UAE AML Regulations: Key Changes & Compliance Guide

The UAE's AML regulatory landscape underwent its most significant restructuring in October 2025. Federal Decree Law No. 10 of 2025 took effect on 14 October 2025, replacing the 2018 framework that had governed financial crime compliance for nearly seven years. For financial institutions, fintechs, DNFBPs, and VASPs operating in the UAE, this isn't an incremental update — it's a foundational reset.

The timing matters. The UAE was removed from the FATF increased monitoring list on 23 February 2024 after demonstrating verified progress against identified deficiencies. The 2024–2027 National AML/CFT/CPF Strategy followed shortly after, approved in September 2024 as a framework for sustaining that progress. The new law, and intensified enforcement activity alongside it, reflects the UAE's commitment to proving the delisting was warranted.

This guide breaks down what changed, who's covered, what compliance looks like in practice, and where the penalty exposure now sits.


Key Takeaways

  • Federal Decree Law No. 10 of 2025 (eff. 14 Oct 2025) replaces the 2018 AML law; Cabinet Resolution No. 134 of 2025 (eff. 14 Dec 2025) replaces its 2019 executive regulations
  • Proliferation financing (CPF) is now a named pillar of the framework, alongside AML and CFT
  • Commercial gaming operators are newly added as a DNFBP category
  • Corporate fines now reach AED 100 million; managers face personal criminal liability
  • All regulated entities must register on the goAML portal
  • Record retention is now mandatory for at least five years

What Changed: The Updated UAE AML/CFT/CPF Legal Framework

The New Legal Architecture

Two instruments form the new legal foundation:

  • Federal Decree Law No. 10 of 2025 — formally repeals Federal Decree Law No. 20 of 2018 and any conflicting provisions
  • Cabinet Resolution No. 134 of 2025 — issued 29 October 2025, effective 14 December 2025; repeals Cabinet Resolution No. 10 of 2019 under Article 70

Where no new sector-specific guidance has been issued yet, older guidance remains applicable. That said, entities are expected to align policies with the new law without delay.

The law's full title signals its expanded scope: it now expressly covers Anti-Money Laundering, Combating the Financing of Terrorism, and Proliferation Financing. CPF is no longer treated as an ancillary concern. It now carries its own institutional obligations and risk assessment requirements.

Key Substantive Changes

Three changes carry the most immediate operational weight for regulated entities:

1. Objective knowledge test for money laundering: Knowledge or intent can now be inferred from objective circumstances — prosecutors no longer need to prove actual knowledge. This extends liability exposure to managers and compliance officers who should have identified red flags, not just those who demonstrably did.

2. New account misuse offense: Article 35(2) creates a criminal offense for knowingly enabling a third party to misuse an account at a financial institution or VASP. Fintech platforms, payment firms, and digital wallet providers face direct exposure here, particularly where account ownership verification is weak.

3. Expanded FIU enforcement powers: Article 5 grants the FIU Chief direct authority to:

  • Order cessation of suspicious transactions for up to 10 working days
  • Freeze suspected funds for up to 30 days, extendable by the Attorney General

Under the 2018 law, the Central Bank Governor held a narrower 7-working-day freezing power. Moving that authority to the FIU — and extending the timeframe — is a meaningful escalation. Compliance teams should ensure their transaction hold and customer notification procedures can accommodate the new windows.


Who Must Comply with UAE AML Regulations

Financial Institutions and VASPs

The following categories are covered under Federal Decree Law No. 10 of 2025:

  • Financial institutions — banks, exchange houses, insurance companies, payment service providers, securities firms, and licensed fintechs
  • VASPs — entities conducting virtual asset exchanges, transfers, custody, or services related to VA issuance

VASP oversight is split across four regulators based on where the entity is licensed:

  • VARA — VASPs in Dubai (outside DIFC)
  • CMA/SCA — VASPs elsewhere in the UAE
  • DFSA — entities in DIFC
  • FSRA — entities in ADGM

Licensing jurisdiction determines which supervisory obligations apply.

DNFBPs: Who's In Scope

Cabinet Resolution No. 134 of 2025 defines the DNFBP categories and their applicable thresholds:

| DNFBP Category | Trigger Condition |
| --- | --- |
| Real estate brokers and agents | When concluding buying/selling transactions |
| Dealers in precious metals and stones | Single or linked cash transactions ≥ AED 55,000 |
| Lawyers, notaries, legal professionals | When preparing or executing specified financial transactions |
| Independent accountants and auditors | When executing specified client transactions |
| Trust and corporate service providers | For incorporation, trustee, nominee, and registered office services |
| Commercial gaming operators (new) | Single or linked transactions ≥ AED 11,000 |


Commercial gaming operators are a new addition under the 2025 framework — bringing a previously unregulated channel under formal AML oversight for the first time.

All these obligations apply across the UAE mainland, commercial free zones, and financial free zones — though DIFC and ADGM entities also carry additional rulebook obligations from their respective regulators.


Which Authority Regulates AML in the UAE

The UAE operates a multi-regulator model — there is no single AML authority. Understanding which regulator supervises your entity is a compliance prerequisite.

| Authority | Supervisory Scope |
| --- | --- |
| CBUAE | Banks, exchange houses, insurance, payment providers, licensed fintechs |
| Ministry of Economy and Tourism (MoET) | Most DNFBP categories |
| Ministry of Justice (MoJ) | Lawyers, notaries, independent legal professionals |
| CMA/SCA | Securities firms; VASPs outside Dubai |
| VARA | VASPs in Dubai (outside DIFC) |
| DFSA | Entities in DIFC |
| FSRA | Entities in ADGM |
| GCGRA | Commercial gaming operators |

The UAE FIU sits across all of these as the central reporting authority. Every regulated entity — regardless of sector or location — reports STRs, SARs, and other financial crime disclosures through the goAML portal. Under the new law, the FIU now also holds direct enforcement powers for the first time.

Two additional bodies operate at the national level:

  • NAMLCFTC — coordinates national AML/CFT/CPF strategy and represents the UAE in international forums
  • EOCN (Executive Office for Control and Non-Proliferation) — administers the targeted financial sanctions regime; entities must subscribe to its notification alert system

Core AML Compliance Obligations Under the New UAE Law

Risk Assessments: EWRA and CRA

Every regulated entity must conduct and document an Enterprise-Wide Risk Assessment (EWRA) that reflects its specific business model, products, customer base, and geographic exposure. The federal law requires risk assessments to be continuously updated — there is no fixed annual cycle prescribed, but any material change to the business, product mix, or risk environment should trigger a review.

The Customer Risk Assessment (CRA) assigns each customer a risk rating at onboarding and requires ongoing reassessment. Risk ratings must be supported by documented methodology — not just assigned as checkbox outputs.

Customer Due Diligence and EDD

CDD obligations follow a tiered structure: simplified, standard, or enhanced depending on the customer's risk profile and transaction context.

Key thresholds and triggers:

  • Occasional customer transactions for DNFBPs: CDD required at or above AED 55,000
  • Commercial gaming operators: CDD triggered at AED 11,000
  • Suspicion: CDD applies regardless of transaction size whenever suspicion arises

Enhanced Due Diligence (EDD) is mandatory for:

  • Politically Exposed Persons (PEPs) — defined broadly under UAE regulations to include persons with prominent public functions domestically or internationally, officials of international organizations, plus their immediate family members and close associates
  • High-risk countries
  • Complex, unusual, or high-value transactions with no clear economic purpose

Targeted Financial Sanctions (TFS) Screening

TFS screening is a continuous obligation — not a one-time onboarding check. Requirements under official CBUAE and MoET guidance:

  • Screen customers, beneficial owners, and counterparties against the UAE local terrorist list and UN Security Council lists
  • Conduct screening at least daily following list updates
  • Subscribe to the EOCN notification alert system
  • On any match: freeze assets immediately and without prior notice to the affected party, then report to the supervisory authority


STR/SAR Reporting via goAML

All regulated entities must detect and report suspicious activity through the UAE FIU's goAML portal. The internal process requires:

  • Escalating the matter to the MLRO or Compliance Officer
  • Documenting the decision on whether to file
  • Observing the tipping-off prohibition throughout

Beyond standard STRs, two sector-specific reports apply:

  • Real Estate Activity Reports (REAR) — for freehold transactions involving cash payments of AED 55,000 or more, or any virtual asset settlement
  • Dealers in Precious Metals and Stones Reports (DPMSR) — for transactions at or above the AED 55,000 threshold

Governance, Records, and Training

Minimum governance requirements include:

  • Appoint a qualified MLRO/Compliance Officer
  • Maintain AML/CFT policies and procedures aligned with the EWRA
  • Retain all CDD documents, transaction records, and STR decisions for at least five years
  • Deliver role-based AML/CFT training to staff at all levels

Regulators look at documentation quality and audit trails, not just whether a policy exists.


Penalties, Enforcement, and What Businesses Should Do Now

Penalty Structure Under Federal Decree Law No. 10 of 2025

The penalty exposure under the new law is sharply higher than its predecessor:

  • Corporate fines: AED 5 million to AED 100 million, or the value of the criminal property — whichever is greater
  • Corporate dissolution: Courts may order dissolution for money laundering offenses; dissolution is mandatory upon conviction for terrorism financing or proliferation financing
  • Individual ML penalties: Imprisonment of 1 to 10 years and fines up to AED 5 million


Enforcement activity was already intensifying before the new law took effect. On 2 July 2025, the CBUAE imposed an AED 5.9 million financial sanction on a branch of a foreign bank for AML/CFT compliance failures. That action preceded Federal Decree Law No. 10 of 2025 — the bar has since moved higher.

Personal Liability for Managers

Under Article 27(5), managers of legal entities face personal fines or imprisonment where they had actual knowledge of a principal offense or where the offense resulted from a breach of their employment duties. This shifts compliance from a back-office function to a board-level governance priority.

Common Compliance Gaps That Draw Regulatory Action

UAE inspections consistently surface the same deficiencies:

  • Customer risk ratings not supported by documented methodology
  • Beneficial ownership not verified or updated after onboarding
  • TFS screening conducted only at account opening — not ongoing
  • STR filing decisions made informally with no documented rationale
  • AML policies copied from generic templates that don't reflect the entity's actual products or customer base

Regulators examine consistency of implementation, not just whether a policy binder exists on the shelf.

Compliance Action Checklist

Regulated entities operating in the UAE should address the following:

  1. Register on the goAML portal — mandatory for all regulated entities
  2. Appoint a qualified MLRO — with documented authority and reporting lines
  3. Conduct or update the EWRA — accounting for the expanded CPF scope and any new product or customer segments
  4. Update AML/CFT policies — aligned to Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025
  5. Implement ongoing TFS screening — including EOCN subscription and documented match/no-match records
  6. Verify training records and audit trails — role-based training with dated completion records


For fintechs and payments companies, these obligations must be embedded into product and operational workflows — not managed as a parallel compliance process.

Firms building or upgrading a UAE-aligned AML program may find it useful to work with a specialist advisory firm. Pillars FinCrime Advisory supports financial institutions, fintechs, and payments companies across the full program lifecycle: policy development, enterprise risk assessments, transaction monitoring optimization, and audit readiness.

Free Zone Considerations

The checklist above applies to all regulated entities — but for DIFC and ADGM firms, there is an additional layer. Entities in both free zones must comply with both federal AML law and their regulator's rulebook. The DFSA updated its AML rulebook via Rule-Making Instrument No. 435/2026, which came into force on 2 March 2026, aligning DFSA requirements with the updated federal AML legislation. ADGM's FSRA has similarly referenced Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 in its updated AML materials. Internal controls in both free zones should be reviewed against the revised rulebooks, not just the federal law.


Frequently Asked Questions

What is AML compliance in the UAE?

AML compliance in the UAE refers to the legal obligations placed on financial institutions, DNFBPs, and VASPs to identify, assess, and report money laundering, terrorism financing, and proliferation financing risks. The current framework is governed by Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.

What is considered money laundering under UAE law?

Money laundering under Federal Decree Law No. 10 of 2025 includes the transfer, conversion, concealment, or disguising of proceeds from a predicate crime — such as fraud, corruption, tax evasion, or terrorism financing. Liability can be established if a person knew or, under the new objective test, reasonably should have known the funds were illicit.

What are the new AML laws in the UAE?

Federal Decree Law No. 10 of 2025 (effective 14 October 2025) is the principal new law, with Cabinet Resolution No. 134 of 2025 (effective 14 December 2025) as its executive regulation. They replaced the 2018 law and 2019 Cabinet Resolution, adding proliferation financing as a named pillar, new digital asset offenses, and significantly higher penalties.

Which authority regulates AML in the UAE?

The UAE operates a multi-regulator model. Key supervisory authorities include:

  • CBUAE — financial institutions
  • MoET — most DNFBPs
  • MoJ — legal professionals
  • VARA — VASPs in Dubai; CMA/SCA — VASPs elsewhere
  • DFSA / FSRA — DIFC and ADGM entities respectively

The UAE FIU serves as the central reporting authority for all regulated entities via the goAML portal.

What are the penalties for AML non-compliance in the UAE?

Corporate fines range from AED 5 million to AED 100 million, or the equivalent value of criminal property — whichever is greater. Managers face personal criminal liability, including imprisonment, where they had knowledge of the offense or where it resulted from a breach of their duties. Corporate dissolution, license revocation, and asset freezing are also available sanctions.

What are the core AML compliance obligations for regulated entities in the UAE?

Regulated entities must fulfill five core obligations:

  1. Conduct an enterprise-wide risk assessment
  2. Perform tiered CDD and EDD on customers
  3. Screen against TFS and sanctions lists daily
  4. File STRs and sector-specific reports via the goAML portal
  5. Maintain governance through a qualified MLRO, role-based training, and five-year record retention