UAE AML Compliance Checklist 2026: CBUAE Requirements, Penalties & Deadlines
If you are searching for a UAE AML compliance checklist, this is the working version for 2026: what the CBUAE AML framework expects, what counts as a reportable suspicion, what the CBUAE suspicious transaction reporting deadline really is, and what the latest UAE AML penalty framework looks like in numbers.
This guide is aimed at banks, exchange houses, finance companies, payment and virtual-asset firms, and in-house compliance teams working around UAE financial crime controls. If you want the broader framework explainer as well, see our CBUAE AML/CFT compliance guide.
What the CBUAE AML framework requires
The operational starting point for UAE anti-money laundering requirements in 2026 is no longer just the older 2018-2019 stack. Teams now need to read the framework in layers: the CBUAE's own procedures and guidance, plus the newer federal law and executive regulations that took effect in late 2025.
For licensed financial institutions, three documents matter most day to day. First, Decision 59/4/2019 sets the CBUAE procedures for AML/CFT controls. Second, the June 2021 AML/CFT Guidance for Licensed Financial Institutions explains how the CBUAE expects firms to translate legal obligations into working controls: risk assessment, CDD, EDD, transaction monitoring, reporting, governance, and training. Third, the newer Federal Decree-Law No. (10) of 2025 and Cabinet Resolution No. (134) of 2025 reset the federal perimeter and penalty structure that firms must now map into their programmes.
In practical terms, the framework expects firms to do five things well and continuously: understand their ML/FT risk, implement risk-based CDD and EDD, monitor customer and transaction activity, file suspicious reports without delay, and prove senior-management oversight through documented policies, controls, staffing, and training. That is the real compliance baseline for AML compliance UAE banks and other CBUAE-supervised firms in 2026.
Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations
Core CBUAE procedures document on risk assessment, controls, CDD, reporting, and governance for licensed financial institutions.
CBUAE AML/CFT Guidance for Licensed Financial Institutions
Detailed guidance on suspicious transaction reporting, no-threshold reporting, CDD triggers, escalation, monitoring, and penalties tied to non-reporting and tipping off.
Federal Decree-Law No. (10) of 2025 Regarding Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing
Current federal AML law on the CBUAE Rulebook, including administrative penalties, criminal penalties, FIU powers, and the expanded perimeter covering DNFBPs and VASPs.
Cabinet Resolution No. (134) of 2025 Regarding the Executive Regulations of Federal Decree-Law No. (10) of 2025
Executive regulations effective 14 December 2025. This is the operative replacement for Cabinet Decision No. (10) of 2019.
Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting
Rulebook guidance focused specifically on STR process design, internal escalation, monitoring, and FIU filing expectations.
Key AML obligations by entity type
The fastest way to miss something important is to talk about “UAE AML” as if every firm sits in the same perimeter. The control architecture is similar across sectors, but the source documents and supervisory focus differ by entity type.
1. Banks and exchange houses
For banks and exchange houses, the 2021 guidance is explicit: they must maintain a documented business-wide risk assessment, implement board-approved AML policies and procedures, monitor all customers under a risk-based model, and escalate suspicious activity fast enough to show continuous action from the first alert. Correspondent-banking controls also matter here, including shell-bank prohibitions, due diligence on respondent institutions, and senior-management approval before establishing new correspondent relationships.
2. Finance companies
The Finance Companies Regulation pulls AML obligations directly into the governance stack. Finance companies must maintain an independent compliance function, a board-appointed compliance officer with direct reporting to the board, a written compliance policy, regular AML/CFT training, and timely suspicious-transaction reporting to the FIU. For restricted-licence finance companies and agents, the regulation also says they must comply with the AML law and take preventive measures to deter abuse of the sector as a conduit for illicit funds.
3. Payment and virtual-asset fintechs
For CBUAE-licensed fintechs, the key bridge is the rulebook. The Payment Token Services Regulation treats licensees and registrees as AML obligors. That means risk-based CDD, transaction monitoring, suspicious-transaction reporting, screening, shell-bank prohibitions, customer risk ratings, and compliance-management arrangements that include both a compliance officer and an MLRO. The regulation is also unusually direct about why the sector is high risk: speed, anonymity, and cross-border use increase money-laundering exposure.
In practice, if your “fintech” touches payment tokens, wallets, stored value, payment initiation, or embedded finance, your AML design needs to be product-specific. The CBUAE expects controls that fit funding methods, transfer features, cross-border use, multi-wallet patterns, and higher-risk merchant activity, not a generic policy copied from a bank template.
4. DNFBPs
DNFBPs do not sit in the same CBUAE licensed-financial- institution perimeter as banks or exchange houses, but the 2025 federal AML law expressly defines and captures them in the wider preventive framework. For compliance teams inside banks that onboard DNFBPs, the practical point is simple: you still need to evidence beneficial ownership, activity rationale, source of funds where appropriate, and escalation routes for suspicious behavior. In other words, the bank's AML standard does not relax just because the customer is outside the banking sector.
CBUAE Payment Token Services Regulation
Fintech-facing rulebook source requiring AML obligors to apply risk-based AML/CFT controls, customer due diligence, screening, reporting, and MLRO/compliance-officer oversight.
CBUAE Finance Companies Regulation
Finance-company regulation requiring an independent compliance function, board-appointed compliance officer, AML training, and timely suspicious-transaction reporting to the FIU.
CBUAE public enforcement press releases
Official press releases showing real 2025 sanctions on exchange houses and bank branches for AML/CFT shortcomings.
STR requirements: triggers, deadline, and filing path
If a compliance officer is searching for CBUAE suspicious transaction reporting deadline, the most accurate answer is this: the rule is immediately and without delayonce the suspicious nature of the transaction becomes clear. The guidance does not frame STR filing as a relaxed 24-hour-or-48-hour operational SLA. It frames it as continuous, prompt action from first alert through FIU submission.
The June 2021 guidance says firms must report to the FIU the transaction immediately once suspicion becomes clear, and that they must be able to show immediate and continuous action from the moment the alert arose. The rulebook's STR pages repeat the same standard: report promptly, file with the UAE FIU, and do not wait for a minimum amount because there is none.
What triggers an STR?
The guidance gives practical examples rather than a closed list. Common triggers include transactions that are unnecessarily complex, inconsistent with a customer's expected activity, exceptionally large relative to declared turnover, involving unexplained cash deposits or withdrawals, routed through high- risk countries without clear economic logic, or impossible to reconcile with the CDD file. A failed or attempted transaction can be reportable too.
To whom does the report go?
Under federal law and regulation, the designated competent authority for suspicious-transaction reporting is the Financial Intelligence Unit. Operationally, firms file through the goAML system. The CBUAE guidance notes that the user must select at least one reporting reason inside goAML to avoid rejection of the report.
What does “deadline” mean in practice?
A good operating interpretation is: investigate alerts expeditiously, decide quickly, file once suspicion is formed, and document the timestamps. If an alert sits unworked for days, the firm will struggle to defend that it acted “without delay.” The control question is not whether the team filed within an arbitrary internal SLA. It is whether the audit trail shows immediate escalation, review, and filing once the facts crossed the suspicion threshold.
- No minimum threshold: all suspicious transactions, including attempted ones, are reportable.
- Trigger standard: suspicions or reasonable grounds to suspect proceeds of crime or intended criminal use of funds.
- Filing channel: FIU via goAML.
- Confidentiality rule: do not tip off the customer or another person that a report was made or that an investigation is underway.
CBUAE AML penalties and public enforcement amounts
This is the section most readers actually need. There are two different penalty buckets to understand in 2026: the legal penalty framework in the federal AML law, and the real supervisory sanctions the CBUAE is publicly imposing on firms in the market.
| Breach Type | Source | Exposure |
|---|---|---|
| Administrative penalties for AML rule breaches | Federal Decree-Law No. 10 of 2025, Article 17 | AED 10,000 to AED 5,000,000 per violation, plus warnings, restrictions, suspension, or license revocation. |
| Failure to immediately report a suspicious transaction | CBUAE AML/CFT Guidance (June 2021), Section 7.5 | AED 100,000 to AED 1,000,000 and/or imprisonment. |
| Tipping off after an STR or investigation | CBUAE AML/CFT Guidance (June 2021), Section 7.8 | AED 100,000 to AED 500,000 and imprisonment for at least 6 months. |
| Money laundering offence | Federal Decree-Law No. 10 of 2025, Article 26 | 1 to 10 years' imprisonment plus AED 100,000 to AED 5,000,000; aggravated cases rise to AED 1,000,000 to AED 10,000,000. |
| Legal-person liability | Federal Decree-Law No. 10 of 2025, Article 27 | AED 5,000,000 to AED 100,000,000 for ML/FT/PF crimes; AED 200,000 to AED 10,000,000 for certain disclosure and preventive-measure offences. |
Two numbers deserve special attention. Under Article 17 of Federal Decree-Law No. 10 of 2025, supervisory authorities may impose AED 10,000 to AED 5,000,000 per violation administratively, on top of business restrictions or license action. Separately, the 2021 guidance is still clear that failure to immediately report suspicion can expose the firm, managers, and employees to AED 100,000 to AED 1,000,000 and/or imprisonment.
Recent public enforcement examples
The market signal is that the CBUAE is not treating AML/CFT as a paper programme. In 2025 alone, it published sanctions across exchange houses and banks with amounts large enough to matter at board level.
| Date | Institution | Amount | Note |
|---|---|---|---|
| 7 July 2025 | Three exchange houses | AED 4.1 million | Sanctions imposed under Article 14 of Federal Decree-Law No. 20 of 2018. |
| 2 July 2025 | Branch of a foreign bank | AED 5.9 million | CBUAE public sanction tied to AML/CFT shortcomings. |
| 10 July 2025 | Bank operating in the UAE | AED 3 million | Public enforcement example under AML law and Article 137 of the CBUAE law. |
| 28 May 2025 | Two foreign bank branches | AED 18.1 million total | AED 10.6 million on one branch and AED 7.5 million on the other. |
| 20 May 2025 | Exchange house | AED 200 million | Large sanction under Article 137 of the central bank law, paired with a prohibition on the owner from future licensed roles. |
The practical lesson is not that every firm will face a nine-figure sanction. It is that the CBUAE has made enforcement visibly real. If your AML programme is weak on monitoring, escalation, governance, or documentation, the downside is no longer theoretical.
2025-2026 AML updates to track
As of April 15, 2026, the most important recent changes are the late-2025 updates that now shape 2026 compliance work.
1. Federal Decree-Law No. (10) of 2025
Effective 14 October 2025, the new federal AML law expands and modernises the framework, updates definitions, clarifies FIU powers, and sets the current administrative and criminal penalty architecture now cited by compliance teams and supervisors.
2. Cabinet Resolution No. (134) of 2025
Effective 14 December 2025, Cabinet Resolution 134/2025 replaced the older Cabinet Decision No. 10/2019. That matters because many internal policies and training decks still cite the old 2019 executive regulation. Those references should be refreshed in 2026 workstreams.
3. November 2025 best-practice publications
The CBUAE rulebook also shows a meaningful wave of AML best- practice material effective 7 November 2025, including role-based AML/CFT/CPF training guidance and a risk- based approach / institutional risk-assessment best-practice document. These do not replace the law, but they do show where supervisory expectations are getting more detailed: annual training plans, role-based content, and clearer action plans when residual risk increases.
For 2026 implementation, that means three near-term cleanup tasks inside most firms: update citation packs from 2019 to 2025 where relevant, review risk-assessment methodology against the new best-practice expectations, and tighten board/senior- management training coverage rather than limiting training to frontline teams only.
Quick UAE AML compliance checklist
- Document a board-approved business-wide AML risk assessment and refresh it whenever products, corridors, channels, or customer mix changes.
- Map your entity to the right perimeter: bank, exchange house, finance company, payment token provider, or other CBUAE-licensed LFI.
- Confirm your MLRO / compliance officer appointment, reporting line, and escalation authority are formally documented.
- Make sure onboarding rules trigger CDD for business relationships, AED 55,000 occasional transactions, AED 3,500 wire transfers, suspicion, and data-quality doubts.
- Apply enhanced due diligence to high-risk customers, high-risk countries, complex ownership structures, cash-intensive activity, and opaque counterparties.
- Screen customers, beneficial owners, counterparties, and wire-transfer parties against sanctions and other watchlists before and during the relationship.
- Monitor all customers and accounts under a risk-based model, not only high-value transactions.
- Treat the STR deadline as immediate / without delay once suspicion becomes clear, and keep evidence showing continuous action from the first alert.
- Register and test goAML / FIU filing access before an actual case arises.
- Train front line, investigations teams, operations, product, IT support, and senior management on role-specific AML/CFT/CPF scenarios.
- Lock down anti-tipping-off controls so customer-facing teams do not reveal filings or ongoing investigations.
- Track 2025-2026 rulebook updates, especially DFL 10/2025, Cabinet Resolution 134/2025, and the November 2025 best-practice documents.
If you only remember one thing from this checklist, make it this: the CBUAE expects a live programme, not a static policy. The 2026 test is whether your institution can show risk-based decisions, immediate STR escalation, documented governance, and current citations to the rulebook now in force.
Sources and References
- Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations — official source
- CBUAE AML/CFT Guidance for Licensed Financial Institutions — official source
- Federal Decree-Law No. (10) of 2025 Regarding Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing — official source
- Cabinet Resolution No. (134) of 2025 Regarding the Executive Regulations of Federal Decree-Law No. (10) of 2025 — official source
- Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting — official source
- CBUAE Payment Token Services Regulation — official source
- CBUAE Finance Companies Regulation — official source
- CBUAE public enforcement press releases — official source
- CBUAE imposes financial sanctions of AED 4.1 million on three exchange houses — CBUAE press release
- CBUAE imposes a financial sanction of AED 5.9 million on a branch of foreign bank operating in the UAE — CBUAE press release
- CBUAE imposes a financial sanction of AED 3 million on a bank — CBUAE press release
- CBUAE imposes financial sanctions of AED 18.1 million on two branches of foreign banks — CBUAE press release PDF
- CBUAE imposes a financial sanction of AED 200 million on an exchange house — CBUAE press release
Have a specific CBUAE AML question?
Have a specific CBUAE AML question? Ask RegIQ free — get the exact circular citation in seconds: https://regiq.nanocorp.app
Ask RegIQ Free