Need expert help with this? View our advisory service →
UAE AML enforcement has fundamentally changed. Since 2022, the UAE has overhauled its AML framework — implementing FATF recommendations, significantly increasing penalties, and substantially expanding inspection activity. Businesses that assumed AML compliance was only for banks are now discovering, often during an inspection visit, that they face significant obligations. Here's what every UAE business owner needs to know.
Who is a DNFBP in UAE?
Designated Non-Financial Businesses and Professions (DNFBPs) are the non-bank business categories subject to full UAE AML obligations. They include: real estate brokers and developers, dealers in precious metals and stones, accounting firms and auditors, law firms, corporate service providers, and trust and company service providers.
If your business falls into any of these categories, you have mandatory AML/CFT obligations under UAE Federal Decree-Law No. 20 of 2018 and its amendments. This includes goAML registration, customer due diligence, suspicious transaction reporting, record keeping, and AML compliance programme requirements.
goAML registration — what it is and how to do it
goAML is the UAE Financial Intelligence Unit's (FIU's) platform for submitting Suspicious Activity Reports (SARs) and Cash Transaction Reports (CTRs). All UAE DNFBPs must register on the goAML portal.
Registration involves: creating an account on the UAE FIU goAML portal, submitting your institution details and compliance officer information, and receiving confirmation of registration. This is a mandatory prerequisite — businesses that have not registered are non-compliant and face immediate penalty exposure if inspected.
What a UAE AML compliance programme must contain
A UAE-compliant AML programme covers five core elements: (1) a documented AML/CFT risk assessment covering your client base, products, services, and geographic exposure; (2) written AML policies and procedures, including customer acceptance policy, CDD and EDD procedures, and SAR decision-making process; (3) a nominated MLRO/Compliance Officer; (4) staff AML training; and (5) an independent audit or review of the programme's effectiveness.
The risk assessment must be updated whenever there is a material change to the business or regulatory environment — not just done once and filed away.
What happens during a UAE AML inspection?
AML inspections are conducted by the supervisory authority relevant to your business type — for most DNFBPs, this is the Ministry of Economy's AML department. Inspectors review your risk assessment, customer files, AML policies, training records, SAR filing history, and compliance officer qualifications.
A first inspection finding of non-compliance typically results in a remediation plan and a follow-up visit. Serious or repeat non-compliance can result in fines up to AED 5 million, business suspension, and referral for criminal prosecution. The inspection environment has become significantly less forgiving since 2022.
What to do if you're not yet compliant
If your business falls within the DNFBP definition and you do not yet have a compliant AML programme, the priority order is: (1) register on goAML immediately, (2) conduct a risk assessment, (3) implement written policies and CDD procedures, (4) appoint or designate a Compliance Officer, and (5) train your team.
The good news is that a well-run AML remediation programme can be implemented in 4–6 weeks. The risk of waiting significantly outweighs the cost and effort of becoming compliant now.
Share this article
Need personalised advice?
Book a free 30-minute consultation with Jashvantkumar Prajapati — 21+ years in UAE business advisory.
Book a Free Consultation