UAEServicesIPR & AML ComplianceAML / CFT ServicesDocumentation

IPR & AML Compliance · AML / CFT Services

Documentation

Documentation is the engagement through which PNPC builds, organises, and maintains the written record every UAE Designated Non-Financial Business and Profession and regulated financial entity must be able to produce on demand under Federal Decree-Law No.

Chartered Accountants · Dubai · Since 1986

What Documentation is

AML/CFT Documentation is the discrete but essential discipline of converting a business's anti-money laundering obligations under Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decision No. 10 of 2019 (as amended) into a written, organised, and retrievable evidence file. The AML/CFT Law and its regulations do not merely require an entity to behave correctly — they require the entity to be able to prove, on request from the Ministry of Economy, the UAE Central Bank, or the relevant free zone financial regulator (DFSA in DIFC, FSRA in ADGM), that it behaved correctly, and to produce that proof within a stated timeframe. Documentation is the bridge between an AML/CFT programme that genuinely operates and a programme that can withstand a supervisory inspection, a bank's own AML due diligence request, or a court or regulator's after-the-fact review.

The documentation set spans several distinct categories that together form the entity's compliance record. At the governance level: the board-approved AML/CFT policy and procedures manual, the appointment record and authority delegation for the designated Compliance Officer or Money Laundering Reporting Officer (MLRO), and the business-wide risk assessment covering customer, geographic, product, and delivery-channel risk. At the customer level: Customer Due Diligence and Enhanced Due Diligence files, beneficial ownership identification and verification records maintained consistent with Cabinet Decision No. 58 of 2020 on beneficial ownership procedures, and evidence of sanctions and Politically Exposed Person (PEP) screening at onboarding and on an ongoing basis. At the operational level: staff training attendance and content records, transaction-monitoring logs and alert-disposition notes, and the internal escalation trail showing how a concern moved from a front-line observation to a Compliance Officer decision to, where warranted, a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) filed through the goAML platform operated by the UAE's Financial Intelligence Unit.

What makes documentation its own discipline, rather than a byproduct of doing the underlying compliance work, is that a supervisory inspection tests the paper trail specifically — not the business's general good faith. An inspector reviewing a sample of customer files is checking whether the risk rating assigned matches the documented methodology, whether the beneficial ownership look-through was actually recorded and not just performed informally, whether screening was run at the frequency the policy states, and whether training that staff plainly received was ever logged with dates, content, and attendee names. A business that performed all of the underlying work correctly but never wrote it down is, from the inspector's vantage point, indistinguishable from a business that never did the work — because there is nothing to examine. This is the single most common gap PNPC finds when reviewing another firm's AML file: the compliance activity happened, but the record of it did not survive in a form a third party could verify.

Documentation also has a retention and retrievability dimension that is frequently underestimated. The AML/CFT Law requires customer identification records, CDD documentation, and transaction records to be retained for a minimum prescribed period following the end of the business relationship or the transaction date, and produced to the competent authority within the timeframe it sets. Retaining a record technically, in an unindexed folder or a departed employee's inbox, satisfies the retention obligation in name only if the entity cannot locate and produce it inside the window given — which, on inspection, reads almost identically to not having kept the record at all. A properly built documentation function therefore designs for retrieval from the outset: a consistent filing structure, a clear index by customer and by document category, and a named owner responsible for keeping the file current as roles, policies, and regulatory guidance change.

Finally, documentation is not a one-time deliverable. The AML/CFT Law and its Cabinet Decisions are periodically amended, the FIU and Ministry of Economy issue updated guidance, and a business's own customer base, products, and risk exposure change over time. A risk assessment or policy manual drafted once at the point of registration and never revisited drifts out of alignment with both the current regulatory text and the entity's actual current activity — and a stale document is one of the most reliably flagged inspection findings PNPC sees, because 'when was this last reviewed' is a question every inspector asks and every out-of-date file answers badly. PNPC's Documentation engagement is built to produce a file that is accurate on day one and stays defensible through the annual review cycle that follows.

When a dedicated Documentation engagement is the right fit

You have a functioning AML/CFT compliance practice — CDD is performed, screening happens, staff are briefed — but none of it is written down in a form that could be produced to an inspector today

Your existing AML policy manual, risk assessment, or MLRO appointment record was drafted years ago, has never been reviewed, and no longer reflects your current business activity or the current Cabinet Decision text

You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection notice and need your documentation set assembled, indexed, and inspection-ready on a compressed timeline

Your goAML registration is complete but the risk assessment, policies, and procedures behind it were never formally drafted or were built from an unadapted template

You need staff training records, screening evidence, and escalation logs reconstructed retrospectively because they were performed informally without being logged at the time

A correspondent bank or partner has asked to see your AML/CFT policy, beneficial ownership register, or risk assessment as part of its own AML due diligence on you as a business customer

Your Compliance Officer or MLRO has changed and the appointment record, authority delegation, and succession documentation need to be brought current on the goAML profile and internally

You are consolidating documentation across multiple UAE entities in a group structure and need a consistent filing methodology and index across all of them

You have completed remediation following an inspection finding and need the corrective documentation — updated policy, refreshed training log, closed-out action plan — formally compiled as evidence the finding was addressed

Where a different engagement fits better

You do not yet have any AML/CFT compliance activity to document — no risk assessment has been performed, no CDD methodology exists, and no Compliance Officer has been appointed; that is a full KYC & Customer Due Diligence Advisory build, not a documentation exercise layered on top of nothing

You have not yet confirmed whether your business falls within a DNFBP or regulated Financial Institution category at all — an applicability assessment should come first, since documenting an obligation that does not actually apply wastes effort

You need the goAML organisation and Compliance Officer portal registration itself completed and have not yet registered — that is the goAML Portal Registration & Reporting Assistance engagement, though it is frequently paired with documentation work

Your requirement is to design or redesign the underlying CDD/EDD risk methodology itself, not simply record an existing one in writing — that is advisory work, and documentation should follow it rather than substitute for it

You are under active investigation for a specific suspected money-laundering or terrorist-financing offence — that requires criminal defence legal representation as the lead engagement, with documentation support playing a secondary role

You want a template policy dropped into your file without any review of whether it reflects your actual business — a document that does not match reality is a liability on inspection, not an asset, regardless of how complete it looks

You are looking for a one-time document set with no plan to review or update it — documentation that is accurate today and never revisited again predictably drifts out of date within a year or two as guidance and the business itself change

Structure Comparison

Documentation engagement vs adjacent UAE AML/CFT service scopes

FeatureDocumentation (this service)KYC & CDD AdvisorygoAML Portal Registration & ReportingAML Risk Assessment (standalone)AML Training and Capacity Building
Primary purposeBuild, organise, and maintain the written evidence file proving the AML/CFT programme operates as requiredDesign and implement the full risk-based CDD programme, of which documentation is one outputRegister the entity and its Compliance Officer on the FIU goAML platform and support STR/SAR filingProduce the entity-specific risk assessment document that documentation later indexes and maintainsDeliver staff training itself; documentation then records that it happened
Typical starting pointCompliance activity already happens informally; the paper trail is missing or disorganisedNo CDD methodology yet exists and needs to be designed from the ground upEntity is in scope and has not yet obtained goAML platform accessNo documented risk methodology exists yet, or the existing one is out of dateStaff have not received formal, logged AML/CFT training
Core deliverableIndexed, retrievable evidence file: policies, CDD/EDD records, screening logs, training records, escalation trailFull programme — risk assessment, policy, CDD/EDD procedures, screening design, training, goAML registrationActive goAML organisation and Compliance Officer registration with filing accessA single written, entity-specific risk assessment documentDelivered training sessions with attendance and competency records
Inspection relevanceDirectly what an inspector reviews file-by-file during a supervisory visitBuilds the substance the documentation later has to prove existedNecessary precondition for reporting capability, not sufficient alone for inspection readinessOne required document within the larger file, not the whole fileOne required record within the larger file, not the whole file
Who typically commissions itEntities with an operating but unrecorded, or disorganised and stale, compliance practiceEntities building a compliance function from scratch or substantially rebuilding oneEntities that are in scope but have never registered, or whose registration lapsedEntities that need the foundational risk document specifically, often as a first stepEntities with a written policy but no evidence staff were ever trained on it
Engagement cadenceInitial build plus scheduled annual refresh and event-driven updatesInitial build, typically 6–10 weeks, then ongoing advisoryOne-time registration, ongoing platform use thereafterOne-time drafting, reviewed and refreshed at least annuallyInitial delivery, refresher sessions on an annual or trigger-driven cadence

These engagements are frequently combined and PNPC scopes them together where a client's need spans more than one — a documentation build is most effective when it sits on top of a genuinely functioning CDD programme, and PNPC will flag where the underlying substance needs building or repair before the paper trail can honestly reflect it.

How it works
#Stage & What PNPC DoesWhat a Self-Assembled File Typically MissesTimeline
1Documentation Scoping & Gap Assessment — review of what currently exists against the full required document setBusinesses often believe their file is more complete than it is because individual documents exist somewhere, but no one has checked the full set against what the AML/CFT Law and Cabinet Decision actually require category by category.Week 1
2Governance Document Compilation — board/management approval records, AML/CFT policy and procedures manual, Compliance Officer/MLRO appointment and authority delegationA policy manual with no recorded board or senior-management approval reads as an unadopted draft on inspection, regardless of how well it is written — approval evidence is a specific, separate document, not implied by the policy's existence.Week 1–2
3Risk Assessment Indexing — the current business-wide risk assessment reviewed for currency and formally filed as the reference document the CDD procedures applyA risk assessment that exists but is not clearly dated, versioned, and cross-referenced to the policies built on it creates ambiguity about which methodology was actually in force at a given point in time.Week 1–2
4Customer File Structure & Indexing — a consistent CDD/EDD file format applied across the existing customer base, organised for retrieval by risk categoryCustomer files accumulated organically over time rarely share a consistent structure, making a sample review by an inspector slower and more likely to surface inconsistencies that a uniform format would have prevented.Week 2–4
5Beneficial Ownership Register Reconciliation — the Register of Beneficial Owners checked for completeness and currency against Cabinet Decision No. 58 of 2020 requirements and formally filedBeneficial ownership registers are frequently accurate at the point they were first compiled but never updated as ownership changes occur — an inspector testing the register against current shareholding finds a stale document.Week 2–3
6Screening Evidence Compilation — sanctions and PEP screening records, including disposition notes for partial or possible matches, organised as retrievable evidenceScreening tools generate alerts, but without a documented disposition of each alert — cleared, escalated, or confirmed a false positive — the alert log shows activity happened without showing a decision was actually made.Week 2–4
7Training Record Assembly — attendance, content, and date records for all delivered AML/CFT training, including any historical sessions that were run but never loggedVerbal or informal briefings that staff genuinely received are treated on inspection as if they never happened if there is no dated record of who attended and what was covered.Week 3–4
8STR/SAR and Escalation Trail Documentation — the internal record of how any suspicion was raised, escalated to the Compliance Officer, assessed, and — where filed — submitted through goAMLA filed STR with no accompanying internal escalation log looks, on review, like an isolated event rather than evidence of a functioning escalation process staff can be expected to repeat.Week 3–4
9Retention & Retrieval System Design — a filing structure and index that lets any document category be located and produced within a stated timeframeRecords that are technically retained but not indexed for retrieval fail the practical test of an inspection request with a deadline, even though the underlying obligation to keep the record was met.Week 4–5
10Version Control & Review Cycle Set-Up — a documented schedule for when each category of document is next due for review, tied to the compliance calendarA document set that is accurate at delivery but has no built-in review trigger drifts out of date exactly the way the original, unmanaged file did — the fix has to include a maintenance mechanism, not just a one-time refresh.Week 4–5
11Inspection-Readiness Walkthrough — a mock review of the completed file as if a Ministry of Economy or Central Bank inspector were testing itThe gaps that surface in a genuine walkthrough — a missing signature, an undated training log, a beneficial owner never updated after a share transfer — are rarely visible from a checklist review alone.Week 5–6
12Ongoing Documentation Maintenance — ongoing support keeping the file current as the business, its customers, and the regulatory text changeA completed file left untouched after handover begins the same drift it was built to correct; ongoing maintenance is what keeps it inspection-ready a year or two later, not just at the point of delivery.Ongoing, retainer basis

Realistic timeline for a full documentation build on an existing but disorganised compliance practice: 4–6 weeks depending on customer base size and how much of the underlying record already exists in some form. A narrower engagement responding to a specific inspection notice on a compressed timeline can move faster, prioritising the categories most likely to be tested first.

Document Checklist
Governance & Appointment Records

Board or senior management resolution formally adopting the AML/CFT policy and procedures manual

Compliance Officer / MLRO appointment letter or resolution, evidencing seniority and delegated authority

Organisational chart showing the Compliance Officer's reporting line to senior management or the board

Record of any Compliance Officer succession, including handover documentation and updated goAML profile confirmation

Version history of the AML/CFT policy manual, showing dates of adoption and each subsequent revision

Risk Assessment & Methodology

Current business-wide AML/CFT risk assessment covering customer, geographic, product/service, and delivery-channel risk

Risk-rating methodology applied to customers, cross-referenced to the CDD/EDD procedures it supports

Record of the most recent risk assessment review date and any changes made since the prior version

Documentation of any material business change (new product, new customer segment, new jurisdiction exposure) and the corresponding risk assessment update

Customer Due Diligence Evidence

Standard CDD files: identity verification documents, business relationship purpose, and risk rating assigned

Enhanced Due Diligence files for higher-risk customers: source-of-funds/wealth documentation and senior management approval records

Beneficial ownership identification records and the current Register of Beneficial Owners, reconciled to actual shareholding

Evidence of ongoing monitoring and periodic file refresh for higher-risk relationships, per the schedule the risk assessment sets

Screening & Monitoring Records

Sanctions and PEP screening logs, including screening date, list source, and result

Disposition notes for every partial or possible match, showing whether it was cleared, escalated, or confirmed

Evidence of periodic re-screening cadence, not just onboarding screening

Transaction-monitoring alert logs and the outcome of each alert reviewed

Training & Escalation Records

Staff training attendance sheets, content summaries, and dates for all delivered sessions

Refresher training records showing the annual or trigger-driven training cadence has been maintained

Internal escalation logs showing how a concern moved from initial observation to Compliance Officer review

STR/SAR filing records and the goAML submission confirmations for any reports actually filed

Regulatory Correspondence & Remediation

Any correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA relating to a prior inspection, query, or directive

Corrective action plans addressing any prior finding, with evidence of completion and sign-off

goAML organisation and Compliance Officer registration confirmations

Confirmation of the periodic goAML profile re-registration/confirmation cycle, where applicable

Ongoing obligations
PhaseTriggered ByPNPC GuidanceRisk If Ignored
Initial File Assembly (Week 1–6)First structured documentation build, or a gap assessment revealing a materially incomplete fileGovernance records, risk assessment, CDD/EDD files, screening evidence, and training logs compiled, indexed, and cross-referenced into a single retrievable file structure.An entity that performs the underlying AML work but cannot produce the paper trail is treated on inspection as if the work never happened, regardless of actual practice.
Ongoing Document CaptureEvery new customer onboarded, screening run, or training session deliveredEach compliance activity logged at the point it occurs — onboarding decision, screening result, training attendance — rather than reconstructed retrospectively from memory.Retrospective reconstruction is rarely as accurate or as credible on inspection as a contemporaneous record, and some detail is inevitably lost or disputed.
Annual Review CycleAnniversary of the documentation build, or a material change in the business or regulatory guidanceRisk assessment, policy manual, and beneficial ownership register formally reviewed and updated, with the review itself dated and recorded as evidence the cycle occurred.A file that is accurate at delivery but never revisited becomes stale within a year or two, and 'when was this last reviewed' is a standard inspection question with an easy pass or fail answer.
Compliance Officer or Ownership ChangeChange in the designated Compliance Officer, or a change in beneficial ownershipUpdated appointment records, revised goAML profile, and a reconciled beneficial ownership register produced promptly, closing any gap in the documentation trail.An outdated Compliance Officer record or an unreconciled beneficial ownership register is a governance gap an inspector identifies quickly and treats as an aggravating factor.
Bank or Partner AML Due Diligence RequestA correspondent bank, partner, or counterparty requests evidence of your AML/CFT programme as part of its own due diligenceThe current, indexed documentation set produced promptly, without needing to be assembled from scratch under time pressure.A slow or incomplete response to a bank's AML due diligence request can affect banking relationships independent of any regulatory inspection outcome.
Regulatory InspectionScheduled or unannounced visit from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARAPNPC supports document production against the inspector's specific requests, drawing on the indexed file built and maintained for exactly this purpose.An entity unable to produce requested documentation within the given timeframe faces findings that typically escalate from a corrective action directive to administrative fines and, in serious or repeat cases, licence-level consequences.
Finding or Remediation DirectiveInspection outcome identifying a documentation gapA corrective action plan drafted addressing the specific finding, with the remediation itself documented and formally closed out for the record.An unaddressed or undocumented remediation response risks the same finding recurring at the next inspection cycle, now compounded as a repeat issue.
Retention Period Expiry ReviewApproach of the minimum prescribed retention period for a given record following the end of a business relationship or transactionRecords reviewed before any disposal decision to confirm the minimum retention period has genuinely elapsed and no other reason (open query, litigation hold) requires continued retention.Premature disposal of a record still within its required retention period is itself a compliance breach, separate from any underlying transaction issue.
Frequently asked
Why do I need a separate Documentation engagement if we already do our AML compliance work properly?

Because UAE supervisory authorities inspect the written record, not your general good-faith conduct. An inspector reviewing a customer file checks whether the risk rating, beneficial ownership look-through, and screening result were actually recorded — not whether you personally believe the work was done well. A business that performs CDD correctly but never documents it is, from the inspector's perspective, indistinguishable from a business that skipped CDD altogether, because there is no evidence to examine either way.

Practitioner noteThis is the single most common reason clients come to us after a first inspection finding — the work was genuinely being done, but nothing survived on paper that an outsider could verify. We treat documentation as equally important to the underlying compliance activity, not as an afterthought.
What is the minimum document set every DNFBP needs to be able to produce?

At minimum: a board-approved AML/CFT policy and procedures manual, a documented business-wide risk assessment, the Compliance Officer/MLRO appointment record, CDD files for customers with beneficial ownership identification, sanctions/PEP screening evidence, staff training attendance records, and — where applicable — the internal escalation trail and goAML submission confirmation for any STR/SAR filed. The exact depth expected scales with the size and complexity of the business, but every category above should exist in some form for any in-scope entity.

Practitioner noteWe run every new documentation client through this exact checklist first, category by category, before drafting anything — it is faster to identify the true gaps up front than to discover them mid-inspection.
How is documentation different from the risk assessment or the CDD advisory work itself?

The risk assessment and CDD advisory engagements design and implement the underlying methodology — what risk factors matter, how customers are categorised, what triggers enhanced due diligence. Documentation is the discipline of capturing, organising, and maintaining the written evidence that this methodology was actually applied to real customers and real decisions, in a form that can be retrieved and produced on request. You can have a well-designed methodology and a poorly documented file, or vice versa — the two are related but distinct pieces of work.

Practitioner noteWe are occasionally asked to 'just do the documentation' for a business that, on closer look, has no real underlying methodology to document. In that situation we say so directly — documenting a gap does not close it, and a beautifully organised file describing an inadequate process fails inspection just as surely as no file at all.
We have all our AML records, just not organised — is that enough for an inspection?

Not necessarily. Retention alone does not satisfy the obligation if the entity cannot locate and produce the relevant record within the timeframe a supervisory authority gives during an inspection. A record technically kept somewhere — in an unindexed folder, a departed employee's inbox, or scattered across different staff members' files — that cannot be retrieved on request reads, on inspection, almost identically to a record that was never kept.

Practitioner noteWe design every documentation build around retrievability specifically, not just storage — a consistent index by customer and document category, with a named internal owner, so a request can be answered in hours rather than days of searching.
How long do we need to retain AML/CFT records under UAE law?

UAE AML law requires customer identification records, CDD documentation, and transaction records to be retained for a minimum prescribed period following the end of the business relationship or the date of the transaction, and produced to the competent authority on request. The precise retention period and any sector-specific variation should be confirmed against the current Cabinet Decision text and any applicable sector-regulator rulebook, since retention requirements are refined periodically through amendments.

Practitioner noteWe deliberately avoid quoting a fixed number of years without checking the current text at the time of engagement — retention periods are exactly the kind of regulatory detail that should be verified fresh, not recalled from memory.
What happens if our beneficial ownership register is out of date when an inspector reviews it?

An outdated Register of Beneficial Owners — one that does not reflect a share transfer, new investor, or change in control that has already happened — is a common and specifically-tested inspection finding under Cabinet Decision No. 58 of 2020 and the AML/CFT framework more broadly. It signals that the entity's documentation is not being maintained in step with actual business events, which supervisors treat as a governance gap in its own right, separate from any issue with the underlying transaction record.

Practitioner noteWe tie beneficial ownership register updates to a specific trigger — any share transfer or control change — rather than relying on an annual review alone to catch it, since a year is a long time for a register to drift from reality.
Do we need to document sanctions screening even when there is never a match?

Yes. The absence of a match is itself something that needs to be recorded — the fact that screening was run, on what date, against which list, and with what result — because an inspector cannot distinguish 'screening happened and found nothing' from 'screening never happened' unless the negative result is logged as clearly as a positive one would be.

Practitioner noteWe build screening logs to capture clean results by default, not just flagged matches — clients sometimes assume only alerts need recording, but a complete audit trail requires evidence of every screening run, not only the exceptions.
What is a disposition note and why does every screening alert need one?

A disposition note is the documented decision made about a specific sanctions or PEP screening alert — whether it was cleared as a false positive, escalated for further review, or confirmed as a genuine match requiring action. Without it, an alert log shows that the screening tool generated a warning but does not show that a human being actually reviewed and decided what to do about it, which is the substantive step an inspector is testing for.

Practitioner noteWe have reviewed screening logs with hundreds of alerts and zero disposition notes — the tool was working, but nobody could tell us, or an inspector, what happened to any individual alert. We treat disposition-note completeness as a specific line item in every documentation review.
How do we document staff training that happened but was never formally logged?

Where genuine training occurred without contemporaneous documentation, PNPC works with the entity to reconstruct as accurate a record as possible — confirmed dates, content covered, and attendee names based on available evidence such as calendar invites, presentation materials, or attendee recollection — while being transparent that a reconstructed record is weaker evidence than a contemporaneous one, and building a forward process so this gap does not recur.

Practitioner noteWe are candid with clients that reconstruction is a repair, not a substitute for logging training at the time it happens going forward — we always pair a reconstruction exercise with a simple, low-friction logging process so the next session is captured properly from the outset.
Does PNPC draft our AML policies from scratch, or only organise documents we already have?

Both, depending on scope. Where a genuine policy and methodology already exist but the supporting paper trail is missing or disorganised, the engagement focuses on capture, indexing, and retrieval design. Where the underlying policy itself is missing, outdated, or was copied from an unadapted template, PNPC drafts or substantially revises it as part of the same engagement — documentation and the substance behind it are scoped together where the gap analysis shows both are needed.

Practitioner noteWe scope this explicitly at the outset so there is no ambiguity about whether we are organising your existing work or building new policy content — clients sometimes assume it is purely an organisational task until the gap assessment shows otherwise.
What does an inspector actually do with our documentation during a visit?

A typical inspection involves reviewing the policy and risk assessment documents for currency and completeness, then pulling a sample of individual customer files to test whether the documented procedure was actually followed — checking the risk rating assigned, the beneficial ownership look-through, the screening evidence, and any escalation trail. Inconsistency between the written policy and what the sampled files actually show is the most common and most damaging type of finding.

Practitioner noteWe run an internal mock walkthrough using this same sample-file methodology before any client goes live or faces a real inspection — it is far better to find the inconsistency ourselves than to have an inspector find it first.
How quickly can PNPC assemble documentation if we've already received an inspection notice?

PNPC prioritises the document categories most likely to be tested first — the policy manual, risk assessment, MLRO appointment record, and a representative sample of customer files — and can typically produce an inspection-ready core file within one to two weeks on a compressed timeline, with the fuller file (complete customer base indexing, full training history reconstruction) continuing in parallel.

Practitioner noteWe tell clients who arrive after a notice has already landed exactly what is realistically achievable before the inspection date and what will need to be flagged honestly as in-progress remediation — overpromising completeness on a compressed timeline does more harm than a candid, prioritised plan.
Is documentation a one-time deliverable or an ongoing service?

Both models exist. A one-time build is appropriate where a business needs its current gap closed and is confident it can maintain the file going forward. Most PNPC clients, however, take the ongoing retainer option, since the annual review cycle, event-driven updates (Compliance Officer changes, ownership changes, new Cabinet Decisions), and continuous capture of new customer files and screening results are what keep a documentation set from drifting back into disorganisation within a year or two of the initial build.

Practitioner noteWe are transparent that a one-time build, left entirely unmaintained, tends to look very similar to the original gap within twelve to eighteen months — the ongoing option is not an upsell so much as an acknowledgment of how documentation actually decays without a maintenance mechanism.
Does having complete documentation guarantee we will pass a Ministry of Economy inspection?

No. Complete, accurate, and current documentation materially improves the entity's position on inspection and is the strongest evidence a business can offer that its programme actually operates, but the inspecting authority retains full discretion over its findings, and even well-documented programmes can receive observations or findings based on the specific facts reviewed. No adviser can guarantee a regulatory outcome that depends on the supervisor's own judgment.

Practitioner noteWe are candid with every client on this point — our role is to make the file as strong and defensible as it can genuinely be, not to promise a result that is ultimately the inspector's call, not ours.
How does documentation work connect to our goAML registration?

goAML registration and Compliance Officer activation give the entity the ability to file reports; documentation is the separate record proving the risk assessment, policies, CDD, screening, and training that should sit behind that registration actually exist and are current. The two are commonly engaged together, since a goAML registration with no documented programme behind it is precisely the 'registered but hollow' pattern supervisory authorities flag most often on inspection.

Practitioner noteWe routinely find clients whose goAML portal shows as fully registered while the documentation file behind it is close to empty — the registration and the paper trail need to be built, or at least reviewed, together.
What does PNPC's Chennai/Bangalore/Hyderabad/Dubai presence add to a documentation engagement?

For clients with entities spanning both India and the UAE, our Dubai team leads the UAE AML/CFT documentation build directly, while our India offices coordinate any parallel India-side compliance record-keeping under the same engagement — so a group operating in both jurisdictions maintains a consistent documentation methodology rather than two disconnected filing systems built by unrelated advisers.

Practitioner noteCross-border groups often discover their India and UAE compliance files were built years apart by different advisers with different filing conventions — bringing them under one coordinated methodology makes both files easier to maintain and easier for either regulator to review.
Why PNPC Global

PNPC Documentation build vs a self-assembled or unmaintained AML file

DimensionSelf-Assembled / Unmaintained FilePNPC Global
Document set completenessIndividual documents exist, but no one has checked them against the full required category listStructured gap assessment against every governance, risk, CDD, screening, and training category required under the AML/CFT Law
RetrievabilityRecords technically kept, scattered across folders, inboxes, and individual staff membersConsistent index by customer and document category, designed to be produced within the timeframe an inspector gives
Screening evidenceAlerts logged by the tool; no record of what was decided about each oneEvery partial or possible match adjudicated and recorded with a documented disposition
Beneficial ownership currencyRegister compiled once at onboarding, not reconciled against later ownership changesRegister reconciled to current shareholding and updated on every triggering change
Training evidenceSessions delivered informally with no attendance, content, or date recordAttendance, content, and date logged for every session, with a scheduled refresher cadence
Currency of policy documentsDrafted once at registration and never revisited as Cabinet Decisions or guidance evolveAnnual review cycle built into the engagement, updated as regulatory text and business activity change
Inspection response readinessFile assembled reactively once an inspection notice arrivesMaintained continuously so production on request is a retrieval exercise, not a scramble
Cross-disciplinary consistencyAML file built in isolation from tax, accounting, and corporate recordsCoordinated with PNPC's tax, accounting, and corporate structuring work so records are internally consistent
Presence beyond deliveryDocument handed over once, no further supportPNPC Dubai office, practising CA firm since 1986, available for live inspection support and ongoing maintenance

What the PNPC package includes

  1. 01

    Full documentation gap assessment against the required AML/CFT governance, risk, CDD, screening, and training categories

  2. 02

    Board/management approval record and Compliance Officer/MLRO appointment documentation compiled or reconciled

  3. 03

    Risk assessment reviewed, dated, and formally indexed as the reference document behind the CDD procedures

  4. 04

    Consistent CDD/EDD customer file structure applied across the existing customer base

  5. 05

    Beneficial ownership register reconciled to current shareholding and aligned to Cabinet Decision No. 58 of 2020

  6. 06

    Sanctions/PEP screening evidence compiled with disposition notes for every partial or possible match

  7. 07

    Staff training records assembled or reconstructed, including attendee, date, and content detail

  8. 08

    Internal escalation and STR/SAR filing trail organised and cross-referenced to goAML submission confirmations

  9. 09

    Retention and retrieval system designed for production within an inspector's stated timeframe

  10. 10

    Documented annual review schedule tied to PNPC's ongoing compliance calendar

  11. 11

    Mock inspection walkthrough of the completed file before it is relied upon in a live inspection

  12. 12

    Direct support producing documentation during an actual Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection

  13. 13

    Coordination with PNPC's tax, accounting, and corporate secretarial teams for cross-referential consistency

Talk to PNPC's Dubai AML/CFT team before an inspector asks for a file you cannot produce.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to AML / CFT Services