AML/CFT Compliance Programme Design
AML/CFT compliance in the UAE is not a policy document that sits in a drawer until an inspector asks for it.
Chartered Accountants · Dubai · Since 1986
An AML/CFT Compliance Programme is the documented and operational framework through which a UAE business identifies, assesses, mitigates, and reports the money laundering, terrorist financing, and proliferation financing risks it is exposed to. It is mandated under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended by Federal Decree-Law No. 26 of 2021), the executive regulations issued under it in Cabinet Decision No. 10 of 2019 (as amended), and sector-specific guidance issued by the relevant supervisory authority. For Designated Non-Financial Businesses and Professions (DNFBPs) — a category that includes real estate agents and brokers, dealers in precious metals and stones, corporate service providers, independent legal and accounting professionals conducting specified activities, and trust and company service providers — the Ministry of Economy is generally the primary supervisor, alongside emirate-level and free-zone-level regulators such as DMCC for precious metals and stones businesses operating in that free zone. For licensed financial institutions and certain regulated entities, the Central Bank of the UAE, the Securities and Commodities Authority, DIFC's regulator, or ADGM's regulator may be the relevant supervisor depending on licence type and jurisdiction.
A compliant programme is built around a documented Business Risk Assessment (BRA) that evaluates the entity's exposure to money laundering and terrorist financing risk across its customer base, products and services, delivery channels, and geographic footprint. From that risk assessment flows a risk-based Customer Due Diligence (CDD) framework — including simplified due diligence for lower-risk relationships and Enhanced Due Diligence (EDD) for higher-risk customers, Politically Exposed Persons (PEPs), and relationships involving higher-risk jurisdictions. The programme must also include ongoing transaction monitoring calibrated to the entity's risk profile, sanctions and UN Consolidated List screening procedures, a documented process for identifying and filing Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) through the goAML platform administered by the UAE's Financial Intelligence Unit, record-keeping procedures compliant with the minimum retention periods prescribed under the law, an appointed and adequately resourced Compliance Officer (often referred to as the MLRO — Money Laundering Reporting Officer), and a documented staff training programme delivered at onboarding and at appropriate refresher intervals.
The distinction between having AML policies and having an AML compliance programme is where most businesses fall short. A policy document copied from a template, signed once, and never operationalised does not satisfy regulatory expectations and will not withstand an inspection. Supervisors — whether the Ministry of Economy's inspection teams, DMCC's compliance department, or a free zone authority — increasingly test whether the documented risk assessment matches the entity's actual customer base and transaction patterns, whether CDD files show real evidence of identity verification and source-of-funds enquiry (not just a checklist tick), whether the entity can demonstrate it screened customers against sanctions lists at onboarding and periodically thereafter, and whether the Compliance Officer can articulate how the programme actually functions day to day. Registered entities are also generally required to complete the annual AML/CFT return through the relevant portal, and DNFBPs must register on the goAML platform even where no STR has ever been filed.
Getting the programme design wrong carries real consequences. Administrative penalties under Cabinet Decision No. 10 of 2019 (as amended) can run into hundreds of thousands of dirhams per violation, and enforcement action can extend to licence suspension, restriction, or revocation by the relevant licensing authority — DED, a free zone authority, or a financial regulator — in serious or repeated cases. Beyond direct penalties, an inadequate AML programme is now a standard due diligence item for banks opening or maintaining corporate accounts, for investors conducting deal diligence, and for larger corporate counterparties conducting vendor onboarding. PNPC designs programmes that are proportionate to your actual risk profile — neither a generic template that collapses under inspection, nor an over-engineered framework that a small business cannot realistically operate.
When you need a formal AML/CFT compliance programme
- Your business falls within the DNFBP definition — real estate brokerage or development, dealing in precious metals/stones above the prescribed cash threshold, corporate/trust service provision, or independent legal/accounting professional services involving specified activities (buying/selling real estate, managing client funds or accounts, company formation, or managing companies/trusts)
- You hold a financial services licence from the Central Bank of the UAE, the Securities and Commodities Authority, DIFC's regulator, or ADGM's regulator, and are subject to that authority's AML/CFT rulebook
- You are onboarding your first customers/clients and need a defensible CDD and risk-scoring framework before you can demonstrate compliance to your supervisor or to a bank during account opening
- Your free zone authority (DMCC, JAFZA, or others with active AML supervisory functions) has flagged your entity for an AML/CFT inspection, compliance return, or remediation notice
- You have never registered on the goAML platform despite falling within a DNFBP category — registration and an operative reporting capability are baseline expectations regardless of transaction volume
- Your existing AML policy was drafted years ago, purchased as a generic template, or has never been tested against an actual transaction or customer file, and you need it rebuilt to reflect how the business actually operates
- A bank, investor, or large corporate counterparty has requested evidence of your AML/CFT programme as part of their own due diligence or KYC-on-you process
When a full programme build may not be the immediate priority
- Your activity does not fall within the DNFBP definitions and you hold no AML-regulated licence — confirm applicability first with a scoping review rather than commissioning a full programme build; PNPC offers this as an initial diagnostic
- You are a very early-stage entity that has not yet commenced the regulated activity (e.g., a real estate brokerage licence obtained but no transactions yet conducted) — a lighter-weight readiness framework may be more appropriate than a full operational programme, to be scaled up before go-live
- You already have a functioning, recently reviewed AML/CFT programme with a documented BRA, active goAML registration, and evidenced CDD files — what you likely need is an independent AML/CFT audit or gap assessment rather than a full programme redesign
- Your immediate need is a single overdue filing (an annual AML return or a specific STR) rather than the underlying programme architecture — PNPC can address the urgent filing while scoping the broader programme work separately
- Your entity is a pure holding company with no customer-facing transactions, no cash handling, and no activity that falls within any DNFBP category — confirm non-applicability in writing from your licensing authority rather than building an unnecessary programme
AML/CFT obligation comparison by UAE entity type and sector exposure
| Entity Type | Primary AML Supervisor | goAML Registration | CDD/EDD Obligation | STR/SAR Filing Duty | Typical Inspection Trigger |
|---|---|---|---|---|---|
| Real estate broker/agent | Ministry of Economy (or Dubai Land Department-linked framework in Dubai) | Mandatory | Full CDD on buyer/seller; EDD for high-value or PEP-linked deals | Yes — on suspicion, regardless of deal size | Cash transactions, high-value deals, foreign buyer volume |
| Dealer in precious metals/stones (DPMS) | Ministry of Economy / DMCC (if DMCC-licensed) | Mandatory | Full CDD above cash threshold; EDD for high-value cash deals | Yes | Cash-heavy trade, cross-border shipments, DMCC compliance return |
| Corporate/trust service provider (CSP/TCSP) | Ministry of Economy | Mandatory | Full CDD on ultimate beneficial owners of every entity formed/managed | Yes | Company formation volume, nominee arrangements, UBO opacity |
| Independent accountant/auditor (specified activities) | Ministry of Economy | Mandatory if performing specified activities | Full CDD when managing client funds/accounts or forming companies | Yes | Client money handling, company formation services offered |
| Independent legal professional (specified activities) | Ministry of Economy | Mandatory if performing specified activities | Full CDD on real estate, company formation, and client fund transactions | Yes | Conveyancing, escrow handling, entity formation work |
| Bank / licensed financial institution | Central Bank of the UAE | Mandatory | Full CDD/EDD framework under Central Bank AML/CFT regulations | Yes — highest scrutiny | Routine supervisory examination, transaction monitoring alerts |
| DIFC-regulated entity | DIFC regulator (DFSA) | Mandatory where applicable | DFSA AML Module requirements | Yes | DFSA thematic reviews, licence renewal |
| ADGM-regulated entity | ADGM regulator (FSRA) | Mandatory where applicable | FSRA AML rulebook requirements | Yes | FSRA supervisory cycle, licence renewal |
| General trading LLC (non-DNFBP activity) | None directly under AML law — DED licensing oversight only | Not required unless activity crosses into a DNFBP category | Standard KYC for banking relationship, not statutory AML CDD | No statutory STR duty absent DNFBP status | Bank account opening/renewal KYC only |
| Free zone trading company (non-DNFBP) | Free zone authority licensing oversight | Not required unless activity crosses into a DNFBP category | Standard KYC for banking relationship, not statutory AML CDD | No statutory STR duty absent DNFBP status | Free zone compliance renewal, bank KYC |
This table is directional. Whether a specific entity is a DNFBP, and the precise scope of its CDD/EDD and reporting obligations, depends on the actual activities licensed and performed — not merely the trade licence category. A scoping review against your specific licensed activities and transaction patterns is the correct first step, and PNPC provides this as a standalone engagement before recommending the scope of a full programme.
| # | Stage | What PNPC Does (and What Generic Template Providers Miss) | Timeline |
|---|---|---|---|
| 1 | Applicability Scoping — Confirm DNFBP status and supervisory authority | We map your actual licensed activities against the DNFBP definitions in Cabinet Decision No. 10 of 2019 (as amended) — not just your trade licence description. A company with a broad 'general trading' licence that also brokers property deals is a DNFBP for that activity regardless of what the licence certificate says. We also confirm whether Ministry of Economy, a free zone authority, or a financial regulator is your effective supervisor. | Week 1 |
| 2 | Business Risk Assessment (BRA) — Entity-specific ML/TF/PF risk evaluation | A template BRA scores generic risk categories without reference to your actual customer base, deal sizes, payment methods, and geographic exposure. We build a BRA from your real transaction history and customer profile — the document a supervisor actually tests during inspection is whether the BRA matches reality, not whether it exists. | Week 1–2 |
| 3 | AML/CFT Policy & Procedures Manual — Drafted to your operating model | We draft the manual around how your business actually processes a transaction from first customer contact to file closure — not a generic 40-page document copied from a different sector. Includes CDD/EDD procedures, PEP screening protocol, sanctions screening cadence, record-retention schedule, and escalation pathway to the Compliance Officer. | Week 2–3 |
| 4 | Compliance Officer / MLRO Appointment — Role definition and resourcing | The appointed Compliance Officer must have genuine authority, access to senior management, and adequate time allocation — a nominal appointment where the 'MLRO' has no real visibility into transactions is a common inspection failure point. We define the role, draft the appointment letter and reporting lines, and brief the appointee on statutory duties including STR filing authority. | Week 2–3 |
| 5 | goAML Portal Registration — FIU registration for the entity and Compliance Officer | Registration on the goAML platform (administered by the UAE Financial Intelligence Unit) is mandatory for DNFBPs regardless of whether an STR has ever been filed. We handle the registration, entity profile setup, and Compliance Officer credentialing — a step many entities discover they never completed until an inspection asks for the registration number. | Week 3 |
| 6 | Customer Due Diligence (CDD) Framework Build — Risk-scored onboarding workflow | A tiered CDD framework — simplified, standard, and enhanced — mapped to concrete risk triggers specific to your sector: cash thresholds, PEP status, high-risk jurisdiction exposure, complex ownership structures. We build the actual onboarding form, UBO identification methodology, and documentary evidence checklist your staff will use. | Week 3–4 |
| 7 | Sanctions & PEP Screening Setup — Screening tool selection and screening cadence | Screening against the UN Consolidated List and the UAE Local Terrorist List must happen at onboarding and on an ongoing basis, not as a one-time check. We advise on appropriate screening tools proportionate to your transaction volume and set the review cadence — daily list-update checks for higher-volume entities, periodic re-screening for the full customer book. | Week 4 |
| 8 | Transaction Monitoring Design — Thresholds and red-flag indicators for your sector | Generic red-flag lists copied from a bank's AML manual do not fit a real estate brokerage or a precious metals dealer. We calibrate monitoring thresholds and red flags to your actual product/service and payment patterns — structuring, unusual cash volumes, third-party payments, rapid resale patterns for real estate, and sector-specific indicators. | Week 4–5 |
| 9 | STR/SAR Filing Protocol — Internal escalation to goAML submission | We build the internal decision pathway: what triggers an internal report to the Compliance Officer, how the Compliance Officer evaluates and documents the decision to file (or not file) an STR, and the actual mechanics of submitting through goAML — including the tipping-off prohibition under the Decree-Law that staff must understand before any customer interaction follows a report. | Week 5 |
| 10 | Staff Training Programme — Role-specific training and evidenced completion | Training that is not documented, dated, and tied to specific staff by name does not satisfy inspection evidence requirements. We design onboarding training and an annual refresher programme, deliver an initial training session, and set up the record-keeping (attendance, materials, assessment) that demonstrates the training actually happened. | Week 5–6 |
| 11 | Record-Keeping & File Structure Setup — Retention-compliant documentation system | The law prescribes minimum retention periods for CDD records, transaction records, and STR-related documentation. We set up a file structure — physical or digital — that meets retention requirements and can be produced intact and complete during an inspection, including UBO documentation trails for company formation service providers. | Week 6 |
| 12 | Independent Review & Sign-Off — Pre-launch programme test | Before we consider the programme live, we run a mock file review — testing whether a sample customer file would actually pass inspection scrutiny. Gaps identified here are fixed before your supervisor finds them, not after. | Week 6–7 |
| 13 | Annual AML/CFT Return & Ongoing Advisory — Continuing compliance support | The programme does not end at design. Annual AML/CFT returns to the relevant portal, periodic BRA refresh, ongoing screening list updates, and STR advisory as live situations arise are all part of keeping the programme operative. PNPC remains engaged as your compliance advisory partner, not a one-time document vendor. | Ongoing — annually and as needed |
Realistic end-to-end timeline for a full programme build: 6–8 weeks from applicability scoping to a fully operative, inspection-ready programme, depending on entity complexity and the volume of historical customer files that need retrospective CDD remediation. Entities with an existing but deficient programme can often be remediated faster where the core documentation exists and only specific gaps need closing.
- Trade licence copy showing all licensed activities — not just the primary activity — as this determines DNFBP classification
- Certificate of Incorporation / Commercial Registration extract
- Memorandum and Articles of Association or equivalent constitutional document
- Free zone or DED licence renewal history, if applicable, to confirm continuous licensing status
- Shareholding/ownership structure chart identifying Ultimate Beneficial Owners (UBOs) down to natural persons
- Organisational chart identifying who will be appointed Compliance Officer/MLRO and their reporting line to senior management
- Any existing AML/CFT policy or procedures manual, however outdated, for gap analysis against current requirements
- Any prior Business Risk Assessment document
- goAML registration confirmation, if the entity has previously registered
- Record of any prior STR/SAR filings, including goAML reference numbers
- Any correspondence from Ministry of Economy, a free zone authority, or a financial regulator relating to AML/CFT inspections, notices, or remediation requirements
- Staff training records or certificates from any prior AML training delivered
- Description of actual services offered and how a typical transaction/engagement flows from first client contact to completion
- Sample customer/client files (anonymised if needed for initial review) showing current onboarding documentation practices
- Transaction volume and value data for the past 12 months, broken down by payment method (cash, bank transfer, cheque, other)
- List of jurisdictions from which customers/clients typically originate, to assess geographic risk exposure
- Details of any customers or transactions involving Politically Exposed Persons (PEPs), if known
- Payment and banking relationship details — which banks the entity uses for customer-related transactions
- Sample sale/purchase agreement templates currently in use
- Details of typical deal values and the proportion involving cash or third-party payment
- Escrow account arrangements, if the entity holds client funds
- RERA or equivalent local real estate regulatory registration details, where applicable
- List of entities currently formed/managed on behalf of clients, with UBO identification status for each
- Nominee director/shareholder arrangements currently in place, if any, and the disclosure documentation held
- Standard company formation engagement letter and client onboarding forms currently used
- Details of typical transaction values and cash-handling volume against the prescribed reporting threshold
- Supplier and customer base geographic profile
- DMCC or relevant free zone compliance return history, if applicable

- AML/CFT Policy & Procedures Manual, tailored to the entity
- Business Risk Assessment document
- CDD/EDD onboarding forms and UBO identification methodology
- Sanctions and PEP screening protocol document
- Transaction monitoring red-flag and escalation matrix
- STR/SAR internal reporting and goAML filing protocol
- Staff training materials and attendance/record templates
- Record-retention schedule and file structure guide
| Phase | Triggered By | PNPC Compliance Guidance | Risk If Ignored |
|---|---|---|---|
| Applicability Determination | New licence issued or activity expansion | Scope the entity's actual activities against DNFBP definitions under Cabinet Decision No. 10 of 2019 (as amended); confirm supervisory authority; determine whether goAML registration is required. | Operating as an unregistered DNFBP is itself a compliance failure — supervisors do not accept 'we did not know we qualified' as a defence during inspection. |
| Programme Design & Build | Confirmed DNFBP status or regulator direction | Business Risk Assessment, policy manual, CDD/EDD framework, screening protocols, STR pathway, and training programme built and documented. | A missing or template-only programme is the single most common finding in Ministry of Economy and free zone AML inspections, and typically triggers the largest administrative penalties. |
| goAML Registration & Compliance Officer Appointment | Programme design phase / regulator notice | Entity and Compliance Officer registered on the goAML platform; appointment formalised with clear authority and reporting lines to senior management. | Unregistered entities cannot file STRs even when a suspicious transaction is identified — creating a compounding compliance failure on top of the underlying detection gap. |
| Live Operations — Ongoing CDD | Every new customer/client relationship | Risk-scored onboarding applied consistently; UBO identification completed and documented for every corporate customer; EDD triggered automatically for PEPs and high-risk profiles. | Inconsistent or undocumented CDD is the most frequent file-level inspection failure — supervisors sample customer files and test whether the paper trail supports the risk rating assigned. |
| Live Operations — Screening & Monitoring | Every transaction and periodic review cycle | Sanctions/PEP screening at onboarding and on a defined ongoing cadence; transaction monitoring against sector-calibrated red flags; internal escalation logged even where no STR results. | Failure to screen against updated sanctions lists exposes the entity to dealing with a designated person — a serious violation carrying both AML and broader legal consequences beyond administrative fines. |
| Suspicious Transaction Identified | Red flag triggers internal review | Compliance Officer evaluates, documents the decision, and files an STR/SAR via goAML where warranted — without alerting the customer (tipping-off prohibition under the Decree-Law). | Failure to file, or tipping off the customer, is a standalone offence under Federal Decree-Law No. 20 of 2018 (as amended) independent of the underlying suspected activity. |
| Annual Review Cycle | 12-month anniversary of programme / calendar deadline | Business Risk Assessment refreshed against the past year's actual customer and transaction data; annual AML/CFT return filed through the relevant portal; staff refresher training delivered and evidenced. | A stale BRA that no longer reflects the business is treated by supervisors as equivalent to having no risk assessment at all; missed annual returns attract separate penalties from the licensing/supervisory authority. |
| Regulatory Inspection | Scheduled cycle or risk-triggered by supervisor | Pre-inspection file review, Compliance Officer briefing, and representation support during the inspection; remediation plan drafted for any findings. | Unaddressed inspection findings escalate to formal notices, larger administrative penalties, and in serious or repeated cases, licence suspension or revocation by the relevant licensing authority. |
| Programme Remediation | Inspection finding or internal gap discovery | Root-cause gap analysis; policy and procedure amendment; retrospective CDD remediation for affected customer files; evidence pack prepared for supervisor follow-up. | Repeat findings on the same issue are treated far more seriously by supervisors than a first-time finding — indicating a systemic, not isolated, compliance failure. |
What is a DNFBP and how do I know if my UAE business qualifies?
DNFBP stands for Designated Non-Financial Business or Profession — a category defined under UAE AML/CFT law that captures specific business activities considered higher-risk for money laundering even though they are not financial institutions. Under Cabinet Decision No. 10 of 2019 (as amended), the DNFBP categories broadly include: real estate agents and brokers when involved in transactions concerning the buying and selling of real estate; dealers in precious metals and stones when engaged in cash transactions above a prescribed threshold; independent legal professionals and accountants when preparing for or carrying out transactions involving buying/selling real estate, managing client money/securities/assets, managing bank/savings/securities accounts, organising contributions for company formation/operation/management, or forming/operating/managing legal persons or arrangements; and corporate and trust service providers offering company formation and management services (including registered agents and nominee arrangements). What matters is the activity actually performed, not the label on your trade licence.
What is the legal basis for AML/CFT obligations in the UAE?
The primary statute is Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, as amended by Federal Decree-Law No. 26 of 2021. The executive regulations are set out in Cabinet Decision No. 10 of 2019, as subsequently amended, which details DNFBP categories, CDD requirements, and administrative penalties. Various Ministerial Decisions and supervisory-authority-specific guidance (from the Ministry of Economy, individual free zone authorities, and financial regulators such as the Central Bank, DFSA, and FSRA) provide operational detail applicable to specific sectors.
What is goAML and why do I need to register even if I've never filed a report?
goAML is the electronic platform administered by the UAE's Financial Intelligence Unit (FIU) through which reporting entities register, submit Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory reports. Registration on goAML is a standalone obligation for DNFBPs and other reporting entities — it is required regardless of whether the entity has ever identified a suspicious transaction. Supervisors treat an unregistered entity as non-compliant on its face, independent of its actual transaction history.
What does a Business Risk Assessment (BRA) actually need to contain?
A BRA is a documented evaluation of the money laundering, terrorist financing, and proliferation financing risks the specific entity is exposed to, assessed across at least four dimensions: customer risk (types of customers, PEP exposure, beneficial ownership complexity), product/service risk (which of your services carry higher inherent ML/TF risk), delivery channel risk (face-to-face versus remote/digital onboarding), and geographic risk (jurisdictions your customers and counterparties are based in or transact with, including any exposure to higher-risk jurisdictions). The BRA should conclude with an overall risk rating and specific mitigating controls tied to each identified risk — not just a generic risk statement.
What is the difference between CDD and EDD, and when does EDD apply?
Customer Due Diligence (CDD) is the baseline identity verification and risk assessment performed on every customer or client before or during onboarding — verifying identity, understanding the nature of the business relationship, and identifying beneficial ownership for corporate customers. Enhanced Due Diligence (EDD) is a more intensive version applied to higher-risk relationships: Politically Exposed Persons (PEPs) and their close associates/family members, customers from higher-risk jurisdictions, complex or opaque ownership structures, unusually large or structured transactions, and any relationship the risk assessment otherwise flags as elevated risk. EDD typically requires additional identity verification, source-of-funds and source-of-wealth enquiry, senior management approval to onboard, and more frequent ongoing monitoring.
Who can be appointed as Compliance Officer / MLRO, and what does the role actually require?
The Compliance Officer (often referred to functionally as the Money Laundering Reporting Officer or MLRO) should be a person with sufficient seniority, independence, and access to be able to receive internal reports, make STR filing decisions, and engage directly with senior management and, where necessary, the regulator. The role requires genuine time allocation — not a title added to an existing job description with no practical change in duties — and direct access to customer files and transaction data. For smaller entities, the role can be combined with another senior function, but the AML responsibilities and authority must be real and demonstrable.
What is an STR, and what happens after we file one?
A Suspicious Transaction Report (STR) — or Suspicious Activity Report (SAR) where no specific transaction has yet occurred — is a mandatory report filed via goAML when a reporting entity has reasonable grounds to suspect that funds or a transaction is connected to money laundering, terrorist financing, or proceeds of a predicate crime. Once filed, the FIU reviews and may request further information from the reporting entity. Crucially, the entity must not disclose to the customer, or to anyone outside the permitted internal escalation chain, that an STR has been or will be filed — a prohibition known as 'tipping off,' which is itself an offence under the Decree-Law.
How often does the AML/CFT programme need to be reviewed or updated?
At minimum, the Business Risk Assessment should be reviewed annually, or sooner if there is a material change in the business — new products/services, new customer segments, entry into new geographic markets, or a significant change in transaction volume or type. Policies and procedures should be reviewed against the current version of the law and any updated supervisory guidance at least annually. Staff training should include an annual refresher, in addition to onboarding training for new hires. Sanctions and PEP screening lists should be checked for updates on an ongoing basis, not merely at the annual review point.
What are the penalties for non-compliance with UAE AML/CFT requirements?
Cabinet Decision No. 10 of 2019 (as amended) sets out a schedule of administrative penalties for specific violations — including failure to register, failure to appoint a Compliance Officer, failure to conduct or maintain CDD records, failure to file STRs, and tipping off — with penalties that can run into the hundreds of thousands of dirhams depending on the violation and its severity, and which can be levied per violation. Beyond administrative fines, the relevant licensing authority (DED, a free zone authority, or a financial regulator) can suspend or revoke the trade licence in serious or repeated non-compliance cases, and certain violations carry criminal exposure under the broader provisions of the Decree-Law.
Does a free zone company need a separate AML/CFT programme from a mainland company?
The underlying federal AML/CFT law applies across the UAE regardless of mainland or free zone status — what differs is the day-to-day supervisory authority. A mainland DNFBP typically falls under Ministry of Economy supervision. A free-zone-licensed entity performing a DNFBP activity may fall under both the Ministry of Economy framework and, for some free zones with an active compliance function (DMCC being a prominent example for dealers in precious metals and stones), an additional free-zone-level compliance return and inspection regime. The substantive programme requirements are broadly consistent, but the registration, reporting, and inspection touchpoints can differ by free zone.
We are a small company service provider with only a handful of clients. Do we really need a full programme?
Yes, in substance, though the programme should be proportionate to your size and risk profile — proportionality is itself a recognised principle in a risk-based AML framework. A company service provider forming even a small number of entities is handling UBO identification, nominee arrangements, and company formation activity that sits squarely within the DNFBP definition regardless of client count. The core obligations — registration, a risk assessment, CDD on every client, a Compliance Officer, and the capacity to file an STR — apply irrespective of scale, though the sophistication of your monitoring systems and the depth of documentation can reasonably scale with your size.
What is the tipping-off prohibition and how does it affect how we handle a suspicious customer?
The tipping-off prohibition, set out in the Decree-Law, prohibits a reporting entity or its staff from disclosing to the customer (or to any third party) that an STR has been filed, is being considered, or that an investigation is underway, where that disclosure could prejudice an investigation. In practice, this means frontline staff should not confront a customer about suspected activity, should not explain a delay or account restriction by referencing an AML concern, and should escalate internally through the defined pathway to the Compliance Officer rather than acting independently.
How does UAE Corporate Tax or VAT registration interact with AML/CFT obligations?
They are separate regulatory regimes administered by different authorities — the Federal Tax Authority for Corporate Tax and VAT, and the Ministry of Economy or sector regulators for AML/CFT — and compliance with one does not substitute for the other. However, in practice they intersect operationally: proper AML CDD and UBO identification records often support the ownership and beneficial-interest disclosures relevant to tax registration and Economic Substance Regulations assessments, and a business with disorganised AML files often also struggles with clean tax documentation, since both stem from the same underlying record-keeping discipline.
What sanctions lists must we screen against, and how often?
UAE reporting entities are required to screen customers and transactions against the UN Security Council Consolidated List (sanctions relating to terrorism, proliferation financing, and specific country regimes) and the UAE's Local Terrorist List maintained under domestic legislation. Screening should occur at the point of onboarding and on an ongoing basis thereafter, since sanctions lists are updated periodically and a previously clear customer can be added to a list after the relationship begins. Entities should also be alert to relevant international sanctions regimes (such as those administered by the UN, and applicable regional or bilateral sanctions frameworks) where their customer base or transaction flows have cross-border exposure.
Can PNPC act as our outsourced Compliance Officer / MLRO?
PNPC's role is primarily to design, build, remediate, and periodically review your AML/CFT programme, train your team, and provide ongoing advisory support — including guidance to your appointed Compliance Officer on specific STR decisions and inspection responses. Depending on the engagement and your specific regulatory category, outsourced or fractional compliance officer arrangements may be structured, but the appropriateness of an outsourced MLRO arrangement depends on your specific regulator's expectations and entity type — this is assessed and agreed explicitly as part of scoping, not assumed by default.
What triggers an AML/CFT inspection from the Ministry of Economy or a free zone authority?
Inspections can be routine (scheduled as part of a supervisor's ongoing oversight cycle across licensed DNFBPs), risk-triggered (following a sector-wide concern, a specific complaint, or an unusual pattern flagged through other regulatory touchpoints), or prompted by a renewal cycle where AML compliance documentation is requested as part of trade licence renewal. Free zones with active compliance functions, such as DMCC for precious metals and stones dealers, may run their own periodic compliance return process that itself can surface issues warranting a closer inspection.
What happens during an actual Ministry of Economy or free zone AML inspection?
Typically, the inspector requests the entity's AML/CFT policy and procedures manual, the Business Risk Assessment, evidence of goAML registration, a sample of customer/client files to test CDD and EDD application, records of any STRs filed (or a documented basis for none having been filed), staff training records, and confirmation of the Compliance Officer's appointment and role. The inspection tests whether the documented programme reflects actual practice — mismatches between policy and observed file evidence are the most common source of findings.
How does PNPC price AML/CFT compliance programme design?
PNPC agrees a fixed, written scope and fee before any work begins, based on the applicability scoping outcome — the fee for a small CSP with a handful of clients differs meaningfully from a real estate brokerage with high transaction volume or a DPMS with significant cash handling. The fee covers the full programme build as scoped: BRA, policy manual, CDD/EDD framework, goAML registration, screening protocol, STR pathway, training delivery, and a pre-launch mock review. Ongoing annual review and advisory support is quoted separately as a retainer, agreed only once the client has seen the value of the initial build.
We already have an AML policy from a template provider. Can PNPC just review it instead of starting fresh?
Yes — this is a common and often more cost-effective starting point. We run a gap analysis comparing the existing document against current regulatory requirements and, more importantly, against how the business actually operates. In many cases the core policy structure can be retained with targeted amendments, while the operational gaps — goAML registration, actual CDD file evidence, Compliance Officer resourcing, and training records — are what genuinely need building out, since a template document is rarely the whole problem.
What is proliferation financing, and why does it appear alongside money laundering and terrorist financing in UAE AML law?
Proliferation financing refers to the provision of funds or financial services used, in whole or in part, for the manufacture, acquisition, development, or use of weapons of mass destruction and their delivery systems, often in connection with international sanctions regimes targeting specific states or entities. The UAE's AML/CFT framework, aligned with FATF standards, requires reporting entities to consider proliferation financing risk alongside money laundering and terrorist financing risk within their Business Risk Assessment and screening procedures — particularly relevant for entities with cross-border trade, precious metals dealing, or exposure to sanctioned jurisdictions.
How does beneficial ownership (UBO) identification work for corporate customers?
For a corporate customer, CDD requires identifying and verifying the Ultimate Beneficial Owner(s) — the natural person(s) who ultimately own or control the customer entity, typically through a specified ownership threshold (commonly 25% or more, though the applicable threshold and methodology should be confirmed against current regulatory guidance) or through other means of control such as voting rights or the ability to appoint senior management. Where a corporate customer has a layered ownership structure — one company owned by another, owned by another — CDD requires looking through the layers to the natural persons at the top, not stopping at the first corporate layer.
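The look-through described above, written out as an added illustration that is not PNPC's methodology or any tool from this page: the ownership structure below is constructed, the 25% threshold is taken from the answer as an assumption to confirm against current guidance, and the way indirect holdings are aggregated (multiplying fractions along each chain and adding across chains) is one common approach, likewise an assumption. Persons who control the customer by other means, such as the power to appoint senior management, are recorded separately so they are not missed when their shareholding is small.

```python
"""Look through layered corporate ownership to the natural persons behind it.

Added example with constructed data; not the firm's methodology or code.
"""
from collections import defaultdict

# Direct shareholdings of each company: company -> {owner: fraction}.
# Constructed sample: CustomerCo is 60% owned by HoldCo A and 40% by Alice;
# HoldCo A is 50% Bob and 50% HoldCo B; HoldCo B is 80% Carol and 20% Eve.
SAMPLE_HOLDINGS = {
    "CustomerCo": {"HoldCo A": 0.60, "Alice": 0.40},
    "HoldCo A": {"Bob": 0.50, "HoldCo B": 0.50},
    "HoldCo B": {"Carol": 0.80, "Eve": 0.20},
}

# Natural persons with control by other means (constructed): Dan holds the
# right to appoint CustomerCo's senior management without owning shares.
SAMPLE_CONTROL = {"CustomerCo": {"Dan"}}

# Assumed threshold (commonly 25%); confirm against current regulatory guidance.
DEFAULT_THRESHOLD = 0.25


def is_natural_person(name, holdings):
    """Anything that has no shareholder register of its own is treated as a person."""
    return name not in holdings


def effective_ownership(entity, holdings, path=()):
    """Return {natural_person: effective fraction} of `entity`.

    Fractions multiply along a chain of companies and add across chains.
    A circular or cross-holding back into an entity already on the current
    chain is skipped rather than followed forever.
    """
    path = path + (entity,)
    result = defaultdict(float)
    for owner, fraction in holdings.get(entity, {}).items():
        if is_natural_person(owner, holdings):
            result[owner] += fraction
        elif owner in path:
            continue  # circular holding: do not recurse into it again
        else:
            for person, sub_fraction in effective_ownership(owner, holdings, path).items():
                result[person] += fraction * sub_fraction
    return dict(result)


def identify_ubos(entity, holdings, control=None, threshold=DEFAULT_THRESHOLD):
    """Natural persons at or above the ownership threshold, plus those who
    control the entity by other means regardless of their shareholding."""
    effective = effective_ownership(entity, holdings)
    ubos = {
        person: {"effective_ownership": round(fraction, 4), "basis": "ownership"}
        for person, fraction in effective.items()
        if fraction >= threshold
    }
    for person in (control or {}).get(entity, set()):
        if person in ubos:
            ubos[person]["basis"] = "ownership+control"
        else:
            ubos[person] = {
                "effective_ownership": round(effective.get(person, 0.0), 4),
                "basis": "control",
            }
    return ubos


if __name__ == "__main__":
    for person, fraction in sorted(effective_ownership("CustomerCo", SAMPLE_HOLDINGS).items()):
        print(f"{person:<6} effective {fraction:.0%}")
    print("UBOs:", identify_ubos("CustomerCo", SAMPLE_HOLDINGS, SAMPLE_CONTROL))
```

On the constructed sample, Carol holds 80% of HoldCo B but only 24% of CustomerCo once the chain is multiplied through, so she falls just under the assumed threshold; whether such a person should still be treated as a UBO through control is exactly the kind of judgement the answer says must be confirmed against current guidance rather than read off a single percentage.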
Do we need AML/CFT training for all staff, or just the Compliance Officer?
All staff who have customer-facing responsibilities or who could plausibly encounter a red flag in the course of their role — sales, operations, finance, and client-facing management — should receive AML/CFT awareness training, not only the appointed Compliance Officer. The training should be role-appropriate: frontline staff need to recognise red flags and know the internal escalation process, while the Compliance Officer needs deeper training on risk assessment methodology, EDD decision-making, and the STR filing process itself.
What records must we retain, and for how long?
The Decree-Law and its executive regulations prescribe minimum retention periods for CDD documentation, transaction records, and records relating to any STR filed — generally requiring retention for a period of years following the end of the business relationship or the completion of the transaction, sufficient to allow reconstruction of individual transactions if required by a competent authority. The precise retention period should be confirmed against the current executive regulations and any sector-specific guidance, as retention requirements can be refined by subsequent Cabinet or Ministerial decisions.
Is there a difference between AML/CFT obligations and Economic Substance Regulations (ESR) obligations?
Yes, these are distinct regimes with different purposes and different administering authorities. AML/CFT, under Federal Decree-Law No. 20 of 2018 (as amended), addresses money laundering and terrorist financing risk and is supervised by the Ministry of Economy, free zone authorities, or financial regulators depending on entity type. Economic Substance Regulations, administered by the Ministry of Finance, required certain UAE entities conducting defined 'Relevant Activities' to demonstrate adequate economic substance in the UAE and to file an annual ESR notification and, where applicable, an ESR report. However, the ESR notification and report filing obligation was discontinued for financial years commencing on or after 1 January 2023 under Cabinet Decision No. 98 of 2024, so ESR is now a historical-compliance and legacy-exposure matter (confirming past filings were made correctly) rather than a live ongoing filing obligation for current financial years. A business can still be subject to AML/CFT obligations independent of whatever its historical ESR position was.
Our business has grown quickly and our customer base has changed significantly. Does our AML programme need updating mid-cycle, or can it wait for the annual review?
It should be updated as soon as the material change occurs, not deferred to the next scheduled annual review. A significant shift in customer profile, geographic exposure, transaction volume, or the introduction of a new product/service line changes the underlying risk profile that the Business Risk Assessment is meant to reflect. Operating on a stale BRA that no longer matches the business, even for a few months, creates exactly the mismatch between documented risk assessment and actual operations that inspectors focus on.
What is the relationship between our AML/CFT Compliance Officer and our bank's own KYC/AML requirements?
These are related but distinct. Your bank conducts its own KYC and AML due diligence on you as its customer, under the Central Bank's regulatory framework applicable to the bank — this is separate from your own statutory AML/CFT obligations toward your customers if you are a DNFBP. However, having a robust, evidenced AML/CFT programme of your own materially strengthens your position during bank account opening and renewal KYC reviews, since banks increasingly ask corporate customers — particularly those in DNFBP sectors — to demonstrate their own compliance framework as part of the bank's enhanced due diligence on higher-risk customer categories.
Can our AML/CFT programme be shared or standardised across multiple group entities in the UAE?
A group-level policy framework can provide consistency, but each licensed entity that independently qualifies as a DNFBP or regulated entity typically needs its own entity-specific Business Risk Assessment, its own goAML registration, and evidence that CDD is being applied to that entity's actual customers — a shared policy document alone, without entity-specific risk assessment and operational evidence, does not satisfy each entity's individual obligations.
What should we do if we discover, during our own review, that we may have missed filing an STR on a past transaction?
This situation should be addressed directly and promptly rather than left unaddressed — a documented internal review that identifies a historical gap, followed by appropriate escalation and, where warranted, a late filing with clear documentation of the discovery and remediation process, is viewed far more favourably by a supervisor than a gap that is only found during an external inspection. The specific handling depends heavily on the facts and should be discussed with your compliance advisor and, where appropriate, legal counsel before any filing decision is finalised.
Does PNPC only design AML/CFT programmes, or can you also help if we are already mid-inspection or have received a remediation notice?
PNPC supports clients at every stage — from ground-up programme design for a new DNFBP, through gap remediation for an existing but deficient programme, to active representation and remediation planning during or after a regulatory inspection. If you have received a notice from the Ministry of Economy, a free zone authority, or another supervisor, the priority is understanding the specific findings and timeline first, then building a remediation plan that addresses both the immediate finding and the underlying programme gap that caused it.
How does PNPC's AML/CFT work relate to the firm's broader UAE tax and regulatory compliance services?
AML/CFT compliance programme design sits within PNPC's broader UAE Taxation & Regulatory Compliance practice, alongside legacy Economic Substance Regulations assessment (confirming historical filing positions for years before the regime was discontinued for financial years starting on or after 1 January 2023), AML/CFT risk assessment and customer risk profiling, goAML portal registration and reporting assistance, KYC and customer due diligence advisory, and AML/CFT regulatory remediation support. For clients also engaging PNPC for Corporate Tax or VAT compliance, we coordinate the entity, ownership, and record-keeping work across all regimes rather than treating each as a siloed engagement.
What is the practical first step if we are not sure whether we need this service at all?
Engage PNPC for a standalone applicability scoping review — a focused assessment of your licensed activities, actual services performed, and customer/transaction profile against the DNFBP definitions and any sector-specific regulatory framework applicable to you. This produces a clear written determination of whether you are a DNFBP or otherwise AML-regulated entity, which supervisory authority applies, and — if applicable — a scoped recommendation for the programme design work that follows. This is a smaller, faster, and lower-cost engagement than committing directly to a full programme build.
| Feature | Template/Online Provider | Generic Compliance Consultant | PNPC Global |
|---|---|---|---|
| Applicability Scoping | Not offered — assumes you already know | Basic — may rely on trade licence description alone | Activity-level scoping against actual services performed, cross-checked against DNFBP definitions |
| Business Risk Assessment | Generic template, same for every client | Customised but often desk-based only | Built from your actual transaction and customer data — the document inspectors actually test |
| goAML Registration | Often left to the client to complete separately | Usually handled, sometimes as an afterthought | Handled end-to-end as a core milestone, including Compliance Officer credentialing |
| CDD/EDD Framework | Checklist-based, minimal sector calibration | Reasonable but rarely sector-specific | Sector-calibrated onboarding workflow with real UBO methodology and documentary evidence standards |
| Staff Training | Slide deck only, no evidenced delivery | Delivered but records often incomplete | Role-tiered training delivered and documented with attendance and assessment records |
| Pre-Inspection Readiness | Not offered | Rarely offered proactively | Mock file review before programme is considered live — gaps found and fixed before an inspector finds them |
| Ongoing Advisory | None — one-time document sale | Reactive — responds to requests only | Proactive annual BRA refresh, screening updates, and live STR advisory as situations arise |
| Cross-Regime Coordination | AML only, siloed | AML only, siloed | Coordinated with ESR, VAT, and Corporate Tax compliance where the client also engages PNPC on those fronts |
| Access When It Matters | Support ticket queue | Depends on consultant availability | Direct access to your engagement advisor — including for time-sensitive STR or inspection situations |
What the PNPC package includes
1. Applicability scoping — activity-level DNFBP determination and supervisory authority confirmation
2. Business Risk Assessment built from your actual customer, transaction, and geographic data
3. AML/CFT Policy & Procedures Manual tailored to your specific operating model
4. Compliance Officer / MLRO role definition, appointment documentation, and briefing
5. goAML platform registration for the entity and Compliance Officer
6. Risk-tiered CDD/EDD onboarding framework with UBO identification methodology
7. Sanctions and PEP screening protocol, calibrated to your transaction volume and risk profile
8. Transaction monitoring red-flag matrix and internal escalation pathway
9. STR/SAR internal reporting protocol and goAML filing support
10. Role-tiered staff training programme, delivered and evidenced
11. Record-retention schedule and inspection-ready file structure
12. Pre-launch mock file review to test the programme before it goes live
13. Ongoing annual BRA refresh, screening list monitoring advisory, and inspection representation support
Speak directly with a PNPC compliance advisor who has built AML/CFT programmes across real estate, precious metals, corporate services, and professional services sectors in the UAE — and who will still be available when an inspector calls, a suspicious transaction needs a decision, or your risk profile changes.
Jurisdiction: Free zone, mainland & offshore