stones, auditors and accountants, lawyers and notaries handling client transactions, and corporate service providers. The test follows the trade-licence activity, not the company's size or jurisdiction — a two-person brokerage in a free zone is as much in scope as a fifty-person firm on the mainland. If your licence carries one of those activities, goAML registration is the first legal obligation that attaches, and operating unregistered is itself a finding that starts at AED 50,000. Our free scope review confirms your category and supervisor before anything else is built.
goAML and EOCN registration, walked through
Two registrations, not one. The goAML portal, run by the UAE FIU, is where the entity profile, MLRO account and suspicious-transaction reports live. The EOCN system (the Executive Office for Control and Non-Proliferation) is where you subscribe to targeted-financial-sanctions notifications so list changes reach you the day they happen. We prepare both applications with your team: trade licence, activity classification, authorised-signatory documents, MLRO details, and the supervision linkage to the Ministry of Economy. The accounts are created in your entity's name and stay there; we support the process rather than hold the credentials. Once live, your MLRO uses the goAML login for filings — our step-by-step goAML registration and login guide walks through every screen if you want to see what's involved before we start. One navigation note, because it trips people constantly: the goAML login UAE firms search for is the FIU portal sign-in itself — there is no separate "AML login" anywhere else. Every filing, every FIU message and every profile update happens behind that one account.
The business risk assessment that anchors everything
The business risk assessment for AML (the BRA) is the document every other control hangs off. It scores your exposure across customer types, geographies, products and services, delivery channels and transaction patterns, then records the residual risk after controls. Inspectors read it first because it tells them whether your CDD thresholds, EDD triggers and monitoring rules were designed or improvised. We build the BRA on the Ministry of Economy methodology, score it with your management team so the judgements are genuinely yours, and refresh it annually or whenever the business changes shape — a new branch, a new customer segment, a new product line all move the numbers.
AML policy, procedures and controls — drafted for your licence
A downloaded template is the most common failure we see in inspection files. A defensible AML policy in the UAE names your entity, your DNFBP category, your risk appetite and your actual escalation lines; the procedures behind it tell a staff member exactly what to collect at onboarding, when to escalate, and who signs off a high-risk relationship. We draft the policy suite — AML / CFT policy, CDD and EDD procedures, sanctions-screening rules, record-keeping and training plans — version-controlled and board-approved, in the format the Ministry of Economy inspector reads. Your team adopts and operates it; we keep it current as guidance changes.
CDD, EDD and identifying the ultimate beneficial owner
Customer due diligence starts with identity, but the question that decides most files is ownership: who is the ultimate beneficial owner behind the company in front of you? UAE rules require identifying every natural person holding 25% or more, directly or indirectly, and Cabinet-level UBO regulations separately require most companies to file a UBO declaration and maintain a register of beneficial owners with their licensing authority — the UBO registration runs through the same authority that issued the trade licence, and it has to be kept current as ownership changes. We build UBO identification into your onboarding forms — ownership charts, nominee declarations, source-of-funds questions for higher-risk files — and set the customer-risk scoring that decides when standard CDD steps up to enhanced due diligence. The result is a customer file an inspector can follow from ID copy to risk rating without asking you to explain it.
MLRO outsourcing and the compliance officer role
Every in-scope entity needs a named compliance officer for AML — the MLRO — with the seniority and independence to stop an onboarding, question a transaction and file a report the owner might not like. Most UAE SMEs don't have that person on payroll, which is why MLRO outsourcing exists: under a written delegation, a Velmont Crest engagement partner carries the day-to-day function — alert review, escalation decisions, STR drafting, supervisor correspondence — where your supervisor permits the arrangement for your sector. Where it doesn't, or where you'd rather build in-house, we train and back up your internal designate instead. Either way the appointment letter, reporting lines and accountability boundaries go on file in writing.
STRs and SARs — filed through goAML, owned by your MLRO
When activity trips a red flag — unexplained funds, structuring, a customer who won't evidence ownership — the law requires a Suspicious Transaction Report or Suspicious Activity Report through goAML, promptly and without tipping off the customer. The judgement call is the hard part: file too little and you're exposed; file defensively on everything and the FIU learns to ignore you. We work each alert with the reasoning written down, draft the report with the supporting documents attached, and route it to your MLRO for sign-off and submission. The filing log we maintain becomes one of the first artefacts an inspector asks for, and one of the easiest to get right continuously rather than reconstruct.
Name screening, sanctions lists and UAE sanctions risks
Managing UAE sanctions risks and compliance means screening every customer — and the UBOs behind them — against the UN Consolidated List, the UAE Local Terrorist List, and in practice OFAC, EU and UK HMT lists too, both at onboarding and continuously afterwards. Designations change weekly; a customer who screened clean in January can be a frozen-assets obligation by March, and the UAE regime expects freezing without delay and a report to the EOCN. We configure the screening tool, set the fuzzy-matching thresholds so Arabic-to-English transliterations don't slip through, clear the false positives with documented reasoning, and escalate true hits the same UAE business day.
The annual AML review — independent and documented
Once a year the framework expects an independent review of the whole programme: are the policies live, is the MLRO functioning, is CDD applied consistently, is screening running, is training current, were STRs filed where they should have been. This is an independent programme review — not a statutory financial audit, and it doesn't require a licensed audit firm — but it does require distance from whoever runs the programme day to day. We perform the review for DNFBPs where we aren't already the outsourced MLRO; where we are, we arrange an appropriately independent reviewer so the file holds. If your entity also needs its financial statements audited, our audit assistance service prepares that separate workstream.
Sector notes: gold, real estate and corporate service providers
The rulebook is one law, but the risk profile isn't. Dealers in precious metals and stones (DPMS) carry cash-intensity risk and a specific duty to report cash transactions of AED 55,000 or more; their files lean heavily on source-of-funds evidence. Real-estate brokers sit on layering risk — property is a classic placement vehicle — so their CDD concentrates on buyer ownership and funding trails. Corporate service providers face the sharpest UBO questions because opaque structures are precisely what they're asked to build; their EDD triggers have to be tighter than anyone's. We weight each BRA and procedure set to the sector, which is also why a generic template fails: the typologies an inspector tests you against are sector-specific.
UAE money laundering law — and the punishment for getting it wrong
The UAE money laundering law is Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism, together with its implementing regulation — the same UAE AML law that defines the DNFBP duties on this page. The punishment for money laundering in the UAE runs on two tracks. The administrative track is what most DNFBPs actually face: supervisor fines from AED 50,000 to AED 5,000,000 per violation for programme failures — no goAML registration, no MLRO, missing risk assessment, absent CDD files — escalating to trade-licence suspension or revocation for repeat findings, with personal liability reaching directors and the appointed MLRO. The criminal track covers the underlying offence of laundering itself and carries imprisonment alongside criminal fines. Our work sits squarely on the prevention side: a documented programme is what keeps a routine inspection from becoming either track.
AML software and screening tools — what to buy, what to skip
No AML software subscription satisfies the UAE framework by itself — the supervisor inspects a programme, not a licence key. What screening software does earn its keep on is the list-matching work: Refinitiv World-Check, Dow Jones and LexisNexis are the AML screening software names most UAE DNFBPs land on, and each handles the daily watchlist refresh and fuzzy-matching that manual spreadsheet checks get wrong. Whether you need a subscription at all depends on volume. A brokerage onboarding a handful of buyers a month is often better served by per-check screening than an annual anti-money-laundering compliance software contract; a high-volume gold dealer is not. We stay vendor-neutral, configure whichever tool the volume justifies, and wire its output into your CDD files — because the tool is one component of the compliance solution, never the solution itself.
AML training, courses and training materials
Annual AML training for staff is a standing legal duty, and it is one of the first things an inspector tests — usually by asking a front-desk employee what they would do with a suspicious cash offer. Our training pack covers what the framework expects: the AML training materials themselves (slides and case studies built on your sector's typologies, not generic ones), a short assessment, and the signed attendance log that proves delivery. One distinction worth being clear on: this is in-house competency training, not a certification. If a team member wants a formal AML course — ACAMS, ICA or a diploma-level programme — that sits with accredited training providers, and we'll tell you when a role genuinely warrants it. For most DNFBP teams, well-run annual training plus documented refreshers after any rule change is exactly what the file needs to show.
AML consulting services, priced by component
Most AML consulting services in Dubai quote a lump sum and leave you guessing what's inside it. We price by component so you only buy the gaps you actually have. The business risk assessment, the AML policy and CDD documentation pack, outsourced MLRO support, the annual AML review and third-party screening are each priced by scope — your DNFBP category, customer book and transaction volume set the number, so we quote them once we've seen what you need. Request a quote and full component pricing sits on our pricing page alongside every other service.
Where AML meets the rest of your finance function
AML rarely travels alone. The record-keeping duty leans on the same ledgers our accounting and bookkeeping services maintain, so source-of-funds questions get answered from reconciled books rather than memory. New entities choosing a licence activity should know before incorporation whether it lands them in DNFBP scope — that's a standard check inside our business setup advisory. And because Velmont Crest is an accounting practice, we're a DNFBP ourselves: the programme we run for you is the same discipline we're supervised under. Advisory boundaries stay honest throughout — we prepare, document and support; the registered obligations, the MLRO sign-offs and the regulator relationship remain with your licensed entity.