The UAE AML/CFT framework — Federal Decree-Law 20/2018 + Cabinet Decision 10/2019 + Cabinet Decision 74/2020 (Targeted Financial Sanctions) + Cabinet Decision 58/2020 (UBO) — applies to far more SMBs than most owners realize. Real-estate brokers, dealers in precious metals, lawyers, accountants, and trust service providers fall under DNFBP obligations. Every UAE-resident business has TFS screening obligations. Every Mainland and Free Zone entity has UBO obligations. This guide walks the framework end-to-end with the practical compliance checklist.
The UAE was placed on the FATF "grey list" in March 2022 over AML/CFT shortcomings, and was removed in February 2024 after a significant enforcement push. The framework that emerged from that period has teeth — fines now reach 5 million per violation, with substantial enforcement activity across DNFBP sectors. SMBs that assumed "AML applies to banks, not us" have been a frequent enforcement target.
The real scope:
| Layer | What it requires | Who it applies to |
|---|---|---|
| FDL 20/2018 — Anti-Money Laundering Law | Core AML framework: ML offence definition, customer due diligence, record-keeping, STR reporting, FIU cooperation | Financial institutions + DNFBPs |
| Cabinet Decision 10/2019 — Implementing Regulations | Practical AML programme requirements: risk assessment, CDD procedures, training, compliance officer, audit | Financial institutions + DNFBPs |
| Cabinet Decision 74/2020 — Targeted Financial Sanctions | Screening counterparties against UAE Local Terrorist List + UN Security Council Sanctions List, immediate freezing on hit, FIU reporting within 24 hours | All UAE-resident businesses |
| Cabinet Decision 58/2020 — UBO Register | Ultimate Beneficial Owner register (25%+ ownership or ultimate control), filing with licensing authority, update within 15 days of change | All UAE Mainland + Free Zone entities (with limited exceptions) |
Cabinet Decision 10/2019 Article 3 defines four DNFBP categories that fall under the full AML programme (risk assessment, CDD, STR, training, compliance officer):
If your business falls in one of these categories, you have full DNFBP obligations including: appointing a Compliance Officer reporting to senior management, implementing a Customer Due Diligence (CDD) programme, conducting annual risk assessments, providing annual AML training to staff, maintaining records for 5 years minimum, and filing STRs with the UAE FIU.
Cabinet Decision 74/2020 applies to every UAE-resident business regardless of sector. The core requirement: screen counterparties against the UAE Local Terrorist List and the UN Security Council Sanctions List before establishing a business relationship, and on an ongoing basis.
Counterparties to screen:
If a screening returns a positive match against the TFS lists:
UAE FIU operates the goAML portal as the central system for AML/CFT reporting. Every business with reporting obligations (DNFBP + financial institutions + others) is required to register on goAML. The portal handles: STR submissions, TFS reporting, UBO data exchange in some scenarios, and ongoing communications with FIU.
The UBO Register requirement applies to every UAE-licensed entity except specific carve-outs (UAE-government-owned entities, listed companies with regulated disclosure, etc.). Every entity must:
DNFBPs and financial institutions must file Suspicious Transaction Reports (STRs) with the UAE FIU when they identify a transaction (or attempted transaction) involving funds suspected to be proceeds of crime, related to terrorism financing, or otherwise suspicious.
STR triggers commonly include:
STRs are filed through the goAML portal. Filing is confidential — the customer must not be informed (tipping-off offence). STR filing does not in itself confirm wrongdoing; it triggers FIU investigation.
The UAE AML/CFT penalty regime, administered through the AML/CFT Committee and the Executive Office, has been substantially strengthened since 2022:
| Violation | Penalty range |
|---|---|
| Failure to register on goAML (DNFBPs) | 50,000 - 500,000 |
| Failure to implement AML programme | 100,000 - 1,000,000 |
| Failure to file UBO with licensing authority | 50,000 + license suspension |
| Failure to conduct TFS screening | 50,000 - 5,000,000 |
| Tipping-off offence | 50,000 - 1,000,000 + criminal liability |
| Failure to file STR when triggered | 100,000 - 1,000,000 |
| Continued non-compliance | License cancellation |
For UAE SMBs evaluating their AML/CFT exposure and building a compliance programme:
Yes, in most cases more than owners realize. The UAE AML framework (Federal Decree-Law 20/2018 + Cabinet Decision 10/2019) applies to every financial institution. The Designated Non-Financial Businesses and Professions (DNFBP) framework under Cabinet Decision 10/2019 Article 3 extends to real-estate brokers and agents, dealers in precious metals + stones, lawyers + notaries + accountants (when conducting in-scope transactions), and trust + company service providers. The Targeted Financial Sanctions framework under Cabinet Decision 74/2020 applies to all UAE-resident businesses regardless of sector. UBO obligations under Cabinet Decision 58/2020 apply to virtually every UAE Mainland and Free Zone entity. The combined scope means most UAE SMBs have at least some AML/CFT obligation.
Cabinet Decision 74/2020 requires UAE businesses to screen counterparties (customers, suppliers, employees, beneficiaries) against the UAE Local Terrorist List + UN Security Council Sanctions List + the OFAC list (where applicable). Hits trigger immediate freezing of funds + reporting to the UAE Financial Intelligence Unit (UAE FIU) within 24 hours. The framework is administered through the UAE Cabinet's Targeted Financial Sanctions Committee, with the screening lists published through the goAML portal.
Cabinet Decision 58/2020 requires every UAE-licensed entity (Mainland + Free Zone with exceptions) to maintain an Ultimate Beneficial Owner register, file the UBO data with the licensing authority, and update changes within 15 days. UBO is defined as any natural person who ultimately owns 25%+ of the entity directly or indirectly, or who exercises ultimate control. The register is filed via the DED for Mainland Dubai, ADED for Abu Dhabi, individual Free Zone authorities for Free Zones.
An STR (Suspicious Transaction Report) is filed when you suspect a transaction is connected to money laundering, terrorism financing, or other criminal activity — it's a forward-looking report that triggers FIU investigation. A TFS (Targeted Financial Sanctions) report is filed when a screening match is found against the UAE Local Terrorist List or UN Sanctions List — it's a reactive report on a positive screening hit. Both are filed through goAML but they have different triggers and downstream processes.
The UAE was on the FATF "grey list" from March 2022 to February 2024 over AML/CFT shortcomings. During grey-list status, UAE businesses faced additional scrutiny from foreign correspondent banks, payment processors, and compliance counterparts. The UAE made substantial enforcement and regulatory improvements during the grey-list period. Maintaining the standards post-removal is critical to avoid future grey-listing.
Free Zone entities are subject to the same AML/CFT framework as Mainland entities. Individual Free Zone authorities (DIFC, ADGM specifically) have their own additional regulatory frameworks that overlay the federal AML framework — DIFC entities are regulated by the DFSA, ADGM by the FSRA, with detailed rulebooks that go beyond the federal AML floor. For Free Zone entities outside DIFC/ADGM (DMCC, JAFZA, etc.), the federal AML framework + the Free Zone authority's own AML rules apply.
Federal Decree-Law 20/2018 is at u.ae. Cabinet Decisions 10/2019, 58/2020, and 74/2020 are at u.ae and mof.gov.ae. The UAE FIU operates the goAML portal at goaml.ae. Sectoral guidance is published by the Ministry of Economy (for DNFBPs broadly), DED/ADED (for licensing authority obligations), and the individual Free Zone authorities. We strongly recommend verifying current state against official sources and engaging a qualified UAE AML advisor for compliance programme design.