Supplemental Guidance for Independent Accountants and Auditors

Last Updated: 06/02/2026

Protect your business with reliable and effective AML strategies with AML UAE.

In April 2026, the Ministry of Economy and Tourism (MoET) released its Supplemental Guidance for Independent Accountants and Auditors (IAA), sitting alongside the broader MoET Guidelines for Designated Non-Financial Businesses and Professions (DNFBPs). This MoET IAA Guideline is not a standalone document; it is a sector-specific layer that builds on the foundational DNFBP guidelines and speaks directly to the unique risk environment in which accounting and audit professionals operate.

If you are an independent accountant, auditor, sole practitioner, or a partner or employee of a firm providing audit, accounting, assurance, or related professional services that fall within the IAA sector in the UAE, this guidance is relevant to you. It sets out what MoET expects, what the law requires, and where the real risks lie in your day-to-day work.

This article is written for practitioners who want to understand their obligations, for compliance officers in IAA firms, and for DNFBPs who engage accountants as service providers, and for anyone who wants to understand why the UAE’s AML regime treats this sector as a critical gatekeeper.

What Is the MoET Supplemental Guidance for IAA, and Why Does It Exist?

The MoET IAA Guideline was developed by the Ministry of Economy and Tourism under its supervisory mandate over DNFBPs, and it references the findings of two key assessments: the 2024 UAE National Risk Assessment (NRA) and the MoET’s own 2024 Sectoral Risk Assessment (SRA) for accountants.

Both assessments reached a consistent conclusion: the IAA sector carries a medium level of inherent ML risk, with a Medium-Low residual risk profile. That may sound reassuring, but the SRA was candid about where the vulnerabilities lie. The sector’s unique position inside a client’s financial governance structure, its access to beneficial ownership information, internal controls, financial records, and cross-border transactions, means that when professional services are misused, the consequences can be significant and hard to detect.

The guidance should be treated as an essential supervisory reference for IAA firms.

Legal Status of This Guidance: The MoET Supplemental Guidance for Independent Accountants and Auditors is a practical tool to assist regulated entities in implementing AML/CFT/CPF measures.

It does not constitute additional legislation or regulation, is not intended to set legal, regulatory, or judicial precedent, and should not be construed as legal advice or legal interpretation.

The guidance does not replace or supersede any legal or regulatory requirements. In the event of any discrepancy between this guidance and the applicable legal or regulatory framework, the latter prevails.

Firms should perform their own assessments and seek professional advice if they are unsure of the application of the legal or regulatory framework to their specific circumstances.

Where the document uses the word “shall” or “must”, the requirement is compulsory under the applicable law and regulations. Where it uses “should”, it signals recommended best practice that can only be departed from with a documented, risk-based justification that provides an equal or greater level of control. Departure from best practice without that documentation is a supervisory risk.

Who Is Covered by the MoET Guidelines for Auditors and Accountants?

The MoET Guidelines for Accountants apply to all regulated entities within the IAA sector, including:

Sole practitioners providing audit, accounting, and related services. Wider services such as tax advisory, corporate restructuring, insolvency, forensic accounting, and corporate structuring may create AML/CFT/CPF exposure depending on the nature of the engagement and whether they fall within the professional activities outlined in Articles 2 and 3 of Cabinet Resolution No. 134 of 2025.
Partners and employees of firms engaged primarily in audit and accounting-related services.
Entities operating in both the mainland UAE and the Commercial Free Zones.

The guidance is explicit that it covers professionals acting independently, whether as sole practitioners or as part of larger organisations. Internal auditors employed within a corporate entity are not covered; this guidance is for independent practitioners only.

Key Legal Anchors

Federal Decree-Law No. 10 of 2025 on Combating Money Laundering, Terrorism Financing, and Proliferation Financing

Cabinet Resolution No. 134 of 2025: Executive Regulations of Federal Decree-Law No. 10 of 2025

Federal Law No. 12 of 2014 on the Regulation of the Auditing Profession

MoET Supplemental Guidance for Independent Accountants and Auditors, April 2026

EOCN Guidelines on Targeted Financial Sanctions and Counter-Proliferation Financing

FATF Guidance for a Risk-Based Approach for the Accounting Profession (2019)

Understanding the Sector Risk Context: Why Accountants Are Gatekeepers

The language of gatekeeping appears throughout both the MoET Guideline for Accountants and the broader FATF guidance on the accounting profession. It is not merely a professional label; it reflects a responsibility to recognise when professional services may be used to create an appearance of legitimacy.

Accountants and auditors sit at the intersection of a client’s financial reporting, governance, ownership, and transactional activity. That position gives them visibility that most other service providers simply do not have.

When that visibility is used well, it is a powerful tool for detecting and deterring financial crime. When it is ignored, overlooked under commercial pressure, or deliberately avoided, it becomes a channel through which illicit wealth can be legitimised.

The Two Perspectives the IAA Sector Must Hold Simultaneously

The MoET IAA Guideline makes an important structural observation about how IAA entities need to approach risk identification. There are two distinct perspectives that must be maintained at the same time:

The entity’s own business risk, including the services it provides, the clients it works with, the geographies it is exposed to, and how it is compensated for its services.
The customer’s risk, including situations where the professional services provided to that customer may be misused by them to facilitate money laundering, terrorism financing, or proliferation financing.

This dual-lens approach is more demanding than what many smaller IAA firms currently apply. Most have some form of client onboarding process. Far fewer have systematically mapped the ML/TF/PF risk profile of each type of service they provide and calibrated their controls accordingly.

Where an IAA entity reviews, assesses, or tests a customer’s internal controls, risk management framework, or AML/CFT/CPF programme as part of an engagement, the guidance expects the IAA to evaluate the adequacy and effectiveness of the customer’s risk identification and assessment framework. This means looking at whether the customer has documented risk methodology, appropriate risk differentiation, involvement of internal stakeholders, and a process for periodic review. A customer whose own AML/CFT/CPF framework is inadequate or ineffective is itself a risk indicator that the IAA entity must factor into its customer risk profile.

Sector-Specific Vulnerabilities Identified by MoET's SRA

The SRA identified two primary vulnerability drivers that are particularly relevant to the IAA sector:

Complex Ownership Structures

The IAA sector serves a predominantly corporate client base. Corporate clients often operate through offshore entities, nominees, holding companies, and trusts. These structures can obscure the ultimate beneficial owner, and the IAA firm is frequently the professional with the most direct view of those structures. When a foreign jurisdiction with weak AML controls or limited public registries is involved, verification becomes harder, and the risk of inadvertent complicity in concealment becomes real.

Exposure to High-Risk Jurisdictions and Professional Services Misuse

The guidance notes that IAA firms may inadvertently authenticate financial statements used to disguise illicit funds, support entity incorporation, or assist with documentation used for international ML networks, sanctions evasion, or tax evasion. The word “inadvertently” is significant. The guidance focuses on the risk of professional services being misused, including unknowingly, rather than suggesting sector-wide intentional misconduct. Misuse can happen through the ordinary provision of professional services when risk awareness and controls are insufficient.

“What MoET is saying in this guidance is something we see confirmed in client engagements regularly. The risk for IAA firms is not primarily that they will be caught in an obvious fraud. The risk is that a client with a complex ownership structure, a plausible business story, and a well-presented set of financials will slowly draw the firm into legitimising something that should have triggered a closer look three engagements ago. By the time the pattern becomes visible, the audit trail showing how the firm responded to each early warning sign becomes the story. Risk-based controls are not just a regulatory obligation; they are the firm’s own protection.”

Pathik Shah - CAMS, FCA, CISA | Founder and Principal Consultant, NIYEAHMA Consultants LLP

The Full Scope of AML/CFT/CPF Obligations for IAA Firms

Under Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, IAA entities must implement a comprehensive, risk-based AML/CFT/CPF programme. The MoET Guideline for Accountants summarises these obligations into seven core areas. These obligation areas form the core of the AML/CFT/CPF framework expected from IAA entities, with implementation calibrated to the firm’s size, nature, complexity, and risk exposure.

Obligation Area	What It Requires	Key Supervisory Focus
Compliance Administration	Appoint a qualified CO/MLRO. Implement staff training and screening. Subject the AML/CFT/CPF framework to an independent audit. When part of a group, implement group-wide programmes.	CO/MLRO qualifications and sector knowledge. Training records. Independent audit completion.
Risk Identification and Assessment	Conduct a Business Risk Assessment (BRA) proportionate to the entity’s nature, size, and complexity. Document findings and review regularly.	Quality and currency of the BRA. Whether controls are genuinely calibrated to the risk identified.
Policies, Procedures, and Internal Controls	Establish, document, implement, and regularly update AML/CFT/CPF policies and procedures tailored to the entity’s specific risk exposure.	Whether procedures are operational and tailored, not generic. Whether they reflect the entity’s actual service mix.
Customer Due Diligence and Ongoing Monitoring	Identify and verify customers and beneficial owners. Understand the purpose and nature of business relationships. Create and maintain customer risk profiles. Apply EDD where higher risks are identified. Handle PEPs appropriately.	Beneficial ownership verification quality. Evidence of risk-driven (not threshold-driven) CDD. PEP management.
Sanctions Compliance	Screen against the applicable UAE sanctions framework, including UNSC lists and the UAE Local Terrorist List, in line with EOCN requirements under Cabinet Decision No. 74 of 2020. Depending on the firm’s client base, jurisdictions, banking relationships, and risk exposure, firms may also consider other sanctions lists such as OFAC and HMT as part of a broader risk-based screening framework.	Screening process design and frequency. EOCN guidelines compliance. CPF risk incorporation in the BRA.
Suspicious Activity / Transaction Reporting (SAR/STR)	Identify and promptly report suspicion to the FIU. The threshold is reasonable suspicion, not certainty. Timely, high-quality reports are a key supervisory focus.	Timeliness of reports. Quality of narrative and supporting detail. Evidence of internal escalation processes.
Record-Keeping	Maintain comprehensive records covering all transactions, CDD documentation, business correspondence, and risk assessment processes. Retain for a minimum of five years.	Record organisation and accessibility. Ability to reconstruct transactions. Readiness for FIU or supervisory access.

One point from the guidance deserves special attention in relation to CDD, MoET explicitly states that entities must apply a risk-driven CDD and EDD measure as opposed to a threshold-driven measure. Relying on transaction value alone to determine the level of due diligence is not acceptable under this framework. Risk indicators must drive the intensity of controls, not the size of the fee invoice.

Is Your AML Framework Truly Risk-Driven?

Assess whether your AML controls, risk assessment, and monitoring processes align with MoET expectations for IAA firms.

Risk Identification and Assessment: What the MoET IAA Guideline Actually Expects

Section 2 of the MoET IAA Guideline is one of the most practically detailed sections of the document. It provides an extensive list of risk factors across five categories that IAA entities must consider when undertaking their ML/TF/PF risk assessment. This is not a generic checklist; it is a sector-calibrated framework that reflects how financial crime risk actually materialises in accounting and audit engagements.

Customer Risk Factors

The guidance lists a wide range of customer-level risk indicators. These are the factors that should be feeding directly into your client risk profiling process:

Customers operating in sectors identified as higher risk in the UAE NRA or other sectoral risk assessments
PEPs or persons closely associated with PEPs, noting that foreign corruption is a key ML threat in the 2024 NRA
Complex or opaque ownership structures, including multi-layered legal entities, offshore arrangements, and nominee shareholders or directors without a clear economic rationale
Customers where beneficial ownership cannot be readily identified or verified, or where there are attempts to obscure ownership, control, or the nature of business activities
Customers acting on behalf of undisclosed third parties or whose instructions appear inconsistent with their stated profile
Customers with funds obviously and inexplicably disproportionate to their known circumstances, including age, income, occupation, or wealth
Frequent or unexplained changes in professional advisers or members of management
Customers reluctant to provide information, or where information provided appears inconsistent, insufficient, or unreliable

Geographic Risk Factors

Customers, beneficial owners, or transactions linked to jurisdictions subject to sanctions or with weak AML/CFT controls
Customers operating across multiple jurisdictions without a clear economic or commercial rationale
Transfer of corporate structures or activities to jurisdictions without genuine business activity

Business and Industry Risk Factors

Cash-intensive businesses or businesses dealing in cash equivalents
Customers involved in emerging or high-growth sectors where regulatory oversight may be evolving, including virtual asset-related activities
Non-profit or charitable organisations where transactions lack a clear economic purpose or alignment with stated activities

Transaction and Behavioural Risk Factors

Transactions or arrangements inconsistent with the customer’s known business profile or economic purpose
Sudden changes in transaction patterns, including activity from dormant entities
Last-minute or unexplained changes in transaction instructions, payment methods, or counterparties
Use of virtual assets or other methods intended to obscure the origin of funds

Control and Governance Risk Factors

Weaknesses in the customer’s AML/CFT/CPF framework, including a lack of oversight, inadequate policies, or ineffective implementation
Indicators of falsification or manipulation of financial records, including false invoices, fictitious loans, or misleading accounting entries
Customers offering unusually high fees without a clear commercial rationale
Indicators that the customer is attempting to avoid regulatory approvals or reporting requirements

Advisory Note: The BRA Is Not a One-Off Exercise

The MoET IAA Guideline is explicit that the Business Risk Assessment must be proportionate to the nature, size, and complexity of the entity’s activities. It must be periodically reviewed and updated, particularly when significant changes occur in the business, risk, or regulatory environment. Many IAA firms complete an initial BRA and treat it as done. The guidance expects it to be a living document, reviewed periodically and updated whenever significant changes occur in the client base, services offered, delivery channels, geographic exposure, payment arrangements, sanctions or proliferation financing exposure, or the broader regulatory environment.

Customer Due Diligence: What the MoET Guideline for Accountants Expects in Practice

Section 3 of the MoET Supplemental Guidance for Independent Accountants is where the practical expectations get most specific. CDD for IAA firms is not simply a matter of collecting identity documents at onboarding. It is a continuous, risk-informed process that runs through the entire client lifecycle.

Beneficial Ownership: The Starting Point That Many Firms Mishandle

The guidance is direct about beneficial ownership verification. The starting point is to ask pertinent questions and obtain information directly from the client. But that information cannot simply be accepted at face value in higher-risk situations. It must be analysed for reasonableness and consistency and corroborated with reference to reliable independent sources.

Reliable independent sources include bank references or bank account information, commercial registries, and federal or national tax identification numbers. Where those sources are unavailable, the IAA entity must consider reliable alternatives appropriate to the risk level identified.

The guidance specifically flags situations where clients appear unable or unwilling to divulge relevant ownership information or to grant permissions to third parties to provide that information. These are not neutral circumstances; they are red flags that indicate heightened risk and should trigger additional scrutiny or, where the risk cannot be mitigated, refusal or exit.

Screening: Continuous, Risk-Based, and Not Optional

The MoET IAA Guideline requires IAA entities to implement appropriate processes for screening customers, prospective customers, beneficial owners, and persons exercising management control against applicable sanctions lists and adverse media. These processes must be:

Ongoing and risk-based, not just conducted at onboarding
Inclusive of detection for links to financial crime, PEPs, and other higher-risk indicators
Implemented on a continuous basis at onboarding, during material changes, and periodically throughout the relationship
Proportionate in depth and frequency to the risks associated with each client

The guidance references publicly accessible government and intergovernmental sanctions lists, commercially available customer intelligence databases, and internet search techniques as tools for this process. IAA entities are expected to be familiar with these tools and use them appropriately.

Apply Enhanced Due Diligence

EDD is not limited to formal PEP designations or sanctions matches. The MoET Guideline for Accountants identifies a range of circumstances that should trigger enhanced scrutiny:

Clients associated with high-risk jurisdictions
Clients where beneficial ownership involves nominees, trusts, offshore entities, or multi-layered structures
Non-resident clients or intermediaries where the role is unclear, and there is no discernible economic rationale
Clients with complex cross-border arrangements or ownership structures that do not align with their declared business profile
Any situation where the overall risk profile warrants more than standard inquiry

Document Authenticity: A Specific IAA Concern

The guidance dedicates specific attention to a risk that is particularly relevant for accounting and audit engagements: the use of fraudulent or forged documents. When IAA entities are involved in approving or opining on acquisitions, dispositions, transfers, or financing of legal entities, they must pay particular attention to the authenticity of documents and financial instruments involved. This includes securities, bonds, title deeds, loan or mortgage documents, and promissory notes.

This expectation is not about becoming a forensic document examiner. It is about exercising professional scepticism and escalating when something does not look right, rather than treating inconsistencies as clerical errors to be corrected.

Refusing and Exiting Relationships

One of the clearest statements in the MoET IAA Guideline is this: IAA entities must refuse or exit relationships where beneficial ownership or the source of funds cannot be reasonably verified, or where sanctions or proliferation financing risks cannot be mitigated. This is not discretionary. Where the risk cannot be managed, the relationship must not proceed.

“In practice, one of the most common gaps we see in IAA firm compliance is in the area of ongoing monitoring. There is often reasonable rigour at the onboarding stage, with identity documents collected and some form of sanctions check conducted. But the monitoring process then becomes static. The client profile does not get updated when ownership changes, when the nature of instructions shifts, or when the volume or type of transactions starts to diverge from what was expected at onboarding. The MoET guidance is very clear that monitoring must be continuous and proportionate to the risk. For higher-risk clients, that means active review, not periodic reminders.”

Dipali Vora - Partner, NIYEAHMA Consultants LLP

Facing Challenges with Beneficial Ownership Verification?

Strengthen your customer due diligence process with support for complex ownership structures and higher-risk clients.

Ongoing Monitoring: Practical Expectations for IAA Firms

The MoET Guideline for Accountants acknowledges a practical reality that distinguishes IAA entities from licensed financial institutions: the nature of accounting and audit work means it is not always possible to conduct detailed ongoing monitoring of the entirety of client activity in the same manner as a bank or exchange house would. An engagement to audit a specific aspect of internal controls does not give the auditor the same continuous transactional visibility that a bank has over its account holders.

However, the guidance is clear that this limitation does not reduce the obligation to take reasonable steps to protect against misuse. IAA entities must not become unwitting accomplices to ML/TF/PF through the sources and methods by which they are compensated, to the extent that those sources and methods are visible through fee arrangements, engagement documentation, or information obtained in the ordinary course of providing services.

Practical Monitoring Steps the Guidance Identifies

The MoET IAA Guideline provides concrete examples of monitoring steps appropriate to the sector:

Examining information in commercial registries or held by registered agents to detect unexpected changes, amendments, or transfers
Monitoring changes in ownership, dividend payments, additional capital contributions, lending and borrowing activity, powers of attorney, and similar indicators of true beneficial ownership and control
Reviewing accounting records, audit evidence, or information provided during engagements to monitor the frequency and size of transactions against the expected business profile
When collecting professional fees, ensure that funds come from known sources on which CDD has been performed, not from third parties, foreign accounts, or other unknown sources
Ensuring payment methods are consistent with the client’s profile and are not methods designed to obscure the origin of funds, including cash, cashier’s cheques, postal money orders, prepaid cards, third-party endorsed cheques, or cryptocurrencies

Reporting Obligations: What IAA Firms Must Know About SARs and STRs

The reporting obligations for IAA entities are clearly framed in the MoET Supplemental Guidance for Independent Accountants and Auditors. They are triggered by reasonable suspicion, not by certainty, and they apply regardless of whether a transaction has been completed, attempted, or discontinued.

The Threshold Is Reasonable Suspicion

The obligation to file a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) with the UAE Financial Intelligence Unit (FIU) arises when an IAA entity has reasonable grounds to suspect that funds, transactions, or related activities are linked to ML/TF/PF or the proceeds of crime. The guidance is emphatic: this obligation applies regardless of transaction value. A low-value transaction with clear red flag indicators must be reported. A high-value transaction with no suspicious indicators does not, simply by virtue of its size, require a report.

Reporting Extends to Attempted Activity

The reporting obligation extends to attempted activities, including situations where an IAA entity declines to establish or continue a business relationship because of concerns identified during CDD or ongoing monitoring. Where the decision to exit or refuse a relationship arises from reasonable grounds for suspicion, the matter should be assessed for SAR/STR filing. Not every refusal or exit is automatically reportable, but where attempted suspicious activity is the basis for that decision, the reporting framework applies.

Tipping Off: A Strict Prohibition

IAA entities are strictly prohibited from disclosing, directly or indirectly, to the client or any third party, the fact that an STR or SAR has been filed, is intended to be filed, or that an investigation is being or may be conducted. This prohibition is absolute and extends to any information that could reasonably lead the client to become aware of such reporting.

Breaches of the tipping-off provisions carry legal and administrative sanctions. The guidance clarifies, however, that declining a transaction, delaying the provision of services, or requesting additional information for legitimate compliance purposes does not constitute tipping-off, provided those actions do not reveal the existence of a report or suspicion.

SAR/STR Quality Is a Key Supervisory Focus

The guidance is unusually direct in identifying the timeliness and quality of SAR/STR reporting as key supervisory focus areas for the IAA sector. This is not incidental language. It indicates that MoET expects firms to strengthen the timeliness, quality, and internal governance of suspicious activity reporting. Reports should be comprehensive, accurate, and supported by sufficient detail to enable the FIU to understand the nature of the suspicion, the parties involved, and the underlying activity. The focus must be on clearly articulating the basis for suspicion, rather than providing definitive conclusions.

On Reporting Gaps

The SRA’s observation that SAR/STR timeliness and quality are supervisory focus areas is significant. In our experience, many IAA firms do not have a clearly documented internal escalation process that connects an engagement team member’s concern to the Compliance Officer and then to the FIU within a defined timeline. The guidance requires that internal processes enable timely identification, escalation, and assessment of suspicions. Without that process being written down, trained on, and tested, the firm is exposed.

ML/TF/PF Typologies Most Relevant to the IAA Sector

Section 5 of the MoET IAA Guideline provides a detailed typology analysis specific to the accounting and audit profession. Understanding these typologies is not just about passing a compliance training module; it is about building the professional judgement to recognise when a client engagement is moving into territory that warrants closer scrutiny.

Use of Corporate Vehicles and Complex Legal Structures

This is the typology most frequently associated with the IAA sector. It involves the formation or use of corporate vehicles, shell companies, and complex legal structures such as trusts, foundations, and special-purpose vehicles. While there are numerous legitimate reasons for such structures, they may also be exploited for the placement and layering of proceeds of crime, the obscuring of beneficial ownership, and the provision of an appearance of legitimacy through professional intermediaries.

This typology is directly relevant to IAA entities providing financial reporting, tax advisory, or corporate structuring services, where visibility into ownership and control structures is inherent to the engagement.

Misuse of Professional Services to Create an Appearance of Legitimacy

The professional outputs of IAA entities, including audit reports, financial statements, assurance opinions, and accounting certifications, carry significant weight with third parties, including banks, investors, and other professional service providers. This weight can be exploited. The guidance identifies several examples:

Preparation or presentation of financial statements that obscure the true source or nature of funds
Creation or support of accounting entries, intercompany transactions, loans, royalty arrangements, or consultancy fees lacking genuine economic substance
Use of audit, assurance, or accounting outputs to create comfort for counterparties or financial institutions in circumstances where the underlying activity is suspicious

Real Estate-Related Laundering Through Corporate or Financial Structures

Real estate remains one of the most commonly used vehicles for the laundering of illicit proceeds in the UAE. The IAA sector intersects with this typology through accounting, tax structuring, and advisory work. Specific methods include the use of corporate vehicles to acquire or hold property, manipulation of property valuations, and the use of complex lending or mortgage arrangements.

Trade-Based Money Laundering and Commercial Documentation Misuse

From an accounting, audit, advisory, or forensic review perspective, the most relevant TBML methods include the manipulation of invoices (over-, under-, or fictitious invoicing), fraudulent shipments involving misrepresented goods, and customs, excise, or VAT fraud. Accounting records are frequently the primary evidence through which these methods are concealed or detected.

Sanctions Evasion and Proliferation Financing

The guidance identifies a specific category of typologies relating to sanctions evasion and PF. IAA entities may be misused to support these activities through the use of front companies to disguise links to sanctioned persons or jurisdictions, manipulation of accounting or commercial records to conceal the nature of goods, services, or counterparties, and the use of complex ownership or payment chains to obscure the ultimate beneficiary.

Misuse of Payment Flows and Settlement Arrangements

In situations where IAA entities have visibility into payment instructions, client money, or third-party settlements, for example, through insolvency, liquidation, or restructuring work, those arrangements may be exploited. Specific examples include unexplained transfers to or from unrelated third parties, cancellation of transactions followed by instructions to redirect funds, and the use of loans, advances, or professional fee arrangements to disguise the movement of value.

Other Related Typologies

The MoET IAA Guideline identifies additional typologies that IAA professionals should be aware of. These include: the use of licence or royalty payment arrangements to move value between related parties without genuine economic substance; private loan or credit agreements used to explain the movement of funds between entities or individuals; fraudulent consultancy agreements or advisory fee arrangements used to justify payments with no corresponding service; fraudulent investment agreements used to legitimise the transfer of funds across jurisdictions; and the misuse of charities or non-profit entities to channel funds. These typologies may be less obvious than the principal categories above but appear with regularity in complex cross-border and multi-entity engagements.

Help Your Team Recognise AML Red Flags Earlier

Build practical knowledge of typologies, risk indicators, and reporting obligations relevant to UAE accounting professionals.

Red Flag Indicators: A Practical Reference for IAA Professionals

Section 6 of the MoET IAA Guideline contains one of the most comprehensive and operationally useful sections of the document: a detailed list of red flag indicators organised by customer type and transaction behaviour. These are not triggers for automatic refusal or reporting; they are signals that warrant enhanced scrutiny and careful assessment by the Compliance Officer. The presence of multiple indicators in combination should increase the urgency of that assessment.

Customer Behaviour: Individual Clients

Concealment of Beneficial Ownership

Use of companies, trusts, or bearer shares to obscure beneficial ownership
Use of professional intermediaries, trustees, or nominee shareholders to provide an appearance of legitimacy
Creation or use of multi-jurisdictional structures to disguise beneficial ownership or facilitate a predicate offence
Ownership by or affiliation with a legal entity incorporated in a jurisdiction that does not require beneficial owner reporting
Acquisition or use of shelf companies or pre-constituted shell companies without updating ownership information
Becoming defensive, evasive, or hostile when questioned about the source of funds, tax history, or beneficial ownership

Suspicious Behaviour or Lack of Transparency

Refusal to co-operate or provide information, data, and documents usually required to facilitate an audit
Inability or refusal to explain the business activity, corporate history, identity of beneficial owners, or source of wealth
Active avoidance of personal contact without sufficient justification
Requests that the accountant or auditor simplify explanations, accept management representations without evidence, or exclude certain accounts, transactions, or jurisdictions from scope
Claims of being tax-exempt or not required to file without a credible legal or jurisdictional justification
Inability or unwillingness to provide tax returns, tax residency certificates, or proof of tax payments

Unusual Customers and High-Risk or Criminal Associations

Customer under investigation, with known criminal connections, or subject to adverse information in reliable public sources
Customer is a PEP or has familial or professional associations with a PEP
Customer or UBO appearing on applicable UAE or UN sanctions lists, or identified in other credible watchlists or adverse intelligence sources relevant to the firm’s risk assessment
Funds originating from or transiting through high-tax-secrecy jurisdictions or those exhibiting weak tax enforcement

Customer Behaviour: Entity Clients

Cannot demonstrate a history or provide evidence of real operational activity
Suddenly becomes active after a long period of dormancy without a logical explanation
Cannot be found on the internet, social business network platforms, or in the public domain
Registered at an address that does not match the company’s profile or is listed against numerous other companies, indicating a mailbox service
Has directors or controlling shareholders who cannot be located or contacted, or who do not appear to have an active role
Is not normally cash-intensive but appears to have substantial unexplained cash
Provides falsified records or counterfeit documentation
Transfers its registration from another jurisdiction without evidence of genuine economic activity in the country of origin
Requests shortcuts or unusually fast completion of work, prepared to pay substantially higher fees in exchange
Preferred payment method is unusual, including precious metals, virtual currencies, or other unconventional methods
Individuals managing multiple entities that transfer funds among themselves without corresponding commercial activity

Transaction Behaviour

Unexplained last-minute changes involving the identity of parties, transaction details, or payment methods
Involvement of cash or negotiable instruments that do not state the true payer
Transactions financed by a non-financial institution third party, with no logical explanation or commercial justification
Funds sent to or received from a foreign country with no apparent connection to the client
Significant increase in capital or successive capital contributions over a short period for a recently incorporated company
Personal funds funnelled through corporate accounts, followed by personal expenditures or asset acquisitions
Complicated transaction routings or multi-jurisdictional corporate structures without sufficient explanation or trade records
Customer claims to export technical equipment without any manufacturing capacity
Financial statements reflecting payments to unknown suppliers in high-risk jurisdictions
Customer refuses to provide end-use or end-user information, customs documentation, or supply chain details

Case Studies: Learning from the MoET Guidance Scenarios

The MoET IAA Guideline includes seven illustrative case studies. This article summarises five of them below; firms are encouraged to review all seven in the full guidance document, as each contains supervisory expectations directly applicable to audit, advisory, and accounting engagements.

They are illustrative supervisory learning scenarios, intended to help IAA firms identify relevant red flags and understand the expected supervisory response, rather than verified historical cases.

Each case study concludes with supervisory expectations that are directly applicable to IAA engagement work.

Case Study 1: PEP Using Corporate and Trust Structures to Conceal Corruption Proceeds

A PEP used a group of corporate entities, trust arrangements, and intermediaries across multiple jurisdictions to conceal ownership of high-value assets acquired through corruption. Assets were held through previously incorporated entities with nominee control. Forged company accounts, false incorporation documents, and misleading ownership records were produced to create an appearance of legitimacy.

IAA Relevance: This case illustrates how corporate structures, financial records, and ownership documentation may be misused to conceal beneficial ownership. The supervisory expectation is to apply professional scepticism to company accounts, incorporation records, and trust documents, particularly when they are central to the verification of legitimacy. Where the declared wealth is inconsistent with the scale of assets or structures, enhanced scrutiny is required.

Case Study 2: Shell Companies and Procurement Manipulation to Launder Corruption Proceeds

An infrastructure project’s bidding process was rigged by a project manager in conspiracy with contractors. A web of shell corporations submitted coordinated bids, creating a false appearance of competition. Excessive payments were made and subsequently layered through affiliated parties, consulting contracts, and subcontracting arrangements, supported by invoices and financial records that appeared authentic.

IAA Relevance: Invoices and financial records that support sham transactions are often the primary tools in procurement fraud. Professional scepticism must be applied when reviewing consultancy agreements, subcontracting arrangements, and payments to related entities, particularly where multiple companies in a tender process appear to share ownership, management, or financial arrangements.

Case Study 3: Front Company and Structured Real Estate Transaction

A person using a false identity formed a company, received funds from overseas third parties, acquired a property through the company, then liquidated the company and reacquired the asset at an inflated price. This created an appearance of a legitimate capital gain while channelling illicit money through the financial system.

IAA Relevance: Rapid asset acquisition and disposal, company liquidation shortly after a significant transaction, and inflated valuations without market rationale are all patterns that should trigger closer scrutiny when observed in accounting or advisory work.

Case Study 4: Misuse of Professional Customer Account and Corporate Structure

A company used a notary’s customer account to purchase property, with funds routed through multiple cheques and transfers that appeared legitimate. However, the structure concealed the connection between the individual and the company, and the funds were later linked to a known drug dealer through the company’s ownership. This enabled illicit money to be laundered through real estate investments using layered financial transactions.

IAA Relevance: Use of intermediary accounts, indirect funding structures, unclear beneficial ownership, and transaction patterns inconsistent with normal professional activities are key indicators that require enhanced scrutiny during accounting and advisory engagements.

Case Study 5: Front Company and Cash Structuring for Tax Fraud Proceeds

A criminal group channelled tax evasion proceeds through a company with no real operations, using multiple individuals to deposit cash in smaller amounts before pooling into the corporate account. The company then made unjustified VAT refund claims linked to property transactions, generating apparently legitimate income.

IAA Relevance: Structured cash deposits, asset acquisitions inconsistent with a company’s declared business, and disproportionate VAT refund requests are all indicators that should be escalated during accounting or tax advisory work.

Sectoral Best Practices: What MoET Expects IAA Firms to Do

Section 4.2 of the MoET IAA Guideline is one of the most forward-looking sections of the document. It sets out best practices that MoET expects firms to work towards, beyond the minimum mandatory requirements. These best practices provide a useful benchmark for firms assessing the maturity of their compliance framework.

Risk-Based Approach as the Foundation of Everything

The guidance calls for a documented and proportionate risk-based approach that guides all aspects of compliance from client onboarding through to monitoring and escalation. This includes periodic business-wide risk assessments covering client profile, ownership opacity, geographic exposure, service type, delivery channel, fee and payment arrangements, and sanctions or PF exposure. Risk scoring methodologies must be structured, documented, approved by senior management, and consistently applied.

Strong Governance Framework

The guidance emphasises a strong governance framework appropriate to the firm’s size and risk exposure. This means:

A qualified CO/MLRO with sector-specific knowledge and a sound understanding of regulatory obligations
Written policies and procedures aligned with regulatory requirements and best practices
Regular AML/CFT/CPF training for all employees, including frontline staff and senior management
Group-wide AML/CFT/CPF frameworks where the firm has multiple branches or affiliates
Regular escalation of AML/CFT/CPF issues to senior management, with documented decisions on higher-risk clients or engagements

Service-Based Risk Calibration

The guidance specifically recommends that firms take a service-based approach to risk identification and mitigation. Services associated with higher risk, including company structuring, complex cross-border arrangements, liquidation or insolvency work linked to unexplained wealth, and non-routine financial transactions, should receive enhanced scrutiny and management oversight. The calibration of controls must extend beyond the client profile to the type of service being provided.

Document Scrutiny and Consistency Checking

The guidance recommends that firms apply an appropriate level of scrutiny to documents, justifications, and transaction narratives provided by clients. Best practice includes ensuring consistency of documents across different sources, verifying reconciliation of figures, dates, counterparties, and ownership information, and escalating where records appear backdated, fabricated, commercially inconsistent, or unsupported by the firm’s understanding of the client’s business.

Clear Internal Escalation Procedures

The guidance calls for clear and documented internal escalation procedures, with employees trained to identify red flags specific to the accounting profession. These include ownership opacity, unjustified cross-border structures, false invoicing, false loans, abuse of corporate vehicles, sanctions evasion indicators, and attempts to pressure the firm to reduce scrutiny or overlook gaps that may arise.

“The MoET Supplemental Guidance for IAA is one of the most operationally detailed pieces of sector guidance MoET has issued for this sector. What stands out is the combination of specificity and balance. It does not treat every accounting firm as a high-risk entity; it explicitly acknowledges that smaller firms with domestic, low-complexity clients operate at a different risk level from firms with cross-border, multi-jurisdictional, corporate-heavy client bases. What it does require, for all firms at every scale, is that the risk assessment, the controls, the monitoring, and the reporting are proportionate to the actual risk. The firms that will struggle are not necessarily the ones with the highest risk profiles; they are the ones that have not clearly documented why their current controls are appropriate for their specific risk exposure.”

Jyoti Maheshwari - Partner, NIYEAHMA Consultants LLP

Build an AML Programme Aligned with MoET Expectations

Start with a risk assessment that reflects your services, clients, geographic exposure, and compliance obligations.

Common Challenges in the IAA Sector: What the SRA Found

The MoET Sectoral Risk Assessment was candid about the compliance challenges it observed across the IAA sector. Understanding these challenges helps firms identify where their own frameworks may have gaps, not to criticise, but to focus remediation efforts where they are most needed.

Challenge Identified	What This Means in Practice
Uneven compliance maturity across firms	Smaller practices often have limited dedicated compliance resources, resulting in inconsistent risk assessments, weak documentation of decisions, and under-identification of suspicious activity.
Gaps in escalation to senior management	AML/CFT issues are not being escalated to senior management regularly. Decisions on higher-risk clients or engagements are often not documented or reviewed at the partner level.
Insufficient tailored AML/CFT/CPF training	Training is often generic rather than tailored to the specific risks of the accounting profession. Staff may be unaware of sector-specific red flags or typologies.
Over-reliance on manual processes	Manual screening and monitoring processes create inconsistency and are prone to gaps. Firms relying solely on manual checks are likely to miss indicators that a systematic process would catch.
Commercial pressures are creating blind spots	Where a client is commercially important or insistent on speed, there is implicit pressure to treat gaps in documentation or opacity in ownership as routine. FATF guidance specifically highlights this as a risk factor.
Cross-border complexity	Foreign client bases and cross-border operations create challenges for due diligence, transparency, sanctions checks, and document consistency that domestic-only clients do not present.

Frequently Asked Questions on the MoET IAA Guideline

Yes. The guidance applies to all regulated entities within the IAA sector, including sole practitioners, partners, and employees of firms providing audit and accounting-related services, across both the mainland UAE and relevant Commercial Free Zones. It does not apply to internal auditors employed within an organisation, who are not acting independently.

The MoET DNFBP Guidelines provide the general framework for all designated non-financial businesses and professions. The MoET IAA Guideline is a sector-specific supplement that adds practical detail relevant to the unique risk environment and service profile of independent accountants and auditors. Both must be read and applied together. The supplemental guidance does not replace the general guidelines; it adds to them.

IAA entities must file an STR or SAR with the FIU when they have reasonable grounds to suspect that funds, transactions, or related activities are linked to ML/TF/PF or the proceeds of crime. The threshold is reasonable suspicion, not certainty or proof. The obligation applies regardless of transaction value, and it extends to attempted activities, including situations where an IAA entity declines to establish or continue a business relationship due to compliance concerns.

Risk-driven CDD means that the intensity and depth of due diligence applied to a client are determined by the assessed risk profile of that client and the nature of the services being provided, not by transaction value thresholds alone. A low-value engagement for a client with complex offshore ownership, cross-border transactions, and links to a high-risk jurisdiction should attract more rigorous due diligence than a high-value engagement for a well-known, domestically focused corporate with transparent ownership.

Yes. IAA entities must incorporate PF risk into their Business Risk Assessment. They must refer to the EOCN Guidance on Counter-Proliferation Financing for detailed obligations, including requirements for screening against UNSCR lists, freezing obligations, and reporting in relation to designated persons or entities. The MoET IAA Guideline provides high-level guidance on CPF obligations, but the operational requirements are governed by EOCN guidelines.

IAA entities must maintain comprehensive records covering all transactions, CDD documentation, business correspondence, and outcomes of any analysis performed. Records must include documentation generated as part of the entity’s ML/TF/PF risk assessment and mitigation processes. Records must be retained for a minimum of five years from the latest of the following events: termination of the business relationship, completion of an occasional transaction, issuance of a final judgment by a competent authority, or dissolution of a legal person or arrangement.

The MoET IAA Guideline is clear that the obligation to report is triggered by reasonable suspicion, not certainty. If reasonable grounds for suspicion exist based on available information, professional judgement, and the assessment of risk indicators, the matter must be escalated internally to the Compliance Officer, assessed, and if not resolved, reported to the FIU. The Compliance Officer should document the reasoning process and the outcome, whether a report is filed or not.

Yes. Taking steps to decline a transaction, delay the provision of services, or request additional information for legitimate compliance purposes does not constitute tipping-off, provided those actions are conducted in a manner that does not reveal the existence of a report or a suspicion. The prohibition on tipping-off relates specifically to disclosing that a report has been or may be filed, or that an investigation is underway.

The MLRO or Compliance Officer must be a qualified professional with sector-specific knowledge and a sound understanding of regulatory obligations. The guidance does not prescribe a specific seniority level, but it does require senior management oversight of the AML/CFT/CPF framework and places responsibility for AML/CFT/CPF compliance on senior management. In practice, the MLRO should have sufficient seniority to escalate concerns to partners and, in larger firms, to the board, without facing commercial pressure to suppress those concerns.

The BRA must be reviewed and updated regularly. The guidance specifies that it must be updated, particularly when significant changes occur in the business, risk, or regulatory environment. In practice, this means reviewing the BRA periodically and updating it whenever there is a material change in the firm’s client base, services offered, delivery channels, geographic exposure, sanctions or proliferation financing exposure, or the broader regulatory or risk environment. Many firms adopt an annual review cycle as a governance practice, but the guidance does not prescribe a fixed minimum frequency; the trigger is material change, not the calendar.

Closing Observations: What This Guidance Signals for the IAA Sector

The MoET Supplemental Guidance for Independent Accountants and Auditors is one of the most detailed and operationally specific pieces of sector guidance that MoET has issued to date. It is built on a clear empirical foundation in the 2024 NRA and SRA, it is calibrated to the actual risk environment of the sector, and it provides a more practical and sector-specific articulation of MoET’s expectations for IAA firms.

Several themes run through the entire document and are worth holding in mind as a firm works through its compliance framework against this guidance:

Proportionality is non-negotiable. The guidance is explicit that a sole practitioner with a domestic, low-complexity client base operates differently from a mid-sized firm with a cross-border, corporate-heavy client portfolio. Controls must be proportionate to the actual risk, but that proportionality must be documented and justified, not assumed.
Professional judgement is expected, not optional. The case studies and typologies section of the guidance is essentially a training manual in professional scepticism. Recognising when a client’s ownership structure is needlessly complex, when financial records do not add up, or when instructions are being given by someone who should not have the authority to give them is a core professional competency under this framework.
Documentation is the difference between compliance and exposure. Whether it is the BRA, the CDD file, the escalation decision, or the rationale for not filing a report, documentation is what allows a firm to demonstrate to a regulator that it applied a risk-based approach. Without documentation, even good processes become invisible.
The reporting threshold is reasonable suspicion, not certainty or proof. Firms should review their internal escalation and reporting processes against the guidance expectations and satisfy themselves that concerns are being identified, documented, assessed, and where appropriate reported promptly. MoET’s identification of SAR/STR quality and timeliness as key supervisory focus areas signals that reporting maturity across the sector needs attention.
The firms that will navigate this regulatory environment well are those that treat the MoET IAA Guideline not as a checklist to be ticked once a year, but as a framework that should be embedded in how they onboard clients, structure engagements, review financial records, and make decisions about difficult client relationships.

About AML UAE and NIYEAHMA Consultants

AML UAE is part of the NIYEAHMA AMLVerse, a global AML compliance ecosystem connecting consulting, regulatory knowledge, professionals, implementation frameworks, and technology.

Our team includes CAMS-certified professionals with hands-on experience across the UAE DNFBP sectors, financial institutions, VASPs, and capital market participants. We have delivered AML health checks, Business Risk Assessments, policy documentation, training programmes, and managed KYC services across the mainland UAE and financial free zones.

Need Practical AML Guidance for Your IAA Firm?

Speak with specialists who understand the compliance challenges faced by UAE accountants and auditors.

Share via :

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik