
AML/CFT Compliance Programme Design

AML/CFT compliance in the UAE is not a policy document that sits in a drawer until an inspector asks for it.

Chartered Accountants · Dubai · Since 1986

What AML/CFT Compliance Programme Design is

An AML/CFT Compliance Programme is the documented and operational framework through which a UAE business identifies, assesses, mitigates, and reports the money laundering, terrorist financing, and proliferation financing risks it is exposed to. It is mandated under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended by Federal Decree-Law No. 26 of 2021), its Cabinet Decision No. 10 of 2019 executive regulations (as amended), and sector-specific guidance issued by the relevant supervisory authority. For Designated Non-Financial Businesses and Professions (DNFBPs) — a category that includes real estate agents and brokers, dealers in precious metals and stones, corporate service providers, independent legal and accounting professionals conducting specified activities, and trust and company service providers — the Ministry of Economy is generally the primary supervisor, alongside emirate-level and free-zone-level regulators such as DMCC for precious metals and stones businesses operating in that free zone. For licensed financial institutions and certain regulated entities, the Central Bank of the UAE, the Securities and Commodities Authority, DIFC's regulator, or ADGM's regulator may be the relevant supervisor depending on licence type and jurisdiction.

A compliant programme is built around a documented Business Risk Assessment (BRA) that evaluates the entity's exposure to money laundering and terrorist financing risk across its customer base, products and services, delivery channels, and geographic footprint. From that risk assessment flows a risk-based Customer Due Diligence (CDD) framework — including simplified due diligence for lower-risk relationships and Enhanced Due Diligence (EDD) for higher-risk customers, Politically Exposed Persons (PEPs), and relationships involving higher-risk jurisdictions. The programme must also include ongoing transaction monitoring calibrated to the entity's risk profile, sanctions and UN Consolidated List screening procedures, a documented process for identifying and filing Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) through the goAML platform administered by the UAE's Financial Intelligence Unit, record-keeping procedures compliant with the minimum retention periods prescribed under the law, an appointed and adequately resourced Compliance Officer (often referred to as the MLRO — Money Laundering Reporting Officer), and a documented staff training programme delivered at onboarding and at appropriate refresher intervals.

The distinction between having AML policies and having an AML compliance programme is where most businesses fall short. A policy document copied from a template, signed once, and never operationalised does not satisfy regulatory expectations and will not withstand an inspection. Supervisors — whether the Ministry of Economy's inspection teams, DMCC's compliance department, or a free zone authority — increasingly test whether the documented risk assessment matches the entity's actual customer base and transaction patterns, whether CDD files show real evidence of identity verification and source-of-funds enquiry (not just a checklist tick), whether the entity can demonstrate it screened customers against sanctions lists at onboarding and periodically thereafter, and whether the Compliance Officer can articulate how the programme actually functions day to day. Registered entities are also generally required to complete the annual AML/CFT return through the relevant portal, and DNFBPs must register on the goAML platform even where no STR has ever been filed.

Getting the programme design wrong carries real consequences. Administrative penalties under Cabinet Decision No. 10 of 2019 (as amended) can run into hundreds of thousands of dirhams per violation, and enforcement action can extend to licence suspension, restriction, or revocation by the relevant licensing authority — DED, a free zone authority, or a financial regulator — in serious or repeated cases. Beyond direct penalties, an inadequate AML programme is now a standard due diligence item for banks opening or maintaining corporate accounts, for investors conducting deal diligence, and for larger corporate counterparties conducting vendor onboarding. PNPC designs programmes that are proportionate to your actual risk profile — neither a generic template that collapses under inspection, nor an over-engineered framework that a small business cannot realistically operate.

When you need a formal AML/CFT compliance programme

Your business falls within the DNFBP definition — real estate brokerage or development, dealing in precious metals/stones above the prescribed cash threshold, corporate/trust service provision, or independent legal/accounting professional services involving specified activities (buying/selling real estate, managing client funds or accounts, company formation, or managing companies/trusts)

You hold a financial services licence from the Central Bank of the UAE, the Securities and Commodities Authority, DIFC's regulator, or ADGM's regulator, and are subject to that authority's AML/CFT rulebook

You are onboarding your first customers/clients and need a defensible CDD and risk-scoring framework before you can demonstrate compliance to your supervisor or to a bank during account opening

Your free zone authority (DMCC, JAFZA, or others with active AML supervisory functions) has flagged your entity for an AML/CFT inspection, compliance return, or remediation notice

You have never registered on the goAML platform despite falling within a DNFBP category — registration and an operative reporting capability are baseline expectations regardless of transaction volume

Your existing AML policy was drafted years ago, purchased as a generic template, or has never been tested against an actual transaction or customer file, and you need it rebuilt to reflect how the business actually operates

A bank, investor, or large corporate counterparty has requested evidence of your AML/CFT programme as part of their own due diligence or KYC-on-you process

When a full programme build may not be the immediate priority

Your activity does not fall within the DNFBP definitions and you hold no AML-regulated licence — confirm applicability first with a scoping review rather than commissioning a full programme build; PNPC offers this as an initial diagnostic

You are a very early-stage entity that has not yet commenced the regulated activity (e.g., a real estate brokerage licence obtained but no transactions yet conducted) — a lighter-weight readiness framework may be more appropriate than a full operational programme, to be scaled up before go-live

You already have a functioning, recently reviewed AML/CFT programme with a documented BRA, active goAML registration, and evidenced CDD files — what you likely need is an independent AML/CFT audit or gap assessment rather than a full programme redesign

Your immediate need is a single overdue filing (an annual AML return or a specific STR) rather than the underlying programme architecture — PNPC can address the urgent filing while scoping the broader programme work separately

Your entity is a pure holding company with no customer-facing transactions, no cash handling, and no activity that falls within any DNFBP category — confirm non-applicability in writing from your licensing authority rather than building an unnecessary programme

Structure Comparison

AML/CFT obligation comparison by UAE entity type and sector exposure

Entity Type | Primary AML Supervisor | goAML Registration | CDD/EDD Obligation | STR/SAR Filing Duty | Typical Inspection Trigger
Real estate broker/agent | Ministry of Economy (or Dubai Land Department-linked framework in Dubai) | Mandatory | Full CDD on buyer/seller; EDD for high-value or PEP-linked deals | Yes — on suspicion, regardless of deal size | Cash transactions, high-value deals, foreign buyer volume
Dealer in precious metals/stones (DPMS) | Ministry of Economy / DMCC (if DMCC-licensed) | Mandatory | Full CDD above cash threshold; EDD for high-value cash deals | Yes | Cash-heavy trade, cross-border shipments, DMCC compliance return
Corporate/trust service provider (CSP/TCSP) | Ministry of Economy | Mandatory | Full CDD on ultimate beneficial owners of every entity formed/managed | Yes | Company formation volume, nominee arrangements, UBO opacity
Independent accountant/auditor (specified activities) | Ministry of Economy | Mandatory if performing specified activities | Full CDD when managing client funds/accounts or forming companies | Yes | Client money handling, company formation services offered
Independent legal professional (specified activities) | Ministry of Economy | Mandatory if performing specified activities | Full CDD on real estate, company formation, and client fund transactions | Yes | Conveyancing, escrow handling, entity formation work
Bank / licensed financial institution | Central Bank of the UAE | Mandatory | Full CDD/EDD framework under Central Bank AML/CFT regulations | Yes — highest scrutiny | Routine supervisory examination, transaction monitoring alerts
DIFC-regulated entity | DIFC regulator (DFSA) | Mandatory where applicable | DFSA AML Module requirements | Yes | DFSA thematic reviews, licence renewal
ADGM-regulated entity | ADGM regulator (FSRA) | Mandatory where applicable | FSRA AML rulebook requirements | Yes | FSRA supervisory cycle, licence renewal
General trading LLC (non-DNFBP activity) | None directly under AML law — DED licensing oversight only | Not required unless activity crosses into a DNFBP category | Standard KYC for banking relationship, not statutory AML CDD | No statutory STR duty absent DNFBP status | Bank account opening/renewal KYC only
Free zone trading company (non-DNFBP) | Free zone authority licensing oversight | Not required unless activity crosses into a DNFBP category | Standard KYC for banking relationship, not statutory AML CDD | No statutory STR duty absent DNFBP status | Free zone compliance renewal, bank KYC

This table is directional. Whether a specific entity is a DNFBP, and the precise scope of its CDD/EDD and reporting obligations, depends on the actual activities licensed and performed — not merely the trade licence category. A scoping review against your specific licensed activities and transaction patterns is the correct first step, and PNPC provides this as a standalone engagement before recommending the scope of a full programme.

How it works
# | Stage & What PNPC Does | What Generic Template Providers Miss | Timeline
1 | Applicability Scoping — Confirm DNFBP status and supervisory authority | We map your actual licensed activities against the DNFBP definitions in Cabinet Decision No. 10 of 2019 (as amended) — not just your trade licence description. A company with a broad 'general trading' licence that also brokers property deals is a DNFBP for that activity regardless of what the licence certificate says. We also confirm whether Ministry of Economy, a free zone authority, or a financial regulator is your effective supervisor. | Week 1
2 | Business Risk Assessment (BRA) — Entity-specific ML/TF/PF risk evaluation | A template BRA scores generic risk categories without reference to your actual customer base, deal sizes, payment methods, and geographic exposure. We build a BRA from your real transaction history and customer profile — the document a supervisor actually tests during inspection is whether the BRA matches reality, not whether it exists. | Week 1–2
3 | AML/CFT Policy & Procedures Manual — Drafted to your operating model | We draft the manual around how your business actually processes a transaction from first customer contact to file closure — not a generic 40-page document copied from a different sector. Includes CDD/EDD procedures, PEP screening protocol, sanctions screening cadence, record-retention schedule, and escalation pathway to the Compliance Officer. | Week 2–3
4 | Compliance Officer / MLRO Appointment — Role definition and resourcing | The appointed Compliance Officer must have genuine authority, access to senior management, and adequate time allocation — a nominal appointment where the 'MLRO' has no real visibility into transactions is a common inspection failure point. We define the role, draft the appointment letter and reporting lines, and brief the appointee on statutory duties including STR filing authority. | Week 2–3
5 | goAML Portal Registration — FIU registration for the entity and Compliance Officer | Registration on the goAML platform (administered by the UAE Financial Intelligence Unit) is mandatory for DNFBPs regardless of whether an STR has ever been filed. We handle the registration, entity profile setup, and Compliance Officer credentialing — a step many entities discover they never completed until an inspection asks for the registration number. | Week 3
6 | Customer Due Diligence (CDD) Framework Build — Risk-scored onboarding workflow | A tiered CDD framework — simplified, standard, and enhanced — mapped to concrete risk triggers specific to your sector: cash thresholds, PEP status, high-risk jurisdiction exposure, complex ownership structures. We build the actual onboarding form, UBO identification methodology, and documentary evidence checklist your staff will use. | Week 3–4
7 | Sanctions & PEP Screening Setup — Screening tool selection and screening cadence | Screening against the UN Consolidated List and the UAE Local Terrorist List must happen at onboarding and on an ongoing basis, not as a one-time check. We advise on appropriate screening tools proportionate to your transaction volume and set the review cadence — daily list-update checks for higher-volume entities, periodic re-screening for the full customer book. | Week 4
8 | Transaction Monitoring Design — Thresholds and red-flag indicators for your sector | Generic red-flag lists copied from a bank's AML manual do not fit a real estate brokerage or a precious metals dealer. We calibrate monitoring thresholds and red flags to your actual product/service and payment patterns — structuring, unusual cash volumes, third-party payments, rapid resale patterns for real estate, and sector-specific indicators. | Week 4–5
9 | STR/SAR Filing Protocol — Internal escalation to goAML submission | We build the internal decision pathway: what triggers an internal report to the Compliance Officer, how the Compliance Officer evaluates and documents the decision to file (or not file) an STR, and the actual mechanics of submitting through goAML — including the tipping-off prohibition under the Decree-Law that staff must understand before any customer interaction follows a report. | Week 5
10 | Staff Training Programme — Role-specific training and evidenced completion | Training that is not documented, dated, and tied to specific staff by name does not satisfy inspection evidence requirements. We design onboarding training and an annual refresher programme, deliver an initial training session, and set up the record-keeping (attendance, materials, assessment) that demonstrates the training actually happened. | Week 5–6
11 | Record-Keeping & File Structure Setup — Retention-compliant documentation system | The law prescribes minimum retention periods for CDD records, transaction records, and STR-related documentation. We set up a file structure — physical or digital — that meets retention requirements and can be produced intact and complete during an inspection, including UBO documentation trails for company formation service providers. | Week 6
12 | Independent Review & Sign-Off — Pre-launch programme test | Before we consider the programme live, we run a mock file review — testing whether a sample customer file would actually pass inspection scrutiny. Gaps identified here are fixed before your supervisor finds them, not after. | Week 6–7
13 | Annual AML/CFT Return & Ongoing Advisory — Continuing compliance support | The programme does not end at design. Annual AML/CFT returns to the relevant portal, periodic BRA refresh, ongoing screening list updates, and STR advisory as live situations arise are all part of keeping the programme operative. PNPC remains engaged as your compliance advisory partner, not a one-time document vendor. | Ongoing — annually and as needed

Realistic end-to-end timeline for a full programme build: 6–8 weeks from applicability scoping to a fully operative, inspection-ready programme, depending on entity complexity and the volume of historical customer files that need retrospective CDD remediation. Entities with an existing but deficient programme can often be remediated faster where the core documentation exists and only specific gaps need closing.

Document Checklist
Entity & Licensing Documents

Trade licence copy showing all licensed activities — not just the primary activity — as this determines DNFBP classification

Certificate of Incorporation / Commercial Registration extract

Memorandum and Articles of Association or equivalent constitutional document

Free zone or DED licence renewal history, if applicable, to confirm continuous licensing status

Shareholding/ownership structure chart identifying Ultimate Beneficial Owners (UBOs) down to natural persons

Organisational chart identifying who will be appointed Compliance Officer/MLRO and their reporting line to senior management

Existing Compliance Materials (If Any)

Any existing AML/CFT policy or procedures manual, however outdated, for gap analysis against current requirements

Any prior Business Risk Assessment document

goAML registration confirmation, if the entity has previously registered

Record of any prior STR/SAR filings, including goAML reference numbers

Any correspondence from Ministry of Economy, a free zone authority, or a financial regulator relating to AML/CFT inspections, notices, or remediation requirements

Staff training records or certificates from any prior AML training delivered

Operational & Transaction Data

Description of actual services offered and how a typical transaction/engagement flows from first client contact to completion

Sample customer/client files (anonymised if needed for initial review) showing current onboarding documentation practices

Transaction volume and value data for the past 12 months, broken down by payment method (cash, bank transfer, cheque, other)

List of jurisdictions from which customers/clients typically originate, to assess geographic risk exposure

Details of any customers or transactions involving Politically Exposed Persons (PEPs), if known

Payment and banking relationship details — which banks the entity uses for customer-related transactions

For Real Estate Brokers/Developers Specifically

Sample sale/purchase agreement templates currently in use

Details of typical deal values and the proportion involving cash or third-party payment

Escrow account arrangements, if the entity holds client funds

RERA or equivalent local real estate regulatory registration details, where applicable

For Corporate/Trust Service Providers Specifically

List of entities currently formed/managed on behalf of clients, with UBO identification status for each

Nominee director/shareholder arrangements currently in place, if any, and the disclosure documentation held

Standard company formation engagement letter and client onboarding forms currently used

For Dealers in Precious Metals & Stones Specifically

Details of typical transaction values and cash-handling volume against the prescribed reporting threshold

Supplier and customer base geographic profile

DMCC or relevant free zone compliance return history, if applicable

Post-Design Operational Documents (PNPC Prepares)

AML/CFT Policy & Procedures Manual, tailored to the entity

Business Risk Assessment document

CDD/EDD onboarding forms and UBO identification methodology

Sanctions and PEP screening protocol document

Transaction monitoring red-flag and escalation matrix

STR/SAR internal reporting and goAML filing protocol

Staff training materials and attendance/record templates

Record-retention schedule and file structure guide

Ongoing obligations
Phase | Triggered By | PNPC Compliance Guidance | Risk If Ignored
Applicability Determination | New licence issued or activity expansion | Scope the entity's actual activities against DNFBP definitions under Cabinet Decision No. 10 of 2019 (as amended); confirm supervisory authority; determine whether goAML registration is required. | Operating as an unregistered DNFBP is itself a compliance failure — supervisors do not accept 'we did not know we qualified' as a defence during inspection.
Programme Design & Build | Confirmed DNFBP status or regulator direction | Business Risk Assessment, policy manual, CDD/EDD framework, screening protocols, STR pathway, and training programme built and documented. | A missing or template-only programme is the single most common finding in Ministry of Economy and free zone AML inspections, and typically triggers the largest administrative penalties.
goAML Registration & Compliance Officer Appointment | Programme design phase / regulator notice | Entity and Compliance Officer registered on the goAML platform; appointment formalised with clear authority and reporting lines to senior management. | Unregistered entities cannot file STRs even when a suspicious transaction is identified — creating a compounding compliance failure on top of the underlying detection gap.
Live Operations — Ongoing CDD | Every new customer/client relationship | Risk-scored onboarding applied consistently; UBO identification completed and documented for every corporate customer; EDD triggered automatically for PEPs and high-risk profiles. | Inconsistent or undocumented CDD is the most frequent file-level inspection failure — supervisors sample customer files and test whether the paper trail supports the risk rating assigned.
Live Operations — Screening & Monitoring | Every transaction and periodic review cycle | Sanctions/PEP screening at onboarding and on a defined ongoing cadence; transaction monitoring against sector-calibrated red flags; internal escalation logged even where no STR results. | Failure to screen against updated sanctions lists exposes the entity to dealing with a designated person — a serious violation carrying both AML and broader legal consequences beyond administrative fines.
Suspicious Transaction Identified | Red flag triggers internal review | Compliance Officer evaluates, documents the decision, and files an STR/SAR via goAML where warranted — without alerting the customer (tipping-off prohibition under the Decree-Law). | Failure to file, or tipping off the customer, is a standalone offence under Federal Decree-Law No. 20 of 2018 (as amended) independent of the underlying suspected activity.
Annual Review Cycle | 12-month anniversary of programme / calendar deadline | Business Risk Assessment refreshed against the past year's actual customer and transaction data; annual AML/CFT return filed through the relevant portal; staff refresher training delivered and evidenced. | A stale BRA that no longer reflects the business is treated by supervisors as equivalent to having no risk assessment at all; missed annual returns attract separate penalties from the licensing/supervisory authority.
Regulatory Inspection | Scheduled cycle or risk-triggered by supervisor | Pre-inspection file review, Compliance Officer briefing, and representation support during the inspection; remediation plan drafted for any findings. | Unaddressed inspection findings escalate to formal notices, larger administrative penalties, and in serious or repeated cases, licence suspension or revocation by the relevant licensing authority.
Programme Remediation | Inspection finding or internal gap discovery | Root-cause gap analysis; policy and procedure amendment; retrospective CDD remediation for affected customer files; evidence pack prepared for supervisor follow-up. | Repeat findings on the same issue are treated far more seriously by supervisors than a first-time finding — indicating a systemic, not isolated, compliance failure.
Frequently asked
What is a DNFBP and how do I know if my UAE business qualifies?

DNFBP stands for Designated Non-Financial Business or Profession — a category defined under UAE AML/CFT law that captures specific business activities considered higher-risk for money laundering even though they are not financial institutions. Under Cabinet Decision No. 10 of 2019 (as amended), the DNFBP categories broadly include: real estate agents and brokers when involved in transactions concerning the buying and selling of real estate; dealers in precious metals and stones when engaged in cash transactions above a prescribed threshold; independent legal professionals and accountants when preparing for or carrying out transactions involving buying/selling real estate, managing client money/securities/assets, managing bank/savings/securities accounts, organising contributions for company formation/operation/management, or forming/operating/managing legal persons or arrangements; and corporate and trust service providers offering company formation and management services (including registered agents and nominee arrangements). What matters is the activity actually performed, not the label on your trade licence.

Practitioner note: We regularly encounter entities with a broad 'general trading' or 'business consultancy' trade licence that are, in practice, performing company formation or real estate brokerage services and are therefore DNFBPs without realising it. The activity governs the obligation — not the licence category printed on the certificate.

What is the legal basis for AML/CFT obligations in the UAE?

The primary statute is Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, as amended by Federal Decree-Law No. 26 of 2021. The executive regulations are set out in Cabinet Decision No. 10 of 2019, as subsequently amended, which details DNFBP categories, CDD requirements, and administrative penalties. Various Ministerial Decisions and supervisory-authority-specific guidance (from the Ministry of Economy, individual free zone authorities, and financial regulators such as the Central Bank, DFSA, and FSRA) provide operational detail applicable to specific sectors.

Practitioner note: The framework is periodically updated in response to FATF (Financial Action Task Force) evaluation cycles and UAE-specific action plans. We track amendments as they are issued rather than relying on a static reading of the original 2018/2019 texts — a programme built against an outdated version of the regulations will have gaps.

What is goAML and why do I need to register even if I've never filed a report?

goAML is the electronic platform administered by the UAE's Financial Intelligence Unit (FIU) through which reporting entities register, submit Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory reports. Registration on goAML is a standalone obligation for DNFBPs and other reporting entities — it is required regardless of whether the entity has ever identified a suspicious transaction. Supervisors treat an unregistered entity as non-compliant on its face, independent of its actual transaction history.

Practitioner note: This is one of the most common gaps we find at first engagement — a business that has operated for years, has a reasonable customer base, but never completed goAML registration because nobody flagged it as a distinct step from having an AML policy. We handle the registration as a discrete early milestone in every engagement.

What does a Business Risk Assessment (BRA) actually need to contain?

A BRA is a documented evaluation of the money laundering, terrorist financing, and proliferation financing risks the specific entity is exposed to, assessed across at least four dimensions: customer risk (types of customers, PEP exposure, beneficial ownership complexity), product/service risk (which of your services carry higher inherent ML/TF risk), delivery channel risk (face-to-face versus remote/digital onboarding), and geographic risk (jurisdictions your customers and counterparties are based in or transact with, including any exposure to higher-risk jurisdictions). The BRA should conclude with an overall risk rating and specific mitigating controls tied to each identified risk — not just a generic risk statement.

Practitioner note: The BRA is the document supervisors interrogate first during an inspection, because everything else in the programme — CDD tiering, monitoring thresholds, EDD triggers — should trace back to it. A BRA that reads like it was written for a different type of business (a common symptom of purchased templates) is an immediate red flag to an inspector.

What is the difference between CDD and EDD, and when does EDD apply?

Customer Due Diligence (CDD) is the baseline identity verification and risk assessment performed on every customer or client before or during onboarding — verifying identity, understanding the nature of the business relationship, and identifying beneficial ownership for corporate customers. Enhanced Due Diligence (EDD) is a more intensive version applied to higher-risk relationships: Politically Exposed Persons (PEPs) and their close associates/family members, customers from higher-risk jurisdictions, complex or opaque ownership structures, unusually large or structured transactions, and any relationship the risk assessment otherwise flags as elevated risk. EDD typically requires additional identity verification, source-of-funds and source-of-wealth enquiry, senior management approval to onboard, and more frequent ongoing monitoring.

Practitioner note: PEP screening is not a one-time check at onboarding — a customer can become a PEP after the relationship begins (a change in political office, for example), and ongoing screening needs to catch that. We build periodic re-screening into every CDD framework, not just point-in-time onboarding checks.

Who can be appointed as Compliance Officer / MLRO, and what does the role actually require?

The Compliance Officer (often referred to functionally as the Money Laundering Reporting Officer or MLRO) should be a person with sufficient seniority, independence, and access to be able to receive internal reports, make STR filing decisions, and engage directly with senior management and, where necessary, the regulator. The role requires genuine time allocation — not a title added to an existing job description with no practical change in duties — and direct access to customer files and transaction data. For smaller entities, the role can be combined with another senior function, but the AML responsibilities and authority must be real and demonstrable.

Practitioner note: Inspectors frequently test this by asking the appointed Compliance Officer direct questions about specific customer files or recent transactions. A nominal appointee who cannot answer basic questions about the business's actual customer base is treated as evidence the programme is not genuinely operative, regardless of what the policy document says.

What is an STR, and what happens after we file one?

A Suspicious Transaction Report (STR) — or Suspicious Activity Report (SAR) where no specific transaction has yet occurred — is a mandatory report filed via goAML when a reporting entity has reasonable grounds to suspect that funds or a transaction is connected to money laundering, terrorist financing, or proceeds of a predicate crime. Once filed, the FIU reviews and may request further information from the reporting entity. Crucially, the entity must not disclose to the customer, or to anyone outside the permitted internal escalation chain, that an STR has been or will be filed — a prohibition known as 'tipping off,' which is itself an offence under the Decree-Law.

Practitioner note: We build the internal escalation and documentation process specifically so that frontline staff know what to observe and report internally, while only the Compliance Officer makes the actual filing decision and interacts with goAML — this keeps the tipping-off risk contained to a small, trained group rather than spread across the whole team.
How often does the AML/CFT programme need to be reviewed or updated?

At minimum, the Business Risk Assessment should be reviewed annually, or sooner if there is a material change in the business — new products/services, new customer segments, entry into new geographic markets, or a significant change in transaction volume or type. Policies and procedures should be reviewed against the current version of the law and any updated supervisory guidance at least annually. Staff training should include an annual refresher, in addition to onboarding training for new hires. Sanctions and PEP screening lists should be checked for updates on an ongoing basis, not merely at the annual review point.

Practitioner note: A programme frozen at its initial design date and never revisited is functionally equivalent, from a supervisor's perspective, to having no programme at all after enough time has passed. We build the annual review into the engagement scope rather than treating programme design as a one-time deliverable.
What are the penalties for non-compliance with UAE AML/CFT requirements?

Cabinet Decision No. 10 of 2019 (as amended) sets out a schedule of administrative penalties for specific violations — including failure to register, failure to appoint a Compliance Officer, failure to conduct or maintain CDD records, failure to file STRs, and tipping off — with penalties that can run into the hundreds of thousands of dirhams depending on the violation and its severity, and which can be levied per violation. Beyond administrative fines, the relevant licensing authority (DED, a free zone authority, or a financial regulator) can suspend or revoke the trade licence in serious or repeated non-compliance cases, and certain violations carry criminal exposure under the broader provisions of the Decree-Law.

Practitioner note: We deliberately avoid quoting a single specific fine figure for a given violation in general advisory conversations, because penalty amounts and their application depend on the specific violation, its severity, and the supervisor's assessment at the time — a business should get its actual exposure assessed against its specific facts rather than working from a generic figure.
Does a free zone company need a separate AML/CFT programme from a mainland company?

The underlying federal AML/CFT law applies across the UAE regardless of mainland or free zone status — what differs is the day-to-day supervisory authority. A mainland DNFBP typically falls under Ministry of Economy supervision. A free-zone-licensed entity performing a DNFBP activity may fall under both the Ministry of Economy framework and, for some free zones with an active compliance function (DMCC being a prominent example for dealers in precious metals and stones), an additional free-zone-level compliance return and inspection regime. The substantive programme requirements are broadly consistent, but the registration, reporting, and inspection touchpoints can differ by free zone.

Practitioner note: We check the specific free zone's own compliance department requirements in addition to the federal framework — DMCC in particular runs its own periodic AML compliance return process for its licensed DPMS and related entities that is distinct from, but complementary to, the federal goAML registration.
We are a small company service provider with only a handful of clients. Do we really need a full programme?

Yes, in substance, though the programme should be proportionate to your size and risk profile — proportionality is itself a recognised principle in a risk-based AML framework. A company service provider forming even a small number of entities is handling UBO identification, nominee arrangements, and company formation activity that sits squarely within the DNFBP definition regardless of client count. The core obligations — registration, a risk assessment, CDD on every client, a Compliance Officer, and the capacity to file an STR — apply irrespective of scale, though the sophistication of your monitoring systems and the depth of documentation can reasonably scale with your size.

Practitioner note: We design programmes for small CSPs and boutique advisory firms that are genuinely operable by a two- or three-person team — the goal is a programme the business can actually run day to day, not a large-firm framework transplanted onto a small operation that then gets ignored because it is unworkable.
What is the tipping-off prohibition and how does it affect how we handle a suspicious customer?

The tipping-off prohibition, set out in the Decree-Law, prohibits a reporting entity or its staff from disclosing to the customer (or to any third party) that an STR has been filed, is being considered, or that an investigation is underway, where that disclosure could prejudice an investigation. In practice, this means frontline staff should not confront a customer about suspected activity, should not explain a delay or account restriction by referencing an AML concern, and should escalate internally through the defined pathway to the Compliance Officer rather than acting independently.

Practitioner note: We train staff specifically on this point because the natural instinct — especially for client-facing staff — is to explain a delay or ask the customer directly about a concern. We build simple, non-disclosing language into training materials for situations where a customer asks why a transaction or onboarding is taking longer than usual.
How does UAE Corporate Tax or VAT registration interact with AML/CFT obligations?

They are separate regulatory regimes administered by different authorities — the Federal Tax Authority for Corporate Tax and VAT, and the Ministry of Economy or sector regulators for AML/CFT — and compliance with one does not substitute for the other. However, in practice they intersect operationally: proper AML CDD and UBO identification records often support the ownership and beneficial-interest disclosures relevant to tax registration and Economic Substance Regulations assessments, and a business with disorganised AML files often also struggles with clean tax documentation, since both stem from the same underlying record-keeping discipline.

Practitioner note: We generally recommend a business address its AML/CFT, Economic Substance Regulations, and tax registration obligations as a coordinated compliance calendar rather than as disconnected projects handled by different advisors — the underlying entity, ownership, and transaction data overlaps significantly across all three.
What sanctions lists must we screen against, and how often?

UAE reporting entities are required to screen customers and transactions against the UN Security Council Consolidated List (sanctions relating to terrorism, proliferation financing, and specific country regimes) and the UAE's Local Terrorist List maintained under domestic legislation. Screening should occur at the point of onboarding and on an ongoing basis thereafter, since sanctions lists are updated periodically and a previously clear customer can be added to a list after the relationship begins. Entities should also be alert to relevant international sanctions regimes (such as those administered by the UN, and applicable regional or bilateral sanctions frameworks) where their customer base or transaction flows have cross-border exposure.

Practitioner note: We advise on a screening cadence proportionate to transaction volume — for higher-volume or higher-risk entities, this typically means checking for list updates far more frequently than an annual review cycle, since a gap between a list update and your next screening cycle is exactly the kind of gap an inspector will test for.
Can PNPC act as our outsourced Compliance Officer / MLRO?

PNPC's role is primarily to design, build, remediate, and periodically review your AML/CFT programme, train your team, and provide ongoing advisory support — including guidance to your appointed Compliance Officer on specific STR decisions and inspection responses. Depending on the engagement and your specific regulatory category, outsourced or fractional compliance officer arrangements may be structured, but the appropriateness of an outsourced MLRO arrangement depends on your specific regulator's expectations and entity type — this is assessed and agreed explicitly as part of scoping, not assumed by default.

Practitioner note: Some supervisory frameworks are comfortable with a properly structured outsourced compliance function; others expect the Compliance Officer to be an internal appointee with direct employment ties to the entity. We confirm the position for your specific supervisor before proposing an outsourcing structure.
What triggers an AML/CFT inspection from the Ministry of Economy or a free zone authority?

Inspections can be routine (scheduled as part of a supervisor's ongoing oversight cycle across licensed DNFBPs), risk-triggered (following a sector-wide concern, a specific complaint, or an unusual pattern flagged through other regulatory touchpoints), or prompted by a renewal cycle where AML compliance documentation is requested as part of trade licence renewal. Free zones with active compliance functions, such as DMCC for precious metals and stones dealers, may run their own periodic compliance return process that itself can surface issues warranting a closer inspection.

Practitioner note: We recommend treating every trade licence renewal as an implicit AML compliance check-point even where the licensing authority does not explicitly request AML documentation at renewal — building the habit of an annual internal review ahead of renewal avoids being caught unprepared if the authority does ask.
What happens during an actual Ministry of Economy or free zone AML inspection?

Typically, the inspector requests the entity's AML/CFT policy and procedures manual, the Business Risk Assessment, evidence of goAML registration, a sample of customer/client files to test CDD and EDD application, records of any STRs filed (or a documented basis for none having been filed), staff training records, and confirmation of the Compliance Officer's appointment and role. The inspection tests whether the documented programme reflects actual practice — mismatches between policy and observed file evidence are the most common source of findings.

Practitioner note: We prepare clients for inspections with a mock file review beforehand — pulling a representative sample of actual customer files and testing them exactly as an inspector would, so that any gaps are found and fixed by us first, not flagged for the first time by the regulator.
How does PNPC price AML/CFT compliance programme design?

PNPC agrees a fixed, written scope and fee before any work begins, based on the applicability scoping outcome — the fee for a small CSP with a handful of clients differs meaningfully from a real estate brokerage with high transaction volume or a DPMS with significant cash handling. The fee covers the full programme build as scoped: BRA, policy manual, CDD/EDD framework, goAML registration, screening protocol, STR pathway, training delivery, and a pre-launch mock review. Ongoing annual review and advisory support is quoted separately as a retainer, agreed only once the client has seen the value of the initial build.

Practitioner note: We do not price AML programme design as a flat, one-size-fits-all package advertised online — the actual scope of work depends heavily on transaction volume, existing documentation quality, and whether retrospective remediation of historical customer files is needed. We provide a written fee proposal after the applicability scoping step, not before.
We already have an AML policy from a template provider. Can PNPC just review it instead of starting fresh?

Yes — this is a common and often more cost-effective starting point. We run a gap analysis comparing the existing document against current regulatory requirements and, more importantly, against how the business actually operates. In many cases the core policy structure can be retained with targeted amendments, while the operational gaps — goAML registration, actual CDD file evidence, Compliance Officer resourcing, and training records — are what genuinely need building out, since a template document is rarely the whole problem.

Practitioner note: We have reviewed template AML policies that were technically comprehensive on paper but had never been operationalised — no goAML registration, no CDD files matching the stated procedures, no training records. The document was fine; the operating programme behind it did not exist. We assess both separately.
What is proliferation financing, and why does it appear alongside money laundering and terrorist financing in UAE AML law?

Proliferation financing refers to the provision of funds or financial services used, in whole or in part, for the manufacture, acquisition, development, or use of weapons of mass destruction and their delivery systems, often in connection with international sanctions regimes targeting specific states or entities. The UAE's AML/CFT framework, aligned with FATF standards, requires reporting entities to consider proliferation financing risk alongside money laundering and terrorist financing risk within their Business Risk Assessment and screening procedures — particularly relevant for entities with cross-border trade, precious metals dealing, or exposure to sanctioned jurisdictions.

Practitioner note: For most DNFBPs with a purely domestic UAE customer base and no cross-border trade exposure, proliferation financing risk will typically be assessed as low — but the BRA still needs to document that this risk category was considered and why it was rated as it was, rather than omitting it entirely.
How does beneficial ownership (UBO) identification work for corporate customers?

For a corporate customer, CDD requires identifying and verifying the Ultimate Beneficial Owner(s) — the natural person(s) who ultimately own or control the customer entity, typically through a specified ownership threshold (commonly 25% or more, though the applicable threshold and methodology should be confirmed against current regulatory guidance) or through other means of control such as voting rights or the ability to appoint senior management. Where a corporate customer has a layered ownership structure — one company owned by another, owned by another — CDD requires looking through the layers to the natural persons at the top, not stopping at the first corporate layer.

Practitioner note: Layered offshore ownership structures are exactly where CDD files most often fall short — a file that verifies only the immediate corporate shareholder, without looking through to the natural person UBO, will not satisfy an inspector and is one of the most common findings we see when reviewing client files at other firms.
Do we need AML/CFT training for all staff, or just the Compliance Officer?

All staff who have customer-facing responsibilities or who could plausibly encounter a red flag in the course of their role — sales, operations, finance, and client-facing management — should receive AML/CFT awareness training, not only the appointed Compliance Officer. The training should be role-appropriate: frontline staff need to recognise red flags and know the internal escalation process, while the Compliance Officer needs deeper training on risk assessment methodology, EDD decision-making, and the STR filing process itself.

Practitioner note: We tier training by role rather than delivering one generic session to everyone — a receptionist and a deal-closing broker need different depths of AML training, and inspectors increasingly ask to see role-appropriate training records rather than a single blanket certificate for the whole company.
What records must we retain, and for how long?

The Decree-Law and its executive regulations prescribe minimum retention periods for CDD documentation, transaction records, and records relating to any STR filed — generally requiring retention for a period of years following the end of the business relationship or the completion of the transaction, sufficient to allow reconstruction of individual transactions if required by a competent authority. The precise retention period should be confirmed against the current executive regulations and any sector-specific guidance, as retention requirements can be refined by subsequent Cabinet or Ministerial decisions.

Practitioner note: We build the record-retention schedule as part of the programme documentation itself, cross-referenced to the current regulations at the time of design, and flag it for review at each annual programme refresh rather than treating it as a fixed figure set once and forgotten.
Is there a difference between AML/CFT obligations and Economic Substance Regulations (ESR) obligations?

Yes, these are distinct regimes with different purposes and different administering authorities. AML/CFT, under Federal Decree-Law No. 20 of 2018 (as amended), addresses money laundering and terrorist financing risk and is supervised by the Ministry of Economy, free zone authorities, or financial regulators depending on entity type. Economic Substance Regulations, administered by the Ministry of Finance, required certain UAE entities conducting defined 'Relevant Activities' to demonstrate adequate economic substance in the UAE and to file an annual ESR notification and, where applicable, an ESR report — however, the ESR notification and report filing obligation was discontinued for financial years commencing on or after 1 January 2023, under Cabinet Decision No. 98 of 2024, meaning ESR is now a historical-compliance and legacy-exposure matter (confirming past filings were made correctly) rather than a live ongoing filing obligation for current financial years. A business can still be subject to AML/CFT obligations independent of whatever its historical ESR position was.

Practitioner note: We assess AML/CFT applicability and any legacy ESR exposure together at the outset of any engagement, since the underlying activity classification exercise overlaps significantly, even though ESR filing itself is no longer a live ongoing obligation for financial years starting on or after 1 January 2023. PNPC's Economic Substance Regulations service now focuses on confirming historical compliance and closing out any legacy exposure rather than ongoing annual filing.
Our business has grown quickly and our customer base has changed significantly. Does our AML programme need updating mid-cycle, or can it wait for the annual review?

It should be updated as soon as the material change occurs, not deferred to the next scheduled annual review. A significant shift in customer profile, geographic exposure, transaction volume, or the introduction of a new product/service line changes the underlying risk profile that the Business Risk Assessment is meant to reflect. Operating on a stale BRA that no longer matches the business, even for a few months, creates exactly the mismatch between documented risk assessment and actual operations that inspectors focus on.

Practitioner note: We ask clients to flag material business changes to us proactively — a new product line, entry into a new market, or a large new client segment — rather than waiting for us to catch it at the next scheduled annual review. The gap between the change and the update is where exposure sits.
What is the relationship between our AML/CFT Compliance Officer and our bank's own KYC/AML requirements?

These are related but distinct. Your bank conducts its own KYC and AML due diligence on you as its customer, under the Central Bank's regulatory framework applicable to the bank — this is separate from your own statutory AML/CFT obligations toward your customers if you are a DNFBP. However, having a robust, evidenced AML/CFT programme of your own materially strengthens your position during bank account opening and renewal KYC reviews, since banks increasingly ask corporate customers — particularly those in DNFBP sectors — to demonstrate their own compliance framework as part of the bank's enhanced due diligence on higher-risk customer categories.

Practitioner note: We have seen bank account opening or renewal delayed or declined specifically because a DNFBP applicant could not produce evidence of its own AML/CFT programme when the bank's relationship manager asked for it. A well-documented programme is now a practical banking relationship asset, not just a regulatory box to tick.
Can our AML/CFT programme be shared or standardised across multiple group entities in the UAE?

A group-level policy framework can provide consistency, but each licensed entity that independently qualifies as a DNFBP or regulated entity typically needs its own entity-specific Business Risk Assessment, its own goAML registration, and evidence that CDD is being applied to that entity's actual customers — a shared policy document alone, without entity-specific risk assessment and operational evidence, does not satisfy each entity's individual obligations.

Practitioner note: We design a consistent group-wide policy architecture where a client has multiple UAE entities, but we build a distinct BRA and CDD evidence trail for each entity separately, since that is what each entity's own supervisor will test independently.
What should we do if we discover, during our own review, that we may have missed filing an STR on a past transaction?

This situation should be addressed directly and promptly rather than left unaddressed — a documented internal review that identifies a historical gap, followed by appropriate escalation and, where warranted, a late filing with clear documentation of the discovery and remediation process, is viewed far more favourably by a supervisor than a gap that is only found during an external inspection. The specific handling depends heavily on the facts and should be discussed with your compliance advisor and, where appropriate, legal counsel before any filing decision is finalised.

Practitioner note: We treat this as a priority advisory conversation, not a routine filing task — the facts of each case (why the gap occurred, what has changed since, what the underlying transaction actually involved) materially affect the right course of action, and we do not recommend a generic 'just file it now' approach without first understanding the full picture.
Does PNPC only design AML/CFT programmes, or can you also help if we are already mid-inspection or have received a remediation notice?

PNPC supports clients at every stage — from ground-up programme design for a new DNFBP, through gap remediation for an existing but deficient programme, to active representation and remediation planning during or after a regulatory inspection. If you have received a notice from the Ministry of Economy, a free zone authority, or another supervisor, the priority is understanding the specific findings and timeline first, then building a remediation plan that addresses both the immediate finding and the underlying programme gap that caused it.

Practitioner note: Clients who reach out only after receiving a formal notice are working against a compressed timeline that a proactive engagement would have avoided. If you have any live notice or deadline, tell us immediately when we scope the engagement so we can prioritise accordingly — this is not a case where a standard 6–8 week build timeline applies.
How does PNPC's AML/CFT work relate to the firm's broader UAE tax and regulatory compliance services?

AML/CFT compliance programme design sits within PNPC's broader UAE Taxation & Regulatory Compliance practice, alongside legacy Economic Substance Regulations assessment (confirming historical filing positions for years before the regime was discontinued for financial years starting on or after 1 January 2023), AML/CFT risk assessment and customer risk profiling, goAML portal registration and reporting assistance, KYC and customer due diligence advisory, and AML/CFT regulatory remediation support. For clients also engaging PNPC for Corporate Tax or VAT compliance, we coordinate the entity, ownership, and record-keeping work across all regimes rather than treating each as a siloed engagement.

Practitioner note: The overlap in underlying entity and ownership data across AML/CFT, ESR, and tax compliance means a coordinated engagement is usually more efficient and more consistent than separate advisors working from separate, potentially inconsistent, entity information.
What is the practical first step if we are not sure whether we need this service at all?

Engage PNPC for a standalone applicability scoping review — a focused assessment of your licensed activities, actual services performed, and customer/transaction profile against the DNFBP definitions and any sector-specific regulatory framework applicable to you. This produces a clear written determination of whether you are a DNFBP or otherwise AML-regulated entity, which supervisory authority applies, and — if applicable — a scoped recommendation for the programme design work that follows. This is a smaller, faster, and lower-cost engagement than committing directly to a full programme build.

Practitioner note: We recommend this scoping step for any business that is uncertain, rather than either assuming no obligation exists or over-investing in a full programme before confirming it is actually required. It is the single highest-value first conversation we can have with a new AML/CFT client.
Why PNPC Global
| Feature | Template/Online Provider | Generic Compliance Consultant | PNPC Global |
| --- | --- | --- | --- |
| Applicability Scoping | Not offered — assumes you already know | Basic — may rely on trade licence description alone | Activity-level scoping against actual services performed, cross-checked against DNFBP definitions |
| Business Risk Assessment | Generic template, same for every client | Customised but often desk-based only | Built from your actual transaction and customer data — the document inspectors actually test |
| goAML Registration | Often left to the client to complete separately | Usually handled, sometimes as an afterthought | Handled end-to-end as a core milestone, including Compliance Officer credentialing |
| CDD/EDD Framework | Checklist-based, minimal sector calibration | Reasonable but rarely sector-specific | Sector-calibrated onboarding workflow with real UBO methodology and documentary evidence standards |
| Staff Training | Slide deck only, no evidenced delivery | Delivered but records often incomplete | Role-tiered training delivered and documented with attendance and assessment records |
| Pre-Inspection Readiness | Not offered | Rarely offered proactively | Mock file review before programme is considered live — gaps found and fixed before an inspector finds them |
| Ongoing Advisory | None — one-time document sale | Reactive — responds to requests only | Proactive annual BRA refresh, screening updates, and live STR advisory as situations arise |
| Cross-Regime Coordination | AML only, siloed | AML only, siloed | Coordinated with ESR, VAT, and Corporate Tax compliance where the client also engages PNPC on those fronts |
| Access When It Matters | Support ticket queue | Depends on consultant availability | Direct access to your engagement advisor — including for time-sensitive STR or inspection situations |

What the PNPC package includes

  1. Applicability scoping — activity-level DNFBP determination and supervisory authority confirmation
  2. Business Risk Assessment built from your actual customer, transaction, and geographic data
  3. AML/CFT Policy & Procedures Manual tailored to your specific operating model
  4. Compliance Officer / MLRO role definition, appointment documentation, and briefing
  5. goAML platform registration for the entity and Compliance Officer
  6. Risk-tiered CDD/EDD onboarding framework with UBO identification methodology
  7. Sanctions and PEP screening protocol, calibrated to your transaction volume and risk profile
  8. Transaction monitoring red-flag matrix and internal escalation pathway
  9. STR/SAR internal reporting protocol and goAML filing support
  10. Role-tiered staff training programme, delivered and evidenced
  11. Record-retention schedule and inspection-ready file structure
  12. Pre-launch mock file review to test the programme before it goes live
  13. Ongoing annual BRA refresh, screening list monitoring advisory, and inspection representation support

Speak directly with a PNPC compliance advisor who has built AML/CFT programmes across real estate, precious metals, corporate services, and professional services sectors in the UAE — and who will still be available when an inspector calls, a suspicious transaction needs a decision, or your risk profile changes.

Jurisdiction: United Arab Emirates (free zone, mainland & offshore)

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.
