AML KYC Policy UAE & DIFC: Compliance Guide 2024

What Is an AML KYC Policy in the UAE and DIFC?

An AML KYC policy is a formal, written framework that regulated entities in the UAE and DIFC must maintain to detect, prevent, and report money laundering, terrorist financing, and proliferation financing. The policy operationalises two interconnected compliance disciplines: Anti-Money Laundering (AML), which governs how businesses identify and disrupt illicit financial flows, and Know Your Customer (KYC), which governs how businesses verify the identity, ownership structure, and risk profile of their customers before and during a business relationship.

In the UAE, the obligation to maintain a documented AML policy applies to a wide range of entities, including banks, insurance companies, exchange houses, designated non-financial businesses and professions (DNFBPs) such as real estate brokers, lawyers, accountants, and corporate service providers, as well as virtual asset service providers (VASPs). In the DIFC specifically, firms authorised by the Dubai Financial Services Authority (DFSA) are subject to a parallel but complementary AML framework that mirrors FATF standards and EU-equivalent requirements.

For founders and compliance officers, an AML KYC policy is not a checkbox document. It is a living operational manual that regulators will scrutinise during inspections, and its absence or inadequacy is one of the most cited grounds for administrative sanctions in the UAE today.

Legal Requirements and Regulatory Framework

The UAE's AML KYC landscape is governed by a layered legislative and regulatory architecture. Understanding each layer is essential before drafting or updating your policy.

  • Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations is the primary statute. It defines predicate offences, sets out customer due diligence obligations, and establishes the criminal and administrative penalty regime.
  • Cabinet Decision No. 10 of 2019 provides the executive regulations implementing Federal Decree-Law No. 20, detailing the specific CDD measures, enhanced due diligence triggers, and suspicious transaction reporting obligations.
  • Cabinet Decision No. 24 of 2022 updated the regulatory framework and broadened the scope of entities required to register on the goAML platform operated by the UAE Financial Intelligence Unit (UAE FIU).
  • The Central Bank of the UAE (CBUAE) issues sector-specific AML/CFT regulations and guidance for licensed financial institutions, including Circular No. 2 of 2019 and the comprehensive AML/CFT Guidelines published in 2021.
  • The DFSA enforces AML obligations within the DIFC under its Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML Module) within the DFSA Rulebook, which is directly binding on all DFSA-authorised firms.
  • The Securities and Commodities Authority (SCA) governs AML compliance for investment firms and VASPs licensed onshore outside the DIFC and ADGM.
  • FATF Recommendations underpin all UAE AML legislation. The UAE's removal from the FATF grey list in 2024 reflects a period of intensified regulatory activity, and UAE regulators are now sustaining that momentum through active enforcement.

Key Clauses and Requirements in an AML KYC Policy

A compliant AML KYC policy in the UAE or DIFC must contain specific, substantive provisions. Generic templates drawn from other jurisdictions will not satisfy UAE regulatory expectations. The following are the core components your policy must address:

  • Risk-Based Approach (RBA) Statement: A documented methodology for assessing AML/CFT risk at the institutional level and at the customer level, aligned with the UAE National Risk Assessment and any sector-specific guidance issued by your regulator.
  • Customer Due Diligence (CDD) Procedures: Clear procedures for identifying and verifying natural persons (using Emirates ID, passport, or equivalent) and legal entities (using trade licences, Memoranda of Association, UBO declarations). CDD must be applied at onboarding, at defined trigger events, and on an ongoing basis.
  • Ultimate Beneficial Owner (UBO) Identification: Under Cabinet Decision No. 58 of 2020 on the Regulation of the Beneficial Owner Procedures, entities must identify and verify any natural person holding 25% or more ownership or control. DIFC firms must comply with DIFC Companies Law requirements on beneficial ownership registers.
  • Enhanced Due Diligence (EDD) Triggers: Mandatory EDD for Politically Exposed Persons (PEPs), high-risk jurisdictions flagged by FATF, complex ownership structures, correspondent banking relationships, and high-value or unusual transactions.
  • Simplified Due Diligence (SDD): Conditions under which reduced CDD may be applied, which in the UAE are narrowly defined and must be documented with a clear rationale.
  • Suspicious Transaction Reporting (STR) and Suspicious Activity Reporting (SAR): Internal escalation procedures, the role of the Money Laundering Reporting Officer (MLRO), and the obligation to file reports via the UAE FIU's goAML portal without tipping off the customer.
  • Record-Keeping Obligations: All CDD documents, transaction records, and STR filings must be retained for a minimum of five years from the end of the business relationship or the date of the transaction.
  • Sanctions Screening: Real-time screening against UAE Local Terrorist List (Cabinet Decision No. 83 of 2023 and updates), UN Security Council Consolidated List, OFAC, and EU sanctions lists.
  • Training Programme: Annual AML/KYC training for all relevant staff, with records of completion maintained.
  • MLRO Appointment: Designation of a qualified, senior MLRO with direct access to senior management and the board, and a defined escalation and reporting line.

Step-by-Step Process for Implementing an AML KYC Policy in the UAE

Implementing a compliant AML KYC policy is a structured process. The following steps apply to both onshore UAE entities and DIFC-licensed firms, with specific regulatory touchpoints identified at each stage.

  • Step 1 — Conduct an Institutional Risk Assessment: Map your business model, customer segments, products, delivery channels, and geographies against the UAE National Risk Assessment and FATF typologies. Document your findings and assign an overall risk rating.
  • Step 2 — Draft the Policy Document: Using your risk assessment as the foundation, draft a policy that includes all mandatory clauses outlined above. Ensure the language is specific to your business operations, not generic. DFSA-authorised firms should cross-reference the AML Module at every relevant clause.
  • Step 3 — Appoint and Empower the MLRO: Register the MLRO with the relevant regulator. For CBUAE-regulated entities, notify the CBUAE. For DFSA firms, the MLRO must be an Approved Individual. Ensure the MLRO has authority, resources, and independence.
  • Step 4 — Build Operational CDD and Screening Workflows: Implement customer onboarding workflows, ongoing monitoring protocols, and automated or manual sanctions screening. Integrate with goAML for STR submissions.
  • Step 5 — Register on goAML: All entities subject to Federal Decree-Law No. 20 of 2018 must register on the UAE FIU's goAML platform and submit required reports electronically.
  • Step 6 — Train Staff: Deliver role-specific AML/CFT training before go-live and annually thereafter. Document attendance and assessment results.
  • Step 7 — Conduct Independent Audit: Arrange an independent audit or review of your AML programme, either through internal audit or an external compliance firm. Address findings before regulatory inspections.
  • Step 8 — Review and Update Annually: AML policy requirements in the UAE evolve. Designate a review cycle tied to regulatory updates, changes in your business model, and findings from your ongoing monitoring programme.

Common Mistakes to Avoid

Regulatory enforcement in the UAE has intensified significantly since 2022. The following are the most frequently cited deficiencies identified during CBUAE, DFSA, and Ministry of Economy inspections:

  • Adopting a generic, jurisdiction-agnostic AML policy template without tailoring it to UAE law and your specific business activities.
  • Failing to identify and verify UBOs beyond the first layer of corporate ownership, particularly in structures involving offshore holding companies.
  • Conducting sanctions screening only at onboarding rather than on a continuous or periodic basis, leaving exposure to post-onboarding designations.
  • Not registering on the goAML platform or submitting STRs late, both of which carry administrative penalties under the Federal Decree-Law.
  • Appointing an MLRO who lacks the requisite seniority, independence, or regulatory approval, particularly in DFSA-regulated firms where the Approved Individual regime applies.
  • Treating UAE KYC compliance obligations as a one-time onboarding exercise rather than an ongoing relationship management obligation with defined periodic review triggers.
  • Failing to document the rationale for CDD risk ratings, PEP determinations, or EDD waivers, leaving the firm unable to demonstrate compliance during an inspection.

Frequently Asked Questions

Who is required to have an AML KYC policy in the UAE?

All entities licensed by the CBUAE, DFSA, SCA, or falling within the DNFBP or VASP categories as defined under Federal Decree-Law No. 20 of 2018 are required to maintain a documented AML KYC policy. This includes banks, exchange houses, insurance companies, real estate brokers, lawyers, accountants, corporate service providers, gold and precious metals dealers, and virtual asset service providers. Failure to maintain a compliant policy exposes the entity and its senior officers to administrative fines, licence suspension, or criminal liability.

What is the difference between AML compliance under the CBUAE and the DFSA?

Both frameworks are grounded in FATF Recommendations and Federal Decree-Law No. 20 of 2018, but the DFSA applies its own AML Module within the DFSA Rulebook, which sets out additional prescriptive requirements for DIFC-authorised firms. DFSA firms must appoint an MLRO as an Approved Individual subject to DFSA approval, comply with DFSA-specific risk assessment and record-keeping formats, and engage with DFSA supervisory reviews. Onshore CBUAE-regulated entities follow CBUAE circulars and guidelines. Entities operating in both environments must maintain dual-track compliance.

What are the penalties for non-compliance with UAE AML policy requirements?

Under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019, administrative penalties range from AED 50,000 to AED 5 million per violation. The Ministry of Economy publishes enforcement actions against DNFBPs on its website. The CBUAE and DFSA have separate penalty frameworks and can impose licence conditions, financial penalties, and public censures. Criminal liability under the Federal Decree-Law can result in imprisonment for individuals involved in the facilitation or concealment of money laundering proceeds. AML enforcement in the UAE has materially escalated since 2022 and shows no signs of softening.

How often should an AML KYC policy be reviewed and updated?

Regulators in the UAE expect at a minimum an annual review of the AML KYC policy, with additional reviews triggered by material changes to the business model, new product launches, regulatory updates, or findings from internal or external audits. The DFSA AML Module and CBUAE guidelines both emphasise that the policy must reflect the current risk environment. Given the pace of regulatory change in the UAE — including updates to the Local Terrorist List, FATF mutual evaluation follow-up requirements, and VASP-specific guidance — a static policy is a compliance liability.

Does a DIFC entity need to register on the UAE FIU's goAML platform?

Yes. All entities subject to Federal Decree-Law No. 20 of 2018, including DIFC-licensed entities, are required to register on the goAML platform and submit Suspicious Transaction Reports (STRs) and other mandatory reports through it. The DIFC's legal status as a financial free zone does not exempt its entities from UAE federal AML legislation. DFSA-authorised firms must also comply with DFSA notification and reporting obligations in parallel, meaning STR obligations may need to be fulfilled under both the DFSA framework and the goAML system simultaneously.

Disclaimer: BizLegal-AI produces regulatory intelligence and working drafts. It is not legal, financial, or tax advice. Consult qualified counsel for specific situations.