Amara Commercial Concierge — UAE

AML/CFT Compliance for UAE Businesses: A Practical Guide

Anti-Money Laundering and Counter-Terrorism Financing compliance is mandatory for most UAE businesses. This guide covers who is obligated, what a compliant AML programme looks like, goAML registration, and ongoing requirements.

Overview

The UAE's Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) framework is one of the most comprehensive in the region. Following the UAE's 2022 removal from the FATF grey list, compliance standards are rigorously enforced. Businesses that fail to meet their AML/CFT obligations face substantial penalties — and in serious cases, criminal liability for directors and officers.

This guide covers who is obligated, what a compliant programme looks like, and how Amara supports clients in meeting their obligations.

Who Is Subject to AML/CFT Obligations?

The UAE's AML/CFT framework applies primarily to two categories of entity:

Financial Institutions (FIs) — banks, exchange houses, insurance companies, investment firms, and other entities regulated by the CBUAE, SCA, or FSRA/DFSA.

Designated Non-Financial Businesses and Professions (DNFBPs) — a broader category including:

  • Real estate brokers and agents (buying/selling transactions)
  • Dealers in precious metals and stones (transactions above AED 55,000)
  • Accountants and auditors
  • Lawyers, notaries, and legal professionals
  • Company formation agents and trust service providers
  • Virtual asset service providers (VASPs)

If your business falls into any of these categories, you have mandatory AML/CFT obligations. Failure to comply is not treated as an administrative oversight — it is a criminal offence under Federal Decree-Law No. 20 of 2019.

Core AML/CFT Obligations

1. Business Risk Assessment (BRA)

Every obligated entity must conduct and document a Business Risk Assessment — an analysis of the ML/TF risks inherent in its business model, customer base, products, services, transactions, geographies, and delivery channels. The BRA should be updated at least annually and when material changes occur.

2. Policies, Procedures, and Controls

Entities must have written AML/CFT policies and procedures that are:

  • Approved by senior management
  • Proportionate to the identified risks
  • Communicated to all relevant staff
  • Reviewed and updated regularly

Minimum policy coverage: CDD procedures, record-keeping requirements, suspicious activity reporting, staff training, and the role of the Compliance Officer.

3. Customer Due Diligence (CDD)

CDD involves identifying and verifying the identity of customers before entering a business relationship or carrying out a transaction above the threshold.

CDD LevelWhen Required
Simplified CDDLow-risk customers (e.g. listed companies, regulated entities)
Standard CDDMost customers
Enhanced CDD (EDD)High-risk customers, PEPs, complex transactions, high-risk jurisdictions

CDD documentation typically includes: government-issued ID, proof of address, source of funds, source of wealth (for EDD), beneficial ownership information.

Ongoing monitoring — CDD is not a one-time exercise. Transactions must be monitored for consistency with the customer's known profile, and records must be updated when material changes occur.

4. Ultimate Beneficial Owner (UBO) Identification

All UAE companies must identify and verify the Ultimate Beneficial Owners — natural persons who own 25%+ of shares or voting rights, or who exercise effective control. UBO details must be registered with the relevant authority (Ministry of Economy for mainland entities; freezone authority for freezone companies).

5. Politically Exposed Persons (PEPs)

Additional scrutiny — Enhanced Due Diligence — is mandatory for Politically Exposed Persons: current or former senior public officials, their family members, and close associates. Source of wealth verification is required for all PEP relationships.

6. Suspicious Activity Reporting

Entities must file a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) with the UAE Financial Intelligence Unit (FIU) via the goAML platform when they know, suspect, or have reasonable grounds to suspect that a transaction or activity is related to money laundering or terrorist financing.

Filing is mandatory — failure to file when suspicion exists is an offence. Tipping off the subject of a report is also an offence.

7. Record Keeping

All CDD records, transaction records, and correspondence relating to CDD must be retained for a minimum of 5 years from the end of the business relationship or completion of the transaction.

goAML — Registration and Use

goAML is the UAE FIU's platform for STR/SAR submission, operated by the EOCN (Executive Office of AML/CFT). Registration on goAML is mandatory for all DNFBPs.

Registration process:

  1. Entity registers on goAML portal (go-aml.ae)
  2. Designated MLRO/Compliance Officer is registered as the primary user
  3. Registration is reviewed and approved by the FIU
  4. Ongoing: STRs/SARs are submitted via the portal when required

Amara manages goAML registration as part of all retainer tiers.

The Compliance Officer / MLRO Role

All obligated entities must appoint a Compliance Officer (for most DNFBPs) or a Money Laundering Reporting Officer (MLRO) (for regulated financial institutions). The Compliance Officer is responsible for:

  • Overseeing the AML/CFT programme
  • Receiving and evaluating internal suspicious activity reports
  • Filing STRs/SARs with the FIU
  • Reporting to senior management and the board on compliance matters
  • Ensuring staff are trained

For small businesses without the capacity to employ a dedicated Compliance Officer, Amara provides an outsourced MLRO/CCO function as an add-on module.

Staff Training

All staff who interact with customers or handle transactions must receive AML/CFT training appropriate to their role. Training must:

  • Be delivered at onboarding and at least annually thereafter
  • Cover the entity's specific risks and procedures
  • Be documented with attendance records and assessments

Amara provides AML Staff Training (Group) as an add-on module — half-day or full-day, with a certificate of completion.

Penalties for Non-Compliance

The UAE's AML/CFT enforcement framework is active and well-funded. Penalties include:

  • Administrative fines from AED 50,000 to AED 5 million per violation
  • Licence suspension or revocation
  • Criminal prosecution of responsible individuals
  • Public naming of non-compliant entities

The EOCN, CBUAE, and sector regulators conduct risk-based supervision and targeted inspections.

Related articles

FAQ: UAE Compliance and Regulatory

Answers to common questions about UAE AML/CFT obligations, corporate tax, VAT, UBO registration, and what compliance actually looks like in practice for an SME.

ComplianceCorporate TaxVAT

goAML Registration for DNFBPs: A Step-by-Step Guide

goAML is the UAE FIU's platform for suspicious transaction reporting. Registration is mandatory for all DNFBPs. This article walks through who must register, what the process involves, and the ongoing obligations.

AML/CFTCompliance

Importing Goods into the UAE: MOCCAE Permits and the Clearance Process

Importing certain goods into the UAE — including live animals, plants, food products, and veterinary items — requires permits from the Ministry of Climate Change and Environment. This article explains who needs a permit and what the process involves.

Business SetupCompliance

UAE Corporate Tax: A Practical Guide for SMEs

The UAE introduced a 9% federal Corporate Tax in 2023. This guide covers who is subject, how taxable income is calculated, key exemptions, freezone qualifying conditions, registration deadlines, and how to stay compliant.

Corporate TaxCompliance

UAE VAT: A Complete Guide for Business Owners

UAE VAT was introduced at 5% in January 2018. This guide covers registration thresholds, standard-rated and zero-rated supplies, input tax recovery, EmaraTax filing, and common compliance pitfalls.

VATCompliance

UBO Registration in the UAE: What It Is and Why It Matters

All UAE companies must identify and register their Ultimate Beneficial Owners. This article explains who qualifies as a UBO, the registration process, deadlines, and the penalties for non-compliance.

ComplianceAML/CFT