Supplemental Guidance for Trust and Company Service Providers (TCSPs)
Last Updated: 06/03/2026
Protect your business with reliable and effective AML strategies with AML UAE.
MoET's Supplemental Guidance for TCSPs in a Nutshell
- Issued by the UAE Ministry of Economy and Tourism in April 2026, anchored in Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, supplementing the broader DNFBP Guidelines.
- Applies equally to mainland and commercial free zone TCSPs, covering company formation, nominee services, trusts and foundations, registered office services, and cross-border structuring.
- Sets out core obligations: Business Risk Assessments, risk-based CDD and EDD, beneficial ownership verification across every layer, source of funds and wealth checks, ongoing monitoring, STR reporting, and MLRO governance.
- Maps five sector-specific risk areas with 21 case studies covering BO opacity, nominee abuse, shell entities, cross-border flows, governance failures, and trust or foundation misuse, alongside detailed red flags and a practical interpretation of the NRA’s Medium Risk rating.
- Supervisors will test whether controls work in practice rather than on paper, exposing weaknesses to supervisory findings and required remedial actions within specified timeframes.
The UAE Ministry of Economy and Tourism (MoET) released its Supplemental Guidance for Trust and Company Service Providers in April 2026. It is sector-specific and detailed. While it does not create new legal obligations, it is a strong supervisory reference for how MoET expects TCSPs to implement their AML/CFT/CPF obligations in practice. If you operate as a TCSP in the UAE, whether as a formation agent, registered office provider, nominee service provider, trust administrator, or company secretarial firm, this guidance gives a clear indication of the areas supervisors are likely to assess during inspections and supervisory engagements.
This article unpacks the MoET Supplemental Guidance for TCSPs in plain language, adds professional context, and tells you what it actually means for your day-to-day operations. For ease of reference, we use ‘MLRO’ throughout to refer to the designated AML/CFT Compliance Officer or reporting officer responsible for internal escalation and FIU reporting under Article 22 of Cabinet Resolution No. 134 of 2025.
What Is the MoET Supplemental Guidance for TCSPs and Why Does It Matter?
Key Points Under This Section
- Issued by the UAE Ministry of Economy and Tourism in April 2026
- Supplements the main DNFBP Guidelines with sector-specific depth
- Anchored in Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025
- Does not create new law but shapes what supervisors will test
- Applies to mainland and commercial free zone TCSPs equally
The MoET Supplemental Guidance for Trust and Company Service Providers provides detailed guidance to TCSPs on exactly how the Ministry expects them to identify, assess, and mitigate money laundering, terrorist financing, and proliferation financing risks within their specific sector.
It sits alongside the broader DNFBP Guidelines rather than replacing them. It does not constitute additional legislation or regulation, does not set legal precedent, and does not replace or supersede statutory obligations under Federal Decree-Law No. 10 of 2025, Cabinet Resolution No. 134 of 2025, or any other binding instrument. Where any discrepancy arises between this guidance and prevailing law, the law prevails.
Think of the DNFBP Guidelines as the framework, and this guidance as the instruction manual for TCSPs within that framework. Where the two overlap, TCSPs should treat this supplemental guidance as the sector-specific reference point, while ensuring continued compliance with the broader DNFBP Guidelines and prevailing legal requirements.
Why This TCSP Guidance Needs Immediate Attention
During supervisory inspections, MoET will assess whether your AML/CFT/CPF controls are operating effectively in practice, not just whether policies exist on paper. The guidance explicitly states that deficiencies in risk assessment, beneficial ownership transparency, or ongoing monitoring may result in supervisory findings and required remedial actions within specified timeframes. The emphasis is on substance over form.
The legal anchor for this guidance is Federal Decree-Law No. 10 of 2025, which came into effect on 14 October 2025, and its implementing regulations under Cabinet Resolution No. 134 of 2025, which followed on 14 December 2025. These are the operative instruments for all UAE AML/CFT/CPF compliance work. References to the older 2018 or 2019 legislation are no longer sufficient.
Who Does the MoET Supplemental Guidance for TCSPs Apply To? Scope and Covered Activities
Key Points Under This Section
- Five specific activities trigger DNFBP obligations for TCSPs
- Applies to mainland and free zone TCSPs
- Covers all boards, management, and employees of covered entities
- Trust formation and administration carry distinct additional obligations
The MoET Supplemental Guidance for TCSPs applies to any entity conducting the following activities on behalf of a client in the UAE:
| Covered Activity | What It Means in Practice |
| Acting as an agent in the creation or establishment of legal persons | Company formation agents, business setup advisors, incorporation service providers |
| Providing directors, secretaries, partners, or similar roles | Nominee director services, company secretary services, registered manager arrangements |
| Providing a registered office, work address, or administrative address | Virtual office providers, registered address services, correspondence handling |
| Acting as or equipping another person to act as trustee | Trust administration, fiduciary services, trust operators |
| Acting as or equipping another person to act as a nominee shareholder | Nominee shareholding services, share custody arrangements |
The guidance applies to all such entities operating in the UAE, whether on the mainland or within commercial free zones, and covers board members, senior management, and employees. Section 1.3 of the guidance grounds this scope in Articles (2) and (3) of Cabinet Resolution No. 134 of 2025 (the Executive Regulations of Federal Decree-Law No. 10 of 2025).
Not sure whether your firm qualifies as a TCSP under UAE law?
Our team at AML UAE has helped several formation agents, registered office providers, and company secretarial firms determine their regulatory scope and build compliant frameworks from the ground up.
Core AML/CFT/CPF Obligations: What the MoET Supplemental Guidance for TCSPs Requires
Key Points Under This Section
- Risk identification and assessment must be documented and updated regularly
- Policies and procedures must cover all compliance dimensions, not just CDD
- CDD and ongoing monitoring are core functions, not checkbox exercises
- STR and SAR reporting obligations apply regardless of transaction value
- Governance includes a qualified MLRO, senior oversight, and staff training
- Record keeping must allow full reconstruction of decisions by authorities
- Targeted financial sanctions compliance must include screening freezing action without delay, and reporting under Cabinet Decision No. 74 of 2020
The MoET Supplemental Guidance for TCSPs requires every TCSP to maintain a comprehensive, risk-based compliance framework. The seven core components are not aspirational. They are the minimum standard against which your firm will be assessed.
Each of these components carries a specific weight in supervisory assessments. However, the guidance places particular emphasis on the gap between policy and practice. Having a well-written CDD policy is not enough. Your MLRO needs to be able to demonstrate that it was actually applied, documented, and reviewed in individual client relationships.
On record keeping, the guidance sets a standard that many TCSPs currently fall short of. Records must be detailed enough that a competent authority can reconstruct the rationale and context of every relationship decision without needing oral explanations from your staff. That means documenting not just what you collected, but why you made the risk decisions you did and what alternative courses of action you considered. Under Article 25 of Cabinet Resolution No. 134 of 2025, all CDD records, transaction records, and supporting documentation must be retained for a minimum of five years from the termination of the business relationship or the completion of the occasional transaction, and must be organised so that individual transactions can be reconstructed and made immediately available to competent authorities.
“The governance component is where many TCSPs struggle most. The guidance requires the MLRO to do more than sign off on onboarding forms. They need to be actively reviewing high-risk relationships, providing guidance on ambiguous cases, assessing escalations, and deciding whether reporting thresholds are triggered. That is a substantive role, and it needs to be properly resourced. Appointing an MLRO as a title without giving them the time, access, and authority to do the job is a control weakness that supervisors will identify quickly.”
Five Sector-Specific Risk Areas Every TCSP Must Understand
Key Points Under This Section
- TCSPs should apply enhanced scrutiny during company formation to ensure transparency and to avoid the misuse of this structure to obscure ownership and facilitate illicit activity.
- Nominee arrangements require enhanced governance regardless of perceived legitimacy
- Trust and foundation services carry distinct risks from the separation of ownership and control
- Registered office services carry low inherent risk but are frequently misused in practice
- Cross-border structures demand a higher standard of scrutiny across all dimensions
The guidance does not treat all TCSP activities as equally risky. It identifies five service types that carry elevated ML/TF/PF exposure and sets out specific control expectations for each.
Company Formation and Legal Structuring
Company formation is the point of entry into the financial and corporate system. The guidance notes that risks are elevated where structures are established with multiple layers of ownership, incorporated across different jurisdictions, or created without a clear commercial purpose aligned to the customer’s economic profile.
The practical expectation is that TCSPs apply enhanced scrutiny at the point of formation itself. This means documenting the purpose of the structure, the rationale for the chosen legal form and jurisdictions, the roles of all parties, and how ownership and control actually work in practice. Higher-risk or more complex structures should go through internal review and approval, including MLRO escalation.
Nominee Shareholders and Directors
The guidance acknowledges that nominee arrangements serve legitimate purposes in some contexts. However, it is equally clear that they carry inherent ML/TF/PF risk because they can obscure the identity of the true beneficial owner and reduce transparency over control.
TCSPs providing nominee services must ensure full transparency over the underlying beneficial ownership structure. This means identifying and verifying the beneficial owners behind the arrangement, documenting the legal relationship between the nominee and the beneficial owner clearly, and understanding the precise scope of the nominee’s authority. Arrangements where the TCSP cannot obtain sufficient information about the beneficial owner must not be accepted.
Trust and Foundation Services
Trusts and foundations present distinct risks because they deliberately separate legal ownership from beneficial interest. The multiple parties involved, including settlors, trustees, beneficiaries, and protectors, make it harder to identify who actually controls and benefits from the arrangement.
The guidance requires TCSPs to identify and verify all relevant parties to the arrangement. Trust deeds must be reviewed in detail. Discretionary arrangements deserve particular attention, because control in these structures is not always immediately apparent. Ongoing monitoring needs to cover distributions, changes in beneficiaries, and amendments to the structure.
Provision of Registered Office and Administrative Services
Registered office services are often treated as low-risk administrative functions. The guidance pushes back on this assumption. When multiple entities are registered at the same address, or when a registered office is used to establish a presence without any substantive business operations, risk exposure increases significantly.
TCSPs providing these services must understand the nature and purpose of each registered entity, verify beneficial ownership and key controlling parties, and monitor for unusual patterns. Even where the TCSP has no broader relationship with the entity beyond address provision, minimum CDD requirements still apply.
Cross-Border Structures and Multi-Jurisdictional Arrangements
The guidance identifies cross-border structures as carrying elevated risk across all TCSP activities. The core concern is that multi-jurisdictional arrangements can fragment ownership, complicate beneficial ownership identification, and obscure the flow of funds in ways that no single service provider can fully see.
The expected approach includes understanding the role and purpose of each jurisdiction, assessing the regulatory environment in those jurisdictions, tracing the flow of funds and assets across borders, and verifying that the geographic footprint of the structure is consistent with the customer’s stated business activities. Cross-border structures should attract enhanced oversight and internal escalation procedures.
Key Risk Factors: Customers, Transactions, and Geographic Exposure
Key Points Under This Section
- Customer risk is not static: it includes behavioural indicators throughout the relationship
- Non-resident, offshore, and PEP-linked customers carry elevated inherent risk
- Transactional risk must be assessed across the full lifecycle of the service
- Frequent changes in ownership or control are a risk signal, not just an administrative matter
- Geographic risk extends beyond the customer’s location to the full jurisdictional footprint of the structure
The MoET Supplemental Guidance for TCSPs breaks down risk factors across three dimensions: the nature and type of customers, the nature and type of transactions or services, and geographic exposure. Understanding these three dimensions is the foundation of any credible risk-based approach.
Customer Risk Factors
The guidance expects TCSPs to go beyond static customer characteristics when assessing risk. A customer who presents well at onboarding can still raise red flags during the relationship through inconsistent information, unexplained urgency, or evasiveness about the purpose of a structure.
Specific higher-risk customer types identified in the guidance include non-resident or offshore customers with no clear economic link to the UAE, customers introduced through intermediaries without a face-to-face component, and individuals with PEP connections or links to high-risk jurisdictions. In all these cases, the TCSP’s ability to independently verify information is reduced, and enhanced scrutiny is required.
Transactional and Service Risk Factors
The guidance explicitly frames transactional risk assessment as covering the full lifecycle of the service, not just individual transactions in isolation. A structure that looks low risk at formation can become high risk following changes in ownership, the introduction of new jurisdictions, or shifts in the nature of the underlying activity.
Higher-risk scenarios in this dimension include the establishment of multiple entities within a short timeframe with similar ownership profiles, frequent changes to directors or signatories without commercial justification, rapid transfer or restructuring of ownership across jurisdictions, and the provision of registered office or administrative services to entities without substantive operations.
Geographic Risk Factors
Geographic risk in the TCSP sector is multi-dimensional. The guidance requires TCSPs to assess geographic risk not only based on the customer’s location, but also in relation to the jurisdictions of incorporation of legal entities, the origin and destination of funds, and the location of underlying business activities.
Higher-risk scenarios arise where structures involve jurisdictions with weaker AML/CFT frameworks, limited beneficial ownership disclosure requirements, or known exposure to corruption or sanctions risks. The guidance states that using such jurisdictions is not inherently indicative of wrongdoing. However, it does require a higher level of scrutiny and a clear understanding of the commercial rationale.
Does your TCSP compliance framework cover all five risk areas?
Many UAE TCSPs have strong onboarding processes but significant gaps in nominee governance, cross-border scrutiny, and registered office CDD. Our AML consulting team can help you identify and close those gaps.
Customer Due Diligence, Beneficial Ownership, and Ongoing Monitoring: The TCSP Standard
Key Points Under This Section
- CDD must go beyond identity verification to encompass purpose, structure, and economic rationale
- Beneficial ownership identification must cover all layers of complex structures
- Source of funds and source of wealth verification are distinct requirements
- Ongoing monitoring must include trigger-based reassessments, not just periodic reviews
- Record keeping must enable full reconstruction of relationship decisions
- The MLRO plays a pivotal role beyond receiving and filing escalations
Customer Due Diligence in the TCSP sector carries a higher standard than in most other DNFBP categories. This is because TCSPs are directly involved in creating and administering legal structures, meaning they act as a critical control point before a structure becomes operational.
Establishing a Business Relationship
When a TCSP agrees to create, manage, or support a legal person or arrangement on behalf of a client, it establishes a business relationship that triggers full CDD obligations. At this point, the guidance expects the TCSP to develop a holistic understanding covering the purpose behind the structure, the roles and relationships of all involved parties, the jurisdictions and their risk levels, and the anticipated nature and scale of activities.
The guidance gives particular weight to situations where the structure appears unnecessarily complex, where there is reliance on intermediaries without a clear commercial role, or where the customer is reluctant to provide complete or consistent information. In these cases, the TCSP must not rely solely on formal compliance with documentation requirements. It must critically assess whether the overall arrangement is coherent, transparent, and credible.
TCSPs often receive customers through introducers, law firms, business setup agents, and overseas advisors. Article 20 of Cabinet Resolution No. 134 of 2025 permits reliance on CDD performed by a third party only where the third party is itself subject to AML/CFT regulation and supervision, applies CDD measures consistent with the UAE framework, and provides immediate access to the underlying CDD information and documentation on request. Ultimate responsibility for CDD remains with the TCSP regardless of any reliance arrangement, and the guidance expects the TCSP to satisfy itself, on a documented basis, that these conditions are met before placing weight on a third party’s work.
Beneficial Ownership Identification and Verification
The guidance states that beneficial ownership identification is one of the most critical and complex aspects of CDD for TCSPs. The ability of legal persons and arrangements to separate legal ownership from actual control creates inherent vulnerabilities that can be exploited to conceal illicit activity.
The expected approach requires TCSPs to identify the natural persons who ultimately own or control the structure, whether through direct ownership interests, voting rights, or other forms of control. This includes indirect holdings and layered structures across multiple jurisdictions. The process must not stop at collecting declarations from the customer. The information must be corroborated using independent and reliable sources wherever feasible.
Enhanced scrutiny is required where ownership structures involve jurisdictions with limited transparency, where shares are held on behalf of others without clear documentation, where there are frequent or unexplained changes in ownership, or where the customer seeks to limit access to ownership information.
Source of Funds and Source of Wealth
The guidance distinguishes between the source of funds (the specific origin of the funds used in a transaction) and the source of wealth (the origin of the customer’s overall accumulated wealth). Both are relevant for TCSPs, particularly where structures are used to hold, manage, or transfer assets, or where there is exposure to higher-risk customers or jurisdictions.
The practical expectation is that TCSPs assess whether the customer’s financial profile is consistent with the nature and scale of the structure being established or managed. Particular care is required where the origin of funds links to high-risk activities or jurisdictions, where there is a mismatch between the customer’s known profile and the scale of the transaction, where funds pass through multiple intermediaries without a clear rationale, or where payment methods obscure traceability.
Ongoing Monitoring
The guidance is explicit that ongoing monitoring in the TCSP sector must be dynamic, not periodic. Risks in this sector often materialise through gradual changes rather than discrete suspicious transactions. A risk-calibrated approach to monitoring must include reviewing changes in ownership, control, or governance arrangements, tracking amendments to legal structures, assessing whether the structure continues to be used consistently with its stated purpose, and reassessing risk levels following trigger events.
The guidance identifies specific trigger events that should prompt an immediate reassessment: changes in shareholders, directors, or authorised signatories; introduction of new entities or jurisdictions; significant changes in the nature or scale of activities; and requests for services outside the originally stated purpose.
Where CDD cannot be completed, or where beneficial ownership transparency cannot be achieved to the standard required, Article 14 of Cabinet Resolution No. 134 of 2025 prohibits the TCSP from establishing or continuing the business relationship and from carrying out the requested transaction. The TCSP must also consider whether the underlying facts give rise to a suspicion that warrants an STR or SAR filing through goAML under Article 18 of Cabinet Resolution No. 134 of 2025. Exit and refusal decisions, and the reasoning supporting them, must be documented to the same standard as onboarding decisions.
What This Means in Practice
If you are running annual CDD reviews as your only monitoring mechanism, you are not meeting the standard set by this guidance. The guidance requires trigger-based reassessment as the primary monitoring mechanism, supported by periodic reviews. Your compliance framework needs to define what constitutes a trigger event for each service type and ensure that frontline staff can identify and escalate these promptly.
Is your CDD framework aligned with the 2025 UAE law and this guidance?
Outdated CDD templates, missing source of wealth processes, and weak trigger-based monitoring are among the most common findings in UAE TCSP supervisory reviews. Our team can conduct a targeted AML health check on your CDD framework.
Common Sectoral Challenges and Best Practices: What Good Looks Like
Key Points Under This Section
- Beneficial ownership transparency across multi-layered structures is the most persistent challenge
- Over-reliance on customer-provided information without independent corroboration is a recurring weakness
- Limited visibility in administrative-only relationships creates monitoring blind spots
- Inconsistent application of the risk-based approach leads to uneven control quality
- Best practice includes systematic ownership mapping and trigger-based monitoring
- Integration of CDD, monitoring, and governance functions distinguishes strong frameworks
The guidance dedicates a full section to common challenges and best practices within the TCSP sector. This is unusual in regulatory guidance and reflects MoET’s recognition that the sector faces structural challenges that go beyond a failure to follow rules.
Challenges the Guidance Identifies
The most persistent challenge is beneficial ownership transparency in multi-layered structures. TCSPs encounter ownership chains that include foreign holding companies, trusts, or foundations in jurisdictions with limited public disclosure requirements. Verification beyond the first or second layer is genuinely difficult, particularly where documentation is incomplete or inconsistent across sources.
A second challenge is over-reliance on customer-provided information at onboarding. The guidance notes that information declared by a client may contradict publicly available data or adverse media. Without independent corroboration, these discrepancies remain undetected.
A third challenge is limited visibility in administrative-only relationships. Where a TCSP only provides a registered office or administrative support without involvement in financial transactions, detecting unusual activity becomes significantly harder.
What Best Practice Looks Like
The guidance describes best practices for TCSPs, which include systematically mapping and documenting ownership and control structures using visual or diagrammatic representations rather than narrative descriptions alone. They cross-check customer-provided information against official registries, regulatory filings, and third-party intelligence tools. They implement trigger-based monitoring mechanisms rather than relying solely on fixed review cycles. And they maintain strong documentation and audit trail practices that clearly record not just what information was collected, but why key decisions were made.
The guidance also describes mature TCSPs as forward-looking: using internal data, typologies, and supervisory feedback to continuously refine controls, updating risk indicators, and incorporating lessons from past cases into staff training and internal guidance.
How TCSPs Are Misused: Typologies from the MoET Guidance
Key Points Under This Section
- Layered corporate structures are the most common vehicle for ML via TCSPs
- Nominee arrangements are used to create a formal separation between legal and beneficial ownership
- Company formation services are misused to create entities with no substantive activity
- Multi-jurisdictional structures exploit regulatory gaps and fragment oversight
- Trusts and foundations can be used to distance beneficial ownership from assets
- Registered office and administrative services can create a veneer of legitimacy
- Fiduciary roles are misused to enhance the perceived legitimacy of illicit structures
The guidance describes eight distinct typologies through which TCSP services may be misused for ML/TF/PF. Understanding these is not an academic exercise. Each one maps directly to a control expectation in your compliance framework.
| Typology | How It Works | Key Control Response |
| Layered corporate structures | Multiple entities across jurisdictions create distance between beneficial owner and assets | Full ownership chain mapping; verify UBO across all layers |
| Nominee arrangements | Nominees provide formal separation from beneficial owner; act on instructions without independent judgement | Document legal relationship; verify UBO behind nominee; ongoing monitoring of use |
| Shell entity formation | Legal entities with no substantive activity used to hold funds, conduct transactions, or create legitimacy | Verify actual business activity; assess economic substance at formation and ongoing |
| Multi-jurisdictional structures | Jurisdictional diversity fragments oversight and exploits regulatory gaps | Assess each jurisdiction’s risk; verify commercial rationale for jurisdictional choices |
| Trust and foundation misuse | Discretionary beneficiaries, broad classes, and cross-border elements obscure beneficial interests | Identify all parties; review trust deeds; monitor distributions and amendments |
| Fiduciary role exploitation | Regulated professional involvement used to enhance legitimacy of illicit structure | Exercise independent judgement; maintain oversight of entity activities |
| Administrative service misuse | Registered office used to create presence without substantive operations | Assess economic substance; verify business activities; monitor financial flows |
| Client account structuring | Client accounts used to move funds between entities or jurisdictions with reduced transparency | Understand purpose of client account use; monitor for structuring patterns |
All 21 MoET Case Studies: Grouped, Interpreted, and Rated
Customer Behaviour: Individual Clients
- The guidance contains 21 case studies covering the full spectrum of TCSP risk scenarios
- Most involve a pattern of individually reasonable changes that become suspicious in aggregate
- Supervisory expectations consistently focus on holistic assessment, not transaction-by-transaction review
- Several case studies test the MLRO’s obligation to escalate even where each step appears procedurally compliant
- Our ratings reflect the complexity of detection, not the severity of the underlying risk
The 21 case studies in the MoET Supplemental Guidance are one of its most valuable features. They show you exactly how MoET expects TCSPs to apply professional judgement in real scenarios. Here we group them by typology, add an AML UAE interpretation, and rate each one by detection difficulty.
How to Read Our Case Study Ratings
Detection Difficulty: Low = clear red flags from the outset | Medium = patterns emerge over time | High = individually reasonable, suspicious only in aggregate
The ratings reflect how challenging detection is in practice, not the severity of the underlying risk. These scenarios should prompt risk reassessment and appropriate escalation. Depending on the facts, the response may include enhanced due diligence, enhanced monitoring, MLRO review, refusal or exit, and, where suspicion is formed, an STR or SAR filing.
Group A: Beneficial Ownership Opacity Through Structural Complexity
| Case Study | Core Scenario | AML UAE Interpretation | Detection Difficulty |
| CS1: Layered Corporate Structure with Frequent Ownership Changes | UAE holding company with offshore shareholders undergoes repeated incremental ownership changes over nine months, each framed as capital restructuring | The nine-month horizon is the point. No single change triggers suspicion. The obligation is to assess the pattern. Most TCSPs process change requests individually and never see the aggregate picture. You need a relationship-level view of structural changes over time. | Medium |
| CS6: Gradual Obscuring Through Corporate Restructuring | Long-standing client repeatedly amends company structure, ownership progressively diluted across multiple jurisdictions, each change individually documented | This is the boiling-frog scenario. Each change comes with documentation. Each change has an explanation. But commercial activity does not grow in proportion to structural complexity. The mismatch between operational reality and structural elaboration is the signal. | High |
| CS13: Parallel Structures with Similar Ownership Patterns | Multiple companies under different client names share identical nominee arrangements, overlapping addresses, and similar governance frameworks | This requires cross-client visibility that most TCSPs do not build into their monitoring systems. The guidance expects you to identify patterns across your portfolio, not just within individual relationships. | High |
| CS19: Client Seeking Limited Transparency in Corporate Records | Client repeatedly asks to minimise ownership information in corporate records and questions documentation requirements | The client’s consistent focus on reducing transparency, even where the structure remains technically legal, is the red flag. Legitimate clients generally accept documentation requirements. Clients who resist them repeatedly warrant enhanced scrutiny. | Medium |
Group B: Nominee and Intermediary Abuse
| Case Study | Core Scenario | AML UAE Interpretation | Detection Difficulty |
| CS2: Nominee Director with Operational Disconnect | TCSP provides nominee director for a company engaged in high-value consultancy; financial control rests with informal parties not in the corporate structure | The nominee director arrangement is legitimate on paper. The red flag is the disconnect between formal governance and actual control. Where instructions consistently come from parties outside the corporate structure, the TCSP must investigate the actual control arrangement and escalate to the MLRO. | Medium |
| CS7: Use of Professional Intermediaries to Distance Control | Foreign client routes all communications through a legal advisor who acts for multiple entities with near-identical structures, all linked to different clients | The use of a well-documented professional intermediary is precisely the kind of scenario where TCSPs lower their guard. But the guidance expects independent verification of beneficial ownership and purpose, regardless of how credible the intermediary appears. Pattern recognition across multiple engagements is key here. | High |
| CS9: Repeated Nominee Arrangements Across Unrelated Entities | CSP provides nominee director services to multiple companies with similar ownership patterns, later finding the same individuals indirectly linked across structures | This demands portfolio-level analysis. Individual onboarding files look clean. The risk only becomes visible when you map connections across your client base. The guidance explicitly expects this cross-client analysis. | High |
| CS21: Unusual Reliance on Powers of Attorney for Corporate Control | Company formally owned and managed by identifiable individuals; operational control exercised via powers of attorney to third parties not in the ownership structure | Powers of attorney used as the primary mechanism for operational control are a significant red flag. The guidance requires TCSPs to identify who actually exercises control, not just who appears on the corporate register. | Medium |
Group C: Shell Entity and Economic Substance Issues
| Case Study | Core Scenario | AML UAE Interpretation | Detection Difficulty |
| CS4: Misuse of Registered Office and Administrative Services (Portfolio) | TCSP provides registered office to multiple entities with overlapping management, all engaging in cross-border consultancy, licensing, and procurement flows | This tests the portfolio-level risk assessment requirement. Individually, each entity may look acceptable. The shared characteristics, the overlapping management, and the transaction patterns across the portfolio are what warrant investigation. | Medium |
| CS8: Inconsistent Business Activity vs Declared Purpose | Company incorporated for general trading shows no identifiable trading activity but repeatedly amends its licensed activities to unrelated sectors | The mismatch between declared purpose and actual activity is the clearest red flag in this group. Periodic reviews should include a check on whether the entity has actually conducted the business it claims to conduct. | Low |
| CS15: Shelf Company for Perceived Credibility | Client acquires older shelf company to present as an established business to counterparties, then remains operationally inactive | This is a misrepresentation risk as much as an ML risk. The TCSP is being used to facilitate a false impression of legitimacy. The guidance requires the compliance officer to assess the intended use and whether the structure creates a misleading impression. | Low |
| CS18: Registered Office Without Genuine Presence | Client uses registered office without any physical presence or operations, periodically requesting official letters confirming UAE presence for use with overseas counterparties | The combination of no operational substance and repeated requests for presence confirmation letters is the key pattern here. TCSPs providing administrative services must assess whether their services are being used to manufacture a perceived footprint. | Low |
Group D: Cross-Border Complexity and Financial Flows
| Case Study | Core Scenario | AML UAE Interpretation | Detection Difficulty |
| CS3: Cross-Border Structuring with Circular Investment Flows | UAE holding company with multi-jurisdictional subsidiaries executes intercompany loans, equity injections, and service agreements that circulate the same pool of funds | Circular fund flows are the defining characteristic of layering. The internal agreements may be formally documented, but economic substance is absent. TCSPs need to assess the economic purpose of transactions, not just their procedural compliance. | Medium |
| CS5: Misuse of Registered Office and Administrative Services | Low-risk general trading client over time introduces offshore ownership, new counterparties, and complex payment arrangements explained as tax efficiency measures | This is the long-term relationship risk. TCSPs often apply less scrutiny to clients they have known for years. The guidance is clear: initial risk assessments do not hold indefinitely. Cumulative changes must trigger reassessment. | High |
| CS12: High-Risk Jurisdiction Entity Post Incorporation | UAE company with local shareholders later introduces a foreign corporate shareholder from a limited-transparency jurisdiction, framed as strategic investment, with no commercial follow-through | The post-incorporation introduction of a high-risk jurisdiction entity without any corresponding commercial activity is a classic escalation trigger. The risk rating of the entire relationship must be reassessed, not just the new shareholder. | Low |
| CS16: Multi-Jurisdictional Structure with Unclear Decision-Making Authority | UAE company administered by TCSP receives instructions from multiple individuals in different jurisdictions with no single authority identified; client claims decisions are made collectively at group level | The absence of a clear decision-making authority in a multi-jurisdictional structure is itself a control concern. TCSPs must be able to identify who exercises ultimate control and document it. Vague governance arrangements warrant escalation. | Medium |
Group E: Governance and Process Failures
| Case Study | Core Scenario | AML UAE Interpretation | Detection Difficulty |
| CS10: Frequent Changes in Authorised Signatories | UAE company undergoes repeated changes in authorised signatories within a short timeframe; each change is procedurally documented but individuals have limited connection to the business | Procedural compliance and risk compliance are different things. Each signatory change passes the formal test. But the pattern of frequent rotation without operational justification suggests an attempt to manage accountability rather than run a business. | Medium |
| CS14: Delayed Disclosure of Beneficial Ownership Changes | Client discloses beneficial ownership changes after regulatory deadlines; subsequent review shows changes occurred significantly earlier than declared | Intentional delay in ownership disclosure is the clearest form of transparency failure. The guidance expects TCSPs to enforce timely disclosure requirements actively and to treat repeated delays as an escalation trigger. | Low |
| CS17: Frequent Changes in Business Activities Without Clear Direction | Company with consultancy licence repeatedly amends activities to unrelated sectors while showing no commercial development in any of them | Activity amendments without commercial development in any direction indicate the entity is being positioned for a purpose other than its stated one. The TCSP’s compliance officer should assess the cumulative picture. | Low |
| CS20: Use of Multiple CSPs for Fragmented Service Provision | Client distributes services across multiple CSPs, each receiving limited visibility; client coordinates between them, providing only partial information to each | This is a deliberate fragmentation strategy designed to prevent any single TCSP from having full visibility. The guidance makes clear that the TCSP’s obligation to understand the full structure does not diminish because other providers are involved. | High |
Group F: Foundation and Trust Misuse
| Case Study | Core Scenario | AML UAE Interpretation | Detection Difficulty |
| CS11: Foundation Without Clear Purpose | Client requests establishment of a foundation citing wealth preservation, with complex multi-jurisdictional governance but no identifiable assets, activities, or defined purpose | Wealth preservation is a legitimate purpose for a foundation. But the inability to identify any assets, activities, or defined mechanism for that preservation means the stated purpose cannot be verified. The guidance expects TCSPs to decline where clarity is not achieved. | Low |
Do your staff know how to respond to these 21 scenarios in practice?
Understanding what a risk looks like on paper is very different from identifying and escalating it in the middle of a client relationship. Our AML consulting team provides TCSP-specific training and scenario-based assessments.
How TCSPs Should Interpret the NRA's Medium Risk Classification in Practice
Key Points Under This Section
- The 2024 UAE NRA classifies the TCSP sector as Medium Risk for ML
- Medium Risk at the national level does not mean Medium Risk at the entity or customer level
The 2024 UAE National Risk Assessment categorises the TCSP sector as Medium Risk for money laundering. This rating has a direct influence on how TCSPs calibrate their internal risk appetite and how they justify the level of resources they allocate to compliance.
The MoET guidance describes a sector characterised by elevated inherent risks from company formation and nominee services, a gatekeeper role that directly influences access to the financial system, consistent identification in national risk assessments as a key vulnerability linked to the misuse of legal persons and arrangements, 21 detailed case studies illustrating complex and hard-to-detect risk patterns, and a red flag framework covering individual behaviour, entity behaviour, transaction behaviour, and additional indicators.
Rather than treating the NRA’s Medium Risk rating as a reason for standardised controls across all TCSP relationships, firms should use it as a sector-level reference point. The guidance makes clear that certain TCSP activities, including nominee arrangements, complex ownership chains, cross-border structuring, and trust or foundation services, may require enhanced scrutiny.
The AML UAE Perspective on the Medium Risk Classification
The Medium Risk classification reflects the NRA’s assessment of the sector as a whole relative to other sectors in the UAE economy. It does not mean that individual TCSPs, client relationships, or transaction types within the sector are medium risk. The guidance itself is explicit that certain activities within the TCSP sector, including nominee arrangements, cross-border structuring, and trust services, carry elevated risk that requires enhanced controls.
The practical implication is this: if your internal risk framework defaults to medium-risk treatment across your TCSP business simply because the NRA says the sector is Medium Risk, you are almost certainly miscalibrating your controls. The guidance expects TCSPs to apply the NRA findings in a nuanced and operationalised way, not as a sector-wide risk floor.
We recommend that TCSPs treat the Medium Risk NRA classification as the baseline for their lowest-risk, highest-transparency clients with no elevated customer, transaction, or geographic risk factors. For every scenario involving nominee arrangements, cross-border elements, or complex ownership structures, the internal risk assessment should reflect elevated risk regardless of the sector-level NRA classification.
Red Flag Indicators from the MoET Supplemental Guidance for TCSPs: A Practical Reference
Key Points Under This Section
- Red flags are grouped across individual customer behaviour, entity and arrangement behaviour, and transaction behaviour
- The presence of one red flag does not automatically confirm suspicious activity
- Multiple concurrent red flags warrant escalation to the MLRO regardless of transaction value
- The MLRO must assess, document, and determine whether circumstances give rise to suspicion
- Declining to report because no transaction occurred does not extinguish the reporting obligation
The guidance contains an extensive and well-structured set of red flag indicators. These are not a checklist to be completed at onboarding and filed away. They are a living reference that should inform monitoring, trigger reassessment when observed during the relationship, and feed into the MLRO’s STR and SAR decision-making process. Some of these red flags are as follows:
Individual Customer Behaviour Red Flags
- Refuses to provide personal, business, or financial information
- Provides inconsistent or incomplete information across different interactions
- Avoids personal contact or in-person meetings without justification
- Does not maintain contact after the initial establishment of a legal entity
- Refuses to disclose the identity of the beneficial owner, source of wealth, or nature of business dealings
- Withdraws, becomes unresponsive, or terminates the relationship following EDD requests
- Applies pressure to expedite incorporation or documentation while discouraging due diligence
- Is under investigation, has criminal connections, or appears in adverse media
- Is a PEP or has associations with a PEP inconsistent with their official duties
- Appears unfamiliar with the details of the transaction they are requesting
Legal Entity and Arrangement Red Flags
- Cannot demonstrate actual business activity or provide evidence of operations
- Uses an address linked to multiple unrelated companies
- Has dormant status that suddenly becomes active without explanation
- Uses overly complicated ownership or management structures without justification
- Uses nominee agreements, shelf companies, or offshore trusts to obscure beneficial ownership
- Requests use of foreign private foundations in secrecy jurisdictions
- Engages in rapid changes to company ownership, management, or structure shortly after establishment
- Is registered in a tax haven or jurisdiction with weak AML regulations
- Has directors or shareholders who are difficult to contact or appear uninvolved
- Uses the same individuals as directors or shareholders across multiple companies
- Requests to backdate incorporation documents, share transfers, or directorship appointments
Transaction Behaviour Red Flags
- Conducts high-value transactions inconsistent with their profile or financial history
- Uses multiple accounts or funding sources without a clear rationale
- Requests transactions with excessive secrecy or through anonymous instruments
- Engages in frequent or high-value intercompany loans with no clear economic purpose
- Sends or receives funds to and from high-risk jurisdictions without justification
- Uses cash as collateral for loans from foreign institutions
- Makes significant capital contributions inconsistent with company size or industry norms
- Breaks down transactions into smaller parts to avoid reporting requirements
- Receives payments from unrelated third parties with no apparent connection
- Prefers unusual payment methods such as virtual assets or precious metals
“In our experience reviewing TCSP compliance programmes, the registered office risk area is consistently underestimated. Firms set up good onboarding processes for company formation clients but apply almost no CDD to entities that only use their address. The guidance is clear: even if your only service to an entity is providing its registered address, you still have minimum CDD obligations. And if you have fifty entities at the same address with overlapping management and no discernible business activity, that portfolio-level pattern is itself a red flag that requires investigation at the group level, not just entity by entity.”
Common Challenges in the IAA Sector: What the SRA Found
TCSP Compliance Gap Scorecard: Where Does Your Firm Stand?
- Use this scorecard to identify gaps between your current controls and the MoET Supplemental Guidance for TCSPs expectations
- Score each item honestly: Yes (2 points), Partial (1 point), No (0 points)
- A score below 70% indicates significant remediation priorities
- Share this assessment with your MLRO and senior management
The following scorecard is an AML UAE practical self-assessment tool derived from the guidance. It is not an MoET scoring methodology and does not represent an official supervisory assessment framework.
Rate each item: Yes (2 points) | Partial (1 point) | No (0 points). Total possible score: 60 points.
| Control Area | Assessment Question | Your Score (0/1/2) |
| Risk Framework | Is your Business Risk Assessment aligned with the UAE NRA and the TCSP Sectoral Risk Assessment, and updated at least annually? | |
| Risk Framework | Does your risk assessment specifically address the five sector-specific risk areas in the MoET Supplemental Guidance for TCSPs? | |
| Policies and Procedures | Do your policies cover all seven core obligations including sanctions compliance and reporting? | |
| Policies and Procedures | Were your policies updated following the UAE Federal Decree-Law No. 10 of 2025 and its implementing regulation under Cabinet Resolution No. 134 of 2025? | |
| Customer Due Diligence | Does your CDD process go beyond identity verification to assess purpose, structure, and economic rationale? | |
| Customer Due Diligence | Do you have a documented source of wealth process for higher-risk customers, distinct from source of funds? | |
| Beneficial Ownership | Can you demonstrate that beneficial ownership has been identified and verified across all layers, not just the first? | |
| Beneficial Ownership | Do you independently corroborate beneficial ownership information using sources beyond the customer’s own declarations? | |
| Nominee Services | Do you have a specific policy and enhanced oversight process for nominee director and shareholder arrangements? | |
| Ongoing Monitoring | Does your monitoring framework include trigger-based reassessments, not just annual reviews? | |
| Ongoing Monitoring | Do you have a process to identify and escalate the trigger events listed in the guidance? | |
| STR and SAR Reporting | Does your internal escalation process ensure that suspicions reach the MLRO without delay? | |
| MLRO and Governance | Does your MLRO have the time, authority, and access to actively review high-risk relationships? | |
| Record Keeping | Can your records allow a competent authority to reconstruct the rationale for every risk decision without oral explanation? | |
| Cross-Border Structures | Do you apply a higher standard of scrutiny and enhanced internal review to cross-border and multi-jurisdictional structures? | |
| Staff Training | Have your frontline staff been trained on the TCSP-specific risk scenarios and red flags in this guidance? | |
| Registered Office | Do you apply CDD requirements to entities using your registered office address even if they use no other services? | |
| Portfolio Monitoring | Do you have a process to identify risk patterns across your client portfolio, not just within individual relationships? | |
| Sanctions Compliance | Do you screen all beneficial owners and related parties, not just primary customers, against sanctions lists? | |
| Cross-Client Analysis | Do you have a process to identify when the same individuals appear across multiple client structures? |
Interpreting Your Score
50 to 60 points (83% to 100%): Your framework is broadly aligned with the guidance. Focus on documentation quality and continuous improvement.
35 to 49 points (58% to 82%): Material gaps exist. Prioritise beneficial ownership, ongoing monitoring, and governance.
Below 35 points (under 58%): Significant remediation required. Consider an external AML health check before your next supervisory engagement.
Scored below 70% on the compliance gap scorecard?
Do not wait for a supervisory inspection to surface the gaps. Our team at AML UAE provides targeted remediation support for UAE TCSPs across all compliance dimensions covered by this guidance.
TCSP Compliance Obligations Timeline: What Triggers What
Key Points Under This Section
- Compliance obligations in the TCSP sector are event-driven as well as time-driven
- Formation or onboarding triggers the full CDD cycle before the relationship commences
- Ongoing triggers include structural changes, ownership changes, and behavioural shifts
- Suspicious activity triggers an STR or SAR obligation regardless of transaction value or completion
- Periodic reviews serve as a backstop but do not replace trigger-based monitoring
The guidance does not present TCSP compliance obligations in a linear way. In practice, obligations are activated by specific events across the lifecycle of a client relationship.
Frequently Asked Questions About the MoET Supplemental Guidance for TCSPs
Is this guidance legally binding on UAE TCSPs?
The guidance itself clarifies that it does not constitute additional legislation or regulation. However, it sets out how MoET will assess compliance with Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, which are legally binding. In a supervisory inspection, failure to meet the standards set out in the guidance will likely be treated as evidence of non-compliance with those binding instruments. Treat the guidance as an important supervisory reference for demonstrating compliance with the binding AML/CFT/CPF framework.
My firm only provides registered office services. Does this guidance apply to me?
Yes. The guidance explicitly states that providing a registered office, work address, correspondence address, or administrative address for a legal person or legal arrangement is one of the five activities that trigger TCSP obligations under the UAE AML/CFT framework. You are required to apply minimum CDD requirements to all entities using your address, even if you have no other relationship with them.
What does the guidance mean by beneficial ownership verification across all layers?
It means identifying the natural person who ultimately owns or controls the legal structure, whether directly or through a chain of companies, trusts, or other arrangements. You cannot stop at the first company layer and record that company as the beneficial owner. You must follow the ownership chain until you reach a natural person. For complex multi-jurisdictional structures, this may require reviewing corporate registries in multiple jurisdictions, obtaining certified documentation, and using third-party intelligence tools.
How is an STR different from a SAR, and which one applies to TCSPs?
An STR (Suspicious Transaction Report) is filed where a specific transaction is the basis of suspicion. A SAR (Suspicious Activity Report) is filed where the suspicion arises from activity, behaviour, or circumstances rather than a specific transaction. Both apply to TCSPs. The guidance explicitly notes that suspicion may arise from the formation, administration, or restructuring of legal persons, from customer behaviour, from inconsistencies in information, or from the absence of a clear economic rationale. None of these requires a specific transaction to have occurred.
Can a TCSP rely on due diligence conducted by a third-party intermediary?
The guidance is cautious on this point. While reliance on third-party CDD is permitted under the UAE framework in certain circumstances, the TCSP retains ultimate responsibility for the adequacy of the information obtained. Where an intermediary is used, the TCSP must ensure it can independently verify the accuracy and completeness of the information, particularly for beneficial ownership. The guidance specifically flags heavy reliance on intermediaries without direct engagement with the beneficial owner as a red flag in Case Study 7.
The NRA rates TCSPs as Medium Risk. Can we use that to justify lower-intensity controls?
No. The guidance states that TCSPs must integrate NRA findings into their internal risk assessment frameworks. The Medium Risk classification is a sector-level average, not a floor for individual customer or transaction risk. The guidance explicitly expects TCSPs to apply enhanced scrutiny to nominee arrangements, cross-border structures, and complex ownership chains regardless of the sector-level NRA rating. Your internal risk appetite must reflect the actual risk of each client relationship and each service type, not a sector average.
What is the tipping-off prohibition, and how does it affect how we handle suspicious clients?
TCSPs are strictly prohibited from disclosing to a customer or any third party that an STR or SAR has been filed, that one is intended to be filed, or that an investigation is underway. This prohibition extends to any information that could reasonably lead the customer to become aware of such reporting. Importantly, the guidance clarifies that taking steps to delay a transaction, decline a service, or request additional information for legitimate compliance purposes does not constitute tipping-off, provided these actions are conducted without revealing the existence of a report or suspicion.
How often should we update our Business Risk Assessment?
The guidance requires the Business Risk Assessment to be documented, regularly updated, and aligned with national and sectoral risk findings, including the NRA and relevant Sectoral Risk Assessments. It does not specify a fixed frequency. In practice, an annual review is a prudent minimum, with earlier updates triggered by changes in the NRA, SRA, supervisory guidance, business model, client base, or emerging typologies.
We use a standard form agreement for our nominee director service. Is that sufficient?
Not on its own. The guidance requires TCSPs to clearly document the legal and contractual relationship between the nominee and the beneficial owner, understand the scope and limitations of the nominee’s authority, and maintain ongoing awareness of how the entity is being used. A standard form agreement may cover the contractual dimension, but it does not satisfy the ongoing monitoring, beneficial ownership verification, and governance oversight requirements. Nominee services require enhanced procedures, not just standard documentation.
What should we do if a client refuses to provide enhanced due diligence information?
The guidance is clear: where material uncertainties remain unresolved, the TCSP should decline to establish the relationship or exit an existing one, and should consider whether the circumstances warrant internal escalation or external reporting. A client’s withdrawal, unresponsiveness, or termination of the relationship following EDD requests is itself listed as a red flag indicator. Document everything. Escalate to the MLRO. If the circumstances meet the reporting threshold, file an STR or SAR with the FIU.
Conclusion: From Guidance to Action
The MoET Supplemental Guidance for Trust and Company Service Providers is one of the most detailed sector-specific AML/CFT/CPF documents the UAE has produced. As AML UAE’s analysis demonstrates, it reflects a regulatory environment that has moved decisively beyond tick-box compliance and toward genuine, evidence-based supervision.
The message running through every section is consistent: the quality of your professional judgement matters as much as the completeness of your documentation. Supervisors will assess whether your controls work in practice, not just whether they exist on paper.
For TCSP operators, the practical priorities are clear. Revisit your scope and ensure you have correctly identified all the activities that trigger your obligations. Stress-test your beneficial ownership processes against complex, multi-layered structures. Build trigger-based monitoring into your operational workflows. Invest in your MLRO’s capacity to do the role properly. And use the 21 case studies in the guidance as a training resource for your frontline teams.
If the compliance gap scorecard in this article surfaced significant gaps, the time to address them is now, before a supervisory engagement does it for you.
AML UAE: Your Specialist Partner for TCSP Compliance in the UAE
Our team of qualified AML professionals, led by CAMS-certified consultants with deep UAE DNFBP experience, helps TCSPs build, test, and remediate their AML/CFT/CPF compliance frameworks. From Business Risk Assessments to MLRO support to staff training, we cover the full spectrum of TCSP compliance needs.
Share via :
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.
Reach Out to Pathik