Supplemental Guidance for Lawyers, Notaries, and Other Legal Professionals in the UAE

Last Updated: 06/18/2026

Legal Professionals Guidance in a Nutshell

Lawyers, notaries, and other independent legal professionals in the UAE are classified as Designated Non-Financial Businesses and Professions (DNFBPs) under Cabinet Resolution No. 134 of 2025 when they prepare or carry out transactions for clients involving:

  • buying or selling real estate;
  • managing client money, securities or other assets;
  • managing bank, savings or securities accounts;
  • organising contributions for the creation, operation or management of companies; or
  • creating, operating or managing legal persons or arrangements, including buying and selling business entities.

When acting in these capacities, they must:

  • register on goAML;
  • conduct risk-based customer due diligence;
  • screen against the UAE Local Terrorist List and UN Consolidated List;
  • file Suspicious Transaction Reports without delay through goAML;
  • appoint an MoJ-approved Compliance Officer;
  • retain records for five years; and
  • implement AML/CFT/CPF policies, training, and independent audit.

If you run a law firm, work as a legal consultant, or operate a notary practice in the UAE, you have a specific set of anti-money laundering (AML) obligations that go beyond what most people assume. The Ministry of Justice (MoJ) has issued guidance, grounded in Federal Decree-Law No. 10 of 2025, that spells out exactly what is expected of legal professionals.

This article covers what inspectors actually look for when they inspect law firms, the most common gaps we see during compliance reviews, real-world scenarios, and a self-assessment checklist at the end. Whether you are a senior partner, a newly appointed compliance officer, or a fee earner who simply wants to understand your personal obligations, this guide is for you.

What this article covers:

  • Why legal professionals are classified as DNFBPs and what that means in practice
  • The legal framework that applies to your firm right now
  • Risk assessment: what it means and how to do it properly
  • Customer due diligence: the rules, thresholds, and how to apply them
  • Enhanced due diligence: when it applies and how deep you need to go
  • Suspicious transaction reporting: your personal obligation and timeline
  • Sanctions screening: the EOCN, UNSC, and UAE Cabinet lists
  • Proliferation financing: an often-overlooked obligation
  • Compliance officer appointment: conditions and responsibilities
  • Recordkeeping, training, and penalties
  • A compliance readiness self-assessment table

What Is a DNFBP and Why Does It Include Legal Professionals?

DNFBP stands for Designated Non-Financial Business or Profession. The term was developed by the Financial Action Task Force (FATF) to capture sectors outside banking that can still be used to launder money or finance terrorism. In the UAE, this category is defined in Federal Decree-Law No. 10 of 2025 and its executive regulations issued under Cabinet Resolution No. 134 of 2025.

Lawyers, notaries, and other independent legal professionals fall into the DNFBP category, but only when they are performing specific types of work on behalf of clients. This is a critical distinction.

| Activity | Does it trigger AML obligations? |
| --- | --- |
| Buying or selling real estate on behalf of a client | Yes |
| Managing client funds in a client account | Yes |
| Managing a client’s bank, savings, or securities account | Yes |
| Setting up a company, trust, or other legal arrangement for a client | Yes |
| Buying or selling a business on a client’s behalf | Yes |
| Organising capital contributions for a business | Yes |

The key takeaway here is that your AML obligations attach to the transaction, not the relationship. A client you have known for 20 years still needs to go through due diligence if you are handling their property purchase or company formation.

The Legal Framework: What Laws Apply to Your Firm Today

The UAE overhauled its AML legal framework in 2025. Two instruments now form the foundation of everything:

  • Primary Law: Federal Decree-Law No. 10 of 2025 on AML/CFT/CPF
    • Effective 14 October 2025. This replaces the previous 2018 legislation.
    • Defines money laundering, terrorism financing, and proliferation financing offences.
    • Sets out the obligations of DNFBPs, including all legal professionals.
  • Executive Regulations: Cabinet Resolution No. 134 of 2025
    • Effective 14 December 2025.
    • Provides detailed rules on CDD, enhanced due diligence, third-party reliance, compliance officer requirements, and reporting.

Important: Do not rely on pre-2025 guidance

Any AML policy, procedure, or training material your firm produced before October 2025 must be reviewed and updated. The 2018 and 2019 primary legislation has been superseded. The core framework is now Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025. However, a number of supporting instruments remain operative and should not be discarded, including Cabinet Decision No. 74 of 2020 (TFS obligations), Cabinet Decision No. 71 of 2024 (administrative penalty schedule), Cabinet Decision No. 65 of 2024 (MoJ AML Department), and Minister of Justice Decision No. 248 of 2025 (supervisory procedures). If your compliance officer is using the old primary legislation as their reference, your firm is already out of date.

The Ministry of Justice (MoJ) is the designated supervisory authority over lawyers and notaries in the UAE, including entities in free zones and financial free zones. This was established by Cabinet Decision No. (3/1 W) of 2019 and reinforced under the current framework.

Within the MoJ, the Anti-Money Laundering and Counter-Terrorism Financing Department carries out inspections, issues guidance, maintains a database of compliance officers, imposes administrative sanctions, and liaises with the Financial Intelligence Unit.

Risk Assessment: The Foundation of Everything

The risk assessment is not optional, and it is not a one-time exercise. Every law firm and legal consultancy in the UAE must identify, assess, and document the money laundering and terrorism financing risks it faces, and must update this assessment periodically. The MoJ can request your written risk assessment at any time.

Why does a risk assessment matter?

Think of it this way: your risk assessment is the document that justifies every other decision you make in your compliance programme. If you apply enhanced due diligence to a particular client, the reason should trace back to your risk assessment. If you decide simplified due diligence is appropriate in a specific situation, the logic must be documented in writing.

Without a credible, up-to-date risk assessment, your entire compliance programme is built on sand. The MoJ inspection team will look for it first.

The risk dimensions you must assess

The framework requires you to assess risk across three categories:

| Risk Dimension | What you need to assess |
| --- | --- |
| Client risks | What types of clients do you serve? Are any in high-risk categories: PEPs, non-residents, clients with complex ownership structures, clients who prefer non-face-to-face interaction, or clients from high-risk countries? |
| Geographic risks | Where do your clients operate? Where does money move to and from? Are any jurisdictions identified by FATF, MENAFATF, the UAE National Committee for Combating Money Laundering, or other competent UAE authorities as high-risk or subject to enhanced monitoring? |
| Service and delivery channel risks | Which of your services are most vulnerable to misuse? Are you delivering services remotely without identity verification safeguards? Are clients using intermediaries or agents to avoid direct contact with your firm? |

Scoring your risks

Once you have mapped your risks across these three dimensions, you need to assign a risk level to each: high, medium, or low. You then overlay the controls you already have in place and identify residual risk. Residual risks that fall outside your current controls require additional mitigating action.

This should be a written document, reviewed and signed off by senior management, and updated at least annually or whenever there is a material change to your client base, services, or operating environment.

“The most common misunderstanding I see in law firms is the assumption that because they are lawyers, they are automatically covered by legal professional privilege and do not need AML systems. That is wrong. Privilege protects certain communications. It does not exempt you from CDD, screening, or reporting obligations when you are handling a triggering transaction. The MoJ’s inspection regime is specifically designed to test whether firms understand this line.”

Pathik Shah - CAMS, FCA, CISA | Founder and Principal Consultant, NIYEAHMA Consultants LLP

Customer Due Diligence: The Rules, Thresholds, and How to Apply Them

Customer due diligence (CDD) is the process of identifying who you are dealing with, understanding the nature of your relationship with them, and verifying that the information they have given you is genuine. It is not just an onboarding exercise. It continues throughout the relationship.

When is CDD required?

CDD must be applied in the following circumstances, without exception:

  • When establishing a new business relationship with any client
  • When there is any suspicion of criminal activity, regardless of the amount
  • When you have doubts about the accuracy or completeness of the identification data you have already collected

What does CDD require you to collect?

The requirements differ depending on whether your client is an individual or a company.

| Client Type | What to collect and verify |
| --- | --- |
| Natural person (individual) | Full name as per valid identity card or passport (certified copy attached). Nationality. Address and place of birth. Employer name and address. Confirmation of whether the individual is a Politically Exposed Person (PEP) to obtain senior management approval for onboarding. |
| Legal person (company) | Name, legal form, and articles of incorporation. Registered address or principal place of business. If foreign entity: name and address of UAE legal representative. Memorandum of association or equivalent, approved by the competent UAE authority. Names of senior management. |
| Legal arrangement (trust etc.) | Identity of trustee, settlor, and equivalent roles. Identity of beneficiaries or classes of beneficiaries. Identity of any person exercising ultimate effective control. |

Identifying the beneficial owner: the 25% rule

For companies, you must identify the natural person who ultimately owns or controls 25% or more of the entity. If that person cannot be identified, or if the controlling shareholder is not the true beneficial owner, you must identify the natural persons holding senior management positions instead.

Do not stop at the first layer of ownership. If your client is a holding company owned by another holding company, you need to work through the structure until you reach the natural person at the top.

What if CDD cannot be completed?

This is a hard rule: if you cannot complete CDD, you cannot take on the client, you cannot proceed with the transaction, and you cannot continue an existing relationship. In addition, you must consider filing a Suspicious Transaction Report (STR) with the Financial Intelligence Unit via the goAML system. Not completing CDD is not a neutral outcome. It triggers a reporting obligation.

Enhanced Due Diligence: When Standard CDD is Not Enough

Enhanced due diligence (EDD) applies when you are dealing with higher-risk clients or transactions. It means doing more: collecting more information, verifying it more rigorously, updating it more frequently, monitoring the relationship more intensively, and obtaining senior management approval before proceeding.

High-risk clients: who they are

The following client types are considered high-risk by default and require EDD:

  • Clients from countries identified by FATF, MENAFATF, the UAE National Committee for Combating Money Laundering, or other competent UAE authorities as high-risk or subject to enhanced monitoring
  • Non-residents who do not hold a valid UAE identity document
  • Clients with complex ownership structures that make it difficult to identify the beneficial owner
  • Clients conducting large cash transactions
  • Clients conducting complex transactions with unclear economic or legal purpose
  • Clients transacting with unknown third parties
  • Clients who refuse face-to-face interaction and cannot be verified through other robust means
  • Politically Exposed Persons and their immediate family members and close associates
  • Any client whom the lawyer reasonably determines to present high risk

Politically Exposed Persons (PEPs): a closer look

A PEP is any person who holds or has held a prominent public function, including heads of state, senior politicians, senior government officials, senior judiciary or military officers, senior executives of state-owned enterprises, and senior officials of international organisations. The definition also extends to their immediate family members and known close associates.

When you identify a PEP in your client base, you must:

  • Take reasonable steps to identify the source of their funds and their wealth
  • Assess the legitimacy of that source, including their professional and financial background
  • Obtain senior management approval before establishing or continuing the relationship
  • Apply enhanced ongoing monitoring throughout the relationship

For domestic PEPs and former international organisation officials, EDD applies only when the relationship is classified as high-risk. But given the inherent nature of PEP relationships, that threshold is almost always met in practice.

High-risk countries: where to find the lists

The FATF publishes two lists: the ‘black list’ of countries subject to a call for action, and the ‘grey list’ of countries under increased monitoring. Both are updated regularly. In addition, the National Committee for Combating Money Laundering publishes its own guidance on high-risk jurisdictions. You should check both the FATF list and the UAE national list before establishing any relationship involving a foreign jurisdiction.

Simplified due diligence: when is it allowed?

Simplified due diligence (SDD) is only permitted for clients you have assessed as low-risk, based on a documented risk assessment. It allows you to verify identity after the relationship starts (rather than before), update information less frequently, and reduce the intensity of ongoing monitoring.

SDD is never allowed when there is any suspicion

Even a single indicator of suspicious activity removes the option of applying simplified due diligence. If your compliance officer spots a red flag, SDD must stop immediately, standard or enhanced CDD must be applied, and the suspicious transaction must be reported. There is no middle ground.

Suspicious Transaction Reporting: Your Personal Obligation

Reporting suspicious transactions is one of the most serious obligations in the AML framework. It is not limited to your compliance officer. Every lawyer and member of staff in your firm has a personal obligation to report internal suspicions to the compliance officer. The compliance officer then decides whether to file an STR externally via goAML.

What counts as suspicious?

A suspicious transaction is any dealing involving funds that you suspect, or have reasonable grounds to suspect, are connected to a crime, terrorism financing, or proliferation financing. The suspicion does not need to be proven. It does not need to reach a specific value. It can relate to a transaction that was attempted but never completed.

Suspicion can arise from:

  • The pattern or structure of transactions that seems unusual for the client
  • Information gathered during the CDD process that does not add up
  • A client who is evasive about the purpose of a transaction or the source of funds
  • A transaction that has no obvious legitimate economic or legal purpose
  • A client who is on or connected to a sanctions list

The tipping-off prohibition

Once a suspicion has been identified and reported internally, you must not tell the client that they have been reported or that a report is being prepared. This is the tipping-off prohibition. Breaching it is itself a criminal offence. The only thing a lawyer can do without breaching this prohibition is attempt to dissuade a client from engaging in unlawful conduct, which is not considered disclosure.

The timeline: what 'without delay' means

The regulations require STRs to be submitted ‘without delay.’ In practice, this means:

  • Every member of staff must report internal suspicions to the compliance officer immediately upon identifying them
  • The compliance officer must file the external STR via goAML at the moment they determine that the suspicion is genuine and reportable

There is no grace period. If you know, you report. Sitting on a suspicion for days while waiting to gather more evidence is not compliant behaviour.

The legal professional privilege exemption

Lawyers are exempt from the STR obligation only when the information giving rise to the suspicion was obtained in the course of assessing the client’s legal position, or when defending or representing the client in judicial proceedings, arbitration, or mediation. This exemption applies before, during, and after those proceedings.

Critically, this exemption does not apply to the CDD obligation, the sanctions screening obligation, or the obligation to maintain records. It only applies to the STR reporting obligation in the specific privileged contexts described above.

Targeted Financial Sanctions and Sanctions Screening

Sanctions compliance is not the same as AML compliance. It is a parallel obligation, and the consequences of missing a sanctions match are severe. Every UAE law firm must screen its clients, beneficial owners, counterparties, and transaction parties against two sets of lists.

The two applicable lists

  • The UAE Domestic Terrorism List: Issued by the UAE Cabinet, this list includes individuals, entities, and organisations involved in or connected to terrorist activities.
  • The UN Security Council Consolidated Sanctions List: Maintained by the United Nations, this list covers individuals and entities designated for activities threatening international peace and security, including terrorism and weapons proliferation.

Both lists are accessible through the Executive Office for Control and Non-Proliferation (EOCN) at https://www.uaeiec.gov.ae/en-us/. Register on the EOCN platform to receive email notifications whenever the lists are updated.

The freezing obligation

If you identify a match during screening, you must freeze the client’s assets immediately, without notice to them.

You must also establish internal policies that prohibit staff from informing the matched individual or any third party that a freeze is being implemented.

Who must be screened, and when?

Screening should be applied to:

  • All existing clients in your database
  • All new clients before onboarding
  • All prospective clients before any serious engagement
  • Beneficial owners of all clients
  • All individuals and entities with direct or indirect relationships to your clients
  • All parties to any transaction you are handling

Re-screening must be triggered whenever a new name is added to either list. The term ‘without delay’ in this context means within hours of a designation by the UN Security Council or the UAE Cabinet, not within days.

“When we conduct compliance gap assessments for law firms, the first thing we check is whether the firm’s policies are anchored to the 2025 Decree-Law and the 2025 executive regulations. Almost every firm we have assessed in the past year was still referencing the old legislation. The MoJ’s inspection team will check this immediately. Getting your legal references right is not a detail, it is a foundational credibility test.”

Jyoti Maheshwari - Partner, NIYEAHMA Consultants LLP

Countering Proliferation Financing: The Obligation Most Firms Overlook

Proliferation financing refers to the risk that funds, assets, or economic resources are raised, moved, or used to support the development or acquisition of weapons of mass destruction. This includes nuclear, chemical, and biological weapons, their delivery systems, and dual-use technologies that could be exploited for weapons programmes.

It is an area that many law firms have not fully integrated into their compliance programmes. The MoJ guidebook makes clear that this is a standalone obligation, not a subset of AML or CFT.

What are dual-use goods?

Dual-use goods are products with legitimate civilian applications that can also be used for weapons development. If you are acting on a transaction involving goods that could potentially be dual-use, you should request technical specifications, end-use declarations, and end-user information from your client.

This is particularly relevant for law firms acting in trade finance, logistics, and cross-border commercial transactions.

What must your policies cover?

  • Periodic updating of policies to reflect new proliferation risks and regulatory guidance
  • Enhanced CDD for clients connected to cross-border transactions involving dual-use materials
  • Screening against EOCN and UNSC sanctions lists as part of routine onboarding
  • Staff training on proliferation financing red flags
  • Documentation of all procedures, with records retained for five years

The EOCN has published a dedicated guidance manual on countering proliferation financing for DNFBPs, available on their website at https://www.uaeiec.gov.ae/en-us/. The MoJ AML Department specifically recommends that law firms review this manual. It is practical, accessible, and directly relevant to the inspection criteria.

Appointing a Compliance Officer: Conditions, Duties, and the MoJ Approval Process

Every law firm and legal consultancy in the UAE must appoint a compliance officer. This person is the single point of accountability for your AML/CFT/CPF programme. They must be genuinely empowered to perform their role, given access to all relevant information and client files, and supported by senior management.

Who can be appointed?

The compliance officer must meet all of the following conditions:

  • Be at least 21 years of age
  • Hold a university or higher institute qualification recognised in the UAE
  • Possess appropriate competence and experience in AML/CFT
  • Be fully legally competent, of good conduct and reputation
  • Have no conviction for a felony or a misdemeanour involving dishonesty or breach of trust

Critically, prior approval from the MoJ Anti-Money Laundering and Counter-Terrorism Financing Department is required before the appointment is formalised. This is not a post-appointment notification. You cannot let a compliance officer start work and then notify the MoJ. Approval must come first.

The eight core duties

Once appointed, the compliance officer’s core duties are:

  • Monitor all transactions related to potential criminal activity
  • Review records, assess suspicious transaction indicators, and decide whether to file or retain with documented reasons
  • Review the firm’s internal AML/CFT/CPF systems and assess their consistency with the 2025 Decree-Law
  • Evaluate the firm’s adherence to its own policies and recommend improvements
  • Prepare semi-annual reports for senior management and submit a copy to the MoJ AML Department
  • Build, implement, and document ongoing training programmes for all staff
  • Cooperate fully with the MoJ, the FIU, and other competent UAE authorities
  • Verify suspicious transactions, file STRs, and provide information to authorities as required

Recordkeeping, Training, and Internal Policies

The five-year retention rule

All records related to client due diligence, transaction monitoring, STRs, and business correspondence must be retained for a minimum of five years. The five-year clock starts from the latest of the following events:

  • Completion of the transaction
  • Termination of the business relationship
  • Account closure
  • Completion of a one-off transaction
  • Completion of an MoJ inspection
  • Conclusion of an investigation
  • Issuance of a final court judgment

Records must be organised in a way that allows data analysis and transaction tracing. They must be made available to the MoJ immediately upon request. This means your record-keeping system needs to be searchable, not just stored.

Training: what the programme must actually cover

Your training programme must go beyond explaining the law. It must cover:

  • The firm’s own internal policies, procedures, and controls
  • The specific responsibilities and duties of each category of staff under UAE legislation
  • How to identify red flags in client behaviour, transactions, and instructions
  • How to report internally to the compliance officer
  • Updates on new risks, typologies, and emerging methods of money laundering

Training records must be maintained and made available to MoJ inspectors on request. The MoJ AML Department also runs its own annual training programme, including workshops that are available free of charge. Your compliance officer should be attending these as a minimum.

Administrative Sanctions and Criminal Penalties: What Non-Compliance Looks Like

Non-compliance with AML/CFT/CPF obligations exposes your firm and your individual staff members to both administrative and criminal consequences. The MoJ inspection regime is active, risk-based, and increasingly data-driven.

The inspection process

The MoJ conducts both desk-based and field inspections. When a violation is identified, the process is:

  • The MoJ notifies the firm of the alleged violation and sets a deadline for corrective measures and supporting documentation
  • The MoJ reviews the response and either accepts it or refers a report to the Undersecretary
  • If referred, a reasoned decision is issued imposing one or more sanctions
  • The firm is notified of the sanction decision within 20 business days of its issuance

The MoJ can bypass the corrective measures step entirely when: a previously corrected violation recurs, there is clear governance failure, or there is a serious breach of AML/CFT procedures.

The seven types of administrative sanction

  • Warning
  • Administrative fine
  • Prohibition from working in the relevant sector for a specified period
  • Restriction of the powers of managers found responsible
  • Suspension of managers found responsible, or request for their replacement
  • Suspension or restriction of professional practice for a specified period
  • Revocation of licence

The MoJ may also publish imposed sanctions through media outlets. In a reputation-sensitive sector like legal services, this is a significant deterrent.

The appeal process

A firm can appeal an administrative sanction within 30 business days of notification by submitting a substantiated appeal with supporting documentation to the Minister of Justice. If no response is received within 40 business days of submission, the appeal is deemed rejected. Legal challenge cannot be initiated before the appeal process is completed.

Criminal liability is personal

The criminal penalties under Federal Decree-Law No. 10 of 2025 (Arts. 26–35) apply to individuals, not just firms. A lawyer or compliance officer who knowingly fails to report a suspicious transaction, or who tips off a client, faces personal criminal exposure. AML compliance is not just a firm-level obligation.

“A risk assessment needs to be a living document. I have seen firms spend significant time producing a beautiful risk assessment in year one and then leave it untouched for three years. By the time the inspector arrives, the client base has changed, the firm has expanded into new services, and the assessment no longer reflects reality. The MoJ is increasingly sophisticated in cross-referencing your assessment against your actual client files. Gaps are very visible.”

Dipali Vora - Partner, NIYEAHMA Consultants LLP

Compliance Readiness Self-Assessment

Use the table below to assess your firm’s current compliance status. This is not a substitute for a formal compliance review, but it will give you a clear picture of where your gaps are.

| Compliance Requirement | Category | Your Status (tick or note) |
| --- | --- | --- |
| Business-wide risk assessment documented and signed off by senior management | Required | |
| Internal AML/CFT/CPF policies, procedures, and controls in place | Required | |
| Compliance Officer appointed and approved by MoJ AML Department | Required | |
| Compliance Officer semi-annual reports submitted to management and MoJ | Required | |
| CDD procedures applied for all clients at onboarding | Required | |
| EDD applied for high-risk clients, PEPs, and high-risk country connections | Required | |
| Sanctions screening against the UAE Local Terrorist List and the UN Security Council Consolidated Sanctions List, with NAS registration on the EOCN platform for list update notifications | Required | |
| goAML account registered and STR reporting channel tested | Required | |
| Records retained for minimum 5 years from transaction completion | Required | |
| Staff AML/CFT training programme documented with attendance records | Required | |
| Proliferation financing risks assessed and addressed in internal policies | Required | |
| Dual-use goods awareness embedded in onboarding and transaction review | Good Practice | |
| Third-party reliance agreements documented with controls | If applicable | |
| Emerging technologies assessed before use in client service delivery | Good Practice | |

If you find more than three items marked as incomplete or uncertain, your firm should prioritise a formal compliance review before your next MoJ inspection cycle.

Frequently Asked Questions

Below are the questions we hear most often from lawyers, compliance officers, and legal firm staff in the UAE.

Does every law firm in the UAE need to comply with the AML/CFT framework, or only large firms?

Size is not the determining factor. Any law firm, legal consultancy, or individual lawyer who performs triggering activities (such as real estate transactions, company formations, or management of client funds) must comply, regardless of firm size. The principle of proportionality applies to how you implement your compliance programme, not whether you need one.

If your firm performs any of the triggering activities listed in the DNFBP definition (real estate, company formation, management of client accounts, and so on), yes, you need a compliance officer. If your firm is genuinely limited to pure legal advice and litigation representation, take a risk-based approach.

There is no explicit prohibition, but it creates a practical problem. A practising lawyer has client relationships that create conflicts of interest in assessing suspicious transactions. The MoJ expects the compliance officer to be independent in their judgement. For larger firms, a dedicated compliance officer is strongly advisable. For sole practitioners, the role can be self-held, but then proper risk-based controls must be in place.

At a minimum, annually. In addition, the risk assessment must be updated whenever there is a material change: a new service line, a significant change in client demographics, a new jurisdiction entering your practice, a change in the national risk assessment published by the UAE, or a new regulatory requirement. The MoJ will check the date on your risk assessment as one of the first steps in any inspection.

goAML is the electronic platform operated by the Financial Intelligence Unit (FIU) at the Central Bank of the UAE, through which suspicious transaction reports are submitted. Your compliance officer needs to be registered on the system. Registration is done through the FIU’s portal. The MoJ AML Department can assist with guidance on registration. Do not wait until you have a report to file before registering.

Nothing negative happens to you or your firm. The law explicitly provides that no administrative, civil, or criminal liability attaches to a lawyer or their staff for filing a report in good faith. The protection is absolute. Conversely, not filing when you should have creates serious personal and corporate exposure.

There is a specific exemption that allows lawyers to skip verifying the identity of shareholders, partners, or beneficial owners when the client, or its controlling shareholder, is listed on a regulated securities exchange subject to financial supervision and disclosure requirements. This is a narrow exemption that applies to the beneficial ownership verification step only; the firm is still required to identify UBOs from reliable sources, such as the stock exchange or the corporate registry.

The regulations use ‘without delay’ deliberately rather than specifying a fixed number of hours. In practice, it means immediately upon the compliance officer forming a genuine suspicion. There is no permitted waiting period for additional investigation before filing. If you have reasonable grounds to suspect, you file. Additional information can be provided as a supplementary report.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.