United Arab Emirates Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: UAE Federal Decree-Law No. 20 of 2018
Data protection: UAE Federal Decree-Law No. 45 of 2021
Also: UAE FIU, VARA (Dubai), DFSA, FSRA

Who regulates financial crime in the United Arab Emirates?

The Central Bank of the UAE (CBUAE) is the primary AML/CFT supervisor for mainland financial institutions: banks, exchange houses, payment service providers, finance companies, and insurance firms. Its AML/CFT supervisory division sets requirements, conducts on-site and off-site examinations, and issues administrative penalties. CBUAE guidance, circulars, and AML/CFT standards are published at cbuae.gov.ae.

The UAE Financial Intelligence Unit (UAE FIU) sits within the Ministry of Economy's Anti-Money Laundering and Suspicious Cases Unit (AMLSCU). It receives, analyses, and disseminates suspicious transaction reports submitted through the goAML platform. Every obligated entity in the UAE files STRs directly to the FIU via goAML. CBUAE sees STR volumes as part of examinations and benchmarks them against peer institutions.

The Dubai Financial Services Authority (DFSA) has autonomous jurisdiction over firms incorporated in the Dubai International Financial Centre (DIFC). It publishes its own AML rulebook, runs independent examinations, and maintains a public enforcement register at dfsa.ae. DFSA-regulated firms don't report to CBUAE; they operate under DIFC law rather than UAE federal law.

The Financial Services Regulatory Authority (FSRA) plays the equivalent role for the Abu Dhabi Global Market (ADGM), a separate common-law free zone. FSRA mirrors FATF standards and runs its own AML supervision independently of both CBUAE and DFSA.

In Dubai, the Virtual Assets Regulatory Authority (VARA) was established under Dubai Law No. 4 of 2022 to license and supervise virtual asset service providers. VASPs operating elsewhere in the UAE, outside DIFC and ADGM, are jointly supervised by CBUAE and the Securities and Commodities Authority (SCA).

The Executive Office for Anti-Money Laundering and Counter-Terrorist Financing (EO AML/CTF), set up in 2021, coordinates national AML/CFT policy and connects UAE supervisors to FATF and the Egmont Group. It led much of the remediation programme that secured the UAE's removal from the FATF grey list in February 2024.


What are the key AML and fraud laws in the United Arab Emirates?

UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations is the primary statute. It defines ML and TF offences, identifies obligated entities, and sets out the due diligence, reporting, and record-keeping obligations all licensed financial institutions must meet. Cabinet Decision No. 10 of 2019 provides the implementing regulations: customer risk classification methodology, beneficial ownership verification procedures, and the STR filing framework.

The law is built on the FATF risk-based approach (Recommendation 1), requiring institutions to assess their own ML/TF exposure and calibrate controls to their specific risk profile. FATF Recommendation 10 on customer due diligence is transposed through Article 14 of the Decree-Law: institutions must identify and verify customers, beneficial owners, and the purpose and nature of every business relationship before it opens.

Cabinet Decision No. 58 of 2020 mandates beneficial ownership registers for all UAE-incorporated companies, requiring disclosure of ultimate beneficial owners (UBOs) down to a 25% shareholding threshold. This was a direct response to FATF's findings on corporate opacity and shell company abuse in the 2020 Mutual Evaluation.

Federal Law No. 7 of 2014 on Combating Terrorism Offences and its Financing runs alongside the 2018 Decree-Law, covering TF specifically. The UAE also maintains a local terrorist designation list, separate from UN Security Council consolidated lists, administered by the National Anti-Money Laundering and Combating Financing of Terrorism Committee (NAMLCFTC). Every licensed institution must screen against both.

For record-keeping, FATF Recommendation 11 is implemented through Article 19 of the Decree-Law: all transaction records and CDD documentation must be retained for at least five years from the end of the business relationship. The FATF Mutual Evaluation of the UAE is the authoritative external assessment of how these laws are implemented in practice and is publicly available at fatf-gafi.org.

UAE Federal Decree-Law No. 45 of 2021 (the Personal Data Protection Law, PDPL) governs how financial institutions handle personal data. It requires a lawful basis for processing, restricts cross-border data transfers to countries with adequate protections, and grants individuals access and correction rights. The tension between PDPL obligations and AML's five-year retention requirement is real. Closing an account doesn't end your retention obligation, but it does require care about how and where the data sits. UAE legislation is accessible via legis.gov.ae.


What controls do United Arab Emirates regulators expect?

Customer due diligence

CBUAE expects customer due diligence on all new customers and periodic refresh on existing ones, calibrated to risk. The minimum is identity verification, address confirmation, and an assessment of the customer's business activity and expected transaction behaviour. For corporate clients, CDD extends to full UBO mapping: if a customer can't document its ownership structure, that requires escalation before onboarding continues.

High-risk customers (politically exposed persons, nationals or entities from FATF-listed countries, and customers with opaque ownership structures) require enhanced due diligence, including senior management approval before a relationship opens or continues. FATF Recommendation 12 on PEPs is fully incorporated in the 2018 Decree-Law.

Transaction monitoring

Transaction monitoring must be risk-based and cover both historical behaviour patterns and real-time flows. CBUAE examiners have cited banks specifically for running unmodified vendor rule sets that weren't tuned to their customer base and risk profile. Running a generic global rule set and calling it done isn't acceptable.

Sanctions screening

Sanctions screening is mandatory against UN Security Council consolidated lists and the UAE's own local terrorist designation list. Screening must happen at onboarding, at transaction initiation, and immediately when list updates are published. Gaps between list publication and actual screening implementation are treated as control failures by CBUAE examiners, not as acceptable processing delays.

STR reporting

All obligated entities must file suspicious transaction reports (STRs) via the goAML platform within 30 days of suspicion arising. Terrorism financing suspicion requires immediate reporting. There's no minimum transaction value: suspicion is the trigger. Tipping off the customer about a filed or pending STR is a criminal offence under the 2018 Decree-Law.

Record-keeping

Five-year retention from the end of a business relationship or the date of the transaction, whichever is later. This covers transaction records, CDD files, STR documentation, and correspondence related to the business relationship.


What is unique about compliance in the United Arab Emirates?

The UAE's dual free-zone architecture creates three parallel regulatory environments. Mainland firms answer to CBUAE. DIFC entities answer to DFSA. ADGM entities answer to FSRA. A bank with offices across all three runs three compliance programmes with different STR channels, different examination cycles, and different interpretations on EDD thresholds and PEP classification. This is the structural complexity that foreign banks most consistently underestimate when planning their UAE entry.

FATF placed the UAE on its increased monitoring list in March 2022, citing weaknesses in beneficial ownership transparency, low STR quality and volume, and gaps in supervision of DNFBPs (designated non-financial businesses and professions, including real estate agents, gold dealers, auditors, and company formation agents). The UAE was removed from the grey list in February 2024 after a structured national remediation programme. That process permanently raised the supervisory baseline. CBUAE now examines institutions more frequently, requires STR quality self-assessments, and expects enhanced due diligence on clients in historically higher-risk trade sectors. That intensity has persisted since the removal from the grey list.

High-value real estate and gold are persistent trade-based money laundering concerns. CBUAE expects banks to verify that commercial clients in these sectors are registered under the DNFBP regime and submitting their own goAML reports. A bank that doesn't check its real estate developer clients against the DNFBP register is accepting a gap it can't defend in an examination.

Virtual asset regulation is fragmented. VARA governs Dubai-licensed VASPs under rules issued since 2022. CBUAE and SCA jointly supervise VASPs in the broader UAE outside DIFC and ADGM, aligned with FATF Recommendation 15 on new technologies. DFSA runs a separate crypto regime for DIFC entities. A bank holding correspondent accounts for VASP clients needs a documented internal policy on which framework applies to each client, because the answer genuinely differs depending on where the client holds its licence.

The PDPL's cross-border data transfer restrictions add friction to group-level due diligence workflows. Sharing customer files with a foreign parent requires either an adequate-country determination or explicit consent. That's a practical issue for global banks running centralised compliance review teams outside the UAE.


Recent enforcement actions in the United Arab Emirates

CBUAE has escalated enforcement consistently since the 2022 grey-listing. Its supervisory reports identify four recurring failure types across examined institutions: STR filing volumes below what the institution's risk profile would predict; transaction monitoring scenarios not tuned to institution-specific risks; screening applied only to UN lists but not the UAE local designation list; and CDD files with missing or outdated UBO documentation for corporate clients. Any examination team that walks in and finds these gaps is going to have a difficult conversation.

The DFSA publishes enforcement notices at dfsa.ae. Actions against DIFC-regulated firms have covered inadequate AML systems and governance, failures in suspicious activity identification, and weaknesses in AML oversight frameworks. DFSA penalties are public by default. The enforcement register is worth reading for any compliance team working in or planning to enter DIFC.

International enforcement actions illustrate what UAE-connected transaction flows look like to foreign regulators. Standard Chartered's 2019 USD 1.1 billion settlement with US and UK authorities included sanctions violations across the MENA corridor, with regulatory documentation detailing how payments through Gulf-region entities were used to obscure sanctioned beneficiaries. BNP Paribas's 2014 USD 8.97 billion settlement remains a benchmark case on correspondent banking failures that CBUAE examiners reference when assessing banks' correspondent due diligence programmes. Both cases are instructive for any institution with Gulf-region correspondent relationships.

VARA has not published formal AML enforcement actions for virtual asset firms as of early 2024. Its inspection programme for Dubai-licensed VASPs began in 2023, with a number of conditional licences under active review. Formal enforcement is expected as that programme matures.


What foreign banks operating in the United Arab Emirates need to know

Three entry routes, three frameworks

A foreign bank has three choices: a CBUAE-licensed branch on the UAE mainland, a subsidiary or branch in DIFC under DFSA supervision, or a subsidiary or branch in ADGM under FSRA supervision. Each requires a dedicated MLRO appointed to the local entity and approved by the relevant regulator before taking the role. You can't share an MLRO across a mainland branch and a DIFC entity; they're separate jurisdictions with separate supervisory relationships.

MLRO independence

CBUAE requires the MLRO to be independent of internal audit. The MLRO can't hold a role that creates a conflict with their compliance obligations, including the CEO position. For smaller entities, a compliance officer can double as MLRO, but that person needs documented AML-specific training and regulator registration. DFSA and FSRA have equivalent fitness-and-propriety requirements for their licensed entities. The MLRO function can't be outsourced, though supporting compliance functions can be delegated to group entities under a documented arrangement approved by the board.

STR deadlines and reporting channels

STRs go to the UAE FIU via goAML within 30 days of suspicion arising. TF cases require immediate filing. Reports go directly to the FIU, not CBUAE. CBUAE sees filing volumes through examination data and benchmarks institutions against their peer group. Consistently low volumes relative to business risk profile are a red flag.

Practical risk areas

The UAE's hawala networks, high-volume cross-border remittances, and cash-intensive commercial sectors are the areas regulators focus on most. Trade finance clients in gold, real estate, and commodities get extra scrutiny post-grey-list. Foreign banks running global customer risk models not built for UAE-specific typologies will have gaps. A risk model calibrated for US or European transaction patterns won't catch the specific trade flows that raise flags for CBUAE and the UAE FIU.

Language is not a barrier: CBUAE guidance and goAML are available in both Arabic and English, and STRs can be filed in either language. VARA documentation is predominantly in English.


How FluxForce supports United Arab Emirates compliance

FluxForce maps to the UAE's core control obligations: real-time transaction monitoring calibrated to UAE-specific risk typologies including gold trading and high-value real estate flows, automated screening against both UN consolidated lists and the UAE local designation list, and AI-assisted STR drafting formatted for the goAML platform. For institutions operating across CBUAE, DFSA, and FSRA regimes, FluxForce's regulatory compliance automation supports parallel control configurations with audit-ready evidence behind every decision. Book a demo to see it applied to UAE-specific scenarios.

FluxForce AI agents monitor transactions against the United Arab Emirates' AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for CBUAE examinations.
