What Is AML Law in the UAE and Who Must Comply?

The UAE has built one of the most comprehensive Anti-Money Laundering (AML) frameworks in the Middle East region. Understanding the AML law is not optional for businesses operating in the country — it is a legal obligation that carries serious penalties for non-compliance. This guide explains the UAE’s AML legal framework, identifies who must comply, and outlines the core obligations.

The Legal Framework

The primary legislation governing AML in the UAE is Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations. This law replaced the earlier Federal Law No. 4 of 2002 and brought the UAE’s AML framework in line with international standards set by the Financial Action Task Force (FATF).

Supporting this decree-law are several key pieces of legislation:

• Cabinet Decision No. 10 of 2019: The implementing regulations that detail the procedural requirements for AML compliance.
• Cabinet Decision No. 74 of 2020: Establishes the framework for beneficial ownership requirements.
• Various supervisory authority guidelines: Including those issued by the Central Bank of the UAE, the Securities and Commodities Authority (SCA), and the Insurance Authority.

What Does the AML Law Cover?

The law criminalises money laundering and the financing of terrorism, and establishes requirements for:

• Customer Due Diligence (CDD): Verifying the identity of customers and beneficial owners before establishing business relationships.
• Ongoing monitoring: Continuously monitoring transactions and business relationships for suspicious activity.
• Record keeping: Maintaining all CDD records and transaction records for a minimum of five years after the relationship ends or the transaction is completed.
• Suspicious Transaction Reporting (STR): Reporting any suspicious transactions to the UAE Financial Intelligence Unit (FIU) through the goAML platform.
• Sanctions screening: Screening customers and transactions against UAE and international sanctions lists.

Who Must Comply with AML Law?

The UAE’s AML law applies to two broad categories of entities:

1. Financial Institutions (FIs)

These include:

• Banks and financial institutions licensed by the Central Bank
• Exchange houses and money service businesses
• Insurance companies and insurance brokers
• Securities and commodities firms licensed by the SCA
• Finance companies
• Payment service providers
• Stored value facilities
• Licensed financial free zone entities (DIFC and ADGM)

2. Designated Non-Financial Businesses and Professions (DNFBPs)

These include:

• Real estate agents and brokers when involved in transactions for clients
• Dealers in precious metals and stones when conducting transactions above AED 55,000
• Auditors and accountants when providing certain services
• Corporate service providers (company formation agents, registered agents, trust service providers)
• Lawyers and notaries when preparing or carrying out certain financial transactions for clients

3. Virtual Asset Service Providers (VASPs)

Since 2022, the UAE has extended AML requirements to Virtual Asset Service Providers, reflecting the growing importance of cryptocurrency and digital assets. VASPs operating in the UAE must register with the relevant authority and comply with the full suite of AML obligations.

Key AML Obligations

Risk Assessment

Every covered entity must conduct an institutional risk assessment that identifies and evaluates the money laundering and terrorism financing risks specific to its business. This assessment should consider the types of customers served, the products and services offered, the geographic areas of operation, and the delivery channels used.

AML Compliance Programme

Entities must establish and maintain a written AML/CFT compliance programme that includes:

• Internal policies, procedures, and controls
• An appointed compliance officer at the management level
• An independent audit function
• Screening procedures for hiring employees
• An ongoing training programme

Customer Due Diligence

CDD must be performed when:

• Establishing a new business relationship
• Carrying out occasional transactions above the prescribed threshold
• There is suspicion of money laundering or terrorism financing
• There are doubts about previously obtained identification data

Enhanced Due Diligence (EDD)

Higher-risk situations require enhanced measures, including:

• Politically Exposed Persons (PEPs)
• Correspondent banking relationships
• Non-face-to-face business relationships
• Customers from high-risk jurisdictions
• Complex or unusually large transactions

Penalties for Non-Compliance

The penalties under the UAE’s AML law are severe:

• Institutions: Fines of up to AED 5 million for failure to comply with AML obligations.
• Individuals: Persons convicted of money laundering face imprisonment of up to 10 years and fines of up to AED 5 million.
• Terrorism financing: Even more severe penalties, including life imprisonment in certain cases.
• Administrative sanctions: Supervisory authorities can impose warnings, restrictions on activities, removal of board members, and licence revocation.

Conclusion

The UAE’s AML law creates a comprehensive framework that affects a wide range of businesses beyond just banks and financial institutions. If your business falls into any of the categories described above, you have a legal obligation to implement AML procedures and maintain ongoing compliance. The consequences of ignoring these requirements — from heavy fines to criminal prosecution — make it essential to take AML compliance seriously from day one.