
Direct Answer
AML compliance in the UAE has entered a new phase. Federal Decree-Law No. 10 of 2025 replaced the previous AML law and introduced stricter obligations for every regulated DNFBP. With tougher enforcement and the UAE’s 2026 FATF evaluation approaching, businesses must ensure their compliance framework reflects the latest AML, CFT, and Proliferation Financing (PF) requirements.
Key Takeaways
What Changed Under UAE AML/CFT 2026?
The introduction of Federal Decree-Law No. 10 of 2025 represents one of the most significant reforms to the UAE’s financial crime framework. Instead of amending the previous legislation, the new law establishes a modern compliance regime aligned with international standards and strengthens the responsibilities of both financial institutions and DNFBPs.
The accompanying Cabinet Resolution No. 134 of 2025 expands operational requirements by introducing new compliance measures, broader risk management obligations, and stronger enforcement powers.
Some of the most significant changes include:
|
Area |
Before (Federal Decree-Law No. 20 of 2018) |
After (Federal Decree-Law No. 10 of 2025) |
|
Proliferation Financing |
Not treated as a standalone compliance obligation |
PF is now a mandatory part of every AML/CFT compliance programme and Enterprise-Wide Risk Assessment |
|
Commercial Gaming |
Not classified as a DNFBP |
Commercial gaming operators are now regulated DNFBPs |
|
Virtual Asset Service Providers |
Governed through separate regulatory requirements |
Explicitly aligned with AML/CFT obligations applicable to financial institutions |
|
Ultimate Beneficial Ownership |
Reporting obligations existed |
False UBO reporting now carries stronger criminal penalties |
|
Corporate Penalties |
Lower maximum penalties |
Penalties for legal persons can reach AED 100 million for serious offences |
|
Risk Assessment |
Focused primarily on Money Laundering and Terrorist Financing |
Risk assessments must also evaluate Proliferation Financing exposure |
|
Suspicious Transaction Reporting |
Existing reporting obligations |
Expanded reporting expectations and stronger enforcement mechanisms |
The practical impact extends well beyond updating policies. DNFBPs should review their governance framework, customer due diligence procedures, sanctions screening, internal controls, staff training, record-keeping practices, and Enterprise-Wide Risk Assessment to ensure they comply with the new legal requirements.
Businesses that continue relying on compliance documents prepared under the previous legislation may face regulatory findings during inspections. Regulators increasingly expect organisations to demonstrate that their AML/CFT framework is actively implemented, regularly reviewed, and proportionate to the risks associated with their business activities.
Who Is a DNFBP Under the UAE AML/CFT 2026 Framework?
A Designated Non-Financial Business or Profession (DNFBP) is a business that is not a financial institution but is considered vulnerable to money laundering, terrorist financing, or proliferation financing because of the nature of its activities.
Under Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, DNFBPs are subject to many of the same AML/CFT obligations as financial institutions. These businesses must adopt a risk-based compliance programme, carry out customer due diligence, monitor transactions, report suspicious activities, and maintain appropriate internal controls.
The legislation applies to both mainland and many free zone businesses, depending on their regulated activities and supervisory authority.
Businesses Classified as DNFBPs
The following businesses and professionals fall within the DNFBP category under the UAE AML/CFT framework:
Although these businesses operate in different sectors, they share a common responsibility to prevent their services from being misused for financial crime.
Why DNFBPs Face Greater Regulatory Attention
Unlike traditional financial institutions, many DNFBPs facilitate high-value transactions, establish corporate structures, manage client assets, or handle complex business relationships. These services can create opportunities for criminals to conceal the source or ownership of illicit funds.
For example:
Because of these risks, regulators expect DNFBPs to apply effective AML/CFT controls throughout the customer lifecycle rather than treating compliance as an administrative exercise.
What Every DNFBP Must Have in Place Under UAE AML/CFT 2026
Complying with the new legislation involves far more than completing a goAML registration. Regulators expect businesses to implement a practical compliance framework that is proportionate to their size, services, customer base, and overall risk profile.
The following elements are essential to building an effective AML/CFT compliance programme.
Enterprise-Wide Risk Assessment (EWRA)
Every DNFBP should maintain an up-to-date Enterprise-Wide Risk Assessment that identifies and evaluates the money laundering, terrorist financing, and proliferation financing risks associated with the business.
The assessment should consider factors such as:
The EWRA should be reviewed regularly and updated whenever there are significant changes to the business or regulatory environment.
AML/CFT/CPF Policies and Procedures
Businesses should maintain documented policies that reflect the requirements of the new legislation.
These policies typically cover:
Policies prepared under the previous AML framework should be reviewed and updated to reflect the requirements introduced by Federal Decree-Law No. 10 of 2025.
Customer Due Diligence (CDD)
DNFBPs are expected to understand who their customers are before establishing a business relationship.
Customer Due Diligence generally includes:
CDD is an ongoing obligation rather than a one-time verification exercise.
goAML Registration and Suspicious Transaction Reporting
All regulated DNFBPs must register with the UAE Financial Intelligence Unit’s goAML platform where required by their supervisory authority.
The platform enables businesses to submit:
Registration alone does not satisfy the law. Businesses must also demonstrate that they have internal processes to identify suspicious activity and submit reports when required.
Appointment of a Compliance Officer
Every DNFBP should appoint a qualified Compliance Officer or Money Laundering Reporting Officer (MLRO) responsible for overseeing the organisation’s AML/CFT programme.
Typical responsibilities include:
The Compliance Officer should have sufficient authority, independence, and access to senior management to perform these responsibilities effectively.
Employee Training
Employees are often the first line of defence against financial crime.
Regular AML/CFT training should help staff recognise:
Training should be tailored to employees’ roles and supported by documented attendance records.
Record Keeping
DNFBPs must maintain accurate records to demonstrate compliance during regulatory inspections.
These typically include:
Records should generally be retained for at least five years from the end of the business relationship or the completion of the relevant transaction, in accordance with applicable legal requirements.
Common AML/CFT Compliance Mistakes DNFBPs Should Avoid
Many regulatory findings arise because businesses have compliance documents in place but fail to implement them effectively. Supervisory authorities increasingly assess how an AML/CFT programme operates in practice, not just whether policies exist.
The following issues are among the most common compliance gaps identified during inspections.
Treating goAML Registration as Full Compliance
Registering on the goAML platform is only one part of the regulatory requirement. A compliant DNFBP must also maintain documented policies, conduct risk assessments, monitor customer activity, train employees, and report suspicious transactions when necessary.
Using Outdated AML Policies
Policies developed under the previous AML framework may no longer reflect current legal requirements. Businesses should review and update their compliance manuals to include the obligations introduced under Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.
Incomplete Risk Assessments
Some organisations perform customer risk assessments but overlook business-wide risks. An Enterprise-Wide Risk Assessment should evaluate risks across customers, products, delivery channels, jurisdictions, and now, proliferation financing.
Weak Customer Due Diligence
Incomplete customer files, missing beneficial ownership information, or insufficient verification of high-risk clients remain common issues during inspections. Customer Due Diligence should be proportionate to the level of risk and updated throughout the business relationship.
Irregular Staff Training
AML/CFT training should not be a one-time exercise. Employees need regular updates to stay informed about regulatory changes, emerging financial crime risks, and internal reporting procedures.
Poor Documentation
If a compliance activity is not documented, regulators may consider that it was not performed. Businesses should maintain organised records of customer due diligence, internal reviews, training sessions, policy updates, and suspicious transaction assessments
Why AML/CFT Enforcement Is Increasing in 2026
The UAE continues to strengthen its financial crime framework as part of its commitment to international AML/CFT standards.
A key focus in 2026 is the country’s Financial Action Task Force (FATF) Mutual Evaluation, where assessors examine not only the legal framework but also how effectively businesses implement AML/CFT measures.
For DNFBPs, this means regulators are placing greater emphasis on:
Regulatory inspections are expected to focus on whether businesses can demonstrate that their AML/CFT framework is operating effectively rather than existing solely as written documentation.
AML/CFT Compliance Checklist for DNFBPs
Before a regulatory inspection, every DNFBP should confirm that the following elements are in place.
|
Compliance Requirement |
Status |
|
Enterprise-Wide Risk Assessment (EWRA) updated |
✓ |
|
Proliferation Financing (PF) is included in the risk assessment |
✓ |
|
AML/CFT/CPF policies reviewed and updated |
✓ |
|
Customer Due Diligence (CDD) procedures implemented |
✓ |
|
Enhanced Due Diligence (EDD) process established |
✓ |
|
Ultimate Beneficial Owner (UBO) verification completed |
✓ |
|
Sanctions screening procedures in place |
✓ |
|
goAML registration completed where applicable |
✓ |
|
Staff AML/CFT training completed and documented |
✓ |
|
Compliance Officer (MLRO) appointed |
✓ |
|
Record retention procedures implemented |
✓ |
|
Internal monitoring and compliance reviews conducted |
✓ |
Completing this checklist does not automatically guarantee compliance, but it provides a practical starting point for evaluating whether the business meets the core expectations of the UAE AML/CFT framework.
Best Practices for Strengthening Your AML/CFT Programme
Regulators expect DNFBPs to adopt a proactive approach to compliance rather than reacting only when legislation changes.
Good practices include:
An effective AML/CFT programme protects more than regulatory compliance. It also strengthens corporate governance, reduces operational risk, supports banking relationships, and helps safeguard the reputation of the business.
Frequently Asked Questions
I am already registered on goAML from the 2018 framework. Do I need to re-register?
Your existing goAML registration continues. However, you must update your registration to reflect any changes in your entity, supervisory authority, or compliance officer. More importantly, registration alone is insufficient. You must have updated policies, an updated EWRA covering PF, trained staff, and a functioning compliance programme aligned with FDL No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.
Does the new AML law apply to my free zone company?
Yes. Federal Decree-Law No. 10 of 2025 applies to DNFBPs and financial institutions operating in both mainland and free zones, including commercial free zones. Financial free zones (DIFC and ADGM) have their own AML frameworks aligned with the federal law but administered by DFSA and FSRA, respectively.
What counts as proliferation financing?
Proliferation financing refers to providing funds, financial services, or other support to individuals or entities involved in the development, production, or acquisition of weapons capable of mass destruction, including nuclear, chemical, biological, and radiological weapons, or their delivery systems. It also covers financing the acquisition of dual-use goods controlled under international sanctions regimes. DNFBPs must screen their clients against relevant PF-related sanctions lists and monitor transactions for PF red flags.
What are the penalties for operating as a DNFBP without proper AML compliance?
Administrative fines from AED 50,000 to AED 1,000,000 per violation, stacking across multiple findings. Unlicensed VASP activity specifically carries imprisonment and fines from AED 200,000 to AED 10,000,000. False UBO reporting is a criminal offence. The penalty ceiling for serious violations by legal persons is AED 100 million. Non-compliant businesses also face licence suspension and reputational consequences with banking partners.
How does IncHub support AML compliance for DNFBPs and corporate service clients?
IncHub Corporate Services provides AML compliance support, including goAML registration assistance, Enterprise-Wide Risk Assessment preparation, AML policy updates aligned with FDL No. 10 of 2025, Compliance Officer registration coordination, and client KYC framework design. As a DNFBP with CAMS-certified professionals, IncHub applies robust AML/CFT compliance practices within its own operations and helps clients develop effective compliance programmes.
Verified Sources and References
1. Al Tamimi – UAE AML Framework: Navigating a New Era of Financial Crime Compliance in 2026 (March 2026)
2. Kayrouz and Associates – UAE goAML Registration: Which Businesses Must Comply in 2026 (April 2026)
3. White and Case – UAE Enacts New AML Law: Key Changes (October 2025)
4. CMS LawNow – Operationalising the New UAE AML Law: Executive Regulations 2025 (December 2025)
5. AMLUAE – The New UAE AML/CFT Law: Federal Decree-Law No. 10 of 2025 Explained (December 2025)
6. Clyde and Co – UAE AML Law: A Reset for Corporate Accountability (November 2025)
7. Al Suwaidi – UAE FDL No. 10 of 2025: Practical Guide for DNFBPs and High-Risk Entities (January 2026)
8. Nexiant – AML Obligations in the UAE: Compliance Guide for 2026 (March 2026)
