UAE law firms and legal consultancies are now operating under one of the most demanding AML supervisory regimes in the region. Federal Decree-Law No. 10 of 2025 reset the rules in October 2025, Cabinet Decision No. 134 of 2025 added detailed executive regulations, and the Ministry of Justice has signalled a sharp uplift in inspections of mainland legal practices. If your firm advises on real estate transactions, manages client funds, sets up companies, or holds title to assets on behalf of clients, AML compliance for law firms in the UAE is no longer a back-office formality. It is a board-level risk.
Quick Answer
UAE law firms are classified as Designated Non-Financial Businesses and Professions (DNFBPs) and are required to comply with Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025. Mainland law firms are supervised by the Ministry of Justice, while law firms in DIFC and ADGM are supervised by the DFSA and FSRA respectively. Every firm must register on goAML, appoint an MLRO, complete an enterprise-wide risk assessment, run risk-based CDD, monitor transactions, file STRs, and undergo independent AML/CFT audits. Administrative penalties now reach AED 100 million for legal persons, alongside criminal exposure for partners and MLROs.
Key Takeaways
- Law firms are DNFBPs: Five lawyer activities trigger AML obligations under UAE law, including buying or selling real estate, managing client money, and creating legal entities.
- Three supervisors, one law: Ministry of Justice (mainland), DFSA (DIFC), and FSRA (ADGM) all enforce Federal Decree-Law No. 10 of 2025 and its executive regulations.
- Penalties have multiplied: Legal-person fines now range from AED 5 million to AED 100 million, up from AED 500,000 to AED 50 million under the repealed regime.
- Proliferation Financing is now in scope: Law firms must screen, monitor, and report for PF risk, not only ML and TF.
- Effectiveness over policy: Supervisors no longer accept paper compliance. They test whether policies actually identify, mitigate, and report risk.
- Independent audit is mandatory: Every DNFBP, including law firms, must appoint an independent auditor to evaluate the AML/CFT/CPF programme.
- 2026 is a high-watch year: FATF re-evaluation pressure has pushed UAE supervisors into a sustained enforcement cycle that already produced AED 42 million in DNFBP fines in H1 2025 alone.
1. When a Law Firm Becomes a DNFBP Under UAE Law
A common misconception is that only law firms with active money-handling mandates are caught by the AML regime. Federal Decree-Law No. 10 of 2025, in line with FATF Recommendation 22, takes a wider view. A UAE-licensed lawyer, legal consultant, or notary becomes a DNFBP the moment they prepare for, or carry out, any of the following on behalf of a client:
- Buying or selling real estate.
- Managing client money, securities, or other assets.
- Managing bank, savings, or securities accounts.
- Organising contributions for the creation, operation, or management of companies.
- Creating, operating, or managing legal persons or arrangements, including foundations, trusts, and SPVs, and the buying or selling of business entities.
If your firm advises on freezone licensing, structures family offices, drafts shareholder agreements involving share transfers, manages an escrow client account, or holds nominee directorships, you are inside the perimeter. The trigger is the activity, not the size of the firm.
1.1 Mainland, DIFC, and ADGM: Three Supervisors
The same federal AML law applies across the UAE, but supervisory authority differs by jurisdiction:
- Mainland law firms (Dubai, Abu Dhabi, Sharjah, and other emirates): Supervised by the Ministry of Justice (MoJ). The MoJ reviews MLRO appointments, conducts inspections, and imposes administrative penalties on practices licensed outside the financial freezones.
- DIFC law firms: Supervised by the Dubai Financial Services Authority (DFSA), which applies its own DNFBP rulebook on top of the federal law.
- ADGM law firms: Supervised by the Financial Services Regulatory Authority (FSRA) under the ADGM AML and Sanctions Rules.
Cross-border firms with offices in more than one jurisdiction must align their group AML programme with the strictest applicable rule, then layer in jurisdiction-specific add-ons. A single, watered-down group policy will not survive a focused inspection.
2. The Federal Decree-Law No. 10 of 2025 Reset
Federal Decree-Law No. 10 of 2025 replaced Federal Decree-Law No. 20 of 2018 and recalibrated the entire UAE financial-crime framework. The changes that matter most to lawyers and legal consultants are:
2.1 Proliferation Financing as a Standalone Offence
For the first time, Countering Proliferation Financing (CPF) is a standalone obligation, not a footnote to sanctions screening. Law firms must now identify and mitigate PF risk in their client onboarding, ongoing monitoring, and reporting frameworks. A client structuring trade in dual-use goods, or a client connected to a sanctioned export-control regime, is a CPF red flag that must be analysed and, if necessary, reported.
2.2 Higher Administrative Fines
The penalty band for legal persons committing AML, TF, or PF offences has moved up sharply, from a range of AED 500,000 to AED 50 million under the old regime to a range of AED 5 million to AED 100 million, or an amount equivalent to the criminal property involved, under the new regime. Natural persons (managing partners, MLROs, board members) face fines up to AED 5 million plus imprisonment for serious failures.
2.3 Effectiveness-Based Supervision
Cabinet Decision No. 134 of 2025 makes it explicit that supervisors will assess the effectiveness of the AML programme, not the existence of policies on paper. A risk assessment that does not match the firm’s actual client base, a sanctions screening tool that has not been calibrated to UAE Local Terrorist List sources, or transaction monitoring rules that have never triggered an alert will be treated as control failures.
2.4 Tighter Beneficial Ownership Rules
Lawyers are routinely engaged to set up holding structures and SPVs, which makes UBO transparency a daily compliance issue. Firms must verify beneficial owners at the 25% threshold, document senior managing official fallbacks where no natural person meets the threshold, and re-verify when ownership changes.
3. The Six Pillars of a Law-Firm AML Programme
A defensible AML/CFT/CPF programme for a UAE law firm rests on six interlocking components. Treat them as a system, not a checklist.
3.1 Enterprise-Wide Risk Assessment (EWRA)
Your EWRA is the foundation. It must analyse:
- Customer risk: PEPs, foreign clients from high-risk jurisdictions, complex ownership chains, cash-intensive sectors, opaque trusts.
- Service risk: Real-estate conveyancing, company formation, fiduciary services, escrow, nominee arrangements, trust administration.
- Geographic risk: Clients or counterparties from FATF-listed grey or black-list jurisdictions, or jurisdictions with weak corporate transparency.
- Delivery channel risk: Non-face-to-face onboarding, intermediary referrals, online instruction without verification.
The EWRA must be reviewed at least annually, and re-run whenever the firm enters a new practice area, opens a new office, or onboards a fundamentally different client profile.
3.2 Risk-Based CDD, SDD, and EDD
Customer due diligence is the operational core. The federal law and Cabinet Decision No. 134 of 2025 require:
- Standard CDD for normal-risk clients: identify and verify the client and the beneficial owner; understand the purpose and nature of the engagement.
- Simplified Due Diligence (SDD) only when documented low risk is established (for example, a UAE-listed entity with full transparency). SDD is not a default; it is an exception.
- Enhanced Due Diligence (EDD) for higher-risk clients: PEPs, high-risk jurisdictions, complex structures, large cash transactions, and any client whose risk score crosses the firm’s EDD threshold. EDD includes source-of-funds and source-of-wealth verification, senior management approval, and enhanced ongoing monitoring.
3.3 Sanctions and PEP Screening
Lawyers must screen every client, beneficial owner, and connected party against:
- UN Security Council Consolidated Sanctions List.
- UAE Local Terrorist List.
- Other relevant lists including OFAC, EU, UK HMT, where the engagement has a nexus to those jurisdictions.
- PEP and Relatives and Close Associates (RCA) lists.
Manual spreadsheet screening will not pass an effectiveness test. The screening tool must be auditable, version-controlled, and able to demonstrate matches and false-positive disposition.
3.4 Ongoing Monitoring and Transaction Review
For law firms holding client money, ongoing monitoring of inflows and outflows from the client account is mandatory. Firms must apply rules-based or behavioural monitoring, document alert disposition, and feed unresolved alerts into the STR pipeline.
3.5 STR/SAR Filing via goAML
Every UAE law firm must register on the goAML portal of the UAE Financial Intelligence Unit and file Suspicious Transaction Reports without delay when suspicion arises. Tipping off the client about an STR is itself a criminal offence. Firms must also be prepared for Dealer in Precious Metals and Stones Reports (DPMSR) where the engagement involves transactions in precious metals or stones at or above the AED 55,000 threshold.
3.6 Independent Audit, Training, and Record-Keeping
The programme must close the loop with:
- Independent AML/CFT/CPF audit at a frequency commensurate with risk (typically annual for medium and high-risk firms).
- Annual mandatory training for all partners, fee-earners, and support staff who interact with clients or transactions, with role-specific deeper training for the MLRO and senior management.
- Record retention of at least five years from the end of the relationship or the date of the transaction, including CDD documents, transaction records, STR documentation, and training logs.
4. The MLRO: Role, Authority, and Personal Liability
The Money Laundering Reporting Officer (MLRO), sometimes called the Compliance Officer in DNFBP guidance, is the firm’s central nervous system. The role is not a part-time hat for the office manager.
4.1 Statutory Duties
- Acting as the firm’s main point of contact with the supervisor and the FIU.
- Reviewing internal escalations and deciding whether to file an STR or DPMSR.
- Maintaining and testing the AML programme.
- Reporting to the firm’s senior management on programme effectiveness, alert volumes, training completion, and inspection readiness.
4.2 Independence and Authority
The MLRO must have direct access to senior management, sufficient seniority to challenge fee-earners, and protection against conflicts of interest. A junior lawyer reporting to the same partner who pushes for a client’s onboarding cannot, in practice, exercise independent judgment.
4.3 Personal Liability
Under the new regime, MLROs face personal administrative and criminal exposure for serious failures, including failure to file an STR, tipping off, and gross negligence in monitoring. This makes the appointment, support, and resourcing of the MLRO a partner-level decision.
5. Inspections, Penalties, and the 2026 Enforcement Climate
The Ministry of Economy and Tourism (MoET) reported 1,063 DNFBP compliance violations and over AED 42 million in administrative fines during the first half of 2025 alone, across DNFBP sectors under its supervision. The Ministry of Justice has been pushing the same enforcement curve for legal professionals. The 2026 FATF mutual evaluation makes any reduction in supervisory pressure unlikely before the evaluation cycle is complete.
5.1 What an Inspection Looks Like
A typical MoJ or financial freezone inspection for a law firm covers:
- Reviewing the EWRA and the firm’s risk register.
- Sampling client files for CDD completeness, EDD application, and beneficial ownership documentation.
- Testing the sanctions screening tool with live and historical names.
- Reviewing alert and STR logs, including timing of escalations.
- Interviewing the MLRO and a sample of fee-earners on AML knowledge.
- Reviewing training records and the most recent independent audit report and remedial action plan.
5.2 Penalty Spectrum
| Failure Category | Typical Range | Aggravating Factors |
|---|---|---|
| Failure to register on goAML | AED 50,000 to AED 1,000,000 | Repeat failure, refusal to remediate |
| Failure to apply CDD | AED 50,000 to AED 5,000,000 | High-risk client, large value, repeat |
| Failure to file STR | AED 100,000 to AED 5,000,000 | Knowledge of suspicion, tipping off |
| Programme-wide failure (legal person) | AED 5,000,000 to AED 100,000,000 | Equivalent to criminal property where higher |
| Personal liability (managing partner, MLRO) | Up to AED 5,000,000 plus imprisonment | Wilful negligence, complicity |
5.3 Reputational and Licensing Impact
Beyond fines, repeat or material AML failures can trigger licence suspension, denial of MLRO approvals, public disclosure on supervisor websites, and downstream impacts on bank account renewals and PI insurance pricing. For a law firm, the brand cost often exceeds the financial cost.
6. Sector-Specific Risks: Where Law Firms Get Caught
Not every legal practice has the same risk profile. The MoJ and the financial freezone supervisors apply a risk-based lens, which means firms in higher-risk practice areas attract more scrutiny.
6.1 Real Estate and Conveyancing
Real-estate transactions are one of the most-cited DNFBP risk areas in UAE supervisory reports. Law firms that handle deposits, escrow, or off-plan structuring must apply EDD where the buyer is a foreign PEP, where funds originate from a high-risk jurisdiction, or where the transaction price diverges materially from market value. See our guide on money laundering through real estate in the UAE for sector-specific red flags.
6.2 Corporate Structuring and SPVs
Setting up holding companies, SPVs, and trusts is bread-and-butter work for many UAE law firms, and it is also the most exploited route for opaque ownership. Firms must document the rationale for the structure, identify beneficial owners at 25%, and apply EDD where the structure crosses multiple jurisdictions or features nominees. Our deep-dive on beneficial ownership obligations in the UAE covers the documentation expectations in detail.
6.3 Family Offices, Trusts, and Foundations
DIFC, ADGM, and RAK ICC foundations, as well as trust structures, are legitimate wealth-planning tools, but they also draw EDD attention. Source-of-wealth verification is mandatory, especially where settlors are PEPs or come from high-risk jurisdictions.
6.4 Client Money Accounts
Client account inflows and outflows must be monitored in real terms. Receipts that bypass the firm’s ordinary fee structure, third-party payments, and rapid in-and-out transfers are classic placement and layering signals. Where the firm cannot evidence the legitimate purpose, the only safe response is to delay, query, and escalate to the MLRO.
7. Building or Upgrading Your AML Programme: A Practical Roadmap
For firms starting from a low base, or for established firms preparing for a 2026 inspection, the following sequence works in practice.
7.1 Days 1 to 30: Diagnostic and Foundations
- Run an independent AML gap analysis against Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025.
- Review and update or replace the EWRA.
- Confirm the MLRO appointment, mandate, and reporting line.
- Register or refresh registration on goAML.
7.2 Days 31 to 60: Policy and Tooling
- Re-issue AML/CFT/CPF policies, procedures, and controls aligned to the new law.
- Implement or replace the sanctions and PEP screening tool with one that covers UN, UAE Local Terrorist List, and other relevant sanctions sources.
- Define rules and thresholds for transaction monitoring on the client money account.
- Document escalation flows from fee-earner to MLRO to senior management.
7.3 Days 61 to 90: Training, Testing, and Audit
- Deliver mandatory firm-wide AML training, including role-based modules for the MLRO and senior management.
- Run a tabletop test of the STR filing process, including a simulated tipping-off scenario.
- Commission an independent audit of the programme and address findings via a Remedial Action Plan.
- Schedule the next EWRA refresh and the next independent audit.
A fuller, generic implementation framework is set out in our guide on how to build an AML compliance programme in the UAE, and the operational checklist in our AML compliance checklist for UAE businesses.
8. Build, Outsource, or Hybrid: Choosing the Right Operating Model
UAE law firms typically run one of three AML operating models. Each has trade-offs.
8.1 Fully In-House
A dedicated MLRO and one or more compliance executives, supported by in-house tooling. This works well for large firms with diverse practice areas and high-risk client books, but it carries the highest fixed cost.
8.2 Fully Outsourced
An external AML compliance service provider acts as the firm’s MLRO support, runs CDD, sanctions screening, and STR drafting, and delivers the independent audit through a separate provider. This is the most cost-effective path for small and mid-sized firms, particularly in high-volume real-estate or company-formation practices.
8.3 Hybrid
An in-house MLRO supported by an outsourced operations team for screening, monitoring, and goAML reporting. This is the most common model for mid-sized UAE firms, and the model that tends to perform best in MoJ inspections.
Our practitioner comparison of in-house MLRO versus outsourced AML compliance in the UAE walks through the cost, control, and risk implications of each model.
9. Technology: What “Effective” Looks Like in 2026
UAE supervisors increasingly expect law firms to deploy fit-for-purpose technology rather than spreadsheets. The minimum capability set for a 2026-ready firm includes:
- Identity and CDD workflow with audit trail, e-KYC integration, and document version control.
- Sanctions and PEP screening against multiple lists including the UAE Local Terrorist List, with adjustable fuzzy-match thresholds and false-positive resolution logs.
- Adverse media screening with structured categorisation of negative news.
- Risk scoring engine that updates dynamically with new information.
- Transaction monitoring on client money flows, with rule libraries tuned to legal-sector typologies.
- goAML integration or structured export to support STR and DPMSR filing.
- Case management for alert disposition, MLRO sign-off, and audit trail.
Adil Zone’s First Compliance platform covers all of these modules, with screening across 1,800-plus sanction lists and 5.5 million-plus PEP records, dynamic risk scoring, and patented linking technology to surface hidden connections across client portfolios.
10. Cross-Border Considerations: When the Firm Is Not Just UAE
Many UAE law firms are part of regional or global networks, or maintain offices in DIFC and ADGM alongside mainland practices. Three considerations are non-negotiable:
- Group AML policy: The group standard must meet the highest applicable threshold, then be supplemented by local rules. A DIFC standard cannot be diluted to a mainland standard for cost reasons.
- Information sharing: Group-wide CDD information sharing is permitted, but only within the legal limits set out in the federal law and freezone rulebooks. Local data protection law also applies.
- Sanctions exposure: A UAE office advising a client whose owner is sanctioned by OFAC or HMT is exposed to secondary sanctions risk even where the UAE Local Terrorist List does not match. Group sanctions policies must reflect this.
11. Frequently Asked Questions
Are all UAE law firms covered by the AML regime?
Yes, in practice. Any law firm or legal consultancy in the UAE that performs one or more of the five DNFBP-trigger activities (real-estate transactions, managing client money, managing accounts, organising contributions for entity creation, or creating and managing legal persons or arrangements) is a DNFBP under Federal Decree-Law No. 10 of 2025. Most full-service UAE firms touch at least one of these activities, which puts them inside the regime.
Who supervises my UAE law firm for AML?
Mainland law firms, including those in Dubai, Abu Dhabi, Sharjah, and the other emirates outside the financial freezones, are supervised by the Ministry of Justice. DIFC law firms are supervised by the DFSA. ADGM law firms are supervised by the FSRA. Each supervisor enforces the same federal law plus its own additional rulebook.
What are the maximum penalties for an AML breach by a UAE law firm in 2026?
Under Federal Decree-Law No. 10 of 2025, legal persons face fines from AED 5 million up to AED 100 million, or an amount equivalent to the criminal property involved if higher. Natural persons, including managing partners and MLROs, can face fines up to AED 5 million plus imprisonment for serious offences such as failure to report, tipping off, or wilful negligence.
How often must we update our AML/CFT/CPF policies?
Policies must be reviewed at least annually and updated whenever the firm’s risk profile changes, the National Risk Assessment is updated, the client base or service mix shifts, or new legal obligations come into force. After 14 October 2025, every firm should already have re-issued its policies to reflect Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025.
Can the same person act as MLRO and Managing Partner?
Technically, yes: the law does not prohibit it for smaller firms. In practice, supervisors expect the MLRO to operate with sufficient independence to challenge business decisions. A combined role is high-risk for inspection findings unless the firm can demonstrate clear segregation of duties and documented escalation routes.
Do we need to register on goAML if we have never filed an STR?
Yes. goAML registration is mandatory for all DNFBPs, including law firms, regardless of whether an STR has ever been filed. Failure to register is itself a stand-alone administrative violation. Our goAML registration guide for 2026 walks through the steps.
What does an independent AML audit for a law firm look like?
An independent AML/CFT/CPF audit reviews the firm’s EWRA, policies and procedures, sample client files for CDD and EDD compliance, screening tool effectiveness, transaction monitoring, STR pipeline, training records, and MLRO function. The output is a written report with findings ranked by severity and a Remedial Action Plan with target dates. Adil Zone provides this service for mainland, DIFC, and ADGM-licensed law firms.
What is Proliferation Financing and why does it matter for lawyers?
Proliferation Financing is the financing of weapons of mass destruction and the related actors and networks. Federal Decree-Law No. 10 of 2025 made CPF a standalone obligation alongside AML and CFT. For lawyers, this means screening, monitoring, and reporting must consider PF risk factors, particularly when advising on dual-use trade, cross-border structures involving sanctioned regimes, or clients connected to high-risk export-control jurisdictions.
How should our firm prepare for the 2026 FATF evaluation cycle?
The most effective preparation is to ensure the firm’s AML/CFT/CPF programme is genuinely effective, not just documented. This means a current EWRA, evidence of risk-based CDD and EDD application, real screening and monitoring activity with audit trails, current training records, and a recent independent audit with a Remedial Action Plan that is being closed out. Supervisors will look for effectiveness signals.
Closing
The UAE’s 2025 AML reset has changed what “good enough” looks like for a law firm. Effective controls, documented evidence, an empowered MLRO, and a current independent audit are now the baseline expectation, not the gold standard. Firms that move quickly to align with Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025 will reduce both their inspection risk and their cost of compliance over the long term. Firms that wait will find themselves rebuilding under inspection pressure, which is the most expensive way to become compliant.
Disclaimer: This article is provided for general information only and does not constitute legal or compliance advice. UAE AML/CFT/CPF obligations depend on the specific licensing jurisdiction, business activities, and client profile of each firm. Professional advice should be sought before relying on any information set out above.


