Federal Decree-Law No. 10 of 2025: UAE AML Compliance Guide - adilzone | Corporate Consulting Services

Federal Decree-Law No. 10 of 2025 is the most consequential rewrite of UAE anti-money laundering legislation since 2018. It replaces Federal Decree-Law No. 20 of 2018, sharpens supervisory powers, expands designated non-financial business obligations, and introduces a tiered administrative penalty regime that runs from AED 50,000 to AED 100 million. For Licensed Financial Institutions (LFIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers operating in the UAE, the new law is now the operating standard.

This guide breaks down the structure of the law, what changed against the 2018 framework, the specific obligations facing in-scope entities, and a practical implementation roadmap for compliance teams completing their refresh before the next supervisory cycle.

Quick Answer

Federal Decree-Law No. 10 of 2025 is the new UAE federal AML/CFT statute. It replaces Federal Decree-Law No. 20 of 2018 and is supplemented by Cabinet Decision No. 134 of 2025, which sets the implementing regulations. The law applies to LFIs, DNFBPs, VASPs, and Registered Hawala Providers. Core obligations include enterprise risk assessment, customer due diligence, ongoing monitoring, sanctions and PEP screening against UAE local lists and UNSC consolidated lists, suspicious transaction reporting through goAML, and independent AML audit. Administrative fines now run from AED 50,000 up to AED 100,000,000 with potential imprisonment under criminal provisions.

Key Takeaways

New legal foundation: Decree-Law 10/2025 replaces Decree-Law 20/2018; Cabinet Decision 134/2025 replaces Cabinet Decision 10/2019 as the implementing regulation.
Wider scope: Crypto and virtual asset activity is brought fully into scope alongside traditional LFIs and DNFBPs, codifying the supervisory remit of VARA and the SCA.
Higher penalties: Administrative fines now extend to AED 100 million for severe or repeat breaches, with a layered framework for first, second, and persistent violations.
Supervisor coordination: CBUAE, MOE, DFSA, FSRA, VARA, SCA, and the Insurance Authority are explicitly tied to the National AML/CFT Committee structure for joint enforcement.
Risk-based approach: Article-level emphasis on a documented Enterprise-Wide Risk Assessment (EWRA) reviewed at least annually.
Independent audit reinforced: Periodic independent AML/CFT audit is no longer optional best practice — it is a statutory expectation across in-scope sectors.
FATF alignment: The drafting reflects feedback from the 2024 FATF follow-up review and prepares the UAE for the 2026 mutual evaluation cycle.

What Federal Decree-Law No. 10 of 2025 Replaced

The previous AML/CFT statute — Federal Decree-Law No. 20 of 2018 on the Criminalisation of Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations — defined the UAE framework for almost seven years. Cabinet Decision No. 10 of 2019 issued the implementing regulations, and Cabinet Resolution No. 74 of 2020 added the targeted financial sanctions list mechanics.

Decree-Law 10/2025 is not a minor amendment. It is a full repeal-and-replace, addressing four areas where the 2018 framework had become difficult to enforce in the modern UAE economy:

Virtual assets and crypto activity were only partially covered. The new law gives VARA and SCA explicit statutory grounding for AML supervision of VASPs.
DNFBP coverage was uneven across sectors. The new text consolidates obligations for real estate brokers, DPMS, accounting and audit firms, lawyers and notaries, corporate service providers, and trust providers.
Penalty scaling in the 2018 law topped out at limits that did not deter the largest LFIs. The new banding goes up to AED 100 million for severe and repeated breaches.
Coordination architecture between supervisors was informal. The 2025 law codifies the National AML Committee, the Higher Committee, and the FIU’s escalation pathways.

Cabinet Decision No. 134 of 2025 supplements the law by setting out the implementing regulations — the operational detail on CDD thresholds, record-keeping periods, ongoing monitoring expectations, and STR/SAR filing mechanics through the goAML portal.

Map your obligations under Decree-Law 10/2025

Adil Zone’s compliance advisory team translates the new statutory text into a working programme: risk register, policy refresh, MLRO appointment, and supervisor-ready evidence files.

Speak to an Advisor

Scope: Who Must Comply

The new law captures three broad categories of in-scope entities. Compliance teams should re-confirm their classification because some entities sit in more than one category and must answer to multiple supervisors.

Licensed Financial Institutions (LFIs)

Banks, exchange houses, finance companies, payment service providers, insurance companies, brokers, reinsurance providers, and capital market intermediaries. CBUAE supervises most LFIs; SCA covers capital markets; the Insurance Authority covers insurance.

Designated Non-Financial Businesses and Professions (DNFBPs)

Real estate brokers and agents executing transactions of AED 55,000 or more, dealers in precious metals and stones (DPMS) executing single or linked transactions of AED 55,000 or more, audit and accounting firms, lawyers and notaries advising on covered transactions, corporate service providers, and trust and company service providers. Most DNFBPs answer to the Ministry of Economy unless they sit inside a free-zone supervisor’s perimeter.

Virtual Asset Service Providers and Registered Hawala

VASPs licensed by VARA in Dubai or by SCA in the wider UAE, and Registered Hawala Providers (RHPs) under CBUAE supervision. The 2025 law removes earlier ambiguity about whether crypto exchanges, custodians, and OTC desks fall fully inside the AML regime: they do.

Free-zone entities are not exempt. ADGM-licensed firms answer to FSRA, DIFC firms to DFSA, and other free-zone entities answer to either MOE or the relevant zone authority. Adil Zone is an approved channel partner for ADGM, DIFC, DMCC, JAFZA, RAKEZ, RAK ICC, Meydan, SHAMS, HFZA, Dubai CommerCity, and Fujairah Free Zone, which lets us coordinate compliance setup across multiple regulators for the same group.

Core Obligations Under the New Law

The substantive AML/CFT obligations under Decree-Law 10/2025 follow the FATF Recommendations and align closely with what experienced UAE compliance officers already do under the 2018 framework. The differences sit in the level of documentation supervisors now expect and the speed of escalation through the FIU.

Risk-Based Approach and Enterprise-Wide Risk Assessment

Every in-scope entity must complete a documented Enterprise-Wide Risk Assessment (EWRA) covering customer risk, product and service risk, jurisdictional risk, and delivery channel risk. The EWRA must be approved by the board or equivalent governing body, reviewed at least annually, and updated whenever the business introduces a new product, enters a new market, or detects a material change in its threat profile.

For most UAE businesses the practical question is not whether to do an EWRA — the 2018 law already required one — but whether the existing document is current, board-approved, and tied to specific control decisions. Supervisors increasingly ask: “Show me the risk you identified, the control you put in place, and the evidence the control is working.” Generic risk language scored “medium” across every category will not pass that test.

Customer Due Diligence and Enhanced Due Diligence

CDD must be performed at the start of the business relationship and refreshed periodically based on customer risk. Decree-Law 10/2025 retains the four core CDD steps:

Identify the customer and verify identity from reliable, independent source documents.
Identify the beneficial owner and take reasonable measures to verify their identity, with at least 25% beneficial ownership as the default threshold (lower for higher-risk structures).
Understand the purpose and intended nature of the business relationship.
Conduct ongoing monitoring of the relationship.

EDD applies to high-risk customers, PEPs, customers from FATF-listed jurisdictions, customers in high-risk sectors, and complex or unusual transactions. The new law explicitly references the use of senior management approval for PEP relationships and ongoing scrutiny of transactions.

For practical implementation, see our guide on Customer Due Diligence (CDD) in the UAE, which walks through identity verification, source-of-funds documentation, and ongoing monitoring triggers.

Sanctions and PEP Screening

Targeted Financial Sanctions (TFS) screening must run against the UAE Local Terrorist List and the UN Security Council consolidated list. Many in-scope entities go further and screen against OFAC, EU, UK-HMT, and FINTRAC lists — particularly LFIs with cross-border exposure. The new law confirms that freezing measures must be applied without delay, in practice within 24 hours of designation.

PEP screening covers domestic PEPs, foreign PEPs, and international organisation officials, plus their family members and close associates (RCAs). For higher-risk relationships, ongoing screening rather than only onboarding screening is the supervisory expectation. Adil Zone’s First Compliance platform screens against 1,800+ sanction lists and a 5.5 million-record PEP database, with ongoing automated re-screening built into the case workflow.

Useful reference: the UAE Executive Office for Control and Non-Proliferation publishes the UAE Local List and provides operational guidance for in-scope entities.

Suspicious Transaction Reporting via goAML

Decree-Law 10/2025 reaffirms the obligation to file Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) with the UAE Financial Intelligence Unit through the goAML portal. Filing must happen “without delay” once suspicion is formed, which supervisors interpret as the same business day where practicable. The law preserves the tipping-off prohibition and the legal protection for staff who file in good faith.

For dealers in precious metals and stones, separate DPMSR (DPMS Reporting) obligations apply for cash transactions of AED 55,000 or more. The goAML portal accommodates both report types. See our goAML Portal Registration Guide for the step-by-step onboarding process.

Authoritative guidance for filers is published by the UAE FIU and supplemented by typology bulletins issued through goAML.

Automate CDD, screening, and goAML reporting

First Compliance covers 1,800+ sanction lists and 5.5M+ PEP records, with patented entity linking, automated DPMSR, and STR/SAR filing flows aligned to the new law.

Explore First Compliance

Penalties and Enforcement Under Decree-Law 10/2025

Administrative penalties under the new law are graduated by severity, repeat behaviour, and the size of the regulated entity. The headline numbers:

Breach Category	Indicative Fine Range	Typical Triggers
Procedural / minor	AED 50,000 — AED 500,000	Late filings, incomplete records, minor CDD gaps.
Material / repeat	AED 500,000 — AED 5,000,000	Failure to file STRs, missing EWRA, weak EDD, sanctions screening gaps.
Severe / systemic	AED 5,000,000 — AED 100,000,000	Wilful breach, sanctions evasion facilitation, repeated material non-compliance.

Beyond fines, supervisors can apply non-financial sanctions: licence suspension, restrictions on business lines, removal of senior managers, and — in the most serious cases — revocation of the operating licence. Criminal liability under the financing-of-terrorism and money laundering provisions remains separate from the administrative regime, with imprisonment available on conviction.

The CBUAE has stated repeatedly that fine quantum will reflect the size of the regulated entity. A six-figure CDD-failure fine on a small exchange house signals the same message as an eight-figure fine on a major bank: supervisors expect proportionate, evidence-backed compliance, not minimum-effort paperwork.

How Decree-Law 10/2025 Aligns with FATF

The 2025 law was drafted with FATF feedback in mind. The UAE’s removal from the FATF grey list in February 2024 was a national milestone, and the new statute is the legislative anchor for keeping that status. Key FATF alignments visible in the text:

Recommendation 10 (CDD): Beneficial ownership thresholds and ongoing monitoring obligations are codified at the same level as the FATF standard.
Recommendation 12 (PEPs): Domestic PEPs are now treated with the same procedural rigour as foreign PEPs in higher-risk relationships.
Recommendation 15 (Virtual Assets): VASPs are now an in-scope category by name, addressing the gap that the FATF flagged in earlier evaluations.
Recommendation 22 (DNFBPs): The DNFBP perimeter is broader and the supervision pathway clearer.
Recommendation 35 (Sanctions): The 100 million dirham ceiling brings dissuasive penalty power into line with global peers.

The next FATF mutual evaluation cycle for the UAE begins in 2026. Compliance officers should treat 2026 not as a distant deadline but as the year supervisors will be looking for evidence that Decree-Law 10/2025 is being implemented in substance, not just on paper. For wider context on the evaluation, see our FATF Mutual Evaluation 2026 guide.

Reference: FATF country page for the United Arab Emirates.

Implementation Timeline and Practical Steps

If your entity already has a working AML programme under the 2018 law, the migration to Decree-Law 10/2025 is a refresh, not a rebuild. The risk is treating it as an administrative renaming exercise — swapping document headers and reissuing the same content.

A defensible implementation path looks like this:

Gap analysis (weeks 1-2): Map your existing policies, procedures, and controls against Decree-Law 10/2025 and Cabinet Decision 134/2025 article by article. Tag each gap by severity.
Risk assessment refresh (weeks 2-4): Update the EWRA to reflect the expanded DNFBP and VASP scope, new sanctions list cadence, and any geographic or product changes since the last review.
Policy and procedure rewrite (weeks 3-6): Rewrite the AML/CFT policy, CDD/EDD procedures, sanctions and PEP screening procedure, transaction monitoring rules, STR/SAR filing protocol, training plan, and record-retention schedule. Cite the new law and Cabinet Decision sections directly.
Board approval (week 6): Present the refreshed framework to the board or governing body for documented approval. Capture minutes.
Training rollout (weeks 6-8): Deliver targeted training to MLRO, deputy MLRO, front-line teams, and senior management. Record attendance, content, and assessment scores.
Independent audit (within 12 months): Commission an independent AML/CFT audit — federal, DFSA, VARA, or supply-chain depending on your supervisor. Track findings to closure with a Remedial Action Plan.

For a step-by-step operational programme build, see our companion guide on how to build an AML compliance programme in the UAE.

Independent AML/CFT audit (Federal, DFSA, VARA)

Article 24 of Decree-Law 10/2025 reinforces the requirement for periodic independent audits. Adil Zone delivers all four audit types with a Remedial Action Plan, including supply-chain audits for DPMS clients.

Book an Independent Audit

Common Compliance Gaps Under the New Law

From recent supervisor inspections and our own audit work, six gaps come up repeatedly when programmes built under the 2018 framework are tested against Decree-Law 10/2025:

Stale EWRA: A risk assessment dated 18 months ago, with no evidence of board review or update for new business lines.
Beneficial ownership shortcuts: 25% threshold ticked at onboarding, but no evidence of ongoing review when ownership changes during the relationship.
Sanctions screening lag: Daily list updates not actually happening; weekly batches treated as sufficient when supervisors expect near-real-time application of designations.
STR filing thresholds confused with reporting thresholds: The AED 55,000 DPMSR cash threshold is a reporting trigger, not a suspicion threshold. Suspicion below the threshold still requires an STR.
Training records without assessment evidence: Attendance logs but no test scores or competence evidence — supervisors increasingly want both.
Audit findings without closure trail: Last year’s independent audit identified gaps; no Remedial Action Plan exists, or the RAP exists but actions are still “open” with no review date.

These are the gaps that turn a procedural inspection into a material finding under the new penalty bands. The fix is not more documentation — it is documentation that demonstrates a working control rather than the existence of a policy.

For sector-specific implementation, see our existing guides on AML compliance for DPMS, AML for Corporate Service Providers, and AML compliance for accounting firms.

Frequently Asked Questions

What is Federal Decree-Law No. 10 of 2025?

It is the new UAE federal AML/CFT statute, replacing Federal Decree-Law No. 20 of 2018. It is supplemented by Cabinet Decision No. 134 of 2025 (the implementing regulations). Together they set the legal framework for anti-money laundering, counter-terrorist financing, and counter-proliferation financing across all in-scope UAE entities.

When did Decree-Law 10/2025 take effect?

The law came into force in 2025 following publication in the Official Gazette and gazettal of Cabinet Decision 134/2025. Supervisors have communicated transitional expectations through their respective channels (CBUAE notices, MOE circulars, DFSA dear-CEO letters, VARA bulletins). Entities should treat the present compliance cycle as fully under the new framework.

Does the new law apply to free-zone companies?

Yes. ADGM, DIFC, DMCC, JAFZA, RAKEZ, RAK ICC, Meydan, SHAMS, HFZA, Dubai CommerCity, and Fujairah Free Zone entities are all in scope. The supervisor differs by zone — FSRA for ADGM, DFSA for DIFC, MOE or the zone authority for the rest — but the statutory obligations are the same.

What are the maximum fines under Decree-Law 10/2025?

Administrative penalties extend up to AED 100 million for severe or repeat breaches. Lower bands run from AED 50,000 for procedural failings to AED 5 million for material gaps. Criminal liability for money laundering and terrorism financing offences is separate, with imprisonment available on conviction.

Do I need to redo my AML risk assessment?

Yes, if your existing EWRA was built solely under the 2018 framework or is more than 12 months old. Supervisors expect a current, board-approved EWRA that reflects the expanded DNFBP and VASP scope, new sanctions list cadence, and any product or jurisdictional changes since the last review.

How does Decree-Law 10/2025 affect VASPs and crypto firms?

VASPs are now an explicitly in-scope category. VARA-licensed firms in Dubai and SCA-supervised firms elsewhere in the UAE must operate full AML/CFT programmes — EWRA, CDD/EDD, sanctions screening, transaction monitoring, STR/SAR filing through goAML, and independent audit. The 2025 law removes the prior ambiguity about whether crypto activity sat fully inside or partly outside the regime.

How often must I run an independent AML audit?

Most supervisors expect an annual independent AML/CFT audit, with shorter cycles for higher-risk entities or where prior findings remain open. Adil Zone delivers four audit types: Independent AML/CFT Audit under the Federal Decree-Law, DFSA-regulated audit, VARA-regulated audit, and Sourcing Supply Chain Audit, each accompanied by a Remedial Action Plan.

Where do I file Suspicious Transaction Reports?

STRs and SARs are filed through the goAML portal operated by the UAE FIU. DPMSR cash-transaction reports for dealers in precious metals and stones (transactions of AED 55,000 or more) are filed through the same portal. The tipping-off prohibition applies once a suspicion has been formed.