IPR & AML Compliance · AML / CFT Services
AML Risk Assessment
AML Risk Assessment is the foundation document every other piece of a UAE AML/CFT programme is built on — the written, entity-specific evaluation of customer risk, geographic risk, product/service risk, and delivery-channel risk that Federal Decree-Law No.
Chartered Accountants · Dubai · Since 1986
An AML/CFT risk assessment is the documented process by which a UAE entity identifies, analyses, and rates its exposure to money laundering, terrorist financing, and proliferation financing risk, and uses that rating to calibrate the rest of its compliance programme. The obligation is set out in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism, as amended, together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, which require regulated entities — Designated Non-Financial Businesses and Professions (DNFBPs) under Ministry of Economy supervision, financial institutions under the UAE Central Bank, securities firms under the Securities and Commodities Authority, and Virtual Asset Service Providers under VARA or the relevant emirate regulator — to understand and document their own risk profile rather than apply a uniform, undifferentiated level of due diligence to every customer and transaction. A risk assessment is not a one-time compliance artefact produced to satisfy a registration checkbox; it is the analytical basis that determines which customers get standard due diligence, which get simplified treatment, and which require enhanced scrutiny.
The assessment is built across four recognised risk dimensions. Customer risk considers the nature of the customer — individual versus corporate, complexity of ownership structure, cash-intensive business activity, and whether the customer or its beneficial owners are Politically Exposed Persons (PEPs). Geographic risk considers the jurisdictions a customer, its beneficial owners, or its transaction counterparties are connected to, weighed against countries the Financial Action Task Force (FATF) has identified as having strategic AML/CFT deficiencies, and against the UAE's own designated high-risk jurisdiction guidance. Product and service risk considers which of the entity's own offerings carry elevated laundering potential — real estate transactions, company formation and nominee services, dealing in precious metals and stones, and other activities the AML/CFT Law specifically flags. Delivery-channel risk considers how the relationship is established and conducted — face-to-face onboarding with document verification carries different risk than fully remote, non-face-to-face onboarding, and cash-heavy delivery channels carry different risk than bank-transfer-only relationships.
The output of a properly built risk assessment is not a single number or a pass/fail label. It is a risk rating methodology — a defined, documented basis for classifying individual customers as standard, simplified, or enhanced risk — plus an entity-level risk statement that supervisory authorities and, increasingly, correspondent banks reviewing a business customer's compliance posture will expect to see. The methodology then drives the rest of the CDD programme: which customers require senior management sign-off before onboarding, how frequently a relationship is re-screened, what triggers a file refresh, and what evidence a Compliance Officer needs before escalating a concern toward a Suspicious Transaction Report filed through goAML, the reporting platform operated by the UAE's Financial Intelligence Unit.
What regulators actually test on inspection is not whether a risk assessment document exists in a folder — it is whether the document describes the business that is actually operating. A risk assessment written once at company formation, describing an intended customer base that the business subsequently outgrew or pivoted away from, is treated on inspection almost the same as having no risk assessment at all, because the document no longer reflects reality. Equally common is a risk assessment copied from an industry template with the company name substituted in, where the stated risk factors bear no relationship to the entity's actual geography, customer mix, or transaction pattern. PNPC's approach starts from your licensed activity, your real customer categories, your actual jurisdiction exposure, and your delivery channels, and produces a risk methodology your own staff can apply consistently — because a risk assessment that only the compliance consultant who wrote it understands is not one the business can actually run day to day.
When an AML Risk Assessment engagement is the right starting point
Your business is a newly licensed DNFBP — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and has not yet documented a risk assessment ahead of onboarding its first customers
You are registering, or preparing to register, on the goAML platform and need the risk assessment that should sit behind (or alongside) that registration, not a bare portal sign-up with nothing supporting it
Your existing risk assessment was written at incorporation and has never been revisited, while your customer base, product mix, or jurisdiction exposure has since changed materially
You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection notice or finding that specifically flags an absent, outdated, or generic risk assessment
You are onboarding at growing volume and no longer have a defensible basis for deciding which customers get standard, simplified, or enhanced due diligence — decisions are being made ad hoc rather than against a documented methodology
You handle customers, beneficial owners, or counterparties connected to jurisdictions the Financial Action Task Force has flagged, or to politically exposed persons, and need the risk rating that determines when enhanced due diligence is triggered
A correspondent bank or banking partner has asked to see your AML risk assessment as part of its own periodic review of your business account, and you need a document that will actually satisfy that request
You are acquiring or merging with another regulated entity and need its historical risk assessment methodology diligenced before completion, since a weak or absent assessment is inherited exposure
Your annual review cycle is due, or overdue, and the risk assessment needs to be refreshed against the current customer base, current FATF guidance, and any recent Cabinet Decision updates
You are expanding into a new product line, customer segment, or jurisdiction and need the risk assessment updated before the new activity goes live, not retrofitted after exposure has already been taken on
Where a different engagement fits better
You already have a current, well-documented risk assessment and specifically need the CDD onboarding procedures, screening design, or staff training built around it — that sits under KYC & Customer Due Diligence Advisory rather than a fresh risk assessment
You need the goAML portal registration itself completed with credentials issued — that is the mechanical registration step, though PNPC generally recommends the risk assessment accompany or precede it rather than standing alone
Your business does not fall within any DNFBP, financial institution, or VASP category under UAE AML law — confirm applicability first through a scoping call before commissioning a formal risk assessment
You have already identified a specific suspicious transaction and need to file an STR/SAR now — that is an urgent reporting matter to escalate immediately, with the risk assessment review following afterward, not before
You are under active investigation for money laundering or terrorist financing offences — that requires criminal defence legal representation as the primary engagement
You want a risk assessment produced without sharing your actual customer base, ownership structure, or transaction data — a document built on assumptions rather than your real business will not satisfy the risk-based standard the law requires and will not survive inspection
You are looking for a one-page generic risk statement to satisfy a box on a form, with no intention of using the methodology to actually differentiate customer treatment — that approach is precisely what supervisory authorities flag as compliance theatre on inspection
You need only sanctions/PEP screening software configured, with the underlying risk methodology already settled elsewhere — that is closer to a screening implementation engagement
AML Risk Assessment vs related UAE AML/CFT engagements
| Feature | AML Risk Assessment | KYC & CDD Advisory | goAML Portal Registration | AML Training & Capacity Building | Transaction Monitoring & Reporting |
|---|---|---|---|---|---|
| Primary purpose | Identify, analyse, and document entity-wide money laundering and terrorist financing risk across customer, geographic, product, and delivery-channel dimensions | Design and implement the full onboarding, screening, and monitoring programme built on top of the risk assessment | Register the entity and its Compliance Officer on the FIU's goAML platform to enable STR/SAR filing | Build staff capability to execute the risk assessment and CDD programme correctly day to day | Operate ongoing screening and escalation once onboarding and the risk methodology are in place |
| Legal basis | Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 (as amended) — risk-based approach requirement | Same law — the CDD procedures the risk assessment feeds into | Same AML/CFT framework — the reporting mechanism specifically | AML/CFT Law's requirement for competent, trained staff able to execute the programme | AML/CFT Law's ongoing monitoring and reporting obligation |
| Output | A written, entity-specific risk assessment document plus a documented customer risk-rating methodology | Onboarding forms, CDD/EDD procedures, screening workflow, policy manual | Registered organisation and Compliance Officer profile with FIU filing access | Trained staff with attendance and competency records | Screening alerts adjudicated, transaction anomalies escalated, STRs/SARs filed where warranted |
| Sequencing | First — everything else in the programme is calibrated against it | Follows the risk assessment; cannot be properly built without it | Can run in parallel, but registration without a risk assessment behind it is incomplete on inspection | Follows once the risk assessment and CDD procedures exist to train staff on | Ongoing, continuous — depends on the risk assessment's triggers being correctly set |
| Who typically needs it first | Any DNFBP, financial institution, or VASP without a current, documented risk assessment | Entities with a risk assessment but no operational CDD programme built on it | Entities that have a risk assessment and CDD programme but lack platform access | Entities with policies and procedures that staff have not yet been trained to execute | Entities with a live onboarding book that needs ongoing screening and escalation discipline |
| Regulatory inspection focus | Whether the document reflects the business's actual customer base, geography, and activity today | Whether onboarding files match what the risk assessment and policy say should happen | Whether the organisation and Compliance Officer profiles are both active and correctly linked | Whether staff can answer specific questions about red flags and escalation procedure | Whether alerts were adjudicated and suspicious activity reported without delay |
These engagements are almost always sequential rather than alternative — a risk assessment with no CDD programme built on it, or a CDD programme with no risk assessment behind it, both read as incomplete on inspection. PNPC typically scopes the risk assessment first, then the CDD/screening/training build, either as one combined engagement or as a phased sequence depending on how much of the surrounding programme already exists.
| # | Stage & What PNPC Does | What Generic Risk Templates Miss | Timeline |
|---|---|---|---|
| 1 | Applicability & Scoping Call — confirm DNFBP, financial institution, or VASP status and the correct supervisory authority | A template risk assessment does not ask which specific DNFBP category you fall under, whether you are mainland (Ministry of Economy) or free zone (DFSA in DIFC, FSRA in ADGM), or whether virtual asset exposure brings VARA into scope. These answers change which rulebook the assessment is measured against. | 1–2 working days |
| 2 | Customer Base Profiling — categorising the actual customer mix by type, structure complexity, and typical transaction size | Generic templates assume a customer profile; we document the real one — individual versus corporate, direct versus layered ownership, cash-intensive versus bank-transfer-only relationships — because the risk rating methodology has to be built from what actually walks through the door. | 2–4 working days |
| 3 | Geographic Risk Mapping — assessing exposure to customer, beneficial owner, and counterparty jurisdictions against current FATF and UAE high-risk jurisdiction guidance | A template's list of 'high-risk countries' is often stale by the time it is downloaded — FATF's own lists are updated periodically. We map your actual jurisdiction exposure against current guidance at the time of the assessment, not a remembered list. | 2–3 working days |
| 4 | Product & Service Risk Analysis — rating each offering the entity provides against known laundering typologies for that activity | A real estate brokerage, a corporate service provider, and a precious metals dealer face materially different product-risk profiles even though all three are DNFBPs — we analyse the specific services rendered, not a category label. | 2–4 working days |
| 5 | Delivery Channel Risk Assessment — evaluating how relationships are established (face-to-face, remote, intermediary-introduced) and how funds move (cash, bank transfer, third-party payment, virtual asset) | Remote and cash-heavy delivery channels carry meaningfully higher risk than face-to-face, bank-transfer-only relationships — a template that does not differentiate these misses a core input into the overall rating. | 1–3 working days |
| 6 | Risk Rating Methodology Design — building the defined basis for classifying individual customers as standard, simplified, or enhanced risk | This is the step most templates skip entirely, leaving the entity with a risk narrative but no actual mechanism for rating a new customer walking in the door tomorrow. We build the scoring or classification logic your onboarding staff can apply consistently. | 3–5 working days |
| 7 | Entity-Wide Risk Statement Drafting — the documented conclusion on overall inherent risk, residual risk after controls, and the rationale behind both | A one-line risk conclusion with no supporting analysis does not survive a supervisor's question of 'how did you arrive at this.' We document the reasoning chain from raw risk factors to final rating. | 2–3 working days |
| 8 | Alignment with CDD/EDD Triggers — mapping the risk rating output directly to standard, simplified, and enhanced due diligence requirements the entity will apply | A risk assessment that does not connect to a concrete due-diligence action for each rating band is an academic exercise, not an operating tool — we tie the rating directly to what onboarding staff do differently for each category. | 2–3 working days |
| 9 | Management/Board Review and Sign-Off | AML/CFT governance expects senior management or board ownership of the risk assessment, not just a compliance officer's private working document — we prepare the assessment for formal review and documented approval. | 1–2 working days, subject to internal availability |
| 10 | Integration with goAML Registration and Wider Programme | A risk assessment produced in isolation from the goAML registration and the broader CDD build is a missed opportunity for consistency — we hand the finished assessment directly into the registration and policy-drafting workstream where those are also engaged. | Concurrent with registration where both are in scope |
| 11 | Annual Review Scheduling — the risk assessment is diarised for at least an annual refresh, or sooner on material business change | A risk assessment that is filed away and never revisited is the single most common inspection finding on this specific document — we build the review date into the client's compliance calendar from day one. | Ongoing — annual, or on material change |
Realistic timeline for a complete, entity-specific risk assessment from scoping call to board-approved document: typically 2–4 weeks depending on the complexity of the customer base and how readily existing customer and transaction data can be pulled together. Entities with clean, accessible records move faster; those needing to reconstruct customer categorisation from scratch will take longer. This timeline runs independently of, but is often scoped alongside, goAML registration and the wider CDD programme build.
Trade licence copy — mainland DED licence or free zone licence, showing licensed activities in full, since risk exposure follows actual licensed activity
Organisational chart identifying who will own and approve the risk assessment (senior management, board, or designated Compliance Officer)
Details of all UAE and overseas branches, subsidiaries, or related entities sharing a customer base or referral relationship
Any existing risk assessment or risk-related documentation, however outdated, for gap review against current requirements
A representative sample or full listing of current customer categories — individual, corporate, trust, government — with indicative transaction value ranges and frequency
Breakdown of customer ownership structures — direct individual ownership versus layered corporate, trust, or nominee arrangements
Any existing customer segmentation, tiering, or informal risk categorisation currently in use
Volume and growth trend of onboarding over recent periods, to gauge whether manual risk judgement is still practical at current scale
List of jurisdictions where customers, beneficial owners, or transaction counterparties are based or connected
Details of any dealings with jurisdictions the business is aware may carry elevated AML/CFT risk under FATF or UAE guidance
Cross-border transaction patterns, including frequency and typical routing, where relevant to the business activity
Full description of products and services offered, including any that involve cash handling, real estate, precious metals, company formation, or nominee arrangements
Description of onboarding channels used — face-to-face, remote/digital, intermediary-introduced — and the proportion of business conducted through each
Payment methods accepted — bank transfer, cash, cryptocurrency/virtual assets, third-party payment — since each carries different risk weighting
Details of any outsourced or intermediary-based customer introduction arrangements
Details of any sanctions or PEP screening tool currently in use, including vendor and configuration
Records of any prior Suspicious Transaction Reports filed, or internal escalations raised, relevant to understanding realised risk
Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA relating to any prior inspection, finding, or guidance specific to risk assessment expectations
Existing goAML registration status and reference details, where already registered
Designated Compliance Officer or MLRO details, or confirmation that this role is still to be assigned
Prior board or management meeting minutes referencing AML/CFT risk, if any exist
Confirmation of who within the business holds authority to approve the finished risk assessment on behalf of senior management or the board
| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Initial Risk Assessment Build | New DNFBP licence, first formal AML/CFT programme build, or discovery of an absent/outdated assessment | Customer, geographic, product, and delivery-channel risk analysed from actual business data and documented into a formal risk statement and rating methodology, presented for management/board sign-off. | Onboarding without a documented risk basis means every due-diligence decision is effectively ad hoc, and the entity cannot demonstrate a risk-based approach if challenged on inspection. |
| Integration into CDD Programme | Risk assessment completed or nearing completion | The risk rating methodology is wired directly into onboarding procedures — determining which customers get standard, simplified, or enhanced due diligence, and what triggers senior management approval. | A risk assessment that sits unused, disconnected from actual onboarding decisions, is functionally indistinguishable from not having one when a supervisor tests real customer files against it. |
| Ongoing Application | Every new customer onboarded | The risk rating is applied consistently to classify each new relationship, with the classification driving the depth of due diligence performed and documented. | Inconsistent application — the same customer type rated differently depending on who onboarded them — is a recurring, easily-spotted inspection finding. |
| Periodic Monitoring for Rating Drift | Ongoing relationship activity that deviates from the customer's original risk profile | Transaction patterns and customer information are periodically checked against the original risk rating; a customer whose activity no longer matches their stated profile is flagged for re-rating. | A customer onboarded as low-risk who has since begun exhibiting higher-risk activity, with no re-rating trigger in place, represents undetected exposure the original assessment cannot catch on its own. |
| Annual Review | Anniversary of the risk assessment, or sooner on material business change | The full assessment is refreshed against the current customer base, current FATF and UAE guidance, and any relevant Cabinet Decision updates, with changes documented and re-approved by management. | A stale risk assessment is one of the most commonly cited findings in DNFBP inspections — 'when was this last updated' is a standard question with an easy pass or fail answer. |
| Business Change Trigger | New product line, new customer segment, new jurisdiction exposure, M&A, or ownership change | The risk assessment is revisited and updated before the new activity goes live, incorporating the new risk factors rather than retrofitting the assessment after exposure has already been taken on. | A new business line onboarded under an unrevised risk assessment is effectively unassessed activity — the document on file no longer describes what the business actually does. |
| Regulatory Inspection | Scheduled or unannounced supervisory visit from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA | PNPC supports document production and can walk the inspecting officer through the risk assessment's methodology and how it connects to actual onboarding files. | An entity unable to explain how its risk rating was derived, or whose files do not match the stated methodology, faces findings that typically escalate from a corrective directive to administrative fines. |
| Finding or Remediation Directive | Inspection outcome specifically citing the risk assessment as deficient | PNPC rebuilds or substantially revises the assessment against the specific finding, with a documented corrective action plan and timeline for supervisor follow-up. | An unaddressed finding on the risk assessment — the foundation document — tends to cascade into follow-on findings across CDD, screening, and training, since those all depend on it. |
What exactly is an AML risk assessment, and how is it different from an AML policy?
The risk assessment is the analytical document that identifies and rates the entity's exposure to money laundering and terrorist financing risk across customer, geographic, product, and delivery-channel dimensions. The AML policy is the procedural document that sets out what the entity does in response to that risk — CDD steps, screening cadence, escalation procedures. The risk assessment answers 'what is our risk profile'; the policy answers 'what do we do about it.' A policy without a risk assessment behind it is not properly risk-based, since there is no documented analysis driving its calibration.
Is having a documented risk assessment legally mandatory, or is it just good practice?
It is a legal requirement, not a discretionary best practice, for entities within scope of Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions. The risk-based approach is a core structural expectation of the UAE's AML/CFT framework — regulated entities are expected to understand and document their own risk exposure rather than applying uniform treatment to every customer regardless of actual risk.
How is customer risk actually assessed — what factors go into the rating?
Customer risk considers factors including whether the customer is an individual or corporate entity, the complexity and transparency of its ownership structure, whether it or its beneficial owners are Politically Exposed Persons, the nature and cash-intensity of its business activity, and how long and how transparently the relationship has operated. These factors are combined into a documented rating — typically standard, simplified, or enhanced — that then determines the depth of due diligence applied.
What does geographic risk mean in practice, and which jurisdictions count as higher-risk?
Geographic risk considers the jurisdictions connected to a customer, its beneficial owners, or its transaction counterparties, weighed against countries the Financial Action Task Force (FATF) has identified as having strategic AML/CFT deficiencies, and against any UAE-specific high-risk jurisdiction guidance. Because FATF's own list is periodically updated, a risk assessment needs to reference current guidance at the time it is prepared rather than a fixed list assumed to still be accurate.
Why does the delivery channel — how a customer is onboarded — affect the risk rating?
Face-to-face onboarding with original document verification allows more direct identity confirmation than fully remote or non-face-to-face onboarding, which carries a higher inherent risk of impersonation or misrepresentation absent additional controls. Similarly, cash-heavy relationships carry different risk than relationships conducted entirely through traceable bank transfers. The delivery-channel dimension captures these differences so the risk rating reflects not just who the customer is, but how the relationship is actually conducted.
What is the difference between inherent risk and residual risk in a risk assessment?
Inherent risk is the level of money laundering and terrorist financing risk a business faces before any mitigating controls are applied — essentially the raw exposure created by its customer base, geography, products, and delivery channels. Residual risk is what remains after the entity's actual controls — CDD procedures, screening, monitoring, staff training — are factored in. A properly built risk assessment documents both, because residual risk is what should actually drive ongoing due-diligence decisions, while inherent risk shows why those controls are necessary in the first place.
How does the risk assessment connect to enhanced due diligence triggers?
The risk rating methodology defines, in advance, which combinations of customer, geographic, product, and delivery-channel factors push a relationship into the enhanced due diligence category — for example, a Politically Exposed Person connected to a FATF-flagged jurisdiction transacting through a complex offshore ownership structure. Building this connection explicitly means onboarding staff have a documented, consistent basis for escalating a relationship to enhanced treatment, rather than relying on individual judgement case by case.
How often does the risk assessment need to be updated?
At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, entry into a new customer segment or geographic market, a change in ownership or control, a shift in onboarding channels, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. An assessment that has not been revisited in several years, however well-drafted originally, no longer reflects the business as it currently operates.
Can we use a downloaded or generic risk assessment template instead of a bespoke one?
A template can be a useful starting structure, but it must be populated with the entity's actual customer, geographic, product, and delivery-channel data to function as a genuine risk-based assessment. A template with the company name substituted in, describing risk factors that do not match the entity's real business, is a recognised inspection finding — supervisors test whether the document reflects the business operating under it, not whether a document exists.
Who inside the business should own and sign off the risk assessment?
AML/CFT governance expects the risk assessment to be reviewed and formally approved by senior management or the board, not treated as a private working document maintained solely by a compliance officer with no wider organisational buy-in. The sign-off matters because it evidences that the entity's leadership has actually engaged with and accepted the documented risk profile, rather than delegating the entire question downward with no oversight.
Does having a risk assessment protect the business if a customer later turns out to be involved in money laundering?
A properly built and consistently applied risk assessment is the standard against which a business's conduct is judged — it demonstrates the entity took a documented, risk-based approach in good faith. It does not guarantee that criminal activity will never occur through the business, but an entity that can show it followed its documented methodology is in a materially different position, from a regulatory and reputational standpoint, than one with no risk basis for its decisions at all.
What happens if a Ministry of Economy inspector asks how a specific customer's risk rating was determined and we cannot explain it?
An inability to explain the basis for a specific customer's rating — beyond 'that's what the system said' or 'that felt right' — signals that the documented methodology either does not exist in enough detail or is not actually being applied consistently by staff. This is one of the most direct tests an inspector can run, walking through a handful of actual files and asking staff to justify the rating against the written methodology.
How does the risk assessment differ for a real estate broker versus a corporate service provider versus a precious metals dealer?
All three are DNFBP categories under UAE AML law, but their product and delivery-channel risk profiles differ substantially — a real estate broker's risk centres on high-value, sometimes cash-adjacent transactions and layered purchasing vehicles; a corporate service provider's risk centres on undisclosed beneficial ownership behind formed entities and nominee arrangements; a precious metals dealer's risk centres on cash-transaction thresholds and portability of value. A generic risk assessment that does not differentiate these activity-specific risk factors misses what actually drives exposure in each sector.
Do free zone entities in DIFC or ADGM need a different risk assessment approach than mainland entities?
DIFC entities regulated by the Dubai Financial Services Authority and ADGM entities regulated by the Financial Services Regulatory Authority operate under their own AML rulebooks, which sit alongside and are generally aligned in substance with the federal AML/CFT framework, but the specific expectations and any sector-specific guidance can differ from the Ministry of Economy's approach for mainland DNFBPs. The risk assessment methodology should be built against the entity's actual governing rulebook.
How does accepting cryptocurrency or virtual asset payments change the risk assessment?
Accepting or facilitating virtual asset transactions introduces a distinct risk dimension — pseudonymity, cross-border speed, and potential exposure to unregulated counterparties — that a traditional-payment risk assessment does not capture, and can also bring the entity within Virtual Asset Service Provider (VASP) regulatory scope, which carries its own generally more stringent AML/CFT expectations. A risk assessment needs to be revisited, not just amended, when virtual asset acceptance is introduced.
Can a small business with only a handful of customers use a simplified, shorter risk assessment?
The depth and formality of the risk assessment can reasonably scale to the size and complexity of the business — a sole practitioner's assessment will be shorter and less elaborate than a large real estate developer's — but every regulated entity, regardless of size, needs a documented assessment covering the same substantive dimensions: customer, geographic, product, and delivery-channel risk, with a defined rating methodology. 'Too small to need one' is not a recognised exemption.
What is the relationship between the risk assessment and goAML registration — do we need both, and in what order?
goAML registration is the mechanical step that gives an entity access to file Suspicious Transaction Reports and Suspicious Activity Reports; the risk assessment is the analytical foundation that determines when a customer relationship or transaction should raise concern in the first place. Both are required, and PNPC generally recommends the risk assessment be built alongside or ahead of registration, since a registered entity with no documented risk basis for its due-diligence decisions presents an incomplete file on inspection even though the portal registration itself is technically complete.
What does PNPC actually deliver in an AML Risk Assessment engagement?
A typical engagement covers: applicability and scoping confirmation; customer base profiling; geographic risk mapping against current FATF and UAE guidance; product and service risk analysis specific to the entity's activities; delivery-channel risk assessment; a documented risk rating methodology classifying customers as standard, simplified, or enhanced risk; an entity-wide risk statement covering inherent and residual risk; and a management/board sign-off package. The finished assessment is handed off ready to integrate into CDD procedures, goAML registration, and staff training where those are also in scope.
How much does an AML Risk Assessment engagement cost?
PNPC agrees a fixed, written fee before work begins, scoped to the complexity of the business — a single-office corporate service provider with a narrow customer base requires materially less analytical work than a multi-branch real estate brokerage with diverse geographic exposure. Ongoing annual review pricing is quoted separately and is also fixed and agreed in writing.
Why engage PNPC rather than writing the risk assessment ourselves using a free template?
Writing a risk assessment mechanically is straightforward once a template exists — the harder, higher-stakes work is building a rating methodology that actually reflects your real customer base and that your own staff can apply consistently, referencing current FATF and UAE guidance rather than a stale downloaded list, and producing a document that will hold up when a supervisor tests it against your actual files rather than just reading it in isolation. A self-written assessment with no connection to real onboarding decisions is the pattern we most often see corrected after an inspection finding.
PNPC AML Risk Assessment vs generic template providers
| Dimension | Generic Template / Downloaded Document | PNPC Global |
|---|---|---|
| Risk assessment basis | Generic industry boilerplate with the company name substituted in, not specific to your customer base or jurisdiction exposure | Built from your actual licensed activity, customer categories, transaction profile, and geographic exposure |
| Rating methodology | Often a narrative statement with no defined mechanism for classifying an individual new customer | A documented, applicable classification logic staff can use to rate standard, simplified, and enhanced-risk customers consistently |
| Geographic risk data | A fixed list, frequently stale by the time it is downloaded | Mapped against current FATF and UAE high-risk jurisdiction guidance at the time of the engagement |
| Connection to CDD triggers | Rarely wired to concrete due-diligence actions — the rating exists but nothing follows from it | Explicitly linked to standard, simplified, and enhanced due diligence triggers your onboarding team applies |
| Management sign-off | No formal approval step — a compliance officer's private working document | Built for and presented at formal senior management or board review and sign-off |
| Inspection readiness | Not tested before the actual inspection is the first test | Reviewed against how a supervisor would test it — asking staff to justify a real file's rating from the documented methodology |
| Ongoing currency | Static document, not updated as FATF guidance or Cabinet Decisions evolve | Annual review built into the relationship, refreshed on material business change |
| Cross-disciplinary context | Risk assessment in isolation from tax, accounting, and corporate structure | Integrated view across UAE tax, accounting, corporate structuring, and AML — inconsistencies more likely caught internally |
| Presence beyond delivery | Document handed over; engagement ends there | PNPC Dubai office, practising CA firm since 1986, available for the CDD build, goAML registration, and ongoing advisory that follows |
What the PNPC package includes
- 01
Applicability scoping to confirm DNFBP, financial institution, or VASP status and the correct supervisory authority
- 02
Customer base profiling across ownership complexity, transaction size, and relationship type
- 03
Geographic risk mapping against current FATF and UAE high-risk jurisdiction guidance
- 04
Product and service risk analysis specific to your actual licensed activities
- 05
Delivery-channel risk assessment covering onboarding method and payment/fund-movement patterns
- 06
Documented customer risk-rating methodology (standard, simplified, enhanced) staff can apply consistently
- 07
Entity-wide risk statement covering both inherent and residual risk with supporting rationale
- 08
Explicit linkage between the risk rating and CDD/EDD triggers used in onboarding
- 09
Management/board review package and formal sign-off support
- 10
Integration hand-off into goAML registration and the wider CDD/screening/training build where in scope
- 11
Annual review scheduling built into the compliance calendar
- 12
Direct support drafting corrective updates if a supervisory finding specifically cites the risk assessment
Talk to PNPC's Dubai team before your onboarding decisions rest on assumptions rather than a documented, defensible risk assessment.
Jurisdiction
Free zone, mainland & offshore
Ready to get started?
Tell us about your requirement — a UAE specialist responds within 24 hours.