AML Compliance Policy (UAE)

An AML Compliance Policy in the United Arab Emirates is a formal governance document that sets out a company's framework for preventing, detecting, and reporting money laundering and terrorist financing in compliance with the Anti-Money Laundering and Combating the Financing of Terrorism Law — Federal Decree-Law No. 20 of 2018 — and the AML-CFT Executive Regulations, Cabinet Decision No. 10 of 2019. Money laundering is the process of disguising the proceeds of criminal activity — such as drug trafficking, fraud, bribery, or tax evasion — as legitimate funds. Terrorist financing is the provision or collection of funds to support terrorist acts or terrorist organisations.

The UAE's AML-CFT legal framework is complete and has been strengthened substantially since 2021 as part of the country's successful action plan to exit the FATF grey list, which the UAE joined in 2024 as a full member. Federal Decree-Law No. 20 of 2018 creates the primary offences of money laundering and terrorist financing, imposes obligations on regulated entities, and establishes the Financial Intelligence Unit (FIU) — operating within the Central Bank of the UAE — as the national centre for receiving and analysing Suspicious Transaction Reports via the goAML system. The AML-CFT Executive Regulations, Cabinet Decision No. 10 of 2019, set out detailed requirements for Customer Due Diligence, Suspicious Transaction Reporting, record-keeping, and risk-based compliance programmes.

Two broad categories of entity bear mandatory AML compliance obligations in the UAE. Financial institutions — regulated by the Central Bank of the UAE, the Insurance Authority, or the Securities and Commodities Authority (SCA) — must maintain complete AML compliance frameworks including board-level AML policies, a designated Money Laundering Reporting Officer (MLRO), customer due diligence, transaction monitoring, and staff training. Designated Non-Financial Businesses and Professions (DNFBPs) — including real estate agents, auditors, accountants, legal consultants, dealers in precious metals and stones, and trust and company service providers — are supervised by the Ministry of Economy for AML purposes and must comply with the DNFBP AML-CFT regulations. Virtual Asset Service Providers (VASPs) licensed by the Virtual Asset Regulatory Authority (VARA) in Dubai are subject to VARA's AML-CFT regulatory framework.

The Executive Office of Anti-Money Laundering and Counter Terrorism Financing coordinates national AML-CFT policy across UAE federal and emirate-level authorities, the Central Bank of the UAE, the Ministry of Economy, and the Ministry of Justice. The National Anti-Money Laundering Committee issues guidance on ML-TF risk assessment and compliance requirements. The forms-legal.com AML Compliance Policy (UAE) template provides a complete policy suitable for DNFBPs, financial institutions, and VASPs, available in PDF and Word format.

An AML Compliance Policy is needed in the UAE whenever a company falls within the scope of Federal Decree-Law No. 20 of 2018 or sector-specific AML regulations.

For financial institutions — banks, finance companies, exchange houses, payment service providers, and insurance companies — the Central Bank of the UAE's AML-CFT standards require a formal, board-approved AML policy as a non-negotiable compliance requirement. The Central Bank conducts regular AML-CFT inspections and can impose fines of up to AED 50 million for serious deficiencies.

For DNFBPs supervised by the Ministry of Economy, an AML compliance policy is required as part of the DNFBP risk-based AML-CFT framework. Real estate agents involved in property transactions above AED 55,000 cash, auditors and accountants, lawyers, dealers in precious metals and stones, and company service providers must have documented AML policies, conduct customer due diligence, and file STRs with the FIU.

For Virtual Asset Service Providers licensed by VARA in Dubai, the VARA AML-CFT Rulebook (updated 2024) requires VASPs to maintain complete AML compliance frameworks aligned with FATF's updated guidance on virtual assets.

For general commercial companies in the UAE, an AML compliance policy — while not legally mandatory in all cases — is increasingly a practical necessity. UAE banks and international financial institutions conduct Know Your Customer and Enhanced Due Diligence on their corporate customers, and a documented AML policy demonstrates the compliance culture that sophisticated counterparties expect. Companies seeking to list on the Abu Dhabi Securities Exchange (ADX) or Dubai Financial Market (DFM) are subject to SCA corporate governance requirements that include AML compliance frameworks.

Companies that conduct business in sectors or geographies identified as high-risk in the UAE National AML-CFT Risk Assessment — including real estate, gold trading, free zone corporate services, and cross-border cash transactions — have the strongest practical case for maintaining a formal AML policy regardless of whether they are formally regulated.

A UAE AML Compliance Policy must contain the following elements to meet the requirements of Federal Decree-Law No. 20 of 2018 and the AML-CFT Executive Regulations.

Risk assessment: A documented Business Risk Assessment evaluating the company's exposure to money laundering and terrorist financing risk across customer types, products and services, geographic reach, and delivery channels, as required by Article 16 of the AML-CFT Executive Regulations. The risk assessment must be reviewed annually or when material business changes occur.

Customer Due Diligence programme: Detailed procedures for Standard CDD, Enhanced Due Diligence (EDD) for high-risk customers — including politically exposed persons, non-resident customers, and customers from high-risk jurisdictions — and Simplified Due Diligence where permitted. CDD must include customer identification and verification, UBO identification under Cabinet Resolution No. 58 of 2020, and understanding the purpose and nature of the business relationship.

Suspicious Transaction Reporting: Clear procedures for employees to report suspicions internally to the MLRO, the MLRO's assessment process, and the obligation and mechanism for filing STRs with the FIU via goAML, including the tipping-off prohibition.

Record-keeping: Requirements to retain CDD records, transaction records, and STR files for a minimum of five years, in accordance with Article 25 of Federal Decree-Law No. 20 of 2018.

MLRO designation: The name and contact details of the designated MLRO, their responsibilities, authority, and reporting line to senior management and the board.

Training: Annual AML-CFT training requirements for all staff, with enhanced training for the MLRO and senior management. The forms-legal.com AML Compliance Policy (UAE) covers all mandatory elements under UAE AML law, structured for immediate operational use.

Completing the AML Compliance Policy begins with entering the company's registered name, emirate, effective date, and the approval authority — typically the board of directors.

Select the type of regulated entity. The choice between financial institution, DNFBP, VASP, or general commercial entity determines the applicable regulatory framework and the level of detail required in the policy. DNFBPs supervised by the Ministry of Economy and financial institutions supervised by the Central Bank of the UAE face the most prescriptive requirements and the greatest regulatory scrutiny. If uncertain of the company's classification, seek advice from UAE-qualified legal counsel registered with the Ministry of Justice.

Designate the MLRO. Enter the name and title of the senior officer responsible for AML compliance. The MLRO must have sufficient seniority, independence, and authority to fulfil their role effectively and must have direct access to senior management and the board. Enter a dedicated email address or hotline through which employees can make internal suspicion reports. The MLRO contact must be accessible to all staff.

Select the overall AML risk rating based on the Business Risk Assessment. This assessment should have been completed before the policy is adopted and should be updated annually. The risk rating — low, medium, or high — determines the intensity of the CDD programme and the frequency of enhanced reviews.

Select the policy review period. Annual review is required for regulated entities and recommended for all companies with AML obligations. After completing the wizard, arrange for board approval, distribute the policy to all employees, provide immediate AML-CFT training, and register the MLRO with the relevant supervisory authority — the Central Bank of the UAE for financial institutions, the Ministry of Economy for DNFBPs, or VARA for VASPs — as required.

Legal requirements for a UAE AML Compliance Policy arise from multiple sources.

Federal Decree-Law No. 20 of 2018, the AML-CFT primary legislation, criminalises money laundering and terrorist financing, imposes obligations on regulated entities, and creates the FIU. Article 20 requires financial institutions and DNFBPs to adopt internal AML-CFT systems and controls proportionate to the nature and size of their business.

The AML-CFT Executive Regulations, Cabinet Decision No. 10 of 2019, set out the specific requirements for regulated entities: risk assessments (Article 16); customer due diligence (Articles 4-14), including enhanced due diligence for politically exposed persons and high-risk relationships (Article 7); UBO identification aligned with Cabinet Resolution No. 58 of 2020 (Articles 8-9); STR filing with the FIU (Articles 17-18); record-keeping for five years (Article 25); and employee training (Article 23).

The UAE UBO Regulation, Cabinet Resolution No. 58 of 2020, as amended by Cabinet Resolution No. 132 of 2023, requires mainland UAE companies to identify and register their ultimate beneficial owners — natural persons who own or control 25% or more of shares or voting rights — with the relevant licensing authority.

The Central Bank of the UAE's AML-CFT Standards impose requirements on supervised financial institutions that go beyond the minimum legal requirements, including board-level governance of AML risk, an independent AML function, mandatory suspicious transaction reporting culture, and regular independent AML audits.

The Ministry of Economy's DNFBP AML-CFT supervisory framework sets out obligations for real estate agents, auditors, lawyers, and other DNFBPs, including registration on the Hayasaat system and participation in Ministry-conducted AML-CFT inspections. The Commercial Companies Law, Federal Decree-Law No. 32 of 2021, imposes fiduciary duties on directors that encompass compliance with AML-CFT obligations, and breach can result in director liability.

Common mistakes in UAE AML Compliance Policies include the following.

Conducting no Business Risk Assessment before adopting the policy is a critical gap. The AML-CFT Executive Regulations, Cabinet Decision No. 10 of 2019, require a documented risk assessment as the foundation of the compliance programme. A policy that sets a flat compliance approach without reference to the company's actual risk profile — treating a cash-intensive precious metals dealer the same as a software company with no government-facing operations — is non-compliant with the risk-based approach required by FATF and UAE law.

Failing to conduct Enhanced Due Diligence for Politically Exposed Persons (PEPs) is a recurring finding in UAE regulatory inspections by the Ministry of Economy and Central Bank of the UAE. PEPs — current and former senior government officials, their family members, and close associates — require enhanced scrutiny under Article 7 of the AML-CFT Executive Regulations because of their elevated risk of corruption and abuse of public office. A policy that does not identify PEPs as a high-risk customer category and mandate enhanced review with senior management approval before onboarding fails a basic AML requirement.

Failing to update CDD records on an ongoing basis leaves companies with stale information about customers whose risk profile may have changed. Ongoing monitoring — reviewing transactions against expected patterns, updating customer risk ratings, refreshing CDD records when material information changes — is a mandatory element of the AML-CFT programme under the AML-CFT Executive Regulations. A CDD file that was accurate at onboarding but has not been updated for three years provides no protection against a customer who has since been designated on a sanctions list or whose business model has changed significantly.

Designating a junior employee as MLRO without genuine authority or resources to fulfil the role is a compliance fiction. The Central Bank of the UAE, the Ministry of Economy, and VARA assess whether the MLRO has the seniority, independence, and operational capacity to manage the AML programme effectively. An MLRO who cannot access senior management, who lacks authority to block suspicious transactions, or who has no budget for training does not meet the regulatory standard and may result in personal liability for the person holding the title.

Ignoring the tipping-off prohibition by informally warning a customer that a report has been filed — even with good intentions — is a criminal offence under Article 17 of Federal Decree-Law No. 20 of 2018, punishable by imprisonment and fines. All staff must be trained on the absolute nature of this prohibition.