UAEServicesIPR & AML ComplianceAML / CFT ServicesSetup of AML Software

IPR & AML Compliance · AML / CFT Services

Setup of AML Software

Setup of AML Software is the engagement through which PNPC selects, configures, and operationalises the sanctions/PEP screening, transaction-monitoring, and case-management technology that sits underneath a UAE entity's AML/CFT programme required under Federal Decree-Law No.

Chartered Accountants · Dubai · Since 1986

What Setup of AML Software is

Setup of AML Software is the technical implementation layer of a UAE entity's anti-money laundering and counter-terrorist financing (AML/CFT) compliance function — the sanctions and Politically Exposed Person (PEP) screening tool, the transaction-monitoring system, and the case-management workflow that a Designated Non-Financial Business and Profession (DNFBP) or regulated financial entity uses to actually execute the customer due diligence, ongoing monitoring, and suspicious-activity escalation obligations set out in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Cabinet Decision No. 10 of 2019 (as amended). The law itself is technology-neutral — it does not mandate a specific vendor or platform — but it does require that screening and monitoring actually happen, that they happen consistently and at an appropriate frequency, and that the entity can produce evidence of what was screened, when, and with what outcome. For most entities beyond a handful of customers, that evidence trail is not realistically achievable through manual, spreadsheet-based checks; it requires software.

An AML software setup engagement typically covers three connected layers. The first is sanctions and PEP screening — configuring the tool to check customers, beneficial owners, and transaction counterparties against the UN Security Council Consolidated Sanctions List, the UAE Local Terrorist List, and any other lists relevant to the entity's cross-border exposure, both at onboarding and on a recurring basis thereafter, since a name that screens clean today can be listed tomorrow. The second is transaction monitoring — where relevant to the entity's activity (higher transaction volumes, financial institutions, exchange houses, or DNFBPs handling client funds), configuring rules and thresholds that flag activity inconsistent with a customer's expected profile, so unusual patterns surface for review rather than passing unnoticed inside routine volume. The third is case management and audit trail — ensuring that every screening hit, monitoring alert, and its disposition (cleared, escalated, filed as a Suspicious Transaction Report through the FIU's goAML platform) is logged, timestamped, and retrievable, because the record of how an alert was handled is often what a supervisory authority tests most closely.

The practical failure mode PNPC sees most often is not the absence of software — many entities have purchased a screening tool — but misconfiguration that leaves the tool doing far less than the entity believes. A subscription screening against only one list source when the entity's exposure calls for several; screening run once at onboarding with no periodic re-screening scheduled, so a customer sanctioned eighteen months into the relationship is never caught; monitoring thresholds copied from a vendor's generic template that bear no relationship to the entity's actual transaction sizes; or an alert queue that accumulates unreviewed because no one owns triage. Each of these leaves the entity with a screening tool that exists on paper and a written AML policy that claims a monitoring cadence the software is not actually running — precisely the mismatch between documented procedure and operating reality that Ministry of Economy and Central Bank inspections are designed to surface.

Under Federal Decree-Law No. 47 of 2022 on Corporate Tax and the broader Federal Tax Authority compliance landscape, AML software setup is a separate obligation from tax registration and filing, but the underlying discipline is related: both require the entity to maintain systems and records that can be produced to a regulator on request, in the format and timeframe the regulator specifies. PNPC treats AML software setup as inseparable from the policy and risk-assessment work that defines what the software should actually be configured to do — a tool is only as good as the risk methodology behind its settings, and a risk methodology with no operating tool behind it is a document, not a control.

When Setup of AML Software is the right engagement

Your business is a DNFBP or regulated financial entity under UAE AML/CFT law and does not yet have a sanctions/PEP screening tool in place, or is currently relying on manual, ad hoc name checks

You have a screening subscription already but have never had its list sources, screening frequency, and match-handling workflow reviewed against your actual risk assessment and written policy

Your customer or transaction volume has grown to the point where manual review is no longer defensible, and screening or monitoring alerts are accumulating faster than they can be triaged

You are newly licensed in a regulated sector — financial services, a Virtual Asset Service Provider, or a DNFBP category — and need the screening infrastructure built before you can lawfully onboard customers at scale

A Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection has flagged that your screening tool's configuration does not match your documented AML/CFT policy or risk assessment

You need transaction-monitoring rules and thresholds calibrated to your actual customer base and transaction sizes rather than a vendor's generic out-of-the-box template

Your existing screening tool only checks at onboarding with no periodic re-screening scheduled, leaving customers who screened clean initially unmonitored against subsequent sanctions-list updates

You need a case-management and audit-trail workflow so that every alert, its investigation, and its disposition (cleared or escalated to an STR/SAR filed through goAML) is logged and retrievable on request

You are evaluating multiple screening or transaction-monitoring vendors and need independent advisory input on selection criteria matched to your transaction volume, budget, and risk profile before committing to a subscription

Where a different engagement may fit better

You do not yet have a documented AML/CFT risk assessment or written policy — configuring screening software before that foundation exists means the tool has nothing calibrated to configure against; a KYC & CDD Advisory engagement to build the policy and risk methodology should come first or alongside

You have not yet confirmed whether your business actually falls within a DNFBP or regulated category under UAE AML law — an applicability assessment should precede any technology purchase

You need standalone goAML portal registration completed with no wider screening or monitoring technology decision in scope — that is a narrower registration engagement

You are looking for PNPC to act as the ongoing designated Compliance Officer or MLRO who reviews and dispositions alerts day to day — PNPC configures and advises on the system; the entity's own empowered Compliance Officer must own live alert triage

You want a specific vendor product guaranteed or endorsed without an independent needs assessment — PNPC advises on selection criteria matched to your risk profile and is not tied to a single vendor

You are seeking a guarantee that a configured tool will catch every future suspicious relationship — no screening or monitoring system eliminates risk; it reduces the chance that a red flag passes unnoticed, and a documented, well-configured system is judged on whether it was reasonably designed and operated, not on a guaranteed outcome

Your requirement is limited to general company incorporation or trade licensing with no AML/CFT compliance dimension currently in scope

You already have a fully configured, independently reviewed screening and monitoring system and simply want ongoing subscription renewal — that is a vendor-management matter, not an implementation engagement

Structure Comparison

AML software components compared — what each layer actually does

ComponentWhat It Screens or MonitorsTypical Trigger PointWho Uses the OutputLeft Unconfigured, the Risk Is
Sanctions list screeningCustomer and beneficial-owner names against the UN Consolidated Sanctions List and UAE Local Terrorist ListOnboarding, plus periodic re-screening on a defined cadenceCompliance Officer / MLRO reviewing hits before onboarding proceedsA customer who was clean at onboarding but is later listed goes undetected until the next manual check, if any
PEP screeningCustomers and beneficial owners against Politically Exposed Person reference data, domestic and foreignOnboarding, plus periodic re-screeningSenior management approving or declining enhanced due diligence onboardingA PEP relationship is onboarded under standard rather than enhanced due diligence, missing the mandatory extra scrutiny
Adverse media / negative news screeningCustomers and beneficial owners against publicly reported adverse media relevant to financial crime, fraud, or sanctions evasionOnboarding, plus periodic re-screeningCompliance Officer assessing whether reported allegations affect the risk ratingReputationally and legally significant public information about a customer is never surfaced through the formal process
Transaction monitoringTransaction patterns against rules and thresholds calibrated to the customer's expected profileContinuously, as transactions occurCompliance Officer triaging generated alerts for investigationStructuring, rapid movement of funds, or activity inconsistent with the stated business purpose passes unnoticed inside routine volume
Case management / audit trailEvery screening hit and monitoring alert, its investigation notes, and its final dispositionGenerated automatically whenever a hit or alert occursCompliance Officer for day-to-day work; inspectors and auditors for evidence reviewThe entity cannot produce evidence of how a specific hit was handled, which reads on inspection as if the check never happened
goAML integration / escalation workflowThe handoff point where an investigated alert is assessed against the STR/SAR thresholdWhenever an alert investigation concludes suspicion is reasonably foundedCompliance Officer preparing and submitting the report through the FIU's goAML platformA genuinely suspicious alert sits in the case-management queue without a clear path to filing, delaying the 'without delay' reporting obligation

Not every entity needs every component at the same intensity — a small corporate service provider's screening needs differ from a financial institution's transaction-monitoring needs. PNPC scopes which components apply, and at what depth, based on the entity's actual risk assessment rather than installing a uniform package regardless of size.

How it works
#Stage & What PNPC DoesWhat a Default Vendor Install MissesTimeline
1Requirements & Risk-Profile Review — confirming what the entity's existing risk assessment and AML policy actually require the software to doA vendor sales process typically starts from what the product does, not from what your documented risk methodology requires it to screen and how often — we start from the policy, not the product brochure.Week 1
2Vendor / Tool Selection Support (where no tool exists) — matching screening and monitoring needs to appropriate options by transaction volume, budget, and list-source coverageEntities frequently select a tool based on price or a peer recommendation without checking whether its list sources and update frequency actually cover their specific exposure (for example, cross-border customers requiring broader sanctions-list coverage than a single-jurisdiction tool provides).Week 1–2
3List Source & Screening Cadence Configuration — setting which sanctions, PEP, and adverse-media sources are checked, and how often re-screening runsDefault installs commonly screen only at onboarding with no periodic re-screening scheduled — the single most common gap PNPC finds when reviewing an existing tool.Week 2
4Transaction-Monitoring Rule & Threshold Calibration (where applicable) — setting alert triggers to the entity's actual transaction sizes and customer profile mixGeneric out-of-the-box thresholds either generate an unmanageable volume of false-positive alerts that staff learn to ignore, or are set so high that genuinely unusual activity never triggers a review.Week 2–3
5Alert-Triage Workflow Design — defining who reviews an alert, within what timeframe, and how the decision (clear, escalate, or file) is recordedA tool with no defined triage ownership accumulates an unreviewed alert backlog — the alerts exist, but no one is accountable for actioning them.Week 3
6Case-Management & Documentation Setup — ensuring every hit, investigation note, and disposition is logged, timestamped, and retrievableEntities that can show a screening hit occurred but cannot show how it was investigated or resolved face the same inspection outcome as if the screening never ran.Week 3–4
7goAML Escalation Path Integration — defining the handoff from a confirmed suspicious alert to STR/SAR preparation and submission through the FIU's goAML platformSoftware and the goAML reporting obligation are frequently treated as unconnected — the alert sits investigated but with no clear procedural bridge to the actual filing.Week 4
8Staff Training on the Configured System — training the Compliance Officer and front-line staff on how to use the tool as configured, not the vendor's generic manualVendor-provided generic training covers the software's features; it does not cover how your specific risk assessment maps onto your specific configuration — staff need both.Week 4–5
9Test Run & Calibration Review — running a sample of existing or test customer data through the configured system to confirm outputs are sensible before full go-liveGoing live without a test pass risks discovering miscalibration (excessive false positives, or worse, missed genuine hits) only after real customer data has already gone unreviewed.Week 5
10Go-Live and Documentation Close-Out — configuration document, screening/monitoring policy annex, and training records compiled into the AML programme fileA configured tool with no written record of what was configured and why leaves the next reviewer, or an inspector, unable to verify the setup matches the policy without reverse-engineering the settings.Week 5–6
11Post-Go-Live Support & Periodic Recalibration — reviewing alert volumes, false-positive rates, and list-source currency after the system has been live for a period, and adjusting thresholdsThresholds set correctly at launch drift out of calibration as transaction volumes and customer mix change; a system never revisited after go-live degrades quietly over time.Scheduled review at 60–90 days, then periodic thereafter

Realistic timeline for a full sanctions/PEP screening and transaction-monitoring configuration, from requirements review to a documented, staff-trained go-live: roughly 4–6 weeks, depending on whether a tool already exists (reconfiguration) or needs to be selected and onboarded from scratch, and on the complexity of the entity's transaction-monitoring needs. A screening-only setup for a lower-volume DNFBP can move faster; a full transaction-monitoring build for a financial institution or exchange house typically takes longer.

Document Checklist
Existing AML Programme Foundation

Current AML/CFT risk assessment and written policy — the software configuration must map to what this document already says the entity does

Existing goAML registration confirmation and Compliance Officer / MLRO designation details

Any prior Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection findings relating to screening or monitoring gaps

Existing Technology (Where a Tool Already Exists)

Current screening/monitoring vendor name, subscription tier, and list of sources it screens against

Screening frequency currently configured (onboarding only, or periodic re-screening, and at what interval)

Sample export of recent alerts and how they were resolved, to assess current triage practice

Administrator access or a designated point of contact who can implement configuration changes

Customer & Transaction Profile Inputs

Customer base breakdown — individual versus corporate, resident versus non-resident, and approximate volumes in each category

Typical transaction value ranges and frequency, to calibrate monitoring thresholds realistically

Geographic spread of customers and counterparties, including any exposure to higher-risk jurisdictions

Payment and delivery channel details — cash, bank transfer, third-party payment, or virtual assets — since each affects which monitoring rules are relevant

Governance & Staffing

Name and role of the individual(s) who will own day-to-day alert triage under the configured system

Escalation authority — who approves onboarding a flagged higher-risk customer, and who signs off filing an STR/SAR

Existing staff training records relevant to any current screening tool, if applicable

Budget & Procurement Inputs (Where Selecting a New Tool)

Indicative budget range for subscription and implementation cost

Any procurement or IT security requirements the entity's own policies impose on new software vendors

Data residency or data protection considerations relevant to where customer screening data will be processed and stored

AML governance file

Business risk assessment and customer-risk methodology

AML/CFT policies, procedures and MLRO appointment records

Sanctions/PEP screening settings and evidence

Staff training logs and board/management approvals

Ongoing obligations
PhaseTriggered ByPNPC GuidanceRisk If Ignored
Requirements & SelectionNew DNFBP licence, growth beyond manual-check capacity, or an existing tool reviewMatch screening and monitoring needs to the entity's documented risk assessment before evaluating vendor options, rather than starting from a product feature list.A tool selected on price or convenience alone may not cover the list sources or monitoring depth the entity's actual risk profile requires.
Configuration & CalibrationTool selected, or existing tool flagged for reconfigurationSet list sources, screening cadence, and monitoring thresholds to reflect the written AML policy and the entity's real transaction profile, not vendor defaults.Default settings commonly under-screen (onboarding-only checks) or generate unmanageable false-positive volumes that staff learn to ignore.
Go-Live & Staff TrainingConfiguration complete and testedTrain the Compliance Officer and relevant staff on the system as configured, and document attendance and content as evidence.Untrained staff either misuse the tool or bypass it in practice, leaving the documented procedure disconnected from daily operations.
Ongoing Alert TriageEvery screening hit or monitoring alert generatedAlerts reviewed and dispositioned within a defined timeframe by an accountable individual, with the decision and reasoning logged.An unreviewed alert backlog is functionally identical, on inspection, to having no screening system at all.
Suspicious Alert ConfirmedInvestigation concludes reasonable grounds for suspicion existEscalate promptly to STR/SAR preparation and filing through the FIU's goAML platform, maintaining the no-tipping-off discipline throughout.A confirmed alert that sits uninvestigated or unfiled is a standalone breach of the 'without delay' reporting obligation under the AML/CFT Law.
Periodic Recalibration60–90 days post-go-live, then on a recurring cycle or after a material change in business activityReview alert volumes, false-positive rates, and list-source currency; adjust thresholds and list sources so the system tracks the entity's current profile rather than the profile it had at go-live.Thresholds set once and never revisited drift out of alignment with actual transaction patterns as the business grows or changes.
List-Source & Vendor Currency ReviewAnnual review, vendor contract renewal, or a Cabinet Decision / FIU guidance update affecting screening expectationsConfirm the screening tool's list sources remain current and complete, and that the vendor relationship still matches the entity's needs as it has grown.A stale list source or an outgrown tool is a recognised inspection finding — 'is this still fit for purpose' is a standard supervisory question.
Regulatory InspectionScheduled or unannounced supervisory visitProduce the configuration documentation, alert logs, and training records demonstrating the software operates as the written policy describes.A mismatch between the documented AML policy and the actual software configuration is treated as evidence the programme is not genuinely operative.
System Change or MigrationVendor discontinuation, contract renewal decision, or a business need for expanded capabilityPlan data migration, reconfiguration, and staff retraining so there is no gap in screening or monitoring coverage during the transition.A poorly planned migration can leave a screening gap during the changeover, exactly when continuity of coverage matters most.
Frequently asked
Does UAE AML law require us to use a specific software product?

No. Federal Decree-Law No. 20 of 2018 and its Cabinet Decision implementing regulations are technology-neutral — they require that screening, monitoring, and record-keeping obligations are actually met, not that a specific vendor's product is used. In practice, meeting those obligations consistently and at scale is very difficult without software once an entity has more than a handful of customers, but the choice of tool is the entity's own, subject to it actually covering the entity's risk profile.

Practitioner noteWe are vendor-neutral in our advisory role — our job is matching the tool's capability to your documented risk assessment, not steering you toward a particular product.
We already have a screening subscription — why would we need a setup engagement?

Having a subscription and having a correctly configured tool are different things. The most common gap PNPC finds when reviewing an existing screening tool is that it only checks at onboarding with no periodic re-screening scheduled, or that its thresholds were left at generic vendor defaults never calibrated to the entity's actual customer base and transaction sizes. A setup or reconfiguration engagement reviews what the tool is actually doing against what your written AML policy says it should be doing.

Practitioner noteIn most reviews of an existing tool, the subscription itself is fine — the configuration underneath it is where the gap sits. We rarely recommend switching vendors; we usually recommend reconfiguring the one already in place.
What is the difference between sanctions screening and transaction monitoring?

Sanctions and PEP screening checks a customer's or counterparty's identity against reference lists — the UN Consolidated Sanctions List, the UAE Local Terrorist List, and PEP databases — typically at onboarding and periodically thereafter, to confirm you are not dealing with a designated or high-risk individual. Transaction monitoring is a separate, ongoing function that watches the pattern of a customer's actual activity — transaction size, frequency, and structuring — against their expected profile, to flag behaviour inconsistent with what was expected at onboarding, regardless of whether the customer's identity screens clean.

Practitioner noteEntities sometimes assume screening alone covers their obligation. A customer can pass every sanctions and PEP check and still exhibit transaction behaviour that warrants a closer look — the two functions catch different risks.
How often should sanctions and PEP screening actually run?

At minimum, screening should run at onboarding and then on a periodic re-screening cycle thereafter, since sanctions and PEP designations change and a name that was clean at onboarding can be listed later. The appropriate cadence depends on the entity's risk assessment — higher-risk customer categories may warrant more frequent re-screening than lower-risk ones — but onboarding-only screening with no ongoing cycle is a recognised gap.

Practitioner noteWe calibrate re-screening frequency to the entity's own risk tiers rather than applying one blanket cadence to every customer — a periodic re-screen for a low-risk long-standing customer and a more frequent one for a higher-risk relationship is a defensible, risk-based approach.
Do smaller DNFBPs with few customers really need transaction-monitoring software, or is screening enough?

It depends on the entity's activity and risk profile rather than headcount alone. A corporate service provider with a modest customer base may reasonably rely on sanctions/PEP screening plus manual review of the limited transaction volume it actually sees, while a financial institution, exchange house, or high-volume DNFBP handling client funds typically needs configured transaction-monitoring rules because manual review of volume at that scale is not realistically consistent. PNPC scopes this based on the entity's documented risk assessment, not a fixed rule.

Practitioner noteWe do not oversell transaction-monitoring software to entities whose actual volume does not warrant it — right-sizing the technology to the real risk and volume profile is part of the advisory value, not just implementation.
What happens to a screening hit once it is generated — does the software resolve it automatically?

No. Screening and monitoring software generates alerts — potential matches or unusual patterns — but a human, typically the Compliance Officer or a delegated reviewer, must investigate each alert, determine whether it is a genuine match or a false positive, and record the disposition. Software flags; it does not decide. The investigation and documented decision are what a supervisory authority actually reviews.

Practitioner noteWe build the alert-triage workflow explicitly into every setup engagement, because a tool generating alerts nobody reviews is arguably worse than no tool at all — it creates a paper trail of ignored red flags.
How do we avoid being overwhelmed by false-positive alerts?

False-positive volume is usually a calibration problem, not an inherent feature of screening software — overly broad name-matching thresholds, screening against irrelevant list categories, or monitoring rules set without reference to actual transaction sizes all inflate false positives. Proper calibration to the entity's real customer base and transaction profile, combined with periodic recalibration as volumes and patterns change, keeps the alert queue manageable enough that genuine reviews actually happen.

Practitioner noteAn alert queue so large that staff start clearing hits without genuine review is a common and dangerous failure mode — we treat persistently high false-positive rates as a configuration problem to fix, not a cost of doing business.
Does the software file the Suspicious Transaction Report (STR) for us?

No. Screening and monitoring software identifies and helps investigate potential concerns, but the actual STR or SAR filing is submitted through the FIU's goAML platform by the entity's designated Compliance Officer, based on a human judgement that reasonable grounds for suspicion exist. PNPC configures the internal workflow so that a confirmed suspicious alert has a clear, documented path to goAML filing, but the filing decision and submission remain the Compliance Officer's responsibility.

Practitioner noteWe design the handoff from 'alert confirmed' to 'STR prepared and filed' explicitly, because a gap between an investigated alert and an actual filing is where the 'without delay' obligation is most often missed in practice.
What list sources should our screening tool cover at a minimum?

At minimum, the UN Security Council Consolidated Sanctions List and the UAE Local Terrorist List. Depending on the entity's cross-border customer or transaction exposure, additional coverage of other major international sanctions regimes may form part of a properly risk-calibrated setup. The right combination depends on the entity's actual customer geography, not a fixed universal list.

Practitioner noteWe confirm current list-source coverage against the entity's actual cross-border exposure at setup, since an entity with purely domestic UAE customers has different list-coverage needs than one dealing regularly with counterparties abroad.
Can PNPC recommend a specific screening or monitoring vendor?

PNPC advises on selection criteria — list-source coverage, screening cadence capability, monitoring rule flexibility, case-management and audit-trail functionality, and cost proportionate to the entity's volume — and can coordinate with vendors during implementation, but final vendor selection and contracting is the entity's own commercial decision. We are not a technology reseller and do not receive vendor commissions on any recommendation.

Practitioner noteWe deliberately keep vendor selection advisory rather than transactional — our incentive is a configuration that actually matches your risk profile, not a referral fee tied to a specific product.
How does the software configuration connect to our written AML policy?

The written AML/CFT policy states, in narrative form, what screening and monitoring the entity performs, at what frequency, and how alerts are escalated. The software configuration is the technical implementation of that same narrative. When the two are built together, an inspector reviewing the policy document and then testing the actual system finds them consistent; when they are built separately — often because the policy was drafted by one adviser and the software configured independently, or years apart — the mismatch is a recurring and easily identified inspection finding.

Practitioner noteWe insist on reviewing the entity's existing AML policy before configuring any tool, precisely to avoid building a system that technically works but describes a different process than the one written down.
What documentation should we retain specifically around the software setup?

Keep a configuration record describing which list sources are active, the screening cadence, the transaction-monitoring rules and thresholds applied and why, staff training records on the configured system, and a sample of alert investigation logs demonstrating the triage workflow in practice. This sits alongside, and should cross-reference, the broader AML risk assessment and policy documentation.

Practitioner noteWe compile a standalone configuration document at close-out specifically so the next person reviewing the file — whether internal staff, an auditor, or an inspector — does not have to reverse-engineer the settings from the software's admin panel.
How often should the software configuration be reviewed and recalibrated?

PNPC recommends an initial review at 60–90 days post-go-live to catch early miscalibration (excessive false positives or an unexpectedly quiet alert queue), followed by at least an annual review aligned with the broader AML/CFT risk assessment refresh, and an ad hoc review whenever there is a material change in transaction volume, customer mix, or applicable list-source guidance.

Practitioner noteWe tie the software recalibration review to the same annual cycle as the risk assessment refresh wherever possible — reviewing the two together, rather than on separate schedules, keeps the policy and the technology from drifting apart over time.
Is a spreadsheet-based manual screening process ever acceptable instead of software?

For a genuinely very small entity with a small, stable, low-risk customer base, a documented manual process can be defensible if it is actually followed consistently, evidenced, and re-run at an appropriate cadence — the law does not mandate software specifically. In practice, manual processes degrade quickly as volume grows or staff turn over, and the evidentiary burden of proving consistent manual checks were performed is harder to satisfy on inspection than a system-generated log.

Practitioner noteWe are honest with very small clients that a well-run manual process can suffice initially, but we flag the volume or complexity threshold at which we would recommend moving to software, so the transition happens proactively rather than after a gap is found.
Does PNPC provide the software itself, or only the configuration and advisory work?

PNPC's engagement is the advisory, selection-support, and configuration work — assessing needs, advising on vendor options, calibrating settings to the entity's risk profile, designing the alert-triage and goAML escalation workflow, and training staff. The software subscription itself is contracted directly between the entity and the chosen vendor; PNPC is not the software provider.

Practitioner noteKeeping the advisory and the vendor relationship separate means our recommendations are driven by what your risk profile actually needs, not by which product we happen to resell.
Why PNPC Global

PNPC-configured AML software vs a default vendor install

DimensionDefault Vendor InstallPNPC Engagement
Starting pointProduct feature list and vendor sales demoThe entity's own written AML risk assessment and policy
List-source coverageWhatever the default subscription tier includesMatched specifically to the entity's actual cross-border customer exposure
Screening cadenceOften onboarding-only by defaultPeriodic re-screening cadence set and diarised
Monitoring thresholdsGeneric out-of-the-box settingsCalibrated to the entity's real transaction sizes and customer mix
Alert triage ownershipUndefined — alerts accumulate unreviewedNamed owner, defined timeframe, and logged disposition for every alert
Connection to written policyConfigured independently of any AML policy documentBuilt to match the entity's documented risk assessment and policy line for line
goAML escalation pathNot defined — alert investigation and STR filing are disconnectedDocumented handoff from confirmed alert to STR/SAR preparation and filing
Post-launch reviewRarely revisited after initial setupScheduled 60–90 day review, then annual recalibration tied to the risk-assessment refresh

What the PNPC package includes

  1. 01

    Requirements review against the entity's existing AML/CFT risk assessment and written policy

  2. 02

    Vendor-neutral selection support for sanctions/PEP screening and, where relevant, transaction-monitoring tools

  3. 03

    List-source configuration covering the UN Consolidated Sanctions List, UAE Local Terrorist List, and other relevant sources

  4. 04

    Screening-cadence setup including periodic re-screening, not just onboarding-only checks

  5. 05

    Transaction-monitoring rule and threshold calibration matched to actual transaction sizes and customer mix, where applicable

  6. 06

    Alert-triage workflow design with a named owner, review timeframe, and documented disposition process

  7. 07

    Case-management and audit-trail configuration so every hit and its resolution is logged and retrievable

  8. 08

    goAML escalation-path design connecting confirmed alerts to STR/SAR preparation and filing

  9. 09

    Staff training on the system as configured, with attendance and content records maintained

  10. 10

    Test-run and calibration review before full go-live

  11. 11

    60–90 day post-go-live review and adjustment of thresholds and list sources

  12. 12

    Annual recalibration aligned with the broader AML/CFT risk-assessment refresh

  13. 13

    Configuration documentation compiled into the entity's AML programme file for inspection readiness

  14. 14

    Coordination with the entity's Compliance Officer / MLRO on live alert triage responsibilities

  15. 15

    Support reconfiguring an existing screening or monitoring tool found to be misaligned with the written AML policy

Get your AML screening and monitoring software configured to match your actual risk profile, not the vendor's defaults — talk to PNPC's Dubai compliance team.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to AML / CFT Services