AML/CFT Compliance in the UAE: CBUAE, Federal Decree-Law No. 20 of 2018, and the 2026 Regulatory Landscape
The UAE's AML/CFT regime has undergone significant changes in recent years, with a focus on strengthening regulations and increasing enforcement. The Central Bank of the UAE (CBUAE) has imposed record fines on exchange houses, hawala operators, and designated non-financial businesses and professions (DNFBPs) for AML/CTF control failures. The regime's evolution, including the removal from the FATF grey list in February 2024, underscores the importance of documented compliance frameworks for institutions operating in the UAE.
Key Facts at a Glance
- Primary regulator: CBUAE (Central Bank of the UAE)
- Primary AML law: Federal Decree-Law No. 20 of 2018 as amended by Federal Decree-Law No. 26 of 2021
- Implementing regulation: Cabinet Decision No. 10 of 2019
- FIU: UAE FIU using goAML platform
- FATF status: Removed from grey list on 23 February 2024
- Executive Office: Executive Office for AML/CTF coordinates cross-government action
- Recent enforcement: Record AED 200 million fine on a major exchange in 2025
The Regulatory Landscape
The UAE's AML/CFT framework is governed by Federal Decree-Law No. 20 of 2018, which was amended by Federal Decree-Law No. 26 of 2021. The law is implemented through Cabinet Decision No. 10 of 2019. The CBUAE, along with other regulators such as the Dubai Financial Services Authority (DFSA) and the Financial Services Regulatory Authority (FSRA), oversees the compliance of banks, exchange houses, payment-system operators and DNFBPs.
The regime has been reinforced by the creation of the Executive Office for AML/CTF, a cross-government body that coordinates investigations, policy-making and international cooperation. The FATF’s removal of the UAE from its grey list on 23 February 2024 confirmed that the reforms - including tighter customer-due-diligence (CDD) rules, mandatory suspicious-activity reporting and expanded sanctions screening - meet global standards.
CBUAE's AML/CFT Guidance
The CBUAE has issued a series of guidance notes that translate the statutory obligations into operational steps. The most frequently cited are:
- Risk-Based Approach (RBA) Guideline - provides a structured methodology for assessing money-laundering and terrorist-financing risks across customers, products, services and geographies.
- Circular No. 13 of 2020 - specific to exchange houses, payment-service providers and other “high-risk” entities; it details CDD, ongoing monitoring and SAR filing expectations.
- Guidance on Beneficial-Ownership Verification - clarifies the documentation required to identify natural persons who ultimately own or control a legal entity.
All guidance is published on the CBUAE rule-book portal and is binding under Article 5 of Federal Decree-Law No. 20 of 2018.
Customer Due Diligence and KYC
Under Article 4 of the Federal Decree-Law No. 20 of 2018, obliged entities must obtain and verify the full name, date of birth, nationality, residential address and identification document number of every natural-person client before establishing a business relationship. For legal entities, the regulator requires:
- Certified copy of the commercial registration (CR) issued by the Department of Economic Development.
- Articles of association and any amendment documents.
- Beneficial-ownership information for any shareholder holding 25 % or more of the equity, or a “person of significant control” where the 25 % threshold is not met.
The CBUAE expects institutions to retain the original documents for a minimum of five years after the termination of the relationship (Article 7). Enhanced due diligence (EDD) is mandatory for Politically Exposed Persons (PEPs), high-risk jurisdictions and complex corporate structures; the EDD period extends for at least 12 months after a PEP ceases to hold a public function (Circular 13/2020, paragraph 4.2).
Sanctions Screening
The UAE implements United Nations Security Council resolutions, European Union sanctions, and United States OFAC measures through a unified screening regime. CBUAE Circular 13/2020 requires real-time name-screening at onboarding and continuous transaction monitoring against the consolidated UN, EU and OFAC lists. Institutions must retain screening logs for five years (Article 9) and must be able to demonstrate the matching algorithm, false-positive thresholds and periodic data-quality reviews.
SAR/STR Reporting
Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) must be filed electronically via the UAE FIU’s goAML platform. Article 13 of the Federal Decree-Law No. 20 of 2018 obliges reporting “without undue delay” - interpreted by the FIU as the same-day or next-working-day standard. Failure to file within this window can trigger administrative fines of up to AED 5 million per breach (Cabinet Decision No. 10/2019, Annex B).
The UAE FIU has emphasized that “without undue delay” is a real-time requirement. Institutions that rely on weekly compliance committee reviews risk systematic non-compliance and the associated penalties.
Risk-Based Approach
The RBA Guideline (CBUAE, 2022) requires a documented, institution-wide risk assessment that is refreshed at least annually and whenever a material change occurs (e.g., new product launch, entry into a new market). The assessment must cover:
- Customer risk - based on geography, sector, PEP status and transaction behaviour.
- Product and service risk - e.g., correspondent banking, trade-finance, crypto-asset services.
- Geographic risk - especially jurisdictions identified by the FATF as high-risk or non-cooperative.
- Delivery channel risk - online onboarding, mobile payments, etc.
The outcome of the risk assessment drives the intensity of CDD, monitoring frequency, and the level of senior-management oversight required (Article 5, Federal Decree-Law No. 20 of 2018).
Crypto-Assets
While the UAE has not yet issued a stand-alone crypto-asset law, the CBUAE treats virtual-currency service providers (VCSPs) as “financial institutions” under Article 2 of the Federal Decree-Law No. 20 of 2018. The regulator therefore expects VCSPs to apply the same AML/CFT controls as traditional banks, including:
- Customer identification and verification on onboarding.
- Ongoing transaction monitoring with blockchain analytics for wallet-address risk assessment.
- Enhanced due diligence for unhosted wallets and high-value transfers.
- Reporting of suspicious crypto-transactions via goAML.
The DFSA (for DIFC) and the FSRA (for ADGM) have issued parallel guidance that aligns with the federal framework but adds jurisdiction-specific licensing requirements for crypto-asset exchanges and custodians.
Recent Enforcement
Enforcement activity has accelerated since the FATF grey-list removal. Notable cases include:
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| 2025 | Major Exchange | AED 200 m | Systemic AML/CTF control failures (Circular 13/2020 breaches) |
| 2024 | Exchange House | AED 10 m | Failure to file SARs within the same-day standard |
| 2023 | Hawala Operator | AED 5 m | Inadequate customer verification and record-keeping |
In addition to monetary penalties, the CBUAE has issued “name-and-warn” notices, suspended licences, and pursued personal liability against senior AML officers under Article 15 of the Federal Decree-Law No. 20 of 2018, which allows for imprisonment of up to three years for willful non-compliance.
Practical Compliance Checklist for UAE Institutions
Minimum Documentation Set Under CBUAE Guidance
- Institution-wide risk assessment (RBA Guideline) refreshed annually and on material change.
- Internal AML/CFT manual covering CDD, ongoing monitoring, sanctions screening, training and reporting.
- Written CDD procedures aligned with Federal Decree-Law No. 20 of 2018 and Circular 13/2020.
- Sanctions-screening policy referencing UN, EU, OFAC and any UAE-specific lists.
- SAR/STR filing procedures referencing goAML, same-day/next-working-day standard, and record-keeping requirements.
- PEP identification and EDD workflow, including 12-month post-PEP monitoring.
- Designation of an AML Officer and deputy, with notification to CBUAE (Article 7).
- Staff training programme (minimum 8 hours per year) with attendance logs.
- For VCSPs - documented wallet-risk assessment, blockchain-analytics evidence and unhosted-wallet controls.
- Outsourcing register and oversight framework consistent with Article 6(7) of the Federal Decree-Law.
Common Pitfalls
Three patterns dominate recent enforcement files. The first is SAR latency: institutions that have built escalation processes around weekly compliance committees rather than daily filing capacity find themselves systemically late.
The second is fragmented governance: where AML investigations sit across multiple business lines, multiple geographies, or multiple legal entities, the CBUAE treats the resulting coordination failures as substantive breaches in their own right.
The third is over-reliance on commercial screening tools without documented rationale. The CBUAE accepts the use of third-party PEP and sanctions databases but expects the obliged entity to be able to evidence the matching algorithms applied, the false-positive thresholds set, the data-quality controls in place, and the periodic validation of the vendor.
The CBUAE is expected to continue its enforcement drive through 2026 and beyond, with a particular focus on fintech, crypto-asset service providers and high-risk DNFBPs. Institutions should treat the next 12-month window as a “build-now” period: adopt the RBA Guideline, upgrade goAML integration, and ensure senior-management sign-off on all AML policies before the next supervisory round.
How RegMantle Helps
RegMantle generates jurisdiction-specific AML/CFT documentation for UAE institutions, citing Federal Decree-Law No. 20 of 2018, its 2021 amendment, Cabinet Decision No. 10 of 2019 and the CBUAE’s risk-based guidance directly in the text. Generated outputs include:
- Institution-wide risk-assessment report aligned with the RBA Guideline.
- Full AML/CFT policy manual (CBUAE-ready) with embedded references to Articles 4-13 of the Federal Decree-Law.
- KYC/CDD procedures that capture the exact data fields required by Circular 13/2020.
- Sanctions-screening policy referencing UN, EU and OFAC lists, with documented matching logic.
- SAR/STR filing SOPs keyed to goAML fields, same-day filing expectations and record-keeping periods.
- PEP and EDD workflow templates, including 12-month post-PEP monitoring.
- Crypto-asset AML add-on covering wallet-risk assessment and blockchain-analytics evidence.
All documents are exportable as branded DOCX files, ready for board approval and CBUAE inspection. RegMantle also provides a live screening feed (UN, EU, OFAC, UK) and an automated audit-trail that logs every change for regulator-ready evidence.
Generate your UAE AML documentation in minutes
Stop paying for templated consultancy outputs. RegMantle produces audit-ready, CBUAE-compliant documentation in under ten minutes.