Proliferation Financing UAE Compliance: 2026 Guide - adilzone | Corporate Consulting Services

Proliferation financing UAE compliance moved from a footnote to a front-line obligation when the Central Bank of the UAE (CBUAE) issued dedicated CPF guidance on 16 April 2026. With Federal Decree-Law No. 10 of 2025 in force and the June 2026 FATF Mutual Evaluation underway, every Licensed Financial Institution (LFI), Registered Hawala Provider (RHP), and Designated Non-Financial Business or Profession (DNFBP) must demonstrate a working counter proliferation financing (CPF) framework, not just a written policy.

Quick Answer

Proliferation financing (PF) is the act of raising, moving, or making available funds, assets, or services to support the manufacture, acquisition, or transfer of weapons of mass destruction. In the UAE, PF is now treated as a distinct compliance discipline alongside AML and CFT, governed by Federal Decree-Law No. 10 of 2025, Cabinet Decision No. 134 of 2025, and the CBUAE’s April 2026 CPF guidance. UAE entities must run a dedicated PF risk assessment, screen against UN Security Council and UAE Local Terrorist List sanctions in real time, and embed lifecycle monitoring across customer relationships.

Key Takeaways

PF is now its own compliance pillar. The CBUAE 16 April 2026 guidance treats counter proliferation financing as a separate framework, distinct from AML and CFT obligations.
The legal stack has changed. Federal Decree-Law No. 10 of 2025 replaced Federal Decree-Law No. 20 of 2018; Cabinet Decision No. 134 of 2025 codifies 71 articles and close to 300 enforceable requirements.
Three components are mandatory. Inherent PF risk assessment, control evaluation with remediation, and continuous monitoring of emerging typologies.
Sanctions screening must run in real time. UN Security Council Resolutions 1718 (DPRK) and 2231 (Iran) lists, plus the UAE Local Terrorist List, must be enforced without delay across new and existing customers.
Lifecycle CDD is non-negotiable. Risk profiles must update on triggers such as ownership changes, dual-use trade activity, or adverse media.
Penalties are punitive. Federal administrative fines run from AED 50,000 to AED 5,000,000 per violation, with criminal exposure for officers and directors who breach targeted financial sanctions.
The FATF Mutual Evaluation in June 2026 will test effectiveness. Inspectors will check whether controls work in practice, not whether documents exist on paper.

What Is Proliferation Financing?

Proliferation financing covers any financial activity that supports the proliferation of weapons of mass destruction (WMD), including nuclear, chemical, biological, and radiological weapons, plus their delivery systems and dual-use precursor goods. The Financial Action Task Force defines PF in Recommendation 7 and the related Interpretive Note, which require countries to implement targeted financial sanctions (TFS) without delay.

How PF Differs From AML and CFT

AML targets the disguise of illicit proceeds. CFT targets the funding of terrorism. CPF targets the funding of WMD programmes, sanctioned regimes, and front entities operating on their behalf. The same payment flow can be clean by AML standards but a serious PF breach if it touches a UN-designated network. Treating PF as a sub-set of CFT is the most common compliance failure UAE auditors flag.

Why PF Now Has Its Own UAE Framework

The UAE’s 2024-2027 National AML/CFT/CPF Strategy elevated proliferation financing to a stand-alone risk theme. The Cabinet Office for Targeted Financial Sanctions and the UAE Financial Intelligence Unit (FIU) coordinate enforcement across Federal regulators, including CBUAE, the Securities and Commodities Authority (SCA), the Dubai Financial Services Authority (DFSA), the Financial Services Regulatory Authority (FSRA-ADGM), and the Virtual Assets Regulatory Authority (VARA). The April 2026 CBUAE guidance is the operational playbook financial sector entities have been waiting for.

The CBUAE 16 April 2026 CPF Guidance Explained

On 16 April 2026, the CBUAE released four updated guidance documents covering proliferation financing, trade-based money laundering, correspondent banking, and customer due diligence. The CPF document applies to all LFIs and Registered Hawala Providers and signals where DFSA-, FSRA-, and VARA-regulated firms should also align. For more on the broader update, see our CBUAE April 2026 AML Update explainer and our CBUAE AML/CFT Guidance for UAE Banks walkthrough.

Component 1: Inherent PF Risk Assessment

Boards and senior management must commission a documented PF risk assessment that addresses customer risk, product and service risk, jurisdictional risk, and delivery channel risk, applied through the lens of WMD proliferation. The assessment must consider:

Direct or indirect exposure to UN-listed jurisdictions (DPRK, Iran)
Trade in dual-use goods covered by the Wassenaar, NSG, MTCR, or Australia Group lists
Customers with complex ownership chains incorporated in high-risk jurisdictions
Correspondent relationships with banks in territories with weak CPF enforcement
Virtual asset and digital payment rails that obscure beneficiary identity

Component 2: Control Evaluation and Gap Remediation

The CBUAE expects a written gap analysis comparing current controls to the assessed inherent risk, with a remediation plan, ownership, and timelines. Required controls include:

Real-time sanctions screening at onboarding and on every transaction
Pre-transaction trade screening for dual-use indicators
Beneficial ownership verification down to natural persons
Adverse media screening for PF and WMD-related signals
Red-flag escalation pathways with documented MLRO sign-off

Component 3: Continuous Monitoring and Typology Tracking

Static controls are now explicitly insufficient. The CBUAE requires lifecycle management of customer risk profiles, with reviews triggered by ownership changes, beneficiary changes, unusual transaction patterns, adverse media, or geopolitical events. Institutions must also subscribe to and act on emerging typology updates from the FATF, the UAE Executive Office for AML/CFT, and the FIU.

Need help mapping your PF obligations to a working CPF framework?
Adil Zone’s compliance advisory team builds risk assessments, controls evaluations, and lifecycle monitoring playbooks for UAE entities under the new CBUAE guidance. Speak to our compliance advisory team.

Who Must Comply With UAE PF Requirements

Federal Decree-Law No. 10 of 2025 and the supporting Cabinet Decision No. 134 of 2025 cover a wide perimeter. Read our full Federal Decree-Law No. 10 of 2025 guide for the legal architecture, then map your obligations using the table below.

Entity Type	Primary Regulator	CPF Obligations
Banks and Finance Companies	CBUAE	Full April 2026 CPF guidance applies; PF risk assessment + lifecycle CDD + real-time screening
Exchange Houses, Payment Service Providers, Stored Value Issuers	CBUAE	Same as banks; heightened scrutiny on cross-border flows
Registered Hawala Providers	CBUAE	Quarterly returns plus PF-specific risk reporting
DIFC firms (banking, asset management, money services)	DFSA	DFSA Rulebook AML module + alignment with CBUAE CPF expectations
ADGM firms	FSRA	FSRA AML Rulebook + UN Security Council TFS obligations
VASPs and crypto exchanges	VARA / SCA	VARA Compliance and Risk Management Rulebook + travel rule + CPF screening
Insurance and reinsurance	CBUAE	PF risk assessment proportionate to product line
Real estate brokers, DPMS, accountants, auditors, lawyers, CSPs	Ministry of Economy	DNFBP Rules + goAML registration + sanctions screening

The DNFBP Spillover

While the April 2026 guidance technically targets LFIs and RHPs, the Ministry of Economy (MOE) has signalled that DNFBP supervisors will use the same risk and control benchmarks during inspections. Real estate brokers, dealers in precious metals and stones, accountants, lawyers, and corporate service providers should treat the CBUAE document as the de facto standard. For sector-specific obligations see our AML Compliance for DPMS, AML Compliance for Corporate Service Providers, and AML Compliance for Accounting Firms guides.

Building a CPF Framework: A Five-Step Implementation Guide

Step 1: Charter and Governance

Issue a board-approved CPF policy that names the MLRO as the responsible officer, defines escalation pathways to senior management, and sets review cadence. The policy should reference Federal Decree-Law No. 10 of 2025, Cabinet Decision No. 134 of 2025, and the relevant CBUAE, DFSA, FSRA, or VARA rulebook by article number. Sample policy structures and templates are part of the standard AML compliance programme build.

Step 2: PF Risk Assessment

Conduct a documented PF-specific risk assessment using a structured methodology. Apply the FATF Risk-Based Approach across four dimensions: customer, product/service, jurisdiction, and delivery channel. Map each business line to its inherent PF exposure score, then re-test annually or on a material change.

Step 3: Control Design and Sanctions Screening

Stand up real-time screening against UN Security Council Resolutions 1718 (DPRK) and 2231 (Iran), the UAE Local Terrorist List, OFAC SDN, EU Consolidated, UK HMT, AUSTRAC, and FINTRAC lists. Screening must cover customers, beneficial owners, related parties, counterparties, and shippers in trade transactions. Refer to our UAE Targeted Financial Sanctions guide for the full enforcement architecture.

Step 4: Reporting and goAML Integration

Suspicious activity must be reported to the UAE FIU through the goAML portal. STRs related to PF, sanctions matches, and dual-use trade red flags carry their own reporting obligations and timelines. For new MLROs, our goAML Portal Registration Guide walks through entity registration, user provisioning, and STR/SAR submission.

Step 5: Independent Audit

An independent audit of the CPF programme is now an explicit expectation under the CBUAE guidance. Adil Zone offers four types of independent AML/CFT/CPF audit aligned to the regulator: Federal (under Federal Decree-Law No. 10 of 2025), DFSA-regulated, VARA-regulated, and Sourcing Supply Chain audit, each delivered with a Remedial Action Plan (RAP).

Independent CPF audit ahead of the June 2026 FATF evaluation.
Adil Zone conducts independent AML/CFT/CPF audits for CBUAE, DFSA, and VARA-regulated entities, with documented gap analysis and a Remedial Action Plan you can present to inspectors. Book an independent audit.

PF Risk Indicators and Red Flags

The CBUAE guidance lists indicators that should trigger enhanced due diligence or a defensive STR filing. UAE compliance teams should embed these into transaction monitoring rules and case management workflows.

Customer-Level Red Flags

Beneficial owners or directors resident in or nationals of UN-sanctioned jurisdictions
Complex ownership structures involving free zone shells with no apparent commercial purpose
Front companies operating in trading hubs with limited physical presence
Use of nominees or professional service intermediaries to obscure ultimate ownership
Customers refusing to disclose end-user information for dual-use goods

Transaction-Level Red Flags

Trade finance involving dual-use precursor chemicals, machine tools, or specialised electronics
Letters of credit with vague descriptions (“equipment”, “spare parts”) and inflated values
Round-trip transactions through multiple jurisdictions with no commercial logic
Routing through correspondent banks in CPF-deficient jurisdictions
Stored value or virtual asset transfers timed to evade screening windows

Geographic and Trade Red Flags

Shipments transiting UAE free ports with end-users in restricted jurisdictions
Bills of lading showing port substitution or vessel-to-vessel transfers in international waters
Trade documentation referencing controlled goods on the Wassenaar, NSG, MTCR, or Australia Group lists

For the trade dimension, our Trade-Based Money Laundering UAE guide covers indicator overlap with PF typologies in detail.

Penalties and Enforcement Under the New Regime

Administrative Penalties

Under Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025, administrative penalties for AML/CFT/CPF breaches range from AED 50,000 to AED 5,000,000 per violation, with daily accruals for ongoing breaches and aggravated factors that can push exposure higher. Common enforcement triggers include:

Failure to conduct or document a PF risk assessment
Delayed implementation of UN Security Council sanctions designations
Inadequate beneficial ownership verification
Late or absent goAML reporting
Lack of an independent AML/CFT/CPF audit

Criminal Penalties

Wilful breaches of targeted financial sanctions, including PF designations, can attract imprisonment terms and fines payable jointly by the entity and the responsible natural persons. Senior management, directors, and MLROs sit in the personal liability perimeter.

Reputational and Licensing Consequences

Beyond fines, the CBUAE, DFSA, FSRA, and VARA can suspend, condition, or revoke licences, restrict business lines, and require independent monitor appointments. Free zone authorities may bar shareholder applications by sanctioned-linked individuals across the 11 UAE free zones Adil Zone serves as an approved channel partner.

Preparing for the June 2026 FATF Mutual Evaluation

The UAE’s National Risk Assessment cycle and the FATF Mutual Evaluation in June 2026 mean inspections are heavier, more technical, and more focused on outcomes. The 2024 removal from the FATF grey list raised, not lowered, the bar. Read our FATF Mutual Evaluation 2026 UAE guide for the methodology and our AML compliance checklist for the practitioner-level controls list.

Practical evaluation prep for PF specifically should include:

A documented PF risk assessment refreshed in 2026
Real-time screening logs for the past 12 months, with positive-match dispositions
Board minutes showing CPF policy approval and review
Training records demonstrating PF-specific content for front-line staff
Independent audit report with Remedial Action Plan and closure evidence

Train your team on PF, sanctions, and the new CBUAE framework.
Compliance 360 by Adil Zone offers 32 specialised, KHDA-approved AML/CFT/CPF training courses, including Targeted Financial Sanctions, EWRA and Risk Appetite Statements, and the AML Compliance Officer Training (8-hour). Explore the Compliance 360 catalogue.

How First Compliance Software Operationalises CPF

The CBUAE guidance pushes towards “dynamic risk intelligence” rather than periodic checks. Adil Zone’s First Compliance platform was built precisely for that workload: 1,800+ sanction lists, 5.5M+ PEP records, AI-powered adverse media, real-time screening, beneficial ownership resolution, transaction monitoring, automated DPMSR reporting, and goAML integration in a single audit-ready platform. Where most teams piece this together across spreadsheets, list providers, and manual STR filing, First Compliance gives the inspector a single dashboard and a complete evidence trail.

Frequently Asked Questions

What is proliferation financing in the UAE context?

Proliferation financing is the provision of funds, financial assets, or services that support the manufacture, acquisition, possession, development, export, transhipment, brokering, or transport of nuclear, chemical, biological, or radiological weapons and their delivery systems, in breach of national obligations under UN Security Council Resolutions and the UAE’s Federal Decree-Law No. 10 of 2025. It is treated separately from money laundering and terrorist financing in the UAE regulatory framework.

Who is required to comply with the CBUAE April 2026 CPF guidance?

The guidance is directly binding on Licensed Financial Institutions and Registered Hawala Providers supervised by the CBUAE. DFSA-, FSRA-, and VARA-regulated firms should align with the same standard, and DNFBPs supervised by the Ministry of Economy will be benchmarked against the CBUAE document during inspections.

What is the difference between AML, CFT, and CPF?

AML targets the laundering of proceeds from predicate crimes. CFT targets the funding of terrorism and terrorist organisations. CPF, or counter proliferation financing, targets the funding of weapons of mass destruction programmes and the entities sanctioned by the UN Security Council in connection with proliferation. The same control infrastructure can serve all three, but the risk indicators, sanctions lists, and typologies differ.

How often must a PF risk assessment be refreshed?

The CBUAE guidance requires assessments to be refreshed annually at a minimum, and immediately on any material change such as new product launches, M&A activity, ownership shifts, expansion into new jurisdictions, or significant geopolitical events affecting sanctions designations.

What are the penalties for breaching PF obligations in the UAE?

Administrative penalties range from AED 50,000 to AED 5,000,000 per violation under Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025. Wilful breaches of targeted financial sanctions can attract criminal penalties, including imprisonment, alongside licensing actions by CBUAE, DFSA, FSRA, or VARA.

Do free zone companies have to comply with PF rules?

Yes. Free zone companies fall under either CBUAE, DFSA (DIFC), FSRA (ADGM), VARA, or Ministry of Economy supervision depending on their licensed activity. Read our AML obligations for free zone companies guide and our DMCC AML compliance guide for sector detail.

Does the new framework affect VASPs and crypto exchanges?

Yes. VARA-licensed Virtual Asset Service Providers must operate sanctions screening, travel rule compliance, and PF risk assessment proportionate to their product. The CBUAE guidance is the de facto benchmark VARA inspectors will reference for screening cadence and lifecycle CDD.

Can a small DNFBP outsource its CPF compliance?

Operational tasks can be outsourced, but ultimate accountability remains with the licensed entity and its senior management. Many UAE DNFBPs use a managed compliance arrangement with the MLRO function staffed externally. See our In-House MLRO vs. Outsourced AML Compliance comparison for the tradeoffs.