KYC & Customer Due Diligence Advisory
KYC & Customer Due Diligence Advisory is the engagement through which PNPC designs, implements, and remediates the Know Your Customer and Customer Due Diligence programme that UAE Designated Non-Financial Businesses and Professions, financial institutions, and Virtual Asset Service Providers are legally required to maintain under Federal Decree-Law No.
Chartered Accountants · Dubai · Since 1986
Know Your Customer (KYC) and Customer Due Diligence (CDD) are the identification, verification, and risk-assessment procedures that UAE-regulated entities must apply to every customer before establishing a business relationship and throughout its life. The legal foundation sits in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT), as amended, together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, which set out the detailed CDD, record-keeping, and reporting obligations. For Designated Non-Financial Businesses and Professions (DNFBPs) — a category that in the UAE captures real estate brokers and developers, dealers in precious metals and stones, corporate service providers, independent legal professionals, and independent accountants and auditors above prescribed transaction thresholds — the Ministry of Economy is the primary supervisory authority, alongside sector regulators for financial institutions (the UAE Central Bank), securities firms (the Securities and Commodities Authority), and Virtual Asset Service Providers (the Virtual Assets Regulatory Authority in Dubai, and other emirate-level VASP regulators). Free zone entities, including those in DIFC and ADGM, sit under their own AML supervisors — the Dubai Financial Services Authority in DIFC and the Financial Services Regulatory Authority in ADGM — layered on top of the federal AML law.
CDD is not a single step; it is a graduated framework. Standard due diligence applies to most customers: verifying identity through original or certified documents, understanding the nature and purpose of the intended business relationship, and identifying beneficial ownership. Simplified due diligence may apply to lower-risk customers where the entity's own risk assessment justifies a reduced level of scrutiny, subject to it never applying automatically to customers or jurisdictions carrying elevated risk. Enhanced due diligence is mandatory for higher-risk categories — Politically Exposed Persons (PEPs) and their close associates and family members, customers or beneficial owners connected to jurisdictions identified by the Financial Action Task Force (FATF) as having strategic AML/CFT deficiencies, complex or opaque ownership structures, and cash-intensive or high-value transaction profiles. Enhanced due diligence requires additional verification, senior management approval to onboard, and a documented source-of-funds and source-of-wealth assessment.
Beneficial ownership identification is a core pillar of UAE CDD obligations, aligned with Cabinet Decision No. 58 of 2020 (as amended) regulating beneficial ownership procedures. Entities must look through corporate and trust structures to identify the natural person or persons who ultimately own or control 25% or more of the customer (or exercise control through other means), and must maintain a Register of Beneficial Owners that is kept current and available to the relevant licensing authority and to the Ministry of Economy or Central Bank on request. Sanctions and PEP screening is a parallel, continuous obligation — checking customers, beneficial owners, and counterparties against the UAE Local Terrorist List, the UN Consolidated Sanctions List, and other applicable sanctions lists at onboarding and at appropriate intervals thereafter, since a name that screens clean today can be listed tomorrow.
Where the CDD process identifies a transaction or customer relationship that gives rise to suspicion of money laundering, terrorist financing, or proliferation financing — regardless of the transaction value — the entity is obligated to file a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) through the goAML platform operated by the UAE Financial Intelligence Unit, and must not disclose ('tip off') the customer that a report has been made. KYC & CDD Advisory is the discipline of building all of this into a coherent, risk-based programme — a documented AML/CFT policy, a business-wide risk assessment, onboarding checklists and forms, screening tools or processes, staff training, and an audit trail — rather than treating each element as a disconnected compliance task performed inconsistently across different customer relationships.
When KYC & CDD Advisory is the right engagement
Your business falls within the DNFBP categories under UAE AML law — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and you do not yet have a documented, risk-based CDD programme
You are a newly licensed entity in a regulated sector (financial services, VASP, DNFBP) and need the AML/CFT policy, business risk assessment, and CDD procedures built and registered with the goAML platform before you can lawfully onboard customers
Your existing KYC file templates and onboarding checklist have not been updated since the last material change in Cabinet Decision requirements and you are due, or overdue, for an internal review
You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection notice, finding, or remediation directive relating to your AML/CFT or CDD controls and need a structured response and corrective action plan
Your onboarding volumes have grown to a point where manual, ad hoc customer checks are no longer defensible and you need a documented risk-based CDD framework with clear escalation triggers for enhanced due diligence
You handle customers, beneficial owners, or transaction counterparties connected to higher-risk jurisdictions, complex offshore structures, or politically exposed persons, and need an enhanced due diligence protocol that will withstand supervisory scrutiny
You need staff trained to actually execute CDD and file goAML reports correctly — not just a policy binder that sits unread on a shelf
Your beneficial ownership register is incomplete, outdated, or was never properly compiled under Cabinet Decision No. 58 of 2020 and needs to be reconstructed and kept current
When a different engagement may fit better
You need a historical Economic Substance Regulations (ESR) matter resolved — an outstanding notification, report, or penalty from a financial year before the regime was discontinued for periods starting on or after 1 January 2023 — and have no separate AML/CFT supervisory obligation; that sits under a dedicated ESR review engagement, distinct from CDD
You are not a DNFBP, financial institution, or VASP and your business activity does not fall within any AML/CFT-regulated category under UAE law — confirm applicability first through a scoping call before commissioning a full programme build
You have already been formally accused of, or are under active investigation for, money laundering or terrorist financing offences — that requires criminal defence legal representation as the primary engagement, with AML advisory support playing a secondary role
You need only a standalone goAML portal registration completed with no wider policy or risk-assessment work — a narrower registration-only engagement may be a faster starting point, though PNPC generally recommends the risk assessment precede or accompany registration
Your requirement is limited to sanctions list screening software selection and implementation with no advisory input on policy design — that is closer to a technology/vendor selection engagement, though PNPC can advise on requirements
You are seeking general company incorporation or licensing services with no AML/CFT compliance dimension currently in scope — that sits under UAE company formation services
KYC & CDD Advisory vs related UAE AML/CFT and regulatory engagements
| Feature | KYC & CDD Advisory | ESR Assessment & Reporting | Standalone goAML Registration | AML Compliance Officer Outsourcing | Sanctions Screening Tool Implementation |
|---|---|---|---|---|---|
| Primary purpose | Design, implement, and remediate the full risk-based CDD programme — policy, onboarding, screening, monitoring, reporting | Determine historical ESR exposure and close out any outstanding notification, report, or penalty matter for financial years before the regime was discontinued | Register the entity on the FIU's goAML platform to enable STR/SAR filing | Provide an ongoing designated AML Compliance Officer / MLRO function on a retained basis | Select, configure, and roll out a sanctions and PEP screening tool |
| Legal basis | Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 (as amended) | Cabinet Decision No. 57 of 2020 and Ministerial Decision No. 100 of 2020 on Economic Substance Regulations, as affected by Cabinet Decision No. 98 of 2024 discontinuing the regime prospectively | Same AML/CFT framework — the reporting mechanism specifically | AML/CFT framework's requirement for a designated compliance function | Operational tool supporting the AML/CFT screening obligation |
| Scope depth | Full — risk assessment, policy, procedures, training, ongoing advisory | Focused — legacy substance test, notification, and report review for pre-discontinuation financial years, plus any open penalty matter | Narrow — platform registration and access credentials | Ongoing operational function, not a one-time build | Technical/operational, not policy-level advisory |
| Overlaps with CDD work | Is the CDD work | Distinct, now-discontinued regime — historically had different triggers (relevant activity + related-party income) from AML/CFT status | A component within a full CDD programme, not a substitute for it | Executes the CDD programme PNPC or the client has designed | Supports but does not replace documented CDD procedures |
| Who typically needs it | Any DNFBP, financial institution, or VASP without a current, defensible CDD programme | UAE entities with unresolved ESR notification/report obligations or penalties from financial years starting before 1 January 2023, when the regime still applied on an ongoing annual basis | Entities that already have a CDD programme but lack goAML platform access | Smaller regulated entities without in-house AML expertise wanting a retained specialist | Entities that have a policy but need the operational screening layer built or upgraded |
| Regulatory inspection readiness | Directly addresses what supervisors test for in an inspection | Addresses a separate, now largely closed-out compliance question for historical periods | Necessary but not sufficient on its own for inspection readiness | Depends on the quality of the underlying programme being executed | Necessary but not sufficient — a tool without policy discipline is a partial answer |
| Engagement cadence | Initial build plus ongoing annual review and remediation as regulations evolve | One-time or historical review only — the Ministry of Finance discontinued ESR notification and report filing for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024 | One-time registration, ongoing platform use | Continuous, retained monthly or quarterly | One-time implementation, ongoing licence/subscription |
These engagements are frequently combined, though the ESR regime itself has been discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024 — PNPC's ESR-related work today is limited to closing out historical-period obligations or penalties, not ongoing annual filing. A typical PNPC DNFBP client runs KYC & CDD Advisory as the foundation and either trains an internal compliance officer or engages PNPC on a retained AML advisory basis to keep the programme current as Cabinet Decisions and FATF guidance evolve.
| # | Stage & What PNPC Does | What Generic Policy Templates Miss | Timeline |
|---|---|---|---|
| 1 | Applicability & Scoping Assessment — Confirming whether, and how, AML/CFT obligations apply | We ask what a downloaded template never asks: which DNFBP category do you actually fall under, and does your transaction profile cross the prescribed cash thresholds that trigger DNFBP status? Are you a free zone entity subject to DIFC/DFSA or ADGM/FSRA rules layered on top of federal law, or a mainland entity under the Ministry of Economy? Do you handle virtual assets, bringing VARA or another emirate VASP regulator into scope? These answers determine which supervisory authority you register with and which rulebook governs your programme. | Week 1 |
| 2 | Business-Wide AML/CFT Risk Assessment — The foundation document every programme is built on | A defensible CDD programme starts from a documented risk assessment covering customer risk, geographic risk, product/service risk, and delivery channel risk — specific to your business, not a generic industry template. We assess your actual customer base, transaction types, and jurisdictions of exposure, and produce a risk rating methodology your onboarding process will apply. | Week 1–3 |
| 3 | AML/CFT Policy & CDD Procedures Drafting | The policy document must translate into an operational procedure your front-line staff can actually follow — standard, simplified, and enhanced due diligence triggers, escalation paths, approval authorities for higher-risk onboarding, and record-retention rules. We draft procedures your staff can execute without calling a lawyer every time, while remaining defensible on inspection. | Week 2–4 |
| 4 | Beneficial Ownership Identification Framework — Cabinet Decision No. 58 of 2020 compliance | We build the process for identifying and verifying the natural person(s) who ultimately own or control 25% or more of a customer entity (or exercise control through other means), including look-through procedures for layered corporate and trust structures, and set up the ongoing Register of Beneficial Owners maintenance discipline that must stay current, not just accurate at onboarding. | Week 3–4 |
| 5 | Sanctions & PEP Screening Design | We design the screening workflow against the UAE Local Terrorist List, UN Consolidated Sanctions List, and applicable PEP databases — covering onboarding screening, periodic re-screening, and real-time list-update monitoring, and advise on screening tool selection where the client does not already have one, matched to transaction volume and risk profile. | Week 3–5 |
| 6 | Enhanced Due Diligence Protocol — For higher-risk customer categories | We build the specific additional steps required for PEPs and their associates, high-risk jurisdiction exposure, and complex ownership structures: source-of-funds and source-of-wealth documentation standards, senior management sign-off requirements before onboarding, and the enhanced ongoing monitoring cadence these relationships require. | Week 4–5 |
| 7 | Suspicious Transaction Reporting (STR/SAR) Procedure & goAML Registration | We register the entity on the FIU's goAML platform, obtain the necessary access credentials, and build the internal escalation procedure — from a front-line staff observation, through internal review by the designated Compliance Officer, to a filed STR/SAR — with the mandatory no-tipping-off discipline built into staff training, since alerting a customer to a filed report is itself a criminal offence. | Week 4–6 |
| 8 | Record-Keeping & Documentation Standards | AML law requires customer identification records, transaction records, and CDD documentation to be retained for a minimum prescribed period after the relationship ends or the transaction date, and produced to the supervisory authority on request. We set up the retention system, format, and retrieval process so a document request from the Ministry of Economy or Central Bank can be answered within the timeframe given, not scrambled together after the fact. | Week 5–6 |
| 9 | Compliance Officer / MLRO Designation | UAE AML law requires most regulated entities to designate a Compliance Officer (often referred to as the Money Laundering Reporting Officer) with the authority and independence to execute the programme. We advise on the designation, the reporting line to senior management or the board, and — where the entity lacks in-house capacity — can structure a retained PNPC advisory role to support that function. | Week 5–6 |
| 10 | Staff Training & Competency Sign-Off | A written policy that staff have not been trained on is close to worthless on inspection. We deliver role-specific training — front-line onboarding staff, the Compliance Officer, and senior management — covering red flags, escalation procedures, and the specific STR/SAR obligation, with attendance and competency records maintained as evidence. | Week 5–7 |
| 11 | Internal Testing & Mock Inspection | Before relying on the programme in a live inspection, we run a sample file review — pulling a cross-section of actual customer files and testing them against the documented procedure — to identify gaps between what the policy says and what onboarding staff are actually doing in practice, and remediate before a regulator finds the same gaps. | Week 6–7 |
| 12 | Regulatory Filing & Registration Completion | We complete and file the applicable registrations — DNFBP registration with the Ministry of Economy's goAML and DNFBP portal, or the relevant sector regulator's AML registration — and compile the full programme documentation set into an inspection-ready file. | Week 6–8 |
| 13 | Ongoing Advisory & Annual Review | AML/CFT obligations do not end at go-live. Cabinet Decisions, FATF mutual evaluation follow-up actions, and sector-specific guidance evolve, and your customer base and risk profile change. PNPC reviews the risk assessment and procedures at least annually, updates screening list sources, and remains available for live escalations — a suspicious transaction identified at 4pm on a Thursday needs an answer, not a queue. | Ongoing — PNPC on call |
Realistic timeline for a full programme build, from scoping call to inspection-ready documentation: 6–10 weeks depending on entity size, number of customer categories, and whether beneficial ownership records need reconstruction from scratch. A narrower remediation engagement responding to a specific inspection finding can move faster. Ongoing advisory and annual review continue for the life of the client relationship.
Trade licence copy — mainland DED licence or free zone licence, showing licensed activities in full, since DNFBP status is determined by actual licensed activity
Memorandum and Articles of Association or equivalent constitutional documents, showing ownership and management structure
Details of all UAE and overseas branches, subsidiaries, or related entities sharing customer data or referral relationships
Organisational chart identifying the proposed Compliance Officer / MLRO and their reporting line to senior management or the board
Existing AML/CFT policy documents, if any, for gap assessment against current Cabinet Decision requirements
Shareholder register and, for corporate shareholders, their own ownership structure down to the natural person level
Passport copies and Emirates ID (where applicable) for all individuals identified as ultimate beneficial owners (25% or more ownership or control)
Trust deeds, nominee arrangements, or power-of-attorney documents where the ownership or control structure involves anything other than direct individual shareholding
Existing Register of Beneficial Owners, if maintained, for accuracy review against Cabinet Decision No. 58 of 2020 requirements
A representative sample or full listing of current customer categories — individual, corporate, trust, government — with an indication of transaction value ranges and frequency
Description of the geographic spread of customers and counterparties, including any exposure to jurisdictions flagged by FATF as higher-risk
Details of payment methods accepted — bank transfer, cash, cryptocurrency/virtual assets, third-party payment — since each carries different CDD implications
Any existing customer onboarding forms, KYC intake templates, or checklists currently in use, however informal
Details of any sanctions or PEP screening tool currently used, including vendor, list sources, and screening frequency
Records of any prior Suspicious Transaction Reports filed, or internal escalations raised, with outcome
Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, VARA, or any other supervisor relating to a prior inspection, finding, or directive
Staff training records relating to AML/CFT, if any prior training has been delivered
Existing goAML platform registration details and login credentials, if the entity is already registered
DNFBP registration status with the Ministry of Economy, if applicable, and associated reference numbers
Sector-specific regulator registration details — Central Bank, SCA, DFSA, FSRA, or VARA — where the entity falls under one of these regimes
UAE Pass or authorised signatory credentials needed to complete or update regulatory portal filings
Source-of-funds and source-of-wealth documentation for identified PEPs or high-risk customers — bank statements, business ownership evidence, inheritance or sale documentation as applicable
Details of the nature of any relationship with a Politically Exposed Person, including the specific public function held and the jurisdiction
Documentation supporting the commercial rationale for any complex or layered ownership structure encountered in the customer base
Senior management approval records for any customer relationship classified as higher-risk
| Phase | Triggered By | PNPC CA/AML Guidance | Risk If Ignored |
|---|---|---|---|
| Pre-Onboarding Design (Week 1–8) | New licence issuance or first structured CDD programme build | Risk assessment, policy and procedure drafting, beneficial ownership framework, screening design, goAML registration, and staff training delivered as a complete package before live customer onboarding begins at scale. | Onboarding without a documented, risk-based programme leaves the entity unable to demonstrate compliance on first inspection, and increases the chance that a genuinely suspicious relationship is onboarded without the controls to catch it. |
| Live Onboarding (Ongoing) | Every new customer relationship | Standard, simplified, or enhanced due diligence applied per the documented risk methodology; beneficial ownership identified and verified; sanctions/PEP screening run before the relationship is established; approval recorded per the designated authority level. | Inconsistent onboarding creates a customer file that looks materially different from the policy on paper — the single most common inspection finding, and a strong signal to a supervisor that the policy is not actually operative. |
| Ongoing Monitoring | Continuous, throughout the customer relationship | Periodic re-screening against updated sanctions and PEP lists, transaction monitoring for activity inconsistent with the customer's stated profile, and periodic file refresh for higher-risk customers on the schedule the risk assessment sets. | A customer who screened clean at onboarding but is later sanctioned, or whose transaction pattern shifts materially, generates undetected exposure if ongoing monitoring is not actually running — not merely documented as a policy. |
| Suspicious Activity Identified | Front-line staff observation, screening hit, or transaction anomaly | Internal escalation to the Compliance Officer per the documented procedure, assessment against the STR/SAR threshold, and — where warranted — filing through goAML within the expected timeframe, with strict no-tipping-off discipline maintained throughout. | Failure to file an STR/SAR where warranted is itself a breach of Federal Decree-Law No. 20 of 2018, carrying administrative and potentially criminal exposure for the entity and the individuals responsible. Tipping off a customer about a filed report is a separate offence. |
| Regulatory Inspection | Scheduled or unannounced supervisory visit from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA | PNPC supports document production, sample file walkthroughs, and direct engagement with the inspecting officer, drawing on the same documentation set built at programme design stage. | An entity unable to produce customer files, risk assessments, or training records on request faces findings that typically escalate from a corrective action directive to administrative fines, and in serious or repeat cases to licence-level consequences. |
| Finding or Directive Received | Inspection outcome requiring remediation | PNPC structures a corrective action plan against the specific findings, with realistic timelines, and represents the entity in follow-up correspondence with the supervisor to close out the finding formally. | An unaddressed or poorly documented remediation response risks escalating findings, repeat inspection within a shorter interval, and reputational exposure with banking partners who increasingly conduct their own AML due diligence on business customers. |
| Annual Review | Anniversary of programme adoption, or material change in business/regulation | Risk assessment refreshed against actual customer base changes, Cabinet Decision or FATF guidance updates incorporated, screening list sources reconfirmed as current, and beneficial ownership register reconciled against any ownership changes during the year. | A stale risk assessment or an unreviewed beneficial ownership register is one of the first things a supervisor tests — 'when was this last updated' is a standard inspection question with an easy pass or fail answer. |
| Business Change (M&A, new activity, new jurisdiction exposure) | Acquisition, new product line, new customer segment, or new geographic market | PNPC reassesses DNFBP or sector-regulator scope, updates the risk assessment for the new activity or exposure, and revises CDD procedures before the change goes live rather than retrofitting compliance after exposure has already been taken on. | A new business line or customer segment onboarded under an unrevised risk framework is effectively unassessed — the programme on paper no longer matches what the business actually does, which is precisely the gap inspections are designed to find. |
What is the difference between KYC and CDD — are they the same thing?
Know Your Customer (KYC) is generally used to describe the identification and verification of who a customer is — name, legal form, identity documents, beneficial ownership. Customer Due Diligence (CDD) is the broader risk-based framework that includes KYC identification but also covers understanding the purpose of the relationship, assessing and rating risk, screening against sanctions and PEP lists, and ongoing monitoring for the life of the relationship. In practice the terms are often used together or interchangeably in the UAE regulatory context, but CDD is the more complete and legally precise term used in Federal Decree-Law No. 20 of 2018.
Which UAE businesses are actually required to have a formal AML/CFT and CDD programme?
Financial institutions regulated by the UAE Central Bank, securities and investment firms under the Securities and Commodities Authority, Virtual Asset Service Providers under VARA or the relevant emirate regulator, and Designated Non-Financial Businesses and Professions (DNFBPs) under the Ministry of Economy. DNFBPs specifically include real estate agents and developers involved in property sale/purchase transactions, dealers in precious metals and stones for cash transactions above the prescribed threshold, corporate service providers (company formation agents, registered agents, nominee directors/shareholders), and independent legal professionals and independent accountants and auditors when carrying out specified activities on behalf of a client, such as managing client funds or acting in company formation.
What happens if my business is a DNFBP and has no AML/CFT programme at all?
Operating without a documented risk assessment, CDD procedures, and goAML registration where required is a breach of Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions. Consequences on inspection or discovery can include administrative fines set out in Cabinet Decision No. 10 of 2019 (as amended), corrective action directives with mandated timelines, and in serious or repeated cases, licence suspension or referral for further regulatory or criminal action. The exact fine schedule and escalation path depend on the supervisory authority and the nature of the breach.
What is a beneficial owner and why does the 25% threshold matter?
A beneficial owner is the natural person who ultimately owns or controls a customer, whether through direct or indirect shareholding, voting rights, or other means of control — even where that person's name does not appear on the trade licence or shareholder register. Cabinet Decision No. 58 of 2020 (as amended) sets the standard threshold at 25% direct or indirect ownership or control, though control can also arise through other mechanisms such as the right to appoint or remove directors, regardless of shareholding percentage. Entities must identify and verify these individuals, not just the immediate corporate or nominee shareholder shown on paper.
What is a Politically Exposed Person (PEP) and what extra steps does a PEP customer require?
A PEP is an individual who holds or has held a prominent public function — a head of state, senior government official, senior judicial or military official, senior executive of a state-owned enterprise, or senior political party official — together with their immediate family members and close associates. UAE AML regulations require enhanced due diligence for PEP relationships regardless of the customer's home jurisdiction: senior management approval before onboarding, a documented source-of-funds and source-of-wealth assessment, and enhanced ongoing monitoring for the life of the relationship.
What is goAML and does every regulated entity need to register on it?
goAML is the electronic platform operated by the UAE's Financial Intelligence Unit (part of the Central Bank) through which regulated entities register, submit Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs), and — for certain sectors — file additional prescribed reports. Entities within scope of the AML/CFT law, including DNFBPs, are generally required to register on goAML as part of their overall compliance obligation, since the reporting mechanism has to exist and be accessible before a suspicious transaction obligation can actually be discharged.
What is a Suspicious Transaction Report (STR) and when must one be filed?
An STR (sometimes referred to as a SAR — Suspicious Activity Report) must be filed via goAML whenever an entity has reasonable grounds to suspect that funds, a transaction, or an attempted transaction is connected to money laundering, a predicate crime, terrorist financing, or proliferation financing — regardless of the transaction amount and even if the transaction was ultimately not completed. There is no minimum monetary threshold; suspicion, not transaction size, is the trigger.
What is 'tipping off' and why is it treated so seriously?
Tipping off is directly or indirectly informing a customer, or any third party, that a Suspicious Transaction Report has been filed, is being considered, or that an investigation is underway. Under Federal Decree-Law No. 20 of 2018, tipping off is a separate criminal offence from the underlying money laundering or terrorist financing conduct, because it defeats the entire purpose of the reporting mechanism — allowing the customer to move funds, destroy evidence, or otherwise evade detection once alerted.
How is my business risk-rated, and can I use simplified due diligence to reduce onboarding friction?
Risk rating is built from four dimensions applied to each customer: customer risk (individual versus corporate, industry, ownership complexity), geographic risk (home jurisdiction and transaction counterparty jurisdictions, including any FATF-flagged exposure), product/service risk (nature of the transaction), and delivery channel risk (face-to-face versus remote onboarding). Simplified due diligence can apply to genuinely lower-risk customer categories where your documented risk assessment supports it, but it can never be applied automatically or as a default — and it can never apply to a customer or jurisdiction that carries elevated risk indicators regardless of how the relationship is otherwise structured.
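As an added example (not PNPC's own tooling or any regulator's), the four-dimension rating and the simplified/enhanced due diligence rules described above as a small Python decision helper; the scoring thresholds, the placeholder FATF codes and sanctioned names, and the assumption that the entity is UAE-based are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Constructed placeholders only: in real use the screening tool supplies the current
# FATF lists and the UAE Local Terrorist List / UN Consolidated Sanctions List.
FATF_FLAGGED = {"XX", "YY"}
SANCTIONED = {"EXAMPLE SANCTIONED CO"}
HOME_BASE = "AE"   # assumption: the regulated entity is UAE-based
EDD_STEPS = ["senior management approval before onboarding",
             "documented source-of-funds and source-of-wealth assessment",
             "enhanced ongoing monitoring for the life of the relationship"]

@dataclass
class Customer:
    name: str
    is_corporate: bool
    industry_risk: Risk
    ownership_layers: int      # entities between the customer and its natural-person owner
    home_jurisdiction: str     # ISO country code
    counterparties: set        # ISO codes of transaction counterparty jurisdictions
    product_risk: Risk
    remote_onboarding: bool
    is_pep: bool = False
    cash_intensive: bool = False

@dataclass
class Rating:
    dimensions: dict
    overall: Risk
    cdd_level: str             # SDD | STANDARD | EDD | BLOCKED
    reasons: list = field(default_factory=list)
    required_steps: list = field(default_factory=list)

def score_dimensions(c: Customer) -> dict:
    """Score the four dimensions named on the page; the thresholds are assumptions."""
    structure = Risk.HIGH if c.ownership_layers >= 3 else (Risk.MEDIUM if c.is_corporate else Risk.LOW)
    exposure = {c.home_jurisdiction} | c.counterparties
    geo = Risk.HIGH if exposure & FATF_FLAGGED else (Risk.MEDIUM if exposure - {HOME_BASE} else Risk.LOW)
    return {"customer": max(c.industry_risk, structure), "geographic": geo,
            "product": Risk.HIGH if c.cash_intensive else c.product_risk,
            "channel": Risk.MEDIUM if c.remote_onboarding else Risk.LOW}

def rate(c: Customer, sdd_justified: bool = False) -> Rating:
    """Derive the CDD level. EDD triggers override the dimension scores; SDD is never
    a default and never applies while any elevated indicator is present."""
    dims = score_dimensions(c)
    if c.name.upper() in SANCTIONED:           # a sanctions hit stops onboarding outright
        return Rating(dims, Risk.HIGH, "BLOCKED", ["sanctions screening hit"])
    triggers = [("PEP: EDD regardless of home jurisdiction", c.is_pep),
                ("FATF-flagged jurisdiction exposure", dims["geographic"] == Risk.HIGH),
                ("complex or opaque ownership structure", c.ownership_layers >= 3),
                ("cash-intensive transaction profile", c.cash_intensive),
                ("overall risk rating HIGH", max(dims.values()) == Risk.HIGH)]
    reasons = [why for why, hit in triggers if hit]
    if reasons:
        return Rating(dims, Risk.HIGH, "EDD", reasons, list(EDD_STEPS))
    overall = max(dims.values())
    if overall == Risk.LOW and sdd_justified:
        return Rating(dims, overall, "SDD", ["all dimensions LOW; justified in the risk assessment"])
    return Rating(dims, overall, "STANDARD")
```

The `reasons` list is what should land in the onboarding file: an inspector testing a sample file wants to see why a customer was rated as it was, not just the rating itself.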
Do free zone companies in DIFC or ADGM follow the same AML rules as mainland companies?
DIFC entities regulated by the Dubai Financial Services Authority (DFSA) and ADGM entities regulated by the Financial Services Regulatory Authority (FSRA) operate under their own AML rulebooks specific to those financial free zones, which sit alongside — and are generally aligned in substance with — the federal AML/CFT framework under Federal Decree-Law No. 20 of 2018. The specific forms, reporting mechanisms, and supervisory relationship differ by free zone, so a DIFC-regulated entity's CDD programme must be built against the DFSA rulebook specifically, not a generic mainland template.
How long must customer identification and transaction records be retained?
UAE AML law requires customer identification records, CDD documentation, and transaction records to be retained for a minimum prescribed period following the end of the business relationship or the date of the transaction, and to be made available to the competent supervisory authority on request within the timeframe given. The precise retention period and any sector-specific variations should be confirmed against the current Cabinet Decision and any relevant sector-regulator rulebook applicable to the entity, since retention requirements have been refined through amendments over time.
What does an AML/CFT Compliance Officer or MLRO actually need to do day to day?
The Compliance Officer (often referred to as the Money Laundering Reporting Officer, or MLRO) is responsible for the entity's ongoing AML/CFT programme: reviewing escalated customer relationships, approving higher-risk onboarding, deciding whether an internal escalation rises to the level of an STR/SAR filing, maintaining the risk assessment and policy documents as current, coordinating staff training, and acting as the primary point of contact for the Ministry of Economy, Central Bank, or relevant sector regulator during any inspection or correspondence.
Can PNPC act as our outsourced Compliance Officer or MLRO?
PNPC can provide retained AML advisory support to a designated internal Compliance Officer, and in appropriate structures can support the compliance function on an ongoing outsourced basis, depending on the entity's regulatory category and what the applicable rulebook permits for that role. The specific arrangement — advisory support versus a formally designated function — is scoped based on your sector, size, and supervisory requirements, and confirmed in writing before the engagement begins.
How does economic substance (ESR) relate to AML/CFT and CDD — are they the same requirement?
No — they were always separate regimes with separate triggers. Economic Substance Regulations under Cabinet Decision No. 57 of 2020 and Ministerial Decision No. 100 of 2020 tested whether a UAE entity carrying out a defined 'relevant activity' (such as holding company business, IP business, or distribution and service centre business) maintained adequate substance in the UAE. Importantly, the Ministry of Finance discontinued the ESR notification and report filing requirement for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024 — so for most entities today, ESR is a closed historical-period question rather than a live ongoing filing obligation, while AML/CFT and CDD obligations continue on an ongoing basis for any entity whose licensed activity falls within a regulated financial or DNFBP category. An entity can have historical ESR exposure, current AML/CFT exposure, both, or neither — the two applicability tests were always independent of each other.
We are a corporate service provider — does forming companies for clients bring extra AML obligations?
Yes. Corporate service providers — entities that form companies, act as a registered agent, or provide nominee director, nominee shareholder, or company secretary services — are explicitly captured within the DNFBP category under UAE AML law when carrying out those activities for clients. This means CDD must be applied to the ultimate client requesting the company formation or nominee service, with beneficial ownership identification extending through to the natural person who will actually control the entity being formed — not just the immediate instructing party.
Does accepting cryptocurrency or virtual asset payments change our AML obligations?
Yes, materially. Accepting or facilitating virtual asset transactions can bring an entity within the scope of Virtual Asset Service Provider (VASP) regulation — supervised in Dubai by VARA, and by other frameworks in other emirates and free zones — which carries its own, generally more stringent, AML/CFT and CDD requirements, including specific travel-rule-style obligations for transferring identifying information alongside virtual asset transfers. A business that starts accepting crypto payments without reassessing its regulatory scope risks operating outside a licensing framework it did not realise applied.
What is the difference between AML/CFT and sanctions compliance — do we need both?
AML/CFT compliance is the broader framework addressing money laundering, terrorist financing, and proliferation financing risk through CDD, monitoring, and reporting. Sanctions compliance specifically addresses screening against designated persons and entities lists — the UAE Local Terrorist List, UN Consolidated Sanctions List, and other applicable lists — to ensure the entity does not deal with a sanctioned party. Sanctions screening is a mandatory component within a complete AML/CFT and CDD programme, not a separate, optional add-on.
What is the real estate sector's specific AML exposure in the UAE?
Real estate brokers and developers are explicitly designated DNFBPs when involved in transactions concerning the buying and selling of real estate on behalf of clients. High-value, often cash-adjacent property transactions, layered ownership structures (including foreign and offshore buyers), and the historical role of real estate in laundering typologies make this a sector supervisors scrutinise closely. CDD obligations apply to both the buyer and seller side of a transaction the broker or developer facilitates, with beneficial ownership identification extending through any corporate or trust purchasing vehicle.
How often should the AML/CFT risk assessment and policy be reviewed and updated?
At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, entry into a new customer segment or geographic market, a change in ownership or control, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. A risk assessment that has not been revisited in several years, regardless of how well-drafted it originally was, is itself a common inspection finding because it no longer reflects the business as it currently operates.
What documentation should we expect a Ministry of Economy inspector to ask for?
Typically: the AML/CFT policy and risk assessment documents, a sample of customer onboarding files across different risk ratings, the beneficial ownership register, screening records and evidence of periodic re-screening, staff training records, any STRs filed (or a defensible explanation of why none have been filed, if applicable), the Compliance Officer's designation and reporting evidence, and goAML registration confirmation. Inspectors typically walk through several actual customer files in detail to test whether the documented procedure matches what staff actually did.
Can a small business with only a handful of customers skip a formal CDD programme?
No — if the business falls within a regulated category (DNFBP, financial institution, VASP), the AML/CFT and CDD obligation applies regardless of size or transaction volume. The scale and complexity of the programme can and should be proportionate to the size and risk profile of the business — a small corporate service provider's procedures will look different from a large real estate developer's — but 'we are too small to need this' is not a recognised exemption under UAE AML law.
What is the practical difference between having a policy document and having an operating programme?
A policy document states what should happen. An operating programme is evidence that it actually does — completed onboarding files matching the documented procedure, screening records showing checks were actually run and at the stated frequency, training attendance records, and a Compliance Officer who can answer specific questions about recent decisions. Supervisors inspect the operating programme, not the policy document in isolation; a well-written policy with no supporting evidence of execution reads, on inspection, almost the same as having no policy at all.
Does PNPC provide the actual sanctions and PEP screening technology, or just the advisory framework?
PNPC's core engagement is the advisory and policy/procedure design work — the risk assessment, CDD framework, and compliance discipline. Where a client does not already have a screening tool, we advise on selection criteria matched to transaction volume, budget, and risk profile, and coordinate the implementation, but we are not a technology vendor ourselves. For clients who already have a screening tool, we assess whether its list sources, update frequency, and configuration actually support the documented procedure.
What is the connection between UAE Corporate Tax, VAT, and our AML/CFT obligations?
These are distinct regulatory regimes with no direct legal dependency — a business can be fully Corporate Tax and VAT compliant while having a materially deficient AML/CFT programme, and vice versa. That said, the same underlying accounting and transaction records that support your tax filings are often relevant evidence in an AML file review, and PNPC's integrated view across tax, accounting, and AML advisory means inconsistencies between what a customer file says and what the transaction ledger shows are more likely to be caught internally before a regulator finds them.
What is source of funds versus source of wealth, and when is each required?
Source of funds refers to the origin of the specific funds used in a particular transaction — for example, the bank account or sale proceeds funding a property purchase. Source of wealth refers to the origin of a customer's overall net worth — how they accumulated their wealth over time, such as through business ownership, inheritance, or investment returns. Enhanced due diligence for higher-risk customers, particularly PEPs, generally requires both: source-of-funds evidence for the specific transaction, and a broader understanding of source of wealth to assess whether the transaction is consistent with the customer's overall profile.
How does PNPC price a KYC & CDD Advisory engagement?
PNPC scopes and quotes a fixed fee for the initial programme build — risk assessment, policy and procedure drafting, beneficial ownership framework, goAML registration, and staff training — based on entity size, customer base complexity, and sector. Ongoing annual review and ad hoc advisory support are quoted separately, typically as a retained arrangement. The exact fee is confirmed in writing before work begins; we do not start a build on a verbal estimate.
What is the risk of using a generic, downloaded AML policy template instead of a bespoke build?
A generic template is written for no specific business — it typically does not reflect your actual customer categories, transaction profile, jurisdiction exposure, or licensed activities, and inspectors recognise template language quickly. More importantly, a template document with no underlying risk assessment specific to your business cannot demonstrate the risk-based approach that UAE AML law explicitly requires — the law does not ask for a policy that exists; it asks for a policy that reflects a genuine, documented risk assessment of your specific business.
Can PNPC support us through an active Ministry of Economy or Central Bank inspection?
Yes. PNPC supports clients through live inspections — preparing the documentation set in advance where notice is given, attending or coordinating the walkthrough of sample customer files, drafting the formal response to any findings, and structuring the corrective action plan and its implementation. We are also engaged after the fact by entities that received a finding while using a different advisor, or none at all, and now need a structured remediation response.
Does an accounting or audit firm client of PNPC's need its own CDD programme, or does PNPC's own AML compliance cover them?
Every regulated entity needs its own AML/CFT programme covering its own customer relationships — PNPC's internal AML/CFT compliance as a practising CA firm governs how we conduct due diligence on our own clients, and does not substitute for a client's own obligation to run CDD on its own customers. If your business is itself a DNFBP or otherwise regulated, you need your own programme regardless of who your professional advisors are.
What red flags should staff be trained to recognise during onboarding?
Common red flags include: reluctance or refusal to provide requested identification or beneficial ownership information; unusually complex or opaque ownership structures with no clear commercial rationale; requests for unusual secrecy or use of intermediaries without disclosed purpose; transaction values or structuring patterns inconsistent with the customer's stated business or profile; use of funds from unrelated third parties without adequate explanation; and urgency or pressure to bypass standard verification steps. No single red flag is automatically conclusive, but a documented, risk-based assessment of the combination is what the CDD procedure is designed to capture.
If we already outsource bookkeeping and payroll to PNPC, does that create a conflict with PNPC also advising on our AML/CFT programme?
No. Accounting, payroll, and AML/CFT advisory are distinct professional services, and PNPC applies clear engagement scoping and, where relevant, information barriers between service lines to avoid any conflict. In practice, clients often find the combination beneficial rather than conflicted — the accounting team's visibility into actual transaction flows supports, rather than compromises, the integrity of the AML risk assessment.
How does PNPC keep a client's AML/CFT programme current as UAE regulations evolve?
The UAE's AML/CFT framework has been actively refined through successive Cabinet Decisions and Ministerial Decisions, partly in response to the country's FATF mutual evaluation process and subsequent follow-up commitments. PNPC tracks regulatory developments as part of the ongoing advisory relationship and proactively flags changes that affect a client's existing programme — rather than waiting for the client to discover a gap at their next inspection.
What is the goAML platform registration process, and how long does it take?
Registration on goAML involves creating an entity profile on the FIU platform, designating authorised users (typically the Compliance Officer), and completing the entity's regulatory details. Processing timelines vary and depend on the completeness of the submitted information and the FIU's current processing volumes; PNPC coordinates the registration as part of the wider programme build and manages any follow-up queries from the FIU to keep the process moving.
PNPC KYC & CDD Advisory vs generic compliance template providers
| Dimension | Generic Template / Downloaded Policy | PNPC Global |
|---|---|---|
| Risk assessment basis | Generic industry boilerplate, not specific to your customer base or jurisdiction exposure | Business-specific risk assessment built from your actual licensed activity, customer categories, and transaction profile |
| Beneficial ownership methodology | Often a single form with no look-through guidance for layered structures | Documented look-through procedure for corporate, trust, and nominee structures, aligned to Cabinet Decision No. 58 of 2020 |
| Staff capability after delivery | Policy document handed over; staff left to interpret it unaided | Role-specific training delivered, with competency records maintained as inspection evidence |
| goAML and regulator registration | Rarely included — treated as the client's separate task | Registered and coordinated as part of the engagement, with credentials handed over ready to use |
| Inspection readiness testing | Not offered — the first real test is the actual inspection | Internal mock file review and walkthrough conducted before go-live to surface gaps early |
| Response to regulatory findings | No ongoing relationship to call on | Direct support drafting corrective action plans and representing the client in follow-up correspondence |
| Ongoing regulatory tracking | Static document, not updated as Cabinet Decisions evolve | Annual review built into the relationship, updated as FATF guidance and Cabinet Decisions change |
| Cross-disciplinary context | AML in isolation from tax, accounting, and corporate structure | Integrated view across UAE tax, accounting, corporate structuring, and AML — inconsistencies are more likely to be caught internally |
| Presence beyond delivery | Transaction ends at document handover | PNPC Dubai office, practising CA firm since 1986, available for live escalations and ongoing advisory |
What the PNPC package includes
1. Applicability scoping to confirm DNFBP, financial institution, or VASP status and the correct supervisory authority
2. Business-wide AML/CFT risk assessment specific to your customer base, geography, and transaction profile
3. Bespoke AML/CFT policy and CDD procedure documentation your staff can actually execute
4. Beneficial ownership identification framework and Register of Beneficial Owners setup under Cabinet Decision No. 58 of 2020
5. Sanctions and PEP screening design, with tool selection guidance where none currently exists
6. Enhanced due diligence protocol for PEPs, high-risk jurisdictions, and complex ownership structures
7. goAML platform registration and Suspicious Transaction Report / Suspicious Activity Report escalation procedure
8. Compliance Officer / MLRO designation support and reporting-line structuring
9. Role-specific staff training with attendance and competency records
10. Internal mock inspection and sample file testing before go-live
11. Ongoing annual review and regulatory update tracking
12. Direct representation and corrective action planning in response to any Ministry of Economy, Central Bank, DFSA, FSRA, or VARA finding
Talk to PNPC's Dubai team before your next inspection finds the gap for you — we build AML/CFT and CDD programmes that hold up on the file, not just on paper.
Jurisdiction: Free zone, mainland & offshore