
AML Compliance UAE 2026: goAML, CDD & CBUAE Requirements

UAE AML compliance for DNFBPs and financial firms: goAML registration, customer due diligence, an AML officer, suspicious-transaction reporting, and fines from AED 50,000 to 5 million.

Written by Mirza Seraj Baig · Founder & Advisory Strategist

Reviewed by Jashvantkumar Prajapati



In short: UAE anti-money-laundering rules sit under Federal Decree-Law No. 20 of 2018. If you are a financial institution or a DNFBP (real estate, precious metals, auditors, company service providers), you must register on goAML, run customer due diligence, appoint an AML compliance officer, file Suspicious Transaction Reports, and keep records for 5 years. Fines run from AED 50,000 to AED 5,000,000.

AML is the compliance area most non-financial businesses assume is not theirs – right up to the inspection. The UAE deliberately pulled real estate agents, gold and jewellery dealers, accountants and company formation firms into the same regime as banks. If your business touches client money, high-value goods, or company structures, the question is not whether AML applies, but whether you can prove you are doing it.

This guide covers who is in scope, what the framework actually requires, and the penalties for getting it wrong. It has been reviewed by Jashvantkumar Prajapati of Avyanco Group, a licensed corporate service provider. It pairs naturally with our due diligence guide and the UBO and corporate secretarial guide.

The phrase I hear most is "we are not a bank, this is not for us." Then the inspector arrives, asks for the goAML registration and the CDD files, and the conversation changes very quickly. Scope is wider than people think.

— Jashvantkumar Prajapati, Business Structuring Specialist, Avyanco Group (reviewer)

Not sure if AML applies to your business? Ask us for a quick scope check – we will tell you whether you are a DNFBP and what you need in place. Estimate wider compliance costs with our calculator.

What UAE AML compliance is

Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) is the framework that requires businesses to prevent their services being used to launder money or finance crime. In the UAE it is governed by Federal Decree-Law No. 20 of 2018 and its implementing regulations, overseen by the Ministry of Economy, the Central Bank, and the Financial Intelligence Unit. It is built on a risk-based approach: you assess where your business is exposed, then apply controls proportionate to that risk.

Who must comply

Two broad groups are in scope:

  • Financial institutions – banks, exchange houses, finance and insurance companies.
  • DNFBPs (Designated Non-Financial Businesses and Professions) – real estate brokers and agents, dealers in precious metals and stones, auditors and accountants, and company service providers.

The DNFBP category is where most owners are caught off guard. A real estate brokerage, a gold trader, an audit firm, or a company formation agent all carry the full set of obligations – goAML registration, CDD, an AML officer, reporting, and record-keeping.

The five things you must actually do

  1. Register on goAML – the FIU’s platform, used for all suspicious-activity reporting. Registration itself is mandatory.
  2. Run customer due diligence (CDD) – identify and verify each customer and the ultimate beneficial owner before you act; apply Enhanced Due Diligence to higher-risk cases.
  3. Appoint an AML compliance officer – a qualified person who owns the programme, monitoring, and reporting.
  4. File suspicious reports (STR/SAR) – through goAML, without tipping off the customer, whenever you have reasonable grounds to suspect.
  5. Keep records for 5 years – identification, due diligence, transactions and risk assessments, retrievable on request.

When standard checks are not enough

Enhanced Due Diligence applies where the risk is higher: politically exposed persons (PEPs) and their associates, customers from high-risk jurisdictions, unusually complex ownership structures, and transactions that do not fit the customer’s profile. EDD goes further into source of funds and source of wealth, and usually requires senior sign-off to proceed. The judgement call – deciding a case is higher-risk – is exactly what a trained compliance officer is there to make.

Penalties for getting it wrong

Penalty snapshot

| Breach | Penalty |
|---|---|
| Failure to register / comply (range) | AED 50,000 – AED 5,000,000 |
| Not registering on goAML | Fined as a standalone breach |
| Failure to file an STR | Among the most serious breaches |
| Inadequate CDD or records | Fines + remedial orders |
| Repeated / serious breaches | Activity suspension, manager removal, licence cancellation |

Penalty amounts are as published by the relevant authority and subject to revision. Verify before relying on them.

Light KYC vs full AML programme

| | Basic KYC only | Full AML programme |
|---|---|---|
| Customer identity | Checked | Checked + verified + UBO traced |
| Risk approach | None | Risk-based, documented |
| Reporting | None | goAML STR/SAR |
| Officer | None | Appointed AML officer |
| Inspection outcome | Likely fail | Defensible |

If your business is a DNFBP, the right-hand column is the legal minimum – basic identity checks alone will not survive an inspection.

Five AML mistakes that trigger fines

  1. Assuming AML is only for banks. DNFBPs carry the full obligations.
  2. Skipping goAML registration. Not being on the system is a penalised breach on its own.
  3. A compliance officer in name only. The role must have real oversight and a paper trail.
  4. No UBO identification on customers. You must know the real people behind the companies you serve.
  5. Treating record-keeping casually. Five years, retrievable - missing files are a failure in themselves.


Frequently asked questions

Which businesses must comply with UAE AML rules?

All financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs) are in scope under Federal Decree-Law No. 20 of 2018. DNFBPs include real estate brokers and agents, dealers in precious metals and stones, auditors and accountants, and company service providers. If your business handles client money, high-value goods, or sets up companies for others, you are very likely caught - and most owners in these sectors underestimate that.

What is goAML and do I have to register?

goAML is the UAE Financial Intelligence Unit's reporting platform. In-scope businesses must register on goAML and use it to file Suspicious Transaction Reports and Suspicious Activity Reports. Registration is mandatory for DNFBPs and financial institutions, and failure to register is itself a penalised breach - regulators have fined businesses simply for not being on the system, before any transaction issue arises.

What does customer due diligence (CDD) actually require?

CDD means identifying and verifying who your customer really is before you do business, understanding the purpose of the relationship, and identifying the ultimate beneficial owner behind any company. You then monitor the relationship on a risk-based basis. Higher-risk customers - politically exposed persons, high-risk jurisdictions, unusual structures - require Enhanced Due Diligence, which goes deeper into source of funds and wealth.

Do I need an AML compliance officer?

Yes. In-scope businesses must appoint a qualified AML/Compliance Officer responsible for the programme - overseeing CDD, monitoring transactions, filing reports through goAML, and training staff. For a small DNFBP this can be an existing senior person with the right training, but the role must be real and documented. A named officer with no actual oversight is exactly what inspections expose.

What are the penalties for AML non-compliance in the UAE?

Penalties under the AML framework range from AED 50,000 to AED 5,000,000 depending on the breach, and regulators can also issue warnings, suspend or ban the business from its activity, remove managers, or cancel the licence. The UAE has enforced these actively as part of its FATF commitments, so they are not theoretical. The reputational damage and licence risk often outweigh the fine itself.

What records do I have to keep, and for how long?

You must keep customer identification documents, due diligence records, transaction records, and your risk assessments for at least five years after the business relationship ends or the transaction is completed. The records must be retrievable - an inspector who asks for a file expects it produced promptly. Disorganised or missing records are treated as a compliance failure in their own right, separate from any underlying transaction.

What is a Suspicious Transaction Report (STR)?

An STR is a report you file through goAML when you have reasonable grounds to suspect that funds or a transaction relate to a crime or money laundering. You must file without tipping off the customer. The test is suspicion, not proof - you are not investigating, you are flagging. Failing to report a transaction you should reasonably have found suspicious is one of the most serious breaches in the framework.

How do AML rules connect to UBO and due diligence?

They are the same discipline at different points. AML compliance requires you to identify the ultimate beneficial owner of your customers - which is exactly what the UBO register captures for your own company - and to verify counterparties, which is what due diligence does before a deal. A business that keeps its own UBO records current and runs proper due diligence is already most of the way to AML compliance.

Sources and official references

This guide is general information, not legal or tax advice. UAE tax law, thresholds, fees and penalties change without notice. Confirm the current position with the Federal Tax Authority (tax.gov.ae) or the Ministry of Finance (mof.gov.ae), or a licensed tax adviser, before you act.


About the Author

Mirza Seraj Baig

Founder & Advisory Strategist

Henry Club UAE


Dubai-based independent advisor on UAE visa, immigration, and offshore structuring. Founder of Henry Club UAE with 90+ published guides. Advisory-first – clarity before commitment.