On 16 April 2026, the Central Bank of the UAE (CBUAE) released an updated package of AML/CFT/CPF guidance for licensed financial institutions across the country. The CBUAE AML CFT guidance 2026 covers six documents — four supervisory guidelines and two best practice manuals — addressing proliferation financing risk assessment, trade-based money laundering (TBML), correspondent banking due diligence, and customer due diligence (CDD) standards. If your institution operates under a CBUAE licence, these updates carry direct compliance implications that require prompt attention from your MLRO and compliance leadership.
Quick Answer
The CBUAE issued six updated compliance guidance documents on 16 April 2026. The four supervisory guidelines address proliferation financing risk assessment and mitigation, trade-based money laundering and transshipment risks, correspondent banking relationships, and customer due diligence (including KYC and record-keeping). Two best practice manuals were issued alongside them — one on implementing a risk-based approach to financial crime prevention, and one on role-specific AML/CFT/CPF training. All licensed financial institutions (LFIs) regulated by the CBUAE must review and align their compliance programmes with these updated standards under their existing obligations under Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025.
Key Takeaways
- Six documents in one package: Four supervisory guidelines and two best practice manuals were issued together on 16 April 2026.
- CDD goes beyond onboarding: LFIs must now conduct continuous risk reassessment throughout the customer lifecycle, with documented triggers and schedules.
- TBML is now a standalone risk category: Trade-based money laundering and transshipment risks have dedicated CBUAE guidance for the first time.
- Correspondent banking under higher scrutiny: Enhanced due diligence is required for all correspondent relationships, with specific attention to nested arrangements.
- Proliferation financing formalised: PF risk must be assessed and documented as a separate category within each institution’s enterprise-wide risk assessment.
- Role-based training is now the standard: Generic AML awareness training is no longer sufficient — programmes must be tailored to specific roles and functions.
- Regulatory alignment: This guidance advances the UAE National AML/CFT Strategy 2024–2027 and reflects FATF expectations ahead of the 2026 mutual evaluation.
What the CBUAE Released on 16 April 2026
The announcement was made from Abu Dhabi and describes the package as updated supervisory guidelines and best practice manuals designed to sharpen compliance systems across the UAE financial sector. The release forms part of the country’s broader efforts to meet the standards set by the Financial Action Task Force (FATF) and to demonstrate systemic readiness ahead of the UAE’s 2026 mutual evaluation.
The six documents can be summarised as follows:
| Document Type | Topic | Applicable To |
|---|---|---|
| Supervisory Guideline | Proliferation Financing Risk Assessment and Mitigation | All LFIs |
| Supervisory Guideline | Trade-Based Money Laundering and Transshipment Risks | All LFIs |
| Supervisory Guideline | Correspondent Banking Relationships | Banks and institutions with correspondent relationships |
| Supervisory Guideline | Customer Due Diligence, KYC and Record-Keeping | All LFIs |
| Best Practice Manual | Risk-Based Approach to Financial Crime Prevention | All LFIs |
| Best Practice Manual | Role-Based AML/CFT/CPF Training | All LFIs |
No separate implementation deadlines have been attached to these documents. Compliance is expected under existing obligations under Federal Decree-Law No. 10 of 2025 (which replaced Federal Decree-Law No. 20 of 2018) and Cabinet Decision No. 134 of 2025. The CBUAE’s supervisory approach treats guidance documents as forming part of the expected compliance standard — LFIs that fail to align their programmes may receive adverse findings during inspections.
Proliferation Financing Risk Assessment — What Has Changed
Proliferation financing (PF) refers to the provision of funds or financial services used to support the development, acquisition, manufacture, possession, transport, transfer, or use of chemical, biological, radiological, or nuclear weapons. It has been part of the UAE’s AML/CFT framework at a conceptual level for some years, but the April 2026 guidance formalises it as a standalone risk category that each LFI must assess and document independently.
What PF Risk Assessment Requires in Practice
Until recently, many institutions addressed proliferation financing primarily through their targeted financial sanctions (TFS) screening processes — checking customers and transactions against UN Security Council (UNSC) and other designated lists. The new guidance goes further. Institutions must assess PF risk at the programme level, not only through transaction-by-transaction screening.
Under the updated standard, LFIs must:
- Identify and document PF risks that are specific to their customer base, products, services, delivery channels, and geographic exposure
- Implement internal controls proportionate to the PF risks identified
- Monitor for emerging PF threats on an ongoing basis, including new UNSC designations and CBUAE advisories
- Update PF risk assessments when material changes occur — such as entry into new markets or the onboarding of customers in higher-risk sectors
- Integrate PF risk as a distinct component of the institution’s Enterprise-Wide Risk Assessment (EWRA)
This is a meaningful shift for compliance teams who have historically treated PF as an extension of sanctions compliance. For guidance on the full scope of targeted financial sanctions requirements in the UAE, refer to our detailed explainer.
Is your institution’s EWRA up to date with proliferation financing risk?
Adil Zone’s compliance advisory team conducts ML/FT/PF risk assessments for licensed financial institutions in the UAE. Contact our advisory team for a gap analysis.
Trade-Based Money Laundering and Transshipment Risks
Trade-based money laundering (TBML) involves the manipulation of trade transactions to disguise the movement of illicit funds. Common techniques include over-invoicing or under-invoicing goods, falsifying cargo descriptions, multiple invoicing of the same shipment, and fictitious trade transactions involving goods that are never physically delivered.
The UAE’s position as one of the world’s largest re-export hubs makes TBML a particularly significant national risk. Goods passing through UAE ports and free zones on their way to third-country destinations — a process known as transshipment — create compliance challenges because the final destination and end user may not be directly visible to the financial institution financing the original trade.
What the Transshipment Guidance Requires
The CBUAE’s April 2026 guidance on TBML and transshipment risks requires LFIs to treat these as a distinct risk category within their compliance frameworks. Institutions providing trade finance, letters of credit, or banking services to import/export businesses must:
- Conduct a documented TBML risk assessment as a standalone element within their EWRA
- Identify customers involved in trade activities where transshipment is a common feature, particularly those with counterparties in higher-risk jurisdictions
- Apply Enhanced Due Diligence (EDD) to trade finance clients with elevated TBML indicators
- Monitor for specific TBML red flags: significant discrepancies between invoice value and market price, vague or inconsistent cargo descriptions, transactions involving multiple intermediaries without clear commercial rationale, or shipments routed through jurisdictions inconsistent with the stated trade relationship
- Obtain information about the ultimate destination of goods where available and commercially reasonable
Free Zone Exposure to TBML Risk
For institutions with customers operating in UAE free zones, transshipment risk is heightened. Free zone entities engaged in re-export activities represent a customer segment where TBML red flags should be actively monitored. This does not mean refusing to bank free zone entities — it means applying appropriate, risk-based controls calibrated to the customer’s trade profile.
For institutions reviewing how AML obligations apply across UAE jurisdictions, our guide on AML requirements across mainland UAE, DIFC and ADGM provides a useful jurisdictional foundation.
Correspondent Banking — Enhanced Due Diligence Requirements
Correspondent banking — where one financial institution provides services to another to enable cross-border payments, currency clearing, or other financial transactions — carries significant ML/TF risk when not properly managed. The April 2026 guidance sets out specific expectations that go beyond general EDD standards.
Due Diligence for All Correspondent Relationships
Before establishing a correspondent banking relationship, and on a periodic basis thereafter, LFIs must conduct and document a risk assessment of each respondent institution. This assessment must cover:
- The respondent bank’s AML/CFT/CPF programme, including its governance structure, policies, and the quality of its compliance controls
- The regulatory environment and AML/CFT standards of the jurisdiction in which the respondent bank is headquartered and supervised
- The ownership structure of the respondent bank, including any government ownership or complex beneficial ownership arrangements
- The respondent bank’s customer base and the ML/TF risk profile of the sectors it primarily serves
- Any enforcement actions, sanctions, or adverse regulatory findings relating to the respondent bank
LFIs must obtain written confirmation from the respondent institution about its AML/CFT programme before establishing a relationship. The level of ongoing monitoring should be proportionate to the risk assessment outcome.
Nested Correspondent Relationships
A nested correspondent relationship occurs when a respondent bank uses the correspondent institution’s infrastructure to conduct transactions on behalf of its own customers — including other financial institutions. Nested arrangements insert additional layers of customers between the correspondent bank and the ultimate transaction parties, reducing visibility into who is actually using the service.
The CBUAE guidance requires LFIs to:
- Identify any nested correspondent arrangements within their existing relationships
- Apply EDD where nesting is present, including obtaining information about the respondent bank’s own correspondent relationships where possible
- Not establish or maintain relationships with shell banks — institutions that have no physical presence in any jurisdiction and are not affiliated with a supervised financial group
Automate correspondent banking screening and CDD with First Compliance
First Compliance provides automated KYC management, sanctions screening against 1,800+ lists, and PEP screening covering 5.5 million+ records — built for UAE-regulated institutions. Learn how First Compliance supports your CDD obligations.
Customer Due Diligence and KYC — The Lifecycle Standard
The updated CDD and KYC guideline applies to every licensed financial institution and introduces a continuous lifecycle approach to customer risk management that goes materially beyond the onboarding-focused standard many institutions currently operate.
From Onboarding CDD to Lifecycle Management
The April 2026 guidance establishes a clear expectation that CDD is a continuous process, not a one-time onboarding exercise. LFIs must document how and when customer risk profiles are reviewed, updated, and escalated throughout the full duration of a business relationship. This requires:
- A defined trigger-based reassessment protocol — covering ownership or control changes, unusual transaction patterns, adverse media, new designations, or sanctions
- A periodic reassessment schedule for higher-risk customers — the frequency must be documented in the CDD policy and proportionate to the customer’s risk tier
- Updated risk scoring each time material new information is collected, with the revised risk tier recorded in the customer file with supporting documentation
For a detailed breakdown of CDD requirements under UAE AML law — including standard, simplified, and enhanced due diligence thresholds — refer to our guide on customer due diligence in the UAE.
Record-Keeping Obligations
The guidance reinforces and clarifies the scope of record-keeping requirements. LFIs must retain:
- CDD records — including all documentation collected during onboarding and subsequent reviews — for a minimum of five years following the end of the business relationship
- Transaction records for a minimum of five years from the date of the transaction
- Records of all STR/SAR filings and supporting analysis documentation
Records must be maintained in a format that allows timely retrieval in response to a regulatory request. Electronic records are acceptable provided they include a verifiable audit trail. Institutions storing records across multiple legacy systems should audit their record-keeping architecture against these requirements.
Beneficial Ownership Verification
For legal entity customers, the guidance reinforces the requirement to identify and verify the ultimate beneficial owner (UBO). Under the UAE’s current framework, a UBO is any natural person who directly or indirectly holds 25% or more of the ownership or voting rights of a legal entity, or who exercises effective control through other means. Where no such person can be identified, the senior managing official must be treated as the UBO for compliance purposes.
For further detail on UBO obligations under UAE AML law, refer to our article on beneficial ownership requirements in the UAE.
Risk-Based Approach — Best Practice Manual Highlights
The first of the two best practice manuals addresses how institutions should implement a risk-based approach (RBA) to financial crime prevention at a programme level. The RBA is the cornerstone of the FATF methodology and is embedded in the UAE’s AML framework through Federal Decree-Law No. 10 of 2025.
The manual reinforces several principles that compliance teams should review against their current programmes:
- Proportionality: Controls must be scaled to the level of assessed risk. Higher-risk customer segments, products, and delivery channels require proportionately more stringent oversight. Applying identical controls to all customers is not a risk-based approach — it is an avoidance of risk differentiation.
- Documentation of rationale: Risk scoring decisions must be documented with sufficient detail that a supervisor can assess the basis for the institution’s conclusions. A risk score without supporting reasoning does not meet the standard.
- Breadth of application: The RBA must extend across all business lines, including those where ML/TF risk appears low. Residual risk must still be documented and monitored.
- Governance oversight: Senior management must actively review and approve the institution’s risk appetite for financial crime and the adequacy of its controls framework on a periodic basis.
Role-Based AML/CFT Training — What LFIs Must Now Implement
The second best practice manual addresses training. This is a significant update for institutions that have historically met their training obligations through annual all-staff e-learning modules. The CBUAE’s updated standard explicitly requires training that is tailored to specific roles and functions within the organisation.
A Framework for Role-Based Training
Under the April 2026 guidance, training content must be structured by function and level. A practical framework based on the guidance:
| Role Group | Training Content Focus | Suggested Frequency |
|---|---|---|
| Front-line staff (tellers, relationship managers, onboarding teams) | CDD basics, red flag recognition, customer interaction protocols, escalation procedures | Annual + at onboarding |
| Compliance and MLRO teams | Regulatory requirements, STR/SAR filing, risk assessment methodology, updated CBUAE guidance | Annual + following regulatory updates |
| Senior management and board members | Governance obligations, regulatory expectations, tone-from-the-top frameworks, strategic risk oversight | Annual |
| IT and operations staff | System controls for transaction monitoring, data integrity, audit trail obligations | Annual + when systems change |
| New joiners (all roles) | Role-appropriate foundation training before client-facing or compliance functions commence | Pre-commencement |
Documentation and Effectiveness Assessment
The CBUAE expects institutions to demonstrate training delivery during supervisory inspections. This requires maintaining records of who attended which programme, when it was delivered, and how its effectiveness was assessed. Completion certificates and training logs are minimum requirements. Institutions with larger compliance teams benefit from a training management system that tracks completion by role across the organisation.
For a full breakdown of AML training obligations in the UAE — including requirements for specific DNFBP sectors — refer to our guide on AML training requirements in the UAE.
Meet the CBUAE’s role-based training standard with Compliance 360
Compliance 360 offers 32 individual AML/CFT courses, including role-specific programmes for MLROs, front-line staff, senior management, DNFBPs, and licensed financial institutions. KHDA-approved and available as in-house sessions with participation certificates. View the Compliance 360 course catalogue.
What LFIs Must Do Now — A Practical Action Checklist
The April 2026 guidance does not carry a separate compliance deadline. LFIs are expected to meet these standards under their existing regulatory obligations. However, the simultaneous release of six updated guidance documents signals that the CBUAE is conducting a systematic review of compliance standards across the sector. Supervisory inspections will apply this updated framework when assessing institutional compliance.
A practical priority checklist for MLROs and compliance teams:
| Action | Priority | Owner |
|---|---|---|
| Update EWRA to include proliferation financing risk as a standalone component | High | MLRO / Risk Team |
| Conduct documented TBML risk assessment for all trade finance and import/export clients | High | MLRO / Trade Finance Compliance |
| Review and apply EDD to all correspondent banking relationships, including nested arrangements | High | Compliance / Relationship Management |
| Update CDD policy to include lifecycle reassessment triggers and periodic review schedule | High | Compliance / KYC Team |
| Audit record-keeping architecture against the five-year retention requirement | Medium | Operations / IT / Compliance |
| Restructure AML/CFT/CPF training programmes by role and document the delivery schedule | High | HR / Compliance / MLRO |
| Update AML policy documents to reference the April 2026 CBUAE guidance | Medium | MLRO / CCO |
| Brief senior management and board on their obligations under the updated guidance | High | MLRO / Compliance Leadership |
Institutions that have not yet undergone an independent AML/CFT audit since the passage of Federal Decree-Law No. 10 of 2025 should consider commissioning one to identify gaps before the next supervisory inspection cycle. For guidance on what a CBUAE inspection typically covers and how to prepare, refer to our article on preparing for an AML inspection in the UAE.
How This Guidance Fits the UAE’s 2026 Regulatory Framework
The April 2026 CBUAE guidance is part of a sequenced regulatory upgrade that includes:
- Federal Decree-Law No. 10 of 2025: The primary AML/CFT legislation that replaced Federal Decree-Law No. 20 of 2018, introducing updated definitions, obligations, and enforcement powers across the UAE’s financial and non-financial sectors.
- Cabinet Decision No. 134 of 2025: The implementing regulation that sets procedural requirements for LFIs, DNFBPs, and registered hawala providers.
- UAE National AML/CFT Strategy 2024–2027: The strategic framework prioritising financial intelligence, risk-based supervision, and international cooperation ahead of the UAE’s 2026 FATF mutual evaluation.
LFIs that have not yet updated their compliance programmes to reflect the 2025 legislative changes should treat the April 2026 guidance as a combined trigger to act. The CBUAE is not issuing advisory recommendations — it is defining the standards it will apply during supervisory assessments. Institutions that align now are better positioned during the country’s 2026 mutual evaluation period.
For direct access to CBUAE guidance documents and circulars, visit the CBUAE’s official AML/CFT page.
Frequently Asked Questions
Does the April 2026 CBUAE guidance apply to DNFBPs as well as LFIs?
The April 2026 package is specifically directed at licensed financial institutions regulated by the CBUAE. DNFBPs — including real estate agents, lawyers, accountants, auditors, corporate service providers, and dealers in precious metals and stones — are regulated under MOE supervision and are subject to separate guidance. That said, the risk-based approach and CDD standards reflected in this CBUAE guidance mirror the broader standard expected of all regulated entities under Federal Decree-Law No. 10 of 2025.
What are the penalties for AML/CFT non-compliance for UAE banks?
Under Federal Decree-Law No. 10 of 2025, administrative penalties for AML/CFT violations can range from AED 5 million to AED 100 million for licensed financial institutions. In cases involving wilful non-compliance, systemic failures, or senior management culpability, penalties may extend to criminal sanctions including imprisonment. The CBUAE also has authority to impose licence restrictions, enhanced supervisory measures, and public sanctions against non-compliant institutions.
Is proliferation financing risk separate from targeted financial sanctions compliance?
Yes, under the April 2026 guidance. Targeted financial sanctions (TFS) compliance — screening customers and transactions against designated lists — is necessary but not sufficient to address proliferation financing risk. PF risk assessment requires a programme-level analysis of how your institution’s services could be exploited for PF purposes, including by parties not yet designated on any list. The two frameworks are complementary but treated as distinct obligations under the updated standard.
What is a nested correspondent relationship and why does the CBUAE flag it as a risk?
A nested correspondent relationship occurs when a respondent bank allows its own customers — including other financial institutions — to use the correspondent bank’s infrastructure for their transactions. This creates additional opacity: the correspondent bank cannot directly verify the identity or activity of the respondent bank’s customers. The CBUAE guidance requires LFIs to identify nested arrangements and apply EDD where they are present.
How long must UAE banks keep CDD and transaction records?
Licensed financial institutions must retain CDD records for a minimum of five years following the end of a business relationship, and transaction records for a minimum of five years from the date of the transaction. Records must be maintained in a format that allows timely retrieval upon request from the CBUAE or other competent authorities, with a verifiable audit trail.
What evidence does the CBUAE expect to see during an AML inspection?
Key evidence points for CBUAE supervisory inspections include: an up-to-date EWRA incorporating PF and TBML as standalone risk categories; documented CDD procedures with defined lifecycle reassessment triggers and schedules; training records showing role-specific delivery, attendance, and effectiveness assessment; correspondent banking due diligence files for all active relationships; and an auditable STR/SAR filing trail. Institutions that cannot produce these records may receive adverse findings regardless of their underlying compliance posture.
What does a risk-based approach mean in practice for a UAE bank?
A risk-based approach (RBA) means applying compliance controls that are proportionate to the assessed level of ML/TF/PF risk — not applying identical controls to all customers and transactions regardless of their risk profile. In practice, this means conducting documented risk assessments, differentiating customers by risk tier, applying stronger controls to higher-risk relationships, and recording the rationale for all risk decisions. The CBUAE’s best practice manual makes clear that a uniform, tick-box approach does not constitute an adequate RBA.
Is there a deadline for implementing the April 2026 CBUAE guidance?
No separate implementation deadline has been issued with the April 2026 package. LFIs are expected to comply under their existing obligations as licensed institutions. However, CBUAE supervisory inspections will apply the standards set out in the guidance when assessing institutional compliance. The absence of a formal deadline should not be read as a grace period — compliance teams should begin reviewing and updating their programmes promptly.
Related Reading
- Customer Due Diligence Requirements in the UAE — A Compliance Guide
- Targeted Financial Sanctions in the UAE — What Regulated Entities Must Know
- How to Build an AML Compliance Programme in the UAE
- AML Training Requirements for UAE Financial Institutions and DNFBPs
- Preparing for an AML Inspection in the UAE
- goAML Registration and Reporting Guide 2026
- Beneficial Ownership Obligations Under UAE AML Law
- AML Requirements Across Mainland UAE, DIFC and ADGM
On 16 April 2026, the CBUAE raised the bar for financial crime compliance across the UAE banking sector. Whether the challenge is updating your EWRA to reflect proliferation financing risk, restructuring your training programmes by role, or applying EDD to correspondent banking relationships, Adil Zone’s compliance team is available to help. Contact us for a free consultation and compliance gap analysis.
Disclaimer: This article is for informational purposes only and does not constitute legal or regulatory advice. Adil Zone Corporate Services LLC recommends that all regulated entities seek professional compliance guidance specific to their individual circumstances and regulatory obligations.
