UAE Taxation & Regulatory Compliance · Economic Substance & AML Compliance

goAML Portal Registration & Reporting Assistance

goAML is not an optional formality — it is the UAE's central mechanism for detecting money laundering and terrorist financing, and registration on the portal is a legal obligation for every Designated Non-Financial Business and Profession (DNFBP) and financial institution operating in the UAE.

Chartered Accountants · Dubai · Since 1986

What goAML Portal Registration & Reporting Assistance is

goAML is the online reporting platform operated by the UAE's Financial Intelligence Unit (FIU), which sits within the UAE Central Bank, for the receipt, analysis, and dissemination of Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory disclosures required under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (the AML/CFT Law) and its Cabinet Decision implementing regulations. Every entity that falls within the definition of a Financial Institution or a Designated Non-Financial Business and Profession (DNFBP) under the AML/CFT framework — including real estate brokers and agents, dealers in precious metals and stones, auditors, independent legal professionals and notaries providing specified services, and company service providers — is legally required to register on goAML and to file reports through it whenever a reporting trigger arises. Registration is not optional and is not linked to whether a business has ever actually suspected a transaction; it is a standing obligation that begins the moment the entity meets the DNFBP or Financial Institution definition.

goAML registration itself is a two-stage process: an organisation-level registration that establishes the reporting entity's profile on the FIU platform, followed by the registration of the entity's designated Compliance Officer (in some structures called the Money Laundering Reporting Officer, MLRO) who is authorised to file reports on the organisation's behalf. Only after both stages are complete, and the Compliance Officer's access has been activated by the FIU, can the entity actually submit STRs, SARs, or other required disclosures. Many businesses discover the registration step only when a supervisory authority — the Ministry of Economy for most DNFBPs, or the relevant free zone / Central Bank for regulated financial entities — asks for evidence of it during a routine AML inspection, by which point the business is already in breach and exposed to administrative penalties under Cabinet Decision No. 10 of 2019 and its amendments.

Beyond the initial sign-up, goAML is the channel through which an entity discharges its ongoing statutory reporting duties: filing an STR whenever there are reasonable grounds to suspect that funds constitute the proceeds of a crime or are connected to money laundering; filing a SAR where the suspicion relates to an underlying criminal activity more broadly; and responding to any information requests the FIU raises through the platform in connection with a filed report. The AML/CFT Law also requires that suspicion be reported without delay once it arises — tipping off the customer, delaying the filing pending further investigation of one's own, or filing only after a supervisory inspection prompts it, are all treated as compliance failures in their own right, independent of whether the underlying transaction turns out to be legitimate.

For most DNFBPs and regulated entities, goAML registration and reporting sits inside a broader AML/CFT compliance programme: a documented risk assessment of the business's exposure to money laundering and terrorist financing, board-approved AML/CFT policies and procedures, Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) protocols, sanctions and Politically Exposed Persons (PEP) screening, a named and empowered Compliance Officer, staff training records, and independent audit of the AML function. goAML registration without the surrounding programme is a box checked on paper; supervisory authorities inspect the substance behind it, and the absence of a functioning programme is treated as seriously as the absence of registration itself.

goAML also runs an annual re-registration/confirmation cycle: registered entities are periodically required to review and confirm their profile and Compliance Officer details, and a lapsed or unconfirmed profile can leave an entity technically deregistered and unable to file when a report is actually needed. This is a recurring trap — a business that registered once, years ago, and never revisited the portal can discover mid-crisis that its access is dormant. Beyond STRs and SARs, goAML is also the channel for other statutory report types, including the Funds Awaiting Return / Fund Freeze Report following a Targeted Financial Sanctions (TFS) list match, where a name hit against the UN or UAE local terrorist lists must be reported and the relevant funds frozen without delay — a filing obligation that is easy to overlook because it is not triggered by a customer's transaction behaviour but by a list update.

The practical risk on this service is rarely the mechanics of the portal form; it is treating registration as the whole obligation, nominating a Compliance Officer who lacks real authority, or building a programme on a copied template that does not describe the business. PNPC therefore treats goAML work as the visible top of a risk-based programme and aligns the registration, the risk assessment, the CDD/EDD design, sanctions screening, MLRO governance and evidence retention so that what a Ministry of Economy inspector tests on the ground matches what the portal profile claims.

Who is legally required to register on goAML

Real estate brokers and agents when involved in transactions concerning the buying and selling of real estate — a defined DNFBP category under the AML/CFT Law

Dealers in precious metals and stones when engaged in any single cash transaction (or connected transactions) at or above the prescribed threshold set by the Ministry of Economy

Independent legal professionals, notaries, and other independent legal practitioners when preparing for or carrying out specified transactions for a client — company formation, management of client funds, or buying/selling of real estate or business entities

Auditors and accountants providing specified services covered under the DNFBP definition

Corporate service providers (company formation agents, registered agents, trust and corporate service providers) forming companies, acting as registered agent, or providing nominee director/shareholder or company secretarial services

Financial institutions, exchange houses, and other entities licensed and regulated by the UAE Central Bank or a financial free zone regulator (DFSA in DIFC, FSRA in ADGM)

Any entity that has been notified by its supervisory authority (Ministry of Economy, Central Bank, or free zone regulator) that it falls within scope, even where its own self-assessment is uncertain

Any business that has already identified a transaction it considers suspicious and needs to file without further delay — registration and first filing frequently happen together under time pressure

An entity that registered on goAML years ago but has never confirmed its profile through the portal's periodic re-registration cycle, and cannot be certain its filing access is still live

A business whose Compliance Officer has left, moved roles, or was never properly activated on the portal — leaving a gap in who can actually file a report today

An entity that has received a Ministry of Economy AML inspection notice, or a supervisory query, and needs its registration, risk assessment, and policy file made inspection-ready quickly

A group with an existing global AML policy that needs localising to the UAE AML/CFT Law, the goAML channel, and UAE-specific sanctions lists and activity thresholds before it can be relied on

A business that needs to file a Fund Freeze / Funds Awaiting Return report after a sanctions-list name match and is unsure of the goAML mechanics and the freeze-without-delay obligation

Where the obligation genuinely does not apply — verify before assuming

Businesses entirely outside the DNFBP and Financial Institution categories defined in the AML/CFT Law and its Cabinet Decisions — most ordinary trading, retail, manufacturing, and professional services businesses fall outside scope unless they specifically provide one of the designated services

A retail jeweller whose transactions never reach the cash-transaction threshold set for precious metals and stones dealers — though the entity should still document why it has assessed itself as out of scope, since supervisory authorities may query the assessment

A law firm that never handles client funds, company formation, or real estate/business transactions on a client's behalf — general litigation and advisory work alone does not typically trigger DNFBP status, but this line is fact-specific and should be confirmed, not assumed

An accounting firm providing only bookkeeping and tax filing services without company formation, trust, or specified transaction involvement — again, a fact-specific determination best confirmed with a compliance adviser rather than self-assessed

A business that has already completed goAML registration correctly and simply needs day-to-day filing support — in that case the engagement is about reporting assistance and programme maintenance, not registration itself

A client who wants PNPC to hold the statutory Compliance Officer/MLRO role itself — that position requires day-to-day authority inside the regulated entity and cannot be discharged by an external adviser (we support the role, we do not take it on)

A client seeking a guaranteed assurance that the Ministry of Economy will not penalise them, or a promise that a filed STR/SAR will produce a particular outcome — neither is within any adviser's control

A pure legal-privilege determination for a law firm — whether a specific engagement is privileged and thus outside the reporting duty is a legal question for the firm's own counsel, alongside which we build the AML architecture

A client who wants a template AML policy dropped in without a risk assessment or calibration to their actual business — that is precisely the box-ticking pattern supervisory authorities flag on inspection

A business that is not yet willing to identify its beneficial owners, share its customer and transaction profile, or nominate an empowered Compliance Officer — the CDD and governance groundwork cannot be skipped

Structure Comparison

goAML obligations across common DNFBP categories in the UAE

| DNFBP Category | Typical Trigger for STR/SAR | Registration Timing | Key Ongoing Obligation |
|---|---|---|---|
| Real estate brokers/agents | Cash-intensive deals, unusual source-of-funds patterns, PEP counterparties, rapid resale | Before conducting any real estate brokerage transaction as a licensed entity | CDD/EDD on buyer and seller, STR filing without delay on suspicion |
| Dealers in precious metals and stones (DPMS) | Cash transactions at or above the Ministry of Economy's prescribed threshold | Before or immediately upon crossing the designated activity threshold | Threshold transaction record-keeping and STR filing on suspicion |
| Independent legal professionals/notaries | Company formation, real estate conveyancing, management of client money or securities on client instruction | Before undertaking any specified transaction on a client's behalf | CDD on beneficial owners, STR filing, legal professional privilege carve-outs handled carefully |
| Auditors and accountants (specified services) | Specified services connected with company formation, management, or asset transfer | Before providing the specified service | CDD, STR filing, coordination with statutory audit independence rules |
| Corporate service providers | Company formation for undisclosed beneficial owners, nominee arrangements, shell structures | Before acting as formation agent, registered agent, or nominee provider | Beneficial ownership verification, UBO register maintenance, STR filing |
| Financial institutions / exchange houses | Wire transfers, cash transactions, unusual account activity, sanctions list hits | Before commencing regulated financial activity | Full AML/CFT programme, transaction monitoring, STR/SAR filing, sanctions screening |

This table is directional. Whether a specific business falls within a DNFBP category, and which threshold or trigger applies, depends on the precise nature of services rendered and must be confirmed against the AML/CFT Law, its Cabinet Decisions, and any sector-specific guidance issued by the Ministry of Economy or the relevant regulator. A formal AML applicability assessment by PNPC is the appropriate first step where status is unclear.

How it works

| # | Stage & What PNPC Does | What Businesses Miss Without a CA/Compliance Adviser | Timeline |
|---|---|---|---|
| 1 | AML/CFT Applicability Assessment — confirm whether the entity is a DNFBP or Financial Institution in scope | Businesses frequently self-assess as out of scope based on their trade licence activity description alone, without checking whether their actual services (company formation, client fund handling, real estate transactions) trigger DNFBP status regardless of licence wording. We assess against the actual activity, not the licence label. | 1–3 working days |
| 2 | Entity Profile Preparation — trade licence, ownership structure, and business activity documentation gathered for the goAML organisation profile | The organisation profile requires accurate legal name, licence details, and business activity classification consistent with the trade licence and any regulator records — mismatches between goAML and licence data are a common cause of registration queries and delay. | 1–2 working days |
| 3 | Compliance Officer / MLRO Identification and Vetting — nominate and prepare the individual who will hold reporting authority | The AML/CFT Law expects the Compliance Officer to be sufficiently senior and empowered to act independently — a junior staff member nominated only to satisfy the registration requirement, without real authority to halt a transaction or escalate, is a red flag on inspection. | 1–2 working days |
| 4 | goAML Organisation Registration — submission on the FIU goAML portal | The organisation-level registration form requires consistent, verifiable detail; incomplete or inconsistent submissions are queried by the FIU and restart the review clock. We prepare and submit a complete, internally consistent application the first time. | Submission same day; FIU review timeline varies and is outside applicant control |
| 5 | Compliance Officer Registration and Activation — the nominated MLRO is registered and linked to the organisation profile | Organisation approval alone does not grant filing rights — the Compliance Officer's individual registration and activation is a separate step that is frequently missed, leaving an entity technically registered but unable to actually file a report when one is needed. | Following organisation approval; FIU-dependent |
| 6 | AML/CFT Risk Assessment Documentation — a written, entity-specific risk assessment covering customer, product, geography, and delivery-channel risk | A goAML registration without a documented risk assessment behind it looks, on inspection, like compliance theatre — supervisory authorities expect the registration to be the visible top of a real risk-based programme, not a standalone filing. | 3–7 working days depending on business complexity |
| 7 | AML/CFT Policy and Procedures Manual — board-approved written policies covering CDD, EDD, PEP screening, sanctions screening, record-keeping, and reporting escalation | Template policies copied from another business without adaptation to the entity's actual customer base and transaction types are one of the most common inspection findings — the policy has to reflect what the business actually does. | 5–10 working days |
| 8 | CDD/EDD Procedure Implementation — customer onboarding checks calibrated to the entity's risk assessment | Standard KYC is not the same as CDD under the AML/CFT Law — CDD requires beneficial ownership identification, source-of-funds/wealth understanding for higher-risk customers, and ongoing monitoring, not just a one-time ID copy at onboarding. | Ongoing from go-live |
| 9 | Staff AML/CFT Training — documented training for all staff who interact with customers or transactions | Training that is not documented (attendance, content, date, refresher cadence) is treated by supervisory authorities as if it did not happen — verbal briefings do not satisfy the record-keeping expectation. | Initial session 1 day; annual refresher thereafter |
| 10 | Sanctions and PEP Screening Setup — screening against UN, local UAE, and other applicable sanctions lists plus PEP identification | Ad hoc googling of a customer's name is not systematic screening — supervisory authorities expect a repeatable, documented screening process against current sanctions lists at onboarding and periodically thereafter. | 1–2 weeks to set up; ongoing thereafter |
| 11 | First STR/SAR Filing Support (as and when triggered) — PNPC assists in preparing and submitting the report through goAML | A late STR — filed only after internal deliberation or after a supervisory prompt — is treated as a standalone compliance failure under the AML/CFT Law, independent of the outcome of the underlying transaction. Reports must be filed without delay once suspicion arises. | As and when a reporting trigger arises — no fixed timeline, but 'without delay' once suspicion crystallises |
| 12 | Independent AML/CFT Audit Coordination — periodic independent review of the compliance programme, often required by the supervisory authority or as good practice | An AML programme that has never been independently tested tends to reveal its gaps for the first time during a regulator's own inspection — by which point remediation is reactive rather than planned. | Annually, or per supervisory authority requirement |
| 13 | Ongoing Regulatory Change Monitoring — Cabinet Decisions, Ministry of Economy guidance, and FIU circulars are tracked and the programme updated accordingly | AML/CFT obligations in the UAE are actively supervised and periodically updated; a policy manual written once at registration and never revisited drifts out of alignment with current guidance within a year or two. | Continuous, retainer basis |
| 14 | Targeted Financial Sanctions (TFS) readiness — process to screen against UN and UAE local terrorist lists and to file a Fund Freeze / Funds Awaiting Return report through goAML on a match | Many DNFBPs build STR/SAR reporting but overlook the separate sanctions-freeze obligation, which is triggered by a name match rather than transaction behaviour and requires freezing funds and reporting without delay. | Set up alongside screening; live thereafter |
| 15 | Portal re-registration / profile confirmation cycle — periodic review and confirmation of the organisation and Compliance Officer profiles so filing access stays live | An entity that registered once and never revisited the portal can find its profile dormant and its filing access unusable exactly when a report is needed. | Periodic; diarised on the compliance calendar |
| 16 | Compliance Officer succession and profile update — updating the registered Compliance Officer on goAML when the role holder changes, with a named deputy | A departed Compliance Officer left on the portal record is both a governance gap and a live filing risk — the new nominee must be registered and activated before any gap in reporting capability. | On any change of role holder |
| 17 | Inspection-response support — pre-inspection readiness review and representation support if the Ministry of Economy or a free zone regulator inspects | Businesses that assemble their file only after a notice arrives find the window to fix structural gaps has already closed. | On inspection notice |

Realistic timeline from applicability assessment to a fully registered and reporting-capable entity: typically 3–6 weeks, depending on FIU processing times (which PNPC does not control) and the complexity of the underlying AML/CFT programme being built. Entities that already have licences and ownership documentation in order move faster; those needing beneficial ownership clean-up or governance changes first will take longer.

Document Checklist

Entity / Organisation Documents

Valid UAE trade licence (mainland DED licence or free zone licence) showing current activity classification

Certificate of Incorporation / formation documents and Memorandum/Articles of Association (or free zone equivalent constitutional documents)

Shareholder and beneficial ownership register — the FIU and supervisory authorities expect clarity on ultimate beneficial owners, not just registered shareholders

Corporate organisation chart identifying reporting lines relevant to the AML/CFT function

Registered office address and any branch/additional business location details

Emirates ID or passport copies of the authorised signatory registering the organisation on goAML

Compliance Officer / MLRO Documentation

Emirates ID (residents) or passport copy (where the nominee is not yet UAE-resident) of the proposed Compliance Officer

CV or role description evidencing the Compliance Officer's seniority, authority, and relevant experience

Board resolution or equivalent management decision formally appointing the Compliance Officer with documented authority to escalate, halt transactions, and file reports independently

Contact details (dedicated email and phone) to be registered on the goAML platform for FIU correspondence

Signed acceptance of Compliance Officer responsibilities under the AML/CFT Law

AML/CFT Risk Assessment Inputs

Description of products/services offered and typical transaction sizes and patterns

Customer base profile — individual vs corporate, resident vs non-resident, typical geographies dealt with

Payment and delivery channel details — cash handling, wire transfers, third-party payments, use of intermediaries

History of any prior suspicious activity, internal escalations, or regulator correspondence relevant to risk profiling

Details of any higher-risk jurisdictions the business has dealings with, referenced against current FATF and UAE-designated high-risk country lists

Policy & Procedure Baseline Materials

Existing internal policies (if any) to be reviewed, gap-assessed, and updated rather than discarded

Sample customer onboarding files to assess current CDD practice against required standard

Record-retention practice details — the AML/CFT Law requires transaction and CDD records to be retained for a prescribed minimum period

Any existing sanctions/PEP screening tool subscription details, or confirmation that none currently exists

For Regulated Financial Institutions (Additional)

UAE Central Bank licence or free zone financial regulator (DFSA/FSRA) licence and authorisation letter

Existing regulator-mandated compliance function documentation (if previously submitted to Central Bank, DFSA, or FSRA)

Details of correspondent banking or cross-border payment relationships where applicable

Existing transaction monitoring system documentation, if a system is already in use

For STR/SAR Filing Support (As-Needed)

Full transaction detail giving rise to the suspicion — dates, amounts, parties, and the specific factors that triggered concern

Customer due diligence file for the parties involved in the transaction

Internal escalation trail showing how and when the suspicion was raised internally to the Compliance Officer

Any supporting correspondence, contracts, or documentation relevant to the transaction under review

AML governance file

Business risk assessment and customer-risk methodology

AML/CFT policies, procedures and MLRO appointment records

Sanctions/PEP screening settings and evidence

Staff training logs and board/management approvals

Customer and transaction evidence

CDD/KYC files and beneficial-owner records

EDD files for high-risk customers

Transaction-monitoring alerts and disposition notes

STR/SAR escalation and goAML submission records where relevant

Remediation pack

Gap assessment against UAE AML/CFT obligations

Action plan with owner and due date

Policy and workflow updates

Testing evidence and management sign-off

Ongoing obligations

| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Applicability Determination | New licence issuance, business activity expansion, or regulator query | Assess DNFBP/Financial Institution status against actual services rendered, not just licence wording. Document the determination in writing regardless of outcome. | Incorrect self-assessment leaves the entity unregistered and exposed the moment a supervisory authority reviews actual activity rather than licence description. |
| Initial Registration (Week 1–3) | Confirmed in-scope status | Organisation profile and Compliance Officer registration on goAML, submitted as a complete and internally consistent package to minimise FIU queries and delay. | Delayed or rejected registration due to inconsistent data extends the exposure window during which the entity remains formally unregistered and non-compliant. |
| Programme Build (Week 2–6, parallel to registration) | Registration in progress or complete | Risk assessment, board-approved policies, CDD/EDD procedures, sanctions/PEP screening, and staff training built out to sit behind the goAML registration. | A registered-but-hollow compliance function fails inspection as readily as no registration at all — supervisory authorities assess substance, not just the portal sign-up. |
| Steady-State Reporting | Ongoing customer transactions and onboarding | CDD performed at onboarding and refreshed periodically; transactions screened; any suspicion escalated to the Compliance Officer and filed via goAML without delay. | Tipping off customers, internal delay in escalation, or filing only after regulator prompting are treated as standalone breaches of the AML/CFT Law, separate from any penalty on the underlying transaction. |
| Periodic Review & Training Refresh | Annual cycle or material change in business/regulatory guidance | Independent AML audit, refreshed risk assessment, updated policies reflecting current Cabinet Decisions and FIU/Ministry of Economy guidance, and refresher staff training. | Stale policies and undocumented refresher training are recurring findings in DNFBP inspections and undermine the credibility of an otherwise registered programme. |
| Supervisory Inspection | Scheduled or ad hoc inspection by Ministry of Economy, Central Bank, or free zone regulator | Pre-inspection readiness review, document assembly, and representation support during the inspection process. | Administrative penalties under Cabinet Decision No. 10 of 2019 (as amended) can include substantial fines, licence-related sanctions, and in serious cases referral for further action — the range and severity depend on the nature and persistence of the breach. |
| Remediation (If a Gap Is Found) | Inspection finding, internal audit finding, or self-identified gap | Structured remediation plan addressing the specific finding, with documented evidence of correction for the next inspection cycle. | Unaddressed findings compound at the next inspection cycle and are viewed by regulators as an aggravating factor reflecting a pattern of non-compliance rather than an isolated lapse. |
| Sanctions-List Event | A UN or UAE local terrorist-list update, or a name match surfacing during screening | Screen against the updated list, and where a match is confirmed, freeze the relevant funds and file the Fund Freeze / Funds Awaiting Return report through goAML without delay — this is a separate obligation from an STR. | A missed or delayed freeze-and-report on a genuine sanctions hit is treated as a serious standalone breach, independent of any transaction-based reporting. |
| Portal Profile Confirmation | goAML periodic re-registration / confirmation cycle, or a change of Compliance Officer | Confirm the organisation and Compliance Officer profiles on schedule and update the role holder promptly so filing access never lapses. | A dormant or unconfirmed profile can leave the entity technically deregistered and unable to file exactly when a report is needed. |

Frequently asked

What exactly is goAML and who runs it?

goAML is the online platform operated by the UAE's Financial Intelligence Unit (FIU), which sits within the UAE Central Bank, for receiving Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other statutory AML/CFT disclosures from regulated entities. It is the single national channel through which Financial Institutions and Designated Non-Financial Businesses and Professions (DNFBPs) meet their reporting obligations under Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions.

Practitioner note: We are often asked whether goAML registration is 'just for banks.' It is not — a large share of our goAML engagements are real estate brokers, precious metals dealers, and corporate service providers, not banks.

Is goAML registration mandatory, or only if my business has something to report?

Registration is mandatory for every entity that falls within the DNFBP or Financial Institution definition, regardless of whether it has ever identified a suspicious transaction. The obligation attaches the moment the entity's activity brings it into scope — it is a standing registration requirement, not something triggered only by an actual suspicious event.

Practitioner note: This is the single most common misunderstanding we encounter. Businesses assume 'we've never seen anything suspicious, so we don't need to register.' That reasoning is backwards under the AML/CFT Law — registration is the baseline obligation; reporting is what happens on top of it if and when a trigger arises.

How do I know if my business is a DNFBP under UAE law?

The AML/CFT Law and its Cabinet Decisions define specific DNFBP categories: real estate brokers and agents, dealers in precious metals and stones (above prescribed thresholds), independent legal professionals and notaries carrying out specified transactions, auditors and accountants providing specified services, and corporate/trust service providers. Whether a specific business falls into one of these categories depends on the actual services it provides, not the wording of its trade licence.

Practitioner note: We run a short applicability assessment before recommending registration — it is a genuine legal determination, not a rubber stamp, and we document the conclusion in writing either way so the business has a defensible record of its status.

My trade licence doesn't mention AML-sensitive activities — am I automatically exempt?

No. Supervisory authorities look at the substance of the services actually rendered, not just the licence activity description. A company registered under a general business consultancy licence that, in practice, forms companies for clients or manages client funds can still fall within the DNFBP definition regardless of how the licence is worded.

Practitioner note: We have seen entities assume they are out of scope because their licence says 'management consultancy' when their actual day-to-day work includes company formation for third parties — which is a specified DNFBP activity. The licence label is a starting point, not the answer.

What is the difference between the organisation registration and the Compliance Officer registration on goAML?

goAML registration happens in two linked stages: first, the entity itself is registered as an organisation on the platform; second, the individual designated as Compliance Officer (or MLRO) is registered and given filing authority linked to that organisation profile. An entity that has only completed the organisation-level registration cannot yet file reports — the Compliance Officer's activation is a separate and necessary step.

Practitioner note: We regularly find businesses that believe they are 'registered' because the organisation profile was approved, without realising their Compliance Officer was never separately activated — meaning they could not actually file an STR if one arose today. We verify both stages are complete before considering an engagement closed.

Who should be nominated as the Compliance Officer or MLRO?

The nominee should be sufficiently senior and empowered within the organisation to act independently — able to escalate concerns, request further information from business units, and where necessary pause a transaction pending review, without needing case-by-case sign-off from someone whose interests might conflict with reporting. A junior staff member with no real authority, nominated only to satisfy the registration requirement, is a recognised inspection red flag.

Practitioner note: We ask clients directly: if your Compliance Officer wanted to stop a transaction tomorrow because they were uneasy about it, could they actually do that without needing three layers of sign-off? If the honest answer is no, the nomination needs rethinking before registration, not after an inspection finding.

What is the difference between an STR and a SAR?

A Suspicious Transaction Report (STR) is filed when there are reasonable grounds to suspect that funds involved in a specific transaction are, in whole or part, the proceeds of a crime or connected to money laundering. A Suspicious Activity Report (SAR) is broader and can relate to suspicious activity or patterns connected to underlying criminal conduct, including terrorist financing, even where a single discrete transaction is not the trigger. Both are filed through goAML and both carry the same 'without delay' filing expectation once suspicion arises.

Practitioner note: In practice we advise clients not to spend excessive time deliberating over which label technically fits — the more important discipline is escalating and filing promptly once genuine suspicion exists, rather than delaying the report while debating STR versus SAR classification.

What does 'without delay' mean in practice for filing a report?

The AML/CFT Law requires reporting entities to file an STR or SAR promptly once reasonable suspicion arises — it does not permit a business to sit on a suspicion while it conducts its own extended internal investigation, waits to see how the transaction plays out, or delays until a supervisory inspection prompts disclosure. Internal escalation and review should happen quickly, with the report filed as soon as the suspicion is reasonably formed.

Practitioner note: We build a documented internal escalation timeline into every client's AML procedures precisely so that 'without delay' has evidence behind it — a dated escalation log showing hours or days between identification and filing, not an undocumented gap that a regulator has to take on faith.

What happens if my business fails to register on goAML at all?

Failure to register when in scope is itself a compliance breach under the AML/CFT Law and its Cabinet Decision on administrative penalties (Cabinet Decision No. 10 of 2019, as amended). Supervisory authorities — principally the Ministry of Economy for most DNFBPs — can impose administrative penalties for non-registration, independent of whether any actual suspicious transaction has occurred. The specific penalty amount and any additional licence-related consequences depend on the nature and duration of the non-compliance and are determined by the relevant authority.

Practitioner note: We deliberately avoid quoting a specific fine figure here because penalty schedules are set and periodically revised by the regulator, and the amount actually applied depends on case-specific factors. What we can say with confidence: businesses that come to us after an inspection finding consistently regret not registering proactively.

Is there tipping-off liability if I tell a customer I've filed a report about them?

Yes. The AML/CFT Law prohibits disclosing to a customer, or to any third party, that an STR or SAR has been filed or that an AML-related investigation is underway, where that disclosure could prejudice an investigation. This 'tipping off' prohibition applies to the Compliance Officer and to any staff member aware of the filing.

Practitioner note: We build tipping-off awareness explicitly into staff training — it is one of the most consequential mistakes an otherwise well-intentioned employee can make, often without realising the disclosure itself is a separate breach.

How long does goAML registration take from start to finish?

The organisation and Compliance Officer registration submissions themselves can typically be prepared and filed within days once documentation is in order. The FIU's own review and approval timeline is not within the applicant's control and can vary. Building the surrounding AML/CFT programme — risk assessment, policies, CDD procedures, training — in parallel typically takes several weeks depending on the complexity of the business.

Practitioner note: We tell clients to expect a realistic 3–6 week window from first engagement to a fully registered, reporting-capable, and programme-backed entity — and we flag that the FIU's own processing time is the one variable we cannot compress.

Do free zone companies need to register on goAML, or only mainland companies?

DNFBP and AML/CFT obligations, including goAML registration, apply based on the nature of the licensed activity, not on whether the entity is set up on the UAE mainland or in a free zone. A free zone company genuinely carrying out a DNFBP activity — corporate services, real estate brokerage where permitted, precious metals dealing — falls within scope in the same way a mainland entity would, subject to the relevant free zone's own supervisory arrangements where applicable (for example, DIFC-licensed entities are supervised by the DFSA and ADGM-licensed entities by the FSRA for AML purposes).

Practitioner note: Some free zone clients assume free zone status is itself a shield from mainland-style AML obligations. It is not — the activity determines the obligation, and DIFC/ADGM entities in fact sit under their own dedicated financial regulators (DFSA/FSRA) with equally serious AML expectations.

What is Customer Due Diligence (CDD) and how is it different from basic KYC?

Basic KYC (Know Your Customer) is typically limited to identifying who the customer is — name, ID, address. CDD under the AML/CFT Law goes further: it requires identifying and verifying beneficial ownership behind corporate customers, understanding the purpose and intended nature of the business relationship, and — for higher-risk customers — understanding the source of funds or source of wealth, with ongoing monitoring of the relationship over time rather than a one-time check at onboarding.

Practitioner note: We regularly find businesses that believe a passport copy and Emirates ID scan at onboarding satisfies their AML obligation. It satisfies basic KYC; it does not satisfy CDD. This gap is one of the most common findings we correct when building out a client's compliance programme.

What is Enhanced Due Diligence (EDD) and when is it required?

EDD is a heightened level of due diligence applied to higher-risk customers or transactions — for example, Politically Exposed Persons (PEPs), customers or counterparties connected to high-risk jurisdictions, complex or unusually large transactions with no clear economic rationale, or relationships involving significant cash. EDD typically requires additional verification of source of funds and wealth, senior management approval to onboard or continue the relationship, and more frequent ongoing monitoring.

Practitioner note: The risk assessment we build for each client explicitly defines what triggers EDD for that specific business — a generic checklist copied from elsewhere rarely matches the actual risk profile of the entity using it.

What is a PEP and why does it matter for AML compliance?

A Politically Exposed Person (PEP) is an individual who holds, or has held, a prominent public function — a head of state, senior government official, senior judiciary or military official, senior executive of a state-owned enterprise, or senior political party official — along with their immediate family members and close associates. PEPs are treated as inherently higher-risk under AML/CFT frameworks worldwide because of the potential for corruption-linked proceeds, and relationships with PEPs typically require EDD and senior management approval.

Practitioner note: PEP screening needs to be a systematic, repeatable process against a maintained reference list — not a one-off internet search when someone 'seems important.' We set this up as part of the screening infrastructure for every AML engagement.

What sanctions lists should a UAE business screen against?

At minimum, UAE entities are expected to screen against the UN Security Council Consolidated Sanctions List and the UAE's own local terrorist and sanctions lists maintained under the AML/CFT framework. Depending on the entity's international dealings, screening against other major international sanctions regimes (such as those of the EU, UK, or US where relevant to cross-border transactions) may also form part of a properly risk-calibrated programme.

Practitioner note: We advise clients to use a maintained, regularly updated screening tool or service rather than manually checking a downloaded list — sanctions lists change, sometimes with immediate effect, and a stale local copy creates exposure.

How often does an AML/CFT risk assessment need to be updated?

The risk assessment should be treated as a living document — reviewed at least annually, and refreshed sooner if there is a material change in the business (new products or services, new customer segments, new geographies, significant growth in transaction volumes, or a relevant regulatory update). An assessment prepared once at registration and never revisited quickly becomes disconnected from what the business actually does.

Practitioner note: We schedule an annual risk assessment refresh into every retainer client's compliance calendar — it is not a service we wait to be asked for, because a stale risk assessment is one of the most common inspection findings we see when reviewing another firm's earlier work.

Does PNPC act as our Compliance Officer or MLRO?

PNPC advises on, trains, and supports the Compliance Officer function, and can assist in preparing the individual for the role, but the statutory Compliance Officer/MLRO role must be held by a suitably senior individual within the regulated entity itself who can be held accountable under the AML/CFT Law. We do not take on the statutory role as an external party, since the position requires day-to-day authority within the business that an outside adviser cannot exercise.

Practitioner note: We are sometimes asked to simply 'be' the Compliance Officer so the client does not have to think about it. We decline that specific arrangement because it misaligns accountability — but we do provide extensive hands-on support, training, and ongoing advisory to whoever the business appoints internally.

What records does my business need to keep for AML purposes, and for how long?

The AML/CFT Law and its regulations require reporting entities to retain CDD records, transaction records, and records of any internal analysis or reports filed for a prescribed minimum retention period following the end of the business relationship or the date of the transaction, whichever is applicable. The exact retention period should be confirmed against the current regulations and any supervisory authority guidance applicable to the entity's specific DNFBP category.

Practitioner note: We build the record-retention schedule into the client's written AML policy so that it is not left to individual staff judgment about what to keep and for how long — a policy-driven retention discipline holds up far better on inspection than an ad hoc approach.

Can goAML reporting obligations conflict with legal professional privilege for lawyers?

The AML/CFT Law recognises certain carve-outs for independent legal professionals in specific circumstances connected to privileged legal advice, but these carve-outs are narrow and fact-specific — they do not exempt a lawyer from DNFBP reporting obligations when acting in a transactional capacity (company formation, real estate conveyancing, managing client funds) rather than providing pure legal advice or litigation representation. Legal professionals in scope should seek specific guidance on how privilege interacts with their reporting duty for particular engagements.

Practitioner note: This is a genuinely nuanced area, and we work alongside the client's own legal counsel rather than opining on privilege ourselves — our role is the AML/CFT compliance architecture around it, not the privilege determination, which is a legal question in its own right.

What is beneficial ownership and why does goAML/AML compliance care about it?

Beneficial ownership refers to identifying the natural person(s) who ultimately own or control an entity, even where legal ownership sits behind layers of corporate shareholding, trusts, or nominee arrangements. AML/CFT compliance — and UAE beneficial ownership regulations more broadly — require entities to look through the legal structure to identify and verify the real individuals in control, because obscured beneficial ownership is a recognised money-laundering technique.

Practitioner note: Corporate service providers in particular need airtight beneficial ownership verification and record-keeping, since forming companies for undisclosed beneficial owners is precisely the DNFBP risk area regulators focus on most closely.

Is goAML registration connected to Economic Substance Regulations (ESR) compliance?

They are related in that both sit within the UAE's broader regulatory compliance landscape, but they are separate obligations administered by different authorities. ESR, administered under Ministry of Finance guidance, previously required certain UAE entities carrying out defined 'Relevant Activities' to file annual notifications and substance reports — however, the ESR notification and report filing requirement was discontinued for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024, so ESR is no longer a live ongoing filing obligation for most current financial years (earlier-year filings and any related historical assessments may still be relevant). goAML/AML compliance, by contrast, is a live, ongoing obligation under the AML/CFT Law aimed at money-laundering and terrorist-financing detection, with no equivalent discontinuation. A business should confirm current status on each regime separately rather than assuming one still tracks the other.

Practitioner note: We flag this proactively because clients who dealt with ESR filings in earlier years sometimes assume the same annual-filing rhythm still applies today, or conversely assume that because ESR wound down, other compliance obligations wound down with it. goAML/AML/CFT obligations are unaffected by the ESR discontinuation and remain fully live.

What is the difference between the Ministry of Economy's role and the Central Bank/FIU's role in AML compliance?

The FIU, housed within the UAE Central Bank, operates the goAML platform and receives, analyses, and disseminates STRs/SARs. The Ministry of Economy is the primary supervisory authority for most DNFBP categories — it conducts inspections, issues guidance, and enforces administrative penalties for DNFBP non-compliance. Financial institutions are separately supervised by the Central Bank or the relevant financial free zone regulator (DFSA in DIFC, FSRA in ADGM) for prudential and AML purposes.

Practitioner note: Businesses sometimes assume 'the bank' polices all AML compliance. In practice, DNFBPs answer primarily to the Ministry of Economy for supervision, while filing their reports through the Central Bank's FIU platform — two different bodies playing two different roles in the same framework.

What triggers a Ministry of Economy AML inspection for a DNFBP?

Inspections can be scheduled as part of a routine supervisory cycle, triggered by risk-based selection of higher-risk DNFBP categories, prompted by a specific complaint or referral, or connected to a broader sectoral sweep. A business should not assume inspection risk is low simply because it has not been inspected before — the supervisory programme has expanded its coverage over time as the UAE's AML/CFT framework has matured.

Practitioner note: We advise every DNFBP client to be inspection-ready at all times rather than treating readiness as something to prepare only once a notice arrives — by the time a notice arrives, the window to fix structural gaps has effectively closed.

What does PNPC actually deliver in a goAML and AML/CFT engagement?

A typical engagement covers: DNFBP/Financial Institution applicability assessment; goAML organisation and Compliance Officer registration; a written, entity-specific AML/CFT risk assessment; board-approved AML/CFT policies and procedures covering CDD, EDD, sanctions/PEP screening, and record-keeping; staff training with documented records; support setting up sanctions/PEP screening; and ongoing advisory including STR/SAR filing assistance when a reporting trigger arises. Engagements can be scoped as a one-time registration-and-setup project or as an ongoing retainer.

Practitioner note: We scope every engagement in writing before starting — clients know exactly what is and is not included, and what the retainer covers if they choose ongoing support rather than a one-time build.

How much does goAML registration and AML/CFT programme setup cost?

PNPC agrees a fixed, written fee for the registration and programme-build engagement before work begins, scoped to the complexity of the business — a single-office corporate service provider and a multi-branch real estate brokerage require materially different depth of work. Ongoing retainer pricing for periodic risk assessment refresh, training, and reporting support is quoted separately and is also fixed and agreed in writing.

Practitioner note: We deliberately do not publish a single number here because AML programme complexity varies enormously by business type — a fixed generic price would either overcharge simple businesses or undercharge complex ones. Ask us for a scoped, written quote.

Why should I engage PNPC rather than registering on goAML myself?

Registering an organisation profile on goAML is mechanically straightforward once the applicability question is answered correctly — the harder and higher-stakes work is everything around it: confirming whether you are actually in scope, nominating a Compliance Officer with real authority, building a risk assessment that reflects your actual business rather than a generic template, and having a firm on call when an actual suspicious transaction arises and the 'without delay' clock starts running. A self-filed registration with no programme behind it is the pattern we most often see corrected after an inspection finding.

Practitioner note: We have taken on multiple clients after a Ministry of Economy inspection flagged a registered-but-hollow AML function — registration existed, nothing behind it did. Rebuilding under inspection pressure, with a remediation deadline, costs materially more in time and stress than building it correctly the first time.

What happens the first time we actually need to file an STR — what does PNPC do?

We work with the Compliance Officer to document the specific facts giving rise to suspicion, confirm the internal escalation trail is properly recorded, prepare the STR/SAR content for accuracy and completeness, and support submission through goAML without unnecessary delay. We also advise on the tipping-off restriction throughout the process so the customer-facing team does not inadvertently disclose the filing.

Practitioner note: The businesses that call us in a mild panic at this stage are almost always ones we already have a relationship with from the registration and setup phase — having an adviser who already understands your business before the pressure moment arrives makes a material difference to how calmly and correctly the filing gets done.

Do sole practitioners and very small DNFBPs (like a single real estate agent) need the same full programme as a large firm?

The AML/CFT Law's registration and reporting obligations apply regardless of entity size, but the depth and formality of the surrounding programme can reasonably scale to the size and complexity of the business — a sole practitioner's risk assessment and policy documentation will look different from a 50-person brokerage's, while still covering the same substantive requirements: risk assessment, CDD/EDD procedures, a designated Compliance Officer, and reporting readiness.

Practitioner note: We scale documentation depth to the entity, not the other way around — but we do not skip any required element just because the business is small. Supervisory authorities apply the same core expectations regardless of headcount.

What if we discover, after registering, that we were actually never in scope as a DNFBP?

There is generally no penalty for having registered proactively even where, on closer review, the entity's activities do not squarely meet the DNFBP definition — registering when uncertain is the lower-risk choice compared to remaining unregistered while genuinely in scope. PNPC can revisit the applicability assessment and advise on whether continued registration, deregistration, or simply maintaining a dormant but compliant registration is the sensible path.

Practitioner note: When applicability is genuinely borderline, we usually recommend registering rather than betting on a favourable interpretation — the downside of over-caution is minor administrative overhead; the downside of being wrong the other way is a compliance breach.

Can a foreign parent company's global AML policy be used as-is for the UAE entity's goAML compliance?

A global group AML policy is a useful starting point but rarely satisfies UAE requirements on its own — it needs to be localised to reference the specific UAE AML/CFT Law provisions, the goAML reporting channel, the UAE Compliance Officer's specific authority and contact registration, and any UAE-specific risk factors (local sanctions lists, local high-risk activity thresholds) that a global template will not capture.

Practitioner note: We regularly localise group policies for UAE subsidiaries of international clients — it is faster than building from scratch, but it is not a copy-paste exercise, and we flag every clause that needs UAE-specific adaptation.

How does PNPC's Chennai/Bangalore/Hyderabad/Dubai presence help with UAE AML/CFT compliance specifically?

For clients with operations spanning India and the UAE, our Dubai team leads the UAE AML/CFT and goAML engagement directly, while our India offices support any parallel India-side compliance (such as FEMA reporting or Indian AML obligations for cross-border structures) under the same coordinated engagement — so a group with entities in both jurisdictions is not explaining its business twice to two unconnected advisers.

Practitioner note: Money-laundering typology often has a cross-border dimension — a client with both an Indian and a UAE entity benefits from one advisory team that understands the full structure, not two firms each seeing only half the picture.

What is the consequence of a Compliance Officer leaving the business — does goAML registration lapse?

The organisation's goAML registration itself does not automatically lapse, but the entity must promptly update the registered Compliance Officer details on the platform when there is a change in the role holder, and ensure the new nominee is properly registered and activated before there is any gap in filing capability. Continuing to operate with an outdated or departed Compliance Officer on record is itself a governance gap that inspection will identify.

Practitioner note: We recommend building Compliance Officer succession into the AML policy itself — naming a deputy or clear handover process — so a resignation does not leave the entity without functional reporting capability, even briefly.

Are there specific thresholds in dirhams for when a DPMS (precious metals/stones dealer) must register?

The AML/CFT framework sets a designated cash-transaction threshold above which dealers in precious metals and stones fall within DNFBP scope for a given transaction or series of connected transactions, as prescribed by the Ministry of Economy. Because threshold figures are set by regulation and can be updated, PNPC confirms the current applicable threshold against the latest Ministry of Economy guidance at the time of the applicability assessment rather than relying on a fixed number that may have changed.

Practitioner note: We deliberately verify the live threshold at the point of each engagement rather than quoting a remembered figure — regulatory thresholds are exactly the kind of detail that should be checked fresh, not assumed.

Does having goAML registration and an AML programme protect the business if a customer turns out to be a money launderer?

A properly implemented AML/CFT programme — registration, risk-based CDD/EDD, monitoring, and timely reporting when suspicion arises — is the standard against which a business's conduct is judged. It does not guarantee that criminal activity will never occur through the business, but a business that can demonstrate it followed its documented programme in good faith is in a materially different position, from a regulatory and reputational standpoint, than one that had no programme or ignored red flags.

Practitioner note: We are candid with clients: the goal of the programme is defensible, demonstrable good-faith compliance — not a guarantee that no bad actor will ever attempt to use the business. Those are different standards, and understanding the difference shapes how the programme should be designed and documented.

Does goAML registration alone satisfy AML compliance?

No. goAML registration only opens the reporting channel — it gives the organisation and its Compliance Officer the ability to file STRs and SARs. It says nothing about whether the entity has a documented risk assessment, board-approved policies, CDD/EDD procedures, sanctions/PEP screening, or trained staff behind it. Supervisory authorities inspect the substance of the AML/CFT programme, not just whether the portal profile exists.

Practitioner note: We routinely meet businesses that treat the green tick on the goAML portal as the finish line. It is the starting point — the programme built around it is what actually gets tested at inspection.

Can we use a downloaded or template AML policy instead of building our own?

A template can be a useful starting reference, but it must be adapted to the entity's actual customers, products, geography, delivery channels, and transaction patterns before it functions as a real policy. A policy that describes a generic business rather than the one operating under it is a recognised, recurring inspection finding — supervisory authorities test whether the document matches reality, not whether a document exists.

Practitioner note: We ask new clients to send us their existing policy first, if they have one — nine times out of ten it was copied from somewhere else and never actually calibrated to their business.

We already registered on goAML ourselves — can PNPC just check it's done correctly?

Yes. A common engagement is a goAML registration health check: confirming the organisation profile and Compliance Officer registration are both complete and active, that registered details match the current trade licence and ownership structure, and that a documented risk assessment and policy set exist behind the registration. Gaps are common even where the portal itself shows as registered.

Practitioner note: The most frequent finding in these health checks is an organisation profile that shows approved while the Compliance Officer's own registration was never separately activated — meaning the entity could not actually file a report today.

What happens if the FIU queries or rejects our goAML submission?

FIU queries usually arise from inconsistencies between the goAML organisation profile and the entity's trade licence, ownership records, or activity description. PNPC reviews the specific query, reconciles the underlying records, and resubmits a corrected, internally consistent application rather than resubmitting the same data and expecting a different outcome.

Practitioner note: Most rejections we see trace back to a mismatch that was avoidable at the drafting stage — matching the goAML profile to the trade licence word-for-word before submission saves a review cycle.

Our business has never had a suspicious transaction — do we still need to register and maintain a programme?

Yes. The registration obligation attaches the moment an entity's actual activity falls within the DNFBP or Financial Institution definition, regardless of whether it has ever identified a suspicious transaction. An AML/CFT programme with no filings to date is not evidence of exemption from the obligation — it may simply mean no reporting trigger has yet arisen.

Practitioner note: We hear 'we've never seen anything suspicious, so surely we don't need this' often enough that we address it head-on in the very first meeting — the obligation is about being ready, not about having already used the reporting channel.

How does PNPC decide who inside our company should own the AML/CFT function day to day?

The AML/CFT Law requires a specific, sufficiently senior Compliance Officer/MLRO with real authority to escalate concerns and pause transactions where needed. PNPC works with management to identify a nominee who genuinely holds that authority within the existing organisation chart, rather than assigning the role to whoever is administratively convenient.

Practitioner note: We ask a blunt test question early: could this person actually stop a transaction tomorrow without needing sign-off from someone who might not want it stopped? If the answer is no, we work through who the right nominee actually is before registering anyone.

What documentation should we retain specifically for the goAML function, separate from general AML records?

Alongside the broader CDD/risk-assessment file, keep the goAML organisation and Compliance Officer registration confirmations, any FIU correspondence or queries and their resolutions, the internal escalation log showing how and when suspicion was raised before any STR/SAR filing, and confirmation of Compliance Officer succession whenever the role changes hands.

Practitioner note: We index the goAML-specific records separately from the wider AML file so that, if the FIU or Ministry of Economy asks specifically about the reporting channel, the answer is one folder away rather than buried in a broader compliance archive.

Can PNPC guarantee the Ministry of Economy won't issue a penalty even after we register?

No. PNPC can materially improve the completeness and defensibility of the registration and the programme behind it, but penalty decisions rest with the supervisory authority and depend on the specific facts, the history of the entity's compliance, and the authority's own discretion. We do not promise a regulatory outcome we do not control.

Practitioner note: We are candid with every client on this point — our job is to make the file as strong as it can be, not to promise an outcome that depends on someone else's decision.

How does PNPC stay current on goAML and AML/CFT changes given the rules keep evolving?

PNPC tracks Cabinet Decisions, Ministry of Economy circulars, and FIU guidance updates affecting DNFBP registration and reporting obligations, and reflects relevant changes in client risk assessments and policy manuals as part of the ongoing retainer rather than waiting for the next inspection to prompt a review.

Practitioner note: A policy written once at registration and never revisited is one of the most common gaps we find when taking over a client's compliance file from elsewhere — we build the update cycle into the retainer from day one instead.

What does close-out look like at the end of a goAML registration and programme-build engagement?

Close-out includes confirmed organisation and Compliance Officer activation on goAML, the finalised risk assessment and policy manual, training records for the initial session, the sanctions/PEP screening setup, and a forward compliance calendar showing the next scheduled review, refresher training, and any pending FIU or Ministry of Economy items.

Practitioner note: We hand over a single close-out pack rather than scattered emails and documents — it is what we would want to receive if we were inheriting the file ourselves.

Can PNPC coordinate our goAML/AML compliance with our external auditor or legal counsel?

Yes. Where the entity's statutory auditor needs to confirm AML programme existence for audit purposes, or where legal counsel is separately advising on a related matter such as beneficial ownership structuring or a specific privilege question, PNPC coordinates directly with them so the client is not relaying technical detail between advisers.

Practitioner note: AML/CFT programmes often intersect with a client's audit and legal work — we would rather speak directly to the auditor or lawyer involved than have the client act as a relay and risk something getting lost in translation.

Is there a separate goAML report we have to file on a sanctions-list match, distinct from an STR?

Yes. Where a customer, counterparty, or beneficial owner matches a name on the UN Security Council or the UAE's local terrorist/sanctions lists, the obligation is not an STR — it is a Targeted Financial Sanctions response: the relevant funds must be frozen without delay and a Fund Freeze / Funds Awaiting Return report filed through goAML. This is triggered by a list match, not by a suspicious pattern of transactions, which is why entities that build only STR/SAR workflows sometimes miss it entirely.

Practitioner note: This is one of the most commonly overlooked goAML obligations we find — businesses set up STR reporting and screening but have no defined freeze-and-report procedure for an actual sanctions hit, which is a materially higher-consequence event than a routine STR.

We registered on goAML a few years ago and haven't touched it since — is that a problem?

Potentially yes. goAML runs a periodic re-registration / profile-confirmation cycle, and a profile that is never reviewed or confirmed can become dormant, leaving the entity technically unable to file when a report is actually needed. Compliance Officer details also drift out of date as people change roles. A registration completed years ago and never revisited should be checked for live filing access, not assumed to be current.

Practitioner note: We treat 'we registered once, years ago' as a red flag rather than reassurance — the profile that mattered at registration is worth nothing if it has lapsed and the Compliance Officer named on it left the business eighteen months ago.

Does the AML/CFT Law require an independent audit of our AML programme, and can PNPC do it?

The AML/CFT framework expects regulated entities, proportionate to size and risk, to subject their AML programme to independent review that tests whether policies, CDD/EDD, screening, and reporting actually work in practice — not just that documents exist. Where PNPC has built or advises on the programme, independence considerations mean the review is best performed by a separate reviewer; where another party built the programme, PNPC can perform the independent AML review directly.

Practitioner note: We keep the build and the independent test separate on principle — a reviewer signing off on their own programme is exactly the conflict the independence requirement exists to prevent, and inspectors notice when the same hand did both.

How do goAML reporting duties interact with the UAE beneficial ownership (UBO) register requirement?

They are separate obligations that reinforce each other. UAE UBO regulations require most entities to identify and maintain a register of their ultimate beneficial owners with the relevant registrar, while AML/CFT CDD requires a reporting entity to look through its customers' structures to the real controllers. A corporate service provider therefore has a double exposure: its own UBO register obligation, and a CDD duty to verify the beneficial owners of every client it forms companies for.

Practitioner note: For corporate service providers this is the single sharpest risk area — forming companies for undisclosed beneficial owners is precisely the DNFBP conduct regulators scrutinise most, so we treat UBO verification and record-keeping as non-negotiable rather than a form-filling step.

If we file an STR and the transaction later turns out to be entirely legitimate, are we exposed for having reported?

No. The AML/CFT Law protects a reporting entity and its staff who file a report in good faith based on reasonable suspicion — the fact that the underlying transaction is later found to be legitimate does not create liability for having reported. The standard is whether there were reasonable grounds for suspicion at the time, not whether a crime was ultimately proven.

Practitioner note: We reassure clients on this deliberately, because fear of 'being wrong' is a common reason staff sit on a suspicion — the law is built to encourage good-faith reporting, and the far greater risk is the un-filed report, not the filed one that turns out benign.

What is the real risk of using the cheapest provider that just 'does the goAML registration' for us?

A low-cost provider typically completes the visible step — an organisation profile on the portal — and stops there. What is usually missing is the substance an inspector actually tests: a correct applicability determination, a Compliance Officer with genuine authority (and their separate activation), a risk assessment that describes your business rather than a template, calibrated CDD/EDD, live sanctions screening, and documented training. A registered-but-hollow profile is the exact pattern that fails a Ministry of Economy inspection, and rebuilding under a remediation deadline costs far more than doing it properly once.

Practitioner note: Almost every remediation client we take on had a cheap or self-filed registration with nothing behind it — the portal showed a green tick, and the inspection found an empty programme. The registration was never the hard part; everything around it is.

How does PNPC price a goAML and AML/CFT engagement, and what is included?

PNPC agrees a fixed written fee before work begins, scoped to the entity's complexity — a single-office corporate service provider and a multi-branch real estate brokerage require materially different depth. A one-time build covers applicability assessment, goAML organisation and Compliance Officer registration, risk assessment, policies, CDD/EDD procedures, screening setup, and documented training; ongoing retainer pricing for periodic risk-assessment refresh, profile confirmation, training, and STR/SAR support is quoted separately. Any government or third-party charges are shown separately from professional fees.

Practitioner note: We deliberately do not publish a single headline number — AML programme complexity varies enormously by DNFBP type, and a generic price would either overcharge a simple business or undercharge a complex one.

What happens if authority guidance or the goAML platform requirements change while our programme is in place?

AML/CFT obligations in the UAE are actively supervised and periodically updated through Cabinet Decisions, Ministry of Economy circulars, and FIU guidance. On a retainer, PNPC tracks these changes and reflects the relevant ones in the client's risk assessment, policies, and reporting procedures rather than waiting for an inspection to expose the drift — a policy manual written once at registration and never revisited falls out of alignment within a year or two.

Practitioner note: A stale policy is one of the most common findings we see when taking over an AML file from elsewhere — we build the update cycle into the retainer from day one instead of treating it as an occasional extra.

Does registering on goAML for AML purposes have anything to do with our discontinued ESR filings?

No — and the two should not be conflated. ESR notification and report filing was discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024, so ESR is no longer a live annual filing obligation for current periods (only historical pre-2023 assessments may still matter). goAML/AML-CFT obligations under Federal Decree-Law No. 20 of 2018 are entirely separate, administered by a different authority, and remain fully live and ongoing — the winding-down of ESR filing has no effect on them.

Practitioner note: We flag this because clients who wound down their ESR filings sometimes assume other regulatory obligations tapered off in the same period — goAML/AML compliance did not, and treating it as legacy the way ESR filing became legacy is a serious and avoidable error.

Why PNPC Global

PNPC AML/CFT & goAML engagement vs a bare portal registration

| Dimension | Bare goAML Self-Registration | PNPC Engagement |
| --- | --- | --- |
| Applicability determination | Self-assessed, often based on licence wording alone | Documented legal assessment against actual services rendered |
| Compliance Officer readiness | Nominated to satisfy the form field | Vetted for seniority, authority, and independence; trained for the role |
| Risk assessment | Often skipped or copied from a generic template | Entity-specific, written, and kept current |
| Policies and procedures | Frequently absent or a downloaded template | Board-approved, calibrated to the business's actual risk profile |
| CDD vs basic KYC | Passport/Emirates ID copy treated as sufficient | Full CDD/EDD framework including beneficial ownership and source of funds |
| Staff training | Undocumented or non-existent | Documented sessions with attendance and content records |
| Sanctions/PEP screening | Ad hoc manual checks, if any | Systematic, repeatable screening process set up and maintained |
| STR/SAR filing support | Business navigates the filing alone under time pressure | Adviser on call to help document and file without delay |
| Inspection readiness | Reactive — scrambling once a notice arrives | Proactive — audit-ready documentation maintained continuously |
| Ongoing regulatory tracking | None | Cabinet Decisions, FIU circulars, and Ministry of Economy guidance monitored and reflected in the programme |
| Sanctions-freeze reporting | STR filing set up; the separate freeze-and-report obligation on a list match often overlooked | Defined Fund Freeze / Funds Awaiting Return procedure tied to live sanctions screening |
| Portal profile upkeep | Registered once, then dormant — access can lapse unnoticed | Re-registration cycle and Compliance Officer succession diarised so filing access stays live |

What the PNPC package includes

  1. DNFBP / Financial Institution applicability assessment, documented in writing
  2. goAML organisation registration and Compliance Officer registration and activation
  3. Written, entity-specific AML/CFT risk assessment covering customer, product, geography, and delivery-channel risk
  4. Board-approved AML/CFT policy and procedures manual covering CDD, EDD, PEP and sanctions screening, and record-keeping
  5. Compliance Officer/MLRO preparation and role-authority documentation
  6. Sanctions and PEP screening process setup
  7. Documented staff AML/CFT training with attendance and content records
  8. STR/SAR filing assistance as and when a reporting trigger arises
  9. Annual risk assessment refresh and policy update as part of ongoing retainer
  10. Inspection-readiness support and representation coordination with the Ministry of Economy or relevant regulator
  11. Targeted Financial Sanctions readiness — screening against UN and UAE local terrorist lists and a defined Fund Freeze / Funds Awaiting Return reporting procedure
  12. goAML profile-confirmation / re-registration diary and Compliance Officer succession handling so filing access never lapses
  13. goAML registration health check confirming both organisation and Compliance Officer profiles are complete, active, and consistent with the trade licence
  14. Beneficial ownership verification and record-keeping aligned with the UAE UBO register obligation
  15. Independent AML programme review (where PNPC did not build the programme) or a separate independent reviewer where it did
  16. FIU query-response support to reconcile and resubmit a queried or rejected goAML application
  17. Localisation of a foreign parent's group AML policy to the UAE AML/CFT Law, goAML channel, and UAE-specific lists and thresholds
  18. Documented internal escalation-log design so 'without delay' STR/SAR filing has an evidence trail
  19. Coordination with auditors and legal counsel on AML-programme confirmation and privilege questions where required
  20. Close-out pack: activated goAML profiles, finalised risk assessment and policy manual, training records, screening setup, and a forward compliance calendar

Get your goAML registration and AML/CFT compliance programme built correctly the first time — talk to PNPC's Dubai compliance team before a regulator asks why it wasn't.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore
