The General Commercial Gaming Regulatory Authority (GCGRA) is the sole AML/CFT supervisor for commercial gaming operators in the UAE. The UAE ML/TF National Risk Assessment 2024 (paragraph 234) confirms that the authority was established in September 2023.

GCGRA exercises the Supervisory Authority competencies set out in Article 16 of Federal Decree-Law No. (10) of 2025, coordinates with the FIU at the Central Bank for STRs and with the Executive Office for Control and Non-Proliferation on targeted financial sanctions.

A commercial gaming operator should start with six controls, all traceable to Cabinet Resolution No. (134) of 2025 and the 2025 Commercial Gaming Policy Paper: an enterprise risk assessment under Article (5); CDD and beneficial owner identification under Articles (6) to (10); PEP handling under Article (16); sanctions screening under Cabinet Decision No. (74) of 2020; STR filing via goAML under Articles (17) to (19); and record-keeping under Article (25).

These should be supported by the appointment of a Compliance Officer under Article (22), written internal policies under Article (21), training, and technical controls aligned with the 2025 Commercial Gaming Policy Paper’s ISO 27001 and VAPT expectations.

Source of funds and source of wealth checks flow from Articles (6) to (10) and Article (16) of Cabinet Resolution No. (134) of 2025, supported by the 2025 Commercial Gaming Policy Paper’s treatment of patron risk and EDD. At onboarding, the operator collects and verifies funding information proportionate to patron risk; for higher-risk patrons, PEPs or those from higher-risk jurisdictions, enhanced evidence is required.

Ongoing source of funds review should be triggered by threshold breaches, unusual patterns, matches against EOCN and UN lists, and red flags drawn from the Terrorist and PF Red Flags Guidance of December 2023 and the FIU’s May 2025 Strategic Analysis Report on Terrorist Financing.

Federal Decree-Law No. 10 of 2025 is the current primary AML/CFT legislation. Article 41 repeals Federal Decree-Law No. 20 of 2018 and any provision that contradicts the new law. However, the same article preserves circulars, resolutions, and decisions issued under the 2018 law to the extent they do not conflict with the 2025 statute or its executive regulation, Cabinet Resolution No. 134 of 2025. This means that supervisory guidance, sector-specific circulars, and administrative decisions issued by the CBUAE, CMA, and other supervisory authorities under the old framework generally remain valid, unless a specific conflict exists with the new legislation. Practitioners should review each item of existing guidance against the new law to confirm its continued applicability.

Frequent legislative updates reflect two primary pressures: evolving international standards and expanding domestic risk categories. The FATF Recommendations are reviewed periodically, and member jurisdictions are expected to align their laws accordingly. The preambles of Cabinet Resolutions 74/2020, 109/2023, 71/2024, and others reference and supersede the instruments that preceded them, illustrating the iterative nature of reform. New risk categories, virtual assets, commercial gaming, trust arrangements, and complex corporate structures require specific legislative responses as they grow in economic significance. The governance architecture of Law 10/2025, including the National Committee under Article 13 and the Supreme Committee under Article 12, is designed to ensure continuous monitoring and timely legislative updating.

The UAE AML framework applies to three broad categories of entities. Financial institutions are defined across fourteen activity types listed in Article 2 of Cabinet Resolution No. 134 of 2025. Designated non-financial businesses and professions (DNFBPs) are defined in Article 3 of the same Resolution and include: commercial gaming operators, real estate brokers, dealers in precious metals and precious stones, lawyers, accountants, notaries, and trust and company service providers. Virtual asset service providers are defined across six activity types in Article 4 of Cabinet Resolution No. 134 of 2025. For a complete breakdown with entity-specific obligations, see Who Must Comply with UAE AML Regulations.

Each authority supervises a distinct population of entities. The Central Bank of the UAE (CBUAE) supervises financial institutions licensed on the UAE mainland, including banks, exchange houses, finance companies, and payment service providers. The Dubai Financial Services Authority (DFSA) supervises financial institutions within the Dubai International Financial Centre (DIFC), a financial free zone that operates under its own legal framework. The Financial Services Regulatory Authority (FSRA) supervises financial institutions within the Abu Dhabi Global Market (ADGM), another financial free zone with a separate regulatory regime. The Capital Markets Authority (CMA) supervises securities and investment businesses. Federal Decree-Law No. 10 of 2025 designates supervisory authorities generically in Article 16 and empowers them to impose administrative penalties of AED 10,000 to AED 5,000,000 per Article 17, with each authority applying these powers within its own supervised population.

The most significant changes for DNFBPs under the 2025 legislative package concern scope, thresholds, and the penalty framework. Cabinet Resolution No. 134 of 2025 introduces commercial gaming as a new DNFBP category under Article 3, with a CDD threshold of AED 11,000 per transaction. The AED 55,000 threshold for precious metals and precious stones dealers is retained. Article 3 also defines the activities of real estate brokers, lawyers, accountants, notaries, and trust and company service providers in updated terms consistent with international standards. The administrative penalty schedule applicable to DNFBPs under Ministry of Justice and MoET oversight was updated by Cabinet Resolution No. 71 of 2024, which replaced the 2021 penalty schedule, raised fine ceilings to AED 1,000,000, and introduced a doubling mechanism for repeated violations under Article 5.

The Financial Intelligence Unit has operated within the UAE’s AML framework since before the 2025 reforms. It functioned under Federal Decree-Law No. 20 of 2018 and was already embedded within the Central Bank of the UAE. Federal Decree-Law No. 10 of 2025 formally re-embeds and significantly strengthens the FIU under Article 11, reinforcing its mandate and conferring new active powers. Under Law 10/2025, the FIU retains its analytical functions, receiving and disseminating suspicious transaction reports, and gains new protective powers under Article 5: the authority to order the suspension of suspicious transactions for up to ten working days and to freeze related assets for up to thirty days pending referral to the competent authority. The expansion of the FIU’s powers beyond analysis into active intervention is one of the most significant institutional developments in the current reform cycle.

The Ministry of Economy and Tourism (MoET) supervises most DNFBP sectors in the mainland UAE, including real estate agents, dealers in precious metals and precious stones, company and trust service providers, and accountants. The Ministry of Justice supervises lawyers and notaries. The GCGRA supervises commercial gaming operators. Article 3 of Cabinet Resolution No. (134) of 2025 defines the full DNFBP categories.

The UAE Financial Intelligence Unit (FIU) is an independent unit within the Central Bank, established under Article 11 of Federal Decree-Law No. (10) of 2025. It receives all Suspicious Transaction Reports (STRs) from financial institutions, DNFBPs, and VASPs exclusively through the goAML portal. The FIU studies and analyses these reports and refers findings to the Concerned Authorities. The FIU is not an AML supervisory authority and does not conduct compliance inspections.

The Executive Office for Control and Non-Proliferation (EOCN) is responsible for implementing targeted financial sanctions in the UAE, as defined in Article 1 of Federal Decree-Law No. (10) of 2025. EOCN administers the domestic terrorist and sanctions lists and issues TFS instructions to all regulated entities. Supervisory authorities ensure that entities under their supervision have effective sanctions-compliance frameworks, but the TFS instructions themselves originate from EOCN.

No. The UAE uses a multi-authority model where supervisory responsibility is assigned by sector and geographic zone. Depending on the activity and jurisdiction, the relevant authority may include CBUAE, MoET, Ministry of Justice, GCGRA, CMA, VARA, DFSA, FSRA, or, for ADGM-licensed DNFBPs, the ADGM Registration Authority. The NAMLCFTC coordinates the national AML/CFT strategy across all supervisory authorities, and the UAE FIU serves as the single national financial intelligence function.

The ADGM Registration Authority monitors AML compliance for ADGM-licensed DNFBPs under an agreement with the FSRA. The FSRA is ADGM’s financial regulator and supervises firms within its financial regulatory perimeter. Still, it is not accurate to describe ADGM-licensed DNFBPs as supervised by FSRA in the same way as ADGM financial services firms. Entities in ADGM should identify whether they fall within the FSRA’s financial regulatory perimeter or within the Registration Authority’s commercial regulatory remit.

No. The FSRA is ADGM’s financial regulator for firms and persons within its regulatory perimeter, including banks, fund managers, and VASPs. The ADGM Registration Authority holds the commercial regulatory mandate and monitors AML compliance for ADGM-licensed DNFBPs under an agreement with FSRA. An ADGM entity that is not within the FSRA’s financial regulatory perimeter should look to the ADGM Registration Authority as the relevant AML monitoring body.

The Ministry of Justice supervises law firms, legal consultancy offices, and notaries public through its AML/CTF Department, following Cabinet Decision No. (1/3 W) of 2019 and Cabinet Decision 65 of 2024, which upgraded the AML section into a full department. Ministerial Resolution No. (248) of 2025 sets out the current supervisory procedures and controls. Firms licensed in ADGM are supervised by FSRA; firms licensed in DIFC are supervised by DFSA. 

A law firm should maintain its firm-wide risk assessment; each client risk assessment; CDD and enhanced due diligence files; beneficial ownership information; transaction records and transaction risk assessments for covered activities; sanctions-screening logs, including CNMR and PNMR records and EOCN correspondence; STR decision records and goAML submission receipts; training and attendance records; and a corrective action register. Retention is for five years from the end of the business relationship or completion of the transaction, per the MoJ Guidebook of November 2025 and Cabinet Resolution 134 of 2025. 

Ministerial Resolution No. (248) of 2025, issued on 29 April 2025, replaces Ministerial Resolutions 532 and 533 of 2019. It confirms the MoJ AML/CTF Department as the competent supervisory body for law firms, legal consultancy offices, and notaries public; applies the Cabinet Resolution 71 of 2024 penalty schedule through Article 6; provides a 20-working-day grievance window in Article 7; and requires a 30-working-day response in Article 8. Firms should refresh their sanctions, STR, and governance policies to align with the new instrument. 

Yes. Law firms licensed in Abu Dhabi Global Market are supervised by the Registration Authority and follow the ADGM Financial Services and Markets Regulations together with the FSRA AML Rulebook. Law firms licensed in the Dubai International Financial Centre are supervised by the Dubai Financial Services Authority and follow the DIFC Regulatory Law and DFSA AML Module. These free-zone regimes are distinct from the Mainland MoJ regime described above and are covered on the ADGM and DIFC pages in this cluster.

The Real Estate Activity Report (REAR) is a transaction-level filing on the goAML platform required by MoE Circular 05/2022 since 1 July 2022. Brokers file a REAR on every freehold purchase or sale transaction involving AED 55,000 or more in physical cash (single or linked), or any settlement in virtual assets, or any cash funded by conversion from a virtual asset. A REAR is filed in addition to any STR, SAR, CNMR, PNMR, HRC or HRCA obligations, and records are kept for at least five years.

At minimum: identify and verify the customer under Article 9 and the beneficial owner under Article 10 of Cabinet Resolution 134 of 2025; screen every party against UN sanctions, the UAE Local Terrorism List and MoE notifications; understand the source of funds and source of wealth for high-value or cash-intensive transactions; apply enhanced due diligence to politically exposed persons under Article 16 and customers linked to high-risk countries; conduct ongoing monitoring for the duration of the relationship; and report suspicions via goAML. The November 2024 Implementation Guides on CRA and CDD provide the detailed methodology.

The UAEFIU 2023 strategic analysis identifies six dominant typologies: use of third parties and family members, abuse of legal-person structures and corporate accounts, misuse of DNFBPs and brokers’ bank accounts, claimed rental income with no substance, home finance followed by rapid early settlement and manipulation of the property price. The 2019 Supplemental Guidance lists detailed indicators across the customer, the transaction and the means of payment. Any combination of these factors requires enhanced due diligence and, if suspicion remains, an STR via goAML.

Yes. Real estate activity inside the ADGM is supervised by the ADGM Registration Authority and follows the ADGM AML rulebook. Real estate activity inside the DIFC is supervised by the Dubai Financial Services Authority and follows the DFSA AML rulebook. Both regimes align with Federal Decree-Law 10 of 2025 at the principles level, but the specific rules, thresholds, reporting channels, and penalty schedules are different. Brokers operating across the mainland and a financial free zone must comply with both regimes in parallel.

MoE Circular 08/AML/2021 requires DPMS to file a Dealers in Precious Metals and Stones Report (DPMSR) on the UAEFIU’s goAML platform for every cash transaction at or above AED 55,000 with a resident or non-resident individual, and for every transaction at or above AED 55,000 with a legal entity, whether paid in cash or by wire transfer. Separately, any suspicion of ML, TF or proliferation financing, regardless of amount, must be filed as a Suspicious Transaction Report via goAML, and confirmed and partial name matches against sanctions lists must be filed as CNMR or PNMR within five business days of the freeze or suspension.

Yes. Under Ministerial Decree 68 of 2024 and MoET Circular 2 of 2024, entities that engage in refining or recycling gold must adhere to the 5-step Due Diligence Regulations for Responsible Sourcing of Gold and, additionally, appoint an independent third-party auditor and submit an annual due diligence report on the gold supply chain. The audit obligation has applied since 1 January 2023. Refineries remain subject to all the generic DPMS obligations under Decree Law 10 of 2025 and Cabinet Resolution 134 of 2025 in parallel.

The UAEFIU Strategic Analysis Report on DPMS (September 2025) lists thirty-two sector-specific indicators. The most common include: refusal to provide identification; inability to demonstrate funding sources; forged certificates of origin, refinery stamps or fake invoices; supply chains transiting conflict-affected or high-risk jurisdictions; large or frequent cash transactions inconsistent with the customer’s profile; structuring through multiple visits or split invoices just below AED 55,000; payments via multiple third parties or offshore entities without clear commercial link; and repeated requests for duplicate invoices or refunds after cash purchases.

DPMS established in ADGM and DIFC are supervised by the AFDGM Registration Authority (RA) and the Dubai Financial Services Authority (DFSA), respectively. Their rulebooks implement UAE federal AML/CFT law and the UAE’s international AML/CFT commitments, so the substantive obligations and the AED 55,000 threshold logic track federal law. The procedural touchpoints licensing, inspections, filings and enforcement are, however, with the financial free-zone regulator rather than MoET. DPMS in commercial free zones outside ADGM and DIFC remain under MoET supervision.