UAE AML/CFT 2026: What Every DNFBP Must Have in Place Under Federal Decree-Law No. 10 of 2025

AML compliance in the UAE has entered a new phase. Federal Decree-Law No. 10 of 2025 replaced the previous AML law and introduced stricter obligations for every regulated DNFBP. With tougher enforcement and the UAE’s 2026 FATF evaluation approaching, businesses must ensure their compliance framework reflects the latest AML, CFT, and Proliferation Financing (PF) requirements.

Mahesh Maddu July 6, 2026
uae aml cft uae 2026

Direct Answer
AML compliance in the UAE has entered a new phase. Federal Decree-Law No. 10 of 2025 replaced the previous AML law and introduced stricter obligations for every regulated DNFBP. With tougher enforcement and the UAE’s 2026 FATF evaluation approaching, businesses must ensure their compliance framework reflects the latest AML, CFT, and Proliferation Financing (PF) requirements.

Key Takeaways

  • Federal Decree-Law No. 10 of 2025 replaces Federal Decree-Law No. 20 of 2018, creating a new AML/CFT legal framework rather than updating the previous one.
  • Proliferation Financing (PF) is now a mandatory compliance obligation alongside Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT).
  • Commercial gaming operators have been added to the list of regulated DNFBPs.
  • Every DNFBP must maintain a complete AML/CFT compliance programme. goAML registration alone is not sufficient.
  • The Ministry of Economy has imposed more than AED 130 million in penalties on DNFBPs since 2022, including AED 42 million during the first half of 2025, reflecting increased regulatory enforcement.
  • Administrative penalties generally range from AED 50,000 to AED 1,000,000 for each violation, with multiple breaches attracting cumulative fines.
  • False Ultimate Beneficial Owner (UBO) reporting is now a criminal offence, and legal entities may face penalties of up to AED 100 million for the most serious violations.
  • Virtual Asset Service Providers (VASPs) are now subject to AML/CFT/CPF standards comparable to those applicable to traditional financial institutions.

What Changed Under UAE AML/CFT 2026?

The introduction of Federal Decree-Law No. 10 of 2025 represents one of the most significant reforms to the UAE’s financial crime framework. Instead of amending the previous legislation, the new law establishes a modern compliance regime aligned with international standards and strengthens the responsibilities of both financial institutions and DNFBPs.

The accompanying Cabinet Resolution No. 134 of 2025 expands operational requirements by introducing new compliance measures, broader risk management obligations, and stronger enforcement powers.

Some of the most significant changes include:

Proliferation Financing

Not treated as a standalone compliance obligation

PF is now a mandatory part of every AML/CFT compliance programme and Enterprise-Wide Risk Assessment

Commercial Gaming

Not classified as a DNFBP

Commercial gaming operators are now regulated DNFBPs

Virtual Asset Service Providers

Governed through separate regulatory requirements

Explicitly aligned with AML/CFT obligations applicable to financial institutions

Ultimate Beneficial Ownership

Reporting obligations existed

False UBO reporting now carries stronger criminal penalties

Corporate Penalties

Lower maximum penalties

Penalties for legal persons can reach AED 100 million for serious offences

Risk Assessment

Focused primarily on Money Laundering and Terrorist Financing

Risk assessments must also evaluate Proliferation Financing exposure

Suspicious Transaction Reporting

Existing reporting obligations

Expanded reporting expectations and stronger enforcement mechanisms

The practical impact extends well beyond updating policies. DNFBPs should review their governance framework, customer due diligence procedures, sanctions screening, internal controls, staff training, record-keeping practices, and Enterprise-Wide Risk Assessment to ensure they comply with the new legal requirements.

Businesses that continue relying on compliance documents prepared under the previous legislation may face regulatory findings during inspections. Regulators increasingly expect organisations to demonstrate that their AML/CFT framework is actively implemented, regularly reviewed, and proportionate to the risks associated with their business activities.

Who Is a DNFBP Under the UAE AML/CFT 2026 Framework?

A Designated Non-Financial Business or Profession (DNFBP) is a business that is not a financial institution but is considered vulnerable to money laundering, terrorist financing, or proliferation financing because of the nature of its activities.

Under Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, DNFBPs are subject to many of the same AML/CFT obligations as financial institutions. These businesses must adopt a risk-based compliance programme, carry out customer due diligence, monitor transactions, report suspicious activities, and maintain appropriate internal controls.

The legislation applies to both mainland and many free zone businesses, depending on their regulated activities and supervisory authority.

Businesses Classified as DNFBPs

The following businesses and professionals fall within the DNFBP category under the UAE AML/CFT framework:

  • Real estate brokers and agents involved in the sale, purchase, or leasing of property.
  • Dealers in precious metals and precious stones, including businesses trading in gold, diamonds, silver, platinum, and other high-value commodities.
  • Lawyers, legal consultants, notaries, and independent legal professionals assist clients with specified financial or corporate transactions.
  • Accountants and auditors providing regulated accounting, auditing, tax, or financial advisory services.
  • Company and Trust Service Providers (CSPs), including company formation consultants, registered agents, nominee service providers, and corporate secretarial service providers.
  • Commercial gaming operators, including casinos, online gaming platforms, sports betting operators, and lottery operators, became regulated DNFBPs under the new executive regulations.

Although these businesses operate in different sectors, they share a common responsibility to prevent their services from being misused for financial crime.

Why DNFBPs Face Greater Regulatory Attention

Unlike traditional financial institutions, many DNFBPs facilitate high-value transactions, establish corporate structures, manage client assets, or handle complex business relationships. These services can create opportunities for criminals to conceal the source or ownership of illicit funds.

For example:

  • A company formation agent may unknowingly establish a business used to disguise beneficial ownership.
  • A real estate broker could facilitate property purchases funded with illicit proceeds.
  • A dealer in precious metals may receive large cash payments for high-value assets.
  • An accounting firm may be asked to structure transactions involving multiple jurisdictions.
  • A legal professional may assist with trusts, share transfers, or corporate restructuring involving high-risk clients.

Because of these risks, regulators expect DNFBPs to apply effective AML/CFT controls throughout the customer lifecycle rather than treating compliance as an administrative exercise.

What Every DNFBP Must Have in Place Under UAE AML/CFT 2026

Complying with the new legislation involves far more than completing a goAML registration. Regulators expect businesses to implement a practical compliance framework that is proportionate to their size, services, customer base, and overall risk profile.

The following elements are essential to building an effective AML/CFT compliance programme. 

Enterprise-Wide Risk Assessment (EWRA)

Every DNFBP should maintain an up-to-date Enterprise-Wide Risk Assessment that identifies and evaluates the money laundering, terrorist financing, and proliferation financing risks associated with the business.

The assessment should consider factors such as:

  • Customer types
  • Products and services
  • Delivery channels
  • Geographic exposure
  • Transaction patterns
  • Higher-risk industries
  • Sanctions exposure
  • Virtual asset involvement, where applicable

The EWRA should be reviewed regularly and updated whenever there are significant changes to the business or regulatory environment.

AML/CFT/CPF Policies and Procedures

Businesses should maintain documented policies that reflect the requirements of the new legislation.

These policies typically cover:

  • Customer onboarding
  • Risk assessment methodology
  • Customer Due Diligence (CDD)
  • Enhanced Due Diligence (EDD)
  • Ongoing transaction monitoring
  • Sanctions screening
  • Suspicious Transaction Reporting (STR)
  • Record retention
  • Staff responsibilities
  • Internal reporting procedures

Policies prepared under the previous AML framework should be reviewed and updated to reflect the requirements introduced by Federal Decree-Law No. 10 of 2025.

Customer Due Diligence (CDD)

DNFBPs are expected to understand who their customers are before establishing a business relationship.

Customer Due Diligence generally includes:

  • Verifying customer identity
  • Identifying Ultimate Beneficial Owners (UBOs)
  • Understanding the purpose of the business relationship
  • Assessing customer risk
  • Screening against sanctions and watchlists
  • Conducting Enhanced Due Diligence for higher-risk customers

CDD is an ongoing obligation rather than a one-time verification exercise.

goAML Registration and Suspicious Transaction Reporting

All regulated DNFBPs must register with the UAE Financial Intelligence Unit’s goAML platform where required by their supervisory authority.

The platform enables businesses to submit:

  • Suspicious Transaction Reports (STRs)
  • Suspicious Activity Reports (SARs)
  • Other mandatory regulatory reports

Registration alone does not satisfy the law. Businesses must also demonstrate that they have internal processes to identify suspicious activity and submit reports when required.

Appointment of a Compliance Officer

Every DNFBP should appoint a qualified Compliance Officer or Money Laundering Reporting Officer (MLRO) responsible for overseeing the organisation’s AML/CFT programme.

Typical responsibilities include:

  • Monitoring compliance
  • Reviewing high-risk relationships
  • Managing internal investigations
  • Filing regulatory reports
  • Liaising with supervisory authorities
  • Keeping policies and procedures current
  • Coordinating employee training

The Compliance Officer should have sufficient authority, independence, and access to senior management to perform these responsibilities effectively.

Employee Training

Employees are often the first line of defence against financial crime.

Regular AML/CFT training should help staff recognise:

  • Suspicious customer behaviour
  • Money laundering indicators
  • Terrorist financing risks
  • Proliferation financing red flags
  • Sanctions risks
  • Reporting obligations
  • Internal escalation procedures

Training should be tailored to employees’ roles and supported by documented attendance records.

Record Keeping

DNFBPs must maintain accurate records to demonstrate compliance during regulatory inspections.

These typically include:

  • Customer identification documents
  • Risk assessments
  • Due diligence records
  • Transaction history
  • Internal investigations
  • STR and SAR documentation
  • Training records
  • Compliance reviews
  • Policy updates

Records should generally be retained for at least five years from the end of the business relationship or the completion of the relevant transaction, in accordance with applicable legal requirements.

Common AML/CFT Compliance Mistakes DNFBPs Should Avoid

Many regulatory findings arise because businesses have compliance documents in place but fail to implement them effectively. Supervisory authorities increasingly assess how an AML/CFT programme operates in practice, not just whether policies exist.

The following issues are among the most common compliance gaps identified during inspections.

Treating goAML Registration as Full Compliance

Registering on the goAML platform is only one part of the regulatory requirement. A compliant DNFBP must also maintain documented policies, conduct risk assessments, monitor customer activity, train employees, and report suspicious transactions when necessary.

Using Outdated AML Policies

Policies developed under the previous AML framework may no longer reflect current legal requirements. Businesses should review and update their compliance manuals to include the obligations introduced under Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.

Incomplete Risk Assessments

Some organisations perform customer risk assessments but overlook business-wide risks. An Enterprise-Wide Risk Assessment should evaluate risks across customers, products, delivery channels, jurisdictions, and now, proliferation financing.

Weak Customer Due Diligence

Incomplete customer files, missing beneficial ownership information, or insufficient verification of high-risk clients remain common issues during inspections. Customer Due Diligence should be proportionate to the level of risk and updated throughout the business relationship.

Irregular Staff Training

AML/CFT training should not be a one-time exercise. Employees need regular updates to stay informed about regulatory changes, emerging financial crime risks, and internal reporting procedures.

Poor Documentation

If a compliance activity is not documented, regulators may consider that it was not performed. Businesses should maintain organised records of customer due diligence, internal reviews, training sessions, policy updates, and suspicious transaction assessments

Why AML/CFT Enforcement Is Increasing in 2026

The UAE continues to strengthen its financial crime framework as part of its commitment to international AML/CFT standards.

A key focus in 2026 is the country’s Financial Action Task Force (FATF) Mutual Evaluation, where assessors examine not only the legal framework but also how effectively businesses implement AML/CFT measures.

For DNFBPs, this means regulators are placing greater emphasis on:

  • Effective risk-based compliance programmes
  • Accurate customer due diligence
  • Timely suspicious transaction reporting
  • Governance and management oversight
  • Staff awareness and training
  • Evidence of ongoing compliance monitoring

Regulatory inspections are expected to focus on whether businesses can demonstrate that their AML/CFT framework is operating effectively rather than existing solely as written documentation.

AML/CFT Compliance Checklist for DNFBPs

Before a regulatory inspection, every DNFBP should confirm that the following elements are in place.

Enterprise-Wide Risk Assessment (EWRA) updated

Proliferation Financing (PF) is included in the risk assessment

AML/CFT/CPF policies reviewed and updated

Customer Due Diligence (CDD) procedures implemented

Enhanced Due Diligence (EDD) process established

Ultimate Beneficial Owner (UBO) verification completed

Sanctions screening procedures in place

goAML registration completed where applicable

Staff AML/CFT training completed and documented

Compliance Officer (MLRO) appointed

Record retention procedures implemented

Internal monitoring and compliance reviews conducted

Completing this checklist does not automatically guarantee compliance, but it provides a practical starting point for evaluating whether the business meets the core expectations of the UAE AML/CFT framework.

Best Practices for Strengthening Your AML/CFT Programme

Regulators expect DNFBPs to adopt a proactive approach to compliance rather than reacting only when legislation changes.

Good practices include:

  • Review your Enterprise-Wide Risk Assessment at least annually or whenever business activities change.
  • Update AML policies whenever new laws or regulatory guidance are introduced.
  • Apply a consistent risk-based approach to customer onboarding and ongoing monitoring.
  • Verify Ultimate Beneficial Ownership before establishing business relationships.
  • Conduct periodic independent reviews of your AML/CFT controls.
  • Maintain detailed documentation to support every compliance decision.
  • Deliver regular AML/CFT training tailored to different employee roles.
  • Monitor regulatory updates issued by your supervisory authority to ensure ongoing compliance.

An effective AML/CFT programme protects more than regulatory compliance. It also strengthens corporate governance, reduces operational risk, supports banking relationships, and helps safeguard the reputation of the business.

Frequently Asked Questions

I am already registered on goAML from the 2018 framework. Do I need to re-register?

Your existing goAML registration continues. However, you must update your registration to reflect any changes in your entity, supervisory authority, or compliance officer. More importantly, registration alone is insufficient. You must have updated policies, an updated EWRA covering PF, trained staff, and a functioning compliance programme aligned with FDL No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.

Does the new AML law apply to my free zone company?

Yes. Federal Decree-Law No. 10 of 2025 applies to DNFBPs and financial institutions operating in both mainland and free zones, including commercial free zones. Financial free zones (DIFC and ADGM) have their own AML frameworks aligned with the federal law but administered by DFSA and FSRA, respectively.

What counts as proliferation financing?

Proliferation financing refers to providing funds, financial services, or other support to individuals or entities involved in the development, production, or acquisition of weapons capable of mass destruction, including nuclear, chemical, biological, and radiological weapons, or their delivery systems. It also covers financing the acquisition of dual-use goods controlled under international sanctions regimes. DNFBPs must screen their clients against relevant PF-related sanctions lists and monitor transactions for PF red flags.

What are the penalties for operating as a DNFBP without proper AML compliance?

Administrative fines from AED 50,000 to AED 1,000,000 per violation, stacking across multiple findings. Unlicensed VASP activity specifically carries imprisonment and fines from AED 200,000 to AED 10,000,000. False UBO reporting is a criminal offence. The penalty ceiling for serious violations by legal persons is AED 100 million. Non-compliant businesses also face licence suspension and reputational consequences with banking partners.

How does IncHub support AML compliance for DNFBPs and corporate service clients?

IncHub Corporate Services provides AML compliance support, including goAML registration assistance, Enterprise-Wide Risk Assessment preparation, AML policy updates aligned with FDL No. 10 of 2025, Compliance Officer registration coordination, and client KYC framework design. As a DNFBP with CAMS-certified professionals, IncHub applies robust AML/CFT compliance practices within its own operations and helps clients develop effective compliance programmes. 

Verified Sources and References

1. Al Tamimi – UAE AML Framework: Navigating a New Era of Financial Crime Compliance in 2026 (March 2026) 
2. Kayrouz and Associates – UAE goAML Registration: Which Businesses Must Comply in 2026 (April 2026)
3. White and Case – UAE Enacts New AML Law: Key Changes (October 2025) 
4. CMS LawNow – Operationalising the New UAE AML Law: Executive Regulations 2025 (December 2025) 
5. AMLUAE – The New UAE AML/CFT Law: Federal Decree-Law No. 10 of 2025 Explained (December 2025) 
6. Clyde and Co – UAE AML Law: A Reset for Corporate Accountability (November 2025) 
7. Al Suwaidi – UAE FDL No. 10 of 2025: Practical Guide for DNFBPs and High-Risk Entities (January 2026) 
8. Nexiant – AML Obligations in the UAE: Compliance Guide for 2026 (March 2026)

Mahesh Maddu

Founder & CEO, IncHub

Mahesh Maddu is the Founder and CEO of IncHub Group. With over 15 years of advisory experience, he has supported founders, family offices, and global investors in setting up and managing businesses across UAE mainland, free zones, and offshore jurisdictions. He holds an MBA from Bangalore University and is a certified Anti-Money Laundering specialist and STEP member, with expertise in trust and foundation structuring for high-net-worth clients.