IPR & AML Compliance · AML / CFT Services
Drafting of AML policies and procedures
Drafting of AML policies and procedures is the engagement through which PNPC produces the written, board-approved AML/CFT policy manual and operating procedures that every UAE Designated Non-Financial Business and Profession, financial institution, and Virtual Asset Service Provider must maintain under Federal Decree-Law No.
Chartered Accountants · Dubai · Since 1986
Drafting of AML policies and procedures is the production of the written compliance framework that Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (the AML/CFT Law), together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, requires every regulated entity to hold and to actually operate under. The obligation applies to Designated Non-Financial Businesses and Professions (DNFBPs) — real estate brokers and developers, dealers in precious metals and stones above prescribed cash thresholds, corporate and trust service providers, independent legal professionals, and independent accountants and auditors carrying out specified services — supervised primarily by the Ministry of Economy, as well as to financial institutions under the UAE Central Bank, securities firms under the Securities and Commodities Authority, and Virtual Asset Service Providers under VARA or the relevant emirate-level regulator. Financial free zone entities in DIFC and ADGM sit under their own AML supervisors, the Dubai Financial Services Authority and the Financial Services Regulatory Authority respectively, each with its own rulebook layered on top of the federal law.
A compliant AML policy manual is not a single document; it is a coordinated set of written procedures that together operationalise the risk-based approach the law requires. At its core sits the business-wide AML/CFT risk assessment, which drives everything that follows — the risk assessment identifies the entity's exposure across customer type, geography, product/service, and delivery channel, and the policy manual then sets out exactly how the business responds to that exposure: standard, simplified, or enhanced Customer Due Diligence triggers; beneficial ownership identification and verification procedures aligned to Cabinet Decision No. 58 of 2020; sanctions and Politically Exposed Persons (PEP) screening cadence and escalation; ongoing transaction monitoring thresholds; record-retention rules; the internal escalation pathway from front-line observation to the Compliance Officer's decision on whether to file; and the mechanics of filing a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) through the goAML platform operated by the UAE's Financial Intelligence Unit, together with the strict no-tipping-off discipline that governs any such filing.
The drafting exercise is where most AML programmes succeed or fail on inspection, because the difference between a policy that passes scrutiny and one that does not is rarely the presence or absence of a section heading — most template policies cover the same headings. The difference is whether the content under each heading describes what this specific business actually does. A policy that states simplified due diligence applies to 'low-risk customers' without defining, in terms specific to the entity's own customer base, exactly which customer profile qualifies, is not operable by front-line staff and will not withstand a supervisor asking a nominated Compliance Officer to justify a specific onboarding decision against the written procedure. Equally, a policy copied from a foreign parent group's global template, with UAE-specific references to the AML/CFT Law, goAML, and local sanctions lists never inserted, reads on inspection as evidence the entity has not actually engaged with its UAE obligation.
Policies must also be board-approved or approved by equivalent senior management, since the AML/CFT Law expects governance ownership of the compliance function, not a document produced by a junior staff member and left unsigned. The manual should name the designated Compliance Officer or Money Laundering Reporting Officer (MLRO), describe their authority to escalate and pause transactions independently, and set out the record-keeping and periodic review discipline — at minimum an annual refresh, and sooner if the business, its customer base, or the underlying regulations change materially.
PNPC's approach to drafting starts from the risk assessment and the entity's real operating detail — actual customer categories, actual payment channels, actual jurisdictions dealt with — rather than a headings checklist, and produces a manual that a front-line member of staff can follow under time pressure and that a Compliance Officer can defend, clause by clause, against an actual customer file during an inspection.
When Drafting of AML Policies and Procedures is the right engagement
Your business falls within the DNFBP categories under UAE AML law — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and has no written, board-approved AML/CFT policy at all
You are a newly licensed regulated entity (financial institution, VASP, DNFBP) and need the AML/CFT policy manual and CDD procedures drafted before you can lawfully begin onboarding customers
Your existing policy was purchased or copied as a generic template and has never been calibrated to your actual customer base, products, geography, or delivery channels
Your existing policy predates the current Cabinet Decision amendments, FATF guidance updates, or a material change in your business (new product line, new customer segment, new jurisdiction exposure) and is due for a substantive rewrite rather than a light edit
You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection finding specifically citing an inadequate, outdated, or unimplemented AML/CFT policy
A group parent company has a global AML policy that needs to be localised into a UAE-specific manual referencing the AML/CFT Law, goAML, and UAE sanctions lists rather than adopted as-is
Your risk assessment has recently been completed or updated and the policy manual now needs to be drafted, or redrafted, to align with its findings
You need the policy translated into operable escalation scripts, onboarding checklists, and approval-authority matrices that front-line staff can actually follow, not just a narrative compliance statement
Your designated Compliance Officer or MLRO needs a documented procedure that gives the role genuine operating substance and a defensible basis for decisions taken
You are acquiring or merging with a regulated entity and need its existing AML policy diligenced and, where necessary, rebuilt as part of integration
Where a different engagement fits better
You do not yet have a completed AML/CFT risk assessment — the policy should be drafted from the risk assessment's findings, not written in parallel or ahead of it; PNPC generally recommends the risk assessment as the first deliverable, often within the same engagement
You are not a DNFBP, financial institution, or VASP and your business activity does not fall within any AML/CFT-regulated category under UAE law — confirm applicability first through a scoping call before commissioning a policy drafting engagement
You need only the goAML portal registration completed with no policy drafting involved — that is a narrower, standalone registration engagement, though PNPC recommends the risk assessment and policy accompany or precede registration
Your requirement is limited to sanctions screening software selection and configuration with no policy-drafting component — that sits closer to a technology/vendor selection engagement
You already have a properly drafted, board-approved, and implemented policy and need ongoing training delivery, KYC file remediation, or goAML reporting support instead — those are distinct engagements PNPC also provides
You are seeking a signed-off policy overnight with no scoping call and no willingness to share your actual customer base, ownership structure, or transaction profile — a defensible, risk-based policy cannot be drafted from assumptions
You want a guarantee that a drafted policy will prevent any future inspection finding — no advisor can offer that; what a properly drafted policy buys is a defensible, evidenced position and a materially faster remediation path if a finding does arise
You have an active investigation or enforcement matter already underway relating to money laundering or terrorist financing — that requires criminal defence legal representation as the primary engagement, with policy drafting playing a secondary, supporting role
AML Policy Drafting vs related UAE AML/CFT compliance engagements
| Feature | Drafting of AML Policies & Procedures | AML Risk Assessment | KYC & CDD Advisory | goAML Portal Registration | AML Training & Capacity Building |
|---|---|---|---|---|---|
| Primary output | Board-approved written policy manual and operating procedures covering the full AML/CFT programme | A documented risk rating methodology across customer, geography, product/service, and delivery-channel risk | The onboarding, screening, and monitoring discipline built and run day to day, of which the policy is one component | Registration and activation on the FIU's goAML reporting platform | Staff competency in executing the policy correctly, evidenced by attendance and assessment records |
| Legal basis | Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019, as amended | Same legal framework — the risk-based approach the law mandates as the foundation of any AML programme | Same framework, operational layer | AML/CFT Law's reporting-channel requirement | AML/CFT Law's expectation that staff can execute the documented procedure |
| Sequencing | Drafted from a completed or concurrently produced risk assessment; precedes or accompanies staff training | Should exist before, or be produced alongside, the policy — the policy operationalises the risk assessment's findings | Runs on top of the policy once drafted and approved — the policy tells staff what to do; CDD advisory is the doing | Can run in parallel with policy drafting; registration alone does not satisfy the policy requirement | Follows policy drafting — staff cannot be trained on a document that does not yet exist |
| Typical deliverable form | Board-approved AML/CFT policy manual, CDD/EDD procedures, escalation matrix, screening cadence, record-retention schedule | Written risk assessment report with a risk-rating methodology and supporting rationale | Onboarding forms, CDD/EDD checklists, ongoing monitoring workflow, file remediation | FIU portal credentials for the organisation and the designated Compliance Officer | Training materials, attendance records, competency sign-off |
| Who typically commissions it | Any DNFBP, financial institution, or VASP without a current, board-approved, entity-specific policy | Entities building or refreshing their AML programme, or responding to a materially changed business | Entities with a policy already in place needing the operational layer built or fixed | Entities that have a policy and risk assessment but lack platform access | Entities with an approved policy that staff have not yet been formally trained against |
| Inspection relevance | The document a Ministry of Economy or Central Bank inspector reviews first and tests customer files against | The foundation an inspector checks the policy actually reflects | What an inspector samples to see if the policy is being followed in practice | Necessary but not sufficient on its own — registration without a policy behind it is an early and common finding | Absence of training records is a standard, easily identified inspection finding |
These engagements are frequently bundled — PNPC typically produces the risk assessment and the policy manual as a single coordinated deliverable, then follows with goAML registration, CDD implementation support, and staff training, so the written policy and the operating programme are built to match from day one rather than reconciled after the fact.
| # | Stage & What PNPC Does | What Generic Templates Miss | Timeline |
|---|---|---|---|
| 1 | Scoping call and applicability confirmation — confirming the entity's DNFBP or regulated category and which supervisory rulebook governs it | A template drafted before applicability is confirmed risks citing the wrong supervisory authority or omitting sector-specific requirements — mainland DED, DIFC/DFSA, ADGM/FSRA, and VARA/VASP entities each sit under a different specific rulebook layered on the federal AML/CFT Law. | Week 1 |
| 2 | Risk assessment review or production — confirming an existing risk assessment is current, or producing one where none exists, since the policy is drafted from its findings | A policy drafted without a current risk assessment behind it has no defensible basis for its due diligence tiers, EDD triggers, or monitoring thresholds — an inspector's first question is usually 'what risk assessment supports this clause.' | Week 1–2 (if risk assessment already current) or Week 1–3 (if produced concurrently) |
| 3 | Entity fact-finding — actual customer categories, transaction patterns, payment channels, geographies, and existing controls documented in detail | Generic templates skip this step entirely, which is exactly why they read as generic — the specific customer mix and payment channel detail is what turns a section heading into an operable clause. | Week 1–2 |
| 4 | CDD/EDD procedure drafting — standard, simplified, and enhanced due diligence triggers defined against the entity's actual risk tiers | Templates state that EDD applies to 'high-risk customers' without defining, for this specific business, what actually triggers that classification — leaving front-line staff to guess and creating inconsistent files. | Week 2–3 |
| 5 | Beneficial ownership identification procedure — the look-through methodology for corporate and trust customer structures, aligned to Cabinet Decision No. 58 of 2020 | Layered or offshore ownership structures need an explicit look-through rule; a generic clause that stops at the first corporate layer is a recurring inspection gap. | Week 2–3 |
| 6 | Sanctions and PEP screening procedure — screening cadence, list sources, and escalation on a match, integrated into onboarding and ongoing monitoring | Templates often describe screening as a one-time onboarding check; the actual obligation includes periodic re-screening against updated lists, which a generic document rarely specifies with a defined cadence. | Week 2–4 |
| 7 | Escalation and STR/SAR filing procedure — the internal pathway from a front-line observation to the Compliance Officer's decision and a goAML filing, with the no-tipping-off rule built in explicitly | A policy that does not name who decides, within what timeframe, and how the no-tipping-off obligation is protected leaves staff exposed to making that judgment call alone under pressure. | Week 3–4 |
| 8 | Record-keeping and retention schedule — what is retained, in what format, for how long, and how it is retrieved on a supervisory request | Retention clauses in generic templates rarely address retrievability — a retained-but-unlocatable file reads on inspection almost the same as an unretained one. | Week 3–4 |
| 9 | Governance and Compliance Officer authority clause — naming the designated Compliance Officer/MLRO, their reporting line, and their independent authority to pause or escalate | A policy naming a Compliance Officer with no described authority to actually act independently is a recognised inspection red flag — the clause needs to describe real, exercisable authority, not a title. | Week 3–4 |
| 10 | Internal review and stress-test — a sample walkthrough of how the drafted procedure would apply to a handful of real (anonymised) customer scenarios from the entity's own book | This step catches clauses that read well on paper but do not actually work against a real file — a gap that only surfaces, otherwise, during an actual inspection. | Week 4 |
| 11 | Board or senior management approval — the manual is formally adopted, dated, and signed off at the appropriate governance level | An unsigned, undated policy — even a well-drafted one — does not evidence the governance ownership the AML/CFT Law expects. | Week 4–5 |
| 12 | Handover, training briefing, and next-review scheduling — the approved manual is issued, a training session is scoped, and the annual review date is diarised | A policy issued without a scheduled review date is the policy most likely to still be in use, unrevised, three years later when a supervisor tests it against a business that has since changed. | Week 5 |
Realistic timeline from scoping call to a board-approved, issued policy manual: 4–6 weeks where the risk assessment is already current, or 5–8 weeks where the risk assessment is produced concurrently. Complex entities with multiple customer categories, cross-border exposure, or a materially incomplete starting risk assessment take longer. PNPC does not shortcut the fact-finding stage regardless of timeline pressure, since a policy drafted without it is the generic-template problem in a new form.
Trade licence copy — mainland DED licence or free zone licence — showing licensed activities in full, since DNFBP status and policy scope follow actual licensed activity
Memorandum and Articles of Association or equivalent constitutional documents
Organisational chart identifying the proposed or existing Compliance Officer/MLRO and their reporting line to senior management or the board
Details of any UAE or overseas branches, subsidiaries, or related entities sharing customer data or referral relationships
Any existing AML/CFT policy or procedure documents, for gap assessment rather than discarding outright
Current AML/CFT risk assessment, if one exists, or the underlying data to produce one — customer categories, transaction value ranges and frequency, geographic spread
Description of payment methods accepted — bank transfer, cash, third-party payment, cryptocurrency/virtual assets — since each carries different CDD implications
Any FATF-flagged or otherwise higher-risk jurisdiction exposure in the current customer or counterparty base
Any existing customer onboarding forms, KYC intake templates, or informal checklists currently in use
Shareholder register and, for corporate shareholders, their own ownership structure down to the natural person level
Existing Register of Beneficial Owners, if maintained, for accuracy review against Cabinet Decision No. 58 of 2020
Trust deeds, nominee arrangements, or power-of-attorney documents where ownership or control involves anything other than direct individual shareholding
Details of any sanctions or PEP screening tool currently used, including vendor, list sources, and screening frequency
Existing goAML platform registration details, if the entity is already registered
Records of any prior STR/SAR filings or internal escalations raised, with outcome
Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, VARA, or any other supervisor relating to a prior inspection, finding, or directive
Staff training records relating to AML/CFT, if any prior training has been delivered
Board or senior management structure and the appropriate approval authority for adopting a compliance policy
Any group-level or parent-company AML policy that needs to be localised rather than adopted as-is
Confirmation of who holds, or will hold, the designated Compliance Officer/MLRO role and their CV or role description
Board resolution or management sign-off record formally adopting the policy manual
Version-control record showing the effective date and the review-cycle schedule
Distribution and acknowledgement record confirming relevant staff have received and reviewed the approved policy
| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Initial Drafting (Week 1–5) | New licence issuance, absence of a current policy, or a material change requiring a full rewrite | Fact-finding, risk assessment alignment, and drafting of the full policy suite — CDD/EDD, beneficial ownership, screening, escalation, retention, governance — as one coordinated document set. | Onboarding or continuing to operate without a current, board-approved policy leaves the entity unable to demonstrate compliance on first inspection and leaves front-line staff without a documented standard to follow. |
| Board Approval & Issuance | Completion of drafting and internal review | The manual is formally adopted at board or senior management level, dated, version-controlled, and distributed to relevant staff with an acknowledgement record kept. | An unsigned or informally circulated policy does not evidence the governance ownership supervisors expect, regardless of how well the content itself is drafted. |
| Staff Training Rollout | Policy issuance | The approved manual is the basis for role-specific staff training — front-line onboarding staff, the Compliance Officer, and senior management — with attendance and competency records maintained. | A policy that staff have not been trained on is close to worthless on inspection, since supervisors test whether procedures are actually followed, not just documented. |
| Live Operation | Ongoing customer onboarding and transaction activity | The policy's CDD/EDD tiers, screening cadence, and escalation pathway are applied consistently across every customer file, with the Compliance Officer exercising the documented authority. | Inconsistent application — some files following the policy, others not — is the single most common inspection finding and signals the document is not actually operative. |
| Annual Review | Anniversary of adoption, or a material change in business or regulation | The policy is reviewed against the current risk assessment, any Cabinet Decision or FATF guidance updates, and any change in the entity's customer base, products, or geographic exposure, with a formal re-approval. | A stale, unrevised policy is a first-line inspection question — 'when was this last reviewed and approved' has an easy pass or fail answer. |
| Material Business Change | New product line, new customer segment, new jurisdiction exposure, M&A, or crypto/virtual-asset acceptance | The policy is reassessed and updated before the change goes live — new risk exposure is incorporated into the CDD tiers and screening procedure proactively rather than retrofitted after exposure has already been taken on. | A new business line onboarded under an unrevised policy is effectively unassessed, creating exactly the gap an inspection is designed to find. |
| Regulatory Update | New Cabinet Decision, Ministerial Decision, or FATF mutual evaluation follow-up guidance affecting AML/CFT obligations | The policy manual is updated to reflect the change, with the update dated and the revision history maintained. | A policy that does not track regulatory amendments drifts out of alignment with current requirements within a year or two, even if it was correctly drafted at issuance. |
| Regulatory Inspection | Scheduled or unannounced supervisory visit | PNPC supports document production and file walkthroughs, drawing on the same policy and its supporting records built at drafting stage. | An entity unable to produce a current, approved policy and matching customer files faces findings that typically escalate from a corrective directive to administrative fines and, in serious cases, licence-level consequences. |
| Remediation (If a Gap Is Found) | Inspection finding or self-identified gap in the policy or its application | The specific clause or procedural gap is corrected, re-approved, and the correction evidenced for the next inspection cycle. | Unaddressed policy gaps compound at the next inspection and are viewed as an aggravating factor reflecting a pattern rather than an isolated lapse. |
What exactly does 'drafting of AML policies and procedures' include, separate from the risk assessment or the CDD advisory work?
This engagement is the production of the written, board-approved policy manual and operating procedures themselves — the document set covering CDD/EDD tiers, beneficial ownership identification, sanctions/PEP screening, escalation, record-keeping, and STR/SAR filing procedure. It is drafted from a risk assessment (existing or produced alongside) and precedes the day-to-day CDD advisory and staff training work, which apply the policy in practice.
Can we just use a template AML policy and change the company name and logo?
Doing so leaves a document that describes a generic business, not yours — and supervisory authorities specifically test whether the policy's content matches the entity's actual customer base, transaction patterns, and controls. A template with the name changed is a recognised, recurring inspection finding, not a shortcut that saves time in the long run.
Does the policy need to be board-approved, or can a manager just sign off on it?
UAE AML/CFT expectations are that the policy is adopted at the appropriate senior governance level — typically the board of directors or equivalent senior management for smaller entities — reflecting genuine institutional ownership of the compliance function, not a document produced and filed away by a junior staff member without formal sign-off.
How long does it take to draft a complete AML policy manual?
Where a current risk assessment already exists, a complete, board-approved policy manual typically takes around 4–6 weeks from the initial scoping call, covering fact-finding, drafting, internal review, and formal approval. Where the risk assessment needs to be produced concurrently, the realistic window extends to roughly 5–8 weeks. More complex entities with multiple customer categories or cross-border exposure take longer.
What sections does a properly drafted AML/CFT policy manual need to cover?
At minimum: the business-wide risk assessment methodology and its findings; standard, simplified, and enhanced Customer Due Diligence procedures with entity-specific triggers; beneficial ownership identification and verification; sanctions and PEP screening cadence; ongoing transaction monitoring; the internal escalation pathway to the Compliance Officer; the goAML STR/SAR filing procedure and the no-tipping-off rule; record-keeping and retention; and the designated Compliance Officer's authority and the annual review cycle.
How is a policy for simplified due diligence customers actually written so it is not misused?
The policy needs to define, in terms specific to the entity's own customer base and risk assessment, exactly which customer profile qualifies for simplified treatment — not a generic reference to 'low-risk customers.' It must also state explicitly that simplified due diligence can never apply automatically as a default, and can never apply to a customer or jurisdiction carrying elevated risk indicators regardless of how the relationship is otherwise structured.
Our parent company has a global AML policy — can we just adopt it for our UAE entity?
A global group policy is a useful starting reference but rarely satisfies UAE requirements on its own. It needs to be localised to reference the specific provisions of the AML/CFT Law, the goAML reporting channel, the UAE Compliance Officer's specific authority and portal registration, and any UAE-specific risk factors such as local sanctions lists and DNFBP activity thresholds that a global template will not capture.
What is the difference between the policy and the procedures — aren't they the same document?
In practice they are usually issued as one coordinated manual, but conceptually the policy states the entity's principles and risk appetite (for example, the categories of customer requiring enhanced due diligence), while the procedures set out the specific operational steps staff follow to give effect to that policy (for example, the exact documents collected and the approval sign-off required for an enhanced due diligence onboarding). Both need to be present and aligned for the document to be operable.
How often does the policy need to be reviewed and re-approved?
At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, a new customer segment or geographic market, a change in ownership or control, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. A policy that has not been revisited in several years is itself a common and easily identified inspection finding.
Does having a well-drafted policy protect us if a customer turns out to be involved in money laundering?
A properly drafted and consistently implemented policy is the standard against which a business's conduct is judged on inspection — it does not guarantee that criminal activity will never occur through the business, but a business that can demonstrate it followed a documented, board-approved, risk-based programme in good faith is in a materially different position than one with no policy or one that ignored its own documented red flags.
What happens if the policy exists but staff aren't actually following it?
A written policy that is not being followed in practice is treated on inspection as close to equivalent to having no policy at all, since supervisors sample customer files to test whether the documented procedure matches what staff actually did — a strong policy with inconsistent underlying files is a standard, easily identified finding.
Do free zone entities in DIFC or ADGM need a different policy structure than mainland entities?
Yes. DIFC entities regulated by the DFSA and ADGM entities regulated by the FSRA operate under their own AML rulebooks specific to those financial free zones, layered on the federal AML/CFT Law. A policy drafted against the mainland Ministry of Economy framework will not directly satisfy a DIFC or ADGM entity's specific supervisor, even though the underlying AML principles are broadly aligned.
Who should be named as the Compliance Officer or MLRO in the policy, and what authority does the document need to give them?
The nominee should be sufficiently senior and empowered within the organisation to act independently — able to escalate concerns, request further information, and where necessary pause a transaction pending review, without needing case-by-case sign-off from someone whose interests might conflict with reporting. The policy document needs to describe that authority explicitly, not just assign a title.
How much does drafting a full AML policy manual cost?
PNPC agrees a fixed, written fee before work begins, scoped to the complexity of the business — a single-office corporate service provider and a multi-branch real estate brokerage require materially different depth of drafting. Fees also depend on whether the risk assessment is produced concurrently or already exists.
Can PNPC draft the policy and also act as our Compliance Officer?
PNPC drafts the policy and can provide ongoing advisory support to a designated internal Compliance Officer, but the statutory Compliance Officer/MLRO role must generally be held by a suitably senior individual within the regulated entity itself, since the role requires day-to-day authority an external adviser cannot exercise. Some sector rulebooks have specific requirements on who can hold the designation, which we scope precisely rather than assuming one model fits every client.
PNPC-drafted AML policy vs a generic template or DIY approach
| Dimension | Generic Template / DIY Policy | PNPC-Drafted Policy |
|---|---|---|
| Basis for the document | Downloaded headings with the company name inserted | Drafted from the entity's own risk assessment, actual customer base, and transaction patterns |
| CDD/EDD triggers | Generic references to 'high-risk' and 'low-risk' customers with no entity-specific definition | Specific, defensible triggers calibrated to this business's own risk tiers |
| Beneficial ownership look-through | Often stops at the first corporate layer | Explicit look-through methodology for layered or offshore structures, aligned to Cabinet Decision No. 58 of 2020 |
| Governance and approval | Frequently unsigned, undated, or approved informally | Board or senior management approval built into the drafting process, with version control |
| UAE-specific grounding | Global group templates often left unlocalised, with no goAML or local sanctions-list references | Localised to the AML/CFT Law, goAML, and current UAE sanctions/PEP list sources |
| Operability for front-line staff | Principles stated without a step-by-step procedure to follow | Policy and procedure paired, tested against realistic (anonymised) customer scenarios before sign-off |
| Inspection readiness | Reads as generic on a file-by-file review, a common and recurring inspection finding | Drafted to withstand a supervisor testing the document against an actual customer file |
| Review discipline | Left unrevised for years until a finding forces a rewrite | Annual review scheduled into the engagement from day one, updated as regulations and the business evolve |
What the PNPC package includes
- 01
Applicability and scoping confirmation against the entity's actual DNFBP or regulated category
- 02
Risk assessment review, or production, as the foundation the policy is drafted from
- 03
Entity fact-finding on actual customer categories, payment channels, and geographic exposure
- 04
Standard, simplified, and enhanced Customer Due Diligence procedures with entity-specific triggers
- 05
Beneficial ownership identification and verification procedure aligned to Cabinet Decision No. 58 of 2020
- 06
Sanctions and PEP screening procedure with a defined cadence and escalation path
- 07
Internal escalation pathway and goAML STR/SAR filing procedure, including the no-tipping-off discipline
- 08
Record-keeping and retention schedule designed for retrievability, not just storage
- 09
Designated Compliance Officer/MLRO authority clause and governance structure
- 10
Internal stress-test against realistic, anonymised customer scenarios before finalisation
- 11
Board or senior management approval process and version-control record
- 12
Post-issuance training briefing scoping and annual review date scheduling
- 13
Coordination with any concurrent goAML registration or CDD implementation engagement
- 14
Ongoing advisory access for policy interpretation questions after issuance
Get an AML/CFT policy manual built from your actual business, not a template — speak to PNPC's UAE compliance team.
Jurisdiction
Free zone, mainland & offshore
Ready to get started?
Tell us about your requirement — a UAE specialist responds within 24 hours.