Most business owners in the UAE think AML compliance is a banking problem. Banks have AML departments. Banks have AML officers. Banks get audited for AML. So the assumption is that it stops there.
It does not.
AML compliance applies across real estate, accounting, law, gold trading, company formation, and several other sectors. Many SME owners in these industries do not know the rules apply to them. That gap is expensive. Fines start at AED 50,000 and go up to AED 1,000,000. In serious cases, the result is full licence revocation.
This guide explains the UAE AML framework, who it applies to, what it requires, and how to build the basics of a compliant operation.
The Legal Framework: What Changed in 2025
The UAE's AML landscape changed significantly at the end of 2025. The primary legislation now governing anti-money laundering, Counter-Terrorism Financing (CTF), and Counter-Proliferation Financing (CPF) is Federal Decree-Law No. 10 of 2025. This was supplemented by Cabinet Resolution No. 134 of 2025. Both came into force on December 14, 2025.
The 2025 law introduced several material changes that every regulated business needs to understand.
What changed under the 2025 framework:
- Each of the three prevention objectives — money laundering, terrorism financing, and financing of weapons of mass destruction — must now be addressed as a separate, discrete obligation. They are no longer bundled together under a single compliance framework.
- Commercial gaming operators are now explicitly included as regulated entities for the first time.
- Virtual Asset Service Providers must comply with the same AML requirements as conventional financial institutions, including the Travel Rule for cross-border virtual asset transfers.
- The enforcement powers of the UAE Financial Intelligence Unit (FIU) were significantly expanded — immediate asset freezing powers extended from seven days to 10 working days, extendable to 30 days.
- Liability now attaches on a constructive knowledge basis — meaning organisations can be held liable if they should have known funds were illicit, not only if they had actual knowledge.
The practical implication is direct. Any AML policies, procedures, or customer due diligence processes last reviewed before December 31, 2025 are likely out of date. They need to be updated now.
For context on how AML obligations connect to your broader compliance picture, see our guide on UAE compliance obligations for businesses.
Who Must Comply: FIs, DNFBPs, and VASPs
The UAE AML framework creates obligations across three broad categories of entities.
| Entity Category | Who Is Included | Primary Regulator |
| --- | --- | --- |
| Financial Institutions (FIs) | Banks, currency exchange bureaus, insurance companies, finance companies, hawala operators | |
| DNFBPs | Real estate agents, precious metals dealers, auditors, accountants, tax advisors, company formation agents, lawyers, notaries, gaming operators | |
| VASPs | Crypto exchanges, digital asset brokerages, virtual asset platforms | |
Who specifically falls under DNFBP obligations:
- Real estate agents and brokers — including those facilitating property transactions above AED 55,000 in cash
- Dealers in precious metals and stones
- Auditors, accountants, and tax advisors — including outsourced accounting firms
- Company service providers and formation agents
- Lawyers and notaries in specific circumstances
- Commercial gaming operators (added under the 2025 law)
The common misconception is that only banks are affected. That is not how the law works. Whether your trade licence looks simple or your structure is complex, whether you handle client funds, facilitate company formation, or deal in high-value goods — AML compliance obligations may apply. The determining factor is your business activity, not your company size.
Businesses using financial management platforms like Alaan for corporate spend can use transaction-level data to support sanctions screening and suspicious activity identification — particularly useful for businesses with high transaction volumes across multiple counterparties.
The Core Obligations: What Compliance Actually Requires
Regulated entities across all sectors share the same foundational obligations.
1. Customer Due Diligence (CDD)
You must verify the identity of every customer at onboarding. You must understand the nature of the business relationship and assess the customer's risk profile. This is not a one-time exercise. CDD must be maintained and updated on an ongoing basis throughout the relationship.
For higher-risk customers, Enhanced Due Diligence (EDD) applies:
| Customer Type | CDD Level Required |
| --- | --- |
| Standard customers | Basic CDD — identity verification, business purpose |
| Politically Exposed Persons (PEPs) | EDD — deeper documentation, senior management approval |
| Customers from FATF high-risk jurisdictions | EDD — additional scrutiny and ongoing monitoring |
| Complex ownership structures | EDD — UBO identification and verification |
2. Beneficial Ownership (UBO) Identification
Beyond identifying named directors and shareholders, you must identify and verify the Ultimate Beneficial Owner of any legal entity you deal with. The UBO is the actual human being who owns or controls the entity — who may or may not appear on the official company documents. This is a distinct requirement and one of the most common compliance gaps found during inspections.
The UAE Ministry of Economy's UBO requirements apply to all mainland and free zone companies and must be maintained in a current, accessible register.
3. Transaction Monitoring and Sanctions Screening
Regulated entities must screen customers against:
- UAE local sanctions lists
- UN Security Council sanctions lists
- FATF high-risk and monitored jurisdictions
Screening must happen at onboarding and on an ongoing real-time basis. Circular No. 3 of 2025 requires processes to be updated every time these lists change. Screening at onboarding alone is not sufficient.
4. Suspicious Transaction Reporting
If you have reasonable grounds to suspect a transaction involves proceeds of crime or terrorism financing, you are legally required to file a Suspicious Transaction Report (STR) via goAML. Key points:
- There is no minimum transaction value
- The duty is triggered by suspicion, not certainty
- You must not inform the customer that a report has been filed — this is called "tipping off" and is itself a criminal offence
goAML: What It Is and Why Registration Is Non-Negotiable
goAML is the official reporting platform of the UAE Financial Intelligence Unit. It was developed by the United Nations Office on Drugs and Crime (UNODC). The UAE was the first country in the GCC to implement it.
All regulated entities must register on goAML. This is mandatory regardless of sector. It is mandatory even if no suspicious transactions have ever occurred in your business. Failing to register is treated as an automatic internal controls failure during inspections. There is no defence available for an unregistered entity.
How goAML registration works:
1. Register with the protection system (SACM) to obtain a username
2. Configure two-factor authentication via Google Authenticator
3. Log in and complete your entity profile
4. Await verification from your supervisory authority
5. Once approved, submit STRs, SARs, and targeted financial sanctions reports through the platform
The Ministry of Economy and other supervisory authorities check for goAML registration during inspections. It is one of the first things they verify. If you are not registered, everything else you have done on AML compliance becomes secondary.
Reports you can submit through goAML:
| Report Type | When Required |
| --- | --- |
| Suspicious Transaction Report (STR) | When a transaction raises suspicion of money laundering |
| Suspicious Activity Report (SAR) | When activity — not a specific transaction — raises suspicion |
| Targeted Financial Sanctions reports | When a customer matches a sanctions list |
The Role of the Money Laundering Reporting Officer
Every regulated entity in the UAE must appoint a Money Laundering Reporting Officer (MLRO).
Under the 2025 law, the MLRO must:
- Be a UAE resident
- Hold sufficient seniority to make decisions independently
- Have direct access to senior management and the board
- Be responsible for all STR decisions, AML record maintenance, and regulator responses during inspections
In smaller businesses, the MLRO is typically a senior manager or director. The title alone is not enough. The person must have genuine authority within the organisation.
Appointing an MLRO who cannot make real decisions — or who has no direct line to leadership — is one of the most repeated compliance failures seen during inspections. It renders the entire AML function ineffective and provides no protection during enforcement.
Enforcement: What Penalties Look Like in Practice
The UAE has moved firmly into enforcement mode. The numbers reflect it.
| Enforcement Action | Amount | Entity Type |
| --- | --- | --- |
| CBUAE fine — AML and sanctions breaches | AED 3,000,000 | UAE-based bank |
| CBUAE fines — AML deficiencies | AED 4,100,000+ combined | Three exchange houses |
| MOE administrative fines | AED 50,000–1,000,000 | DNFBPs |
| Repeated or serious breaches | Licence cancellation | All regulated entities |
These are not isolated cases. They reflect a systematic enforcement posture across the financial sector and a clear signal to DNFBPs that the same standard of scrutiny is coming.
The 2025 law also raised the liability standard. Previously, liability attached if an organisation had actual knowledge that funds came from an illegal source. Now, constructive knowledge is sufficient — meaning an organisation can be held liable if it should have known. Having AML policies written in a manual is no longer enough. You must document that those policies are being implemented and followed. A generic template sitting in a folder provides no protection under the current law.
Common Mistakes to Avoid
Most AML breaches come down to a small number of avoidable errors.
Assuming AML does not apply to your sector. Consulting firms, professional services businesses, and many others outside traditional finance make this assumption. The law does not make exceptions based on how non-financial your trade licence looks.
Appointing an MLRO without real authority. If the MLRO cannot make independent decisions or access senior management, the function is broken before it starts. Regulators identify this immediately during inspections.
Using generic or copied AML policies. Policies must reflect the actual risks of your specific business — your customers, your geographies, your transaction types. A downloaded template does not meet the current standard under the 2025 law.
Treating CDD as a one-time exercise. Customer due diligence becomes stale. Changes in business activity, updates to sanctions lists, and changes in ownership all require your CDD records to be updated. Ongoing monitoring is a legal requirement, not optional best practice.
Failing to register on goAML or failing to file STRs. Both are separate, serious breaches with direct consequences. Non-registration is an automatic internal controls failure. Failure to file an STR when required is a criminal offence.
A Practical Starting Point
If you are a regulated business in the UAE and have not yet systematically addressed AML compliance, start with an Enterprise-Wide Risk Assessment (EWRA).
An EWRA is a structured evaluation of your exposure to money laundering, terrorism financing, and proliferation financing risks. It looks at your customers, geographies, products, and transaction types. It identifies where your risk is highest and where your controls need to be strongest.
From the EWRA, build your compliance framework in this order:
1. Complete your goAML registration if not already done
2. Appoint or confirm your MLRO — with real authority and board access
3. Build or update written AML policies and procedures based on your risk assessment
4. Implement CDD and EDD procedures for customer onboarding
5. Set up ongoing sanctions screening — not just at onboarding
6. Train all relevant staff on their AML obligations
7. Schedule regular compliance reviews — at minimum annually
Everything in your compliance framework flows from that initial risk assessment. A generic policy template cannot substitute for it. The FATF's guidance on risk-based approaches and the CBUAE's AML guidance both confirm that documented, implemented, risk-specific controls are the standard — not paper policies.
Conclusion
The UAE's AML framework is one of the most actively enforced financial crime regimes in the region. The 2025 legislative overhaul made it broader, stricter, and harder to sidestep.
For SMEs in regulated sectors, the question is no longer whether to take AML compliance seriously. The enforcement environment has already answered that. The question is whether your current compliance function — your EWRA, your policies, your MLRO, your goAML registration, your CDD processes — is genuinely fit for purpose under the 2025 law.
For most businesses that last reviewed their AML setup before December 2025, the honest answer is: probably not yet. The time to address that is before the next inspection — not during it.
For a broader view of how AML compliance connects to your overall financial governance, read our guide on outsourced accounting and compliance services in the UAE.
Frequently Asked Questions
Does AML compliance apply to my UAE business if I am not a bank? Yes — if your business falls into the DNFBP category. This includes real estate agents, accountants, auditors, tax advisors, lawyers, company formation agents, precious metals dealers, and now gaming operators under the 2025 law. The determining factor is your business activity, not your licence type or company size.
What is goAML and do I need to register? goAML is the UAE FIU's official platform for submitting suspicious transaction and activity reports. Registration is mandatory for all regulated entities — regardless of whether any suspicious transactions have occurred. Failure to register is treated as an automatic internal controls failure during inspections.
What changed under Federal Decree-Law No. 10 of 2025? The 2025 law expanded the regulated entity list (adding gaming operators and VASPs), raised the liability standard to constructive knowledge, separated the three compliance objectives (ML, TF, CPF) into distinct obligations, and expanded the FIU's asset freezing powers. Any AML policies last reviewed before December 14, 2025 need to be updated.
What is the minimum fine for AML non-compliance in the UAE? For DNFBPs supervised by the Ministry of Economy, fines start at AED 50,000 and go up to AED 1,000,000. Repeated or serious breaches can result in trade licence cancellation.
What is an MLRO and does my business need one? Yes. Every regulated entity must appoint a Money Laundering Reporting Officer. Under the 2025 law, the MLRO must be a UAE resident, hold sufficient seniority to act independently, and have direct access to senior management and the board. The role must have genuine decision-making authority — a title without authority does not satisfy the requirement.
What is an Enterprise-Wide Risk Assessment? An EWRA is a structured evaluation of your business's exposure to money laundering, terrorism financing, and proliferation financing risks. It is the foundation of your AML compliance framework. Your policies, CDD procedures, and staff training should all flow from your specific risk profile — not from a generic template.
What is Customer Due Diligence and how often must it be done? CDD is the process of verifying customer identity and assessing their risk profile at onboarding. It is not a one-time exercise — it must be maintained and updated throughout the business relationship. When a customer's circumstances change, when sanctions lists are updated, or when business activities shift, your CDD records must reflect those changes.
What happens if I file a Suspicious Transaction Report? You file the STR through goAML. The UAE FIU receives, analyses, and acts on the information. You must not inform the customer that a report has been filed — doing so is tipping off, which is a separate criminal offence. There is no minimum transaction value that triggers the duty — suspicion alone is the threshold.
Are free zone businesses subject to UAE AML laws? Yes. The UAE AML framework applies to regulated entities operating in free zones as well as on the mainland. Free zone businesses in DIFC and ADGM are also subject to those zones' own AML frameworks, which operate alongside — not instead of — federal law.
Where do I start if my business has never addressed AML compliance? Start with a goAML registration and an Enterprise-Wide Risk Assessment. From there, build your written policies, appoint your MLRO, and implement CDD procedures. The CBUAE's AML guidance and FATF's risk-based approach guidance are the authoritative references for what your compliance function should look like.
Your AML Compliance Shouldn't Be the Last Thing You Fix
Here is the reality: inspectors do not give credit for intentions. They check registration, documentation, and implementation — in that order. A well-meaning business with an outdated policy manual, an MLRO who cannot make decisions, and no goAML registration will fail every time.
The Finanshels compliance team works with UAE businesses across mainland and free zones to build AML frameworks that are fit for purpose under the 2025 law — not just on paper, but in practice.
We handle compliance reviews, help structure your EWRA, and ensure your financial records and reporting obligations are aligned with the current regulatory standard.
Your books, your compliance, your peace of mind — all in one place.
Talk to Finanshels about your AML and compliance obligations — and find out exactly where your business stands today.

