1. What Is the UAE Red List? Definition & Legal Basis
The term "UAE red list countries" does not refer to a single official document with that exact title. It is a widely used shorthand, common in the compliance community and in public search queries, that encompasses two related but distinct categories of high-risk jurisdictions:
Category 1 FATF High-Risk Jurisdictions (Call for Action)
Countries formally identified by the Financial Action Task Force (FATF) as having significant strategic deficiencies in their AML/CFT regimes. The UAE, as a member of the FATF-style regional body MENAFATF and an observer to FATF itself, is obligated to apply enhanced measures to these jurisdictions. This list is the closest equivalent to what most people mean when they refer to the "red list."
Category 2 UAE Sanctions Targets
Countries and entities subject to financial sanctions administered through the UAE's Executive Office for Control and Non-Proliferation (EOCN), implementing UN Security Council resolutions and UAE-specific Cabinet Decisions. Sanctions go beyond AML risk, they create outright prohibitions on dealings with designated persons, entities, and in some cases entire jurisdictions.
The legal foundation for both categories sits in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations, and its implementing regulations under Cabinet Decision No. 10 of 2019. These instruments require all UAE reporting entities to apply countermeasures and Enhanced Due Diligence (EDD) when dealing with high-risk jurisdictions, and to screen all customers and transactions against applicable sanctions lists.
2. Current UAE Red List Countries (2026 Update)
The FATF publishes its High-Risk Jurisdictions subject to a Call for Action, the closest official equivalent to the "red list", on a rolling basis, typically updated three times per year following each FATF Plenary session.
As of 2026, the jurisdictions subject to FATF's highest level of concern and for which the UAE mandates countermeasures include:
Democratic People's Republic of Korea (North Korea) – subject to FATF call for action and comprehensive UN Security Council sanctions. UAE businesses are prohibited from virtually all dealings.
Iran – subject to FATF call for action and broad international sanctions. The UAE applies countermeasures consistent with FATF guidance and relevant UN resolutions.
Myanmar – added to the FATF call for action list following the 2021 military coup and subsequent deterioration of its AML/CFT framework.
Important: The FATF list is a living document. Jurisdictions move on and off it as their compliance posture improves or deteriorates. UAE-regulated entities must refer to the most current FATF publication. The FATF updates its jurisdictions list at fatf-gafi.org after each plenary.
In addition to the FATF call-for-action list, UAE businesses must also monitor:
FATF Jurisdictions Under Increased Monitoring (the Grey List – see Section 4 below), which also carry EDD obligations under UAE AML regulations.
UN Security Council Consolidated Sanctions List, which UAE businesses must screen against via the EOCN portal.
UAE Cabinet Decision No. 83 of 2023 and related instruments designating specific countries for targeted financial sanctions.
3. How the UAE Red List Differs from FATF & UN Sanctions Lists
Understanding the relationship between these frameworks prevents both over-compliance (treating all high-risk flags as outright bans) and under-compliance (missing obligations that sit outside the FATF framework).
The FATF List
FATF identifies jurisdictions with systemic AML/CFT weaknesses. Being on this list does not automatically mean that all transactions with that country are prohibited. It means that UAE reporting entities must apply heightened scrutiny, specifically EDD, and in some cases apply countermeasures such as transaction limitations or refusal of business. The severity of the required response scales with FATF's own language: a "call for action" is more serious than "increased monitoring."
The UN Sanctions List
Administered globally through the UN Security Council, this list targets specific individuals, entities, and jurisdictions for conduct related to terrorism financing, weapons proliferation, and other threats to international peace. The UAE implements UN sanctions directly through Cabinet Decisions and EOCN administration. Dealings with UN-designated targets are prohibited, not merely subject to enhanced scrutiny.
UAE-Specific Designations
The UAE also maintains its own domestic designations through the EOCN, including a Local Terrorist List and a Cabinet-designated Sanctions List that may include entities not on the UN list. Compliance teams must screen against the UAE list separately from the UN Consolidated List.
Key Practical Distinction
FATF high-risk jurisdiction → EDD required; business may proceed with adequate controls.
UN or UAE sanctions target → Transaction prohibited; no amount of due diligence permits the dealing.
4. Red List vs Grey List vs Blacklist: Key Differences
These three terms are used interchangeably in the market but carry different regulatory implications.
Red List (FATF Call for Action)
The most serious category of FATF jurisdiction-level concern. Countries on the call-for-action list are those where FATF has determined that the AML/CFT deficiencies are so significant that other countries should apply countermeasures. For UAE businesses, this means mandatory EDD and, in some cases, restrictions on the type of business that can be conducted. Currently: North Korea, Iran, Myanmar.
Grey List (FATF Increased Monitoring)
Jurisdictions that have committed to addressing identified deficiencies and are working with FATF under an agreed action plan. Grey-listed countries are not subject to the same countermeasures as red-listed ones, but UAE AML regulations still require EDD for transactions involving them. The grey list is significantly longer than the red list and changes more frequently. In recent FATF cycles, it has included jurisdictions across Africa, the Middle East, Asia-Pacific, and the Caribbean.
Blacklist (Sanctions)
In popular usage, "UAE blacklist" typically refers to individuals, entities, or jurisdictions subject to targeted financial sanctions, either under UN resolutions implemented by the UAE, or UAE-specific designations via the EOCN. Unlike the FATF lists (which are about systemic risk), sanctions are legal prohibitions. There is no EDD pathway that allows a sanctioned dealing to proceed.
Term | Issuing Body | UAE Legal Effect | Business Permitted? |
|---|---|---|---|
Red List | FATF | EDD + countermeasures required | Yes, with controls |
Grey List | FATF | EDD required | Yes, with controls |
Blacklist / Sanctions | UN / UAE EOCN | Prohibition | No |
5. AML Obligations for UAE Businesses Dealing with Red-Listed Jurisdictions
When a customer, transaction, or counterparty has a connection to a red-listed or high-risk jurisdiction, UAE reporting entities face a tiered set of obligations under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019.
Customer Risk Classification
Your risk-based approach must flag any customer who is a national of, resident in, incorporated in, or sending/receiving funds to or from a red-listed or grey-listed jurisdiction as elevated risk. This re-classification triggers EDD obligations (see Section 6) and must be documented in the customer's risk file.
Transaction Monitoring
All transactions with a red-list nexus must be subject to heightened transaction monitoring. Thresholds, frequency patterns, and counterparty jurisdictions should be reviewed against your entity's established risk indicators. Automated systems should flag these transactions for manual review.
STR Obligations
If, after applying EDD and transaction monitoring, you identify that a transaction involving a high-risk jurisdiction appears suspicious, you are required to file a Suspicious Transaction Report (STR) on goAML within the applicable timeframe – 35 days for standard suspicion, 24 hours if terrorism financing is suspected.
Correspondent Banking and Business Relationships
Financial institutions maintaining correspondent banking relationships or business partnerships with entities in red-listed or grey-listed jurisdictions must conduct enhanced due diligence on those relationships and satisfy themselves that the counterpart institution has adequate AML/CFT controls. Shell banks incorporated in or operating from red-list jurisdictions cannot be maintained as correspondent partners.
Countermeasures for FATF Call-for-Action Jurisdictions
For the most serious category, FATF call-for-action countries such as North Korea and Iran, the UAE's regulatory framework effectively requires refusal of new business relationships and restrictions on existing ones, consistent with FATF's own countermeasure guidance. In practice, most regulated UAE institutions apply a near-total prohibition on dealings with these jurisdictions, outside of narrow humanitarian exceptions.
6. Enhanced Due Diligence (EDD) Requirements for Red List Transactions
Enhanced Due Diligence is the cornerstone of UAE compliance obligations when a high-risk jurisdiction is involved. EDD goes beyond standard Know Your Customer (KYC) procedures and requires a deeper, documented investigation into the customer's identity, the source of their funds, and the purpose of the transaction.
What EDD Must Cover
Identity verification. Standard document verification is insufficient. EDD requires additional corroboration: a second form of government-issued ID, certified copies of documents, or independent database verification. For corporate customers, full UBO mapping is required, not just director-level identification.
Source of funds. You must establish and document where the money originates. Bank statements, audited accounts, salary certificates, property sale agreements, and similar evidence may be required depending on the transaction type. A customer's assertion of source is not sufficient documentation.
Source of wealth. For higher-value transactions or ongoing relationships, EDD requires understanding the broader wealth picture: how did the customer accumulate their overall net worth, not just the funds in this transaction?
Purpose and nature of the relationship. Why is this customer transacting with your entity, and does the stated purpose make commercial sense given their profile and the jurisdiction involved?
Ongoing monitoring. EDD is not a one-time exercise. Customers classified as high-risk due to a red-list connection must be subject to more frequent periodic reviews and to enhanced transaction monitoring for the duration of the relationship.
Senior Management Approval
For new business relationships with high-risk jurisdiction connections, UAE AML regulations require that the decision to proceed is approved by senior management. This approval must be documented and retained.
Documentation Retention
All EDD documentation must be retained for a minimum of five years from the end of the business relationship or the date of the transaction, whichever is later.
7. Penalties for Non-Compliance (Federal Decree-Law No. 20 of 2018)
The consequences of failing to apply appropriate controls when dealing with red-listed or high-risk jurisdictions are severe, and UAE enforcement activity has increased materially since the country's FATF mutual evaluation process.
Administrative Penalties
Under Federal Decree-Law No. 20 of 2018 and the implementing Cabinet Decisions, supervisory authorities, including the Central Bank of the UAE, the Securities and Commodities Authority, and the Ministry of Economy, can impose:
Fines ranging from AED 50,000 to AED 5 million per violation, with certain violations carrying fines up to AED 50 million where systemic failures are identified.
Suspension or revocation of the business licence.
Public censure and listing of non-compliant entities on regulatory notices.
Prohibition of specific individuals from holding compliance roles.
Criminal Liability
Where a reporting entity or its officers wilfully facilitate money laundering or terrorism financing, including by failing to apply countermeasures on red-list transactions, criminal penalties under the law include imprisonment and fines. The compliance officer and senior management can face personal liability, not just the corporate entity.
Regulatory Consequences Beyond the Fine
Enforcement action from a UAE supervisor is increasingly likely to trigger parallel scrutiny from international correspondent banks and business partners. Regulated entities found to have systemic AML failings often face de-risking by international banks, which can severely restrict their ability to conduct cross-border business – a consequence that can be more commercially damaging than the fine itself.
8. FAQ: Qatar, Iran, North Korea and Other Specific Countries
Is Qatar on the UAE red list?
Qatar is not on the FATF call-for-action list and is not subject to UAE financial sanctions. The confusion likely arises from the period of the Gulf diplomatic crisis (2017–2021), during which the UAE imposed trade and travel restrictions on Qatar. Those measures have been lifted following the Al-Ula Declaration of January 2021, and the UAE–Qatar relationship has since normalised. For AML purposes, Qatar is not a red-listed or sanctioned jurisdiction. Searches for "Qatar red list countries UAE" typically reflect residual confusion from that period.
Is Iran on the UAE red list?
Yes. Iran is on the FATF call-for-action list and is subject to both UN Security Council sanctions and UAE-implemented measures. Dealings with Iranian-connected customers, transactions, or entities require extreme caution and, in most cases, must be declined. UAE-regulated entities should treat Iran as a near-total prohibition jurisdiction absent specific legal guidance to the contrary.
Is North Korea on the UAE red list?
Yes. North Korea (DPRK) is the most comprehensively sanctioned jurisdiction in the FATF framework, subject to both the FATF call for action and sweeping UN Security Council sanctions. There is effectively no permissible category of dealing with DPRK-connected parties for UAE regulated entities outside of narrow, supervised humanitarian exceptions.
What about Russia?
Russia is not on the FATF call-for-action list, and the FATF suspended rather than expelled Russia following the invasion of Ukraine. However, the United States, EU, and UK have imposed extensive sanctions on Russian individuals and entities. The UAE does not automatically implement Western unilateral sanctions, but UAE businesses with US dollar clearing relationships, international correspondent banks, or cross-border business must be aware of secondary sanctions risk. This is a nuanced area requiring entity-specific legal advice.
What about countries on the FATF grey list?
Grey-listed countries trigger EDD obligations for UAE reporting entities, even though they are not subject to the same level of countermeasures as red-listed jurisdictions. If you are onboarding a customer from or transacting with a grey-listed country, EDD is mandatory. Always refer to the current FATF list, as grey-list status changes regularly.
Does the UAE maintain its own separate country risk list?
The UAE does not publish a standalone "red list" by that name. Country-level risk for UAE regulated entities is primarily driven by FATF publications, UN Security Council sanctions lists, and UAE Cabinet Decisions on targeted financial sanctions. Your internal AML policy should incorporate all three sources and be reviewed whenever FATF publishes updated country assessments.
Protect Your Business: Book a Free AML Risk Assessment
Navigating red-list obligations, EDD requirements, and sanctions screening across multiple regulatory frameworks is complex and getting it wrong carries consequences that go well beyond a fine.
B-AML's UAE compliance experts offer a free AML risk assessment tailored to your sector, customer base, and transaction profile. Whether you are a financial institution managing correspondent banking risk, a real estate broker dealing with international buyers, or a VASP operating in a fast-moving regulatory environment, we can identify your exposure and help you build a defensible compliance framework.
