AML Regulations for Banks and Financial Institutions in UAE
Published On: 07/09/2026
Protect your business with reliable and effective AML strategies with AML UAE.
Last Reviewed On: 07/09/2026 | Last Updated On: 07/09/2026
Key Highlights
- The principal statute is Federal Decree-Law No. 10 of 2025 on anti-money laundering, combating the financing of terrorism, and proliferation financing, read together with its Executive Regulations in Cabinet Resolution No. 134 of 2025.
- Financial institutions are a defined class under UAE AML law. Banks, insurance firms, exchange houses and money service businesses, registered hawala providers, capital market firms, finance companies, and other licensed financial institutions all fall inside it.
- Supervision is shared. The Central Bank of the UAE oversees most mainland financial institutions, the Capital Market Authority oversees the capital market, and the DFSA and FSRA supervise firms in the DIFC and ADGM financial free zones.
- Every regulated institution reports suspicious activity to the UAE Financial Intelligence Unit through the goAML platform.
- The national risk assessments rate residual money-laundering risk as highest for registered hawala providers and medium-high for banks and exchange houses, with proliferation-financing risk concentrated in trade finance (UAE ML and TF National Risk Assessment 2024; UAE PF National Risk Assessment 2026).
- Core obligations span the sector: risk assessment, customer due diligence, sanctions screening, transaction monitoring, recordkeeping, and suspicious transaction reporting.
- This page is the overview. Each sector has its own dedicated guide for the finer details.
Banks and financial institutions sit at the centre of the UAE’s fight against money laundering. They move most of the money, so they carry most of the responsibility to spot and stop it. This guide sets out the AML regulations for banks and financial institutions in the UAE. It discusses which institutions are covered, who supervises them, the full legal framework they answer to, and how the national risk assessments rate the money laundering, terrorist financing, and proliferation financing risk of each sub-sector. It is a map of the whole regime, with links out to detailed sector guides where you need to go deeper.
Banks and financial institutions in the UAE are subject to Federal Decree-Law No. 10 of 2025, Cabinet Resolution No. 134 of 2025, targeted financial sanctions rules, and the guidance or rulebook issued by their relevant AML supervisor. Mainland banks, exchange houses, finance companies, insurers and registered hawala providers are generally supervised by the Central Bank of the UAE. Mainland capital market firms are supervised by the Capital Market Authority, formerly SCA. DIFC firms are supervised by the DFSA, and ADGM firms by the FSRA. Suspicious reports are filed with the UAE FIU through goAML.
Which banks and financial institutions are covered by UAE AML Law?
Under Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, a “financial institution” is any entity that carries on one or more defined financial activities, whether licensed onshore by the Central Bank or in one of the financial free zones. If your business takes deposits, moves money, underwrites insurance, deals in securities, or lends, you are almost certainly inside the AML regulations for banks and financial institutions in the UAE. The categories below each have their own dedicated guide.
Banks
Banks are the widest and most heavily supervised group. The category covers commercial banks, wholesale banks, and the branches of foreign banks licensed by the Central Bank of the UAE. They take deposits, lend, run payment and correspondent banking relationships, and provide trade finance, so almost every money laundering, terrorist financing, and sanctions typology touches a bank at some point. Their scale, openness, and extensive cross-border networks are exactly what make them attractive to criminals, which is why they sit at the front line of the UAE regime and carry the deepest set of obligations. Read the dedicated guide: AML regulations for banks in the UAE.
Insurance
Life insurance and investment-linked products can be used to place and layer illicit funds, particularly where premiums can be settled in cash or policies surrendered early. The category captures insurers, brokers, agents, and other intermediaries carrying on relevant life and investment-related business. General insurance and pure protection products normally present lower ML and TF risk, but licensed insurers, brokers and agents supervised by the Central Bank should still assess their AML obligations and apply controls proportionate to their products and customers. Firms in this sector are treated as financial institutions and must run customer due diligence, screening, and reporting on the relevant lines. Read the dedicated guide: AML regulations for insurance companies and brokers in UAE.
Exchange houses and MSBs
Exchange houses and money service businesses handle currency exchange, remittance, wage payments, and banknote trading, which makes them a classic conduit for structuring and the cross-border movement of value. Because they deal in cash and often route payments through foreign correspondents, they carry a heightened risk of layering and third-party laundering. They are licensed and supervised by the Central Bank and must apply the same core AML controls as other licensed institutions. Read the dedicated guide: AML regulations for exchange houses in UAE.
Registered hawala providers
Hawala and other informal value transfer systems are legal in the UAE only when the provider holds a registration certificate from the Central Bank. Registered hawala providers carry AML duties in their own right, including customer identification, record-keeping, and suspicious transaction reporting through goAML. Their cash-based, relationship-driven model is inherently harder to monitor, so supervision of the sector is close. Read the dedicated guide: AML regulations for registered hawala providers in UAE.
Capital Market
The capital market covers brokerages, custodians, fund managers, investment managers, and other firms dealing in or advising on securities and commodities. These firms are financial institutions for AML purposes and are supervised for the capital market under the framework of the Capital Market Authority. Although securities firms do not take cash deposits, they must still identify their clients, screen against sanctions lists, and monitor for market-based laundering. Read the dedicated guide: AML regulations for capital market firms in UAE.
Finance Companies
Finance companies provide credit, consumer and commercial financing, and related lending services, and are licensed and supervised by the Central Bank of the UAE. They are captured as financial institutions and carry the full set of core AML obligations, scaled to their products and customer base. Their exposure tends to be lower than that of deposit-taking banks, but lending can still be used to integrate illicit funds. Read the dedicated guide: AML regulations for finance companies in the UAE.
Other LFIs
The financial institution definition is deliberately broad, so other licensed financial institutions carrying on defined activities are captured even where they do not fit the labels above. This includes certain payment and stored value activities and other specialist licensed models. Where a firm carries on a regulated financial activity, it should assume the AML framework applies and confirm its status with its supervisor. Read the dedicated guide: AML regulations for other LFIs in the UAE.
AML Supervisory Authority for Banks and Financial Institutions in UAE
Supervision in the UAE is shared between the federal financial regulators and the two financial free zone authorities. Knowing your supervisor matters because it determines which rulebook, guidance, and enforcement powers apply to you.
Central Bank of the UAE (CBUAE)
The Central Bank is the AML supervisor for most mainland financial institutions, including banks, exchange houses, finance companies, registered hawala providers, insurers, and money service businesses. It issues sector guidance, inspects licensed institutions, and can impose administrative and financial penalties for breaches. Institutions should expect their AML programme to be tested by thematic inspections.
Capital Market Authority
The capital market is supervised by the Capital Market Authority, formerly the Securities and Commodities Authority, under Federal Decree-Law No. 32 of 2025. It sets AML expectations for brokerages, custodians, fund managers, and other securities and commodities firms, and monitors their compliance.
Dubai Financial Services Authority (DFSA)
The DFSA is the independent regulator for firms established in the Dubai International Financial Centre. It runs its own AML rulebook that applies alongside the federal law, so a DIFC firm answers to the DFSA for day-to-day supervision while still meeting the UAE’s overarching AML obligations.
Financial Services Regulatory Authority (FSRA)
The FSRA is the independent regulator for firms established in the Abu Dhabi Global Market. Like the DFSA, it maintains its own AML rulebook and supervises and enforces against firms in its free zone, within the wider federal framework.
UAE FIU and goAML
Whoever supervises you, every regulated financial institution reports to a single national body. The UAE Financial Intelligence Unit receives and analyses suspicious transaction reports, suspicious activity reports, and related filings, all submitted through the goAML platform.
Registration on goAML is a baseline obligation, and timely, good-quality reporting is one of the clearest signals of an effective AML programme.
See our goAML registration guide and the difference between a suspicious activity and a suspicious transaction for the practical steps.
Firms in the DIFC and ADGM file suspicious reports with the UAE FIU through goAML in the same way, and may also carry parallel notification duties to the DFSA or FSRA under their own rulebooks.
The table below shows which authority supervises each type of financial institution.
|
Financial institution |
Primary AML supervisor |
|
Mainland banks |
Central Bank of the UAE (CBUAE) |
|
Exchange houses and MSBs |
CBUAE |
|
Registered hawala providers |
CBUAE |
|
Finance companies |
CBUAE |
|
Insurers, brokers and agents |
CBUAE |
|
Mainland capital market firms |
Capital Market Authority |
|
DIFC firms |
DFSA |
|
ADGM firms |
FSRA |
AML Legal Framework Applicable to Banks and Financial Institutions in UAE
The framework has four layers: the core federal laws and regulations, the guidance that applies to all reporting entities, the Central Bank’s own guidance for licensed financial institutions, and the national and sector risk assessments that tell you where the threats actually are. This section catalogues each layer. It stays at overview depth on purpose, because the detailed obligations live in the sector guides.
Federal AML Laws and Executive Regulations Applicable to Banks and Financial Institutions
These four instruments are the legal foundation for every financial institution in the UAE.
Federal Decree-Law No. 10 of 2025 on AML, CFT and CPF
Federal Decree-Law No. 10 of 2025 is the principal UAE statute governing anti-money laundering, terrorism financing, and proliferation financing. It sets the core definitions, recognises offences through virtual assets, and establishes the Financial Intelligence Unit within the Central Bank as the independent body that receives and analyses suspicious transaction reports. Powers to suspend or freeze suspicious transactions and funds sit with the FIU and the competent authorities under the law, Cabinet Resolution No. 74 of 2020 and UAE FIU Regulation No. 1 of 2026. For banks and insurers, it is the source of core reporting and oversight duties.
Cabinet Resolution No. 134 of 2025, the Executive Regulations
Cabinet Resolution No. 134 of 2025 issues the Executive Regulations of Federal Decree-Law No. 10 of 2025, translating the statute into detailed rules. It defines scope, including banking, securities, and life insurance, and requires a risk-based approach, customer due diligence, beneficial owner verification, ongoing monitoring, and approved internal policies. For banks and insurers, it is the practical rulebook of procedures and controls that supervisors test.
Cabinet Resolution No. 74 of 2020 on terrorist lists and UNSC resolutions
Cabinet Resolution No. 74 of 2020 regulates the terrorist lists and how the UAE implements United Nations Security Council resolutions on terrorism, its financing, and weapons proliferation. Freezing must be applied within twenty-four hours. Financial institutions must register with the Executive Office, continuously screen customers and beneficial owners against the lists, freeze matches without prior notice, and report promptly, establishing core sanctions screening duties.
Federal Law No. 7 of 2014 on combating terrorism crimes
Federal Law No. 7 of 2014 on Combating Terrorism Crimes defines terrorist offences in the UAE and fixes their penalties, up to life imprisonment or death. It penalises providing, collecting, or maintaining funds for terrorist purposes and addresses freezing suspected funds held in financial institutions. Banks and insurers rely on it to understand the predicate conduct their controls detect, deter, and report.
AML Guidance Applicable to All Reporting Entities
Beyond the core laws, the Central Bank and the FIU issue a large body of guidance, guidelines, and typologies that shape day-to-day compliance. The instruments below sit in the overarching guidance set for licensed financial institutions.
UAE FIU Regulation No. 1 of 2026 on Suspension and Freezing Powers, April 2026
UAE FIU Regulation No. 1 of 2026, dated April 2026, governs the postponement or suspension of suspicious transactions and the freezing of funds. Applying to financial institutions, designated non-financial businesses and virtual asset service providers, it introduces the urgent Postponement Suspicious Transaction Report, plus a Suspension Order of up to ten working days and a Freezing Order of up to thirty days. For firms, it preserves funds at risk.
UAE FIU Strategic Analysis Report on Human Trafficking, April 2026
The UAE FIU Strategic Analysis Report on Human Trafficking, dated April 2026, analyses money laundering flows linked to human trafficking using suspicious reports filed with the Financial Intelligence Unit. It covers sexual exploitation, forced labour and organ removal, profiles traffickers, organised crime and money mules, assesses vulnerable sectors, and develops risk indicators. For financial institutions, it is a detection resource that improves reporting quality.
Guidance on Targeted Financial Sanctions for Financial Institutions, DNFBPs and VASPs, March 2026
The Guidance on Targeted Financial Sanctions for Financial Institutions, DNFBPs and VASPs, from the Executive Office for Control and Non-Proliferation, was first published in January 2021 and last amended in March 2026. It sets four obligations: registering in the Notification Alert System, screening against the Local and UN lists, freezing assets without delay, and reporting. The 2026 update renames the confirmed-match report, previously the Funds Freeze Report or FFR, as the Confirmed Name Match Report, and reports of partial matches as the Partial Name Match Report.
Joint Guidance on the Compliance Officer and MLRO, 2026
The Joint Guidance on the Compliance Officer and Money Laundering Reporting Officer, issued in 2026 by the UAE Supervisory Sub-Committee, establishes a unified framework for the officer’s appointment, authority, and responsibilities across regulated sectors. Recognising the role as a cornerstone of effective AML defences, it sets expectations on seniority, experience, independence, board access, and resources, clarifying how institutions appoint and empower a fit and proper officer.
FIU Strategic Analysis Report on Terrorist Financing, May 2025
The FIU Strategic Analysis Report on Terrorist Financing, published in May 2025, is produced by the UAE Financial Intelligence Unit using data from 2021 to 2024. It sets out typologies such as unlicensed hawala, corporate networks, trade-based financing, real estate, and virtual assets, and examines facilitators, concluding with risk indicators that help institutions detect, trace, and report suspicious terrorist financing activity.
goAML FAQs, April 2024
The goAML FAQs, version 2.1 dated 18 April 2024, are a question-and-answer guide from the UAE Financial Intelligence Unit helping reporting entities use the goAML system and its access services. It gives step-by-step remedies for registration and login problems, including expired one-time passwords, Google Authenticator passcodes and password resets. For financial institutions, it supports reliable access, underpinning timely reporting.
PF Institutional Risk Assessment Guidance for FIs, DNFBPs and VASPs, December 2023
The Proliferation Financing Institutional Risk Assessment Guidance, published in December 2023, sets out how financial institutions should assess and manage exposure to proliferation financing. It explains a methodology built around inherent risks, control effectiveness, and residual risks, describes mitigating measures and a customer risk scoring questionnaire with worked case studies, helping firms recognise elevated risk customers, calibrate controls, and document risk decisions for supervisors.
Terrorist and Proliferation Financing Red Flags Guidance, December 2023
The Terrorist and Proliferation Financing Red Flags Guidance, updated December 2023, consolidates indicators helping financial institutions detect suspicious terrorist and proliferation financing, including evasion of targeted sanctions under United Nations Resolutions or local designations. It explains tactics such as front companies, sets out the legal basis for reporting, and groups proliferation indicators by customer profile, transaction, maritime and trade finance. It is a working reference for detection.
Suspicious Activity and Transaction Reporting Thematic Review, January 2023
The Suspicious Activity and Transaction Reporting Thematic Review, issued in January 2023, sets out findings and expectations from the 2022 AML/CFT examination of financial institutions and designated non-financial businesses. It contrasts acceptable and deficient practices across governance, policies, risk-based monitoring, data, alert review, investigation and reporting. For financial institutions, it is a practical benchmark to test monitoring and reporting arrangements and close gaps before inspection.
Cabinet Resolution No. 109 of 2023 Regulating the Real Beneficiary Procedures
Cabinet Resolution No. 109 of 2023 regulates beneficial owner procedures for legal persons in the UAE, requiring accurate, up-to-date ownership information and registers updated within short deadlines. Banks and insurers rely on this data for customer due diligence on corporate customers. These procedures apply to legal persons licensed or registered in the State, including commercial free zones, but exclude the financial free zones, the DIFC and ADGM, which operate their own beneficial ownership regimes.
Cabinet Resolution No. 132 of 2023 on Administrative Penalties for Real Beneficiary Violations
Cabinet Resolution No. 132 of 2023 sets the administrative penalties for violations of the beneficial owner procedures under Cabinet Resolution No. 109 of 2023, empowering the registrar to fine and, on a third violation, suspend licences. It reinforces why corporate customers must keep ownership data current. These penalties apply to legal persons licensed or registered in the State, including commercial free zones, but not to the financial free zones, the DIFC and ADGM, which follow their own regime.
Counter Proliferation Financing Guideline, November 2022
The Counter Proliferation Financing Guideline, published in November 2022 by the Executive Office for Control and Non-Proliferation, supplements the Guidance on Targeted Financial Sanctions. It helps financial institutions identify, assess, and mitigate Proliferation Financing risks in line with Financial Action Task Force standards, covering the UAE framework, risk assessment, preventive measures such as enhanced due diligence and trade finance controls, and red flags for sanctions evasion.
goAML Web Submission Guide, July 2022
The goAML Web Submission Guide, issued by the UAE Financial Intelligence Unit in July 2022, sets out how the Compliance Officer or Money Laundering Reporting Officer submits reports through goAML. It covers report types, including Suspicious Transaction and Suspicious Activity Reports, accessing the system, completing the cover and submitting. For financial institutions, it standardises reporting and helps officers file complete reports promptly.
IEMS User Guide for Reporting Entities, March 2022
The IEMS User Guide for Reporting Entities, dated March 2022, is a manual from the UAE Financial Intelligence Unit for its Integrated Enquiry Management System, which handles information requests, prosecution decisions, and freeze orders between the Unit, authorities, and reporting entities. It explains login, the dashboard, the reply workflow, and Admin, Maker, and Checker roles, showing institutions how to action enquiries and freeze instructions compliantly.
Joint Guidance on Combating the Use of Unlicensed Virtual Asset Providers, March 2022
The Joint Guidance on Combating the Use of Unlicensed Virtual Asset Providers, issued in March 2022 by the UAE Supervisory Authorities, including the Central Bank and the Virtual Assets Regulatory Authority, educates the public and regulated entities on the risks of unlicensed providers. It reminds institutions of their AML obligations, sets expectations on due diligence and reporting, and provides red flags such as missing licences and unrealistic promises.
goAML Pre-Registration Guide, March 2022
The goAML Pre-Registration Guide, issued by the UAE Financial Intelligence Unit in March 2022, explains how reporting entities secure access to the Services Access Control Manager, or SACM, before reaching goAML to register and file suspicious reports. It covers the gateway, a Google Authenticator one-time password, and safeguarding a personal Secret Key. For financial institutions, correct pre-registration is a prerequisite for secure reporting.
goAML Registration Guide, March 2022
The goAML Registration Guide, issued by the UAE Financial Intelligence Unit in March 2022, sets out how an organisation registers with the FIU on the goAML platform as a reporting entity, stakeholder or supervisory body. All accountable and reporting entities must register to submit suspicious reports. It covers portal access, selecting registration type, entering data, access rights and password resets. For financial institutions, it underpins compliant reporting.
Strategic Review on Targeted Financial Sanctions Case Studies, November 2021
The Strategic Review on Targeted Financial Sanctions Case Studies, dated November 2021, examines how sanctions-related reports arise in the UAE under Cabinet Resolution No. 74 of 2020, which implements United Nations freezing measures on terrorism and proliferation financing. It classifies reports by source, suspicion and instrument, distinguishes terrorist from proliferation patterns, and presents red flags, statistics and recommendations. For financial institutions, it strengthens detection, screening and reporting.
Typologies on the Circumvention of Targeted Sanctions, November 2021
This typologies report, amended in November 2021 and issued by the Executive Office, compiles cases showing how sanctioned parties circumvent targeted sanctions on terrorism and proliferation, evading United Nations Resolutions and the national terrorist list. It groups methods by channel, covering banking, remitters, exchange houses, hawala, smuggling, dual-use trade, legal entities and virtual assets, with red flags. For financial institutions, it strengthens screening, due diligence and reporting.
Update to the List of High Risk Jurisdictions, November 2021
This November 2021 decision of the National AML/CFT Committee updates the lists of high-risk jurisdictions subject to a call for action and under increased monitoring, and the counter-measures to apply, updating an earlier March 2021 decision. For financial institutions, country risk is a core input: it signals which jurisdictions warrant enhanced due diligence and keeps risk assessments aligned with the latest listings.
Joint Guidance on Satisfactory and Unsatisfactory Practice, June 2021
The Joint Guidance on Satisfactory and Unsatisfactory Practice, issued in June 2021 by the UAE Supervisory Authorities, draws on inspections between January 2020 and May 2021. It contrasts satisfactory and unsatisfactory practices across governance, risk assessment, policies, training, customer due diligence, monitoring, sanctions screening, and reporting. It translates real inspection findings into concrete examples of supervisory expectations, helping firms benchmark their controls and remediate weaknesses before examination.
Typologies on the Circumvention of TFS, PF and WMD, May 2021
This typologies report, amended in May 2021 and issued by the Executive Office, examines how sanctioned parties receive financing in evasion of United Nations Resolutions on terrorism and proliferation of weapons of mass destruction. Organised by method, it covers banking, money remitters, hawala, online payments, non-profits, cash smuggling, cyberactivity, trade and legal entities, with red flags. For financial institutions, it supports stronger screening, monitoring and reporting.
goAML FAQs, September 2020
The goAML FAQs Guide, issued by the UAE Financial Intelligence Unit in September 2020, is a question-and-answer reference for reporting entities using the goAML platform. It gives step-by-step help on resetting passwords, updating organisation and personal details, and delegating reporting subject to Supervisory Body approval. For financial institutions, accurate registration data and managed access underpin timely, compliant reporting to the FIU.
goAML Registration Guide Stage 2, September 2020
The goAML Registration Guide Stage 2, issued by the UAE Financial Intelligence Unit in September 2020, outlines how an organisation registers with the FIU on the goAML platform as a reporting entity, stakeholder or supervisory body. All accountable and reporting entities must register, with electronic submission required since 27 June 2019. It covers portal access, registration type, access rights and password resets.
Emerging ML, TF and PF Risks and Trends in the Financial Sector
Emerging ML, TF, and PF Risks and Trends in the Financial Sector is a Supervisory Subcommittee report giving financial institutions an overview of current threats. Issued under Article 16 of Federal Decree-Law No. 10 of 2025, it examines artificial intelligence exploitation, ESG fraud, trade finance abuse, virtual assets, and sanctions evasion, with banking case studies, highlighting typologies and red flags for risk assessments and controls.
Guideline on Grievance Procedures
The Guideline on Grievance Procedures is issued by the Executive Office for Control and Non-Proliferation, which receives grievance requests related to the UAE Local Terrorist List and the UN Consolidated List. Under Cabinet Resolution No. 74 of 2020, it processes three types: de-listing, cancellation of freezing measures, and permission to use frozen assets. It explains the lawful routes affected customers may use, informing how institutions respond.
Online Grievance System User Guide
The Online Grievance System User Guide is issued by the Executive Office for Control and Non-Proliferation, which receives grievance requests related to the UAE Local Terrorist List and the UN Consolidated List. It walks users through the application form for three request types: de-listing, cancellation of freezing measures, and permission to use frozen funds, explaining the route affected customers use to challenge designations or access frozen assets.
Simple Guide to Subscribe to the EOCN Notification Alert System (NAS)
This short guide explains how to subscribe to the Notification Alert System operated through the Executive Office’s website, so users receive timely updates to the UAE sanctions lists: the Local Terrorist List and the UN Consolidated List. It gives step-by-step subscription instructions. For financial institutions, it supports a core control, since sanctions screening is only effective when firms work from current lists.
Typologies in the Financial Sector
Typologies in the Financial Sector, produced jointly by the Supervisory Authorities Sub-Committee and the Financial Intelligence Unit with the Executive Office, shares money laundering, terrorist financing, sanctions, fraud and corruption typologies observed in the market, several arising during COVID-19. It covers risks beyond the National Risk Assessment, including unlicensed money service operators and links to human trafficking. For financial institutions, it is an early warning tool.
CBUAE Guidance for Licensed Financial Institutions
Alongside the guidance that reaches every reporting entity, the Central Bank issues a dedicated body of guidance, rules and thematic reviews for the licensed financial institutions it supervises. These set the CBUAE’s specific expectations for banks and other financial institutions across risk assessment, due diligence, sanctions, reporting and sector-specific exposure.
CBUAE Thematic Review on Sanctions List Screening in the Banking Sector, May 2026
Conducted by the CBUAE’s AML/CFT Supervision Department and published in May 2026 under Cabinet Resolution No. 74 of 2020, this thematic review assessed how banks screen customers and transactions against the UAE Local Terrorist List and the UNSC Sanctions List. It examined whether banks screen at onboarding, periodically and on list updates, freeze without delay and notify the authorities of matches. For banks, it flags where sanctions screening programmes fall short.
CBUAE Best Practices on Implementing a Risk-Based Approach, October 2025
Published by the CBUAE in October 2025, this best-practice paper explains how licensed FIs should design a risk-based approach and run an institutional ML, TF and PF risk assessment. It covers assessing inherent risk across customers, products, delivery channels and geographies, testing the control environment, and determining residual risk. For banks, it clarifies expected methodology, granularity, governance and review frequency, so their programme is genuinely risk-driven rather than tick-box.
CBUAE Best Practices on Role-Based AML/CFT/CPF Training, October 2025
Released by the CBUAE in October 2025, this paper sets expectations for tailoring AML/CFT/CPF training to staff roles. It separates training for the board, owners and senior management from the three lines of defence, and covers new-hire, annual enterprise-wide, group and localised training. Banks are expected to match content, frequency and intensity to each function’s risk exposure, document a training plan, and keep records evidencing delivery and effectiveness.
CBUAE Guidance on Customer Due Diligence, KYC and Record-Keeping, October 2025
Published by the CBUAE in October 2025, this guidance treats CDD, KYC and record-keeping as the cornerstone of AML, sanctions and anti-fraud compliance. It covers identifying and verifying customers and beneficial owners, building a risk profile from source of funds, wealth and expected activity, ongoing monitoring, simplified and enhanced due diligence, name screening, non-face-to-face relationships, third-party reliance and customer exit. Banks must evidence robust CDD and retain supporting records.
CBUAE Guidance on Correspondent Banking, October 2025
Released by the CBUAE in October 2025, this guidance addresses how licensed FIs should manage correspondent banking relationships and cross-border payments. It examines risk factors such as nested relationships, payable-through accounts, geography, ownership and customer base, and sets out standard, specific and enhanced due diligence, ongoing monitoring, sanctions obligations and reporting. Annexes cover the SWIFT to ISO 20022 transition and RMA relationships, helping banks scrutinise respondent institutions proportionately.
CBUAE Guidance on Risks Related to Trade-Based Money Laundering and Transshipment, October 2025
Issued by the CBUAE in October 2025, this guidance helps licensed FIs understand and mitigate trade-based money laundering and illicit transhipment risks. It explains documentary and open-account trade finance, typologies such as over-invoicing and under-invoicing, multiple invoicing, shell companies and free-trade-zone misuse, and vulnerable sectors like gold and vehicles. For banks, it prescribes enterprise-wide risk assessment, customer and enhanced due diligence, sanctions screening, transaction monitoring and reporting.
CBUAE Guidance on Risks Related to Proliferation Finance, October 2025
Issued by the CBUAE in October 2025, this guidance helps licensed FIs counter the financing of weapons of mass destruction proliferation. It maps threats and vulnerabilities across trade finance, correspondent banking, hawala, free trade zones, shell companies and precious metals, then sets out risk assessment, customer and enhanced due diligence, transaction monitoring and targeted financial sanctions duties. In practice, banks must build proliferation finance risk into their controls and export-control screening.
Federal Decree-Law No. 6 of 2025 on the Central Bank and the regulation of financial institutions
Federal Decree-Law No. 6 of 2025 is not the AML law, but it is the licensing and supervisory foundation for the Central Bank-regulated institutions covered here, including banks, exchange houses, finance companies, insurers and hawala providers. Issued on 8 September 2025, it governs the Central Bank and the regulation of licensed financial institutions and activities and insurance business. It repealed Federal Decree-Law No. 14 of 2018, the previous Central Bank law, and Federal Decree-Law No. 48 of 2023 on insurance activities, and regulations and circulars issued under those laws remain in force until they are replaced.
CBUAE AML/CFT Guidelines for Financial Institutions, July 2023
Issued by the CBUAE in July 2023, these are the flagship AML/CFT guidelines for financial institutions. They walk banks and other FIs through the UAE legal framework, the risk-based approach, business-wide risk assessment, customer due diligence and enhanced due diligence, wire transfers, ongoing monitoring, suspicious transaction reporting and record-keeping. In practice, they set the baseline compliance expectations against which supervised institutions must show they meet their statutory obligations.
CBUAE Guidance on Risks Related to Virtual Assets and VASPs, February 2023
Issued by the CBUAE on 20 February 2023, this guidance sets out how licensed FIs should identify and mitigate money laundering and terrorist financing risks from virtual assets and virtual asset service providers. It covers the UAE regulatory framework, the non-objection process for opening VASP accounts, customer due diligence, enhanced measures for higher-risk customers, transaction monitoring, sanctions obligations and proprietary virtual asset investments, giving banks concrete red flags and expectations.
CBUAE Guidance on Digital Identification for Customer Due Diligence, October 2022
Dated 31 October 2022, this CBUAE guidance explains how licensed FIs may use digital identity systems for customer due diligence. It describes identity proofing, enrolment, authentication and lifecycle management, and the risks these systems present. Crucially, it helps banks assess a system’s reliability and independence through assurance levels and decide on appropriate use in the context of risk, including customer verification, ongoing due diligence and third-party reliance.
CBUAE Guidance on Suspicious Transaction Reporting, August 2022
Published by the CBUAE on 3 August 2022, this document guides licensed FIs on identifying and reporting suspicious transactions across the three lines of defence. It addresses the compliance officer and MLRO role, manual and automated monitoring, how to draft and submit STRs and SARs through goAML, review and filing timelines, tipping-off prohibitions and record retention. For banks, it clarifies disclosure duties, legal protections and the consequences of failing to report.
CBUAE Guidance on the Risks Relating to Politically Exposed Persons, August 2022
The CBUAE issued this guidance on 1 August 2022 to help licensed FIs manage risks from politically exposed persons. It sets out the requirements for classifying customers as PEPs and related customers, time limits on PEP status, screening, risk rating and enhanced due diligence. It also covers transaction monitoring, suspicious transaction reporting, governance and training, and gives red flag indicators so banks can apply proportionate scrutiny to higher-risk relationships.
CBUAE Guidance on the Risks Relating to Payments, August 2022
Dated 1 August 2022, this CBUAE guidance addresses money laundering and terrorist financing risks in the payments sector. It examines peer-to-peer and cross-border payments, intermediation, nesting, use of agents and merchant risks, alongside obligations for stored value facilities, retail payment services and card schemes. Banks are directed to conduct risk assessment, apply customer and enhanced due diligence, wire transfer controls, correspondent due diligence, sanctions screening and reporting.
CBUAE Guidance on Transaction Monitoring and Sanctions Screening, September 2021
The CBUAE issued this guidance on 8 September 2021, requiring licensed FIs to show compliance within one month. It explains how to build risk-based transaction monitoring and sanctions screening programmes, covering risk assessment, data management, rule definition and testing, alert scoring, name and transaction screening, list management, and post-implementation tuning. In practice, banks must govern, audit and staff these systems, manage third-party vendors and keep supporting records.
CBUAE Guidance for Cash-Intensive Businesses, September 2021
Dated 27 September 2021, this CBUAE guidance addresses the money laundering vulnerabilities of cash, bearer instruments, prepaid cards, cash couriers and currency exchanges. It expects licensed FIs to run enterprise risk assessments, apply customer and enhanced due diligence, monitor transactions and file suspicious transaction reports. For banks, that means tighter scrutiny of customers who handle large volumes of cash and clearer expectations on documenting the source of those funds.
CBUAE Guidance for Registered Hawala Providers and LFIs, August 2021
Issued by the CBUAE on 15 August 2021, this guidance covers both registered hawala providers and the banks that serve them. It sets registration, sanctions freezing, AML/CFT programme, customer due diligence, record-keeping and goAML reporting duties for hawala providers, and a risk-based approach for licensed FIs banking them. In practice, banks must understand and manage the money laundering and terrorist financing risks these money remitters bring into the system.
CBUAE Guidance on the Implementation of Targeted Financial Sanctions, July 2021
Issued by the CBUAE on 4 July 2021, this guidance directs licensed FIs on implementing targeted financial sanctions. It requires a sanctions compliance programme with senior management commitment, risk assessment, internal controls, training, independent audit and record-keeping, plus screening against the UN Consolidated List and Local Terrorist List, handling of false positives, and payment screening. Banks must freeze without delay on a confirmed match and notify the CBUAE and Executive Office.
CBUAE Guidance on Services to Legal Persons and Arrangements, June 2021
Published by the CBUAE on 7 June 2021, this guidance tackles how companies, trusts and similar structures can obscure beneficial ownership, purpose and source of funds. It explains formation, beneficial owner identification and UAE economic substance rules, and requires licensed FIs to risk-rate such customers, verify ownership and control, monitor them and file suspicious transaction reports. For banks, it sharpens expectations on unwrapping who really owns and controls corporate clients.
CBUAE Guidance for the Real Estate and Precious Metals and Stones Sectors, June 2021
Issued by the CBUAE on 16 June 2021, this guidance helps licensed FIs manage ML and TF risk when serving real estate businesses and dealers in precious metals and stones. It explains sector-specific risks, typologies and red flags, then sets out mitigating measures covering the risk-based approach, customer and enhanced due diligence, suspicious transaction reporting, governance and training. For banks, it means calibrating controls to these high-value, cash-exposed sectors.
CBUAE STR Outreach for Banks and Finance Companies, March 2021
Delivered on 10 March 2021, this CBUAE outreach session brought together the Financial Intelligence Unit, AML/CFT Supervision and the Ministry of Interior to brief banks and finance companies on suspicious transaction reporting. Drawing on the AML law, it explains when and what to report, goAML as the sole reporting channel, the different report types and the compliance officer’s duties. It reinforces prompt, well-grounded STR filing as a core supervisory expectation.
CBUAE Board of Directors Decision No. 59/4/2019 on AML/CFT Procedures, 2019
Issued by the CBUAE Board of Directors on 13 June 2019, Decision No. 59/4/2019 sets the procedures for anti-money laundering and combating the financing of terrorism and illicit organisations. It requires every financial institution and its concerned persons to comply with the federal AML law, its Executive Regulation and Central Bank instructions, guidelines and notices, and empowers the Central Bank to impose administrative sanctions, subject to a right of appeal. It replaced Circular No. 24/2000.
CBUAE Guidance Note on the Responsible Use of AI and Machine Learning by LFIs
This CBUAE guidance note sets principles for the responsible, consumer-focused use of artificial intelligence and machine learning by licensed FIs. It addresses governance and board accountability, fairness and non-discrimination, transparency and explainability, data quality and privacy, continuous monitoring, human oversight and third-party risk. It flags high-impact decisions such as loan or insurance outcomes and expects banks to build these principles into their AI and machine learning policies and existing risk frameworks.
CBUAE List of Administrative and Financial Sanctions
This CBUAE document explains the Central Bank’s enforcement powers over financial institutions with weak AML and sanctions frameworks. Penalties range from a warning through mandatory remediation to restrictions, senior-management removal and licence revocation, alongside financial fines set per violation. The scale can reach very substantial sums under the Central Bank Law. For banks, it signals that supervisory consequences are dissuasive, proportionate and consistently applied across the sector.
NRA, SRA, and Other Important Guidelines Applicable to Banks and Financial Institutions in UAE
The UAE assesses its money laundering, terrorist financing, and proliferation financing risk at the national level, and the law expects every financial institution to align its own business and enterprise-wide risk assessment with those findings. The two assessments below are the anchor documents, and the sector ratings that follow show where banks and financial institutions actually sit, in the mainland and in the financial free zones.
UAE PF National Risk Assessment 2026
The UAE Proliferation Financing National Risk Assessment 2026 examines exposure to the financing of weapons of mass destruction and evasion of targeted sanctions on the DPRK and Iran. Overall country risk is medium-high. Virtual asset service providers are high in the mainland, banks, exchange houses and hawala providers medium-high, free zone banks and money service businesses medium, stored value facilities medium-low. For financial institutions, it guides screening and controls.
The table below summarises the residual risk ratings that banks and financial institutions should reflect in their own risk assessments.
UAE ML and TF National Risk Assessment 2024
The UAE Money Laundering and Terrorist Financing National Risk Assessment 2024, the country’s second, rates threats and residual risks across mainland and free zone financial sectors using 2019 to 2023 data. Overall, the national money laundering risk is medium-high. Banking, exchange houses and securities are medium-high; hawala providers are high; finance companies and insurance are medium. For financial institutions, it sets the national baseline for their risk-based controls.
|
Sub-sector |
ML and TF residual risk |
PF residual risk |
|
Banking |
Medium-high (mainland); medium to medium-high (free zones) |
Medium-high (mainland); medium (free zones) |
|
Exchange houses and MSBs |
Medium-high |
Medium-high (mainland); medium for free zone MSBs |
|
Registered hawala providers |
High |
Medium-high (mainland); not permitted in free zones |
|
Finance companies |
Medium |
Not separately rated |
|
Insurance |
Medium |
Medium for maritime (mainland); medium-low (free zones) |
|
Capital market and securities |
Medium range, effective controls |
Low (mainland and free zones) |
Alongside the national assessments, sector risk assessments, red flag guidance, and typologies reports give financial institutions the detail they need to keep their enterprise-wide risk assessment current and defensible.
Core AML Obligations at a Glance
Whatever the sector, the AML regulations for banks and financial institutions in the UAE turn on a common set of duties. This is the overview; each is covered in depth in its own guide.
- Business and enterprise-wide risk assessment, mapped to the national risk assessments.
- Customer due diligence and, for higher-risk relationships, enhanced due diligence.
- Ongoing transaction monitoring and sanctions screening.
- Suspicious transaction and activity reporting through goAML.
- Record keeping and robust AML governance, including a qualified compliance officer and MLRO.
Expert Tip:
Supervisors usually look beyond a single alert in isolation. They test whether the institution has a risk assessment aligned to the national risk assessment, documented alert handling and escalation, and a compliance officer who can show independence and authority. Systemic weaknesses and high-risk or sanctions-related failures that are poorly documented are what draw findings. Get the risk assessment and the compliance function right, and the rest becomes defensible.
Sub-Sector Guides for Financial Institutions in UAE
Use this page as the map, then go to the sector guide that fits your licence for the detailed rules, checklists, and templates.
- AML regulations for banks in UAE: the deposit-taking, lending, payments, and trade finance obligations that carry the deepest AML duties.
- AML regulations for insurance companies and brokers in UAE: how life and investment business is brought inside the AML perimeter, and what insurers and intermediaries must do.
- AML regulations for exchange houses in UAE: currency exchange, remittance, and banknote controls for a cash-intensive, cross-border sector.
- AML regulations for registered hawala providers in the UAE: registration, record-keeping, and reporting duties for the highest residual-risk financial sub-sector.
- AML regulations for capital market firms in UAE: client onboarding, screening, and monitoring for brokerages, custodians, and fund managers under the Capital Market Authority.
- AML regulations for finance companies in UAE: how credit and financing providers apply the core AML controls, scaled to their products.
- AML regulations for other LFIs in UAE: the catch-all for payment, stored value, and other licensed financial activities captured by the definition.
Conclusion
AML regulations for banks and financial institutions in the UAE come down to three questions: are you a financial institution, who supervises you, and which parts of the framework apply? For the great majority of licensed firms, the answer is that you are covered, the Central Bank or your free zone regulator supervises you, and the full stack of Federal Decree-Law No. 10 of 2025, its Executive Regulations, the sanctions rules, and the supporting guidance all apply. Use the national risk assessments to calibrate your programme to the real threats in your sub-sector, treat this page as your starting point, and use the sector guides to turn the framework into day-to-day controls. This is a fast-moving area, so review your obligations against the latest guidance regularly. For a wider view, see our guide to anti-money laundering laws in the UAE.
Frequently Asked Questions
What is the AML risk rating for banks in the UAE?
The UAE ML and TF National Risk Assessment 2024 rates the banking sector at medium-high residual risk, with an inherent risk of high because of the sector’s size, cross-border reach, and exposure to high-risk customers. For proliferation financing, mainland banks are rated medium-high, largely through trade finance, while banks in the financial free zones are rated medium.
Are registered hawala providers regulated for AML in the UAE?
Yes. Hawala is legal only when the provider is registered with the Central Bank, and registered hawala providers must run customer identification, record-keeping, and suspicious transaction reporting. The sector carries the highest residual money laundering rating of any financial sub-sector, and hawala is not permitted to operate in the financial free zones.
Which UAE financial sector has the highest AML risk?
Among the core financial institutions, registered hawala providers carry the highest residual money laundering risk. For proliferation financing, virtual asset service providers carry the highest exposure, which is relevant to any bank or institution that services them.
Do exchange houses in the UAE have high AML risk?
Exchange houses are rated medium-high for money laundering and terrorist financing, driven by cash handling, banknote shipments, reliance on foreign remittance partners, and third-party transactions. They are supervised by the Central Bank and must apply full customer due diligence and screening.
How do AML rules differ for firms in DIFC and ADGM?
Firms in the DIFC are supervised by the DFSA and firms in the ADGM by the FSRA, each under its own AML rulebook that sits alongside the federal law. In practice, financial free zone banks and money service businesses tend to carry lower proliferation financing risk than their mainland counterparts because they are account-based, cash is not permitted, and many are branches of global banks.
What is the AML risk for insurance companies in the UAE?
The insurance sector is rated medium for money laundering, reflecting the limited ways life and investment products can be abused, and maritime insurance is rated medium for proliferation financing in the mainland. Insurers and intermediaries carrying out relevant business are financial institutions and must apply customer due diligence, screening, and reporting.
Are capital market and securities firms treated as high AML risk?
No. Securities firms are rated low for proliferation financing in both the mainland and the free zones, and their money laundering risk sits in the medium range, with controls assessed as effective. They do not take cash deposits, but they must still identify clients, screen against sanctions lists, and monitor for market-based laundering under the Capital Market Authority framework.
Do finance companies in the UAE need an AML programme?
Yes. Finance companies are licensed by the Central Bank, are rated medium residual risk for money laundering, and must run the full set of core AML controls scaled to their credit and financing products.
Need help mapping these obligations to your licence?
Understand your AML obligations with expert guidance tailored to your banking licence and regulatory requirements.
Share via :
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.
Reach Out to Pathik