Business Transformation & Technology Consulting · IT Risk & Technology Assurance
AML/CFT Software Advisory & Setup
AML/CFT Software Advisory & Setup helps UAE Designated Non-Financial Businesses and Professions (DNFBPs), financial institutions, and other regulated entities select, configure, and embed the right anti-money-laundering and counter-terrorism-financing technology into their day-to-day compliance workflow — not just install a tool and leave the policy manual untouched.
Chartered Accountants · Dubai · Since 1986
AML/CFT Software Advisory & Setup is the practice of assessing a regulated UAE entity's money-laundering and terrorist-financing risk profile, then selecting, configuring, and operationalising the screening, monitoring, and reporting technology needed to meet its obligations under UAE AML/CFT law. The UAE framework rests on Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended by subsequent decree-laws), its Cabinet Decision executive regulations, and sector-specific guidance issued by the relevant supervisory authority — the UAE Central Bank for banks, insurers, and finance companies; the Securities and Commodities Authority (SCA) for capital markets participants; the Ministry of Economy for Designated Non-Financial Businesses and Professions (DNFBPs) operating on the mainland; and individual free zone authorities (including DMCC for precious metals and stones traders, DIFC and ADGM through their own regulators) for entities licensed within their jurisdictions. The Financial Intelligence Unit (FIU), housed within the UAE Central Bank, operates the goAML platform through which registered entities file Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory disclosures.
At the core of any AML/CFT technology stack are three functional layers. The first is customer screening — checking new and existing customers, beneficial owners, and connected parties against UN Security Council sanctions lists, the UAE's Local Terrorist List, and Politically Exposed Persons (PEP) databases at onboarding and on an ongoing basis, since sanctions lists change continuously and a customer clean at onboarding may appear on a list months later. The second is transaction monitoring — applying rules or risk-scoring logic to flag transactions that deviate from a customer's expected pattern, structuring behaviour, unusual counterparties, or activity inconsistent with the customer's declared business, so that a human compliance officer reviews a manageable, prioritised list of alerts rather than every transaction. The third is case management and regulatory reporting — recording the investigation, evidence, and decision behind each alert, and where a transaction or attempted transaction is genuinely suspicious, filing the STR/SAR through goAML within the timeframe the law requires, without tipping off the customer.
Software selection is not one-size-fits-all. A small real estate brokerage handling a modest volume of high-value property transactions has fundamentally different screening and monitoring needs than a precious metals trading house processing daily cash-intensive transactions, a company service provider incorporating entities and acting as registered agent, or a law firm handling client funds. Enterprise-grade platforms built for banks bring monitoring sophistication that most DNFBPs neither need nor can justify on cost; a bare sanctions-list-checking tool with no case management or audit trail leaves a DNFBP unable to demonstrate to an inspector that alerts were actually investigated. PNPC's role is to size the right tool to the entity's actual risk-based assessment — the risk profile the business is legally required to document under its own AML/CFT policy — rather than defaulting to whichever vendor is best marketed.
Software alone does not satisfy the law, and this is the point most vendor-led buyers miss. UAE AML/CFT regulations require a documented risk-based approach, a designated Compliance Officer (MLRO — Money Laundering Reporting Officer) registered with the relevant supervisor, an AML/CFT policy and procedures manual, ongoing staff training, independent audit of the AML/CFT programme, and registration on goAML and, where applicable, the UAE's sanctions-screening portals. Technology is the operational engine that makes these obligations executable at scale and defensible under inspection — it does not replace the governance, the documented risk assessment, or the judgement of a trained compliance officer. Ministry of Economy guidance is explicit that goAML is the reporting channel for Suspicious Transaction Reports and Suspicious Activity Reports; it is not, and was never intended to be, a substitute for the MLRO's risk assessment, CDD/EDD, sanctions screening, and STR/SAR decisioning that sit behind each filing. PNPC positions software setup as one component of a broader AML/CFT compliance programme, coordinated with the entity's policy documentation, training, and audit cycle so the technology, the paperwork, and the actual practice all tell the same story when a supervisor asks to see it.
The recurring failure mode in this service is a boundary confusion, and it costs entities findings at inspection: a sanctions-list hit mistaken for a completed investigation, a screening tool mistaken for a control environment, goAML registration mistaken for AML compliance, or an auto-closed low-score alert mistaken for a documented human decision. Each of these looks like coverage on a demo screen and reads as a gap in an inspection file. PNPC's engagement is built to keep those boundaries visible — which questions the software answers, which questions only the MLRO can answer, and where the documented evidence for each has to live. The three questions we make every AML/CFT technology file answer are: which supervisor (Ministry of Economy, a free zone authority, the Central Bank, or SCA) will rely on it, what evidence supports each screening and monitoring decision, and what triggers the next recalibration once the initial configuration is live. Treating the service as a managed workstream rather than a one-off installation is what makes the setup survive the first supervisory review rather than merely pass the vendor's acceptance test.
When a UAE business needs AML/CFT software advisory and setup
The business is a Designated Non-Financial Business or Profession (DNFBP) under UAE law — real estate brokers and agents, dealers in precious metals and stones, company service providers, independent lawyers, notaries, and accountants providing specified services — and is legally required to maintain an AML/CFT programme, including screening and monitoring capability
The business is currently relying on manual sanctions-list checks (spreadsheet lookups, ad hoc web searches) that cannot keep pace with list updates, growing customer volumes, or a supervisory inspection's expectation of a documented, repeatable screening process
A supervisory authority inspection, external auditor, or bank has flagged the absence of automated screening or monitoring as a control gap, or the business has received a finding requiring remediation within a specified timeframe
Transaction volumes or customer numbers have grown to the point where manual review of every transaction for suspicious patterns is no longer realistic, and a risk-scoring or rules-based alert system is needed to prioritise the compliance officer's attention
The entity is registering, or should already be registered, on the goAML platform and needs its internal alert and investigation workflow to feed cleanly into STR/SAR filing without gaps or duplicated manual work
The business is expanding into a higher-risk customer segment or geography (cash-intensive trade, high-net-worth real estate, cross-border remittance-adjacent activity) where its existing manual controls were adequate at a smaller or lower-risk scale but no longer are
A new Compliance Officer / MLRO has been appointed and needs a properly configured, documented technology environment to inherit rather than a fragmented set of manual processes with no institutional record
A group parent has mandated an AML/CFT platform and someone independent of the vendor needs to confirm it is actually localised for UAE goAML reporting, UAE-specific list sources, and the local supervisor's expectations rather than left on its home-jurisdiction configuration
The Compliance Officer is drowning in false-positive alerts from a tool that was installed on default settings and needs the thresholds recalibrated against the entity's real transaction data before genuine alerts start getting lost in the noise
You want the technology setup coordinated with the written AML/CFT policy manual and the goAML workflow so the software, the paperwork, and actual practice do not contradict each other when an inspector cross-checks them
The business is preparing for a sale, investor round, or new banking relationship and needs its screening history, case management records, and goAML filing trail formatted into defensible due-diligence evidence
When a lighter-touch approach may be appropriate first
The business has not yet completed its own documented AML/CFT risk assessment and does not have a Compliance Officer or AML/CFT policy in place — software selection should follow the risk assessment and policy design, not precede it, since the risk assessment determines what the software actually needs to screen and monitor for
A very small, low-transaction-volume DNFBP where a well-documented manual screening and record-keeping process, reviewed periodically by PNPC, may satisfy the risk-based proportionality principle at the current scale, with software introduced as volumes grow
The business is not a DNFBP or otherwise regulated entity under UAE AML/CFT law and has no supervisory obligation to maintain AML/CFT controls — in this case, the priority is confirming regulatory scope, not procuring software
An entity that already operates a mature, properly configured AML/CFT technology stack — PNPC's role there is typically a periodic effectiveness review or independent audit rather than a fresh selection and setup exercise
The business needs urgent remediation of a specific inspection finding with a tight deadline — in that scenario, a focused gap-closure engagement addressing the specific finding is often the right first step, with broader software modernisation sequenced afterward
The business is looking for PNPC to act as its registered Compliance Officer / MLRO — that is a designated, personally accountable role the entity must appoint and register with its supervisor, not a function a software advisory engagement can absorb
The customer base and transaction profile are still in flux — a pre-launch entity that has not yet onboarded real customers cannot meaningfully calibrate monitoring thresholds, and a configuration built on assumed rather than actual activity would need reworking almost immediately
What the entity actually needs first is bespoke software development or deep system integration rather than configuration of an existing screening/monitoring platform — that is specialist engineering work PNPC coordinates but does not itself deliver
The business wants automated STR/SAR filing with no human review to cut compliance workload — this is not permissible under UAE AML/CFT rules, which require a documented MLRO judgement behind every filing decision, and PNPC will not configure a workflow that removes it
AML/CFT Technology Approaches for UAE Regulated Businesses
| Feature | PNPC-Advised Configured Platform | Off-the-Shelf Software, Self-Configured | Manual / Spreadsheet-Based Screening | No Formal Screening or Monitoring |
|---|---|---|---|---|
| Sized to entity's documented risk-based assessment | Yes — selection driven by the entity's own risk profile | Rarely — vendor's default configuration typically applied as-is | N/A — no systematic sizing exercise | N/A |
| Sanctions and PEP list screening | Automated, continuously updated, applied at onboarding and ongoing | Automated but often left at default sensitivity, generating noisy or missed alerts | Manual lookup, dependent on staff remembering to check and list currency | Not performed |
| Transaction monitoring / alert generation | Rules and thresholds calibrated to the entity's actual transaction patterns | Default vendor rules, frequently generating high false-positive or false-negative rates | Not systematically performed | Not performed |
| Case management and audit trail | Structured investigation record for every alert, defensible under inspection | Depends on module purchased and whether it is actually used | Informal notes at best, rarely centralised | None |
| goAML integration / reporting workflow | Internal alert-to-STR/SAR workflow mapped and tested | Left to the compliance officer to bridge manually | Entirely manual, high risk of missed filing deadlines | Not in place |
| Staff training on the configured tool | Included as part of setup and rollout | Often skipped after purchase, leaving the tool under-used | N/A | N/A |
| Alignment with AML/CFT policy manual and MLRO role | Coordinated so technology, policy, and practice match | Frequently misaligned — software purchased separately from policy documentation | Policy and practice diverge over time without a technology anchor | No alignment to assess |
| Inspection-readiness | Configured and documented to withstand supervisory review | Depends heavily on internal configuration discipline post-purchase | Weak — manual processes are difficult to evidence systematically | High exposure to findings and penalties |
| Cost profile | Right-sized licence plus advisory fee for configuration and training | Licence cost with hidden configuration and integration effort absorbed internally | Low direct cost, high compliance and reputational risk | No direct cost, highest regulatory exposure |
| Ongoing effectiveness review | Periodic review built into the engagement | Rarely revisited unless a problem surfaces | No structured review mechanism | None |
The right technology choice depends entirely on the entity's regulatory category, transaction volume, customer risk profile, and existing AML/CFT governance maturity. A documented risk-based assessment should precede software selection, not follow it — PNPC's advisory process is built around that sequencing.
| # | Stage & What PNPC Does | What a Vendor-Led Sales Process Misses | Timeline |
|---|---|---|---|
| 1 | Regulatory Scoping & Risk-Based Assessment Review — Confirming obligations before any tool is discussed | We ask what a software vendor's sales team never asks: which supervisory authority actually regulates this entity — Ministry of Economy, DMCC, a specific free zone regulator, the Central Bank, or SCA? Has the entity completed its own documented risk-based assessment? Is there an appointed, registered Compliance Officer? These answers determine whether software procurement is even the right next step, or whether policy and governance work needs to happen first. | Week 1 |
| 2 | Customer & Transaction Profile Analysis — Understanding actual exposure, not assumed exposure | We review the entity's actual customer base, transaction sizes, payment methods (cash, wire, escrow), geographic spread, and any existing red flags — before recommending a screening sensitivity or monitoring rule set that either misses real risk or drowns the compliance officer in false positives. | Week 1–2 |
| 3 | Software Shortlisting Against Risk Profile — Matching capability to actual need, not vendor scale | Enterprise platforms built for banks are frequently oversized and overpriced for a DNFBP's actual risk; a bare sanctions-checker with no case management leaves the entity unable to evidence investigations. We shortlist 2–3 options genuinely proportionate to the entity's size, sector, and risk category, with a clear cost-benefit comparison in writing. | Week 2 |
| 4 | Configuration Design — Screening lists, PEP sensitivity, monitoring rules, and thresholds | Default vendor settings are calibrated for a generic customer base, not this entity's actual risk profile. We design the specific sanctions and PEP list sources to be screened, the ongoing re-screening frequency, and the transaction monitoring thresholds and typologies relevant to the sector — real estate structuring patterns differ materially from precious metals cash-intensive typologies. | Week 2–3 |
| 5 | Case Management & Escalation Workflow Design | We design the internal alert-to-investigation-to-decision workflow — who reviews an alert, within what timeframe, what evidence is recorded, and how an alert escalates to a suspicion assessment — so the software's case log is a defensible record, not just a list of unresolved flags. | Week 3 |
| 6 | goAML Registration & Reporting Pathway Integration | For entities not yet registered on the FIU's goAML platform, we coordinate registration. For those already registered, we map the internal case management workflow directly to the STR/SAR filing process so a genuine suspicion identified in the software translates into a timely filing without a manual, error-prone handoff. | Week 3–4 |
| 7 | System Configuration & Testing — Live setup against real (anonymised where needed) data | The configured platform is tested against a sample of the entity's actual historical customer and transaction data before go-live, to confirm the alert volume is manageable and genuinely risk-relevant — not a theoretical configuration that floods the compliance officer on day one. | Week 4–5 |
| 8 | Policy & Procedure Alignment — Technology matched to the written AML/CFT manual | A configured tool that does not match the entity's written AML/CFT policy and procedures manual creates an inspection contradiction. We review and, where needed, update the policy document so it accurately describes how the software is actually used. | Week 4–5 |
| 9 | Compliance Officer & Staff Training — Practical, tool-specific training, not generic AML awareness | We train the Compliance Officer / MLRO and relevant frontline staff on the configured platform specifically — how to clear a false positive, how to escalate a genuine alert, how to document a decision — rather than generic AML awareness training disconnected from the actual tool in use. | Week 5 |
| 10 | Go-Live & Initial Monitoring Period | The system goes live with PNPC monitoring the initial alert volume and false-positive rate closely, adjusting thresholds where the early data shows the configuration is either too noisy or too permissive. | Week 5–6 |
| 11 | Post-Go-Live Calibration Review | Roughly 4–8 weeks after go-live, we review actual alert patterns against the initial configuration assumptions and recalibrate thresholds, list sources, or workflow steps based on real operating experience rather than the original theoretical design. | Week 10–14 |
| 12 | Periodic Independent Effectiveness Review | UAE AML/CFT regulations expect periodic independent review of the AML/CFT programme's effectiveness. PNPC can conduct this review — assessing whether the configured software, the policy, and actual practice remain aligned and proportionate to the current risk profile — on an annual or otherwise agreed cycle. | Annually, or per supervisory expectation |
| 13 | Ongoing Advisory — Regulatory change, business growth, and inspection support | AML/CFT obligations evolve with regulatory updates, business growth, and new typologies. PNPC remains available to recalibrate the technology and policy as the business scales, enters new customer segments, or faces a supervisory inspection. | Ongoing |
| 14 | Scope-boundary memo — PNPC states in writing what the engagement covers (selection, configuration, testing, workflow design) and what it does not (acting as the registered MLRO, conducting the underlying risk-based assessment as a separate statutory deliverable, bespoke software development, or regulated legal/investment advice). | Vendor sales processes blur advice and accountability because they are oriented around closing the licence, leaving the entity assuming a coverage it never actually bought. | Before engagement confirmation |
| 15 | Data-portability and vendor-contract review — Before the licence is signed, PNPC checks the vendor terms for data ownership on exit, list-update SLA, and auto-renewal lock-in so the entity can export its full screening and case history if it later switches platforms. | A screening tool with no export-on-termination right effectively holds the entity's compliance history hostage — the clause vendors most often leave inadequate. | Before licence commitment |
| 16 | Tipping-off and escalation-script review — PNPC reviews the case-management and customer-facing workflow specifically so an alert investigation, document request, or account review cannot inadvertently disclose to a customer that a report may be filed. | Vendors configure alert workflows for efficiency, not for the tipping-off prohibition under Federal Decree-Law No. 20 of 2018 — a gap that turns a well-meaning frontline reassurance into an offence. | During configuration design |
| 17 | Record-retention and retrievability configuration — PNPC sets the archival parameters so CDD, transaction, and STR/SAR records remain not just stored but retrievable and searchable for the full statutory retention window. | A record locked in an unsupported software version nobody can export is functionally as bad as no record — vendors treat storage as done, retrievability as the entity's problem. | Before go-live |
| 18 | Close-out and calibration calendar — PNPC hands over the configuration rationale, testing results, policy-alignment note, and a dated calendar for the post-go-live recalibration and annual effectiveness review. | A configured tool with no record of why thresholds were set, and no diarised review, drifts silently out of alignment and forces every decision to be re-justified at the next inspection. | After completion |
A properly scoped, configured, and tested AML/CFT software setup — from initial risk-profile review through go-live — typically takes 5–6 weeks for a single-entity DNFBP with a moderate customer base. Entities without an existing documented risk-based assessment or appointed Compliance Officer should expect that foundational governance work to be sequenced before or alongside the technology setup, adding to the overall timeline. Complex, multi-branch, or higher-risk entities (precious metals traders, larger real estate brokerages) typically require 8–10 weeks for full calibration.
Trade licence confirming the entity's activity classification and licensing authority (DED, specific free zone, or financial free zone regulator)
Confirmation of DNFBP or otherwise-regulated status and the identity of the relevant supervisory authority (Ministry of Economy, a specific free zone authority, UAE Central Bank, or SCA)
Existing AML/CFT risk-based assessment document, if one has been completed
Existing AML/CFT policy and procedures manual, if one exists
Appointment letter or Board resolution confirming the designated Compliance Officer / MLRO, and confirmation of their registration with the relevant supervisor
Current customer master list or CRM export, with an indication of customer type (individual, corporate, PEP-adjacent where known)
Sample of recent transaction data — value ranges, payment methods, frequency — sufficient to model realistic monitoring thresholds
Description of typical customer onboarding process and current identity verification / KYC steps
Any existing record of red flags, declined customers, or past suspicious activity considerations, even if informally documented
Details of the CRM, accounting, or transaction-processing system(s) currently in use, to assess integration feasibility with a screening or monitoring platform
Any existing sanctions-screening or KYC tool currently in use, including licence terms and configuration documentation if available
IT environment overview — cloud-based or on-premise systems, data residency considerations, and any existing data protection or cybersecurity policy relevant to housing customer screening data
Confirmation of current goAML platform registration status, including registered Compliance Officer credentials if already registered
Record of any STRs/SARs filed to date, if applicable, for continuity in the new configured workflow
Any correspondence from the FIU, Ministry of Economy, or relevant supervisory authority regarding AML/CFT compliance status or findings
List of staff who will use the screening/monitoring tool directly, with their current AML/CFT training history
Organisational chart showing escalation lines from frontline staff to the Compliance Officer
Any prior AML/CFT training records or certificates held by relevant staff
Indicative budget range for software licensing and advisory setup, to guide realistic shortlisting
Decision-maker(s) and expected timeline for approval, so the software selection and procurement process can be sequenced accordingly
Any existing vendor relationships or contractual constraints (e.g. group-mandated software from a parent company) that should be factored into the recommendation
Business risk assessment and customer-risk methodology
CDD/EDD fields and sanctions/PEP screening requirements
MLRO escalation matrix and case disposition rules
goAML STR/SAR reporting workflow requirements
Vendor configuration matrix
Screening list/source settings and match thresholds
Case-management statuses and maker-checker controls
Audit log and evidence-retention settings
User training and MLRO handover record
Testing of alerts, false positives and escalation paths
Periodic tuning and model/rules review calendar
Regulator/query response pack
| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Scoping & Risk Assessment Review (Week 1–2) | Engagement start | Confirm regulatory category and supervisory authority, review or help build the entity's documented risk-based assessment, and confirm Compliance Officer status before recommending any technology. | Software procured without a documented risk basis is difficult to justify to a supervisor as proportionate, and may be misconfigured for the entity's actual exposure. |
| Selection & Configuration Design (Week 2–4) | Risk profile confirmed | Shortlist proportionate software options, design screening list sources, PEP sensitivity, and monitoring thresholds specific to the entity's customer and transaction profile. | Default, unconfigured settings either miss genuine risk indicators or generate an unmanageable volume of false positives that overwhelms the compliance function. |
| Setup, Testing & Go-Live (Week 4–6) | Configuration approved | Test the configured system against real historical data, align the AML/CFT policy manual to match actual practice, and train the Compliance Officer and relevant staff on the specific tool. | A tool that goes live untested, or that contradicts the written policy manual, creates a documentation gap that a supervisory inspection will flag immediately. |
| Post-Go-Live Calibration (Week 8–14) | Initial operating data available | Review real alert volumes and false-positive rates against the original configuration and recalibrate thresholds and rules based on actual operating experience. | An uncalibrated system either continues generating unmanageable noise, causing genuine alerts to be missed in the volume, or remains too permissive and fails to flag real risk. |
| Ongoing Monitoring & STR/SAR Filing (Continuous) | Day-to-day transaction and customer activity | Alerts investigated within the entity's documented timeframe, decisions recorded in the case management system, and genuine suspicions filed via goAML without tipping off the customer. | Missed or late STR/SAR filings, or an inability to evidence that alerts were properly investigated, exposes the entity and its Compliance Officer to supervisory penalties and potential criminal liability under Federal Decree-Law No. 20 of 2018. |
| Independent Effectiveness Review (Annual or per supervisory cycle) | Scheduled review or regulatory update | Assess whether the software configuration, policy documentation, and actual practice remain aligned and proportionate as the business has grown or regulatory guidance has evolved. | A programme that is never independently reviewed drifts out of alignment with the entity's actual current risk profile and with updated regulatory expectations, weakening its defensibility at the next inspection. |
| Business Change (Growth, New Segment, New Branch, M&A) | Expansion, new customer segment, or corporate transaction | The screening and monitoring configuration is reassessed and extended to cover new risk exposure — a new customer segment, a new emirate of operation, or an acquired book of business. | A configuration calibrated for the original, smaller risk profile becomes inadequate as the business scales into higher-risk segments or additional jurisdictions, creating a growing control gap. |
| Supervisory Inspection or Finding | Ministry of Economy, free zone regulator, or Central Bank inspection | PNPC supports the entity through the inspection process, and where a finding is issued, designs and implements the specific remediation required within the given timeframe. | An inspection finding left unaddressed, or addressed only superficially, escalates to formal enforcement action, which under UAE AML/CFT law can include significant administrative fines and licence-level consequences. |
| Sanctions List Update (Continuous, Vendor-Driven) | UN Security Council, UAE Local Terrorist List, or PEP database change | Confirm the platform ingests list updates automatically and re-screens the existing customer book on a defined cadence — not just new customers at onboarding — since a customer clean at onboarding may be designated months later. | Onboarding-only screening leaves the entity dealing with a customer who became sanctioned after the relationship began — one of the most common configuration gaps found at inspection. |
| New MLRO Handover | Compliance Officer resignation or replacement | Ensure the incoming MLRO inherits the configuration rationale, threshold justifications, calibration log, and open-alert backlog as a structured pack, and confirm their re-registration with the relevant supervisor. | A new Compliance Officer inheriting an undocumented tool cannot explain or defend the configuration to an inspector, and unregistered MLRO status is itself a finding. |
| Regulatory or Guidance Change | Ministry of Economy, Central Bank, FIU, or free zone regulator update | Assess whether updated screening obligations, reporting timelines, or list sources require a configuration change, and update the policy manual and workflow to match. | A configuration compliant at setup becomes outdated purely through regulatory evolution, with no change in the business itself, weakening defensibility at the next review. |
| Auto-Close Temptation (Recurring Risk) | Rising alert volume overwhelming the compliance function | Resist any auto-close or auto-file rule for low-scoring alerts; recalibrate thresholds against real data instead so every alert still reaches a named reviewer with a documented disposition. | Auto-closing alerts to cut workload is precisely the shortcut a supervisory inspection is trained to detect, and removes the human disposition the law requires behind every decision. |
Which UAE businesses are actually required to have AML/CFT screening and monitoring in place?
Under UAE Federal Decree-Law No. 20 of 2018 and its Cabinet Decision implementing regulations, obligations extend beyond banks and financial institutions to Designated Non-Financial Businesses and Professions (DNFBPs) — real estate brokers and agents involved in property transactions, dealers in precious metals and stones above specified transaction thresholds, company service providers (including those forming companies, acting as registered agents, or providing nominee director/shareholder services), independent lawyers and notaries when conducting specified financial or property transactions on a client's behalf, and accountants providing specified services. The exact obligations and their intensity depend on the entity's specific activity and its own documented risk-based assessment.
Do I need software, or can I meet AML/CFT obligations with a well-documented manual process?
For a very small, low-volume DNFBP, a well-documented and consistently applied manual screening and record-keeping process can, in principle, satisfy the risk-based proportionality principle underpinning UAE AML/CFT regulation. In practice, manual processes struggle to keep pace with continuously updated sanctions and PEP lists, and become genuinely difficult to defend under inspection once transaction or customer volume grows. PNPC assesses proportionality as part of the initial scoping — we do not recommend software procurement as a default answer for every entity regardless of scale.
What is goAML and does my business need to register on it?
goAML is the electronic platform operated by the UAE's Financial Intelligence Unit (FIU), housed within the UAE Central Bank, through which regulated entities file Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory AML/CFT disclosures. Entities falling within scope of UAE AML/CFT law — including DNFBPs — are generally required to register on goAML and designate a Compliance Officer authorised to file reports through the platform. PNPC coordinates registration for entities not yet registered and, for those already registered, ensures the internal alert workflow maps cleanly to the goAML filing process.
What is a Compliance Officer / MLRO and is it a mandatory appointment?
A Money Laundering Reporting Officer (MLRO), referred to under UAE regulation as the Compliance Officer, is the individual designated within a regulated entity as responsible for the AML/CFT programme, including reviewing internal alerts, deciding whether to file an STR/SAR, and liaising with the FIU and relevant supervisory authority. UAE AML/CFT regulations require regulated entities, including DNFBPs above the applicable scope, to appoint and register a Compliance Officer. The appointment should be senior enough to have genuine authority within the organisation and free from conflicts that would compromise independent judgement on suspicious activity decisions.
How does PNPC decide which AML/CFT software to recommend for a specific business?
We start from the entity's documented risk-based assessment — its customer base, transaction profile, geographic exposure, and sector-specific typologies — rather than a generic vendor comparison. A real estate brokerage handling occasional high-value transactions has different screening cadence needs than a precious metals trader processing frequent cash transactions. We shortlist 2–3 platforms genuinely proportionate to the entity's actual risk and scale, present a written cost-benefit comparison, and are not tied to a single vendor relationship that would bias the recommendation.
What is the difference between sanctions screening and transaction monitoring?
Sanctions and PEP screening checks a customer's identity — at onboarding and on an ongoing basis — against UN Security Council sanctions lists, the UAE's Local Terrorist List, and databases of Politically Exposed Persons, to confirm the entity is not knowingly dealing with a sanctioned or high-risk individual or organisation. Transaction monitoring is a separate, ongoing function that reviews the pattern of a customer's actual transactions — value, frequency, counterparties, structuring behaviour — for activity inconsistent with their declared profile or indicative of money-laundering typologies, regardless of whether the customer appears on any sanctions list. Both are required components of a functioning AML/CFT programme; neither substitutes for the other.
How often do sanctions and PEP lists actually change, and does the software update automatically?
UN Security Council sanctions lists, the UAE's Local Terrorist List, and major commercial PEP databases are updated frequently — sometimes multiple times within a single week. A properly configured screening platform updates its underlying list data automatically and re-screens the existing customer base on a defined cadence (commonly overnight or in near-real-time for continuously updated platforms), not just at the point of onboarding. PNPC confirms the update frequency and re-screening cadence as part of software evaluation, since a platform that only screens at onboarding leaves a business exposed to a customer who becomes designated after the relationship is already established.
What happens if the software generates a large number of false-positive alerts?
An uncalibrated system — using default vendor thresholds not tailored to the entity's actual customer base — commonly generates a high volume of false-positive alerts, which either overwhelms the compliance officer or, worse, trains staff to dismiss alerts too quickly, increasing the risk that a genuine alert gets missed in the noise. PNPC's configuration process specifically tests the system against a sample of the entity's real historical data before go-live and recalibrates thresholds during the post-go-live review period to bring the false-positive rate to a manageable, defensible level.
Does the software file STRs/SARs automatically, or does a person still make that decision?
No properly designed AML/CFT programme allows software to file an STR/SAR automatically without human review. The software's role is to flag alerts for investigation and, where relevant, to structure the case management record; the decision on whether an alert rises to the level of genuine suspicion warranting a filing remains a judgement call made by the trained Compliance Officer, based on the totality of the evidence. PNPC designs the workflow so the software supports that judgement with structured information — it does not replace it.
Can PNPC help if we already have AML/CFT software but it was never properly configured?
Yes, this is one of the more common engagements we see. A business purchases a platform, applies the vendor's default settings, and either never trains staff properly on it or never revisits the configuration as the business has grown. PNPC can conduct a configuration and effectiveness review of an existing system, identify gaps against the entity's current risk profile, and recalibrate or reconfigure the platform without necessarily requiring a full new software procurement.
How does PNPC handle confidentiality of customer and transaction data during the setup engagement?
All customer, transaction, and configuration data reviewed during an AML/CFT software engagement is handled under a signed engagement letter and confidentiality terms, accessed only by the specific PNPC team members assigned to the engagement. Where sample transaction data is used for configuration testing, PNPC works with the entity to anonymise or minimise personally identifiable information wherever the testing objective allows it.
What penalties apply for non-compliance with UAE AML/CFT obligations?
Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions provide for a range of administrative and criminal sanctions for non-compliance, including substantial administrative fines that can apply per violation, suspension or revocation of licences for regulated entities, and criminal liability — including imprisonment in serious cases — for individuals involved in money-laundering offences or in wilful failure to report. The precise penalty in any given case depends on the nature and severity of the violation and is determined by the relevant supervisory authority or the courts; PNPC does not quote specific fine amounts as these are set and applied by the regulator based on the facts of each case.
How long does it take to get an AML/CFT software solution fully operational?
For a single-entity DNFBP with a moderate customer base and an already-completed risk-based assessment, PNPC's engagement — from initial scoping through go-live — typically takes 5–6 weeks. Entities that do not yet have a documented risk-based assessment or an appointed Compliance Officer should expect that foundational governance work to be sequenced first, which extends the overall timeline. Larger or higher-risk entities, such as precious metals traders with high transaction volumes, typically require 8–10 weeks to reach a properly calibrated, tested configuration.
Is this service only for DNFBPs, or does it apply to financial institutions too?
While DNFBPs make up a large share of PNPC's AML/CFT software advisory clients, the same advisory and configuration discipline applies to any UAE-regulated entity with AML/CFT obligations, including smaller finance companies, exchange houses, and insurance intermediaries regulated by the UAE Central Bank, and entities within DIFC or ADGM subject to those centres' own AML/CFT frameworks. The specific supervisory authority, reporting channel, and regulatory expectations differ by category, and PNPC scopes the engagement to the entity's actual regulator from the outset.
Does PNPC provide the ongoing AML/CFT compliance function, or only the initial software setup?
PNPC's engagement can be scoped either as a defined software selection, configuration, and go-live project, or as an ongoing retainer that includes periodic recalibration, independent effectiveness review, staff training refreshers, and advisory support through supervisory inspections. Many clients start with the initial setup and move to an ongoing advisory retainer once the system is live and the compliance function's needs become clearer in practice.
What is a risk-based approach and why does it matter for software configuration?
A risk-based approach — the foundational principle underlying UAE and international AML/CFT regulation — means an entity applies AML/CFT controls proportionate to the actual money-laundering and terrorist-financing risk it faces, rather than applying a uniform, one-size-fits-all control regardless of risk level. In practical terms, a higher-risk customer segment (cash-intensive transactions, complex ownership structures, higher-risk geographies) warrants more intensive screening and monitoring than a lower-risk segment. Software configuration must reflect this — applying uniform default settings across all customers regardless of risk level either wastes compliance resource on low-risk relationships or under-scrutinises genuinely higher-risk ones.
Can the AML/CFT software integrate with our existing CRM or accounting system?
Many screening and monitoring platforms offer integration options — API connections, batch data uploads, or plug-ins for common CRM and accounting platforms — that reduce manual re-entry of customer and transaction data. The feasibility and cost of integration depends on the specific platforms involved on both sides. PNPC assesses integration feasibility as part of the software shortlisting process and factors the setup effort into the overall cost-benefit comparison presented to the client.
What ongoing staff training is required alongside the software?
UAE AML/CFT regulations expect regulated entities to provide ongoing AML/CFT training to relevant staff, not a one-time induction session. PNPC's setup engagement includes tool-specific training for the Compliance Officer and frontline staff who will use the platform directly, and we recommend a periodic refresher — commonly annual — that covers both general AML/CFT awareness and any changes to the configured system, typologies, or regulatory guidance since the last session.
How does PNPC handle AML/CFT software setup for a UAE branch of a foreign company or group?
A UAE branch or subsidiary of a foreign group often already operates under a group-mandated AML/CFT platform selected by the parent company. In this scenario, PNPC's role typically shifts to confirming the group platform's configuration is properly localised to UAE regulatory requirements — UAE-specific sanctions lists, goAML reporting integration, and Ministry of Economy or relevant local supervisor expectations — rather than a fresh platform selection exercise. For groups with an India-linked entity, PNPC can coordinate this localisation review through our Chennai, Bangalore, Hyderabad, and Dubai offices.
What is Know Your Customer (KYC) and how does it relate to AML/CFT software?
KYC is the process of verifying a customer's identity and understanding the nature of their intended relationship with the business, typically at onboarding — collecting identity documents, verifying beneficial ownership for corporate customers, and understanding the customer's expected transaction profile. AML/CFT software builds on the KYC data collected: sanctions and PEP screening checks the identity data gathered during KYC, and transaction monitoring compares actual activity against the expected profile established at KYC. Weak or incomplete KYC data undermines the software's effectiveness regardless of how well the screening and monitoring tool itself is configured.
Does PNPC assist with Enhanced Due Diligence (EDD) for higher-risk customers?
Yes. Where the risk-based assessment or a screening/monitoring alert identifies a customer requiring Enhanced Due Diligence — a Politically Exposed Person, a customer from a higher-risk jurisdiction, or a complex ownership structure — PNPC advises on the additional verification steps, source-of-funds and source-of-wealth documentation, and senior management approval process that EDD requires under UAE AML/CFT regulation, and helps configure the software's case management workflow to capture this documentation properly.
How does PNPC price an AML/CFT software advisory and setup engagement?
PNPC charges a fixed, agreed advisory fee for the scoping, selection, configuration, and go-live phases of the engagement, scoped to the entity's size, customer volume, and risk complexity, confirmed in writing before work begins. This advisory fee is separate from the software vendor's own licensing cost, which PNPC helps the client evaluate and negotiate but does not itself charge for. Ongoing retainer pricing for periodic review and advisory support is quoted separately once the initial scope is agreed.
What if our business decides, after review, that we do not need automated AML/CFT software at our current scale?
That is a legitimate outcome of a proper scoping exercise for a genuinely small, low-volume entity. PNPC can instead help design and document a proportionate manual screening and record-keeping process, along with clear criteria for when the business should revisit the software question as volumes or risk exposure grow. We do not recommend software procurement where the entity's actual documented risk profile does not justify it.
Can AML/CFT software help with due diligence during a business sale, investor round, or partnership?
Yes, indirectly but materially. A regulated entity that can demonstrate a properly configured, actively used AML/CFT programme — screening records, monitoring history, case management logs, and clean goAML filing history — presents a materially stronger compliance posture to an acquirer, investor, or banking partner during due diligence than one relying on undocumented manual processes. PNPC can format the AML/CFT programme's documentation specifically for a due diligence data room when a transaction is anticipated.
How does PNPC stay current on UAE AML/CFT regulatory changes that might affect our software configuration?
PNPC's compliance advisory team monitors updates from the Ministry of Economy, the UAE Central Bank, the Financial Intelligence Unit, and relevant free zone regulators, and factors regulatory changes into the periodic effectiveness reviews conducted for clients on an ongoing retainer. Where a regulatory change materially affects screening obligations, reporting timelines, or supervisory expectations, PNPC proactively flags the change and, where relevant, recommends a configuration update.
What is the first step if my business has never had any formal AML/CFT programme in place?
The first step is a scoping conversation to confirm the entity's regulatory category, the applicable supervisory authority, and whether a documented risk-based assessment, AML/CFT policy, and Compliance Officer appointment already exist. From there, PNPC proposes a sequenced plan — governance and policy foundation first if it is missing, followed by proportionate software selection and configuration — rather than jumping straight to a technology purchase.
What is 'tipping off' and how does the software workflow need to guard against it?
Tipping off is the offence of disclosing to a customer, directly or indirectly, that they are or may be the subject of a suspicious transaction report or an ongoing investigation — a prohibition set out under UAE AML/CFT law that applies regardless of the reporting entity's good intentions. Case management workflows must be designed so that alert investigation, escalation, and any subsequent account restriction or relationship review do not reveal to the customer that a report has been or may be filed. PNPC reviews the configured escalation workflow specifically for tipping-off risk — including how customer-facing staff are instructed to behave if a customer questions a delay or additional document request tied to an open investigation.
How long must screening records, alerts, and STR/SAR documentation be retained?
UAE AML/CFT regulation requires regulated entities to retain customer due diligence records, transaction records, and records relating to any suspicious transaction analysis and reporting for a minimum retention period set out in Federal Decree-Law No. 20 of 2018 and its implementing regulations, generally running for a period of years from the end of the business relationship or the date of the transaction, whichever is relevant — entities should confirm the current prescribed period with PNPC or the relevant supervisor rather than relying on a remembered figure, as retention requirements can be updated. PNPC configures the software's data retention and archival settings to meet this requirement, including ensuring records remain retrievable, not just stored, for the full retention window.
Does hosting the screening and monitoring data in the cloud raise any UAE-specific data residency concerns?
UAE AML/CFT regulation does not universally mandate that screening and monitoring data be hosted on servers physically located within the UAE, but data protection obligations under UAE federal personal data protection law, sector-specific rules (particularly for DIFC and ADGM entities under their own data protection regimes), and any group-level data governance policy can all bear on where customer and transaction data may be hosted and processed. PNPC reviews the proposed platform's hosting location and data protection terms as part of software shortlisting, flagging any residency or cross-border transfer consideration relevant to the client's specific regulatory position.
What is the realistic cost range for AML/CFT software licensing, separate from PNPC's advisory fee?
Software licensing costs vary substantially by platform tier, customer volume, and module selection (screening only versus screening plus full transaction monitoring and case management), and are set and quoted directly by the software vendor — PNPC does not mark up or take commission on licence fees. As a general orientation, a bare sanctions/PEP screening tool sized for a small DNFBP typically sits at the lower end of available platforms, while a full monitoring-and-case-management suite for a higher-volume entity commands a materially higher licence cost. PNPC presents the actual vendor quotes for shortlisted options in writing during the selection phase rather than estimating a figure in the abstract.
How does AML/CFT software setup differ for a DMCC-licensed precious metals and stones dealer versus a mainland real estate broker?
Both fall within DNFBP categories under UAE AML/CFT law, but their risk typologies and supervisory touchpoints differ. A DMCC-licensed precious metals and stones dealer typically faces higher cash-intensity risk, specific transaction-value reporting thresholds relevant to the sector, and DMCC's own compliance oversight alongside the federal framework. A mainland real estate broker under Ministry of Economy oversight typically faces lower transaction frequency but higher per-transaction value, with beneficial ownership and source-of-funds scrutiny on property purchases as the dominant risk theme. PNPC calibrates monitoring rules, screening cadence, and the case management workflow to the specific typology profile of the sector, not a generic DNFBP template.
Can PNPC support an entity with operations across multiple emirates or multiple free zones under one AML/CFT programme?
Yes. Where a single licensed entity operates across multiple emirates, or a group has related entities licensed in different free zones (each potentially under a different immediate regulator), PNPC designs a coordinated AML/CFT technology and governance approach that respects each entity's specific supervisory requirements while avoiding duplicated, inconsistent, or contradictory screening and monitoring practices across the group. Centralising the underlying platform where feasible, with entity-specific configuration layers, is often more cost-effective and easier to govern than fully separate systems per licence.
What should be in the software vendor contract to protect the business, beyond price?
Beyond licence pricing, PNPC reviews proposed vendor contracts for data ownership and portability on termination (can the entity export its full screening and case history if it switches platforms later), service-level commitments on list-update frequency and system uptime, liability and indemnity terms relevant to a compliance-critical system, and any auto-renewal or lock-in clauses that could leave the entity committed to an underperforming platform. These commercial terms sit alongside, not instead of, the configuration and effectiveness questions PNPC evaluates.
Does PNPC's AML/CFT software advisory connect to the firm's broader internal audit or IT risk assurance work?
Yes, where relevant. AML/CFT software configuration sits within PNPC's broader IT Risk & Technology Assurance practice, and for clients also engaging PNPC for internal audit, IT general controls review, or specialised audit and certification work, the AML/CFT technology environment is assessed as part of that wider control landscape rather than in isolation — avoiding duplicated fieldwork and giving management a single, coherent view of technology-dependent controls across the business.
Can AML/CFT software replace the MLRO's judgment on a suspicious transaction?
No. The configured platform generates alerts, structures the case record, and can flag a customer against sanctions or PEP lists, but the decision on whether an alert amounts to genuine suspicion warranting an STR/SAR filing through goAML remains the Compliance Officer's judgment call, informed by the totality of the evidence rather than a system-generated score alone. PNPC's configuration deliberately routes every alert to a named reviewer rather than allowing any auto-close or auto-file rule.
Does registering on goAML by itself satisfy our AML/CFT obligations as a DNFBP?
No. goAML registration gives the entity the ability to file STRs/SARs with the FIU, but it says nothing about whether the entity has a documented risk-based assessment, an AML/CFT policy, functioning CDD/EDD procedures, sanctions and PEP screening, staff training, or a working internal escalation process feeding into that portal. PNPC treats goAML registration as one checkpoint within a wider programme, not the finish line, when scoping a software advisory engagement.
How does PNPC decide the right alert-sensitivity settings during configuration?
Alert thresholds are set against the entity's own transaction and customer data — value bands, payment methods, counterparty patterns, and sector typology — rather than a vendor's generic default. PNPC tests proposed thresholds against a sample of the entity's actual historical activity before go-live specifically to see whether the rule set produces a manageable, genuinely risk-relevant alert volume, then documents the reasoning behind each threshold so it can be defended to an inspector later.
What does PNPC actually look at before recommending any specific AML/CFT platform?
Before any vendor conversation, PNPC confirms the entity's DNFBP or regulated category and supervisory authority, reviews (or helps build) the documented risk-based assessment, and profiles the actual customer base and transaction patterns. Only once that picture exists does PNPC shortlist platforms proportionate to the entity's real exposure, rather than starting from a vendor's feature list.
Is a one-off software installation enough, or does the engagement need to produce something more durable?
A configured platform with no accompanying documentation is a fragile deliverable — it cannot show an inspector why thresholds were set the way they were, who approved the configuration, or how the technology maps to the written policy manual. PNPC's engagement produces a configuration record, a calibration log, and an alignment note tying the software to the AML/CFT policy, alongside the working system itself.
We already engaged a software vendor directly — can PNPC still help?
Yes. PNPC can review an existing vendor-led configuration, identify gaps against the entity's actual risk profile and current regulatory expectations, and either recalibrate the existing setup or, where the underlying platform genuinely cannot be configured to meet the entity's needs, recommend a considered migration rather than continuing to build on a weak foundation.
How does PNPC keep AML/CFT software advice specific to our business rather than generic?
Every recommendation is tied to the entity's actual licence activity, customer segment, transaction typology, and existing governance maturity, with an explicit note of what fact — a change in customer base, transaction volume, or supervisory guidance — would change the recommendation. A real estate broker and a precious metals trader receive materially different configuration advice even though both are DNFBPs.
What should be kept on file once the AML/CFT software engagement is complete?
PNPC recommends retaining the risk-based assessment used to size the platform, the configuration and threshold rationale, testing results from the pre-go-live calibration, training records for the Compliance Officer and relevant staff, the policy-alignment review, and any correspondence with the supervisory authority — alongside the standard screening, case-management, and STR/SAR records the software itself retains.
Who inside the business should sign off on the final AML/CFT software configuration?
The registered Compliance Officer / MLRO should sign off on the configuration and workflow, since they carry personal accountability for the programme's operation, with senior management or the board acknowledging the overall setup and its resourcing implications where the entity's governance structure requires that level of sign-off.
Can PNPC guarantee a specific go-live date for the configured system?
No. PNPC controls the pace of its own scoping, configuration, and testing work, but overall timing also depends on the entity's existing governance readiness (whether a risk assessment and Compliance Officer are already in place), vendor implementation support, and the volume of historical data available for testing — all factors PNPC flags early rather than committing to a fixed date before scoping is complete.
How often should the AML/CFT software configuration itself be reviewed, separate from routine alert monitoring?
PNPC recommends a full configuration and effectiveness review at least annually, and additionally whenever the entity's customer base, transaction volumes, or geographic exposure changes materially, a new typology emerges in the sector, or UAE AML/CFT regulatory guidance is updated. Day-to-day alert monitoring is continuous, but the underlying rule set and screening parameters should not simply run untouched between reviews.
What does the final handover pack from an AML/CFT software engagement actually contain?
The handover pack includes the configuration record (screening sources, sensitivity settings, monitoring thresholds and the rationale behind them), the pre-go-live testing results, the policy-alignment note tying the software to the written AML/CFT manual, training records for the Compliance Officer and relevant staff, and a calendar for the post-go-live calibration review and subsequent periodic effectiveness reviews.
Why does PNPC set out explicitly what is not covered by an AML/CFT software advisory engagement?
AML/CFT software advisory covers technology selection, configuration, testing, and workflow design; it does not extend to conducting the entity's underlying risk-based assessment from scratch as a separate statutory deliverable, providing regulated investment or legal advice, or acting as the entity's registered Compliance Officer. PNPC states these boundaries in writing at the outset so the engagement is not mistaken for a broader compliance-outsourcing or regulated-advisory service.
Does PNPC bring in outside specialists for parts of the AML/CFT software engagement it cannot handle directly?
Yes, where needed. If the entity requires bespoke software development or deep technical integration work beyond configuring an existing platform, or if a specific legal question arises about the entity's regulatory scope, PNPC coordinates with the relevant licensed IT integrator or legal specialist while continuing to own the overall AML/CFT advisory and configuration relationship.
What is the realistic cost of delaying an AML/CFT software upgrade after an inspection has flagged a gap?
Delay after a documented inspection finding typically narrows the entity's options: a supervisor expecting remediation within a set timeframe leaves less room for a considered software selection process, increasing the risk of a rushed, poorly configured deployment or, in more serious cases, escalation to formal enforcement action under Federal Decree-Law No. 20 of 2018. PNPC prioritises finding-driven engagements precisely because the remediation clock is already running when the request reaches us.
What happens during the first scoping call for an AML/CFT software advisory engagement?
PNPC confirms the entity's licence activity and DNFBP or regulated category, identifies the relevant supervisory authority, asks whether a documented risk-based assessment and appointed Compliance Officer already exist, and gets a first-pass picture of customer volume and transaction profile. This determines whether the engagement starts with governance foundation work or moves straight to software shortlisting.
How does PNPC handle a business that wants AML/CFT software configured but has no compliance staff at all yet?
PNPC flags this as a governance gap to close before or alongside the technology work — a configured platform with no appointed, registered Compliance Officer to review its alerts is a control on paper, not a control in practice. PNPC can support the entity in scoping the Compliance Officer role and initial policy documentation in parallel with software shortlisting so both land together at go-live.
Can the same AML/CFT software configuration be reused unchanged if the entity adds a new business line?
Not without review. A new business line or customer segment can introduce risk typologies the original configuration was never designed to catch — cash-intensive activity, a new geography, or a different customer profile. PNPC reassesses the risk-based assessment and, where needed, extends screening sources and monitoring rules to cover the new exposure rather than assuming the existing setup automatically scales.
What role does the AML/CFT software play if the entity is later approached about an acquisition or investment?
A well-configured, actively used AML/CFT programme — documented screening history, case management records, and a clean goAML filing history — is evidence an acquirer or investor's due diligence team increasingly expects to see from a regulated UAE entity. PNPC can format the existing configuration records and effectiveness reviews specifically for a due diligence data room when a transaction is anticipated.
Our screening tool keeps flagging common names as sanctions matches — is that a configuration problem we can fix?
Almost always, yes. High false-positive rates on common names usually trace to match sensitivity (fuzzy-matching thresholds) left at the vendor's cautious default, no secondary identifiers (date of birth, nationality, identifier numbers) being used to disambiguate, and no documented process for clearing a false match. PNPC recalibrates the match thresholds against the entity's real customer base, configures the tool to weigh secondary identifiers, and — critically — documents the clearance rationale for each dismissed match so the decision is defensible rather than looking like an alert quietly ignored.
If a customer is flagged and we decide not to file an STR, do we still need to keep a record?
Yes, and this is one of the most consequential record-keeping points. A decision not to file is itself a compliance decision the MLRO must be able to justify later. The case-management record should capture the alert, the evidence reviewed, the reasoning, and the named person who decided the activity did not meet the suspicion threshold — with the same discipline as a decision to file. Under Federal Decree-Law No. 20 of 2018 and its implementing regulations, CDD and transaction records tied to that analysis must be retained for the prescribed period, and PNPC configures the software so a 'no-file' disposition produces a retained, retrievable record rather than simply closing the alert with no trace.
PNPC AML/CFT Software Advisory vs Typical Alternatives
| Dimension | PNPC Global (Dubai) | Software Vendor Sales Team | Generic IT Consultant |
|---|---|---|---|
| Independent of any single software vendor | Yes — advisory fee only, no referral commissions | No — inherently incentivised toward their own platform | Sometimes, but often lacks AML/CFT regulatory depth |
| Grounded in the entity's documented risk-based assessment | Standard starting point for every engagement | Rarely assessed — configuration follows generic defaults | Depends entirely on the individual consultant's compliance background |
| Familiarity with UAE Federal Decree-Law No. 20 of 2018 and sector-specific supervisory expectations | Core practice area, tracked on an ongoing basis | Generic product knowledge, not regulatory expertise | Variable, usually IT-focused rather than regulatory-focused |
| goAML workflow integration | Mapped and tested as part of setup | Sometimes offered as a technical feature, rarely process-tested | Not typically within scope |
| Policy manual and technology alignment | Reviewed and aligned as standard | Out of scope for a software vendor | Out of scope unless separately engaged |
| Compliance Officer and staff training on the specific configured tool | Included in setup | Basic product training only, not compliance-judgement training | Not typically offered |
| India-UAE group coordination for cross-border entities | Direct coordination through PNPC's Chennai, Bangalore, Hyderabad, and Dubai offices | Not available | Not available |
| Fixed, written advisory fee agreed upfront | Yes, always in writing before work begins | Licence quote only, configuration effort often unclear until underway | Variable, often time-and-materials with uncertain total cost |
| Scope boundary | Defined before execution, with exclusions and any licensed-party needs set out in writing | Often blurred or undocumented, since the sales process is oriented around closing the licence deal | Varies by consultant; rarely documented as a formal scope memo |
| Aftercare | Calendarises renewals, effectiveness reviews and control tests as part of the engagement | Stops at delivery of the licence and initial configuration | Typically stops once the initial implementation ticket is closed |
What the PNPC package includes
- 01
Regulatory scoping to confirm DNFBP or other regulated status and the relevant UAE supervisory authority
- 02
Review of, or support building, the entity's documented AML/CFT risk-based assessment before software is discussed
- 03
Independent, vendor-neutral shortlisting of screening and monitoring platforms proportionate to the entity's actual risk profile
- 04
Configuration design covering sanctions/PEP list sources, screening sensitivity, and transaction monitoring thresholds and typologies
- 05
Case management and escalation workflow design, mapped directly to the entity's goAML reporting pathway
- 06
Testing of the configured system against real historical customer and transaction data before go-live
- 07
Alignment review between the configured technology and the written AML/CFT policy and procedures manual
- 08
Tool-specific training for the Compliance Officer / MLRO and relevant frontline staff
- 09
Post-go-live calibration review based on actual alert volumes and false-positive rates
- 10
Periodic independent effectiveness review, available as an ongoing advisory retainer
- 11
Direct advisory support through supervisory inspections and any resulting remediation findings
- 12
Scope and statutory-boundary memo setting out what the engagement includes and what remains the MLRO's, the vendor's, or a specialist's responsibility
- 13
Vendor-contract review covering data portability on exit, list-update SLAs, and auto-renewal lock-in before the licence is signed
- 14
Tipping-off and escalation-script review of the customer-facing workflow against Federal Decree-Law No. 20 of 2018
- 15
Record-retention and retrievability configuration for CDD, transaction, and STR/SAR records across the statutory window
- 16
Threshold-rationale log documenting why each screening sensitivity and monitoring rule was set the way it was
- 17
Sign-off note capturing the MLRO's approval of the configuration and any senior-management or board acknowledgement required
- 18
Post-go-live calibration calendar plus a diarised annual effectiveness review
- 19
goAML workflow map linking each internal alert disposition to its STR/SAR filing pathway
- 20
Close-out pack with the configuration record, testing results, policy-alignment note, and training evidence indexed for supervisory review
Talk to PNPC's Dubai compliance team before your next inspection or your next platform renewal — an AML/CFT technology setup sized to your actual risk profile, not a vendor's default configuration.
Jurisdiction
Free zone, mainland & offshore
Ready to get started?
Tell us about your requirement — a UAE specialist responds within 24 hours.