Most UAE founders still believe AML is a banking problem. It is not. Under the 2025 framework, the determining factor is your business activity, not your company size or sector. This guide explains who is regulated, what the law now requires, how goAML and the MLRO function work in practice, and the fastest path to a defensible compliance position.
What Changed in 2025 — The New UAE AML Framework
Federal Decree-Law No. 10 of 2025 replaced the previous AML/CTF regime and introduced five material changes every regulated business must absorb:
- Money laundering, terrorism financing and proliferation financing are now three discrete obligations, no longer bundled.
- Commercial gaming operators are explicitly included for the first time.
- Virtual Asset Service Providers (VASPs) must apply the same controls as banks, including the FATF Travel Rule on cross-border transfers.
- The UAE FIU's asset-freezing powers were extended from 7 days to 10 working days, extendable to 30.
- Liability now attaches on a "constructive knowledge" basis — you can be held liable if you should have known funds were illicit.
If your AML policies were last updated before 14 December 2025, treat them as out of date.
Who Must Comply — FIs, DNFBPs and VASPs
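The UAE AML perimeter covers three categories of regulated entity: financial institutions (FIs), designated non-financial businesses and professions (DNFBPs) and Virtual Asset Service Providers (VASPs).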
DNFBP obligations apply whether you handle client funds directly, structure entities for clients, or trade in high-value goods. Real-estate cash transactions above AED 55,000 automatically trigger CDD obligations.
The Core Obligations — What AML Compliance Actually Requires
Every regulated UAE entity shares five foundational duties.
1. Customer Due Diligence (CDD)
Verify identity at onboarding, understand the business relationship and assess customer risk. CDD is ongoing — not a one-off. Higher-risk customers (PEPs, customers from FATF high-risk jurisdictions, complex ownership structures) trigger Enhanced Due Diligence.
2. Ultimate Beneficial Owner (UBO) Identification
You must look through nominee shareholders and identify the natural person who ultimately owns or controls the entity. The UAE Ministry of Economy's UBO regime applies to mainland and free-zone companies, and the UBO register must be kept current. Inspectors flag UBO gaps more than any other issue.
3. Sanctions Screening
Screen at onboarding and continuously against:
- UAE local terrorist lists
- UN Security Council consolidated list
- FATF high-risk and monitored jurisdictions
Circular No. 3 of 2025 requires screening processes to be refreshed every time these lists are updated. One-off screening at onboarding is no longer compliant.
4. Suspicious Transaction Reporting (STR)
If you have reasonable grounds to suspect a transaction involves proceeds of crime or terrorist financing, you must file an STR via goAML. There is no minimum value. Tipping off the customer is itself a criminal offence.
5. Record-Keeping
Maintain CDD records, transaction records and STR documentation for a minimum of five years.
goAML — The UAE FIU's Reporting Portal
goAML is the UAE Financial Intelligence Unit's mandatory reporting platform, developed by the UN Office on Drugs and Crime. Every regulated entity must register — even if no suspicious activity has occurred. Non-registration is treated as an automatic internal-controls failure during inspections.
How goAML registration works:
- Register on SACM to obtain a username
- Enable two-factor authentication via Google Authenticator
- Complete your entity profile
- Wait for supervisory-authority approval
- Submit STRs, SARs and Targeted Financial Sanctions reports through the portal
The MLRO — Your Compliance Keystone
Under the 2025 law, every regulated entity must appoint a Money Laundering Reporting Officer (MLRO) who:
- Is a UAE resident
- Has sufficient seniority to act independently
- Has direct access to senior management and the board
- Owns STR decisions, AML record-keeping and regulator response
Appointing an MLRO who has the title but not the authority is the single most common failure inspectors find.
Enforcement — What Penalties Look Like
The UAE has moved firmly into enforcement mode:
- A UAE-based bank was fined AED 3,000,000 by CBUAE for AML and sanctions breaches
- Three exchange houses received combined fines exceeding AED 4,100,000
- Ministry of Economy administrative fines on DNFBPs run from AED 50,000 to AED 1,000,000
- Repeated or serious breaches can lead to trade-licence cancellation
Under the new "constructive knowledge" standard, a written policy in a folder is not protection — you must evidence that the policy is being implemented.
Five Mistakes That Get UAE Businesses Fined
- Assuming AML does not apply because you are 'not a bank'
- Appointing an MLRO without genuine authority
- Using a generic, downloaded AML manual
- Treating CDD as a one-time onboarding step
- Skipping goAML registration or failing to file an STR
Where to Start — A Practical 7-Step Plan
- Run an Enterprise-Wide Risk Assessment (EWRA)
- Complete goAML registration
- Appoint or reconfirm your MLRO with board-level access
- Rewrite AML policies based on the EWRA, not a template
- Implement CDD/EDD onboarding workflows
- Set up continuous sanctions screening
- Train all relevant staff and schedule annual reviews
Frequently Asked Questions
1. Does AML compliance apply if my UAE business is not a bank?
Yes, if your business is a DNFBP — real-estate agent, accountant, auditor, tax advisor, lawyer, company-formation agent, dealer in precious metals or gaming operator. The trigger is your activity, not your licence type.
2. What is goAML and is registration mandatory?
goAML is the UAE FIU's reporting platform. Registration is mandatory for every regulated entity, regardless of whether any suspicious activity has occurred.
3. What changed under Federal Decree-Law No. 10 of 2025?
It expanded the regulated perimeter (gaming, VASPs), raised the liability standard to constructive knowledge, separated the three prevention objectives, and extended FIU asset-freezing powers.
4. What is the minimum fine for AML non-compliance?
For Ministry-of-Economy supervised DNFBPs, fines start at AED 50,000 and reach AED 1,000,000, with licence cancellation for serious breaches.
5. Are free-zone businesses subject to UAE AML laws?
Yes. Federal AML rules apply across mainland and free zones. DIFC and ADGM also operate their own AML frameworks alongside federal law.
