The United Arab Emirates has undergone the most significant transformation of its anti-money laundering framework in a decade. Whether you work in compliance, legal, or risk — at a bank, a fintech, a law firm, an exchange house, or a real estate business — the rules you operate under today look substantially different to those of even 18 months ago.
This guide gives you a clear, grounded understanding of what the UAE’s AML framework now requires, who it applies to, and what a genuinely effective compliance programme looks like under current regulatory expectations.
Background: The FATF Grey List and What Came Next
Before examining the obligations themselves, it helps to understand the environment in which they sit.
UAE placed on the FATF Grey List
Formally listed as a Jurisdiction under Increased Monitoring, signalling strategic deficiencies in AML and counter-terrorism financing controls — a significant reputational concern for a major global financial centre.
UAE removed from the FATF Grey List
Following a comprehensive programme of legislative reform, institutional strengthening, and enforcement escalation, the UAE’s removal was formal recognition that strategic deficiencies had been addressed.
UAE removed from the EU high-risk third countries list
The European Parliament did not oppose the European Commission’s decision, with delisting taking effect on 5 August 2025.
Federal Decree-Law No. 10 of 2025 comes into force
The cornerstone of the current UAE AML framework, repealing and replacing Federal Law No. 20 of 2018 and fundamentally reshaping obligations for all regulated entities.
Executive Regulations (Cabinet Resolution No. 134 of 2025) come into force
71 articles and nearly 300 enforceable requirements setting out the practical detail of how the 2025 law applies — a document compliance teams need to understand in depth.
FATF Fifth Round Mutual Evaluation
UAE regulators are actively demonstrating to international assessors that reforms have translated into effective, real-world implementation. Inspections have increased and fines have escalated sharply.
For organisations operating in or from the UAE, the post-grey-list period brings more regulatory scrutiny, not less. With the June 2026 Mutual Evaluation approaching, inspections are more frequent, more detailed, and increasingly focused on whether controls actually work in practice rather than simply existing on paper.
What Has Changed: Federal Decree-Law No. 10 of 2025
The 2025 law introduces several significant changes that go beyond incremental updates to the previous framework:
Proliferation Financing
A third pillar added alongside ML/TF — covering financing of weapons of mass destruction programmes as a discrete, separately assessed obligation
Expanded DNFBP Scope
Gaming operators — including online gaming, sports betting, and lottery providers — are now explicitly captured for the first time
VASPs at Full Parity
Virtual Asset Service Providers are now held to the same AML, CFT, and CPF standards as conventional financial institutions, including mandatory Travel Rule compliance
Enhanced FIU Powers
The FIU can now order immediate asset suspensions for up to 10 working days and 30-day freezes — expanded from the previous seven-day limit held by the CBUAE Governor
Constructive Knowledge Standard
Liability can now attach if an organisation should have known funds were illicit — not only if it had actual knowledge, raising the bar for what “reasonable steps” means
Broader FIU Information Access
The FIU can now request data from VASPs, customs, tax, and beneficial ownership datasets — not only from financial institutions and DNFBPs as before
The UAE Regulatory Landscape
The UAE’s compliance landscape involves multiple regulators. The one that applies to your organisation depends on your licence type and the emirate in which you operate — getting this right is foundational.
Primary AML supervisory authority for licensed financial institutions — banks, exchange houses, insurance companies, finance companies, and registered hawala providers. The CBUAE issues guidance, conducts inspections, and imposes administrative penalties. In October 2025 it published updated guidance on KYC, CDD, record-keeping, risk-based institutional assessments, and role-based staff training.
The national agency responsible for receiving, analysing, and disseminating Suspicious Transaction Reports and Suspicious Activity Reports. All regulated entities — regardless of sector — must register on the goAML platform and file reports through it. Registration is mandatory even where no suspicious transactions have ever occurred. Failure to register is treated as an automatic internal controls failure.
Supervises firms operating within the Dubai International Financial Centre (DIFC). The DFSA’s regulated population grew by 14% in 2024 to over 900 authorised firms, driven partly by a 75% increase in wealth management licences. It is an active enforcer — in April 2025 it imposed an $8.85 million fine on a virtual asset firm for AML systems failures and unlicensed activities.
Supervises financial services firms and VASPs within Abu Dhabi Global Market (ADGM). The FSRA maintains its own AML framework that applies alongside the federal law — both must be complied with.
Licences and supervises virtual asset businesses operating on Dubai mainland. VARA publishes its own AML Rulebook, and businesses operating across multiple Emirates may need separate licences and legal structures in each jurisdiction. The VARA framework applies in addition to — not instead of — the federal law.
Supervises DNFBPs including real estate agents and developers, auditors and accountants, corporate service providers, and dealers in precious metals and stones.
Practical Compliance Obligations
Understanding the legal framework is one thing. Knowing what it means for your day-to-day compliance programme is another. Every regulated entity must have the following in place:
Enterprise-Wide Risk Assessment
A thorough, documented assessment of ML, TF, and now proliferation financing risks specific to your organisation. Inspectors actively identify copy-paste assessments and treat them as a red flag. Your assessment must reflect your actual clients, services, transaction volumes, geographic exposures, and delivery channels.
KYC, CDD, and Enhanced Due Diligence
Verify customer identity using reliable, independent documentation before establishing a business relationship. EDD is mandatory for PEPs and their associates, customers connected to FATF Grey or Black List jurisdictions, complex corporate structures, and unusually large or complex transactions without obvious legitimate purpose.
Beneficial Ownership Verification
Identify and verify the Ultimate Beneficial Owner of all corporate and legal entity clients — the natural persons who ultimately own or control them. Records must be kept current. This is a particular area of regulatory focus and a consistent area of enforcement findings.
Ongoing Transaction Monitoring
Due diligence at onboarding is necessary but not sufficient. Monitor the business relationship on an ongoing basis, scrutinising transactions for consistency with your understanding of the customer and their risk profile. Where anomalies arise, investigate and report where appropriate.
Suspicious Transaction Reporting via goAML
If you have reasonable grounds to suspect a transaction involves proceeds of crime or terrorism/proliferation financing, you are legally obligated to file an STR via goAML. There is no minimum value threshold. The duty is triggered by suspicion, not certainty. You must not tip off the customer that a report has been made.
Sanctions Screening
Screen customers and transactions against UAE local terrorist designations, UN Security Council sanctions lists, and FATF high-risk and monitored jurisdictions. Circular No. 3 of 2025 requires processes to be updated whenever these lists change. Screening must occur at onboarding and on an ongoing real-time basis.
Appointed MLRO
Every regulated entity must appoint a dedicated Money Laundering Reporting Officer who is UAE-resident, holds sufficient seniority to act independently, and has direct access to senior management and the board. Under the 2025 law, accountability is personal as well as institutional.
Role-Based AML Training
Training is a compulsory, ongoing obligation. The CBUAE’s October 2025 best practices guidance establishes a role-based framework — what a branch teller needs to know differs from what the MLRO needs to know. Training must be documented with logs available for inspection. Generic annual e-learning delivered uniformly to all staff is unlikely to satisfy a well-prepared inspector.
Record-Keeping
All CDD documentation, transaction records, and compliance records must be retained for a minimum of five years following the end of a business relationship or the completion of a transaction. Records must be stored securely and retrievable within the timeframes regulators specify.
The Enforcement Landscape
The scale of recent enforcement activity makes the stakes concrete:
| Period | Action | Amount / Scale |
|---|---|---|
| Full year 2025 | CBUAE fines across banks, exchange houses & insurers | AED 370m+ |
| May 2025 | Single exchange house — fundamental AML/CTF framework failures | AED 200m |
| May 2025 | Two foreign bank branches — similar AML/CTF breaches | AED 18.1m |
| Jan–Aug 2025 | 31 institutions fined: 13 exchange houses, 10 banks, 7 insurers, 1 finance company | 31 institutions |
| Jul–Oct 2024 | Licence suspensions — local gold refineries | 32 licences suspended |
| April 2025 | DFSA fine — virtual asset firm, AML failures & unlicensed activities | USD 8.85m |
Firms face licence suspensions, licence cancellations, and operational bans. Reputational damage in a market built significantly on trust and relationships can be harder to recover from than any fine.
Key Areas of Inspection Focus
Based on regulatory guidance and enforcement patterns emerging from the 2025 framework, these are the areas most likely to attract scrutiny during an inspection:
Generic Risk Assessments
If your Enterprise-Wide Risk Assessment does not specifically reflect your business, clients, and risk exposures, it will be identified as a weakness.
Beneficial Ownership Gaps
Identifying UBOs accurately and keeping those records current is consistently flagged as an area of failure across multiple sectors.
Low-Quality STR Narratives
Filing a report is not enough. The quality of the narrative matters — vague or formulaic reports raise questions about whether your monitoring programme is genuinely effective.
Poorly Calibrated TM Systems
Having a transaction monitoring system is a baseline. Demonstrating it is appropriately calibrated, regularly reviewed, and generating meaningful alerts is what regulators now look for.
goAML Non-Registration
Non-registration is treated as an automatic control failure, regardless of whether you have ever had suspicious activity to report.
Generic Staff Training
Training delivered uniformly to all staff does not meet the role-based standard set out in the CBUAE’s October 2025 best practices guidance.
Frequently Asked Questions
Reviewing your AML programme ahead of the June 2026 FATF Evaluation?
Nexiant works with compliance officers, legal teams, and risk professionals across financial institutions, fintechs, and DNFBPs operating in the UAE to build AML programmes genuinely fit for the current regulatory environment.
Get in touch with our teamThis article was accurate at the time of publication in March 2026 and is intended for general informational purposes only. It does not constitute legal advice. Regulated entities should seek qualified legal and compliance counsel in relation to their specific obligations under UAE law.
