CBUAE AML

UAE AML Law: What It Requires and Who It Applies To

Applies to: banks, fintechs
Jurisdictions: AE

UAE Federal Decree-Law No. 20 of 2018 is the primary AML statute of the United Arab Emirates. It requires banks, fintechs, and other licensed financial institutions to implement customer due diligence, monitor transactions, and report suspicious activity to the UAE Financial Intelligence Unit. The Central Bank of the UAE (CBUAE) supervises compliance. The law took effect in October 2018.

What is UAE AML Law?

UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations is the primary federal statute governing financial crime compliance in the United Arab Emirates. The Central Bank of the UAE (CBUAE) is the principal supervisory authority for banks and licensed financial institutions, while the Securities and Commodities Authority (SCA) and Insurance Authority cover their respective sectors.

The law came into force in October 2018, replacing a 2002 framework that regulators and FATF found inadequate given the UAE's position as a major international financial hub. A companion Cabinet Decision No. 10 of 2019 added the implementing rules, including the specific thresholds, timelines, and procedures institutions must follow. The CBUAE followed with sector-specific AML-CFT Guidelines that expand on the decree's requirements for banks, exchange houses, and payment service providers.

The political backdrop matters here. FATF placed the UAE on its grey list in March 2022, citing weak enforcement, gaps in beneficial ownership transparency, and insufficient coverage of designated non-financial businesses. The UAE responded with substantial reform: new regulations, 25 new financial crime prosecutors, and tightened supervision. FATF removed the UAE from the grey list in February 2024, crediting those reforms as adequate. That exit does not lower the compliance bar; if anything, it raises examiner expectations.

The law aligns with FATF Recommendation 20 on suspicious transaction reporting, which the 2022 mutual evaluation found partially deficient in UAE implementation.

Who does UAE AML Law apply to?

The decree applies broadly across the UAE financial sector and extends to designated non-financial businesses and professions (DNFBPs). Key covered entity types include:

  • Banks and branches of foreign banks licensed by the CBUAE, including both conventional and Islamic banks
  • Licensed exchange houses and money transfer operators, a category of particular weight given the UAE's remittance volume (the World Bank estimated UAE outbound remittances at USD 43 billion in 2022)
  • Payment service providers and fintechs holding a CBUAE payment institution license or a financial services permission from the Abu Dhabi Global Market (ADGM) or Dubai International Financial Centre (DIFC)
  • Insurance companies and insurance-related intermediaries
  • Securities brokers and dealers licensed by the SCA
  • Virtual asset service providers (VASPs) registered with the Virtual Assets Regulatory Authority (VARA) in Dubai or under ADGM/DIFC frameworks
  • DNFBPs, including real estate agents, gold and precious metals dealers, lawyers, accountants, and trust and company service providers when transaction values exceed AED 55,000

The DIFC and ADGM are federal free zones with their own regulators (DFSA and FSRA). Both are bound by the same federal AML decree, and their own rulebooks add a second compliance layer. Firms registered in those centres face dual obligations.

Retail-facing fintechs often underestimate their exposure. A digital wallet issuer or buy-now-pay-later provider holding a CBUAE payment institution license is a "financial institution" under the decree, subject to the full Customer Due Diligence (CDD) and transaction monitoring framework. The lighter treatment that applies to smaller payment firms in some other jurisdictions does not exist here.

What does UAE AML Law require?

The decree and Cabinet Decision No. 10 of 2019 establish a layered compliance framework. The core obligations are:

  1. Business-wide risk assessment. Institutions must assess and document ML/TF risk across products, customers, delivery channels, and geographies. The assessment must be reviewed at least annually or after any material business change.

  2. Customer due diligence. Before establishing a relationship or processing an occasional transaction above AED 55,000, institutions must verify customer identity and understand the nature of the relationship. For legal entities, verification must extend to the Ultimate Beneficial Owner (UBO) down to a 25% ownership threshold.

  3. Enhanced due diligence. Enhanced Due Diligence (EDD) is mandatory for politically exposed persons (PEPs), customers connected to high-risk countries, correspondent banking relationships, and any customer or transaction classified as high-risk. Onboarding a PEP requires senior management approval and ongoing monitoring.

  4. Ongoing monitoring. Institutions must monitor transactions throughout the relationship, not only at onboarding. The monitoring system must detect unusual patterns relative to the customer's risk profile and expected transaction behavior.

  5. Suspicious Transaction Reporting. Any employee who suspects a transaction involves ML or TF must escalate internally. The compliance officer then files an STR (Suspicious Transaction Report) with the UAE Financial Intelligence Unit (UAIFIU) via the goAML platform. Regulators expect prompt filing, typically within 24 to 48 hours of suspicion forming. There is no minimum transaction value for filing.

  6. Cash transaction reporting. Transactions in currency above AED 40,000 must be reported to the UAIFIU.

  7. Record retention. All customer identification records, transaction records, and internal reports must be retained for at least five years after the relationship ends or the transaction date, whichever is later.

  8. Internal controls, training, and audit. Institutions need a dedicated compliance officer, written AML-CFT policies approved by senior management, annual staff training with role-specific content, and an independent audit function that tests program effectiveness.

  9. Group-wide programs. UAE parent institutions operating international groups must apply group-wide AML policies to overseas branches and subsidiaries, to the extent local law permits.

What evidence do regulators expect?

When CBUAE examiners arrive, they want documented proof that the program actually runs, not that it exists on paper. The audit-day checklist:

  • Written risk assessment. Dated, signed off by the board or senior management, with evidence of an annual review cycle and approval of any material updates.
  • CDD files. Complete customer files containing identity documents, beneficial ownership verification for corporate customers, source of wealth evidence for high-risk relationships, and a documented rationale for the risk classification applied.
  • EDD records for PEPs and high-risk customers. Senior management approval records, enhanced source of wealth documentation, and sign-offs from each periodic review.
  • Transaction monitoring system (TMS) configuration. Documented rules or model parameters, threshold rationale, and tuning history. Regulators want to see calibration decisions, not a vendor's default rules running untouched.
  • Alert handling logs. For every TMS alert, examiners want to see who reviewed it, what decision was taken, why, and when. Unreviewed alerts are a finding by themselves.
  • STR filing register. A log of all STRs submitted via goAML, with dates and reference numbers, plus a record of any internal decision not to file and the documented rationale.
  • Training records. Attendance logs, training content, and test results for all relevant staff, updated annually. Front-office staff and relationship managers are always in scope.
  • Internal audit reports. Independent audit findings and evidence that management closed each finding, with completion dates.
  • Board and senior management minutes. Evidence that AML-CFT risks are discussed at the board level on a regular basis.

Missing beneficial ownership records and poorly tuned transaction monitoring are the two most common gaps found in examinations.

Common failure modes

We've seen UAE-regulated institutions cited for a consistent set of deficiencies. These are the patterns that show up repeatedly in enforcement and examination findings:

  • Weak beneficial ownership verification. Accepting self-certification from corporate customers without independent verification through commercial registries or structured documentation. CBUAE expects institutions to look through complex ownership chains, not stop at the first legal entity.
  • Transaction monitoring alert volumes that prevent meaningful review. A system generating thousands of daily alerts with a 95%+ false positive rate is a liability. Examiners check alert closure rates and escalation timelines. An alert sitting unreviewed for 30 days is evidence of a broken process.
  • Late STR filing. Institutions that run internal committees to debate whether something is "really" suspicious before filing typically file late or not at all. The law requires reasonable suspicion, not certainty.
  • PEP screening gaps on existing customers. Screening at onboarding but not on an ongoing basis. A customer who becomes a PEP after onboarding must be identified and escalated. Most screening failures involve existing relationships.
  • Role-generic training. Delivering identical AML training to everyone, with no content tailored to front-line staff, relationship managers, or senior management. Examiners test for this specifically.
  • Lapsed records for dormant accounts. Institutions often maintain active-account documentation but allow records for dormant accounts to degrade. The five-year retention clock runs from the end of the relationship, not from the last transaction.

The CBUAE's enforcement disclosure process has published fines against exchange houses for poor STR timeliness and absent beneficial ownership records, with individual penalties ranging from AED 1 million to AED 10 million.

Penalties for non-compliance

The UAE AML Law and Cabinet Decision No. 10 of 2019 set out both administrative and criminal penalties, administered through the CBUAE, the public prosecution, and the courts.

Administrative penalties imposed by the CBUAE can reach AED 50 million (approximately USD 13.6 million) per violation for legal entities. For natural persons, the cap is AED 5 million. The CBUAE can also suspend or revoke a license. License revocation is functionally fatal for a regulated entity.

Criminal penalties are more severe. Natural persons convicted of ML or TF offenses face imprisonment of up to 10 years and fines up to AED 50 million. For corporate entities where ML involvement reaches the management level, dissolution of the entity is possible under the law.

In 2022, the CBUAE fined multiple exchange houses and banks for AML-CFT violations during the grey list remediation period. Disclosed fines ranged from AED 1 million to AED 10 million per institution. The CBUAE publishes enforcement actions on its official AML page.

The UAIFIU can freeze accounts and assets pending investigation, which creates immediate operational and reputational damage before any formal penalty is issued. Following the grey list period, UAE public prosecution increased financial crime prosecutions substantially, and conviction rates for ML offenses rose. The post-grey-list era in the UAE is one of genuine enforcement, not paperwork compliance.

Related regulations and frameworks

UAE AML Law does not operate in isolation. Several overlapping frameworks shape how institutions must implement it.

FATF Recommendations. The decree directly implements the FATF 40 Recommendations. The risk-based approach required by the law mirrors FATF Recommendation 1. Where the decree is silent on implementation detail, CBUAE examiners expect institutions to reference FATF methodology and guidance notes.

Cabinet Decision No. 10 of 2019. This is the primary implementing regulation under the decree. It contains specific definitions, thresholds (the AED 55,000 CDD trigger and the AED 40,000 cash reporting threshold), and procedural requirements. A gap analysis of the decree alone, without Cabinet Decision No. 10, is incomplete.

CBUAE AML-CFT Guidelines. The CBUAE has issued sector-specific guidance covering risk assessment methodologies, correspondent banking requirements, and virtual asset due diligence. The guidelines are supervisory expectations, not law; CBUAE examiners treat non-compliance with them as evidence of a weak program.

VARA Regulations. For virtual asset service providers operating in Dubai, the Virtual Assets Regulatory Authority's AML rulebook sits alongside the federal decree. VASPs must comply with both. VARA requirements include travel rule obligations for VA transfers above USD 1,000, consistent with FATF's updated guidance on virtual assets.

ADGM and DIFC frameworks. Both financial free zones have their own rulebooks that incorporate and extend the federal requirements. ADGM's Anti-Money Laundering and Sanctions Rules 2020 and DIFC's AML Module set out detailed requirements for their licensees, adding a further compliance layer for entities in those centres.

UAE-based institutions with US dollar correspondent banking relationships also face indirect exposure to the BSA (US-FinCEN) through their US clearing arrangements, making CBUAE compliance only part of the picture for internationally active banks.

How FluxForce supports UAE AML Law compliance

FluxForce AI agents handle the transaction monitoring, CDD workflows, and suspicious activity detection that UAE AML Law demands. Nova Sentinel runs continuous monitoring against configured risk rules, generates auditable alert logs, and flags PEP status changes on existing customers throughout the relationship lifecycle. Aiden Flux manages the evidence trail regulators expect: documented decisions, timestamps, and reviewer records at every step. Every alert closure, STR decision, and EDD approval is logged and retrievable on audit day. See how FluxForce maps to your CBUAE compliance program by requesting a demo.

FluxForce AI agents automate evidence capture, monitor transactions against UAE AML Law obligations in real time, and generate audit-ready reports with full decision trails.
