AML/CFT Risk Assessment & Customer Risk Profiling
AML/CFT Risk Assessment & Customer Risk Profiling is the engagement through which PNPC builds, documents, and maintains the risk-based compliance programme that UAE Anti-Money Laundering and Counter-Financing of Terrorism law requires of Designated Non-Financial Businesses and Professions and licensed financial entities alike.
Chartered Accountants · Dubai · Since 1986
The UAE's Anti-Money Laundering and Combating the Financing of Terrorism framework is anchored in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended), together with its Implementing Regulation issued under Cabinet Decision No. 10 of 2019 (as amended by subsequent Cabinet Decisions). The regime is administered federally by the Ministry of Economy for Designated Non-Financial Businesses and Professions (DNFBPs) — a category that includes real estate brokers and agents, dealers in precious metals and stones above prescribed cash thresholds, corporate service providers, auditors, and independent legal and accounting professionals — while the Central Bank of the UAE, the Securities and Commodities Authority, and individual financial free zone regulators such as the DIFC's Dubai Financial Services Authority and ADGM's Financial Services Regulatory Authority supervise licensed financial institutions within their respective perimeters. AML/CFT Risk Assessment & Customer Risk Profiling is the practical discipline of translating this legal framework into a working, risk-based programme specific to one business — not a generic policy binder assembled to satisfy a licence renewal checkbox.
At the centre of the framework is the requirement for every obliged entity to conduct and document an Enterprise-Wide Risk Assessment (also referred to as a Business Risk Assessment) that identifies and rates the money laundering and terrorist financing risks the business is actually exposed to — by customer type, product or service line, delivery channel, and geography. This assessment is not a one-time exercise. The Implementing Regulation and Ministry of Economy guidance expect it to be reviewed periodically and updated whenever the business's risk profile changes materially — a new service line, a new geography of customers, a new delivery channel, or a materially changed customer base. From the Enterprise-Wide Risk Assessment flows Customer Risk Profiling: the methodology by which each customer or transaction is scored against defined risk factors and assigned a risk rating — typically low, medium, or high — that in turn determines the intensity of Customer Due Diligence (CDD) applied, ranging from Simplified Due Diligence for genuinely low-risk relationships, through Standard CDD, to Enhanced Due Diligence (EDD) for higher-risk categories such as Politically Exposed Persons (PEPs), customers from jurisdictions identified by the Financial Action Task Force (FATF) as having strategic AML/CFT deficiencies, or relationships involving complex or opaque beneficial ownership structures.
The programme also has to interlock with the UAE's targeted financial sanctions regime, requiring screening of customers and counterparties against the UAE's Local Terrorist List and the United Nations Security Council Consolidated List, and with Suspicious Transaction Reporting obligations discharged through the goAML platform operated by the UAE Financial Intelligence Unit. A Money Laundering Reporting Officer (MLRO) must be appointed, empowered with independent authority to file Suspicious Transaction Reports (STRs) or Suspicious Activity Reports (SARs) without requiring prior sign-off from business management, and equipped with a documented escalation procedure. Record-keeping obligations require CDD documentation, transaction records, and risk assessment files to be retained for a minimum period prescribed under the Implementing Regulation, available for production to the supervisory authority on request.
AML/CFT Risk Assessment & Customer Risk Profiling sits close to, but is distinct from, Economic Substance Regulations compliance and Ultimate Beneficial Owner (UBO) reporting — all three are Ministry of Economy or free-zone-supervised regulatory obligations that frequently apply to the same entity, and PNPC coordinates them under a single engagement where a client's facts call for it, rather than treating each as an isolated filing. For a DNFBP that has never had a proper risk-based programme built — as opposed to a downloaded policy template — the exposure is not merely a documentation gap. It is the practical inability to demonstrate, at inspection, that customer risk is actually being assessed and managed, which is precisely what Ministry of Economy inspectors and financial free zone supervisors are trained to test for.
When an AML/CFT Risk Assessment & Customer Risk Profiling engagement is the right step
- Your business falls within a Designated Non-Financial Business and Profession category — real estate brokerage, precious metals and stones dealing above the prescribed cash threshold, corporate service provision, independent audit or accounting practice, or company/trust formation services — and you do not have a documented, risk-based AML/CFT programme in place
- You hold a licence in a financial free zone such as the DIFC or ADGM, or are supervised by the Central Bank of the UAE or the Securities and Commodities Authority, and your existing AML/CFT policy has not been substantively reviewed since it was first drafted
- You are onboarding higher-risk customer categories — Politically Exposed Persons, customers or counterparties connected to jurisdictions on the FATF list of countries with AML/CFT deficiencies, or complex corporate structures with layered beneficial ownership — and need a defensible Enhanced Due Diligence procedure
- A Ministry of Economy inspection, a financial free zone supervisory review, or a bank's correspondent-banking due diligence request has flagged gaps in your AML/CFT documentation, customer risk ratings, or MLRO governance arrangements
- You are appointing or replacing a Money Laundering Reporting Officer and need the role properly constituted — independent authority, documented escalation procedure, and goAML platform registration and familiarity
- Your existing customer files show CDD collected once at onboarding with no periodic review, no risk-based re-rating, and no clear audit trail of why a customer was assessed as low, medium, or high risk
- You are launching a new product, service line, delivery channel, or entering a new customer geography, and need the Enterprise-Wide Risk Assessment updated to reflect the changed risk profile before the new activity goes live
- You have identified — or suspect — a transaction pattern that may warrant a Suspicious Transaction Report and need experienced guidance on the goAML filing process and the legal protections available to a reporting entity
When a different or narrower engagement may fit better
- You need only historical Economic Substance Regulations record-keeping or a legacy-year query addressed for a Relevant Activity, with no AML/CFT programme gap identified — note that ESR Notification/Report filing was discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024, so this is a narrow, largely historical matter rather than an ongoing filing engagement
- Your business is not a Designated Non-Financial Business or Profession and is not licensed by a financial regulator — confirming DNFBP or regulated-sector status is itself part of the initial scoping conversation, and some trading or services businesses fall outside AML/CFT-obliged-entity scope entirely
- You need company incorporation or trade licence renewal support with no compliance remediation involved — that sits under company formation or corporate secretarial services, which PNPC can coordinate alongside this engagement
- You are looking for general Know Your Customer (KYC) banking support to open a corporate bank account — banks apply their own KYC standards that overlap with but are not identical to DNFBP AML/CFT obligations; PNPC supports both but they are distinct workstreams
- You need a criminal defence lawyer because law enforcement or the Public Prosecution has already opened an investigation — at that stage the matter requires UAE-licensed legal counsel; PNPC's compliance advisory complements but does not replace criminal legal representation
- Your only requirement is UBO (Ultimate Beneficial Owner) register filing with no wider AML/CFT programme gap — that is a narrower, faster-turnaround filing that PNPC also handles as a standalone service
AML/CFT Risk Assessment & Customer Risk Profiling vs related UAE compliance engagements
| Feature | AML/CFT Risk Assessment & Profiling | Economic Substance Regulations Compliance | UBO Register Filing | Bank KYC Onboarding Support | Statutory Audit |
|---|---|---|---|---|---|
| Primary purpose | Build and maintain a risk-based AML/CFT programme covering business risk assessment, customer due diligence, and MLRO governance | Assess and file Notification/Report obligations for entities carrying on a Relevant Activity under Cabinet Decision No. 57 of 2020 | File and maintain the entity's Ultimate Beneficial Owner register with the licensing authority | Prepare and present the documentation a bank requires to open or maintain a corporate account | Independently opine on financial statements already prepared |
| Governing framework | Federal Decree-Law No. 20 of 2018 and its Implementing Regulation (Cabinet Decision No. 10 of 2019, as amended) | Cabinet Decision No. 57 of 2020 and Ministerial Decision guidance, administered by the Ministry of Finance | Cabinet Decision No. 58 of 2020 on UBO regulations | Central Bank of the UAE KYC circulars and each bank's internal policy | International Standards on Auditing as adopted in the UAE |
| Who it applies to | DNFBPs and financial-sector licensees supervised by Ministry of Economy, Central Bank, SCA, or a financial free zone regulator | UAE entities (mainland and free zone) carrying on a defined Relevant Activity, regardless of AML/CFT-obliged status | Nearly all UAE mainland and most free zone entities, subject to narrow exemptions | Any entity opening or maintaining a UAE corporate bank account | Entities whose shareholders, free zone authority, or lenders require an audit opinion |
| Core deliverable | Enterprise-Wide Risk Assessment, Customer Risk Profiling methodology, CDD/EDD procedures, MLRO appointment and goAML readiness | For financial years up to 31 December 2022: Notification and, where applicable, Economic Substance Report demonstrating adequate UAE substance for the Relevant Activity; ESR filing was discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024 | UBO register entries and supporting declarations filed with the relevant authority | Bank-ready KYC pack — ownership chart, source of funds, business rationale | Audited financial statements with an independent auditor's opinion |
| Ongoing obligation | Yes — periodic review and re-rating, annual or trigger-based Enterprise-Wide Risk Assessment refresh, continuous transaction monitoring readiness | No longer an active annual filing — ESR Notification/Report obligations were discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024; relevance today is largely historical or tied to open prior-year positions | Periodic — updated whenever beneficial ownership changes | As needed — typically at onboarding and periodic bank-driven KYC refresh | Annual, tied to financial year end |
| Regulator interaction it prepares you for | Ministry of Economy DNFBP inspection, financial free zone supervisory review, FIU enquiry following an STR | Ministry of Finance historical ESR compliance review for pre-2023 financial years still open to enquiry | Licensing authority UBO compliance check | Bank's own compliance and KYC refresh cycle | Shareholder, lender, or regulatory review of audited accounts |
| Overlaps with this engagement | Historically run alongside ESR filings and ongoing alongside UBO work where the same entity is subject to both | Historically bundled with AML/CFT programme work for DNFBP clients for financial years up to 2022 | Often bundled as part of the AML/CFT CDD file build | AML/CFT CDD documentation materially overlaps with bank KYC packs | Independent — audit does not assess AML/CFT programme adequacy directly, though weaknesses may surface as an audit finding |
These engagements are frequently combined rather than chosen exclusively. A typical PNPC DNFBP client historically ran AML/CFT Risk Assessment & Customer Risk Profiling alongside Economic Substance Regulations compliance for financial years up to 2022 and continues to run it alongside UBO register maintenance today, since the same underlying corporate and ownership information feeds these obligations. Note that ESR Notification/Report filing was discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024, so ESR is no longer a live ongoing filing obligation for current financial years.
| # | Stage & What PNPC Does | What Generic Template Providers Miss | Timeline |
|---|---|---|---|
| 1 | Applicability Scoping — Confirming DNFBP or regulated status and the specific obligations that follow | We ask what a downloaded template never asks: which DNFBP category, if any, does your licensed activity fall under? Are you supervised by the Ministry of Economy, the Central Bank, the SCA, or a financial free zone regulator? Do you have any legacy pre-2023 ESR position still open (note ESR Notification/Report filing was discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024)? These answers determine which framework — or combination of frameworks — actually applies before a single policy word is drafted. | Week 1 |
| 2 | Business Risk Assessment (Enterprise-Wide) — Structured evaluation of your actual risk exposure | We assess your risk across the dimensions the Implementing Regulation expects: customer types you serve, products and services offered, delivery channels (face-to-face, remote, intermediated), and the geographies your customers and transactions touch — including any exposure to FATF-listed higher-risk jurisdictions. A template policy states generic risk categories; we document risk ratings specific to your actual book of business. | Week 1–3 |
| 3 | Customer Risk Profiling Methodology Design — The scoring model that drives due diligence intensity | We build the specific risk-scoring criteria — ownership complexity, PEP status, geography, transaction size and pattern, source of funds clarity, cash-intensity of the relationship — that assign each customer a low, medium, or high rating, and define exactly what CDD, Enhanced Due Diligence, or Simplified Due Diligence each rating triggers. This methodology, not a generic checklist, is what an inspector tests against your actual customer files. | Week 2–4 |
| 4 | Policies & Procedures Drafting — AML/CFT Manual specific to your business | We draft the AML/CFT Policy and Procedures Manual — CDD/EDD procedures, PEP screening protocol, sanctions list screening against the UAE Local Terrorist List and UN Consolidated List, record-keeping schedule, and the internal escalation pathway from front-line staff to the MLRO — in the operational language of your actual business processes, not abstract legal paraphrase. | Week 3–5 |
| 5 | MLRO Appointment & Governance — Constituting the role with real independent authority | We support the appointment (or reconstitution) of the Money Laundering Reporting Officer with a documented mandate confirming independent authority to file STRs/SARs without requiring prior management approval, direct reporting access to senior management or the board, and a defined escalation and decision-record process — a governance detail that generic templates state in one line and rarely operationalise. | Week 4–6 |
| 6 | goAML Platform Registration & Familiarisation | We support registration of the entity and its MLRO on the goAML platform operated by the UAE Financial Intelligence Unit, and walk the MLRO through the STR/SAR filing workflow before it is ever needed under time pressure — so the first real suspicious-activity decision is not also the first time anyone has touched the platform. | Week 4–6 |
| 7 | Existing Customer File Remediation — Retrofitting CDD on the current book | For clients with an existing customer base onboarded without a proper risk-based process, we run a file-by-file remediation exercise — applying the new risk methodology retroactively, identifying files with incomplete CDD or unassessed risk ratings, and prioritising remediation by risk level so the highest-risk gaps close first. | Week 5–10, scaled to book size |
| 8 | Sanctions & PEP Screening Set-Up | We configure (or advise on selecting) a screening process against the UAE Local Terrorist List, the UN Security Council Consolidated List, and PEP databases, and define the frequency of re-screening for existing customers — a control that must operate on an ongoing basis, not only at onboarding. | Week 5–7 |
| 9 | Staff Training & Awareness | We deliver AML/CFT training to relevant staff — what triggers Enhanced Due Diligence, how to recognise red-flag transaction patterns, and the internal escalation procedure to the MLRO — and document attendance, since training records are themselves an inspection deliverable. | Week 6–8 |
| 10 | Internal Testing / Independent Review Readiness | Where the entity's risk profile or regulator expects an independent audit function for the AML/CFT programme, we prepare the testing scope and supporting file so an internal or external review can be conducted against a documented programme rather than an ad hoc one. | Week 7–9 |
| 11 | Regulator-Ready Documentation Pack | We compile the file a Ministry of Economy inspector or financial free zone supervisor will actually request — the Enterprise-Wide Risk Assessment, the Policies and Procedures Manual, MLRO appointment records, sample CDD files across risk ratings, training records, and screening logs — organised for rapid production, not scattered across email threads. | Week 8–10 |
| 12 | Periodic Review & Update Cycle | The Enterprise-Wide Risk Assessment and Customer Risk Profiling methodology are reviewed on a defined periodic cycle and refreshed immediately whenever a trigger event occurs — a new product line, a new customer geography, a materially changed ownership structure, or new Ministry of Economy or FATF guidance. | Annually, plus trigger-based updates |
| 13 | Ongoing MLRO & STR Support | PNPC remains available to the MLRO for real-time guidance when a transaction or customer pattern raises a genuine suspicion — helping assess whether the threshold for an STR/SAR filing is met, and supporting the filing itself where appropriate, without PNPC ever taking over the MLRO's statutory decision-making authority. | Ongoing, as needed |
A realistic first-cycle timeline to a fully documented, inspection-ready programme is 8–12 weeks for a business of moderate size and customer-book complexity, with existing customer file remediation scaling that timeline for larger or higher-risk books. Thereafter, the programme runs on an annual review cycle with ad hoc updates triggered by material business changes.
- Trade licence copy showing the licensed activity, legal form, and whether the entity is mainland or free zone
- Memorandum/Articles of Association or equivalent constitutional document showing ownership and management structure
- Confirmation of the specific DNFBP category (if applicable) — real estate broker/agent, precious metals and stones dealer, corporate service provider, auditor, or independent legal/accounting professional — or confirmation of the financial regulator supervising the entity
- Any prior AML/CFT policy, risk assessment, or inspection correspondence already on file, to establish the starting point rather than begin from zero
- Shareholder register and ownership chart, including any layered or nominee arrangements, to support both the AML/CFT risk assessment and the related UBO filing
- Ultimate Beneficial Owner identification documents — passport copies, Emirates ID (where applicable), and proof of address for each UBO holding the prescribed ownership or control threshold
- Corporate shareholder documents — certificate of incorporation, register of directors, and authorised signatory confirmation for any corporate shareholder in the chain
- A representative sample or full listing of customer types served, to inform the Enterprise-Wide Risk Assessment's customer-risk dimension
- Description of products, services, and delivery channels offered — face-to-face, remote/online, or through intermediaries
- Geographic breakdown of customers and counterparties, flagging any exposure to jurisdictions identified by FATF as having strategic AML/CFT deficiencies
- Existing customer files (where any exist) — onboarding forms, identity documents collected, and any risk ratings previously assigned, for the file remediation exercise
- Proposed or existing Money Laundering Reporting Officer's CV and role description, to assess suitability and independence of the role
- Organisation chart showing reporting lines from front-line staff through to the MLRO and senior management
- List of staff who interact with customers or transactions, for AML/CFT training scoping and attendance tracking
- Any existing sanctions/PEP screening tool or provider currently in use, including screening frequency and coverage
- Any Suspicious Transaction Reports or Suspicious Activity Reports previously filed, with outcome correspondence if available
- Prior Ministry of Economy inspection findings, financial free zone supervisory letters, or bank due diligence queries relating to AML/CFT, to prioritise remediation

- Enterprise-Wide Risk Assessment document, rated and dated, ready for regulator production
- Customer Risk Profiling methodology and risk-scoring matrix
- AML/CFT Policies and Procedures Manual, including CDD, EDD, and Simplified Due Diligence procedures
- MLRO appointment letter and governance mandate
- Training attendance records and staff acknowledgement forms
- Sanctions and PEP screening log template and re-screening schedule
| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Initial Build (Week 1–10) | Decision to establish or overhaul the AML/CFT programme | Applicability scoping, Enterprise-Wide Risk Assessment, Customer Risk Profiling methodology, Policies and Procedures Manual, MLRO appointment, and goAML registration built as a coherent, business-specific programme rather than a generic template. | A downloaded template that does not reflect the entity's actual customer base and risk exposure fails inspection scrutiny and provides no real protection if a suspicious transaction later occurs undetected. |
| Customer Onboarding (Ongoing) | New customer or transaction relationship | Risk-based CDD applied at the correct intensity — Simplified, Standard, or Enhanced — based on the documented risk-scoring methodology, with sanctions and PEP screening performed before the relationship is accepted. | Under-scoped CDD on a high-risk customer is one of the most common inspection findings and the fact pattern most likely to attract Ministry of Economy administrative penalties under the Implementing Regulation. |
| Ongoing Monitoring (Continuous) | Every transaction and periodic customer review | Transaction monitoring calibrated to each customer's risk rating, periodic re-screening against sanctions and PEP lists, and re-rating of customers whose risk profile has changed — a new beneficial owner, a new geography, an unusual transaction pattern. | Static risk ratings that are never revisited miss genuine changes in customer risk and leave the programme unable to demonstrate active risk management at inspection. |
| Suspicious Activity Identified | Transaction or customer pattern raising genuine concern | MLRO-led assessment of whether the pattern meets the threshold for a Suspicious Transaction Report, filed through goAML without tipping off the customer, supported by PNPC's guidance on documentation and the statutory protections available to the reporting entity and MLRO. | Failure to file where the threshold is met is a serious compliance breach with potential criminal exposure for the entity and, in some circumstances, individual officers; 'tipping off' the customer is itself a separate offence. |
| Regulatory Inspection | Ministry of Economy DNFBP inspection or financial free zone supervisory review | The regulator-ready documentation pack — risk assessment, policies, MLRO records, sample CDD files, training logs, and screening records — produced promptly and coherently, with PNPC available to support the entity's response to inspector queries. | An entity unable to produce a documented, risk-based programme on request faces administrative fines under the Implementing Regulation, and in serious or repeated cases, licence-level consequences imposed by the Ministry of Economy or the relevant supervisory authority. |
| Business Change | New product, service line, delivery channel, or customer geography | The Enterprise-Wide Risk Assessment and Customer Risk Profiling methodology reassessed against the new activity before it goes live, so the risk rating and CDD intensity applied from day one reflect the changed exposure. | Launching a new higher-risk service line — for example, accepting cash transactions above a prescribed threshold, or onboarding customers from a new higher-risk jurisdiction — without updating the risk assessment leaves a documented gap that predates the very activity an inspector will scrutinise most closely. |
| Periodic Review | Annual cycle or material trigger event | Full refresh of the risk assessment, re-validation of the customer risk profiling methodology against any new Ministry of Economy or FATF guidance, and confirmation that MLRO governance, training, and screening arrangements remain current. | A programme that is never revisited becomes stale relative to evolving FATF standards and UAE regulatory guidance, and 'we built it once years ago' is not a defensible answer at inspection. |
What exactly is a Designated Non-Financial Business and Profession (DNFBP), and does my business qualify?
A DNFBP is a business category identified under the UAE's AML/CFT Implementing Regulation as carrying elevated money-laundering risk despite sitting outside the traditional financial sector. The categories typically include real estate brokers and agents, dealers in precious metals and stones (above prescribed cash-transaction thresholds), corporate service providers (including company formation agents and registered agents), independent auditors, and independent legal and accounting professionals when carrying out specified activities such as managing client funds or acting on behalf of a client in a financial transaction. Whether your specific licensed activity falls within scope depends on the precise nature of the services you provide, not just your trade licence category name.
Is AML/CFT compliance mandatory even if my business has never handled a suspicious transaction?
Yes. The obligation to maintain a documented, risk-based AML/CFT programme — including an Enterprise-Wide Risk Assessment, Customer Due Diligence procedures, and an appointed MLRO — applies to obliged entities regardless of whether any suspicious activity has ever actually occurred. The framework is preventive by design: it exists to detect and deter money laundering and terrorist financing before it happens, and regulators inspect for programme adequacy independent of whether an incident has occurred.
What is an Enterprise-Wide Risk Assessment and how is it different from a generic AML policy?
An Enterprise-Wide Risk Assessment (also called a Business Risk Assessment) is a documented evaluation of the specific money-laundering and terrorist-financing risks your business is exposed to, assessed across customer types, products and services, delivery channels, and geographies. A generic AML policy states abstract legal obligations; an Enterprise-Wide Risk Assessment applies those obligations to your actual book of business and produces a risk rating that drives everything downstream — how due diligence intensity is calibrated, which customers require Enhanced Due Diligence, and where monitoring resources are concentrated.
What is Customer Risk Profiling and how does it determine the level of due diligence applied?
Customer Risk Profiling is the methodology by which each customer is scored against defined risk factors — ownership complexity, PEP status, transaction geography, cash-intensity, source-of-funds clarity, and the nature of the products or services used — and assigned a rating, typically low, medium, or high. That rating then determines the applicable due diligence tier: Simplified Due Diligence for genuinely low-risk relationships meeting prescribed conditions, Standard Customer Due Diligence for the majority of relationships, and Enhanced Due Diligence for higher-risk categories, which requires additional verification steps such as source-of-wealth confirmation and senior management approval before onboarding.
Who qualifies as a Politically Exposed Person (PEP) and why does it matter?
A Politically Exposed Person is an individual who holds, or has held, a prominent public function — senior government officials, judiciary members, senior military officers, senior executives of state-owned enterprises, and senior political party officials — along with their immediate family members and known close associates. PEP status does not prohibit a business relationship, but it mandates Enhanced Due Diligence: additional identity and source-of-wealth verification, senior management approval before onboarding, and more frequent ongoing monitoring, because of the elevated corruption and money-laundering risk historically associated with this customer category.
What is the Money Laundering Reporting Officer (MLRO) role, and can any employee be appointed?
The MLRO is the individual formally designated to receive internal reports of suspicious activity, decide whether the threshold for filing a Suspicious Transaction Report or Suspicious Activity Report is met, and file that report through the goAML platform. The role requires genuine independence — the MLRO must be able to file an STR/SAR without requiring prior approval from business management, since requiring sign-off would defeat the purpose of the safeguard. The person appointed should have sufficient seniority, access to relevant information across the business, and — ideally — direct reporting access to senior management or the board.
What is goAML and do we need to register even if we never expect to file a report?
goAML is the reporting platform operated by the UAE's Financial Intelligence Unit through which obliged entities and their MLROs file Suspicious Transaction Reports, Suspicious Activity Reports, and certain other statutory reports. Registration on the platform is generally expected of obliged entities as part of a functioning AML/CFT programme, independent of whether a report has ever actually been filed — the readiness to report promptly, if the need arises, is itself part of what a compliant programme demonstrates.
What happens if we identify a suspicious transaction — what is the actual reporting process?
Once a staff member identifies a transaction or customer pattern that raises genuine suspicion, it is escalated internally to the MLRO under the documented procedure. The MLRO assesses whether the pattern meets the statutory threshold for filing a Suspicious Transaction Report or Suspicious Activity Report, and if so, files it through goAML. Critically, the customer must not be informed that a report has been made or is being considered — this 'tipping off' prohibition is a separate offence under the Federal Decree-Law, independent of the underlying suspicion itself.
How often does the AML/CFT risk assessment need to be updated?
The Enterprise-Wide Risk Assessment should be reviewed on a defined periodic cycle — commonly annually — and refreshed immediately whenever a material trigger event occurs: a new product or service line, a new delivery channel, expansion into a new customer geography, a materially changed customer base, or new Ministry of Economy or FATF guidance that changes the risk landscape. A static risk assessment that has not been revisited in several years, regardless of business changes, is a common and easily identified inspection finding.
What penalties can the Ministry of Economy impose for AML/CFT non-compliance?
The Implementing Regulation empowers the Ministry of Economy (for DNFBPs) and the relevant financial regulator (for licensed financial entities) to impose administrative sanctions for non-compliance, which can include financial penalties, formal warnings, suspension or restriction of licensed activities, and in serious or repeated cases, licence revocation. The severity of the sanction generally scales with the nature and persistence of the breach — an isolated documentation gap is treated differently from a systemic failure to conduct due diligence or a failure to report a genuinely suspicious transaction. Specific penalty amounts are prescribed by Cabinet Decision and are subject to periodic revision; PNPC advises on the current position rather than quoting a fixed figure that may have since changed.
How does AML/CFT compliance relate to Economic Substance Regulations (ESR)?
AML/CFT and ESR are separate regulatory frameworks, administered under different legal instruments — AML/CFT under Federal Decree-Law No. 20 of 2018 and its Implementing Regulation, ESR under Cabinet Decision No. 57 of 2020 — and historically applied to many of the same entities, drawing on overlapping corporate and ownership information. Importantly, ESR Notification and Report filing was discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024, so ESR is no longer a live, ongoing annual filing obligation for current financial years. A corporate service provider today is typically a DNFBP subject to active AML/CFT obligations, while any ESR relevance is now confined to closing out pre-2023 financial year positions or responding to a historical enquiry. PNPC coordinates AML/CFT work with any residual ESR record-keeping or historical query where relevant, rather than treating current-year ESR as an active parallel filing.
Do free zone companies need AML/CFT compliance, or is it only a mainland requirement?
AML/CFT obligations apply based on the nature of the licensed activity and the supervising authority, not on mainland versus free zone status. A free zone company carrying on a DNFBP-category activity — for example, a free zone corporate service provider or a free zone real estate brokerage — is subject to the same federal AML/CFT framework as its mainland equivalent, generally supervised by the Ministry of Economy unless the free zone itself is a financial free zone (such as DIFC or ADGM) with its own dedicated financial regulator applying an equivalent but separately administered regime.
What is Enhanced Due Diligence and when exactly is it required?
Enhanced Due Diligence (EDD) is a heightened level of Customer Due Diligence applied to relationships assessed as higher risk — including PEPs, customers connected to jurisdictions identified by FATF as having strategic AML/CFT deficiencies, relationships involving complex or non-transparent beneficial ownership structures, and cash-intensive or high-value transactions above the thresholds relevant to your DNFBP category. EDD typically requires additional identity verification, source-of-wealth and source-of-funds documentation, senior management approval before the relationship is accepted, and more frequent ongoing monitoring than a standard-risk relationship receives.
What sanctions lists must we screen customers against?
UAE obliged entities are expected to screen customers and counterparties against the UAE's Local Terrorist List, maintained pursuant to Cabinet Decision, and the United Nations Security Council Consolidated List, which the UAE gives domestic effect to under its targeted financial sanctions framework. A positive or partial match requires immediate escalation and, where confirmed, freezing of funds and reporting obligations under the targeted financial sanctions regime — a materially different and faster process than a standard STR filing.
How long must CDD records and risk assessment documentation be retained?
The Implementing Regulation prescribes minimum record-retention periods for CDD documentation, transaction records, and risk assessment files, generally running from the end of the business relationship or the date of the transaction, whichever the specific record type requires. Records must be available for prompt production to the supervisory authority on request — an obligation that in practice requires organised, retrievable filing, not merely retention in principle.
Can PNPC act as our outsourced MLRO?
PNPC supports clients extensively in building the MLRO function, training the appointed individual, and providing ongoing guidance on suspicious activity assessment — but the MLRO role itself generally needs to sit with someone embedded in the business, with direct access to customer and transaction information and the authority the role requires. Some regulatory frameworks and free zone regulators do permit outsourced or shared MLRO arrangements under specific conditions; where that structure is appropriate and permitted for a client's specific licence and regulator, PNPC discusses it as part of scoping rather than assuming it is available by default.
What is the difference between an STR and an SAR?
Both are reports filed through goAML to the UAE Financial Intelligence Unit, and the two terms are often used almost interchangeably in UAE guidance, though 'Suspicious Transaction Report' typically refers to a report tied to a specific transaction, while 'Suspicious Activity Report' can capture a broader pattern of activity or behaviour that raises concern even without a single identifiable transaction. In either case, the filing obligation and the tipping-off prohibition apply equally.
Does a real estate brokerage need a different AML/CFT approach than a corporate service provider?
Yes, materially. Real estate transactions carry distinct risk indicators — high-value cash purchases, third-party or nominee buyers, and rapid resale patterns — while corporate service providers face risks concentrated around beneficial ownership opacity, shell company formation, and nominee director/shareholder arrangements. The Enterprise-Wide Risk Assessment and Customer Risk Profiling methodology for each DNFBP category should be built around the risk indicators genuinely relevant to that specific business, not a single undifferentiated template applied across categories.
What is Simplified Due Diligence and when can it be applied?
Simplified Due Diligence (SDD) is a reduced level of Customer Due Diligence permitted for relationships genuinely assessed as low risk under prescribed conditions — for example, certain regulated public entities or listed companies subject to disclosure requirements that provide adequate transparency by themselves. SDD is not a default or a shortcut; it is only available where the risk assessment specifically supports it, and it does not remove the obligation to identify the customer and understand the nature of the relationship — it reduces the intensity, not the requirement, of due diligence.
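The EDD and SDD answers above, together with the sanctions-screening answer, describe one decision flow: score a customer against defined risk factors, assign low/medium/high, map that to SDD, Standard CDD or EDD, and route any sanctions match down a separate, faster path. The following Python is an added illustration of that flow and is not PNPC's methodology or scoring matrix; the factor weights, rating thresholds, placeholder jurisdiction codes "XX"/"YY" and the sample customer are all constructed assumptions.

```python
# Customer Risk Profiling rules engine: constructed example, not PNPC's own
# methodology. Weights, thresholds, jurisdiction codes and sample data are assumed.
from dataclasses import dataclass

# Placeholder codes standing in for FATF-listed jurisdictions (constructed;
# in practice load the current FATF publication).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}

# Factor weights across customer type, ownership, product, channel and geography
# (constructed values).
WEIGHTS = {"pep": 40, "high_risk_jurisdiction": 40, "opaque_ownership": 30,
           "nominee_arrangement": 20, "cash_or_high_value": 20, "non_face_to_face": 10}
LOW_MAX, MEDIUM_MAX = 19, 49  # rating bands (constructed thresholds)


@dataclass
class Customer:
    name: str
    jurisdictions: list[str]           # customer's own plus ownership-chain jurisdictions
    is_pep: bool = False
    ownership_layers: int = 1          # entities between customer and its UBOs
    uses_nominees: bool = False
    cash_or_high_value: bool = False
    face_to_face: bool = True
    listed_or_regulated: bool = False  # SDD candidate only if also rated low
    sanctions_match: str = "none"      # "none" | "partial" | "confirmed"


def risk_factors(c: Customer) -> dict[str, bool]:
    """Evaluate each defined risk factor for one customer."""
    return {
        "pep": c.is_pep,
        "high_risk_jurisdiction": any(j in HIGH_RISK_JURISDICTIONS for j in c.jurisdictions),
        "opaque_ownership": c.ownership_layers >= 3,
        "nominee_arrangement": c.uses_nominees,
        "cash_or_high_value": c.cash_or_high_value,
        "non_face_to_face": not c.face_to_face,
    }


def profile(c: Customer) -> dict:
    """Score, rate and map to a CDD tier. Sanctions hits bypass scoring entirely."""
    if c.sanctions_match != "none":
        # Targeted financial sanctions path: immediate MLRO escalation, freeze on
        # confirmation. A separate, faster process than an STR filing.
        action = "freeze_funds_and_report" if c.sanctions_match == "confirmed" else "resolve_partial_match"
        return {"rating": "sanctions", "tier": "TFS_ESCALATION",
                "actions": ["escalate_to_mlro_immediately", action]}
    hits = risk_factors(c)
    score = sum(WEIGHTS[f] for f, on in hits.items() if on)
    # PEPs, FATF-listed geography and opaque ownership are EDD regardless of score.
    if hits["pep"] or hits["high_risk_jurisdiction"] or hits["opaque_ownership"] or score > MEDIUM_MAX:
        rating, tier = "high", "EDD"
        actions = ["additional_identity_verification", "source_of_wealth_and_funds",
                   "senior_management_approval", "enhanced_ongoing_monitoring"]
    elif score > LOW_MAX:
        rating, tier, actions = "medium", "STANDARD", ["standard_cdd", "periodic_review"]
    else:
        # SDD reduces intensity only where the low rating supports it; the customer
        # must still be identified and the relationship understood.
        rating = "low"
        tier = "SDD" if c.listed_or_regulated else "STANDARD"
        actions = ["identify_customer", "understand_relationship"]
    return {"rating": rating, "score": score, "tier": tier,
            "factors": [f for f, on in hits.items() if on], "actions": actions}


if __name__ == "__main__":
    print(profile(Customer("Constructed Co", ["AE"], is_pep=True)))  # constructed sample
```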
How does PNPC handle AML/CFT compliance for a business with UAE and India operations?
PNPC has an operating Dubai office and offices across India, giving us direct visibility into both jurisdictions' compliance frameworks for clients whose ownership, customers, or fund flows span both countries. On the UAE side, we build the DNFBP-appropriate AML/CFT programme under Federal Decree-Law No. 20 of 2018. Where the same group has Indian entities or Indian-resident beneficial owners, we coordinate the UAE risk assessment with the disclosures and source-of-funds documentation that may also be relevant to Indian FEMA and RBI reporting for the same underlying ownership structure — under one engagement rather than two disconnected advisors working from incomplete pictures of each other's requirements.
Is a one-time AML/CFT policy purchase from an online template provider sufficient for compliance?
A template policy document alone does not constitute a compliant programme. Ministry of Economy and financial free zone inspections test whether the risk assessment reflects the business's actual customers and transactions, whether CDD has genuinely been applied and documented at the intensity the risk rating requires, whether the MLRO function operates with real independence, and whether staff have been trained. A policy document that has never been operationalised — no risk-rated customer files, no MLRO with real authority, no training records — fails inspection regardless of how professionally the document itself reads.
What triggers a Ministry of Economy inspection for a DNFBP?
Inspections can be routine and risk-based (as part of the Ministry's ongoing supervisory programme across DNFBP categories), or triggered by specific concerns — a whistleblower report, information from another regulator or financial institution, or patterns identified through the FIU's own analysis. Because routine inspections are not always predictable, the practical position for any DNFBP is to maintain an inspection-ready programme continuously rather than treating readiness as something to assemble only once an inspection notice arrives.
How does PNPC price an AML/CFT Risk Assessment & Customer Risk Profiling engagement?
PNPC scopes and quotes a fixed, agreed fee for the initial programme build — covering the Enterprise-Wide Risk Assessment, Customer Risk Profiling methodology, Policies and Procedures Manual, MLRO support, and goAML registration — confirmed in writing before work begins. Existing customer file remediation is typically scoped separately once the size and risk complexity of the customer book is known, since remediation effort scales with book size in a way the initial programme build does not. Ongoing annual review and MLRO support are offered as a retainer.
Can our AML/CFT programme be shared across multiple related UAE entities under common ownership?
A group-level Enterprise-Wide Risk Assessment methodology and a shared Policies and Procedures framework can often be designed once and adapted across related entities under common ownership and management, which is more efficient than building each entity's programme in isolation — but each licensed entity still needs its own entity-specific risk assessment output, its own designated MLRO function (which can, in appropriate structures, be a shared individual across group entities where permitted), and its own customer file discipline, since each entity is separately supervised and separately accountable at inspection.
What is beneficial ownership transparency and how does it connect to AML/CFT risk assessment?
Beneficial ownership transparency — understanding who ultimately owns or controls a customer, beyond the nominal or corporate shareholder on record — is a core input into Customer Risk Profiling. A customer with a simple, transparent ownership structure is generally lower risk on this dimension than one with layered corporate entities, nominee shareholders, or ownership routed through jurisdictions with weak corporate transparency requirements. This overlaps directly with the UBO register obligation applicable to most UAE entities, and PNPC's AML/CFT engagement typically draws on the same UBO documentation gathered for that separate filing.
What ongoing support does PNPC provide after the initial programme is built?
PNPC's engagement does not end at policy delivery. We provide the annual Enterprise-Wide Risk Assessment refresh, support for onboarding new higher-risk customers requiring Enhanced Due Diligence, real-time guidance to the MLRO when a genuine suspicious-activity question arises, updates to the programme when Ministry of Economy or FATF guidance changes, and support producing the documentation pack promptly if an inspection notice arrives.
How does AML/CFT risk assessment differ for a corporate service provider offering nominee director or registered agent services?
Corporate service providers offering nominee director, nominee shareholder, or registered agent services sit at a particularly sensitive point in the AML/CFT framework, because these services can — deliberately or inadvertently — be used to obscure genuine beneficial ownership. The risk assessment for this category needs specific attention to know-your-client procedures on the underlying principal (the person actually instructing the nominee arrangement), documented understanding of why a nominee structure is being used, and enhanced ongoing monitoring of entities administered under such arrangements.
Does providing accounting or bookkeeping services to a client trigger DNFBP AML/CFT obligations?
Independent accountants and auditors are typically captured within DNFBP scope specifically when performing certain activities on behalf of a client — such as managing client money, securities, or other assets, managing bank or securities accounts, or acting on behalf of a client in relation to the creation, operation, or management of a company. Routine bookkeeping or statutory audit work performed without exercising that kind of client-fund or transaction control may sit outside the narrower DNFBP trigger, but the boundary depends on the exact scope of services provided and should be confirmed rather than assumed.
What red flags should staff be trained to recognise in day-to-day transactions?
Common red flags include: a customer reluctant to provide standard identification or beneficial ownership information, transactions structured just below reporting or verification thresholds, unusual urgency with no clear business rationale, payment from or to a party unrelated to the underlying transaction, use of cash for transactions where electronic payment would be the norm, and counterparties connected to jurisdictions with weak AML/CFT regimes. The specific red-flag list should be tailored to the DNFBP category — real estate red flags differ materially from corporate service provider red flags.
Can PNPC help if we are already mid-inspection or have received a Ministry of Economy query?
Yes. We support clients who are already facing an active inspection or a specific regulatory query — assessing the gap between the existing programme and what is being requested, compiling and organising the documentation that does exist, remediating urgent gaps where time allows, and supporting the client's formal response. This work is more constrained by the compressed timeline than a proactive engagement, but a documented, honest effort at remediation generally supports a materially better outcome than an unaddressed gap.
Do e-commerce and online businesses face different AML/CFT considerations?
Where an e-commerce or online business falls within DNFBP scope — for example, an online real estate portal facilitating brokerage, or a corporate service provider operating primarily through a digital onboarding flow — the remote, non-face-to-face delivery channel is itself a risk factor that the Enterprise-Wide Risk Assessment needs to address specifically: how identity is verified without in-person contact, how document authenticity is confirmed, and what additional verification steps compensate for the absence of a face-to-face relationship.
What is the relationship between our AML/CFT programme and the bank's own KYC requirements for our corporate account?
Banks apply their own Know Your Customer standards under Central Bank of the UAE guidance, which overlap substantially with — but are not identical to — the CDD documentation a DNFBP builds for its own AML/CFT programme. A well-documented internal AML/CFT programme, with clean beneficial ownership records and source-of-funds documentation already on file, materially eases a bank's own KYC review and account-opening or account-maintenance process, since much of the same underlying documentation satisfies both purposes.
How does the approach for a small business or newly licensed entity differ from that for an established business with an existing customer book?
A newly licensed DNFBP has the advantage of building the Enterprise-Wide Risk Assessment, Customer Risk Profiling methodology, and CDD discipline into its operating process from day one — every customer onboarded from the start is captured under the correct methodology. An established business with an existing customer book faces the additional file remediation exercise of retrofitting risk ratings and CDD onto customers who were onboarded before a proper programme existed, which is materially more effort but equally necessary.
What is the FATF and why does its guidance matter for a UAE business?
The Financial Action Task Force (FATF) is the global standard-setting body for AML/CFT policy, and the UAE is a member jurisdiction whose domestic framework — Federal Decree-Law No. 20 of 2018 and its Implementing Regulation — is designed to align with FATF's 40 Recommendations. FATF also periodically identifies jurisdictions with strategic AML/CFT deficiencies (commonly referred to informally as 'grey list' or 'black list' status), and transactions or customers connected to such jurisdictions are treated as a specific elevated risk factor within UAE Customer Risk Profiling methodologies.
PNPC AML/CFT Risk Assessment & Customer Risk Profiling vs a generic template or portal provider
| Dimension | Generic Template / Portal Provider | PNPC Global |
|---|---|---|
| Risk assessment basis | Generic risk categories copied into a document regardless of your actual customer base | Enterprise-Wide Risk Assessment built from your actual customers, products, channels, and geographies |
| Customer Risk Profiling | A checklist with no defined scoring methodology behind it | A documented, defensible scoring methodology that drives CDD/EDD intensity file by file |
| MLRO governance | One line in a policy document naming a person | Properly constituted role with documented independent authority and escalation pathway |
| goAML readiness | Rarely addressed at all | Platform registration and MLRO walkthrough before it is ever needed under pressure |
| Existing customer files | Not addressed — new policy, old files untouched | File-by-file remediation exercise prioritised by risk |
| DNFBP-category specificity | One template applied across every business type | Sector-specific risk indicators for real estate, corporate services, precious metals, and audit/accounting |
| Coordination with UBO and legacy ESR positions | Treated as unrelated obligations, often missed entirely | Coordinated under a single engagement where applicable, using shared underlying documentation — including correctly flagging that ESR filing was discontinued for financial years from 2023 onward |
| Cross-border UAE-India structures | Not addressed | Coordinated with Indian-side FEMA/RBI considerations via PNPC's India offices |
| Ongoing relationship | One-time document delivery | Annual review cycle, real-time MLRO support, and inspection-response readiness |
| Inspection readiness | A document that may not withstand inspector scrutiny of actual practice | A regulator-ready pack demonstrating the programme is genuinely operated, not just written |
What the PNPC package includes
- 01. DNFBP and regulated-sector applicability scoping specific to your licensed activity
- 02. Enterprise-Wide Risk Assessment built from your actual customer base, products, channels, and geographies
- 03. Customer Risk Profiling methodology and risk-scoring matrix, sector-adapted to your DNFBP category
- 04. AML/CFT Policies and Procedures Manual drafted in your operational language, not legal paraphrase
- 05. MLRO appointment support with a documented independent-authority mandate
- 06. goAML platform registration and MLRO filing walkthrough
- 07. Existing customer file remediation, prioritised by risk rating
- 08. Sanctions and PEP screening set-up against the UAE Local Terrorist List and UN Consolidated List
- 09. Staff AML/CFT training with documented attendance records
- 10. Annual review cycle and ongoing MLRO support for real-time suspicious-activity questions
- 11. Coordinated UBO filing support and, where a legacy pre-2023 ESR matter remains open, guidance reflecting the current discontinued status of ESR filing
- 12. Regulator-ready documentation pack, compiled and organised for rapid production at inspection
Talk to PNPC's Dubai compliance team before your next inspection finds the gap for you — we build AML/CFT programmes that are actually run, not just written.
Jurisdiction: Free zone, mainland & offshore