Key Stages of AML: Risk Assessment, Monitoring, and Reporting in the UAE

AML compliance is not a single action but a continuous cycle of assessing risk, monitoring activity, and reporting suspicious behaviour. Understanding how these stages connect and flow into each other is essential for building an effective AML programme. This guide walks through each stage with practical examples from the UAE context.

Stage 1: Risk Assessment

The risk assessment is the starting point of the AML cycle. Before you can monitor or report anything, you need to understand what risks your business faces.

Business-Level Risk Assessment

This is a comprehensive assessment of your entire business. It evaluates:

• Your customer base: Who are your typical customers? What percentage are high-risk (PEPs, non-residents, complex structures)?
• Your products and services: Which of your offerings are more vulnerable to misuse?
• Your geographic exposure: Which countries are involved in your transactions?
• Your delivery channels: How do customers access your services?

UAE Example: A Dubai-based real estate brokerage conducting its risk assessment identifies that 40% of its buyers are non-resident, 15% are from high-risk jurisdictions, and most transactions are conducted remotely. The firm rates its overall risk as high and implements enhanced controls accordingly.

Customer-Level Risk Assessment

Each individual customer should be assessed for risk when the relationship begins and reassessed periodically.

UAE Example: A corporate service provider in RAKEZ onboards a new client — a BVI-registered company whose beneficial owner is a national of a FATF grey-listed country. The company is requesting formation of three UAE entities. The provider rates this customer as high risk and applies EDD, including verification of the source of funds and the business rationale for the UAE entities.

Stage 2: Customer Due Diligence (CDD)

Based on the risk assessment, you implement the appropriate level of due diligence for each customer.

Standard CDD

For low and medium-risk customers:

• Verify identity (passport, Emirates ID, trade licence)
• Identify beneficial owners
• Understand the purpose of the relationship
• Determine the source of funds

UAE Example: An accounting firm in Abu Dhabi onboards a new client — a UAE-registered LLC owned by two UAE nationals. The firm collects copies of the partners’ Emirates IDs, the company’s trade licence, and its memorandum of association. The client’s annual turnover is AED 3 million from standard trading activities. The firm rates the client as low risk and applies standard CDD.

Enhanced Due Diligence (EDD)

For high-risk customers, additional measures are required:

• Senior management approval for the relationship
• Enhanced source of funds and source of wealth verification
• More detailed understanding of the business relationship
• More frequent monitoring

UAE Example: A precious metals dealer in the DMCC receives an order from a new customer who is a PEP from a neighbouring country. The order is for gold bars worth AED 2 million. The dealer applies EDD: obtains senior management approval, verifies the customer’s source of wealth through bank statements and employment records, and sets up quarterly review of the relationship.

Stage 3: Ongoing Monitoring

CDD is not a one-time exercise. Once a relationship is established, you must continuously monitor it for changes and suspicious activity.

Transaction Monitoring

Review transactions to identify patterns that may indicate money laundering:

• Transactions that are inconsistent with the customer’s known profile
• Large cash transactions (especially near reporting thresholds)
• Rapid movement of funds through accounts
• Transactions with no apparent business purpose
• Transactions involving high-risk jurisdictions

UAE Example: A money exchange house in Sharjah notices that a customer who typically sends AED 5,000 per month to his family in Pakistan has suddenly started sending AED 45,000 per week to multiple recipients in different countries. The transaction pattern is inconsistent with the customer’s stated purpose and income. The compliance officer flags this for investigation.

Relationship Monitoring

Periodically review the overall customer relationship:

• Has the customer’s business changed?
• Has the ownership structure changed?
• Is the customer’s activity consistent with the information provided at onboarding?
• Have any new risk factors emerged (e.g., the customer’s country has been added to a sanctions list)?

UAE Example: A law firm in DIFC conducts its annual review of a client — a holding company that was rated low risk at onboarding. During the review, the firm discovers that the holding company has acquired a subsidiary in a country that was recently added to the FATF grey list. The firm upgrades the client’s risk rating to medium and applies additional monitoring.

Stage 4: Investigation and Escalation

When monitoring identifies unusual activity, the next step is investigation.

Initial Investigation

• Gather all relevant information about the flagged activity
• Review the customer’s profile, transaction history, and CDD records
• Determine if there is a legitimate explanation for the activity
• Document the investigation and findings

Escalation to Compliance Officer

If the initial investigation does not resolve the concern, escalate to the compliance officer for a decision on whether to file an STR.

UAE Example: An auditor in Dubai discovers during a client engagement that a trading company has been issuing invoices to related parties at prices significantly above market rates. The junior auditor reports this to the senior partner, who escalates to the firm’s compliance officer. The compliance officer reviews the information and determines that this may indicate trade-based money laundering.

Stage 5: Suspicious Transaction Reporting

If the investigation confirms that a transaction or activity is suspicious, you must file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit (FIU).

Filing Process

1. Prepare the STR: Include all relevant details — the customer’s identity, the nature of the suspicion, the transactions involved, and any supporting documentation.
2. File through goAML: The UAE FIU uses the goAML platform for receiving STRs electronically.
3. File promptly: Do not delay. The STR should be filed as soon as the decision to report is made.
4. Do not tip off: Never inform the customer or any other person that an STR has been filed.
5. Continue the relationship: Unless instructed otherwise by the FIU, continue the business relationship but with enhanced monitoring.

What Happens After Filing

The FIU reviews the STR and may:

• Request additional information from you
• Disseminate the information to law enforcement if warranted
• Instruct you to take specific actions regarding the customer or transaction

You must cooperate fully with any FIU requests.

Stage 6: Record Keeping and Feedback

The final stage of the cycle involves maintaining records and using the experience to improve your programme.

Record Keeping

• All CDD records: minimum five years from end of relationship
• All transaction records: minimum five years from date of transaction
• STR records: maintained separately with restricted access
• Investigation files: documented and retained

Feedback Loop

Use the outcomes of your monitoring, investigations, and any regulatory feedback to:

• Update your risk assessment
• Refine your transaction monitoring parameters
• Improve your CDD procedures
• Update your training programme

Conclusion

The AML compliance lifecycle is a continuous process of assessing, monitoring, investigating, and reporting. Each stage builds on the previous one, creating a comprehensive framework that protects your business and the UAE’s financial system from abuse. By understanding how these stages connect and maintaining discipline throughout the cycle, your UAE business can manage its AML obligations effectively and confidently.