Business Transformation & Technology Consulting · IT Risk & Technology Assurance

AML/CFT Software Advisory & Setup

AML/CFT Software Advisory & Setup helps UAE Designated Non-Financial Businesses and Professions (DNFBPs), financial institutions, and other regulated entities select, configure, and embed the right anti-money-laundering and counter-terrorism-financing technology into their day-to-day compliance workflow — not just install a tool and leave the policy manual untouched.

Chartered Accountants · Dubai · Since 1986

What AML/CFT Software Advisory & Setup is

AML/CFT Software Advisory & Setup is the practice of assessing a regulated UAE entity's money-laundering and terrorist-financing risk profile, then selecting, configuring, and operationalising the screening, monitoring, and reporting technology needed to meet its obligations under UAE AML/CFT law. The UAE framework rests on Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended by subsequent decree-laws), its Cabinet Decision executive regulations, and sector-specific guidance issued by the relevant supervisory authority: the UAE Central Bank for banks, insurers, and finance companies; the Securities and Commodities Authority (SCA) for capital markets participants; the Ministry of Economy for Designated Non-Financial Businesses and Professions (DNFBPs) operating on the mainland; and individual free zone authorities (including DMCC for precious metals and stones traders, and DIFC and ADGM through their own financial regulators) for entities licensed within their jurisdictions.

The Financial Intelligence Unit (FIU), housed within the UAE Central Bank, operates the goAML platform through which registered entities file Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory disclosures.

At the core of any AML/CFT technology stack are three functional layers. The first is customer screening: checking new and existing customers, beneficial owners, and connected parties against UN Security Council sanctions lists, the UAE's Local Terrorist List, and Politically Exposed Persons (PEP) databases, both at onboarding and on an ongoing basis, since sanctions lists change continuously and a customer clean at onboarding may appear on a list months later. The second is transaction monitoring: applying rules or risk-scoring logic to flag transactions that deviate from a customer's expected pattern, that show structuring behaviour (amounts kept just below a reporting threshold), that involve unusual counterparties, or that are inconsistent with the customer's declared business, so that a human compliance officer reviews a manageable, prioritised list of alerts rather than every transaction. The third is case management and regulatory reporting: recording the investigation, evidence, and decision behind each alert, and, where a transaction or attempted transaction is genuinely suspicious, filing the STR/SAR through goAML within the timeframe the law requires, without tipping off the customer.
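As an added illustration of these three layers (not code from the original page, and not PNPC's tooling), the following Python module runs list screening, rules-based monitoring and an append-only case log over a constructed customer book. The particle list, the token-overlap matching rule, the AED 55,000 cash figure, the three monitoring rules and every customer, list entry and transaction are assumptions invented for the example, not a regulatory specification. Running `screen()` a second time against an updated list is the point made above about a customer who is clean at onboarding and designated later; it also covers the screening-versus-monitoring distinction and re-screening cadence discussed in the FAQ further down the page.

```python
"""Three-layer AML/CFT stack in miniature: list screening (with re-screening of the
existing book), rules-based transaction monitoring, and an append-only case log.
Added example with constructed data, not a production engine."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
import re
import unicodedata

# Honorifics, name particles and entity suffixes dropped before comparison (illustrative choice).
PARTICLES = {"mr", "mrs", "ms", "dr", "al", "bin", "ibn", "bint", "llc", "ltd"}


def name_tokens(name: str) -> frozenset:
    """Fold accents, case and punctuation into a token set so 'KHALID, Omar' ~ 'Omar bin Khalid'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = re.sub(r"[^a-z0-9]+", " ", folded.lower()).split()
    return frozenset(w for w in words if w not in PARTICLES)


@dataclass
class Customer:
    cid: str
    name: str
    declared_monthly_aed: float   # expected monthly volume from the KYC questionnaire
    cash_expected: bool           # whether the declared business involves cash


@dataclass
class Alert:
    cid: str
    layer: str     # "SCREENING" or "MONITORING"
    reason: str


@dataclass
class Case:
    alert: Alert
    status: str = "OPEN"
    history: list = field(default_factory=list)   # (actor, decision, note), append-only

    def decide(self, actor: str, decision: str, note: str) -> None:
        # Never overwrite: who decided what, and why, is exactly what an inspector asks to see.
        self.history.append((actor, decision, note))
        self.status = decision


def screen(customers, watchlist, min_overlap=0.75):
    """Layer 1. Jaccard overlap of name tokens against every list entry. Re-run over the
    whole book each time the list changes, not only at onboarding."""
    entries = [(e, name_tokens(e)) for e in watchlist]
    alerts = []
    for c in customers:
        toks = name_tokens(c.name)
        for entry, etoks in entries:
            if not toks or not etoks:
                continue
            overlap = len(toks & etoks) / len(toks | etoks)
            if overlap >= min_overlap:
                alerts.append(Alert(c.cid, "SCREENING", f"'{c.name}' ~ list entry '{entry}' ({overlap:.2f})"))
    return alerts


def monitor(customers, txns, cash_threshold=55_000.0, window_days=7, min_count=3, volume_multiple=3.0):
    """Layer 2. txns are (cid, date, amount_aed, method). cash_threshold is an assumed
    reporting threshold; take the real figure from the entity's own policy."""
    profile = {c.cid: c for c in customers}
    by_cust = defaultdict(list)
    for t in txns:
        by_cust[t[0]].append(t)
    alerts = []
    for cid, ts in by_cust.items():
        c = profile[cid]
        ts.sort(key=lambda t: t[1])
        # Rule A: structuring, several cash amounts kept just under the threshold within a window.
        near = [t for t in ts if t[3] == "cash" and 0.8 * cash_threshold <= t[2] < cash_threshold]
        for i, first in enumerate(near):
            run = [t for t in near[i:] if t[1] - first[1] <= timedelta(days=window_days)]
            if len(run) >= min_count:
                alerts.append(Alert(cid, "MONITORING",
                                    f"{len(run)} cash txns just under {cash_threshold:,.0f} within {window_days} days"))
                break
        # Rule B: monthly volume far above the declared profile.
        monthly = defaultdict(float)
        for t in ts:
            monthly[(t[1].year, t[1].month)] += t[2]
        for ym, total in sorted(monthly.items()):
            if total > volume_multiple * c.declared_monthly_aed:
                alerts.append(Alert(cid, "MONITORING",
                                    f"{ym[0]}-{ym[1]:02d} volume {total:,.0f} vs declared {c.declared_monthly_aed:,.0f}"))
        # Rule C: cash from a customer whose declared business has no cash component.
        if not c.cash_expected and any(t[3] == "cash" for t in ts):
            alerts.append(Alert(cid, "MONITORING", "cash received from a non-cash profile"))
    return alerts


def open_cases(alerts):
    """Layer 3. One case per alert; the filing decision itself stays with the Compliance Officer."""
    return [Case(a) for a in alerts]


# Constructed sample book, list versions and transactions (not real persons or data).
CUSTOMERS = [
    Customer("C001", "Ahmed Al-Rashid Trading LLC", 200_000.0, True),
    Customer("C002", "Maria Fernandes", 50_000.0, False),
    Customer("C003", "Omar bin Khalid", 100_000.0, True),
]
LIST_AT_ONBOARDING = ["PETROV, Viktor"]
LIST_AFTER_UPDATE = LIST_AT_ONBOARDING + ["KHALID, Omar"]   # designation arrives after onboarding
TXNS = [
    ("C001", date(2024, 3, 1), 48_000.0, "cash"),
    ("C001", date(2024, 3, 3), 49_500.0, "cash"),
    ("C001", date(2024, 3, 5), 52_000.0, "cash"),
    ("C002", date(2024, 3, 10), 40_000.0, "wire"),
    ("C002", date(2024, 3, 12), 10_000.0, "cash"),
    ("C003", date(2024, 3, 15), 350_000.0, "wire"),
]

if __name__ == "__main__":
    print("onboarding screen:", screen(CUSTOMERS, LIST_AT_ONBOARDING))
    print("re-screen after list update:", screen(CUSTOMERS, LIST_AFTER_UPDATE))
    for case in open_cases(monitor(CUSTOMERS, TXNS)):
        print(case.alert)
```

The first `screen()` call returns nothing; the second, after "KHALID, Omar" is added to the list, flags C003 even though the customer has not changed, which is why onboarding-only screening is a gap. The three monitoring alerts come from three different rules (structuring, volume against profile, cash from a non-cash profile), and none of them is a suspicion: each becomes a `Case` whose `decide()` history records the officer's reasoning rather than replacing it.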

Software selection is not one-size-fits-all. A small real estate brokerage handling a modest volume of high-value property transactions has fundamentally different screening and monitoring needs than a precious metals trading house processing daily cash-intensive transactions, a company service provider incorporating entities and acting as registered agent, or a law firm handling client funds. Enterprise-grade platforms built for banks bring monitoring sophistication that most DNFBPs neither need nor can justify on cost; a bare sanctions-list-checking tool with no case management or audit trail leaves a DNFBP unable to demonstrate to an inspector that alerts were actually investigated. PNPC's role is to size the right tool to the entity's actual risk-based assessment — the risk profile the business is legally required to document under its own AML/CFT policy — rather than defaulting to whichever vendor is best marketed.

Software alone does not satisfy the law. UAE AML/CFT regulations require a documented risk-based approach, a designated Compliance Officer (MLRO, Money Laundering Reporting Officer) registered with the relevant supervisor, an AML/CFT policy and procedures manual, ongoing staff training, independent audit of the AML/CFT programme, and registration on goAML and, where applicable, the UAE's sanctions-screening portals. Technology is the operational engine that makes these obligations executable at scale and defensible under inspection; it does not replace the governance, the documented risk assessment, or the judgement of a trained compliance officer. PNPC positions software setup as one component of a broader AML/CFT compliance programme, coordinated with the entity's policy documentation, training, and audit cycle so the technology, the paperwork, and the actual practice all tell the same story when a supervisor asks to see it.

When a UAE business needs AML/CFT software advisory and setup

The business is a Designated Non-Financial Business or Profession (DNFBP) under UAE law — real estate brokers and agents, dealers in precious metals and stones, company service providers, independent lawyers, notaries, and accountants providing specified services — and is legally required to maintain an AML/CFT programme, including screening and monitoring capability

The business is currently relying on manual sanctions-list checks (spreadsheet lookups, ad hoc web searches) that cannot keep pace with list updates, growing customer volumes, or a supervisory inspection's expectation of a documented, repeatable screening process

A supervisory authority inspection, external auditor, or bank has flagged the absence of automated screening or monitoring as a control gap, or the business has received a finding requiring remediation within a specified timeframe

Transaction volumes or customer numbers have grown to the point where manual review of every transaction for suspicious patterns is no longer realistic, and a risk-scoring or rules-based alert system is needed to prioritise the compliance officer's attention

The entity is registering, or should already be registered, on the goAML platform and needs its internal alert and investigation workflow to feed cleanly into STR/SAR filing without gaps or duplicated manual work

The business is expanding into a higher-risk customer segment or geography (cash-intensive trade, high-net-worth real estate, cross-border remittance-adjacent activity) where its existing manual controls were adequate at a smaller or lower-risk scale but no longer are

A new Compliance Officer / MLRO has been appointed and needs a properly configured, documented technology environment to inherit rather than a fragmented set of manual processes with no institutional record

When a lighter-touch approach may be appropriate first

The business has not yet completed its own documented AML/CFT risk assessment and does not have a Compliance Officer or AML/CFT policy in place — software selection should follow the risk assessment and policy design, not precede it, since the risk assessment determines what the software actually needs to screen and monitor for

A very small, low-transaction-volume DNFBP where a well-documented manual screening and record-keeping process, reviewed periodically by PNPC, may satisfy the risk-based proportionality principle at the current scale, with software introduced as volumes grow

The business is not a DNFBP or otherwise regulated entity under UAE AML/CFT law and has no supervisory obligation to maintain AML/CFT controls — in this case, the priority is confirming regulatory scope, not procuring software

An entity that already operates a mature, properly configured AML/CFT technology stack — PNPC's role there is typically a periodic effectiveness review or independent audit rather than a fresh selection and setup exercise

The business needs urgent remediation of a specific inspection finding with a tight deadline — in that scenario, a focused gap-closure engagement addressing the specific finding is often the right first step, with broader software modernisation sequenced afterward

Structure Comparison

AML/CFT Technology Approaches for UAE Regulated Businesses

| Feature | PNPC-Advised Configured Platform | Off-the-Shelf Software, Self-Configured | Manual / Spreadsheet-Based Screening | No Formal Screening or Monitoring |
|---|---|---|---|---|
| Sized to entity's documented risk-based assessment | Yes; selection driven by the entity's own risk profile | Rarely; vendor's default configuration typically applied as-is | N/A; no systematic sizing exercise | N/A |
| Sanctions and PEP list screening | Automated, continuously updated, applied at onboarding and ongoing | Automated but often left at default sensitivity, generating noisy or missed alerts | Manual lookup, dependent on staff remembering to check and on list currency | Not performed |
| Transaction monitoring / alert generation | Rules and thresholds calibrated to the entity's actual transaction patterns | Default vendor rules, frequently generating high false-positive or false-negative rates | Not systematically performed | Not performed |
| Case management and audit trail | Structured investigation record for every alert, defensible under inspection | Depends on module purchased and whether it is actually used | Informal notes at best, rarely centralised | None |
| goAML integration / reporting workflow | Internal alert-to-STR/SAR workflow mapped and tested | Left to the compliance officer to bridge manually | Entirely manual, high risk of missed filing deadlines | Not in place |
| Staff training on the configured tool | Included as part of setup and rollout | Often skipped after purchase, leaving the tool under-used | N/A | N/A |
| Alignment with AML/CFT policy manual and MLRO role | Coordinated so technology, policy, and practice match | Frequently misaligned; software purchased separately from policy documentation | Policy and practice diverge over time without a technology anchor | No alignment to assess |
| Inspection-readiness | Configured and documented to withstand supervisory review | Depends heavily on internal configuration discipline post-purchase | Weak; manual processes are difficult to evidence systematically | High exposure to findings and penalties |
| Cost profile | Right-sized licence plus advisory fee for configuration and training | Licence cost with hidden configuration and integration effort absorbed internally | Low direct cost, high compliance and reputational risk | No direct cost, highest regulatory exposure |
| Ongoing effectiveness review | Periodic review built into the engagement | Rarely revisited unless a problem surfaces | No structured review mechanism | None |

The right technology choice depends entirely on the entity's regulatory category, transaction volume, customer risk profile, and existing AML/CFT governance maturity. A documented risk-based assessment should precede software selection, not follow it — PNPC's advisory process is built around that sequencing.

How it works
Each stage sets out what PNPC does, what a vendor-led sales process typically misses, and the indicative timeline.

1. Regulatory Scoping & Risk-Based Assessment Review: confirming obligations before any tool is discussed (Week 1)
We ask what a software vendor's sales team never asks: which supervisory authority actually regulates this entity (Ministry of Economy, DMCC, a specific free zone regulator, the Central Bank, or SCA)? Has the entity completed its own documented risk-based assessment? Is there an appointed, registered Compliance Officer? These answers determine whether software procurement is even the right next step, or whether policy and governance work needs to happen first.

2. Customer & Transaction Profile Analysis: understanding actual exposure, not assumed exposure (Week 1–2)
We review the entity's actual customer base, transaction sizes, payment methods (cash, wire, escrow), geographic spread, and any existing red flags before recommending a screening sensitivity or monitoring rule set, so the configuration neither misses real risk nor drowns the compliance officer in false positives.

3. Software Shortlisting Against Risk Profile: matching capability to actual need, not vendor scale (Week 2)
Enterprise platforms built for banks are frequently oversized and overpriced for a DNFBP's actual risk; a bare sanctions-checker with no case management leaves the entity unable to evidence investigations. We shortlist 2–3 options genuinely proportionate to the entity's size, sector, and risk category, with a clear cost-benefit comparison in writing.

4. Configuration Design: screening lists, PEP sensitivity, monitoring rules, and thresholds (Week 2–3)
Default vendor settings are calibrated for a generic customer base, not this entity's actual risk profile. We design the specific sanctions and PEP list sources to be screened, the ongoing re-screening frequency, and the transaction monitoring thresholds and typologies relevant to the sector; real estate structuring patterns differ materially from precious metals cash-intensive typologies.

5. Case Management & Escalation Workflow Design (Week 3)
We design the internal alert-to-investigation-to-decision workflow (who reviews an alert, within what timeframe, what evidence is recorded, and how an alert escalates to a suspicion assessment) so the software's case log is a defensible record, not just a list of unresolved flags.

6. goAML Registration & Reporting Pathway Integration (Week 3–4)
For entities not yet registered on the FIU's goAML platform, we coordinate registration. For those already registered, we map the internal case management workflow directly to the STR/SAR filing process so a genuine suspicion identified in the software translates into a timely filing without a manual, error-prone handoff.

7. System Configuration & Testing: live setup against real (anonymised where needed) data (Week 4–5)
The configured platform is tested against a sample of the entity's actual historical customer and transaction data before go-live, to confirm the alert volume is manageable and genuinely risk-relevant, not a theoretical configuration that floods the compliance officer on day one.

8. Policy & Procedure Alignment: technology matched to the written AML/CFT manual (Week 4–5)
A configured tool that does not match the entity's written AML/CFT policy and procedures manual creates an inspection contradiction. We review and, where needed, update the policy document so it accurately describes how the software is actually used.

9. Compliance Officer & Staff Training: practical, tool-specific training, not generic AML awareness (Week 5)
We train the Compliance Officer / MLRO and relevant frontline staff on the configured platform specifically (how to clear a false positive, how to escalate a genuine alert, how to document a decision) rather than generic AML awareness training disconnected from the actual tool in use.

10. Go-Live & Initial Monitoring Period (Week 5–6)
The system goes live with PNPC monitoring the initial alert volume and false-positive rate closely, adjusting thresholds where the early data shows the configuration is either too noisy or too permissive.

11. Post-Go-Live Calibration Review (Week 10–14)
Roughly 4–8 weeks after go-live, we review actual alert patterns against the initial configuration assumptions and recalibrate thresholds, list sources, or workflow steps based on real operating experience rather than the original theoretical design.

12. Periodic Independent Effectiveness Review (annually, or per supervisory expectation)
UAE AML/CFT regulations expect periodic independent review of the AML/CFT programme's effectiveness. PNPC can conduct this review, assessing whether the configured software, the policy, and actual practice remain aligned and proportionate to the current risk profile, on an annual or otherwise agreed cycle.

13. Ongoing Advisory: regulatory change, business growth, and inspection support (ongoing)
AML/CFT obligations evolve with regulatory updates, business growth, and new typologies. PNPC remains available to recalibrate the technology and policy as the business scales, enters new customer segments, or faces a supervisory inspection.

A properly scoped, configured, and tested AML/CFT software setup — from initial risk-profile review through go-live — typically takes 5–6 weeks for a single-entity DNFBP with a moderate customer base. Entities without an existing documented risk-based assessment or appointed Compliance Officer should expect that foundational governance work to be sequenced before or alongside the technology setup, adding to the overall timeline. Complex, multi-branch, or higher-risk entities (precious metals traders, larger real estate brokerages) typically require 8–10 weeks for full calibration.

Document Checklist
Regulatory Status & Existing Governance

Trade licence confirming the entity's activity classification and licensing authority (DED, specific free zone, or financial free zone regulator)

Confirmation of DNFBP or otherwise-regulated status and the identity of the relevant supervisory authority (Ministry of Economy, a specific free zone authority, UAE Central Bank, or SCA)

Existing AML/CFT risk-based assessment document, if one has been completed

Existing AML/CFT policy and procedures manual, if one exists

Appointment letter or Board resolution confirming the designated Compliance Officer / MLRO, and confirmation of their registration with the relevant supervisor

Customer & Transaction Data (for Configuration Design)

Current customer master list or CRM export, with an indication of customer type (individual, corporate, PEP-adjacent where known)

Sample of recent transaction data — value ranges, payment methods, frequency — sufficient to model realistic monitoring thresholds

Description of typical customer onboarding process and current identity verification / KYC steps

Any existing record of red flags, declined customers, or past suspicious activity considerations, even if informally documented

Existing Systems & Infrastructure

Details of the CRM, accounting, or transaction-processing system(s) currently in use, to assess integration feasibility with a screening or monitoring platform

Any existing sanctions-screening or KYC tool currently in use, including licence terms and configuration documentation if available

IT environment overview: cloud-based or on-premises systems, data residency considerations, and any existing data protection or cybersecurity policy relevant to housing customer screening data

goAML & Regulatory Reporting Status

Confirmation of current goAML platform registration status, including registered Compliance Officer credentials if already registered

Record of any STRs/SARs filed to date, if applicable, for continuity in the new configured workflow

Any correspondence from the FIU, Ministry of Economy, or relevant supervisory authority regarding AML/CFT compliance status or findings

Staffing & Training Readiness

List of staff who will use the screening/monitoring tool directly, with their current AML/CFT training history

Organisational chart showing escalation lines from frontline staff to the Compliance Officer

Any prior AML/CFT training records or certificates held by relevant staff

Budget & Decision-Making Inputs

Indicative budget range for software licensing and advisory setup, to guide realistic shortlisting

Decision-maker(s) and expected timeline for approval, so the software selection and procurement process can be sequenced accordingly

Any existing vendor relationships or contractual constraints (e.g. group-mandated software from a parent company) that should be factored into the recommendation

Ongoing obligations
Each phase lists what triggers it, PNPC's guidance, and the risk if it is ignored.

Scoping & Risk Assessment Review (Week 1–2)
Triggered by: engagement start.
PNPC guidance: confirm regulatory category and supervisory authority, review or help build the entity's documented risk-based assessment, and confirm Compliance Officer status before recommending any technology.
Risk if ignored: software procured without a documented risk basis is difficult to justify to a supervisor as proportionate, and may be misconfigured for the entity's actual exposure.

Selection & Configuration Design (Week 2–4)
Triggered by: risk profile confirmed.
PNPC guidance: shortlist proportionate software options; design screening list sources, PEP sensitivity, and monitoring thresholds specific to the entity's customer and transaction profile.
Risk if ignored: default, unconfigured settings either miss genuine risk indicators or generate an unmanageable volume of false positives that overwhelms the compliance function.

Setup, Testing & Go-Live (Week 4–6)
Triggered by: configuration approved.
PNPC guidance: test the configured system against real historical data, align the AML/CFT policy manual to match actual practice, and train the Compliance Officer and relevant staff on the specific tool.
Risk if ignored: a tool that goes live untested, or that contradicts the written policy manual, creates a documentation gap that a supervisory inspection will flag immediately.

Post-Go-Live Calibration (Week 8–14)
Triggered by: initial operating data available.
PNPC guidance: review real alert volumes and false-positive rates against the original configuration and recalibrate thresholds and rules based on actual operating experience.
Risk if ignored: an uncalibrated system either continues generating unmanageable noise, causing genuine alerts to be missed in the volume, or remains too permissive and fails to flag real risk.

Ongoing Monitoring & STR/SAR Filing (continuous)
Triggered by: day-to-day transaction and customer activity.
PNPC guidance: alerts investigated within the entity's documented timeframe, decisions recorded in the case management system, and genuine suspicions filed via goAML without tipping off the customer.
Risk if ignored: missed or late STR/SAR filings, or an inability to evidence that alerts were properly investigated, exposes the entity and its Compliance Officer to supervisory penalties and potential criminal liability under Federal Decree-Law No. 20 of 2018.

Independent Effectiveness Review (annual or per supervisory cycle)
Triggered by: scheduled review or regulatory update.
PNPC guidance: assess whether the software configuration, policy documentation, and actual practice remain aligned and proportionate as the business has grown or regulatory guidance has evolved.
Risk if ignored: a programme that is never independently reviewed drifts out of alignment with the entity's actual current risk profile and with updated regulatory expectations, weakening its defensibility at the next inspection.

Business Change (growth, new segment, new branch, M&A)
Triggered by: expansion, new customer segment, or corporate transaction.
PNPC guidance: the screening and monitoring configuration is reassessed and extended to cover new risk exposure, such as a new customer segment, a new emirate of operation, or an acquired book of business.
Risk if ignored: a configuration calibrated for the original, smaller risk profile becomes inadequate as the business scales into higher-risk segments or additional jurisdictions, creating a growing control gap.

Supervisory Inspection or Finding
Triggered by: Ministry of Economy, free zone regulator, or Central Bank inspection.
PNPC guidance: PNPC supports the entity through the inspection process and, where a finding is issued, designs and implements the specific remediation required within the given timeframe.
Risk if ignored: an inspection finding left unaddressed, or addressed only superficially, escalates to formal enforcement action, which under UAE AML/CFT law can include significant administrative fines and licence-level consequences.
Frequently asked
Which UAE businesses are actually required to have AML/CFT screening and monitoring in place?

Under UAE Federal Decree-Law No. 20 of 2018 and its Cabinet Decision implementing regulations, obligations extend beyond banks and financial institutions to Designated Non-Financial Businesses and Professions (DNFBPs) — real estate brokers and agents involved in property transactions, dealers in precious metals and stones above specified transaction thresholds, company service providers (including those forming companies, acting as registered agents, or providing nominee director/shareholder services), independent lawyers and notaries when conducting specified financial or property transactions on a client's behalf, and accountants providing specified services. The exact obligations and their intensity depend on the entity's specific activity and its own documented risk-based assessment.

Practitioner note: We see this misunderstood most often by company service providers and real estate brokers who assume AML obligations only apply to banks. If your licence activity falls into a DNFBP category, the obligation exists regardless of how small the business currently is.
Do I need software, or can I meet AML/CFT obligations with a well-documented manual process?

For a very small, low-volume DNFBP, a well-documented and consistently applied manual screening and record-keeping process can, in principle, satisfy the risk-based proportionality principle underpinning UAE AML/CFT regulation. In practice, manual processes struggle to keep pace with continuously updated sanctions and PEP lists, and become genuinely difficult to defend under inspection once transaction or customer volume grows. PNPC assesses proportionality as part of the initial scoping — we do not recommend software procurement as a default answer for every entity regardless of scale.

Practitioner note: A manual process that looked adequate at ten customers a year rarely survives scrutiny at two hundred. We flag the volume threshold at which manual screening stops being defensible during the initial risk-assessment conversation.
What is goAML and does my business need to register on it?

goAML is the electronic platform operated by the UAE's Financial Intelligence Unit (FIU), housed within the UAE Central Bank, through which regulated entities file Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory AML/CFT disclosures. Entities falling within scope of UAE AML/CFT law — including DNFBPs — are generally required to register on goAML and designate a Compliance Officer authorised to file reports through the platform. PNPC coordinates registration for entities not yet registered and, for those already registered, ensures the internal alert workflow maps cleanly to the goAML filing process.

Practitioner note: We regularly encounter entities that registered on goAML at licensing but never actually configured an internal process to feed it, meaning a genuine suspicion identified informally never makes it to a filed report. Registration alone is not the same as an operational reporting capability.
What is a Compliance Officer / MLRO and is it a mandatory appointment?

A Money Laundering Reporting Officer (MLRO), referred to under UAE regulation as the Compliance Officer, is the individual designated within a regulated entity as responsible for the AML/CFT programme, including reviewing internal alerts, deciding whether to file an STR/SAR, and liaising with the FIU and the relevant supervisory authority. UAE AML/CFT regulations require regulated entities, including DNFBPs within the applicable scope, to appoint and register a Compliance Officer. The appointee should be senior enough to have genuine authority within the organisation and free from conflicts that would compromise independent judgement on suspicious activity decisions.

Practitioner note: We advise against appointing a junior staff member to this role purely to tick the compliance box. A Compliance Officer without real authority to escalate concerns or halt a transaction is a control weakness an inspector will identify quickly.
How does PNPC decide which AML/CFT software to recommend for a specific business?

We start from the entity's documented risk-based assessment — its customer base, transaction profile, geographic exposure, and sector-specific typologies — rather than a generic vendor comparison. A real estate brokerage handling occasional high-value transactions has different screening cadence needs than a precious metals trader processing frequent cash transactions. We shortlist 2–3 platforms genuinely proportionate to the entity's actual risk and scale, present a written cost-benefit comparison, and are not tied to a single vendor relationship that would bias the recommendation.

Practitioner note: We are independent of software vendors; our fee is for the advisory and configuration work, not a referral commission from a platform provider. That independence is deliberate; it keeps the recommendation aligned to the client's actual need rather than a vendor's sales target.
What is the difference between sanctions screening and transaction monitoring?

Sanctions and PEP screening checks a customer's identity — at onboarding and on an ongoing basis — against UN Security Council sanctions lists, the UAE's Local Terrorist List, and databases of Politically Exposed Persons, to confirm the entity is not knowingly dealing with a sanctioned or high-risk individual or organisation. Transaction monitoring is a separate, ongoing function that reviews the pattern of a customer's actual transactions — value, frequency, counterparties, structuring behaviour — for activity inconsistent with their declared profile or indicative of money-laundering typologies, regardless of whether the customer appears on any sanctions list. Both are required components of a functioning AML/CFT programme; neither substitutes for the other.

Practitioner note: We frequently meet businesses that believe sanctions screening alone satisfies their AML/CFT obligation. A customer can pass every sanctions check and still be moving funds in a pattern that should trigger a suspicion; screening and monitoring answer different questions.
How often do sanctions and PEP lists actually change, and does the software update automatically?

UN Security Council sanctions lists, the UAE's Local Terrorist List, and major commercial PEP databases are updated frequently — sometimes multiple times within a single week. A properly configured screening platform updates its underlying list data automatically and re-screens the existing customer base on a defined cadence (commonly overnight or in near-real-time for continuously updated platforms), not just at the point of onboarding. PNPC confirms the update frequency and re-screening cadence as part of software evaluation, since a platform that only screens at onboarding leaves a business exposed to a customer who becomes designated after the relationship is already established.

Practitioner note: Onboarding-only screening is one of the most common gaps we find in businesses that purchased a tool without proper configuration guidance. Ongoing re-screening of the existing customer book is not optional under a genuinely risk-based programme.
What happens if the software generates a large number of false-positive alerts?

An uncalibrated system — using default vendor thresholds not tailored to the entity's actual customer base — commonly generates a high volume of false-positive alerts, which either overwhelms the compliance officer or, worse, trains staff to dismiss alerts too quickly, increasing the risk that a genuine alert gets missed in the noise. PNPC's configuration process specifically tests the system against a sample of the entity's real historical data before go-live and recalibrates thresholds during the post-go-live review period to bring the false-positive rate to a manageable, defensible level.

Practitioner note: A high false-positive rate is not a sign the software is working too well; it is usually a sign the configuration was never properly tailored. We treat post-go-live calibration as a mandatory step, not an optional add-on.
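To show what testing a configuration against historical data looks like in practice, here is an added Python example (not PNPC's code or tooling) that back-tests a single volume-ratio rule against a constructed three-month history in which the Compliance Officer's past escalations serve as the labels. The history, the labels, the candidate multiples and the review-capacity figures are all invented for the example; the method is the reusable part: sweep the parameter, count the alerts the rule would have raised, score them against past decisions, then take the most sensitive setting that fits the officer's review capacity and still meets a recall floor.

```python
"""Back-test one monitoring rule against labelled history to choose its threshold.
Added example with constructed data; ESCALATED stands in for the Compliance
Officer's past decisions on the same customer-months."""

# (customer_id, year-month, actual monthly volume AED, declared monthly volume AED); constructed
HISTORY = [
    ("C001", "2023-10", 180_000.0, 200_000.0),
    ("C001", "2023-11", 450_000.0, 200_000.0),
    ("C001", "2023-12", 210_000.0, 200_000.0),
    ("C002", "2023-10", 60_000.0, 50_000.0),
    ("C002", "2023-11", 95_000.0, 50_000.0),
    ("C002", "2023-12", 300_000.0, 50_000.0),
    ("C003", "2023-10", 90_000.0, 100_000.0),
    ("C003", "2023-11", 180_000.0, 100_000.0),
    ("C003", "2023-12", 1_000_000.0, 100_000.0),
    # C004's declared volume is stale: every month runs roughly 3-4x the KYC figure.
    ("C004", "2023-10", 120_000.0, 30_000.0),
    ("C004", "2023-11", 110_000.0, 30_000.0),
    ("C004", "2023-12", 95_000.0, 30_000.0),
]
# Customer-months the Compliance Officer actually escalated to a suspicion assessment (constructed labels).
ESCALATED = {("C001", "2023-11"), ("C002", "2023-12"), ("C003", "2023-12")}


def rule_fires(total: float, declared: float, multiple: float) -> bool:
    """The rule under calibration: monthly volume above `multiple` times the declared profile."""
    return total > multiple * declared


def evaluate(multiple, history=HISTORY, escalated=ESCALATED):
    """Alerts the rule would have raised at this multiple, scored against past escalations."""
    fired = {(cid, ym) for cid, ym, total, declared in history if rule_fires(total, declared, multiple)}
    tp = len(fired & escalated)      # alerts the officer did escalate
    fp = len(fired - escalated)      # alerts that would have been cleared as false positives
    fn = len(escalated - fired)      # escalations this setting would have missed
    return {
        "multiple": multiple, "alerts": len(fired), "tp": tp, "fp": fp, "fn": fn,
        "precision": round(tp / len(fired), 2) if fired else 0.0,
        "recall": round(tp / len(escalated), 2) if escalated else 0.0,
    }


def calibrate(candidates, max_alerts, min_recall):
    """Most sensitive multiple whose back-tested alert volume fits the review capacity
    and whose recall meets the floor; None means capacity or the floor must change."""
    for m in sorted(candidates):
        result = evaluate(m)
        if result["alerts"] <= max_alerts and result["recall"] >= min_recall:
            return result
    return None


if __name__ == "__main__":
    for m in (1.5, 2.0, 3.0, 5.0):
        print(evaluate(m))
    print("chosen:", calibrate((1.5, 2.0, 3.0, 5.0), max_alerts=6, min_recall=0.9))
```

With a capacity of six alerts over the sample period and a 90% recall floor, the sweep settles on a multiple of 2.0; at 3.0 the rule stops catching C001's November spike, and at 5.0 it is precise but misses the same case. C004 fires at every setting and is never escalated: that is not a reason to loosen the rule but a sign the customer's declared profile is stale and needs a KYC refresh, which is the kind of finding the post-go-live review should surface.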
Does the software file STRs/SARs automatically, or does a person still make that decision?

No properly designed AML/CFT programme allows software to file an STR/SAR automatically without human review. The software's role is to flag alerts for investigation and, where relevant, to structure the case management record; the decision on whether an alert rises to the level of genuine suspicion warranting a filing remains a judgement call made by the trained Compliance Officer, based on the totality of the evidence. PNPC designs the workflow so the software supports that judgement with structured information — it does not replace it.

Practitioner note: We are occasionally asked whether a fully automated reporting pipeline is possible. It is not appropriate under UAE regulation, and would in any case remove the human judgement element that supervisory authorities expect to see evidenced in every filing decision.
Can PNPC help if we already have AML/CFT software but it was never properly configured?

Yes, this is one of the more common engagements we see. A business purchases a platform, applies the vendor's default settings, and either never trains staff properly on it or never revisits the configuration as the business has grown. PNPC can conduct a configuration and effectiveness review of an existing system, identify gaps against the entity's current risk profile, and recalibrate or reconfigure the platform without necessarily requiring a full new software procurement.

Practitioner note: In several cases the existing software was capable enough — the problem was that it had been left on default settings since the day it was purchased. Reconfiguration is often materially cheaper than switching platforms entirely.
How does PNPC handle confidentiality of customer and transaction data during the setup engagement?

All customer, transaction, and configuration data reviewed during an AML/CFT software engagement is handled under a signed engagement letter and confidentiality terms, accessed only by the specific PNPC team members assigned to the engagement. Where sample transaction data is used for configuration testing, PNPC works with the entity to anonymise or minimise personally identifiable information wherever the testing objective allows it.

Practitioner note: Given the sensitivity of the customer data involved in AML testing, we are typically more conservative on data handling than the minimum a client requests — this is an area where we would rather over-protect than under-protect.
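One concrete way to minimise the identifiers in a test extract, shown here as an added example rather than PNPC's own tooling: replace direct identifiers with keyed HMAC tokens that stay consistent within the extract (so per-customer rules such as structuring detection still see one customer), keep only the fields the monitoring rules need, and drop everything else. The records, field names and key below are constructed; in practice the key stays in the entity's secret store, is rotated per extract, and never travels with the sample, so whoever receives the file cannot reverse the tokens.

```python
"""Pseudonymise a transaction sample before it leaves the production environment.

Added example, not the page's own tooling. Records, field names and the key are
constructed; the key is an assumption standing in for a value from the entity's
secret store.
"""
import hashlib
import hmac
import json

# Constructed secret held by the entity; never shipped with the extract.
TOKEN_KEY = b"example-key-rotate-per-extract"

# Direct identifiers the rules need for linkage: tokenised consistently.
TOKENISE = {"customer_id", "customer_name", "id_document_no", "counterparty_name"}
# Fields the monitoring rules actually use: kept as-is.
KEEP = {"txn_id", "date", "amount_aed", "currency", "channel", "customer_type",
        "nationality", "risk_rating", "counterparty_country"}
# Anything else (phone, address, email, date_of_birth, ...) is dropped.

# Constructed sample extract: two cash transactions just under a threshold by the
# same corporate customer, plus an unrelated low-risk card transaction.
SAMPLE_EXTRACT = [
    {"txn_id": "T-1001", "date": "2024-03-04", "amount_aed": 54000, "currency": "AED",
     "channel": "cash", "customer_id": "C004", "customer_name": "Acme Trading FZE",
     "id_document_no": "TL-123456", "customer_type": "corporate", "nationality": "AE",
     "risk_rating": "high", "counterparty_name": "Crimson Tide Imports Ltd",
     "counterparty_country": "SG", "phone": "+971500000000", "address": "Unit 12, JLT"},
    {"txn_id": "T-1002", "date": "2024-03-05", "amount_aed": 54500, "currency": "AED",
     "channel": "cash", "customer_id": "C004", "customer_name": "Acme Trading FZE",
     "id_document_no": "TL-123456", "customer_type": "corporate", "nationality": "AE",
     "risk_rating": "high", "counterparty_name": "Crimson Tide Imports Ltd",
     "counterparty_country": "SG", "phone": "+971500000000", "address": "Unit 12, JLT"},
    {"txn_id": "T-1003", "date": "2024-03-05", "amount_aed": 1200, "currency": "AED",
     "channel": "card", "customer_id": "C002", "customer_name": "Sara Ibrahim",
     "id_document_no": "784-1990-1234567-1", "customer_type": "individual",
     "nationality": "EG", "risk_rating": "low", "counterparty_name": "Blue Horizon Logistics LLC",
     "counterparty_country": "AE", "date_of_birth": "1990-06-01", "email": "s@example.com"},
]


def token(field: str, value: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic keyed token: the same value always maps to the same token
    within one extract, so per-customer rules still see one customer, but the
    token cannot be reversed or rainbow-tabled without the key. The field name
    is mixed in so a name and an ID number with the same text never collide."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field[:4]}_{mac[:16]}"


def pseudonymise(record: dict) -> dict:
    """Tokenise linkage identifiers, keep rule inputs, drop all other PII."""
    out = {}
    for name, value in record.items():
        if name in TOKENISE:
            out[name] = token(name, str(value))
        elif name in KEEP:
            out[name] = value
    return out


def pseudonymise_extract(records):
    return [pseudonymise(r) for r in records]


def leaked_fields(records, original_values):
    """Check before release: no original identifier string survives anywhere in the output."""
    blob = json.dumps(records)
    return sorted(v for v in original_values if v in blob)


if __name__ == "__main__":
    safe = pseudonymise_extract(SAMPLE_EXTRACT)
    sensitive = TOKENISE | {"phone", "address", "email", "date_of_birth"}
    originals = {r[f] for r in SAMPLE_EXTRACT for f in sensitive if f in r}
    print(json.dumps(safe[0], indent=2))
    print("leaked identifiers:", leaked_fields(safe, originals))
```

Dates and amounts are kept untouched because velocity and structuring rules depend on them; if the testing objective allows, coarsen dates to the week as a further minimisation step. The `leaked_fields` check is the release gate: the extract leaves the production environment only if it returns an empty list.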
What penalties apply for non-compliance with UAE AML/CFT obligations?

Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions provide for a range of administrative and criminal sanctions for non-compliance, including substantial administrative fines that can apply per violation, suspension or revocation of licences for regulated entities, and criminal liability — including imprisonment in serious cases — for individuals involved in money-laundering offences or in wilful failure to report. The precise penalty in any given case depends on the nature and severity of the violation and is determined by the relevant supervisory authority or the courts; PNPC does not quote specific fine amounts as these are set and applied by the regulator based on the facts of each case.

Practitioner note: We deliberately avoid citing specific fine figures in client conversations because enforcement outcomes are fact-specific and can change with regulatory updates. What we do emphasise consistently is that the cost of a properly configured compliance programme is materially lower than the cost of remediation after a finding.
How long does it take to get an AML/CFT software solution fully operational?

For a single-entity DNFBP with a moderate customer base and an already-completed risk-based assessment, PNPC's engagement — from initial scoping through go-live — typically takes 5–6 weeks. Entities that do not yet have a documented risk-based assessment or an appointed Compliance Officer should expect that foundational governance work to be sequenced first, which extends the overall timeline. Larger or higher-risk entities, such as precious metals traders with high transaction volumes, typically require 8–10 weeks to reach a properly calibrated, tested configuration.

Practitioner note: We would rather extend the timeline by a few weeks to get the risk assessment and policy foundation right than rush a technology deployment on top of governance gaps that will surface at the first inspection.
Is this service only for DNFBPs, or does it apply to financial institutions too?

While DNFBPs make up a large share of PNPC's AML/CFT software advisory clients, the same advisory and configuration discipline applies to any UAE-regulated entity with AML/CFT obligations, including smaller finance companies, exchange houses, and insurance intermediaries regulated by the UAE Central Bank, and entities within DIFC or ADGM subject to those centres' own AML/CFT frameworks. The specific supervisory authority, reporting channel, and regulatory expectations differ by category, and PNPC scopes the engagement to the entity's actual regulator from the outset.

Practitioner note: DIFC and ADGM entities in particular sit under their own regulator (the DFSA and FSRA respectively) with rulebooks that differ in detail from the mainland Cabinet Decision framework, even though the underlying federal law applies. We confirm the correct regulatory lens before any configuration work begins.
Does PNPC provide the ongoing AML/CFT compliance function, or only the initial software setup?

PNPC's engagement can be scoped either as a defined software selection, configuration, and go-live project, or as an ongoing retainer that includes periodic recalibration, independent effectiveness review, staff training refreshers, and advisory support through supervisory inspections. Many clients start with the initial setup and move to an ongoing advisory retainer once the system is live and the compliance function's needs become clearer in practice.

Practitioner note: We are transparent that a one-time setup without any ongoing review tends to drift out of alignment with the business within 12–18 months as customer profiles and transaction patterns change. We recommend at minimum an annual effectiveness review even for clients who prefer a project-based initial engagement.
What is a risk-based approach and why does it matter for software configuration?

A risk-based approach — the foundational principle underlying UAE and international AML/CFT regulation — means an entity applies AML/CFT controls proportionate to the actual money-laundering and terrorist-financing risk it faces, rather than applying a uniform, one-size-fits-all control regardless of risk level. In practical terms, a higher-risk customer segment (cash-intensive transactions, complex ownership structures, higher-risk geographies) warrants more intensive screening and monitoring than a lower-risk segment. Software configuration must reflect this — applying uniform default settings across all customers regardless of risk level either wastes compliance resource on low-risk relationships or under-scrutinises genuinely higher-risk ones.

Practitioner note: We design the monitoring rule set explicitly around the entity's own documented risk categories, not a generic industry template — this is the single biggest factor separating a defensible configuration from one that looks compliant on paper but does not hold up under actual inspection questioning.
Can the AML/CFT software integrate with our existing CRM or accounting system?

Many screening and monitoring platforms offer integration options — API connections, batch data uploads, or plug-ins for common CRM and accounting platforms — that reduce manual re-entry of customer and transaction data. The feasibility and cost of integration depends on the specific platforms involved on both sides. PNPC assesses integration feasibility as part of the software shortlisting process and factors the setup effort into the overall cost-benefit comparison presented to the client.

Practitioner note: A platform with strong integration capability but a poor price-fit is sometimes still the wrong choice if the integration effort itself becomes a significant unplanned cost. We present the full picture, not just the feature list, when comparing options.
What ongoing staff training is required alongside the software?

UAE AML/CFT regulations expect regulated entities to provide ongoing AML/CFT training to relevant staff, not a one-time induction session. PNPC's setup engagement includes tool-specific training for the Compliance Officer and frontline staff who will use the platform directly, and we recommend a periodic refresher — commonly annual — that covers both general AML/CFT awareness and any changes to the configured system, typologies, or regulatory guidance since the last session.

Practitioner note: Staff who were trained once at go-live and never again tend to revert to old habits — clearing alerts too quickly, forgetting escalation steps — within a year. We build a refresher cadence into the ongoing advisory retainer specifically to counter this.
How does PNPC handle AML/CFT software setup for a UAE branch of a foreign company or group?

A UAE branch or subsidiary of a foreign group often already operates under a group-mandated AML/CFT platform selected by the parent company. In this scenario, PNPC's role typically shifts to confirming the group platform's configuration is properly localised to UAE regulatory requirements — UAE-specific sanctions lists, goAML reporting integration, and Ministry of Economy or relevant local supervisor expectations — rather than a fresh platform selection exercise. For groups with an India-linked entity, PNPC can coordinate this localisation review through our Chennai, Bangalore, Hyderabad, and Dubai offices.

Practitioner note: A common gap we find in multinational group platforms is that they are configured well for the group's home jurisdiction but were never specifically localised for UAE goAML reporting or UAE-specific list sources. Group-standard is not automatically UAE-compliant.
What is Know Your Customer (KYC) and how does it relate to AML/CFT software?

KYC is the process of verifying a customer's identity and understanding the nature of their intended relationship with the business, typically at onboarding — collecting identity documents, verifying beneficial ownership for corporate customers, and understanding the customer's expected transaction profile. AML/CFT software builds on the KYC data collected: sanctions and PEP screening checks the identity data gathered during KYC, and transaction monitoring compares actual activity against the expected profile established at KYC. Weak or incomplete KYC data undermines the software's effectiveness regardless of how well the screening and monitoring tool itself is configured.

Practitioner note: We routinely find that the software configuration is only as good as the underlying KYC data feeding it — a screening tool cannot flag a beneficial owner the business never actually identified at onboarding. We review KYC data quality as part of the scoping phase, not as an afterthought.
Does PNPC assist with Enhanced Due Diligence (EDD) for higher-risk customers?

Yes. Where the risk-based assessment or a screening/monitoring alert identifies a customer requiring Enhanced Due Diligence — a Politically Exposed Person, a customer from a higher-risk jurisdiction, or a complex ownership structure — PNPC advises on the additional verification steps, source-of-funds and source-of-wealth documentation, and senior management approval process that EDD requires under UAE AML/CFT regulation, and helps configure the software's case management workflow to capture this documentation properly.

Practitioner note: EDD is often where we see the weakest documentation in an otherwise reasonable AML programme — a business identifies a PEP correctly through screening but then fails to actually document the enhanced approval and ongoing monitoring EDD requires. We treat this as a distinct workflow, not just a flag.
How does PNPC price an AML/CFT software advisory and setup engagement?

PNPC charges a fixed, agreed advisory fee for the scoping, selection, configuration, and go-live phases of the engagement, scoped to the entity's size, customer volume, and risk complexity, confirmed in writing before work begins. This advisory fee is separate from the software vendor's own licensing cost, which PNPC helps the client evaluate and negotiate but does not itself charge for. Ongoing retainer pricing for periodic review and advisory support is quoted separately once the initial scope is agreed.

Practitioner note: We are independent of software vendors and do not take referral commissions, so our advisory fee reflects the actual configuration and advisory work involved, not a markup tied to which platform is selected.
What if our business decides, after review, that we do not need automated AML/CFT software at our current scale?

That is a legitimate outcome of a proper scoping exercise for a genuinely small, low-volume entity. PNPC can instead help design and document a proportionate manual screening and record-keeping process, along with clear criteria for when the business should revisit the software question as volumes or risk exposure grow. We do not recommend software procurement where the entity's actual documented risk profile does not justify it.

Practitioner note: We would rather tell a client honestly that software is not yet necessary than sell an engagement the risk profile does not support. That honesty is part of why clients return to us as they scale.
Can AML/CFT software help with due diligence during a business sale, investor round, or partnership?

Yes, indirectly but materially. A regulated entity that can demonstrate a properly configured, actively used AML/CFT programme — screening records, monitoring history, case management logs, and clean goAML filing history — presents a materially stronger compliance posture to an acquirer, investor, or banking partner during due diligence than one relying on undocumented manual processes. PNPC can format the AML/CFT programme's documentation specifically for a due diligence data room when a transaction is anticipated.

Practitioner note: We have seen AML/CFT compliance gaps become a genuine deal-slowing issue in due diligence for regulated UAE entities — buyers and investors increasingly ask for this evidence as standard, not as an exception.
How does PNPC stay current on UAE AML/CFT regulatory changes that might affect our software configuration?

PNPC's compliance advisory team monitors updates from the Ministry of Economy, the UAE Central Bank, the Financial Intelligence Unit, and relevant free zone regulators, and factors regulatory changes into the periodic effectiveness reviews conducted for clients on an ongoing retainer. Where a regulatory change materially affects screening obligations, reporting timelines, or supervisory expectations, PNPC proactively flags the change and, where relevant, recommends a configuration update.

Practitioner note: AML/CFT regulation in the UAE has evolved meaningfully over recent years as the jurisdiction has strengthened its framework. A configuration that was compliant at setup can become outdated purely through regulatory evolution, not through any change in the business itself — which is exactly why we build periodic review into every ongoing engagement.
What is the first step if my business has never had any formal AML/CFT programme in place?

The first step is a scoping conversation to confirm the entity's regulatory category, the applicable supervisory authority, and whether a documented risk-based assessment, AML/CFT policy, and Compliance Officer appointment already exist. From there, PNPC proposes a sequenced plan — governance and policy foundation first if it is missing, followed by proportionate software selection and configuration — rather than jumping straight to a technology purchase.

Practitioner note: We ask more foundational questions in the first meeting than most businesses expect from a 'software setup' engagement, because the software genuinely cannot be scoped correctly until the governance foundation and risk profile are understood.
What is 'tipping off' and how does the software workflow need to guard against it?

Tipping off is the offence of disclosing to a customer, directly or indirectly, that they are or may be the subject of a suspicious transaction report or an ongoing investigation — a prohibition set out under UAE AML/CFT law that applies regardless of the reporting entity's good intentions. Case management workflows must be designed so that alert investigation, escalation, and any subsequent account restriction or relationship review do not reveal to the customer that a report has been or may be filed. PNPC reviews the configured escalation workflow specifically for tipping-off risk — including how customer-facing staff are instructed to behave if a customer questions a delay or additional document request tied to an open investigation.

Practitioner note: This is one of the more delicate parts of staff training. Frontline staff often want to reassure an anxious customer by explaining why a transaction is delayed — that instinct, if acted on, can itself become a tipping-off breach. We script the permitted, neutral responses during training.
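How a case-management workflow can enforce this in code, as an added example and not the page's workflow or any vendor's product: the case record carries the alert reason and STR status, but a frontline role only ever receives a projection without them, every view is logged, and the customer-facing wording is identical whether the case is merely under investigation or an STR has already been filed, so nothing a teller can say reveals which it is. Roles, field names, the goAML-style reference and the neutral wording are assumptions for illustration.

```python
"""Role-separated views of an AML case so frontline staff cannot tip off.

Added example, not the page's workflow or any vendor's case-management product.
Roles, field names and wording are assumptions; the data is constructed.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Case statuses. The last two must be indistinguishable from outside compliance.
STATUSES = ("open", "cleared", "under_investigation", "str_filed")

# What each role may see. Reason, STR status and investigator notes never leave
# the compliance role; frontline only learns that a hold exists.
ROLE_FIELDS = {
    "compliance": {"case_id", "customer_id", "status", "alert_reason",
                   "investigator_notes", "str_reference", "hold_on_account"},
    "frontline": {"case_id", "customer_id", "hold_on_account"},
}

# Constructed neutral wording, the same for every non-cleared state by design.
NEUTRAL_HOLD_MESSAGE = ("Your request is going through our standard processing checks. "
                        "We will contact you when it is complete.")


@dataclass
class Case:
    case_id: str
    customer_id: str
    status: str
    alert_reason: str = ""
    investigator_notes: str = ""
    str_reference: str = ""      # filing reference once submitted; compliance-only
    hold_on_account: bool = False
    access_log: list = field(default_factory=list)


def view(case: Case, role: str, user: str) -> dict:
    """Project the case onto the fields the role may see, and record who looked."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    if case.status not in STATUSES:
        raise ValueError(f"unknown status {case.status!r}")
    case.access_log.append({"user": user, "role": role,
                            "at": datetime.now(timezone.utc).isoformat()})
    data = asdict(case)
    del data["access_log"]           # the log itself is not part of any view
    return {k: v for k, v in data.items() if k in ROLE_FIELDS[role]}


def customer_message(case: Case) -> str:
    """The only wording frontline staff may use. It carries no information beyond
    'a hold exists': investigation and a filed STR read exactly the same."""
    if case.status == "cleared" or not case.hold_on_account:
        return "Your request has been processed."
    return NEUTRAL_HOLD_MESSAGE


def pushback_instruction(frontline_view: dict) -> str:
    """What the teller does if the customer presses for a reason: log and route, never explain."""
    return ("Do not discuss the reason or who is reviewing it. Repeat the standard message, "
            f"log the query against {frontline_view['case_id']} and notify compliance.")


if __name__ == "__main__":
    case = Case("CASE-7", "C004", "str_filed",
                alert_reason="repeated cash deposits just under the reporting threshold",
                investigator_notes="pattern confirmed over 3 weeks", str_reference="REF-0001",
                hold_on_account=True)
    print("frontline sees:", view(case, "frontline", "teller1"))
    print("compliance sees:", view(case, "compliance", "mlro"))
    print("customer hears:", customer_message(case))
    print("access log entries:", len(case.access_log))
```

The invariant worth testing in any real platform is the one `customer_message` encodes: the text shown to a customer whose case is under investigation must be byte-for-byte the same as the text shown once an STR is filed. If the two ever differ, the difference is the tip-off.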
How long must screening records, alerts, and STR/SAR documentation be retained?

UAE AML/CFT regulation requires regulated entities to retain customer due diligence records, transaction records, and records of any suspicious transaction analysis and reporting for a minimum period set out in Federal Decree-Law No. 20 of 2018 and its implementing regulations. The period generally runs from the end of the business relationship or from the date of the transaction, as applicable; confirm the currently prescribed period with PNPC or the relevant supervisor rather than relying on a remembered figure, as retention requirements can be updated. PNPC configures the software's data retention and archival settings to meet this requirement, including ensuring records remain retrievable, not just stored, for the full retention window.

Practitioner note: Retrievability is the part most businesses overlook — a record technically retained in an old, unsupported software version that nobody can actually export or search is functionally as bad as no record at all. We test retrieval, not just storage, during configuration review.
Does hosting the screening and monitoring data in the cloud raise any UAE-specific data residency concerns?

UAE AML/CFT regulation does not universally mandate that screening and monitoring data be hosted on servers physically located within the UAE, but data protection obligations under the federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), sector-specific rules (particularly for DIFC and ADGM entities under their own data protection regimes), and any group-level data governance policy can all bear on where customer and transaction data may be hosted and processed. Note that a hosted screening service processes customer names on the vendor's infrastructure every time a check runs, so the processing location and the vendor's sub-processors matter even where the entity's own records stay in the UAE. PNPC reviews the proposed platform's hosting location and data protection terms as part of software shortlisting, flagging any residency or cross-border transfer consideration relevant to the client's specific regulatory position.

Practitioner note: DIFC and ADGM entities in particular should not assume a mainland-appropriate cloud configuration is automatically acceptable under the DIFC Data Protection Law (DIFC Law No. 5 of 2020) or the ADGM Data Protection Regulations 2021 — we check this specifically rather than treating data residency as a generic checkbox.
What is the realistic cost range for AML/CFT software licensing, separate from PNPC's advisory fee?

Software licensing costs vary substantially by platform tier, customer volume, and module selection (screening only versus screening plus full transaction monitoring and case management), and are set and quoted directly by the software vendor — PNPC does not mark up or take commission on licence fees. As a general orientation, a bare sanctions/PEP screening tool sized for a small DNFBP typically sits at the lower end of available platforms, while a full monitoring-and-case-management suite for a higher-volume entity commands a materially higher licence cost. PNPC presents the actual vendor quotes for shortlisted options in writing during the selection phase rather than estimating a figure in the abstract.

Practitioner note: We deliberately avoid quoting a specific licence price range in general conversation because vendor pricing structures (per-user, per-screening-volume, flat annual) differ enough that a generic number would mislead more than it would inform. We get real vendor quotes into your hands before you commit to anything.
How does AML/CFT software setup differ for a DMCC-licensed precious metals and stones dealer versus a mainland real estate broker?

Both fall within DNFBP categories under UAE AML/CFT law, but their risk typologies and supervisory touchpoints differ. A DMCC-licensed precious metals and stones dealer typically faces higher cash-intensity risk, specific transaction-value reporting thresholds relevant to the sector, and DMCC's own compliance oversight alongside the federal framework. A mainland real estate broker under Ministry of Economy oversight typically faces lower transaction frequency but higher per-transaction value, with beneficial ownership and source-of-funds scrutiny on property purchases as the dominant risk theme. PNPC calibrates monitoring rules, screening cadence, and the case management workflow to the specific typology profile of the sector, not a generic DNFBP template.

Practitioner note: We have configured AML/CFT programmes for both sectors and the underlying red flags are genuinely different — cash-structuring patterns for a precious metals trader versus unusual funding-source patterns for a property purchase. A one-size-fits-all rule set fails both.
Can PNPC support an entity with operations across multiple emirates or multiple free zones under one AML/CFT programme?

Yes. Where a single licensed entity operates across multiple emirates, or a group has related entities licensed in different free zones (each potentially under a different immediate regulator), PNPC designs a coordinated AML/CFT technology and governance approach that respects each entity's specific supervisory requirements while avoiding duplicated, inconsistent, or contradictory screening and monitoring practices across the group. Centralising the underlying platform where feasible, with entity-specific configuration layers, is often more cost-effective and easier to govern than fully separate systems per licence.

Practitioner note: Groups with entities in more than one free zone sometimes end up with two or three different screening tools purchased independently by different branch managers over time. Consolidating onto one properly configured platform, where the group structure allows it, is usually both cheaper and materially easier to defend under inspection.
What should be in the software vendor contract to protect the business, beyond price?

Beyond licence pricing, PNPC reviews proposed vendor contracts for data ownership and portability on termination (can the entity export its full screening and case history if it switches platforms later), service-level commitments on list-update frequency and system uptime, liability and indemnity terms relevant to a compliance-critical system, and any auto-renewal or lock-in clauses that could leave the entity committed to an underperforming platform. These commercial terms sit alongside, not instead of, the configuration and effectiveness questions PNPC evaluates.

Practitioner note: Data portability on exit is the clause we flag most often as inadequate in vendor-drafted contracts. An entity that cannot cleanly export its historical screening and case records if it switches providers later effectively loses part of its own compliance history — we push back on this in contract review.
Does PNPC's AML/CFT software advisory connect to the firm's broader internal audit or IT risk assurance work?

Yes, where relevant. AML/CFT software configuration sits within PNPC's broader IT Risk & Technology Assurance practice, and for clients also engaging PNPC for internal audit, IT general controls review, or specialised audit and certification work, the AML/CFT technology environment is assessed as part of that wider control landscape rather than in isolation — avoiding duplicated fieldwork and giving management a single, coherent view of technology-dependent controls across the business.

Practitioner note: Where a client already has PNPC conducting internal audit or IT risk assurance work, we deliberately reuse the control-environment understanding built there for the AML/CFT engagement rather than starting from a blank page — it shortens the scoping phase and keeps the two workstreams consistent with each other.
Why PNPC Global

PNPC AML/CFT Software Advisory vs Typical Alternatives

Compared on each dimension: PNPC Global (Dubai) / a software vendor's sales team / a generic IT consultant.

Independent of any single software vendor
  PNPC Global (Dubai): Yes — advisory fee only, no referral commissions
  Software vendor sales team: No — inherently incentivised toward their own platform
  Generic IT consultant: Sometimes, but often lacks AML/CFT regulatory depth

Grounded in the entity's documented risk-based assessment
  PNPC Global (Dubai): Standard starting point for every engagement
  Software vendor sales team: Rarely assessed — configuration follows generic defaults
  Generic IT consultant: Depends entirely on the individual consultant's compliance background

Familiarity with UAE Federal Decree-Law No. 20 of 2018 and sector-specific supervisory expectations
  PNPC Global (Dubai): Core practice area, tracked on an ongoing basis
  Software vendor sales team: Generic product knowledge, not regulatory expertise
  Generic IT consultant: Variable, usually IT-focused rather than regulatory-focused

goAML workflow integration
  PNPC Global (Dubai): Mapped and tested as part of setup
  Software vendor sales team: Sometimes offered as a technical feature, rarely process-tested
  Generic IT consultant: Not typically within scope

Policy manual and technology alignment
  PNPC Global (Dubai): Reviewed and aligned as standard
  Software vendor sales team: Out of scope for a software vendor
  Generic IT consultant: Out of scope unless separately engaged

Compliance Officer and staff training on the specific configured tool
  PNPC Global (Dubai): Included in setup
  Software vendor sales team: Basic product training only, not compliance-judgement training
  Generic IT consultant: Not typically offered

India-UAE group coordination for cross-border entities
  PNPC Global (Dubai): Direct coordination through PNPC's Chennai, Bangalore, Hyderabad, and Dubai offices
  Software vendor sales team: Not available
  Generic IT consultant: Not available

Fixed, written advisory fee agreed upfront
  PNPC Global (Dubai): Yes, always in writing before work begins
  Software vendor sales team: Licence quote only, configuration effort often unclear until underway
  Generic IT consultant: Variable, often time-and-materials with uncertain total cost

What the PNPC package includes

1. Regulatory scoping to confirm DNFBP or other regulated status and the relevant UAE supervisory authority
2. Review of, or support building, the entity's documented AML/CFT risk-based assessment before software is discussed
3. Independent, vendor-neutral shortlisting of screening and monitoring platforms proportionate to the entity's actual risk profile
4. Configuration design covering sanctions/PEP list sources, screening sensitivity, and transaction monitoring thresholds and typologies
5. Case management and escalation workflow design, mapped directly to the entity's goAML reporting pathway
6. Testing of the configured system against real historical customer and transaction data before go-live
7. Alignment review between the configured technology and the written AML/CFT policy and procedures manual
8. Tool-specific training for the Compliance Officer / MLRO and relevant frontline staff
9. Post-go-live calibration review based on actual alert volumes and false-positive rates
10. Periodic independent effectiveness review, available as an ongoing advisory retainer
11. Direct advisory support through supervisory inspections and any resulting remediation findings

Talk to PNPC's Dubai compliance team before your next inspection or your next platform renewal — an AML/CFT technology setup sized to your actual risk profile, not a vendor's default configuration.

Jurisdiction: United Arab Emirates (free zone, mainland & offshore)

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.
