Overview of UAE AML Law

The UAE's Anti-Money Laundering framework is built on two primary legal instruments that every regulated business must understand:

These two instruments work together: the law sets the criminal framework and high-level obligations, while the Cabinet Decision provides the practical rules your business must follow on a daily basis.

⚖️ Current Legal Status Federal Decree-Law No. 20 of 2018 has been amended twice — by Federal Decree-Law No. 26 of 2021 and Federal Decree-Law No. 7 of 2024. Cabinet Decision No. 10 of 2019 was amended by Cabinet Resolution No. 24 of 2022. Your AML programme must reflect all current amendments, not the original 2018 text.

How the Law Has Evolved

Understanding the history of UAE AML law helps explain why compliance requirements have become progressively more demanding — and why the Ministry of Economy conducts increasingly rigorous inspections.

2018
Federal Decree-Law No. 20 of 2018 enacted
The foundational AML/CFT law replacing previous legislation. Introduced DNFBP obligations, STR requirements, and the criminal framework for money laundering and terrorism financing.
2019
Cabinet Decision No. 10 of 2019
The implementing regulation providing detailed operational requirements — CDD procedures, risk assessment methodology, compliance officer qualifications, record-keeping, and supervisory authority powers.
2021
Federal Decree-Law No. 26 of 2021 — First Amendment
Strengthened enforcement provisions, expanded definitions, and introduced additional obligations for DNFBPs in response to FATF mutual evaluation feedback.
2022
Cabinet Resolution No. 24 of 2022
Amended the implementing regulation with updated CDD thresholds, enhanced beneficial ownership requirements, and refined supervisory authority powers.
2023
Cabinet Decision No. 109 of 2023 — Real Beneficiary Procedures
Mandated the establishment of registers of Real Beneficiaries, Partners, Shareholders, and Nominee Directors for all corporate entities in the UAE mainland and non-financial free zones.
2024
Federal Decree-Law No. 7 of 2024 — Second Amendment
The most recent amendment, further strengthening the legislative framework in line with evolving FATF standards and the UAE's 2024–2027 National AML/CFT/CPF Strategy.

The 8 Minimum Statutory Obligations

Article 16 of the AML/CFT Law sets out the minimum statutory obligations of all regulated entities — including all DNFBPs in the UAE. These are non-negotiable regardless of business size, revenue, or number of employees.

01
Identify & Assess Risks
Article 16.1(a) | AML Decision Article 4.1
Conduct and document a Business-Wide Risk Assessment covering customers, geographies, products, services, and delivery channels. Update it regularly.
02
Customer Due Diligence
Article 16.1(b) | AML Decision Articles 4.1(a), 4.2
Verify client identity, understand the business relationship, apply enhanced checks for high-risk clients, and monitor on an ongoing basis.
03
Appoint a Compliance Officer
AML Decision Articles 21, 44.12
Designate a qualified Money Laundering Reporting Officer (MLRO) at management level, approved by the Ministry of Economy, with full independence and authority.
04
Internal Policies & Controls
Article 16.1(d) | AML Decision Article 4.2(a)
Implement written AML policies covering CDD, transaction monitoring, STR reporting, sanctions screening, and record-keeping — approved by senior management.
05
Suspicious Transaction Indicators
Article 15 | AML Decision Article 16
Establish internal red flags and indicators for identifying suspicious transactions or activities across all business lines.
06
Report Suspicious Activity
Articles 9.1, 15, 30 | AML Decision Articles 13.2, 17.1, 20.2
File Suspicious Transaction Reports (STRs) via goAML when there are reasonable grounds to suspect money laundering or terrorism financing. Cooperate fully with competent authorities.
07
Implement UN Sanctions
Article 16.1(e) | AML Decision Article 60
Immediately apply directives from competent authorities relating to UN Security Council resolutions on terrorism financing and proliferation of weapons of mass destruction.
08
Maintain Records (5 Years)
Article 16.1(f) | AML Decision Articles 7.2, 24
Retain all CDD records, transaction files, risk assessments, and STRs for a minimum of 5 years. Provide them to competent authorities promptly upon request.

What the Law Prohibits

In addition to positive obligations, the AML/CFT Law and Cabinet Decision impose a set of absolute prohibitions on all DNFBPs. Breaching any of these is a criminal offence under UAE law.

⚠️ Tipping Off Is a Criminal Offence Even a casual remark to a client that "we had to report something" constitutes tipping off under UAE AML law. The penalty is imprisonment of no less than 6 months plus a fine of AED 100,000 to AED 500,000. This applies to all staff, not just the Compliance Officer.

CDD: Standard, Enhanced and Simplified

The law requires a risk-based approach to Customer Due Diligence. The level of scrutiny applied must match the risk level of the client and transaction.

CDD Level When Applied Key Measures
Standard CDD Default for all new business relationships and transactions Identity verification, beneficial owner identification, understanding business purpose, ongoing monitoring
Enhanced Due Diligence (EDD) High-risk clients — PEPs, high-risk jurisdictions, complex structures, unusual transactions Additional information on client and beneficial owner, source of funds verification, senior management approval, increased monitoring frequency
Simplified Due Diligence (SDD) Low-risk clients only, where no suspicion exists Less frequent data updates, reduced monitoring rate — but SDD cannot be applied where any suspicion of crime exists

For a detailed guide on CDD requirements, see our upcoming post on Customer Due Diligence in UAE. For the full breakdown of what AML compliance means in practice, read: What is AML Compliance in UAE?

Let Fastlane Handle Your AML Compliance Under UAE Law

From MLRO appointment and goAML registration to Business-Wide Risk Assessments and monthly monitoring — Fastlane implements every obligation under Federal Decree-Law No. 20 of 2018 for your business.

View AML Compliance Services WhatsApp Us Now

Confidentiality & Whistleblower Protection

The AML/CFT Law strikes a careful balance between confidentiality obligations and reporting duties:

Reporting Cannot Be Blocked by Secrecy

DNFBPs cannot use banking, professional, or contractual secrecy as grounds to refuse their statutory reporting obligation. Data protection laws in the UAE include specific provisions that permit reporting to authorities — you cannot claim GDPR-style privacy rights to avoid filing an STR.

Internal Sharing Is Permitted

The confidentiality requirement does not prevent sharing of suspicious activity information within the same DNFBP or across affiliated group members — foreign branches, subsidiaries, or the parent company — for the purpose of identifying, preventing, or reporting financial crime.

Protection for Good-Faith Reporters

Under Article 27 of the AML/CFT Law, DNFBPs, their board members, employees, and authorised representatives are fully protected from administrative, civil, or criminal liability when they report suspicious activity to the FIU in good faith — even if they did not know the exact nature of the underlying crime, and even if no illegal activity ultimately occurred.

✅ Key Point Good-faith STR filing gives you legal protection. Not filing when you should have gives you criminal exposure. When in doubt — report.

Senior Management Accountability

One of the most significant aspects of UAE AML law is that accountability sits at the top of the organisation — not just with the Compliance Officer. Senior management and board members are personally responsible for:

⚠️ Personal Liability Penalties under UAE AML law apply to the business entity, its managers, and individual employees. Being the owner or director does not shield you — it increases your exposure. The law explicitly addresses situations where management abuses their position to facilitate financial crime, carrying aggravated penalties of up to AED 10,000,000 plus imprisonment.

Frequently Asked Questions

What is the main AML law in UAE?
The primary AML legislation is Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering, Combating the Financing of Terrorism and Financing of Illegal Organisations, implemented through Cabinet Decision No. 10 of 2019. Both have been amended — most recently in 2024.
What are the minimum obligations under UAE AML law?
The 8 minimum obligations are: identify and assess risks, conduct CDD, appoint a Compliance Officer, implement internal policies and controls, establish suspicious transaction indicators, report suspicious activity via goAML, implement UN sanctions, and maintain records for 5 years.
What is Cabinet Decision No. 10 of 2019?
It is the implementing regulation of Federal Decree-Law No. 20 of 2018, providing detailed operational requirements including CDD procedures, risk assessment methodology, compliance officer qualifications, reporting obligations, and record-keeping requirements.
Has UAE AML law been updated recently?
Yes. The law was amended by Federal Decree-Law No. 26 of 2021 and Federal Decree-Law No. 7 of 2024. The Cabinet Decision was amended by Cabinet Resolution No. 24 of 2022. Your AML programme must reflect all current amendments.
What is the penalty for violating UAE AML law?
Penalties range from AED 10,000 fines to AED 10,000,000 plus imprisonment depending on the violation. The most severe penalty — life imprisonment — applies to using funds for terrorism financing.