What a Suspicious Transaction Report Is Under UAE AML Law
A Suspicious Transaction Report (STR) is a formal notification submitted to the UAE Financial Intelligence Unit (FIU) when a financial institution or Designated Non-Financial Business and Profession (DNFBP) has reasonable grounds to suspect that a transaction or attempted transaction involves funds connected to a crime. Filing an STR is not a discretionary best practice — it is a legal obligation under the UAE’s AML/CFT framework, and failure to file one when it is warranted is itself a criminal offence.
The current governing framework is Federal Decree-Law No. 10 of 2025, which took effect on 14 October 2025 and replaced Federal Decree-Law No. 20 of 2018, and Cabinet Resolution No. 134 of 2025, effective 14 December 2025, which replaced Cabinet Decision No. 10 of 2019. Any guide to STR filing that references the 2018 law as current is now working from superseded legislation.
Who Is Required to File STRs Under UAE Law
Two broad categories of entity carry the STR obligation:
- Financial institutions — banks, insurance companies, money exchange houses, investment firms, and other regulated financial services providers
- Designated Non-Financial Businesses and Professions (DNFBPs) — a specific set of non-financial businesses whose activities create elevated money laundering, terrorism financing, and proliferation financing risk
Under the current framework, the following activities define a DNFBP for UAE AML purposes:
- Real estate agents and brokers involved in the buying and selling of real estate
- Dealers in precious metals and stones
- Company service providers
- Auditors and accountants
- Law firms and independent legal professionals
- Operators of commercial gaming activities — newly included under Cabinet Resolution No. 134 of 2025
Every entity in these categories is legally required to register on the goAML platform and file STRs and Suspicious Activity Reports (SARs) promptly when the obligation is triggered. The obligation applies to the entity itself and to its managers and employees who become aware of a suspicious transaction in the course of their work.
Need Expert Advice?
Contact the team at Farahat & Co. for professional support and expert insights for businesses operating in the UAE.
What Counts as a Suspicious Transaction Under the 2025 Law
Under Federal Decree-Law No. 10 of 2025, a suspicious transaction is broadly defined as any transaction or attempted transaction — or any funds — where there are reasonable grounds to suspect a connection to a crime. This encompasses:
- Transactions related to funds reasonably suspected to be proceeds of any felony or misdemeanor
- Transactions that may be connected to the financing of terrorism
- Transactions that may be linked to the financing of illegal organisations
- Transactions connected to proliferation financing — the funding of the development, manufacture, or acquisition of weapons of mass destruction — now a standalone offence under the 2025 law
The word “reasonably” is important: the threshold is not proof, nor even a high degree of suspicion. If a DNFBP has reasonable grounds to question the legitimacy of a transaction, that is sufficient to trigger the reporting obligation. Waiting for certainty before filing is not the correct standard.
The “Should Have Known” Standard — A Critical Change in the 2025 Law
One of the most significant changes in Federal Decree-Law No. 10 of 2025 is the lowering of the evidentiary threshold for establishing liability. Under the 2018 law, criminal liability required proof of actual knowledge that funds were of criminal origin. Under the 2025 law, that knowledge can be inferred from objective circumstances.
In practical terms: a DNFBP whose AML controls were inadequate — whose processes failed to identify red flags that a properly designed compliance program would have caught — can now face liability even without direct proof that anyone in the organisation actually knew. The gap between “we didn’t know” and “we should have known” has been closed as a legal defence.
This means the quality of a DNFBP’s risk assessment and red flag detection processes is now legally consequential, not merely a compliance best practice.
Red Flags That Indicate a Transaction May Need Reporting
UAE AML law requires DNFBPs to maintain documented indicators — red flags — that help identify when suspicion should be triggered. These are not exhaustive: the obligation is to maintain and regularly update these indicators as criminal methods evolve. Common red flags across DNFBP categories include:
Client Behaviour and Identity
- Reluctance or refusal to provide identification or beneficial ownership information
- Providing false or inconsistent information that cannot be verified
- Unusual urgency, pressure, or discomfort when asked routine KYC questions
- A client who appears unfamiliar with the transaction being conducted on their behalf
- Politically Exposed Persons (PEPs) or clients connected to high-risk jurisdictions without a plausible business explanation
Transaction Characteristics
- Transactions with no apparent legitimate business purpose or economic logic
- Unusually large cash payments, or payments in cash where non-cash methods are normal for the type of transaction
- Overpayment followed by a request to refund the excess to a different account
- Transactions that are structured in a way that appears designed to avoid reporting thresholds or CDD requirements
- Rapid purchase and resale of the same asset with no clear commercial rationale
- Multiple, apparently unrelated third parties sending funds for a single transaction
Ownership and Structure Indicators
- Complex or opaque corporate ownership structures with no apparent commercial reason for the complexity
- Use of shell companies or nominees to obscure the true beneficial owner
- Transactions involving jurisdictions on FATF’s high-risk or enhanced monitoring lists
- Funds originating from, or being directed to, jurisdictions with known weak AML controls
How to File a Suspicious Transaction Report Through goAML
All STRs in the UAE must be submitted through the goAML portal, operated by the UAE Financial Intelligence Unit. The process is entirely electronic.
Step 1 — Register on goAML
Every DNFBP must register on the goAML platform before the obligation to file an STR can be met. Registration is carried out by the organisation’s designated AML Compliance Officer and requires the organisation’s UAE licence details and Compliance Officer credentials. Operating without goAML registration is itself a regulatory violation independent of any specific STR obligation.
Step 2 — Identify the Report Type
The goAML platform accepts several types of report. The two most relevant to DNFBPs are:
- Suspicious Transaction Report (STR) — where a completed or attempted transaction triggers suspicion
- Suspicious Activity Report (SAR) — where suspicious behaviour or circumstances trigger suspicion without a specific transaction being the focus
- Real Estate Activity Report (REAR) — required specifically for real estate sector transactions meeting the applicable reporting criteria
Step 3 — Complete and Submit the Report Promptly
The 2025 law requires that a suspicious transaction be reported immediately once the suspicion arises — there is no grace period or minimum investigation period before reporting. A DNFBP that delays filing to conduct its own investigation, or waits to see whether the suspicion intensifies, is not meeting the legal standard.
The report must include all available information about the transaction, the parties involved, the nature of the suspicion, and the grounds on which it arose. Incomplete reports are less useful to the FIU and may attract follow-up requests.
Step 4 — Maintain Confidentiality
The tipping-off obligation applies from the moment a report is filed — or is being contemplated. Under Article 29 of Federal Decree-Law No. 10 of 2025, tipping off now extends beyond intentional disclosure to cover grossly negligent disclosures that alert a subject to the existence of a report or investigation. The client whose transaction has been reported must not be made aware that a report has been submitted to the FIU. Internal communication about the report should be strictly limited to those who need to know.
Step 5 — Maintain Records
All records related to an STR filing — the report itself, the supporting evidence of the red flags identified, and the CDD documentation for the client — must be retained for a minimum of 5 years from the date the report was filed or the business relationship ended.
Penalties for Failing to File or for Tipping Off
The UAE AML framework attaches serious consequences to both failures:
- Failure to report a suspicious transaction is a criminal offence under Federal Decree-Law No. 10 of 2025. Managers and employees who fail to report when the obligation arises are personally liable. Administrative fines for failure to file currently range from AED 300,000 to AED 5,000,000 per violation under Ministry of Economy supervision, with the upper range reserved for persistent or systemic failures
- Tipping off — disclosing that an STR has been filed, or that an investigation is underway, whether intentionally or through gross negligence — is a criminal offence under Article 29, with aggravated penalties where the disclosure results in the loss of criminal proceeds
- Good faith protection — DNFBPs, their board members, employees, and authorised representatives are expressly protected from administrative, civil, or criminal liability for filing an STR in good faith, even where the suspicion later proves to be unfounded
The Role of the FIU in Receiving and Acting on STRs
The UAE Financial Intelligence Unit receives, analyses, and acts on all STRs and SARs submitted through goAML. It does not investigate individual transactions directly — its role is to analyse patterns and intelligence across the full volume of reports received, identify systemic risks, and share financial intelligence with law enforcement and relevant government bodies. The FIU also collaborates with DNFBPs by sharing typologies, red flag indicators, and guidance to help the private sector improve its detection capabilities, recognising that the quality of STRs filed determines the quality of intelligence available for investigation.
Frequently Asked Questions (FAQs)
What is a Suspicious Transaction Report (STR) in UAE AML law?
An STR is a formal notification submitted to the UAE Financial Intelligence Unit through the goAML platform when a financial institution or DNFBP has reasonable grounds to suspect that a transaction or attempted transaction involves funds connected to a crime — including money laundering, terrorism financing, or proliferation financing.
Which DNFBPs are required to file STRs in the UAE?
Real estate agents and brokers, dealers in precious metals and stones, company service providers, auditors and accountants, law firms, and — under Cabinet Resolution No. 134 of 2025 — operators of commercial gaming activities are all required to file STRs when the obligation is triggered.
What is the standard for triggering the STR obligation?
Reasonable grounds to suspect a connection to a crime — not proof, and not certainty. Under the 2025 law, knowledge of criminal origin can be inferred from objective circumstances, meaning a DNFBP whose processes failed to catch obvious red flags can face liability even without direct evidence of actual knowledge.
When must an STR be filed?
Immediately once suspicion arises. There is no minimum investigation period or grace period before filing. A DNFBP that delays reporting while conducting its own inquiry is not meeting the legal standard.
Can a DNFBP face liability for filing an STR that turns out to be unfounded?
No. Federal Decree-Law No. 10 of 2025 expressly protects DNFBPs, their employees, and their representatives from any administrative, civil, or criminal liability for reports made in good faith, even if the underlying suspicion later proves incorrect.
What is tipping off and why does it matter?
Tipping off is disclosing to a client or third party that an STR has been filed or that an investigation is underway. Under Article 29 of the 2025 law, this includes grossly negligent disclosures — not just intentional ones — and carries criminal liability, with aggravated penalties where the disclosure results in loss of criminal proceeds.
What platform is used to file STRs in the UAE?
All STRs, SARs, and Real Estate Activity Reports must be submitted through the goAML portal operated by the UAE Financial Intelligence Unit. Every DNFBP must be registered on goAML before the filing obligation can be met.
Need Expert Advice?
Contact the team at Farahat & Co. for professional support and expert insights for businesses operating in the UAE.
How Farahat & Co. Can Help
Farahat & Co. supports DNFBPs across the UAE with AML compliance under the current 2025 legislative framework — including goAML registration, STR filing procedures, red flag indicator documentation, AML policy development, independent AML audits, and Compliance Officer support.
Contact Farahat & Co. today to discuss your STR filing obligations and AML compliance requirements.
