AML Enforcement in the UAE Has Entered a New Phase
The Ministry of Economy has imposed more than AED 130 million in administrative fines on Designated Non-Financial Businesses and Professions since late 2022, with AED 42 million of that total landing in the first half of 2025 alone — a sharp acceleration from the AED 22.6 million spread across 29 DNFBP organizations for the whole of 2024. That trajectory, combined with a complete legislative overhaul that took effect in October and December 2025, makes 2026 a materially higher-risk year for any DNFBP still treating AML compliance as a paperwork exercise rather than an operational discipline.
This guide sets out exactly what changed in the UAE’s AML framework, which obligations apply to DNFBPs specifically, how to build a genuine risk-based compliance program, and what the practical, defensible response to rising enforcement actually looks like.
The Legal Framework DNFBPs Operate Under — What Changed in Late 2025
The UAE’s AML regime no longer rests on the law many compliance programs were originally built around. Federal Decree-Law No. 10 of 2025, issued 30 September 2025 and effective from 14 October 2025, repealed Federal Decree-Law No. 20 of 2018 in its entirety, along with the 2021 amendment that had previously updated it. The implementing framework followed shortly after: Cabinet Resolution No. 134 of 2025, effective 14 December 2025, revoked Cabinet Decision No. 10 of 2019 and replaced it as the executive regulation DNFBPs now operate under.
This was not a routine refresh. Four changes matter directly to how a DNFBP builds and defends its compliance program:
- The evidentiary threshold for liability has dropped. Under the 2018 law, prosecutors needed to prove actual knowledge that funds derived from a predicate crime. Under the 2025 law, that knowledge can be inferred from objective circumstances — a DNFBP that reasonably should have recognized the warning signs can now face liability even without direct proof it actually knew.
- Penalties have risen sharply. The penalty ceiling for legal persons has increased to AED 100 million, and a separate licensing requirement under Article 20 carries its own penalty of imprisonment alongside a fine of between AED 200,000 and AED 10,000,000 for operating without proper authorization.
- The tipping-off offence has expanded. Where the 2018 law only captured intentional disclosure of a suspicious transaction report or investigation, Article 29 of the 2025 law now also covers grossly negligent disclosures, applies to a broader range of conduct, and carries aggravated penalties where the disclosure results in loss of criminal proceeds.
- Proliferation financing now stands as its own offence, sitting alongside money laundering and terrorism financing as a third principal category DNFBPs must actively screen for, not a side note folded into broader financial crime provisions.
For accountants, auditors, real estate brokers, corporate service providers, and precious metals dealers specifically, this shift has turned AML compliance from a paperwork exercise into a board-level operational risk.
Need Expert Advice?
Contact the team at Farahat & Co. for professional support and expert insights for businesses operating in the UAE.
Which Businesses Are Classified as DNFBPs in the UAE
The DNFBP category captures a defined set of non-financial businesses considered particularly exposed to money laundering, terrorism financing, and proliferation financing risk because of the nature of what they offer:
- Real estate developers, brokers, and agents
- Dealers in precious metals and precious stones
- Auditors, accountants, and tax consultants
- Lawyers, notaries, and independent legal professionals
- Company and corporate service providers
- Operators of commercial gaming activities, brought within the DNFBP category under Cabinet Resolution No. 134 of 2025
Each category has its own specific trigger activities — a real estate broker facilitating a property purchase or sale on a client’s behalf, for instance, or a lawyer acting as a company director, secretary, or nominee shareholder — and a business should confirm exactly which of its activities fall within scope, rather than assuming DNFBP status applies uniformly across everything the firm does.
Core AML Compliance Obligations for DNFBPs
Regardless of sector, every DNFBP carries the same baseline set of obligations under the current framework:
- Written AML policies and procedures, documented rather than informally understood
- Risk-based internal controls, calibrated to the specific risks the business’s activities actually present
- A designated AML Compliance Officer, resident in the UAE, with sufficient seniority to act independently and direct access to senior management — accountability under the 2025 law now attaches personally to this individual, not just institutionally to the firm
- Customer due diligence completed before onboarding, not retrofitted afterward
- Ongoing transaction monitoring and suspicious activity reporting
- Accurate record-keeping, maintained for a minimum of five years and produced on demand during an inspection
Supervision sits primarily with the Ministry of Economy, working in coordination with the UAE’s Financial Intelligence Unit, and this coordinated structure is itself part of the UAE’s broader effort to demonstrate sustained enforcement ahead of the FATF’s 2026 mutual evaluation cycle.
Building an Effective AML Risk Assessment
A documented, regularly reviewed enterprise-wide risk assessment sits at the center of any compliance program regulators will actually treat as credible. Three dimensions need to be assessed together, not in isolation.
Client Risk Profiling
Customers should be classified as low, medium, or high risk based on the nature of their business activity, their ownership structure, whether nominees or agents are involved, and any exposure to politically exposed persons.
Transaction Risk Classification
Transaction patterns need ongoing analysis for unusual transaction sizes, high-value or cash-based activity, unusually rapid movement of funds, and any inconsistency between a transaction and what the client’s stated profile would suggest.
Geographic Risk Analysis
Certain jurisdictions carry materially higher AML risk due to weak governance and regulatory frameworks, sanctions exposure, or high corruption indices. DNFBPs dealing with counterparties or transactions tied to these jurisdictions are expected to apply enhanced controls and ongoing monitoring, not a one-time check at onboarding.
Customer Due Diligence and Enhanced Due Diligence Requirements
Standard Customer Due Diligence (CDD)
CDD must be completed before any business relationship begins, covering identity verification through valid documents, an understanding of the purpose and nature of the relationship, and identification of the actual beneficial owner for corporate clients.
For individuals, this typically requires an Emirates ID or passport, proof of address, and information on the source of funds. For corporate entities, it requires the trade licence, the Memorandum and Articles of Association, and ultimate beneficial owner information.
Enhanced Due Diligence (EDD)
EDD applies where higher risk has been identified — politically exposed persons, clients from high-risk jurisdictions, or complex, layered ownership structures. It requires deeper verification, formal senior management approval before the relationship proceeds, and continuous monitoring throughout its duration, rather than the periodic review that standard CDD relationships might receive.
Preparing for AML Inspections and Regulatory Reporting
Inspection frequency and depth have both increased, and a DNFBP needs to be in a position to demonstrate compliance at any point, not just when a deadline approaches.
Reporting Through goAML
DNFBPs must be registered on the goAML platform and submit suspicious transaction reports promptly, alongside any other reports the relevant regulator requires. Failure to report suspicious activity remains one of the most common triggers for enforcement action.
Record-Keeping and Data Retention
AML records must be retained for a minimum of five years, covering client onboarding documentation, risk assessments, transaction monitoring logs, and internal compliance reports. Given the 2025 law’s broader evidentiary standard and the longer practical look-back period regulators are now applying during inspections, treating five years as a floor rather than a target is the more defensible approach.
Independent AML Audits
Regular independent audits surface compliance gaps, weak internal controls, and documentation shortfalls before a regulator finds them first — and an audit-ready compliance framework measurably reduces enforcement exposure compared to one that’s only ever been reviewed internally.
Tools and Strategies That Reduce Compliance Failures
Role-Specific AML Training
Training needs to be tailored to the actual role each employee performs — client-facing staff, compliance staff, and senior management each need different depth and focus — and refreshed annually rather than delivered once at onboarding and never revisited.
A Properly Empowered AML Compliance Officer
Every DNFBP needs an experienced Compliance Officer responsible for overseeing the AML framework, communicating with regulators, and managing internal reporting and escalation. Under the current law, this individual carries personal accountability alongside the firm’s institutional liability, which makes the role’s seniority and actual authority within the business, not just its job title, the thing that matters most.
Technology-Driven Compliance
Sanctions screening, high-risk jurisdiction screening, and automated transaction monitoring have moved from optional efficiency tools to practical necessities, particularly as regulators increasingly expect — and in higher-risk sectors, require — AI-assisted monitoring to detect risk proactively rather than relying solely on manual review.
Outsourcing for Smaller DNFBPs
Smaller firms without the scale to build a full internal compliance function often benefit from outsourcing specific AML functions, including engaging independent auditors, which strengthens the overall framework without requiring the same fixed internal headcount a larger institution might carry.
Why AML Fines Are Expected to Keep Rising in 2026
The enforcement trajectory reflects a deliberate strategy, not a coincidence of timing. UAE authorities are building a documented track record of consistent, proportionate enforcement specifically ahead of the FATF’s 2026 mutual evaluation, which — unlike earlier review rounds focused on whether the right rules existed on paper — places its emphasis on demonstrated effectiveness. Regulators have stated plainly that supervision will tighten further, and the pattern in the fine data through 2024 and into 2025 already reflects that intent rather than anticipating it.
Administrative fines for goAML and broader AML violations currently range from AED 50,000 to AED 1,000,000 per violation, and those amounts stack across multiple findings identified within a single inspection — meaning a DNFBP with several unrelated gaps can face a cumulative penalty well beyond any single violation’s headline figure. Businesses that delay strengthening their compliance posture risk escalating fines, licence suspension or cancellation, and reputational damage that tends to outlast the financial penalty itself.
Practical Compliance Steps to Reduce 2026 Penalty Risk
- Review and update AML policies annually, rather than leaving a policy document untouched once it’s been written
- Conduct regular AML risk assessments, refreshed as the business’s client base, geography, or activities change
- Strengthen CDD and EDD documentation so it can withstand inspection without reconstruction after the fact
- Deliver ongoing, role-specific staff training on a genuine annual cycle
- Commission independent AML audits to identify gaps before a regulator does
- Adopt technology to strengthen monitoring where manual processes are no longer adequate to the volume or complexity of the business’s activity
- Maintain proactive communication with regulators rather than only engaging once an inspection has already begun
Proactive compliance is, in nearly every case, considerably less expensive than the alternative.
Frequently Asked Questions (FAQs)
What is the current AML law DNFBPs in the UAE must comply with?
DNFBPs must comply with Federal Decree-Law No. 10 of 2025, effective 14 October 2025, which repealed the previous 2018 AML law, and Cabinet Resolution No. 134 of 2025, effective 14 December 2025, which sets out the current implementing regulations.
Which businesses are classified as DNFBPs in the UAE?
DNFBPs include real estate developers, brokers, and agents; dealers in precious metals and stones; auditors, accountants, and tax consultants; lawyers and legal consultants; corporate service providers; and, following the 2025 reforms, operators of commercial gaming activities.
How much have UAE authorities fined DNFBPs for AML violations?
The Ministry of Economy has imposed more than AED 130 million in administrative fines on DNFBPs since late 2022, including AED 22.6 million across 29 organizations in 2024 and AED 42 million in the first half of 2025 alone. Individual fines for goAML and AML violations range from AED 50,000 to AED 1,000,000 per violation, and can stack across multiple findings in a single inspection.
What is the difference between standard CDD and Enhanced Due Diligence?
Standard Customer Due Diligence applies to all clients and covers identity verification, understanding the relationship’s purpose, and identifying beneficial owners. Enhanced Due Diligence applies where higher risk is identified — such as politically exposed persons or complex ownership structures — and requires deeper verification, senior management approval, and continuous monitoring.
How long must DNFBPs retain AML records in the UAE?
AML records, including client onboarding documents, risk assessments, transaction monitoring logs, and internal compliance reports, must be retained for a minimum of five years.
Why is AML enforcement increasing in the UAE ahead of 2026?
UAE regulators are building a documented record of sustained, effective enforcement ahead of the FATF’s 2026 mutual evaluation, which places particular weight on demonstrated outcomes rather than the existence of rules alone. This has driven a marked increase in inspections, fines, and licence actions against non-compliant DNFBPs through 2024 and 2025.
What penalties apply for operating as a DNFBP without proper licensing?
Operating DNFBP or financial activities without the required licence, registration, or authorization can result in imprisonment alongside a fine of between AED 200,000 and AED 10,000,000 under Article 20 of the 2025 AML Law.
Need Expert Advice?
Contact the team at Farahat & Co. for professional support and expert insights for businesses operating in the UAE.
How Farahat & Co. Can Help
Farahat & Co. supports DNFBPs across the UAE with AML policy development, risk assessments, goAML registration and reporting, independent AML audits, and direct support during regulatory inspections — helping businesses build a compliance framework that can withstand scrutiny under the current legal regime rather than one designed around rules that no longer apply.
Contact Farahat & Co. today to strengthen your AML compliance framework ahead of 2026.
