➤ The UAE DNFBP AML Compliance Playbook

What Business Owners Must Get Right Before Regulators Ask

For many UAE businesses, AML compliance is still viewed as a regulatory requirement that sits somewhere between licensing and annual reporting. That perception is becoming increasingly risky.

Regulators across the UAE are placing greater scrutiny on Designated Non-Financial Businesses and Professions (DNFBPs), with inspections becoming more structured, documentation requirements more rigorous, and expectations around governance significantly higher.

The businesses attracting regulatory attention are not necessarily those involved in wrongdoing. In many cases, enforcement actions stem from inadequate documentation, incomplete risk assessments, weak customer due diligence procedures, or failures in suspicious transaction reporting.

➤ Who Qualifies as a DNFBP in the UAE?

Under the UAE's AML framework, DNFBPs are defined under Federal Law No. 10 of 2025 (which replaced Federal Decree-Law No. 20 of 2018, effective 14 October 2025) and Cabinet Decision No. 10 of 2019, as amended. These are non-financial sectors considered inherently vulnerable to money laundering and terrorist financing risks.

Regulated DNFBP categories include:

• Real estate brokers and agents (when buying or selling real estate for clients)
• Dealers in Precious Metals and Precious Stones — DPMS (for cash transactions at or above AED 55,000)
• Auditors, external accountants, and accounting firms
• Corporate service providers (formation, management, directorship, nominee services)
• Legal professionals when engaged in specified financial activities — managing client funds, company formation, or real estate transactions
• Virtual Asset Service Providers (VASPs) — regulated under VARA and SCA frameworks, with daily FIU reporting obligations 

These sectors are subject to AML and CFT obligations comparable in scope to those imposed on licensed financial institutions — including customer due diligence, beneficial ownership identification, record keeping, risk assessments, suspicious transaction reporting, and ongoing monitoring.

➤ The Biggest AML Mistake UAE Businesses Continue to Make

Many DNFBPs focus on compliance documents rather than compliance frameworks. Having an AML policy in a folder is not the same as operating an effective AML program. During inspections, regulators assess whether a business can demonstrate — not merely state — how controls function in practice.

During inspections, regulators typically look for evidence across all of the following:

➤ goAML Registration: Mandatory, But Only the Starting Point

goAML registration is among the most frequently searched AML topics for UAE businesses — and rightly so, as it is a mandatory obligation for all regulated DNFBPs. The UAE Financial Intelligence Unit (UAEFIU) goAML platform is used to submit Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs).

Registration is a two-stage process: (1) SACM registration (approximately 5–10 working days), followed by (2) goAML portal registration (approximately 2–5 working days). Upon completion, entities receive a unique registration number required for all STR filings.

However, registration alone does not satisfy the broader requirements of a compliant AML framework. Regulators expect organizations to have established the internal mechanisms that identify, evaluate, and escalate reportable activities before any report is filed.

➤ Core Components of a Compliant AML Framework

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): Verify customer identity, understand the business relationship, and identify beneficial owners (individuals controlling 25% or more). EDD applies to PEPs, high-risk jurisdictions, and complex ownership structures.

Ongoing Monitoring: Risk profiles must be reviewed periodically — not assessed only at onboarding. Trigger events (significant changes in transaction volume or customer profile) should prompt a formal review.

Internal Escalation Procedures: Employees require a clearly defined process for identifying and escalating unusual activity to the MLRO, documented at each step.

STR/SAR Protocols: Suspicious Transaction Reports must be submitted to the UAEFIU via goAML within 3–5 business days of internal determination. Note: informing a customer that a report has been filed ("tipping off") is a criminal offence under UAE law.

Record Keeping: CDD records and transaction documentation must be retained for a minimum of five years from the date of the transaction or end of the business relationship, whichever is later.

➤ Why the AML Risk Assessment Is Your Most Critical Document

If regulators request a single document that reflects AML maturity, it is almost always the AML risk assessment. A robust, documented assessment demonstrates that your organization has systematically identified its vulnerabilities and put proportionate controls in place.

A comprehensive risk assessment framework for UAE DNFBPs should address the following risk dimensions — informed by the UAE National Risk Assessment (NRA) 2024:

➤ What Regulators Typically Look for During AML Inspections

AML inspections are significantly more operational than many businesses anticipate. Inspectors from supervisory authorities — including ADGM, DFSA, Dubai Economy Establishment, MOHRE, and other relevant regulators — evaluate whether controls actually function in practice, not merely whether policies exist.

In addition to reviewing policy documents, inspectors frequently request:

• Customer onboarding files, including CDD, EDD, and UBO documentation
• Risk-rating methodologies with evidence of consistent application across the customer base
• Sanctions screening records, including pre-transaction and periodic rescreening logs
• AML training attendance registers and training content materials
• MLRO or senior management meeting minutes referencing AML matters
• STR/SAR documentation including internal escalation decisions and goAML submission records
• Internal audit or compliance monitoring reports with management responses
• Evidence of controls operating in actual customer transactions

➤ Board and Senior Management Oversight: Now a Formal Inspection Criterion

AML compliance is no longer solely the responsibility of a compliance officer or MLRO. Federal Law No. 10 of 2025 introduced explicit personal liability for managers and directors — meaning individuals can now face criminal prosecution alongside corporate penalties for AML failures under their watch.

Regulators increasingly expect senior management and boards to demonstrate active, documented oversight of AML risk. Leadership teams should be able to answer:

• What are our organization's highest AML risk areas, and how were they identified?
• How frequently is the AML risk assessment reviewed and by whom?
• How are suspicious activities identified and escalated internally?
• What AML training has been delivered, to whom, when, and at what level?
• What internal reviews or audits have tested the effectiveness of the AML framework?
• How are compliance gaps documented, tracked, and remediated?
• Is Proliferation Financing (a new standalone offence under Federal Law No. 10 of 2025) explicitly addressed in our policies and controls?

➤ Building a Practical DNFBP AML Compliance Framework

Leading organizations build proactive AML programs that integrate compliance into day-to-day operations. An effective framework under UAE regulatory expectations typically encompasses the following components:

➤ UAE AML Penalties at a Glance (Federal Law No. 10 of 2025)

Understanding the penalty regime helps contextualize the business case for compliance investment:

➤ DNFBP AML Readiness Checklist

Use this checklist before your next regulatory review or internal compliance audit. Each item represents a baseline expectation under current UAE AML law.

➤ Frequently Asked Questions

Q1.  Is goAML registration mandatory for all DNFBPs in the UAE?
A1. Yes. All regulated DNFBPs are required to register with the UAE Financial Intelligence Unit (UAEFIU) via the goAML platform to fulfil their suspicious transaction reporting obligations under Federal Law No. 10 of 2025 and Cabinet Decision No. 10 of 2019.

Q2. How often should an AML risk assessment be updated?
A2. At a minimum, annually. The assessment should also be revisited following any material change — expansion into new markets, new products or services, significant shifts in the customer base, personnel changes, or updates to UAE regulatory guidance and the National Risk Assessment.

Q3. What is Federal Law No. 10 of 2025 and how does it affect DNFBPs?
A3. Federal Law No. 10 of 2025 (effective 14 October 2025) replaced Federal Decree-Law No. 20 of 2018 as the core UAE AML legislation. Key changes for DNFBPs include: Proliferation Financing as a standalone criminal offence; explicit personal criminal liability for managers and directors; tighter CDD and record-keeping obligations; and expanded VASP regulation. All policies and risk assessments must be updated accordingly.

Q4 . What is the role of the MLRO?
A4. The Money Laundering Reporting Officer (MLRO) is responsible for overseeing the AML compliance programme, managing internal reporting, and submitting STRs and SARs to the UAEFIU via goAML. The MLRO must be a senior individual with appropriate authority and sufficient resources. Their appointment must be documented and communicated to the relevant supervisory authority.

Q5. What is the difference between an STR and a CTR?
A5. An STR (Suspicious Transaction Report) is judgment-based — filed when activity appears suspicious, regardless of amount, within 3–5 business days of determination. A CTR (Cash Transaction Report) is threshold-based — mandatory for all cash transactions at or above AED 55,000. Both are submitted via the goAML portal. Non-compliance: STR failure can attract fines up to AED 5 million; CTR failure up to AED 1 million.

Q6. What are the most common AML compliance gaps identified during UAE inspections?
A6. Common deficiencies include: outdated or generic risk assessments not reflecting the UAE NRA 2024; inadequate beneficial ownership identification; missing or incomplete CDD documentation; insufficient training records; absence of Proliferation Financing controls; limited evidence of management oversight; and weak internal escalation documentation.

Q7. Can a small or newly established DNFBP be inspected?
A7. Yes. Regulatory inspections are not limited to large or long-established organizations. DNFBPs of all sizes and at any stage of operation may be subject to both scheduled and unannounced compliance reviews.

Q8. What is 'tipping off' and why does it matter?
A8. Tipping off refers to informing a customer or third party that a suspicious transaction report has been filed, or that an investigation is underway. This is a criminal offence under UAE AML law. All employees — particularly those with customer-facing roles — must be trained to maintain strict confidentiality around all STR/SAR activity.

➤ Related Services on ascglobal.ae

The following ASC Group UAE service pages provide detailed information relevant to DNFBP AML compliance:

•       Anti-Money Laundering (AML) Compliance Services

•       Risk Advisory Services

•       Internal Audit Services

•       Corporate Governance Services

•       Enterprise Risk Management (ERM)

•       Internal Control Over Financial Reporting (ICFR)

•       Forensic Investigation

•       Business Continuity Planning (BCP)

•       ASC Insights — Risk Advisory Articles