
KYC & Customer Due Diligence Advisory

KYC & Customer Due Diligence Advisory is the engagement through which PNPC designs, implements, and remediates the Know Your Customer and Customer Due Diligence programme that UAE Designated Non-Financial Businesses and Professions, financial institutions, and Virtual Asset Service Providers are legally required to maintain under Federal Decree-Law No.

Chartered Accountants · Dubai · Since 1986

What KYC & Customer Due Diligence Advisory is

Know Your Customer (KYC) and Customer Due Diligence (CDD) are the identification, verification, and risk-assessment procedures that UAE-regulated entities must apply to every customer before establishing a business relationship and throughout its life. The legal foundation sits in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT), as amended, together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, which set out the detailed CDD, record-keeping, and reporting obligations. For Designated Non-Financial Businesses and Professions (DNFBPs) — a category that in the UAE captures real estate brokers and developers, dealers in precious metals and stones, corporate service providers, independent legal professionals, and independent accountants and auditors above prescribed transaction thresholds — the Ministry of Economy is the primary supervisory authority, alongside sector regulators for financial institutions (the UAE Central Bank), securities firms (the Securities and Commodities Authority), and Virtual Asset Service Providers (the Virtual Assets Regulatory Authority in Dubai, and other emirate-level VASP regulators). Free zone entities, including those in DIFC and ADGM, sit under their own AML supervisors — the Dubai Financial Services Authority in DIFC and the Financial Services Regulatory Authority in ADGM — layered on top of the federal AML law.

CDD is not a single step; it is a graduated framework. Standard due diligence applies to most customers: verifying identity through original or certified documents, understanding the nature and purpose of the intended business relationship, and identifying beneficial ownership. Simplified due diligence may apply to lower-risk customers where the entity's own risk assessment justifies a reduced level of scrutiny, subject to it never applying automatically to customers or jurisdictions carrying elevated risk. Enhanced due diligence is mandatory for higher-risk categories — Politically Exposed Persons (PEPs) and their close associates and family members, customers or beneficial owners connected to jurisdictions identified by the Financial Action Task Force (FATF) as having strategic AML/CFT deficiencies, complex or opaque ownership structures, and cash-intensive or high-value transaction profiles. Enhanced due diligence requires additional verification, senior management approval to onboard, and a documented source-of-funds and source-of-wealth assessment.

Beneficial ownership identification is a core pillar of UAE CDD obligations, aligned with Cabinet Decision No. 58 of 2020 (as amended) regulating beneficial ownership procedures. Entities must look through corporate and trust structures to identify the natural person or persons who ultimately own or control 25% or more of the customer (or exercise control through other means), and must maintain a Register of Beneficial Owners that is kept current and available to the relevant licensing authority and to the Ministry of Economy or Central Bank on request. Sanctions and PEP screening is a parallel, continuous obligation — checking customers, beneficial owners, and counterparties against the UAE Local Terrorist List, the UN Consolidated Sanctions List, and other applicable sanctions lists at onboarding and at appropriate intervals thereafter, since a name that screens clean today can be listed tomorrow.

Where the CDD process identifies a transaction or customer relationship that gives rise to suspicion of money laundering, terrorist financing, or proliferation financing — regardless of the transaction value — the entity is obligated to file a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) through the goAML platform operated by the UAE Financial Intelligence Unit, and must not disclose ('tip off') the customer that a report has been made. KYC & CDD Advisory is the discipline of building all of this into a coherent, risk-based programme — a documented AML/CFT policy, a business-wide risk assessment, onboarding checklists and forms, screening tools or processes, staff training, and an audit trail — rather than treating each element as a disconnected compliance task performed inconsistently across different customer relationships.

What goes wrong without this discipline is rarely a missing document — it is inconsistency. The customer onboarded on a Tuesday gets a full beneficial-ownership look-through; the one onboarded the following Monday, when the office was busy, gets a passport copy and nothing else. When a Ministry of Economy or Central Bank inspector pulls a cross-section of files, that inconsistency is the finding: the policy on paper describes a risk-based programme the files do not evidence. The real decision points a good CDD build resolves are practical ones — where the simplified-due-diligence line actually sits for your customer mix, who has authority to approve a PEP relationship, at what transaction pattern an account moves from monitored to escalated, and how a front-line staff member raises a concern without tipping off the customer. Those are operating decisions, not policy sentences, and they are where template programmes fail. PNPC's role is to convert the statutory obligation into an onboarding form, an escalation script, a screening cadence, and a retention system your own staff can run under time pressure and defend when a supervisor tests a real file against the written procedure.

When KYC & CDD Advisory is the right engagement

Your business falls within the DNFBP categories under UAE AML law — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and you do not yet have a documented, risk-based CDD programme

You are a newly licensed entity in a regulated sector (financial services, VASP, DNFBP) and need the AML/CFT policy, business risk assessment, and CDD procedures built and registered with the goAML platform before you can lawfully onboard customers

Your existing KYC file templates and onboarding checklist have not been updated since the last material change in Cabinet Decision requirements and you are due, or overdue, for an internal review

You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection notice, finding, or remediation directive relating to your AML/CFT or CDD controls and need a structured response and corrective action plan

Your onboarding volumes have grown to a point where manual, ad hoc customer checks are no longer defensible and you need a documented risk-based CDD framework with clear escalation triggers for enhanced due diligence

You handle customers, beneficial owners, or transaction counterparties connected to higher-risk jurisdictions, complex offshore structures, or politically exposed persons, and need an enhanced due diligence protocol that will withstand supervisory scrutiny

You need staff trained to actually execute CDD and file goAML reports correctly — not just a policy binder that sits unread on a shelf

Your beneficial ownership register is incomplete, outdated, or was never properly compiled under Cabinet Decision No. 58 of 2020 and needs to be reconstructed and kept current

A bank has flagged your account during its own periodic AML review of business customers and asked to see your CDD policy, beneficial ownership records, or risk assessment — and you need a defensible programme to produce, not a scramble

You are acquiring or merging with another regulated entity and need its AML/CFT and CDD position diligenced before completion, since you inherit its historical onboarding gaps and any undisclosed suspicious relationships

Your existing customer files predate any formal programme and need a risk-prioritised back-book remediation to bring higher-risk relationships up to standard before your next inspection cycle

You need your designated Compliance Officer or MLRO supported with a documented procedure, escalation script, and training records that give the role genuine operating substance rather than a name on an organisation chart

When a different engagement may fit better

You need a historical Economic Substance Regulations (ESR) matter resolved — an outstanding notification, report, or penalty from a financial year before the regime was discontinued for periods starting on or after 1 January 2023 — and have no separate AML/CFT supervisory obligation; that sits under a dedicated ESR review engagement, distinct from CDD

You are not a DNFBP, financial institution, or VASP and your business activity does not fall within any AML/CFT-regulated category under UAE law — confirm applicability first through a scoping call before commissioning a full programme build

You have already been formally accused of, or are under active investigation for, money laundering or terrorist financing offences — that requires criminal defence legal representation as the primary engagement, with AML advisory support playing a secondary role

You need only a standalone goAML portal registration completed with no wider policy or risk-assessment work — a narrower registration-only engagement may be a faster starting point, though PNPC generally recommends the risk assessment precede or accompany registration

Your requirement is limited to sanctions list screening software selection and implementation with no advisory input on policy design — that is closer to a technology/vendor selection engagement, though PNPC can advise on requirements

You are seeking general company incorporation or licensing services with no AML/CFT compliance dimension currently in scope — that sits under UAE company formation services

You want a guaranteed pass on inspection or a promise that no finding will be issued — no advisor can offer that, and even well-run programmes commonly receive first-inspection findings; what a good programme buys is a fast, credible remediation, not immunity

You are looking for a signed-off AML policy overnight with no scoping call and no willingness to share your actual customer base, ownership structure, or existing files — the risk-based approach the law requires cannot be built from assumptions

Structure Comparison

KYC & CDD Advisory vs related UAE AML/CFT and regulatory engagements

| Feature | KYC & CDD Advisory | ESR Assessment & Reporting | Standalone goAML Registration | AML Compliance Officer Outsourcing | Sanctions Screening Tool Implementation |
|---|---|---|---|---|---|
| Primary purpose | Design, implement, and remediate the full risk-based CDD programme — policy, onboarding, screening, monitoring, reporting | Determine historical ESR exposure and close out any outstanding notification, report, or penalty matter for financial years before the regime was discontinued | Register the entity on the FIU's goAML platform to enable STR/SAR filing | Provide an ongoing designated AML Compliance Officer / MLRO function on a retained basis | Select, configure, and roll out a sanctions and PEP screening tool |
| Legal basis | Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 (as amended) | Cabinet Decision No. 57 of 2020 and Ministerial Decision No. 100 of 2020 on Economic Substance Regulations, as affected by Cabinet Decision No. 98 of 2024 discontinuing the regime prospectively | Same AML/CFT framework — the reporting mechanism specifically | AML/CFT framework's requirement for a designated compliance function | Operational tool supporting the AML/CFT screening obligation |
| Scope depth | Full — risk assessment, policy, procedures, training, ongoing advisory | Focused — legacy substance test, notification, and report review for pre-discontinuation financial years, plus any open penalty matter | Narrow — platform registration and access credentials | Ongoing operational function, not a one-time build | Technical/operational, not policy-level advisory |
| Overlaps with CDD work | Is the CDD work | Distinct, now-discontinued regime — historically had different triggers (relevant activity + related-party income) from AML/CFT status | A component within a full CDD programme, not a substitute for it | Executes the CDD programme PNPC or the client has designed | Supports but does not replace documented CDD procedures |
| Who typically needs it | Any DNFBP, financial institution, or VASP without a current, defensible CDD programme | UAE entities with unresolved ESR notification/report obligations or penalties from financial years starting before 1 January 2023, when the regime still applied on an ongoing annual basis | Entities that already have a CDD programme but lack goAML platform access | Smaller regulated entities without in-house AML expertise wanting a retained specialist | Entities that have a policy but need the operational screening layer built or upgraded |
| Regulatory inspection readiness | Directly addresses what supervisors test for in an inspection | Addresses a separate, now largely closed-out compliance question for historical periods | Necessary but not sufficient on its own for inspection readiness | Depends on the quality of the underlying programme being executed | Necessary but not sufficient — a tool without policy discipline is a partial answer |
| Engagement cadence | Initial build plus ongoing annual review and remediation as regulations evolve | One-time or historical review only — the Ministry of Finance discontinued ESR notification and report filing for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024 | One-time registration, ongoing platform use | Continuous, retained monthly or quarterly | One-time implementation, ongoing licence/subscription |

These engagements are frequently combined, though the ESR regime itself has been discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024 — PNPC's ESR-related work today is limited to closing out historical-period obligations or penalties, not ongoing annual filing. A typical PNPC DNFBP client runs KYC & CDD Advisory as the foundation and either trains an internal compliance officer or engages PNPC on a retained AML advisory basis to keep the programme current as Cabinet Decisions and FATF guidance evolve.

How it works
| # | Stage & What PNPC Does | What Generic Policy Templates Miss | Timeline |
|---|---|---|---|
| 1 | Applicability & Scoping Assessment — Confirming whether, and how, AML/CFT obligations apply | We ask what a downloaded template never asks: which DNFBP category do you actually fall under, and does your transaction profile cross the prescribed cash thresholds that trigger DNFBP status? Are you a free zone entity subject to DIFC/DFSA or ADGM/FSRA rules layered on top of federal law, or a mainland entity under the Ministry of Economy? Do you handle virtual assets, bringing VARA or another emirate VASP regulator into scope? These answers determine which supervisory authority you register with and which rulebook governs your programme. | Week 1 |
| 2 | Business-Wide AML/CFT Risk Assessment — The foundation document every programme is built on | A defensible CDD programme starts from a documented risk assessment covering customer risk, geographic risk, product/service risk, and delivery channel risk — specific to your business, not a generic industry template. We assess your actual customer base, transaction types, and jurisdictions of exposure, and produce a risk rating methodology your onboarding process will apply. | Week 1–3 |
| 3 | AML/CFT Policy & CDD Procedures Drafting | The policy document must translate into an operational procedure your front-line staff can actually follow — standard, simplified, and enhanced due diligence triggers, escalation paths, approval authorities for higher-risk onboarding, and record-retention rules. We draft procedures your staff can execute without calling a lawyer every time, while remaining defensible on inspection. | Week 2–4 |
| 4 | Beneficial Ownership Identification Framework — Cabinet Decision No. 58 of 2020 compliance | We build the process for identifying and verifying the natural person(s) who ultimately own or control 25% or more of a customer entity (or exercise control through other means), including look-through procedures for layered corporate and trust structures, and set up the ongoing Register of Beneficial Owners maintenance discipline that must stay current, not just accurate at onboarding. | Week 3–4 |
| 5 | Sanctions & PEP Screening Design | We design the screening workflow against the UAE Local Terrorist List, UN Consolidated Sanctions List, and applicable PEP databases — covering onboarding screening, periodic re-screening, and real-time list-update monitoring, and advise on screening tool selection where the client does not already have one, matched to transaction volume and risk profile. | Week 3–5 |
| 6 | Enhanced Due Diligence Protocol — For higher-risk customer categories | We build the specific additional steps required for PEPs and their associates, high-risk jurisdiction exposure, and complex ownership structures: source-of-funds and source-of-wealth documentation standards, senior management sign-off requirements before onboarding, and the enhanced ongoing monitoring cadence these relationships require. | Week 4–5 |
| 7 | Suspicious Transaction Reporting (STR/SAR) Procedure & goAML Registration | We register the entity on the FIU's goAML platform, obtain the necessary access credentials, and build the internal escalation procedure — from a front-line staff observation, through internal review by the designated Compliance Officer, to a filed STR/SAR — with the mandatory no-tipping-off discipline built into staff training, since alerting a customer to a filed report is itself a criminal offence. | Week 4–6 |
| 8 | Record-Keeping & Documentation Standards | AML law requires customer identification records, transaction records, and CDD documentation to be retained for a minimum prescribed period after the relationship ends or the transaction date, and produced to the supervisory authority on request. We set up the retention system, format, and retrieval process so a document request from the Ministry of Economy or Central Bank can be answered within the timeframe given, not scrambled together after the fact. | Week 5–6 |
| 9 | Compliance Officer / MLRO Designation | UAE AML law requires most regulated entities to designate a Compliance Officer (often referred to as the Money Laundering Reporting Officer) with the authority and independence to execute the programme. We advise on the designation, the reporting line to senior management or the board, and — where the entity lacks in-house capacity — can structure a retained PNPC advisory role to support that function. | Week 5–6 |
| 10 | Staff Training & Competency Sign-Off | A written policy that staff have not been trained on is close to worthless on inspection. We deliver role-specific training — front-line onboarding staff, the Compliance Officer, and senior management — covering red flags, escalation procedures, and the specific STR/SAR obligation, with attendance and competency records maintained as evidence. | Week 5–7 |
| 11 | Internal Testing & Mock Inspection | Before relying on the programme in a live inspection, we run a sample file review — pulling a cross-section of actual customer files and testing them against the documented procedure — to identify gaps between what the policy says and what onboarding staff are actually doing in practice, and remediate before a regulator finds the same gaps. | Week 6–7 |
| 12 | Regulatory Filing & Registration Completion | We complete and file the applicable registrations — DNFBP registration with the Ministry of Economy's goAML and DNFBP portal, or the relevant sector regulator's AML registration — and compile the full programme documentation set into an inspection-ready file. | Week 6–8 |
| 13 | Ongoing Advisory & Annual Review | AML/CFT obligations do not end at go-live. Cabinet Decisions, FATF mutual evaluation follow-up actions, and sector-specific guidance evolve, and your customer base and risk profile change. PNPC reviews the risk assessment and procedures at least annually, updates screening list sources, and remains available for live escalations — a suspicious transaction identified at 4pm on a Thursday needs an answer, not a queue. | Ongoing — PNPC on call |
| 14 | Authority issue triage — PNPC identifies the governing UAE tax/AML/ESR/excise rule, portal status and deadline for KYC and customer due diligence advisory. | Generic advisors often start drafting before verifying the authority route and deadline. | Immediate triage |
| 15 | Evidence-room build — Source filings, records, approvals, policies, ledgers or product data are indexed. | A response without an evidence room is fragile. | Discovery stage |
| 16 | Technical position memo — We document the statutory basis, assumptions, exposure and recommended action. | Clients need to know what facts would change the conclusion. | Before submission |
| 17 | Submission or remediation pack — PNPC prepares the authority response, remediation tracker, return support or compliance-control pack. | Loose documents do not equal regulator-ready support. | Execution stage |
| 18 | Query and corrective-action tracker — Follow-up questions, corrective actions and owners are tracked to closure. | Open items often become the next notice. | After submission |

Realistic timeline for a full programme build, from scoping call to inspection-ready documentation: 6–10 weeks depending on entity size, number of customer categories, and whether beneficial ownership records need reconstruction from scratch. A narrower remediation engagement responding to a specific inspection finding can move faster. Ongoing advisory and annual review continue for the life of the client relationship.

Document Checklist
Entity & Licensing Information

Trade licence copy — mainland DED licence or free zone licence, showing licensed activities in full, since DNFBP status is determined by actual licensed activity

Memorandum and Articles of Association or equivalent constitutional documents, showing ownership and management structure

Details of all UAE and overseas branches, subsidiaries, or related entities sharing customer data or referral relationships

Organisational chart identifying the proposed Compliance Officer / MLRO and their reporting line to senior management or the board

Existing AML/CFT policy documents, if any, for gap assessment against current Cabinet Decision requirements

Beneficial Ownership & Corporate Structure

Shareholder register and, for corporate shareholders, their own ownership structure down to the natural person level

Passport copies and Emirates ID (where applicable) for all individuals identified as ultimate beneficial owners (25% or more ownership or control)

Trust deeds, nominee arrangements, or power-of-attorney documents where the ownership or control structure involves anything other than direct individual shareholding

Existing Register of Beneficial Owners, if maintained, for accuracy review against Cabinet Decision No. 58 of 2020 requirements

Customer Base & Transaction Profile

A representative sample or full listing of current customer categories — individual, corporate, trust, government — with an indication of transaction value ranges and frequency

Description of the geographic spread of customers and counterparties, including any exposure to jurisdictions flagged by FATF as higher-risk

Details of payment methods accepted — bank transfer, cash, cryptocurrency/virtual assets, third-party payment — since each carries different CDD implications

Any existing customer onboarding forms, KYC intake templates, or checklists currently in use, however informal

Existing Compliance Infrastructure

Details of any sanctions or PEP screening tool currently used, including vendor, list sources, and screening frequency

Records of any prior Suspicious Transaction Reports filed, or internal escalations raised, with outcome

Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, VARA, or any other supervisor relating to a prior inspection, finding, or directive

Staff training records relating to AML/CFT, if any prior training has been delivered

Regulatory Portal Access

Existing goAML platform registration details and login credentials, if the entity is already registered

DNFBP registration status with the Ministry of Economy, if applicable, and associated reference numbers

Sector-specific regulator registration details — Central Bank, SCA, DFSA, FSRA, or VARA — where the entity falls under one of these regimes

UAE Pass or authorised signatory credentials needed to complete or update regulatory portal filings

For Enhanced Due Diligence Cases (Additional)

Source-of-funds and source-of-wealth documentation for identified PEPs or high-risk customers — bank statements, business ownership evidence, inheritance or sale documentation as applicable

Details of the nature of any relationship with a Politically Exposed Person, including the specific public function held and the jurisdiction

Documentation supporting the commercial rationale for any complex or layered ownership structure encountered in the customer base

Senior management approval records for any customer relationship classified as higher-risk

AML governance file

Business risk assessment and customer-risk methodology

AML/CFT policies, procedures and MLRO appointment records

Sanctions/PEP screening settings and evidence

Staff training logs and board/management approvals

Customer and transaction evidence

CDD/KYC files and beneficial-owner records

EDD files for high-risk customers

Transaction-monitoring alerts and disposition notes

STR/SAR escalation and goAML submission records where relevant

Remediation pack

Gap assessment against UAE AML/CFT obligations

Action plan with owner and due date

Policy and workflow updates

Testing evidence and management sign-off

Ongoing obligations
| Phase | Triggered By | PNPC CA/AML Guidance | Risk If Ignored |
|---|---|---|---|
| Pre-Onboarding Design (Week 1–8) | New licence issuance or first structured CDD programme build | Risk assessment, policy and procedure drafting, beneficial ownership framework, screening design, goAML registration, and staff training delivered as a complete package before live customer onboarding begins at scale. | Onboarding without a documented, risk-based programme leaves the entity unable to demonstrate compliance on first inspection, and increases the chance that a genuinely suspicious relationship is onboarded without the controls to catch it. |
| Live Onboarding (Ongoing) | Every new customer relationship | Standard, simplified, or enhanced due diligence applied per the documented risk methodology; beneficial ownership identified and verified; sanctions/PEP screening run before the relationship is established; approval recorded per the designated authority level. | Inconsistent onboarding creates a customer file that looks materially different from the policy on paper — the single most common inspection finding, and a strong signal to a supervisor that the policy is not actually operative. |
| Ongoing Monitoring | Continuous, throughout the customer relationship | Periodic re-screening against updated sanctions and PEP lists, transaction monitoring for activity inconsistent with the customer's stated profile, and periodic file refresh for higher-risk customers on the schedule the risk assessment sets. | A customer who screened clean at onboarding but is later sanctioned, or whose transaction pattern shifts materially, generates undetected exposure if ongoing monitoring is not actually running — not merely documented as a policy. |
| Suspicious Activity Identified | Front-line staff observation, screening hit, or transaction anomaly | Internal escalation to the Compliance Officer per the documented procedure, assessment against the STR/SAR threshold, and — where warranted — filing through goAML within the expected timeframe, with strict no-tipping-off discipline maintained throughout. | Failure to file an STR/SAR where warranted is itself a breach of Federal Decree-Law No. 20 of 2018, carrying administrative and potentially criminal exposure for the entity and the individuals responsible. Tipping off a customer about a filed report is a separate offence. |
| Regulatory Inspection | Scheduled or unannounced supervisory visit from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA | PNPC supports document production, sample file walkthroughs, and direct engagement with the inspecting officer, drawing on the same documentation set built at programme design stage. | An entity unable to produce customer files, risk assessments, or training records on request faces findings that typically escalate from a corrective action directive to administrative fines, and in serious or repeat cases to licence-level consequences. |
| Finding or Directive Received | Inspection outcome requiring remediation | PNPC structures a corrective action plan against the specific findings, with realistic timelines, and represents the entity in follow-up correspondence with the supervisor to close out the finding formally. | An unaddressed or poorly documented remediation response risks escalating findings, repeat inspection within a shorter interval, and reputational exposure with banking partners who increasingly conduct their own AML due diligence on business customers. |
| Annual Review | Anniversary of programme adoption, or material change in business/regulation | Risk assessment refreshed against actual customer base changes, Cabinet Decision or FATF guidance updates incorporated, screening list sources reconfirmed as current, and beneficial ownership register reconciled against any ownership changes during the year. | A stale risk assessment or an unreviewed beneficial ownership register is one of the first things a supervisor tests — 'when was this last updated' is a standard inspection question with an easy pass or fail answer. |
| Business Change (M&A, new activity, new jurisdiction exposure) | Acquisition, new product line, new customer segment, or new geographic market | PNPC reassesses DNFBP or sector-regulator scope, updates the risk assessment for the new activity or exposure, and revises CDD procedures before the change goes live rather than retrofitting compliance after exposure has already been taken on. | A new business line or customer segment onboarded under an unrevised risk framework is effectively unassessed — the programme on paper no longer matches what the business actually does, which is precisely the gap inspections are designed to find. |
| Initial obligation | Client identifies KYC and customer due diligence advisory requirement, notice, product/category, customer-risk issue or historical ESR concern | UAE AML/CFT work for DNFBPs must cover risk assessment, CDD/EDD, sanctions screening, MLRO governance, staff training, goAML STR/SAR workflow and evidence retention; portal registration alone is not compliance. | Wrong obligation, stale law or unsupported authority position |
| Evidence assembly | Portal records, financials, policies, ledgers, customer files or product documents are collected | Index records and separate confirmed facts from assumptions. | Weak file cannot support an authority response. |
| Submission/remediation | Response, filing, remediation plan or control update is prepared | Tie each statement to records and management approval. | Authority queries expose unsupported assertions. |
| Monitoring | New tax period, product, customer-risk event, notice or law update occurs | Retest the position and update the compliance calendar. | Stale advice or missed next action. |
Frequently asked
What is the difference between KYC and CDD — are they the same thing?

Know Your Customer (KYC) is generally used to describe the identification and verification of who a customer is — name, legal form, identity documents, beneficial ownership. Customer Due Diligence (CDD) is the broader risk-based framework that includes KYC identification but also covers understanding the purpose of the relationship, assessing and rating risk, screening against sanctions and PEP lists, and ongoing monitoring for the life of the relationship. In practice the terms are often used together or interchangeably in the UAE regulatory context, but CDD is the more complete and legally precise term used in Federal Decree-Law No. 20 of 2018.

Practitioner note: We see entities that have done KYC — collected passport copies and a trade licence — and mistakenly believe that satisfies their CDD obligation. Identity verification is the starting point, not the finish line. The risk assessment, ongoing monitoring, and reporting obligations are where most programmes fall short.
Which UAE businesses are actually required to have a formal AML/CFT and CDD programme?

Financial institutions regulated by the UAE Central Bank, securities and investment firms under the Securities and Commodities Authority, Virtual Asset Service Providers under VARA or the relevant emirate regulator, and Designated Non-Financial Businesses and Professions (DNFBPs) under the Ministry of Economy. DNFBPs specifically include real estate agents and developers involved in property sale/purchase transactions, dealers in precious metals and stones for cash transactions above the prescribed threshold, corporate service providers (company formation agents, registered agents, nominee directors/shareholders), and independent legal professionals and independent accountants and auditors when carrying out specified activities on behalf of a client, such as managing client funds or acting in company formation.

Practitioner note: We regularly encounter corporate service providers and real estate brokers who assume AML obligations only apply to banks. That assumption is incorrect and carries real regulatory exposure — DNFBP inspections by the Ministry of Economy have increased materially in recent years.
What happens if my business is a DNFBP and has no AML/CFT programme at all?

Operating without a documented risk assessment, CDD procedures, and goAML registration where required is a breach of Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions. Consequences on inspection or discovery can include administrative fines set out in Cabinet Decision No. 10 of 2019 (as amended), corrective action directives with mandated timelines, and in serious or repeated cases, licence suspension or referral for further regulatory or criminal action. The exact fine schedule and escalation path depend on the supervisory authority and the nature of the breach.

Practitioner note: We do not quote specific fine amounts casually — the schedule is set by Cabinet Decision and revised periodically, and the actual penalty applied depends on the supervisor's assessment of severity. What we can say confidently: building the programme proactively is materially cheaper than remediating after a finding, in both fees and business disruption.
What is a beneficial owner and why does the 25% threshold matter?

A beneficial owner is the natural person who ultimately owns or controls a customer, whether through direct or indirect shareholding, voting rights, or other means of control — even where that person's name does not appear on the trade licence or shareholder register. Cabinet Decision No. 58 of 2020 (as amended) sets the standard threshold at 25% direct or indirect ownership or control, though control can also arise through other mechanisms such as the right to appoint or remove directors, regardless of shareholding percentage. Entities must identify and verify these individuals, not just the immediate corporate or nominee shareholder shown on paper.

Practitioner note: Layered structures — a UAE company owned by a BVI entity owned by another holding company — are exactly where beneficial ownership identification breaks down in practice. We build the look-through methodology explicitly into the onboarding procedure so staff know when to keep asking 'who owns the owner' rather than stopping at the first corporate layer.
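The look-through described in the answer and note above, as an added worked example (not PNPC's own tooling): it multiplies ownership fractions along each chain of corporate layers, sums them across parallel chains, applies the 25% direct-or-indirect threshold, treats control rights as a separate trigger regardless of percentage, and marks any corporate layer whose owners are not on file so the file shows where the look-through stopped. The entity names, percentages and the `Party` data model are constructed for the example.

```python
"""Beneficial-ownership look-through through layered corporate structures.

Added example, not PNPC's code. Applies the 25% direct-or-indirect threshold
from Cabinet Decision No. 58 of 2020 (as amended) and treats control rights
(e.g. the right to appoint or remove directors) as a separate trigger
regardless of shareholding. All names and percentages are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

UBO_THRESHOLD = 0.25  # 25% direct or indirect ownership


@dataclass
class Party:
    """Hypothetical data model: one natural person or corporate layer on the file."""
    name: str
    natural_person: bool = False
    # (owner name, fraction of this party held by that owner), fractions in 0..1
    holdings: List[Tuple[str, float]] = field(default_factory=list)
    # parties who can appoint/remove this party's directors without holding shares
    controllers: List[str] = field(default_factory=list)


def look_through(parties: Dict[str, Party], customer: str) -> Tuple[Dict[str, float], Set[str]]:
    """Walk 'who owns the owner' layer by layer from the customer entity.

    Returns (ownership, layers). ownership maps each natural person, or each
    corporate layer whose owners are not on file, to its cumulative indirect
    fraction of the customer: fractions multiply along a chain and add across
    parallel chains. layers is the set of corporate entities traversed, used
    for the control-rights check. Circular holdings raise instead of looping.
    """
    ownership: Dict[str, float] = {}
    layers: Set[str] = set()
    stack = [(customer, 1.0, (customer,))]  # (party, cumulative fraction, path so far)
    while stack:
        name, fraction, path = stack.pop()
        party = parties[name]
        if party.natural_person or not party.holdings:
            if name != customer:  # chain ends: a person, or a layer still to be resolved
                ownership[name] = ownership.get(name, 0.0) + fraction
            continue
        layers.add(name)
        for owner, share in party.holdings:
            if owner in path:
                raise ValueError("circular holding: " + " -> ".join(path + (owner,)))
            stack.append((owner, fraction * share, path + (owner,)))
    return ownership, layers


def beneficial_owners(parties: Dict[str, Party], customer: str) -> Dict[str, str]:
    """Return {name: reason} for every party the CDD file must identify and verify,
    plus a 'look-through incomplete' marker for each corporate layer with no owners on file."""
    ownership, layers = look_through(parties, customer)
    found: Dict[str, str] = {}
    for name, fraction in ownership.items():
        if not parties[name].natural_person:
            found[name] = "look-through incomplete: owners of this layer not on file"
        elif fraction >= UBO_THRESHOLD:
            found[name] = f"{fraction:.1%} indirect ownership"
    # Control through other means is a trigger at any layer, regardless of percentage.
    for layer in sorted(layers):
        for controller in parties[layer].controllers:
            found.setdefault(controller, f"control rights over {layer}")
    return found


# Constructed sample structure: a UAE customer owned via a BVI holding company
# and a nominee vehicle, with one layer whose owners are not yet documented.
SAMPLE = {p.name: p for p in [
    Party("Dubai Trading LLC", holdings=[("BVI Holdco Ltd", 0.60), ("Nominee Services FZE", 0.40)]),
    Party("BVI Holdco Ltd", holdings=[("Family Holding SA", 0.50), ("Ms A", 0.50)]),
    Party("Family Holding SA", holdings=[("Mr B", 1.0)], controllers=["Mr C"]),
    Party("Nominee Services FZE", holdings=[("Ms A", 0.10), ("Mr D", 0.05), ("Offshore Trust Co", 0.85)]),
    Party("Offshore Trust Co"),  # corporate layer, owners not on file
    Party("Ms A", natural_person=True),
    Party("Mr B", natural_person=True),
    Party("Mr C", natural_person=True),
    Party("Mr D", natural_person=True),
]}

if __name__ == "__main__":
    for name, reason in beneficial_owners(SAMPLE, "Dubai Trading LLC").items():
        print(f"{name}: {reason}")
```

Ms A reaches the threshold only because her 30% via BVI Holdco Ltd and 4% via the nominee vehicle are added together; Mr C is flagged with no shareholding at all, and Offshore Trust Co is flagged as an unresolved layer rather than silently dropped.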
What is a Politically Exposed Person (PEP) and what extra steps does a PEP customer require?

A PEP is an individual who holds or has held a prominent public function — a head of state, senior government official, senior judicial or military official, senior executive of a state-owned enterprise, or senior political party official — together with their immediate family members and close associates. UAE AML regulations require enhanced due diligence for PEP relationships regardless of the customer's home jurisdiction: senior management approval before onboarding, a documented source-of-funds and source-of-wealth assessment, and enhanced ongoing monitoring for the life of the relationship.

Practitioner note: Domestic PEPs are as relevant as foreign PEPs under current UAE practice — we advise clients not to assume the obligation applies only to foreign officials. Screening tools flag both categories, and the enhanced due diligence obligation applies equally.
What is goAML and does every regulated entity need to register on it?

goAML is the electronic platform operated by the UAE's Financial Intelligence Unit (part of the Central Bank) through which regulated entities register, submit Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs), and — for certain sectors — file additional prescribed reports. Entities within scope of the AML/CFT law, including DNFBPs, are generally required to register on goAML as part of their overall compliance obligation, since the reporting mechanism has to exist and be accessible before a suspicious transaction obligation can actually be discharged.

Practitioner note: goAML registration alone does not satisfy your CDD obligation — it is the reporting channel, not the programme. We register clients on goAML as one component of a complete build, not as a substitute for the underlying risk assessment and procedures.
What is a Suspicious Transaction Report (STR) and when must one be filed?

An STR (sometimes referred to as a SAR — Suspicious Activity Report) must be filed via goAML whenever an entity has reasonable grounds to suspect that funds, a transaction, or an attempted transaction is connected to money laundering, a predicate crime, terrorist financing, or proliferation financing — regardless of the transaction amount and even if the transaction was ultimately not completed. There is no minimum monetary threshold; suspicion, not transaction size, is the trigger.

Practitioner note: A common misconception we correct is that only large transactions warrant reporting. A modest transaction with clear red flags — inconsistent customer explanation, unusual structuring to avoid a threshold, refusal to provide requested documentation — can and should trigger an STR regardless of value.
What is 'tipping off' and why is it treated so seriously?

Tipping off is directly or indirectly informing a customer, or any third party, that a Suspicious Transaction Report has been filed, is being considered, or that an investigation is underway. Under Federal Decree-Law No. 20 of 2018, tipping off is a separate criminal offence from the underlying money laundering or terrorist financing conduct, because it defeats the entire purpose of the reporting mechanism — allowing the customer to move funds, destroy evidence, or otherwise evade detection once alerted.

Practitioner note: This is one of the most important points we cover in staff training. Front-line staff sometimes want to explain to a customer why a transaction is delayed or an account is under review — that instinct, however well-intentioned, can itself constitute an offence. We build the internal escalation script specifically to prevent this.
How is my business risk-rated, and can I use simplified due diligence to reduce onboarding friction?

Risk rating is built from four dimensions applied to each customer: customer risk (individual versus corporate, industry, ownership complexity), geographic risk (home jurisdiction and transaction counterparty jurisdictions, including any FATF-flagged exposure), product/service risk (nature of the transaction), and delivery channel risk (face-to-face versus remote onboarding). Simplified due diligence can apply to genuinely lower-risk customer categories where your documented risk assessment supports it, but it can never be applied automatically or as a default — and it can never apply to a customer or jurisdiction that carries elevated risk indicators regardless of how the relationship is otherwise structured.

Practitioner note: We caution clients against treating simplified due diligence as the default to reduce onboarding friction. A supervisor reviewing files will specifically test whether simplified due diligence was applied appropriately, and a pattern of unjustified simplified treatment is a common inspection finding.
Do free zone companies in DIFC or ADGM follow the same AML rules as mainland companies?

DIFC entities regulated by the Dubai Financial Services Authority (DFSA) and ADGM entities regulated by the Financial Services Regulatory Authority (FSRA) operate under their own AML rulebooks specific to those financial free zones, which sit alongside — and are generally aligned in substance with — the federal AML/CFT framework under Federal Decree-Law No. 20 of 2018. The specific forms, reporting mechanisms, and supervisory relationship differ by free zone, so a DIFC-regulated entity's CDD programme must be built against the DFSA rulebook specifically, not a generic mainland template.

Practitioner note: We scope this explicitly at the start of every engagement — building a mainland-style programme for a DIFC or ADGM entity, or vice versa, creates a document that will not satisfy the entity's actual supervisor. The underlying AML principles are similar; the specific rulebook and registration process are not interchangeable.
How long must customer identification and transaction records be retained?

UAE AML law requires customer identification records, CDD documentation, and transaction records to be retained for a minimum prescribed period following the end of the business relationship or the date of the transaction, and to be made available to the competent supervisory authority on request within the timeframe given. The precise retention period and any sector-specific variations should be confirmed against the current Cabinet Decision and any relevant sector-regulator rulebook applicable to the entity, since retention requirements have been refined through amendments over time.

Practitioner note: Retention is not just a filing-cabinet question — it is a retrieval question. We have seen entities that technically retained records but could not locate or produce them within the timeframe a supervisor gave, which reads on inspection almost identically to not having kept the records at all. We build retention with retrievability as the design goal, not just storage.
What does an AML/CFT Compliance Officer or MLRO actually need to do day to day?

The Compliance Officer (often referred to as the Money Laundering Reporting Officer, or MLRO) is responsible for the entity's ongoing AML/CFT programme: reviewing escalated customer relationships, approving higher-risk onboarding, deciding whether an internal escalation rises to the level of an STR/SAR filing, maintaining the risk assessment and policy documents as current, coordinating staff training, and acting as the primary point of contact for the Ministry of Economy, Central Bank, or relevant sector regulator during any inspection or correspondence.

Practitioner note: Smaller DNFBPs sometimes designate a Compliance Officer in name only, with no real authority or time allocated to the role. Supervisors test for this specifically — asking the designated officer direct questions about recent onboarding decisions. We advise clients to give the role genuine authority and calendar time, or to consider a retained external advisory arrangement where in-house capacity genuinely does not support it.
Can PNPC act as our outsourced Compliance Officer or MLRO?

PNPC can provide retained AML advisory support to a designated internal Compliance Officer, and in appropriate structures can support the compliance function on an ongoing outsourced basis, depending on the entity's regulatory category and what the applicable rulebook permits for that role. The specific arrangement — advisory support versus a formally designated function — is scoped based on your sector, size, and supervisory requirements, and confirmed in writing before the engagement begins.

Practitioner note: We are explicit with clients about the boundary between advisory support and formally holding the designated MLRO role, since some sector rulebooks have specific requirements about who can hold that designation. We scope this precisely rather than assuming one model fits every client.
How does economic substance (ESR) relate to AML/CFT and CDD — are they the same requirement?

No — they were always separate regimes with separate triggers. Economic Substance Regulations under Cabinet Decision No. 57 of 2020 and Ministerial Decision No. 100 of 2020 tested whether a UAE entity carrying out a defined 'relevant activity' (such as holding company business, IP business, or distribution and service centre business) maintained adequate substance in the UAE. Importantly, the Ministry of Finance discontinued the ESR notification and report filing requirement for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024 — so for most entities today, ESR is a closed historical-period question rather than a live ongoing filing obligation, while AML/CFT and CDD obligations continue on an ongoing basis for any entity whose licensed activity falls within a regulated financial or DNFBP category. An entity can have historical ESR exposure, current AML/CFT exposure, both, or neither — the two applicability tests were always independent of each other.

Practitioner note: We still assess historical ESR exposure at the initial scoping call where relevant — for example, an unresolved notification, report, or penalty matter from a financial year before the regime was discontinued — but we do not describe ESR to clients as an ongoing annual obligation any more, since it no longer is for current financial years. We do not conflate the two regimes in the deliverable either way: an ESR notification never satisfied any AML obligation, and a CDD programme does not satisfy any ESR filing requirement.
We are a corporate service provider — does forming companies for clients bring extra AML obligations?

Yes. Corporate service providers — entities that form companies, act as a registered agent, or provide nominee director, nominee shareholder, or company secretary services — are explicitly captured within the DNFBP category under UAE AML law when carrying out those activities for clients. This means CDD must be applied to the ultimate client requesting the company formation or nominee service, with beneficial ownership identification extending through to the natural person who will actually control the entity being formed — not just the immediate instructing party.

Practitioner note: This is a frequently underestimated obligation. A corporate service provider forming an entity on behalf of an intermediary — a lawyer or another agent instructing on behalf of an undisclosed end client — must still identify the ultimate beneficial owner, not simply rely on the intermediary's assurance. We build this specific look-through step into the CDD procedure for every corporate services client.
Does accepting cryptocurrency or virtual asset payments change our AML obligations?

Yes, materially. Accepting or facilitating virtual asset transactions can bring an entity within the scope of Virtual Asset Service Provider (VASP) regulation — supervised in Dubai by VARA, and by other frameworks in other emirates and free zones — which carries its own, generally more stringent, AML/CFT and CDD requirements, including specific travel-rule-style obligations for transferring identifying information alongside virtual asset transfers. A business that starts accepting crypto payments without reassessing its regulatory scope risks operating outside a licensing framework it did not realise applied.

Practitioner note: We treat any client mentioning virtual asset acceptance as requiring an immediate scope reassessment, not a footnote addition to an existing traditional-payment CDD programme. The VASP regulatory framework is materially different and still evolving.
What is the difference between AML/CFT and sanctions compliance — do we need both?

AML/CFT compliance is the broader framework addressing money laundering, terrorist financing, and proliferation financing risk through CDD, monitoring, and reporting. Sanctions compliance specifically addresses screening against designated persons and entities lists — the UAE Local Terrorist List, UN Consolidated Sanctions List, and other applicable lists — to ensure the entity does not deal with a sanctioned party. Sanctions screening is a mandatory component within a complete AML/CFT and CDD programme, not a separate, optional add-on.

Practitioner note: We build sanctions screening as an integrated step within onboarding and ongoing monitoring, not a bolt-on. Entities that treat sanctions screening as a separate, occasional exercise typically have gaps between when a list updates and when their customer base is re-screened.
What is the real estate sector's specific AML exposure in the UAE?

Real estate brokers and developers are explicitly designated DNFBPs when involved in transactions concerning the buying and selling of real estate on behalf of clients. High-value, often cash-adjacent property transactions, layered ownership structures (including foreign and offshore buyers), and the historical role of real estate in laundering typologies make this a sector supervisors scrutinise closely. CDD obligations apply to both the buyer and seller side of a transaction the broker or developer facilitates, with beneficial ownership identification extending through any corporate or trust purchasing vehicle.

Practitioner note: We have supported real estate clients through Ministry of Economy inspections where the specific gap was inadequate source-of-funds documentation for high-value cash or rapid-turnaround purchases. Building that documentation standard into the onboarding form from the outset is far less disruptive than reconstructing it retrospectively during an inspection.
How often should the AML/CFT risk assessment and policy be reviewed and updated?

At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, entry into a new customer segment or geographic market, a change in ownership or control, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. A risk assessment that has not been revisited in several years, regardless of how well-drafted it originally was, is itself a common inspection finding because it no longer reflects the business as it currently operates.

Practitioner note: We build the annual review into the ongoing advisory relationship rather than leaving it to the client to remember. A calendar-driven review catches drift in the customer base or business activity before a supervisor does.
What documentation should we expect a Ministry of Economy inspector to ask for?

Typically: the AML/CFT policy and risk assessment documents, a sample of customer onboarding files across different risk ratings, the beneficial ownership register, screening records and evidence of periodic re-screening, staff training records, any STRs filed (or a defensible explanation of why none have been filed, if applicable), the Compliance Officer's designation and reporting evidence, and goAML registration confirmation. Inspectors typically walk through several actual customer files in detail to test whether the documented procedure matches what staff actually did.

Practitioner note: We run an internal mock inspection using this exact document list before any client goes live, specifically because the file walkthrough — not the policy document review — is where most gaps surface. A beautifully written policy with inconsistent underlying files does not pass inspection.
Can a small business with only a handful of customers skip a formal CDD programme?

No — if the business falls within a regulated category (DNFBP, financial institution, VASP), the AML/CFT and CDD obligation applies regardless of size or transaction volume. The scale and complexity of the programme can and should be proportionate to the size and risk profile of the business — a small corporate service provider's procedures will look different from a large real estate developer's — but 'we are too small to need this' is not a recognised exemption under UAE AML law.

Practitioner note: We right-size every programme to the client's actual scale rather than imposing an enterprise-grade framework on a small business. A proportionate, well-executed programme for a five-person firm passes inspection; an oversized, unused policy document does not.
What is the practical difference between having a policy document and having an operating programme?

A policy document states what should happen. An operating programme is evidence that it actually does — completed onboarding files matching the documented procedure, screening records showing checks were actually run and at the stated frequency, training attendance records, and a Compliance Officer who can answer specific questions about recent decisions. Supervisors inspect the operating programme, not the policy document in isolation; a well-written policy with no supporting evidence of execution reads, on inspection, almost the same as having no policy at all.

Practitioner note: This distinction is the single most important thing we communicate to new clients. We are frequently engaged to fix a policy document that was purchased as a template years ago and never actually implemented — the fix is rarely rewriting the policy; it is building the operating discipline underneath it.
Does PNPC provide the actual sanctions and PEP screening technology, or just the advisory framework?

PNPC's core engagement is the advisory and policy/procedure design work — the risk assessment, CDD framework, and compliance discipline. Where a client does not already have a screening tool, we advise on selection criteria matched to transaction volume, budget, and risk profile, and coordinate the implementation, but we are not a technology vendor ourselves. For clients who already have a screening tool, we assess whether its list sources, update frequency, and configuration actually support the documented procedure.

Practitioner note: We have seen clients pay for expensive screening software that is misconfigured — screening only at onboarding with no periodic re-screening scheduled, for example — which leaves the same gap as having no tool at all. Configuration review is part of what we do even when we are not the vendor.
What is the connection between UAE Corporate Tax, VAT, and our AML/CFT obligations?

These are distinct regulatory regimes with no direct legal dependency — a business can be fully Corporate Tax and VAT compliant while having a materially deficient AML/CFT programme, and vice versa. That said, the same underlying accounting and transaction records that support your tax filings are often relevant evidence in an AML file review, and PNPC's integrated view across tax, accounting, and AML advisory means inconsistencies between what a customer file says and what the transaction ledger shows are more likely to be caught internally before a regulator finds them.

Practitioner note: Clients working with PNPC across accounting, tax, and AML advisory get the benefit of one firm cross-checking consistency across all three areas — a transaction pattern that looks unusual from an AML risk perspective is also visible to the team doing your bookkeeping, and that overlap has caught issues for clients before they became inspection findings.
What is source of funds versus source of wealth, and when is each required?

Source of funds refers to the origin of the specific funds used in a particular transaction — for example, the bank account or sale proceeds funding a property purchase. Source of wealth refers to the origin of a customer's overall net worth — how they accumulated their wealth over time, such as through business ownership, inheritance, or investment returns. Enhanced due diligence for higher-risk customers, particularly PEPs, generally requires both: source-of-funds evidence for the specific transaction, and a broader understanding of source of wealth to assess whether the transaction is consistent with the customer's overall profile.

Practitioner note: We coach clients on asking for source-of-wealth documentation in a way that is proportionate and non-confrontational — over-aggressive requests can damage a legitimate client relationship, while under-documented files fail on inspection. Getting that balance right is part of what a properly designed procedure, rather than an ad hoc request, achieves.
How does PNPC price a KYC & CDD Advisory engagement?

PNPC scopes and quotes a fixed fee for the initial programme build — risk assessment, policy and procedure drafting, beneficial ownership framework, goAML registration, and staff training — based on entity size, customer base complexity, and sector. Ongoing annual review and ad hoc advisory support are quoted separately, typically as a retained arrangement. The exact fee is confirmed in writing before work begins; we do not start a build on a verbal estimate.

Practitioner note: We are not the cheapest AML template provider in the market, and we do not aim to be. A downloaded policy costs less upfront and consistently costs more later — in inspection findings, remediation fees, and the business disruption of a corrective action directive. We price for a programme that actually holds up.
What is the risk of using a generic, downloaded AML policy template instead of a bespoke build?

A generic template is written for no specific business — it typically does not reflect your actual customer categories, transaction profile, jurisdiction exposure, or licensed activities, and inspectors recognise template language quickly. More importantly, a template document with no underlying risk assessment specific to your business cannot demonstrate the risk-based approach that UAE AML law explicitly requires — the law does not ask for a policy that exists; it asks for a policy that reflects a genuine, documented risk assessment of your specific business.

Practitioner note: We have rebuilt several clients' AML programmes after a Ministry of Economy inspection flagged that their policy was a generic template with details from another jurisdiction's regulations still visible in the text. That is about as clear a signal to an inspector as it gets that the programme was never genuinely implemented.
Can PNPC support us through an active Ministry of Economy or Central Bank inspection?

Yes. PNPC supports clients through live inspections — preparing the documentation set in advance where notice is given, attending or coordinating the walkthrough of sample customer files, drafting the formal response to any findings, and structuring the corrective action plan and its implementation. We are also engaged after the fact by entities that received a finding using a different, or no, prior advisor and need a structured remediation response.

Practitioner note: The single biggest difference in outcome we have seen between clients is not whether a finding is issued — many well-run businesses still get findings on their first inspection — but how credible and fast the remediation response is. A well-documented, promptly executed corrective action plan closes out a finding; a defensive or slow response invites escalation.
Does an accounting or audit firm client of PNPC's need its own CDD programme, or does PNPC's own AML compliance cover them?

Every regulated entity needs its own AML/CFT programme covering its own customer relationships — PNPC's internal AML/CFT compliance as a practising CA firm governs how we conduct due diligence on our own clients, and does not substitute for a client's own obligation to run CDD on its own customers. If your business is itself a DNFBP or otherwise regulated, you need your own programme regardless of who your professional advisors are.

Practitioner note: We explain this distinction early because it is genuinely confused by some clients — engaging PNPC satisfies our due diligence on you as our client; it has no bearing on your separate legal obligation to run CDD on your own customers if your business is in scope.
What red flags should staff be trained to recognise during onboarding?

Common red flags include: reluctance or refusal to provide requested identification or beneficial ownership information; unusually complex or opaque ownership structures with no clear commercial rationale; requests for unusual secrecy or use of intermediaries without disclosed purpose; transaction values or structuring patterns inconsistent with the customer's stated business or profile; use of funds from unrelated third parties without adequate explanation; and urgency or pressure to bypass standard verification steps. No single red flag is automatically conclusive, but a documented, risk-based assessment of the combination is what the CDD procedure is designed to capture.

Practitioner note: We build red-flag recognition into role-specific training rather than a generic slide deck — the red flags a real estate broker should watch for differ meaningfully from those relevant to a corporate service provider, and training that does not reflect the actual job function tends not to stick.
If we already outsource bookkeeping and payroll to PNPC, does that create a conflict with PNPC also advising on our AML/CFT programme?

No. Accounting, payroll, and AML/CFT advisory are distinct professional services, and PNPC applies clear engagement scoping and, where relevant, information barriers between service lines to avoid any conflict. In practice, clients often find the combination beneficial rather than conflicted — the accounting team's visibility into actual transaction flows supports, rather than compromises, the integrity of the AML risk assessment.

Practitioner note: We are explicit in every engagement letter about scope and any conflict considerations. If a genuine independence issue arose in a specific matter — for example, a formal investigation requiring separate legal representation — we would say so directly rather than continue an engagement that should not continue.
How does PNPC keep a client's AML/CFT programme current as UAE regulations evolve?

The UAE's AML/CFT framework has been actively refined through successive Cabinet Decisions and Ministerial Decisions, partly in response to the country's FATF mutual evaluation process and subsequent follow-up commitments. PNPC tracks regulatory developments as part of the ongoing advisory relationship and proactively flags changes that affect a client's existing programme — rather than waiting for the client to discover a gap at their next inspection.

Practitioner note: This is precisely why we structure most KYC & CDD engagements as an ongoing relationship rather than a one-time deliverable — a programme built to the letter of the regulations at the time of drafting can become non-compliant purely through regulatory evolution, with no change on the client's part at all.
What is the goAML platform registration process, and how long does it take?

Registration on goAML involves creating an entity profile on the FIU platform, designating authorised users (typically the Compliance Officer), and completing the entity's regulatory details. Processing timelines vary and depend on the completeness of the submitted information and the FIU's current processing volumes; PNPC coordinates the registration as part of the wider programme build and manages any follow-up queries from the FIU to keep the process moving.

Practitioner note: We advise clients to treat goAML registration as one milestone within the broader build timeline, not a standalone task to rush ahead of the underlying risk assessment and procedures. Registering the platform access before the programme it supports is ready creates an awkward gap if a suspicious transaction arises before staff are trained on how to actually use it.
Does registering on goAML by itself mean our AML/CFT compliance is complete?

No. goAML is the reporting channel for Suspicious Transaction Reports and Suspicious Activity Reports — registration proves you can file a report, not that you have a working CDD programme behind it. Genuine compliance requires the documented risk assessment, standard/simplified/enhanced due diligence procedures, beneficial ownership identification, sanctions and PEP screening, a designated Compliance Officer, staff training, and ongoing monitoring operating together. A supervisor who sees goAML access but no underlying risk assessment or onboarding evidence treats that as a bigger red flag than no registration at all, because it signals the entity thought a portal login was the finish line.

Practitioner note: We have taken over engagements where a well-meaning founder registered on goAML from a checklist article and considered AML 'done.' Portal access with nothing behind it is often worse optics on inspection than an honest admission that the programme is still being built.
We already have a written AML policy from our free zone's standard onboarding pack — is that sufficient?

Generally no. Free zone authorities sometimes provide a template AML policy as a starting reference at licensing stage, but the law requires the policy to reflect your entity's actual risk assessment — your specific customer categories, products, jurisdictions, and delivery channels — not the free zone's generic version distributed to every licensee. An unmodified template with no entity-specific risk assessment behind it does not satisfy the risk-based approach Federal Decree-Law No. 20 of 2018 requires, and inspectors are familiar with these templates and specifically test whether they were customised or simply signed and filed.

Practitioner note: We ask every new client for their existing policy at the scoping call specifically to check whether it still has another company's name, or the free zone's generic boilerplate, left in the document. That is one of the fastest ways to spot an unimplemented programme.
How does PNPC typically start a KYC & CDD Advisory engagement — what happens in the first meeting?

The first session is a scoping and applicability call: confirming your DNFBP category or sector-regulator status, mapping your actual customer base and transaction types, reviewing anything you already have in place (policy documents, onboarding forms, goAML registration status), and identifying any live inspection findings or historical ESR exposure that needs separate attention. We leave that call with a clear picture of what already exists, what is missing, and a realistic build timeline before any drafting begins.

Practitioner note: We deliberately do not start drafting a risk assessment before this conversation happens. A programme built on assumptions about your customer base rather than the actual facts is exactly the kind of generic document that fails on inspection.
Our onboarding volume is low right now — should we wait until we scale up before building a formal CDD programme?

No. The AML/CFT obligation attaches to your regulatory category (DNFBP, financial institution, VASP) from the point you begin operating in that capacity, not from an onboarding volume you judge large enough to justify it. (The prescribed cash-transaction thresholds that bring certain DNFBP activities into scope in the first place are a question of applicability, not a reason to defer the programme once you are in scope.) Waiting until volumes justify it, in the entity's own view, leaves every customer onboarded in the interim without a documented, risk-based assessment behind it, and those files cannot be retrofitted convincingly after the fact. A right-sized programme for a low-volume business is faster and cheaper to build now than a full remediation exercise once volumes and inspection risk have both grown.

Practitioner note: We scale the depth of the risk assessment and procedures to current volume, then build in review triggers tied to specific growth milestones (new customer segments, a jurisdiction expansion, a product change) so the programme grows with the business instead of falling behind it.
What is the difference between a business risk assessment and a customer risk rating — do we need both?

Yes, and they serve different purposes. The business-wide risk assessment is the foundational document assessing your entity's overall exposure across customer types, geography, products/services, and delivery channels — it shapes your policy and procedures. The customer risk rating is the operational output applied to each individual customer at onboarding, using the methodology the business risk assessment establishes, to decide whether standard, simplified, or enhanced due diligence applies to that specific relationship. A business risk assessment with no consistent customer-level rating process is a document with no operational teeth.

Practitioner note: We build the customer risk rating as a short, usable form your onboarding staff complete in minutes, not a lengthy questionnaire that gets skipped under time pressure. A risk methodology nobody actually uses at the point of onboarding might as well not exist.
If we outsource company formation work to a corporate service provider, do we still need our own CDD programme, or does theirs cover us?

You still need your own programme if your own licensed activity falls within a regulated category. A corporate service provider's CDD obligation covers its own relationship with you as its client — it identifies and verifies you and your beneficial owners. It does not extend to, or substitute for, your separate obligation to run CDD on your own customers if your business is itself a DNFBP, financial institution, or VASP. These are two independent obligations running in parallel, not a single chain where one party's compliance covers the other.

Practitioner note: We see this confusion most often with newly formed corporate service providers themselves. They assume the formation agent who set up their own company already handled 'the AML part,' when in fact they now need their own programme for the clients they in turn serve.
Can existing customer relationships be brought into a new CDD programme, or does everything start fresh with new customers only?

A properly built programme covers both. New customer onboarding applies the documented procedure from day one, but existing relationships also need to be brought up to the same standard through a structured back-book remediation exercise — reviewing existing files, filling identification and beneficial ownership gaps, and applying risk ratings retrospectively. Supervisors expect existing relationships to be covered on a risk-prioritised basis (higher-risk existing customers first), not left indefinitely on the old, undocumented basis simply because they predate the new programme.

Practitioner note: Back-book remediation is usually the most time-consuming part of a first-time programme build for an entity with an existing customer base. We scope it as a distinct workstream with its own timeline rather than folding it into the same schedule as new onboarding procedures.
How does the enhanced due diligence protocol differ for a high-risk jurisdiction exposure versus a PEP relationship?

Both trigger enhanced due diligence, but the specific evidence differs. A high-risk jurisdiction exposure (a customer or counterparty connected to a jurisdiction FATF has flagged for strategic AML/CFT deficiencies) generally requires closer scrutiny of the transaction rationale, additional verification of the underlying business activity, and often more frequent ongoing monitoring. A PEP relationship specifically requires senior management approval before onboarding and a documented source-of-funds and source-of-wealth assessment tied to the individual's public role, regardless of transaction size. An entity can face either trigger independently, or both together in a single relationship, and the protocol should address each explicitly rather than applying one generic 'enhanced' label.

Practitioner note: We build separate enhanced due diligence checklists for each trigger type rather than one combined form, because staff applying a single generic enhanced-due-diligence form tend to miss the specific evidence a PEP file needs versus what a high-risk-jurisdiction file needs.
How does the dealer-in-precious-metals cash threshold actually work — when does a jeweller become a DNFBP?

A dealer in precious metals and stones is captured as a DNFBP when it carries out a cash transaction, or a series of apparently linked cash transactions, at or above the prescribed threshold (commonly applied at AED 55,000), at which point the AML/CFT obligations, including CDD on the counterparty and goAML registration, are triggered. The trap is the 'series of linked transactions' wording: splitting a single AED 200,000 purchase into four AED 50,000 cash payments does not put the customer below the line, and a pattern of payments structured specifically to stay under it is itself a red flag that should be escalated to the MLRO for an STR decision.

Practitioner note: We tell precious-metals clients to build the aggregation logic into the till or invoicing process, not leave it to the salesperson's memory. The moment a supervisor sees several same-day sub-threshold cash sales to the same buyer with no CDD, the argument that each was individually below the line collapses. Confirm the current threshold figure against the applicable Cabinet Decision at the time, since these figures are periodically revised.
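The following is an added example of the aggregation logic this note recommends building into the till; it is illustration written for this page, not PNPC's tooling or any part of the original text. It groups cash sales by buyer into linked series (same buyer, each sale within 24 hours of the previous one, an assumed linking rule that the entity's written procedure would actually define), flags every series whose aggregate reaches the threshold, and separately marks the case where each payment in the series was individually under the line. The AED 55,000 figure, the 24-hour window, and the sample till records are all assumed or constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Threshold assumed for this example; confirm the live figure against the
# applicable Cabinet Decision before relying on it.
CASH_THRESHOLD_AED = 55_000

# Assumed linking rule: cash sales to the same buyer form one series while
# each sale falls within LINK_WINDOW of the previous one. The real rule
# belongs in the entity's written CDD procedure, not in code alone.
LINK_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class CashSale:
    invoice: str
    buyer_id: str       # whatever identifier the till already captures for the buyer
    when: datetime
    amount_aed: int


@dataclass(frozen=True)
class Finding:
    buyer_id: str
    invoices: tuple             # invoices that together reach the threshold
    total_aed: int
    structuring_indicator: bool  # crossed only in aggregate: escalate to the MLRO


def _series(rows, window):
    """Split one buyer's time-ordered sales into linked series."""
    series, current = [], []
    for sale in rows:
        if current and sale.when - current[-1].when > window:
            series.append(current)
            current = []
        current.append(sale)
    if current:
        series.append(current)
    return series


def linked_cash_findings(sales, threshold=CASH_THRESHOLD_AED, window=LINK_WINDOW):
    """Return one Finding per buyer series whose aggregate cash reaches the threshold."""
    by_buyer = defaultdict(list)
    for sale in sorted(sales, key=lambda s: s.when):
        by_buyer[sale.buyer_id].append(sale)

    findings = []
    for buyer_id in sorted(by_buyer):
        for run in _series(by_buyer[buyer_id], window):
            total = sum(s.amount_aed for s in run)
            if total < threshold:
                continue
            # Every sale individually under the line, but the series over it:
            # the 'four AED 50,000 payments' pattern.
            split = len(run) > 1 and all(s.amount_aed < threshold for s in run)
            findings.append(Finding(buyer_id, tuple(s.invoice for s in run), total, split))
    return findings


# Constructed sample till records, not real transactions.
SAMPLE_SALES = [
    CashSale("INV-101", "buyer-A", datetime(2024, 3, 4, 10, 0), 50_000),
    CashSale("INV-102", "buyer-A", datetime(2024, 3, 4, 10, 40), 50_000),
    CashSale("INV-103", "buyer-A", datetime(2024, 3, 4, 11, 15), 50_000),
    CashSale("INV-104", "buyer-A", datetime(2024, 3, 4, 12, 5), 50_000),
    CashSale("INV-105", "buyer-B", datetime(2024, 3, 4, 13, 0), 60_000),
    CashSale("INV-106", "buyer-C", datetime(2024, 3, 4, 14, 0), 30_000),
    CashSale("INV-107", "buyer-C", datetime(2024, 3, 9, 14, 0), 30_000),  # five days later: not linked
    CashSale("INV-108", "buyer-D", datetime(2024, 3, 4, 15, 0), 30_000),
    CashSale("INV-109", "buyer-D", datetime(2024, 3, 4, 15, 30), 20_000),  # linked, but 50,000 in total
]

if __name__ == "__main__":
    for f in linked_cash_findings(SAMPLE_SALES):
        action = "structuring indicator, escalate to MLRO" if f.structuring_indicator else "CDD required"
        print(f"{f.buyer_id}: AED {f.total_aed:,} across {f.invoices} -> {action}")
```

On the sample data buyer-A (four linked AED 50,000 sales) and buyer-B (one AED 60,000 sale) both require CDD, and only buyer-A carries the structuring indicator; buyer-C's two sales fall outside the window and buyer-D's linked series stays under the line. Lowering the threshold parameter shows the same logic reclassifying buyer-D, which is why the threshold belongs in one configurable place rather than scattered through the till software.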
How is the fine schedule for AML/CFT breaches structured, and can penalties be levied per breach?

Administrative penalties for DNFBP and financial-institution AML breaches are set out in Cabinet Decision No. 16 of 2021 (which replaced the earlier penalty framework) and are applied by the supervising authority per violation category — failing to register on goAML, failing to apply CDD, failing to file an STR, failing to maintain records, and so on are each separate breaches. Because penalties attach per category and can be repeated for continuing or per-file failures, a single inspection surfacing several deficiencies across a customer book can aggregate well beyond what an entity expects from reading any one line item.

Practitioner note: We do not quote a headline fine figure as if it were 'the' penalty, because the real exposure is cumulative. One missing risk assessment plus fifty deficient customer files plus no goAML registration is not one fine; it is several categories compounding. Verify the current penalty amounts against Cabinet Decision No. 16 of 2021 as amended at the time of any specific advice.
Our jurisdiction was just added to (or removed from) the FATF grey list — do we need to re-screen our whole customer book?

FATF maintains two public lists: jurisdictions under increased monitoring (the 'grey list') and high-risk jurisdictions subject to a call for action (the 'black list'). When either list is updated, any customer, beneficial owner, or counterparty connected to a newly listed jurisdiction can move from standard to enhanced due diligence overnight, and a de-listing can relax the position. A properly designed programme treats a FATF list change as a monitoring trigger: existing relationships connected to the affected jurisdiction are re-risk-rated, not just new ones. Doing nothing on an existing book after a list change is a live gap, because the risk profile of those relationships has objectively changed even though the customer has not.

Practitioner note: We build the FATF-list review into the standing monitoring calendar precisely because most breaches here are omissions, not errors. The entity screened correctly at onboarding, the world changed, and nobody re-ran the book. The UAE itself was on the FATF grey list until early 2024, which is exactly why local supervisors test this discipline closely.
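As an added example, not part of the original page or PNPC's own tooling, the block below applies a simple customer risk methodology across an existing book before and after a FATF list change and reports only the relationships whose due diligence level moved. The methodology is assumed for illustration (PEP status or FATF-listed exposure forces enhanced due diligence; non-face-to-face onboarding rules out simplified due diligence), the customer records are constructed, and the jurisdiction codes XX and YY are placeholders, not real listings.

```python
from dataclasses import dataclass

SIMPLIFIED, STANDARD, ENHANCED = "simplified", "standard", "enhanced"


@dataclass(frozen=True)
class Customer:
    customer_id: str
    jurisdictions: frozenset        # customer, beneficial owners and main counterparties
    pep: bool = False
    remote_onboarded: bool = False
    low_risk_product: bool = False


def due_diligence_level(customer, fatf_listed):
    """Assumed methodology, standing in for the one the business risk
    assessment would define: PEP or FATF-listed exposure means enhanced;
    remote onboarding rules out simplified; a low-risk product sold face
    to face may be simplified; everything else is standard."""
    reasons = []
    if customer.pep:
        reasons.append("PEP: senior management approval plus source of funds and wealth")
    listed = sorted(customer.jurisdictions & fatf_listed)
    if listed:
        reasons.append("FATF-listed jurisdiction exposure: " + ", ".join(listed))
    if reasons:
        return ENHANCED, reasons
    if customer.remote_onboarded:
        return STANDARD, ["non-face-to-face channel: compensating verification required"]
    if customer.low_risk_product:
        return SIMPLIFIED, ["low-risk product, face-to-face, no enhanced triggers"]
    return STANDARD, ["no specific triggers"]


def rerate_on_list_change(book, old_listed, new_listed):
    """Re-run the methodology over the existing book after a FATF list update.
    Returns (customer_id, level_before, level_after, reasons) for moved
    relationships only. A downward move is a prompt to review the file,
    not an automatic downgrade."""
    moved = []
    for customer in book:
        before, _ = due_diligence_level(customer, old_listed)
        after, reasons = due_diligence_level(customer, new_listed)
        if before != after:
            moved.append((customer.customer_id, before, after, reasons))
    return moved


# Constructed book; XX and YY are placeholder codes, not real FATF listings.
BOOK = [
    Customer("C-001", frozenset({"AE", "YY"})),                      # counterparty in newly listed YY
    Customer("C-002", frozenset({"XX"})),                            # only trigger was XX, now de-listed
    Customer("C-003", frozenset({"XX"}), pep=True),                  # stays enhanced: still a PEP
    Customer("C-004", frozenset({"AE"}), low_risk_product=True),     # unaffected, simplified
    Customer("C-005", frozenset({"AE"}), remote_onboarded=True),     # unaffected, standard
]
LIST_BEFORE = frozenset({"XX"})
LIST_AFTER = frozenset({"YY"})      # XX de-listed, YY added

if __name__ == "__main__":
    for cid, before, after, reasons in rerate_on_list_change(BOOK, LIST_BEFORE, LIST_AFTER):
        print(f"{cid}: {before} -> {after} ({'; '.join(reasons)})")
```

The point the run makes is the one the answer above makes in prose: only C-001 and C-002 move, C-003 stays enhanced because the PEP trigger is independent of the list, and the two unaffected customers are left alone. Recording the reasons alongside each move is what turns the re-rating into evidence a supervisor can read.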
Who exactly has to be registered on goAML — the entity, the MLRO, or both?

The regulated entity registers as an organisation on goAML, and within that registration it nominates authorised users — typically the Compliance Officer / MLRO and any delegate — who hold the credentials to actually file. Both layers matter: an entity registered with no active, trained authorised user cannot discharge a real-time STR obligation, and an individual cannot file on behalf of an entity that is not itself registered. Registration also requires the entity to keep its details current, so a change of MLRO or a change of licensed activity means the goAML profile has to be updated, not left as filed at first registration.

Practitioner note: A recurring gap we find is the MLRO who left the business twelve months ago still being the only named goAML user, meaning nobody currently at the entity can actually file. We check live user access, not just that a registration exists, as part of the programme review.
What is the difference between an STR, an SAR, and the other report types on goAML?

goAML supports several report types beyond the core Suspicious Transaction Report and Suspicious Activity Report. An STR is filed where suspicion attaches to a specific transaction; an SAR where suspicion attaches to activity or conduct not tied to a single completed transaction (including an attempted or refused transaction). goAML also carries other prescribed report types for entities in scope of the corresponding obligations, such as the dealers-in-precious-metals cash-transaction report, the high-risk-country transaction and activity reports, the funds-freeze report, and the Partial Name Match report used where a customer or counterparty screens as a possible hit against a sanctions or terrorist list. Choosing the correct report type matters: an SAR is the right vehicle when you decline to onboard a suspicious would-be customer, since there may be no transaction to report at all.

Practitioner note: Staff frequently assume 'no completed transaction means nothing to report.' The opposite is often true: a customer who walks away when you ask for beneficial-ownership evidence is exactly the SAR scenario, and the fact that they took no money through you does not extinguish the reporting obligation.
How do the goAML Partial Name Match report and the Local Terrorist List obligation work in practice?

Beyond STR/SAR filing, entities are expected to screen against the UAE Local Terrorist List and the UN Consolidated List and to act on notifications from the Executive Office for Control and Non-Proliferation (EOCN): freezing funds without delay and filing the relevant report through goAML where a true match arises, within the short window the framework mandates after a listing. In practice most screening produces partial or 'possible' matches rather than confirmed hits, and the discipline is a documented adjudication step: recording why a possible match was cleared or escalated, so the file shows a decision was made rather than an alert being silently dismissed.

Practitioner note: The finding we see most on the sanctions side is not a missed true match (those are rare) but a screening tool generating alerts that nobody dispositions in writing. An unactioned alert queue is worse on inspection than no tool, because it proves the entity was told and did nothing.
If we onboard customers fully remotely, does that change our CDD obligations?

Yes — non-face-to-face onboarding is expressly a higher delivery-channel risk factor in the UAE risk-based framework, so a fully remote onboarding model generally requires additional or compensating measures: independent verification of identity documents, liveness or video verification, confirming an independent second data point, or a first transaction routed through a bank account in the customer's verified name. Remote onboarding is permitted, but it cannot be run at the same evidential depth as a face-to-face file and still satisfy the risk-based standard.

Practitioner note: We see fintech-style and brokerage clients build a slick remote onboarding flow that captures a passport image and an OTP and call it done. That is KYC data capture, not risk-based CDD. The delivery-channel risk uplift for remote onboarding has to be visible in the procedure, or an inspector reads the whole model as under-controlled.
One of our existing customers has just been sanctioned — what are we actually required to do, and how fast?

A live sanctions listing of an existing customer or beneficial owner triggers an immediate freeze obligation — funds and assets must be frozen without delay, no further transactions processed, and a report filed through goAML within the short window set by the UAE framework, all without tipping off the customer. This is the scenario ongoing monitoring exists to catch: a name that screened clean at onboarding can be listed at any time, which is why periodic re-screening against updated lists, not just onboarding screening, is a non-negotiable part of a defensible programme.

Practitioner note: The gap here is almost always tempo. Entities know they must freeze; what fails is the internal path from 'the screening tool flagged an existing customer overnight' to 'funds actually frozen and report filed the same day.' We rehearse that specific runbook, because a freeze obligation discovered on a Thursday cannot wait for Sunday.
Does relying on another regulated firm's CDD (reliance on third parties) let us skip our own checks?

The UAE framework permits, in defined circumstances, reliance on CDD performed by another regulated third party — but reliance is narrow and conditional: the third party must be appropriately regulated and supervised, must make the underlying CDD information available to you immediately on request, and critically the ultimate responsibility for CDD adequacy remains with your entity, not the party you relied on. It is not outsourcing the liability; it is a documented arrangement where you can still produce the CDD evidence and stand behind it.

Practitioner note: Clients hear 'reliance permitted' and assume they can accept an introducer's assurance and move on. When we ask to see the underlying CDD file the introducer supposedly holds, it frequently is not obtainable, which means the reliance was never valid and those customers are effectively un-diligenced on your own book.
How do PNPC's own AML checks on us as a client differ from the CDD programme you build for us?

They are two entirely separate obligations. As a practising CA firm and itself a DNFBP for certain activities, PNPC applies its own CDD to you when we take you on as a client — identifying you and your beneficial owners under our own programme. The CDD programme we design for you governs how you apply due diligence to your customers. Engaging us satisfies our obligation toward you; it has no bearing on, and cannot substitute for, your separate legal duty to run CDD on your own customer base if your business is itself in scope.

Practitioner note: This genuinely confuses clients, especially other professional-services firms. We spell it out in the engagement letter so nobody leaves believing that being our client somehow discharges their own onboarding obligations toward the people they in turn serve.
What is the most common reason a KYC & CDD programme that passed once fails at the next inspection?

Drift. The programme was accurate the day it was built, but the business changed and the paper did not: a new product line, a new customer segment, expansion into a new jurisdiction, a change of ownership, or a change of MLRO — none of which was reflected in an updated risk assessment or revised procedure. Supervisors specifically test currency: 'when was this last reviewed' and 'does the risk assessment describe the business as it operates today' are standard questions with a binary pass/fail answer, and a two-year-old assessment describing a business that has since doubled its footprint fails on its face.

Practitioner note: This is why we resist selling a one-off build with no review cadence. A perfect programme decays purely through the business growing around it. The annual review and the change-triggered review are not upsells; they are what keeps the original work from silently expiring.
How does PNPC's cross-service view of our accounting and tax records strengthen the AML file specifically?

The same ledgers, bank statements, and related-party data that support your Corporate Tax and VAT positions are direct evidence when assessing whether a customer's transaction pattern is consistent with their stated profile. A payment flow that looks unremarkable on a KYC intake form may look anomalous against the actual transaction ledger — third-party funding, round-tripping, or activity inconsistent with the customer's declared business. Because PNPC often holds both views, a mismatch between what a customer file asserts and what the underlying accounting shows is more likely to be caught internally before it becomes an inspection finding or an undetected suspicious relationship.

Practitioner note: The AML risk assessment and the bookkeeping look at the same money from two angles. When one firm sees both, an unusual counterparty pattern surfaces to the team that can actually assess it. That overlap has flagged issues for clients that a standalone AML consultant, working only from the intake form, would never have seen.
When does a KYC & CDD matter need a lawyer rather than PNPC's advisory scope?

PNPC designs, implements, and remediates the CDD programme and supports inspections and findings within our professional scope. The line to independent legal counsel is crossed when the entity or an individual is under active criminal investigation for a money-laundering or terrorist-financing offence, when a formal enforcement action requires legal representation before a court or tribunal, or when a privileged legal opinion is needed on a contested point of law. In those situations AML advisory supports the legal strategy rather than leading it, and we coordinate with counsel rather than stretch the engagement past its proper boundary.

Practitioner note: We are direct about this boundary. Advisory and remediation are our work; a live criminal matter is a lawyer's, and pretending otherwise would not serve the client. Where both are needed, the AML file we maintain becomes the factual backbone counsel works from.
Can PNPC take over and fix an AML/CFT programme another consultant built or a founder assembled from templates?

Yes, and it is a common starting point. The first step is a diagnostic against current obligations: what the existing policy actually says versus what the files evidence, whether the risk assessment is entity-specific or generic, whether goAML registration is live with an active authorised user, whether beneficial ownership was genuinely looked through, and whether any inspection finding or bank query is currently open. From that gap assessment we scope a remediation plan with owners and dates rather than blindly rewriting a document that may not have been the real problem.

Practitioner note: The fix is rarely the policy prose; it is the operating discipline underneath it. We have inherited beautifully drafted policies with no risk assessment, no training records, and a goAML account nobody could log into. Rewriting the policy those clients already had would have solved nothing; rebuilding the evidence layer did.
Why PNPC Global

PNPC KYC & CDD Advisory vs generic compliance template providers

Dimension | Generic template / downloaded policy | PNPC Global
Risk assessment basis | Generic industry boilerplate, not specific to your customer base or jurisdiction exposure | Business-specific risk assessment built from your actual licensed activity, customer categories, and transaction profile
Beneficial ownership methodology | Often a single form with no look-through guidance for layered structures | Documented look-through procedure for corporate, trust, and nominee structures, aligned to Cabinet Decision No. 58 of 2020
Staff capability after delivery | Policy document handed over; staff left to interpret it unaided | Role-specific training delivered, with competency records maintained as inspection evidence
goAML and regulator registration | Rarely included; treated as the client's separate task | Registered and coordinated as part of the engagement, with credentials handed over ready to use
Inspection readiness testing | Not offered; the first real test is the actual inspection | Internal mock file review and walkthrough conducted before go-live to surface gaps early
Response to regulatory findings | No ongoing relationship to call on | Direct support drafting corrective action plans and representing the client in follow-up correspondence
Ongoing regulatory tracking | Static document, not updated as Cabinet Decisions evolve | Annual review built into the relationship, updated as FATF guidance and Cabinet Decisions change
Cross-disciplinary context | AML in isolation from tax, accounting, and corporate structure | Integrated view across UAE tax, accounting, corporate structuring, and AML; inconsistencies are more likely to be caught internally
Presence beyond delivery | Transaction ends at document handover | PNPC Dubai office, practising CA firm since 1986, available for live escalations and ongoing advisory
Screening-alert handling | Tool generates alerts; no documented disposition of possible matches | Every partial/possible sanctions or PEP match adjudicated and recorded, so the file shows a decision was made, not an alert ignored
Back-book and change triggers | New customers only; existing files and FATF-list changes left untouched | Risk-prioritised back-book remediation plus monitoring triggers for FATF-list moves, ownership changes, and new activity

What the PNPC package includes

1. Applicability scoping to confirm DNFBP, financial institution, or VASP status and the correct supervisory authority
2. Business-wide AML/CFT risk assessment specific to your customer base, geography, and transaction profile
3. Bespoke AML/CFT policy and CDD procedure documentation your staff can actually execute
4. Beneficial ownership identification framework and Register of Beneficial Owners setup under Cabinet Decision No. 58 of 2020
5. Sanctions and PEP screening design, with tool selection guidance where none currently exists
6. Enhanced due diligence protocol for PEPs, high-risk jurisdictions, and complex ownership structures
7. goAML platform registration and Suspicious Transaction Report / Suspicious Activity Report escalation procedure
8. Compliance Officer / MLRO designation support and reporting-line structuring
9. Role-specific staff training with attendance and competency records
10. Internal mock inspection and sample file testing before go-live
11. Ongoing annual review and regulatory update tracking
12. Direct representation and corrective action planning in response to any Ministry of Economy, Central Bank, DFSA, FSRA, or VARA finding
13. Current-law and authority-route memo for KYC and customer due diligence advisory
14. Evidence request list tailored to UAE tax/AML/ESR/excise context
15. Portal-status and registration/filing profile review
16. Source-record index with missing-item tracker
17. Technical position paper with assumptions and exclusions
18. Submission, remediation or response pack prepared for review
19. Authority query-response matrix and owner tracker
20. Management sign-off note and corrective-action calendar
21. Scoping and applicability call with written assumptions, exclusions, supervisory-authority mapping, and an accountable PNPC engagement owner

Talk to PNPC's Dubai team before your next inspection finds the gap for you — we build AML/CFT and CDD programmes that hold up on the file, not just on paper.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.
