AML Compliance Requirements for Businesses

AML compliance requirements for businesses in the UAE include registering on the GoAML portal, appointing a compliance officer, conducting customer due diligence (CDD), filing Suspicious Transaction Reports (STRs), maintaining records for at least five years, performing enterprise-wide risk assessments, and training staff on anti-money laundering procedures. The UAE’s AML framework is governed by Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, which replaced earlier legislation and introduced the most comprehensive anti-money laundering, counter-terrorism financing, and counter-proliferation financing (AML/CFT/CPF) framework the country has ever had. Since the UAE was removed from the FATF grey list in February 2024 after implementing major reforms, enforcement has only gotten stricter. Authorities fined 29 DNFBP organizations AED 22.6 million in 2024, and that figure jumped to AED 42 million in the first half of 2025 alone, according to the Washington Centre. With the FATF’s fifth round of mutual evaluations scheduled to begin in June 2026, businesses in Dubai that ignore AML compliance are facing penalties that can reach up to AED 5 million per violation. This article covers every AML requirement businesses in the UAE must meet, the penalties for non-compliance, and the steps to get fully compliant.

What Are the AML Compliance Requirements for Businesses in the UAE?

The AML compliance requirements for businesses in the UAE are GoAML registration, appointment of a compliance officer and Money Laundering Reporting Officer (MLRO), customer due diligence (CDD), enhanced due diligence (EDD) for high-risk clients, filing of Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs), record-keeping for at least five years, enterprise-wide risk assessments (EWRA), sanctions screening, Ultimate Beneficial Ownership (UBO) disclosure, and regular staff training.

These requirements apply to financial institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs). The legal foundation comes from Federal Decree-Law No. 10 of 2025 (which replaced Federal Decree-Law No. 20 of 2018) and Cabinet Resolution No. 134 of 2025, according to Al Tamimi and Company. Together, these laws contain nearly 300 enforceable requirements.

The UAE’s AML regime aligns with international standards set by the Financial Action Task Force (FATF). According to Norton Rose Fulbright, the UAE was placed on the FATF grey list in March 2022 due to strategic deficiencies and removed in February 2024 after implementing reforms including a new specialist court for financial crimes, new AML guidelines for financial institutions and DNFBPs, and a strengthened penal code. The country now faces a new mutual evaluation in June 2026, which means enforcement is intensifying, not relaxing.

According to Azakaw, AML penalties in the UAE can range from AED 10,000 to AED 50 million depending on the severity of the breach. Sanctions may also include license suspension, personal fines for managers, criminal prosecution, and reputational damage.

Businesses in Deira and across Dubai that take AML compliance seriously from day one protect themselves from penalties, banking disruptions, and regulatory enforcement actions. Completing GoAML registration is the essential first step.

Who Needs To Comply With AML Regulations in the UAE?

The businesses that need to comply with AML regulations in the UAE include financial institutions (banks, exchange houses, insurance companies), Designated Non-Financial Businesses and Professions (DNFBPs), Virtual Asset Service Providers (VASPs), and non-profit organizations.

DNFBPs represent the largest category of non-bank businesses affected. According to the UAE AML law and AML UAE’s comprehensive guide, DNFBPs include real estate agents and brokers who facilitate buying or selling property, dealers in precious metals and stones who handle cash transactions of AED 55,000 or more, auditors and independent accountants, legal consultants and notaries, corporate service providers who help set up companies or act as nominee shareholders, trust service providers, and (as of December 2025 under Cabinet Decision No. 134 of 2025) operators of commercial gaming.

VASPs are now fully aligned with conventional financial institutions in their AML obligations under the new executive regulations, according to CMS Law. This includes virtual asset exchanges, wallet providers, and platforms that facilitate the transfer, safekeeping, or administration of virtual assets.

According to Flying Colour Tax Consultant, DNFBPs are considered prime targets for illicit financial activities because of the nature of their work. Real estate transactions can be used for layering. Precious metals provide an easy value transfer mechanism. Corporate service providers create legal entities that can be misused for money laundering.

The Ministry of Economy and Tourism (MoET) supervises DNFBPs in the UAE (except those in DIFC and ADGM, which have their own regulators). According to AML Square, MoET has been issuing “Letters of Concern” to firms with compliance gaps, giving them 30 days to fix deficiencies and provide evidence of corrective action.

Businesses that fall under any DNFBP category need to start with GoAML registration and AML policy development. Companies that handle tax compliance alongside AML through experienced VAT and corporate tax professionals build a fully integrated compliance framework.

What Is GoAML and Why Do Businesses Need To Register?

GoAML is the UAE’s official secure online portal operated by the Financial Intelligence Unit (FIU) for receiving Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) from registered entities. Businesses need to register because it is the only authorized channel for reporting suspicious activities to the authorities.

All financial institutions, DNFBPs, and VASPs with AML reporting obligations must create and maintain an active account on the GoAML portal. According to Azakaw, GoAML is the single most important compliance tool in the UAE’s AML framework. Failure to register when required carries financial penalties, regulatory enforcement actions, and potential banking restrictions.

Registration requires specific information including trade license details, company registration number, physical office address, compliance officer details (name, Emirates ID, contact information), and a description of business activities. The FIU reviews each application and may request additional documentation before activating the account.

According to Filings.ae, banks verify AML compliance status when reviewing account relationships. Companies without active GoAML registration when required may face account restrictions, enhanced due diligence, fund freezes, or outward remittance blocks from their bank. A clean GoAML registration demonstrates regulatory compliance and supports smooth banking operations.

Once the account is active, the designated compliance officer must log in regularly and file STRs or SARs whenever suspicious transactions or activities are identified. Failure to report carries penalties under the AML law.

Businesses in Al Khabaisi, Deira, and across Dubai that need professional support with the registration process benefit from dedicated GoAML registration services that handle every step from document preparation to portal activation.

What Is Customer Due Diligence and When Is It Required?

Customer due diligence (CDD) is the process of verifying a customer’s identity, understanding the nature of their business, and assessing the risk they present before establishing a business relationship or conducting a transaction. CDD is required before every new client onboarding and on an ongoing basis for existing relationships.

Under the UAE’s AML framework, CDD involves collecting and verifying the customer’s name, nationality, date of birth, identification documents (passport, Emirates ID), proof of address, and source of funds. For legal entities, CDD includes verifying the trade license, Memorandum of Association, shareholder structure, and Ultimate Beneficial Owners (UBOs).

According to Bizedge Business Setup, UAE firms must verify customer identity, assess risk profiles, and conduct enhanced due diligence for high-risk clients before establishing business relationships. Under Cabinet Resolution No. 58 of 2020 (and the updated provisions under Cabinet Resolution No. 134 of 2025), companies must maintain accurate UBO registers and submit ownership details to authorities.

Enhanced Due Diligence (EDD) is required for high-risk customers. This includes customers from FATF grey-listed countries, politically exposed persons (PEPs), customers with complex ownership structures, and transactions that appear inconsistent with the customer’s profile. EDD requires obtaining additional information about the source of funds and source of wealth, obtaining senior management approval before onboarding, and conducting more frequent transaction monitoring.

According to CMS Law, CDD triggers for financial institutions remain at AED 55,000 or more for single or linked transactions, or AED 3,500 for occasional wire transfers. VASPs now have a lower CDD threshold of AED 3,500 or more.

Businesses that keep detailed customer records through structured bookkeeping services are better positioned to complete CDD and produce documentation during regulatory inspections.

What Are Suspicious Transaction Reports and How Are They Filed?

Suspicious Transaction Reports (STRs) are reports filed through the GoAML portal when a transaction raises indicators of money laundering, terrorism financing, or other illegal activity. STRs must be filed promptly once suspicion is formed, without tipping off the customer.

Red flags that trigger an STR include unusually large cash transactions, rapid movement of funds between accounts, transactions that do not match the customer’s known business profile, structuring transactions to avoid reporting thresholds, customers who refuse to provide identification or source of funds information, and transactions involving countries on international sanctions lists.

According to Azakaw, real estate firms and DNFBPs such as precious metals dealers, company service providers, and accountants are required to report cash transactions above AED 55,000 and submit STRs via the GoAML platform. These sectors have historically been exploited for integrating illicit funds, making regulatory compliance a growing enforcement priority.

Suspicious Activity Reports (SARs) cover non-transactional activities that raise money laundering or terrorism financing concerns. Examples include unusual customer behavior, inconsistent documentation, requests to avoid standard procedures, and attempts to disguise the true nature of a business relationship.

The compliance officer is responsible for reviewing internal reports from staff, making the decision to file an STR or SAR, and submitting the report through GoAML. Every report must be documented in the company’s internal records for at least five years.

Failure to file an STR when required is one of the most serious AML violations. According to the Washington Centre, regulators fined DNFBP organizations AED 22.6 million in 2024, with precious metals and stones traders absorbing AED 20 million across 473 violations and real estate brokerages facing AED 18.5 million across 495 violations in the first half of 2025.

Businesses that maintain accurate financial statements and transaction records can identify suspicious patterns more quickly and file reports with complete supporting documentation.

What Is an Enterprise-Wide Risk Assessment for AML?

An enterprise-wide risk assessment (EWRA) for AML is a documented evaluation of the money laundering, terrorism financing, and proliferation financing risks that a business faces based on its customers, products, services, geographic exposure, and delivery channels.

Every business with AML obligations must complete an EWRA. According to Al Tamimi and Company, the updated executive regulations under Cabinet Resolution No. 134 of 2025 require all regulated entities (financial institutions, DNFBPs, and VASPs) to identify, mitigate, and document proliferation financing risks alongside traditional money laundering and terrorism financing risks.

The EWRA must cover customer risk (who are your clients and what risks do they present), product and service risk (which of your offerings are most vulnerable to abuse), geographic risk (do you deal with clients from high-risk jurisdictions), delivery channel risk (how do customers access your products), and transaction risk (what types and volumes of transactions does the business process).

The risk assessment must be documented and kept ready for review by the supervisory authority. According to Bizedge Business Setup, businesses must update their EWRA whenever there are significant changes to their operations, customer base, or the regulatory environment.

The EWRA drives all other compliance decisions. It determines which customers require Enhanced Due Diligence, how frequently transaction monitoring should occur, what staff training topics to prioritize, and how resources should be allocated to AML compliance.

Businesses that combine their AML risk assessment with their broader business compliance through professional auditing and assurance services get a complete picture of their regulatory exposure.

What AML Penalties Do UAE Businesses Face for Non-Compliance?

The AML penalties UAE businesses face for non-compliance range from AED 10,000 to AED 50 million depending on the severity and nature of the breach, according to Azakaw. Sanctions may also include license suspension, personal fines for managers, criminal prosecution, and imprisonment for individuals found responsible for negligence.

According to AML Square, non-compliance with the new Federal Decree-Law No. 10 of 2025 can lead to financial penalties up to AED 5,000,000, administrative sanctions including suspension or total cancellation of trade licenses, and potential imprisonment for individuals responsible for negligence.

According to Flying Colour Tax Consultant, DNFBP penalties can range from AED 100,000 to AED 1,000,000 depending on the severity of the violation. Senior management, compliance officers, and other involved staff can face imprisonment if found guilty of negligence or deliberate violations.

The enforcement numbers tell the story. According to the Washington Centre, in 2024 alone, authorities fined 29 DNFBP organizations AED 22.6 million. In the first half of 2025, the total jumped to AED 42 million across industries. Precious metals and stones traders faced AED 20 million in fines across 473 violations. Real estate brokerages were liable for AED 18.5 million across 495 violations. Corporate service providers and audit firms absorbed over AED 4 million across 95 cases.

According to A&O Shearman, the UAE Central Bank has ramped up enforcement against financial institutions, issuing nearly AED 350 million in fines in recent months for breaches of AML regulations. Licenses of 32 local gold refineries were suspended between July and October 2024.

Beyond direct penalties, non-compliance damages banking relationships. Banks monitor client AML status and will restrict accounts, block remittances, or terminate relationships for companies that are not GoAML registered or that have received enforcement actions.

What Records Must Businesses Keep for AML Compliance?

Businesses must keep all AML-related records for at least five years from the date of the transaction or the end of the business relationship, whichever is later. These records include customer identification documents, CDD and EDD records, transaction records, internal STR and SAR filing logs, risk assessments, training records, and all correspondence with the FIU.

According to Al Tamimi and Company, VASPs are required to maintain records for at least five years under the new executive regulations. This obligation extends to all regulated entities, not just financial institutions. Record-keeping is a core compliance requirement that regulators specifically check during inspections.

CDD records must include copies of all identification documents collected, the results of verification checks, the risk rating assigned to the customer, and any Enhanced Due Diligence measures applied. Transaction records must show the nature, date, and value of each transaction, the parties involved, and the account details.

Internal reporting records must document every suspicious activity flagged by staff, the compliance officer’s assessment, and the outcome (whether an STR or SAR was filed or whether the activity was determined to be legitimate). These records create an audit trail that demonstrates the business took its reporting obligations seriously.

According to CMS Law, the executive regulations strengthen record-keeping obligations and explicitly require ongoing monitoring documentation. Businesses must demonstrate not just that they have policies in place, but that those policies are consistently applied and produce tangible compliance outcomes.

Businesses that maintain organized financial records through professional bookkeeping services have a much easier time meeting AML record-keeping requirements because transaction data is already structured and accessible.

How Does AML Compliance Affect Business Banking in the UAE?

AML compliance directly affects business banking in the UAE because banks verify compliance status when reviewing account applications, credit facilities, and ongoing relationships. A company without active GoAML registration, proper CDD documentation, or a designated compliance officer faces account restrictions, enhanced scrutiny, or relationship termination.

According to Filings.ae, banks are concerned about losing their own licenses, so when they identify a DNFBP operating without GoAML clearance, they will freeze funds and block outward remittances until the business proves compliance. This can halt operations completely.

The UAE Central Bank conducts inspections of financial institutions to verify that their customers are AML compliant. Banks that allow non-compliant businesses to operate accounts risk their own enforcement actions. According to A&O Shearman, the Central Bank issued a fine of AED 5.8 million on a local bank in 2024 for breaching AML laws. This creates a strong incentive for banks to cut ties with non-compliant clients.

For businesses seeking new bank accounts, AML compliance documentation is now part of the standard Know Your Customer (KYC) package that banks require. This includes the GoAML registration certificate, the company’s AML policy manual, the compliance officer’s designation letter, and the most recent EWRA.

Businesses in Al Rigga, Port Saeed, and across Dubai that need help preparing complete AML and banking documentation benefit from business bank account assistance services that coordinate directly with major UAE banks.

What Is the Role of the Compliance Officer in AML?

The role of the compliance officer in AML is to oversee all anti-money laundering activities within the business, including monitoring transactions, managing CDD processes, filing STRs and SARs through GoAML, maintaining AML policies, conducting risk assessments, training staff, and serving as the primary contact with the FIU and supervisory authorities.

Every entity with AML obligations must officially appoint a qualified AML Compliance Officer (also called a Money Laundering Reporting Officer or MLRO). According to Bizedge Business Setup and Al Tamimi and Company, this role cannot be assigned informally. The compliance officer must be registered on the GoAML portal by name.

According to Al Tamimi and Company, the updated executive regulations under Cabinet Resolution No. 134 of 2025 broaden compliance officer responsibilities to cover proliferation financing and VASP oversight, alongside traditional AML and CTF duties. Senior management is expected to personally approve internal AML policies and oversee high-risk relationships.

The compliance officer must have sufficient authority, resources, and access to information to carry out their duties effectively. They must report directly to senior management and must not have conflicting responsibilities that could compromise their independence.

Staff throughout the organization must know who the compliance officer is and how to report suspicious activities internally. The compliance officer then evaluates these internal reports and decides whether to file an STR or SAR through GoAML.

What Is the UAE’s National Risk Assessment for AML?

The UAE’s National Risk Assessment (NRA) for AML is a government-level evaluation of the money laundering, terrorism financing, and proliferation financing threats and vulnerabilities across the entire country. The most recent NRA is the 2024 edition, published in April 2025.

According to Herbert Smith Freehills Kramer, the 2024 NRA provides a comprehensive analysis of the UAE’s money laundering threats and vulnerabilities and forms the basis for the national AML strategy for 2024 to 2027. The NRA identifies which sectors are at highest risk, which transaction types are most vulnerable, and which geographic factors contribute to the overall threat level.

According to the Washington Centre, precious metals and real estate remain high-risk categories in the NRA because they are prone to value transfer mechanisms and layering. This is why these sectors face the highest enforcement activity and the strictest inspection schedules.

Businesses are required to take the NRA findings into account when conducting their own enterprise-wide risk assessments. According to AML UAE, Circular No. 4 of 2025 issued by MoET requires all DNFBPs to incorporate the NRA findings into their AML programs, specifically their CDD measures and risk rating methodologies.

The NRA matters because the FATF evaluates whether businesses in the UAE are actually using it. During the upcoming fifth-round mutual evaluation scheduled for June 2026, FATF assessors will check whether companies have aligned their internal risk assessments with the national-level findings. A company that has never read or referenced the NRA will struggle to demonstrate effective compliance.

Companies that need help aligning their AML risk assessments with the NRA benefit from professional guidance through GoAML registration and AML compliance services.

AML Compliance Requirements Comparison Table

Sources: Federal Decree-Law No. 10 of 2025, Cabinet Resolution No. 134 of 2025, Al Tamimi and Company, Azakaw, CMS Law, Norton Rose Fulbright, Washington Centre, A&O Shearman, AML Square, Bizedge Business Setup

Frequently Asked Questions

What Is the Deadline for GoAML Registration in the UAE?

There is no single universal deadline for GoAML registration because the requirement applies from the moment a business begins operating in a DNFBP capacity or obtains a license for a regulated activity. Businesses must register before they start conducting activities that trigger AML obligations. According to AML Square, the Ministry of Economy and Tourism is actively issuing Letters of Concern to DNFBPs with compliance gaps and giving them 30 days to fix deficiencies. Businesses in Dubai that have not yet registered should do so immediately.

Do Accounting Firms Need To Register on GoAML?

Yes, accounting firms need to register on GoAML. Independent accountants and auditors are classified as DNFBPs under UAE AML law and must comply with all AML requirements including GoAML registration, CDD, STR filing, and staff training. According to the Washington Centre, corporate service providers and audit firms were fined over AED 4 million across 95 cases in the first half of 2025. Accounting firms in Deira and across the UAE should treat GoAML registration as a priority.

What Are the AML Penalties for Real Estate Companies in the UAE?

The AML penalties for real estate companies in the UAE include fines ranging from AED 100,000 to AED 1,000,000 or more per violation, license suspension, and potential criminal prosecution for responsible individuals. According to the Washington Centre, real estate brokerages were fined AED 18.5 million across 495 violations in the first half of 2025 alone. Real estate is classified as a high-risk sector in the UAE’s National Risk Assessment.

Does AML Compliance Apply to Free Zone Companies?

Yes, AML compliance applies to free zone companies. Any free zone entity that falls under a DNFBP category or is identified by its supervisory authority as having AML obligations must register on GoAML and meet all AML requirements. This includes entities in DMCC, JAFZA, DIFC, DAFZA, IFZA, RAKEZ, and all other UAE free zones. DIFC and ADGM have their own regulators (DFSA and FSRA) with additional AML rulebooks.

How Often Should AML Training Be Conducted?

AML training should be conducted at least annually for all relevant staff, with additional sessions when there are significant changes to the AML law, the company’s risk profile, or the staff roster. According to Al Tamimi and Company, the updated regulations require businesses to implement training programs on updated policies and procedures. Training records must be maintained for at least five years and produced during regulatory inspections. Businesses in Al Muraqqabat, Naif, and across Dubai should calendar annual training sessions.

What Is the Connection Between AML Compliance and Corporate Tax?

The connection between AML compliance and corporate tax is that both require accurate financial records, both fall under FTA and regulatory authority oversight, and companies undergoing combined tax and AML compliance reviews must demonstrate that their financial records are consistent across all filings. According to Taxograph’s service framework, companies that complete VAT and corporate tax registration alongside GoAML registration build a fully compliant regulatory profile. Cabinet Decision No. 129 of 2025 updates tax penalty structures that intersect with AML documentation requirements.

When Is the Next FATF Evaluation of the UAE?

The next FATF mutual evaluation of the UAE is the fifth round, scheduled to begin in June 2026, according to Herbert Smith Freehills Kramer. This evaluation will assess whether the UAE has maintained and strengthened its AML reforms since being removed from the grey list in February 2024. The FATF will evaluate enforcement results, STR quality, agency coordination, and prosecution success rates. Businesses that demonstrate strong AML compliance contribute to the UAE’s overall evaluation score.

Final Thoughts

AML compliance is no longer a checkbox exercise in the UAE. Authorities fined DNFBP organizations AED 22.6 million in 2024 and AED 42 million in just the first half of 2025. The UAE Central Bank issued nearly AED 350 million in fines to financial institutions. Licenses have been suspended. Individuals have been prosecuted. And with the FATF’s fifth-round mutual evaluation starting in June 2026, enforcement will only intensify.

Every business with AML obligations must register on GoAML, appoint a qualified compliance officer, conduct customer due diligence, file STRs and SARs when required, complete an enterprise-wide risk assessment, and train staff regularly. The penalties for failure range from AED 10,000 to AED 50 million, plus license suspension and criminal prosecution.

Taxograph provides complete GoAML registration, AML policy development, and ongoing compliance support for businesses across Dubai and all seven UAE emirates. From DNFBP registration and compliance officer training to STR filing and annual policy reviews, our team of Chartered Accountants and licensed consultants handles every detail. Businesses that need help with GoAML registration and AML compliance can call +971501840951 or visit our office at Ginger Business Center, Al Khabaisi, Deira, Dubai, near Abu Baker Al Siddique Metro Station on the Green Line. Protect your business and your license before the next inspection.