Filing a Suspicious Transaction Report (STR) is one of the most consequential decisions a UAE compliance officer makes, and getting the workflow wrong can result in fines starting at AED 100,000 and personal criminal liability. STR filing in the UAE runs through the goAML portal operated by the UAE Financial Intelligence Unit (FIU), and the rules tightened materially under Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025. This guide walks through the practical workflow, the “without delay” timing standard, the most common filing mistakes, and how to embed STR submission into a sustainable compliance programme.
Quick Answer
To file an STR in the UAE, a Reporting Entity must (1) be registered on the goAML portal operated by the UAE FIU, (2) submit the report “without delay” once suspicion is formed, (3) complete all mandatory fields including subject details, transaction data, indicators, and a clear narrative of the grounds for suspicion, and (4) preserve full supporting records for at least five years. The legal basis is Article 15 of Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025. Failure to file when required carries administrative penalties up to AED 5,000,000 per violation and can trigger criminal liability for the responsible officers.
Key Takeaways
- STR filing is mandatory and personal. Both the entity and the named compliance officer can be sanctioned for non-filing.
- “Without delay” is a same-business-day expectation. The FIU treats anything beyond 24 to 48 hours from confirmed suspicion as a red flag.
- Tipping-off is a separate criminal offence. The customer must never be informed that an STR has been filed.
- Use the correct goAML report type. STR, SAR, AIF, HRC, FFR, DPMSR, RFI, and PNMR each have specific triggers.
- Documentation matters as much as the filing. Decisions not to file are also reviewed by the FIU and external auditors.
- Records must be retained for five years. This includes the STR itself, internal escalation notes, and CDD files.
- Federal Decree-Law No. 10 of 2025 raised the stakes. Maximum administrative fines have been substantially expanded compared with the prior framework.
What Is an STR and How Does It Differ from a SAR?
UAE compliance practitioners often use the terms STR and SAR interchangeably, but goAML treats them as distinct report types with different thresholds. Understanding the distinction is essential because using the wrong report type can be treated as a filing deficiency during a regulatory inspection.
STR vs SAR: The Practical Distinction
A Suspicious Transaction Report (STR) is filed when a Reporting Entity suspects that a specific transaction, attempted transaction, or fund movement is the proceeds of crime, related to a crime, or intended to be used in a crime. The trigger is transactional. There is a defined movement of money, assets, or value tied to a customer.
A Suspicious Activity Report (SAR) is filed when the suspicion arises from a pattern of behaviour, customer profile inconsistency, or activity that has not yet resulted in a transaction. SARs are used when a customer attempts to open an account with falsified documents, refuses to provide source-of-funds information, or exhibits behavioural red flags during onboarding even before any transfer occurs.
Other goAML Report Types You May Need
| Report Type | When to Use |
|---|---|
| STR | Suspicion tied to a specific transaction or attempted transaction |
| SAR | Suspicion tied to activity, behaviour, or attempted onboarding without a transaction |
| AIF | Additional Information File supplementing a prior STR or SAR |
| HRC | High Risk Country related reporting |
| FFR | Funds Freeze Report following a sanctions match |
| DPMSR | Dealer in Precious Metals and Stones Report for transactions at or above AED 55,000 |
| RFI | Response to an FIU Request for Information |
| PNMR | Partial Name Match Report for sanctions screening hits requiring FIU adjudication |
Selecting the right report type is the first practitioner-level decision, and it should be documented in the internal escalation memo before the report is opened in goAML.
Who Must File STRs in the UAE
The STR obligation under Federal Decree-Law No. 10 of 2025 attaches to every entity classified as a Reporting Entity. The classification covers a broad cross-section of the UAE economy, which is one of the reasons the FATF expects high STR volumes during its 2026 mutual evaluation cycle.
Licensed Financial Institutions (LFIs)
LFIs include banks, exchange houses, finance companies, insurance brokers and providers, money service businesses, and capital markets participants regulated by the Central Bank of the UAE (CBUAE), the Securities and Commodities Authority (SCA), the Dubai Financial Services Authority (DFSA), or the Financial Services Regulatory Authority (FSRA). For LFIs, the obligation to file is integrated with prudential supervision, meaning the regulator also reviews STR filing rates as a supervisory metric.
Designated Non-Financial Businesses and Professions (DNFBPs)
DNFBPs supervised by the Ministry of Economy include real estate brokers and agents, dealers in precious metals and stones (DPMS), independent accountants and auditors, lawyers and notaries operating outside law firms, and corporate service providers (CSPs). The DNFBP population is the largest group of registered Reporting Entities in the country and historically the lowest-rate STR submitter, which is precisely why MOE inspections now scrutinise the “no-STR” rationale almost as closely as the filings themselves.
Virtual Asset Service Providers (VASPs)
VASPs licensed by the Virtual Assets Regulatory Authority (VARA) in Dubai, the FSRA in Abu Dhabi Global Market (ADGM), or the SCA at federal level have the same STR obligation, with additional reporting expectations around suspicious wallet activity, mixer or tumbler exposure, and high-risk jurisdiction wallet flows.
If your business is registered on the goAML portal, you are a Reporting Entity. If it should be registered but is not, the failure to register is itself a separate administrative violation, and the obligation to file STRs still applies. For a complete walkthrough of how to onboard your entity, see our goAML Portal Registration Guide for 2026.
When to File: The “Without Delay” Standard
The statutory wording is “without delay.” This is a deliberately strict standard, and inspectors interpret it operationally rather than literally.
How “Without Delay” Is Interpreted in Practice
In practice, the FIU and the supervising regulators expect the following internal timeline:
- Hour 0: A red flag is detected, either by automated transaction monitoring, frontline staff escalation, or sanctions screening alert.
- Hour 0 to 24: Internal investigation by the Compliance Officer or MLRO confirms or dismisses the suspicion. Documentation is prepared regardless of the outcome.
- Hour 24 to 48: If suspicion is confirmed, the STR is drafted and submitted on goAML.
- Hour 48 plus: Continued monitoring of the customer, response to any FIU follow-up, and updating internal risk ratings.
A delay of several days from confirmed suspicion to filing is almost always treated as a deficiency. Where a complex investigation genuinely requires more time, the FIU expects an internal memo documenting why each day of delay was necessary.
The Tipping-Off Prohibition
Once an STR has been filed, or once internal escalation has begun, the customer must not be informed that they are the subject of a report. Tipping-off is a criminal offence under UAE law and applies to every employee who has knowledge of the filing, not only the compliance officer. This includes seemingly innocuous communications: declining a transaction with the explanation that “compliance has flagged it” is itself a tipping-off violation.
Train all customer-facing staff to use neutral language when an account or transaction is held pending review, such as “we are conducting standard internal checks.” Document this training in your AML programme as part of your audit trail.
Step-by-Step: Filing an STR Through goAML
Step 1: Confirm Registration and Access
Before a single field is completed, confirm that your entity is fully registered on goAML, your designated MLRO has reporting credentials, and at least one backup user is provisioned. Locked-out accounts during an active filing are a common cause of delay, especially over public holidays. Test login monthly and refresh the contact and authorised signatory information whenever staff changes occur.
Step 2: Gather Customer and Transaction Data
The goAML form requires a structured set of data points. Pull them together before opening the report:
- Subject identification details: full legal name, Emirates ID or passport, date of birth, nationality, residential and registered address.
- Customer due diligence file: onboarding date, customer risk rating, source of funds and source of wealth declarations.
- Transaction details: amount in AED equivalent, currency of execution, counterparty information, account or wallet identifiers, channel and instrument used.
- Internal investigation notes: who escalated, when, the chain of review, the indicators triggered.
- Supporting documents: scanned identification, transaction confirmations, screening hits, internal memos.
The strength of an STR is judged largely by the depth of the supporting data. A short narrative with rich attachments is acceptable. A long narrative with thin documentation is not.
Step 3: Choose the Right Report Type
Select STR if a transaction or attempted transaction is the trigger. Select SAR if the trigger is activity without a transaction. Select DPMSR if you are a dealer in precious metals or stones and the transaction is at or above the AED 55,000 threshold, regardless of suspicion. Selecting the wrong type forces the FIU to reclassify and is recorded as a quality issue against your entity.
Step 4: Complete the Report Sections
A goAML STR has the following core sections that must be completed accurately:
- Reporting Entity details: automatically populated from your registration, but verify that the details are still current.
- Reason for Reporting: the narrative section. Lead with the indicators that triggered suspicion, then describe the transaction or activity, then explain why the available CDD does not satisfactorily explain the activity. Use specific numbers, dates, and identifiers.
- Transactions: enter each relevant transaction separately. Group only when transactions are functionally inseparable.
- Persons and Accounts: subject, counterparties, beneficial owners, intermediaries. Each is a separate record.
- Indicators: tick all indicators from the FIU library that apply. Do not under-select to avoid scrutiny. Under-selection is itself a finding.
- Goods and Services (where relevant): for DNFBPs especially, describe the underlying transaction (real estate purchase, gold sale, professional service rendered).
Step 5: Submit and Receive Acknowledgement
Submit the report through the portal. Save the system-generated acknowledgement reference. This reference, along with the date and time stamp, is your evidentiary record that the obligation was met. The acknowledgement is not the same as a substantive response from the FIU, which may follow as a Request for Information (RFI) days, weeks, or months later.
Step 6: Continue Monitoring the Customer
Filing an STR does not authorise the entity to exit the relationship. In many cases, the FIU will instruct the Reporting Entity to maintain the account and continue monitoring to support ongoing investigations. Document the customer’s risk rating upgrade, increase monitoring frequency, and ensure that any further suspicious behaviour is reported through an Additional Information File (AIF) rather than a new STR.
Common STR Filing Mistakes That Trigger Penalties
From the pattern of fines published by the UAE supervising authorities over the past 18 months, the most penalised STR-related failures are clustered around the same recurring issues:
- Late filing. Suspicion documented in internal records dated weeks before the STR submission. This is the single most common deficiency cited in MOE and CBUAE inspection reports.
- Non-filing. Internal escalation closed with a “no STR required” decision that an inspector cannot reconcile with the underlying facts.
- Thin narrative. A few generic sentences without specifying the indicators, the CDD contradiction, or the financial impact.
- Wrong report type. Filing a SAR when a transaction is involved, or vice versa.
- Missing counterparties. Failure to include all beneficial owners, intermediaries, and connected accounts.
- Tipping-off through indirect channels. An account manager telling a relationship contact that “things are being reviewed.”
- No follow-up. Filing the STR and then continuing to operate the customer relationship as normal, without re-rating risk or increasing oversight.
- Insufficient record retention. Inability to produce the underlying CDD file, internal memos, or alert history during an inspection.
Each of these is addressable through procedural design and staff training. They are not failures of judgement; they are failures of process. For practitioners building or refreshing their AML programme, our Build an AML Compliance Programme in UAE guide outlines the procedural framework that prevents these errors.
Penalties Under Federal Decree-Law No. 10 of 2025
The 2025 legislative refresh substantially recalibrated the penalty regime for STR-related failures. The headline figures matter for compliance officers building risk-based cases for budget and headcount.
| Violation | Administrative Range |
|---|---|
| Failure to file an STR when required | AED 100,000 to AED 1,000,000 |
| Tipping-off the subject of an STR | AED 100,000 to AED 1,000,000 plus criminal liability |
| Failure to maintain transaction and CDD records for five years | AED 50,000 to AED 500,000 |
| Failure to register on goAML | AED 50,000 to AED 1,000,000 |
| Repeated or systemic non-compliance | Up to AED 5,000,000 plus suspension or revocation of licence |
Beyond administrative fines, the responsible compliance officer and senior management may face individual criminal liability for wilful non-reporting, with imprisonment terms attaching to the most serious cases. The combination of corporate and individual liability is intentional: it ensures that compliance is not treated as a cost-of-doing-business calculation. For the full legislative text and consolidated context, see the UAE Financial Intelligence Unit, the Central Bank of the UAE, and the published FATF mutual evaluation expectations.
How to Build a Sustainable STR Programme
The entities that file STRs effectively are not those with the largest compliance budgets. They are those with the cleanest process design. Three internal building blocks separate effective programmes from reactive ones.
Internal Escalation Procedures
Every entity needs a documented escalation path that moves from frontline observation to MLRO decision within hours, not days. The path should specify named roles (not named individuals, to avoid breaks when staff change), decision authority at each step, and the documentation required to support either a filing or a no-filing decision. The path should be tested at least annually through a tabletop exercise using fictitious cases.
Training the First Line of Defence
Frontline staff are the originators of most useful STRs. They observe behavioural inconsistencies, customer reluctance, document anomalies, and pattern shifts that automated systems may miss. Training must move beyond “what is money laundering” into “how to recognise specific red flags in our specific business,” with sector-specific case studies. The KHDA-approved Compliance 360 training programme includes 32 courses with sector-specific modules for LFIs, DPMS, real estate, accounting, legal, and CSP staff.
Documenting “No-STR” Decisions
A decision not to file is not a non-event. It must be documented with the same rigour as a filing. The record should capture who reviewed the alert or escalation, the indicators considered, the CDD facts relied upon, and the rationale for concluding that suspicion was not formed. Regulators routinely sample “no-STR” memos during inspections precisely because under-reporting is a more systemic risk than over-reporting.
For entities still building their internal risk assessment framework, our AML self-assessment guide for DNFBPs and our transaction monitoring setup guide provide the underlying components that feed an effective STR pipeline. The legal foundation sits in our explainer on Federal Decree-Law No. 10 of 2025.
Frequently Asked Questions
How long do I have to file an STR in the UAE?
The statutory standard is “without delay.” Operationally, the FIU expects filing within 24 to 48 hours of internal suspicion being confirmed, supported by a documented investigation trail. Delays beyond that window need a justifying memo on file.
Can a customer find out an STR has been filed against them?
No. Tipping-off is a separate criminal offence applying to every employee with knowledge of the filing, not only the compliance officer. The fact of an STR, the existence of an internal investigation, and the reason for any account hold must never be disclosed to the customer or any related party.
What happens after I submit an STR?
You receive a system-generated acknowledgement reference from goAML. The FIU may then issue a Request for Information (RFI), instruct you to maintain or freeze the account, or proceed silently. You are expected to continue normal monitoring and to file an Additional Information File (AIF) if further suspicious behaviour occurs.
Do I file an STR if I am unsure whether a crime occurred?
Yes. The legal threshold is “suspicion,” not “knowledge.” If a reasonable compliance professional in your position would form a suspicion based on the available facts, the obligation to file is engaged. The FIU exists to determine whether the suspicion translates into a substantive investigation; that is not the Reporting Entity’s decision.
What is the difference between an STR and a DPMSR?
A DPMSR is a mandatory transaction report filed by dealers in precious metals and stones for every transaction at or above AED 55,000, regardless of whether suspicion exists. An STR is filed only when suspicion is formed. A single transaction can trigger both: a DPMSR for crossing the threshold, and an STR if the transaction is also suspicious.
Are STR filings used by anyone other than the FIU?
STRs are confidential to the FIU and the authorities to whom it disseminates intelligence. They are not shared with the customer, the customer’s counsel, or third parties. They are, however, reviewed by supervising regulators (CBUAE, MOE, SCA, VARA, DFSA, FSRA) during prudential and AML inspections as part of assessing your programme’s effectiveness.
How long must I retain STR records?
A minimum of five years from the date of the report, or longer if directed by the FIU or supervising regulator. This includes the report itself, supporting documents, internal escalation memos, and the underlying CDD file. Records must be retrievable in a form usable by an inspector.
What if my entity has never filed an STR?
A nil-filing record is a supervisory red flag in most sectors. The FIU and MOE expect a baseline filing volume consistent with the risk profile of the business. If your entity has never filed, the most likely explanation is that the internal escalation and monitoring systems are not surfacing the cases that exist. An independent review is the standard first response.
Related Reading
- goAML Portal Registration Guide 2026
- Federal Decree-Law No. 10 of 2025: UAE AML Compliance Guide
- AML/CFT Compliance in the UAE: The Complete Guide for 2026
- AML Transaction Monitoring in the UAE: 2026 Setup Guide
- Build an AML Compliance Programme in UAE
- AML Self-Assessment Guide for DNFBPs in UAE
- Customer Due Diligence (CDD) UAE Compliance Guide
- AML Red Flags for Real Estate in the UAE
Disclaimer: This article is for general information only and does not constitute legal, regulatory, or compliance advice. The application of UAE AML/CFT rules depends on the specific facts of each Reporting Entity. Obtain qualified advice before acting on any matter discussed in this article.


