The United Arab Emirates operates one of the most complex and multi-layered anti-money laundering regulatory environments in the world. Unlike jurisdictions with a single financial regulator, the UAE has multiple supervisory authorities operating across different jurisdictions (onshore, DIFC and ADGM) and across different sectors, from banking to virtual assets to real estate.
Understanding which laws apply, which regulator supervises your business, and how the frameworks interlock is not straightforward. Following the UAE’s removal from the FATF grey list in June 2024, compliance expectations have not relaxed. If anything, the regulatory infrastructure is now better resourced, better coordinated, and more actively enforced than at any point in the UAE’s regulatory history.
This guide maps the full UAE AML legal stack, explains the key provisions of each instrument, and provides a practical overview of enforcement actions, penalties, and what a compliant programme looks like across the regulatory landscape.
1. The UAE AML Legal Stack: An Overview
The UAE’s AML framework operates at three levels: primary federal legislation that applies across the whole of the UAE; implementing regulations that translate the primary law into operational requirements; and regulator-specific rulebooks that apply additional requirements to entities within a given supervisory perimeter.
The table below maps the key instruments, their type, scope and supervising authority:
| Instrument | Type | Scope | Supervisor |
|---|---|---|---|
| Federal Decree-Law No. 20 of 2018 | Primary legislation | All persons in UAE (onshore + free zones) | AMLSCU / MoE / CBUAE |
| Cabinet Decision No. 10 of 2019 | Implementing regulation | DNFBPs + financial institutions | MoE / CBUAE |
| CBUAE AML/CFT Guidelines | Regulatory guidance | CBUAE-licensed FIs + hawala providers | Central Bank UAE |
| DFSA Rulebook (AML Module) | Regulator rulebook | DIFC-licensed firms only | DFSA |
| FSRA AML/CFT Rulebook | Regulator rulebook | ADGM-licensed firms only | FSRA |
| VARA Virtual Asset Regulation | Sector regulation | VASPs licensed in Dubai | VARA |
| Insurance Authority AML Rules | Sector regulation | Insurance companies + intermediaries | Insurance Authority |
The critical point for compliance officers is that free zone entities, including DIFC and ADGM firms, are subject to both the federal legislation and their own regulator’s rulebook. A DIFC-licensed firm must comply with Federal Decree-Law No. 20 of 2018 and the DFSA’s AML Module. The federal law sets the floor; the regulator’s rules may set a higher standard.
2. Federal Decree-Law No. 20 of 2018: Core Provisions
Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations is the foundational AML statute of the UAE. It repealed the previous AML law (Federal Law No. 4 of 2002) and brought the UAE’s primary legislation broadly into alignment with FATF Recommendations.
Key Definitions
• Proceeds of crime: funds derived from any predicate offence listed in the law, including drug trafficking, fraud, corruption, tax crimes, human trafficking, cybercrime and terrorist financing
• Money laundering: acquiring, possessing, using, converting, transferring, managing, keeping, depositing, or investing funds, knowing or having reasonable grounds to know they are proceeds of crime
• Predicate offences: the law adopts an all-crimes approach, meaning that any crime generating proceeds can give rise to a money laundering offence
• Terrorist financing: providing, collecting or transferring funds knowing they will be used, in whole or in part, to finance a terrorist act, organisation or individual, regardless of whether the act occurs
Core Obligations Imposed
• Customer due diligence (CDD): all financial institutions and DNFBPs must identify and verify customers, beneficial owners and the purpose of the business relationship
• Enhanced due diligence (EDD): mandatory for high-risk customers, politically exposed persons (PEPs), customers from high-risk countries, and correspondent banking relationships
• Suspicious transaction reporting (STR): mandatory filing with the UAEFIU via goAML where money laundering or terrorist financing is known or suspected, or where there are reasonable grounds to suspect it
• Record keeping: CDD records, transaction records and STR-related documentation must be retained for a minimum of five years
• AML compliance programmes: financial institutions and DNFBPs must maintain written AML/CFT policies, appoint a compliance officer and provide staff training
• Targeted financial sanctions: obligations to implement UN and UAE sanctions designations, freeze assets immediately and report to the AMLSCU
Penalties Under the Primary Law
The law establishes significant criminal penalties. An individual convicted of money laundering faces imprisonment of between one and ten years and a fine of between AED 100,000 and AED 500,000. Where the offence is committed by an organised group, through a licensed financial institution, or involves a public official, the penalty increases to between ten and twenty-five years. Legal persons (companies) are subject to fines of between AED 300,000 and AED 10,000,000.
3. Cabinet Decision No. 10 of 2019: Implementing Regulations
Cabinet Decision No. 10 of 2019 on the Implementing Regulation of Federal Decree-Law No. 20 of 2018 translates the primary law’s principles into detailed operational requirements. It is the instrument that compliance officers are most likely to work with on a day-to-day basis.
What Cabinet Decision 10 Adds
• Detailed CDD requirements: specifying when simplified, standard and enhanced due diligence apply; the documents required to verify natural persons and legal entities; and the conditions under which CDD may be performed by a third party
• Beneficial ownership: defining UBO as the natural person(s) who ultimately own or control 25% or more of a legal entity, or who otherwise exercise effective control, and setting out verification requirements
• Correspondent banking: specific EDD obligations for correspondent banking relationships, including assessment of the respondent institution’s AML controls and prohibition on shell bank relationships
• Wire transfers: requirements for originator and beneficiary information to accompany cross-border wire transfers, aligned with FATF Recommendation 16 (the “travel rule”)
• DNFBP-specific obligations: clarifying which activities trigger AML obligations for each DNFBP category and the supervisory authority responsible for each sector
• Targeted financial sanctions (TFS) procedures: the mechanism for implementing asset freezes, reporting to AMLSCU and applying for delisting
• Proliferation financing: obligations to screen for and report activities that may finance the proliferation of weapons of mass destruction
Cabinet Decision No. 10 of 2019 was amended by Cabinet Resolution No. 24 of 2022 to incorporate updated FATF guidance on virtual assets, proliferation financing and the travel rule for crypto transactions. Firms should ensure they are working from the amended version, not the original 2019 text.
4. DFSA Rulebook (AML Module) for DIFC-Regulated Entities
The Dubai Financial Services Authority (DFSA) is the independent regulator for financial services conducted in or from the Dubai International Financial Centre (DIFC). Its Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module, commonly referred to as the AML Module, is part of the DFSA Rulebook and constitutes the primary AML compliance framework for all DFSA-authorised firms.
Key Features of the DFSA AML Module
• Applies to all DFSA-authorised firms and Registered Auditors, regardless of their size or business model
• Requires each firm to appoint a Senior Executive Officer-level Anti-Money Laundering Reporting Officer (AMLRO) who must be approved by the DFSA as an Authorised Individual
• Mandates a written Business Risk Assessment (BRA) that must be reviewed and updated when there are material changes to the business or regulatory environment
• Sets out detailed CDD and EDD requirements that in several respects go beyond the federal minimum, including specific guidance on PEP screening, source of wealth verification and high-risk country lists
• Requires firms to maintain an STR register and to file suspicious activity reports with both the DFSA and the UAEFIU (via goAML)
• Includes specific provisions on group-wide AML compliance, requiring DIFC firms that are part of international groups to apply DFSA-equivalent standards across the group
• Imposes sanctions compliance obligations, including real-time screening against UN, US OFAC, EU and UK sanctions lists in addition to UAE designations
DFSA Supervision Style
The DFSA operates a risk-based supervision model, with firms assigned a supervisory intensity based on their assessed AML risk profile. High-risk firms, such as private banks, family offices and high-value payment firms, receive more frequent and more intrusive supervision, including on-site examinations that review CDD files, transaction monitoring outputs and STR decision-making.
The DFSA’s enforcement record demonstrates a willingness to impose significant penalties, impose conditions on licences and, in serious cases, withdraw authorisation. Firms seeking DFSA authorisation should expect AML governance and controls to be examined in detail during the application process.
5. Central Bank UAE, VARA & FSRA: Cross-Regulator Map
Outside the DIFC, the UAE AML regulatory landscape is divided among several authorities depending on the sector and jurisdiction. The table below provides a practical cross-regulator reference:
| Regulator | Jurisdiction | Sector | AML Framework | STR Platform |
|---|---|---|---|---|
| CBUAE | Onshore UAE | Banks, exchange houses, payment firms, hawala | CBUAE AML Guidelines | goAML |
| DFSA | DIFC (Dubai) | All DIFC-licensed financial services | DFSA Rulebook (AML) | DFSA reporting portal |
| FSRA | ADGM (Abu Dhabi) | All ADGM-licensed financial services | FSRA AML/CFT Rules | FSRA portal / goAML |
| VARA | Dubai (all areas) | Virtual asset service providers | VARA VA Regulation | goAML |
| Ministry of Economy | Onshore + free zones | DNFBPs (real estate, gold, CSPs, lawyers) | Cabinet Decision 10/2019 | goAML |
| Insurance Authority | Onshore UAE | Insurance and reinsurance | IA AML Instructions | goAML |
Key Points on Regulatory Perimeters
• DIFC and ADGM are financial free zones with their own legal systems and their own regulators (DFSA and FSRA respectively). They are not supervised by the CBUAE for AML purposes, though federal AML law applies to them.
• VARA was established in 2022 as the dedicated regulator for virtual assets in Dubai (including DIFC for VASPs). Its framework is the most recently developed and is still evolving; firms should monitor VARA guidance closely.
• The Ministry of Economy supervises all DNFBP sectors for AML purposes through its Anti-Money Laundering Department. RERA in Dubai and ADREC in Abu Dhabi have additional supervisory roles for real estate brokers.
• The AMLSCU (Anti-Money Laundering and Suspicious Cases Unit, part of the UAE Central Bank) coordinates the UAE’s financial intelligence function and is the primary point of contact for TFS implementation and inter-agency financial crime coordination.
6. Recent UAE Central Bank Fines & Enforcement Actions
The enforcement landscape in the UAE has changed dramatically since 2020. What was historically a relationship-based, guidance-oriented regulatory environment has become significantly more sanctions-driven, with regulators across all sectors demonstrating a willingness to impose substantial financial penalties and publicise enforcement outcomes.
| Year | Regulator | Action | Key Finding |
|---|---|---|---|
| 2023 | CBUAE | AED 5.6 billion in fines against 11 banks | Failures in transaction monitoring, CDD, STR filing and sanctions screening across major domestic and international banks |
| 2022–23 | CBUAE | Multiple exchange house licence suspensions | Unregistered hawala activity, failure to conduct CDD, inadequate STR processes |
| 2023 | DFSA | Formal censure and fines against two DIFC firms | Failures in beneficial ownership verification and PEP screening |
| 2022 | Ministry of Economy | Fines against 50+ real estate brokers and gold dealers | Non-registration as DNFBPs, absence of AML policies, failure to conduct CDD on clients |
| 2024 | VARA | Enforcement action against unlicensed VASP operators | Operating virtual asset exchange services without VARA authorisation; failure to apply CDD |
| 2023–24 | FSRA | Enhanced supervisory oversight of ADGM trust companies | Beneficial ownership gaps and inadequate source-of-wealth verification for high-risk clients |
The 2023 CBUAE action against eleven banks, resulting in aggregate fines of AED 5.6 billion, was one of the largest coordinated AML enforcement actions ever taken by a single regulator against its supervised population. It sent a clear signal that AML non-compliance at scale would be met with penalties at scale and prompted a significant review of AML programmes across the UAE banking sector.
⚠️ What Enforcement Actions Tell Us About Regulatory Priorities
• Transaction monitoring effectiveness is the top supervisory concern: systems that generate alerts, but where alerts are not reviewed, escalated or actioned, are treated as equivalent to having no monitoring at all
• Beneficial ownership verification remains a persistent gap: regulators continue to find firms that have corporate customers on their books without verified UBO information
• STR quality and timeliness matter: filing STRs late, or filing low-quality reports without adequate analysis, is treated as a compliance failure in its own right
• Governance is examined, not just controls: regulators expect board-level ownership of AML risk, not delegation to a compliance team with insufficient authority or resources
7. Penalties for AML Breaches in UAE (with Figures)
The UAE AML penalty framework combines criminal liability under the primary legislation with administrative sanctions applied by each regulator. The table below summarises the key penalty categories and indicative ranges:
| Violation | Administrative Penalty Range | Criminal Exposure |
|---|---|---|
| Money laundering (primary offence) | Asset confiscation + unlimited fines | 10–25 years imprisonment |
| Terrorist financing | Asset confiscation + unlimited fines | Life imprisonment possible |
| Failure to file STR | AED 100,000 – AED 1,000,000 per incident | Criminal referral in aggravated cases |
| Failure to conduct CDD / EDD | AED 50,000 – AED 500,000 per incident | Criminal referral where wilful |
| Failure to maintain AML policies | AED 50,000 – AED 500,000 | N/A (administrative) |
| Tipping off (disclosing STR to customer) | AED 100,000 – AED 500,000 | Criminal liability |
| Failure to register as DNFBP | AED 50,000 – AED 100,000 + licence suspension | N/A (administrative) |
| Operating unlicensed as VASP or hawala provider | Unlimited fines + business closure | Criminal prosecution |
| CBUAE fines (licensed FIs) | Up to AED 1,000,000 per violation under CBUAE framework; aggregate unlimited | Criminal referral |
| DFSA fines (DIFC firms) | Unlimited (applied per violation) | Referral to Dubai public prosecution |
It is important to note that penalties are cumulative: a firm may face administrative fines from its regulator, separate fines for each individual violation, criminal proceedings against responsible individuals, reputational damage from public enforcement notices, and secondary consequences such as loss of banking relationships or licence revocation.
8. How to Build a Compliance Programme Aligned with All UAE Sources
Building a compliance programme that satisfies the UAE’s multi-layered regulatory requirements is achievable but requires a structured approach that starts from the applicable legal sources rather than a generic template.
Step 1: Identify Your Regulatory Perimeter
The first question is always: which regulator(s) supervise your business? A DIFC-licensed firm has a different primary framework from an onshore UAE bank, a Ministry of Economy-registered DNFBP, or a VARA-licensed VASP. If your business operates across multiple perimeters, you must satisfy all applicable frameworks.
Step 2: Conduct a Business Risk Assessment
Every firm subject to UAE AML law must have a documented, risk-based assessment of its exposure to money laundering and terrorist financing. The BRA should cover: the firm’s products and services, its customer base, its geographic exposure and the delivery channel it uses. It must be updated at least annually and whenever there are material changes to the business.
Step 3: Design Controls Proportionate to Your Risk
Your AML policies, CDD procedures, transaction monitoring approach and STR process should be calibrated to the risks identified in your BRA. A low-risk DNFBP and a private bank serving PEP clients have very different risk profiles and need very different controls. Generic, off-the-shelf AML programmes that are not tailored to the firm’s specific risk profile are a common finding in regulatory inspections.
Step 4: Appoint Qualified Oversight
Every regulated entity must have a named compliance officer or MLRO with adequate experience, qualifications, authority and resources. In DFSA-regulated firms, the AMLRO must be an Authorised Individual approved by the DFSA. In CBUAE-licensed institutions, the compliance officer must meet CBUAE fit-and-proper criteria. In MoE-supervised DNFBPs, a designated compliance officer must be registered with the MoE.
Step 5: Train, Test and Update
Staff training is a regulatory requirement, not a one-time event. Training must be delivered to all relevant staff, records must be maintained, and the content must be updated as the regulatory framework evolves. Similarly, transaction monitoring rules, CDD risk scoring and AML policies must be reviewed and tested regularly.
✓ UAE AML Compliance Programme Essentials
✔ Regulatory perimeter identified and all applicable frameworks documented
✔ Business Risk Assessment completed, documented and reviewed annually
✔ AML/CFT policies and procedures written, approved by senior management or board
✔ Compliance officer or MLRO appointed, qualified and registered where required
✔ CDD procedures applied to all clients, including UBO verification for legal entities
✔ EDD applied to PEPs, high-risk countries, and high-risk product/service types
✔ Transaction monitoring system calibrated to the firm’s specific risk profile
✔ goAML account registered and STR filing process operational
✔ Targeted financial sanctions screening in place and tested
✔ Staff AML training delivered and records maintained
✔ Record retention of at least five years for all CDD and transaction records
✔ Independent AML audit or review conducted at least annually
B-AML provides regulatory mapping, Business Risk Assessments, policy development, compliance officer services and AML programme reviews for regulated businesses across all UAE regulatory perimeters – CBUAE, DFSA, FSRA, VARA and MoE. We help firms build programmes that satisfy their specific regulatory requirements, not just a generic standard.



