AML-CFT Framework for Business in UAE: An Implementation Guide

The UAE expects every regulated business to run a working AML-CFT framework that prevents money-laundering and terrorism-financing, not a paper policy. 

The legal base comes from Federal Decree-Law No. 20 of 2018 and its Implementing Regulations. On top of this, the Central Bank issues rules for financial firms, the Ministry of Economy guides DNFBPs, and the UAE Financial Intelligence Unit adds instructions through the goAML reporting platform.

What The Law And Regulators Expect

Primary law and rules. 

Decree Law No. 20 of 2018 sets core offences and obligations. Cabinet Decision No. 10 of 2019 provides the Implementing Regulations. This includes customer due diligence (CDD) and suspicious-activity reporting.

Who regulates you.

• Financial institutions: supervised by the Central Bank of the UAE. It issues detailed AML-CFT guidance and expectations.
• DNFBPs (auditors, dealers in precious metals and stones, real-estate brokers, company service providers, lawyers): supervised by the Ministry of Economy, with sector notices, templates, and inspection criteria. 

Reporting channel. 

Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and related filings go through goAML, the FIU’s secure portal. Registration, SRA submission for DNFBPs, and reporting are mandatory. 

Sanctions and screening. 

UAE Targeted Financial Sanctions (TFS) lists and guidance are maintained by the Executive Office for Control and Non-Proliferation and circulated through official channels. Firms must screen customers and transactions and act on notices without delay. 

Build AML-CFT Program In Eight Practical Steps

• Risk Assessment. Identify inherent risks by customer type and product and delivery channel and geography. Describe controls that reduce those risks. Record the remaining risk after controls. Regulators will ask for this file first.
• Policies And Procedures. Write an AML CFT policy and a procedures manual that links the Decree Law and the Cabinet Decision to daily work. This may include onboarding and screening, monitoring, reporting, training and record keeping.
• Customer Due Diligence. Define standard CDD and enhanced due diligence for higher risk cases and clear triggers for ongoing checks. Link UBO verification to reliable independent sources.
• goAML Setup. Register the entity and relevant users on goAML, complete the SRA where applicable, and test submission flows.
• Screening And TFS Compliance. Screen customers, owners, and transactions against the UAE TFS lists at onboarding and regularly; maintain evidence of hits, escalations, and actions taken on Executive Office notices. 
• Transaction Monitoring. Define scenarios and thresholds aligned to the risk assessment. Keep alert rationale, investigations, and closure notes.
• Training. Run onboarding and annual refreshers tailored to roles; keep attendance logs and test scores. 
• Independent Testing. Schedule periodic reviews of the AML-CFT framework and fix gaps with dated action plans. 

Customer Due Diligence That Stands Up In Reviews

CDD must verify identity, understand purpose and nature of the business relationship, and identify and verify the ultimate beneficial owner. Collecting more evidence and approving the relationship at a senior level is a must for higher-risk customers. 

Keep copies of passports or Emirates IDs, licences, corporate documents, UBO charts, and source-of-funds checks. These expectations flow directly from the Implementing Regulations and regulator guidance.

Targeted Financial Sanctions And Screening Discipline

Screening is not a one-time task. Subscribe to Executive Office updates and run event-driven and periodic rescreening. While hitting a match, freeze without delay where required, file the prescribed notifications, and document the decision trail. Central Bank and Executive Office pages outline the operational steps and reporting templates. 

• Link screening tools to onboarding, payment release and periodic KYC review so sanctions checks do not sit in a separate silo.
• Keep a log of all true hits and false positives with reasons, so future decisions follow the same standard.
• Align sanctions procedures with goAML reporting and internal escalation rules, so TFS cases and STRs are handled in a consistent way.

Reporting Through goAML

Registering and using goAML correctly is part of compliance. Train staff to identify red flags and escalate to the MLRO. File STRs/SARs with full narratives and attach supporting documents. Meeting the timelines is mandatory. DNFBPs must also submit or update their Sector Risk Assessment (SRA) when directed. The FIU portal provides the registration, SRA, and reporting modules. 

The FIU portal provides the registration, SRA and reporting modules, as required under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism.

Record-Keeping One Can Prove

Keep CDD, transaction, screening, monitoring, STR/SAR, training, and audit records for the minimum periods required by the Implementing Regulations. Make sure files are retrievable by customer and by date. A clean archive helps respond to inspection notices without delay. Clear evidence of records and retrieval steps also reassures regulators that AML work is taken seriously.

What To Put In the AML/CFT Manual And Registers

The AML/CFT manual should explain:

• Who is responsible
• How customers are checked
• When risk ratings are updated
• How transactions are monitored
• How suspicions are reported

Registers should record high-risk customers, PEPs, staff training, internal alerts, goAML reports, and any decisions made by senior management. Keeping both the manual and registers clear, dated and easy to read helps inspection teams see real work and keeps regulators confident in the framework.

Inspections, Penalties, And Practical Discipline

Supervisors can review:

• Risk assessment
• Policy pack
• Evidence of screening and monitoring
• Reporting history

Penalties apply for failures. Banks and DNFBPs have been sanctioned where controls were weak. Staying inspection-ready means closing the loop on findings and keeping dated proof of remediation. 

Final Advice

Treat the AML-CFT framework for business in UAE as a live control system. Keep risk assessment, TFS screening, monitoring and goAML reporting moving together. 

Archive evidence so any reviewer can follow the steps without extra questions. Where hands-on help is needed to write the AML/CFT manual, set up goAML users or run the first round of training and testing. 

Need professional assistance? Visit Arnifi, the leading accounting and bookkeeping service provider in UAE. We’ve helped numerous businesses in the UAE with the AML-CFT framework setup.

FAQs

What is an AML-CFT Framework for Business in UAE?

 It is a set of policies and controls that prevent money laundering and terrorism financing and align with UAE AML regulations.

How does the Anti money laundering Law work in UAE?

 It defines offences and duties, and Executive Regulations explain detailed AML/CFT UAE requirements for risk assessment and reporting in practice.

What should an AML/CFT policy and procedures manual UAE contain?

 It describes roles, risk assessment steps, customer checks and reporting rules in clear language linked directly to UAE AML regulations.

Which firms fall under AML-CFT Framework for Business in UAE rules?

Finance companies and DNFBPs like real estate brokers and dealers in precious metals fall under AML/CFT UAE supervision.

How often should AML/CFT UAE programs be reviewed?

 Regulators expect an annual review and extra updates after major changes in customer types or products so controls continue matching current risks.