Book Free Session

AML Compliance in UAE: The Complete Guide for Business Owners (2026)

AML Compliance in UAE: The Complete Guide for Business Owners (2026)

Last year, a trading company in Deira got hit with a AED 1.2 million fine. Not for fraud. Not for tax evasion. For failing to file a single Suspicious Transaction Report.

The owner had no idea he was even required to. He thought AML compliance was something banks worried about — not a company that sold industrial equipment. He was wrong, and it cost him everything short of his trade licence.

Here’s the reality: AML compliance in UAE isn’t optional for “certain industries” anymore. The UAE’s aggressive push to exit the FATF grey list (which it achieved in early 2024) has transformed Anti-Money Laundering from a banking concern into an obligation that touches almost every business in the country.

If you’re a business owner in the UAE and you haven’t reviewed your AML obligations recently, this guide is your wake-up call. We’re going to walk through everything — what AML is, who must comply, how to register on goAML, what KYC really means in practice, and exactly how much you’ll pay if you get it wrong.

At Volta Edge, we’ve helped hundreds of businesses across Dubai, Abu Dhabi, and Sharjah build AML compliance programs from scratch. This is the guide we wish every business owner had on Day 1.

What is AML (Anti-Money Laundering)?

Anti-Money Laundering — AML — is a set of laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. Learn more about ICV Certification.

Money laundering typically follows three stages:

  1. Placement: Introducing dirty money into the financial system (e.g., depositing cash from illegal activities)
  2. Layering: Moving money through complex transactions to obscure its origin (e.g., transferring between multiple accounts or companies)
  3. Integration: Re-introducing the “cleaned” money into the legitimate economy (e.g., buying real estate, investing in businesses)

The UAE’s position as a global trade hub, with its large cash economy, free zones, and international banking system, makes it particularly attractive for money laundering. That’s precisely why the government has spent the last several years building one of the most comprehensive AML frameworks in the region.

Why AML Matters for Your Business

You might think: “I’m not laundering money, so why should I care?”

Because AML compliance isn’t about your intentions. It’s about ensuring your business isn’t used — knowingly or unknowingly — as a vehicle for someone else’s financial crime. A real estate agency that doesn’t verify where a buyer’s funds come from. A gold trader who accepts large cash payments without documentation. An accounting firm that doesn’t screen clients against sanctions lists.

All of these are AML failures, and all carry serious penalties. Learn more about VAT Fines.

UAE AML Laws and Regulatory Framework

The UAE’s AML framework is built on several key pieces of legislation:

Federal Decree-Law No. 20 of 2018

This is the primary AML law — officially titled “On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations.” It replaced the earlier 2014 law and brought the UAE in line with Financial Action Task Force (FATF) standards.

Key provisions include:

  • Definition of money laundering offences and predicate crimes
  • Requirements for financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs)
  • Establishment of the Financial Intelligence Unit (FIU)
  • Framework for international cooperation
  • Penalty structure for violations

Cabinet Decision No. 10 of 2019

The implementing regulation that provides the operational detail — how to conduct Customer Due Diligence, what records to keep, how to report suspicious transactions, and the specific obligations for different types of businesses.

Cabinet Decision No. 74 of 2020

Regulates Beneficial Ownership, requiring companies to identify and disclose their Ultimate Beneficial Owners (UBOs) to relevant authorities. This was a critical step in the UAE’s transparency push.

Other Relevant Regulations

  • CBUAE guidelines for banks and financial institutions
  • SCA regulations for securities and commodities
  • DFSA and FSRA rules for DIFC and ADGM respectively
  • Ministry of Economy directives for DNFBPs
  • Various free zone authority regulations

The regulatory landscape is multi-layered, and your specific obligations depend on your business type, location, and licensing authority. This is exactly why working with a professional advisory firm is critical.

Who Must Comply with AML in the UAE?

This is where most business owners get it wrong. AML compliance isn’t just for banks.

Financial Institutions

  • Banks and finance companies
  • Insurance companies and brokers
  • Exchange houses and money service businesses
  • Securities brokers and investment firms
  • Payment service providers
  • Digital asset service providers (VASPs)

Designated Non-Financial Businesses and Professions (DNFBPs)

This is the category most people miss. DNFBPs include:

Business Type Supervising Authority Key AML Trigger
Real estate agents and brokers Ministry of Economy / RERA Any property transaction
Dealers in precious metals and stones Ministry of Economy Cash transactions ≥ AED 55,000
Auditors and accountants Ministry of Economy Preparing/conducting financial transactions for clients
Lawyers and notaries Ministry of Justice Real estate, company formation, financial transactions
Trust and company service providers Ministry of Economy All activities
Virtual Asset Service Providers (VASPs) VARA / SCA All crypto-related activities

Important: If you’re an accountant, auditor, real estate agent, gold trader, lawyer, or company formation agent — you have AML obligations. Full stop.

Free Zone Companies

Being in a free zone doesn’t exempt you. DIFC entities follow DFSA rules, ADGM follows FSRA rules, and other free zone entities follow the relevant authority’s AML regulations. In many cases, the Ministry of Economy’s DNFBP requirements apply to free zone companies as well.

The goAML Portal: Registration and Reporting

The goAML portal is the UAE Financial Intelligence Unit’s (FIU) online reporting system. If your business falls under AML obligations, you must register on goAML.

Who Must Register on goAML?

All financial institutions and DNFBPs must register. This includes:

  • All entities licensed by the Central Bank
  • Insurance companies regulated by CBUAE
  • All DNFBPs listed above
  • Free zone entities with AML obligations

How to Register on goAML

  1. Visit the portal: Access goAML through the FIU website (www.uaefiu.gov.ae)
  2. Create an organisation profile: Enter your trade licence details, business type, and licensing authority
  3. Designate a Compliance Officer: Name your AML Compliance Officer and their contact details
  4. Submit supporting documents: Trade licence, Compliance Officer appointment letter, Emirates ID copies
  5. Await approval: The FIU reviews and activates your account (usually 5-10 business days)
  6. Complete training: goAML provides online training modules that your Compliance Officer should complete

goAML Reporting Obligations

Once registered, you must file:

  • Suspicious Transaction Reports (STRs) — when you suspect or have reasonable grounds to suspect that funds are the proceeds of crime or related to terrorism financing
  • Suspicious Activity Reports (SARs) — for suspicious activity that doesn’t involve a completed transaction

Reports must be filed promptly — there’s no specific deadline in days, but unreasonable delays are themselves a violation.

KYC and Customer Due Diligence (CDD) Obligations

Know Your Customer (KYC) is the foundation of AML compliance. It’s not just collecting a passport copy — it’s a systematic process of verifying who your customers are, understanding the nature of their business, and assessing the risk they present.

Standard CDD Requirements

For every customer relationship, you must:

  1. Identify the customer: Collect full name, nationality, date of birth, address, and identification documents (Emirates ID, passport)
  2. Verify identity: Confirm the documents are genuine and the person is who they claim to be
  3. Identify the Beneficial Owner: Determine who ultimately owns or controls the entity (any individual with 25%+ ownership)
  4. Understand the business relationship: What services are they seeking? What’s the expected pattern of transactions?
  5. Ongoing monitoring: Continuously review transactions against the customer’s risk profile

Enhanced Due Diligence (EDD)

For high-risk customers, you need to go further:

  • Politically Exposed Persons (PEPs): Current or former government officials and their family members require EDD, including senior management approval for the relationship
  • High-risk countries: Customers from FATF-identified high-risk jurisdictions require additional scrutiny
  • Complex or unusual transactions: Transactions with no clear economic purpose require investigation
  • Non-face-to-face relationships: Online or remote customers require additional verification

Simplified Due Diligence (SDD)

In limited low-risk scenarios, you may apply simplified measures — but only when the risk assessment genuinely supports it. SDD is the exception, not the rule.

Practical KYC Checklist for UAE Businesses

Document/Information Individual Customers Corporate Customers
Emirates ID / Passport ✅ (for authorised signatories)
Proof of Address
Trade Licence N/A
Memorandum of Association N/A
Beneficial Ownership Declaration N/A
Source of Funds Declaration Risk-based Risk-based
Sanctions Screening
PEP Screening ✅ (owners and directors)

STR and SAR Reporting: What, When, and How

Filing Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) is arguably the most critical AML obligation — and the one that carries the highest penalties for failure.

What Triggers a Report?

You must file when you have suspicion or reasonable grounds to suspect that:

  • Funds are the proceeds of a crime
  • A transaction is related to money laundering
  • A transaction is related to terrorism financing
  • The customer is on a sanctions list

Red Flags to Watch For

  • Transactions inconsistent with the customer’s known profile
  • Unusually large cash transactions
  • Structuring transactions to avoid reporting thresholds
  • Reluctance to provide identification or source of funds information
  • Transactions involving high-risk jurisdictions without clear business purpose
  • Use of shell companies or complex structures without apparent economic rationale
  • Customer acting on behalf of an undisclosed third party
  • Rapid movement of funds in and out without clear purpose

How to File an STR/SAR

  1. Log into the goAML portal
  2. Select “New Report” and choose STR or SAR
  3. Fill in the subject details (customer information)
  4. Describe the suspicious activity in detail — be specific about what raised your suspicion
  5. Attach supporting documents (transaction records, KYC files)
  6. Submit the report

Critical rule: You must never tip off the customer that you’ve filed or are considering filing an STR/SAR. This is known as the “tipping off” offence and carries criminal penalties.

What Happens After You File?

The FIU reviews the report and may:

  • Request additional information from you
  • Refer the matter to law enforcement
  • Issue an order to freeze the account/transaction
  • Close the report with no further action

You must cooperate fully with any FIU requests. Importantly, filing an STR/SAR in good faith provides you with legal protection — you cannot be held liable for any losses resulting from the report.

Need Expert Help?

Volta Edge has helped 200+ UAE businesses stay FTA compliant. Our team handles everything so you can focus on growing your business.

→ Book a Free Consultation

Compliance Officer Requirements

Every entity subject to AML obligations must appoint a Compliance Officer (also called an MLRO — Money Laundering Reporting Officer).

Who Can Be the Compliance Officer?

  • Must be a senior employee with sufficient authority and independence
  • Must have relevant experience in AML/CFT or compliance
  • Must be approved by the entity’s board or senior management
  • Must be resident in the UAE
  • Must have completed AML training

Compliance Officer Responsibilities

  • Developing and maintaining the AML/CFT compliance programme
  • Receiving internal suspicious activity reports from staff
  • Deciding whether to file STRs/SARs with the FIU
  • Acting as the primary contact with the FIU and supervisory authorities
  • Ensuring staff training on AML procedures
  • Conducting periodic reviews and audits of AML controls
  • Maintaining all AML records
  • Reporting to the board/senior management on AML compliance status

Can a Small Business Outsource the Compliance Function?

While the ultimate responsibility always stays with the business, certain aspects of the compliance programme can be outsourced to specialised firms. Many small and medium businesses in the UAE work with firms like Volta Edge to develop their AML framework and provide ongoing compliance support.

However, the designated Compliance Officer must always be an internal appointment — you can’t fully outsource that role.

AML Penalties in UAE: The Complete List

This is where it gets serious. The UAE doesn’t play around with AML violations.

Administrative Penalties (Imposed by Supervisory Authorities)

Violation Penalty Range
Failure to conduct CDD AED 50,000 – AED 5,000,000
Failure to file STR/SAR AED 50,000 – AED 5,000,000
Failure to register on goAML AED 50,000 – AED 1,000,000
Inadequate record keeping AED 50,000 – AED 5,000,000
Failure to appoint Compliance Officer AED 50,000 – AED 1,000,000
Failure to conduct risk assessment AED 50,000 – AED 1,000,000
Inadequate internal controls AED 50,000 – AED 5,000,000
Failure to train staff AED 50,000 – AED 500,000
Tipping off AED 100,000 – AED 5,000,000 + criminal prosecution

Criminal Penalties

For the actual offence of money laundering:

  • Imprisonment: Up to 10 years
  • Fines: AED 100,000 to AED 5,000,000 (or more)
  • Confiscation: Seized assets and proceeds of crime
  • Deportation: For non-UAE nationals
  • Business closure: Permanent or temporary

For terrorism financing offences, penalties are even more severe, including potential life imprisonment.

Real Cases: AML Enforcement in the UAE

The UAE has significantly ramped up enforcement since 2022:

  • In 2023, the UAE imposed over AED 58 million in AML-related fines across financial institutions and DNFBPs
  • Multiple exchange houses had their licences revoked for systemic AML failures
  • Several real estate firms were fined for failing to conduct proper CDD on property buyers
  • A gold trading company was fined AED 2.5 million for failure to maintain adequate transaction records

The message is clear: enforcement is real, active, and growing.

Building Your AML Compliance Program

A proper AML compliance programme has several key components. Here’s what yours needs:

1. Business Risk Assessment

Before anything else, assess your money laundering and terrorism financing risks based on:

  • Customer risk: Who are your customers? Where are they from? What’s their risk profile?
  • Product/service risk: Which of your products/services are more vulnerable to misuse?
  • Geographic risk: Do you deal with high-risk jurisdictions?
  • Delivery channel risk: Face-to-face vs online vs through intermediaries?

2. Written Policies and Procedures

Document everything:

  • CDD procedures for onboarding new customers
  • Ongoing monitoring procedures
  • STR/SAR filing procedures
  • Sanctions screening procedures
  • Record-keeping policies
  • Staff training requirements
  • Escalation procedures for suspicious activity

3. Customer Due Diligence Processes

Implement practical KYC processes that your team can actually follow. The best compliance programme in the world is useless if staff can’t execute it consistently.

4. Transaction Monitoring

Depending on your business size, this could be:

  • Manual review: For smaller businesses, regular review of transactions against customer profiles
  • Automated systems: For larger businesses, software that flags anomalous transactions

5. Staff Training

All relevant staff must receive AML training:

  • At the time of hiring
  • Annually thereafter
  • When there are significant regulatory changes

Training should cover: recognising suspicious activity, internal reporting procedures, regulatory obligations, and consequences of non-compliance.

6. Independent Audit

Your AML programme should be independently reviewed at least annually. This audit checks whether your controls are effective and identifies gaps before the regulator does.

Need help building your compliance programme? Book a session with Volta Edge and we’ll assess your current position and build a roadmap.

Record-Keeping Requirements

UAE AML law requires you to maintain records for a minimum of 5 years from the date of the transaction or the end of the business relationship (whichever is later). Some supervisory authorities require longer periods.

Records you must keep include:

  • All CDD documentation and identification records
  • Transaction records (amount, date, parties, nature of transaction)
  • Correspondence with customers
  • Internal suspicious activity reports
  • STRs/SARs filed with the FIU
  • Risk assessments
  • Training records
  • Compliance audit reports

Records must be sufficient to reconstruct any individual transaction and must be available to supervisory authorities upon request. Using proper accounting software helps maintain organised transaction records that support your AML compliance.

AML Compliance in Free Zones

Free zone companies often assume they operate in a separate regulatory bubble. Not true for AML.

DIFC and ADGM

DIFC entities follow the DFSA’s AML/CFT module, while ADGM entities follow the FSRA’s AML rules. These are comprehensive frameworks that largely mirror — and in some cases exceed — the federal requirements.

Other Free Zones

Companies in DMCC, JAFZA, DAFZA, and other free zones must comply with the federal AML law and the Ministry of Economy’s directives for DNFBPs (where applicable). Some free zones issue their own supplementary AML guidelines.

Virtual Asset Free Zones

With the growth of crypto and virtual asset businesses in the UAE, specialised regulations have emerged. VARA (Virtual Assets Regulatory Authority) in Dubai has its own comprehensive AML framework for VASPs operating under its jurisdiction.

How Volta Edge Helps with AML Compliance

AML compliance isn’t something you set up once and forget. It’s an ongoing commitment that requires expertise, systems, and regular review.

At Volta Edge, we provide:

  • AML risk assessments tailored to your business type and customer base
  • Policy and procedure development that meets regulatory requirements while being practical for your team
  • goAML registration support to get you set up correctly
  • Staff training programmes customised to your industry
  • Ongoing compliance monitoring and advisory support
  • Independent AML audits to identify gaps before regulators do

Combined with our accounting and bookkeeping services and corporate tax advisory, we ensure your business is compliant across every dimension.

Don’t Wait for a Fine to Take AML Seriously

AML compliance requirements are only getting stricter. The cost of building a proper programme is a fraction of the penalties for non-compliance.

Book a free consultation with Volta Edge and let’s review your AML obligations together. Whether you need a full compliance programme built from scratch or just a gap analysis, we’ve got you covered.

Need Expert Help?

Volta Edge has helped 200+ UAE businesses stay FTA compliant. Our team handles everything so you can focus on growing your business.

→ Book a Free Consultation

Frequently Asked Questions About AML Compliance in UAE

What is AML compliance in UAE?

AML compliance in UAE refers to the legal obligations businesses have under Federal Decree-Law No. 20 of 2018 to prevent money laundering and terrorism financing. This includes conducting customer due diligence, monitoring transactions, filing suspicious transaction reports, and maintaining comprehensive records.

Who needs to comply with AML regulations in the UAE?

All financial institutions (banks, exchange houses, insurance companies, investment firms) and Designated Non-Financial Businesses and Professions (DNFBPs) must comply. DNFBPs include real estate agents, precious metal dealers, accountants, auditors, lawyers, and company service providers.

What is goAML and do I need to register?

goAML is the UAE Financial Intelligence Unit’s online portal for reporting suspicious transactions. All entities with AML obligations — financial institutions and DNFBPs — must register on goAML, even if they’ve never encountered a suspicious transaction.

What are the penalties for AML non-compliance in UAE?

Administrative fines range from AED 50,000 to AED 5,000,000 per violation. Criminal penalties for actual money laundering offences include imprisonment up to 10 years, fines up to AED 5,000,000, asset confiscation, and deportation for non-UAE nationals.

What is the difference between STR and SAR?

A Suspicious Transaction Report (STR) is filed when a suspicious transaction has occurred. A Suspicious Activity Report (SAR) is filed when suspicious behaviour or activity is detected, even if no transaction has been completed. Both are filed through the goAML portal.

Do free zone companies need to comply with AML?

Yes. Free zone companies must comply with federal AML law plus any additional requirements from their specific free zone authority. DIFC companies follow DFSA rules, ADGM companies follow FSRA rules, and other free zone companies follow Ministry of Economy directives where applicable.

How long must I keep AML records?

You must maintain all AML-related records — CDD documents, transaction records, STR/SAR copies, training records — for a minimum of 5 years from the date of the transaction or the end of the business relationship, whichever is later.

Can I outsource AML compliance?

You can outsource certain elements like risk assessment development, policy drafting, training, and audit functions. However, the Compliance Officer must be an internal appointment, and ultimate responsibility for AML compliance always remains with the business.

What happens if I file an STR and the customer isn’t actually laundering money?

You are legally protected when filing in good faith. The law specifically provides safe harbour for reports filed based on genuine suspicion. You cannot be sued or held liable for losses resulting from a good-faith STR/SAR filing.

How often should AML training be conducted?

AML training should be provided at the time of hiring, annually for all relevant staff, and whenever significant regulatory changes occur. Training records must be maintained as part of your compliance documentation.

More Blogs