
AML/CFT Compliance Programme Design

AML/CFT compliance in the UAE is not a policy document that sits in a drawer until an inspector asks for it.

Chartered Accountants · Dubai · Since 1986

What AML/CFT Compliance Programme Design is

An AML/CFT Compliance Programme is the documented and operational framework through which a UAE business identifies, assesses, mitigates, and reports the money laundering, terrorist financing, and proliferation financing risks it is exposed to. It is mandated under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended by Federal Decree-Law No. 26 of 2021), the executive regulations issued under it in Cabinet Decision No. 10 of 2019 (as amended), and sector-specific guidance issued by the relevant supervisory authority. For Designated Non-Financial Businesses and Professions (DNFBPs) — a category that includes real estate agents and brokers, dealers in precious metals and stones, corporate service providers, independent legal and accounting professionals conducting specified activities, and trust and company service providers — the Ministry of Economy is generally the primary supervisor (with the Ministry of Justice supervising independent legal professionals such as lawyers and notaries), alongside emirate-level and free-zone-level regulators such as DMCC for precious metals and stones businesses operating in that free zone. For licensed financial institutions and certain regulated entities, the Central Bank of the UAE, the Securities and Commodities Authority, the DFSA in DIFC, or the FSRA in ADGM may be the relevant supervisor depending on licence type and jurisdiction.

A compliant programme is built around a documented Business Risk Assessment (BRA) that evaluates the entity's exposure to money laundering and terrorist financing risk across its customer base, products and services, delivery channels, and geographic footprint. From that risk assessment flows a risk-based Customer Due Diligence (CDD) framework — including simplified due diligence for lower-risk relationships and Enhanced Due Diligence (EDD) for higher-risk customers, Politically Exposed Persons (PEPs), and relationships involving higher-risk jurisdictions. The programme must also include ongoing transaction monitoring calibrated to the entity's risk profile, sanctions and UN Consolidated List screening procedures, a documented process for identifying and filing Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) through the goAML platform administered by the UAE's Financial Intelligence Unit, record-keeping procedures compliant with the minimum retention periods prescribed under the law, an appointed and adequately resourced Compliance Officer (often referred to as the MLRO — Money Laundering Reporting Officer), and a documented staff training programme delivered at onboarding and at appropriate refresher intervals.

The distinction between having AML policies and having an AML compliance programme is where most businesses fall short. A policy document copied from a template, signed once, and never operationalised does not satisfy regulatory expectations and will not withstand an inspection. Supervisors — whether the Ministry of Economy's inspection teams, DMCC's compliance department, or a free zone authority — increasingly test whether the documented risk assessment matches the entity's actual customer base and transaction patterns, whether CDD files show real evidence of identity verification and source-of-funds enquiry (not just a checklist tick), whether the entity can demonstrate it screened customers against sanctions lists at onboarding and periodically thereafter, and whether the Compliance Officer can articulate how the programme actually functions day to day. Registered entities are also generally required to complete the annual AML/CFT return through the relevant portal, and DNFBPs must register on the goAML platform even where no STR has ever been filed.

Getting the programme design wrong carries real consequences. Administrative fines under the Decree-Law and the Cabinet Decisions issued under it can run into hundreds of thousands of dirhams per violation, and enforcement action can extend to licence suspension, restriction, or revocation by the relevant licensing authority — DED, a free zone authority, or a financial regulator — in serious or repeated cases. Beyond direct penalties, an inadequate AML programme is now a standard due diligence item for banks opening or maintaining corporate accounts, for investors conducting deal diligence, and for larger corporate counterparties conducting vendor onboarding.

The order in which the programme is built matters more than most businesses expect. The Business Risk Assessment is not paperwork you produce last to satisfy a checklist — it is the foundation every other control is calibrated against. If the BRA is wrong or generic, the CDD tiering, the EDD triggers, the monitoring thresholds, and the screening cadence are all mis-set, and an inspector who finds a BRA that does not match the actual customer book treats everything downstream as suspect. This is why a template purchased online, where the BRA is identical for a jeweller and a corporate service provider, fails on first contact: the risk assessment has no relationship to the business it supposedly governs.

The second recurring failure is the gap between the documented programme and what staff actually do. A supervisor's inspection is not a document review — it is a test of whether the paper trail in a sampled customer file matches the procedure the manual describes, and whether the appointed Compliance Officer can speak to real transactions rather than recite policy. A programme that exists only on paper — no goAML registration, no CDD files evidencing source-of-funds enquiry, no dated training records tied to named staff — is treated as no programme at all, regardless of how comprehensive the manual reads.

PNPC designs programmes proportionate to actual risk: neither a generic template that collapses under inspection, nor a bank-grade framework transplanted onto a three-person firm that then gets ignored because nobody can realistically operate it. We build the risk assessment from your real transaction history, sequence goAML registration and Compliance Officer appointment as early discrete milestones, and run a mock file review before we consider the programme live — because the gaps we find first are the gaps a supervisor does not.

When you need a formal AML/CFT compliance programme

Your business falls within the DNFBP definition — real estate brokerage or development, dealing in precious metals/stones above the prescribed cash threshold, corporate/trust service provision, or independent legal/accounting professional services involving specified activities (buying/selling real estate, managing client funds or accounts, company formation, or managing companies/trusts)

You hold a financial services licence from the Central Bank of the UAE, the Securities and Commodities Authority, DIFC's regulator, or ADGM's regulator, and are subject to that authority's AML/CFT rulebook

You are onboarding your first customers/clients and need a defensible CDD and risk-scoring framework before you can demonstrate compliance to your supervisor or to a bank during account opening

Your free zone authority (DMCC, JAFZA, or others with active AML supervisory functions) has flagged your entity for an AML/CFT inspection, compliance return, or remediation notice

You have never registered on the goAML platform despite falling within a DNFBP category — registration and an operative reporting capability are baseline expectations regardless of transaction volume

Your existing AML policy was drafted years ago, purchased as a generic template, or has never been tested against an actual transaction or customer file, and you need it rebuilt to reflect how the business actually operates

A bank, investor, or large corporate counterparty has requested evidence of your AML/CFT programme as part of their own due diligence or KYC-on-you process

You have identified a suspicious transaction but have no operative goAML capability or documented STR decision process to act on it

Your existing customer files were onboarded without proper CDD and need retrospective remediation before your next inspection or renewal

You are entering a new higher-risk customer segment, geography, or product line and your Business Risk Assessment no longer reflects the business

You need a bank-facing evidence pack demonstrating your own AML/CFT programme for an account opening or renewal in a DNFBP sector

When a full programme build may not be the immediate priority

Your activity does not fall within the DNFBP definitions and you hold no AML-regulated licence — confirm applicability first with a scoping review rather than commissioning a full programme build; PNPC offers this as an initial diagnostic

You are a very early-stage entity that has not yet commenced the regulated activity (e.g., a real estate brokerage licence obtained but no transactions yet conducted) — a lighter-weight readiness framework may be more appropriate than a full operational programme, to be scaled up before go-live

You already have a functioning, recently reviewed AML/CFT programme with a documented BRA, active goAML registration, and evidenced CDD files — what you likely need is an independent AML/CFT audit or gap assessment rather than a full programme redesign

Your immediate need is a single overdue filing (an annual AML return or a specific STR) rather than the underlying programme architecture — PNPC can address the urgent filing while scoping the broader programme work separately

Your entity is a pure holding company with no customer-facing transactions, no cash handling, and no activity that falls within any DNFBP category — confirm non-applicability in writing from your licensing authority rather than building an unnecessary programme

You expect a guarantee that no penalty will ever be imposed or that an inspection will pass regardless of your actual controls — a well-built programme reduces exposure but no advisor can guarantee a supervisor's outcome

The matter has become a criminal or contested enforcement question rather than a compliance one, and needs legal counsel with privilege rather than compliance advisory

You want a single advertised flat-fee package before sharing the licence, customer profile, and transaction data needed to scope the actual work — the right scope genuinely depends on those facts

Structure Comparison

AML/CFT obligation comparison by UAE entity type and sector exposure

| Entity Type | Primary AML Supervisor | goAML Registration | CDD/EDD Obligation | STR/SAR Filing Duty | Typical Inspection Trigger |
|---|---|---|---|---|---|
| Real estate broker/agent | Ministry of Economy (or Dubai Land Department-linked framework in Dubai) | Mandatory | Full CDD on buyer/seller; EDD for high-value or PEP-linked deals | Yes — on suspicion, regardless of deal size | Cash transactions, high-value deals, foreign buyer volume |
| Dealer in precious metals/stones (DPMS) | Ministry of Economy / DMCC (if DMCC-licensed) | Mandatory | Full CDD above cash threshold; EDD for high-value cash deals | Yes | Cash-heavy trade, cross-border shipments, DMCC compliance return |
| Corporate/trust service provider (CSP/TCSP) | Ministry of Economy | Mandatory | Full CDD on ultimate beneficial owners of every entity formed/managed | Yes | Company formation volume, nominee arrangements, UBO opacity |
| Independent accountant/auditor (specified activities) | Ministry of Economy | Mandatory if performing specified activities | Full CDD when managing client funds/accounts or forming companies | Yes | Client money handling, company formation services offered |
| Independent legal professional (specified activities) | Ministry of Justice | Mandatory if performing specified activities | Full CDD on real estate, company formation, and client fund transactions | Yes | Conveyancing, escrow handling, entity formation work |
| Bank / licensed financial institution | Central Bank of the UAE | Mandatory | Full CDD/EDD framework under Central Bank AML/CFT regulations | Yes — highest scrutiny | Routine supervisory examination, transaction monitoring alerts |
| DIFC-regulated entity | DIFC regulator (DFSA) | Mandatory where applicable | DFSA AML Module requirements | Yes | DFSA thematic reviews, licence renewal |
| ADGM-regulated entity | ADGM regulator (FSRA) | Mandatory where applicable | FSRA AML rulebook requirements | Yes | FSRA supervisory cycle, licence renewal |
| General trading LLC (non-DNFBP activity) | None directly under AML law — DED licensing oversight only | Not required unless activity crosses into a DNFBP category | Standard KYC for banking relationship, not statutory AML CDD | No statutory STR duty absent DNFBP status | Bank account opening/renewal KYC only |
| Free zone trading company (non-DNFBP) | Free zone authority licensing oversight | Not required unless activity crosses into a DNFBP category | Standard KYC for banking relationship, not statutory AML CDD | No statutory STR duty absent DNFBP status | Free zone compliance renewal, bank KYC |

This table is directional. Whether a specific entity is a DNFBP, and the precise scope of its CDD/EDD and reporting obligations, depends on the actual activities licensed and performed — not merely the trade licence category. A scoping review against your specific licensed activities and transaction patterns is the correct first step, and PNPC provides this as a standalone engagement before recommending the scope of a full programme.

How it works
| # | Stage & What PNPC Does | What Generic Template Providers Miss | Timeline |
|---|---|---|---|
| 1 | Applicability Scoping — Confirm DNFBP status and supervisory authority | We map your actual licensed activities against the DNFBP definitions in Cabinet Decision No. 10 of 2019 (as amended) — not just your trade licence description. A company with a broad 'general trading' licence that also brokers property deals is a DNFBP for that activity regardless of what the licence certificate says. We also confirm whether Ministry of Economy, a free zone authority, or a financial regulator is your effective supervisor. | Week 1 |
| 2 | Business Risk Assessment (BRA) — Entity-specific ML/TF/PF risk evaluation | A template BRA scores generic risk categories without reference to your actual customer base, deal sizes, payment methods, and geographic exposure. We build a BRA from your real transaction history and customer profile — what a supervisor actually tests during inspection is whether the BRA matches reality, not whether it exists. | Week 1–2 |
| 3 | AML/CFT Policy & Procedures Manual — Drafted to your operating model | We draft the manual around how your business actually processes a transaction from first customer contact to file closure — not a generic 40-page document copied from a different sector. Includes CDD/EDD procedures, PEP screening protocol, sanctions screening cadence, record-retention schedule, and escalation pathway to the Compliance Officer. | Week 2–3 |
| 4 | Compliance Officer / MLRO Appointment — Role definition and resourcing | The appointed Compliance Officer must have genuine authority, access to senior management, and adequate time allocation — a nominal appointment where the 'MLRO' has no real visibility into transactions is a common inspection failure point. We define the role, draft the appointment letter and reporting lines, and brief the appointee on statutory duties including STR filing authority. | Week 2–3 |
| 5 | goAML Portal Registration — FIU registration for the entity and Compliance Officer | Registration on the goAML platform (administered by the UAE Financial Intelligence Unit) is mandatory for DNFBPs regardless of whether an STR has ever been filed. We handle the registration, entity profile setup, and Compliance Officer credentialing — a step many entities discover they never completed until an inspection asks for the registration number. | Week 3 |
| 6 | Customer Due Diligence (CDD) Framework Build — Risk-scored onboarding workflow | A tiered CDD framework — simplified, standard, and enhanced — mapped to concrete risk triggers specific to your sector: cash thresholds, PEP status, high-risk jurisdiction exposure, complex ownership structures. We build the actual onboarding form, UBO identification methodology, and documentary evidence checklist your staff will use. | Week 3–4 |
| 7 | Sanctions & PEP Screening Setup — Screening tool selection and screening cadence | Screening against the UN Consolidated List and the UAE Local Terrorist List must happen at onboarding and on an ongoing basis, not as a one-time check. We advise on appropriate screening tools proportionate to your transaction volume and set the review cadence — daily list-update checks for higher-volume entities, periodic re-screening for the full customer book. | Week 4 |
| 8 | Transaction Monitoring Design — Thresholds and red-flag indicators for your sector | Generic red-flag lists copied from a bank's AML manual do not fit a real estate brokerage or a precious metals dealer. We calibrate monitoring thresholds and red flags to your actual product/service and payment patterns — structuring, unusual cash volumes, third-party payments, rapid resale patterns for real estate, and sector-specific indicators. | Week 4–5 |
| 9 | STR/SAR Filing Protocol — Internal escalation to goAML submission | We build the internal decision pathway: what triggers an internal report to the Compliance Officer, how the Compliance Officer evaluates and documents the decision to file (or not file) an STR, and the actual mechanics of submitting through goAML — including the tipping-off prohibition under the Decree-Law that staff must understand before any customer interaction follows a report. | Week 5 |
| 10 | Staff Training Programme — Role-specific training and evidenced completion | Training that is not documented, dated, and tied to specific staff by name does not satisfy inspection evidence requirements. We design onboarding training and an annual refresher programme, deliver an initial training session, and set up the record-keeping (attendance, materials, assessment) that demonstrates the training actually happened. | Week 5–6 |
| 11 | Record-Keeping & File Structure Setup — Retention-compliant documentation system | The law prescribes minimum retention periods for CDD records, transaction records, and STR-related documentation. We set up a file structure — physical or digital — that meets retention requirements and can be produced intact and complete during an inspection, including UBO documentation trails for company formation service providers. | Week 6 |
| 12 | Independent Review & Sign-Off — Pre-launch programme test | Before we consider the programme live, we run a mock file review — testing whether a sample customer file would actually pass inspection scrutiny. Gaps identified here are fixed before your supervisor finds them, not after. | Week 6–7 |
| 13 | Annual AML/CFT Return & Ongoing Advisory — Continuing compliance support | The programme does not end at design. Annual AML/CFT returns to the relevant portal, periodic BRA refresh, ongoing screening list updates, and STR advisory as live situations arise are all part of keeping the programme operative. PNPC remains engaged as your compliance advisory partner, not a one-time document vendor. | Ongoing — annually and as needed |
| 14 | Retrospective CDD remediation — Back-book existing customer files brought up to current CDD/EDD standard | A new programme applied only to new customers leaves the entire existing book non-compliant — inspectors sample old files, not just new onboarding. We remediate the back-book, prioritising higher-risk and higher-value relationships first. | Parallel to build, as needed |
| 15 | Annual self-assessment survey support — Complete the Ministry of Economy AML/CFT survey within the open window | The survey opens on the authority's calendar, not the client's, and missing the window is a standalone penalisable failure independent of any inspection. | When the survey opens |
| 16 | STR decision-log discipline — Documented reasoning for every escalation, including decisions not to file | An empty STR log against a busy customer book reads as a monitoring failure. We ensure suspicions considered-and-cleared are documented, not just STRs actually filed. | Ongoing |

Realistic end-to-end timeline for a full programme build: 6–8 weeks from applicability scoping to a fully operative, inspection-ready programme, depending on entity complexity and the volume of historical customer files that need retrospective CDD remediation. Entities with an existing but deficient programme can often be remediated faster where the core documentation exists and only specific gaps need closing.
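The stages above describe controls in prose; the following Python is an added example (not PNPC's methodology, not goAML or any regulator's tooling) showing what the CDD tiering of stage 6, the normalised name screening of stage 7, the structuring and third-party-payment red flags of stage 8, and the "decisions not to file" discipline of stages 9 and 16 look like as code. The cash threshold, the high-risk jurisdiction codes, the sanctions list entries and the sample customers and transactions are all constructed placeholders: the page does not state the prescribed cash threshold, and the real UN Consolidated List is not reproduced here.

```python
# Added example, not the firm's or a regulator's tooling. Thresholds, jurisdiction
# codes and list entries are CONSTRUCTED placeholders (assumptions), not statutory values.
from __future__ import annotations
import unicodedata
from dataclasses import dataclass, field
from datetime import date

CASH_THRESHOLD_AED = 50_000                                # assumption only
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}                     # placeholder codes
SANCTIONS_LIST = ["Acme Holdings FZE", "John Q. Sample"]   # fictitious entries

def normalise(name: str) -> str:
    """Upper-case, fold accents, keep only letters/digits, so 'F.Z.E.' matches 'FZE'."""
    folded = unicodedata.normalize("NFKD", name).upper()
    return "".join(ch for ch in folded if ch.isalnum())

def screen(name: str, designations=SANCTIONS_LIST) -> bool:
    """Exact match on normalised names; production tooling adds fuzzy/alias matching."""
    target = normalise(name)
    return any(normalise(entry) == target for entry in designations)

@dataclass
class Customer:
    name: str
    country: str                 # placeholder two-letter code
    is_pep: bool = False
    ownership_layers: int = 1    # corporate layers above the natural-person UBO
    remote_onboarding: bool = False
    regulated_fi: bool = False   # customer is itself a supervised institution

def cdd_tier(c: Customer) -> tuple[str, list[str]]:
    """Return ('SDD'|'CDD'|'EDD', triggers); any hard trigger forces EDD."""
    checks = [  # (hit, label, hard EDD trigger?)
        (c.is_pep, "PEP", True),
        (screen(c.name), "sanctions match", True),
        (c.country in HIGH_RISK_JURISDICTIONS, "high-risk jurisdiction", True),
        (c.ownership_layers >= 3, "complex ownership", True),
        (c.remote_onboarding, "non-face-to-face", False),
    ]
    triggers = [label for hit, label, _ in checks if hit]
    if any(hit and hard for hit, _, hard in checks):
        return "EDD", triggers
    if not triggers and c.regulated_fi:  # SDD only for a flag-free regulated customer
        return "SDD", triggers
    return "CDD", triggers

@dataclass
class Txn:
    customer: str
    amount_aed: int
    method: str                  # "cash" or "transfer"
    when: date
    payer: str | None = None     # set when someone other than the customer pays

def structuring_alerts(txns, threshold=CASH_THRESHOLD_AED, window_days=7, min_count=2):
    """Flag sub-threshold cash payments whose rolling-window total reaches the threshold."""
    by_customer: dict[str, list[Txn]] = {}
    for t in sorted(txns, key=lambda t: t.when):
        if t.method == "cash" and t.amount_aed < threshold:
            by_customer.setdefault(t.customer, []).append(t)
    alerts = []
    for cust, items in by_customer.items():
        for i, start in enumerate(items):
            window = [t for t in items[i:] if (t.when - start.when).days < window_days]
            total = sum(t.amount_aed for t in window)
            if len(window) >= min_count and total >= threshold:
                alerts.append({"customer": cust, "from": start.when, "count": len(window), "total": total})
                break  # one alert per customer is enough to escalate
    return alerts

def third_party_payment_alerts(txns):  # payer is not the customer of record
    return [t for t in txns if t.payer and normalise(t.payer) != normalise(t.customer)]

@dataclass
class DecisionLog:  # every escalation is recorded, including reasoned decisions NOT to file
    entries: list[dict] = field(default_factory=list)
    def record(self, alert, filed: bool, rationale: str, decided_on: date) -> None:
        self.entries.append({"alert": alert, "filed": filed, "rationale": rationale, "on": decided_on})

def run_demo() -> dict:  # constructed sample book exercising each control
    customers = [
        Customer("Blue Oasis Trading LLC", "ZZ"),
        Customer("Acme Holdings F.Z.E.", "ZZ"),
        Customer("Nadia Example", "XX", is_pep=True, remote_onboarding=True),
    ]
    txns = [
        Txn("Blue Oasis Trading LLC", 30_000, "cash", date(2024, 3, 1)),
        Txn("Blue Oasis Trading LLC", 25_000, "cash", date(2024, 3, 3)),
        Txn("Blue Oasis Trading LLC", 20_000, "cash", date(2024, 3, 6)),
        Txn("Nadia Example", 120_000, "transfer", date(2024, 3, 4), payer="Third Party Co"),
    ]
    log, decided = DecisionLog(), date(2024, 3, 7)
    structuring = structuring_alerts(txns)
    for a in structuring:
        log.record(a, True, "three sub-threshold cash payments in six days", decided)
    third_party = third_party_payment_alerts(txns)
    for t in third_party:
        log.record(t, False, "payer is the customer's documented employer; evidence on file", decided)
    return {"tiers": {c.name: cdd_tier(c) for c in customers}, "structuring": structuring,
            "third_party": [t.customer for t in third_party], "log_size": len(log.entries)}
```

Two design points carry over to real tooling. Screening compares normalised names, so a dotted abbreviation or a stray accent does not let a listed name slip through, and a customer who matches the list is forced into EDD whatever else the profile says. The structuring check works on a rolling window per customer rather than per transaction, which is why three payments of AED 20,000 to 30,000 in a week surface as one alert even though none of them individually crosses the (here constructed) threshold; and the decision log records the cleared third-party payment alongside the filed structuring alert, so an inspector sees reasoning, not an empty log.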

Document Checklist
Entity & Licensing Documents

Trade licence copy showing all licensed activities — not just the primary activity — as this determines DNFBP classification

Certificate of Incorporation / Commercial Registration extract

Memorandum and Articles of Association or equivalent constitutional document

Free zone or DED licence renewal history, if applicable, to confirm continuous licensing status

Shareholding/ownership structure chart identifying Ultimate Beneficial Owners (UBOs) down to natural persons

Organisational chart identifying who will be appointed Compliance Officer/MLRO and their reporting line to senior management

Existing Compliance Materials (If Any)

Any existing AML/CFT policy or procedures manual, however outdated, for gap analysis against current requirements

Any prior Business Risk Assessment document

goAML registration confirmation, if the entity has previously registered

Record of any prior STR/SAR filings, including goAML reference numbers

Any correspondence from Ministry of Economy, a free zone authority, or a financial regulator relating to AML/CFT inspections, notices, or remediation requirements

Staff training records or certificates from any prior AML training delivered

Operational & Transaction Data

Description of actual services offered and how a typical transaction/engagement flows from first client contact to completion

Sample customer/client files (anonymised if needed for initial review) showing current onboarding documentation practices

Transaction volume and value data for the past 12 months, broken down by payment method (cash, bank transfer, cheque, other)

List of jurisdictions from which customers/clients typically originate, to assess geographic risk exposure

Details of any customers or transactions involving Politically Exposed Persons (PEPs), if known

Payment and banking relationship details — which banks the entity uses for customer-related transactions

For Real Estate Brokers/Developers Specifically

Sample sale/purchase agreement templates currently in use

Details of typical deal values and the proportion involving cash or third-party payment

Escrow account arrangements, if the entity holds client funds

RERA or equivalent local real estate regulatory registration details, where applicable

For Corporate/Trust Service Providers Specifically

List of entities currently formed/managed on behalf of clients, with UBO identification status for each

Nominee director/shareholder arrangements currently in place, if any, and the disclosure documentation held

Standard company formation engagement letter and client onboarding forms currently used

For Dealers in Precious Metals & Stones Specifically

Details of typical transaction values and cash-handling volume against the prescribed reporting threshold

Supplier and customer base geographic profile

DMCC or relevant free zone compliance return history, if applicable

Post-Design Operational Documents (PNPC Prepares)

AML/CFT Policy & Procedures Manual, tailored to the entity

Business Risk Assessment document

CDD/EDD onboarding forms and UBO identification methodology

Sanctions and PEP screening protocol document

Transaction monitoring red-flag and escalation matrix

STR/SAR internal reporting and goAML filing protocol

Staff training materials and attendance/record templates

Record-retention schedule and file structure guide

AML governance file

Business risk assessment and customer-risk methodology

AML/CFT policies, procedures and MLRO appointment records

Sanctions/PEP screening settings and evidence

Staff training logs and board/management approvals

Customer and transaction evidence

CDD/KYC files and beneficial-owner records

EDD files for high-risk customers

Transaction-monitoring alerts and disposition notes

STR/SAR escalation and goAML submission records where relevant

Ongoing obligations
| Phase | Triggered By | PNPC Compliance Guidance | Risk If Ignored |
|---|---|---|---|
| Applicability Determination | New licence issued or activity expansion | Scope the entity's actual activities against DNFBP definitions under Cabinet Decision No. 10 of 2019 (as amended); confirm supervisory authority; determine whether goAML registration is required. | Operating as an unregistered DNFBP is itself a compliance failure — supervisors do not accept 'we did not know we qualified' as a defence during inspection. |
| Programme Design & Build | Confirmed DNFBP status or regulator direction | Business Risk Assessment, policy manual, CDD/EDD framework, screening protocols, STR pathway, and training programme built and documented. | A missing or template-only programme is the single most common finding in Ministry of Economy and free zone AML inspections, and typically triggers the largest administrative penalties. |
| goAML Registration & Compliance Officer Appointment | Programme design phase / regulator notice | Entity and Compliance Officer registered on the goAML platform; appointment formalised with clear authority and reporting lines to senior management. | Unregistered entities cannot file STRs even when a suspicious transaction is identified — creating a compounding compliance failure on top of the underlying detection gap. |
| Live Operations — Ongoing CDD | Every new customer/client relationship | Risk-scored onboarding applied consistently; UBO identification completed and documented for every corporate customer; EDD triggered automatically for PEPs and high-risk profiles. | Inconsistent or undocumented CDD is the most frequent file-level inspection failure — supervisors sample customer files and test whether the paper trail supports the risk rating assigned. |
| Live Operations — Screening & Monitoring | Every transaction and periodic review cycle | Sanctions/PEP screening at onboarding and on a defined ongoing cadence; transaction monitoring against sector-calibrated red flags; internal escalation logged even where no STR results. | Failure to screen against updated sanctions lists exposes the entity to dealing with a designated person — a serious violation carrying both AML and broader legal consequences beyond administrative fines. |
| Suspicious Transaction Identified | Red flag triggers internal review | Compliance Officer evaluates, documents the decision, and files an STR/SAR via goAML where warranted — without alerting the customer (tipping-off prohibition under the Decree-Law). | Failure to file, or tipping off the customer, is a standalone offence under Federal Decree-Law No. 20 of 2018 (as amended) independent of the underlying suspected activity. |
| Annual Review Cycle | 12-month anniversary of programme / calendar deadline | Business Risk Assessment refreshed against the past year's actual customer and transaction data; annual AML/CFT return filed through the relevant portal; staff refresher training delivered and evidenced. | A stale BRA that no longer reflects the business is treated by supervisors as equivalent to having no risk assessment at all; missed annual returns attract separate penalties from the licensing/supervisory authority. |
| Regulatory Inspection | Scheduled cycle or risk-triggered by supervisor | Pre-inspection file review, Compliance Officer briefing, and representation support during the inspection; remediation plan drafted for any findings. | Unaddressed inspection findings escalate to formal notices, larger administrative penalties, and in serious or repeated cases, licence suspension or revocation by the relevant licensing authority. |
| Programme Remediation | Inspection finding or internal gap discovery | Root-cause gap analysis; policy and procedure amendment; retrospective CDD remediation for affected customer files; evidence pack prepared for supervisor follow-up. | Repeat findings on the same issue are treated far more seriously by supervisors than a first-time finding — indicating a systemic, not isolated, compliance failure. |
| Ownership or Control Change | New UBO, new shareholder, or change in the entity's own control structure | Update the entity's own beneficial-owner records; reassess whether the change alters the risk profile or introduces PEP/sanctions exposure; refresh the BRA where material. | A stale ownership record undermines both AML CDD credibility and the entity's separate Real Beneficial Owner register obligations, and can surface as an inconsistency an inspector or bank flags. |
Frequently asked
What is a DNFBP and how do I know if my UAE business qualifies?

DNFBP stands for Designated Non-Financial Business or Profession — a category defined under UAE AML/CFT law that captures specific business activities considered higher-risk for money laundering even though they are not financial institutions. Under Cabinet Decision No. 10 of 2019 (as amended), the DNFBP categories broadly include: real estate agents and brokers when involved in transactions concerning the buying and selling of real estate; dealers in precious metals and stones when engaged in cash transactions above a prescribed threshold; independent legal professionals and accountants when preparing for or carrying out transactions involving buying/selling real estate, managing client money/securities/assets, managing bank/savings/securities accounts, organising contributions for company formation/operation/management, or forming/operating/managing legal persons or arrangements; and corporate and trust service providers offering company formation and management services (including registered agents and nominee arrangements). What matters is the activity actually performed, not the label on your trade licence.

Practitioner note: We regularly encounter entities with a broad 'general trading' or 'business consultancy' trade licence that are, in practice, performing company formation or real estate brokerage services and are therefore DNFBPs without realising it. The activity governs the obligation — not the licence category printed on the certificate.
What is the legal basis for AML/CFT obligations in the UAE?

The primary statute is Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, as amended by Federal Decree-Law No. 26 of 2021. The executive regulations are set out in Cabinet Decision No. 10 of 2019, as subsequently amended, which details DNFBP categories, CDD requirements, and administrative penalties. Various Ministerial Decisions and supervisory-authority-specific guidance (from the Ministry of Economy, the Ministry of Justice for independent legal professionals, individual free zone authorities, and financial regulators such as the Central Bank, DFSA, and FSRA) provide operational detail applicable to specific sectors.

Practitioner note: The framework is periodically updated in response to FATF (Financial Action Task Force) evaluation cycles and UAE-specific action plans. We track amendments as they are issued rather than relying on a static reading of the original 2018/2019 texts — a programme built against an outdated version of the regulations will have gaps.
What is goAML and why do I need to register even if I've never filed a report?

goAML is the electronic platform administered by the UAE's Financial Intelligence Unit (FIU) through which reporting entities register, submit Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory reports. Registration on goAML is a standalone obligation for DNFBPs and other reporting entities — it is required regardless of whether the entity has ever identified a suspicious transaction. Supervisors treat an unregistered entity as non-compliant on its face, independent of its actual transaction history.

Practitioner note: This is one of the most common gaps we find at first engagement — a business that has operated for years, has a reasonable customer base, but never completed goAML registration because nobody flagged it as a distinct step from having an AML policy. We handle the registration as a discrete early milestone in every engagement.
What does a Business Risk Assessment (BRA) actually need to contain?

A BRA is a documented evaluation of the money laundering, terrorist financing, and proliferation financing risks the specific entity is exposed to, assessed across at least four dimensions: customer risk (types of customers, PEP exposure, beneficial ownership complexity), product/service risk (which of your services carry higher inherent ML/TF risk), delivery channel risk (face-to-face versus remote/digital onboarding), and geographic risk (jurisdictions your customers and counterparties are based in or transact with, including any exposure to higher-risk jurisdictions). The BRA should conclude with an overall risk rating and specific mitigating controls tied to each identified risk — not just a generic risk statement.

Practitioner note: The BRA is the document supervisors interrogate first during an inspection, because everything else in the programme — CDD tiering, monitoring thresholds, EDD triggers — should trace back to it. A BRA that reads like it was written for a different type of business (a common symptom of purchased templates) is an immediate red flag to an inspector.
What is the difference between CDD and EDD, and when does EDD apply?

Customer Due Diligence (CDD) is the baseline identity verification and risk assessment performed on every customer or client before or during onboarding — verifying identity, understanding the nature of the business relationship, and identifying beneficial ownership for corporate customers. Enhanced Due Diligence (EDD) is a more intensive version applied to higher-risk relationships: Politically Exposed Persons (PEPs) and their close associates/family members, customers from higher-risk jurisdictions, complex or opaque ownership structures, unusually large or structured transactions, and any relationship the risk assessment otherwise flags as elevated risk. EDD typically requires additional identity verification, source-of-funds and source-of-wealth enquiry, senior management approval to onboard, and more frequent ongoing monitoring.

Practitioner note: PEP screening is not a one-time check at onboarding — a customer can become a PEP after the relationship begins (a change in political office, for example), and ongoing screening needs to catch that. We build periodic re-screening into every CDD framework, not just point-in-time onboarding checks.
Who can be appointed as Compliance Officer / MLRO, and what does the role actually require?

The Compliance Officer (often referred to functionally as the Money Laundering Reporting Officer or MLRO) should be a person with sufficient seniority, independence, and access to be able to receive internal reports, make STR filing decisions, and engage directly with senior management and, where necessary, the regulator. The role requires genuine time allocation — not a title added to an existing job description with no practical change in duties — and direct access to customer files and transaction data. For smaller entities, the role can be combined with another senior function, but the AML responsibilities and authority must be real and demonstrable.

Practitioner note: Inspectors frequently test this by asking the appointed Compliance Officer direct questions about specific customer files or recent transactions. A nominal appointee who cannot answer basic questions about the business's actual customer base is treated as evidence the programme is not genuinely operative, regardless of what the policy document says.
What is an STR, and what happens after we file one?

A Suspicious Transaction Report (STR) — or Suspicious Activity Report (SAR) where no specific transaction has yet occurred — is a mandatory report filed via goAML when a reporting entity has reasonable grounds to suspect that funds or a transaction is connected to money laundering, terrorist financing, or proceeds of a predicate crime. Once filed, the FIU reviews and may request further information from the reporting entity. Crucially, the entity must not disclose to the customer, or to anyone outside the permitted internal escalation chain, that an STR has been or will be filed — a prohibition known as 'tipping off,' which is itself an offence under the Decree-Law.

Practitioner note: We build the internal escalation and documentation process specifically so that frontline staff know what to observe and report internally, while only the Compliance Officer makes the actual filing decision and interacts with goAML — this keeps the tipping-off risk contained to a small, trained group rather than spread across the whole team.
How often does the AML/CFT programme need to be reviewed or updated?

At minimum, the Business Risk Assessment should be reviewed annually, or sooner if there is a material change in the business — new products/services, new customer segments, entry into new geographic markets, or a significant change in transaction volume or type. Policies and procedures should be reviewed against the current version of the law and any updated supervisory guidance at least annually. Staff training should include an annual refresher, in addition to onboarding training for new hires. Sanctions and PEP screening lists should be checked for updates on an ongoing basis, not merely at the annual review point.

Practitioner note: A programme frozen at its initial design date and never revisited is functionally equivalent, from a supervisor's perspective, to having no programme at all after enough time has passed. We build the annual review into the engagement scope rather than treating programme design as a one-time deliverable.
What are the penalties for non-compliance with UAE AML/CFT requirements?

Cabinet Decision No. 10 of 2019 (as amended) sets out a schedule of administrative penalties for specific violations — including failure to register, failure to appoint a Compliance Officer, failure to conduct or maintain CDD records, failure to file STRs, and tipping off — with penalties that can run into the hundreds of thousands of dirhams depending on the violation and its severity, and which can be levied per violation. Beyond administrative fines, the relevant licensing authority (DED, a free zone authority, or a financial regulator) can suspend or revoke the trade licence in serious or repeated non-compliance cases, and certain violations carry criminal exposure under the broader provisions of the Decree-Law.

Practitioner note: We deliberately avoid quoting a single specific fine figure for a given violation in general advisory conversations, because penalty amounts and their application depend on the specific violation, its severity, and the supervisor's assessment at the time — a business should get its actual exposure assessed against its specific facts rather than working from a generic figure.
Does a free zone company need a separate AML/CFT programme from a mainland company?

The underlying federal AML/CFT law applies across the UAE regardless of mainland or free zone status — what differs is the day-to-day supervisory authority. A mainland DNFBP typically falls under Ministry of Economy supervision. A free-zone-licensed entity performing a DNFBP activity may fall under both the Ministry of Economy framework and, for some free zones with an active compliance function (DMCC being a prominent example for dealers in precious metals and stones), an additional free-zone-level compliance return and inspection regime. The substantive programme requirements are broadly consistent, but the registration, reporting, and inspection touchpoints can differ by free zone.

Practitioner note: We check the specific free zone's own compliance department requirements in addition to the federal framework — DMCC in particular runs its own periodic AML compliance return process for its licensed DPMS (dealers in precious metals and stones) and related entities that is distinct from, but complementary to, the federal goAML registration.
We are a small company service provider with only a handful of clients. Do we really need a full programme?

Yes, in substance, though the programme should be proportionate to your size and risk profile — proportionality is itself a recognised principle in a risk-based AML framework. A company service provider forming even a small number of entities is handling UBO identification, nominee arrangements, and company formation activity that sits squarely within the DNFBP definition regardless of client count. The core obligations — registration, a risk assessment, CDD on every client, a Compliance Officer, and the capacity to file an STR — apply irrespective of scale, though the sophistication of your monitoring systems and the depth of documentation can reasonably scale with your size.

Practitioner note: We design programmes for small CSPs and boutique advisory firms that are genuinely operable by a two- or three-person team — the goal is a programme the business can actually run day to day, not a large-firm framework transplanted onto a small operation that then gets ignored because it is unworkable.
What is the tipping-off prohibition and how does it affect how we handle a suspicious customer?

The tipping-off prohibition, set out in the Decree-Law, prohibits a reporting entity or its staff from disclosing to the customer (or to any third party) that an STR has been filed, is being considered, or that an investigation is underway, where that disclosure could prejudice an investigation. In practice, this means frontline staff should not confront a customer about suspected activity, should not explain a delay or account restriction by referencing an AML concern, and should escalate internally through the defined pathway to the Compliance Officer rather than acting independently.

Practitioner note: We train staff specifically on this point because the natural instinct — especially for client-facing staff — is to explain a delay or ask the customer directly about a concern. We build simple, non-disclosing language into training materials for situations where a customer asks why a transaction or onboarding is taking longer than usual.
How does UAE Corporate Tax or VAT registration interact with AML/CFT obligations?

They are separate regulatory regimes administered by different authorities — the Federal Tax Authority for Corporate Tax and VAT, and the Ministry of Economy or sector regulators for AML/CFT — and compliance with one does not substitute for the other. However, in practice they intersect operationally: proper AML CDD and UBO identification records often support the ownership and beneficial-interest disclosures relevant to tax registration and Economic Substance Regulations assessments, and a business with disorganised AML files often also struggles with clean tax documentation, since both stem from the same underlying record-keeping discipline.

Practitioner note: We generally recommend a business address its AML/CFT, Economic Substance Regulations, and tax registration obligations as a coordinated compliance calendar rather than as disconnected projects handled by different advisors — the underlying entity, ownership, and transaction data overlaps significantly across all three.
What sanctions lists must we screen against, and how often?

UAE reporting entities are required to screen customers and transactions against the UN Security Council Consolidated List (sanctions relating to terrorism, proliferation financing, and specific country regimes) and the UAE's Local Terrorist List maintained under domestic legislation. Screening should occur at the point of onboarding and on an ongoing basis thereafter, since both lists are updated periodically and a previously clear customer can be added to a list after the relationship begins. Entities should also be alert to other sanctions regimes (applicable regional or bilateral frameworks) where their customer base or transaction flows have cross-border exposure.

Practitioner note: We advise on a screening cadence proportionate to transaction volume — for higher-volume or higher-risk entities, this typically means checking for list updates far more frequently than an annual review cycle, since a gap between a list update and your next screening cycle is exactly the kind of gap an inspector will test for.
Can PNPC act as our outsourced Compliance Officer / MLRO?

PNPC's role is primarily to design, build, remediate, and periodically review your AML/CFT programme, train your team, and provide ongoing advisory support — including guidance to your appointed Compliance Officer on specific STR decisions and inspection responses. Depending on the engagement and your specific regulatory category, outsourced or fractional compliance officer arrangements may be structured, but the appropriateness of an outsourced MLRO arrangement depends on your specific regulator's expectations and entity type — this is assessed and agreed explicitly as part of scoping, not assumed by default.

Practitioner note: Some supervisory frameworks are comfortable with a properly structured outsourced compliance function; others expect the Compliance Officer to be an internal appointee with direct employment ties to the entity. We confirm the position for your specific supervisor before proposing an outsourcing structure.
What triggers an AML/CFT inspection from the Ministry of Economy or a free zone authority?

Inspections can be routine (scheduled as part of a supervisor's ongoing oversight cycle across licensed DNFBPs), risk-triggered (following a sector-wide concern, a specific complaint, or an unusual pattern flagged through other regulatory touchpoints), or prompted by a renewal cycle where AML compliance documentation is requested as part of trade licence renewal. Free zones with active compliance functions, such as DMCC for precious metals and stones dealers, may run their own periodic compliance return process that itself can surface issues warranting a closer inspection.

Practitioner note: We recommend treating every trade licence renewal as an implicit AML compliance check-point even where the licensing authority does not explicitly request AML documentation at renewal — building the habit of an annual internal review ahead of renewal avoids being caught unprepared if the authority does ask.
What happens during an actual Ministry of Economy or free zone AML inspection?

Typically, the inspector requests the entity's AML/CFT policy and procedures manual, the Business Risk Assessment, evidence of goAML registration, a sample of customer/client files to test CDD and EDD application, records of any STRs filed (or a documented basis for none having been filed), staff training records, and confirmation of the Compliance Officer's appointment and role. The inspection tests whether the documented programme reflects actual practice — mismatches between policy and observed file evidence are the most common source of findings.

Practitioner note: We prepare clients for inspections with a mock file review beforehand — pulling a representative sample of actual customer files and testing them exactly as an inspector would, so that any gaps are found and fixed by us first, not flagged for the first time by the regulator.
How does PNPC price AML/CFT compliance programme design?

PNPC agrees a fixed, written scope and fee before any work begins, based on the applicability scoping outcome — the fee for a small CSP with a handful of clients differs meaningfully from a real estate brokerage with high transaction volume or a DPMS with significant cash handling. The fee covers the full programme build as scoped: BRA, policy manual, CDD/EDD framework, goAML registration, screening protocol, STR pathway, training delivery, and a pre-launch mock review. Ongoing annual review and advisory support is quoted separately as a retainer, agreed only once the client has seen the value of the initial build.

Practitioner note: We do not price AML programme design as a flat, one-size-fits-all package advertised online — the actual scope of work depends heavily on transaction volume, existing documentation quality, and whether retrospective remediation of historical customer files is needed. We provide a written fee proposal after the applicability scoping step, not before.
We already have an AML policy from a template provider. Can PNPC just review it instead of starting fresh?

Yes — this is a common and often more cost-effective starting point. We run a gap analysis comparing the existing document against current regulatory requirements and, more importantly, against how the business actually operates. In many cases the core policy structure can be retained with targeted amendments, while the operational gaps — goAML registration, actual CDD file evidence, Compliance Officer resourcing, and training records — are what genuinely need building out, since a template document is rarely the whole problem.

Practitioner note: We have reviewed template AML policies that were technically comprehensive on paper but had never been operationalised — no goAML registration, no CDD files matching the stated procedures, no training records. The document was fine; the operating programme behind it did not exist. We assess both separately.
What is proliferation financing, and why does it appear alongside money laundering and terrorist financing in UAE AML law?

Proliferation financing refers to the provision of funds or financial services used, in whole or in part, for the manufacture, acquisition, development, or use of weapons of mass destruction and their delivery systems, often in connection with international sanctions regimes targeting specific states or entities. The UAE's AML/CFT framework, aligned with FATF standards, requires reporting entities to consider proliferation financing risk alongside money laundering and terrorist financing risk within their Business Risk Assessment and screening procedures — particularly relevant for entities with cross-border trade, precious metals dealing, or exposure to sanctioned jurisdictions.

Practitioner note: For most DNFBPs with a purely domestic UAE customer base and no cross-border trade exposure, proliferation financing risk will typically be assessed as low — but the BRA still needs to document that this risk category was considered and why it was rated as it was, rather than omitting it entirely.
How does beneficial ownership (UBO) identification work for corporate customers?

For a corporate customer, CDD requires identifying and verifying the Ultimate Beneficial Owner(s) — the natural person(s) who ultimately own or control the customer entity, typically through a specified ownership threshold (commonly 25% or more, though the applicable threshold and methodology should be confirmed against current regulatory guidance) or through other means of control such as voting rights or the ability to appoint senior management. Where a corporate customer has a layered ownership structure — one company owned by another, owned by another — CDD requires looking through the layers to the natural persons at the top, not stopping at the first corporate layer.

Practitioner note: Layered offshore ownership structures are exactly where CDD files most often fall short — a file that verifies only the immediate corporate shareholder, without looking through to the natural person UBO, will not satisfy an inspector and is one of the most common findings we see when reviewing client files at other firms.
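To make the look-through concrete, here is an added worked example (it is not from the original page and is not a PNPC tool) that walks a constructed, invented share register down to the natural persons and aggregates each person's effective percentage across every chain. It assumes the 25% threshold mentioned above and that ownership data is on file for every intermediate holder; where it is not, or where companies hold each other in a loop, it reports a gap instead of a clear.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample share register for this example. Every entity and person
# name is invented. Each value lists (holder, fraction of that company's shares
# held by the holder). A holder that is not a key has no register data on file.
NATURAL_PERSONS = {"Person X", "Person Y", "Person Z"}
OWNERSHIP = {
    "Customer LLC": [("HoldCo A", Fraction(60, 100)), ("HoldCo B", Fraction(40, 100))],
    "HoldCo A": [("Person X", Fraction(50, 100)), ("Person Y", Fraction(50, 100))],
    "HoldCo B": [("HoldCo C", Fraction(90, 100)), ("Offshore Nominee Ltd", Fraction(10, 100))],
    "HoldCo C": [("Person Z", Fraction(70, 100)), ("Person X", Fraction(30, 100))],
}

# Constructed cross-holding: Loop A and Loop B own each other, Person Q owns half of Loop B.
CIRCULAR_SAMPLE = {
    "Loop A": [("Loop B", Fraction(1))],
    "Loop B": [("Loop A", Fraction(1, 2)), ("Person Q", Fraction(1, 2))],
}


def first_layer_natural_persons(entity, register, natural_persons):
    """What a file that stops at the immediate shareholders records: only the
    natural persons named directly on the customer's own register."""
    return [holder for holder, _ in register.get(entity, []) if holder in natural_persons]


def effective_ownership(entity, register, natural_persons, _path=()):
    """Look through every corporate layer and return {holder: effective fraction}.

    A natural person's effective fraction is the sum, over every chain that
    reaches them, of the product of the fractions along that chain. A circular
    holding or a corporate holder with no register data is reported under a
    CIRCULAR:/UNRESOLVED: key rather than silently dropped, because both are
    CDD gaps that need a human decision, not a clear.
    """
    result = defaultdict(Fraction)
    for holder, frac in register.get(entity, []):
        if holder in natural_persons:
            result[holder] += frac
        elif holder == entity or holder in _path:
            result["CIRCULAR:" + holder] += frac
        elif holder in register:
            sub = effective_ownership(holder, register, natural_persons, _path + (entity,))
            for who, sub_frac in sub.items():
                result[who] += frac * sub_frac
        else:
            result["UNRESOLVED:" + holder] += frac
    return dict(result)


def ubo_report(entity, register, natural_persons, threshold=Fraction(25, 100)):
    """Return (ubos, gaps): natural persons at or above the threshold as
    (name, percent) sorted descending, plus any CIRCULAR:/UNRESOLVED: holdings.
    25% is the commonly cited threshold; confirm the applicable figure against
    current guidance before relying on it (assumption for this example)."""
    effective = effective_ownership(entity, register, natural_persons)
    ubos = sorted(
        ((who, float(frac * 100)) for who, frac in effective.items()
         if who in natural_persons and frac >= threshold),
        key=lambda item: -item[1],
    )
    gaps = sorted(who for who in effective if who not in natural_persons)
    return ubos, gaps


if __name__ == "__main__":
    print("first layer only:", first_layer_natural_persons("Customer LLC", OWNERSHIP, NATURAL_PERSONS))
    print("looked through:  ", ubo_report("Customer LLC", OWNERSHIP, NATURAL_PERSONS))
    print("cross-holding:   ", ubo_report("Loop A", CIRCULAR_SAMPLE, {"Person Q"}))
```

Run stand-alone, it shows that the customer's own register names no natural person at all, while the looked-through view finds three people at or above 25% (Person X reaches 40.8% only because two separate chains are added together) and a 4% slice held through a company with no register on file. That last line is the point: the threshold applies to the aggregate across chains, and an unresolved holder is a CDD gap even when it sits below the threshold.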
Do we need AML/CFT training for all staff, or just the Compliance Officer?

All staff who have customer-facing responsibilities or who could plausibly encounter a red flag in the course of their role — sales, operations, finance, and client-facing management — should receive AML/CFT awareness training, not only the appointed Compliance Officer. The training should be role-appropriate: frontline staff need to recognise red flags and know the internal escalation process, while the Compliance Officer needs deeper training on risk assessment methodology, EDD decision-making, and the STR filing process itself.

Practitioner note: We tier training by role rather than delivering one generic session to everyone — a receptionist and a deal-closing broker need different depths of AML training, and inspectors increasingly ask to see role-appropriate training records rather than a single blanket certificate for the whole company.
What records must we retain, and for how long?

The Decree-Law and its executive regulations prescribe minimum retention periods for CDD documentation, transaction records, and records relating to any STR filed — generally requiring retention for a period of years following the end of the business relationship or the completion of the transaction, sufficient to allow reconstruction of individual transactions if required by a competent authority. The precise retention period should be confirmed against the current executive regulations and any sector-specific guidance, as retention requirements can be refined by subsequent Cabinet or Ministerial decisions.

Practitioner note: We build the record-retention schedule as part of the programme documentation itself, cross-referenced to the current regulations at the time of design, and flag it for review at each annual programme refresh rather than treating it as a fixed figure set once and forgotten.
Is there a difference between AML/CFT obligations and Economic Substance Regulations (ESR) obligations?

Yes, these are distinct regimes with different purposes and different administering authorities. AML/CFT, under Federal Decree-Law No. 20 of 2018 (as amended), addresses money laundering and terrorist financing risk and is supervised by the Ministry of Economy, free zone authorities, or financial regulators depending on entity type. Economic Substance Regulations, administered by the Ministry of Finance, required certain UAE entities conducting defined 'Relevant Activities' to demonstrate adequate economic substance in the UAE and to file an annual ESR notification and, where applicable, an ESR report. That notification and report filing obligation was discontinued for financial years commencing on or after 1 January 2023 under Cabinet Decision No. 98 of 2024, so ESR is now a historical-compliance and legacy-exposure matter (confirming past filings were made correctly) rather than a live ongoing filing obligation for current financial years. A business can still be subject to AML/CFT obligations independent of whatever its historical ESR position was.

Practitioner note: We assess AML/CFT applicability and any legacy ESR exposure together at the outset of any engagement, since the underlying activity classification exercise overlaps significantly, even though ESR filing itself is no longer a live ongoing obligation for financial years starting on or after 1 January 2023. PNPC's Economic Substance Regulations service now focuses on confirming historical compliance and closing out any legacy exposure rather than ongoing annual filing.
Our business has grown quickly and our customer base has changed significantly. Does our AML programme need updating mid-cycle, or can it wait for the annual review?

It should be updated as soon as the material change occurs, not deferred to the next scheduled annual review. A significant shift in customer profile, geographic exposure, transaction volume, or the introduction of a new product/service line changes the underlying risk profile that the Business Risk Assessment is meant to reflect. Operating on a stale BRA that no longer matches the business, even for a few months, creates exactly the mismatch between documented risk assessment and actual operations that inspectors focus on.

Practitioner note: We ask clients to flag material business changes to us proactively — a new product line, entry into a new market, or a large new client segment — rather than waiting for us to catch it at the next scheduled annual review. The gap between the change and the update is where exposure sits.
What is the relationship between our AML/CFT Compliance Officer and our bank's own KYC/AML requirements?

These are related but distinct. Your bank conducts its own KYC and AML due diligence on you as its customer, under the Central Bank's regulatory framework applicable to the bank — this is separate from your own statutory AML/CFT obligations toward your customers if you are a DNFBP. However, having a robust, evidenced AML/CFT programme of your own materially strengthens your position during bank account opening and renewal KYC reviews, since banks increasingly ask corporate customers — particularly those in DNFBP sectors — to demonstrate their own compliance framework as part of the bank's enhanced due diligence on higher-risk customer categories.

Practitioner note: We have seen bank account opening or renewal delayed or declined specifically because a DNFBP applicant could not produce evidence of its own AML/CFT programme when the bank's relationship manager asked for it. A well-documented programme is now a practical banking relationship asset, not just a regulatory box to tick.
Can our AML/CFT programme be shared or standardised across multiple group entities in the UAE?

A group-level policy framework can provide consistency, but each licensed entity that independently qualifies as a DNFBP or regulated entity typically needs its own entity-specific Business Risk Assessment, its own goAML registration, and evidence that CDD is being applied to that entity's actual customers — a shared policy document alone, without entity-specific risk assessment and operational evidence, does not satisfy each entity's individual obligations.

Practitioner note: We design a consistent group-wide policy architecture where a client has multiple UAE entities, but we build a distinct BRA and CDD evidence trail for each entity separately, since that is what each entity's own supervisor will test independently.
What should we do if we discover, during our own review, that we may have missed filing an STR on a past transaction?

This situation should be addressed directly and promptly rather than left unaddressed — a documented internal review that identifies a historical gap, followed by appropriate escalation and, where warranted, a late filing with clear documentation of the discovery and remediation process, is viewed far more favourably by a supervisor than a gap that is only found during an external inspection. The specific handling depends heavily on the facts and should be discussed with your compliance advisor and, where appropriate, legal counsel before any filing decision is finalised.

Practitioner note: We treat this as a priority advisory conversation, not a routine filing task — the facts of each case (why the gap occurred, what has changed since, what the underlying transaction actually involved) materially affect the right course of action, and we do not recommend a generic 'just file it now' approach without first understanding the full picture.
Does PNPC only design AML/CFT programmes, or can you also help if we are already mid-inspection or have received a remediation notice?

PNPC supports clients at every stage — from ground-up programme design for a new DNFBP, through gap remediation for an existing but deficient programme, to active representation and remediation planning during or after a regulatory inspection. If you have received a notice from the Ministry of Economy, a free zone authority, or another supervisor, the priority is understanding the specific findings and timeline first, then building a remediation plan that addresses both the immediate finding and the underlying programme gap that caused it.

Practitioner note: Clients who reach out only after receiving a formal notice are working against a compressed timeline that a proactive engagement would have avoided. If you have any live notice or deadline, tell us immediately when we scope the engagement so we can prioritise accordingly — this is not a case where a standard 6–8 week build timeline applies.
How does PNPC's AML/CFT work relate to the firm's broader UAE tax and regulatory compliance services?

AML/CFT compliance programme design sits within PNPC's broader UAE Taxation & Regulatory Compliance practice, alongside legacy Economic Substance Regulations assessment (confirming historical filing positions for years before the regime was discontinued for financial years starting on or after 1 January 2023), AML/CFT risk assessment and customer risk profiling, goAML portal registration and reporting assistance, KYC and customer due diligence advisory, and AML/CFT regulatory remediation support. For clients also engaging PNPC for Corporate Tax or VAT compliance, we coordinate the entity, ownership, and record-keeping work across all regimes rather than treating each as a siloed engagement.

Practitioner note: The overlap in underlying entity and ownership data across AML/CFT, ESR, and tax compliance means a coordinated engagement is usually more efficient and more consistent than separate advisors working from separate, potentially inconsistent, entity information.
What is the practical first step if we are not sure whether we need this service at all?

Engage PNPC for a standalone applicability scoping review — a focused assessment of your licensed activities, actual services performed, and customer/transaction profile against the DNFBP definitions and any sector-specific regulatory framework applicable to you. This produces a clear written determination of whether you are a DNFBP or otherwise AML-regulated entity, which supervisory authority applies, and — if applicable — a scoped recommendation for the programme design work that follows. This is a smaller, faster, and lower-cost engagement than committing directly to a full programme build.

Practitioner note: We recommend this scoping step for any business that is uncertain, rather than either assuming no obligation exists or over-investing in a full programme before confirming it is actually required. It is the single highest-value first conversation we can have with a new AML/CFT client.
What is the difference between an AML/CFT compliance programme and simply registering on goAML?

goAML registration is one operational step within a compliance programme, not the programme itself. A registered entity with no Business Risk Assessment, no documented CDD procedure, no appointed Compliance Officer, and no evidenced staff training is still non-compliant even though it holds a goAML login. Inspectors treat goAML registration as a baseline administrative checkbox and move directly to testing the substantive controls behind it — the risk assessment, the CDD files, and the Compliance Officer's actual authority and knowledge.

Practitioner note: We have seen entities point to their goAML registration as evidence of compliance when asked about their AML programme — registration is necessary but tells an inspector nothing about whether the underlying controls actually function.
Can our AML/CFT programme rely on a generic sanctions screening tool without any UAE-specific configuration?

No. Screening must cover the UN Security Council Consolidated List and the UAE Local Terrorist List specifically, not just a generic global sanctions feed that may omit UAE domestic designations. The tool also needs to be configured to your actual customer data fields — name variations, transliteration from Arabic, and corporate structure layers — so that a screening match is not missed because of a formatting mismatch. We assess whether a client's chosen screening tool or provider actually covers both lists before relying on it as evidence of a working screening control.

Practitioner note: A screening tool that only checks a generic international list and omits the UAE Local Terrorist List leaves a specific, testable gap that an inspector can identify by asking a single pointed question.

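To make the two configuration points in this answer concrete (covering both lists, and folding name formatting and transliteration variants so a match is not missed because of how a name was typed), here is an added Python example. It is not PNPC's code and not any screening vendor's product. Every list entry, customer name and transliteration mapping is constructed for the example, and the ownership walk, the naive exact-match comparison and the re-screening diff are assumptions about how a programme could structure this control, not a description of any specific tool.

```python
"""Sanctions screening across both lists with name normalisation (added example)."""
import re
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for the two lists the control must cover. A real programme
# loads the current UN Security Council Consolidated List and the UAE Local
# Terrorist List from their official sources; every name below is invented.
UN_CONSOLIDATED: Set[str] = {"ABD AL-RAHMAN ZZTESTNAME"}
UAE_LOCAL_TERRORIST_LIST: Set[str] = {"MUHAMMAD ZZSAMPLE", "ZZEXAMPLE GENERAL TRADING LLC"}
ALL_LISTS = {"UN Consolidated": UN_CONSOLIDATED, "UAE Local Terrorist List": UAE_LOCAL_TERRORIST_LIST}
GENERIC_FEED_ONLY = {"UN Consolidated": UN_CONSOLIDATED}  # the gap the answer warns about

# Latin spellings of the same Arabic name tokens, folded to one canonical form.
# Illustrative only: a real table is built from your own customer data.
TOKEN_VARIANTS = {
    "MOHAMMED": "MUHAMMAD", "MOHAMED": "MUHAMMAD", "MOHAMMAD": "MUHAMMAD", "MOHAMAD": "MUHAMMAD",
    "ABDUL": "ABD AL", "ABDEL": "ABD AL", "ABDAL": "ABD AL",
    "EL": "AL",
}


def normalize_name(raw: str) -> str:
    """Fold a name as typed into a canonical key so formatting cannot hide a match.

    Strip diacritics (NFKD), upper-case, drop dots (L.L.C. -> LLC), turn hyphens,
    apostrophes and commas into spaces (Al-Rahman == Al Rahman), then map known
    transliteration variants token by token and collapse whitespace.
    """
    text = unicodedata.normalize("NFKD", raw)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).upper()
    text = text.replace(".", "")
    text = re.sub(r"[-'\u2019,()/]", " ", text)
    tokens = [TOKEN_VARIANTS.get(tok, tok) for tok in text.split()]
    return " ".join(" ".join(tokens).split())


def build_index(lists: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Normalised name -> names of the lists it appears on (entries get the same folding)."""
    index: Dict[str, Set[str]] = {}
    for list_name, entries in lists.items():
        for entry in entries:
            index.setdefault(normalize_name(entry), set()).add(list_name)
    return index


@dataclass
class Party:
    name: str
    owners: List["Party"] = field(default_factory=list)  # shareholders / UBOs at any depth


def screening_subjects(party: Party) -> List[Tuple[str, str]]:
    """Walk every ownership layer so a listed UBO behind a clean holding company is still screened."""
    subjects = [(party.name, "customer")]
    stack = [(owner, 1) for owner in party.owners]
    while stack:
        current, depth = stack.pop()
        subjects.append((current.name, f"owner layer {depth}"))
        stack.extend((owner, depth + 1) for owner in current.owners)
    return subjects


def screen(party: Party, index: Dict[str, Set[str]]) -> List[Tuple[str, str, Set[str]]]:
    """Return (name as typed, role, lists hit) for every subject that matches after normalisation."""
    hits = []
    for name, role in screening_subjects(party):
        lists_hit = index.get(normalize_name(name))
        if lists_hit:
            hits.append((name, role, lists_hit))
    return hits


def naive_screen(party: Party, lists: Dict[str, Set[str]]) -> List[str]:
    """Exact upper-case comparison: what an unconfigured tool effectively does."""
    combined = set().union(*lists.values())
    return [name for name, _ in screening_subjects(party) if name.upper() in combined]


def screen_book(book: List[Party], index: Dict[str, Set[str]]) -> Dict[str, list]:
    return {party.name: screen(party, index) for party in book}


def newly_flagged(previous: Dict[str, list], current: Dict[str, list]) -> List[str]:
    """Customers clear at the last run but matching now: the output of a periodic re-screen."""
    return [name for name, hits in current.items() if hits and not previous.get(name)]


# Constructed customer records, written the way staff actually typed them.
CUSTOMER_A = Party("Abdul Rahman Zztestname")  # spelling variant of the UN-listed name
CUSTOMER_B = Party("Clean Holdings FZE",
                   owners=[Party("Clean Intermediate Ltd", owners=[Party("Mohammed Zzsample")])])
CUSTOMER_C = Party("Ordinary Customer")


def rescreen_demo() -> List[str]:
    """Simulate a list update landing after onboarding: who is newly hit on the next run?"""
    book = [CUSTOMER_B, CUSTOMER_C]
    before = screen_book(book, build_index(ALL_LISTS))
    updated = {**ALL_LISTS, "UAE Local Terrorist List": UAE_LOCAL_TERRORIST_LIST | {"ORDINARY CUSTOMER"}}
    after = screen_book(book, build_index(updated))
    return newly_flagged(before, after)


if __name__ == "__main__":
    idx = build_index(ALL_LISTS)
    for customer in (CUSTOMER_A, CUSTOMER_B, CUSTOMER_C):
        print(customer.name, "->", screen(customer, idx) or "clear")
    print("naive tool on A:", naive_screen(CUSTOMER_A, ALL_LISTS) or "missed")
    print("generic feed on B:", screen(CUSTOMER_B, build_index(GENERIC_FEED_ONLY)) or "missed")
    print("newly flagged after list update:", rescreen_demo())
```

Running the script shows the three failure modes the answer describes: the naive exact-match tool misses the typed variant of a listed name, a feed without the UAE Local Terrorist List reports a customer as clear whose second-layer UBO is on that list, and a customer clear at onboarding becomes a hit only when a later list update is re-run against the existing book.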
How does PNPC handle AML/CFT programme design for an entity that also needs a legacy Economic Substance Regulations position confirmed?

These are scoped as two related but separate work streams. The AML/CFT programme build proceeds on its own timeline against current law. Separately, we review whether the entity had a Relevant Activity and a live ESR notification/report obligation for financial years before 1 January 2023 (the ESR filing requirement was discontinued for financial years starting on or after that date under Cabinet Decision No. 98 of 2024), and if so, confirm that historical filings were made correctly or identify remediation needed for that legacy period. We do not treat ESR as a current annual filing item for FY2023 onward — only as historical-period exposure that may still need closing out.

Practitioner note: Clients sometimes assume ESR is still an annual filing alongside AML/CFT and Corporate Tax — we correct that assumption early, since continuing to prepare an ESR notification for a current financial year is unnecessary work and can itself confuse a bank or auditor reviewing the file.

Does PNPC provide the actual screening software, or only the policy and advisory framework?

PNPC designs the programme — risk assessment methodology, policies, CDD/EDD framework, screening cadence, and training — and advises on selecting a screening tool or provider proportionate to your transaction volume and budget. We are not a screening software vendor. Where a client already has a preferred provider or an existing tool from a related engagement (including PNPC's separate AML/CFT software advisory and setup service), we configure the programme around it rather than mandating a specific product.

Practitioner note: Keeping programme design and software vendor selection separate avoids a conflict where a compliance advisor is incentivised to recommend a particular tool regardless of fit.

How is source-of-funds enquiry actually documented in a CDD file, versus just ticking a box?

A ticked 'source of funds verified' checkbox with nothing behind it is one of the most common inspection findings. A defensible file records what the stated source is (salary, business income, sale of an asset, inheritance), what corroborating evidence was seen (bank statements, a sale contract, an employer letter, audited accounts), and — critically — whether that evidence is consistent with the transaction size and the customer's profile. For a real estate buyer paying AED 8 million in a jurisdiction where the customer's declared income does not support it, the file must show the enquiry was made and how the gap was resolved, not just that a box was checked.

Practitioner note: The test an inspector applies is whether a stranger reading the file cold could understand why the entity was satisfied the funds were legitimate. If the answer relies on something in the relationship manager's head rather than in the file, it fails — we train staff to write the reasoning down, not just the conclusion.

How do the cash-transaction reporting thresholds differ between a real estate broker and a precious metals dealer?

These are two distinct reporting regimes that businesses often confuse. Dealers in precious metals and stones (DPMS) fall within the DNFBP CDD/EDD obligations when engaged in cash transactions at or above the prescribed threshold, and the sector also sits under a dedicated real-estate/DPMS cash-and-transfer reporting mechanism the FIU operates. Real estate brokers are subject to a specific reporting requirement for defined property transactions — including single or linked cash payments and virtual-asset settlements at or above the prescribed value — reported through the FIU's dedicated real estate reporting channel, in addition to the general STR duty on suspicion. The precise threshold figures should be confirmed against the current Ministry of Economy and FIU guidance at the time, as they have been revised.

Practitioner note: The threshold report and the suspicion-based STR are different obligations — a broker can owe a threshold-triggered report on a large cash deal that raises no suspicion at all, while still owing an STR on a small deal that does. We build both triggers into the monitoring workflow separately, because catching one and missing the other is a live inspection risk.

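The two independent triggers described in this answer, as an added Python example (not PNPC's workflow and not any monitoring product). The threshold figure is a placeholder because the page deliberately leaves the statutory value to current Ministry of Economy and FIU guidance; treating payments that share a deal id as "linked", the set of payment methods counted towards the threshold, and the sample payments and red flags are all assumptions constructed for the example.

```python
"""Threshold-triggered report and suspicion-triggered STR as two independent triggers (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# PLACEHOLDER figure, constructed for this example. The statutory threshold must be
# taken from the current Ministry of Economy / FIU guidance; the page does not fix it.
THRESHOLD_AED = 55_000
# Assumption: payment methods whose value counts towards the threshold report.
REPORTABLE_METHODS = {"cash", "virtual_asset"}


@dataclass(frozen=True)
class Payment:
    deal_id: str          # assumption: linked payments share one deal id
    customer: str
    amount_aed: float
    method: str           # "cash", "virtual_asset" or "bank_transfer"
    red_flags: Tuple[str, ...] = ()  # suspicion indicators recorded by staff; empty means none


@dataclass(frozen=True)
class Obligation:
    kind: str             # "threshold_report" or "str"
    deal_id: str
    reason: str


def threshold_reports(payments: List[Payment]) -> List[Obligation]:
    """Fires purely on value: reportable payments on one deal are summed; suspicion is irrelevant."""
    totals: Dict[str, float] = {}
    for p in payments:
        if p.method in REPORTABLE_METHODS:
            totals[p.deal_id] = totals.get(p.deal_id, 0.0) + p.amount_aed
    return [
        Obligation("threshold_report", deal, f"linked reportable payments total AED {total:,.0f} at or above threshold")
        for deal, total in sorted(totals.items()) if total >= THRESHOLD_AED
    ]


def str_triggers(payments: List[Payment]) -> List[Obligation]:
    """Fires purely on suspicion: any red flag on any payment, whatever the amount or method."""
    flagged: Dict[str, List[str]] = {}
    for p in payments:
        if p.red_flags:
            flagged.setdefault(p.deal_id, []).extend(p.red_flags)
    return [Obligation("str", deal, "; ".join(flags)) for deal, flags in sorted(flagged.items())]


def evaluate(payments: List[Payment]) -> Dict[str, List[str]]:
    """Run both triggers independently and return deal_id -> sorted kinds of obligation owed."""
    owed: Dict[str, List[str]] = {}
    for ob in threshold_reports(payments) + str_triggers(payments):
        owed.setdefault(ob.deal_id, []).append(ob.kind)
    return {deal: sorted(kinds) for deal, kinds in owed.items()}


# Constructed sample: four deals handled by a real estate broker.
SAMPLE_PAYMENTS = [
    Payment("D1", "Buyer One", 20_000, "cash"),     # three linked cash instalments,
    Payment("D1", "Buyer One", 20_000, "cash"),     # each below the threshold,
    Payment("D1", "Buyer One", 20_000, "cash"),     # together above it, no suspicion
    Payment("D2", "Buyer Two", 15_000, "bank_transfer", ("payer is an unrelated third party",)),
    Payment("D3", "Buyer Three", 10_000, "cash"),   # small and clean: nothing owed
    Payment("D4", "Buyer Four", 70_000, "virtual_asset", ("declines to evidence source of funds",)),
]

if __name__ == "__main__":
    for deal, kinds in evaluate(SAMPLE_PAYMENTS).items():
        print(deal, kinds)
```

D1 owes only the threshold report, D2 owes only an STR despite being small and paid by transfer, D4 owes both, and D3 owes nothing; a workflow that evaluates only one of the two functions silently drops one of those outcomes.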
What does the Ministry of Economy's automated fining regime mean for a DNFBP that ignores its AML obligations?

The Ministry of Economy has run automated grievance and penalty processes for DNFBPs that fail baseline obligations — most visibly for failure to register on goAML and the automatic systems (such as the Automatic Reporting System for Sanctions Lists and the goAML STR system), and for failure to file the annual AML risk-assessment self-assessment survey when opened. The point is that some violations are detected administratively without any inspection at all: a DNFBP that never registered can be identified and penalised from the register itself. This is different from a finding that only surfaces when an inspector samples files.

Practitioner note: The failures that get caught automatically — no goAML registration, no sanctions-list system registration, missing the annual survey — are the cheapest to avoid and the ones we sequence first, precisely because a business can be penalised for them without an inspector ever visiting.

Our onboarding is fully remote and digital. Does that change our CDD obligations?

Yes — non-face-to-face onboarding is itself a risk factor that your Business Risk Assessment must address, because it raises the risk of impersonation and identity fraud relative to in-person verification. A remote-onboarding programme needs compensating controls: reliable electronic identity verification, liveness/biometric checks where proportionate, verification of a genuine link between the customer and the payment instrument, and heightened alertness to documents that cannot be examined physically. The delivery-channel risk dimension of the BRA is where this is captured, and CDD procedures should reflect the additional verification steps a remote channel requires.

Practitioner note: Firms that moved to remote onboarding during or after the pandemic frequently kept their old face-to-face CDD procedures unchanged on paper — creating a mismatch where the documented process assumes an in-person check that no longer happens. We align the delivery-channel risk rating with how onboarding actually works now.

What is the annual AML/CFT self-assessment survey and is it separate from the goAML STR obligation?

Yes, they are separate. The supervisory authorities — the Ministry of Economy for most DNFBPs — periodically open an annual AML/CFT risk self-assessment survey (historically administered through the automated systems supporting the goAML environment) that registered DNFBPs must complete within the stated window. This is distinct from filing STRs (which are event-driven, on suspicion) and from goAML registration (a one-time onboarding step). Missing the survey window is itself a penalisable administrative failure independent of whether any suspicious transaction ever arose.

Practitioner note: Because the survey opens on the authority's calendar rather than yours, a business that only thinks about AML when a transaction looks suspicious will miss it. We diarise the expected survey window as a fixed annual compliance date alongside the BRA refresh, so it is not left to chance.

How should EDD handle a customer connected to a higher-risk jurisdiction on the FATF or UAE lists?

Exposure to a higher-risk jurisdiction — whether through the customer's nationality, residence, source of funds, or counterparties — is a mandatory EDD trigger. The programme should reference the FATF lists of jurisdictions under increased monitoring and those subject to a call for action, alongside any UAE-specific high-risk-country determinations, and apply enhanced measures: additional source-of-funds and source-of-wealth verification, senior-management sign-off to establish or continue the relationship, and more frequent ongoing monitoring. The lists change periodically, so the programme must reference the current FATF/UAE position rather than a static country list baked into the manual.

Practitioner note: A hard-coded high-risk-country list in a policy manual ages badly — jurisdictions are added and removed from the FATF lists at each plenary. We build the EDD trigger to reference the current list as a live input rather than embedding a snapshot that is out of date within months.

Does the UBO data we gather for AML CDD overlap with what Corporate Tax and the UBO register require?

Substantially, yes — and coordinating them avoids duplicated and inconsistent work. The natural-person beneficial-owner identification that AML CDD demands for corporate customers is the same underlying data the UAE's Real Beneficial Owner regulations require entities to maintain on a register, and it feeds the ownership and related-party disclosures relevant to Corporate Tax under Federal Decree-Law No. 47 of 2022. A business that has done rigorous AML UBO work has most of what its own beneficial-owner register and tax related-party analysis need; one with disorganised AML files usually struggles across all three, because they draw on the same source records. PNPC coordinates the entity and ownership data across these regimes rather than rebuilding it separately for each.

Practitioner note: The efficiency is real but the direction of reliance matters — AML CDD is about your customers' UBOs, while the beneficial-owner register and tax disclosures are about your own entity's UBOs. We keep the two data sets distinct even though the verification discipline is identical, because conflating whose ownership you are documenting is a common filing error.

Are there third-party or authority fees for AML programme design, or is it all professional fees?

AML/CFT programme design is largely a professional-fee engagement — the design, documentation, training, and advisory work — because goAML registration itself is a free FIU process rather than a paid licence. The costs to be aware of separately are any screening-tool or software subscription you choose to procure (PNPC advises on selection but is not a software vendor), and, where relevant, translation or notarisation of source documents. There is no government filing fee for STRs or the annual survey. PNPC agrees a fixed written professional fee after the applicability scoping step, and flags any third-party subscription cost separately so it is never buried in the professional fee.

Practitioner note: The recurring cost most clients underestimate is not the build — it is the ongoing screening-tool subscription and the annual advisory retainer to keep the programme live, since a one-off build with no ongoing screening or refresh drifts out of compliance within a year.

What happens to our programme when the AML law or executive regulations are amended?

The UAE's AML/CFT framework is updated regularly in response to FATF mutual-evaluation cycles and the country's own action plans — Federal Decree-Law No. 20 of 2018 was amended by Federal Decree-Law No. 26 of 2021, and Cabinet Decision No. 10 of 2019 has itself been amended. When a relevant change lands — a revised threshold, a new red-flag typology, a change to reporting mechanics, an updated high-risk-country determination — the programme's affected components (BRA, CDD triggers, screening lists, procedures manual) need to be reviewed and updated, and the change documented. A programme frozen at its original 2019 baseline will have accumulated gaps against the current law.

Practitioner note: We track amendments as they are issued rather than re-reading the framework only at the annual review — a threshold or typology change that lands mid-year can create a live gap the moment it takes effect, and 'we hadn't done our annual review yet' is not a defence an inspector accepts.

Our UBOs and clients are Indian nationals or India-based groups. Does that create additional AML considerations?

It does not change your UAE statutory obligations, but it sharpens two practical points. First, UBO verification for India-linked ownership often means looking through Indian corporate and trust layers to natural persons, which requires documents (share registers, PAN-linked records) that take longer to obtain and verify than a single-jurisdiction structure. Second, cross-border source-of-funds enquiry on inbound remittances from India intersects with India's own outward-remittance framework (Form 15CA/15CB, FEMA/LRS limits) — a mismatch between what the customer says the funds are and how they could lawfully have left India is itself a red flag. PNPC's India desk can corroborate the India-side documentation where relevant.

Practitioner note: The most common India-UAE CDD weakness we see is a file that verifies the immediate UAE or offshore holding company but never reaches the Indian natural-person UBO — layered structures are exactly where look-through CDD tends to stop one layer too early.

What should the final programme deliverable pack actually contain so it survives an inspection two years later?

An inspection-ready pack is more than the policy manual. It should contain the current Business Risk Assessment with its dated version history, the AML/CFT procedures manual, the Compliance Officer appointment letter and reporting-line documentation, the goAML registration confirmation and reference number, the sanctions/PEP screening protocol and evidence of screening runs, the CDD/EDD onboarding forms with a representative set of completed files, the transaction-monitoring red-flag matrix, the STR decision log (including documented decisions not to file), the record-retention schedule, and dated staff training records tied to named individuals. The test is whether a new Compliance Officer joining in two years could reconstruct what was done and why, without asking the person who left.

Practitioner note: The single item most often missing when we review other firms' files is the log of decisions not to file an STR. Supervisors expect to see that suspicions were considered and reasoned through, not just the STRs that were filed — an empty STR log with a busy customer book looks like a monitoring failure, not a clean record.

When does an AML matter need to be escalated to a lawyer rather than handled as a compliance engagement?

Programme design, CDD/EDD frameworks, goAML registration, screening, and inspection preparation sit within PNPC's compliance advisory scope. Escalation to legal counsel is appropriate when the facts move from compliance into legal exposure: a suspected predicate offence with potential criminal liability, a formal enforcement action or prosecution, a contested penalty the entity intends to challenge, a tipping-off incident that may already have occurred, or a situation where privileged legal advice is needed on whether and how to file. In those cases the STR filing decision itself may need to be taken with legal counsel involved, particularly where the entity's own potential liability is in question.

Practitioner note: The line we watch for is where filing (or not filing) an STR could implicate the entity or its officers personally — at that point the decision needs legal privilege around it, and we bring counsel in rather than treating it as a routine compliance call.

Can PNPC take over an AML programme another consultant built but that failed an inspection?

Yes, and this is a frequent starting point. The first step is a diagnostic against the inspection findings: which specific gaps the supervisor identified, the remediation deadline given, and whether the underlying programme is salvageable or needs rebuilding. Often the manual is adequate but the operating evidence behind it is not — no completed CDD files, no STR decision log, no dated training records — so the remediation is about building the evidence trail, not rewriting policy. Where the BRA itself is generic and does not match the business, that gets rebuilt first because everything downstream depends on it.

Practitioner note: Inherited programmes almost always fail on evidence rather than on the document. We start by pulling the actual customer files and testing them against the manual the previous consultant wrote — the gap between the two is usually the whole story of why the inspection went badly.

How long does a full programme build take, and what drives the timeline?

A ground-up build for a straightforward DNFBP typically runs 6–8 weeks from applicability scoping to an operative, inspection-ready programme. The main variable is retrospective CDD remediation: an entity with hundreds of existing customer files onboarded without proper CDD needs those files brought up to standard, which can extend the timeline well beyond the core design work. An entity with an existing but deficient programme can often be remediated faster where the core documentation exists and only specific gaps — goAML registration, training records, screening evidence — need closing. A live inspection notice or remediation deadline compresses everything and reorders the sequence around the supervisor's timeline.

Practitioner note: The hidden time-sink is almost always the back-book of existing customers. Designing the go-forward programme is the quick part; retrospectively remediating years of thin CDD files on active customers is what actually moves the completion date.

How does PNPC quality-check a programme before declaring it inspection-ready?

The final gate is a mock inspection, not a document sign-off. We pull a representative sample of live customer files and test them exactly as a Ministry of Economy or free-zone inspector would: does the CDD in the file support the risk rating assigned, is UBO look-through complete for corporate customers, is there evidence of sanctions screening at onboarding and since, and does the STR decision log show that suspicions were reasoned through. We also test the Compliance Officer with the kind of direct questions about specific files that inspectors ask. Gaps found here are fixed before the programme is called live.

Practitioner note: The mock file review is where a programme that looks complete on paper reveals its real gaps — a manual can describe a perfect CDD process while the sampled files show it was never actually applied. Testing files, not documents, is the only reliable pre-inspection check.

What ongoing tasks keep an AML programme operative after the initial build?

A live programme carries a recurring calendar: sanctions and PEP screening list-update checks on the defined cadence, ongoing CDD on new customers and periodic re-screening of the existing book, the annual Business Risk Assessment refresh against the past year's real data, the annual AML/CFT self-assessment survey when the authority opens it, annual staff refresher training with dated records, and STR decisioning as live situations arise. Each of these is a discrete obligation a supervisor can test independently — a programme that was perfectly built but then left static fails on the same points as one that was never built.

Practitioner note: The obligation businesses most often let lapse is periodic re-screening of the existing customer book — screening at onboarding feels like the job is done, but a customer clear at onboarding can be sanctioned or become a PEP later, and the gap until your next screening run is exactly what an inspector probes.

How does a strong AML/CFT programme affect our banking relationships in the UAE?

It has become a practical banking asset, not just a regulatory obligation. UAE banks conduct their own enhanced due diligence on corporate customers in DNFBP sectors, and increasingly ask those customers to evidence their own AML/CFT programme as a condition of opening or renewing an account. A DNFBP that cannot produce a BRA, goAML registration, and evidenced CDD when the bank's relationship manager asks has, in practice, seen account opening delayed or declined. A well-documented programme shortens that conversation and de-risks the banking relationship.

Practitioner note: We have seen account applications stall specifically because a real estate or corporate-services applicant could not show its own AML programme on request — for DNFBP-sector clients, we now prepare a bank-facing summary of the programme precisely because the bank will ask for it.

How does PNPC handle the highly sensitive customer and STR data involved in this work?

AML work involves some of the most sensitive data an entity holds — UBO identities, source-of-funds evidence, and STR-related records that carry a tipping-off prohibition. PNPC requests only what is needed for the specific stage, keeps CDD and STR material segregated from general engagement files, and is mindful that STR-related information cannot be shared beyond the permitted chain even internally. Client responsibility for the accuracy and completeness of the underlying information remains part of the engagement.

Practitioner note: STR material is handled differently from ordinary engagement documents because of the tipping-off rules — we keep it on a strict need-to-know basis rather than in the general client file, since improper disclosure is itself an offence, not merely a confidentiality lapse.

How do we present the AML programme to our board or investors so they can actually rely on it?

Boards and investors want a risk-ranked position, not the manual. A board-ready summary states the entity's DNFBP classification and supervisor, the overall residual ML/TF risk rating from the BRA, the status of each core control (registration, CDD, screening, Compliance Officer, training), any open gaps and their remediation timeline, and the specific residual exposures the board is being asked to accept. Investors conducting deal diligence increasingly treat AML programme quality as a value and liability item, so the summary should be candid about gaps rather than presenting a clean bill that a diligence team will disprove.

Practitioner note: Investor diligence teams test AML programmes now — presenting an over-clean summary that their review then contradicts damages credibility more than an honest one that names the gaps and the plan to close them.

When is a scoping diagnostic the right first step instead of committing to a full build?

A scoping diagnostic is the right start whenever DNFBP applicability is genuinely uncertain, the entity has not yet commenced the regulated activity, or management needs to know the true scope of its obligation before committing budget. It produces a written determination of whether the entity is a DNFBP, which supervisor applies, and what a proportionate programme would need to contain — for a fraction of the cost and time of a full build. It prevents both errors that cost real money: assuming no obligation exists when it does (and being caught unregistered), and over-building a bank-grade programme onto a small operation that cannot run it.

Practitioner note: The scoping diagnostic is the single highest-value first conversation with a new AML client — it stops a business either sleepwalking into an unregistered-DNFBP finding or spending on a framework far heavier than its actual risk profile warrants.

Why PNPC Global
| Feature | Template/Online Provider | Generic Compliance Consultant | PNPC Global |
| --- | --- | --- | --- |
| Applicability Scoping | Not offered — assumes you already know | Basic — may rely on trade licence description alone | Activity-level scoping against actual services performed, cross-checked against DNFBP definitions |
| Business Risk Assessment | Generic template, same for every client | Customised but often desk-based only | Built from your actual transaction and customer data — the document inspectors actually test |
| goAML Registration | Often left to the client to complete separately | Usually handled, sometimes as an afterthought | Handled end-to-end as a core milestone, including Compliance Officer credentialing |
| CDD/EDD Framework | Checklist-based, minimal sector calibration | Reasonable but rarely sector-specific | Sector-calibrated onboarding workflow with real UBO methodology and documentary evidence standards |
| Staff Training | Slide deck only, no evidenced delivery | Delivered but records often incomplete | Role-tiered training delivered and documented with attendance and assessment records |
| Pre-Inspection Readiness | Not offered | Rarely offered proactively | Mock file review before programme is considered live — gaps found and fixed before an inspector finds them |
| Ongoing Advisory | None — one-time document sale | Reactive — responds to requests only | Proactive annual BRA refresh, screening updates, and live STR advisory as situations arise |
| Cross-Regime Coordination | AML only, siloed | AML only, siloed | Coordinated with ESR, VAT, and Corporate Tax compliance where the client also engages PNPC on those fronts |
| Access When It Matters | Support ticket queue | Depends on consultant availability | Direct access to your engagement advisor — including for time-sensitive STR or inspection situations |
| Currency of the framework | Reuses a static template built against the original 2018/2019 texts | Reads the current law but rarely tracks amendments between engagements | Programme built against the law as amended, with FATF-cycle updates tracked and folded into the annual refresh |
| Evidence retention | No retention schedule — client works it out later | Files kept, but often without a documented retention schedule tied to the regulations | Retention schedule cross-referenced to the current executive regulations, with an inspection-ready file structure and a diarised next-review trigger |

What the PNPC package includes

  1. Applicability scoping — activity-level DNFBP determination and supervisory authority confirmation
  2. Business Risk Assessment built from your actual customer, transaction, and geographic data
  3. AML/CFT Policy & Procedures Manual tailored to your specific operating model
  4. Compliance Officer / MLRO role definition, appointment documentation, and briefing
  5. goAML platform registration for the entity and Compliance Officer
  6. Risk-tiered CDD/EDD onboarding framework with UBO identification methodology
  7. Sanctions and PEP screening protocol, calibrated to your transaction volume and risk profile
  8. Transaction monitoring red-flag matrix and internal escalation pathway
  9. STR/SAR internal reporting protocol and goAML filing support
  10. Role-tiered staff training programme, delivered and evidenced
  11. Record-retention schedule and inspection-ready file structure
  12. Pre-launch mock file review to test the programme before it goes live
  13. Ongoing annual BRA refresh, screening list monitoring advisory, and inspection representation support
  14. Retrospective CDD remediation of the existing customer back-book, prioritised by risk and value
  15. STR decision log setup, capturing reasoned decisions both to file and not to file
  16. Bank-facing programme summary for account opening or renewal in DNFBP sectors
  17. Annual AML/CFT self-assessment survey completion support within the authority's window
  18. Inspection representation and post-finding remediation planning where a notice is live
  19. Coordinated UBO data across AML CDD, the entity's Real Beneficial Owner register, and Corporate Tax related-party disclosures
  20. Written applicability-scoping determination with the DNFBP classification, supervisor, and proportionate programme scope, owned by a named PNPC advisor

Speak directly with a PNPC compliance advisor who has built AML/CFT programmes across real estate, precious metals, corporate services, and professional services sectors in the UAE — and who will still be available when an inspector calls, a suspicious transaction needs a decision, or your risk profile changes.

Jurisdiction: United Arab Emirates (free zone, mainland & offshore)

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.
