AML enforcement in the UAE has fundamentally changed
When Federal Decree-Law No. 20 of 2018 came into force, the majority of Designated Non-Financial Businesses and Professions in the UAE treated it as a paper exercise — something to acknowledge and file away. That approach no longer works.
Since 2022, the Ministry of Economy has issued public enforcement notices naming non-compliant firms. Penalties have been assessed and published. Licences have been suspended. The mistakes I see most often are not complex: businesses registering on the wrong goAML portal; completing CDD at onboarding and never revisiting it; using a downloaded AML policy template that does not reflect a single thing about how the business actually operates.
My job is to fix that — before the Ministry of Economy inspector arrives.
What is UAE AML Law?
UAE anti-money laundering obligations are established by Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations. The operational detail is set out in Cabinet Decision No. 10 of 2019, which provides the Executive Regulation implementing the 2018 law.
The regulatory framework covers customer due diligence, suspicious transaction reporting, record retention, staff training, and the appointment of a compliance officer. These are statutory obligations with criminal and administrative penalties for non-compliance.
| Legal Instrument | Purpose |
|---|---|
| FDL No. 20 of 2018 | Primary AML/CFT law — establishes core obligations |
| CD No. 10 of 2019 | Executive Regulation — operational detail on CDD, STR, training |
| CD No. 58 of 2020 | UBO Register — 25% ownership threshold |
| CD No. 16 of 2021 | Administrative penalties — AED 1M first / AED 5M repeat |
Who must comply: DNFBP categories
Designated Non-Financial Businesses and Professions are the non-bank categories subject to UAE AML obligations. The Ministry of Economy is the primary supervisory authority for the following categories:
Auditors & Accountants
External auditors and accounting firms preparing financial statements or audits for clients.
Lawyers & Legal Professionals
When carrying out real estate, asset management, bank account, or company formation transactions for clients.
Real Estate Agents & Brokers
When assisting clients in buying and selling real property.
Dealers in Precious Metals & Stones
When conducting cash transactions exceeding the relevant threshold.
Company Service Providers (CSPs)
Providing company formation, registered agent, directorship, nominee shareholder, or registered office services.
Trust Service Providers
Entities providing trustee services or managing trusts on behalf of clients.
Avyanco Group holds DED Licence No. 909402 as a licensed CSP — subject to exactly the same AML obligations as the businesses we advise.
The 6 core AML obligations every DNFBP must have
Each element is required by FDL No. 20 of 2018 and CD No. 10 of 2019 — and each is inspected by the Ministry of Economy.
Written AML/CFT Policy
A documented policy covering CDD, STR filing, TFS screening, record retention, and staff training — tailored to the specific business and approved by senior management. Not a downloaded template.
Appointed Compliance Officer
A named individual designated as AML Compliance Officer, reported to the Ministry of Economy, with sufficient seniority to manage STR filings, inspections, and training.
Customer Due Diligence (CDD)
Identity verification at onboarding and continuous monitoring. Enhanced Due Diligence applies to PEPs, FATF black/grey list jurisdictions, and complex ownership structures.
STR Filing via goAML
Suspicious Transaction Reports filed through the Ministry of Economy goAML portal when reasonable grounds for suspicion arise — regardless of transaction amount. Failure to file is criminal.
TFS Screening
All customers screened against the UN Consolidated Sanctions List and the UAE local terrorist designation list before onboarding and on an ongoing basis. Screening must be documented.
Documented Staff Training
Periodic, role-specific AML training for all relevant staff — documented with who was trained, when, on what content, and by whom. Undocumented training is treated as absent.
goAML portal registration — the critical distinction
The goAML portal is the UAE Financial Intelligence Unit's platform for receiving Suspicious Transaction Reports and issuing FIU advisories. Registration is mandatory for all UAE DNFBPs.
The critical distinction causing consistent errors in practice: there are two separate goAML portals in the UAE. The CBUAE goAML portal is for financial institutions regulated by the Central Bank. The Ministry of Economy goAML portal is for DNFBPs. Registering on the CBUAE portal does not satisfy the DNFBP obligation — the MoE will find no record of your registration during an inspection.
Most common error:
Registering on the CBUAE goAML portal instead of the Ministry of Economy portal. One of the most frequently identified violations during MoE DNFBP inspections.

UBO Register — Cabinet Decision No. 58 of 2020
All UAE companies must maintain an internal Ultimate Beneficial Owner register and file UBO information with their licensing authority. The register must identify every natural person who ultimately owns or controls 25% or more of the company's shares or voting rights, or who exercises effective control.
Customer Due Diligence requires a DNFBP to identify and verify the beneficial owners of its corporate customers. A DNFBP that has not maintained its own UBO register cannot demonstrate that its CDD programme captures beneficial ownership accurately. Failure to maintain the UBO register is a separate regulatory violation — an inspection identifying both failures finds multiple grounds for enforcement action.
Business Risk Assessment — the foundation
The Business Risk Assessment is the foundation of any effective AML compliance programme. Without it, every other element — the policy, the CDD framework, the training — lacks a documented basis. The Ministry of Economy expects to see a current, documented BRA as the first output of any compliant programme.
The BRA must assess:
- The nature and size of the business
- The types of customers and counterparties the business deals with
- The products and services offered and the money laundering risks they carry
- The geographies in which the business operates and from which funds originate
- The delivery channels through which business is conducted
The BRA must be reviewed and updated at least annually, and whenever a material change occurs. A missing, undated, or generic BRA is treated as an immediate violation during inspection.

Customer Due Diligence & Suspicious Transaction Reporting
CDD — a continuous obligation
CDD must be conducted at onboarding and on an ongoing basis throughout the customer relationship. Existing customers must be monitored and their records updated when risk indicators change.
Simplified CDD applies to UAE government entities, listed companies on recognised exchanges, and regulated financial institutions in low-risk jurisdictions.
Enhanced Due Diligence applies to PEPs, FATF black/grey list jurisdictions, and complex ownership structures — requiring source of funds verification and senior management approval.
All CDD records must be retained for a minimum of five years.
STR filing — not discretionary
The obligation to report arises when a DNFBP has reasonable grounds to suspect funds are proceeds of crime or connected to terrorism financing.
There is no minimum transaction value. STRs are filed through the Ministry of Economy goAML portal as soon as practicable after suspicion arises.
Failure to file an STR is a criminal offence — personal liability applies to the Compliance Officer and senior management.
AML penalties in UAE — Cabinet Decision No. 16 of 2021
First Violation
Up to AED 1 million
Per violation — multiple failures attract multiple penalties
Repeat / Aggravated
Up to AED 5 million
Maximum per repeated or aggravated failure
Wilful Non-Compliance
Criminal Prosecution
Imprisonment and court-imposed fines — individuals and entity
Beyond financial penalties, the Ministry of Economy can suspend the business licence, prohibit regulated activities for a defined period, and publish the enforcement action publicly. Public naming has been used by the MoE since 2022.
How I can help
Every framework I deliver is practical, documented, and built to survive a Ministry of Economy inspection.
AML Policy & Procedures Drafting
A bespoke written AML/CFT policy tailored to the specific business — customer types, geographic exposure, services, and delivery channels. Built to withstand a Ministry of Economy inspection.
goAML Registration & Setup
End-to-end registration on the Ministry of Economy goAML portal — correct portal, Compliance Officer registration, and verification that the registration is active for STR filing.
Business Risk Assessment
A documented, MoE-ready BRA covering nature, size, customer profile, geographic exposure, products, and delivery channels. Dated, signed by senior management, structured for inspection.
CDD & EDD Framework
Customer onboarding checklists, risk-scoring matrices, and ongoing monitoring protocols. Differentiates standard CDD, simplified CDD, and EDD for PEPs and high-risk jurisdictions.
Compliance Officer Support
Outsourced MLRO function or advisory support to an existing internal Compliance Officer — covering STR decisions, FIU correspondence, MoE inspection preparation, and policy updates.
AML Health Check
Gap analysis of the existing AML programme against current MoE expectations — written report with prioritised remediation roadmap, identifying what is missing and what needs correction.

What my AML review covers
Written report with prioritised remediation roadmap delivered within ten business days of initial intake.
Intake Assessment
Structured intake call and document collection: trade licence, current AML policy, org structure, customer profile, and goAML registration status.
Policy Gap Analysis
Every mandatory element of the AML/CFT policy reviewed against Cabinet Decision No. 10 of 2019 and current MoE supervisory expectations.
BRA Review
Confirm whether a documented BRA exists, is current, and accurately reflects the business's actual risk profile.
CDD Framework Review
Assess onboarding procedures, risk-scoring, and periodic review processes. Identify gaps between documented policy and actual practice.
goAML & TFS Status
Confirm correct MoE portal registration, Compliance Officer recording, and documented TFS screening procedures.
Written Remediation Plan
Prioritised report identifying every gap and correction needed before the next inspection, delivered within ten business days.
Common AML mistakes UAE businesses make
These are the patterns I encounter most frequently. Every one is identifiable during a Ministry of Economy inspection.
Not registering on goAML at all
Many UAE DNFBPs have never registered on the goAML portal. Without registration, STR filing is impossible and the reporting obligation is completely unmet — immediately identifiable during any MoE inspection.
Treating AML as a one-time exercise
Many businesses drafted an AML policy in 2018 and have not revisited it since. AML compliance is a continuous, annual obligation — not a one-time exercise.
CDD only at onboarding — never reviewed
Customer Due Diligence is a continuous obligation. A customer who becomes a PEP, whose transaction patterns change, or about whom new information emerges must be subject to updated CDD.
UBO register not linked to CDD
The UBO register and the CDD programme must be aligned. If CDD does not identify and verify the beneficial owners of corporate customers, CDD is incomplete.
No documented training records
Completion certificates, attendance records, training content, and dates must be retained. Undocumented training is treated as training that did not happen.
Generic downloaded AML policy template
The most common single error: a downloaded policy adapted minimally and filed. The MoE expects a policy written for this business — not one with this business's name on it.
Virtual Assets and VARA
Virtual Asset Service Providers operating in the UAE face the same core AML/CFT obligations as DNFBPs under Federal Decree-Law No. 20 of 2018, alongside additional sector-specific requirements.
In Dubai, VASPs are regulated by the Virtual Assets Regulatory Authority (VARA). Federally, the Securities and Commodities Authority (SCA) regulates virtual asset activities outside Dubai. Both require VASPs to maintain AML programmes, conduct CDD, file STRs, and screen for targeted financial sanctions. Compliance with VARA's AML Rulebook is a condition of holding a VARA licence.
Advisory on AML compliance for UAE VASPs is addressed on a case-by-case basis. Contact to discuss your VASP AML requirements.
Frequently asked questions
Do I need to register on goAML if I am a company service provider?
How quickly must I file an STR after a suspicious transaction?
Do AML rules apply to small businesses in the UAE?
What does an AML Compliance Officer do and can I outsource that role?
How often should I update my AML policy and Business Risk Assessment?
My business was registered before 2018 — do I need to retrospectively comply?
As a licensed CSP myself — operating under DED Licence No. 909402 — I am subject to exactly the same AML obligations I advise my clients on. I do not build compliance programmes for other businesses that I would not apply to my own.
AML compliance in the UAE is no longer a theoretical risk.
The enforcement record since 2022 demonstrates that the Ministry of Economy is inspecting, penalising, and publicly naming non-compliant firms. If your business is a DNFBP and you have not reviewed your AML compliance position in the last twelve months, book a free initial call and I will tell you exactly where you stand.
Written & reviewed by
Jashvantkumar Prajapati
Founder & CEO, Avyanco Group
21+ years advising founders and investors on UAE company formation, tax structuring, and cross-border expansion. CSP Licensed by the Dubai Economic Department. Direct experience helping 11,000+ businesses across mainland, free zone, and offshore structures.
