
UAE KYC requirements | Identification, Due Diligence, and Ongoing Monitoring

by Yamini Rajasekar Feb 19, 2026 8 MIN READ


If you are operating a business in the UAE today, you have likely noticed a sharp shift in tone from your banks and regulators. The days when “Know Your Customer” (KYC) was a simple onboarding checklist (collect a passport and trade license, then move on) are effectively over.

With the enactment of Federal Decree-Law No. (10) of 2025, the UAE has fundamentally rewritten the rules of engagement. Under this law, KYC is not optional; it is a statutory requirement with criminal implications. For corporate service providers (CSPs), fintechs, Designated Non-Financial Businesses and Professions (DNFBPs), and financial institutions, KYC is not just a department; it is the license to operate.

This guide breaks down exactly what the new laws demand and how to treat KYC in UAE as a continuous risk-management cycle rather than a one-time hurdle.

The regulatory framework governing KYC has tightened significantly over the last 18 months. The “check-box” approach is now a liability.

The cornerstone of the current regime is Federal Decree-Law No. (10) of 2025 on Combating Money Laundering and the Financing of Terrorism and Proliferation. This law replaced the 2018 statute and introduced a critical legal standard: the “Objective Test.” Previously, prosecutors often had to prove a firm knew funds were illicit. Under the 2025 law, you can be liable if you are aware based on the circumstances. This shifts the burden of proof squarely onto your KYC files.

Supporting this law is Cabinet Decision No. (134) of 2025, which details the operational requirements for Customer Due Diligence (CDD), and Cabinet Decision No. (109) of 2023, which regulates the Beneficial Owner (UBO) procedures – a specific focus area for the Ministry of Economy.

Enforcement is aggressive and segmented by sector. The CBUAE supervises banks, exchange houses, and payment service providers. The Ministry of Economy (MOE) is the primary regulator for DNFBPs (Designated Non-Financial Businesses and Professions), including real estate agents, CSPs, and auditors. Meanwhile, the DFSA & FSRA regulate firms inside the DIFC and ADGM financial free zones.

The cost of failure is no longer just a slap on the wrist. Fines for legal entities now reach up to AED 100 million for systemic failures. More critically, senior management and directors can face personal criminal prosecution if their negligence facilitates financial crime. Beyond the courts, the “naming and shaming” policy means your company’s name could be published on regulatory blacklists, effectively ending your banking relationships.

Stage 1: Customer Identification (CID)

This is the data-gathering phase. You cannot manage risk if you don’t know who you are dealing with.

For individuals, this is straightforward: a valid passport and Emirates ID (for residents). For corporate customers, it gets complex. You are legally required to “unmask” the entity. This means obtaining the Trade License, Memorandum of Association (MOA), and a Register of Directors.

The real challenge lies with the Ultimate Beneficial Owner (UBO). Under Cabinet Decision No. (109) of 2023, you must identify the natural person who owns or controls 25% or more of the entity. A common mistake we see is accepting a holding company as the UBO. A UBO must be a human being. If a company is owned by another company, you must keep drilling up the chain until you find the human at the top.
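The drill-up described above, as an added example (not code from the article or from Arnifi): a Python sketch that walks a constructed ownership register until it reaches natural persons and reports anyone at or above the 25% threshold, plus any chain that dead-ends in a company. It assumes indirect holdings are calculated by multiplying percentages along each chain and summing across chains, which the article does not specify; control by means other than shareholding is not modelled, and all entity names and the function `resolve_ubos` are hypothetical.

```python
from collections import defaultdict
from fractions import Fraction

UBO_THRESHOLD = Fraction(25, 100)  # "25% or more", as stated in the article

# Constructed sample register: entity -> [(owner, percent of shares held)]
OWNERSHIP = {
    "Target LLC": [("HoldCo BVI", 60), ("Person A", 40)],
    "HoldCo BVI": [("Person B", 30), ("TopCo Cayman", 70)],
    "TopCo Cayman": [("Person C", 100)],
}
NATURAL_PERSONS = {"Person A", "Person B", "Person C"}


def resolve_ubos(target, ownership, persons, threshold=UBO_THRESHOLD):
    """Return (ubos, unresolved).

    ubos: natural persons whose effective holding in `target` meets the
          threshold, mapped to that holding as a percentage.
    unresolved: companies where the chain stops without reaching a human
                (no recorded owners, or a circular holding). These files
                cannot be closed until the missing layer is documented.
    """
    effective = defaultdict(Fraction)
    unresolved = set()

    def walk(entity, share, path):
        for owner, pct in ownership.get(entity, []):
            held = share * Fraction(pct, 100)  # assumption: multiply down the chain
            if owner in persons:
                effective[owner] += held       # sum across parallel chains
            elif owner in path or owner not in ownership:
                unresolved.add(owner)          # cycle or undocumented company
            else:
                walk(owner, held, path | {owner})

    walk(target, Fraction(1), {target})
    ubos = {p: float(s * 100) for p, s in effective.items() if s >= threshold}
    return ubos, unresolved


if __name__ == "__main__":
    ubos, gaps = resolve_ubos("Target LLC", OWNERSHIP, NATURAL_PERSONS)
    print("UBOs:", ubos)          # Person A and Person C; Person B holds 18%
    print("Unresolved:", gaps)    # empty: every chain ends in a human
```

A holding company never appears in `ubos`: it is either walked through or reported in `unresolved`.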

Stage 2: Customer Due Diligence (CDD)

If CID is asking “Who are you?”, CDD is asking “Do I trust you?” This is where the risk-based approach (RBA) kicks in.

Standard CDD applies to low-to-medium risk clients. You verify their identity and understand the nature of their business. However, Enhanced Due Diligence (EDD) is mandatory for high-risk customers. This includes Politically Exposed Persons (PEPs), clients from certain jurisdictions (the FATF “Grey List”), or complex structures with no clear commercial reason.

A major friction point we see at Arnifi involves distinguishing between Source of Funds (SoF) and Source of Wealth (SoW). SoF asks where the money for this specific transaction came from (e.g., “Salary transfer from X Company”). SoW asks how the client acquired their total net worth (e.g., “Inheritance from father in 2010” + “Sale of Google stocks in 2022”). Regulators expect firms to verify SoW with documents like title deeds or sale agreements for high-risk clients, rather than relying on self-declarations.

Simplified Due Diligence is only permitted for strictly low-risk entities, such as government bodies or public companies listed on a reputable stock exchange where disclosure requirements are already high.

Stage 3: Ongoing Monitoring

  • The 2025 law emphasizes that risk is dynamic. A low-risk client today could be sanctioned tomorrow.
  • Transaction Monitoring looks for anomalies. If a client registered as a “Marketing Consultancy” suddenly receives $500,000 from a “Scrap Metal Trader,” that’s a red flag. Relationship Monitoring involves regularly reviewing the client’s file to see if their UBO has changed or if they have expanded into high-risk jurisdictions.
  • You cannot wait for the annual review if a “trigger event” occurs. These include a sudden change in the UBO structure, adverse media reports (e.g., the client is named in a fraud investigation), or a material change in the volume or value of transactions.

Record-Keeping and Audit Readiness

  • When the Ministry of Economy inspectors arrive, they don’t ask what you did; they ask what you can prove.
  • You must legally retain all KYC records, transaction logs, and correspondence for a minimum of five years from the date the business relationship ended. It is not enough to store the documents. You need a log showing who approved the client, when the risk assessment was done, and why a specific decision was made.

Practical Challenges in KYC Implementation

  • We know this isn’t easy. In our work at Arnifi, we navigate these hurdles daily. False Positives are common; screening tools often flag common names (like “Mohammed Ahmed”) against sanctions lists, requiring a human process to rule these out quickly. Transliteration issues also arise, where a name spelled “Mohamed” on a passport might be “Muhamad” on a bank statement.
  • Complex structures present another difficulty. Clients with offshore entities (BVI, Cayman) often struggle to provide legalized documents. However, under the new law, “it’s too difficult” is not a valid defense.

Best Practices for a Defensible KYC Framework

  • First, don’t copy-paste policies. Your AML policy must reflect your actual business. If you are a real estate broker, your risk assessment should focus on cash transactions and third-party payments, not trade finance.
  • Second, training is key. Your sales team is your first line of defense. They need to know that tipping off a client (“The compliance team is asking questions because they think you are suspicious”) is a criminal offense.
  • Finally, use tech wisely. Utilize e-KYC platforms for identity verification, but never let the software make the final decision on a high-risk client. That requires human judgment.

FAQs

  • Is KYC a one-time requirement or an ongoing legal obligation in the UAE? It is ongoing. Federal Decree-Law No. (10) of 2025 mandates continuous monitoring. You must update records periodically or when a trigger event occurs.
  • When is Enhanced Due Diligence (EDD) mandatory under UAE KYC regulations? EDD is mandatory for Politically Exposed Persons (PEPs), clients from high-risk countries, and transactions involving complex/unusual structures or high-value amounts with no clear economic purpose.
  • How often must KYC records be reviewed and updated under UAE law? Typically: High-Risk (Annually), Medium-Risk (Every 2 years), Low-Risk (Every 3 years). However, this depends on your internal risk policy.
  • What are the record-keeping obligations for KYC documents in the UAE? Records must be kept for 5 years after the relationship ends. This includes ID copies, risk assessments, and transaction logs.
  • How does ongoing monitoring differ from transaction monitoring? Transaction monitoring looks at financial flows (money movement), while ongoing monitoring looks at the customer profile (changes in ownership, behavior, or legal status).
  • Which UAE authorities supervise and enforce KYC compliance? The CBUAE (for financial firms), Ministry of Economy (for DNFBPs like CSPs and real estate), and the Ministry of Justice (for lawyers).
  • What penalties can businesses face for failing to comply with statutory KYC requirements? Fines up to AED 100 million for entities, license revocation, and potential imprisonment for directors under the 2025 AML Law.

Conclusion

  • Treating KYC as a lifecycle protects more than just the financial system – it protects your business from being the “weakest link” that criminals exploit. In the current UAE regulatory climate, the cost of proactive control is a fraction of the cost of reactive damage control.
  • At Arnifi, we understand that balancing compliance with business efficiency is a challenge. But remember: in the eyes of the regulator, a clean KYC file is your best insurance policy.
