
 A Practical Guide for Financial Institutions, DNFBPs, and Virtual Asset Service Providers 

The UAE’s new AML framework has created a regulatory environment where compliance is no longer optional, procedural, or periodic. It is continuous, risk-driven, and enforceable. Institutions that work systematically through the steps below will meet both the legal expectations and the operational realities set out in Federal Decree by Law No. 10 of 2025.

 

Step One. Build a Live Risk Assessment Program 

The decree requires institutions to identify, understand, manage, assess, document, and continuously update AML risk. This applies to financial institutions, DNFBPs, and virtual asset service providers.  

To implement this, institutions should: 

Create a comprehensive risk taxonomy 
Include customer risk, product risk, transaction risk, geographic risk, delivery channel risk, beneficial owner risk, and sector-specific vulnerabilities.

Build a risk scoring model 
Use measurable criteria. Link risk scores to onboarding decisions, CDD levels, monitoring frequency, and escalation paths. 

Update the assessment continuously 
Risk must reflect national risk assessments, sector guidance, geopolitical changes, sanctions updates, and internal findings. 

Document everything 
Regulators will expect to see the full rationale behind risk scoring and service decisions. 
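The following is an added example, not code from the guide or from any regulator: a minimal customer risk scoring model of the kind Step One calls for. Every factor weight, tier threshold, review interval and sample customer is a constructed assumption; the point is the shape of the model (measurable factors, a tier table that links the score to CDD level, review frequency and approver, and a recorded rationale for each point), not the numbers.

```python
"""Added example (not from the guide): a minimal, auditable customer risk
scoring model of the kind Step One describes. Factor weights, tier thresholds
and the sample customers are constructed assumptions, not values taken from
the decree or any regulator's guidance.
"""
from dataclasses import dataclass, field

# Points per measurable risk factor. In production these come from the
# institution's documented risk assessment; here they are illustrative.
GEOGRAPHY_RISK = {"low": 0, "medium": 10, "high": 30}
PRODUCT_RISK = {"current_account": 5, "trade_finance": 15, "virtual_assets": 25}
CHANNEL_RISK = {"face_to_face": 0, "non_face_to_face": 10}
PEP_RISK = 30
COMPLEX_OWNERSHIP_RISK = 20           # layered or cross-border ownership chain
UNVERIFIED_SOURCE_OF_FUNDS_RISK = 15

# Tier table (assumed): score range -> tier, CDD level, review interval in
# days, and who must approve the relationship. This is what links the score
# to onboarding decisions, CDD depth, monitoring frequency and escalation.
TIERS = [
    (0, 24, "low", "simplified_cdd", 365, "relationship_manager"),
    (25, 49, "standard", "standard_cdd", 180, "compliance_officer"),
    (50, None, "high", "enhanced_cdd", 90, "senior_management"),
]


@dataclass
class Customer:
    name: str
    geography: str                    # "low", "medium" or "high"
    product: str
    channel: str
    is_pep: bool = False
    complex_ownership: bool = False
    source_of_funds_verified: bool = True


@dataclass
class RiskDecision:
    score: int
    tier: str
    cdd_level: str
    review_interval_days: int
    approver: str
    rationale: list = field(default_factory=list)   # the documented reasoning


def score_customer(c: Customer) -> RiskDecision:
    """Score from measurable factors and record why every point was added,
    so the decision can be reproduced for an inspector later."""
    score = 0
    rationale = []

    def add(points, reason):
        nonlocal score
        if points:
            score += points
            rationale.append(f"+{points} {reason}")

    add(GEOGRAPHY_RISK[c.geography], f"geographic risk '{c.geography}'")
    add(PRODUCT_RISK[c.product], f"product '{c.product}'")
    add(CHANNEL_RISK[c.channel], f"delivery channel '{c.channel}'")
    if c.is_pep:
        add(PEP_RISK, "politically exposed person")
    if c.complex_ownership:
        add(COMPLEX_OWNERSHIP_RISK, "complex beneficial ownership structure")
    if not c.source_of_funds_verified:
        add(UNVERIFIED_SOURCE_OF_FUNDS_RISK, "source of funds not yet verified")

    for low, high, tier, cdd, days, approver in TIERS:
        if score >= low and (high is None or score <= high):
            return RiskDecision(score, tier, cdd, days, approver, rationale)
    raise ValueError(f"score {score} not covered by tier table")


# Constructed sample customers, not real persons.
SAMPLE_CUSTOMERS = [
    Customer("Retail A", "low", "current_account", "face_to_face"),
    Customer("Trader B", "medium", "trade_finance", "face_to_face", complex_ownership=True),
    Customer("VASP client C", "high", "virtual_assets", "non_face_to_face", is_pep=True),
]


def assess_all(customers=SAMPLE_CUSTOMERS) -> dict:
    """Return the decision for each customer keyed by name."""
    return {c.name: score_customer(c) for c in customers}


if __name__ == "__main__":
    for name, d in assess_all().items():
        print(f"{name}: score={d.score} tier={d.tier} cdd={d.cdd_level} "
              f"review every {d.review_interval_days}d, approver={d.approver}")
        for line in d.rationale:
            print("   ", line)
```

The rationale list is the part an inspector asks for: each decision carries the factors that produced it, so a score change after a sanctions update or a national risk assessment can be explained line by line rather than reconstructed from memory.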

 

Step Two. Redesign Onboarding Around Identification and Verification Requirements 

Institutions must identify both customers and beneficial owners. They must understand the purpose of the relationship, verify all information, and maintain clarity over the ownership and control structure.  

Operationally this requires: 

Structured collection of identity information 
For natural persons: full identity records, nationality, occupation, and purpose of relationship. 
For legal persons: legal name, registration details, ownership chart, controlling persons, senior management, and operating status. 

Beneficial owner verification 
Institutions must identify the natural person who exercises ultimate control. This includes direct owners, indirect owners, trustees, protectors, founders, and any person with ultimate effective control. 

Screening during onboarding 
Apply sanctions screening, adverse media screening, PEP screening, and checks for financial or legal red flags. 

Refuse anonymous or fictitious relationships 
Anonymous, numbered, or disguised accounts are completely prohibited.  

 

Step Three. Apply Customer Due Diligence Proportionate to Risk 

CDD is no longer a single process. It is risk dependent and must adjust to what the institution learns over time.  

To comply: 

Perform standard CDD for normal risk clients 
Identity verification, risk scoring, ownership checks, sanctions screening, and purpose of relationship. 

Apply enhanced CDD where risk increases 
This includes complex ownership structures, clients from high-risk jurisdictions, PEP involvement, unusual sources of funds, or high-value transactions.

Enhanced CDD may involve more detailed beneficial ownership mapping, additional documentation, deeper source of wealth verification, external intelligence checks, and senior management approval. 

Apply simplified CDD only when justified 
This must align with national and sector risk guidance. 

Document all decisions 
The decree requires evidence-based compliance, not judgement-based compliance.

 

Step Four. Implement Continuous Monitoring 

Monitoring is no longer periodic. Institutions must continuously review activity to detect suspicious behaviour.  

A compliant monitoring framework includes: 

Real time transaction monitoring 
Flag unusual transaction patterns, rapid movement of funds, transfers with no clear economic purpose, and activity inconsistent with customer profile. 

Behavioural monitoring 
Monitor changes in ownership, unexpected changes in business activity, or increased use of high-risk corridors.

Periodic reviews based on risk 
High-risk clients require more frequent reviews. Risk levels must be updated with each review.

Automated alerts and human review 
Technology should detect anomalies. Compliance officers must analyse them. 

Escalation paths 
Suspicious activity must move quickly to the reporting stage if concerns are confirmed. 
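As an added example (not from the guide or any vendor's monitoring product), here is a rule-based monitoring pass over a constructed ledger that implements three of the patterns Step Four names: rapid movement of funds, repeated deposits just below a reporting threshold, and inbound volume inconsistent with the customer's declared profile. The customer profiles, transactions, thresholds and time windows are all assumptions; the escalation priority attached to each alert is the hand-off to the human review and escalation path described above.

```python
"""Added example (not from the guide): rule-based transaction monitoring of
the kind Step Four describes, run over a constructed ledger. Customer
profiles, transactions, rule thresholds and time windows are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed onboarding profiles: expected monthly inbound volume and risk tier.
PROFILES = {
    "C001": {"expected_monthly_inbound": 20_000, "risk_tier": "standard"},
    "C002": {"expected_monthly_inbound": 5_000, "risk_tier": "high"},
}

# Constructed ledger: (txn_id, customer_id, ISO timestamp, direction, amount)
TRANSACTIONS = [
    ("T1", "C001", "2025-03-01T09:00", "in", 4_000),
    ("T2", "C001", "2025-03-15T10:00", "out", 3_500),
    ("T3", "C002", "2025-03-02T11:00", "in", 50_000),   # received ...
    ("T4", "C002", "2025-03-02T16:30", "out", 48_000),  # ... and moved on hours later
    ("T5", "C002", "2025-03-10T09:00", "in", 9_500),    # repeated deposits
    ("T6", "C002", "2025-03-10T12:00", "in", 9_800),    # sitting just under
    ("T7", "C002", "2025-03-11T09:30", "in", 9_700),    # a 10,000 threshold
    ("T8", "C002", "2025-03-11T15:00", "in", 9_900),
]

# Rule parameters (assumed; a real programme tunes them from typology work).
PASS_THROUGH_WINDOW = timedelta(hours=24)
PASS_THROUGH_RATIO = 0.8          # outflow is at least 80% of the inflow
REPORTING_THRESHOLD = 10_000
BAND_BELOW_THRESHOLD = 0.8        # deposits between 8,000 and 9,999
STRUCTURING_WINDOW = timedelta(hours=72)
STRUCTURING_MIN_COUNT = 3
PROFILE_MULTIPLIER = 3            # monthly inbound above 3x the declared volume


def parse(txns):
    """Group transactions by customer, with timestamps parsed and rows sorted."""
    by_customer = defaultdict(list)
    for txn_id, cust, ts, direction, amount in txns:
        by_customer[cust].append((datetime.fromisoformat(ts), txn_id, direction, amount))
    for rows in by_customer.values():
        rows.sort()
    return by_customer


def rule_rapid_movement(cust, rows):
    """Funds received and sent on again inside the window, little retained."""
    for t_in, id_in, d_in, amt_in in rows:
        if d_in != "in":
            continue
        for t_out, id_out, d_out, amt_out in rows:
            if (d_out == "out" and t_in <= t_out <= t_in + PASS_THROUGH_WINDOW
                    and amt_out >= PASS_THROUGH_RATIO * amt_in):
                yield {"rule": "rapid_movement", "customer": cust,
                       "evidence": [id_in, id_out]}


def rule_structuring(cust, rows):
    """Several deposits just below the reporting threshold in a short window."""
    band = [(t, i) for t, i, d, a in rows
            if d == "in" and BAND_BELOW_THRESHOLD * REPORTING_THRESHOLD <= a < REPORTING_THRESHOLD]
    for start in range(len(band)):
        window = [i for t, i in band
                  if band[start][0] <= t <= band[start][0] + STRUCTURING_WINDOW]
        if len(window) >= STRUCTURING_MIN_COUNT:
            yield {"rule": "structuring", "customer": cust, "evidence": window}
            return  # one alert per customer is enough for the analyst queue


def rule_profile_inconsistency(cust, rows):
    """Inbound volume far above what the customer declared at onboarding."""
    monthly = defaultdict(int)
    for t, i, d, a in rows:
        if d == "in":
            monthly[(t.year, t.month)] += a
    limit = PROFILE_MULTIPLIER * PROFILES[cust]["expected_monthly_inbound"]
    for (year, month), total in monthly.items():
        if total > limit:
            yield {"rule": "profile_inconsistency", "customer": cust,
                   "evidence": [f"{year}-{month:02d} inbound {total} exceeds {limit}"]}


def run_monitoring(txns=TRANSACTIONS):
    """Apply every rule to every customer and attach the escalation priority."""
    alerts = []
    for cust, rows in parse(txns).items():
        for rule in (rule_rapid_movement, rule_structuring, rule_profile_inconsistency):
            for alert in rule(cust, rows):
                # High-risk customers and pass-through patterns go straight to the
                # compliance officer; everything else joins the standard queue.
                urgent = (PROFILES[cust]["risk_tier"] == "high"
                          or alert["rule"] == "rapid_movement")
                alert["priority"] = "immediate" if urgent else "standard"
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_monitoring():
        print(alert)
```

Each alert carries the transaction identifiers that triggered it, which is what the analyst needs to confirm or dismiss it quickly and what the STR narrative in Step Five is built from. Customer C001 produces no alerts; customer C002 produces one of each kind.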

 

Step Five. Submit Suspicious Transaction Reports Immediately 

When suspicion exists, institutions must notify the FIU without delay. The FIU may freeze assets or suspend transactions based on the information provided.  

To operationalise this: 

Define what creates suspicion 
Use national typologies, FATF guidance, and internal red flags. 

Train employees to escalate concerns quickly 
Frontline staff, relationship managers, and tellers must understand the triggers. 

Build an internal STR analysis workflow 
Collect evidence, verify documentation, summarise behavioural patterns, and prepare a clear narrative. 

Use the FIU approved reporting channels 
Reports must be detailed, accurate, and timely. 

Prohibit tipping off 
Employees must never inform a customer that they were reported or investigated. Violations carry criminal penalties.  

 

Step Six. Apply Targeted Financial Sanctions Without Delay 

The decree requires immediate implementation of all TFS lists issued by the Executive Office and the United Nations Security Council.  

To comply: 

Integrate automated sanctions screening 
Screen all customers and beneficial owners during onboarding and continuously thereafter. 

Apply freeze obligations immediately 
If a match is confirmed, freeze funds instantly and follow notification procedures. 

Monitor updates to sanctions lists 
Changes can occur at any time. Institutions must be capable of reacting in minutes, not days. 

Train staff to distinguish between potential matches and confirmed matches 
False positives must be eliminated quickly. True positives must be escalated immediately. 
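The following added example (not from the guide, and not the Executive Office's or the UN's tooling) shows the distinction Step Six draws between potential and confirmed matches in code. Name matching alone only ever produces a potential match; corroborating identifiers (here date of birth and nationality) either confirm it or mark it as a likely false positive for quick analyst closure. The list entries, customers, thresholds and identifier codes are constructed and fictional.

```python
"""Added example (not from the guide or any regulator): a small sanctions
screening routine that separates potential matches from confirmed matches.
List entries, customers, thresholds and identifier codes are constructed.
"""
import re
from difflib import SequenceMatcher

# Constructed, fictional list entries. A real programme loads the UN and
# Executive Office lists and re-runs screening whenever a list version changes.
SANCTIONS_LIST = [
    {"id": "EX-0001", "name": "Zayd Example Holdings", "type": "entity"},
    {"id": "EX-0002", "name": "Jonathan Q. Sampleperson", "type": "individual",
     "dob": "1970-01-01", "nationality": "XX"},
]

NAME_MATCH_THRESHOLD = 0.85   # assumed; tuned from false-positive review in practice


def normalise(name: str) -> str:
    """Lowercase, drop punctuation, sort tokens so 'Doe, John' equals 'John Doe'."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.casefold()).split()
    return " ".join(sorted(tokens))


def name_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def compare_identifiers(customer: dict, entry: dict) -> tuple:
    """Count secondary identifiers that match and that contradict the entry.
    An identifier missing on either side counts as neither."""
    matched = contradicted = 0
    for key in ("dob", "nationality"):
        if customer.get(key) and entry.get(key):
            if customer[key] == entry[key]:
                matched += 1
            else:
                contradicted += 1
    return matched, contradicted


def classify(customer: dict, entry: dict) -> dict:
    score = name_similarity(customer["name"], entry["name"])
    if score < NAME_MATCH_THRESHOLD:
        status = "no_match"
    else:
        matched, contradicted = compare_identifiers(customer, entry)
        if matched >= 2 and contradicted == 0:
            status = "confirmed"               # name plus corroborating identifiers
        elif contradicted > 0 and matched == 0:
            status = "likely_false_positive"   # name alone, identifiers disagree
        else:
            status = "potential"               # needs analyst judgement
    return {"customer": customer["id"], "list_id": entry["id"],
            "name_score": round(score, 3), "status": status}


# What the institution does for each status. A confirmed match freezes and
# notifies immediately; a potential match is held, not ignored, until decided.
ACTIONS = {
    "confirmed": ["freeze_funds", "notify_authorities", "escalate_to_compliance"],
    "potential": ["hold_for_analyst_review"],
    "likely_false_positive": ["analyst_closure_with_documented_reason"],
    "no_match": [],
}


def screen(customers, sanctions_list=SANCTIONS_LIST) -> list:
    """Screen every customer against every entry; return only non-trivial hits."""
    results = []
    for customer in customers:
        for entry in sanctions_list:
            decision = classify(customer, entry)
            if decision["status"] != "no_match":
                decision["actions"] = ACTIONS[decision["status"]]
                results.append(decision)
    return results


# Constructed customers, not real persons or companies.
CUSTOMERS = [
    {"id": "K1", "name": "Jonathan Sampleperson", "dob": "1970-01-01", "nationality": "XX"},
    {"id": "K2", "name": "Jonathan Sampleperson", "dob": "1985-06-30", "nationality": "YY"},
    {"id": "K3", "name": "Jonathan Sampleperson", "dob": "1970-01-01"},
    {"id": "K4", "name": "Jon Sample", "dob": "1990-02-02", "nationality": "XX"},
    {"id": "K5", "name": "Zayd Example Holdings LLC"},
]


if __name__ == "__main__":
    for hit in screen(CUSTOMERS):
        print(hit)
```

K1 is confirmed (name plus two corroborating identifiers), K2 is a likely false positive (same name, both identifiers contradict), K3 stays potential because only one identifier is available, K4 never reaches the name threshold, and the entity K5 is potential because an entity record carries no secondary identifiers to corroborate. The same `screen` call is what runs again, over the whole customer base, each time a list update arrives.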

 

Step Seven. Strengthen Governance and Internal Controls 

The decree requires institutions to create internal policies and procedures approved by senior management and implemented across all branches and subsidiaries.  

Compliance must involve: 

A governance framework with clear ownership 
Assign responsibilities for AML, CFT, PF compliance, monitoring, training, and reporting. 

A compliance committee 
Review risk assessments, STR patterns, sanctions matches, and policy updates. 

Independent audit and testing 
Annual audits must test whether controls are effective and aligned with regulatory expectations. 

Board engagement 
Senior management must approve policies and show oversight of AML risks. 

 

Step Eight. Maintain Complete Records for the Required Period 

Institutions must retain all customer, transaction, identification, and monitoring records for the durations stated in the decree and its upcoming executive regulations.  

Practical requirements include: 

Centralised document management 
Ensure quick retrieval for inspections. 

Retention of both domestic and international transactions 
Records must be immediately available to authorities. 

Retention of CDD and ECDD documentation 
Every verification step must be reproducible. 

 

Step Nine. Prepare for Inspections and Enforcement 

Supervisory authorities have expanded powers to inspect, penalise, and suspend activities. Penalties include multi-million-dirham fines, suspension of licences, and even dissolution of legal entities.

To remain compliant: 

Conduct internal readiness reviews 
Simulate inspections and ensure documentation is complete. 

Respond quickly to regulatory requests 
Delays may be treated as non-compliance.

Document remediation actions 
Authorities will want evidence of improvements. 

Ensure leadership understands the consequences 
Personal liability applies when misconduct occurs through negligence or knowing participation.  

 

Step Ten. Build an International Cooperation Mindset 

The decree strengthens cross-border cooperation, including allowing foreign confiscation orders to be executed directly.

Institutions should: 

Be prepared to share information with foreign regulators 
This applies especially during investigations of predicate offences or cross-border fund flows.

Strengthen cross-border beneficiary verification
Jurisdictions with low transparency require additional due diligence. 

Integrate foreign sanctions and risk lists 
Global risks cannot be analysed with domestic datasets alone. 

 

Practical Outcome: A Compliance Model That Matches the UAE’s Ambition 

When institutions follow the steps above, they do more than comply with the decree. They build a risk management culture that can withstand the complexity of modern financial crime. The UAE’s 2025 AML framework is one of the most advanced in the region. It expects institutions to respond with maturity, intelligence, and operational discipline. 

The guide above converts the legal obligations into a practical roadmap so that compliance teams, risk officers, and senior leaders can implement the decree effectively.