UAEServicesIPR & AML ComplianceAML / CFT ServicesAML Risk Assessment

IPR & AML Compliance · AML / CFT Services

AML Risk Assessment

AML Risk Assessment is the foundation document every other piece of a UAE AML/CFT programme is built on — the written, entity-specific evaluation of customer risk, geographic risk, product/service risk, and delivery-channel risk that Federal Decree-Law No.

Chartered Accountants · Dubai · Since 1986

What AML Risk Assessment is

An AML/CFT risk assessment is the documented process by which a UAE entity identifies, analyses, and rates its exposure to money laundering, terrorist financing, and proliferation financing risk, and uses that rating to calibrate the rest of its compliance programme. The obligation is set out in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism, as amended, together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, which require regulated entities — Designated Non-Financial Businesses and Professions (DNFBPs) under Ministry of Economy supervision, financial institutions under the UAE Central Bank, securities firms under the Securities and Commodities Authority, and Virtual Asset Service Providers under VARA or the relevant emirate regulator — to understand and document their own risk profile rather than apply a uniform, undifferentiated level of due diligence to every customer and transaction. A risk assessment is not a one-time compliance artefact produced to satisfy a registration checkbox; it is the analytical basis that determines which customers get standard due diligence, which get simplified treatment, and which require enhanced scrutiny.

The assessment is built across four recognised risk dimensions. Customer risk considers the nature of the customer — individual versus corporate, complexity of ownership structure, cash-intensive business activity, and whether the customer or its beneficial owners are Politically Exposed Persons (PEPs). Geographic risk considers the jurisdictions a customer, its beneficial owners, or its transaction counterparties are connected to, weighed against countries the Financial Action Task Force (FATF) has identified as having strategic AML/CFT deficiencies, and against the UAE's own designated high-risk jurisdiction guidance. Product and service risk considers which of the entity's own offerings carry elevated laundering potential — real estate transactions, company formation and nominee services, dealing in precious metals and stones, and other activities the AML/CFT Law specifically flags. Delivery-channel risk considers how the relationship is established and conducted — face-to-face onboarding with document verification carries different risk than fully remote, non-face-to-face onboarding, and cash-heavy delivery channels carry different risk than bank-transfer-only relationships.

The output of a properly built risk assessment is not a single number or a pass/fail label. It is a risk rating methodology — a defined, documented basis for classifying individual customers as standard, simplified, or enhanced risk — plus an entity-level risk statement that supervisory authorities and, increasingly, correspondent banks reviewing a business customer's compliance posture will expect to see. The methodology then drives the rest of the CDD programme: which customers require senior management sign-off before onboarding, how frequently a relationship is re-screened, what triggers a file refresh, and what evidence a Compliance Officer needs before escalating a concern toward a Suspicious Transaction Report filed through goAML, the reporting platform operated by the UAE's Financial Intelligence Unit.

What regulators actually test on inspection is not whether a risk assessment document exists in a folder — it is whether the document describes the business that is actually operating. A risk assessment written once at company formation, describing an intended customer base that the business subsequently outgrew or pivoted away from, is treated on inspection almost the same as having no risk assessment at all, because the document no longer reflects reality. Equally common is a risk assessment copied from an industry template with the company name substituted in, where the stated risk factors bear no relationship to the entity's actual geography, customer mix, or transaction pattern. PNPC's approach starts from your licensed activity, your real customer categories, your actual jurisdiction exposure, and your delivery channels, and produces a risk methodology your own staff can apply consistently — because a risk assessment that only the compliance consultant who wrote it understands is not one the business can actually run day to day.

When an AML Risk Assessment engagement is the right starting point

Your business is a newly licensed DNFBP — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and has not yet documented a risk assessment ahead of onboarding its first customers

You are registering, or preparing to register, on the goAML platform and need the risk assessment that should sit behind (or alongside) that registration, not a bare portal sign-up with nothing supporting it

Your existing risk assessment was written at incorporation and has never been revisited, while your customer base, product mix, or jurisdiction exposure has since changed materially

You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection notice or finding that specifically flags an absent, outdated, or generic risk assessment

You are onboarding at growing volume and no longer have a defensible basis for deciding which customers get standard, simplified, or enhanced due diligence — decisions are being made ad hoc rather than against a documented methodology

You handle customers, beneficial owners, or counterparties connected to jurisdictions the Financial Action Task Force has flagged, or to politically exposed persons, and need the risk rating that determines when enhanced due diligence is triggered

A correspondent bank or banking partner has asked to see your AML risk assessment as part of its own periodic review of your business account, and you need a document that will actually satisfy that request

You are acquiring or merging with another regulated entity and need its historical risk assessment methodology diligenced before completion, since a weak or absent assessment is inherited exposure

Your annual review cycle is due, or overdue, and the risk assessment needs to be refreshed against the current customer base, current FATF guidance, and any recent Cabinet Decision updates

You are expanding into a new product line, customer segment, or jurisdiction and need the risk assessment updated before the new activity goes live, not retrofitted after exposure has already been taken on

Where a different engagement fits better

You already have a current, well-documented risk assessment and specifically need the CDD onboarding procedures, screening design, or staff training built around it — that sits under KYC & Customer Due Diligence Advisory rather than a fresh risk assessment

You need the goAML portal registration itself completed with credentials issued — that is the mechanical registration step, though PNPC generally recommends the risk assessment accompany or precede it rather than standing alone

Your business does not fall within any DNFBP, financial institution, or VASP category under UAE AML law — confirm applicability first through a scoping call before commissioning a formal risk assessment

You have already identified a specific suspicious transaction and need to file an STR/SAR now — that is an urgent reporting matter to escalate immediately, with the risk assessment review following afterward, not before

You are under active investigation for money laundering or terrorist financing offences — that requires criminal defence legal representation as the primary engagement

You want a risk assessment produced without sharing your actual customer base, ownership structure, or transaction data — a document built on assumptions rather than your real business will not satisfy the risk-based standard the law requires and will not survive inspection

You are looking for a one-page generic risk statement to satisfy a box on a form, with no intention of using the methodology to actually differentiate customer treatment — that approach is precisely what supervisory authorities flag as compliance theatre on inspection

You need only sanctions/PEP screening software configured, with the underlying risk methodology already settled elsewhere — that is closer to a screening implementation engagement

Structure Comparison

AML Risk Assessment vs related UAE AML/CFT engagements

FeatureAML Risk AssessmentKYC & CDD AdvisorygoAML Portal RegistrationAML Training & Capacity BuildingTransaction Monitoring & Reporting
Primary purposeIdentify, analyse, and document entity-wide money laundering and terrorist financing risk across customer, geographic, product, and delivery-channel dimensionsDesign and implement the full onboarding, screening, and monitoring programme built on top of the risk assessmentRegister the entity and its Compliance Officer on the FIU's goAML platform to enable STR/SAR filingBuild staff capability to execute the risk assessment and CDD programme correctly day to dayOperate ongoing screening and escalation once onboarding and the risk methodology are in place
Legal basisFederal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 (as amended) — risk-based approach requirementSame law — the CDD procedures the risk assessment feeds intoSame AML/CFT framework — the reporting mechanism specificallyAML/CFT Law's requirement for competent, trained staff able to execute the programmeAML/CFT Law's ongoing monitoring and reporting obligation
OutputA written, entity-specific risk assessment document plus a documented customer risk-rating methodologyOnboarding forms, CDD/EDD procedures, screening workflow, policy manualRegistered organisation and Compliance Officer profile with FIU filing accessTrained staff with attendance and competency recordsScreening alerts adjudicated, transaction anomalies escalated, STRs/SARs filed where warranted
SequencingFirst — everything else in the programme is calibrated against itFollows the risk assessment; cannot be properly built without itCan run in parallel, but registration without a risk assessment behind it is incomplete on inspectionFollows once the risk assessment and CDD procedures exist to train staff onOngoing, continuous — depends on the risk assessment's triggers being correctly set
Who typically needs it firstAny DNFBP, financial institution, or VASP without a current, documented risk assessmentEntities with a risk assessment but no operational CDD programme built on itEntities that have a risk assessment and CDD programme but lack platform accessEntities with policies and procedures that staff have not yet been trained to executeEntities with a live onboarding book that needs ongoing screening and escalation discipline
Regulatory inspection focusWhether the document reflects the business's actual customer base, geography, and activity todayWhether onboarding files match what the risk assessment and policy say should happenWhether the organisation and Compliance Officer profiles are both active and correctly linkedWhether staff can answer specific questions about red flags and escalation procedureWhether alerts were adjudicated and suspicious activity reported without delay

These engagements are almost always sequential rather than alternative — a risk assessment with no CDD programme built on it, or a CDD programme with no risk assessment behind it, both read as incomplete on inspection. PNPC typically scopes the risk assessment first, then the CDD/screening/training build, either as one combined engagement or as a phased sequence depending on how much of the surrounding programme already exists.

How it works
#Stage & What PNPC DoesWhat Generic Risk Templates MissTimeline
1Applicability & Scoping Call — confirm DNFBP, financial institution, or VASP status and the correct supervisory authorityA template risk assessment does not ask which specific DNFBP category you fall under, whether you are mainland (Ministry of Economy) or free zone (DFSA in DIFC, FSRA in ADGM), or whether virtual asset exposure brings VARA into scope. These answers change which rulebook the assessment is measured against.1–2 working days
2Customer Base Profiling — categorising the actual customer mix by type, structure complexity, and typical transaction sizeGeneric templates assume a customer profile; we document the real one — individual versus corporate, direct versus layered ownership, cash-intensive versus bank-transfer-only relationships — because the risk rating methodology has to be built from what actually walks through the door.2–4 working days
3Geographic Risk Mapping — assessing exposure to customer, beneficial owner, and counterparty jurisdictions against current FATF and UAE high-risk jurisdiction guidanceA template's list of 'high-risk countries' is often stale by the time it is downloaded — FATF's own lists are updated periodically. We map your actual jurisdiction exposure against current guidance at the time of the assessment, not a remembered list.2–3 working days
4Product & Service Risk Analysis — rating each offering the entity provides against known laundering typologies for that activityA real estate brokerage, a corporate service provider, and a precious metals dealer face materially different product-risk profiles even though all three are DNFBPs — we analyse the specific services rendered, not a category label.2–4 working days
5Delivery Channel Risk Assessment — evaluating how relationships are established (face-to-face, remote, intermediary-introduced) and how funds move (cash, bank transfer, third-party payment, virtual asset)Remote and cash-heavy delivery channels carry meaningfully higher risk than face-to-face, bank-transfer-only relationships — a template that does not differentiate these misses a core input into the overall rating.1–3 working days
6Risk Rating Methodology Design — building the defined basis for classifying individual customers as standard, simplified, or enhanced riskThis is the step most templates skip entirely, leaving the entity with a risk narrative but no actual mechanism for rating a new customer walking in the door tomorrow. We build the scoring or classification logic your onboarding staff can apply consistently.3–5 working days
7Entity-Wide Risk Statement Drafting — the documented conclusion on overall inherent risk, residual risk after controls, and the rationale behind bothA one-line risk conclusion with no supporting analysis does not survive a supervisor's question of 'how did you arrive at this.' We document the reasoning chain from raw risk factors to final rating.2–3 working days
8Alignment with CDD/EDD Triggers — mapping the risk rating output directly to standard, simplified, and enhanced due diligence requirements the entity will applyA risk assessment that does not connect to a concrete due-diligence action for each rating band is an academic exercise, not an operating tool — we tie the rating directly to what onboarding staff do differently for each category.2–3 working days
9Management/Board Review and Sign-OffAML/CFT governance expects senior management or board ownership of the risk assessment, not just a compliance officer's private working document — we prepare the assessment for formal review and documented approval.1–2 working days, subject to internal availability
10Integration with goAML Registration and Wider ProgrammeA risk assessment produced in isolation from the goAML registration and the broader CDD build is a missed opportunity for consistency — we hand the finished assessment directly into the registration and policy-drafting workstream where those are also engaged.Concurrent with registration where both are in scope
11Annual Review Scheduling — the risk assessment is diarised for at least an annual refresh, or sooner on material business changeA risk assessment that is filed away and never revisited is the single most common inspection finding on this specific document — we build the review date into the client's compliance calendar from day one.Ongoing — annual, or on material change

Realistic timeline for a complete, entity-specific risk assessment from scoping call to board-approved document: typically 2–4 weeks depending on the complexity of the customer base and how readily existing customer and transaction data can be pulled together. Entities with clean, accessible records move faster; those needing to reconstruct customer categorisation from scratch will take longer. This timeline runs independently of, but is often scoped alongside, goAML registration and the wider CDD programme build.

Document Checklist
Entity & Licensing Information

Trade licence copy — mainland DED licence or free zone licence, showing licensed activities in full, since risk exposure follows actual licensed activity

Organisational chart identifying who will own and approve the risk assessment (senior management, board, or designated Compliance Officer)

Details of all UAE and overseas branches, subsidiaries, or related entities sharing a customer base or referral relationship

Any existing risk assessment or risk-related documentation, however outdated, for gap review against current requirements

Customer Base Data

A representative sample or full listing of current customer categories — individual, corporate, trust, government — with indicative transaction value ranges and frequency

Breakdown of customer ownership structures — direct individual ownership versus layered corporate, trust, or nominee arrangements

Any existing customer segmentation, tiering, or informal risk categorisation currently in use

Volume and growth trend of onboarding over recent periods, to gauge whether manual risk judgement is still practical at current scale

Geographic & Counterparty Exposure

List of jurisdictions where customers, beneficial owners, or transaction counterparties are based or connected

Details of any dealings with jurisdictions the business is aware may carry elevated AML/CFT risk under FATF or UAE guidance

Cross-border transaction patterns, including frequency and typical routing, where relevant to the business activity

Product, Service & Delivery Channel Detail

Full description of products and services offered, including any that involve cash handling, real estate, precious metals, company formation, or nominee arrangements

Description of onboarding channels used — face-to-face, remote/digital, intermediary-introduced — and the proportion of business conducted through each

Payment methods accepted — bank transfer, cash, cryptocurrency/virtual assets, third-party payment — since each carries different risk weighting

Details of any outsourced or intermediary-based customer introduction arrangements

Existing Compliance Infrastructure

Details of any sanctions or PEP screening tool currently in use, including vendor and configuration

Records of any prior Suspicious Transaction Reports filed, or internal escalations raised, relevant to understanding realised risk

Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA relating to any prior inspection, finding, or guidance specific to risk assessment expectations

Existing goAML registration status and reference details, where already registered

Governance & Sign-Off Materials

Designated Compliance Officer or MLRO details, or confirmation that this role is still to be assigned

Prior board or management meeting minutes referencing AML/CFT risk, if any exist

Confirmation of who within the business holds authority to approve the finished risk assessment on behalf of senior management or the board

Ongoing obligations
PhaseTriggered ByPNPC GuidanceRisk If Ignored
Initial Risk Assessment BuildNew DNFBP licence, first formal AML/CFT programme build, or discovery of an absent/outdated assessmentCustomer, geographic, product, and delivery-channel risk analysed from actual business data and documented into a formal risk statement and rating methodology, presented for management/board sign-off.Onboarding without a documented risk basis means every due-diligence decision is effectively ad hoc, and the entity cannot demonstrate a risk-based approach if challenged on inspection.
Integration into CDD ProgrammeRisk assessment completed or nearing completionThe risk rating methodology is wired directly into onboarding procedures — determining which customers get standard, simplified, or enhanced due diligence, and what triggers senior management approval.A risk assessment that sits unused, disconnected from actual onboarding decisions, is functionally indistinguishable from not having one when a supervisor tests real customer files against it.
Ongoing ApplicationEvery new customer onboardedThe risk rating is applied consistently to classify each new relationship, with the classification driving the depth of due diligence performed and documented.Inconsistent application — the same customer type rated differently depending on who onboarded them — is a recurring, easily-spotted inspection finding.
Periodic Monitoring for Rating DriftOngoing relationship activity that deviates from the customer's original risk profileTransaction patterns and customer information are periodically checked against the original risk rating; a customer whose activity no longer matches their stated profile is flagged for re-rating.A customer onboarded as low-risk who has since begun exhibiting higher-risk activity, with no re-rating trigger in place, represents undetected exposure the original assessment cannot catch on its own.
Annual ReviewAnniversary of the risk assessment, or sooner on material business changeThe full assessment is refreshed against the current customer base, current FATF and UAE guidance, and any relevant Cabinet Decision updates, with changes documented and re-approved by management.A stale risk assessment is one of the most commonly cited findings in DNFBP inspections — 'when was this last updated' is a standard question with an easy pass or fail answer.
Business Change TriggerNew product line, new customer segment, new jurisdiction exposure, M&A, or ownership changeThe risk assessment is revisited and updated before the new activity goes live, incorporating the new risk factors rather than retrofitting the assessment after exposure has already been taken on.A new business line onboarded under an unrevised risk assessment is effectively unassessed activity — the document on file no longer describes what the business actually does.
Regulatory InspectionScheduled or unannounced supervisory visit from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARAPNPC supports document production and can walk the inspecting officer through the risk assessment's methodology and how it connects to actual onboarding files.An entity unable to explain how its risk rating was derived, or whose files do not match the stated methodology, faces findings that typically escalate from a corrective directive to administrative fines.
Finding or Remediation DirectiveInspection outcome specifically citing the risk assessment as deficientPNPC rebuilds or substantially revises the assessment against the specific finding, with a documented corrective action plan and timeline for supervisor follow-up.An unaddressed finding on the risk assessment — the foundation document — tends to cascade into follow-on findings across CDD, screening, and training, since those all depend on it.
Frequently asked
What exactly is an AML risk assessment, and how is it different from an AML policy?

The risk assessment is the analytical document that identifies and rates the entity's exposure to money laundering and terrorist financing risk across customer, geographic, product, and delivery-channel dimensions. The AML policy is the procedural document that sets out what the entity does in response to that risk — CDD steps, screening cadence, escalation procedures. The risk assessment answers 'what is our risk profile'; the policy answers 'what do we do about it.' A policy without a risk assessment behind it is not properly risk-based, since there is no documented analysis driving its calibration.

Practitioner noteWe are frequently asked to review an existing 'AML policy' that turns out to be a procedures document with no underlying risk assessment at all — the procedures exist, but nobody can explain why they were set at that level. We build the risk assessment first specifically to answer that question.
Is having a documented risk assessment legally mandatory, or is it just good practice?

It is a legal requirement, not a discretionary best practice, for entities within scope of Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions. The risk-based approach is a core structural expectation of the UAE's AML/CFT framework — regulated entities are expected to understand and document their own risk exposure rather than applying uniform treatment to every customer regardless of actual risk.

Practitioner noteClients sometimes assume the risk assessment is an optional add-on to the 'real' requirement of goAML registration. In practice, supervisors treat the absence of a documented risk assessment as seriously as an absent registration — arguably more so, because it undermines the credibility of everything else in the file.
How is customer risk actually assessed — what factors go into the rating?

Customer risk considers factors including whether the customer is an individual or corporate entity, the complexity and transparency of its ownership structure, whether it or its beneficial owners are Politically Exposed Persons, the nature and cash-intensity of its business activity, and how long and how transparently the relationship has operated. These factors are combined into a documented rating — typically standard, simplified, or enhanced — that then determines the depth of due diligence applied.

Practitioner noteWe push clients to move beyond a gut-feel rating to a documented scoring or classification logic — not because a number is magic, but because a documented methodology is defensible on inspection in a way that 'we just knew' is not.
What does geographic risk mean in practice, and which jurisdictions count as higher-risk?

Geographic risk considers the jurisdictions connected to a customer, its beneficial owners, or its transaction counterparties, weighed against countries the Financial Action Task Force (FATF) has identified as having strategic AML/CFT deficiencies, and against any UAE-specific high-risk jurisdiction guidance. Because FATF's own list is periodically updated, a risk assessment needs to reference current guidance at the time it is prepared rather than a fixed list assumed to still be accurate.

Practitioner noteWe verify the current FATF list status at the point of each engagement rather than relying on a remembered or previously-downloaded list — this is exactly the kind of detail that goes stale silently if nobody checks it.
Why does the delivery channel — how a customer is onboarded — affect the risk rating?

Face-to-face onboarding with original document verification allows more direct identity confirmation than fully remote or non-face-to-face onboarding, which carries a higher inherent risk of impersonation or misrepresentation absent additional controls. Similarly, cash-heavy relationships carry different risk than relationships conducted entirely through traceable bank transfers. The delivery-channel dimension captures these differences so the risk rating reflects not just who the customer is, but how the relationship is actually conducted.

Practitioner noteBusinesses that shifted from in-person to remote onboarding during any period of disrupted operations sometimes never revisited their risk assessment to reflect that channel change — we specifically ask how onboarding actually happens today, not how it happened when the last assessment was written.
What is the difference between inherent risk and residual risk in a risk assessment?

Inherent risk is the level of money laundering and terrorist financing risk a business faces before any mitigating controls are applied — essentially the raw exposure created by its customer base, geography, products, and delivery channels. Residual risk is what remains after the entity's actual controls — CDD procedures, screening, monitoring, staff training — are factored in. A properly built risk assessment documents both, because residual risk is what should actually drive ongoing due-diligence decisions, while inherent risk shows why those controls are necessary in the first place.

Practitioner noteWe deliberately show both figures in the assessments we build, because a business that only sees a 'low residual risk' conclusion can lose sight of why the controls producing that low residual figure need to keep running — the controls are doing the work, not the business's inherent nature.
How does the risk assessment connect to enhanced due diligence triggers?

The risk rating methodology defines, in advance, which combinations of customer, geographic, product, and delivery-channel factors push a relationship into the enhanced due diligence category — for example, a Politically Exposed Person connected to a FATF-flagged jurisdiction transacting through a complex offshore ownership structure. Building this connection explicitly means onboarding staff have a documented, consistent basis for escalating a relationship to enhanced treatment, rather than relying on individual judgement case by case.

Practitioner noteThe single most valuable output of a good risk assessment, in our experience, is a clear, written answer to 'what specifically triggers enhanced due diligence here' — vague assessments that never define this leave staff guessing exactly when it matters most.
How often does the risk assessment need to be updated?

At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, entry into a new customer segment or geographic market, a change in ownership or control, a shift in onboarding channels, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. An assessment that has not been revisited in several years, however well-drafted originally, no longer reflects the business as it currently operates.

Practitioner noteWe build the annual review into the ongoing advisory relationship rather than leaving it to the client to remember — a calendar-driven review catches drift in the customer base before a supervisor does.
Can we use a downloaded or generic risk assessment template instead of a bespoke one?

A template can be a useful starting structure, but it must be populated with the entity's actual customer, geographic, product, and delivery-channel data to function as a genuine risk-based assessment. A template with the company name substituted in, describing risk factors that do not match the entity's real business, is a recognised inspection finding — supervisors test whether the document reflects the business operating under it, not whether a document exists.

Practitioner noteWe ask new clients to send any existing risk assessment first — nine times out of ten it was adapted from a template and never actually calibrated to the specific customer base and geography the business deals with.
Who inside the business should own and sign off the risk assessment?

AML/CFT governance expects the risk assessment to be reviewed and formally approved by senior management or the board, not treated as a private working document maintained solely by a compliance officer with no wider organisational buy-in. The sign-off matters because it evidences that the entity's leadership has actually engaged with and accepted the documented risk profile, rather than delegating the entire question downward with no oversight.

Practitioner noteWe build a formal sign-off step into every engagement — a risk assessment with no evidenced management approval reads, on inspection, as a document nobody with real authority has actually reviewed.
Does having a risk assessment protect the business if a customer later turns out to be involved in money laundering?

A properly built and consistently applied risk assessment is the standard against which a business's conduct is judged — it demonstrates the entity took a documented, risk-based approach in good faith. It does not guarantee that criminal activity will never occur through the business, but an entity that can show it followed its documented methodology is in a materially different position, from a regulatory and reputational standpoint, than one with no risk basis for its decisions at all.

Practitioner noteWe are candid with clients: the assessment's purpose is defensible, demonstrable good-faith compliance, not a guarantee against ever encountering a bad actor. Understanding that distinction shapes how seriously the document needs to be built and maintained.
What happens if a Ministry of Economy inspector asks how a specific customer's risk rating was determined and we cannot explain it?

An inability to explain the basis for a specific customer's rating — beyond 'that's what the system said' or 'that felt right' — signals that the documented methodology either does not exist in enough detail or is not actually being applied consistently by staff. This is one of the most direct tests an inspector can run, walking through a handful of actual files and asking staff to justify the rating against the written methodology.

Practitioner noteWe run exactly this test internally before a client goes live — pulling sample files and asking staff to explain the rating using only the documented methodology, no outside knowledge — because it surfaces gaps between the written policy and what people actually understand faster than anything else.
How does the risk assessment differ for a real estate broker versus a corporate service provider versus a precious metals dealer?

All three are DNFBP categories under UAE AML law, but their product and delivery-channel risk profiles differ substantially — a real estate broker's risk centres on high-value, sometimes cash-adjacent transactions and layered purchasing vehicles; a corporate service provider's risk centres on undisclosed beneficial ownership behind formed entities and nominee arrangements; a precious metals dealer's risk centres on cash-transaction thresholds and portability of value. A generic risk assessment that does not differentiate these activity-specific risk factors misses what actually drives exposure in each sector.

Practitioner noteWe build sector-specific risk factor libraries into each assessment rather than a one-size-fits-all DNFBP checklist — the typologies that matter for a jeweller are not the ones that matter for a company formation agent, even though both are DNFBPs on paper.
Do free zone entities in DIFC or ADGM need a different risk assessment approach than mainland entities?

DIFC entities regulated by the Dubai Financial Services Authority and ADGM entities regulated by the Financial Services Regulatory Authority operate under their own AML rulebooks, which sit alongside and are generally aligned in substance with the federal AML/CFT framework, but the specific expectations and any sector-specific guidance can differ from the Ministry of Economy's approach for mainland DNFBPs. The risk assessment methodology should be built against the entity's actual governing rulebook.

Practitioner noteWe scope this explicitly at the outset — a risk assessment built against Ministry of Economy expectations for a DIFC-regulated entity may not fully satisfy its actual DFSA supervisor, even though the underlying AML principles are broadly similar.
How does accepting cryptocurrency or virtual asset payments change the risk assessment?

Accepting or facilitating virtual asset transactions introduces a distinct risk dimension — pseudonymity, cross-border speed, and potential exposure to unregulated counterparties — that a traditional-payment risk assessment does not capture, and can also bring the entity within Virtual Asset Service Provider (VASP) regulatory scope, which carries its own generally more stringent AML/CFT expectations. A risk assessment needs to be revisited, not just amended, when virtual asset acceptance is introduced.

Practitioner noteWe treat any mention of virtual asset acceptance as a trigger for reassessing regulatory scope entirely, not just adding a line item to an existing risk assessment — the VASP framework is materially different and still evolving.
Can a small business with only a handful of customers use a simplified, shorter risk assessment?

The depth and formality of the risk assessment can reasonably scale to the size and complexity of the business — a sole practitioner's assessment will be shorter and less elaborate than a large real estate developer's — but every regulated entity, regardless of size, needs a documented assessment covering the same substantive dimensions: customer, geographic, product, and delivery-channel risk, with a defined rating methodology. 'Too small to need one' is not a recognised exemption.

Practitioner noteWe right-size the document to the client's actual scale rather than imposing an enterprise-length assessment on a small business — a proportionate, well-reasoned two-page assessment for a small firm passes inspection; an unused fifty-page document copied from elsewhere does not.
What is the relationship between the risk assessment and goAML registration — do we need both, and in what order?

goAML registration is the mechanical step that gives an entity access to file Suspicious Transaction Reports and Suspicious Activity Reports; the risk assessment is the analytical foundation that determines when a customer relationship or transaction should raise concern in the first place. Both are required, and PNPC generally recommends the risk assessment be built alongside or ahead of registration, since a registered entity with no documented risk basis for its due-diligence decisions presents an incomplete file on inspection even though the portal registration itself is technically complete.

Practitioner noteWe have taken on clients who registered on goAML themselves years ago and never built a risk assessment behind it — the registration was fine; the absence of everything that should sit behind it was the actual finding on their last inspection.
What does PNPC actually deliver in an AML Risk Assessment engagement?

A typical engagement covers: applicability and scoping confirmation; customer base profiling; geographic risk mapping against current FATF and UAE guidance; product and service risk analysis specific to the entity's activities; delivery-channel risk assessment; a documented risk rating methodology classifying customers as standard, simplified, or enhanced risk; an entity-wide risk statement covering inherent and residual risk; and a management/board sign-off package. The finished assessment is handed off ready to integrate into CDD procedures, goAML registration, and staff training where those are also in scope.

Practitioner noteWe scope every engagement in writing before starting, so clients know exactly what the deliverable includes and how it is meant to plug into the wider AML/CFT programme, whether PNPC is building that programme too or the client's own team is.
How much does an AML Risk Assessment engagement cost?

PNPC agrees a fixed, written fee before work begins, scoped to the complexity of the business — a single-office corporate service provider with a narrow customer base requires materially less analytical work than a multi-branch real estate brokerage with diverse geographic exposure. Ongoing annual review pricing is quoted separately and is also fixed and agreed in writing.

Practitioner noteWe do not publish a single number here because risk assessment complexity varies significantly by customer base size, geographic spread, and product mix — a fixed generic price would either overcharge simple businesses or undercharge complex ones. Ask us for a scoped, written quote.
Why engage PNPC rather than writing the risk assessment ourselves using a free template?

Writing a risk assessment mechanically is straightforward once a template exists — the harder, higher-stakes work is building a rating methodology that actually reflects your real customer base and that your own staff can apply consistently, referencing current FATF and UAE guidance rather than a stale downloaded list, and producing a document that will hold up when a supervisor tests it against your actual files rather than just reading it in isolation. A self-written assessment with no connection to real onboarding decisions is the pattern we most often see corrected after an inspection finding.

Practitioner noteWe have rebuilt multiple clients' risk assessments after a Ministry of Economy inspection flagged the existing document as generic or disconnected from actual practice — rebuilding under a remediation deadline costs materially more in time and stress than building it correctly the first time.
Why PNPC Global

PNPC AML Risk Assessment vs generic template providers

DimensionGeneric Template / Downloaded DocumentPNPC Global
Risk assessment basisGeneric industry boilerplate with the company name substituted in, not specific to your customer base or jurisdiction exposureBuilt from your actual licensed activity, customer categories, transaction profile, and geographic exposure
Rating methodologyOften a narrative statement with no defined mechanism for classifying an individual new customerA documented, applicable classification logic staff can use to rate standard, simplified, and enhanced-risk customers consistently
Geographic risk dataA fixed list, frequently stale by the time it is downloadedMapped against current FATF and UAE high-risk jurisdiction guidance at the time of the engagement
Connection to CDD triggersRarely wired to concrete due-diligence actions — the rating exists but nothing follows from itExplicitly linked to standard, simplified, and enhanced due diligence triggers your onboarding team applies
Management sign-offNo formal approval step — a compliance officer's private working documentBuilt for and presented at formal senior management or board review and sign-off
Inspection readinessNot tested before the actual inspection is the first testReviewed against how a supervisor would test it — asking staff to justify a real file's rating from the documented methodology
Ongoing currencyStatic document, not updated as FATF guidance or Cabinet Decisions evolveAnnual review built into the relationship, refreshed on material business change
Cross-disciplinary contextRisk assessment in isolation from tax, accounting, and corporate structureIntegrated view across UAE tax, accounting, corporate structuring, and AML — inconsistencies more likely caught internally
Presence beyond deliveryDocument handed over; engagement ends therePNPC Dubai office, practising CA firm since 1986, available for the CDD build, goAML registration, and ongoing advisory that follows

What the PNPC package includes

  1. 01

    Applicability scoping to confirm DNFBP, financial institution, or VASP status and the correct supervisory authority

  2. 02

    Customer base profiling across ownership complexity, transaction size, and relationship type

  3. 03

    Geographic risk mapping against current FATF and UAE high-risk jurisdiction guidance

  4. 04

    Product and service risk analysis specific to your actual licensed activities

  5. 05

    Delivery-channel risk assessment covering onboarding method and payment/fund-movement patterns

  6. 06

    Documented customer risk-rating methodology (standard, simplified, enhanced) staff can apply consistently

  7. 07

    Entity-wide risk statement covering both inherent and residual risk with supporting rationale

  8. 08

    Explicit linkage between the risk rating and CDD/EDD triggers used in onboarding

  9. 09

    Management/board review package and formal sign-off support

  10. 10

    Integration hand-off into goAML registration and the wider CDD/screening/training build where in scope

  11. 11

    Annual review scheduling built into the compliance calendar

  12. 12

    Direct support drafting corrective updates if a supervisory finding specifically cites the risk assessment

Talk to PNPC's Dubai team before your onboarding decisions rest on assumptions rather than a documented, defensible risk assessment.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to AML / CFT Services