AML/CFT Remedial Action Plan (RAP) Implementation Steps and Best Practices


Last Updated: 12/17/2025


AML/CFT Remedial Action Plans at a Glance

  • RAPs are corrective roadmaps used to address AML/CFT deficiencies identified by regulators or audits.
  • A RAP clearly defines issues, remedial actions, ownership, timelines, and validation, ensuring accountable remediation.
  • Strong governance, monitoring, and reporting are critical to demonstrate progress, transparency, and regulatory compliance.
  • Proper RAP execution strengthens long-term AML/CFT controls.

What Is a Remedial Action Plan (RAP) in AML/CFT?

A Remedial Action Plan (RAP), also referred to as a remediation action plan, compliance remediation plan, or simply a remedial plan, is a structured corrective program within the AML/CFT framework that Regulated Entities implement when supervisory authorities identify gaps, deficiencies or breaches in their AML/CFT compliance program.

When Is an AML/CFT Remediation Action Plan Required?

An AML/CFT Remediation Action Plan is required whenever regulators or internal audits identify weaknesses, gaps, or non-compliance within an entity’s AML framework. This may occur after supervisory inspections, regulatory notices, or when the institution itself detects failures in due diligence, monitoring, sanctions, screening, reporting, or governance.

Authorities may require an entity to implement a regulatory compliance remediation program when risk management controls are inadequate or when serious breaches occur. Entities may also voluntarily initiate AML remediation as part of a broader compliance remediation strategy to proactively fix issues before they escalate.

Key Components of an Effective Remedial Action Plan Template (RAP Template)

An effective Remedial Action Plan (RAP) template, also referred to as a remedial plan template, provides a structured format for documenting and executing corrective actions.

The key components of a remediation action plan template cover what needs to be fixed, how it will be fixed, who is responsible, the timeline for completion and how remediation will be validated.

A compliance action plan template clearly outlines identified issues, the remedial actions required, ownership and accountability, priority level, timelines, and resources needed for completion, along with validation methods and reporting status to evidence progress and closure.

A solid remedial action plan template typically includes steps related to updating policies, improving CDD/EDD processes, enhancing internal controls, rectifying reporting failures (e.g. STR delays), staff training, progress monitoring and evidence-based validation to demonstrate regulatory compliance.

AML remediation ensures the entity meets regulatory expectations, reduces ML/TF risk, and prevents penalties or supervisory actions.

Governance, Oversight, and Regulatory Reporting for RAP Execution

In the UAE, strong governance and oversight are essential for executing a Regulatory Action Plan (RAP) in line with national AML/CFT program requirements. Regulators such as the Central Bank of the UAE (CBUAE), Ministry of Economy & Tourism (MoET), Securities and Commodities Authority (SCA), Dubai Financial Services Authority (DFSA), and Financial Services Regulatory Authority (FSRA) expect entities to maintain robust RAP monitoring and timely progress tracking.

Regular internal reviews and a formal RAP Audit process help ensure accurate AML reporting and demonstrate transparency and accountability throughout the remediation process.

AML/CFT Remedial Action Plan (RAP) Implementation Steps and Best Practices

As a part of its supervisory function, the relevant Supervisory Authority conducts investigations on the level of AML/CFT compliance of a regulated entity (Financial Institution, Designated Non-Financial Business or Profession – DNFBP, Virtual Asset Service Provider – VASP). The Supervisory Authority often issues an AML/CFT Remedial Action Plan directing the reporting entity to fill the gaps in its AML/CFT compliance framework or implementation. The Remedial Action Plan (RAP) enumerates the actions to address these identified deficiencies. It mentions the applicable provision, area of concern, and required remediation.

Some of these AML/CFT investigations carried out by the Supervisory Authority include various aspects such as:

Entities receiving such remediation action plans from the Supervisory Authority must understand their importance. It is an opportunity for you to improve your AML Compliance Program. Such improvements can lead to the prevention or mitigation of money laundering threats. So, you must commit to following and implementing the action plans in your business.


Step-by-Step Procedure to Implement the Remedial Action Plan (RAP)

Once a Remedial Action Plan is issued, the next stage for the entity is to begin implementing it by following these RAP implementation and remediation steps:

1. Review the complete remedial action plan word-by-word

The first thing that you must do is review the remedial action plan thoroughly. Read every word of the RAP and make sure you understand it. Specifically, focus on the remediation strategy suggested by the Supervisory Authority. Make a note of the submissions you need to make to the authorities.

Ask the Supervisory Authority for more guidance if you do not understand any part of it. Also, discuss with the AML compliance team and the officer if they are unclear on any topic. The senior management and AML compliance team must understand every aspect of the plan and discuss the execution amongst themselves.

2. Deliberate over the plan with stakeholders

The compliance team and the relevant manager must have all information on this remedial action plan. So, it would be best if you discussed it with everyone involved in AML compliance tasks. They must know the loopholes and participate in deciding the actions you need to take.

It’s equally critical to discuss the impending changes for employees. To prepare for them, employees must know what changes will come in the processes. They must also learn about their roles in executing these remedial actions and how they can contribute to better AML compliance for the entity.

3. Make a list of the tasks and set priorities

When you review and discuss the remedial action plan with stakeholders, you must list the tasks. You must assess the remedial activities to understand their importance and urgency. Now, list them per their priority.

You can define a strategy, including the tasks, resources required, and time needed. You will be clear on what to do and how long it will take. Thus, you can take a proactive approach to address the serious issues first, followed by the unimportant ones.

4. Form a team focused on the execution of the RAP

You already have an AML compliance team handling all the specific tasks related to AML. For the RAP, form a special team focused on implementing the recommendations. The other AML team members must pay attention to the daily AML tasks and activities.

Once you select the remedial action plan execution team members, define their roles. Allocate responsibilities to each to manage every single task mentioned in RAP. Also, ensure the appointment of a manager or auditor who will oversee the quality performance of these tasks.

5. Execute the remedial measures

Once you form the team, you are ready for the actual action. You must manage it quickly and accurately to comply with the RAP before the deadlines. So, start the execution.

Implement each of the actions as mentioned in the RAP. Monitor each action and check the quality of deliverables. Keep assessing the deliverables at every step to ensure compliance with the law and RAP.

6. Maintain enough records and documents

The RAP will need you to submit some reports or documents by a specific date. You must prepare these reports in the required format and structure. Be ready with them for submission to the Authority before the deadline date.

Also, maintain records and documents of each action you have taken per the RAP. You might be asked for them during audits or if the Authority wants to check the compliance with the Remedial Action Plan. Keep track of the deadlines mentioned by the Supervisory Authority, as compliance before that is mandatory.

7. Update the Supervisory Authority on the progress and support needed

You must stay in constant communication with the Supervisory Authority. Regular communication lets you clarify your doubts on any point mentioned in the RAP. You must also update the Authority on the actions taken and the success achieved. The Authority must know the effectiveness of the remedial measures you took. The Compliance Officer and the Senior Management must sign the RAP.


Best Practices to Implement Remedial Action Plan:

Implementing an AML/CFT Remedial Action Plan requires a disciplined and structured approach. An effective compliance remediation strategy focuses on addressing gaps, strengthening controls, improving documentation and building long-term AML/CFT compliance resilience.

Adopting the following remediation best practices helps entities establish a robust compliance environment.

Make continuous improvements in AML processes

The remediation strategies mentioned by the Supervisory Authority are an opportunity for you to improve your AML program. You know the usual mistakes you make. Also, you know the expectations of the Authority from you.

So, revamp your AML compliance program. Include steps of constant monitoring and improvement to align with the regulatory expectations. Review the areas with gaps and improve them. Monitor the internal processes and AML controls and tweak them for higher effectiveness.

Thus, the RAP gives you a direction to follow to make your operations AML-compliant.

Conduct training and awareness programs for employees

If you want to have a smooth experience of AML compliance, it is necessary to prepare your employees. They need preparation in terms of:

  • Awareness of the importance of AML compliance
  • Training on the different tasks to achieve AML compliance
  • Change management programs to accept the changes in operations due to new regulatory requirements

You must engage in such awareness and training programs to prepare your employees for the impending changes. They must have the necessary skills and expertise to work on AML compliance processes. They must also be ready for such supervisory engagements of authorities in AML compliance assessments.

Engage in internal audits to check AML compliance

The RAP from the Authority is helpful in understanding the importance of implementing a strong AML/CFT compliance program. Since you did not give it serious thought earlier, or were lacking in your efforts, you now have to face the RAP. So, you must take a proactive approach to reviewing your AML compliance.

For this, you must engage in regular internal audits. Such audits will reveal where you lack and what areas need improvement. You can implement the corrective actions and be fully compliant with AML regulations.

Implement relevant advanced technology solutions

Technology solutions can be a big help in making your AML compliance a reality. Explore the possible uses of technology in AML processes. You can use it in the following:

Use solutions for these processes to automate them, leading to more efficiency and accuracy. These systems make your compliance with AML regulations faster and easier.

Seek help from professional AML consultants

Besides all these best practices, one tip that can help you the most is seeking professional assistance. AML compliance is not an easy task. With so much on your plate to manage and handle, you can’t achieve AML compliance on your own.

In such a case, the best action to take is to hire a specialist AML consultant. They give a professional touch to your AML compliance procedures. They ensure all your systems, procedures, and internal controls meet the AML requirements. With their expert help, you will not face remedial activities from the authorities.

AMLUAE – your partner for professional AML consulting services

AML UAE is a leading provider of AML consulting services to clients in different industries. Our specialised AML remediation support and RAP consultancy ensure your entity meets regulatory expectations.

Our comprehensive offerings include the following:

We can even help you implement the RAP received from the Supervisory Authority. We understand the requirements of such RAPs and their importance. We review the findings, discuss them with your management, and get down to the real action.

On receiving RAP, our services include the following:

  • RAP Review
  • AML/CFT Framework Review
  • Gap Analysis
  • RAP Implementation
  • AML/CFT Framework Strengthening
  • Continuous Monitoring & Improvement Plan Development
  • Staff Training
  • RAP Documentation Submission to the Authority

Frequently Asked Questions (FAQs) on RAP

What are remedial actions in a remediation project?

Remedial actions in the AML/CFT context mean the specific corrective measures taken to fix AML/CFT weaknesses such as updating policies, enhancing controls, conducting staff training, etc.

An AML RAP is required when regulators, auditors, or internal reviews identify compliance gaps, often following inspections, enforcement actions, supervisory findings and risk assessments.

A remedial action addresses existing deficiencies or past non-compliance, while a corrective action focuses on preventing recurrence by fixing root causes and strengthening future controls.

RAP implementation involves prioritising issues, assigning ownership/responsibilities, executing remedial actions, tracking progress, validating completion, and reporting outcomes to management and regulators.

Common remediation steps in an AML/KYC program include identifying gaps, conducting the requisite due diligence, updating customer records, revising policies, training staff, upgrading systems, and implementing ongoing monitoring to ensure compliance.

AML remediation is the process of correcting weaknesses in an AML/CFT Framework. It is important to reduce regulatory risk, prevent financial crime, avoid penalties, and maintain regulatory compliance.

A compliance remediation plan works by translating regulatory findings into actionable tasks, tracking their execution, validating effectiveness, and demonstrating closure to regulators.

In audit and compliance, RAP refers to a formal action plan developed to address audit findings, regulatory observations, or compliance breaches within defined timelines.

The RAP work plan’s key components include a clear issue description, specific remedial actions, required evidence, a validation method, and a system for tracking status, owners/responsible persons, and deadlines to ensure accountability and completion.

Typical KYC remediation actions include updating customer information, verifying beneficial ownership, obtaining missing/additional documents, reassessing customer risk, and enhanced due diligence for high-risk clients.

A remediation plan is monitored through progress trackers, internal audits, and reviews. Reporting is done via periodic updates to senior management and submissions to regulators, supported by evidence.

A RAP framework is the overall structure governing remediation, including governance, accountability, execution, validation, and regulatory reporting mechanisms.

The best practices for AML/CFT remediation include using the RAP as an opportunity to strengthen AML controls, continuously monitoring and improving internal processes, training employees on compliance responsibilities, conducting internal audits, leveraging AML technology and seeking expert support where needed.


About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 11 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.


AML Implications for Politically Exposed Person (PEP)


Last Updated: 12/10/2025


Key Takeaways on PEP Compliance

  • PEPs pose elevated ML/FT and PF risks due to their influence, access, and potential exposure to corruption or misuse of authority.
  • DNFBPs and VASPs must identify, assess and monitor PEPs through CDD, name screening, enhanced due diligence, and ongoing monitoring.
  • UAE AML laws require additional controls for PEPs, including verifying source of funds/wealth and obtaining senior management approval for onboarding or continuing the relationship.
  • A risk-based approach is essential, as not all PEPs carry the same level of risk; entities must evaluate individual circumstances, position, country risks, and associations.

Businesses operating in the UAE, particularly the Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Asset Service Providers (VASPs), may occasionally encounter customers that are classified as Politically Exposed Persons (PEPs) according to the Federal Decree Law on Anti-Money Laundering (AML). This blog provides insights into the AML compliance implications for a regulated entity when it deals with a Politically Exposed Person (PEP).

It is essential for businesses such as DNFBPs and VASPs to conduct Customer Due Diligence (CDD) on existing and prospective customers. CDD identifies sanctioned individuals or entities, as well as individuals such as PEPs who have the capacity to influence business decisions (for example, the allocation of funds to a certain project) or who may knowingly or unknowingly facilitate money laundering (ML), financing of terrorism (FT), and proliferation financing (PF) risks, along with an increased risk of corruption and bribery.

The blog also covers situations where an existing low-risk customer has recently been classified as PEP and its AML compliance implications.

UAE Regulatory Framework Concerning PEPs

The UAE has implemented robust AML laws to combat financial crimes, including ML, FT, and PF. The UAE regulatory framework for PEPs includes federal laws that are aligned with international standards set out by the Financial Action Task Force (FATF).

Legal Framework concerning Politically Exposed Persons (PEPs):

  • Federal Decree by Law No. (10) of 2025 Regarding Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing
  • Cabinet Resolution No. (134) of 2025 (will come into effect from December 14, 2025) Concerning the Executive Regulations of Federal Decree-Law No. (10) of 2025 Concerning Combating Money Laundering, Terrorist Financing, and the Financing of the Proliferation of Weapons
  • Cabinet Decision No. (109) of 2023 On Regulating the Beneficial Owner Procedures.
  • Cabinet Decision No. 74/2020 Concerning the UAE List of Terrorists and the Implementation of UN Security Council Decisions Relating to Preventing and Countering Financing Terrorism and Leveraging Non-Proliferation of Weapons of Mass Destruction, and the Relevant Resolutions.

The AML-CFT Decision, in Article 15, imposes specific Customer Due Diligence (CDD) obligations on regulated entities with respect to Customers who are Politically Exposed Persons (PEPs), which include the Direct Family Members or Associates Known to be Close to the PEPs.

FATF Guidance on PEPs

  • The Financial Action Task Force (FATF) is the global watchdog that gives recommendations and guidance for combating ML/FT and PF risks. The FATF has issued guidance titled Politically Exposed Persons (Recommendations 12 and 22).
  • The FATF Recommendations and guidance on recommendations 12 and 22 elaborate on steps to be taken while onboarding a customer who is a PEP or continuing a business relationship with a customer who is recently classified as PEP.

Understanding Politically Exposed Persons within AML Landscape

Navigating PEP AML compliance is a critical component for regulated entities in the UAE. Understanding who qualifies as a PEP is the first step in implementing effective controls to mitigate the associated risks of money laundering and terrorist financing.

Who is categorised as a Politically Exposed Person (PEP)?

The UAE Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) laws define a Politically Exposed Person (PEP) as a natural person assigned with prominent public functions in any Emirate in the UAE or in any country other than the UAE.

A prominent public function does not necessarily need to be popular, but it holds considerable importance to society at large. Such a position puts a PEP in the driver’s seat where they can influence public policy, government programs, and the functioning of any business, establishing a business relationship either directly, through beneficial ownership, or through close associates or family. 

A PEP may acquire a prominent public function or position in a government or government organisation by means of an appointment, promotion through civil ranks, or a majority in an election.

Identifying PEPs while carrying out AML compliance is important because PEPs are persons with political power who can exercise political influence or pressurise businesses to carry out business activities and other administrative tasks at their discretion without creating a paper trail.

It is noteworthy that not only the person with the political power but also their family, friends, and close associates are considered high-risk customers owing to the relationship they share with the PEP. Here are the broad categories of PEPs.

Domestic PEPs

Politically Exposed Persons who have been assigned to prominent public posts in the UAE are known as domestic PEPs.

Foreign PEPs

Politically Exposed Persons who have been assigned to prominent public posts in any foreign country are known as foreign PEPs.

Heads of International Organizations (HIOs) PEPs

Politically Exposed Persons who have been appointed to the management of, or any prominent function within, an international organisation are known as the Heads of International Organizations (HIOs).

Family & Friends

The direct family members of a PEP, i.e. parents, children, spouses, and spouses of children, are treated as PEPs. The regulated entities need to take a risk-based approach and consider whether the relationship between the customer and the PEP could be exploited or abused to obscure the PEP’s connection to illicit funds, as the above is not an exhaustive list.

Business Associates

People with close business relationships with a PEP are also considered persons associated with PEPs; people holding joint beneficial ownership or legal arrangements with the PEP are considered to carry similar risk to the PEP themselves. Associates who conduct transactions on behalf of the PEP are also categorised according to the degree of risk they pose.

What are examples of Politically Exposed Persons?

Here are the examples of persons considered as Politically Exposed Persons:

  • Examples of Domestic PEPs include heads of government or state, senior government, military and judicial officials, senior executives of state-owned corporations and important political party officials holding official posts within the government.
  • Examples of Foreign PEPs include heads of government or state, senior government, military and judicial officials, senior executives of state-owned corporations and important political party officials holding official posts within the government.
  • Examples of HIOs PEPs or International Organisation PEPs include managing director, secretary, chairperson, president, and such designations in international organisations such as the World Bank and International Monetary Fund, to name a few.
  • Examples of close associates of PEPs include natural persons having joint ownership rights in a legal person or arrangement or any other close business relationship with PEP, natural persons having individual rights in a legal person or arrangement established in favour of PEP.
  • Examples of related persons include direct family members, close associates, partners, prominent members of the same political party or civil organisations as the PEP, close friends or advisors, business partners or associates, etc.


Importance of Including PEP Screening within AML Framework

There are several factors that businesses operating in the UAE need to consider in their AML risk assessment, such as the type of business; the nature, category, and demographics of their customers; the country in which they operate; and the local AML regulations.

The AML framework of DNFBPs and VASPs needs to include and clearly state the steps, procedures, methods and approach for onboarding a customer who is classified as a PEP, or for enhancing customer due diligence when an existing low-risk customer is newly classified as a Politically Exposed Person.

Businesses must be mindful of covering the aspect in their AML framework where the UBOs of legal entity customers are identified and screened across relevant databases to find out if such UBO, or UBO’s family, friends or close associates qualify as PEP, and take necessary customer due diligence measures, derived from the risk-based approach.

It is important for businesses intending to establish business relationships with individuals or legal entities to identify the true nature of the person involved in such proposed business relations.

Businesses need to ensure that their establishment does not get abused or misused as an instrument to carry out illicit activities such as ML/FT and PF and related predicate offences.

Identification of PEPs becomes important as a prospective individual customer or beneficial owner of a legal entity might try to evade AML/CFT, anti-bribery and anti-corruption measures. The following is the list of reasons that make undertaking Politically Exposed Person (PEP) screening important:

Compliance with AML/CFT and TFS Laws

The AML/CFT and Targeted Financial Sanctions (TFS) regulations in the UAE require businesses such as DNFBPs and VASPs to have mitigation measures in place to curb ML/FT and PF risks to which they are exposed by their customers. They need to formulate and undertake effective policies, define processes and implement relevant measures to identify PEPs and mitigate any potential risks associated with PEPs. The identification of PEPs through screening will help DNFBPs and VASPs implement appropriate controls to mitigate risks associated with PEPs in an effective manner.

Identify and Mitigate ML/FT and PF Risks Associated with PEPs

The DNFBPs and VASPs must specify in their AML framework the PEP screening software, tools, and Application Programming Interfaces (APIs) used to access government, public, commercial and other forms of databases maintained by relevant organisations regarding PEPs.

The AML framework must also specify if the business is going to rely on any in-house database or information system for sharing data within the group organisations. The AML framework also needs to mention whether the business issues a PEP declaration form (a specific customer self-declaration form) that seeks information from customers themselves on whether any of them are PEPs or associated with a PEP in any manner.

Only when PEP identification is timely and successful can the ML/FT and PF risk mitigation measure-related workflows be triggered, such as enhanced customer due diligence by seeking sources of funds and sources of wealth from the PEP and obtaining senior management approval for establishing or continuing such a business relationship.

Reputation Management

The DNFBPs and VASPs attract tremendous reputational risk whenever establishing or continuing a business relationship with a Politically Exposed Person. The knowledge of whether their customer is a PEP enables them to take suitable and effective ML/FT and PF risk mitigation measures. If they fail to identify a PEP customer and fail to deploy necessary risk mitigation measures, then such a situation may result in their organisation being misused or abused by corrupt PEPs to carry out illicit activities such as ML/FT and PF or corruption and bribery.

Involvement of any business with crimes leads to severe reputational loss, leading to the business crumbling in no time. The correct and timely identification of PEPs helps DNFBPs and VASPs undertake timely risk mitigation measures and maintain reputation and trust among regulatory bodies as well as customers.

Adherence to Global Standards

The implementation and adoption of PEP identification processes that help in managing PEPs risk has been recognised as an essential element of FATF recommendations to combat ML/FT and PF risks. DNFBPs and VASPs, by including PEP screening, formulation and deployment of adequate PEP risk mitigation measures within the AML framework, showcase their adherence to the global standards for mitigation of ML/FT and PF risks from PEPs.

Maintain Autonomy of Decision-Making

There have been instances where corrupt PEPs have taken up unofficial control of businesses such as DNFBPs or VASPs through legal entities of which they are UBOs and used such business relationships to further their illicit motives by exerting their undue influence on the DNFBPs or VASPs to make decisions regarding its operations and functioning.

Businesses such as DNFBPs and VASPs are at risk of being used by corrupt PEPs to carry out their illegal tasks by exerting their influence, power, and control where the business or its board of directors loses their autonomy to decide for their own course of action. The chance of businesses being held hostage by corrupt PEPs is a risk which can be effectively mitigated by screening business relationships for Politically Exposed Person identification and taking timely PEP risk mitigation measures.

Devising PEP Risk Assessment Methodology

Once PEP identification and risk mitigation measures have been included in the AML framework, the AML framework needs to address PEP risk assessment methodology; the business needs to assess the ML/FT and PF risk posed by such a PEP on their business. For this purpose, DNFBPs and VASPs need to undertake PEP risk assessment and assign PEP risk rating according to set criteria.

PEP Risk Rating Criteria

The PEP risk rating is assigned by consideration of several factors as follows:

A. The nature of PEP’s position to influence or control decisions.

  1. The nature of PEP’s control over issues or decisions.
  2. The extent of PEP’s control over the disbursement of funds.
  3. The extent of PEP’s autonomy or independence in decision-making.
  4. The PEP’s rank or status within the government or international organisation.

B. The anti-corruption controls in place in PEP’s own country (in case of a foreign PEP).

  1. The country’s rating on transparency and corruption aspects.
  2. The level of investigations and prosecutions on the charges of high-level corruption in a country.
  3. The internal audit function within the PEP’s entity (in case PEP is a UBO of a legal entity).
  4. The asset disclosure requirements on the part of PEPs in the country or jurisdiction.

C. Other risk factors related to products, services, customers, geographies, delivery channels, and technology should be given due consideration.

D. If there are more than two PEPs involved in an entity where one of the PEPs carries high risk, then the treatment of the entity as high-risk should be considered.

Assessing PEP Risk against Risk Appetite

Risk appetite means the ability of a company to navigate and deal with the consequences of a risk, if, in any event, such a risk materialises.

Every business must formulate its ML/FT and PF risk assessment, within which the ML/FT and PF risk appetite statement must be defined. The risk appetite statement defines the degree and extent of ML/FT and PF risk that the business is willing to take in pursuit of forming business relationships and engaging in profitable transactions. To implement effective AML measures for PEP risk management and assessment, businesses need to assess and compare risks imposed by every Politically Exposed Person against its risk appetite statement.

Do all PEPs pose a risk?

Different PEPs pose different levels of risk to a business. A customised approach is needed to identify a PEP, perform a PEP risk assessment, and assign a PEP risk rating, as not all PEPs can be classified as high-risk. It depends on the regulatory requirements, the businesses’ internal AML policies, and their risk-based approach.

Businesses cannot employ a blanket approach as not all PEPs pose a high degree of ML/FT/PF, corruption and bribery risk. DNFBPs and VASPs need to develop a holistic approach which considers several factors, such as the nationality of the Politically Exposed Person, the ability of a PEP to influence business autonomy, connection to the transaction and nature of the transaction with the said PEP, and so on, prior to assigning a risk rating to a PEP.

Steps to Identify a Politically Exposed Person (PEP)

As the PEP risk assessment methodology is drafted and included in the AML framework, businesses must chart out steps through which they will identify if their existing or prospective customers are PEP. There are no strict steps defined anywhere in the regulation for identifying PEPs, but generally, PEP identification is carried out by a step-by-step methodology for effective identification of a PEP:

1. Collection of Key Identifier Details

The first step in identifying a Politically Exposed Person is ascertaining the correct name and profile of the natural person or UBO of a legal person and readying their details for carrying out a PEP screening exercise. This process includes collecting key identifier information such as name, aliases, last known address, ID or passport information, nationality, occupation, and age of the customer. This data collection is often formalised through PEP declaration as a part of the initial onboarding paperwork. This helps regulated entities assess the risk associated with customers by allowing them to understand the purpose and nature of the business relationship.

2. Entry of Key Identifier Details into Name Screening Software

The next step is to carry out a screening process against the Politically Exposed Person database. As part of this step, businesses need to subscribe to relevant lists and utilise databases that contain lists of known PEPs, their family members, and close associates. This facilitates businesses such as DNFBPs and VASPs in comparing customer information against these databases to identify any matches.

3. Running PEP Search in Name Screening Software

This step involves the name screening software running the process of comparing customer details across various databases containing names and related details of PEPs.

4. Disambiguation of Matches

After the screening, DNFBPs and VASPs need to check if the potential matches found during screening are false matches or true matches. If false matches are found, the company can onboard such a customer without conducting enhanced due diligence. If a true match is found, the appropriate enhanced due diligence measures must be carried out depending upon the steps prescribed in the DNFBP’s or VASP’s AML framework.

5. Establishing if Match is a Domestic PEP or Foreign PEP

Lastly, upon ascertaining a true match, the DNFBPs or VASPs need to ascertain if the PEP is a domestic PEP or a Foreign PEP to ascertain the degree of ML/FT or PF risk posed by such a PEP and take necessary further steps.

Identifying PEPs is crucial for assessing their risks and further undertaking mitigating measures. Thus, the identifying process is an important factor in overall PEP risk assessment, aiding regulated entities in fulfilling their legal obligations and mitigating the risk of being involved in ML/FT/PF or predicate crimes or unethical practices associated with PEPs.

Implementation of AML Compliance Measures for Dealing with PEPs

Like any other ML/FT and PF risks, the UAE has also included AML provisions to deal with PEPs and their associated ML/FT and PF risks.

The following is the list of regulatory requirements that DNFBPs or VASPs need to conduct when engaging with PEPs:

Know Your Customer (KYC)

The role of PEP in AML KYC is fundamental. It is essential for DNFBPs or VASPs to identify the PEP status before establishing a business relationship or engaging in transactions with them. For this purpose, the AML-regulated framework in the UAE mandated all regulated entities to undertake KYC processes and procedures for PEPs.

Name Screening

The regulated entities must carry out name screening to identify sanction and Politically Exposed Person matches, if any. If matches are found, they need to be disambiguated with proper reasons.

Customer Risk Assessment

Identifying PEP is not enough to assess the risks associated with it, as the risks would vary for various reasons, such as depending on the nature of PEP, the country they belong to, and any prior connection with financial crimes. Therefore, UAE’s AML regulatory framework requires DNFBPs or VASPs to undertake customer risk assessment processes to assess the risks associated with each person designated as PEP.

Enhanced Due Diligence (EDD) Procedure

The regulatory framework in the UAE requires regulated entities to conduct enhanced due diligence for high-risk customers. Generally, all PEPs are recognised as high-risk due to their power to influence the government’s decision-making and spending.

However, there is a possibility that the particular nature of a specific transaction or business relationship may not actually pose any significant risk; therefore, DNFBPs or VASPs are required to adopt a risk-based approach in formulating their customer onboarding policy pertaining to PEPs and allocate adequate PEP risk rating according to the risk rating matrix applicable for their own business. In simple words, a blanket approach is not recommended, and case-to-case decisions must be made considering the risk-based approach.

Ongoing Monitoring of Business Relationships

When regulated entities decide to engage with a person recognised as PEP and have taken all necessary measures to mitigate any risks associated with them, they still need to keep an eye on such persons. Therefore, DNFBPs and VASPs must conduct source of funds and source of wealth checks on business relationships with PEPs to safeguard themselves from any probable ML/FT and PF risks associated with PEPs.

Transaction Monitoring

In addition to ongoing monitoring of business relationships, DNFBPs and VASPs also need to monitor transactions entered with PEPs. This is done to assess transactions undertaken by PEP that show any suspicion of financial crimes or have monies that might be proceeds of such illicit activities. Therefore, to combat ML/FT and PF activities related to such transactions, DNFBPs and VASPs need to monitor transactions in which PEPs deal. 

Reporting Suspicion

Regulated entities must report any activities or transactions that raise concerns over ML/FT and PF. When assessing PEP’s status or transactions, if DNFBPs and VASPs encounter any suspicious transaction or activity, they must report it to the regulatory authorities on the goAML platform.

CDD Measures for Foreign PEPs

  • Adequate and appropriate AML risk management tools and systems to find out whether any customer or Ultimate Beneficial Owner (UBO) of a legal entity or legal arrangement customer with whom the business relationship is ongoing or proposed to be established can be classified as a PEP.
  • Seek senior management approval prior to commencing a business relationship or continuing an ongoing business relationship with a PEP.
  • Seek a source of funds and source of wealth for customers and UBOs identified as PEP.
  • Insist that the first payment for the transaction comes from the bank account held in the PEP’s own name.
  • Carry out enhanced ongoing monitoring of such business relationships.

CDD Measures for Domestic PEPs and PEPs who held prominent public functions in the past

An adequate and appropriate mechanism or system is needed to identify if a customer or a UBO can be classified as a domestic PEP or someone who used to be a PEP.

  • Adequate and appropriate measures for:
    • Seeking senior management approval prior to commencing a business relationship or continuing an ongoing business relationship with a PEP.
    • Seeking the source of funds and source of wealth of customers and UBOs identified as PEP.
    • Insisting that the first payment for the transaction comes from the bank account held in the PEP’s own name.
    • Carrying out enhanced ongoing monitoring of such business relationships.

Challenges in Assessing and Managing PEP Risk

Assessing whether a customer is PEP is a crucial part of the AML framework. However, DNFBPs and VASPs may come across various challenges when assessing and managing PEP Risk.

Here’s a list of a few challenges:

1. Evolving Regulations

The legal landscape is dynamic: it keeps evolving with the introduction of new ML/FT and PF typologies, resulting in the amendment and repeal of redundant laws, which are replaced by new and more effective legislation. It is therefore difficult for DNFBPs and VASPs to keep pace with the ever-evolving regulatory landscape, which ultimately results in regulatory changes concerning and governing the treatment of customers classified as PEP.

2. Updates in the PEPs Status

Political power or prominent public position keeps changing hands with changes in political tides due to elections and the removal or elevation of political officials; a PEP may not always hold the same influential position as he held in the present or past. Also, a new low-risk individual can be classified as PEP.

These changes in the nature of the person from being a PEP to a non-PEP or from being a non-PEP to a PEP result in mismatch or inaccurate PEP screening results. These updates in the nature of PEPs make the whole process of identifying PEPs much more difficult.

3. Verification and Identification of Status

The identification and verification of PEPs is a challenge in itself due to the difficulties involved in collecting and verifying their identification documents. These difficulties arise as PEPs may or may not always cooperate in providing the necessary information. In addition, businesses may rely on government websites or databases containing details of PEPs for identifying them. However, these databases do not always provide sufficient details to verify the identity of PEPs, or may not contain the latest details of the PEPs, leaving businesses in a state of confusion and incomplete compliance, as there is insufficient data to verify the identity of the PEP and complete the identification and verification requirements.

4. Resource-Intensive

The inclusion of PEP identification in the AML framework requires a lot of time and resources from DNFBPs and VASPs. Some of them might not be equipped or have the resources to implement robust processes for PEP screening and risk-mitigating measures, leaving them to deal with the ML/FT and PF risks.

5. Foreign PEPs

Foreign PEPs are people who hold important public positions in foreign countries. It is difficult to identify foreign PEPs in the absence of a central database of PEPs. The regulated entities depend on their software vendors to maintain a comprehensive database of PEPs. Since there are no benchmarks set in terms of the quality of the data, it becomes difficult to ascertain whether the PEP screening results are accurate.

Regulations surrounding PEPs vary by country. Therefore, it is difficult to assess the degree of risk posed by a foreign PEP to a DNFBP or VASP operating in the UAE. DNFBPs and VASPs need to adopt a risk-based approach and onboard a foreign PEP by assessing their ML/FT and PF risk and assigning an appropriate risk rating on a case-by-case basis.

Best Practices for Managing PEP Risk

In order to effectively identify and assess the risks associated with PEPs, DNFBPs and VASPs in the UAE need to incorporate best practices that effectively mitigate any financial risks imposed by PEPs.

Here’s a list of best practices that regulated entities must implement for managing PEP risks:

1. Establishing Robust Policies and Procedures

The foremost thing that DNFBPs and VASPs need to manage ML/FT and PF associated with any customer, including PEP, is establishing robust policies and procedures. The AML framework of the DNFBPs or VASPs must provide an onboarding policy for customers who are classified as PEPs and mention steps, methodologies, and workflows to be carried out for risk mitigation, such as enhanced due diligence process. The AML framework must also provide for steps to be taken to identify if an existing low-risk customer is classified as PEP and further due diligence requirements.

2. Senior Management Oversight

Decisions related to high-risk customers require oversight by senior management. In addition to this, senior management also keeps oversight when monitoring and reviewing PEP’s status. The tone at the top guides the compliance and business team in complying with the regulatory requirements.

3. Training and Awareness Programs

Screening PEPs manually or with the help of software requires skills. DNFBPs and VASPs should conduct training and awareness programs that are tailored towards enhancing the skills and abilities of staff when undertaking the name screening process for screening any recognised PEPs.

4. Monitoring and Reviewing

DNFBPs and VASPs need to continuously monitor and review the risks associated with PEPs and their activities. The regulatory framework of UAE also requires DNFBPs and VASPs to monitor and review CDD/EDD information on high-risk customers such as PEPs at regular intervals to keep a check on ML/FT and PF risk associated with them. Such measures help DNFBPs and VASPs to keep an eye on PEPs and safeguard themselves against any probable illicit activity, including corruption and bribery.

5. Utilising Name Screening Software

Screening customers to identify if any one of them is a PEP manually takes up a lot of time and also has the chance of human errors in such results. Further, there is no comprehensive list available to screen names against. Therefore, to overcome such challenges, DNFBPs and VASPs should incorporate name-screening or PEP screening software that is capable of effectively screening the PEP against various lists in minimal time with utmost efficiency. The regulated entities must evaluate the quality of the PEP database offered by the name screening software to ensure that it doesn’t miss out on positive matches.

6. Periodic review of Recognized PEP

When DNFBPs and VASPs decide to onboard a person recognised as PEP after undertaking EDD and other measures at the initial stage, it is necessary that they conduct periodic reviews of the recognised PEP in order to keep a check on their activities and transactions and to ensure that the PEP is not engaging in any illicit activities, including ML, FT and PF. The practice of keeping a check also helps DNFBPs and VASPs to identify if any existing PEP is not a PEP anymore and shift their risk rating from high to low appropriately.

Conclusion on AML Requirements for PEPs

The prominent public function exercised by PEPs is what makes them special when it comes to an assessment of ML/FT/PF, corruption, and bribery risks associated with them. The DNFBPs and VASPs in the UAE must establish a sound AML framework that contains provisions on the procedural aspects of treating a customer accordingly if they are identified as PEP. The DNFBPs and VASPs can rely on the best practices discussed in this blog and make sure they can steer clear of challenges faced while assessing and managing PEP risks. Ultimately, DNFBPs and VASPs must rely on the concept of a risk-based approach when assigning risk rating and carrying out diligence measures when conducting business with PEPs or associates or relatives of PEPs.

Lastly, DNFBPs and VASPs must always strive to investigate deeper as to the nature of UBOs in the case of customers who are legal entities or legal arrangements. DNFBPs and VASPs must make sure that legal entities they are about to establish a business relationship with or have an existing business relationship with are not mere shell companies or shelf companies; if legal entities are shell companies, then its UBO who is PEP may be much riskier to conduct business with.

FAQs on AML Requirements for PEPs

What is PEP?

PEP is an acronym for Politically Exposed Person who is prone to engage in financial crimes like ML/FT, bribery or corruption due to their prominent position or influence.

In AML, a PEP refers to a Politically Exposed Person; someone in a high public role who poses higher risk for potential corruption, bribery, or money-laundering, requiring enhanced due diligence measures.

A PEP declaration is a self-statement given by a customer confirming whether they are a Politically Exposed Person (PEP) or related/connected to one.

A PEP Customer is an individual who holds or has held a prominent public position (e.g. heads of state, ministers, senior bureaucrats, judges, etc.) or their immediate family members or close associates.

PEPs are susceptible to corruption due to their power to influence government spending. This gives rise to money laundering as they would then want to convert illicit money into legitimate money.

A PEP declaration form is nothing but an AML KYC check performed on a customer where the potential customer is asked to indicate if he is a Politically Exposed Person.

UAE AML Regulations require reporting entities to carry out AML KYC checks while onboarding a new customer. The reporting entities also perform PEP screening to identify if the customer is politically exposed. If the AML screening software shows a positive result for PEP screening, such customers are treated as PEPs and considered high-risk.

The AML regulatory framework in the UAE requires regulated entities to comply with mandatory requirements that include undertaking Customer Due Diligence (CDD), Customer Risk Assessment, Enhanced Due Diligence (EDD) Procedure, Ongoing Monitoring of Business Relationships, Transaction Monitoring and Reporting any Suspicion.

In order to check if a person is a Politically Exposed Person (PEP), reporting entities can resort to AML screening software. The name-screening software would screen the customer against the sanctions list and the list of PEPs. It is difficult to check for PEPs manually as no such global database is publicly available.

Politically Exposed Persons are classified as high-risk customers. However, not all PEPs are high-risk. The risks associated with PEPs should be determined considering their power to influence the government’s decision-making, spending, and business operations.

A close associate of a PEP is an individual who has close social or professional relations with a PEP.

Businesses identify PEPs through a combination of manual background checks using online and offline resources, and increasingly by using specialised AML software solutions.

Insurance companies need to ascertain if a beneficiary of a life insurance policy is a PEP or the person whose life is insured is a PEP, and they must take adequate due diligence measures to mitigate risks arising out of such an insurance policy.

Banks must conduct Politically Exposed Persons (PEP) screening while onboarding a new customer or entering into a fresh transaction with an existing customer. If the name screening software shows a positive match, then the customer is treated as a PEP in Banking and EDD is performed.

The time limit for considering a person’s PEP status after they leave their position is not a fixed duration but requires ongoing evaluation. Due diligence obligations emphasize a risk-based assessment to determine if a former PEP still holds influence or senior status from their past role.

To determine the current status of PEP’s influential power, DNFBPs should consider factors like power and seniority derived by the person from their previous role.

PEPs carry higher exposure to risks such as corruption, bribery, and money laundering. Identifying them and their relatives and/or close associates helps detect misuse of political influence, prevent illicit fund flows, and meet mandatory AML compliance requirements.

Not all PEPs pose a risk to a business. Some roles are inherently high-risk, while lower-level positions may pose minimal risk. Institutions must use a risk-based approach and not a blanket approach. A customised approach is needed to identify a PEP and perform a PEP risk assessment.

  1. The PEP’s controlling power to influence highly consequential outcomes.
  2. The PEP’s authority and independence in their role or function.
  3. The PEP’s authority to control the disbursement of funds.
  4. The governance structure (Anti-corruption laws and their level of enforcement, authority of independent public auditors, etc.) in a state or organisation where the PEP is functioning.
  5. The corruption level in the state or organisation where the PEP is functioning.

FATF Recommendations 12 and 22 define PEPs as individuals entrusted with prominent public function. As such positions can be misused for corruption, bribery, or money laundering, FATF requires enhanced AML/CFT measures when dealing with PEPs.

PEPs are always natural persons or individuals, and therefore, in the case of legal entities, the Ultimate Beneficial Owners of such entities are classified as PEPs.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 11 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Regulator-Ready Business Risk Assessment for VASPs in UAE

Benefits of Well-Articulated Business Risk Assessment

Last Updated: 12/09/2025

Business Risk Assessment for VASPs: At a Glance

  • Business Risk Assessment helps VASPs identify, assess and mitigate ML/TF/PF Risks.
  • Covers key risk factors for VASPs: Customers, Geography, Transactions, Products/Services, Delivery Channels.
  • Business Risk Assessment must be aligned with the VARA Rulebook, Federal AML/CFT Laws, UAE NRA and other sectoral risk assessments.
  • VASPs must regularly update BRA to reflect new products, typologies and emerging risks.
  • A Robust BRA supports stronger controls, enhanced decision making and regulator-ready compliance.

Regulator-Ready Business Risk Assessment for VASPs in UAE

A Business Risk Assessment (BRA) is a structured analytical process for Virtual Assets Service Providers (VASPs) in UAE. It assesses the nature of VASP’s business model, customer base, products, technologies and transaction patterns with an aim to determine the impact of these factors in exposing the business to financial crime risks.

The BRA facilitates identification of the inherent risks, evaluation of the already implemented control measures, calculation of the residual risks and is based on the risk appetite of VASPs. BRA provides insights into the actual Money Laundering (ML), Terrorist Financing (TF), and Proliferation Financing (PF) risks the business is exposed to.    

Why VASPs Require a Structured BRA?

VASPs operate in an ecosystem where transactions move fast, across borders and often without traditional financial intermediaries. This ecosystem offers a degree of anonymity in financial transactions, and it is widely accepted that where there is anonymity, the chances of ML/TF/PF risks are higher.

Unlike traditional financial transactions, in VASPs, the activities happen without face-to-face interaction, and users may deposit or withdraw funds from anywhere in the world.

This creates a business environment where risks are not always visible on the surface. In order to get a comprehensive view of the ML/TF/PF threats, VASPs are required to undertake a structured BRA.    

Through risk weighting and risk scoring, a Business Risk Assessment provides a forward-looking view of the risk areas that are more vulnerable to financial crime.

A well-done BRA helps a VASP break down the risk factors in a systematic way instead of relying on assumptions or scattered observations.

It ensures that the VASP gets a full view of where its vulnerabilities lie, how its products can be misused, which controls are working and which aren’t, and how it is exposed to on-chain threats.

Without a structured BRA, a VASP is essentially operating in the dark, making decisions without a clear grasp of its own risk exposure. An efficiently conducted Business Risk Assessment not only protects the business from probable financial crimes but also ensures that resources are prioritized in a better manner, specifically in areas that are weak.

Regulatory Mandate for VASPs to Conduct BRA under AML/CFT Framework of UAE

Virtual Assets Service Providers (VASPs) in UAE are regulated and supervised by the Virtual Assets Regulatory Authority (VARA). VARA issues periodic guidelines and rulebooks that VASPs are obligated to adhere to.

The Virtual Assets and Related Activities Regulations 2023 recognise the Federal AML/CFT Laws (Federal Decree by Law No. (10) of 2025 Regarding Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation Financing and its implementing Cabinet Decision No. (10) of 2019).

It mandates VASPs to comply with all Federal AML/CFT Laws, regulatory requirements, rules and directives with respect to VASPs’ AML/CFT obligations.

The Federal Decree by Law No. (10) of 2025 calls for a comprehensive Business Risk Assessment for VASPs to identify, assess and mitigate the ML/TF/PF within the business model.

Additionally, VARA rulebook Part III D talks about the Business Risk Assessment obligations of VASPs.

Rule III.D of VARA rulebook requires VASPs to conduct and maintain a documented and data-driven AML/CFT Business Risk Assessment in order to understand, identify and assess ML/TF risks specific to their business.

BRA must be carried out at least once every 3 months, and when there are changes in business model, products/services, customer base, technology, or new regulatory requirements. The AML/CFT policies, procedures, systems, and controls must align with the BRA, and high-risk areas must be prioritized for resource allocation.

Key Risk Factors VASPs Must Consider for Effective BRA

An effective BRA starts with identifying what can expose a VASP to financial crime risks. The risk is often enveloped in the form of customers, jurisdictions, transactions, products, services and delivery channels.

Evaluating these areas helps the VASP build a realistic picture of where vulnerabilities exist. While conducting Business Risk Assessment, VASPs must consider risk factors related to these key areas.  

The following infographic depicts the key risk factors VASPs must take into consideration while performing Business-Wide Risk Assessment.

Customer Related Risk Factors

While conducting an Enterprise-Wide Risk Assessment (EWRA), the VASP must assess customer profiles, behavior patterns and wallet activities. Factors such as weak KYC data, customers with unclear sources of funds, PEPs, and high-net-worth individuals dealing in large volumes or showing inconsistent behavior increase vulnerability.

Assessing these risks helps VASPs understand which customer segments require additional AML/CFT controls, such as Enhanced Due Diligence (EDD) to prevent misuse of the platform.  

Geography Related Risk Factors

Another key factor to consider while conducting a Business-Wide Risk Assessment is the VASP’s risk exposure based on where customers and counterparties are located. Crypto flows are borderless, which makes the location of originators and beneficiaries a major risk factor.

Hence, considering geographic risk in the BRA helps the VASPs to identify potential links to high-risk or sanctioned nations and jurisdictions associated with illicit crypto flows.

Transaction Related Risk Factors

In the Virtual Assets sector, the transactions are pseudonymous, which is a major risk factor for financial crime if controls are not deployed appropriately. Therefore, while conducting a comprehensive Business Risk Assessment, VASPs are required to consider transaction related risk factors.

This includes sudden spikes in transactions, irregular or unusual transaction patterns, bizarre amounts and frequency of transactions that have no logical explanation, source of funds or wealth that have traces to criminal activities.

Products and Services Related Risk Factors

In the Virtual Assets sector, different crypto products carry different inherent risks. These include trading platforms with high-value movement, NFT platforms with anonymized transfers or OTC desks dealing in large, off-exchange transactions.

Evaluating the risk of particular products and services that VASPs offer allows them to understand the offerings which are more vulnerable to ML/TF/PF activities. This facilitates putting additional AML/CFT controls at places that are weak.      

Delivery Channel Related Risk Factors

While developing the business risk profile, VASPs must consider delivery channel related risk factors, as how users access the VASPs affects the likelihood of abuse. For instance, online onboarding may face identity spoofing, API-based services can enable high-speed activities, and integration with third-party platforms may introduce risks that VASPs cannot fully control.

Therefore, assessing delivery channel related risks helps the VASPs to identify where additional verifications or oversight mechanisms are required.

Step-by-Step Guide for VASPs to Undertake Comprehensive Business Risk Assessment

VASPs often feel overwhelmed when conducting an effective BRA, especially because the Virtual Assets ecosystem moves fast and ML/TF risks evolve even faster. A structured step-by-step approach helps bring clarity to this process.

Key steps for VASPs to undertake an extensive Business Risk Assessment include:

  • collecting business data,
  • categorizing risks,
  • developing methodology for risk calculations,
  • assessing inherent risk,
  • evaluating control measures,
  • finding residual risk,
  • conducting gap analysis of findings,
  • documenting it, and
  • preparing the final BRA report.

The infographic below illustrates the chronological approach for VASPs to conduct an efficient Enterprise-Wide Risk Assessment.

Collecting and Mapping Business Data

The process of Business Risk Assessment (BRA) for VASPs begins with collecting all relevant information regarding the operating model through a customized questionnaire. This involves collecting structured data on customer types, regions, products, transactions and delivery channels. Further, the analysis of the National Risk Assessment and Sectoral Risk Assessment is performed to ensure thorough compliance with them.

By mapping this information, the VASP establishes a factual basis that anchors the entire risk assessment. It ensures that every decision is grounded in how the business truly functions rather than in mere assumptions.

Identifying and Categorizing Risks

Once the data mapping process is over, risks are identified and categorized based on the gathered data. VASPs break the collected data down and sort it into different risk factors.

This includes categorizing possible risks such as risky customers, high-risk countries, complex products, unusual transactions, weak onboarding channels, etc.

These risks are later grouped into categories so they are easy to analyze. In simpler terms, this step is about recognizing “Where can things go wrong”.

Developing a Structured Methodology for Risk Calculation

After categorizing the risks into different risk factors, VASPs develop a structured methodology for risk calculation.

Designing a repeatable and auditable approach, defining scales and risk weightings (likelihood, impact), outlining qualitative and quantitative thresholds, specifying how to combine scores (matrix, weighted average), and setting governance rules for calibration help VASPs turn a list of risks into a measurable framework.

Assessing Inherent Risks

After determining a structured methodology for risk calculation, the inherent risk of the VASP’s business model is evaluated. Inherent risk is the ML/TF/PF risk that is present in the business from its inception, before applying any controls.

To assess the inherent risk, the likelihood of occurrence or materialization of the identified ML/TF risk and the impact of that risk on the VASP are calculated using both quantitative and qualitative methods.

Evaluating Mitigation Controls

Once the inherent risk of the VASP is identified, the next step is to evaluate the mitigating controls that are already present in the business.

This includes checking the efficacy of AML/CFT Policies and Procedures, KYC Processes, Screening tools, Transaction Monitoring rules, Regulatory Reporting pathways and other control measures.

Determining the Residual Risks

After evaluating the effectiveness of mitigation controls, the subsequent stage is to determine the level of residual risk. Residual risk is the ML/TF risk that remains in the VASP after safeguards are applied.

Residual risk in the VASP business model is calculated through a structured methodology: inherent risk minus the controls. This uniform approach helps VASPs produce consistent residual ratings across risk categories.

Conducting Gap Analysis

After assigning the residual risk score to each risk category, the next step is to conduct a gap analysis. Analyzing the differences with reference to the risk appetite of the VASP provides full insight into the areas that are actually weak and facilitates developing the roadmap required to close those gaps.

These gaps are subjective and can differ from entity to entity, as they depend on the individual risk appetite. For VASPs, conducting a thorough gap analysis is of utmost importance as it shows the strengths and weaknesses of the business in raw form.

Documenting Findings and Risk Scoring

Following the gap analysis, documenting the findings and ultimate risk scoring captures the full assessment in a structured record for VASPs. This documentation also includes recording risk inventory, scoring rationale, data inputs, control assessments and version history in an organized manner.

The explanation and logic for reaching the final risk scoring are required to be documented. Thorough documentation ensures transparency and reduces the chances of errors.

Preparing the Final BRA Report

The final stage of an effective Business Risk Assessment for VASPs is preparing the final BRA report. It is a consolidated report that summarizes the VASP’s risk posture, high-risk exposure areas, key vulnerabilities, and residual risk priorities, along with a thorough recommended remediation plan.

This action plan outlines resource allocation, suggests updating AML/CFT policies/procedures and provides a roadmap for effective implementation and impactful decision-making to combat the risk of ML/TF/PF activities.

Unlocking the Benefits of Business Risk Assessment for VASPs in UAE

The advantages of a well-articulated Business Risk Assessment show up across the entire organization. It sharpens the way the business understands its risk exposure, highlights which areas need stronger controls and removes guesswork from decision-making.

Provides a Multidimensional and Balanced View of ML/TF/PF Risks

A robust Business Risk Assessment provides a comprehensive perspective on ML/TF/PF risks that a VASP is exposed to. It takes multiple dimensions into consideration, such as customer related risks, geographical risks, product/services related risks, delivery channel and transaction patterns related risks.

This multidimensional approach offered by BRA enables VASPs to make nuanced risk-based decisions regarding financial crime risk management and controls.

Facilitates the Development of an Informed and Curated ML/TF/PF Risk Appetite

A well-defined and analyzed Business-Wide Risk Assessment (BWRA) gives VASPs a clear view of their risk areas.

Moreover, it offers VASPs the data necessary to understand the exposure of their business model to financial crimes. That helps them develop an informed and carefully curated ML/TF/PF risk appetite commensurate with the nature, size and risk exposure of the VASPs.

Drives Efficient Allocation of Resources Towards ML/TF/PF Risk Management

An efficient Business Risk Assessment framework ensures that resources are deployed appropriately. It helps VASPs prioritize areas that pose a high risk of ML/TF/PF activities and reduces underutilization of their resources.

By analyzing each risk area, it helps VASPs plan their risk management efforts to optimize their AML/CFT/CPF compliance.

Strengthens Competence in ML/TF/PF Risk Management

An effective BRA framework enhances the overall competency of VASPs in managing financial crime risks. With the right assessment of risk exposure, calculation of inherent and residual risks and evaluation of control measures, VASPs build a more knowledgeable and risk-aware workforce.

It supports data-driven decision making, ensuring management of financial crime risks.

Ensures Alignment with National Risk Assessment and Sectoral Risk Assessment

An efficient BRA framework ensures that a VASP aligns with the findings of the National Risk Assessment and Sectoral Risk Assessments.

By incorporating outcomes from these assessments, VASPs can enhance their understanding of ML/TF/PF risks.

Supports Long-Term Growth Through Risk-Informed Decisions

A good Business Risk Assessment helps VASPs understand where the risks are and how to manage them.

This lets the business make smarter decisions, plan safely and grow without unexpected problems. Over time, it builds a stronger and more stable business.

Repeated Mistakes VASPs Make While Performing BRA

Despite clearly defined regulatory expectations, many VASPs fall into similar traps when conducting BRA. The basic mistakes repeated by VASPs often come from rushing the process with unrealistic risk scoring, misalignment with the actual business model, absence of documentation and treating the Business Risk Assessment as a one-time exercise.

These mistakes weaken the objective of conducting a Business Risk Assessment and end up exposing VASPs to regulatory penalties when the expectations of regulators are not met.

The infographic below demonstrates the common mistakes replicated by VASPs while performing Business Risk Assessment.

Treating BRA as One-Time Exercise

There is a widespread misconception among VASPs that Business Risk Assessment is a one-time exercise. The BRA is mistakenly treated as a static document instead of a living assessment.

This results in a BRA that no longer reflects the VASP’s real ML/TF/PF exposure, as the risk factors affecting it keep changing. Treating the Business Risk Assessment as a one-time activity quickly makes it outdated.

Not Aligning BRA with Actual Business Model

Some VASPs prepare a BRA that appears good on paper but lacks substance. The prepared Business Risk Assessment does not reflect the actual business model, its products, customers, supply chains, or transaction patterns.

Inaccurate representation makes risk assessment theoretical rather than practical. A BRA that is disconnected from the core business model cannot lead to true and effective decision-making.

Ignoring On-Chain Typologies and Virtual Assets Red Flags

One of the major roadblocks for VASPs to conduct an effective Business Risk Assessment is focusing on traditional financial crime risks while ignoring the Blockchain-specific ML/TF/PF Typologies.

The nature of the Virtual Assets (VA) sector is quite different from that of the basic financial or DNFBP sectors. This uniqueness requires a unique approach, which VASPs fail to implement.

Failing to consider VA specific red flags and typologies in the BRA underestimates the real risk exposure and weakens monitoring strategies.

Weak Documentation and Lack of Supporting Evidence

A lot of VASPs lag behind in preparing a regulator-ready BRA because the findings are not supported by a clear rationale, data and evidence. The assessment tends to be difficult to defend during audits or regulatory reviews due to illogical, scattered and undocumented assumptions.

A strong BRA requires a documented methodology, scoring explanations and consistent use of risk metrics. The failure to incorporate these practices in the BRA makes it sluggish and incompetent.

Unrealistic Residual Risk Ratings

A very common mistake repeated across multiple VASPs is the failure to rate residual risks realistically.

Residual Risk is a very important aspect of an accurate Business Risk Assessment, as it paves the way for sound decision-making and gives a real idea of financial crime risk exposure to VASPs.

However, wrongly calculating it by overestimating control effectiveness or underestimating inherent risk exposure creates a false sense of security.

Best Practices for VASPs to Conduct Robust BRA in Line with Regulatory Expectations

Regulators often find the Business Risk Assessments prepared by VASPs underwhelming. Implementing certain best practices while performing an Enterprise-Wide Risk Assessment ensures that it fulfills the regulator’s expectations.

These best practices include incorporating sector-specific risk indicators, alignment with UAE NRA and VARA, periodic updates in VA-specific typologies, leveraging AI for risk scoring, using qualitative/quantitative scoring, training employees and documenting all assumptions, data, rationale and methodologies.

Moreover, integrating the Business Risk Assessment outcomes into the internal framework and conducting quarterly reviews ensures the robustness of BRA.

The following infographic represents the best practices for VASPs to conduct BRA that are in line with the Regulatory expectations.

Incorporating Sector-Specific Risk Indicators for VASPs

For an accurate Business Risk Assessment, VASPs must include ML/TF/PF risk indicators that are specific to the Virtual Assets Sector. This includes indicators like wallet anonymity, cross-chain transfers, decentralized platforms or high-velocity trading patterns.

Embedding these VA-specific risk indicators into the BRA ensures that VASPs reflect actual threats rather than relying solely on traditional indicators.

Aligning BRA with the UAE National Risk Assessment and VARA Regulations

VASPs must ensure that they align the Business Risk Assessment with the results of the National Risk Assessment (NRA), VARA Regulations and the UAE’s Federal AML/CFT Laws. The risks and industry findings identified in the UAE NRA and relevant Sectoral Risk Assessments must be considered in the VASP’s risk rating methodology.

This alignment ensures that VASP’s internal view of risk matches the country’s identified threats and regulatory expectations.

Updating Typologies and Red Flags for Virtual Assets Regularly

Since financial crime methods evolve rapidly in the crypto landscape, VASPs must continuously refresh their knowledge of typologies and red flags.

This includes staying updated on emerging schemes such as Anonymity-Enhanced Transactions, new or evolving Virtual Assets products, etc. Keeping the typology database current ensures that the VASP is using the latest intelligence to judge ML/TF/PF risk exposure accurately in the BRA.

Leveraging Advanced Technology for Risk Scoring and Weighing

For a robust Business Risk Assessment, VASPs must leverage advanced technology rather than solely relying on manual judgement.

VASPs should integrate tools such as blockchain analytics platforms, automated scoring engines, visual heatmaps and AI-based gap detection into the BRA. This improves accuracy and consistency in risk scoring.

Using Qualitative and Quantitative Scoring for Balanced Assessment

VASPs must combine qualitative and quantitative scoring scales for a balanced approach in Business Risk Assessment. This includes merging numerical scoring with approximate judgment.

This blending approach in the risk scoring model prevents the BRA from becoming overly mechanical. It ensures that VASPs evaluate the ML/TF/PF risks of their business from both a data-driven and practical perspective.

Documenting All Data Sources, Assumptions and Methodologies

In order to create a structured Business Risk Assessment, VASPs must document every data source used, the assumptions behind scoring, the logic for weightings and the rationale behind the final risk rating.

These are some of the most important aspects of BRA. Such documentation strengthens governance and ensures that BRA can be defended during regulatory audits.  

Training Employees on Risk Assessment Concepts

For an effective and sound Business Risk Assessment, it is essential that VASPs provide periodic training for their employees on risk assessment concepts.

The accuracy of the BRA relies on informed people. Providing training on VA-specific typologies and scoring methodologies builds internal competency. It ensures consistent judgment across the VASP and creates a shared understanding of how risk decisions are made.

Incorporating BRA Outcomes into the Internal Framework of VASPs

For an effective implementation of the Business Risk Assessment, it is crucial that VASPs incorporate the findings and recommendations of the BRA report into the internal framework of their organization.

This includes integrating BRA outcomes into the VASP’s AML/CFT Policies and Procedures, Customer Risk Assessment, Transaction Monitoring Calibration, internal audit and other compliance monitoring plans. Allocating resources as per the results of the BRA increases the efficiency of VASPs.

Conducting Quarterly Reviews of BRA

The best practice to keep the BRA current is to conduct periodic reviews of it. VASPs must establish a framework to review the BRA quarterly against any new developments, supervisory findings and emerging typologies.

Moreover, VARA expects VASPs to analyze key operational data and material changes, at least once every quarter. This ensures that BRA remains relevant and accurately reflects the risk landscape throughout the year.

Turn Your Business Risk Assessment into Regulator-Ready Backbone for Your VASPs Operations

A well-articulated Business Risk Assessment is not just a compliance requirement, but a foundation for an effective AML/CFT Program for VASPs. As the Virtual Assets sector continues to evolve, regulators expect VASPs to display a real understanding of their own ML/TF/PF risk exposure. An organized and regularly updated Business Risk Assessment helps VASPs stay ahead of these expectations instead of reacting at the last minute.

Frequently Asked Questions (FAQs)

What is Business Risk Assessment for VASPs in UAE?

Business Risk Assessment is a structured review of the financial crimes risks faced by VASPs’ business model. It gives insight into risk exposure considering wide-ranging factors such as customer base, delivery channels, geographies, transaction patterns, and product/services offered.

VASPs in the UAE should update their Business Risk Assessment every quarter or on the occurrence of significant events, as mandated and expected by the UAE’s regulatory authorities.

VASPs should evaluate customer related risks, transaction related risks, geographical risks, product/services related risks, delivery channel related risk and other relevant risks for an effective Business Risk Assessment.

To perform a Business Risk Assessment, collect mandatory business data, assess inherent risk, evaluate existing control measures, calculate residual risk with a structured methodology, prepare a report and document all the data and rationale.  

Yes, VASPs are required to align their Business Risk Assessment with the outcomes of UAE’s National Risk Assessment and FATF Guidance.

To conduct a Business Risk Assessment for a VASP, first understand the regulatory requirements and the nature of the business, gain a grasp over VA-specific typologies, then determine the risk appetite, develop a board-approved methodology and commence with the assessment with relevant business-related data.

AI helps VASPs perform BRA by analyzing large customer sets, transactions and on-chain data sets more accurately. It also automates scoring and identifies anomalies that a manually conducted Business Risk Assessment may miss.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

What is a White-Collar Crime and Its Inter-Relationship with ML/TF

Last Updated: 12/08/2025

Key Highlights: White Collar Crime & ML/TF

  • White collar crime involves non-violent financial offences committed through deception or misuse of professional authority.
  • Typical characteristics include deception, concealment, abuse of trust and complex financial transactions.  
  • Money Laundering often overlaps with white collar crime, especially during the placement and layering stages.
  • Key measures to combat white collar crime include strong legal and regulatory framework, internal controls, whistleblowing systems, employee awareness, and corporate governance practices.

A non-violent and financially motivated crime is termed a white-collar crime when it is executed by an employee while carrying out their responsibilities at work. This blog aims to elaborate upon the concept of white-collar crime, its characteristics, and its types. The blog also sheds light on how white-collar crime impacts not only the country where it originates but also its impact across the globe and how white-collar crime is carried out.  

In addition, the blog elaborates upon how machine learning helps counter white-collar crime, the challenges in investigating and prosecuting the same, the steps that businesses can take to combat the occurrence of white-collar crime, and how white-collar crime is closely linked to money laundering (ML) and terrorism financing (TF). 

What is a White-Collar Crime

The term ‘white collar’ refers to any person employed in an organisation who does not carry out manual labour and makes use of their intellectual capacities. 

White-collar crimes refer to crimes carried out by white-collar employees. White-collar employees may tend to misuse their ability to make decisions at work to conceal, deceive, violate trust or commit fraud related to large amounts of money upon any other company or person. 

Characteristics of a White-Collar Crime

The key characteristics of white-collar crimes that set them apart from traditional offences are as follows:

1. Non-Violent

White-collar crimes, by definition, are non-violent in nature. For example, no violent activity is involved in committing a white-collar crime such as insider trading. This crime takes place through the misuse of unpublished price-sensitive information by any person within the business (usually a white-collar employee in this example) to book profits or facilitate price manipulation. Here, the entire crime gets executed, generating immense profits for the criminal without the use of violence.

2. Financially Motivated

The primary motive behind white-collar crimes is generating quick financial gains illegally. In many businesses, the management itself is ignorant about ethical conduct and does not set the tone from the top for utmost good behaviour and for carrying out duties ethically in the interest of the business. Under such mismanagement, frustrated employees who are morally and ethically compromised are attracted to making quick money by disclosing confidential company information or carrying out corrupt and fraudulent activities to enrich themselves financially.

3. Carried Out by Professionals

The nature of white-collar crime is such that it can be carried out by knowledgeable and educated professionals in their relevant sphere, as they are aware of how to misuse the loopholes in compliance within their workspace. This can be better understood with the help of an example: a white-collar employee, such as a screening analyst facilitating terrorism financing, can manually manipulate sanctions screening results so that a sanctioned individual is shown as a non-sanctioned individual, resulting in the onboarding of a sanctioned person who carries out terrorism financing by using the business as a vehicle to move funds for terrorist end-use.

4. Carefully Planned

The execution of white-collar crime requires the person executing it to devise steps to work around the checks and balances and plan for carrying out the intended white-collar crime. Generally, white-collar crimes are carried out by identifying loopholes and navigating checks and balances well in advance, as a lack of planning would result in the employee getting caught and questioned for misconduct. 

5. Technology-Driven

A lot of white-collar crimes these days, such as forgery, misappropriation of funds, cybercrime, personal data privacy violations, and intellectual property infringement, are carried out online or with the help of hacking into secure databases containing sensitive data or information.  

6. Concealment and Deception

White-collar crimes, in general, have an element of concealment and deception, as a normal-appearing employee facilitates the planning and execution of the crime in the background. Such employees, in the guise of their routine work, look for opportunities which they can exploit to make financial gains.

Understanding White-Collar Crime

White-collar crimes are non-violent, sophisticated crimes. Professionals in high-paying private or government jobs and big corporations engage in such crimes. These crimes are more strategic, innovative, and meticulously planned to avoid detection.  

However, the fight against these crimes is not so strong because detection is challenging and often goes unaddressed in terms of legislation. Since these crimes are non-violent and involve many complexities, misuses, and misrepresentations, uncovering these crimes and the persons committing them before they impact society is challenging. The major impact is on individuals, corporations, economies, and communities. If caught, the perpetrators will face financial penalties, jail terms, and bankrupt businesses.

Why is White-Collar Crime a Matter of Global Concern

The impact of white-collar crimes on employees, customers, and society is enormous. They lose money, assets, jobs, and mental peace. Even countries suffer substantial economic costs, loss of investor confidence, and reduced customer trust. Bankruptcies and business failures can destroy the entire country’s economy. White-collar crime can also distort competition, create social unrest, weaken integrity, and aggravate inequality and poverty.

These effects on the societies and economies sometimes spread to other jurisdictions. This is because of globalisation, which has interconnected many global financial systems. Cross-border white-collar crimes have also become frequent, affecting several countries. So, it is a matter of grave concern for global watchdogs and regulatory authorities.  

Types of White-Collar Crime

The different types of white-collar crimes include: 

Fraud

Fraud involves misrepresentation or the use of a false pretence to obtain something from someone. There are various ways to deceive someone to get their money or other valuable assets.  

Embezzlement

Embezzlement occurs when someone entrusted with funds or assets misappropriates them without the consent of the company or agency allocating the funds or assets. 

Insider trading

Insider trading refers to misusing unpublished price-sensitive information that has the potential to sway market prices to make profits out of it. 

The insiders can be directors, promoters, employees, executives of the company, or someone closely related to such people who have access to inside information. 

Bribery

Bribery involves influencing the decision or action of an individual or entity in power to get preferential treatment in exchange for gifts, payments, or valuable items. The bribe can be cash, property, services, or favours. The reason can be anything like getting a government contract or an award. 

Cybercrimes

Cybercrimes are crimes occurring using digital means, including laptops, mobile phones, computers, and the internet. Criminals use these mediums to harass someone, lure people online, or conduct fraudulent activities. These are sophisticated crimes conducted for monetary or non-monetary gains. This can be data theft, mental harassment, stealing online money, or any other crime. 

Money Laundering

Money laundering is a white-collar crime in which criminals disguise the illegal origins or sources of funds by layering them with legal transactions or integrating them into the legal financial system. Criminals hide the sources of such funds through complex transactions or a series of money movements. These activities lead to cleaning the illegitimate origins of the funds to make them appear legal. 

Tax Evasion

Tax evasion means avoiding taxes by falsifying data, hiding income, or other illegal ways. Some common tax evasion strategies include underreporting income, using shell companies to hide the beneficial owners of assets, not reporting illegal income, avoiding tax audits, altering financial statements, having offshore accounts in tax havens, and many more.  

Ponzi Schemes

A Ponzi scheme is a type of white-collar crime involving fraudulent investment schemes. The initiator of the scheme promises to invest money to generate higher profits for distribution. However, the investments of new investors are actually used as returns to pay off earlier investors. When the new investments are less than the amount to be paid off to previous investors, the scheme fails.

Forgery

Forgery includes altering or copying legal documents or records to defraud someone. Criminals can forge currency, cheques, identity documents, artwork, wills, certificates, or contract agreements. It can be a physical forgery or electronic. Criminals use sophisticated technologies to forge or create false documents. For example, employees may create a false letter of recommendation to get a job in a company.  

Counterfeiting

Counterfeiting means imitating a genuine or authentic object. Counterfeiting aims to replace the original and earn greater value from the sale of fake products. The objects generally counterfeited are currency, identity documents, luxury goods, chemicals, spare parts, medicines, and food items. It primarily affects the trader of original products who suffers losses. Counterfeiting can also harm the lives, health, safety, and well-being of individuals, companies, or economies. 

Extortion

Extortion involves threatening a person or their family or friends to gain some money or other valuable things. The criminal might threaten the victim’s family, use force to intimidate them or use violence to harm them. The criminal gains money, property, valuable security, or a signature on a critical document from the victim. 

Environmental Crime

Environmental crime means the exploitation of natural resources or causing harm to the environment. It affects a country’s natural resources, human health, plants and animals’ lives, food chains, life expectancy, and biodiversity. These can include crimes such as improper disposal of waste, the killing of protected wild animals, illegal trading of plant species, illegal operations of destructive substances or materials, and others. Chemical pollutants released by industries and factories are a big crime, destroying environments across the globe.  

Common Methods Used in White-Collar Crime

Knowing these common methods of conducting white-collar crimes enables businesses to detect them before the crime occurs. The common ways in which white-collar crimes occur are: 

Identity Theft

Identity theft occurs when someone illegally obtains or uses an individual’s identity details without consent.

This information includes personal identification details such as identity documents, credit/debit cards, bank account details, and many more. Criminals use this information to do any of the following:

  • Open new accounts 
  • Obtain products and services in the victim’s name 
  • Use the victim’s existing bank accounts to conduct transactions 
  • Apply for loans 
  • Spend money on travel, tickets, property purchases, etc. 
  • Buy medicines or medical facilities, affecting health insurance coverage 
  • Commit a crime under the victim’s name, leading to legal consequences 

Accounting Data Manipulation

Another way criminals conduct white-collar crimes is by manipulating accounting data. It involves the misstatement or misrepresentation of a company’s or individual’s financial data. Companies manipulate these statements to avoid the repercussions of showing an adverse financial scenario. Some of the ways they manipulate this information are:

  • Recording fictitious revenues or adding other incomes to it 
  • Changing the accounting period for a few expenses
  • Adjusting accounting estimates and assumptions 
  • Understating liability or overstating assets 
  • Creating fake invoices 
  • Falsifying cash and bank balances. 

Market Manipulation

Manipulating the markets is another way to conduct white-collar crimes. The aim is to influence people’s behaviour in one direction so that the criminal can benefit. It means artificially affecting a financial instrument’s demand, supply, or price. It can be a currency, commodity, or share. Market manipulation can involve any of the following: 

  • Manipulating the quotes or prices of securities 
  • Spreading misleading information about a company 
  • Posting fake orders 
  • Acting on insider information not made public yet. 

Exploitation of New and Emerging Technology

Technological advancements are a benefit to any economy because they solve problems. However, the exploitation of such technologies by criminals has increased. Financial criminals know how to utilise technology to deceive businesses, regulators, or individuals to achieve some financial benefits.  

The primary ways in which fraudsters exploit emerging and new technologies for their personal gain are: 

  • Data breaches 
  • Gaining wrongful access to sensitive customer information 
  • Malicious software or hacking to steal money 
  • Hacking financial systems to get insider information  
  • Technologies make identity theft easier 
  • Cyber fraud 
  • Fake online marketplaces 
  • Using digital currencies to launder money. 

Challenges in Investigating and Prosecuting White-Collar Crime

White-collar criminals exploit technologies, manipulate data, and misuse information to conduct crimes. Their work is so sophisticated that detecting the crime is challenging. 

Cross-Border Transactions

Investigating cross-border transactions is challenging, given the jurisdictional variances and the need for cross-border collaborations. Currency fluctuations and regulatory differences make it easier to commit crimes. Prosecuting becomes even tougher due to legal differences in civil and criminal laws.  

Resource-Intensive Investigations

Putting adequate compliance measures in place and implementing them to prevent white-collar crimes requires funding. Compliance tools such as screening software or employee background and monitoring policies require substantial funding, which not all types of businesses can afford. Even if the funding is available, it is difficult to recruit people with the right skills. This leaves scope for businesses to be used for conducting white-collar crimes.

Influential Perpetrators

The wrongdoers in white-collar crimes are employees, top management, or leaders of entities. In most cases, they are business and government professionals. These people have earned respect in their community. They are influential people with known credibility and trust among their professional and personal networks. So, detecting such people and understanding their criminal minds is challenging. Further, if they are guilty of having committed a white-collar crime, they use their influential network to jeopardise the investigation against them. 

Evolving Crime Typologies

Crimes worldwide are increasing day-by-day. Countries are introducing new laws, and companies are developing new technologies to restrict the execution of crimes. But criminals find loopholes and harness them for their benefit. They try new ways, identify new loopholes in laws, and harness technologies’ weak points to commit crimes. 

Difficulty in Gathering Evidence

White-collar crimes involve either the entire organisation, a few top managers, or one individual. One can identify all these only after in-depth investigations. Detecting the part where the fault lies or from where it all started is challenging. 

Machine Learning and its Application in Detecting White-Collar Crimes

Machine learning (ML) learns patterns in data and predicts future occurrences. Based on these predictions, potential red flags can be spotted and stopped before they materialise. Machine learning helps businesses with the following:

Anomaly Detection

An anomaly is behaviour that contrasts with the usual customer activity. ML helps spot unusual patterns, outliers, or irregularities in customer or transaction data. These irregularities point towards a potential fraud, vulnerability, or failure. Incomplete data, unexpected manual intervention, or inconsistencies in the dataset are warning signs.

These signs indicate a problem which needs further investigation. Anomaly detection helps businesses to spot suspicions in datasets in real time so that immediate action can be taken. 

Predictive Analytics

Predictive analytics in machine learning predicts future outcomes based on historical data analysis. So, while studying the old data, predictive analytics identifies patterns and trends and analyses them. It uses past learnings while analysing the new data. Based on the analysis of old data on user behaviour, ML predicts potential patterns in new data. It recognises similar trends and behaviour and flags them as suspicious. 

Automated Monitoring

Any system using ML techniques to sift through data runs on automated monitoring, which operates continuously. It studies the old data, identifies patterns, and applies the same learning to the new incoming data. It checks and tracks the data in real time to identify trends and flag them for further investigation.

Network Analysis

Network analysis means studying the relationships between factors. Businesses can identify the linkages between data points under study in machine learning and detect the following: 

  • Relationships between various people involved in the crime 
  • The pattern of relationships between them 
  • Key influencers in the group who control others 
  • The spread of unique behaviour that led to the crime 
  • The organisation and hierarchy of criminal groups 

Natural Language Processing (NLP)

Natural language processing means processing and understanding the natural language of humans. Using this feature, ML helps study, comprehend, and analyse text. Text-based data can come from emails, videos, audio, social media posts, or other sources. It helps understand the text exchanged between white-collar criminals. It sifts through all this qualitative data and detects suspicious behaviour. Whether it is phrases, keywords, tone, or patterns, it can study them to identify suspicious behaviour.

What is Money Laundering and Terrorist Financing

Money laundering means disguising the origin or source of illegal money and introducing it into the legal financial system. It is a financial crime committed by individuals, entities, and big criminal organisations. When an individual earns or generates illicit funds from a transaction, they layer these funds with complex transactions and integrate them with legal money. This entire process of placement, layering, and integration is called money laundering.  

Terrorist financing means funding the activities of terrorists and terrorism. This can include operational activities of terrorism, terrorist attacks, travel, and lives of terrorists, or buying weapons. Any activity that provides financial support to terrorist organisations to carry out their terrorist acts is terrorist financing. The process of terrorism financing is carried out by collecting funding either legally or illegally, followed by making provisions to store or park such funds until they can be moved safely for further use without raising suspicion. 

The Inter-Relationship between White-Collar Crime and Money Laundering and Terrorist Financing

Generally, it’s the greed of some individuals or entities that leads to white-collar crimes. These criminals are already in a position of power and prestige and command respect for it. But they want a commercial or personal advantage, more money, or avoid losing their assets.  

White-collar crimes involve manipulating data or markets, misusing identities, or exploiting technology. Using these techniques, white-collar criminals can deceive the legal and regulatory authorities and people. Now, hiding this illegal money or disguising illegal funds and reintroducing it into the financial system as legitimate gains or income is possible with money laundering.  

Criminals hide the illegal money or assets gained from such white-collar crimes by taking the money far from their origins. The aim is to confuse the investigators who want to trace the money or assets. So, criminals either layer them with several transactions or integrate them with the legal financial system. This is how white-collar crimes, in a way, facilitate money laundering.  

White-collar criminals might also use money from such crimes to fund terrorist activities. If they have more dangerous aims, they will transfer the money to terrorist organisations. In doing this, they use false identities to save their name from all crimes.  

To distance themselves from illicit sources of income or gains, white-collar criminals resort to: 

  • Hiding the source or destination of funds 
  • Creating layers of transactions to conceal them 
  • Using the illicit layered money for a legal transaction 

This is how white-collar crimes are interrelated with ML/TF. Not only this, the financial gains from white-collar crimes are also used in drug trafficking, arms dealing, and other transnational criminal activities. So, they create a maze of unlawful and unethical activities to hide their face and name. 

Measures to Combat White-Collar Crimes, ML, TF

Businesses need to find a weak link in the interrelationships between these white-collar crimes to catch them, and should have the following measures in place to prevent these crimes:

Strong Legal and Regulatory Framework

In cognisance of the white-collar crimes in the country, the UAE has taken strong steps to fight them and reduce their impact. The UAE Penal Code, the Federal Decree Law on AML/CFT and TFS Compliance are measures taken by the government to identify and take action in the event of any white-collar crime, along with measures to report suspicious activity to the goAML portal by filing a Suspicious Activity Report.

Also, laws governing the protection of whistleblowers contribute to quick detection of potential white-collar crime. 

Enhanced Supervision and Oversight

Businesses must strive to improve the supervision and oversight of their anti-crime measures. This will enable the business to know the status of each procedure, internal control, and technique applied against these white-collar crimes and gauge the following with such supervision: 

  • Positive points of its anti-financial crime measures 
  • Gaps, weaknesses, and areas of concern 
  • Ways to fill these gaps and solutions for them 
  • Whether these measures facilitate compliance with regulations 
  • Reporting the compliance status to authorities 
  • Any non-compliance penalties or legal proceedings against  the business 

Corporate Governance

The senior management in a company must set the tone at the top. Once that is taken care of, it is possible to design and implement effective measures against these crimes. Businesses must have a strong board of directors and top management who define the plan, accountability, and responsibilities.  

Other corporate governance practices that help in preventing these white-collar crimes are: 

  • Defining clear roles and responsibilities to facilitate faster crime prevention initiatives. 
  • Defining a code of conduct, including acceptable and unacceptable behaviours, to create an ethical environment in the entity. 
  • Ongoing training to employees and other stakeholders on crime prevention, compliance, and ethical behaviour. 
  • Defining data permissions and accessibility to prevent data theft or misuse by internal people. 
  • A reporting structure to keep everyone in the entity aware of the entity’s financial health and any potential crime threats. 
  • Auditing by internal and external parties to ensure accuracy and completeness of the anti-crime measures.  

Enhanced Compliance

UAE has specific laws against money laundering, terrorism financing, proliferation financing, fraud, embezzlement, cybercrimes, and many more. These laws mention the mandatory requirements needed to be followed to prevent white-collar crimes by enabling businesses to: 

  • Identify and analyse the risks to the business from these crimes 
  • Implement policies, procedures, and internal controls to fight these crimes 
  • Train employees on these procedures 
  • Conduct processes to know your customers and their transactions better 
  • Appoint relevant officers and team to handle the compliance requirements 
  • Perform audits of all these systems, technologies, and procedures to improve 

Performing all these activities leads to compliance with these regulations.  

Technological Solutions

Technology is a sure-shot solution to white-collar crimes. Advanced technologies like artificial intelligence, machine learning, data analytics, and others can help detect suspicious activities. They can identify potential warning signs in customers’ behaviour and transactions.  

These technological solutions help mitigate crimes besides prevention. Technological systems help in conducting audits, monitoring, and investigations of measures against financial crimes.  

Training and Awareness

It is difficult to achieve success in anti-crime measures without knowledge. Businesses must conduct employee training on the above aspects to make them aware and diligent in their approach. Building a positive, anti-crime culture in any business is crucial so that no employee resorts to white-collar crimes. Such culture also ensures that employees report or discourage others from committing white-collar crimes.  Having a legally compliant and ethical culture is an excellent anti-crime measure.  

Collaborative Approach

Collaboration and coordination with regulators, peers, and industry-specific associations is an effective step against these crimes. Such collaboration helps businesses by: 

  • Understanding the challenges and finding their solutions 
  • Learning about the best practices peers have implemented 
  • Detecting the new emerging risks and white-collar crime tactics 
  • Improving record-keeping and reporting procedures by consulting with regulators. 

Harmonisation of Laws

By coordinating with authorities of the free zones and federal, regional, and international jurisdictions, businesses can create consistent anti-financial crime/AML frameworks and internal guidelines. Harmonised laws make compliance easier and faster. Also, it reduces criminals’ opportunities to exploit jurisdictional differences in laws.  

Whistleblower Protection

One vital activity that can help businesses uncover white-collar crimes or criminals is whistleblowers. They are people from inside the organisation who report suspicious activities or operations. However, one factor that discourages them from such reporting is personal risks. If businesses do not keep them anonymous, criminals or their associates can harm whistleblowers or their families’ lives or jobs.  

Whistleblower protection programs are essential to encourage employees to report their suspicions.  They must feel safe and secure to report such crimes. Businesses must create policies to protect their anonymity and keep their information confidential. With a guarantee of a safe environment, whistleblowers will be active in detecting suspicions and reporting them on time.  

Media and Civil Society Participation

This is also a measure not in the hands of entities but other associations and society. Regulatory authorities must run campaigns to increase the awareness of white-collar crimes and the significance of measures against them. They must impart training on ethics, fraud prevention strategies, and corporate governance to improve the workforce’s integrity. Besides, the following can help: 

  • Media must write articles on such crimes and measures businesses implement against them.  
  • The supervisory authorities must keep a check on businesses in their industry to ensure the implementation of anti-crime measures.  
  • Civil society must provide platforms for whistleblowers to voice their concerns and protect them.  
  • The media can create anonymous reporting channels so whistleblowers feel safe and secure to report. 
  • Media and civil society can create public pressure and lobby for stronger laws against white-collar crimes.  
  • They can facilitate collaboration between different stakeholders and the community to devise a plan against crimes.  

Frequently Asked Questions (FAQs)

What is white collar crime?

White-collar crime includes non-violent, financially driven acts such as fraud, embezzlement, insider trading, and money laundering committed by professionals or corporate entities.

They generally involve deception, breach of trust, complex financial manipulation and non-violent conduct carried out for financial benefit.

Yes. Money laundering is a white-collar crime because it involves financial deception, concealment of illicit funds, and non-violent methods to make illegal money appear legitimate.

Examples include fraud, embezzlement, insider trading, forgery, bribery, and money laundering; all of which are non-violent crimes committed for financial gain.

Companies can prevent white-collar crime through strong internal controls, KYC/AML compliance, employee screening, transaction monitoring, whistleblower protections, and regular audits.

People commit white-collar crimes primarily for financial gain, exploiting access, authority, and weak controls to benefit personally or professionally.

Yes. Identity theft is considered a white-collar crime because it involves deception, misuse of personal information, and financial manipulation without violence.

White-collar crimes often go unreported because organisations fear reputational damage, financial loss, or legal scrutiny. Many cases also remain unnoticed due to complex fraud schemes, lack of internal controls, and hesitation by employees to report wrongdoing.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

The New UAE AML/CFT Law – Federal Decree Law No. 10 of 2025 Explained

Key Changes in the New UAE AML Law 2025 and Its Impact on Businesses

Last Updated: 12/03/2025

Key Highlights of Core Changes in the New AML/CFT Law 10 of 2025

  • The New UAE AML/CFT Law, i.e. Federal Decree Law No. 10 of 2025, replaces the old AML Law of 2018, introducing stronger enforcement powers, higher penalties, and new criminal categories, such as Proliferation Financing. It came into force on 14 October 2025.
  • Executive Regulations: Cabinet Resolution No. 134 of 2025 (in force from 14 December 2025)
  • Virtual Assets & VASPs are now directly regulated, with strict licensing and reporting, with added checks on cryptographic technologies.
  • Beneficial Ownership, STR filing, sanctions compliance, and risk assessments face significantly higher scrutiny, backed by extended FIU freezing powers.
  • Businesses must upgrade systems, governance, and internal controls immediately to avoid fines up to AED 100 million and potential dissolution.

The New UAE AML/CFT Law: Federal Decree Law No. 10 of 2025 Explained

The UAE’s financial regulatory landscape has entered a new era. The Federal Decree Law No. 10 of 2025, effective from October 14, 2025, marks the most significant overhaul of the country’s Anti-Money Laundering (AML) and Combating Financing of Terrorism (CFT) framework. This new legislation repeals and replaces Federal Law No. 20 of 2018, arriving almost a year after amendments were made through Federal Decree-Law No. 7 of 2024.

The 2025 law doesn’t merely update the 2018 law; it transforms how businesses must operate across the Emirates. While the New AML Law is now in force, the existing Executive Regulations, Resolutions, and Circulars remain applicable until updated Regulations, Resolutions, and Circulars are issued. Accordingly, Cabinet Resolution No. 10 of 2019 will be repealed by Cabinet Resolution No. (134) of 2025 Concerning the Executive Regulations of Federal Decree-Law No. (10) of 2025 Concerning Combating Money Laundering, Terrorist Financing, and the Financing of the Proliferation of Weapons with effect from 14th December 2025.

This means businesses must apply current rules while preparing systems and governance to meet the requirements of the new framework.

What is Federal Decree Law No. 10 of 2025?

In a decisive move to strengthen its position as a trusted global financial hub, the UAE has introduced Federal Decree Law No. 10 of 2025 Regarding Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing. The law goes far beyond cosmetic updates.

It introduces new criminal offences, expands enforcement powers, and imposes penalties that can reach AED 100 million for corporate violations. From the introduction of Proliferation Financing as a distinct crime to explicit regulation of Virtual Assets (VAs) and cryptocurrency transactions, the 2025 law addresses emerging threats in an increasingly digital and interconnected world.

Any business entity handling customer transactions or providing designated services must now meet far more rigorous regulatory obligations. For businesses operating across the Emirates, understanding these changes is essential for maintaining compliance and operational continuity.

This article provides a comprehensive analysis of the Federal Decree Law No. 10 of 2025 Regarding Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation Financing. It shares insights into key changes, examines implications for different stakeholder groups, outlines practical compliance steps, identifies implementation challenges, and offers best practices for navigating this new regulatory environment. For further reading, check a guide to Anti-Money Laundering Laws in the UAE.

Who are the Stakeholders Under the New UAE AML/CFT Law 2025?

The Federal Decree By Law No. 10 of 2025 casts a wide net across the UAE’s business landscape. It provides a clear overview of all stakeholder groups covered under the 2025 Law.

Understanding whether an entity falls under these regulations is crucial for compliance. The law applies to:

Each category carries specific obligations and faces substantial penalties for non-compliance.

Key changes introduced by Federal Decree Law 10 of 2025

The Federal Decree By Law No. 10 of 2025 introduces substantial reforms across multiple dimensions of AML/CFT/CPF enforcement. While some provisions build upon the earlier Federal Decree Law No. 20 of 2018 framework, others represent entirely new territory for UAE businesses.

The following key changes, comprising Proliferation Financing, Direct Regulation of Virtual Assets, Increased Penalties, Extended Freezing Powers, Stricter Beneficial Ownership Requirements, Two-Tier Supervisory Framework, and No Statute of Limitations, constitute the most significant shifts that stakeholders must understand and address.

Proliferation Financing

The most notable addition to the 2025 law is the introduction of ‘Proliferation Financing’ as a distinct criminal offence. This category did not exist in the 2018 legislation and reflects growing international concerns about weapons of mass destruction.

What It Means: This provision criminalises providing funds for weapons of mass destruction, including nuclear, biological, chemical, or radiological weapons.

Penalties: Temporary imprisonment and fines ranging from AED 1 million to AED 10 million, or twice the value of Criminal Property, whichever is greater.

Impact on Business: Businesses involved in international trade, technology transfers, or dual-use goods (civil and military use goods) require enhanced AML/CFT controls to ensure compliance with proliferation financing restrictions.

Direct Regulation of Virtual Assets

Cryptocurrency and digital assets, which were not addressed under the 2018 law, now receive comprehensive and explicit treatment throughout the 2025 legislation. This change addresses the rapid growth of the crypto economy in the UAE.

What Changed:

  • Virtual Asset Service Providers (VASPs) are now defined as Regulated Entities
  • VASPs are explicitly subject to Suspicious Transaction Reporting (STR) requirements
  • Penalties apply to the use of technologies, accounts, or virtual assets that obscure the Source of Funds or the identity of the Beneficial Owner.
  • Virtual assets that enable total anonymity or obstruct tracing are expressly restricted.

Penalties: Promoting or dealing in totally anonymous virtual assets carries a minimum of 3 months' imprisonment and a fine of not less than AED 50,000, or either of these two penalties.

Impact on Business: Crypto exchanges, blockchain service providers, and any allied businesses accepting cryptocurrency payments must now implement the same rigorous AML/CFT compliance as imposed on other Regulated Entities.

Increased Penalties

While the 2018 law imposed significant penalties, the 2025 version raises the stakes, particularly for corporate entities. The potential financial exposure for violations has multiplied several times over.

What Changed:

  • Money Laundering (Individuals):
    • 2018 Law: Up to 10 years imprisonment + fines up to AED 5 million
    • 2025 Law: 1-10 years imprisonment + fines up to AED 5 million OR value of Criminal Property (whichever is greater)
  • Money Laundering with Aggravated Circumstances:
    • Money Laundering committed under aggravating circumstances includes: exploiting position authority, committing through NPOs or organised crime groups, certain serious predicate offences, or recidivism.
    • 2025 Law: Temporary imprisonment + fines AED 1-10 million OR twice the criminal property value (whichever is greater)

  • Legal Entities:
    • 2018 Law: Fines AED 500,000 to AED 50 million
    • 2025 Law: Fines AED 5 million to AED 100 million OR Criminal Property value (whichever is greater)

Impact on Business: A single violation can now cost companies up to AED 100 million, representing a doubling of maximum penalties and creating substantially higher financial risk exposure.

Penalty comparison by Offence Category: 2018 Law (Federal Decree-Law No. 20 of 2018), 2025 Law (Federal Decree-Law No. 10 of 2025), and Analysis

  • Proliferation Financing (PF):
    • 2018 Law: Not explicitly defined or penalised.
    • 2025 Law: Punishable by temporary imprisonment and a fine between AED 1,000,000–10,000,000, or twice the value of the Criminal Property, whichever is greater.
    • Analysis: PF is recognised as a distinct crime with severe penalties, aligning UAE law with FATF standards and addressing Weapons of Mass Destruction (WMD)-related financial risks.
  • Financing of Terrorism (Individuals):
    • 2018 Law: Life imprisonment or temporary imprisonment (≥10 years) and a fine between AED 300,000–10,000,000.
    • 2025 Law: Life imprisonment or temporary imprisonment (≥10 years) and a fine between AED 1,000,000–10,000,000, or twice the value of the Criminal Property.
    • Analysis: The minimum fine increased more than threefold (from AED 300,000 to AED 1,000,000); it introduces asset-value-based fines, strengthening deterrence and recovery of illicit gains.
  • Dealing in Anonymous Virtual Assets:
    • 2018 Law: Not addressed.
    • 2025 Law: Imprisonment (≥3 months) and/or fine ≥AED 50,000 for promoting, offering, or dealing in completely anonymous virtual assets.
    • Analysis: A new and explicit penalty targeting untraceable Virtual Assets, highlighting the 2025 law’s digital-risk focus.
  • Unlicensed Activities (VASPs / DNFBPs):
    • 2018 Law: Generic penalty of AED 10,000–100,000 for violations.
    • 2025 Law: Imprisonment and/or fine between AED 200,000–10,000,000 or either penalty, for (violating Article 20) engaging in financial/VASP/DNFBP activities without a license.
    • Analysis: The 2025 Law introduces a specific and severe penalty for operating without a valid license or registration, reinforcing regulatory control over fintech and VASPs.
  • Tip-Off / Warning (Breach of Confidentiality):
    • 2018 Law: Imprisonment (≥6 months) and/or fine AED 100,000–500,000.
    • 2025 Law: Imprisonment and/or fine ≥AED 50,000.
    • Analysis: The 2025 Law removes the minimum imprisonment period (of 6 months) but maintains the ability to impose imprisonment and a fine while retaining strict confidentiality obligations.
  • Failure to Report / Gross Negligence:
    • 2018 Law: Imprisonment and a fine of AED 100,000 to AED 1,000,000, or either.
    • 2025 Law: Punishment by imprisonment and a fine of not less than AED 100,000 and not exceeding AED 1,000,000, or by either of these two penalties.
    • Analysis: The range remains the same, but the 2025 Law rephrases the minimum penalty to state “not less than” AED 100,000.
  • Violating Targeted Financial Sanctions (TFS) Instructions:
    • 2018 Law: Imprisonment or fine AED 50,000–5,000,000 applied to anyone who violates instructions issued by the Relevant Authority for the implementation of UN Security Council directives.
    • 2025 Law: Imprisonment and/or fine ≥AED 20,000, for violating instructions issued by the Executive Office or other Competent Authority related to Targeted Financial Sanctions.
    • Analysis: While the 2018 law addressed UN sanctions compliance, the 2025 Law sets a new minimum fine of AED 20,000 for violations against the Executive Office’s sanctions instructions, reflecting the new structure.
  • Administrative Fines (Supervisory Authorities):
    • 2018 Law: Fine of AED 50,000–5,000,000 per violation.
    • 2025 Law: Fine of AED 10,000–5,000,000 per violation.
    • Analysis: The minimum administrative fine is drastically reduced (from AED 50,000 to AED 10,000).

Extended Freezing Powers

Enforcement authorities have gained considerably more time and flexibility to freeze suspicious funds and suspend transactions. These expanded powers enable faster action against potential Money Laundering activities while investigations proceed.

What Changed:

  • Transaction Suspension: The Financial Intelligence Unit (FIU) can suspend suspicious transactions for up to 10 working days without court approval.
  • Fund Freezing: The FIU can freeze funds for up to 30 days (increased from 7 days under the 2018 law), with extension provisions available through the Attorney General.
  • Enhanced Authority: Public Prosecution can directly access accounts, computer systems, and communications without prior notice to account holders.

Impact on Business: Businesses face potential 30-day account freezes that could disrupt operations, affect cash flow, and prevent payment of suppliers or employees during investigation periods.

Stricter Beneficial Ownership Requirements

Under the 2025 law, greater emphasis is placed on establishing Beneficial Ownership across corporate and legal arrangements.

What Changed:

  • More detailed and specific definitions of Beneficial Ownership
  • Enhanced obligations for legal arrangements and trusts
  • Specific obligations imposed on nominee directors and shareholders

Penalties: Providing false Beneficial Ownership information now carries imprisonment plus fines starting at AED 20,000.

Impact on Business: Businesses must maintain Beneficial Ownership records, verify ownership chains at multiple levels, and update information regularly as structures change. This may involve additional documentation during customer onboarding to ensure transparency.

Disclosure Requirements for Cash, Precious Metals/Stones, Negotiable Instruments

The Federal Decree Law No. 10 of 2025 introduces cash, precious metals/stones, and negotiable instruments disclosure requirements for individuals entering or departing from the UAE in accordance with the disclosure system issued by the Federal Authority for Identity, Citizenship, Customs, and Port Security in coordination with the Central Bank.

Impact on Business: Businesses must ensure that adequate disclosure is made when their staff carry cash, precious metals/stones, and negotiable instruments while entering or departing from the UAE. The AML/CFT policy and procedures must be amended to reflect this mandatory requirement as the UAE Customs Declaration Form.

Two-Tier Supervisory Framework

The 2025 law restructures how Anti-Money Laundering efforts are coordinated and supervised at the national level. The creation of the following dual oversight bodies reflects a more sophisticated approach to governance and enforcement.

  • Supreme Committee: It provides high-level strategy and supervision, affiliated with the Presidential Court, and is responsible for monitoring the National Strategy
  • National Committee: It handles operational coordination and implementation, chaired by the Central Bank Governor.

Impact on Business: More frequent inspections, higher regulatory expectations, dual reporting lines to both strategic and operational oversight bodies, and increased administrative penalty exposure.

Strengthened International Cooperation

The 2025 law enhances cross-border information sharing and mutual legal assistance, introducing streamlined mechanisms that improve coordination with foreign authorities and reduce barriers to international investigations.

Key Changes:

  • Automatic information exchange with counterpart authorities in other jurisdictions
  • Priority handling requirements for international cooperation requests
  • Simplified mutual legal assistance procedures
  • Foreign confiscation orders are executable without separate national investigations
  • Tax matters no longer constitute grounds for refusing cooperation requests

Impact on Business: Transactions face greater scrutiny from multiple jurisdictions simultaneously. Moreover, information held by UAE entities can be shared more easily with foreign authorities, and cross-border operations require an understanding of multiple jurisdictions’ AML requirements.

No Statute of Limitations (Continued from 2018)

While not a new provision, the continuation of unlimited prosecution timeframes remains one of the most significant features of the UAE’s AML framework. The 2025 law adds Proliferation Financing to the list of crimes with no statute of limitations, whereas the 2018 law only covered Money Laundering and Terrorism Financing.

What It Means: Criminal proceedings for Money Laundering, Terrorism Financing, and Proliferation Financing can be initiated at any time, regardless of how many years have passed since the offence occurred.

Impact on Business: Past violations can be prosecuted indefinitely, creating permanent legal risk. Businesses must maintain compliance records for extended periods, as past transactions remain subject to investigation and prosecution decades later.

Comparative Chart of Changes in Federal Decree Law No. (10) of 2025

To put these developments and key changes into perspective, the following table highlights how core provisions have evolved from Federal Decree Law No. (20) of 2018 to Federal Decree Law No. (10) of 2025. Many of these refinements aim to streamline compliance obligations and enhance alignment with international standards. This comparison helps identify areas where institutions may need to recalibrate their internal processes.

| Feature | 2018 Law (Federal Decree Law No. 20 of 2018) | 2025 Law (Federal Decree Law No. 10 of 2025) | Analysis |
| --- | --- | --- | --- |
| Primary Scope | Focuses on ML, TF, and Financing of Illegal Organisations. | Focuses on ML, TF, and Proliferation Financing (PF). | The 2025 Law introduces PF as a distinct crime and removes the specific term “Financing of Illegal Organisations” (which was present in the 2018 Law). |
| Definitions and Coverage | Includes definitions for ML, TF and Illegal Organisations. | Introduces detailed definitions for Proliferation, Weapons of Mass Destruction (WMD), and Virtual Assets, alongside expanded definitions for ML/TF. | The 2025 Law incorporates modern financial crime concerns, explicitly covering PF and transactions involving Virtual Assets. |
| Treatment of Virtual Assets | No reference to Virtual Assets (VA) or Service Providers. | Explicitly addresses VA, including their use in ML & TF. It also defines and regulates Virtual Asset Service Providers (VASPs). | It modernises the AML scope to include digital currencies and crypto-related activities. |
| Financial Intelligence Unit (FIU) | The FIU is established within the Central Bank of the UAE (CBUAE), chaired by the Governor. | It retains CBUAE structure but affirms FIU’s independence. Now, the FIU is established as an independent unit within the Central Bank (CBUAE). | It emphasises institutional autonomy and operational independence of the FIU. |
| National Coordination Framework | It established the National Committee, chaired by the CBUAE Governor. | It introduces a two-tier structure: a Supreme Committee for the Supervision of the National Strategy for AML, CFT, PF (affiliated with the Presidential Court) and a National Committee, chaired by the Governor. | The 2025 Law creates a two-tiered oversight structure, placing strategic supervision under the Supreme Committee while maintaining the National Committee for policy implementation. |
| FIU Freezing Authority | The Governor or their delegate may freeze suspicious funds up to 7 working days, renewable by the Public Prosecutor. | The FIU Chief may suspend transactions up to 10 days or freeze funds for 30 days. | It extends FIU’s power and timeframe, allowing faster, independent intervention. |
| Money Laundering Penalties (Individuals) | Imprisonment not exceeding 10 years and a fine of AED 100,000 to AED 5,000,000, or either penalty; Aggravated penalty (temporary imprisonment and fine of AED 300,000 to AED 10,000,000) for specific circumstances. | Imprisonment for a term of not less than 1 year and not exceeding 10 years, together with a fine of AED 100,000 to AED 5,000,000, or equivalent Criminal Property value. Aggravated penalty (temporary imprisonment and fine of AED 1,000,000 to AED 10,000,000). | The 2025 Law clarifies the minimum imprisonment term (not less than 1 year) and increases the minimum fine for aggravated offences (from AED 300,000 to AED 1,000,000). |
| Penalties for Legal Persons | Liquidate and close the office, and a fine of AED 500k–50M. | Fine AED 5M–100M or equivalent Criminal Property value. | The maximum fine for a Legal Person conviction is doubled (from AED 50 million to AED 100 million) in the 2025 Law, and the minimum fine is significantly increased (from AED 500,000 to AED 5,000,000), reinforcing corporate liability. |
| Legal Person Conviction for CFT/PF | If convicted of terrorism financing, the Court shall order liquidation and closure of the office premises. | If convicted of Financing of Terrorism or Proliferation Financing, the Court shall order dissolution and closure. | The mandatory dissolution and closure provision now includes PF Convictions. |
| Professional Secrecy Exemption | Exemption for lawyers, notaries, other legal professionals, and independent legal auditors who obtained information subject to professional confidentiality. | Exemption maintained for lawyers, notaries, other legal professionals, or independent legal auditors if information was obtained under circumstances subjecting them to professional secrecy. Maintained with an identical scope. | This core exemption remains largely consistent in both laws, protecting legal professional privilege. |
| Repeal Status | Repealed by Decree-Law No. 10 of 2025. | Repeals the 2018 Decree-Law. | The 2025 Law is the currently effective legal framework, along with existing resolutions, notifications, and circulars to the extent they aren’t repealed. |

Step-by-Step Guide for the Regulated Entities to Comply with the New UAE AML Law 2025

The following step-by-step guide outlines each compliance step required under the New AML Law 2025.

This section provides a clear overview of the entire process—from Securing Licensing, Conducting Risk Assessments, Establishing Internal Policies, Implementing CDD, Ensuring Beneficial Owner Transparency, Applying TFS Forthwith, Reporting Suspicious Transactions, Avoiding Tipping-Off, Meeting VASP-Specific Obligations, and Keeping Records.

Together, these steps highlight the essential actions businesses must take to meet the law’s requirements, strengthen internal controls, and ensure full alignment with regulatory expectations.

Secure Required Licensing/Registration

Before engaging in any Financial Activities, DNFBP, or VASP activities, the natural or legal person must obtain a license, registration, or enrolment from the Competent Authority or the relevant Supervisory Authority.

Violation of this specific licensing requirement carries a potential penalty of imprisonment and a fine of not less than AED 200,000 and not exceeding AED 10,000,000, or either penalty.

Conduct and Maintain Risk Assessment

The next step for the Regulated Entities is to identify, understand, manage, assess, document, and continuously update the risks of financial crimes such as Money Laundering, Financing of Terrorism, and Proliferation Financing, within their business scope. This assessment is grounded in a risk-based approach, and multiple risk dimensions are considered.

  • Assessing how the new risks (Virtual Assets, Proliferation Financing) can affect specific products, services, and customer base.
  • Allocating more resources to scrutinise high-risk areas (e.g., Politically Exposed Persons, Clients from High-Risk Countries, Complex Crypto Transactions).

Moreover, the Risk Assessment study and related information are retained and provided to the Supervisory Authority upon request.

Establish Robust Internal Policies and Controls

The following step for Regulated Entities is to establish internal AML/CFT policies, controls, and procedures that are approved by Senior Management. These controls enable Regulated Entities to manage and mitigate identified risks.

  • These Policies are applied to all branches and subsidiary companies in which the REs own a majority share.
  • These Policies and Procedures are continuously reviewed and updated.

Implement Customer Due Diligence (CDD) and Monitoring

The next step is implementing CDD measures and continuous monitoring procedures for clients. The scope for these measures is determined based on the multiple ML/TF/PF risk dimensions and the outcomes of the National Risk Assessment (NRA). The CDD process usually consists of:

  • Identifying and verifying the information of the Customer and the Beneficial Owner in a legal person (the natural person exercising ultimate effective control over a corporate person).
  • Identifying the nature of the Customer’s business and the purpose of the business relationship.
  • Ensuring not to open or maintain accounts, or conduct transactions, under anonymous, fictitious, alias, or numbered names, or provide services to such accounts.

Ensure Beneficial Owner Transparency

While onboarding corporate clients, the identification of the Ultimate Beneficial Owner ensures transparency and accountability.  

  • Intentionally providing false or misleading information concerning the Beneficial Owner is subject to criminal punishment (imprisonment and a fine of not less than AED 20,000, or either penalty).

Apply Targeted Financial Sanctions (TFS) Forthwith

For Regulated Entities, applying the instructions issued by the Executive Office or any other Competent Authorities concerning Targeted Financial Sanctions is another essential component of an efficient AML/CFT Compliance Program. This includes:

  • Freezing of funds and prohibition of making them available for designated persons/organisations.
  • Filing relevant reports such as Confirmed Name Match Report (CNMR) and Partial Name Match Report (PNMR), as the case may be.

Violation of these instructions is a serious offence, punishable by imprisonment and a fine of not less than AED 20,000, or either penalty.

Report Suspicious Transactions

In case there is a red flag in the transaction pattern or Regulated Entities have reasonable grounds to suspect that the Transaction or Funds are related to the criminal offences of Money Laundering, Financing of Terrorism, and Proliferation Financing, then taking appropriate steps is required. This includes,

It must be noted that confidentiality provisions cannot be invoked to withhold information requested by the Unit. (Note: This obligation does not apply to legal professionals or independent legal auditors if the information was obtained under professional secrecy).

Avoid "Tipping Off"

After taking the necessary steps required by the FIU to file an STR or SAR, Regulated Entities must ensure that the crucial information is not tipped off to the client in question.

Any person who notifies, warns, or discloses information related to Suspicious Transactions under review or investigation (in contravention of confidentiality rules) is subject to punishment with imprisonment and a hefty fine of not less than AED 50,000, or either penalty.

Comply with VASP-Specific Regulations

If the stakeholder is a VASP (defined as a person conducting one or more Virtual Asset activities specified in the Executive Regulations for commercial purposes), then complying with VASP-Specific Regulations (VARA) is required. This includes:

  • Obtaining the required license/registration.
  • Refraining from dealing in, promoting, or offering for sale Virtual Assets characterised by total anonymity or that prevent or obstruct the ability of the Competent Authorities to trace the Transaction or its parties.

Violation of this rule is punishable by imprisonment for a period of not less than three (3) months and a fine of not less than AED 50,000, or either penalty.

Record Keeping

Retaining all records, documents, and data relating to domestic and international transactions, AML/CFT compliance program and measures for the prescribed time is mandatory for Regulated Entities as per the UAE’s AML/CFT Law.

This also ensures their immediate availability to Competent Authorities upon request during regulatory inspections or audits.

Challenges Faced by the Regulated Entities in complying with the legal obligations

While the 2025 law establishes clear compliance requirements, translating these obligations into operational reality presents significant challenges.

This section highlights the most significant hurdles businesses are likely to face under the strengthened AML framework, including Technology Limitations, Cost Burden, Knowledge & Skill Divide, Complex Ownership Structures, Operational Disruption & Impact on Customers. Further, the Cabinet Resolution No. 134 of 2025 will take effect from December 14, 2025, and regulated entities will have to ensure that they follow the regulations. Read our Guide to New Cabinet Resolution No. 134 of 2025 on AML Law No. 10 of 2025.

Technology Limitations

Many businesses rely on legacy systems that cannot support virtual asset monitoring, screening against local and global watchlists, or real-time sanctions updates. Integrating blockchain analytics, tracking cryptocurrency transactions, and identifying complex ownership structures often requires significant technical upgrades.

Cost Burden

Implementing an enhanced AML framework, including technology, training, governance, and dedicated compliance roles, creates substantial financial strain, particularly for smaller DNFBPs and emerging VASPs.

Knowledge & Skill Divide

Many employees lack understanding of new requirements, particularly regarding virtual assets and Proliferation Financing. This increases the risk of misidentifying red flags or applying due diligence inconsistently.

Complex Ownership Structures

Identifying true Beneficial Owners in complex corporate structures with multiple layers, offshore entities, and nominee arrangements remains extremely difficult. Clients often cannot provide complete ownership information, and cross-border chains require verification in multiple jurisdictions, which can further delay onboarding and monitoring.

Operational Disruption & Impact on Customers

Enhanced CDD, STR reporting, and Sanctions Screening can slow onboarding, increase documentation demands, and create friction for legitimate customers. Businesses must balance regulatory expectations with customer experience.

Best Practices for the Stakeholders to Ensure New UAE AML Law 2025 Compliance

While challenges are common, solutions exist. Businesses that approach AML compliance strategically distinguish themselves as market leaders from those merely avoiding penalties.

This section outlines the essential best practices for building effective AML compliance under the 2025 framework. These include adopting a Risk-Based Approach, investing in Quality Technology Adoption, building a Strong Compliance Culture, Maintaining Documentation, and Leveraging Expertise.

Adopt Risk-Based Approach

Regulated Entities must allocate compliance resources based on actual risk levels. This includes conducting ML/FT risk assessments in line with the NRA and SRA, supervisory guidance, and global best practices; categorising customers into risk tiers (low, medium, high) and applying appropriate due diligence levels; and documenting the Risk Assessment methodology and reviewing ratings regularly.

Invest in Quality Technology

Regulated Entities must deploy robust AML technology capable of real-time transaction monitoring, automated sanctions screening, blockchain analytics, and scalable case-management systems that integrate smoothly with existing infrastructure.

Build a Strong Compliance Culture

Regulated Entities must foster a culture where compliance is everyone’s responsibility. This requires visible senior management support, regular staff training & internal audits, clear accountability, open communication, and protected whistleblowing mechanisms to encourage internal reporting.

Maintain Documentation

Regulated Entities must maintain detailed records of all compliance decisions, due diligence, risk assessments, onboarding outcomes, suspicious transaction analyses, training sessions, and audits. Employing standardised templates and securing digital storage helps ensure consistency and accessibility.

Leverage Expertise

Regulated Entities must strengthen their AML frameworks by engaging specialised consultants, legal advisors, and technology experts for compliance program design, gap analysis, independent audits, system optimisation, and staff training development.

Reign Over Regulatory Changes

The New UAE AML/CFT Law of 2025, Federal Decree by Law No. 10 of 2025, significantly strengthens the national compliance framework, introducing new offences, virtual asset regulations, and higher penalties, amongst other things. For businesses, strong AML compliance is essential to protect their reputation and adhere to global best practices.

The message is clear: the cost of compliance is always lower than the cost of violation.

How AML UAE can support your transition to the NEW AML/CFT Law 10 of 2025

AML UAE can help you transition from the old Federal Decree Law No. 20 of 2018 to the new law.

Frequently Asked Questions (FAQs)

What happens to violations committed under the Old Law of 2018?

Violations under the previous AML framework remain prosecutable because the UAE imposes no statute of limitations on ML offences, even after the introduction of the New UAE AML law of 2025.

Risk assessments must be continuously monitored and regularly updated.

The business relationship cannot proceed without identifying Beneficial Ownership.

Yes, but only if they comply with AML/CFT requirements, conduct robust KYC procedures, and ensure traceability of all virtual asset transactions.

Businesses enjoy legal immunity for STRs filed in good faith; liability only applies when reporting is made maliciously or with wrongful intent.

While not explicitly criminalised under the New Law of 2025, failure to train staff could constitute a violation of internal policy obligations.

Yes. Foreign nationals convicted under AML offences may face deportation in addition to other penalties under the 2025 law.

 

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

How to Detect High-risk Customer and Safeguard Your Business

Last Updated: 12/03/2025

Quick Guide: Identifying AML High-Risk Customers

  • High-risk customers are those whose profile, geography or business activity increases the likelihood of Money Laundering or Terrorist Financing (ML/TF).
  • Common high-risk indicators include PEP status, complex ownership structures, unusual transactional patterns, and cash-intensive or high-risk business activities.
  • Such customers require Enhanced Due Diligence (EDD) and ongoing monitoring to understand their source of funds and business purpose.
  • Effective risk classification helps institutions prioritise monitoring and prevent exposure to ML/TF.

Money laundering and terrorism financing are significant threats to the integrity of the global economy. Various countries have implemented regulatory anti-money laundering and combating of financing of terrorism (AML/CFT) frameworks, laying down detailed guidelines around how to detect high-risk customers and safeguard the business.

Similarly, UAE authorities have implemented the AML/CFT regulations covering Financial Institutions, Virtual Assets Service Providers (VASPs), and Designated Non-Financial Businesses and Professions (DNFBPs). The UAE AML regulations mandate the regulated entities to conduct customer risk assessments to detect high-risk customers and apply Enhanced Due Diligence measures. 

This article discusses the aspects to be considered for identifying high-risk customers and potentially suspicious activities and developing robust customer risk assessment frameworks. 

Understanding AML compliance and high-risk customers

Before discussing the identification of high-risk customers, it is essential to understand why AML/CFT compliance is necessary and what customer characteristics would be considered high-risk from a money laundering perspective. 

What is AML compliance?

Money laundering is a global problem adversely impacting the security and stability of society as a whole. In money laundering, financial criminals attempt to hide the source of illegally obtained proceeds and disguise them so that they appear to have been generated from legitimate economic activities. In terrorism financing, the criminal provides financial assistance to propagate terrorist activities.

To fight these vices, there is a need for AML/CFT compliance. AML/CFT compliance is a set of measures implemented to identify and prevent money laundering and terrorism financing activities. The AML/CFT compliance includes developing robust internal policies and procedures to identify and verify the customers and monitor their activities to detect any unusual or suspicious behaviour. 

AML compliance is mandatory for regulated organizations to safeguard their businesses against exploitation by financial criminals, avoid administrative penalties for regulatory non-compliance and ensure the integrity of the business. The failure to comply with AML regulations results in huge fines, legal actions against the business and irreversible damage to the reputation of the organization. 

AML Compliance Requirements

Who are considered high-risk customers under UAE AML regulations?

High-risk customers usually operate in sectors or jurisdictions that pose elevated exposure to financial crime, particularly when they engage in high-risk business activities that increase AML scrutiny. The following would be construed as high-risk customers from an ML/FT perspective:

  • Individuals who are Politically Exposed Persons (PEPs), and individuals or legal persons associated with PEPs. PEPs are persons entrusted with prominent public functions, domestically or in foreign countries, and the Heads of International Organizations. Given a PEP’s access to government funds and power to influence government decisions, they are more susceptible to criminal activities such as corruption and, in turn, money laundering to hide these illegal funds. Close family members and business associates would also be considered PEPs for risk classification of the customer under AML compliance.
  • Individuals or entities hailing from, or closely connected with, high-risk countries. These countries are vulnerable to a high risk of money laundering due to factors like a high rate of corruption, less transparency around business activities and beneficial ownership, weaker AML/CFT measures, and being known to have assisted countries or organizations supporting terrorist activities.
  • Individuals or entities whose behaviour or transactions suggest the presence of ML/FT suspicion. This covers cases where the customer’s behaviour while establishing a business relationship or during customer due diligence suggests a connection with proceeds of crime, or where the transactions executed by the customer are contrary to the customer’s profile.
  • Customers engaged in businesses considered high-risk, or whose business activities are associated with ML/FT typologies. An example is a Virtual Assets Service Provider, where large amounts of fiat currency can be easily converted into cryptocurrencies and transferred across the border without actually disclosing the identity or drawing the attention of the authorities.

Such categories are typically classified as AML high-risk customers because their transactions require enhanced controls and continuous monitoring. This risk-based approach is mandated under Article 19 of Federal Decree-Law No. (10) of 2025, which requires Financial Institutions, VASPs, and DNFBPs to apply Enhanced Due Diligence (EDD) measures to these customers to manage the higher risk and determine whether they are connected with any illegal activities, money laundering or financing of terrorism.

Importance of identifying high-risk customers

Identifying high-risk customers and applying required due diligence measures to mitigate the increased risk are critical aspects of an effective AML program. It helps the regulated organization maintain integrity among the stakeholders and customers, safeguard the business from being involved in money laundering or terrorism funding activities, and stay 100% AML compliant. 

Protecting your business from financial crimes

Directly engaging in money laundering or terrorism financing activities is a federal crime, and indirectly assisting anybody in such activities, knowingly or unknowingly, is also a crime punishable under UAE AML regulations. Regulated organizations, whether Financial Institutions, DNFBPs or VASPs, would be subject to heavy monetary fines and sanctions from the Supervisory Authority if any financial crime is executed through their business.

Hence, regulated organizations need to identify high-risk customers and apply additional verification measures to prevent the misuse of the business by financial criminals and money launderers. 

The regulated organization must use rigorous identity verification checks to detect the customers connected with high-risk parameters like high-risk countries and robust transaction monitoring systems to identify unusual patterns or suspicious customer behaviour. 

Once identified, high-risk customers should be subject to EDD measures, which include obtaining additional information and documents about customer identity, financial position (source of funds and source of wealth), frequent, ongoing monitoring, etc. 

Meeting regulatory requirements and staying compliant

AML regulations in UAE mandate the regulated organization to apply adequate AML measures and stay 100% AML compliant. Non-compliance with AML regulatory requirements by any regulated organization calls for severe actions from the authorities, including imposing hefty administrative fines, imprisonment, restriction on the business activities or even termination of the business license. 

As part of the AML Compliance program, the regulated organization must identify high-risk customers, take adequate mitigation measures, and report to the Financial Intelligence Unit (FIU) to remain AML compliant and avoid non-compliance penalties. 

The regulated organizations must adhere to the UAE’s AML Federal Law, implementing Cabinet Decision and supplementary guidelines issued by the relevant Supervisory Authority. These regulations require the Financial Institutions, DNFBPs and the VASPs to implement AML compliance programs to identify and report suspicious activity. One of the critical aspects of the AML compliance framework is identifying high-risk customers. 

Maintaining a solid reputation and business integrity

Regulated organizations need to protect their reputation and integrity to survive in the economy and maintain customer trust. The involvement of a regulated organization in a money laundering scheme or any other financial crime irreversibly damages its reputation amongst its stakeholders and customers. Identifying high-risk customers can help detect and prevent such potential involvement in financial crime.

Conversely, implementing a strong AML culture in the organization and demonstrating a commitment towards AML compliance enhances the organization’s reputation in the market. These AML measures could include comprehensive AML policies and procedures, an adequate customer due diligence process, imparting AML training to employees, etc. Customers and other stakeholders are more inclined towards working with businesses compliant with the regulatory framework.

Identifying high-risk customers is critical for regulated organizations to protect themselves from getting inadvertently involved in financial crimes, stay compliant with regulatory requirements, and avoid any reputational damage. By implementing effective AML compliance programs, regulated organizations can detect suspicious elements posing higher ML/FT risks and prevent money laundering activities from occurring through their businesses. 

Customer Risk Assessment and adequate Customer Due Diligence

It is pertinent to design and implement a robust customer risk assessment procedure and apply adequate Customer Due Diligence (CDD) measures to identify high-risk customers who expose the business to increased ML/FT risks. This part of AML compliance involves identifying the customers and their Ultimate Beneficial Owners (UBOs) and verifying the customer identity and other information to create the customer’s risk profile and identify any suspicion.

Key factors for Customer Risk Assessment under AML regulations

Developing a risk assessment framework

It is essential to assess the risk of each customer the organization is dealing with. The customer risk assessment procedure is about obtaining customers’ identification information, like name, nationality, business activities, etc., to determine the ML/FT risk they bring.

The factors to be considered while determining the customer risk are the nature of the customer, its business activities, the geography of the customers, the nature and purpose of the business relationship, transactional parameters – value, mode of payment, etc. Customers involved in opaque or cash-heavy sectors also trigger high risk AML indicators due to the greater potential for concealment or misuse of funds.

By developing a comprehensive customer risk assessment framework, regulated organizations can adopt a risk-based approach and prioritize the customer due diligence measures depending on the risk associated with the customers. The regulated organisation can design and implement adequate risk mitigation measures by evaluating the specific ML/FT risks associated with the customers. 

Performing appropriate Customer Due Diligence

Customer Due Diligence (CDD) measures involve:

  • Identifying the customer and verifying the customer’s identity using reliable, independent sources, including the customer’s valid identification documents 
  • Conducting screening against the sanctions and adverse media to check customer’s background and reputation  
  • Performing customer risk assessment, based on the customer’s profile and the transactional parameters, to identify the ML/FT risk the customer is posing to the business. 

The regulated organizations must design a strong CDD program, including policies, procedures, and controls. The organizations may also deploy AML software to perform CDD, such as using Artificial Intelligence or Machine Learning to screen the customers or create customer risk profiles, evaluating the customer’s identification data and documents.  

The AML software can help regulated organizations to identify suspicious activities timely and immediately report the same to the authorities, reducing false positive matches. 

The Customer Due Diligence process is incomplete without ongoing monitoring of the customer’s profile to identify changes in customer identification information, and ongoing transaction monitoring to determine whether the customer’s behaviour is in sync with the originally assessed risk or whether the customer’s risk level needs to be re-evaluated.

Understand the types of CDD measures to effectively mitigate the ML-FT risks 

Enhanced Due Diligence for high-risk customers

Application of Enhanced Due Diligence (EDD) is mandatory for customers identified as high-risk. The EDD is an extension of the CDD process, requiring the regulated organizations to apply additional checks and verification measures to evaluate the customer’s identity (including the beneficial owners and the controlling parties), their financial position, the purpose of the transaction, etc.  

EDD involves obtaining information about the customer’s and Ultimate Beneficial Owners’ source of funds and wealth and determining its legitimacy. Further, UAE AML regulations mandate the regulated organizations to ensure that the first payment towards their product or services is received from the customer’s bank account in a bank subject to similar CDD measures. Customers and transactions with high-risk customers are to be subjected to increased ongoing monitoring to assess and detect any unusual patterns or suspicious activities. 

No business relationship can be established or a transaction be executed with a high-risk customer without the approval of the regulated organization’s senior management. 

For example, suppose a customer is associated with a high-risk country. In that case, the regulated organization must apply rigorous verification measures and implement EDD to manage the increased ML/FT risk associated with a customer hailing from a high-risk country. 

Enhanced Due Diligence measures under UAE AML Regulations

Red Flags and potential risk indicators of high-risk customers

Detecting the ML/FT red flags and risk indicators is essential to determining the risk associated with a customer and classifying them as high-risk customers. Here are a few examples of ML/FT red flags that can suggest the involvement of proceeds of crime, money laundering or terrorism financing activities: 

Unusual transaction patterns

Transactions inconsistent with a customer’s profile or nature of business activities, unusually large, or series of transactions over a short period can indicate money laundering activities. Additionally, transactions involving unnecessary intermediaries or multiple jurisdictions can raise red flags. 

For example, if a customer with a fixed monthly income starts making large value transactions frequently, contrary to its annual income, it indicates suspicion around the source of funds.  

Incomplete, fake or inconsistent information

Customers who provide incomplete, incorrect or inconsistent information are red flags, suggesting the customer attempts to hide their identity or disguise the purpose of the transaction. The regulated organizations should be cautious while verifying the customer’s identity and establishing its risk profile to determine the legitimacy of the identification information and validity of the identity documents. 

E.g., a customer providing a different address every time they interact, or multiple customers using the same contact number/email ID, suggests a potential money laundering activity involving multiple parties across different jurisdictions. Similarly, if the customer’s identification documents prove to be forged upon verification, it is a red flag indicating potential involvement in financial crime activities and hence the need to mislead the identification.

High-risk occupations or connection with high-risk business segments

Customers with high-risk business activities, such as gambling, real estate, and precious metals, prone to higher exploitation by money launderers, require enhanced verification measures.

E.g., if a customer engaged in a real estate brokerage business insists on cash payment, it could be considered a potential risk indicator suggesting money laundering activities.

Geographical risk factors

Customers located in or closely connected with high-risk countries, such as those with no or weaker AML regulations, terrorist activity, or a high rate of corruption, should also be considered high-risk for the purpose of applying AML/CFT measures.

E.g., a customer from a country mentioned in the FATF’s grey list of countries subject to increased monitoring is to be considered for enhanced customer due diligence measures.

Identifying the potential risk indicators helps the regulated organization proactively detect high-risk customers and apply adequate measures to manage the increased ML/FT risk, stay compliant, and avoid non-compliance penalties.

These examples of high-risk customers reflect profiles that regulators closely monitor due to their vulnerability to misuse.

How to Detect High-risk Customer

With AML UAE’s expertise, manage your increased ML/FT risk posed by high-risk customers

Identifying high-risk customers and deploying mitigative measures is crucial for regulated organizations to manage regulatory compliance, safeguard the business from ML/FT vulnerabilities and avoid reputational damage.  

AML UAE is an AML Consultancy service provider that offers end-to-end support in your AML compliance journey. We help clients conduct the overall Enterprise-Wide Risk assessment and design the tailor-made AML compliance framework, including controls and procedures to identify high-risk customers and enlist the potential risk indicator and red flags relevant to the business activities. We assist clients in effectively implementing the AML framework by imparting comprehensive AML training to the client’s AML/CFT Compliance Officer and the compliance team. 

Stay safe, Stay compliant! 

FAQs on High-risk customers

Who are high-risk customers?

High-risk customers are individuals or entities whose profiles, activities, or jurisdictions expose a business to greater AML/CFT risks compared to regular customers.

High-risk customers can be identified through risk indicators like unusual transaction patterns, high-risk geographies, complex ownership structures, or engagement in high-risk business activities.

To assess a high-risk customer, businesses must obtain additional information and supporting documents that clarify the customer’s identity, ownership, business activity, and transaction purpose, as required under EDD.

Personal lifestyle preferences or unrelated demographic details are not considered in AML risk classification, as risk assessment focuses on financial behaviour, ownership, transactional patterns, business activities and geography.

Make significant progress in your fight against financial crimes,

With the best consulting support from AML UAE.


About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.


Guide to New Cabinet Resolution No. 134 of 2025 on AML Law No. 10 of 2025


Cabinet Resolution No. (134) of 2025: At a glance

  • Cabinet Resolution No. (134) of 2025 to take effect from December 14, 2025 and it will repeal the Cabinet Resolution No. (10) of 2019
  • The scope expands from AML/CFT to include Proliferation Financing (PF) explicitly across all sectors impacted by the resolution
  • Gaming Operators are now included in the definition of DNFBPs, reporting threshold being AED 11,000
  • The authority, powers, and scope of the UAE FIU increased to include PF risks and the expansion of Freezing and Suspension powers
  • Scope expansion of risks that VASPs must mitigate, increased regulatory scrutiny, and detailed requirements for Virtual Asset Transfers.

The Shift from Cabinet Resolution No. 10 of 2019 to Cabinet Resolution No. 134 of 2025

Starting from December 14, 2025, the Cabinet Resolution No. (134) of 2025 Concerning the Executive Regulations of Federal Decree-Law No. (10) of 2025 Concerning Combating Money Laundering, Terrorist Financing, and the Financing of the Proliferation of Weapons repeals the Cabinet Resolution No. (10) of 2019 and brings forth sweeping changes to the anti-financial crime framework in UAE.

The primary legislative shift is the replacement of the words “Combating the Financing of Illegal Organisations” with the explicit obligations to combat and mitigate the Financing of the Proliferation of Weapons (PF).

This requires all Regulated Entities, i.e., Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) to identify, assess, and mitigate PF risks in their AML/CFT compliance framework.

The scope of the resolution is expanded to include Commercial Gaming Operators as the newly introduced category of DNFBPs, subject to AML/CFT and CPF compliance obligations.

VASPs face increased scrutiny and obligations pertaining to wire transfer rules requiring retention of accurate information of originators and beneficiaries according to the “Travel Rule”.

Additionally, the UAE FIU’s powers have significantly increased in the context of freezing of suspicious funds, and new definitions for roles such as Nominee Director and Nominee Shareholder have been included to facilitate beneficial owner (UBO) identification.

Read our comprehensive guide to Anti-Money Laundering (AML) laws in the UAE for a more detailed understanding.

Major Scope Expansions: Proliferation Financing and New Sectors

The 2025 cabinet resolution fundamentally restructures the regulatory landscape by focusing on three major areas, namely: the inclusion of PF, the introduction of the commercial gaming sector into DNFBPs’ definition and the deep integration of AML/CFT and CPF obligations for VASPs.

Integration of Proliferation Financing (PF)

The new resolution explicitly mandates the inclusion of Proliferation Financing risk mitigation for all sectors, requiring Regulated Entities to include PF in their:

  • Risk Assessment: Regulated Entities must now identify, assess, and implement control measures to mitigate PF risks to their business through Enterprise-Wide Risk Assessment (EWRA).
  • TFS Measures: Conduct a rigorous review of business relationships to ensure non-violation of Targeted Financial Sanctions (TFS) requirements by detecting and preventing potential TFS violations by identifying PF risks and mitigating them in a timely manner. Regulated Entities must specifically screen business relationships against PF risks.
  • AML Compliance Officer Responsibilities: Must include reviewing internal policies and procedures’ efficacy in the context of mitigating PF risks effectively.

The New "Commercial Gaming" Sector

The Commercial Gaming Sector, which includes Commercial Games and Gaming Operators, is formally recognised and defined as a DNFBP category under the new resolution. The AML/CFT and CPF obligations for Gaming Operators are triggered when the threshold of 11,000 (eleven thousand) AED is crossed, either through a single transaction or a series of transactions.

Deep Integration of VASPs

The new 2025 resolution solidifies the role of VASPs and enforces detailed operational requirements, which were previously only imposed on traditional FIs. Some of these expanded obligations upon VASPs include compliance with the wire transfer obligations set out in Articles 26 to 33, as specified under Article 36 of the 2025 resolution. These requirements include:

  • Originator VASP Obligations
  • Beneficiary VASP Obligations
  • TFS Obligations as applicable to FIs
  • Record-keeping obligations as applicable to FIs.

Operational Impact: Changes to the Core AML Obligations

The operational steps for AML/CFT and CPF compliance remain the same, while the intensity or depth of scrutiny required varies according to the 2025 resolution. The obligations can be divided into four major categories: Governance and Risk Management, Customer Onboarding and Due Diligence, Transaction Monitoring and Regulatory Reporting, and Data Maintenance and Record Keeping.

The Executive Regulations of Federal Decree Law No. (10) of 2025 (Cabinet Resolution No. 134 of 2025), while remaining fundamentally and structurally consistent with repealed legislation, do expand or enhance the scope of earlier provisions, making their compliance an unavoidable obligation upon Regulated Entities.

Governance and Risk Management

The goAML Registration and Reporting methodology remains consistent, while the roles and responsibilities of Senior Management are expanded in terms of having to approve internal policies and controls and approve high-risk business relationships (specifically including PF risk emanating from a business relationship). The Compliance Officer must review the internal AML, CFT and CPF Compliance Framework to manage and mitigate identified PF risks. REs are also required to assess ML, FT and PF risks arising from the introduction of new products, professional services, or technologies prior to their implementation.

Customer Onboarding and Due Diligence

DNFBPs, whose scope is now broadened to include Gaming Operators, must implement and continue the CDD obligations prescribed under the legislation, ensuring that the screening obligations, customer risk profiling, and risk-based due diligence measures are implemented while considering the PF risks posed by customers to the business. In simple words, the customer onboarding and due diligence process must be risk-based and recalibrated to include the PF risks faced by the business. The UBO identification process is sharpened with definitions clarifying the position of Nominee Shareholders and Nominee Directors, who cannot be deemed as UBOs.

Transaction Monitoring and Reporting

The monitoring of Business Relationships obligations remains consistent; however, VASPs must now comply with Wire Transfer Obligations for obtaining and retaining originator and beneficiary information. All Regulated Entities must continue to file STRs/SARs with FIU immediately without delay, regardless of transaction value.

Data Maintenance and Record Keeping

The mandatory record retention period of 5 (five) years remains the same. Regulated Entities are obligated to update essential information, including the beneficial ownership database, within 15 (fifteen) working days of any change identified. All records must be accessible and retrievable for tracing the legitimacy of transactions.

Operational Impact of Cabinet Resolution No. (134) of 2025 to the 12 Core AML Obligations

| AML/CFT Compliance Obligations | Comparative Analysis of Cabinet Resolution No. (134) of 2025 vs. Cabinet Resolution No. (10) of 2019 | Action Required by Regulated Entities, including Gaming Operators, as a newly introduced category of DNFBPs |
| --- | --- | --- |
| Governance and Risk Management | | |
| 1. Reporting System (goAML) | Consistent | Regulated Entities can continue relying on the goAML portal |
| 2. Appointing Compliance Officer | Expanded Scope | The Compliance Officer must review the AML Framework of the Regulated Entity for effective mitigation of Proliferation Financing (PF) risks |
| 3. Enterprise-Wide Risk Assessment | Expanded Scope | Regulated Entities must factor in the PF risks to which their business is exposed while conducting and revising EWRA |
| 4. Internal Policies & Controls | Expanded Scope | RE’s AML Policies must consider PF red-flags, typologies, and control measures to identify, assess and mitigate PF risks |
| Customer Onboarding and Due Diligence | | |
| 5. CDD Process | Consistent | The CDD Process remains largely consistent. |
| 6. Name Screening (TFS Compliance) | Enhanced | Screening of business relationships to identify PF risks is now mandatory, including the identification of foreign PEP and TFS compliance |
| 7. Customer Risk Profiling | Expanded Factors | RE’s customer Risk profiling must take into account the PF risks a customer may pose (for instance, involvement of dual-use goods traders, high-risk jurisdictions for weapons) |
| 8. Risk-Based Due Diligence | Refined | In the case of high-risk customers, Enhanced Due Diligence (EDD) for PF risk clients is now mandatory. While for low-risk customers, Simplified Due Diligence (SDD) is allowed when no suspicion of crime |
| Transaction Monitoring and Reporting | | |
| 9. Ongoing Monitoring | Consistent | Ongoing Monitoring Obligations remain consistent |
| 10. Suspicious Transaction Reporting | Strict | REs are required to report to the UAE Unit (FIU) immediately. The FIU Head has the power to order a 10-day suspension |
| Data Maintenance and Record Keeping | | |
| 11. Updating Customer Info | Time-Bound | Regulated Entities are required to update Beneficial Owner/Nominee info within 15 working days |
| 12. Record Keeping | Consistent | Record-Keeping Obligations Remain consistent |

Critical Updates to Definitions

The following definitions have been introduced in the 2025 resolution to reflect the enhanced scope of the law and improve transparency:

  • Commercial Gaming
  • Commercial Gaming Operators
  • Nominee Shareholder
  • Nominee Director

Key Takeaways for UAE Business Owners

To ensure compliance with Cabinet Resolution No. (134) of 2025 and Federal Decree Law No. (10) of 2025, Regulated Entities in UAE, including DNFBPs, VASPs, FIs, and Gaming Operators, need to:

  1. Develop/Update EWRA to include PF risk oversight
  2. Develop/Update AML/CFT/CPF Policy and Procedures
  3. Develop/Update CDD measures to include PF risk oversight
  4. Develop/Update Customer Risk Assessment Methodology in line with the new regulations
  5. Expand the Compliance Officer Job Description to include PF oversight
  6. Identify Nominee Directors and Shareholders to exclude them from UBO categorisation
  7. Impart training on the updated AML/CFT policy and procedures

How can AML UAE help you navigate this regulatory change?

AML UAE can help conduct EWRA, draft updated AML/CFT policies and procedures, impart training, update KYC/CDD forms and procedures, update customer risk assessment methodology, and more.

FAQs on the Cabinet Resolution No. 134 of 2025

What is Cabinet Resolution No. 134 of 2025?

The new Cabinet Resolution No. 134 of 2025 on AML Law No. 10 of 2025 provides the detailed implementing rules that financial institutions, DNFBPs, and VASPs must apply. 

Starting from December 14, 2025, the Cabinet Resolution No. (134) of 2025 Concerning the Executive Regulations of Federal Decree-Law No. (10) of 2025 Concerning Combating Money Laundering, Terrorist Financing, and the Financing of the Proliferation of Weapons comes into effect.

Federal Decree-Law No. (10) of 2025 Concerning Combating Money Laundering, Terrorist Financing, and the Financing of the Proliferation of Weapons is the new law which repealed the Federal Decree Law No. (20) of 2018. The new Cabinet Resolution No. 134 of 2025 on AML Law No. 10 of 2025 provides the detailed implementing rules that financial institutions, DNFBPs, and VASPs must apply and it repeals the Cabinet Resolution No. (10) of 2019. The new Cabinet Resolution no. 134 of 2025 will come into force with effect from December 14, 2025.

Yes, the new Cabinet Resolution No. 134 of 2025 replaces the Cabinet Decision No. 10 of 2019 and its amendments.

The new Executive Regulations apply to:

  1. Financial institutions
  2. Virtual asset service providers
  3. DNFBPs including lotteries and commercial gaming sector

The regulated entities should take the following steps to comply with the requirements of Cabinet Resolution No. 134 of 2025:

  1. Study the Cabinet Resolution No. 134 of 2025 thoroughly
  2. Analyse the new resolution’s impact on the EWRA and AML/CFT policy and procedures
  3. Update EWRA
  4. Update AML/CFT policy and procedures
  5. Update customer risk assessment methodology
  6. Conduct training on the updated policy and procedures
  7. Document the change and maintain version history

Our Timely and Accurate AML consulting Services

For your smooth journey towards your goals


Updated list of FATF high-risk countries and countries under increased monitoring: 24th October 2025


FATF List of High Risk Countries

In the latest plenary, which concluded on 24th October 2025, South Africa, Nigeria, Mozambique, and Burkina Faso were removed from the Grey List. The FATF Grey List is also known as the Jurisdiction under Increased Monitoring list. This list includes countries that are actively working with the FATF to address strategic deficiencies in their regimes to counter money laundering, terrorist financing, and proliferation financing. 

The FATF, an international body that establishes intercontinental standards to combat money laundering, counter terrorism financing and combat the financing of proliferation of weapons of mass destruction, updates the list of jurisdictions under increased monitoring thrice annually.

List of Jurisdictions under Increased Monitoring (Grey List) as of 24th October 2025

  1. Algeria
  2. Angola
  3. Bolivia
  4. Bulgaria
  5. Cameroon
  6. Côte d’Ivoire
  7. Democratic Republic of Congo
  8. Haiti
  9. Kenya
  10. Laos
  11. Lebanon
  12. Monaco
  13. Namibia
  14. Nepal
  15. South Sudan
  16. Syria
  17. Venezuela
  18. Vietnam
  19. Virgin Islands (UK)
  20. Yemen

FATF Grey List and Blacklist Update History:

| Date | Countries Added | Countries Removed | Countries in grey list |
| --- | --- | --- | --- |
| 25th October 2024 | Angola, Algeria, Côte d’Ivoire, Lebanon | Senegal | Angola, Algeria, Bulgaria, Burkina Faso, Cameroon, Côte d’Ivoire, Croatia, Democratic Republic of the Congo, Haiti, Kenya, Lebanon, Mali, Monaco, Mozambique, Namibia, Nigeria, Philippines, South Africa, South Sudan, Syria, Tanzania, Venezuela, Vietnam, Yemen |
| 28th June 2024 | Monaco, Venezuela | Jamaica, Türkiye | Bulgaria, Burkina Faso, Cameroon, Croatia, Democratic Republic of the Congo, Haiti, Kenya, Mali, Monaco, Mozambique, Namibia, Nigeria, Philippines, Senegal, South Africa, South Sudan, Syria, Tanzania, Venezuela, Vietnam, Yemen |
| 23rd February 2024 | Kenya, Namibia | Barbados, Gibraltar, Uganda, United Arab Emirates | Bulgaria, Burkina Faso, Cameroon, Democratic Republic of the Congo, Croatia, Haiti, Jamaica, Kenya, Mali, Mozambique, Namibia, Nigeria, Philippines, Senegal, South Africa, South Sudan, Syria, Tanzania, Türkiye, Vietnam, Yemen |

Jurisdictions under Increased Monitoring - Grey List

This list publicly recognizes jurisdictions that have committed to, or are actively working with, the FATF to resolve strategic deficiencies in their anti-money laundering, combatting of terrorism financing as well as combatting of proliferation financing (AML/CFT/CPF) regimes within agreed timelines. This list is commonly known as the “grey list.”

Let AML UAE Handle the Complexities of FATF Updates

Get specialised solutions for modifying your AML/CFT Policy, Controls and Procedures

FATF Grey List and Blacklist Update History:

In the latest plenary, which concluded on 24th October 2025, South Africa, Nigeria, Mozambique and Burkina Faso were removed from the Financial Action Task Force (FATF) Grey List.

In the plenary that concluded on 13th June 2025, Croatia, Mali, and Tanzania were removed from the Financial Action Task Force (FATF) Grey List, and:

  • Bolivia
  • the Virgin Islands (UK)

were added to the Grey List.

In the plenary that concluded on 21st February 2025, the Philippines was removed from the Financial Action Task Force (FATF) Grey List, and:

  • Lao PDR
  • Nepal

were added to the Grey List.

In the plenary that concluded on 25th October 2024, Senegal was removed from the Financial Action Task Force (FATF) Grey List, and: 

  • Angola
  • Algeria
  • Côte d’Ivoire
  • Lebanon

were added to the Grey List.

In the plenary that concluded on 28th June 2024, Jamaica and Türkiye were removed from the FATF Grey List and:

  • Monaco
  • Venezuela

were added to the Grey List.

In its plenary, which concluded on 23rd February 2024, the FATF removed UAE, Barbados, Gibraltar, and Uganda from the Grey List, whereas:

  • Kenya
  • Namibia

were added to the Grey List.

In October 2023, the following countries were removed: Albania, Cayman Islands, Jordan, and Panama, and:

  • Bulgaria

was added to the Grey List.

The FATF established two statements as part of its listing and monitoring procedures to assure consistency with its international standards.

To learn more about the difference between FATF-blacklisted countries and greylisted countries: Checkout What are FATF Blacklist and Grey list countries? 

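| No. | Country | No. | Country |
| --- | --- | --- | --- |
| 1 | Bulgaria | 12 | Nigeria |
| 2 | Burkina Faso | 13 | Philippines |
| 3 | Cameroon | 14 | Senegal |
| 4 | Croatia | 15 | South Africa |
| 5 | Democratic Republic of the Congo | 16 | South Sudan |
| 6 | Haiti | 17 | Syria |
| 7 | Kenya | 18 | Tanzania |
| 8 | Mali | 19 | Venezuela |
| 9 | Monaco | 20 | Vietnam |
| 10 | Mozambique | 21 | Yemen |
| 11 | Namibia | | |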

Need Your Enterprise-Wide Risk Assessment Updated as per the FATF updates?

We’ve got you covered with our years of experience and qualified experts

High-Risk Countries Subject to a Call for Action - FATF Blacklist

FATF categorises certain countries as “Blacklist” countries. This “Blacklist” publicly identifies jurisdictions with substantial strategic weaknesses in their AML/CFT/CPF regimes and calls on all FATF members to conduct enhanced due diligence and, in the most severe cases, implement countermeasures to protect the international financial system from the money laundering, funding of terrorism and proliferation risks posed by the identified nations. This list is commonly referred to as the “Blacklist.”

Recently, the FATF has added Myanmar to this list of High-Risk countries subject to a Call for Action. Accordingly, with effect from 21st October 2022, the FATF “Blacklist” stands as under:

  • Iran and the Democratic People’s Republic of Korea (subject to FATF call on its members/jurisdictions to apply countermeasures),  
  • Myanmar (subject to FATF call on its members/jurisdictions to apply enhanced due diligence measures proportionate to the risks arising from Myanmar). 

AML Compliance pertaining to grey-listed and blacklisted countries

All Financial Institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs) are required to have appropriate risk-based AML/CFT protections in place to limit the potential of money laundering and terror financing posed by countries subject to increased monitoring or listed as high-risk jurisdictions subject to a “Call for Action” by FATF.

As a result, FI and DNFBPs must screen customers against the FATF Jurisdictions under Increased Monitoring and High-Risk Jurisdictions Subject to a Call for Action while onboarding and continuously monitor their transactions throughout their business relationship. DNFBPs should ensure that their customer due diligence measures verify their customer’s residence in, or business with, listed countries and that their transaction monitoring measures can examine the size, frequency, and pattern of transactions involving high-risk countries to determine the possibility of occurrence of financial crimes such as money laundering. 

FIs and DNFBPs must file suspicious transaction/activity reports (STR/SAR) to the Financial Intelligence Unit (FIU) when red flags are observed so that enforcement actions can be conducted.  

Further, FIs and DNFBPs are obligated to report any transaction or activity with high-risk countries subject to a “Call for Action” to the FIU by filing a High-Risk Country Transaction Report or High-Risk Country Activity Report (HRC/HRCA), as the case may be.

Role of AML UAE

AML UAE is a leading AML compliance services provider in UAE. We help you with fulfilling all the requirements for AML and CFT in UAE. Our spectrum of AML compliance services is not restricted to national boundaries, but we also make sure that you comply with the global regulations of AML.

We can help you with:

  • Creating firm-specific AML policies, procedures, internal controls, best practices, and guidelines for your smooth business operations
  • Setting up an expert AML compliance department for your firm that can handle all AML-related activities
  • Selecting the most effective and appropriate AML software for your business needs to ensure AML compliance
  • Helping you in filing and submitting annual AML/CFT risk assessment reports with the UAE government
  • Conducting training for your employees in handling KYC, screening, risk profiling, CDD, EDD, and filing of STRs

High-Risk Countries - FAQs

What is the significance of the FATF?

Through its position in setting global standards to combat terrorist financing, assisting jurisdictions in implementing financial provisions of United Nations Security Council resolutions on terrorism, and evaluating countries’ ability to prevent, detect, investigate, and prosecute terrorist financing, the FATF plays a critical role in global efforts to combat terrorism financing. Despite this, several nations have yet to apply the FATF Standards fully. They are unaware of the nature of the TF threats they face and lack adequate counter-measures.

When a regime is put on the Grey List by the FATF, it means the country is actively working with FATF to fight against money laundering and other risks. It means the government is taking active measures to identify the deficiencies in its regulatory structure and correct them within the agreed timelines.  

FATF Blacklist features the high-risk jurisdictions subject to a Call for Action. As per the FATF October 2022 plenary report, the Democratic People’s Republic of Korea, Myanmar and Iran feature in the FATF Blacklist.  

A member of the FATF may impose economic sanctions on a country on the blacklist. North Korea, Iran and Myanmar, for example, are all on the FATF Blacklist. As a result, sanctions against North Korea, Iran and Myanmar are possible.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

A Comprehensive Guide to AML Customer Risk Assessment for DNFBPs in UAE

As per UAE AML regulations and to cope with the ever-evolving financial landscape, the regulated entities – Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) – are required to conduct Customer Risk Assessments. The Customer Risk Assessment is a critical AML measure focused on identifying the money laundering or financing of terrorism (ML/FT) risk posed by each customer.

In this article, we will discuss the significance of performing customer risk assessment for DNFBPs in UAE and the best practices to conduct the same to manage the risk and stay compliant with the UAE AML regulations.

Key factors for Customer Risk Assessment under AML regulations

Understanding the Importance of Customer Risk Assessment

UAE has introduced AML/CFT regulations, providing guidelines for regulated organizations to implement AML compliance programs and combat financial crimes like money laundering and terrorism financing. One of the AML measures provided under the UAE AML laws is the Customer Due Diligence (CDD) process.

CDD is a set of comprehensive measures to be applied while onboarding a customer. It includes Know Your Customer (KYC), aimed at identifying the customers and verifying their identity, including the Ultimate Beneficial Owners (UBOs). The name screening of the customers and UBOs also forms part of the CDD process. Additionally, the Customer Due Diligence measures also include customer risk assessment.

What is Customer Risk Assessment under AML Compliance Program?

Customer Risk Assessment plays a pivotal role in the AML program, as it assists in adopting the risk-based approach to deploy resources and optimally manage financial crime risks. It involves assessing the potential ML/FT risk the customer is expected to pose to the business, i.e., creating the customer risk profile or conducting the risk assessment. It is an essential element of a risk-based approach and regulatory requirement. FATF Recommendation 10 also advocates the importance of customer risk assessment.

By assessing the risk associated with customers, regulated organisations can determine the level of procedures to be performed and the controls to be applied to manage risk effectively.

The customer risk assessment is primarily based on customer identification information, the nature of business activities, the geographies they are associated with, the purpose of the business relationship, the expected transactions, the actual transaction pattern, etc. Evaluating the risk on the basis of these factors, along with other relevant risk parameters, assists the business in determining the level of customer risk and accordingly deploying adequate AML measures.

Why is Customer Risk Assessment a significant part of the AML Compliance Program?

As an outcome of the Customer Risk Assessment, the customer’s risk profile is created and classified as either high, medium, or low risk for the business. It assists businesses in determining the level of due diligence measures to be applied. For example, enhanced due diligence measures are applied to manage the increased risk for customers categorized as posing a high risk to the business. The businesses may adopt simplified verification measures for customers with low ML/FT risk. Thus, it helps organizations apply the risk-based approach in its true sense and use resources optimally, with smooth customer onboarding in line with the risk profile.

It serves as the foundation to build the ongoing monitoring program to identify any unusual patterns or suspicious activities, allowing the businesses to prioritize the monitoring efforts toward high-risk customers.

Moreover, the customer’s information and the activity profile keep evolving over time; thus, it is pertinent to ensure the customer’s risk assessment is updated to identify the level of risk associated with the customer and ensure appropriate mitigation measures are applied.

With a comprehensive customer risk assessment process, businesses can protect themselves from being exploited by financial criminals and ensure compliance with the AML regulatory landscape of the country.

How to conduct Customer Risk Assessment (CRA)?

Adopting the following steps will enhance the effectiveness of the Customer Risk Assessment:

Identifying and evaluating the risk factors

The first step in CRA is identifying the risk factors that expose the business to ML/FT vulnerabilities. These risk factors can include the following:

  • nature of the customer
  • customer’s country of residence, business, nationality, and birth
  • occupation and employer details of the customer
  • nature of the proposed transaction
  • transactional parameters like nature of product, services
  • mode of payment
  • person’s background (adverse media, connection with sanctioned persons, or past incidence of reporting suspicious transactions)
  • customer’s source of funds and wealth

For example, a customer working in an industry connected with ML/FT typologies, such as precious metals and stones or real estate, is treated as a high-risk customer. Further, a customer whose proposed payment mode is cash or virtual assets without any business rationale may trigger a suspicion warranting classification of the customer as high-risk.

A customer associated with a country on the FATF Grey List, or with a jurisdiction notorious for a higher risk of money laundering, poses a higher risk to the business than a customer associated with a jurisdiction that has strong AML regulations.

The comprehensive and combined evaluation of these factors helps the business determine the risk associated with each customer and create its risk profile.

The evaluation of the risk factors helps identify the inherent ML/FT risk the customer poses and the level of AML/CFT measures required to mitigate this inherent risk. For instance, regulated organizations must perform additional verification checks and obtain documents for high-risk customers to establish the legitimacy of the customer’s source of funds and wealth. Moreover, senior management approval must also be sought to establish a business relationship with such a customer.

Adopting appropriate mitigation measures significantly reduces the ML/FT risk, ensuring the inherent level of risk is brought within the business’s risk appetite to conduct a transaction with such a customer.

The factors considered for the risk assessment, the methodology adopted and the outcome of the CRA must be well-documented to demonstrate AML compliance.

Periodic review and reassessment

The customer risk profile is not static, i.e., a customer once classified as high-risk will not necessarily continue to pose such increased ML/FT risk to the business. The risk exposure changes as the customer’s profile is updated, the business activities change, the relevant country’s AML regulatory framework changes, etc. Further, the evolving AML regulations and emerging risk typologies also impact the customer’s risk profile.

Thus, the regulated entities must ensure that the customer’s risk assessment is dynamic, updated as and when there is any movement in the risk factor.

Empowering the team

Well-crafted AML/CFT procedures and controls are of no use without having a well-trained team to implement the same effectively. The regulated entities must impart adequate AML training to their employees around the performance of customer risk assessment and its impact on the nature of AML/CFT measures to be applied. The factors to be considered for risk assessment and the methodology to be adopted must be discussed during the AML training program.

How can the use of tools and techniques improve the effectiveness of the Customer Risk Assessment?

When assessing customer risk, regulated entities can deploy a wide range of tools and techniques to obtain accurate and real-time results. These tools and techniques would be both – manual as well as automated using technology.

Use of emerging technology in performing Customer Risk Assessment

With the use of developing technologies, businesses can improve the effectiveness of the risk assessment process. The automated software and tools can process a large volume of customer data to assess the level of risk and provide insights into the customer’s risk profile.

Leveraging these technological tools can speed up the processes, providing real-time assessment of the customer risk upon every transaction executed with the customer, without worrying about remembering the requirement to reassess the customer risk.

Moreover, these solutions use the initially assessed risk level as a base and can promptly identify any unusual patterns and suspicious activities inconsistent with the customer’s profile.

Use of manual techniques for assessing customer risk

Though deploying technology for customer risk assessment is one of the best alternatives, the power of manual techniques can’t be ignored. Small and medium-sized businesses can use sophisticated Excel-based methods to assess the risk, including manually verifying customer documents and information.

With the human touch, businesses can assess the risk by interviewing the customer, studying their behavior, involving third parties to evaluate the customer’s financial position, etc.

When the manual techniques are combined with technological tools, the comprehensiveness of the CRA measures is enhanced, ensuring that tool-based assessment is supported by manual verification and no potential risk exposure goes unnoticed.

Let AML UAE help you design your Customer Risk Assessment Program

As the risk factors and AML regulations in UAE keep advancing, the methodologies of conducting customer risk assessment also change. Seek professional help from AML experts like AML UAE to develop your customer risk assessment policies and program, ensuring you appropriately determine the customer’s ML/FT risk and apply necessary mitigation measures.

AML UAE, with its diversified experience and subject knowledge, can assist the regulated entities in customizing the AML framework in accordance with the nature and risk exposure of the business while staying AML compliant and managing the risks effectively.

Whichever way you go – technological or manual – AML UAE can help you either by identifying and assisting in implementing the right AML software for CRA or designing the manual techniques and processes to create customer risk profiles effectively.

With Customer Risk Assessment, manage your ML/FT risks effectively!

How to File CNMR and PNMR on the goAML Portal Under TFS Guidance, 2025

Best Practices for CNMR and PNMR Filing on the goAML Portal to Ensure TFS Compliance

This blog elaborates on the July 2025 updates to the Targeted Financial Sanctions (TFS) Guidance. These updates introduce sharper procedures, especially around screening and reporting, and call attention to nuanced revisions, such as:

The blog also includes a detailed explanation of what TFS obligations are, an in-depth understanding of CNMR and PNMR filing obligations and step-wise processes under TFS Guidelines 2025, and the best practices that Reporting Entities can incorporate into their AML framework to ensure Sanctions Compliance.

Apart from procedural updates, this blog also provides a step-by-step walkthrough for CNMR and PNMR filing using the goAML portal, helping AML compliance professionals and Regulated Entities to understand their core TFS compliance obligations.

Guidance on Targeted Financial Sanctions, July 2025: What Reporting Entities Must Know

In order to decode the provisions of the TFS Guidelines July 2025, reporting entities must develop a sound understanding of the basic concepts, such as:

What are Targeted Financial Sanctions (TFS) in the UAE?

“Targeted Financial Sanctions” refers to an obligation to freeze the funds or other assets of designated individuals or entities, and to restrict access to such funds, assets, or related services, either directly or indirectly.

The primary purpose of TFS is to prevent designated persons and entities from accessing financial resources, thereby disrupting the use of such resources for illicit purposes or transactions that may benefit individuals or organisations involved in terrorism, proliferation financing, or other criminal activities.

TFS Compliance Obligations

Article 21 of Cabinet Decision No. 74 of 2020 has set the main TFS compliance obligations on Reporting Entities, including DNFBPs, FIs, and VASPs:

Register

Reporting Entities must register for the EOCN Notification Alert System (NAS) to receive automated email notifications on any update to the Sanctions List. In terms of practical implementation, Regulated Entities using Sanctions Screening Software can ensure that the screening software is paired up with a sanctions screening API that gives real-time data and updates as to additions and deletions of names in:

  • The UAE Local Terrorist List that contains the names of all the sanctioned individuals, entities, or groups designated by the UAE Cabinet. 
  • The UNSC Consolidated List that contains the names of all the sanctioned individuals, entities, or groups designated by the United Nations Sanctions Committees or directly by the UNSC.

Screen

The “when” and “whom” of sanctions screening is covered under paragraphs 30 and 31 of the latest guidance, which provide that Reporting Entities must undertake regular and ongoing screening on the latest Sanction Lists. Sanctions Screening must be undertaken mandatorily in the following circumstances:

  • Updates, i.e., additions, deletions, and revisions of names to Sanction lists
  • Prior to onboarding a new customer, i.e., a potential customer
  • Persons or entities party to any transactions or related to parties of any transaction, including names of persons with direct or indirect relationships with designated individuals, entities, or groups
  • Upon periodic KYC reviews or when any material change in the nature or ownership of the customer is identified
  • Daily screening of the existing customer database
  • Daily screening of the offboarded customers or previous customers with whom the Regulated Entity had prior business relationships and transactions
    • Reporting Entities need to be mindful that they are required to SCREEN all their previous or offboarded customers on an ongoing basis for a period of five (5) years after termination or cessation of the business relationship, even if there is no active business relationship or no assets are held with the Regulated Entity at present.
  • Before processing any transactions with a counterparty.

The “what” of the sanctions screening requirement is covered under paragraphs 32 and 33, which state the “key identifiers” and “other identifiers” required to be obtained by regulated entities from their customers to screen their names against those contained in the latest sanctions lists. These key identifiers and other identifiers are:

Once the key identifier details are available with the regulated entity, the Screening Analyst can proceed with conducting sanctions screening either manually or through screening software. The latest guidance on TFS requires regulated entities to have in place an adequate screening mechanism to help ensure TFS compliance.

The sanctions screening process generates screening outcomes, which can be disambiguated into four categories:

  • Confirmed Name Match: The name of the customer matches with the sanctions screening outcome.
  • Partial Name Match: The name of the customer partially matches with the sanctions screening outcome.
  • False Positive: The name of the customer does not match with the screening outcome.
  • Negative Match: The name of the customer does not generate a screening outcome.

The occurrence of any of these four outcomes requires the personnel of the regulated entity to take appropriate steps, which are more elaborately discussed in the table below:

Sanctions Screening Outcomes and Resultant Reporting Requirements
| Screening Result | TFS Measures | TFS Reporting Requirement | Record-Keeping Obligation |
|---|---|---|---|
| Perfect Match or Confirmed Name Match | • Freezing of Funds or Other Assets without any delay (within 24 hours) • Prohibition from Making Funds or Other Assets or Services Available • If the confirmed name match is of a potential customer, transaction must be immediately rejected (TFS measures discussed more elaborately in step 3) | Confirmed Name Match Report (CNMR) to be filed within 5 days along with obligatory information | Paragraph 46 of the TFS Guidance updated in July 2025 prescribes maintaining records for at least five (5) years, irrespective of the screening outcome. |
| Partial Match | • Immediate suspension of transaction without any delay • Avoid offering funds or any other services • Scenario-wise requirements apply | Partial Name Match Report (PNMR) to be filed within 5 days along with obligatory information | |
| False Positives or False Match | Not applicable | No reporting required | |
| No Match or Negative Match | | | |

Implement TFS Measures

Reporting Entities must either freeze all funds and assets without delay, prohibit the provision of services/funds, or reject the transaction. The core elements of TFS Measures prescribed by the Guidance on TFS include:

  • Asset Freezing without delay
  • Prohibition from making funds or other assets or services available
    • Financial Assets
    • Economic Resources
    • Any other assets.

The distinction between “Freezing Measures” in the case of a Confirmed Match and “Suspension Measures” in the case of a Partial Match is discussed in depth in further paragraphs of this AML UAE blog.

Report

After identifying a Confirmed or Partial Name Match, the Reporting Entity must report any TFS measures taken to the relevant Supervisory Authority and submit one of the following two reports via goAML:

  • Confirmed Name Match Report (CNMR)
  • Partial Name Match Report (PNMR)

The TFS Guidance also requires Reporting Entities to include and enclose mandatory and obligatory information along with the CNMR and PNMR filed.

In the context of CNMR, the RE is required to enclose ID documents of the person or legal entity whose name is found in the sanctions lists, resulting in a confirmed match during screening, as without possession of ID documents, the RE cannot conclusively confirm that the screening match found is a perfect match, requiring regulatory reporting. Examples of obligatory information for CNMR are:

  • The amount of funds or other assets frozen with documentary evidence, such as bank statements, transaction receipts, investment portfolios, title deeds, account summaries, etc
  • Detailed description of rejected transactions or services.

In the context of PNMR, the RE is required to enclose documents such as ID documents (if and when available) and the full name of the person or entity whose name is found to have partially matched during screening. The examples of obligatory information that REs can attach to PNMR are:

  • Funds or other assets that are suspended
  • Detailed description of rejected transactions or services.

How to File a Confirmed Name Match Report (CNMR) While Implementing TFS Measures

The step-wise process for filing CNMR requires a well-developed internal workflow to be followed by employees of a Regulated Entity. Timely filing of CNMR is only possible when the process from match identification to submitting the report on the goAML portal flows seamlessly from one department to another. Regulated Entities need to appoint an AML Compliance Officer and register themselves on the goAML portal. Registration on the goAML portal enables REs to file reports to the UAE FIU (Financial Intelligence Unit) to fulfil regulatory reporting requirements. The step-wise process for filing CNMR includes:

The subscription to the EOCN Notification Alert System (NAS) is a prerequisite that REs must tick off their to-do list once they commence business operations concerning covered activities under UAE’s AML/CFT regime. The subscription to NAS is a one-time exercise, which enables REs to access updated Sanctions Lists in real-time.

Identification of Confirmed Name Match During Sanctions Screening

REs can opt to screen their customers manually across the Sanctions Lists obtained through NAS or rely on a Sanctions Screening Software or unified AML Software that relies on efficient Screening APIs. Using one of these or a combination of software tools ensures that Sanctions Lists relied on for screening customers are updated in real time as published by the regulator, or EOCN, in the context of TFS compliance. The process of screening customers generates screening results or screening outcomes, which need to be disambiguated by the Screening Analyst.

Regulated Entities must remain mindful that they screen across their customer databases, which include potential, existing, and former customers with whom they had a previous business relationship during the past five (5) years.

When a Screening Analyst, while disambiguating screening results, identifies a perfect match or a confirmed match, they need to assess the screening outcome to confirm its accuracy.

Assessment of Confirmed Name Match Outcome

Assessment of a Confirmed Name Match or Perfect Match outcome is quite straightforward. In the case of potential, existing, and former customers, the frontline team or the Screening Analyst is required to carefully examine and cross-verify the customer’s key identifiers and the screening outcome’s attributes to assess whether the initial identification and disambiguation of the screening is accurate or erroneous. Once the Screening Analyst or the frontline team is sure of the match outcome assessment, they need to escalate the customer profile and screening outcome findings to the AML Compliance Officer for carrying out further steps.

Escalation by the Frontline Team or Screening Analyst to the AML Compliance Officer

The AML Compliance Officer needs to assess the customer profile forwarded by the frontline or screening team and determine whether the customer (potential, existing, or former) is indeed a confirmed match or whether the screening or frontline team made an error in identifying the match result. The AML Compliance Officer then proceeds with imposing TFS Measures and completing the CNMR filing formalities in a timely manner.

Impose Freezing Measures on Potential, Existing, and Former Customers

Once the AML Compliance Officer is sure that the confirmed match screening outcome is correct and accurate, he needs to act fast and impose freezing measures without delay (within 24 hours of the confirmed match). The extent and manner of imposing TFS Measures shall differ on the basis of the maturity of the business relationship, as elaborated below:

In case of a Potential Customer

  • Rejection of transaction or service immediately

In case of an Existing Customer

  • Freeze all funds/assets
  • Prohibition from making funds, other assets, or services available to such customer

In case of a Former Customer

  • If the confirmed match is that of a former customer and the RE does not have any assets or funds available with them, they can still proceed with the CNMR filing process, stating that the business relationship has concluded and they are not in possession of any assets.

Preparation of Mandatory and Obligatory Information & Documents for CNMR in alignment with goAML Requirements

After imposing TFS Measures, the Compliance Officer then needs to ensure that he is equipped with all the mandatory and obligatory information pertaining to the customer against whom the CNMR is supposed to be filed. The ID documents (passport, Emirates ID, trade license) are assumed to be in possession of the RE and need to be submitted with CNMR. The examples of obligatory information are:

  • Asset value proof (bank statements, portfolio summaries, title deeds)
  • Description of rejected service or transaction.

Logging in on the goAML Portal to File CNMR

The AML Compliance Officer must log into their employer’s goAML portal account using RE’s log-in details to file CNMR.

Selecting Report Type as CNMR & Entering Information and Documents

The AML Compliance Officer needs to select CNMR from the list of options given in the dropdown menu on the goAML portal. The AML Compliance Officer can either upload the CNMR in an XML format or fill in the details regarding a confirmed name match in real-time by opting for the web-report option on the goAML portal.

Saving and Submitting CNMR

Once the details regarding the confirmed name match are entered on the goAML portal successfully, the AML Compliance Officer must save the CNMR details and submit the same. The AML Compliance Officer must be mindful of the legal obligation to file the CNMR on the goAML portal within 5 days after applying freezing measures.

Maintaining Records of CNMR Filed for Five (5) Years

REs are required by law to maintain records of all screening results, including CNMRs, the identification, decision, freezing measures taken, and details of the CNMR filed on the goAML portal for the period of at least five (5) years.

How to File a Partial Name Match Report (PNMR) While Implementing TFS Measures

The step-wise process of filing a PNMR broadly consists of the steps elaborated in further paragraphs. However, based on the maturity of the business relationship, i.e., whether the customer is a potential customer, an existing customer, or a former customer, the employees of the Reporting Entity, such as the frontline team, Screening Analysts, KYC Analysts, and AML Compliance Officer, must make sure that they collect necessary information about the customer to ensure accurate filing of PNMR. Timely filing of PNMR can be achieved through well-coordinated efforts by all personnel concerned.

A well-defined and documented process for filing PNMR presupposes a subscription to the EOCN Notification Alert System (NAS). The Reporting Entity may screen its customers manually, using updated sanctions lists and the notifications received after subscribing to EOCN NAS, or it can rely on Sanctions Screening Software or AML Software with a Sanctions Screening API.

Identification of Partial Name Match During Sanctions Screening

Regulated Entities must ensure that they screen across their customer databases, including potential, existing, and former customers, with whom they had a previous business relationship during the past five (5) years.

When a Screening Analyst, while disambiguating screening results, comes across an outcome where only some of the attributes of the customer profile match, and they cannot conclusively confirm whether the match is a confirmed match or a false positive, they are required to escalate the customer profile and screening outcome to the AML Compliance Officer for further assessment.

Assessing Partial Name Match Outcome

Assessment of Partial Name Match Outcome after screening needs to be done to rule out the possibility of the initial match disambiguation being inaccurate, false positive, or a confirmed name match instead. However, the issue with Partial Name Match outcomes is that the Screening Analyst or frontline team cannot conclusively decide whether it’s a false or a complete match due to factors such as:

  • Lack of adequate information and non-availability of the customer’s ID documents in case of potential customers
  • Lack of information in Screening Outcomes, i.e., screening results exist but don’t provide adequate information so as to conclude successful disambiguation
  • A high number of screening outcomes or results are generated by the screening software due to lower match percentage thresholds configured, leading to high disambiguation volume with non-existent substantial information for disambiguation.

To simplify the accuracy assessment of a Partial Name Match outcome, Reporting Entities must consider the following factors:

For Potential Customers: When ID documents are not available and key identifier details are therefore missing, the RE must attempt to obtain the ID documents so that the match can be disambiguated against a complete set of information and the result is accurate.

  • If ID is received within 10 days, the RE must conduct Screening with details contained in the ID obtained. Based on the screening outcome, if the RE finds that the match is indeed a Partial Match, they must continue/implement Suspension/Freezing Measures and proceed with the PNMR/CNMR filing process. If, after fresh screening, the RE finds that the screening outcome is a false positive or no match, they must proceed with establishing a business relationship.
  • If ID is not received within 10 days, the RE must Reject/Cancel Transaction and proceed with PNMR filing process.
  • If ID is received after 10 days, the RE must conduct Screening based on the recently acquired ID and implement Suspension Measures accordingly, if a Partial Match is found, or proceed with CNMR if a Complete Match is found, or establish a business relationship if false or no match found.

Existing and Former Customers: The possession of a Customer ID is assumed

  • Suspend any transaction, refrain from offering any funds, assets, or services.

Escalation by the Frontline Team or Screening Analyst to the AML Compliance Officer

The AML Compliance Officer needs to assess the customer profile forwarded by the frontline or screening team and determine whether the customer (potential, existing, or former) is indeed a partial match or confirmed match or false match, based on which further actions can be taken.

Impose Suspension Measures on Potential, Existing, and Former Customers

Once the AML Compliance Officer is sure that the partial match screening outcome is correct and accurate, he needs to act fast and impose a suspension of the business relationship and refrain from or avoid providing any service, assets, or funds to such a customer without delay (within 24 hours of the partial match).

The extent and manner of imposing TFS Measures, i.e., suspension, shall differ on the basis of the maturity of the business relationship, as elaborated below:

In case of a Potential Customer

  • Cancel the Transaction and proceed with the PNMR filing process

Existing and Former Customers

  • Suspend any transaction, refrain from offering any funds, assets, or services.

Preparation of Mandatory and Obligatory Information & Documents for PNMR in alignment with goAML Requirements

After imposing TFS Measures, the Compliance Officer then needs to ensure that he is equipped with all the mandatory and obligatory information pertaining to the customer against whom the PNMR is supposed to be filed. The ID documents of existing and former customers (passport, Emirates ID, trade license) are assumed to be in possession of the RE and need to be submitted with PNMR. The ID documents of potential customers can be submitted if and when available. The examples of obligatory information are:

  • Asset value proof (bank statements, portfolio summaries, title deeds)
  • Description of suspended service or transaction
  • Description of rejected transaction or service (when no funds are held).

Logging in on the goAML Portal for PNMR Filing

The AML Compliance Officer must log into their employer’s goAML portal account using RE’s log-in details to file PNMR.

Selecting Report Type as PNMR & Entering Information and Documents

The AML Compliance Officer needs to select PNMR from the list of options given in the dropdown menu on the goAML portal. The AML Compliance Officer can either upload the PNMR in an XML format or fill in the details regarding a confirmed name match in real-time by opting for the web-report option on the goAML portal.

Saving and Submitting PNMR

Once the details regarding the confirmed name match are entered on the goAML portal successfully, the AML Compliance Officer must save the PNMR details and submit the same. The AML Compliance Officer must keep in mind that filing the PNMR on the goAML portal is a legal obligation that must be completed within 5 days after applying suspension measures.

Following EOCN Response

REs after filing a PNMR must await and follow the EOCN instructions and maintain suspension measures until further instructions are received.

The EOCN instructions in the context of PNMR concern the treatment of suspension measures, particularly in the case of existing and former customers. The Reporting Entity must submit PNMR along with all the necessary and obligatory customer information so that EOCN can verify the PNMR submitted and give further instructions to the RE. Either of the following steps must be taken by RE, based on EOCN response:

  • If EOCN concludes PNMR filed as a False Positive, RE must cancel TFS suspension measures and proceed with the business relationship
  • If EOCN validates PNMR as a Confirmed Match, REs must freeze funds and submit CNMR.

In the case of potential customers, if customer information and documents are lacking, then EOCN will not be able to classify the submitted PNMR as a Confirmed Match or a False Positive.

Maintaining Records of PNMR Filed for Five (5) Years

REs are required by law to maintain records of all screening results, including PNMRs, the identification, decision, suspension measures taken, and details of the PNMR filed on the goAML portal for the period of at least 5 years.

Key Differences Between CNMR and PNMR: Comparative Table

Differences Between CNMR and PNMR

| Distinguishing Aspects | CNMR (Confirmed Name Match Report) | PNMR (Partial Name Match Report) |
|---|---|---|
| Trigger Event | Identification of Confirmed Match during Sanctions Screening | Identification of Partial Match during Sanctions Screening |
| Immediate Action Needed | Freezing Measures for TFS Compliance to be applied within 24 hours | Suspension Measures for TFS Compliance to be applied within 24 hours |
| Filing Timelines | Within 5 days after imposing Freezing Measures | Within 5 days after imposing Suspension Measures |
| Documents Required | Complete Customer ID + Documents of Freezing Measures/Transaction Rejection | Complete or Partial Customer ID + Documents of Suspension Measures |
| Post Filing Measures | Freezing Measures to stay in place. However, lift Freezing Measures if Person/Entity is Delisted from Sanctions List or Freezing Cancellation Decision given by EOCN | Await EOCN Response, maintain Suspension Measures, may need to file CNMR or mark match as False Positive |

Key Differences Between Freezing and Suspension Measures

Differences Between Freezing and Suspension of Funds

| Distinguishing Aspects | Freezing Measures | Suspension Measures |
|---|---|---|
| Sanctions Screening Disambiguation Outcome | Confirmed or Perfect Match | Partial Match |
| Report to be filed on GoAML Portal | CNMR | PNMR |
| TFS Compliance Requirements | Freezing measures remain in place until person/entity is delisted from Sanctions List or Freezing Cancellation Decision given by EOCN | Suspension measures remain in place until EOCN provides further instructions on the match’s status |

General Do’s and Don’ts to Ensure TFS Compliance

Compliance with Targeted Financial Sanctions (TFS) is legally mandated under UAE law and reinforced by the 2025 TFS Guidance. These emphasize proactive, risk-based screening, reporting, and asset freezing for designated persons. The following do’s and don’ts guide Reporting Entities, i.e., DNFBPs, FIs, and VASPs in meeting TFS obligations, particularly for CNMR and PNMR submissions via goAML.

Dos to Ensure TFS Compliance

Do subscribe to the Executive Office mailing list or alert system

Regulated Entities (DNFBPs, VASPs, and FIs) are required to register on the goAML platform to submit STRs and SARs to the FIU. They must also use the platform to report CNMRs/PNMRs to the EOCN and the Supervisory Authority.

Do screen continuously, even on weekends and holidays

Reporting Entities must establish internal procedures for screening against the UAE Local Terrorist List and UNSC Consolidated List during weekends and public holidays, ensuring that access to funds or assets is restricted at all times. If no transactions or customer access occur during weekends or holidays, screening must begin immediately at the start of business activity, and freezing measures should be promptly applied.

Do Report and Disclose previous transactions or business dealings with Confirmed or Partial Name Matches.

Reporting Entities must submit CNMRs and PNMRs for all relevant transactions, business relationships, and accounts held within the past five years, including those closed before the designation, even if no current assets or ties exist. The report must explicitly state that no funds or assets are presently held, no ongoing relationship exists with the designated party, and that the account in question is closed.

Do Report Matches via Email to the EOCN if You’re Not a goAML User

For entities not registered with goAML (those that do not fall under the definition of FIs, DNFBPs, or VASPs and are therefore not under an obligation to register on goAML), CNMRs or PNMRs must be reported by email, providing a complete set of case details that clearly explain the identified match, with all relevant supporting documents attached to the message.

Do Escalate Matches Found in Criminal or Unilateral/Multilateral Sanctions Lists

Reporting Entities must consult the relevant Supervisory Authority (SA) for guidance on handling matches found with unilateral or multilateral sanctions lists, or other criminal lists, and consider submitting an STR or SAR to the Financial Intelligence Unit (FIU) if such matches are confirmed. The Reporting Entity should not use CNMR/PNMR reports in goAML for matches found on other sanction or criminal lists like OFAC, EU, HMT, or INTERPOL. These reports are only for matches with the UAE Local Terrorist List and UN List.

Do understand the change in penalty for non-compliance and inform staff

Reporting Entities must equip themselves with the awareness of changes made to the penalty imposed on TFS violations and incorporate the changes, such as imprisonment for a period of one to seven years. REs must also understand that Administrative Sanctions might be applied to them, resulting in a warning for license cancellation.

Don'ts to Ensure TFS Compliance

Don’t overlook changes in ownership structures, as even minority holdings may evolve into controlling stakes.

Reporting Entities are required to impose freezing measures on any entity that is majority-owned (more than 50%) by designated persons or entities. During implementation, REs must determine whether a designated person owns or exercises control over more than 50% of the proprietary rights. If the designated individual holds only a minority stake (50% or less), the entity is not subject to freezing measures unless ownership shifts, and the designated person gains a majority stake or controlling interest. Furthermore, all funds or assets owed to designated individuals must be frozen and must not be made accessible under any circumstances.

Don’t notify customers before freezing measures, as doing so may be considered tipping off

Reporting Entities must avoid informing customers about freezing measures before they are applied, as this may constitute tipping off. Customers may be notified once the measures have been implemented.

Don’t Forget to Document False Positives

Reporting Entities do not need to report a False Positive result to the EOCN and may proceed with the business transaction. However, they must maintain internal records of the screening alert and all actions taken.

Don’t rely solely on third-party screening services to meet compliance obligations

Reporting Entities must not consider third-party screening services as a guarantee of compliance. Reporting Entities remain responsible and must assess the reliability and robustness of external systems before using them.

Don’t Rely on Assumptions or Unverified Links

When a Confirmed or Partial Name Match is identified, the Reporting Entity must obtain and review the customer’s identification documents. Following the review, appropriate freezing or suspension actions should be taken and properly documented.

Best Practices for CNMR and PNMR Filing on the goAML Portal to Ensure TFS Compliance

Filing of CNMRs and PNMRs via the goAML portal is a key compliance requirement for Reporting Entities, including DNFBPs, FIs, and VASPs. By implementing the following best practices, Reporting Entities can ensure effective compliance with the UAE’s latest Guidance on Targeted Financial Sanctions (TFS):

Establish Comprehensive Sanctions Compliance Policies and Internal Controls

Reporting Entities must set and implement policies, procedures, and internal controls that align with the requirements of the latest TFS Guidance. These should ensure compliance with freezing obligations, include reasonable measures to identify beneficial owners, signatories, and strictly prohibit staff from disclosing freezing actions to customers or third parties. REs must allocate appropriate human and technical resources to fulfil TFS obligations effectively.

Using Sanctions Screening Software for Accuracy

REs must deploy Sanctions Screening Software that enables high-accuracy detection of designated individuals and entities across the UAE Local Terrorist List and the UNSC Consolidated List. The software should allow configurable thresholds to minimise false positives while ensuring true matches are not missed. The software must support real-time updates to watchlists, automatic batch screening, and ongoing monitoring of customer databases and transactions. These capabilities are critical for ensuring that CNMRs and PNMRs are identified without delay.

Providing Sanctions Compliance Training to Employees

REs must conduct regular and role-specific training for employees, especially those in compliance, operations, and client onboarding teams. The training must cover the detection and handling of CNMRs and PNMRs, the use of sanctions screening software, and the regulatory obligations outlined in the latest TFS Guidance. Training should also emphasise the importance of confidentiality (prohibition of tipping off) and include practical case scenarios to ensure readiness for real-life detection and reporting situations.

Group Oversight Across All Branches and Trade Zones

REs must establish Group Oversight to ensure consistent application of CNMR and PNMR processes across all branches and trade zones. This includes unified match thresholds, centrally managed screening tools, and standardised escalation procedures. Group Compliance must include overseeing implementation, conducting regular audits, and providing training to ensure effective and consistent Sanctions Screening. Central oversight ensures that potential matches are identified and resolved promptly, reducing the risk of sanctions breaches across the institution’s entire operational footprint.

Tamper-Proof Record-Keeping

REs must maintain tamper-proof record-keeping systems to ensure the integrity and security of data related to CNMR and PNMR activities. Records of screening results, match investigations, and escalation decisions must be securely maintained with access controls that restrict unauthorised viewing or editing. The system must include audit trails that log all user actions and prevent any undetected alterations or deletions.
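One way to build the audit trail described above so that alterations and deletions are detectable is a keyed hash chain, where every entry commits to the one before it. This is an added example, not code from the original page or from goAML; the field names, the case ID, the sample entries and the externally stored head value are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed anchor that the first entry links back to
FIELDS = ("seq", "ts", "actor", "action", "case_id")  # hypothetical record fields


def entry_mac(key: bytes, prev_mac: str, body: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus this entry's canonical JSON."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"|" + payload, hashlib.sha256).hexdigest()


def append_entry(log, key, ts, actor, action, case_id):
    """Append one user action; each entry commits to everything before it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor,
            "action": action, "case_id": case_id}
    entry = dict(body, prev=prev_mac, mac=entry_mac(key, prev_mac, body))
    log.append(entry)
    return entry


def verify_chain(log, key, expected_head=None):
    """Return [(index, problem), ...]; an empty list means the trail is intact.

    expected_head is the MAC of the newest entry, kept outside the record
    system (assumption: for example on write-once storage), so that removal
    of the most recent entries is detected as well.
    """
    problems = []
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in FIELDS}
        if entry["seq"] != i:
            problems.append((i, "sequence gap"))
        if entry["prev"] != prev_mac:
            problems.append((i, "broken link"))
        if not hmac.compare_digest(entry["mac"], entry_mac(key, entry["prev"], body)):
            problems.append((i, "content altered"))
        prev_mac = entry["mac"]
    if expected_head is not None and prev_mac != expected_head:
        problems.append((len(log), "head mismatch"))
    return problems


def sample_log(key):
    """Constructed sample trail for one hypothetical partial-match case."""
    log = []
    append_entry(log, key, "2025-01-06T09:12:00Z", "analyst01", "alert_escalated", "CASE-0001")
    append_entry(log, key, "2025-01-06T11:40:00Z", "co01", "suspension_applied", "CASE-0001")
    append_entry(log, key, "2025-01-08T15:05:00Z", "co01", "pnmr_filed", "CASE-0001")
    append_entry(log, key, "2025-01-20T10:30:00Z", "co01", "eocn_response_recorded", "CASE-0001")
    return log


if __name__ == "__main__":
    key = b"demo-key"  # constructed value; in practice a managed secret held outside the record system
    log = sample_log(key)
    head = log[-1]["mac"]
    print("intact:        ", verify_chain(log, key, head))
    edited = [dict(e) for e in log]
    edited[1]["ts"] = "2025-01-07T11:40:00Z"  # simulated edit to a stored timestamp
    print("entry edited:  ", verify_chain(edited, key, head))
    print("middle removed:", verify_chain(log[:1] + log[2:], key, head))
    print("tail removed:  ", verify_chain(log[:3], key, head))
```

Without the externally stored head value, a trail whose newest entries were removed still verifies, which is why the head is checked separately. The chain only gives detection; the access controls described above remain what restricts who can write to the records.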

Implementing Centralised Record Management Systems

REs must implement Centralised Record Management Systems to ensure consistent, secure, and traceable handling of data related to CNMR and PNMR processes. These systems should consolidate customer and transaction records across all business units and branches, enabling efficient access and retrieval during sanctions screening, investigations, and regulatory inspections. Centralisation ensures that relevant data is readily available as a single source of truth, supporting timely identification, review, and escalation of potential matches. Easy access to accurate records is essential for demonstrating compliance with TFS obligations and facilitating smooth regulatory visits.

Internal Reporting & Escalation Module

REs must establish a structured Internal Reporting & Escalation Module to manage alerts generated through CNMR and PNMR processes. This module should define clear roles, timelines, and procedures for the review, escalation, and resolution of potential sanctions matches. Automated workflows should support timely alert handling, while ensuring that all actions are logged for audit purposes. Effective internal reporting and escalation are essential for preventing delays, ensuring regulatory compliance, and facilitating prompt decision-making in line with TFS obligations.

Bringing It All Together: TFS Measures, Match Outcomes, and goAML Reporting

The advent of TFS Guidance, July 2025, calls for more than reactive and passive compliance measures; it requires proactive internal policies and procedures that take care of timely screening, clear escalation protocols, and accurate CNMR/PNMR reporting through the goAML portal and reporting to the relevant Supervisory Authority. Whether they are dealing with a confirmed or a partial match, and whether the customer is potential, existing, or former, regulated entities must implement appropriate freezing or suspension measures, document actions taken, and maintain records for a period of five (5) years.

Incorporating these practices into daily workflows helps ensure regulatory compliance while reinforcing operational resilience. With the right Sanctions Screening Software, Role-Specific AML Training, and governance, REs in the UAE can go beyond reactive compliance and master proactive and risk-based TFS Compliance.

FAQs

What is the difference between CNMR and PNMR under UAE TFS Guidance 2025?

CNMR can only be filed in a scenario where the customer details completely and entirely match with those of the screening outcome, whereas PNMR can be filed when some of the customer details match with those of the screening output, but it cannot be conclusively determined to be a confirmed match or a false match due to a lack of information or clarity.

 

CNMR and PNMR both need to be filed within 5 business days of imposing freezing or suspension measures.

Absolutely, filing of CNMR/PNMR can be done through logging into the goAML portal using REs’ credentials. The role of the Screening Software is limited to carrying out Sanctions Screening, generating alerts upon finding matches, streamlining workflows and escalations and preparing or downloading screening reports and details for the purpose of filing CNMR/PNMR accurately.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.