A Guide to New AML/KYC Regulations in the UAE for the Year 2024
The United Arab Emirates (UAE) has a robust and evolving AML/CFT framework, aimed at combating money laundering and terrorism financing effectively. This framework is primarily governed by Federal Decree-Law No. 20 of 2018, with significant reinforcement from Federal Decree-Law No. 7 of 2024.
The latter established the Supreme Committee for AML/CFT to strengthen national coordination. The UAE also follows a 2024-2027 National AML/CFT Strategy, focusing on cybercrime, digital payments, and trade-based money laundering.
Key Regulatory Bodies
The Central Bank of the UAE (CBUAE) oversees AML controls across banks, digital banks, payment processors, and financial institutions. Active in enforcement, the CBUAE conducts inspections and imposes financial sanctions for compliance breaches. In July 2025, CBUAE fined a bank AED 3 million for AML violations and also fined exchange houses over AED 4.1 million in total for similar deficiencies.
The Executive Office for AML/CFT is responsible for inspections and ensuring licensed entities demonstrate strong AML/KYC controls, especially from 2025 onward. The Financial Intelligence Unit (FIU) receives Suspicious Activity Reports and monitors compliance across sectors.
Regulators within UAE financial free zones, such as Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), implement and enforce AML regulations with international standards aligned within their jurisdictions.
Enforcement and Compliance
The UAE's AML/CFT framework applies to a wide range of entities, including financial institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and virtual asset providers. All these entities must comply with regulations to maintain a stringent regulatory environment focused on aligning with global standards.
Key regulatory components include robust Know Your Customer (KYC) and Customer Due Diligence (CDD) requirements, mandatory Suspicious Activity Reporting (SAR) to the Financial Intelligence Unit (FIU), record-keeping, and sanctions compliance for financial institutions and DNFBPs.
If financial institutions fail to report suspicious activities, their managers or employees may be subjected to imprisonment and fines. FIs are obliged to report suspicious activities related to ML/FT operations to the Financial Intelligence Union (FIU) without delay.
Obligations for DNFBPs and NPOs
DNFBPs, such as brokers, real estate agents, lawyers, notaries, independent legal professionals, independent accountants, providers of corporate services and trusts, dealers in precious metals and precious stones, and other professions or activities determined by the Minister, must also comply with AML-CFT regulations.
Non-profit organizations (NPOs) have very limited obligations under legislation compared to FIs and DNFBPs.
goAML and Compliance Procedures
To stay compliant with all the regulations, businesses should monitor customer transactions, ensure that they provide authentic data, and report suspicious cases. goAML, a special application created by the United Nations Office on Drugs and Crime (UNODC), aims to combat money laundering, terrorism financing, and other types of financial crimes. All FIs, DNFBP, and VASPs are required to register on the goAML portal as part of their compliance procedures.
In 2021, the Central Bank of the UAE announced that it imposed financial sanctions on 11 UAE banks for failing to comply with AML/CFT regulations.
The UAE has a Specialized Money Laundering Court.
Businesses need to follow Know Your Customer (KYC) requirements when working with their customers, which includes collecting different types of documents from individual customers and companies. FIs are obliged to enhance their CDD measures concerning high-risk customers, including Politically Exposed Persons (PEPs), customers associated with high-risk countries, and correspondent banking institutions.
There is no minimum reporting threshold and no statute of limitations concerning ML/FT crimes or reporting of suspicious transactions. FIs can exercise Simplified Customer Due Diligence (SDD) concerning low-risk customers, which includes a reduction in verification requirements, fewer and less detailed inquiries, and less frequent monitoring. FIs and DNFBPs are required to undertake risk-based Customer Due Diligence (CDD) measures, including understanding the nature of the customer's business and the purpose of the transaction in specified cases. There are Enhanced Due Diligence (EDD) measures, which involve more rigorous CDD measures applied towards high-risk customers.
A person acts unlawfully if they knowingly commit one of the following crimes: transferring or transporting proceeds of crime with intent to conceal or disguise its illicit origin, concealing or disguising the true nature, origin, location, way of disposition, movement or rights related to any proceeds or the ownership thereof, acquiring, possessing or using such proceeds, or assisting the perpetrator of the predicate offense to escape punishment.
FIs must comply if they conduct one or several of financial activities or operations on the customer's behalf, as listed in the paragraph.
The Financial Action Task Force (FATF) stated in February 2024 that the UAE is no longer subject to increased monitoring. The most important AML/CFT laws in the UAE include Federal Decree-Law No. (20) of 2018, Cabinet Decision No. (10) of 2019, Cabinet Decision No. (58) of 2020, Cabinet Resolution No. (53) of 2021, Cabinet Decision No. (16) of 2021, and Cabinet Resolution No. (74) of 2020. The records that FIs are obliged to keep can be separated into two categories: financial transaction records and CDD records, and their statutory retention period is at least five years.
The financial sector in the UAE, with businesses and institutions operating within the robust AML/CFT framework, focuses on compliance with AML and KYC regulations. The Central Bank of the UAE (CBUAE) is a key regulatory body that ensures financial institutions, including banks, digital banks, payment processors, and financial institutions, adhere to AML controls and imposes sanctions for non-compliance. Additionally, businesses must follow compliance procedures such as customer transaction monitoring, authentic data provision, and suspicious activity reporting.
