AML Compliance in the UAE: A 2026 Governance Guide for Businesses
A practical 2026 guide to AML compliance in the UAE, covering governance, CDD, beneficial ownership, transaction monitoring, suspicious reporting, training and board oversight.
Why AML compliance now sits at board level
AML compliance in the UAE has moved from a specialist back-office issue to a board and senior management responsibility. The reason is simple: financial crime controls now affect licensing, banking relationships, investor confidence, audit readiness and transaction execution.
The UAE’s current federal framework is anchored in Federal Decree by Law No. 10 of 2025 on anti-money laundering, combating the financing of terrorism and proliferation financing. The official UAE legislation platform lists the law as active, issued on 30 September 2025 and effective from 14 October 2025.
That matters because many internal policies still refer to the 2018 framework. Federal Decree by Law No. 10 of 2025 expressly repealed Federal Decree by Law No. 20 of 2018, while preserving earlier regulations and circulars only where they did not conflict until superseded.
For businesses, the practical message is not to panic. It is to update the control environment. The operating pillars are familiar: CDD, KYC, EDD, transaction monitoring, suspicious reporting, training and internal audit. These remain useful as a management framework.
What the UAE framework expects in practice
The UAE framework covers financial institutions, designated non-financial businesses and professions, virtual asset service providers and certain non-profit organisations. Cabinet Resolution No. 134 of 2025 sets out executive regulations for the 2025 AML law and expressly refers to financial institutions, DNFBPs and virtual asset service providers throughout its customer due diligence framework.
In practice, a business should be able to answer five questions clearly:
- Who is the customer?
- Who ultimately owns or controls the customer?
- What is the purpose and expected nature of the relationship?
- What level of risk does the customer, product, geography or transaction create?
- What evidence shows that monitoring, escalation and reporting decisions were made properly?
These questions should be answered before onboarding and refreshed when the relationship changes.
Good AML governance is not defined by how many documents a business collects, but by whether the documents explain the risk and support a defensible decision. — The Consulting Journal
Customer due diligence is the operating core
Customer due diligence is the first control layer. Cabinet Resolution No. 134 of 2025 requires financial institutions, DNFBPs and virtual asset service providers to verify the identity of the customer and beneficial owner before or during the establishment of a business relationship, or before carrying out a transaction where there is no existing relationship.
That does not mean every customer receives the same process. A risk-based approach should separate low-risk, standard-risk and high-risk relationships. The mistake many firms make is collecting documents without writing a risk conclusion.
A practical CDD file should include:
- identity and registration documents;
- beneficial ownership information;
- source of funds or source of wealth where relevant;
- sanctions, PEP and adverse media screening results;
- expected transaction profile;
- risk rating and rationale;
- approval evidence, especially for higher-risk cases.
The file should be easy to review months later. A regulator, bank, auditor or buyer should be able to understand what was known, what was checked and why the relationship was approved.
Enhanced due diligence needs senior attention
Enhanced due diligence should apply when risk indicators justify deeper review. Common triggers include politically exposed persons, complex ownership chains, offshore holding structures, high-value cash exposure, unusual payment routes, customers linked to high-risk jurisdictions, or activity that does not fit the customer’s stated profile.
EDD does not need to be theatrical. It should be specific. For example, a real estate broker handling a high-value cross-border transaction may need to verify the buyer’s beneficial owner, understand the origin of funds, screen the parties, review the payment path and document why the transaction is commercially coherent.
Senior management should not approve EDD files with a simple signature. The approval should show that the risk was understood and either accepted with controls or declined.
Beneficial ownership is a governance issue
Beneficial ownership work is not only a compliance step. It is also a governance safeguard. A UAE company may appear straightforward at trade licence level while the actual control chain sits through multiple shareholders, nominees, trusts or offshore vehicles.
Federal Decree by Law No. 10 of 2025 defines supervisory authorities as federal and local authorities entrusted with supervising financial institutions, DNFBPs, virtual asset service providers and non-profit organisations. It also includes definitions for the Financial Intelligence Unit, the National Committee and targeted financial sanctions.
A sound beneficial ownership process should identify the natural persons who ultimately own or control the customer. Where ownership is layered, the business should map the chain, retain evidence and record any gaps or assumptions.
Where information is incomplete, the business should not simply proceed because a commercial team wants the customer onboarded. The unresolved ownership risk should be escalated.
Transaction monitoring must match the business model
Transaction monitoring is often misunderstood. It is not only software. It is a method for comparing actual behaviour against expected behaviour.
For a payment business, monitoring may focus on velocity, counterparties, corridors and transaction patterns. For a real estate brokerage, it may focus on unusual payment structures, third-party payments, rapid resale or unexplained buyer profiles. For a precious metals dealer, it may focus on cash exposure, repeat purchases and inconsistent customer behaviour.
The UAE’s 2025 executive regulations also address virtual asset activities, including exchange between virtual assets and fiat currencies, exchange between virtual assets, transfer of virtual assets, custody, administration and participation in related financial services.
The monitoring design should therefore reflect the actual risk. A generic alert list copied from another sector is rarely enough.
Suspicious reporting requires a clear escalation path
The Financial Intelligence Unit is central to suspicious reporting. Federal Decree by Law No. 10 of 2025 identifies the Unit as the Financial Intelligence Unit established under the law, while the executive regulations describe the Unit’s competence to receive, examine, analyse and retain reports from financial institutions, DNFBPs and virtual asset service providers.
A business should have a documented process for internal suspicious activity escalation. Staff should know who receives the concern, what must be included, how confidentiality is protected and who decides whether to file.
The compliance officer should record both outcomes: why a report was filed, or why the matter was retained with no filing. Silence is not a control. A written decision is.
Example 1: A real estate firm fixes a weak onboarding file
A Dubai real estate brokerage receives an enquiry from a foreign buyer using a corporate vehicle. The initial file contains a passport copy, trade licence and signed reservation form. The payment is expected from a third-party account.
Under a stronger AML process, the brokerage pauses completion. It requests the corporate ownership chart, identifies the beneficial owner, screens all relevant parties, asks for the commercial reason for the third-party payment and escalates the matter to the compliance officer.
The transaction may still proceed. But it should proceed only if the payment route, ownership and source of funds are understood and documented. If the explanation is weak, the firm should consider declining the transaction and assessing whether reporting obligations arise.
Example 2: A fintech recalibrates monitoring rules
A UAE fintech notices that several newly onboarded customers are sending frequent small transfers to the same overseas beneficiaries. Individually, the transfers are below internal review thresholds. Collectively, the pattern does not match the customers’ stated profiles.
The compliance team updates monitoring rules to identify linked transactions, repeat beneficiaries and rapid activity after onboarding. It also adds a case review process that combines automated alerts with human analysis.
This is a practical improvement because it connects onboarding data with actual behaviour. AML systems work best when they learn from the business’s own risk experience.
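The recalibrated rule from Example 2, sketched as an added example that is not part of the original article or any firm's actual system: it joins onboarding dates to transfers and alerts on linked sub-threshold payments to one beneficiary. The threshold, the new-customer window, the sender count and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed parameters, for illustration only; a firm calibrates its own.
REVIEW_THRESHOLD = 5000      # per-transfer amount that already triggers review
NEW_CUSTOMER_DAYS = 30       # "rapid activity after onboarding" window
MIN_LINKED_SENDERS = 2       # distinct customers paying the same beneficiary

# Constructed sample data: customer id -> onboarding date.
ONBOARDED = {
    "C1": date(2026, 1, 5),
    "C2": date(2026, 1, 7),
    "C3": date(2025, 3, 1),
}
# Constructed transfers: (customer, beneficiary, amount, value date).
TRANSFERS = [
    ("C1", "BEN-A", 1900, date(2026, 1, 8)),
    ("C1", "BEN-A", 1800, date(2026, 1, 10)),
    ("C2", "BEN-A", 1950, date(2026, 1, 9)),
    ("C2", "BEN-A", 1700, date(2026, 1, 12)),
    ("C3", "BEN-B", 1200, date(2026, 1, 9)),   # long-standing customer
    ("C1", "BEN-C", 9000, date(2026, 1, 11)),  # caught by the per-transfer rule
]

def linked_beneficiary_alerts(onboarded, transfers):
    """Group sub-threshold transfers from newly onboarded customers by
    beneficiary and alert when the linked total reaches the threshold."""
    groups = defaultdict(list)
    for customer, beneficiary, amount, when in transfers:
        if amount >= REVIEW_THRESHOLD:
            continue  # already reviewed individually
        age = when - onboarded[customer]
        if timedelta(0) <= age <= timedelta(days=NEW_CUSTOMER_DAYS):
            groups[beneficiary].append((customer, amount))
    alerts = []
    for beneficiary, items in sorted(groups.items()):
        senders = sorted({c for c, _ in items})
        total = sum(a for _, a in items)
        if len(senders) >= MIN_LINKED_SENDERS and total >= REVIEW_THRESHOLD:
            alerts.append({"beneficiary": beneficiary, "customers": senders,
                           "transfers": len(items), "total": total})
    return alerts

if __name__ == "__main__":
    for alert in linked_beneficiary_alerts(ONBOARDED, TRANSFERS):
        print(alert)
```

Each alert is an input to the human case review described above, not a filing decision in itself.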
Training and audit make the framework real
Training should be role-specific. Front-line sales staff need to spot red flags. Finance teams need to recognise unusual payments. Senior managers need to understand when risk acceptance is required. Compliance staff need deeper training on screening, escalation and reporting.
Internal audit should test evidence rather than policy language. It should sample customer files, review risk ratings, check screening records, test alert closure quality, inspect training attendance and assess whether old policies refer to repealed legislation.
The outcome should be a remediation plan with owners, deadlines and board visibility.
Practical checklist
- Update AML policies to reflect Federal Decree by Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.
- Map whether the business is a financial institution, DNFBP, virtual asset service provider or otherwise exposed entity.
- Refresh customer risk assessment methodology.
- Review beneficial ownership collection and verification steps.
- Re-test sanctions, PEP and adverse media screening controls.
- Define EDD triggers and senior management approval requirements.
- Align transaction monitoring scenarios with the actual business model.
- Document suspicious activity escalation and decision-making.
- Maintain training records by role and date.
- Run periodic internal audits and track remediation to closure.
Final governance point
AML compliance in the UAE should be treated as an operating discipline. It is not enough to have a policy, a compliance officer and a training deck. The business must show how risk is identified, assessed, approved, monitored, escalated and corrected.
Boards and founders should ask for evidence: overdue reviews, high-risk customer counts, unresolved alerts, declined relationships, training completion, STR decision logs and audit findings. These indicators give management a clearer view of whether AML controls are alive or merely documented.
This article is for informational purposes and does not constitute legal or tax advice.
Questions and answers
Which UAE law should businesses refer to for AML compliance in 2026?
Businesses should review Federal Decree by Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, together with applicable regulator guidance. Internal policies that still rely only on the 2018 framework should be updated.
Does AML compliance apply only to banks in the UAE?
No. The framework can apply to financial institutions, designated non-financial businesses and professions, virtual asset service providers and certain non-profit organisations. Real estate, precious metals, professional services and virtual asset businesses may all have AML obligations depending on their activities.
What is the difference between CDD and EDD?
CDD is the standard process of identifying and verifying customers and beneficial owners. EDD is a deeper review for higher-risk relationships, such as complex ownership, politically exposed persons, high-risk jurisdictions or unusual transaction behaviour.
How often should a UAE business review AML files?
Review frequency should follow the risk rating. High-risk customers typically require more frequent review, while lower-risk customers may be reviewed on a longer cycle, provided there are no material changes or unusual transactions.
What is the most common AML weakness for growing businesses?
The common weakness is not the absence of documents, but the absence of a clear risk conclusion. A file should explain who was checked, what was found, why the customer was accepted and what monitoring or restrictions apply.