How to Build an AML Compliance Framework for a Small Firm in the UAE

Apex FinConsultants Team
Financial Expert
Building an AML compliance framework may sound like something only banks and large financial institutions need to worry about. But if your small firm falls within the scope of the UAE’s AML law — whether as a financial institution, DNFBP, or virtual asset service provider — you are legally required to have one. The good news is that an effective AML framework for a small firm does not need to be complex or expensive. It needs to be proportionate, practical, and well-documented.
Who Needs an AML Framework?
You need to build an AML compliance framework if your business is:
- An exchange house or money service business
- A real estate brokerage or agency
- A dealer in precious metals or stones
- An accounting or auditing firm
- A corporate service provider (company formation, registered agent services)
- A law firm or notary public
- A finance or lending company
- A virtual asset service provider (VASP)
If you are unsure whether AML applies to your business, err on the side of caution and build a framework. The penalties for not having one are far more costly than the effort required to create it.
Step 1: Conduct a Business Risk Assessment
The foundation of any AML framework is a risk assessment. This document identifies and evaluates the money laundering and terrorism financing risks specific to your business.
What to Assess
- Customer risk: Who are your typical customers? Do you deal with high-risk categories such as PEPs (Politically Exposed Persons), non-resident customers, or customers from high-risk jurisdictions?
- Product/service risk: Which of your products or services are more vulnerable to misuse? For example, corporate formation services are higher risk than standard accounting services.
- Geographic risk: Do you operate in or have customers from jurisdictions identified as high risk by the FATF or the UAE’s National Risk Assessment?
- Delivery channel risk: How do customers access your services? Non-face-to-face relationships carry higher risk.
- Transaction risk: Do your customers make large cash transactions or complex wire transfers?
How to Document It
Your risk assessment should be a written document (it can be as simple as a spreadsheet or a Word document) that:
- Lists each risk category
- Rates the risk level (low, medium, high)
- Describes the mitigating controls you have in place
- Is reviewed and updated at least annually
Step 2: Write Your AML Policies and Procedures
Based on your risk assessment, create a written AML policy document. For a small firm, this does not need to be a 100-page manual. A clear, concise document of 15-30 pages that covers the following is sufficient:
Customer Due Diligence (CDD)
- How you identify and verify customers (ID documents, proof of address)
- How you identify beneficial owners
- When Enhanced Due Diligence (EDD) is required
- When you will decline a business relationship
Ongoing Monitoring
- How you monitor transactions for unusual or suspicious activity
- The frequency and method of reviewing customer relationships
- Triggers that require additional investigation
Suspicious Transaction Reporting
- What constitutes a suspicious transaction
- The process for escalating and reporting through the goAML platform
- Who is responsible for filing STRs
- The prohibition on tipping off
Record Keeping
- What records to maintain (CDD records, transaction records, correspondence)
- How long to retain them (minimum five years)
- How records are stored securely
Sanctions Screening
- How you screen customers and transactions against UAE and international sanctions lists
- The frequency of screening (at onboarding and on an ongoing basis)
- What to do if a match is identified
Step 3: Appoint a Compliance Officer
Every entity subject to AML must appoint a Compliance Officer at the management level. For a small firm, this is often the owner, a partner, or a senior manager. The compliance officer should:
- Have sufficient authority and resources to perform the role
- Have knowledge of AML requirements and risks
- Be the point of contact for regulatory authorities
- Be responsible for filing STRs
- Oversee the implementation of the AML programme
For very small firms, the compliance officer role can be combined with other management responsibilities, but the person must still have the time and knowledge to fulfil the role effectively.
Step 4: Train Your Staff
All employees must receive AML training that is relevant to their role. For a small firm, this can be:
- Initial training: When an employee joins the firm, covering the basics of AML, the firm’s policies, and how to identify and report suspicious activity.
- Annual refresher: At least once a year, updating staff on any regulatory changes and reinforcing key AML concepts.
Training should be documented, with records of who attended, what was covered, and when. Training does not need to be expensive — internal presentations, online courses, or even guided reading of the firm’s AML manual can be effective for a small team.
Step 5: Implement Screening and Monitoring
For a small firm, sophisticated software is not always necessary. Practical approaches include:
Sanctions Screening
- Use free or low-cost sanctions screening tools available online to check customer names against sanctions lists.
- Screen at the start of every new customer relationship and periodically thereafter.
- Document all screening checks and results.
Transaction Monitoring
- For firms with low transaction volumes, manual review of transactions can be effective.
- Set clear thresholds and red flags (e.g., transactions above AED 55,000 for precious metals dealers).
- Review transaction patterns for anomalies (e.g., sudden spikes in activity, round-amount transfers).
Step 6: Establish an Independent Audit Function
The AML regulations require an independent audit of your AML programme. For a small firm, this does not need to be a full external audit every year. Options include:
- Engaging an external consultant to review your AML programme annually.
- Having a qualified person within the firm (other than the compliance officer) conduct an internal review.
- Rotating the review responsibility between senior staff members.
The key is that the review is conducted by someone who was not directly responsible for implementing the programme, ensuring an objective assessment.
Step 7: Keep Everything Updated
An AML framework is not a one-time project. It requires ongoing maintenance:
- Update your risk assessment annually or when significant changes occur (new products, new customer types, regulatory changes).
- Review and update your policies and procedures to reflect any changes in the law or regulations.
- Maintain training records and schedule regular refreshers.
- Monitor regulatory guidance and enforcement actions for lessons learned.
Budget Considerations for Small Firms
Building an AML framework does not need to be expensive:
- Risk assessment: Can be done in-house with a simple spreadsheet.
- Policies and procedures: A senior team member or a consultant can draft these in a few days.
- Training: Internal training sessions or affordable online courses.
- Screening tools: Free or low-cost online sanctions lists and screening tools.
- Annual review: A day or two of consultant time, or internal self-assessment.
The total cost for a small firm to build and maintain a basic AML framework is typically a fraction of the cost of a single penalty for non-compliance.
Conclusion
An AML compliance framework for a small UAE firm does not need to be complex, but it does need to be genuine, well-documented, and proportionate to your risks. By following these seven steps, you can build a framework that satisfies regulatory requirements, protects your business from financial crime risks, and demonstrates to your supervisory authority that you take your obligations seriously.