Jan 02, 2023

AML/KYC Guide to The UAE—New Laws and Regulations for 2024

The UAE is a global hub for international trade and finance. The country has several free trade zones that attract big business but also pose risks for money laundering and terrorist financing. To keep these threats at bay, the UAE maintains strict AML laws and regulations.

The UAE has taken significant steps in strengthening its AML regulations over the past several years. This includes the updated Guidelines for Financial Institutions issued in June 2021 and the establishment of the New Specialized Money Laundering Court.

Businesses that operate in the UAE must comply with all of these AML regulations. That’s why Sumsub prepared this guide to help businesses navigate the compliance process. We’ll keep updating this article with all the major developments.

Who’s affected

Both domestic and international companies operating in the UAE need to follow AML-CFT Law. There are three main categories of companies that must comply:

  • Financial institutions;
  • Designated non-financial businesses and professions;
  • Non-profit organizations.

Complying with regulations can be easier for your company with Sumsub’s complete AML/KYC solution. Download a demo today.

Financial Institutions

All financial institutions (FIs) must comply if they conduct one or several financial activities or operations on the customer’s behalf. These include:

  • Receiving deposits and other funds that can be paid by the public, including deposits in accordance with Sharia Law (Islamic religious law);
  • Providing private banking services, cash brokerage services, credit facilities of all types;
  • Providing currency exchange and money transfer services, stored value services, electronic payments for retail and digital cash, virtual banking services;
  • Issuing and managing means of payment, guarantees, or obligations;
  • Trading, investing, operating or managing funds, options contracts, futures contracts, exchange rate and interest rate transactions, other derivatives or negotiable financial instruments;
  • Participating in issuing securities and providing financial services related to these issues;
  • Managing and saving funds and portfolios of all kinds.

This list is not exhaustive as the regulating authorities have the right to include additional activities or financial transactions to the list.

Designated Non-Financial Businesses and Professions

Designated Non-Financial Businesses and Professions (DNFBPs), similar to FIs, conduct financial activities on behalf of their customers. DNFBPs usually include the following types of businesses:

  • Brokers and real estate agents;
  • Dealers in precious metals and precious stones when carrying out any single monetary transaction, or several transactions that appear to be interrelated, equal to or more than AED 55,000 (approximately $15,000);
  • Lawyers, notaries, and other independent legal professionals and independent accountants, when preparing, conducting or executing financial transactions for their customers;
  • Providers of corporate services and trusts upon performing or executing a transaction on behalf of their customers;
  • Other professions and activities which shall be determined by a decision of the Minister.

It should be noted that only lawyers and corporate service providers that act on behalf of their customers are affected by the regulations. For example, legal professionals who manage funds owned by their clients fall into the category of DNFBPs.

Non-profit organizations

Non-profit organizations (NPOs) are defined as any organized group of a continuing nature set for a temporary or permanent period, comprising natural or legal persons or not-for-profit legal arrangements.
Unlike FIs and DNFBPs, NPOs have very limited obligations under legislation.

Who’s the regulator?

In August 2020, the Central Bank of the UAE (CBUAE) established a special department to regulate all matters related to Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT). Previously, such operations were conducted by the Banking Supervision Department.

This Anti-Money Laundering and Combating the Financing of Terrorism Supervision Department (AMLD) is concerned with three main objectives:

  • Examining Licensed FIs;
  • Ensuring adherence to the UAE’s AML/CFT legal and regulatory framework;
  • Identifying threats, vulnerabilities, and emerging risks to the UAE’s financial sector.

The AMLD cooperates with the UAE’s National AML/CFT Committee and the Examination Division of the Banking Supervision Department. Additionally, the AMLD mediates between the CBUAE and domestic stakeholders.

There are other authorities that deal with AML/CFT activities, including the Securities and Commodities Authority and bodies that solely operate within special economic areas, such as the Dubai International Financial Center and federal and local supervisory and law enforcement authorities.

What are the main regulations?

There are a variety of laws on AML/CFT activities in the UAE. The most important are:

  • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations (the “AML-CFT Law” or “the Law”);
  • Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations (the “AML-CFT Decision” or “the Cabinet Decision”).

According to the AML-CFT Law, a person acts unlawfully if they knowingly commit one of the following crimes:

  1. Transferring or transporting proceeds of crime with intent to conceal or disguise its illicit origin;
  2. Concealing or disguising the true nature, origin, location, way of disposition, movement or rights related to any proceeds or the ownership thereof;
  3. Acquiring, possessing or using such proceeds;
  4. Assisting the perpetrator of the predicate offense to escape punishment.

To provide a better understanding of all the regulations, the UAE government has published special guidelines for FIs and DNFBPs.

How to stay compliant

To stay compliant with all the regulations, businesses should monitor customer transactions, ensure that they provide authentic data, and report suspicious cases.

Below, we talk about the major requirements, reporting process, and penalties in detail.

Customer Due Diligence requirements

FIs and DNFBPs are required to undertake appropriate risk-based Customer Due Diligence (CDD) measures, including, among other things, understanding the nature of the customer’s business and the purpose of the transaction in the cases specified in Article 6 of the AML-CFT Decision. Such cases include:

  • Carrying out occasional transactions in favor of a customer for amounts equal to or exceeding AED 55,000 (approximately $15,000), whether the transaction is carried out in a single transaction or in several transactions that appear to be linked;
  • Carrying out occasional transactions in the form of wire transfers for amounts equal to or exceeding AED 3,500 (approximately $950);
  • Having suspicion of a crime;
  • Having doubts about the veracity or adequacy of identification data previously obtained with regard to the customer.

FIs are obliged to enhance their CDD measures concerning customers identified as high-risk, which the AML-CFT Decision divides into multiple categories. These include Politically Exposed Persons (PEPs), customers associated with high-risk countries, and correspondent banking institutions.

Simplified Customer Due Diligence and Enhanced Due Diligence

FIs can exercise Simplified Customer Due Diligence measures (SDD) concerning customers identified as low-risk. Elements of SDD include, but are not limited to:

  • “A reduction in verification requirements with regard to customer or Beneficial Owner identification;
  • Fewer and less detailed inquiries regarding the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds, and the pursuit of individual transactions;
  • More limited supervision of the Business Relationship, including less frequent monitoring of transactions and less frequent review/updating of customer due diligence information.”

There are also Enhanced Due Diligence (EDD) measures, which involve more rigorous CDD measures applied towards high-risk customers:

  • “Increased scrutiny and higher standards of verification and documentation;
  • More detailed inquiry and evaluation of reasonableness in regard to the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds, and the purpose of individual transactions;
  • Increased supervision of the Business Relationship, including the requirement for higher levels of management approval, more frequent monitoring of transactions, and more frequent review and updating of customer due diligence information.”

Suspicious activity reporting

Certain obligations need to be fulfilled by FIs in case they detect any suspicious activity related to ML/FT operations.

FIs are obliged to report transactions “without any delay” to the Financial Intelligence Unit (FIU) when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing, or benefitting from a crime.

There is no minimum reporting threshold and no statute of limitations concerning ML/FT crimes or reporting of suspicious transactions. Under federal law and regulations, whether the FI operates in the mainland UAE or in a Financial or Commercial Free Zone, the designated Competent Authority for reporting suspicious transactions is the FIU.

Suspicious ML/FT activities should be reported to the FIU through the GoAML portal. All related companies should be registered on the portal. A complete guide on how to register is available here.

Data retention requirements

Depending on the circumstances, the statutory retention period for all records is at least five years, from the date of the most recent of any of the following events:

  • Termination of the Business Relationship or the closing of a customer’s account with the supervised institution;
  • Completion of a casual transaction (in respect of a customer with whom no Business Relationship is established);
  • Completion of an inspection of the records by the Supervisory Authorities;
  • The issue date of a final judgment by the competent judicial authorities;
  • Liquidation, dissolution, or other forms of termination of a legal person or arrangement.

The records that FIs are obliged to keep can be separated into two categories: financial transaction records and CDD records.

Know Your Customer

Businesses need to follow Know Your Customer (KYC) requirements when working with their customers. KYC is the process of identifying and verifying customers. To verify personal data, businesses need to collect different types of documents from individual customers and companies:

Individual customers:

  • ID or travel document;
  • Proof of Residential Address.

Companies:

  • ID/travel document for all shareholders with 25% and more shares;
  • Proof of Operating Address in the UAE (utility bill or bank statements from the last three months);
  • Trade License or Certificate of Incorporation;
  • Memorandum & Articles of Association;
  • Resolution of the Board of Directors to open an account; identification of those who have authority to operate the account.

If you want to stay compliant with AML regulations in the UAE, contact Sumsub today for a consultation on our AML/KYC solutions.


Penalties

If FIs fail to report suspicious activities, their managers or employees may be subjected to imprisonment and fines between AED 100,000 (approximately $27,200) and AED 1,000,000 (approximately $272,000). For violating other AML/CFT requirements, companies may face imprisonment or fines between AED 10,000 (approximately $2,720) and AED 100,000 (approximately $27,200). For DNFBPs, the fines range from AED 50,000 to AED 200,000.

In 2021, the CBUAE announced that it imposed financial sanctions on 11 UAE banks for failing to comply with AML/CFT regulations.

Recent developments

The UAE keeps introducing new regulations and updating old ones to ensure a higher level of AML/CFT actions. Besides updating the Guidelines in 2021, the country started requiring businesses to adopt internal procedures to identify suspicious transactions with banks and exchange houses.

Additionally, the UAE is introducing new governmental bodies to ensure AML/CFT compliance. Among such organizations are the Executive Office of Anti-Money Laundering and Countering the Financing of Terrorism and Dubai’s Specialized Anti-Money Laundering Court.

It’s clear that the UAE will continue introducing new measures to minimize the level of money laundering, terrorist financing, and other illegal activities in the country. Therefore, it’s essential for all types of businesses to ensure they’re compliant with all the relevant regulations. Sumsub will continue to monitor developments in the UAE’s AML/CFT requirements.

Let us help your company stay compliant with AML/KYC regulations in the UAE. Get in touch with us today.
