CBUAE AML/CFT Compliance Requirements 2026: What Every UAE Business Needs to Know
A comprehensive guide to anti-money laundering and combating the financing of terrorism obligations under UAE Central Bank regulations — with exact circular citations and practical compliance steps.
The UAE AML/CFT Legal Framework
The United Arab Emirates has built one of the most comprehensive anti-money laundering and counter-terrorism financing (AML/CFT) frameworks in the Middle East. At the federal level, the framework is anchored by Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations, along with its implementing regulation, Cabinet Decision No. (10) of 2019.
In 2025, the UAE enacted a significant update: Federal Decree-Law No. (10) of 2025 — Anti-Money Laundering and Combating Financing of Terrorism, which modernises the legal framework and strengthens enforcement mechanisms across all regulated sectors.
The Central Bank of the UAE (CBUAE) serves as the primary supervisor for Licensed Financial Institutions (LFIs) — banks, finance companies, exchange houses, payment service providers, registered hawala providers, and insurance companies. All LFIs must comply with both federal law and CBUAE-specific regulations, circulars, and guidance.
The UAE's AML/CFT framework is aligned with the Financial Action Task Force (FATF) 40 Recommendations and the country is an active member of MENAFATF, the regional FATF-style body. This alignment means UAE compliance requirements closely mirror international best practices while addressing region-specific risks.
Key CBUAE Circulars and Regulations
Compliance professionals working in the UAE must be familiar with several critical CBUAE instruments. Here are the most important ones for AML/CFT compliance:
Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations
The foundational CBUAE regulation that sets out detailed AML/CFT procedures for all Licensed Financial Institutions. Covers customer identification, record-keeping requirements, internal controls, and reporting obligations.
CBUAE AML/CFT Guidance for Licensed Financial Institutions
Comprehensive guidance document expanding on the practical implementation of AML/CFT obligations. Covers risk-based approach methodology, customer due diligence procedures, suspicious transaction identification, and compliance programme requirements.
CBUAE Guidance for LFIs on AML/CFT — Virtual Assets
Targeted guidance on customer due diligence (CDD) and enhanced due diligence (EDD) for LFIs dealing with Virtual Asset Service Providers (VASPs). Addresses de-risking, governance, and record-keeping for virtual asset transactions.
Anti-Money Laundering and Combating Financing of Terrorism
The latest federal law updating and strengthening the UAE's AML/CFT regime. Introduces enhanced penalties, expanded scope of regulated entities, and updated compliance requirements aligned with FATF standards.
Corporate Governance Standards for Banks
While primarily a governance standard, this circular has direct AML implications — it requires banks to establish compliance functions, appoint compliance officers, and ensure board-level oversight of AML/CFT programmes.
Core Compliance Obligations for Financial Institutions
Under the CBUAE framework, every Licensed Financial Institution must establish and maintain a comprehensive AML/CFT compliance programme. The key obligations include:
1. Risk-Based Approach (RBA)
The CBUAE requires all LFIs to adopt a risk-based approach to AML/CFT compliance. This means institutions must identify, assess, and understand the money laundering and terrorism financing risks they face based on their customers, products, services, geographic exposure, and delivery channels. The CBUAE AML/CFT Guidance (June 2021) emphasises that a risk-based approach is not a justification for ignoring certain risks — even low-risk categories require reasonable mitigation measures.
2. Internal Controls and Governance
Financial institutions must appoint a designated Compliance Officer at a senior level, establish an independent compliance function, and implement written AML/CFT policies and procedures. The board of directors bears ultimate responsibility for the institution's AML/CFT compliance and must approve the compliance programme. Corporate Governance Standards (Circular No. 83/2019) reinforces these requirements at the board level.
3. Record-Keeping
All customer identification documents, transaction records, and account files must be maintained for a minimum of five years after the business relationship ends or the transaction is completed. Records relating to suspicious transaction reports must be retained for five years from the date of reporting. Records must be sufficient to permit reconstruction of individual transactions so as to provide evidence for prosecution, if necessary.
4. Staff Training
LFIs must implement ongoing AML/CFT training programmes for all relevant staff. Training must cover the legal framework, institution-specific policies, red flags for suspicious transactions, and staff responsibilities under the law. Training programmes must be regularly updated and documented.
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)
Customer due diligence is the cornerstone of UAE AML/CFT compliance. The CBUAE Procedures (Decision 59/4/2019) and the 2021 Guidance set out detailed CDD requirements:
Standard CDD Requirements
- Customer identification and verification — verify the identity of customers using reliable, independent source documents before or during the establishment of a business relationship
- Beneficial ownership identification — identify the ultimate beneficial owner (UBO) and take reasonable measures to verify their identity, in line with the UAE Cabinet UBO Resolution
- Purpose and nature of business relationship — understand and obtain information on the purpose and intended nature of the business relationship
- Ongoing monitoring — conduct ongoing due diligence on the business relationship, including scrutiny of transactions to ensure they are consistent with the institution's knowledge of the customer and their risk profile
Enhanced Due Diligence (EDD)
EDD is required for higher-risk customers and situations, including:
- Politically Exposed Persons (PEPs) — the CBUAE has issued specific guidance on PEP-related risks, requiring senior management approval for establishing business relationships, enhanced ongoing monitoring, and source of wealth/funds verification
- Correspondent banking relationships — requiring detailed assessment of the respondent institution's AML/CFT controls
- Non-face-to-face customers — additional verification steps for customers onboarded without physical presence
- Virtual Asset Service Providers (VASPs) — the May 2023 CBUAE Guidance introduces specific EDD requirements for financial institutions dealing with VASPs, including assessing the VASP's licensing status, AML/CFT controls, and transaction monitoring capabilities
Suspicious Transaction Reporting
One of the most critical obligations under UAE AML/CFT law is the requirement to report suspicious transactions. Under Articles 15, 24, and 25 of the AML-CFT Law, financial institutions must:
- Report any transaction or attempted transaction suspected to involve proceeds of crime, money laundering, or terrorism financing to the UAE Financial Intelligence Unit (FIU)
- File Suspicious Transaction Reports (STRs) promptly — there is no minimum threshold for reporting
- Not "tip off" the customer or any third party that a report has been or will be made
- Maintain confidentiality of STR filings — disclosure of filing information is a criminal offence
The FIU, known as the goAML system, is the centralised platform for filing STRs in the UAE. All regulated entities must register with goAML and ensure their compliance teams are trained on filing procedures.
Common red flags that should trigger enhanced scrutiny include unusual transaction patterns, transactions inconsistent with the customer's profile, use of shell companies or complex corporate structures without clear business rationale, and rapid movement of funds through multiple accounts.
Penalties for Non-Compliance
The UAE takes AML/CFT violations seriously. Under the legal framework, penalties include:
Administrative Penalties
- Financial penalties imposed by the CBUAE for regulatory breaches — fines can reach millions of dirhams depending on severity and repetition
- Suspension or revocation of licences for institutions that fail to maintain adequate AML/CFT controls
- Restrictions on specific business activities or customer categories
- Public naming of sanctioned institutions in severe cases
Criminal Penalties
- Imprisonment of up to 10 years for money laundering offences
- Fines of up to AED 5 million for individuals involved in laundering proceeds of crime
- Personal criminal liability for compliance officers who wilfully fail to report suspicious transactions
- Confiscation of all proceeds and instruments of crime
Federal Decree-Law No. (10) of 2025 has further strengthened enforcement powers, expanding the scope of sanctions and increasing the severity of penalties for repeated or egregious violations.
2025-2026 Regulatory Updates
The regulatory landscape continues to evolve. Key recent developments include:
Federal Decree-Law No. (10) of 2025
This is the most significant legislative update to the UAE's AML/CFT framework since the original 2018 law. Key changes include modernised definitions, expanded coverage of virtual assets and digital financial services, strengthened beneficial ownership requirements, and enhanced cooperation mechanisms between UAE authorities and international bodies.
Federal Decree-Law No. (6) of 2025
Alongside the AML update, the UAE enacted Federal Decree-Law No. (6) of 2025 — Regarding the Central Bank, Regulation of Financial Institutions and Insurance, which updates the CBUAE's own regulatory powers and scope of authority over financial institutions and insurance companies.
Virtual Assets Focus
Since the May 2023 guidance on virtual assets, the CBUAE continues to tighten requirements for LFIs interacting with the crypto and virtual asset ecosystem. Financial institutions must implement specific CDD and EDD processes for VASP customers and ensure transaction monitoring systems can detect virtual asset-related red flags.
FATF Alignment
The UAE has been actively working to demonstrate compliance with FATF standards following its greylisting. Recent regulatory updates reflect this focus, with enhanced requirements for beneficial ownership transparency, cross-border wire transfer monitoring, and targeted financial sanctions implementation.
Practical Compliance Steps for 2026
Based on the current regulatory framework and recent updates, here are the key actions UAE businesses should take:
- Review your AML/CFT programme against Federal Decree-Law No. (10) of 2025 — ensure all policies and procedures reflect the updated legal requirements
- Update your risk assessment — conduct a fresh enterprise-wide ML/FT risk assessment incorporating new risk factors such as virtual assets and evolving sanctions regimes
- Strengthen beneficial ownership processes — ensure your UBO identification and verification procedures meet the enhanced requirements
- Enhance transaction monitoring — review and update your transaction monitoring rules and thresholds, particularly for virtual asset-related transactions
- Train your staff — update training materials to cover the 2025 law changes, new typologies, and any CBUAE-specific guidance updates
- Verify goAML registration — ensure your institution is properly registered with the FIU and that designated staff are trained on the reporting platform
- Document everything — maintain comprehensive records of your compliance activities, risk assessments, and training programmes as evidence of regulatory compliance
Sources and References
- CBUAE Procedures for Anti-Money Laundering and Combating the Financing of Terrorism (Decision 59/4/2019) — CBUAE Rulebook
- CBUAE AML/CFT Guidance for Licensed Financial Institutions (June 2021) — centralbank.ae
- CBUAE Guidance for LFIs on AML/CFT — Virtual Assets (May 2023) — centralbank.ae
- Federal Decree-Law No. (10) of 2025 — Anti-Money Laundering and Combating Financing of Terrorism — CBUAE Rulebook
- CBUAE Corporate Governance Standards for Banks (Circular No. 83/2019) — centralbank.ae
Have a specific regulatory question?
Ask RegIQ for free — get instant answers with exact circular citations. No signup required.
Ask RegIQ Now