Checklist for Identification of Sanction Screening Gaps to Ensure Robust AML Compliance

Regulated Entities need to identify weaknesses in their Anti Money Laundering (AML), CFT and TFS processes, which involve screening of individuals against sanctions lists. You might be checking the individual’s name against the UAE Local Terrorist List, the UNSC Consolidated List and other relevant lists, but it is necessary to ensure that no deficiencies arise due to outdated technology, ineffective screening process, data quality issues or others.

Here’s an easily downloadable, accessible and no-questions-asked “Checklist for Identification of Sanction Screening Gaps to Ensure Robust AML/CFT, TFS Compliance” + RACI Matrix, including a pocket-sized “RegTech Dictionary”, simplifying the compliance and technology aspects of Sanctions Screening Software.

If you are a part of the customer onboarding team, a Screening Analyst, IT/System Admin, a Compliance Officer, a Senior Board Member or an AML Enthusiast, this checklist is designed to ease your and your team’s roles and responsibilities, such as:

Assessing the effectiveness of control measures surrounding documents, customers, transactions, and counterparties to identify or detect any red flags indicating sanctions screening lapse
Identifying whether the regulatory reporting and AML training components are designed well enough to mitigate sanctions screening gaps
Identifying process efficiency for red-flag detection around name screening negligence, which might be indicators of underlying ML, TF, or PF activities
Designing workflow, role clarity, task allocation, and task escalation for managing cases with screening compliance failures
Ensuring timely filing of CNMR, PNMR and other relevant reports with the UAE FIU through the goAML portal when red flags are detected.

Download this “Checklist for Identification of Sanction Screening Gaps to Ensure Robust AML/CFT, TFS Compliance” whether you’re in ADGM, Dubai Silicon Oasis (DSO), DMCC or RAKEZ, to align your business with realistic sanctions screening and assess your business’s readiness to mitigate sanctions screening lapse to combat ML, FT and PF risks.

Our Latest Checklists

Confused with how to mitigate ML, FT, and PF risks within your Regulated Entity?

Share via :

AML Data Governance Checklist: Minimise Information Privacy Abuse, Maximise Compliance

Information privacy is not only necessary to carefully handle customers’ data according to prevailing AML/CFT regulations and the data privacy laws, but also to reduce potential risks to customers’ personal information. Customer data is prone to risks of data breaches and mishandling, which may lead to severe financial loss, reputational damage and even legal penalties to Regulated Entities.

Here is the “one-click-away”, easily downloadable, with a no-questions-asked AML Data Governance Checklist: Minimise Information Privacy Abuse, Maximise Compliance + RACI Matrix.

If you are a part of the customer onboarding team, a KYC Analyst, an AML Compliance officer, a Senior Board Member, a Transaction Monitoring Analyst, someone who’s an AML enthusiast keen on data privacy abuse risk, or anyone responsible for AML governance and information privacy, this checklist is designed to provide you with insights into information privacy abuse risk and simplify your below roles and responsibilities:

Assessing the effectiveness of control measures surrounding documents, customers, transactions, and counterparties to identify and detect any red flags indicating data breaches and data misuse.
Identifying whether the regulatory reporting and AML training components are designed well enough to mitigate data privacy abuse risk
Identifying process efficiency for red-flag detection around misuse or breach of customer data, which might be indicators of underlying ML, FT or PF activities
Designing workflow, role clarity, task allocation, and task escalation for managing cases with data privacy abuse
Ensuring timely filing of CNMR, PNMR, SAR or STRs with UAE FIU through goAML portal when red flags are detected.

Download this “AML Data Governance Checklist: Minimise Information Privacy Abuse, Maximise Compliance” + RACI Matrix, whether you have business operations in Dubai, Sharjah, Abu Dhabi or other parts of the UAE, to align your Regulated Entity with data privacy laws and abide by AML rules and regulations.

Our Latest Checklists

Confused with how to mitigate ML, FT, and PF risks within your Regulated Entity?

Share via :

Checklist for Foreign Diplomat Client Risk Assessment for AML/CFT Compliance

Foreign diplomats, embassy staff or any other representative of a sovereign state holds a favorable privilege in a host state, as per the mandate under international laws. Countries around the globe respect international immunities for smooth diplomatic functions. However, these protections often expose countries to vulnerabilities and loopholes that grant opportunities to foreign diplomats to smoothly conduct layering of illicit funds, with an aim to obscuring actual origin of proceeds of crime.

If you are a member of a Customer Onboarding system, a KYC Analyst, a Risk Analyst, a Transaction Monitoring Analyst, a Senior Board Member, a Compliance Officer or simply an AML/CFT enthusiast, you should be aware of the high-risk a customer claiming diplomatic status would pose for ML/TF activities due to their influence on government funds.

Regulated Entities need to implement a risk-based approach while onboarding foreign diplomat clients, coordinate internal responsibilities for continuous monitoring and elaborate clear escalation plans to mitigate threats of ML/TF activities.

Presenting a readily available and accessible “Checklist for Foreign Diplomat Client Risk Assessment for Robust AML/CFT Compliance” + RACI Matrix to simplify AML Compliance teams’ roles and responsibilities for an efficient and well-coordinated Customer Risk Assessment, such as:

Assessing the effectiveness of control measures surrounding foreign diplomat customers, transactions, and counterparties to identify or detect any red flags indicating risk from foreign diplomat clients.

Identifying whether the Regulatory Reporting and AML Training components calibrated well-enough to mitigate ML/TF risks arising from clients having diplomatic status.

Identifying process efficiency for red-flag detection around misuse of diplomat accounts for illicit money transfers across different jurisdictions, which might be indicators of underlying ML, TF, or PF activities.

Mapping workflow, role clarity, task allocation and task escalation for managing cases with risky overseas ambassadors.

Ensuring timely filing of CNMR, PNMR, STR or SAR with UAE FIU through goAML portal when red flags related to foreign ambassadors are detected.

Download this “Checklist for Foreign Diplomat Client Risk Assessment for Robust AML/CFT Compliance” + RACI Matrix, whether you are in ADGM, Dubai Silicon Oasis (DSO), DMCC or RAKEZ, to ensure tracking of high-risk foreign diplomats, to identify, assess, and monitor risk associated with them and to implement EDD or other commensurate risk mitigation strategies to combat ML/TF/PF risks.

Our Latest Checklists

Confused with how to mitigate ML, FT, and PF risks within your Regulated Entity?

Share via :

A Comprehensive Guide to AML Customer Risk Assessment for DNFBPs in UAE

Pathik Shah

Protect your business with reliable and effective AML strategies with AML UAE.

A Comprehensive Guide to AML Customer Risk Assessment for DNFBPs in UAE

As per UAE AML regulations and to cope with the ever-evolving financial landscape, the regulated entities – Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) – are required to conduct Customer Risk Assessments. The Customer Risk Assessment is a critical AML measure focused on identifying the money laundering or financing of terrorism (ML/FT) risk posed by each customer.

In this article, we will discuss the significance of performing customer risk assessment for DNFBPs in UAE and the best practices to conduct the same to manage the risk and stay compliant with the UAE AML regulations.

Understanding the Importance of Customer Risk Assessment

UAE has introduced AML/CFT regulations, providing guidelines for regulated organizations to implement AML compliance programs and combat financial crimes like money laundering and terrorism financing. One of the AML measures provided under the UAE AML laws is the Customer Due Diligence (CDD) process.

CDD is a set of comprehensive measures to be applied while onboarding a customer. It includes Know Your Customer (KYC), aimed at identifying the customers and verifying their identity, including the Ultimate Beneficial Owners (UBOs). The name screening of the customers and UBOs also forms part of the CDD process. Additionally, the Customer Due Diligence measures also include customer risk assessment.

What is Customer Risk Assessment under AML Compliance Program?

Customer Risk Assessment plays a pivotal role in the AML program, as it assists in adopting the risk-based approach to deploy resources and optimally manage financial crime risks. It involves assessing the potential ML/FT risk the customer is expected to pose to the business, i.e., creating the customer risk profile or conducting the risk assessment. It is an essential element of a risk-based approach and regulatory requirement. FATF Recommendation 10 also advocates the importance of customer risk assessment.

By assessing the risk associated with customers, regulated organisations can determine the level of procedures to be performed and the controls to be applied to manage risk effectively.

The customer risk assessment is primarily based on customer identification information, the nature of business activities, the geographies they are associated with, the purpose of the business relationship, the expected transactions, the actual transaction pattern, etc. Evaluation of the risk basis of these factors, along with other relevant risk parameters, assists the business in determining the level of customer risk and accordingly deploying adequate AML measures.

Why is Customer Risk Assessment a significant part of the AML Compliance Program?

As an outcome of the Customer Risk Assessment, the customer’s risk profile is created and classified as either high, medium, or low risk for the business. It assists businesses in determining the level of due diligence measures to be applied. For example, enhanced due diligence measures are applied to manage the increased risk for customers categorized as posing a high risk to the business. The businesses may adopt simplified verification measures for customers with low ML/FT risk. Thus, it helps the organizations apply the risk-based approach in its true and use the resources optimally, with smooth customer onboarding in line with the risk profile.

It serves as the foundation to build the ongoing monitoring program to identify any unusual patterns or suspicious activities, allowing the businesses to prioritize the monitoring efforts toward high-risk customers.

Moreover, the customer’s information and the activity profile keep evolving over time; thus, it is pertinent to ensure the customer’s risk assessment is updated to identify the level of risk associated with the customer and ensure appropriate mitigation measures are applied.

With a comprehensive customer risk assessment process, businesses can protect themselves from being exploited by financial criminals and ensure compliance with the AML regulatory landscape of the country.

How to conduct Customer Risk Assessment (CRA)?

Adopting the following steps will enhance the effectiveness of the Customer Risk Assessment:

Identifying and evaluating the risk factors

The first step in CRA is identifying the risk factors that expose the business to ML/FT vulnerabilities. These risk factors can include the following:

nature of the customer
customer’s country of residence, business, nationality, and birth
occupation and employer details of the customer
nature of the proposed transaction
transactional parameters like nature of product, services
mode of payment
person’s background (adverse media, connection with sanctioned persons, or past incidence of reporting suspicious transactions)
customer’s source of funds and wealth

For example, the customer working with an industry connected with ML/FT typologies, such as precious metals and stones or real estate, is treated as a high-risk customer. Further, the customer whose proposed payment mode is cash or virtual assets without any business rationale may trigger a suspicion warranting to classify the customer as high-risk.

The customer associated with a country on the FATF Grey List or jurisdiction notorious for higher risk of money laundering poses a higher risk to the business than the customer with a jurisdiction having strong AML regulations.

The comprehensive and combined evolution of these factors helps the business determine the risk associated with each customer and create its risk profile.

The evaluation of the risk factors to help identify the inherent ML/FT risk the customer poses and the level of AML/CFT measures are required to mitigate this inherent risk. For instance, regulated organizations must perform additional verification checks and obtain documents for high-risk customers to establish the legitimacy of the customer’s source of funds and wealth. Moreover, senior management approval must also be sought to establish a business relationship with such a customer.

Adopting appropriate mitigation measures significantly reduces the ML/FT risk, ensuring an inherent level of risk is brought within the business’s risk appetite to conduct a transaction with such a customer.

The factors considered for the risk assessment, the methodology adopted and the outcome of the CRA must be well-documented to demonstrate AML compliance.

Periodic review and reassessment

The customer risk profile is not a static one, i.e., once a customer is classified as high-risk would not necessarily pose such increased ML/FT risk to the business. The risk exposure changes as the customer’s profile is updated, the business activities change, the relevant country’s AML regulatory framework changes, etc. Further, the evolving AML regulations and emerging risk typologies also impact the customer’s risk profile.

Thus, the regulated entities must ensure that the customer’s risk assessment is dynamic, updated as and when there is any movement in the risk factor.

Empowering the team

Well-crafted AML/CFT procedures and controls are of no use without having a well-trained team to implement the same effectively. The regulated entities must impart adequate AML training to their employees around the performance of customer risk assessment and its impact on the nature of AML/CFT measures to be applied. The factors to be considered for risk assessment and the methodology to be adopted must be discussed during the AML training program.

How can the use of tools and techniques improve the effectiveness of the Customer Risk Assessment?

When assessing customer risk, regulated entities can deploy a wide range of tools and techniques to obtain accurate and real-time results. These tools and techniques would be both – manual as well as automated using technology.

Use of emerging technology in performing Customer Risk Assessment

With the use of developing technologies, businesses can improve the effectiveness of the risk assessment process. The automated software and tools can process a large volume of customer data to assess the level of risk and provide insights into the customer’s risk profile.

Leveraging these technological tools can speed up the processes, providing real-time assessment of the customer risk upon every transaction executed with the customer, without worrying about remembering the requirement to reassess the customer risk.

Moreover, these solutions use the initially assessed risk level as a base and can promptly identify any unusual patterns and suspicious activities inconsistent with the customer’s profile.

Use of manual techniques for assessing customer risk

Though deploying technology for customer risk assessment is one of the best alternatives, the power of manual techniques can’t be ignored. Small and medium-sized businesses can use sophisticated Excel-based methods to assess the risk, including manually verifying customer documents and information.

With the human touch, businesses can assess the risk by interviewing the customer, studying their behavior, involving third parties to evaluate the customer’s financial position, etc.

When the manual techniques are combined with technological tools, the comprehensiveness of the CRA measures enhances, ensuring that tool-based assessment is supported by manual verification and no potential risk exposure goes unnoticed.

Let AML UAE help you design your Customer Risk Assessment Program

As the risk factors and AML regulations in UAE keep advancing, the methodologies of conducting customer risk assessment also change. Seek professional help from AML experts like AML UAE to develop your customer risk assessment policies and program, ensuring you appropriately determine the customer’s ML/FT risk and apply necessary mitigation measures.

AML UAE, with its diversified experience and subject knowledge, can assist the regulated entities in customizing the AML framework in accordance with the nature and risk exposure of the business while staying AML compliant and managing the risks effectively.

Whichever way you go – technological or manual – AML UAE can help you either by identifying and assisting in implementing the right AML software for CRA or designing the manual techniques and processes to create customer risk profiles effectively.

With Customer Risk Assessment, manage your ML/FT risks effectively!

Make significant progress in your fight against
financial crimes

With the best consulting support from AML UAE.

Share via :

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik

The Laundromat Review

The Laundromat Movie Review: Dry Cleaning the Truth

The rules of the game are rigged.

This throwaway line from ‘The Laundromat’ is the plot of the film, and for those of us in AML, it hits a little close to home.

Picture this: You think you’re booking a lovely little lake cruise. The sun’s out, the water’s sparkling, and life is peachy. Until the boat sinks, and suddenly, you’ve nosedived into the murky waters of insurance fraud, shell companies, and offshore secrets. Welcome to The Laundromat. Steven Soderbergh’s glitzy, satirical take on how money laundering isn’t the subplot. It is the plot.

The Laundromat is a glossy, witty, and at times chaotic take on the idea of money, the necessity of money, and the secret of money. It doesn’t so much tell the story as peel back the layers of a very global, very shady onion. Instead of one central plot, we’re treated to a series of secrets all tied together by shell companies, nominee directors, and a growing sense of financial injustice.

Let’s be honest. This is an all-you-can-eat buffet of red flags. Here’s how it stacks up from a compliance perspective:

The Shell Game

At the heart of it all? Shell companies. Lots of them. Mossack and Fonseca guide us through their “services” as if they’re selling luxury handbags. Only these bags come with no receipts, no owners, and no questions asked.

As Ramón Fonseca suavely explains,

“Some people say corruption is just a way of life. But we say corruption is how you live.”

For AML professionals, these shells are Exhibit A. They’re used to mask ownership, obscure transactions, and, in some cases, steal from widows (quite literally in this movie).

The International Game

One minute, we’re in China. The next is in Africa. Then, a yacht in the Caribbean. The geography is cinematic but also a metaphorical reference to the feature of the laundering itself. Dirty money doesn’t stay in one place. It hops through jurisdictions like a tourist with no luggage and too much cash.

In AML-speak, this is layering at its most cinematic. Money bounces through enough intermediaries to lose its scent, and in real life, that’s exactly how illicit funds stay hidden.

Missing Paperwork, Missing Morals

One of the film’s most effective messages? Just how little do you need to start a company that can hide millions? No ID checks. No source-of-funds verification. In some cases, not even a living person is the director.

In other words, it’s KYC gone AWOL. And that, dear reader, is how you end up laundering grief into profit.

Style Over Substance? Maybe. But Also Ouch

Yes, the film sometimes leans too hard into quirk. And yes, it’s more lecture than a thriller. But for compliance nerds, it’s cathartic. It shows the human cost of unchecked financial secrecy and does it with flair.

The real stars? Not the big names, but the little truths?

That a single fake policy can ruin a life.
That some criminals wear suits and work through paperwork.
That accountability is often that one thing money can outrun.

Final Word

Where the film shines (and stings) is in its theatrical delivery of a very real problem: global inequality amplified by financial secrecy. The Laundromat challenges viewers to ask: Who does the system really serve? And who is left holding the bills once the system collapses?

What The Laundromat teaches us beyond the cinematic panache, parody, and fourth-wall-breaking monologues is this: when oversight is minimal, and secrecy is profitable, corruption doesn’t wear a mask. It opens offshore accounts.

So, for the AML world, this is entertainment but also a tale with red flags waving like parade banners wrapped in a screenplay. The film whispers (or rather, shouts), Know your customer. Know their ownership. And for heaven’s sake, don’t let compliance be a checkbox exercise.

Recommended Popcorn Pairing: Extra salty. Because the reality is.

Frequently Asked Questions of The Laundromat Movie

Yes, the movie shares real-world money laundering schemes relevant to UAE’s 2025 context and AML enforcement.

Our Latest Publications

Don't let your operations tumble into trouble.

Related Infographics

Elements of the Customer Due Diligence Process

Customer Due Diligence process is a key element of the overall AML Program, requiring the regulated entities to identify the customers and assess the risk each customer poses to the business.

To ensure the effectiveness of the CDD under the AML program, the regulated entities in UAE must follow the below-mentioned approach:

Know Your Customer: The KYC process aims at identifying the customers, including the Ultimate Beneficial Owners (UBOs), and verifying their identity using reliable, independent sources. KYC also covers understanding other key information about the customer, such as their occupation, associated geographies, etc.
Customer Name Screening: Screening includes compliance with the Sanctions regime, identification of the customer’s connection with Politics or Politically Exposed Persons (PEP) and scanning the customer or the UBOs to check for the presence of any negative media against the customer.
Customer Risk Profiling: Assessing the level of risk the customer poses and determining the customer’s risk profile. Basis the risk classification, the regulated entities must determine the nature of overall Customer Due Diligence to be applied.
Enhanced Due Diligence: For customers identified as posing higher ML/FT risk, the regulated entities must adopt Enhanced Due Diligence measures, covering additional inquiries about the customers’ identity, purpose of transactions, customer’s financial position, and the source of funds/wealth.
Ongoing Monitoring: Customer Due Diligence is an ongoing activity requiring regulated entities to monitor the customer’s information and their transactions with the entity to identify any suspicious activities or inconsistencies in customer behaviour.

Here is an infographic to help the regulated entities in the UAE to develop and maintain an effective Customer Due Diligence process, covering the core components of managing the risk during customer onboarding and ongoing business relationships.

Let AML UAE be at your service in designing the CDD program for your business, highlighting the best practices to stay AML compliant and safeguard the business from being exploited by money launderers and other financial criminals.

Frequently Asked Questions of the Customer Due Diligence Process

Key steps include client verification, risk assessment, ongoing monitoring, and documentation as per latest UAE AML laws.

How to File CNMR and PNMR on the goAML Portal Under TFS Guidance, 2025

Best Practices for CNMR and PNMR Filing on the goAML Portal to Ensure TFS Compliance

Pathik Shah

Protect your business with reliable and effective AML strategies with AML UAE.

How to File CNMR and PNMR on the goAML Portal Under TFS Guidance, 2025

This blog elaborates on the July 2025 updates to the Targeted Financial Sanctions (TFS) Guidance. These updates introduce sharper procedures, especially around screening and reporting, and call attention to nuanced revisions, such as:

Fund Freeze Report (FFR) changed to Confirmed Name Match Report (CNMR)
Clarified screening during weekends and public holidays
Updated procedures related to Partial Name Match Reporting
Additional examples on PNMR Reporting
Grievance procedures were deleted and published separately on the EOCN website.

The blog also includes a detailed explanation of what TFS obligations are, an in-depth understanding of CNMR and PNMR filing obligations and step-wise processes under TFS Guidelines 2025, and the best practices that Reporting Entities can incorporate into their AML framework to ensure Sanctions Compliance.

Apart from procedural updates, this blog also provides a step-by-step walkthrough for CNMR and PMNR filing using the goAML portal, helping AML compliance professionals and Regulated Entities to understand their core TFS compliance obligations.

Guidance on Targeted Financial Sanctions, July 2025: What Reporting Entities Must Know

In order to decode the provisions of the TFS Guidelines July 2025, reporting entities must develop a sound understanding of the basic concepts, such as:

What are Targeted Financial Sanctions (TFS) in the UAE?

“Targeted Financial Sanctions” refers to an obligation to freeze the funds or other assets of designated individuals or entities, and to restrict access to such funds, assets, or related services, either directly or indirectly.

The primary purpose of TFS is to prevent designated persons and entities from accessing financial resources, thereby disrupting the use of such resources for illicit purposes or transactions that may benefit individuals or organisations involved in terrorism, proliferation financing, or other criminal activities.

TFS Compliance Obligations

Article 21 of Cabinet Decision No. 74 of 2020 has set the main TFS compliance obligations on Reporting Entities, including DNFBPs, FIs, and VASPs:

Register

Reporting Entities must register for the EOCN Notification Alert System (NAS) to receive automated email notifications on any update to the Sanctions List. In terms of practical implementation, Regulated Entities using Sanctions Screening Software can ensure that the screening software is paired up with a sanctions screening API that gives real-time data and updates as to additions and deletions of names in:

The UAE Local Terrorist List that contains the names of all the sanctioned individuals, entities, or groups designated by the UAE Cabinet.
The UNSC Consolidated List that contains the names of all the sanctioned individuals, entities, or groups designated by the United Nations Sanctions Committees or directly by the UNSC.

Screen

The “when” and “whom” of sanctions screening is covered under paragraphs 30 and 31 of the latest guidance, which provide that Reporting Entities must undertake regular and ongoing screening on the latest Sanction Lists. Sanctions Screening must be undertaken mandatorily in the following circumstances:

Updates, i.e., additions, deletions, and revisions of names to Sanction lists
Prior to onboarding a new customer, i.e., a potential customer
Persons or entities party to any transactions or related to parties of any transaction, including names of persons with direct or indirect relationships with designated individuals, entities, or groups
Upon periodic KYC reviews or if there is any material change in the nature or ownership of the customer is identified
Daily screening of the existing customer database
Daily screening of the offboarded customers or previous customers with whom the Regulated Entity had prior business relationships and transactions
- Reporting Entities need to be mindful that they are required to SCREEN all their previous or offboarded customers on an ongoing basis for a period of five (5) years after termination or cessation of the business relationship, even if there is no active business relationship or no assets are held with the Regulated Entity at present.
Before processing any transactions with a counterparty.

The “what” of the sanctions screening requirement is covered under paragraphs 32 and 33, which state the “key identifiers” and “other identifiers” required to be obtained by regulated entities from their customers to screen their names against those contained in the latest sanctions lists. These key identifiers and other identifiers are:

Once the key identifier details are available with the regulated entity, the Screening Analyst can proceed with conducting sanctions screening either manually or through screening software. The latest guidance on TFS requires regulated entities to have in place an adequate screening mechanism to help ensure TFS compliance.

The sanctions screening process generates screening outcomes, which can be disambiguated into four categories, such as:

Confirmed Name Match: The name of the customer matches with the sanctions screening outcome.
Partial Name Match: The name of the customer partially matches with the sanctions screening outcome.
False Positive: The name of the customer does not match with the screening outcome.
Negative Match: The name of the customer does not generate a screening outcome.

The occurrence of any of these four outcomes requires the personnel of the regulated entity to take appropriate steps, which are more elaborately discussed in the table below:

Sanctions Screening Outcomes and Resultant Reporting Requirements
Screening Result	TFS Measures	TFS Reporting Requirement	Record-Keeping Obligation
Perfect Match or Confirmed Name Match	Freezing of Funds or Other Assets without any delay (within 24 hours) Prohibition from Making Funds or Other Assets or Services Available If the confirmed name match is of a potential customer, transaction must be immediately rejected (TFS measures discussed more elaborately in step 3)	Confirmed Name Match Report (CNMR) to be filed within 5 days alongwith obligatory information	Paragraph 46 of the TFS Guidance updated in July 2025 prescribes to maintain records for the duration of atleast five (5) years, irrespective of the screening outcome.
Partial Match	Immediate suspension of transaction without any delay Avoid offering funds or any other services Scenario-wise requirements apply	Partial Name Match Report (PNMR) to be filed within 5 days alongwith obligatory information
False Positives or False Match	Not applicable	No reporting required
No Match or Negative Match	Not applicable	No reporting required

Stop Guessing. Start Screening Right!

Ready to handle every match- Confirmed, Partial, or Not?

Implement TFS Measures

Reporting Entities must either freeze all funds and assets without delay, prohibit the provision of services/funds or reject the transaction. The core elements of TFS Measures prescribed by the Guidance on TFS include:

Asset Freezing without delay
Prohibition from making funds or other assets or services available
- Financial Assets
- Economic Resources
- Any other assets.

The distinction between “Freezing Measures” in the case of a Confirmed Match and “Suspension Measures” in the case of a Partial Match is discussed in depth in further paragraphs of this AML UAE blog.

Report

The mechanism to report any TFS measures taken by the Reporting Entity must be after identifying a Confirmed or Partial Name Match, reporting to the relevant Supervisory Authority and submitting one of the following two reports via goAML:

Confirmed Name Match Report (CNMR)
Partial Name Match Report (PNMR)

The TFS Guidance also requires Reporting Entities to include and enclose mandatory and obligatory information along with the CNMR and PNMR filed.

In the context of CNMR, the RE is required to enclose ID documents of the person or legal entity whose name is found in the sanctions lists, resulting in a confirmed match during screening, as without possession of ID documents, the RE cannot conclusively confirm that the screening match found is a perfect match, requiring regulatory reporting. Examples of obligatory information for CNMR are:

The amount of funds or other assets frozen with documentary evidence, such as bank statements, transaction receipts, investment portfolios, title deeds, account summaries, etc
Detailed description of rejected transactions or services.

In the context of PNMR, the RE is required to enclose documents such as ID documents (if and when available) and the full name of the person or entity whose name is found to have partially matched during screening. The examples of obligatory information that REs can attach to PNMR are:

Funds or other assets that are suspended
Detailed description of rejected transactions or services.

Confused by the Latest TFS Updates?

Connect with our expert to ensure full compliance with the latest TFS Guidance

How to File a Confirmed Name Match Report (CNMR) While Implementing TFS Measures

The step-wise process for filing CNMR requires a well-developed internal workflow to be followed by employees of a Regulated Entity. Timely filing of CNMR is only possible when the process from match identification to submitting the report on the goAML portal flows seamlessly from one department to another. Regulated Entities need to appoint an AML Compliance Officer and register themselves on the goAML portal. Registration on the goAML portal enables REs to file reports to the UAE FIU (Financial Intelligence Unit) to fulfil regulatory reporting requirements. The step-wise process for filing CNMR includes:

The subscription to the EOCN Notification Alert System (NAS) is a prerequisite that REs must tick off their to-dos once they commence business operations concerning covered activities under UAE’s AML/CFT regime. The subscription to NAS is a one-time exercise, which enables REs to access updated Sanctions Lists in real-time.

Identification of Confirmed Name Match During Sanctions Screening

REs can opt to screen their customers manually across the Sanctions Lists obtained through NAS or rely on a Sanctions Screening Software or unified AML Software that relies on efficient Screening APIs. Using one of these or a combination of software tools ensures that Sanctions Lists relied on for screening customers are updated in real time as published by the regulator, or EOCN, in the context of TFS compliance. The process of screening customers generates screening results or screening outcomes, which need to be disambiguated by the Screening Analyst.

Regulated Entities must remain mindful that they screen across their customer databases, which include potential, existing, and former customers, with whom they had a previous business relationship during the past five (5) years

When a Screening Analyst, while disambiguating screening results, identifies a perfect match or a confirmed match, they need to assess the screening outcome to confirm its accuracy.

Assessment of Confirmed Name Match Outcome

Assessment of a Confirmed Name Match or Perfect Match outcome is quite straightforward. In the case of potential, existing, and former customers, the frontline team or the Screening Analyst is required to carefully examine and cross-verify the customer’s key identifiers and the screening outcome’s attributes to assess whether the initial identification and disambiguation of the screening is accurate or erroneous. Once the Screening Analyst or the frontline team is sure of the match outcome assessment, they need to escalate the customer profile and screening outcome findings to the AML Compliance Officer for carrying out further steps.

Escalation by the Frontline Team or Screening Analyst to the AML Compliance Officer

The AML Compliance Officer needs to assess the customer profile forwarded by the frontline or screening team and assess whether the customer (potential, existing, or former) is indeed a confirmed match or there is any confusion or error on part of screening or frontline team in identifying the match results accurately and proceed further with imposition of TFS Measures and fulfilling CNMR filing formalities in a timely manner.

Impose Freezing Measures on Potential, Existing, and Former Customers

Once the AML Compliance Officer is sure that the confirmed match screening outcome is correct and accurate, he needs to act fast and impose freezing measures without delay (within 24 hours of the confirmed match). The extent and manner of imposing TFS Measures shall differ on the basis of the maturity of the business relationship, as elaborated below:

In case of a Potential Customer

Rejection of transaction or service immediately

In case of an Existing Customer

Freeze all funds/assets
Prohibition from making funds, other assets, or services available to such customer

In case of a Former Customer

If the confirmed match is that of a former customer and the RE does not have any assets or funds available with them, they can still proceed with the CNMR filing process, stating that business relationship concluded and they are not in possession of any assets.

Preparation of Mandatory and Obligatory Information & Documents for CNMR in alignment with goAML Requirements

After imposing TFS Measures, the Compliance Officer then needs to ensure that he is equipped with all the mandatory and obligatory information pertaining to the customer against whom the CNMR is supposed to be filed. The ID documents (passport, Emirates ID, trade license) are assumed to be in possession of the RE and need to be submitted with CNMR. The examples of obligatory information are:

Asset value proof (bank statements, portfolio summaries, title deeds)
Description of rejected service or transaction.

Logging in on the goAML Portal to File CNMR

The AML Compliance Officer must log into their employer’s goAML portal account using RE’s log-in details to file CNMR.

Selecting Report Type as CNMR & Entering Information and Documents

The AML Compliance Officer needs to select CNMR from the list of options given in the dropdown menu on the goAML portal. The AML Compliance Officer can either upload the CNMR in an XML format or fill in the details regarding a confirmed name match in real-time by opting for the web-report option on the goAML portal.

Saving and Submitting CNMR

Once the details regarding the confirmed name match are entered on the goAML portal successfully, the AML Compliance Officer must save the CNMR details and submit the same. The AML Compliance Officer must be mindful of the requirement to complete the legal obligation filing of CNMR on the goAML portal within 5 days after applying freezing measures.

Maintaining Records of CNMR Filed for Five (5) Years

REs are required by law to maintain records of all screening results, including CNMRs, the identification, decision, freezing measures taken, and details of the CNMR filed on the goAML portal for the period of at least five (5) years.

From Sanctions Screening to CNMR Filing: We’ve Got You Covered!

Struggling with real-time screening, escalation, and goAML reporting? Let AML UAE streamline it for you.

How to File a Partial Name Match report (PNMR) While Implementing TFS Measures

The step-wise process of filing a PNMR broadly consists of the steps elaborated in further paragraphs. However, based on the maturity of the business relationship, i.e., whether the customer is a potential customer, an existing customer, or a former customer, the employees of the Reporting Entity, such as the frontline team, Screening Analysts, KYC Analysts, and AML Compliance Officer, must make sure that they collect necessary information about the customer to ensure accurate filing of PNMR. Timely filing of PNMR can be achieved through well-coordinated efforts by all personnel concerned.

Needless to say, the prerequisite of subscription to the EOCN Notification Alert System (NAS) is implied when it comes to having a well-defined and documented process to file PNMR in place. The Reporting Entity may screen its customers manually, through updated sanctions lists and notifications received after subscribing to EOCN NAS or can rely on a Sanction Screening Software or an AML Software with Sanctions Screening API.

Identification of Partial Name Match During Sanctions Screening

Regulated Entities must ensure that they screen across their customer databases, including potential, existing, and former customers, with whom they had a previous business relationship during the past five (5) years.

When a Screening Analyst, while disambiguating screening results, comes across screening results or outcomes where only some or few of the attributes of the customer profile, and they cannot conclusively confirm whether or not such a match is a confirmed match or a false positive, then in such a scenario, they are required to escalate the customer profile and screening outcome to the AML Compliance Officer for further assessment.

Assessing Partial Name Match Outcome

Assessment of Partial Name Match Outcome after screening needs to be done to rule out the possibility of the initial match disambiguation being inaccurate, false positive, or a confirmed name match instead. However, the issue with Partial Name Match outcomes is that the Screening Analyst or frontline team cannot conclusively decide whether it’s a false or a complete match due to factors such as:

Lack of adequate information and non-availability of the customer’s ID documents in case of potential customers
Lack of information in Screening Outcomes, i.e., screening results exist but don’t provide adequate information so as to conclude successful disambiguation
A high number of screening outcomes or results are generated by the screening software due to lower match percentage thresholds configured, leading to high disambiguation volume with non-existent substantial information for disambiguation.

In order to simplify the Partial Name Match Outcome’s accuracy assessment, the following factors must be considered by Reporting Entities, such as:

For Potential Customers: Obtaining ID documents must be attempted when ID documents are not available, leading to a lack of information on key identifier details, so that the match can be disambiguated by having a complete set of information prior to disambiguation for accurate results.

If ID is received within 10 days, the RE must conduct Screening with details contained in the ID obtained. Based on the screening outcome, if the RE finds that the match is indeed a Partial Match, they must continue/implement Suspension/Freezing Measures and proceed with the PNMR/CNMR filing process. If, after fresh screening, the RE finds that the screening outcome is a false positive or no match, they must proceed with establishing a business relationship.
If ID is not received within 10 days, the RE must Reject/Cancel Transaction and proceed with PNMR filing process
If ID is received after 10 days, the RE must conduct Screening based on the recently acquired ID and implement Suspension Measures accordingly, if a Partial Match is found, or proceed with CNMR if a Complete Match is found, or establish a business relationship if false or no match found.

Existing and Former Customers: The possession of a Customer ID is assumed

Suspend any transaction, refrain from offering any funds, assets, or services.

Escalation by the Frontline Team or Screening Analyst to the AML Compliance Officer

The AML Compliance Officer needs to assess the customer profile forwarded by the frontline or screening team and determine whether the customer (potential, existing, or former) is indeed a partial match or confirmed match or false match, based on which further actions can be taken.

Impose Suspension Measures on Potential, Existing, and Former Customers

Once the AML Compliance Officer is sure that the partial match screening outcome is correct and accurate, he needs to act fast and impose a suspension of the business relationship and refrain from or avoid providing any service, assets, or funds to such a customer without delay (within 24 hours of the partial match).

The extent and manner of imposing TFS Measures, i.e., suspension, shall differ on the basis of the maturity of the business relationship, as elaborated below:

In case of a Potential Customer

Cancel the Transaction and proceed with the PNMR filing process

Existing and Former Customers

Suspend any transaction, refrain from offering any funds, assets, or services.

Preparation of Mandatory and Obligatory Information & Documents for PNMR in alignment with goAML Requirements

After imposing TFS Measures, the Compliance Officer then needs to ensure that he is equipped with all the mandatory and obligatory information pertaining to the customer against whom the PNMR is supposed to be filed. The ID documents of existing and former customers (passport, Emirates ID, trade license) are assumed to be in possession of the RE and need to be submitted with PNMR. The ID documents of potential customers can be submitted if and when available. The examples of obligatory information are:

Asset value proof (bank statements, portfolio summaries, title deeds)
Description of suspended service or transaction
Description of rejected transaction or service (when no funds are held).

Logging in on the goAML Portal for PNMR Filing

The AML Compliance Officer must log into their employer’s goAML portal account using RE’s log-in details to file PNMR.

Selecting Report Type as PNMR & Entering Information and Documents

The AML Compliance Officer needs to select PNMR from the list of options given in the dropdown menu on the goAML portal. The AML Compliance Officer can either upload the PNMR in an XML format or fill in the details regarding a confirmed name match in real-time by opting for the web-report option on the goAML portal.

Saving and Submitting PNMR

Once the details regarding the confirmed name match are entered on the goAML portal successfully, the AML Compliance Officer must save the PNMR details and submit the same. The AML Compliance Officer must be mindful of the requirement to complete the legal obligation filing of PNMR on the goAML portal within 5 days after applying suspension measures.

Following EOCN Response

REs after filing a PNMR must await and follow the EOCN instructions and maintain suspension measures until further instructions are received.

The EOCN instructions in the context of PNMR concern the treatment of suspension measures, particularly in the case of existing and former customers. The Reporting Entity must submit PNMR along with all the necessary and obligatory customer information so that EOCN can verify the PNMR submitted and give further instructions to the RE. Either of the following steps must be taken by RE, based on EOCN response:

If EOCN concludes PNMR filed as a False Positive, RE must cancel TFS suspension measures and proceed with the business relationship
If EOCN validates PNMR as a Confirmed Match, REs must freeze funds and submit CNMR.

In the case of potential customers, if customer information and documents are lacking, then EOCN will not be able to verify the PNMR report submitted into Confirmed Match or False Positive.

Maintaining Records of PNMR Filed for Five (5) Years

REs are required by law to maintain records of all screening results, including PNMRs, the identification, decision, suspension measures taken, and details of the PNMR filed on the goAML portal for the period of at least 5 years.

Partial Match or Confirmed? Don’t Second-Guess Compliance.

Get step-by-step guidance on match escalation, TFS imposition, and goAML filing.

Key Differences Between CNMR and PNMR: Comparative Table

Differences Between CNMR and PNMR
Distinguishing Aspects	CNMR (Confirmed Name Match Report)	PNMR (Partial Name Match Report)
Trigger Event	Identification of Confirmed Match during Sanctions Screening	Identification of Partial Match during Sanctions Screening
Immediate Action Needed	Freezing Measures for TFS Compliance to be applied within 24 hours	Suspension Measures for TFS Compliance to be applied within 24 hours
Filing Timelines	Within 5 days after imposing Freezing Measures	Within 5 days after imposing Suspension Measures
Documents Required	Complete Customer ID + Documents of Freezing Measures/ Transaction Rejection	Complete or Partial Customer ID + Documents of Suspension Measures
Post Filing Measures	Freezing Measures to say in place. However lift Freezing Measures if Person/Entity is Delisted from Sanctions List or Freezing Cancellation Decision given by EOCN	Await EOCN Response, maintain Suspension Measures, may need to file CNMR or mark match as False Positive

Key Differences Between Freezing and Suspension Measures

Differences Between Freezing and Suspension of Funds
Distinguishing Aspects	Freezing Measures	Suspension Measures
Sanctions Screening Disambiguation Outcome	Confirmed or Perfect Match	Partial Match
Report to be filed on GoAML Portal	CNMR	PNMR
TFS Compliance Requirements	Freezing measures remain in place until person/entity is delisted from Sanctions List or Freezing Cancellation Decision given by EOCN	Suspension measures remain in place until EOCN provides further instructions on the match’s status

Partial Match or Confirmed? Don’t Second-Guess Compliance.

Get step-by-step guidance on match escalation, TFS imposition, and goAML filing.

General Do’s and Don’ts to Ensure TFS Compliance

Compliance with Targeted Financial Sanctions (TFS) is legally mandated under UAE law and reinforced by the 2025 TFS Guidance. These emphasize proactive, risk-based screening, reporting, and asset freezing for designated persons. The following do’s and don’ts guide Reporting Entities, i.e., DNFBPs, FIs, and VASPs in meeting TFS obligations, particularly for CNMR and PNMR submissions via goAML.

Dos to Ensure TFS Compliance

Do subscribe to the Executive Office mailing list or alert system

Regulated Entities (DNFBPs, VASPs, and FIs) are required to register on the goAML platform to submit STRs and SARs to the FIU. They must also use the platform to report CNMRs/PNMRs to the EOCN and the Supervisory Authority.

Do screen continuously, even on weekends and holidays

Reporting Entities must establish internal procedures for screening against the UAE Local Terrorist List and UNSC Consolidated List during weekends and public holidays, ensuring that access to funds or assets is restricted at all times. If no transactions or customer access occur during weekends or holidays, screening must begin immediately at the start of business activity, and freezing measures should be promptly applied.

Do Report and Disclose previous transactions or business dealings with Confirmed or Partial Name Matches.

Reporting Entities must submit CNMRs and PNMRs for all relevant transactions, business relationships, and accounts held within the past five years, including those closed before the designation, even if no current assets or ties exist. The report must explicitly state that no funds or assets are presently held, no ongoing relationship exists with the designated party, and that the account in question is closed.

Do Report Matches via Email to the EOCN if You’re Not a goAML User

For an entity not registered with goAML (that do not fall under the definition of FIs, DNFBPs, or VASPs and are therefore not under an obligation to register on goAML), CNMRs or PNMRs must be reported by emailing and providing a complete set of case details that clearly explain the identified match with all relevant supporting documents attached in the message.

Do Escalate Matches Found in Criminal or Unilateral/Multilateral Sanctions Lists

Reporting Entities must consult the relevant Supervisory Authority (SA) for guidance on handling matches found with unilateral or multilateral sanctions lists, or other criminal lists, and consider submitting an STR or SAR to the Financial Intelligence Unit (FIU) if such matches are confirmed. The Reporting Entity should not use CNMR/PNMR reports in goAML for matches found on other sanction or criminal lists like OFAC, EU, HMT, or INTERPOL. These reports are only for matches with the UAE Local Terrorist List and UN List.

Do understand the change in penalty for non-compliance and inform staff

Reporting Entities must equip themselves with the awareness of changes made to the penalty imposed on TFS violations and incorporate the changes, such as imprisonment for a period of one to seven years. REs must also understand that Administrative Sanctions might be applied to them, resulting in a warning for license cancellation.

Keep Screening 24/7- Even on Holidays!

Set up a continuous screening process to avoid compliance gaps

Don'ts to Ensure TFS Compliance

Don’t overlook changes in ownership structures, as even minority holdings may evolve into controlling stakes.

Reporting Entities are required to impose freezing measures on any entity that is majority-owned (more than 50%) by designated persons or entities. During implementation, REs must determine whether a designated person owns or exercises control over more than 50% of the proprietary rights. If the designated individual holds only a minority stake (50% or less), the entity is not subject to freezing measures unless ownership shifts, and the designated person gains a majority stake or controlling interest. Furthermore, all funds or assets owed to designated individuals must be frozen and must not be made accessible under any circumstances.

Don’t notify customers before freezing measures, as doing so may be considered tipping off

Reporting Entities must avoid informing customers about freezing measures before they are applied, as this may constitute tipping off. Customers may be notified once the measures have been implemented.

Don’t Forget to Document False Positives

Reporting Entities do not need to report a False Positive result to the EOCN and may proceed with the business transaction. However, they must maintain internal records of the screening alert and all actions taken.

Don’t rely solely on third-party screening services to meet compliance obligations

Reporting Entities must not consider third-party screening services as a guarantee of compliance. Reporting Entities remain responsible and must assess the reliability and robustness of external systems before using them.

Don’t Rely on Assumptions or Unverified Links

When a Confirmed or Partial Name Match is identified, the Reporting Entity must obtain and review the customer’s identification documents. Following the review, appropriate freezing or suspension actions should be taken and properly documented.

Best Practices for CNMR and PNMR Filing on the goAML Portal to Ensure TFS Compliance

Filing of CNMRs and PNMRs via goAML portal is a key compliance requirement for Reporting Entities, including DNFBPs, FIs, and VASPs. By implementing the following best practices, Reporting Entities can ensure effective compliance with the UAE’s Latest Guidance Targeted Financial Sanctions (TFS):

Establish Comprehensive Sanctions Compliance Policies and Internal Controls

Reporting Entities must set and implement policies, procedures, and internal controls that align with the requirements of the latest TFS Guidance. These should ensure compliance with freezing obligations, include reasonable measures to identify beneficial owners, signatories, and strictly prohibit staff from disclosing freezing actions to customers or third parties. REs must allocate appropriate human and technical resources to fulfil TFS obligations effectively.

Using Sanctions Screening Software for Accuracy

REs must deploy Sanctions Screening Software that enables high-accuracy detection of designated individuals and entities across the UAE Local Terrorist List and the UNSC Consolidated List. The software should allow configurable thresholds to minimise false positives while ensuring true matches are not missed. The software must support real-time updates to watchlists, automatic batch screening, and ongoing monitoring of customer databases and transactions. These capabilities are critical for ensuring that CNMRs and PNMRs are identified without delay.

Providing Sanctions Compliance Training to Employees

REs must conduct regular and role-specific training for employees, especially those in compliance, operations, and client onboarding teams. The training must cover the detection and handling of CNMRs and PNMRs, the use of sanctions screening software, and the regulatory obligations outlined in the latest TFS Guidance. Training should also emphasise the importance of confidentiality (prohibition of tipping off) and include practical case scenarios to ensure readiness for real-life detection and reporting situations.

Group Oversight Across All Branches and Trade Zones

REs must establish Group Oversight to ensure consistent application of CNMR and PNMR processes across all branches and trade zones. This includes unified match thresholds, centrally managed screening tools, and standardised escalation procedures. Group Compliance must include overseeing implementation, conducting regular audits, and providing training to ensure effective and consistent Sanctions Screening. Central oversight ensures that potential matches are identified and resolved promptly, reducing the risk of sanctions breaches across the institution’s entire operational footprint.

Tamper-Proof Record-Keeping

REs must maintain tamper-proof record-keeping systems to ensure the integrity and security of data related to CNMR and PNMR activities. Records of screening results, match investigations, and escalation decisions must be securely maintained with access controls that restrict unauthorised viewing or editing. The system must include audit trails that log all user actions and prevent any undetected alterations or deletions.

Implementing Centralised Record Management Systems

REs must implement Centralised Record Management Systems to ensure consistent, secure, and traceable handling of data related to CNMR and PNMR processes. These systems should consolidate customer and transaction records across all business units and branches, enabling efficient access and retrieval during sanctions screening, investigations, and regulatory inspections. Centralisation ensures that relevant data is readily available as a single source of truth, supporting timely identification, review, and escalation of potential matches. Easy access to accurate records is essential for demonstrating compliance with TFS obligations and facilitating smooth regulatory visits.

Internal Reporting & Escalation Module

REs must establish a structured Internal Reporting & Escalation Module to manage alerts generated through CNMR and PNMR processes. This module should define clear roles, timelines, and procedures for the review, escalation, and resolution of potential sanctions matches. Automated workflows should support timely alert handling, while ensuring that all actions are logged for audit purposes. Effective internal reporting and escalation are essential for preventing delays, ensuring regulatory compliance, and facilitating prompt decision-making in line with TFS obligations.

Freeze, File, and Comply Without the Panic!

Our experts help you navigate every step of the sanctions screening and CNMR/PNMR reporting process.

Bringing It All Together: TFS Measures, Match Outcomes, and goAML Reporting

The advent of TFS Guidance, July 2025, calls for more than reactive and passive compliance measures; it requires proactive internal policies and procedures that take care of timely screening, clear escalation protocols, and accurate CNMR/PNMR reporting through the goAML portal and reposting to the relevant Supervisory Authority. Irrespective of dealing with confirmed or partial match in case of potential, existing, or former customers, regulated entities must implement appropriate freezing or suspension measures, document actions taken, and maintain records for a period of five (5) years.

Incorporating these practices into daily workflows helps ensure regulatory compliance while reinforcing operational resilience. With right Sanctions Screening Software, Role Specific AML Training, and governance, REs in UAE can go beyond reactive compliance and master proactive and risk-based TFS Compliance.

Need CNMR/PNMR SOPs, Templates, or Screening Software & Personnel Training?

From Screening to GoAML, we help you operationalise every step of CNMR/PNMR Compliance

FAQs

What is the difference between CNMR and PNMR under UAE TFS Guidance 2025?

CNMR can only be filed in a scenario where the customer details completely and entirely match with those of the screening outcome, whereas PNMR can be filed when some of the customer details match with those of the screening output, but it cannot be conclusively determined to be a confirmed match or a false match due to a lack of information or clarity.

What are the timelines for CNMR or PNMR filing in UAE?

CNMR and PNMR both need to be filed within 5 business days of imposing freezing or suspension measures.

Can REs file CNMR/PNMR manually without screening software?

Absolutely, filing of CNMR/PNMR can be done through logging into the goAML portal using REs’ credentials. The role of the Screening Software is limited to carrying out Sanctions Screening, generating alerts upon finding matches, streamlining workflows and escalations and preparing or downloading screening reports and details for the purpose of filing CNMR/PNMR accurately.

AML UAE – your partner for AML training requirements

Contact us now, and let's get started.

Share via :

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik

High-Net-Worth Client Risk Assessment Checklist for AML/CFT Compliance

High-Net-Worth Individuals (HNWIs) pose a high risk to Regulated Entities as they may themselves be involved in money laundering or targeted by criminals and fraudsters to commit crime. Basically, HNWI is an individual owning a net worth between US$1 and US$5 million who could benefit businesses with big purchases or premium services but can adversely affect the business with ML/TF risks.

So, if you are part of the customer onboarding team, a KYC Analyst, a Screening Analyst, an AML Compliance Officer, a Senior Board Member, a Transaction Monitoring Analyst, or an AML enthusiast, you must be aware of the risks associated with HNWIs and take actions to mitigate the risks.

Behold this easily downloadable, “High-Net-Worth Client Risk Assessment Checklist for AML/CFT Compliance” + RACI Matrix to simplify your and your team’s AML Compliance roles and responsibilities, such as:

Assessing the effectiveness of control measures surrounding documents, customers, transactions, and counterparties to identify or detect any red flags indicating risk from high-net-worth clients.
Identifying whether the regulatory reporting and AML training components are designed well enough to mitigate risks from high-net-worth individuals.
Identifying process efficiency for red-flag detection around the misuse of wealth by HNWIs, which might be indicators of underlying ML, TF or PF activities.
Designing workflow, role clarity, task allocation, and task escalation for managing cases of high-risk HNWIs.
Ensuring timely filing of CNMR/PNMR or SAR/STR with UAE FIU through the goAML portal when red flags in HNWIs are detected.

Download this High-Net-Worth Client AML Checklist, whether you are in DIFC, ADGM, DMCC, or Jebel Ali Free Zone, to align your firm with real-world crime detection associated with HNWIs and assess your business’s readiness to mitigate ML/TF risks.

Our Latest Checklists

Confused with how to mitigate ML, FT, and PF risks within your Regulated Entity?

Share via :

AML compliance vs AML risk management: Closely aligned despite striking differences

Protect your business with reliable and effective AML strategies with AML UAE.

AML compliance vs AML risk management: Closely aligned despite striking differences

The main difference between AML Compliance and AML Risk Management is that AML compliance is a regulatory requirement which can be achieved through implementation of AML Risk Management practices. AML Risk Management deals with how a Regulated Entity plans to deal with money laundering, terrorism financing, and proliferation financing risks through developing and implementing AML,CFT and CPF framework that includes policies, procedures, practices, and internal controls.

Understanding AML compliance vs AML risk management is essential. In the realm of AML, businesses use compliance and risk management as substitutes. Both are crucial for any business entity. So, you must understand the differences between risk management and compliance in AML.

Anti-money laundering compliance is an ‘in-trend’ term for businesses nowadays. Another similar term that has been in use for quite a long time is risk management, specifically in the case of financial institutions. While the former talks about adherence to rules, the latter entails managing threats to a business.

In this blog, we will explore the distinctions between the two. First, we will understand what AML compliance and AML risk management mean. Then, we will discover the similarities and differences between AML risk management and compliance.

Say Hello to a risk-free world of business for you,

By partnering with AML UAE’s expert consultants.

Compliance and risk management: Term differences

What is compliance?

Compliance means adhering to regulations, laws, and rules. It means you are ethical in your business practices. You do what the government and the law expect you to without deviating from the business morals. Thus, it is a reactive exercise to show your country and regulator that you follow the rules.

Suppose you are a business in the UAE. You must follow the local rules and regulations related to your operations, license, environment, labour, and many other aspects.

The process of following these rules and how well you are able to do it means compliance.

By complying with laws, the regulator or relevant authority will not impose penalties or fines on you. Also, you will not face any legal cases for non-compliance. Thus, by complying, you save yourself from financial losses, legal ramifications, and reputational damages.

What is risk management?

Risk management means managing the risks to your business. How do you manage them? You identify these risks, categorise them, measure their probability and impact, and develop strategies to mitigate, control, or manage them.

You can try to avoid risks in the first place. Or, you can try to reduce their impact on your business activities. Whatever you do, you can plan it before the risks affect you. Thus, it is a proactive action from your side based on your expectations of potential risks.

When there is a change in the business environment, potential risks change. So, you must keep changing your risk management strategies. Thus, risk management requires you to be more strategic in your thinking while planning for it.

Thus, compliance and risk management differ in many aspects. But, when you consider these terms related to money laundering, some more differences crop up. Let’s explore these differences between AML risk management and compliance.

AML compliance vs AML risk management: Definitions

AML compliance

AML compliance means adhering to the regulations to protect your business from money laundering. It involves creating a framework that includes policies, procedures, practices, and internal controls to guide the fight against money laundering. Moreover, this framework or strategy is unique to each business’s needs and activities.

AML compliance requires businesses to comply with the local AML regulations. As per the UAE AML/CFT laws, you need to:

Create an AML compliance department and appoint an AML compliance officer
Assess the money laundering risks to your business from several factors so that you can fight them
Create a risk-based AML compliance program that enables adherence to each requirement of the law
Monitor transactions to identify suspicious ones
Conduct KYC, screening, and due diligence of customers to identify threats
Conduct training of your employees on AML-specific aspects
Implement technology solutions or manual systems to facilitate compliance
Create reports on suspicious transactions and customers and report them to authorities

AML risk management

If you check the aspects of AML compliance, risk management is an integral part of it. It requires you to identify the money laundering risks from your:

Customers
Transactions
Geographies
Delivery methods
Products and services

After risk identification, it entails analysis, rating, and categorising. Based on the levels of risks identified, you can take a risk-based approach for your AML compliance. It allows you to determine:

Stern AML measures for high-risk customers
Less strict AML actions for moderate-risk customers
Relaxed AML strategies for low-risk customers

These measures include:

KYC of customers, which is typical for every risk type
Customer due diligence, which is standard for every customer
Enhanced due diligence for high-risk customers
Monitoring of transactions of high-risk and medium-risk customers
Ending the relationship or cancelling the transaction is possible only in the case of high-risk customers

Differences between AML risk management and AML compliance

AML compliance vs AML risk management is crucial but challenging to understand. However, you must remember that to comply with AML regulations, you need to follow the rules. Risk management is a strategy to ensure that you adhere to these rules.

Superset vs subset

A crucial aspect of the AML compliance vs AML risk management contest is to identify which concept includes the other.

AML compliance is the set of activities you must undertake to adhere to the UAE regulations. AML risk management is a broader term that includes strategies, policies, and procedures an organisation implements to identify, assess, and counter ML/TF risks. Thus, AML compliance is a subset of AML risk management.

Compliance has always been a part of risk management. Further, there is something called compliance risk management, wherein the risks associated with non-compliance are identified, assessed, and managed.

Reactive vs proactive

AML compliance is a reactive exercise. As a business entity in the UAE, you must follow UAE’s AML regulations. To avoid penalties, you must adhere to each requirement. Thus, you react to a mandate by the government.

In contrast, AML risk management is a proactive exercise. You must protect your business from money laundering risks so you can take action to prevent or mitigate them. Thus, you act before these risks affect you.

Legal vs strategic aspect

Another factor that differentiates AML compliance from AML risk management is the business aspect covered.

AML compliance is a legal requirement in the UAE. Since you are one of the financial institutions, DNFBPs, or VASPs, you must follow the UAE’s AML regulations. So, the goal is the same for all of you, although your compliance journey might differ.

When you follow these rules accurately and on time, you are AML-compliant. These requirements include submitting:

Suspicious Transaction Report and Suspicious Activity Report
Confirmed Name Match Report and Partial Name Match Report
DPMSR and REAR reports
HRC and HRCA reports
PNMR and CNMR reports
Surveys and Questionnaires

On the other hand, AML risk management is a strategy to enable AML compliance. You must identify, categorise, rate, and assess risks to manage and mitigate risks. During this process, you generate KYC, CDD, PNMR, CNMR, DPMSR, REAR, STRs, and SAR records.

Your risk management differs from that of other organisations because the risks differ. Even in the same industry, the impact of these risks differs because your operations and business models vary. So, you need to create a unique strategy for AML risk management to help you with legal and regulatory compliance in AML.

Current vs futuristic

AML compliance is more of a current process. It defines your legal obligations for this year. So, this year, you have to follow these specific AML requirements. So, you know what you have to do. You are legally obligated to follow these rules, which makes you compliant for this year.

On the other hand, AML risk management ensures you are safe from money laundering risks now and in the future. You have to predict the risks your business will face from money launderers. You need to consider the emerging threats of predicate offences as well. Thus, it makes you more of a planner for the current and future risks.

Tangible vs intangible

The tangibility of the process is a crucial point in AML compliance vs AML risk management.

AML compliance is a tangible process. You have to follow specific rules to comply with industry standards. If you follow these particular requirements of the AML regulator, you become AML-compliant. If you do not follow them, you will have to face penalties. Thus, you will suffer financial losses, reputational damage, and legal proceedings.

In the case of AML risk management, there are no concrete rules. You have to analyse the business environment in which your firm operates. You need to predict and evaluate the possible ways criminals can launder money through your business processes. Thus, it is unique to every firm. If you cannot control or mitigate these risks, your business suffers. The money laundering risks will affect your business, causing losses in terms of customers, credibility, and money.

However, the FATF has recommended that regulated entities follow a risk-based approach, and similarly, the UAE Federal Decree by Law No. (10) of 2025 and related cabinet decisions require reporting entities to do the same. By virtue of this, AML risk management is embedded in the AML compliance requirements.

Tickmark exercise vs continuous process

AML compliance is more of a checklist-based process. The AML compliance department ensures the business adheres to each requirement and tickmarks it. If you miss any of these, you have to pay a penalty. Once you adhere to the requirements, your work ends.

In contrast, AML risk management is not a tickmark exercise. It’s not like you have submitted a report, so you are done with it. It is a continuous process. You need to keep identifying the money laundering risks your business faces. Analyse them. Find ways to mitigate, prevent, or manage them. So, you must continue the AML risk management exercise to reap complete benefits.

Besides these differences between AML risk management and compliance, there are also some similarities. These include:

Risk management tactics and compliance strategies keep changing. As and when the regulations change, you need to make changes in your AML compliance program. Moreover, the money laundering risks, macroeconomic climate, and industry trends keep changing, leading to amendments in your AML risk management policies.
Both AML compliance and risk management become better with the help of technology. Innovative solutions and technologies make these procedures smoother. The technologies use data analytics, artificial intelligence, and other advanced concepts to ensure your process is faster, smoother, and more accurate.
Both AML compliance and risk management need decision-making at the top level. Since identifying and managing money laundering risks is critical, the top management must set the tone. Only when you ensure AML compliance and risk management culture at the top, you can maintain it across the firm.
One significant challenge in both these procedures is maintaining a good customer experience. Customers demand a seamless user experience. If you are unable to do that, you might lose customers. So, while managing AML compliance and risk management, you must ensure the processes are not time-consuming or intrusive for them. On the other hand, collecting all information is also essential for successful procedures.

Setting the similarities and differences aside, your primary focus must be to protect your business from money laundering threats. To do this, you need to create a robust AML compliance program. This program will include a well-defined AML risk management strategy. In combination, it will help you meet UAE’s AML regulations and prevent risks.

Exploring these differences and similarities enables you to fit both into your strategy. You can determine the efforts, resources, timelines, and overall alignment with business operations. This is how you can prevent potential threats and create value for your business. To help you achieve this objective, partnering with an expert AML consultant like AMLUAE will help.

How can AMLUAE help you?

AMLUAE has revolutionised the AML compliance landscape in the UAE. We help clients strategise risk management and compliance in AML. Be it just one part of AML compliance or the entire journey, you can rely on us for quality services.

Your business can enjoy our expertise in:

Monitoring transactions and identifying suspicious ones
Conducting KYC and due diligence of customers
Identifying money laundering risks to your business and assessing them
Developing a risk-based AML compliance framework personalised to your entity
Imparting AML training to your employees
Preparing and submitting STR, SAR, and other industry-specific reports to authorities

By partnering with us, you get a streamlined AML compliance process for the fight against money laundering risks.

Access AMLUAE’s expert AML compliance services,

To say goodbye to your business’s money laundering risks.

Share via :

Add a comment

Related Blogs

29/12/2025

AML Compliance Officer: Role and Responsibilities

29/12/2025

A guide to Enhanced Due Diligence – Element of AML Compliance framework

19/12/2025

What is Integration in Money Laundering?

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik

Checklist for Detecting Terrorist Financing Typologies for Strengthened AML/CFT Compliance

Terrorists use a wide variety of methods such as exploiting non-profit organisations, unregulated channels, digital currencies and others, to raise, transfer and conceal funds for terrorism financing activities. If you are a member of a customer onboarding system, a KYC Analyst, a Risk Analyst, a Transaction Monitoring Analyst, a Senior Board Member, a Compliance Officer or simply an AML/CFT enthusiast, you should be aware and informed about the evolving Terrorist Financing typologies to detect and mitigate risks relating to them.

Presenting a “one-click-away, easily downloadable, “Checklist for Detecting Terrorist Financing Typologies for Strengthened AML/CFT Compliance” + RACI Matrix to simplify AML Compliance teams’ roles and responsibilities, which include:

Assessing the effectiveness of control measures surrounding documents, customers, transactions, and counterparties to identify or detect any red flags indicating Terrorist Financing.
Identifying whether the regulatory reporting and AML training components are designed well enough to mitigate Terrorism Financing typologies.
Identifying process efficiency for red flag detection around Terrorism Financing patterns, which might be indicators of underlying ML, FT or PF activities.
Designing workflow, role clarity, task allocation, and task escalation for managing cases with TF typologies.
Ensuring timely filing of CNMR, PNMR, SAR or STR with UAE FIU through the goAML portal when TF typologies are detected.

Download this Checklist for Detecting Terrorist Financing Typologies for Strengthened AML/CFT Compliance, whether you are in Dubai, Sharjah or Abu Dhabi, to align your business with detecting red flags relating to Terrorism Financing typologies for robust AML/CFT Compliance.

Our Latest Checklists

Confused with how to mitigate ML, FT, and PF risks within your Regulated Entity?

Share via :

Checklist for Identification of Sanction Screening Gaps to Ensure Robust AML Compliance

Checklist for Identification of Sanction Screening Gaps to Ensure Robust AML Compliance

Our Latest Checklists

AML Data Governance Checklist: Minimise Information Privacy Abuse, Maximise Compliance

AML Data Governance Checklist: Minimise Information Privacy Abuse, Maximise Compliance

Our Latest Checklists

Checklist for Foreign Diplomat Client Risk Assessment for AML/CFT Compliance

Checklist for Foreign Diplomat Client Risk Assessment for AML/CFT Compliance

Our Latest Checklists

Pathik Shah

A Comprehensive Guide to AML Customer Risk Assessment for DNFBPs in UAE

Understanding the Importance of Customer Risk Assessment

What is Customer Risk Assessment under AML Compliance Program?

Why is Customer Risk Assessment a significant part of the AML Compliance Program?

How to conduct Customer Risk Assessment (CRA)?

Identifying and evaluating the risk factors

Periodic review and reassessment

Empowering the team

How can the use of tools and techniques improve the effectiveness of the Customer Risk Assessment?

Use of emerging technology in performing Customer Risk Assessment

Use of manual techniques for assessing customer risk

Let AML UAE help you design your Customer Risk Assessment Program

The Laundromat Movie Review: Dry Cleaning the Truth

The Laundromat Movie Review: Dry Cleaning the Truth

The Shell Game

The International Game

Missing Paperwork, Missing Morals

Style Over Substance? Maybe. But Also Ouch

Final Word

Frequently Asked Questions of The Laundromat Movie

Our Latest Publications

Elements of the Customer Due Diligence Process

Elements of the Customer Due Diligence Process

Related Posts

Frequently Asked Questions of the Customer Due Diligence Process

Pathik Shah

How to File CNMR and PNMR on the goAML Portal Under TFS Guidance, 2025

Guidance on Targeted Financial Sanctions, July 2025: What Reporting Entities Must Know

What are Targeted Financial Sanctions (TFS) in the UAE?

TFS Compliance Obligations

Register

Screen

Implement TFS Measures

Report

How to File a Confirmed Name Match Report (CNMR) While Implementing TFS Measures

Identification of Confirmed Name Match During Sanctions Screening

Assessment of Confirmed Name Match Outcome

Escalation by the Frontline Team or Screening Analyst to the AML Compliance Officer

Impose Freezing Measures on Potential, Existing, and Former Customers

Preparation of Mandatory and Obligatory Information & Documents for CNMR in alignment with goAML Requirements

Logging in on the goAML Portal to File CNMR

Selecting Report Type as CNMR & Entering Information and Documents

Saving and Submitting CNMR

Maintaining Records of CNMR Filed for Five (5) Years

How to File a Partial Name Match report (PNMR) While Implementing TFS Measures

Identification of Partial Name Match During Sanctions Screening

Assessing Partial Name Match Outcome

Escalation by the Frontline Team or Screening Analyst to the AML Compliance Officer

Impose Suspension Measures on Potential, Existing, and Former Customers

Preparation of Mandatory and Obligatory Information & Documents for PNMR in alignment with goAML Requirements

Logging in on the goAML Portal for PNMR Filing

Selecting Report Type as PNMR & Entering Information and Documents

Saving and Submitting PNMR

Following EOCN Response

Maintaining Records of PNMR Filed for Five (5) Years

Key Differences Between CNMR and PNMR: Comparative Table

Key Differences Between Freezing and Suspension Measures

General Do’s and Don’ts to Ensure TFS Compliance

Dos to Ensure TFS Compliance

Don'ts to Ensure TFS Compliance

Best Practices for CNMR and PNMR Filing on the goAML Portal to Ensure TFS Compliance

Establish Comprehensive Sanctions Compliance Policies and Internal Controls

Using Sanctions Screening Software for Accuracy

Providing Sanctions Compliance Training to Employees

Group Oversight Across All Branches and Trade Zones

Tamper-Proof Record-Keeping

Implementing Centralised Record Management Systems

Internal Reporting & Escalation Module

Bringing It All Together: TFS Measures, Match Outcomes, and goAML Reporting

FAQs