UAEServicesIPR & AML ComplianceAML / CFT ServicesDrafting of AML policies and procedures

IPR & AML Compliance · AML / CFT Services

Drafting of AML policies and procedures

Drafting of AML policies and procedures is the engagement through which PNPC produces the written, board-approved AML/CFT policy manual and operating procedures that every UAE Designated Non-Financial Business and Profession, financial institution, and Virtual Asset Service Provider must maintain under Federal Decree-Law No.

Chartered Accountants · Dubai · Since 1986

What Drafting of AML policies and procedures is

Drafting of AML policies and procedures is the production of the written compliance framework that Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (the AML/CFT Law), together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, requires every regulated entity to hold and to actually operate under. The obligation applies to Designated Non-Financial Businesses and Professions (DNFBPs) — real estate brokers and developers, dealers in precious metals and stones above prescribed cash thresholds, corporate and trust service providers, independent legal professionals, and independent accountants and auditors carrying out specified services — supervised primarily by the Ministry of Economy, as well as to financial institutions under the UAE Central Bank, securities firms under the Securities and Commodities Authority, and Virtual Asset Service Providers under VARA or the relevant emirate-level regulator. Financial free zone entities in DIFC and ADGM sit under their own AML supervisors, the Dubai Financial Services Authority and the Financial Services Regulatory Authority respectively, each with its own rulebook layered on top of the federal law.

A compliant AML policy manual is not a single document; it is a coordinated set of written procedures that together operationalise the risk-based approach the law requires. At its core sits the business-wide AML/CFT risk assessment, which drives everything that follows — the risk assessment identifies the entity's exposure across customer type, geography, product/service, and delivery channel, and the policy manual then sets out exactly how the business responds to that exposure: standard, simplified, or enhanced Customer Due Diligence triggers; beneficial ownership identification and verification procedures aligned to Cabinet Decision No. 58 of 2020; sanctions and Politically Exposed Persons (PEP) screening cadence and escalation; ongoing transaction monitoring thresholds; record-retention rules; the internal escalation pathway from front-line observation to the Compliance Officer's decision on whether to file; and the mechanics of filing a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) through the goAML platform operated by the UAE's Financial Intelligence Unit, together with the strict no-tipping-off discipline that governs any such filing.

The drafting exercise is where most AML programmes succeed or fail on inspection, because the difference between a policy that passes scrutiny and one that does not is rarely the presence or absence of a section heading — most template policies cover the same headings. The difference is whether the content under each heading describes what this specific business actually does. A policy that states simplified due diligence applies to 'low-risk customers' without defining, in terms specific to the entity's own customer base, exactly which customer profile qualifies, is not operable by front-line staff and will not withstand a supervisor asking a nominated Compliance Officer to justify a specific onboarding decision against the written procedure. Equally, a policy copied from a foreign parent group's global template, with UAE-specific references to the AML/CFT Law, goAML, and local sanctions lists never inserted, reads on inspection as evidence the entity has not actually engaged with its UAE obligation.

Policies must also be board-approved or approved by equivalent senior management, since the AML/CFT Law expects governance ownership of the compliance function, not a document produced by a junior staff member and left unsigned. The manual should name the designated Compliance Officer or Money Laundering Reporting Officer (MLRO), describe their authority to escalate and pause transactions independently, and set out the record-keeping and periodic review discipline — at minimum an annual refresh, and sooner if the business, its customer base, or the underlying regulations change materially.

PNPC's approach to drafting starts from the risk assessment and the entity's real operating detail — actual customer categories, actual payment channels, actual jurisdictions dealt with — rather than a headings checklist, and produces a manual that a front-line member of staff can follow under time pressure and that a Compliance Officer can defend, clause by clause, against an actual customer file during an inspection.

When Drafting of AML Policies and Procedures is the right engagement

Your business falls within the DNFBP categories under UAE AML law — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and has no written, board-approved AML/CFT policy at all

You are a newly licensed regulated entity (financial institution, VASP, DNFBP) and need the AML/CFT policy manual and CDD procedures drafted before you can lawfully begin onboarding customers

Your existing policy was purchased or copied as a generic template and has never been calibrated to your actual customer base, products, geography, or delivery channels

Your existing policy predates the current Cabinet Decision amendments, FATF guidance updates, or a material change in your business (new product line, new customer segment, new jurisdiction exposure) and is due for a substantive rewrite rather than a light edit

You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection finding specifically citing an inadequate, outdated, or unimplemented AML/CFT policy

A group parent company has a global AML policy that needs to be localised into a UAE-specific manual referencing the AML/CFT Law, goAML, and UAE sanctions lists rather than adopted as-is

Your risk assessment has recently been completed or updated and the policy manual now needs to be drafted, or redrafted, to align with its findings

You need the policy translated into operable escalation scripts, onboarding checklists, and approval-authority matrices that front-line staff can actually follow, not just a narrative compliance statement

Your designated Compliance Officer or MLRO needs a documented procedure that gives the role genuine operating substance and a defensible basis for decisions taken

You are acquiring or merging with a regulated entity and need its existing AML policy diligenced and, where necessary, rebuilt as part of integration

Where a different engagement fits better

You do not yet have a completed AML/CFT risk assessment — the policy should be drafted from the risk assessment's findings, not written in parallel or ahead of it; PNPC generally recommends the risk assessment as the first deliverable, often within the same engagement

You are not a DNFBP, financial institution, or VASP and your business activity does not fall within any AML/CFT-regulated category under UAE law — confirm applicability first through a scoping call before commissioning a policy drafting engagement

You need only the goAML portal registration completed with no policy drafting involved — that is a narrower, standalone registration engagement, though PNPC recommends the risk assessment and policy accompany or precede registration

Your requirement is limited to sanctions screening software selection and configuration with no policy-drafting component — that sits closer to a technology/vendor selection engagement

You already have a properly drafted, board-approved, and implemented policy and need ongoing training delivery, KYC file remediation, or goAML reporting support instead — those are distinct engagements PNPC also provides

You are seeking a signed-off policy overnight with no scoping call and no willingness to share your actual customer base, ownership structure, or transaction profile — a defensible, risk-based policy cannot be drafted from assumptions

You want a guarantee that a drafted policy will prevent any future inspection finding — no advisor can offer that; what a properly drafted policy buys is a defensible, evidenced position and a materially faster remediation path if a finding does arise

You have an active investigation or enforcement matter already underway relating to money laundering or terrorist financing — that requires criminal defence legal representation as the primary engagement, with policy drafting playing a secondary, supporting role

Structure Comparison

AML Policy Drafting vs related UAE AML/CFT compliance engagements

FeatureDrafting of AML Policies & ProceduresAML Risk AssessmentKYC & CDD AdvisorygoAML Portal RegistrationAML Training & Capacity Building
Primary outputBoard-approved written policy manual and operating procedures covering the full AML/CFT programmeA documented risk rating methodology across customer, geography, product/service, and delivery-channel riskThe onboarding, screening, and monitoring discipline built and run day to day, of which the policy is one componentRegistration and activation on the FIU's goAML reporting platformStaff competency in executing the policy correctly, evidenced by attendance and assessment records
Legal basisFederal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019, as amendedSame legal framework — the risk-based approach the law mandates as the foundation of any AML programmeSame framework, operational layerAML/CFT Law's reporting-channel requirementAML/CFT Law's expectation that staff can execute the documented procedure
SequencingDrafted from a completed or concurrently produced risk assessment; precedes or accompanies staff trainingShould exist before, or be produced alongside, the policy — the policy operationalises the risk assessment's findingsRuns on top of the policy once drafted and approved — the policy tells staff what to do; CDD advisory is the doingCan run in parallel with policy drafting; registration alone does not satisfy the policy requirementFollows policy drafting — staff cannot be trained on a document that does not yet exist
Typical deliverable formBoard-approved AML/CFT policy manual, CDD/EDD procedures, escalation matrix, screening cadence, record-retention scheduleWritten risk assessment report with a risk-rating methodology and supporting rationaleOnboarding forms, CDD/EDD checklists, ongoing monitoring workflow, file remediationFIU portal credentials for the organisation and the designated Compliance OfficerTraining materials, attendance records, competency sign-off
Who typically commissions itAny DNFBP, financial institution, or VASP without a current, board-approved, entity-specific policyEntities building or refreshing their AML programme, or responding to a materially changed businessEntities with a policy already in place needing the operational layer built or fixedEntities that have a policy and risk assessment but lack platform accessEntities with an approved policy that staff have not yet been formally trained against
Inspection relevanceThe document a Ministry of Economy or Central Bank inspector reviews first and tests customer files againstThe foundation an inspector checks the policy actually reflectsWhat an inspector samples to see if the policy is being followed in practiceNecessary but not sufficient on its own — registration without a policy behind it is an early and common findingAbsence of training records is a standard, easily identified inspection finding

These engagements are frequently bundled — PNPC typically produces the risk assessment and the policy manual as a single coordinated deliverable, then follows with goAML registration, CDD implementation support, and staff training, so the written policy and the operating programme are built to match from day one rather than reconciled after the fact.

How it works
#Stage & What PNPC DoesWhat Generic Templates MissTimeline
1Scoping call and applicability confirmation — confirming the entity's DNFBP or regulated category and which supervisory rulebook governs itA template drafted before applicability is confirmed risks citing the wrong supervisory authority or omitting sector-specific requirements — mainland DED, DIFC/DFSA, ADGM/FSRA, and VARA/VASP entities each sit under a different specific rulebook layered on the federal AML/CFT Law.Week 1
2Risk assessment review or production — confirming an existing risk assessment is current, or producing one where none exists, since the policy is drafted from its findingsA policy drafted without a current risk assessment behind it has no defensible basis for its due diligence tiers, EDD triggers, or monitoring thresholds — an inspector's first question is usually 'what risk assessment supports this clause.'Week 1–2 (if risk assessment already current) or Week 1–3 (if produced concurrently)
3Entity fact-finding — actual customer categories, transaction patterns, payment channels, geographies, and existing controls documented in detailGeneric templates skip this step entirely, which is exactly why they read as generic — the specific customer mix and payment channel detail is what turns a section heading into an operable clause.Week 1–2
4CDD/EDD procedure drafting — standard, simplified, and enhanced due diligence triggers defined against the entity's actual risk tiersTemplates state that EDD applies to 'high-risk customers' without defining, for this specific business, what actually triggers that classification — leaving front-line staff to guess and creating inconsistent files.Week 2–3
5Beneficial ownership identification procedure — the look-through methodology for corporate and trust customer structures, aligned to Cabinet Decision No. 58 of 2020Layered or offshore ownership structures need an explicit look-through rule; a generic clause that stops at the first corporate layer is a recurring inspection gap.Week 2–3
6Sanctions and PEP screening procedure — screening cadence, list sources, and escalation on a match, integrated into onboarding and ongoing monitoringTemplates often describe screening as a one-time onboarding check; the actual obligation includes periodic re-screening against updated lists, which a generic document rarely specifies with a defined cadence.Week 2–4
7Escalation and STR/SAR filing procedure — the internal pathway from a front-line observation to the Compliance Officer's decision and a goAML filing, with the no-tipping-off rule built in explicitlyA policy that does not name who decides, within what timeframe, and how the no-tipping-off obligation is protected leaves staff exposed to making that judgment call alone under pressure.Week 3–4
8Record-keeping and retention schedule — what is retained, in what format, for how long, and how it is retrieved on a supervisory requestRetention clauses in generic templates rarely address retrievability — a retained-but-unlocatable file reads on inspection almost the same as an unretained one.Week 3–4
9Governance and Compliance Officer authority clause — naming the designated Compliance Officer/MLRO, their reporting line, and their independent authority to pause or escalateA policy naming a Compliance Officer with no described authority to actually act independently is a recognised inspection red flag — the clause needs to describe real, exercisable authority, not a title.Week 3–4
10Internal review and stress-test — a sample walkthrough of how the drafted procedure would apply to a handful of real (anonymised) customer scenarios from the entity's own bookThis step catches clauses that read well on paper but do not actually work against a real file — a gap that only surfaces, otherwise, during an actual inspection.Week 4
11Board or senior management approval — the manual is formally adopted, dated, and signed off at the appropriate governance levelAn unsigned, undated policy — even a well-drafted one — does not evidence the governance ownership the AML/CFT Law expects.Week 4–5
12Handover, training briefing, and next-review scheduling — the approved manual is issued, a training session is scoped, and the annual review date is diarisedA policy issued without a scheduled review date is the policy most likely to still be in use, unrevised, three years later when a supervisor tests it against a business that has since changed.Week 5

Realistic timeline from scoping call to a board-approved, issued policy manual: 4–6 weeks where the risk assessment is already current, or 5–8 weeks where the risk assessment is produced concurrently. Complex entities with multiple customer categories, cross-border exposure, or a materially incomplete starting risk assessment take longer. PNPC does not shortcut the fact-finding stage regardless of timeline pressure, since a policy drafted without it is the generic-template problem in a new form.

Document Checklist
Entity & Licensing Information

Trade licence copy — mainland DED licence or free zone licence — showing licensed activities in full, since DNFBP status and policy scope follow actual licensed activity

Memorandum and Articles of Association or equivalent constitutional documents

Organisational chart identifying the proposed or existing Compliance Officer/MLRO and their reporting line to senior management or the board

Details of any UAE or overseas branches, subsidiaries, or related entities sharing customer data or referral relationships

Any existing AML/CFT policy or procedure documents, for gap assessment rather than discarding outright

Risk Assessment & Customer Profile Inputs

Current AML/CFT risk assessment, if one exists, or the underlying data to produce one — customer categories, transaction value ranges and frequency, geographic spread

Description of payment methods accepted — bank transfer, cash, third-party payment, cryptocurrency/virtual assets — since each carries different CDD implications

Any FATF-flagged or otherwise higher-risk jurisdiction exposure in the current customer or counterparty base

Any existing customer onboarding forms, KYC intake templates, or informal checklists currently in use

Beneficial Ownership & Corporate Structure

Shareholder register and, for corporate shareholders, their own ownership structure down to the natural person level

Existing Register of Beneficial Owners, if maintained, for accuracy review against Cabinet Decision No. 58 of 2020

Trust deeds, nominee arrangements, or power-of-attorney documents where ownership or control involves anything other than direct individual shareholding

Existing Compliance Infrastructure

Details of any sanctions or PEP screening tool currently used, including vendor, list sources, and screening frequency

Existing goAML platform registration details, if the entity is already registered

Records of any prior STR/SAR filings or internal escalations raised, with outcome

Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, VARA, or any other supervisor relating to a prior inspection, finding, or directive

Staff training records relating to AML/CFT, if any prior training has been delivered

Governance Materials

Board or senior management structure and the appropriate approval authority for adopting a compliance policy

Any group-level or parent-company AML policy that needs to be localised rather than adopted as-is

Confirmation of who holds, or will hold, the designated Compliance Officer/MLRO role and their CV or role description

Post-Draft Sign-Off Pack

Board resolution or management sign-off record formally adopting the policy manual

Version-control record showing the effective date and the review-cycle schedule

Distribution and acknowledgement record confirming relevant staff have received and reviewed the approved policy

Ongoing obligations
PhaseTriggered ByPNPC GuidanceRisk If Ignored
Initial Drafting (Week 1–5)New licence issuance, absence of a current policy, or a material change requiring a full rewriteFact-finding, risk assessment alignment, and drafting of the full policy suite — CDD/EDD, beneficial ownership, screening, escalation, retention, governance — as one coordinated document set.Onboarding or continuing to operate without a current, board-approved policy leaves the entity unable to demonstrate compliance on first inspection and leaves front-line staff without a documented standard to follow.
Board Approval & IssuanceCompletion of drafting and internal reviewThe manual is formally adopted at board or senior management level, dated, version-controlled, and distributed to relevant staff with an acknowledgement record kept.An unsigned or informally circulated policy does not evidence the governance ownership supervisors expect, regardless of how well the content itself is drafted.
Staff Training RolloutPolicy issuanceThe approved manual is the basis for role-specific staff training — front-line onboarding staff, the Compliance Officer, and senior management — with attendance and competency records maintained.A policy that staff have not been trained on is close to worthless on inspection, since supervisors test whether procedures are actually followed, not just documented.
Live OperationOngoing customer onboarding and transaction activityThe policy's CDD/EDD tiers, screening cadence, and escalation pathway are applied consistently across every customer file, with the Compliance Officer exercising the documented authority.Inconsistent application — some files following the policy, others not — is the single most common inspection finding and signals the document is not actually operative.
Annual ReviewAnniversary of adoption, or a material change in business or regulationThe policy is reviewed against the current risk assessment, any Cabinet Decision or FATF guidance updates, and any change in the entity's customer base, products, or geographic exposure, with a formal re-approval.A stale, unrevised policy is a first-line inspection question — 'when was this last reviewed and approved' has an easy pass or fail answer.
Material Business ChangeNew product line, new customer segment, new jurisdiction exposure, M&A, or crypto/virtual-asset acceptanceThe policy is reassessed and updated before the change goes live — new risk exposure is incorporated into the CDD tiers and screening procedure proactively rather than retrofitted after exposure has already been taken on.A new business line onboarded under an unrevised policy is effectively unassessed, creating exactly the gap an inspection is designed to find.
Regulatory UpdateNew Cabinet Decision, Ministerial Decision, or FATF mutual evaluation follow-up guidance affecting AML/CFT obligationsThe policy manual is updated to reflect the change, with the update dated and the revision history maintained.A policy that does not track regulatory amendments drifts out of alignment with current requirements within a year or two, even if it was correctly drafted at issuance.
Regulatory InspectionScheduled or unannounced supervisory visitPNPC supports document production and file walkthroughs, drawing on the same policy and its supporting records built at drafting stage.An entity unable to produce a current, approved policy and matching customer files faces findings that typically escalate from a corrective directive to administrative fines and, in serious cases, licence-level consequences.
Remediation (If a Gap Is Found)Inspection finding or self-identified gap in the policy or its applicationThe specific clause or procedural gap is corrected, re-approved, and the correction evidenced for the next inspection cycle.Unaddressed policy gaps compound at the next inspection and are viewed as an aggravating factor reflecting a pattern rather than an isolated lapse.
Frequently asked
What exactly does 'drafting of AML policies and procedures' include, separate from the risk assessment or the CDD advisory work?

This engagement is the production of the written, board-approved policy manual and operating procedures themselves — the document set covering CDD/EDD tiers, beneficial ownership identification, sanctions/PEP screening, escalation, record-keeping, and STR/SAR filing procedure. It is drafted from a risk assessment (existing or produced alongside) and precedes the day-to-day CDD advisory and staff training work, which apply the policy in practice.

Practitioner noteWe are often asked to draft a policy where no risk assessment exists yet. We can produce both together, but we do not draft the policy first and backfill the risk assessment afterwards — the sequencing matters for a defensible document.
Can we just use a template AML policy and change the company name and logo?

Doing so leaves a document that describes a generic business, not yours — and supervisory authorities specifically test whether the policy's content matches the entity's actual customer base, transaction patterns, and controls. A template with the name changed is a recognised, recurring inspection finding, not a shortcut that saves time in the long run.

Practitioner noteWe ask new clients to send their existing template first, if they have one. Nine times out of ten it was copied from elsewhere and has clauses that plainly do not describe how the business actually operates — those are the first things we flag.
Does the policy need to be board-approved, or can a manager just sign off on it?

UAE AML/CFT expectations are that the policy is adopted at the appropriate senior governance level — typically the board of directors or equivalent senior management for smaller entities — reflecting genuine institutional ownership of the compliance function, not a document produced and filed away by a junior staff member without formal sign-off.

Practitioner noteWe build a formal approval and version-control step into every drafting engagement specifically because an unsigned, undated policy — even a well-written one — does not evidence the governance ownership a supervisor is looking for.
How long does it take to draft a complete AML policy manual?

Where a current risk assessment already exists, a complete, board-approved policy manual typically takes around 4–6 weeks from the initial scoping call, covering fact-finding, drafting, internal review, and formal approval. Where the risk assessment needs to be produced concurrently, the realistic window extends to roughly 5–8 weeks. More complex entities with multiple customer categories or cross-border exposure take longer.

Practitioner noteWe do not shortcut the entity fact-finding stage to compress the timeline — that stage is exactly what turns a generic document into an operable one, and skipping it produces the template problem in a new form.
What sections does a properly drafted AML/CFT policy manual need to cover?

At minimum: the business-wide risk assessment methodology and its findings; standard, simplified, and enhanced Customer Due Diligence procedures with entity-specific triggers; beneficial ownership identification and verification; sanctions and PEP screening cadence; ongoing transaction monitoring; the internal escalation pathway to the Compliance Officer; the goAML STR/SAR filing procedure and the no-tipping-off rule; record-keeping and retention; and the designated Compliance Officer's authority and the annual review cycle.

Practitioner noteSection headings alone do not make a policy defensible. We test every section by asking whether a front-line staff member could actually follow it without calling us — if the answer is no, the clause needs more specificity, not more length.
How is a policy for simplified due diligence customers actually written so it is not misused?

The policy needs to define, in terms specific to the entity's own customer base and risk assessment, exactly which customer profile qualifies for simplified treatment — not a generic reference to 'low-risk customers.' It must also state explicitly that simplified due diligence can never apply automatically as a default, and can never apply to a customer or jurisdiction carrying elevated risk indicators regardless of how the relationship is otherwise structured.

Practitioner noteWe deliberately draft this clause narrowly rather than broadly, because a pattern of unjustified simplified treatment across a customer file sample is a common and easily identified inspection finding.
Our parent company has a global AML policy — can we just adopt it for our UAE entity?

A global group policy is a useful starting reference but rarely satisfies UAE requirements on its own. It needs to be localised to reference the specific provisions of the AML/CFT Law, the goAML reporting channel, the UAE Compliance Officer's specific authority and portal registration, and any UAE-specific risk factors such as local sanctions lists and DNFBP activity thresholds that a global template will not capture.

Practitioner noteWe regularly localise group policies for UAE subsidiaries of international clients. It is faster than drafting from a blank page, but it is not a copy-paste exercise — every clause needing UAE-specific adaptation gets flagged and rewritten.
What is the difference between the policy and the procedures — aren't they the same document?

In practice they are usually issued as one coordinated manual, but conceptually the policy states the entity's principles and risk appetite (for example, the categories of customer requiring enhanced due diligence), while the procedures set out the specific operational steps staff follow to give effect to that policy (for example, the exact documents collected and the approval sign-off required for an enhanced due diligence onboarding). Both need to be present and aligned for the document to be operable.

Practitioner noteWe see policies that state a principle clearly but never translate it into an operable procedure — leaving staff to interpret intent case by case, which produces exactly the file inconsistency an inspection tests for.
How often does the policy need to be reviewed and re-approved?

At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, a new customer segment or geographic market, a change in ownership or control, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. A policy that has not been revisited in several years is itself a common and easily identified inspection finding.

Practitioner noteWe build the annual review into the ongoing advisory relationship rather than leaving it to the client to remember — a calendar-driven review catches drift in the business before a supervisor does.
Does having a well-drafted policy protect us if a customer turns out to be involved in money laundering?

A properly drafted and consistently implemented policy is the standard against which a business's conduct is judged on inspection — it does not guarantee that criminal activity will never occur through the business, but a business that can demonstrate it followed a documented, board-approved, risk-based programme in good faith is in a materially different position than one with no policy or one that ignored its own documented red flags.

Practitioner noteWe are candid with clients that the goal is defensible, demonstrable good-faith compliance, not a guarantee that no bad actor will ever attempt to use the business — those are different standards and understanding the difference shapes how the policy should be written.
What happens if the policy exists but staff aren't actually following it?

A written policy that is not being followed in practice is treated on inspection as close to equivalent to having no policy at all, since supervisors sample customer files to test whether the documented procedure matches what staff actually did — a strong policy with inconsistent underlying files is a standard, easily identified finding.

Practitioner noteThis is precisely why we recommend staff training and an internal file walkthrough immediately after policy approval — a policy that exists only on paper is the single most common gap we find when reviewing another firm's earlier drafting work.
Do free zone entities in DIFC or ADGM need a different policy structure than mainland entities?

Yes. DIFC entities regulated by the DFSA and ADGM entities regulated by the FSRA operate under their own AML rulebooks specific to those financial free zones, layered on the federal AML/CFT Law. A policy drafted against the mainland Ministry of Economy framework will not directly satisfy a DIFC or ADGM entity's specific supervisor, even though the underlying AML principles are broadly aligned.

Practitioner noteWe scope this explicitly at the start of every drafting engagement — building a mainland-style policy for a DIFC or ADGM entity, or vice versa, produces a document that will not satisfy the entity's actual supervisor.
Who should be named as the Compliance Officer or MLRO in the policy, and what authority does the document need to give them?

The nominee should be sufficiently senior and empowered within the organisation to act independently — able to escalate concerns, request further information, and where necessary pause a transaction pending review, without needing case-by-case sign-off from someone whose interests might conflict with reporting. The policy document needs to describe that authority explicitly, not just assign a title.

Practitioner noteWe ask clients directly during drafting: if this person wanted to stop a transaction tomorrow because they were uneasy about it, could they actually do that without needing three layers of sign-off? If the honest answer is no, the authority clause — or the nomination itself — needs rethinking before the policy is finalised.
How much does drafting a full AML policy manual cost?

PNPC agrees a fixed, written fee before work begins, scoped to the complexity of the business — a single-office corporate service provider and a multi-branch real estate brokerage require materially different depth of drafting. Fees also depend on whether the risk assessment is produced concurrently or already exists.

Practitioner noteWe deliberately do not publish a single number here because policy complexity varies enormously by business type and existing documentation — ask us for a scoped, written quote after the initial call.
Can PNPC draft the policy and also act as our Compliance Officer?

PNPC drafts the policy and can provide ongoing advisory support to a designated internal Compliance Officer, but the statutory Compliance Officer/MLRO role must generally be held by a suitably senior individual within the regulated entity itself, since the role requires day-to-day authority an external adviser cannot exercise. Some sector rulebooks have specific requirements on who can hold the designation, which we scope precisely rather than assuming one model fits every client.

Practitioner noteWe are explicit with clients about this boundary at the drafting stage, since the policy document itself needs to name a real, internally accountable Compliance Officer for the governance clause to be credible on inspection.
Why PNPC Global

PNPC-drafted AML policy vs a generic template or DIY approach

DimensionGeneric Template / DIY PolicyPNPC-Drafted Policy
Basis for the documentDownloaded headings with the company name insertedDrafted from the entity's own risk assessment, actual customer base, and transaction patterns
CDD/EDD triggersGeneric references to 'high-risk' and 'low-risk' customers with no entity-specific definitionSpecific, defensible triggers calibrated to this business's own risk tiers
Beneficial ownership look-throughOften stops at the first corporate layerExplicit look-through methodology for layered or offshore structures, aligned to Cabinet Decision No. 58 of 2020
Governance and approvalFrequently unsigned, undated, or approved informallyBoard or senior management approval built into the drafting process, with version control
UAE-specific groundingGlobal group templates often left unlocalised, with no goAML or local sanctions-list referencesLocalised to the AML/CFT Law, goAML, and current UAE sanctions/PEP list sources
Operability for front-line staffPrinciples stated without a step-by-step procedure to followPolicy and procedure paired, tested against realistic (anonymised) customer scenarios before sign-off
Inspection readinessReads as generic on a file-by-file review, a common and recurring inspection findingDrafted to withstand a supervisor testing the document against an actual customer file
Review disciplineLeft unrevised for years until a finding forces a rewriteAnnual review scheduled into the engagement from day one, updated as regulations and the business evolve

What the PNPC package includes

  1. 01

    Applicability and scoping confirmation against the entity's actual DNFBP or regulated category

  2. 02

    Risk assessment review, or production, as the foundation the policy is drafted from

  3. 03

    Entity fact-finding on actual customer categories, payment channels, and geographic exposure

  4. 04

    Standard, simplified, and enhanced Customer Due Diligence procedures with entity-specific triggers

  5. 05

    Beneficial ownership identification and verification procedure aligned to Cabinet Decision No. 58 of 2020

  6. 06

    Sanctions and PEP screening procedure with a defined cadence and escalation path

  7. 07

    Internal escalation pathway and goAML STR/SAR filing procedure, including the no-tipping-off discipline

  8. 08

    Record-keeping and retention schedule designed for retrievability, not just storage

  9. 09

    Designated Compliance Officer/MLRO authority clause and governance structure

  10. 10

    Internal stress-test against realistic, anonymised customer scenarios before finalisation

  11. 11

    Board or senior management approval process and version-control record

  12. 12

    Post-issuance training briefing scoping and annual review date scheduling

  13. 13

    Coordination with any concurrent goAML registration or CDD implementation engagement

  14. 14

    Ongoing advisory access for policy interpretation questions after issuance

Get an AML/CFT policy manual built from your actual business, not a template — speak to PNPC's UAE compliance team.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to AML / CFT Services