AML/CFT Compliance in the UAE: The Complete Guide for 2026

The UAE’s anti-money laundering and counter-terrorist financing (AML/CFT) regime has undergone its most significant transformation in years. With Federal Decree-Law No. 10 of 2025 replacing the previous framework, Cabinet Decision No. 134 of 2025 introducing updated implementing regulations, and the 2026 FATF mutual evaluation placing every regulated entity under heightened scrutiny, the cost of non-compliance has never been higher.

This guide consolidates everything practitioners need to know about AML compliance in the UAE in 2026 — from the legal framework and supervisory landscape to core obligations, penalties, goAML reporting requirements, and the practical steps your organisation must take to remain compliant under a risk-based approach.

Quick Answer: What Is AML/CFT Compliance in the UAE?

AML/CFT compliance in the UAE is the set of legal obligations, internal controls, and supervisory requirements that financial institutions, designated non-financial businesses and professions (DNFBPs), and virtual asset service providers (VASPs) must implement to detect, prevent, and report money laundering, terrorist financing, and proliferation financing. The primary law is Federal Decree-Law No. 10 of 2025, enforced by multiple supervisory authorities including the CBUAE, Ministry of Economy, DFSA, FSRA, SCA, VARA, and the Financial Intelligence Unit (FIU). Non-compliance can result in administrative fines of up to AED 100 million for legal persons and criminal imprisonment of up to 10 years.

Key Takeaways

New law in force: Federal Decree-Law No. 10 of 2025 replaces No. 20 of 2018, introducing significantly higher penalties and broader scope covering VASPs, non-profit organisations, and beneficial ownership transparency.
Penalties have escalated dramatically: Administrative fines for legal persons can now reach AED 100 million per violation, up from AED 5 million under the previous regime.
The 2026 FATF mutual evaluation is the single most consequential event for the UAE’s compliance ecosystem. Every supervised entity should expect increased inspections and enforcement activity.
Risk-based approach is mandatory: Regulators expect documented, proportionate controls — not checkbox compliance.
goAML registration is compulsory for all reporting entities. Failure to register or file Suspicious Transaction Reports (STRs) is a criminal offence.
Independent AML audits are required annually for most regulated entities — not optional.
Beneficial ownership declarations are now subject to stricter verification requirements and must be kept current.

1. Why AML/CFT Compliance Matters in the UAE

The UAE occupies a unique position in global finance. As the Middle East’s largest financial hub, a gateway for international trade, and home to over 40 free zones, the country processes trillions of dirhams in cross-border transactions annually. This volume and connectivity create inherent money laundering and terrorist financing (ML/TF) risks that regulators — and global bodies like the Financial Action Task Force (FATF) — take extremely seriously.

Between 2020 and 2024, the UAE was placed on the FATF “grey list,” undergoing an intensive period of legislative reform, enforcement action, and institutional restructuring. The country exited the list in early 2024, but the compliance momentum has only accelerated since. The upcoming 2026 FATF mutual evaluation means that both technical compliance and the effectiveness of AML/CFT measures will be rigorously assessed.

For businesses, the practical implications are clear:

Regulatory enforcement is active and escalating. The CBUAE, Ministry of Economy, and free zone regulators have imposed record fines over the past 18 months.
Due diligence failures carry reputational risk that extends far beyond fines — banking relationships, partnerships, and market access are all at stake.
Supervisory expectations have matured. Regulators now expect demonstrably risk-based, technology-enabled compliance programmes — not static policy documents.

2. The Legal Framework: Federal Decree-Law No. 10 of 2025

The cornerstone of AML/CFT compliance in the UAE is Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations. This law replaced Federal Decree-Law No. 20 of 2018 and represents the UAE’s most comprehensive AML/CFT statute to date.

Key Changes from the Previous Law

While the 2018 law established the foundational framework, Decree-Law No. 10 of 2025 introduces several critical updates:

Expanded scope: Explicit inclusion of Virtual Asset Service Providers (VASPs) as reporting entities, alongside updated definitions for designated non-financial businesses and professions (DNFBPs).
Enhanced penalties: Administrative fines for legal persons increased to a maximum of AED 100 million per violation (previously AED 5 million). Individuals face fines up to AED 10 million.
Beneficial ownership transparency: Strengthened requirements for the identification, verification, and ongoing monitoring of ultimate beneficial owners (UBOs), aligned with FATF Recommendation 24.
Proliferation financing: Express provisions addressing the financing of proliferation of weapons of mass destruction, in line with updated FATF standards.
Targeted Financial Sanctions (TFS): Clearer implementation mechanisms for UN Security Council and UAE local sanctions lists, including obligations for immediate asset freezing without delay.
Non-profit organisations (NPOs): Specific requirements to prevent misuse for terrorist financing.

Cabinet Decision No. 134 of 2025

The implementing regulations under Cabinet Decision No. 134 of 2025 provide the detailed procedural requirements for compliance. These regulations specify:

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures
Record-keeping periods and formats
Requirements for the Compliance Officer and internal reporting mechanisms
Risk assessment methodologies
Transaction monitoring thresholds
Obligations regarding reliance on third parties for CDD

Together, the primary legislation and implementing regulations form the backbone of AML regulations in the UAE that every supervised entity must comply with.

Need a structured walkthrough of every compliance requirement? Download the AML Compliance Checklist for New UAE Businesses.

3. Who Must Comply: Regulated Entity Categories

The UAE’s AML/CFT regime applies to a broad range of entities. Understanding whether your organisation falls within scope is the first step toward compliance.

Licensed Financial Institutions (LFIs)

Banks (conventional and Islamic)
Finance companies and investment firms
Insurance companies and insurance intermediaries
Money exchange houses and money transfer businesses
Registered Hawala service providers (RHPs)
Securities and commodities firms
Fund managers and custodians
Payment service providers

Designated Non-Financial Businesses and Professions (DNFBPs)

Real estate agents and brokers
Dealers in precious metals and stones (DPMS)
Lawyers, notaries, and other independent legal professionals
Auditors and accountants
Company service providers (CSPs) and trust service providers

Virtual Asset Service Providers (VASPs)

Cryptocurrency exchanges and trading platforms
Wallet providers and custodians
Token issuers and transfer service providers
Any entity providing services involving virtual assets as defined under the law

Other Covered Entities

Non-profit organisations (NPOs) — subject to specific TF prevention requirements
Free zone entities — must comply with both federal law and applicable free zone regulations

If your entity operates across jurisdictions — for example, a DIFC-registered firm with mainland operations — you must satisfy the requirements of each applicable regulator. For a detailed breakdown, read our guide on AML Requirements: Mainland vs DIFC vs ADGM.

4. Supervisory Authorities: Who Regulates What

The UAE’s AML/CFT supervisory architecture involves multiple authorities, each with jurisdiction over specific entity types and geographic zones.

Central Bank of the UAE (CBUAE)

The CBUAE supervises banks, exchange houses, finance companies, payment service providers, registered Hawala providers, and insurance companies for AML/CFT compliance. It is the most active enforcement body, conducting regular on-site inspections and issuing substantial fines for deficiencies.

Ministry of Economy (MOE)

The MOE supervises DNFBPs operating on the UAE mainland, including real estate agents, DPMS, auditors, accountants, and CSPs. It has significantly expanded its inspection capacity since 2022 and now conducts both scheduled and surprise AML inspections.

Dubai Financial Services Authority (DFSA)

The DFSA regulates all firms operating within the Dubai International Financial Centre (DIFC). It applies its own AML/CFT Rulebook in addition to federal law requirements.

Financial Services Regulatory Authority (FSRA)

The FSRA supervises entities registered in the Abu Dhabi Global Market (ADGM), applying ADGM’s AML regulations alongside the federal framework.

Securities and Commodities Authority (SCA)

The SCA regulates securities firms, fund managers, and commodities brokers operating outside the financial free zones.

Virtual Assets Regulatory Authority (VARA)

VARA is the dedicated AML/CFT supervisor for VASPs operating in Dubai. Its regulatory framework includes specific requirements for virtual asset risk assessments, transaction monitoring for on-chain and off-chain transactions, and travel rule compliance.

Financial Intelligence Unit (FIU)

The UAE FIU, accessible through the goAML platform, is the central authority for receiving, analysing, and disseminating Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs). All reporting entities must register with the FIU and file reports through goAML.

Adil Zone Advisory

Not sure which regulator supervises your entity? Adil Zone’s compliance advisory team can map your regulatory obligations across all applicable supervisory authorities and jurisdictions. As an approved channel partner for ADGM, DIFC, DMCC, and eight additional free zones, we have direct experience with each regulator’s specific AML/CFT expectations. Talk to our AML advisory team.

5. Core AML/CFT Compliance Obligations

Every regulated entity must implement a comprehensive AML/CFT compliance programme built on the risk-based approach. The following obligations are not optional — they are legal requirements under Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025.

5.1 ML/TF Risk Assessment

The foundation of the entire compliance programme. Every entity must conduct and document a business-wide risk assessment that identifies, assesses, and understands its ML/TF risks across four dimensions:

Customer risk: Customer types, ownership structures, source of funds, geographic exposure
Product/service risk: Complexity, anonymity potential, transaction volume
Country/geographic risk: Exposure to high-risk jurisdictions, sanctioned countries, and jurisdictions with weak AML/CFT regimes
Delivery channel risk: Non-face-to-face relationships, digital channels, intermediated relationships

The risk assessment must be reviewed and updated annually, or whenever there is a material change in the business or regulatory environment. Learn how to build one from scratch in our guide to building an AML compliance programme.

5.2 Customer Due Diligence (CDD)

CDD is the process of identifying and verifying the identity of customers, beneficial owners, and persons acting on behalf of customers. Standard CDD must be conducted:

Before establishing a business relationship
Before carrying out a transaction for a walk-in customer above the applicable threshold
When there is a suspicion of ML/TF
When there are doubts about the accuracy of previously obtained identification data

For legal persons and arrangements, CDD includes identifying the ownership and control structure, verifying the identity of ultimate beneficial owners (UBOs) holding 25% or more (or in some cases, a lower threshold where the supervisor requires it), and understanding the nature and purpose of the business relationship.

5.3 Enhanced Due Diligence (EDD)

EDD is mandatory in higher-risk situations, including but not limited to:

Customers or beneficial owners who are Politically Exposed Persons (PEPs), their family members, or close associates
Business relationships and transactions with persons from high-risk countries identified by the FATF, the UAE, or the entity’s own risk assessment
Complex or unusually large transactions with no apparent lawful purpose
Correspondent banking relationships
New technologies or delivery channels that present elevated ML/TF risk

EDD measures must be proportionate to the level of risk identified and may include obtaining additional information on the source of wealth and source of funds, conducting adverse media checks, obtaining senior management approval, and increasing the frequency of ongoing monitoring.

5.4 PEP Screening

Entities must implement systems to determine whether a customer, beneficial owner, or person connected to a transaction is a PEP. This includes domestic PEPs, foreign PEPs (FPEPs), and persons entrusted with prominent functions by international organisations (HIOs). PEP screening must be conducted at onboarding and on an ongoing basis throughout the business relationship.

5.5 Transaction Monitoring

All regulated entities must establish systems for monitoring business relationships and transactions on an ongoing basis, to ensure that transactions are consistent with the entity’s knowledge of the customer, the customer’s business, risk profile, and where necessary, the source of funds.

Monitoring must be:

Risk-based: Higher-risk customers and transactions subject to more intensive monitoring
Documented: Rules, thresholds, and alert disposition must be recorded
Reviewed and updated: Monitoring parameters must evolve with the business and the threat landscape

5.6 Sanctions Screening

Every entity must screen customers, beneficial owners, and transactions against applicable sanctions lists, including:

UN Security Council Consolidated List
UAE Local Terrorist List
UAE Cabinet decisions implementing targeted financial sanctions
Other applicable lists as required by the supervisory authority (e.g., OFAC, EU, UK-HMT)

Screening must occur at onboarding, upon list updates, and during ongoing monitoring. For entities subject to Targeted Financial Sanctions (TFS), any match requires immediate freezing of assets without prior notice. Understand your obligations in detail: Targeted Financial Sanctions in the UAE.

5.7 Suspicious Transaction Reporting (STR/SAR Filing)

Where there are grounds for suspicion that a transaction or activity is related to money laundering, terrorist financing, or the proceeds of a predicate offence, the entity must file a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) with the FIU through the goAML platform. This obligation exists regardless of the transaction amount.

Failure to report a suspicious transaction is a criminal offence under Federal Decree-Law No. 10 of 2025.

5.8 Record Keeping

All records relating to customer identification, transactions, correspondence, and internal analysis must be retained for a minimum of five years from the date of the transaction or the termination of the business relationship — whichever is later. Records must be sufficient to permit reconstruction of individual transactions and must be available to competent authorities upon request.

5.9 Compliance Training

Entities must provide regular AML/CFT training to all relevant employees, including:

Board members and senior management
The Compliance Officer / MLRO and compliance team
Front-line staff involved in customer onboarding, transactions, and relationship management
Any personnel who may encounter suspicious activity

Training must be documented, relevant to the employee’s role, and updated to reflect regulatory changes. Supervisory authorities review training records during inspections.

5.10 Independent AML Audit

Regulated entities are required to undergo an independent audit of their AML/CFT compliance programme on an annual basis (or as specified by the supervisory authority). The audit must be conducted by a qualified, independent party and must assess the adequacy and effectiveness of the entity’s policies, procedures, controls, and risk management framework.

The audit report, including any findings and the entity’s Remedial Action Plan (RAP), must be made available to the supervisory authority upon request. Learn how to prepare: How to Prepare for an AML Inspection in the UAE.

First Compliance: AML Software Built for UAE Regulations

Managing CDD, sanctions screening, PEP checks, transaction monitoring, and goAML reporting manually is no longer viable at scale. First Compliance is Adil Zone’s AI-powered compliance platform, built by compliance professionals and anti-financial crime specialists, screening against 1,800+ global sanction lists and 5.5 million+ PEP records.

Modules include KYC management, document management, risk scoring, transaction monitoring with automated goAML reporting, case management, and multi-level approval workflows — all 100% customisable to your entity’s risk profile and regulatory requirements.

Explore First Compliance.

6. goAML Registration and Reporting

The goAML platform, developed by the United Nations Office on Drugs and Crime (UNODC) and operated by the UAE Financial Intelligence Unit (FIU), is the mandatory channel for all suspicious transaction reporting in the UAE.

Who Must Register

All Licensed Financial Institutions, DNFBPs, and VASPs operating in the UAE must register on the goAML platform. Registration is not optional — it is a legal requirement regardless of whether the entity has filed, or expects to file, an STR.

Reporting Obligations

STR (Suspicious Transaction Report): Filed when there are reasonable grounds to suspect that funds or a transaction are related to ML/TF or the proceeds of crime.
SAR (Suspicious Activity Report): Filed for suspicious activity that does not necessarily involve a completed transaction.
DPMS Report: Dealers in Precious Metals and Stones must report cash transactions of AED 55,000 or above through goAML.
Threshold-based reports: As may be required by the supervisory authority for specific sectors.

Filing Best Practices

File promptly — unjustified delays in reporting can constitute a violation.
Provide complete and accurate information, including supporting documentation.
Maintain confidentiality — tipping off the subject of an STR is a criminal offence.
Retain a copy of every report and the entity’s internal analysis.

For a step-by-step walkthrough of the registration process, read our goAML Registration Guide for 2026.

7. Penalties for Non-Compliance

Federal Decree-Law No. 10 of 2025 introduced a substantially expanded penalty regime. The consequences of non-compliance are now severe enough to threaten the viability of any business operating in the UAE.

Administrative Penalties

Violation Category	Natural Persons	Legal Persons
Failure to conduct risk assessment	Up to AED 10 million	Up to AED 100 million
CDD deficiencies	Up to AED 10 million	Up to AED 100 million
Failure to report (STR/SAR)	Up to AED 10 million	Up to AED 100 million
Sanctions screening failure	Up to AED 10 million	Up to AED 100 million
Record-keeping violations	Up to AED 5 million	Up to AED 50 million

Additional administrative sanctions include written warnings, orders to take corrective action, restrictions on business activities, suspension or revocation of licenses, and prohibition of individuals from holding management positions in regulated entities.

Criminal Penalties

Money laundering conviction: Imprisonment of up to 10 years and/or a fine of up to AED 5 million.
Terrorist financing conviction: Imprisonment of up to life and/or a fine of up to AED 50 million.
Failure to report suspicion: Imprisonment of up to 5 years and/or a fine of up to AED 1 million.
Tipping off: Imprisonment of up to 3 years and a fine.
Confiscation: Courts may order confiscation of funds, proceeds, and instrumentalities involved in the offence.

The key message for compliance officers and senior management: the risk of personal criminal liability is real. Directors and officers who fail to implement adequate AML/CFT controls can be held individually accountable.

8. The 2026 FATF Mutual Evaluation: What It Means for Your Business

The FATF conducts periodic mutual evaluations of its member countries to assess the effectiveness of their AML/CFT systems. The UAE’s 2026 mutual evaluation is a landmark event that will determine the country’s compliance rating against the FATF’s 40 Recommendations and 11 Immediate Outcomes.

Why This Evaluation Matters

National reputation: The evaluation result directly affects the UAE’s standing as a global financial centre. A poor outcome could lead to grey-listing or enhanced monitoring.
Enforcement intensity: Regulators have been proactively stepping up inspections, enforcement actions, and guidance issuance to demonstrate effectiveness ahead of the evaluation.
Private sector impact: Assessors interview private sector entities, review compliance files, and evaluate whether supervisors are achieving their objectives. Your business may be selected for assessment.
Ongoing monitoring: Entities that demonstrate deficiencies during the evaluation period may face targeted supervisory action.

How to Prepare

Ensure your risk assessment is current, documented, and reflects the actual risk profile of the business.
Verify that your CDD/EDD procedures are applied consistently, not just documented.
Confirm your sanctions and PEP screening systems are operational and calibrated.
Review your STR filing history — regulators will question entities that have never filed, particularly in higher-risk sectors.
Ensure your training records are up to date and role-specific.
Conduct or commission an independent AML audit proactively — do not wait for the supervisory request.

For a deeper analysis, read FATF Mutual Evaluation 2026: What UAE Businesses Need to Know.

9. How Adil Zone Helps You Achieve and Maintain AML/CFT Compliance

Adil Zone Corporate Services is an ISO 27001 and ISO 9001:2015 certified compliance advisory firm with deep expertise across the full spectrum of UAE AML/CFT obligations. As an affiliate of Anjarwalla Collins & Haidermota (AC&H) — the regional office of Africa Legal Network — our advisory is grounded in regulatory and legal expertise, not generic consulting.

AML Policy Development and Risk Assessment

We design tailored AML/CFT policies, procedures, and risk assessment frameworks aligned with Federal Decree-Law No. 10 of 2025, FATF Recommendations, and the specific requirements of your supervisory authority. Our risk assessments cover the full ML/TF risk taxonomy including customer, product, geographic, and delivery channel risk dimensions.

First Compliance Software Platform

First Compliance is our proprietary, AI-powered compliance platform that automates:

KYC and CDD management with multi-level approval workflows
Sanctions and PEP screening against 1,800+ global lists and 5.5M+ records
Transaction monitoring with configurable rules and alert management
Automated goAML reporting integrated directly into the STR workflow
Document management and audit trail for regulatory inspection readiness
Risk scoring with customisable methodologies aligned to your risk appetite

Unlike generic compliance tools, First Compliance was built by lawyers, compliance professionals, and anti-financial crime specialists specifically for the UAE regulatory environment. It is 100% customisable, supports unlimited users and locations, and includes E-KYC integration.

Compliance 360 Training Programmes

Our Compliance 360 training catalogue includes 32 specialised courses covering every aspect of AML/CFT compliance — from foundational AML and KYC training through to advanced sanctions screening, transaction monitoring design, trade-based money laundering, and cryptocurrency compliance. Courses are available for financial institutions, DNFBPs, senior management, MLROs, and sector-specific roles including DPMS, real estate brokers, and auditing firms.

Independent AML Audit

Adil Zone conducts independent AML/CFT audits for entities regulated by the CBUAE, Ministry of Economy, DFSA, VARA, and other supervisory bodies. Our audit programme evaluates AML policies, transaction monitoring effectiveness, sanctions screening accuracy, CDD file quality, training adequacy, and overall programme governance. Each audit concludes with a detailed findings report and a practical Remedial Action Plan (RAP).

goAML Registration Assistance

We guide entities through the complete goAML registration process and provide ongoing support for STR/SAR drafting and filing. For DPMS clients, we offer an automated DPMSR reporting solution for transactions at or above AED 55,000.

Workforce Supply for Compliance Functions

For organisations that need to build or supplement their compliance team, Adil Zone provides experienced compliance executives with specialised skills in KYC, screening, risk assessment, EDD, monitoring, and document management.

Ready to assess your AML/CFT compliance posture? Contact Adil Zone for a free consultation and gap analysis.

10. Frequently Asked Questions

What is AML/CFT compliance and why is it required in the UAE?

AML/CFT compliance refers to the legal and regulatory requirements for detecting, preventing, and reporting money laundering, terrorist financing, and proliferation financing. In the UAE, compliance is required under Federal Decree-Law No. 10 of 2025 and its implementing regulations. All financial institutions, DNFBPs, and VASPs must implement a risk-based compliance programme that includes customer due diligence, transaction monitoring, sanctions screening, suspicious transaction reporting, staff training, and independent audit.

Who needs to comply with UAE AML/CFT laws?

All Licensed Financial Institutions (banks, exchange houses, insurance companies, finance companies, payment service providers), Designated Non-Financial Businesses and Professions (real estate agents, DPMS, lawyers, accountants, company service providers), and Virtual Asset Service Providers (exchanges, wallet providers, token issuers). This applies to entities operating on the mainland, in free zones (DIFC, ADGM, DMCC, etc.), and in special economic zones.

What are the penalties for AML non-compliance in the UAE in 2026?

Under Federal Decree-Law No. 10 of 2025, administrative fines for legal persons can reach AED 100 million per violation. Natural persons face fines up to AED 10 million. Criminal penalties for money laundering include imprisonment of up to 10 years, while terrorist financing convictions can result in life imprisonment. Additional sanctions include license revocation, activity restrictions, and personal liability for directors and compliance officers.

What is goAML and how do I register?

goAML is the UAE Financial Intelligence Unit’s secure platform for submitting Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other mandatory reports. Registration is compulsory for all reporting entities and is completed through the goAML portal. The process requires submission of entity details, compliance officer information, and supporting documentation. For a step-by-step walkthrough, see our goAML Registration Guide.

What is the difference between CDD and EDD?

Customer Due Diligence (CDD) is the standard process of identifying and verifying customers and beneficial owners before establishing a business relationship. Enhanced Due Diligence (EDD) involves additional measures applied to higher-risk situations — such as PEPs, high-risk jurisdictions, complex transactions, or correspondent banking — including deeper source-of-wealth inquiries, adverse media screening, and senior management approval.

How often should an AML risk assessment be updated?

The business-wide ML/TF risk assessment should be reviewed and updated at least annually, or more frequently if there is a material change in the business (new products, markets, or customer segments), regulatory requirements, or the external threat environment. The risk assessment should be a living document that directly informs your compliance programme’s controls and resource allocation.

Is an independent AML audit mandatory in the UAE?

Yes, for most regulated entities. The law and supervisory authorities require an independent audit of the AML/CFT compliance programme on a regular basis — typically annually. The audit must be conducted by an independent, qualified party (not the entity’s internal compliance team) and must assess the adequacy and effectiveness of policies, procedures, controls, and training. The resulting report and Remedial Action Plan must be retained and made available to regulators.

What should I do to prepare for the 2026 FATF mutual evaluation?

Treat this as an urgent compliance priority. Review and update your risk assessment, ensure CDD/EDD is applied consistently across all business relationships, verify your sanctions and PEP screening systems are operational, audit your STR filing history (particularly if you have never filed), confirm all staff training is current and role-specific, and commission an independent AML audit. Regulators are increasing inspections ahead of the evaluation, so proactive action is essential.