goAML Portal Registration & Reporting Assistance
goAML is not an optional formality — it is the UAE's central mechanism for detecting money laundering and terrorist financing, and registration on the portal is a legal obligation for every Designated Non-Financial Business and Profession (DNFBP) and financial institution operating in the UAE.
Chartered Accountants · Dubai · Since 1986
goAML is the online reporting platform operated by the UAE's Financial Intelligence Unit (FIU), which sits within the UAE Central Bank, for the receipt, analysis, and dissemination of Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory disclosures required under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (the AML/CFT Law) and its Cabinet Decision implementing regulations. Every entity that falls within the definition of a Financial Institution or a Designated Non-Financial Business and Profession (DNFBP) under the AML/CFT framework — including real estate brokers and agents, dealers in precious metals and stones, auditors, independent legal professionals and notaries providing specified services, and company service providers — is legally required to register on goAML and to file reports through it whenever a reporting trigger arises. Registration is not optional and is not linked to whether a business has ever actually suspected a transaction; it is a standing obligation that begins the moment the entity meets the DNFBP or Financial Institution definition.
goAML registration itself is a two-stage process: an organisation-level registration that establishes the reporting entity's profile on the FIU platform, followed by the registration of the entity's designated Compliance Officer (in some structures called the Money Laundering Reporting Officer, MLRO) who is authorised to file reports on the organisation's behalf. Only after both stages are complete, and the Compliance Officer's access has been activated by the FIU, can the entity actually submit STRs, SARs, or other required disclosures. Many businesses discover the registration step only when a supervisory authority — the Ministry of Economy for most DNFBPs, or the relevant free zone / Central Bank for regulated financial entities — asks for evidence of it during a routine AML inspection, by which point the business is already in breach and exposed to administrative penalties under Cabinet Decision No. 10 of 2019 and its amendments.
Beyond the initial sign-up, goAML is the channel through which an entity discharges its ongoing statutory reporting duties: filing an STR whenever there are reasonable grounds to suspect that funds constitute the proceeds of a crime or are connected to money laundering; filing a SAR where the suspicion relates to an underlying criminal activity more broadly; and responding to any information requests the FIU raises through the platform in connection with a filed report. The AML/CFT Law also requires that suspicion be reported without delay once it arises — tipping off the customer, delaying the filing pending further investigation of one's own, or filing only after a supervisory inspection prompts it, are all treated as compliance failures in their own right, independent of whether the underlying transaction turns out to be legitimate.
For most DNFBPs and regulated entities, goAML registration and reporting sit inside a broader AML/CFT compliance programme: a documented risk assessment of the business's exposure to money laundering and terrorist financing, board-approved AML/CFT policies and procedures, Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) protocols, sanctions and Politically Exposed Persons (PEP) screening, a named and empowered Compliance Officer, staff training records, and an independent audit of the AML function. goAML registration without the surrounding programme is a box checked on paper; supervisory authorities inspect the substance behind it, and the absence of a functioning programme is treated as seriously as the absence of registration itself.
goAML also runs an annual re-registration/confirmation cycle: registered entities are periodically required to review and confirm their profile and Compliance Officer details, and a lapsed or unconfirmed profile can leave an entity technically deregistered and unable to file when a report is actually needed. This is a recurring trap — a business that registered once, years ago, and never revisited the portal can discover mid-crisis that its access is dormant. Beyond STRs and SARs, goAML is also the channel for other statutory report types, including the Funds Awaiting Return / Fund Freeze Report following a Targeted Financial Sanctions (TFS) list match, where a name hit against the UN or UAE local terrorist lists must be reported and the relevant funds frozen without delay — a filing obligation that is easy to overlook because it is not triggered by a customer's transaction behaviour but by a list update.
The practical risk on this service is rarely the mechanics of the portal form; it is treating registration as the whole obligation, nominating a Compliance Officer who lacks real authority, or building a programme on a copied template that does not describe the business. PNPC therefore treats goAML work as the visible top of a risk-based programme and aligns the registration, the risk assessment, the CDD/EDD design, sanctions screening, MLRO governance and evidence retention so that what a Ministry of Economy inspector tests on the ground matches what the portal profile claims.
Who is legally required to register on goAML
Real estate brokers and agents when involved in transactions concerning the buying and selling of real estate — a defined DNFBP category under the AML/CFT Law
Dealers in precious metals and stones when engaged in any single cash transaction (or connected transactions) at or above the prescribed threshold set by the Ministry of Economy
Independent legal professionals, notaries, and other independent legal practitioners when preparing for or carrying out specified transactions for a client — company formation, management of client funds, or buying/selling of real estate or business entities
Auditors and accountants providing specified services covered under the DNFBP definition
Corporate service providers (company formation agents, registered agents, trust and corporate service providers) forming companies, acting as registered agent, or providing nominee director/shareholder or company secretarial services
Financial institutions, exchange houses, and other entities licensed and regulated by the UAE Central Bank or a financial free zone regulator (DFSA in DIFC, FSRA in ADGM)
Any entity that has been notified by its supervisory authority (Ministry of Economy, Central Bank, or free zone regulator) that it falls within scope, even where its own self-assessment is uncertain
Any business that has already identified a transaction it considers suspicious and needs to file without further delay — registration and first filing frequently happen together under time pressure
An entity that registered on goAML years ago but has never confirmed its profile through the portal's periodic re-registration cycle, and cannot be certain its filing access is still live
A business whose Compliance Officer has left, moved roles, or was never properly activated on the portal — leaving a gap in who can actually file a report today
An entity that has received a Ministry of Economy AML inspection notice, or a supervisory query, and needs its registration, risk assessment, and policy file made inspection-ready quickly
A group with an existing global AML policy that needs localising to the UAE AML/CFT Law, the goAML channel, and UAE-specific sanctions lists and activity thresholds before it can be relied on
A business that needs to file a Fund Freeze / Funds Awaiting Return report after a sanctions-list name match and is unsure of the goAML mechanics and the freeze-without-delay obligation
Where the obligation genuinely does not apply — verify before assuming
Businesses entirely outside the DNFBP and Financial Institution categories defined in the AML/CFT Law and its Cabinet Decisions — most ordinary trading, retail, manufacturing, and professional services businesses fall outside scope unless they specifically provide one of the designated services
A retail jeweller whose transactions never reach the cash-transaction threshold set for precious metals and stones dealers — though the entity should still document why it has assessed itself as out of scope, since supervisory authorities may query the assessment
A law firm that never handles client funds, company formation, or real estate/business transactions on a client's behalf — general litigation and advisory work alone does not typically trigger DNFBP status, but this line is fact-specific and should be confirmed, not assumed
An accounting firm providing only bookkeeping and tax filing services without company formation, trust, or specified transaction involvement — again, a fact-specific determination best confirmed with a compliance adviser rather than self-assessed
A business that has already completed goAML registration correctly and simply needs day-to-day filing support — in that case the engagement is about reporting assistance and programme maintenance, not registration itself
A client who wants PNPC to hold the statutory Compliance Officer/MLRO role itself — that position requires day-to-day authority inside the regulated entity and cannot be discharged by an external adviser (we support the role, we do not take it on)
A client seeking a guaranteed assurance that the Ministry of Economy will not penalise them, or a promise that a filed STR/SAR will produce a particular outcome — neither is within any adviser's control
A pure legal-privilege determination for a law firm — whether a specific engagement is privileged and thus outside the reporting duty is a legal question for the firm's own counsel, alongside which we build the AML architecture
A client who wants a template AML policy dropped in without a risk assessment or calibration to their actual business — that is precisely the box-ticking pattern supervisory authorities flag on inspection
A business that is not yet willing to identify its beneficial owners, share its customer and transaction profile, or nominate an empowered Compliance Officer — the CDD and governance groundwork cannot be skipped
goAML obligations across common DNFBP categories in the UAE
| DNFBP Category | Typical Trigger for STR/SAR | Registration Timing | Key Ongoing Obligation |
|---|---|---|---|
| Real estate brokers/agents | Cash-intensive deals, unusual source-of-funds patterns, PEP counterparties, rapid resale | Before conducting any real estate brokerage transaction as a licensed entity | CDD/EDD on buyer and seller, STR filing without delay on suspicion |
| Dealers in precious metals and stones (DPMS) | Cash transactions at or above the Ministry of Economy's prescribed threshold | Before or immediately upon crossing the designated activity threshold | Threshold transaction record-keeping and STR filing on suspicion |
| Independent legal professionals/notaries | Company formation, real estate conveyancing, management of client money or securities on client instruction | Before undertaking any specified transaction on a client's behalf | CDD on beneficial owners, STR filing, legal professional privilege carve-outs handled carefully |
| Auditors and accountants (specified services) | Specified services connected with company formation, management, or asset transfer | Before providing the specified service | CDD, STR filing, coordination with statutory audit independence rules |
| Corporate service providers | Company formation for undisclosed beneficial owners, nominee arrangements, shell structures | Before acting as formation agent, registered agent, or nominee provider | Beneficial ownership verification, UBO register maintenance, STR filing |
| Financial institutions / exchange houses | Wire transfers, cash transactions, unusual account activity, sanctions list hits | Before commencing regulated financial activity | Full AML/CFT programme, transaction monitoring, STR/SAR filing, sanctions screening |
This table is directional. Whether a specific business falls within a DNFBP category, and which threshold or trigger applies, depends on the precise nature of services rendered and must be confirmed against the AML/CFT Law, its Cabinet Decisions, and any sector-specific guidance issued by the Ministry of Economy or the relevant regulator. A formal AML applicability assessment by PNPC is the appropriate first step where status is unclear.
| # | Stage & What PNPC Does | What Businesses Miss Without a CA/Compliance Adviser | Timeline |
|---|---|---|---|
| 1 | AML/CFT Applicability Assessment — confirm whether the entity is a DNFBP or Financial Institution in scope | Businesses frequently self-assess as out of scope based on their trade licence activity description alone, without checking whether their actual services (company formation, client fund handling, real estate transactions) trigger DNFBP status regardless of licence wording. We assess against the actual activity, not the licence label. | 1–3 working days |
| 2 | Entity Profile Preparation — trade licence, ownership structure, and business activity documentation gathered for the goAML organisation profile | The organisation profile requires accurate legal name, licence details, and business activity classification consistent with the trade licence and any regulator records — mismatches between goAML and licence data are a common cause of registration queries and delay. | 1–2 working days |
| 3 | Compliance Officer / MLRO Identification and Vetting — nominate and prepare the individual who will hold reporting authority | The AML/CFT Law expects the Compliance Officer to be sufficiently senior and empowered to act independently — a junior staff member nominated only to satisfy the registration requirement, without real authority to halt a transaction or escalate, is a red flag on inspection. | 1–2 working days |
| 4 | goAML Organisation Registration — submission on the FIU goAML portal | The organisation-level registration form requires consistent, verifiable detail; incomplete or inconsistent submissions are queried by the FIU and restart the review clock. We prepare and submit a complete, internally consistent application the first time. | Submission same day; FIU review timeline varies and is outside applicant control |
| 5 | Compliance Officer Registration and Activation — the nominated MLRO is registered and linked to the organisation profile | Organisation approval alone does not grant filing rights — the Compliance Officer's individual registration and activation is a separate step that is frequently missed, leaving an entity technically registered but unable to actually file a report when one is needed. | Following organisation approval; FIU-dependent |
| 6 | AML/CFT Risk Assessment Documentation — a written, entity-specific risk assessment covering customer, product, geography, and delivery-channel risk | A goAML registration without a documented risk assessment behind it looks, on inspection, like compliance theatre — supervisory authorities expect the registration to be the visible top of a real risk-based programme, not a standalone filing. | 3–7 working days depending on business complexity |
| 7 | AML/CFT Policy and Procedures Manual — board-approved written policies covering CDD, EDD, PEP screening, sanctions screening, record-keeping, and reporting escalation | Template policies copied from another business without adaptation to the entity's actual customer base and transaction types are one of the most common inspection findings — the policy has to reflect what the business actually does. | 5–10 working days |
| 8 | CDD/EDD Procedure Implementation — customer onboarding checks calibrated to the entity's risk assessment | Standard KYC is not the same as CDD under the AML/CFT Law — CDD requires beneficial ownership identification, source-of-funds/wealth understanding for higher-risk customers, and ongoing monitoring, not just a one-time ID copy at onboarding. | Ongoing from go-live |
| 9 | Staff AML/CFT Training — documented training for all staff who interact with customers or transactions | Training that is not documented (attendance, content, date, refresher cadence) is treated by supervisory authorities as if it did not happen — verbal briefings do not satisfy the record-keeping expectation. | Initial session 1 day; annual refresher thereafter |
| 10 | Sanctions and PEP Screening Setup — screening against UN, local UAE, and other applicable sanctions lists plus PEP identification | Ad hoc googling of a customer's name is not systematic screening — supervisory authorities expect a repeatable, documented screening process against current sanctions lists at onboarding and periodically thereafter. | 1–2 weeks to set up; ongoing thereafter |
| 11 | First STR/SAR Filing Support (as and when triggered) — PNPC assists in preparing and submitting the report through goAML | A late STR — filed only after internal deliberation or after a supervisory prompt — is treated as a standalone compliance failure under the AML/CFT Law, independent of the outcome of the underlying transaction. Reports must be filed without delay once suspicion arises. | As and when a reporting trigger arises — no fixed timeline, but 'without delay' once suspicion crystallises |
| 12 | Independent AML/CFT Audit Coordination — periodic independent review of the compliance programme, often required by the supervisory authority or as good practice | An AML programme that has never been independently tested tends to reveal its gaps for the first time during a regulator's own inspection — by which point remediation is reactive rather than planned. | Annually, or per supervisory authority requirement |
| 13 | Ongoing Regulatory Change Monitoring — Cabinet Decisions, Ministry of Economy guidance, and FIU circulars are tracked and the programme updated accordingly | AML/CFT obligations in the UAE are actively supervised and periodically updated; a policy manual written once at registration and never revisited drifts out of alignment with current guidance within a year or two. | Continuous, retainer basis |
| 14 | Targeted Financial Sanctions (TFS) readiness — process to screen against UN and UAE local terrorist lists and to file a Fund Freeze / Funds Awaiting Return report through goAML on a match | Many DNFBPs build STR/SAR reporting but overlook the separate sanctions-freeze obligation, which is triggered by a name match rather than transaction behaviour and requires freezing funds and reporting without delay. | Set up alongside screening; live thereafter |
| 15 | Portal re-registration / profile confirmation cycle — periodic review and confirmation of the organisation and Compliance Officer profiles so filing access stays live | An entity that registered once and never revisited the portal can find its profile dormant and its filing access unusable exactly when a report is needed. | Periodic; diarised on the compliance calendar |
| 16 | Compliance Officer succession and profile update — updating the registered Compliance Officer on goAML when the role holder changes, with a named deputy | A departed Compliance Officer left on the portal record is both a governance gap and a live filing risk — the new nominee must be registered and activated before any gap in reporting capability. | On any change of role holder |
| 17 | Inspection-response support — pre-inspection readiness review and representation support if the Ministry of Economy or a free zone regulator inspects | Businesses that assemble their file only after a notice arrives find the window to fix structural gaps has already closed. | On inspection notice |
Realistic timeline from applicability assessment to a fully registered and reporting-capable entity: typically 3–6 weeks, depending on FIU processing times (which PNPC does not control) and the complexity of the underlying AML/CFT programme being built. Entities that already have licences and ownership documentation in order move faster; those needing beneficial ownership clean-up or governance changes first will take longer.
Valid UAE trade licence (mainland DED licence or free zone licence) showing current activity classification
Certificate of Incorporation / formation documents and Memorandum/Articles of Association (or free zone equivalent constitutional documents)
Shareholder and beneficial ownership register — the FIU and supervisory authorities expect clarity on ultimate beneficial owners, not just registered shareholders
Corporate organisation chart identifying reporting lines relevant to the AML/CFT function
Registered office address and any branch/additional business location details
Emirates ID or passport copies of the authorised signatory registering the organisation on goAML
Emirates ID (residents) or passport copy (where the nominee is not yet UAE-resident) of the proposed Compliance Officer
CV or role description evidencing the Compliance Officer's seniority, authority, and relevant experience
Board resolution or equivalent management decision formally appointing the Compliance Officer with documented authority to escalate, halt transactions, and file reports independently
Contact details (dedicated email and phone) to be registered on the goAML platform for FIU correspondence
Signed acceptance of Compliance Officer responsibilities under the AML/CFT Law
Description of products/services offered and typical transaction sizes and patterns
Customer base profile — individual vs corporate, resident vs non-resident, typical geographies dealt with
Payment and delivery channel details — cash handling, wire transfers, third-party payments, use of intermediaries
History of any prior suspicious activity, internal escalations, or regulator correspondence relevant to risk profiling
Details of any higher-risk jurisdictions the business has dealings with, referenced against current FATF and UAE-designated high-risk country lists
Existing internal policies (if any) to be reviewed, gap-assessed, and updated rather than discarded
Sample customer onboarding files to assess current CDD practice against the required standard
Record-retention practice details — the AML/CFT Law requires transaction and CDD records to be retained for a prescribed minimum period
Any existing sanctions/PEP screening tool subscription details, or confirmation that none currently exists
UAE Central Bank licence or free zone financial regulator (DFSA/FSRA) licence and authorisation letter
Existing regulator-mandated compliance function documentation (if previously submitted to Central Bank, DFSA, or FSRA)
Details of correspondent banking or cross-border payment relationships where applicable
Existing transaction monitoring system documentation, if a system is already in use
Full transaction detail giving rise to the suspicion — dates, amounts, parties, and the specific factors that triggered concern
Customer due diligence file for the parties involved in the transaction
Internal escalation trail showing how and when the suspicion was raised internally to the Compliance Officer
Any supporting correspondence, contracts, or documentation relevant to the transaction under review
Business risk assessment and customer-risk methodology
AML/CFT policies, procedures and MLRO appointment records
Sanctions/PEP screening settings and evidence
Staff training logs and board/management approvals
CDD/KYC files and beneficial-owner records
EDD files for high-risk customers
Transaction-monitoring alerts and disposition notes
STR/SAR escalation and goAML submission records where relevant
Gap assessment against UAE AML/CFT obligations
Action plan with owner and due date
Policy and workflow updates
Testing evidence and management sign-off
| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Applicability Determination | New licence issuance, business activity expansion, or regulator query | Assess DNFBP/Financial Institution status against actual services rendered, not just licence wording. Document the determination in writing regardless of outcome. | Incorrect self-assessment leaves the entity unregistered and exposed the moment a supervisory authority reviews actual activity rather than licence description. |
| Initial Registration (Week 1–3) | Confirmed in-scope status | Organisation profile and Compliance Officer registration on goAML, submitted as a complete and internally consistent package to minimise FIU queries and delay. | Delayed or rejected registration due to inconsistent data extends the exposure window during which the entity remains formally unregistered and non-compliant. |
| Programme Build (Week 2–6, parallel to registration) | Registration in progress or complete | Risk assessment, board-approved policies, CDD/EDD procedures, sanctions/PEP screening, and staff training built out to sit behind the goAML registration. | A registered-but-hollow compliance function fails inspection as readily as no registration at all — supervisory authorities assess substance, not just the portal sign-up. |
| Steady-State Reporting | Ongoing customer transactions and onboarding | CDD performed at onboarding and refreshed periodically; transactions screened; any suspicion escalated to the Compliance Officer and filed via goAML without delay. | Tipping off customers, internal delay in escalation, or filing only after regulator prompting are treated as standalone breaches of the AML/CFT Law, separate from any penalty on the underlying transaction. |
| Periodic Review & Training Refresh | Annual cycle or material change in business/regulatory guidance | Independent AML audit, refreshed risk assessment, updated policies reflecting current Cabinet Decisions and FIU/Ministry of Economy guidance, and refresher staff training. | Stale policies and undocumented refresher training are recurring findings in DNFBP inspections and undermine the credibility of an otherwise registered programme. |
| Supervisory Inspection | Scheduled or ad hoc inspection by Ministry of Economy, Central Bank, or free zone regulator | Pre-inspection readiness review, document assembly, and representation support during the inspection process. | Administrative penalties under Cabinet Decision No. 10 of 2019 (as amended) can include substantial fines, licence-related sanctions, and in serious cases referral for further action — the range and severity depend on the nature and persistence of the breach. |
| Remediation (If a Gap Is Found) | Inspection finding, internal audit finding, or self-identified gap | Structured remediation plan addressing the specific finding, with documented evidence of correction for the next inspection cycle. | Unaddressed findings compound at the next inspection cycle and are viewed by regulators as an aggravating factor reflecting a pattern of non-compliance rather than an isolated lapse. |
| Sanctions-List Event | A UN or UAE local terrorist-list update, or a name match surfacing during screening | Screen against the updated list, and where a match is confirmed, freeze the relevant funds and file the Fund Freeze / Funds Awaiting Return report through goAML without delay — this is a separate obligation from an STR. | A missed or delayed freeze-and-report on a genuine sanctions hit is treated as a serious standalone breach, independent of any transaction-based reporting. |
| Portal Profile Confirmation | goAML periodic re-registration / confirmation cycle, or a change of Compliance Officer | Confirm the organisation and Compliance Officer profiles on schedule and update the role holder promptly so filing access never lapses. | A dormant or unconfirmed profile can leave the entity technically deregistered and unable to file exactly when a report is needed. |
What exactly is goAML and who runs it?
goAML is the online platform operated by the UAE's Financial Intelligence Unit (FIU), which sits within the UAE Central Bank, for receiving Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory AML/CFT disclosures from regulated entities. It is the single national channel through which Financial Institutions and Designated Non-Financial Businesses and Professions (DNFBPs) meet their reporting obligations under Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions.
Is goAML registration mandatory, or only if my business has something to report?
Registration is mandatory for every entity that falls within the DNFBP or Financial Institution definition, regardless of whether it has ever identified a suspicious transaction. The obligation attaches the moment the entity's activity brings it into scope — it is a standing registration requirement, not something triggered only by an actual suspicious event.
How do I know if my business is a DNFBP under UAE law?
The AML/CFT Law and its Cabinet Decisions define specific DNFBP categories: real estate brokers and agents, dealers in precious metals and stones (above prescribed thresholds), independent legal professionals and notaries carrying out specified transactions, auditors and accountants providing specified services, and corporate/trust service providers. Whether a specific business falls into one of these categories depends on the actual services it provides, not the wording of its trade licence.
My trade licence doesn't mention AML-sensitive activities — am I automatically exempt?
No. Supervisory authorities look at the substance of the services actually rendered, not just the licence activity description. A company registered under a general business consultancy licence that, in practice, forms companies for clients or manages client funds can still fall within the DNFBP definition regardless of how the licence is worded.
What is the difference between the organisation registration and the Compliance Officer registration on goAML?
goAML registration happens in two linked stages: first, the entity itself is registered as an organisation on the platform; second, the individual designated as Compliance Officer (or MLRO) is registered and given filing authority linked to that organisation profile. An entity that has only completed the organisation-level registration cannot yet file reports — the Compliance Officer's activation is a separate and necessary step.
Who should be nominated as the Compliance Officer or MLRO?
The nominee should be sufficiently senior and empowered within the organisation to act independently — able to escalate concerns, request further information from business units, and where necessary pause a transaction pending review, without needing case-by-case sign-off from someone whose interests might conflict with reporting. A junior staff member with no real authority, nominated only to satisfy the registration requirement, is a recognised inspection red flag.
What is the difference between an STR and a SAR?
A Suspicious Transaction Report (STR) is filed when there are reasonable grounds to suspect that funds involved in a specific transaction are, in whole or part, the proceeds of a crime or connected to money laundering. A Suspicious Activity Report (SAR) is broader and can relate to suspicious activity or patterns connected to underlying criminal conduct, including terrorist financing, even where a single discrete transaction is not the trigger. Both are filed through goAML and both carry the same 'without delay' filing expectation once suspicion arises.
What does 'without delay' mean in practice for filing a report?
The AML/CFT Law requires reporting entities to file an STR or SAR promptly once reasonable suspicion arises — it does not permit a business to sit on a suspicion while it conducts its own extended internal investigation, waits to see how the transaction plays out, or delays until a supervisory inspection prompts disclosure. Internal escalation and review should happen quickly, with the report filed as soon as the suspicion is reasonably formed.
What happens if my business fails to register on goAML at all?
Failure to register when in scope is itself a compliance breach under the AML/CFT Law and its Cabinet Decision on administrative penalties (Cabinet Decision No. 10 of 2019, as amended). Supervisory authorities — principally the Ministry of Economy for most DNFBPs — can impose administrative penalties for non-registration, independent of whether any actual suspicious transaction has occurred. The specific penalty amount and any additional licence-related consequences depend on the nature and duration of the non-compliance and are determined by the relevant authority.
Is there tipping-off liability if I tell a customer I've filed a report about them?
Yes. The AML/CFT Law prohibits disclosing to a customer, or to any third party, that an STR or SAR has been filed or that an AML-related investigation is underway, where that disclosure could prejudice an investigation. This 'tipping off' prohibition applies to the Compliance Officer and to any staff member aware of the filing.
How long does goAML registration take from start to finish?
The organisation and Compliance Officer registration submissions themselves can typically be prepared and filed within days once documentation is in order. The FIU's own review and approval timeline is not within the applicant's control and can vary. Building the surrounding AML/CFT programme — risk assessment, policies, CDD procedures, training — in parallel typically takes several weeks depending on the complexity of the business.
Do free zone companies need to register on goAML, or only mainland companies?
DNFBP and AML/CFT obligations, including goAML registration, apply based on the nature of the licensed activity, not on whether the entity is set up on the UAE mainland or in a free zone. A free zone company genuinely carrying out a DNFBP activity — corporate services, real estate brokerage where permitted, precious metals dealing — falls within scope in the same way a mainland entity would, subject to the relevant free zone's own supervisory arrangements where applicable (for example, DIFC-licensed entities are supervised by the DFSA and ADGM-licensed entities by the FSRA for AML purposes).
What is Customer Due Diligence (CDD) and how is it different from basic KYC?
Basic KYC (Know Your Customer) is typically limited to identifying who the customer is — name, ID, address. CDD under the AML/CFT Law goes further: it requires identifying and verifying beneficial ownership behind corporate customers, understanding the purpose and intended nature of the business relationship, and — for higher-risk customers — understanding the source of funds or source of wealth, with ongoing monitoring of the relationship over time rather than a one-time check at onboarding.
What is Enhanced Due Diligence (EDD) and when is it required?
EDD is a heightened level of due diligence applied to higher-risk customers or transactions — for example, Politically Exposed Persons (PEPs), customers or counterparties connected to high-risk jurisdictions, complex or unusually large transactions with no clear economic rationale, or relationships involving significant cash. EDD typically requires additional verification of source of funds and wealth, senior management approval to onboard or continue the relationship, and more frequent ongoing monitoring.
What is a PEP and why does it matter for AML compliance?
A Politically Exposed Person (PEP) is an individual who holds, or has held, a prominent public function — a head of state, senior government official, senior judiciary or military official, senior executive of a state-owned enterprise, or senior political party official — along with their immediate family members and close associates. PEPs are treated as inherently higher-risk under AML/CFT frameworks worldwide because of the potential for corruption-linked proceeds, and relationships with PEPs typically require EDD and senior management approval.
What sanctions lists should a UAE business screen against?
At minimum, UAE entities are expected to screen against the UN Security Council Consolidated Sanctions List and the UAE's own local terrorist and sanctions lists maintained under the AML/CFT framework. Depending on the entity's international dealings, screening against other major international sanctions regimes (such as those of the EU, UK, or US where relevant to cross-border transactions) may also form part of a properly risk-calibrated programme.
How often does an AML/CFT risk assessment need to be updated?
The risk assessment should be treated as a living document — reviewed at least annually, and refreshed sooner if there is a material change in the business (new products or services, new customer segments, new geographies, significant growth in transaction volumes, or a relevant regulatory update). An assessment prepared once at registration and never revisited quickly becomes disconnected from what the business actually does.
Does PNPC act as our Compliance Officer or MLRO?
PNPC advises on, trains, and supports the Compliance Officer function, and can assist in preparing the individual for the role, but the statutory Compliance Officer/MLRO role must be held by a suitably senior individual within the regulated entity itself who can be held accountable under the AML/CFT Law. We do not take on the statutory role as an external party, since the position requires day-to-day authority within the business that an outside adviser cannot exercise.
What records does my business need to keep for AML purposes, and for how long?
The AML/CFT Law and its regulations require reporting entities to retain CDD records, transaction records, and records of any internal analysis or reports filed for a prescribed minimum retention period following the end of the business relationship or the date of the transaction, whichever is applicable. The exact retention period should be confirmed against the current regulations and any supervisory authority guidance applicable to the entity's specific DNFBP category.
Can goAML reporting obligations conflict with legal professional privilege for lawyers?
The AML/CFT Law recognises certain carve-outs for independent legal professionals in specific circumstances connected to privileged legal advice, but these carve-outs are narrow and fact-specific — they do not exempt a lawyer from DNFBP reporting obligations when acting in a transactional capacity (company formation, real estate conveyancing, managing client funds) rather than providing pure legal advice or litigation representation. Legal professionals in scope should seek specific guidance on how privilege interacts with their reporting duty for particular engagements.
What is beneficial ownership and why does goAML/AML compliance care about it?
Beneficial ownership refers to identifying the natural person(s) who ultimately own or control an entity, even where legal ownership sits behind layers of corporate shareholding, trusts, or nominee arrangements. AML/CFT compliance — and UAE beneficial ownership regulations more broadly — require entities to look through the legal structure to identify and verify the real individuals in control, because obscured beneficial ownership is a recognised money-laundering technique.
Is goAML registration connected to Economic Substance Regulations (ESR) compliance?
They are related in that both sit within the UAE's broader regulatory compliance landscape, but they are separate obligations administered by different authorities. ESR, administered under Ministry of Finance guidance, previously required certain UAE entities carrying out defined 'Relevant Activities' to file annual notifications and substance reports — however, the ESR notification and report filing requirement was discontinued for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024, so ESR is no longer a live ongoing filing obligation for most current financial years (earlier-year filings and any related historical assessments may still be relevant). goAML/AML compliance, by contrast, is a live, ongoing obligation under the AML/CFT Law aimed at money-laundering and terrorist-financing detection, with no equivalent discontinuation. A business should confirm current status on each regime separately rather than assuming one still tracks the other.
What is the difference between the Ministry of Economy's role and the Central Bank/FIU's role in AML compliance?
The FIU, housed within the UAE Central Bank, operates the goAML platform and receives, analyses, and disseminates STRs/SARs. The Ministry of Economy is the primary supervisory authority for most DNFBP categories — it conducts inspections, issues guidance, and enforces administrative penalties for DNFBP non-compliance. Financial institutions are separately supervised by the Central Bank or the relevant financial free zone regulator (DFSA in DIFC, FSRA in ADGM) for prudential and AML purposes.
What triggers a Ministry of Economy AML inspection for a DNFBP?
Inspections can be scheduled as part of a routine supervisory cycle, triggered by risk-based selection of higher-risk DNFBP categories, prompted by a specific complaint or referral, or connected to a broader sectoral sweep. A business should not assume inspection risk is low simply because it has not been inspected before — the supervisory programme has expanded its coverage over time as the UAE's AML/CFT framework has matured.
What does PNPC actually deliver in a goAML and AML/CFT engagement?
A typical engagement covers: DNFBP/Financial Institution applicability assessment; goAML organisation and Compliance Officer registration; a written, entity-specific AML/CFT risk assessment; board-approved AML/CFT policies and procedures covering CDD, EDD, sanctions/PEP screening, and record-keeping; staff training with documented records; support setting up sanctions/PEP screening; and ongoing advisory including STR/SAR filing assistance when a reporting trigger arises. Engagements can be scoped as a one-time registration-and-setup project or as an ongoing retainer.
How much does goAML registration and AML/CFT programme setup cost?
PNPC agrees a fixed, written fee for the registration and programme-build engagement before work begins, scoped to the complexity of the business — a single-office corporate service provider and a multi-branch real estate brokerage require materially different depth of work. Ongoing retainer pricing for periodic risk assessment refresh, training, and reporting support is quoted separately and is also fixed and agreed in writing.
Why should I engage PNPC rather than registering on goAML myself?
Registering an organisation profile on goAML is mechanically straightforward once the applicability question is answered correctly — the harder and higher-stakes work is everything around it: confirming whether you are actually in scope, nominating a Compliance Officer with real authority, building a risk assessment that reflects your actual business rather than a generic template, and having a firm on call when an actual suspicious transaction arises and the 'without delay' clock starts running. A self-filed registration with no programme behind it is the pattern we most often see corrected after an inspection finding.
What happens the first time we actually need to file an STR — what does PNPC do?
We work with the Compliance Officer to document the specific facts giving rise to suspicion, confirm the internal escalation trail is properly recorded, prepare the STR/SAR content for accuracy and completeness, and support submission through goAML without unnecessary delay. We also advise on the tipping-off restriction throughout the process so the customer-facing team does not inadvertently disclose the filing.
Do sole practitioners and very small DNFBPs (like a single real estate agent) need the same full programme as a large firm?
The AML/CFT Law's registration and reporting obligations apply regardless of entity size, but the depth and formality of the surrounding programme can reasonably scale to the size and complexity of the business — a sole practitioner's risk assessment and policy documentation will look different from a 50-person brokerage's, while still covering the same substantive requirements: risk assessment, CDD/EDD procedures, a designated Compliance Officer, and reporting readiness.
What if we discover, after registering, that we were actually never in scope as a DNFBP?
There is generally no penalty for having registered proactively even where, on closer review, the entity's activities do not squarely meet the DNFBP definition — registering when uncertain is the lower-risk choice compared to remaining unregistered while genuinely in scope. PNPC can revisit the applicability assessment and advise on whether continued registration, deregistration, or simply maintaining a dormant but compliant registration is the sensible path.
Can a foreign parent company's global AML policy be used as-is for the UAE entity's goAML compliance?
A global group AML policy is a useful starting point but rarely satisfies UAE requirements on its own — it needs to be localised to reference the specific UAE AML/CFT Law provisions, the goAML reporting channel, the UAE Compliance Officer's specific authority and contact registration, and any UAE-specific risk factors (local sanctions lists, local high-risk activity thresholds) that a global template will not capture.
How does PNPC's Chennai/Bangalore/Hyderabad/Dubai presence help with UAE AML/CFT compliance specifically?
For clients with operations spanning India and the UAE, our Dubai team leads the UAE AML/CFT and goAML engagement directly, while our India offices support any parallel India-side compliance (such as FEMA reporting or Indian AML obligations for cross-border structures) under the same coordinated engagement — so a group with entities in both jurisdictions is not explaining its business twice to two unconnected advisers.
What is the consequence of a Compliance Officer leaving the business — does goAML registration lapse?
The organisation's goAML registration itself does not automatically lapse, but the entity must promptly update the registered Compliance Officer details on the platform when there is a change in the role holder, and ensure the new nominee is properly registered and activated before there is any gap in filing capability. Continuing to operate with an outdated or departed Compliance Officer on record is itself a governance gap that inspection will identify.
Are there specific thresholds in dirhams for when a DPMS (precious metals/stones dealer) must register?
The AML/CFT framework sets a designated cash-transaction threshold above which dealers in precious metals and stones fall within DNFBP scope for a given transaction or series of connected transactions, as prescribed by the Ministry of Economy. Because threshold figures are set by regulation and can be updated, PNPC confirms the current applicable threshold against the latest Ministry of Economy guidance at the time of the applicability assessment rather than relying on a fixed number that may have changed.
Does having goAML registration and an AML programme protect the business if a customer turns out to be a money launderer?
A properly implemented AML/CFT programme — registration, risk-based CDD/EDD, monitoring, and timely reporting when suspicion arises — is the standard against which a business's conduct is judged. It does not guarantee that criminal activity will never occur through the business, but a business that can demonstrate it followed its documented programme in good faith is in a materially different position, from a regulatory and reputational standpoint, than one that had no programme or ignored red flags.
Does goAML registration alone satisfy AML compliance?
No. goAML registration only opens the reporting channel — it gives the organisation and its Compliance Officer the ability to file STRs and SARs. It says nothing about whether the entity has a documented risk assessment, board-approved policies, CDD/EDD procedures, sanctions/PEP screening, or trained staff behind it. Supervisory authorities inspect the substance of the AML/CFT programme, not just whether the portal profile exists.
Can we use a downloaded or template AML policy instead of building our own?
A template can be a useful starting reference, but it must be adapted to the entity's actual customers, products, geography, delivery channels, and transaction patterns before it functions as a real policy. A policy that describes a generic business rather than the one operating under it is a recognised, recurring inspection finding — supervisory authorities test whether the document matches reality, not whether a document exists.
We already registered on goAML ourselves — can PNPC just check it's done correctly?
Yes. A common engagement is a goAML registration health check: confirming the organisation profile and Compliance Officer registration are both complete and active, that registered details match the current trade licence and ownership structure, and that a documented risk assessment and policy set exist behind the registration. Gaps are common even where the portal itself shows as registered.
What happens if the FIU queries or rejects our goAML submission?
FIU queries usually arise from inconsistencies between the goAML organisation profile and the entity's trade licence, ownership records, or activity description. PNPC reviews the specific query, reconciles the underlying records, and resubmits a corrected, internally consistent application rather than resubmitting the same data and expecting a different outcome.
Our business has never had a suspicious transaction — do we still need to register and maintain a programme?
Yes. The registration obligation attaches the moment an entity's actual activity falls within the DNFBP or Financial Institution definition, regardless of whether it has ever identified a suspicious transaction. An AML/CFT programme with no filings to date is not evidence of exemption from the obligation — it may simply mean no reporting trigger has yet arisen.
How does PNPC decide who inside our company should own the AML/CFT function day to day?
The AML/CFT Law requires a specific, sufficiently senior Compliance Officer/MLRO with real authority to escalate concerns and pause transactions where needed. PNPC works with management to identify a nominee who genuinely holds that authority within the existing organisation chart, rather than assigning the role to whoever is administratively convenient.
What documentation should we retain specifically for the goAML function, separate from general AML records?
Alongside the broader CDD/risk-assessment file, keep the goAML organisation and Compliance Officer registration confirmations, any FIU correspondence or queries and their resolutions, the internal escalation log showing how and when suspicion was raised before any STR/SAR filing, and confirmation of Compliance Officer succession whenever the role changes hands.
Can PNPC guarantee the Ministry of Economy won't issue a penalty even after we register?
No. PNPC can materially improve the completeness and defensibility of the registration and the programme behind it, but penalty decisions rest with the supervisory authority and depend on the specific facts, the history of the entity's compliance, and the authority's own discretion. We do not promise a regulatory outcome we do not control.
How does PNPC stay current on goAML and AML/CFT changes given the rules keep evolving?
PNPC tracks Cabinet Decisions, Ministry of Economy circulars, and FIU guidance updates affecting DNFBP registration and reporting obligations, and reflects relevant changes in client risk assessments and policy manuals as part of the ongoing retainer rather than waiting for the next inspection to prompt a review.
What does close-out look like at the end of a goAML registration and programme-build engagement?
Close-out includes confirmed organisation and Compliance Officer activation on goAML, the finalised risk assessment and policy manual, training records for the initial session, the sanctions/PEP screening setup, and a forward compliance calendar showing the next scheduled review, refresher training, and any pending FIU or Ministry of Economy items.
Can PNPC coordinate our goAML/AML compliance with our external auditor or legal counsel?
Yes. Where the entity's statutory auditor needs to confirm AML programme existence for audit purposes, or where legal counsel is separately advising on a related matter such as beneficial ownership structuring or a specific privilege question, PNPC coordinates directly with them so the client is not relaying technical detail between advisers.
Is there a separate goAML report we have to file on a sanctions-list match, distinct from an STR?
Yes. Where a customer, counterparty, or beneficial owner matches a name on the UN Security Council or the UAE's local terrorist/sanctions lists, the obligation is not an STR — it is a Targeted Financial Sanctions response: the relevant funds must be frozen without delay and a Fund Freeze / Funds Awaiting Return report filed through goAML. This is triggered by a list match, not by a suspicious pattern of transactions, which is why entities that build only STR/SAR workflows sometimes miss it entirely.
We registered on goAML a few years ago and haven't touched it since — is that a problem?
Potentially yes. goAML runs a periodic re-registration / profile-confirmation cycle, and a profile that is never reviewed or confirmed can become dormant, leaving the entity technically unable to file when a report is actually needed. Compliance Officer details also drift out of date as people change roles. A registration completed years ago and never revisited should be checked for live filing access, not assumed to be current.
Does the AML/CFT Law require an independent audit of our AML programme, and can PNPC do it?
The AML/CFT framework expects regulated entities, proportionate to size and risk, to subject their AML programme to independent review that tests whether policies, CDD/EDD, screening, and reporting actually work in practice — not just that documents exist. Where PNPC has built or advises on the programme, independence considerations mean the review is best performed by a separate reviewer; where another party built the programme, PNPC can perform the independent AML review directly.
How do goAML reporting duties interact with the UAE beneficial ownership (UBO) register requirement?
They are separate obligations that reinforce each other. UAE UBO regulations require most entities to identify and maintain a register of their ultimate beneficial owners with the relevant registrar, while AML/CFT CDD requires a reporting entity to look through its customers' structures to the real controllers. A corporate service provider therefore has a double exposure: its own UBO register obligation, and a CDD duty to verify the beneficial owners of every client it forms companies for.
If we file an STR and the transaction later turns out to be entirely legitimate, are we exposed for having reported?
No. The AML/CFT Law protects a reporting entity and its staff who file a report in good faith based on reasonable suspicion — the fact that the underlying transaction is later found to be legitimate does not create liability for having reported. The standard is whether there were reasonable grounds for suspicion at the time, not whether a crime was ultimately proven.
What is the real risk of using the cheapest provider that just 'does the goAML registration' for us?
A low-cost provider typically completes the visible step — an organisation profile on the portal — and stops there. What is usually missing is the substance an inspector actually tests: a correct applicability determination, a Compliance Officer with genuine authority (and their separate activation), a risk assessment that describes your business rather than a template, calibrated CDD/EDD, live sanctions screening, and documented training. A registered-but-hollow profile is the exact pattern that fails a Ministry of Economy inspection, and rebuilding under a remediation deadline costs far more than doing it properly once.
How does PNPC price a goAML and AML/CFT engagement, and what is included?
PNPC agrees a fixed written fee before work begins, scoped to the entity's complexity — a single-office corporate service provider and a multi-branch real estate brokerage require materially different depth. A one-time build covers applicability assessment, goAML organisation and Compliance Officer registration, risk assessment, policies, CDD/EDD procedures, screening setup, and documented training; ongoing retainer pricing for periodic risk-assessment refresh, profile confirmation, training, and STR/SAR support is quoted separately. Any government or third-party charges are shown separately from professional fees.
What happens if authority guidance or the goAML platform requirements change while our programme is in place?
AML/CFT obligations in the UAE are actively supervised and periodically updated through Cabinet Decisions, Ministry of Economy circulars, and FIU guidance. On a retainer, PNPC tracks these changes and reflects the relevant ones in the client's risk assessment, policies, and reporting procedures rather than waiting for an inspection to expose the drift — a policy manual written once at registration and never revisited falls out of alignment within a year or two.
Does registering on goAML for AML purposes have anything to do with our discontinued ESR filings?
No — and the two should not be conflated. ESR notification and report filing was discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024, so ESR is no longer a live annual filing obligation for current periods (only historical pre-2023 assessments may still matter). goAML/AML-CFT obligations under Federal Decree-Law No. 20 of 2018 are entirely separate, administered by a different authority, and remain fully live and ongoing — the winding-down of ESR filing has no effect on them.
PNPC AML/CFT & goAML engagement vs a bare portal registration
| Dimension | Bare goAML Self-Registration | PNPC Engagement |
|---|---|---|
| Applicability determination | Self-assessed, often based on licence wording alone | Documented legal assessment against actual services rendered |
| Compliance Officer readiness | Nominated to satisfy the form field | Vetted for seniority, authority, and independence; trained for the role |
| Risk assessment | Often skipped or copied from a generic template | Entity-specific, written, and kept current |
| Policies and procedures | Frequently absent or a downloaded template | Board-approved, calibrated to the business's actual risk profile |
| CDD vs basic KYC | Passport/Emirates ID copy treated as sufficient | Full CDD/EDD framework including beneficial ownership and source of funds |
| Staff training | Undocumented or non-existent | Documented sessions with attendance and content records |
| Sanctions/PEP screening | Ad hoc manual checks, if any | Systematic, repeatable screening process set up and maintained |
| STR/SAR filing support | Business navigates the filing alone under time pressure | Adviser on call to help document and file without delay |
| Inspection readiness | Reactive — scrambling once a notice arrives | Proactive — audit-ready documentation maintained continuously |
| Ongoing regulatory tracking | None | Cabinet Decisions, FIU circulars, and Ministry of Economy guidance monitored and reflected in the programme |
| Sanctions-freeze reporting | STR filing set up; the separate freeze-and-report obligation on a list match often overlooked | Defined Fund Freeze / Funds Awaiting Return procedure tied to live sanctions screening |
| Portal profile upkeep | Registered once, then dormant — access can lapse unnoticed | Re-registration cycle and Compliance Officer succession diarised so filing access stays live |
What the PNPC package includes
1. DNFBP / Financial Institution applicability assessment, documented in writing
2. goAML organisation registration and Compliance Officer registration and activation
3. Written, entity-specific AML/CFT risk assessment covering customer, product, geography, and delivery-channel risk
4. Board-approved AML/CFT policy and procedures manual covering CDD, EDD, PEP and sanctions screening, and record-keeping
5. Compliance Officer/MLRO preparation and role-authority documentation
6. Sanctions and PEP screening process setup
7. Documented staff AML/CFT training with attendance and content records
8. STR/SAR filing assistance as and when a reporting trigger arises
9. Annual risk assessment refresh and policy update as part of ongoing retainer
10. Inspection-readiness support and representation coordination with the Ministry of Economy or relevant regulator
11. Targeted Financial Sanctions readiness — screening against UN and UAE local terrorist lists and a defined Fund Freeze / Funds Awaiting Return reporting procedure
12. goAML profile-confirmation / re-registration diary and Compliance Officer succession handling so filing access never lapses
13. goAML registration health check confirming both organisation and Compliance Officer profiles are complete, active, and consistent with the trade licence
14. Beneficial ownership verification and record-keeping aligned with the UAE UBO register obligation
15. Independent AML programme review (where PNPC did not build the programme) or a separate independent reviewer where it did
16. FIU query-response support to reconcile and resubmit a queried or rejected goAML application
17. Localisation of a foreign parent's group AML policy to the UAE AML/CFT Law, goAML channel, and UAE-specific lists and thresholds
18. Documented internal escalation-log design so 'without delay' STR/SAR filing has an evidence trail
19. Coordination with auditors and legal counsel on AML-programme confirmation and privilege questions where required
20. Close-out pack: activated goAML profiles, finalised risk assessment and policy manual, training records, screening setup, and a forward compliance calendar
Get your goAML registration and AML/CFT compliance programme built correctly the first time — talk to PNPC's Dubai compliance team before a regulator asks why it wasn't.
Jurisdiction: Free zone, mainland & offshore