The United Arab Emirates has built, in barely a decade, one of the most demanding anti-financial-crime regimes in the region. For banks, exchange houses, real-estate brokers, gold dealers, auditors and corporate service providers, AML/CFT compliance is no longer a back-office formality — it is a licence-critical, board-level obligation, enforced by supervisors with real appetite for penalties.
The legal architecture
The modern regime was set by Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and the Financing of Illegal Organisations, given operational detail by its Implementing Regulation, Cabinet Decision No. 10 of 2019, and later refined by Federal Decree-Law No. 26 of 2021. That framework criminalised money laundering as a standalone offence, imposed preventive duties on the private sector, and created the institutions that supervise them.
Practitioners must now read that foundation through its successor. Federal Decree-Law No. 10 of 2025, in force from 14 October 2025, repeals and replaces the 2018 law. It preserves the preventive architecture while broadening the perimeter — extending expressly to proliferation financing, to virtual assets and virtual-asset service providers, and to a lower evidential threshold under which criminal knowledge may be inferred from objective circumstances rather than proven directly. Subordinate regulations and sector guidance built under the 2018 regime continue to frame day-to-day compliance pending their own updates. The practical message for regulated firms is continuity, not reprieve: the obligations below remain, and in several respects they have hardened.
Who is caught: financial institutions and DNFBPs
The regime reaches beyond banks. Alongside financial institutions, it binds Designated Non-Financial Businesses and Professions (DNFBPs) — a category that regularly surprises those within it. It captures:
- Real-estate agents and brokers, when they conduct or facilitate transactions in buying or selling property;
- Dealers in precious metals and precious stones, above prescribed cash thresholds;
- Auditors and independent accountants;
- Corporate service providers — those forming, managing or acting for companies and trusts;
- Lawyers, notaries and other independent legal professionals when preparing or executing certain defined transactions for clients.
Being a DNFBP is not optional or self-declared. If your activity falls within the definition, the duties attach automatically, and registration on the supervisory systems is itself a compliance requirement.
The core obligations
Whatever the sector, the substantive duties converge on a common spine:
- Customer due diligence (CDD) — identify and verify the customer before or during the establishment of the relationship, with enhanced due diligence for higher-risk clients, politically exposed persons and higher-risk jurisdictions, and simplified measures only where risk is demonstrably low.
- Beneficial-owner identification — look through corporate and trust structures to the natural persons who ultimately own or control the customer. Opacity of ownership is treated as a risk indicator, not an excuse.
- Suspicious-transaction reporting — file Suspicious Transaction and Suspicious Activity Reports with the Financial Intelligence Unit through the goAML platform. Reporting is mandatory, prompt, and protected; "tipping off" the customer is itself an offence.
- Record-keeping — retain transaction records, CDD files and correspondence for a minimum of five years, and make them available to the authorities on request.
- A risk-based programme — written policies and controls proportionate to the firm's risk profile, a designated compliance officer, independent audit, ongoing staff training, and screening against sanctions and terrorist-designation lists.
Compliance in the UAE is judged not by the existence of a policy, but by whether that policy demonstrably shaped a real decision when it mattered.
Supervision — and the grey-list milestone
The supervisory map has three layers. The Financial Intelligence Unit, housed within the Central Bank, receives and analyses reports and disseminates intelligence. The Executive Office for Anti-Money Laundering and Counter-Terrorism Financing coordinates national strategy. Sector supervisors — the Central Bank for financial institutions, the Ministry of Economy for most DNFBPs, and the financial-free-zone regulators in the DIFC and ADGM — examine and discipline the firms within their remit.
The credibility of that machinery was tested internationally. The UAE was placed on the Financial Action Task Force "grey list" of jurisdictions under increased monitoring in March 2022, and was removed on 23 February 2024 after satisfying the FATF's action plan. Removal was a milestone, not a relaxation. It reflected a state that had invested heavily in enforcement capacity — and one that now has every incentive to keep demonstrating results.
Enforcement and penalties
Non-compliance carries both criminal and administrative exposure. Under the 2018 law as amended, the principal money-laundering offence attracted imprisonment and a fine broadly in the range of AED 100,000 to AED 5,000,000, with heavier penalties for aggravated conduct; the 2025 law raises the ceiling for legal entities materially. Separately, supervisors impose administrative sanctions — fines, warnings, restrictions and licence action — for preventive-obligation failures, without any need to prove an underlying laundering offence. Enforcement is active rather than theoretical: the Ministry of Economy has publicly announced multi-company penalty rounds, including fines of the order of AED 22.6 million imposed on a single tranche of DNFBP firms for AML breaches.
Building a defensible programme
A defensible programme is one that would survive an inspection on its worst day. In practice, that means:
- Start from a documented risk assessment. Controls that are not tied to an articulated view of the firm's risks are difficult to defend and easy to criticise.
- Make beneficial-ownership work real. Verify to source, refresh it, and escalate where structures resist explanation.
- Treat goAML reporting as a live discipline — trained staff, clear internal escalation, and evidence that reports were considered and either filed or reasoned away.
- Keep the evidence trail. Undocumented good judgement is, to a supervisor, indistinguishable from no judgement at all.
- Refresh against the 2025 law now — reassess virtual-asset exposure, sanctions screening and governance against the strengthened standard, rather than waiting for an examination to expose the gap.
Handled properly, AML/CFT compliance is not merely defensive. In a market that has worked hard to shed reputational risk, a genuinely robust programme is a commercial asset — the difference between a business regulators trust and one they watch.
Instruments referenced: Federal Decree-Law No. 20 of 2018 and its Implementing Regulation, Cabinet Decision No. 10 of 2019; Federal Decree-Law No. 26 of 2021 (amendments); and Federal Decree-Law No. 10 of 2025, which repeals and replaces the 2018 law with effect from 14 October 2025; together with the FATF's removal of the UAE from its list of jurisdictions under increased monitoring on 23 February 2024. This page is general information, not legal advice; specific obligations turn on a firm's sector, licence and facts, and should be confirmed with qualified counsel against the instruments in force at the relevant time.