Regulatory & Enforcement Regulatory

Compliance & investigations

Compliance · programmes

Compliance in the United Arab Emirates has quietly graduated from a box-ticking exercise into a condition of doing business. A formal, documented programme is now the difference between a company that can weather a regulator's letter or a bank's de-risking review, and one that cannot.

Why the pressure has converged

For most of the last decade, a UAE business could treat "compliance" as something banks worried about. That era is over. What has changed is not one law but the convergence of several, each carrying its own obligations, penalties and record-keeping demands, and each capable of triggering the others.

  • Anti-money laundering and counter-terrorist financing. Federal Decree-Law No. 20 of 2018 obliges financial institutions and a wide class of designated non-financial businesses and professions to conduct customer due diligence, monitor transactions, and file suspicious transaction reports with the Financial Intelligence Unit. Penalties run to substantial fines and imprisonment, and enforcement has sharpened since the country's exit from international grey-listing.
  • Targeted financial sanctions. The UAE gives effect to United Nations and domestic listings through a national framework overseen by the Executive Office for Control and Non-Proliferation. Screening counterparties against sanctions lists — and freezing without delay — is a legal duty, not a courtesy to correspondent banks.
  • Anti-bribery. The Penal Code (Federal Decree-Law No. 31 of 2021) criminalises bribery of public officials and reaches private-sector corruption. Exposure is compounded where a UAE group also touches the US FCPA or the UK Bribery Act.
  • Data protection. Federal Decree-Law No. 45 of 2021 established the UAE's first omnibus personal-data regime, with GDPR-style principles, breach obligations and cross-border transfer controls. Several free zones — notably the DIFC and ADGM — operate their own data laws that may apply instead.
  • Ultimate beneficial ownership and economic substance. UBO disclosure obligations (Cabinet Decision No. 58 of 2020) require accurate, maintained beneficial-ownership registers, while economic substance rules — since recalibrated for later periods — put substance and governance on the map.
  • Corporate tax. Federal Decree-Law No. 47 of 2022, effective for financial years beginning on or after 1 June 2023, imports transfer-pricing discipline, documentation and record-retention duties that a compliance function, not just finance, must own.

The stakes are rarely a single fine. The real jeopardy is reputational and, above all, banking: a compliance failure that prompts a relationship bank to exit or restrict an account can be existential in a market where access to correspondent banking is the oxygen supply.

The anatomy of a programme that holds

An effective programme is not a binder of policies. It is a living system that a regulator, an auditor, or an acquiring party's counsel can inspect and find coherent. Six elements carry the weight.

Risk assessment first

Everything begins with an honest, documented risk assessment — mapping the business's exposure by geography, sector, customer type, payment channel and third-party footprint. Controls that are not anchored to identified risk are decoration.

Policies, controls and tone from the top

Written policies must translate into operating controls: due-diligence workflows, approval thresholds, gifts-and-hospitality registers, conflicts declarations. None of it survives contact with reality unless the board and senior management visibly own it. Governance — a defined reporting line to the board, a resourced compliance officer, minuted oversight — is what converts intention into a defensible record.

A programme is judged not by how good it looks on the day it is written, but by whether it can explain itself years later when something has gone wrong.

Third-party due diligence, training and monitoring

Agents, distributors, introducers and joint-venture partners are the most common vector for bribery and sanctions exposure. Risk-based diligence, contractual audit and termination rights, periodic re-screening, targeted training, and ongoing transaction monitoring together form the connective tissue. A control performed once and never tested again is a liability dressed as an asset.

Speak-up channels

A confidential whistleblowing or "speak-up" channel is the early-warning system. The DIFC has introduced statutory whistleblower protections; onshore there is no comprehensive standalone regime, so a well-designed internal channel — with anti-retaliation commitments and a clear triage route to the board — does real work.

Internal investigations: getting the first 48 hours right

Investigations are where a programme is tested under fire. A credible trigger — a whistleblower report, an audit exception, a regulator's query, a banking alert — should launch a defined protocol, not an improvised scramble.

  • Preserve. Issue a litigation-style hold immediately, secure devices and email, and stop routine deletion. Spoliation is often more damaging than the underlying conduct.
  • Scope and staff. Define the question narrowly, decide early who directs the work, and consider engaging external counsel to lead sensitive matters.
  • Interview with care. Give employees an "Upjohn"-style warning that counsel acts for the company, not for them. Document consistently.

The hardest issue is privilege, and here candour matters. UAE onshore law does not recognise a broad common-law litigation privilege; confidentiality protections attach principally to licensed advocates, and in-house counsel are generally treated as employees rather than privileged advisers. The DIFC and ADGM, whose courts draw on English legal principles, offer a materially more protective environment — including for in-house lawyers and litigation-related work product. The practical implication: where a matter is genuinely sensitive, structure the investigation through external counsel and, where the facts allow, within a common-law free-zone framework. Treat nothing created in an onshore investigation as automatically shielded from later disclosure.

Remediation and the self-reporting question

Finding a problem obliges you to fix it. Remediation — disciplinary action, control redesign, restitution, retraining — is what regulators and banks look for as evidence that the programme works. Self-reporting is more finely balanced: several UAE regimes carry mandatory reporting duties (a suspicious transaction cannot be quietly buried), while other conduct involves a judgement call weighing credit for disclosure against exposure. That decision should be taken deliberately, with counsel, and documented.

A defensible programme, in practice

For boards and general counsel, the goal is defensibility: a programme proportionate to risk, owned at the top, evidenced in contemporaneous records, and stress-tested before a regulator does it for you. Build the risk assessment, resource the function, rehearse the investigation protocol, and decide your privilege architecture before the crisis — because in the first 48 hours of a live matter, there is no time left to design one.

Instruments referenced: Federal Decree-Law No. 20 of 2018 (Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations); Federal Decree-Law No. 31 of 2021 (Penal Code); Federal Decree-Law No. 45 of 2021 (Personal Data Protection); Cabinet Decision No. 58 of 2020 (Ultimate Beneficial Owner procedures); Federal Decree-Law No. 47 of 2022 (Taxation of Corporations and Businesses); together with the UAE's targeted financial sanctions framework, the economic substance regime (as recalibrated), and the distinct DIFC and ADGM legal frameworks. This page is general information, not legal advice.

A regulatory or enforcement matter on your desk?

Every matter is handled personally. Tell me about your situation and I'll advise on the best way forward — confidentially and without obligation.

Get in touch