From Name to Risk Profile: Collecting the Right Information for Individual KYC

Good compliance starts with good processes, and individual KYC onboarding is one of the most important places to get it right.

To support the UAE AML compliance community, AMLUAE and NIYEAHMA are introducing a free, web-based Individual KYC Compliance Tool.

This webinar walks you through everything it does step by step, with a live demonstration.

The tool is built in line with the UAE’s current KYC and CDD requirements and designed to make individual onboarding structured and audit-ready.

What We Will Cover

Common pain points in individual onboarding and why they persist
The regulatory framework behind the tool: Federal Decree Law No. 10 of 2025, Cabinet Resolution No. 134 of 2025, and the MoET CDD Implementation Guide
The 5-Step Wizard: Personal Identity, Identity Documents, Address and Employment, Business Relationship, and Summary and Risk Rating
How the tool separates data collection from risk assessment
Live demonstration of the tool
Practical use cases: inspection preparation, staff training, process benchmarking, and active onboarding

About the Tool

Free and web-based, no sign-in required
Built in line with applicable UAE AML/CFT regulations
Provides step-by-step guidance with built-in compliance reasoning and red flag indicators
Applicable across DNFBPs and regulated entities operating in the UAE

Come as you are, whether you’re new to KYC or reviewing your current process. Registration is free, and the session is open to all.

📅 Date: 19th May, 2026
⏰ Time: 11:00 AM (GST)
🔗 Registration Link: https://events.teams.microsoft.com/event/142a52f3-c1ac-4510-b302-03378c51a973@9111ea08-5731-461f-bdce-1de7f7d1d9d0/registration

Effective AML consulting services

make your business dealings brighter, smoother, and better

Share via :

goAML Registration Guide – Dubai, UAE

goAML registration guide

Last Updated: 03/31/2026

Protect your business with reliable and effective AML strategies with AML UAE.

goAML Registration Guide: Key Facts

goAML is the official online reporting platform used by the UAE Financial Intelligence Unit (FIU) to collect and disseminate suspicious financial transactions related to money laundering, terrorism financing, and proliferation financing.
Who must register: Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Assets Service Providers (VASPs)
Purpose: Submitting Suspicious Activity Reports (SAR), Suspicious Transaction Reports (STR), other AML compliance-related filings such as HRC, HRCA, and TFS related filings such as CNMR and PNMR
goAML Registration Cost: Registration on goAML is free of charges
Registration Process: goAML registration is a two-step process
- SACM Registration
- goAML Portal Registration
Regulator: UAE Financial Intelligence Unit
Penalty for goAML reporting failure: Regulated Entities will be subject to fines/penalties and/or imprisonment.

What is goAML in UAE?

goAML is an official reporting platform used by the UAE FIU to collect and disseminate suspicious activity and transaction reports from regulated entities, related to ML/TF or PF.

The goAML is a software application used by the UAE’s Financial Intelligence Unit (FIU) to curb money laundering and terrorist financing. The ownership of goAML lies with the United Nations Office on Drugs and Crime (UNODC). It is one of the UNODC’s strategic responses to money laundering and terrorist financing.

The goAML portal takes care of data collection, management, analytical, document management, workflow, and statistical needs of the UAE’s Financial Intelligence Unit.

goAML is used by the UAE FIU to:

Receive Suspicious Activity and Transaction Reports (SARs/STRs)
Monitor, disseminate, and analyse SARs/STRs filed
Support AML/CFT and CPF investigations
Ensure compliance with UAE AML/CFT/CPF and TFS laws.
Article 46 of the Cabinet Resolution No. 134 of 2025 empowers the UAE FIU to receive reports from regulated entities, including FIs, DNFBPs, and VASPs.

What is goAML registration?

goAML registration is nothing but the registration with the goAML portal maintained by the UAE FIU. Once the entities fulfil AML registration requirements, they get an email from the FIU regarding their successful Anti-Money Laundering registration.

Regulated entities in UAE must perform this anti-money laundering registration to report suspicious activities and transactions to the FIU.

Why should you register on UAE FIU goAML portal?

Is goAML registration mandatory?

No AML/CFT matters can be reported to the FIU or the regulatory authorities without registration on the goAML Portal. To ensure timely reporting of the following reports with the FIU and the concerned supervisory authority, the regulated organizations must register themselves on the goAML Portal:

Suspicious Activity Report (SAR)
Suspicious Transaction Report (STR)
Additional Information File without Transaction (AIF) 
Additional Information File with Transaction/s (AIFT) 
Request for Information without Transactions (RFI) 
Request for Information with Transaction/s (RFIT) 
Dealers in Precious Metals and Stones Report (DPMSR)
Real Estate Activity Report (REAR)
Confirmed Name Match Report (CNMR)
Partial Name Match Report (PNMR)
High-Risk Country Transaction Report (HRC)
High-Risk Country Activity Report (HRCA)

Who should register with goAML system in UAE?

In order to curb financial crimes, some businesses in the UAE are required to perform anti-money laundering registration. goAML Dubai is a state-of-the-art platform utilized by regulated entities in Dubai to fight money laundering and ensure regulatory compliance. The regulated organizations subject to the latest AML regulations in the UAE are required to carry out goAML reporting, including Suspicious Activity Report (SAR) and Suspicious Transaction Report (STR), to the FIU and the regulatory authorities. Accordingly, all the following AML-regulated organizations must register on the UAE FIU’s goAML Portal:

Financial Institutions
Virtual Asset Service Providers (VASPs)
Designated Non-Financial Businesses and Professions (DNFBPs)
- Dealers in Precious Metals and Stones
- Real Estate Agents and Brokers
- Trust and Corporate Service Providers
- Lawyers, Notaries, and independent legal professionals
- Independent Accountants and Auditors

UAE goAML Registration Deadline

For the regulated organization that existed as on 31st March 2021, the deadline prescribed by the Ministry of Economy for the UAE FIU registration on the goAML portal was 31st March 2021. The date was later extended to 30th April 2021.

The regulated organisations which did not register then as per the deadline mentioned above can still register with the goAML UAE.

The companies newly incorporated in the UAE post the given deadline must register on the goAML system in UAE once they receive their Commercial or Trade License.

What are the documents required for goAML registration in UAE?

The following documents are required for goAML registration in UAE:

The organisation’s Authorisation Letter (Click to download goAML Registration Authorisation Letter template) in favour of the designated AML/CFT Compliance Officer
A copy of the passport, resident visa, and Emirates ID of the Compliance Officer
A copy of the organization’s commercial or trade license

In addition to the documents, the organization must also download the ‘Google Authenticator’ application on the mobile of the registered contact number.

How much does it cost to register for goAML?

The goAML registration does not involve any charges, and it is free for all DNFBPs, VASPs, and Financial Institutions.

UAE goAML Registration Type

The goAML Portal offers three types of goAML registration, as prescribed by the UAE’s Financial Intelligence Unit:

Reporting Entity
Stakeholder
Supervisory Body

Financial Institutions (FIs), VASPs, and DNFBPs must register on the goAML Portal with Registration Type “Reporting Entities”.

What are the steps to register on the goAML Portal in UAE?

Regulated Entities must adhere to the steps enumerated in the goAML System Registration Guide published by the Ministry of Economy and Tourism.

The goAML registration is a two-stage process enabling you to obtain the goAML login in UAE:

Stage 1: Register in the Service Access Control Manager (SACM) system of the UAE FIU to get Username and the Secret Key for accessing Google Authenticator.

Stage 2: Registration on the UAE FIU’s  goAML Portal, furnishing information about the organization and the Compliance Officer.

Stage 1 of goAML Registration: SACM Registration and Obtaining the Secret Key

The first stage is registering the entity to get the username and the SECRET CODE to access the Google Authenticator application on the mobile device.

a. Access https://services.uaefiu.gov.ae/sacm/registration.php and complete this form, attaching the documents mentioned above.

b. goAML Pre-registration Phase Guide – Key considerations to be taken care of while performing SACM Registration:

Mandatory fields marked with (*) must be completed
Select “Registration Type” as Reporting Entity
Appropriate Supervisory Authority must be selected
Under “ID Number/Reg. No.” captures the License Number as mentioned in the Trade License
Phone number and email address must be entered accurately to receive OTPs
Attachment of the supporting documents is allowed as PDF only
The documents to be uploaded – Authorization Letter, Trade/Commercial License, copy of Passport, Emirates ID and Residence Visa – must be merged and uploaded as a single pdf file
Do not forget to TICK the acceptance of the “goAML Portal Service Terms and Conditions” block
Ensure that the e-mail IDs are whitelisted – no-reply.sacm@uaefiu.gov.ae and no-reply.goaml@uaefiu.gov.ae

Upon submission of this form, you will receive an email on the registered email ID, capturing the Email OTP and URL to access the username and the Secret Key for setting up the Google Authenticator application.

The OTP is valid for 24 hours only.

c. Set up Google Authenticator

Install the Google Authenticator application on the mobile, with a contact number registered on the SACM.

Now create an account on the application, capturing the following details:

Capture the Account Name as “goAML Portal”.
Under Your Key field, enter the Secret Key received via email.

Stage 2 of goAML Registration: Completing goAML Registration

Now, complete the goAML registration.

a. SACM Portal Login https://services.uaefiu.gov.ae/goaml/ and log in using the username received post-SACM registration and a 6-digit code on the Google Authenticator as a Password.

b. Upon Sign In, you will be directed to the goAML homepage.

c. Initiate the registration by clicking “Register as a New organization”.

d. goAML Registration Phase Guide – Key considerations to be taken care of while registering on FIU’s goAML Portal:

Select “Registration Type” as Reporting Entity
Mandatory fields marked with (*) must be completed
Accurately furnish organizational details and the details about the Compliance Officer
If you face any issues while registering, you can write to us at info@amluae.com and in case of any Portal related issue, write to goAML@uaefiu.gov.ae

e. Wait for email confirmation about the approval of your registration application, and you will get a unique “Org ID”, which is each organization’s unique goAML identity number.

UAE FIU goAML Registration Approval

The registration applications submitted on UAE the FIU’s goAML Portal are approved by the organization’s Supervisory Authorities in the UAE. Some of the examples of such supervisory authorities include:

Central Bank of the UAE
Ministry of Economy and Tourism
Ministry of Justice
Capital Market Authority
Virtual Assets Regulatory Authority
Dubai Financial Services Authority
Financial Services Regulatory Authority
General Commercial Gaming Regulatory Authority

What should I do if I do not receive an email OTP for my goAML Pre-registration request?

Firstly, confirm whether email ID – no-reply.sacm@uaefiu.gov.ae has been whitelisted by your IT team. Also check your spam or junk emails.

If not received, write an email to goaml@uaefiu.gov.ae, with a request to resend the email OTP for the purpose of SACM login on the goAML Platform.

What if a business in UAE fails to Register in goAML?

Is goAML registration mandatory?

All Financial Institutions, VASPs and DNFBPs must register on the UAE FIU’s goAML Portal.

The failure to register on goAML Portal is a failure on the part of the regulated organization to implement necessary procedures to detect and “Report” suspicious transactions related to money laundering or terrorism financing.

What is the penalty for failure to register on the goAML portal?

Article 28 of the Federal Decree Law No. 10 of 2025 states that the failure to report is a violation of the AML/CFT regulations of the UAE and would attract punishment by imprisonment and a fine of not less than AED 100,000 and not exceeding AED 1,000,000, or either of these two penalties

Anti Money Laundering Registration and Subsequent Access to UAE goAML Portal

How do you log in to the goAML portal in the UAE?

Once registered successfully, you can access the UAE FIU goAML portal for your reporting purposes by navigating to the goAML Login URL: https://services.uaefiu.gov.ae/goaml/

Sign-in to this pop-up using the username received post-SACM registration, and your Password would be the 6-digit code appearing on the Google Authenticator.

How to register as a “Person” on the UAE goAML Registration Portal?

Once the regulated organization is registered on the goAML Portal, new users can be added. For this, the person intending to access the organisation’s goAML Portal must first register on the goAML Portal.

Registration on goAML Portal as a “New User”

Following the below-mentioned steps for registering on the goAML Portal as a new user:

1. The new user must register on the SACM Portal by navigating https://services.uaefiu.gov.ae/sacm/registration.php

2. Upon approval of the SACM application or goAML pre-registration, the user will get an email for Username and Security Key

3. Download the Google Authenticator application on the mobile device and set up the app using Secret Key received

4. Access https://services.uaefiu.gov.ae/goaml/

5. Upon Sign In, you will be directed to the goAML homepage.

6. Initiate the registration by clicking “Register as a New Person”.

7. The application for accessing the goAML Portal as a “new user” will be sent to the Compliance Officer of the organization (an ADMIN user for the organization’s goAML Portal access), who shall approve the new user request.

Key considerations to be taken care of while registering on FIU’s goAML Portal as a “New Person”:

Capture the “Organization ID” accurately to access your organization’s goAML Account
Mandatory fields marked with (*) must be completed

Approval of the “New User” Request by the Compliance Officer on the goAML Portal

Upon accessing goAML Portal, the Compliance Officer will be directed to the homepage.

1. Login https://services.uaefiu.gov.ae/goaml/

2. The Compliance Officer shall navigate the “ADMIN” menu and select “User Request Management” from the dropdown list.

3. The “User Change Request” page shall be displayed, and the Compliance Officer should click “Preview“ to verify the details

4. The Compliance Officer can approve or reject the new use request and may also add the comments for rejection, if any.

5. Upon finalisation of the request by the Compliance Officer, the user will get an email notification on the registered email ID.

Setting Access Rights for Users on the UAE goAML Portal for registered Reporting Entity?

The Compliance Officer of the reporting entity can specify the roles (as ADMIN or as USER) of various users on the goAML Portal, as under:

a. Login https://services.uaefiu.gov.ae/goaml/

b. Navigate the “ADMIN” menu and select “User-Role Management” from the dropdown list.

c. Select the user from the available list and specify the role for the person

The Compliance Officer can also create more roles, apart from ADMIN and USER, if required, by selecting “Role Management” option from the “ADMIN” menu.

Now, the Compliance Officer can add any new roles for the users and specify the corresponding access rights by clicking on “Add a new role for this entity” button.

How to disable an active user on the UAE goAML Portal?

The ADMIN user of the organization’s goAML Account can disable an active use, by clicking on “Disable” icon, as under:

I have forgotten my Password for the UAE goAML Portal. How do I reset it?

The goAML Portal Password can be reset as under:

1. Click on “Forgot Password” button

2. A pop-up will be provided to capture Username and Email ID (registered with goAML Portal)

3. An email shall be received on the registered email ID capturing the link to set a new Password.

I have forgotten my Username for accessing the UAE goAML Portal for 2nd Stage registration. How do I retrieve my FIU UAE goAML Login ID?

To retrieve the forgotten FIU UAE goAML Login Username, write an email to goAML Support Team on goaml@uaefiu.gov.ae, capturing the following information:

Name of the organization
Organization ID
First and last name as registered on the goAML Portal
Registered Email ID
Emirates ID and Passport Number
Date of Birth
Nationality

Do I get UAE FIU goAML Registration Certificate?

The Financial Institutions, Virtual Asset Service Providers, and Designated Non-Financial Businesses and Professions have to register with the UAE FIU goAML system.

Once registered, the FIU UAE will share an email confirming the approval of the registration.

What is the UAE FIU goAML Contact Number?

goAML helpdesk contact number is: +971 2 6915599.

You may also contact goAML helpdesk by email: contact@uaefiu.gov.ae.

How do I update the changes in the organizational details on the UAE goAML Portal?

The Compliance Officer can update the changes in the organizational details as under:

a. Login https://services.uaefiu.gov.ae/goaml/

b. The Compliance Officer shall go to the “My goAML” menu and click on “My Org Details” from the dropdown list.

c. The Compliance Officer can now update the details like –

Organization name and address
Incorporation number
Nature of business activities
Website, Email ID and Contact number
Contact Person

d. Upon submission of the change details, the Supervisory Authority will verify and approve these changes. The Compliance Officer shall get an intimation for the approval by way of email on the registered email ID.

How do I deregister from the UAE FIU goAML Portal?

goAML Deregistration Procedure:

Write an email to aml@economy.ae and cc it to goaml@uaefiu.gov.ae
Include the following information in your goAML deregistration email:
- goAML Registration Number
- Entity Name
- Individual Name
- Supervisory Body
- Date of Cancellation of Trade License
Attach your Trade License copy and Clearance Certificate issued by the relevant authority

You should received goAML Deregistration email conformation shortly.

How to access goAML message board?

To access the goAML message board, log in to the goAML portal and select message board from the menu bar. You will be able to see the inbox. Further, the messages can only be exchanged between a registered entity and the FIU.

How to change MLRO in goAML?

In order to change MLRO in goAML, the new MLRO needs to register as an individual using the same organisation ID.

The regulator will then approve the newly registered MLRO, and then the new MLRO needs to inform the support team of goAML – goaml@uaefiu.gov.ae to deactivate the old MLRO and activate him as the new MLRO.

How AML UAE Can Help with goAML Registration

Navigating goAML registration and AML compliance requirements in UAE can be complex. AML UAE provides end-to-end support to help regulated entities register efficiently and remain compliant with AML/CFT and CPF requirements. AML UAE helps with:

Identifying goAML registration requirements
Preparing and reviewing required documentation
Assisting with SACM and goAML portal registration
Supporting ongoing reporting obligations such as SAR/STR filings
Advising on AML/CFT policies, procedures, and risk assessments

With expert AML consultants for support, businesses in UAE can avoid common goAML registration and reporting errors, reduce delays, and ensure compliance with regulatory requirements.

FIU UAE goAML Registration Step-by-Step Guide

Download UAE goAML registration guide: UAE Financial Intelligence Unit (FIU)

FIU UAE goAML Registration Step-by-Step Guide: Video

UAE’s Financial Intelligence Unit (FIU) launched a new anti-money laundering platform called goAML in UAE with the aim to regulate and control organized financial crimes.

goAML registration is the process that financial institutions and designated non-financial businesses and professions (DNFBPs) must follow to register on the goAML system. It includes registration on the goAML portal’s protection system (SACM) followed by registration on the goAML system.

goAML is an integrated system used to fight against money laundering and terrorism financing. The United Nations Office on Drugs and Crime (UNODC) built this system. All financial institutions and DNFBPs required to comply with AML guidelines are supposed to register on this platform.

To register for anti-money laundering in UAE, relevant entities must register into the FIU goAML system. This system collects data on the SAR, STR, REAR, DPMSR, HRC, HRCA, CNMR, and PNMR submitted by entities.

Visit https://services.uaefiu.gov.ae/ Systems >> GOAML
Login using username received from no-reply.sacm@uaefiu.gov.ae &Google Authenticator Passcode as the password
Login using the username and password created at the time of registering on goAML Portal

In response to money laundering and terrorist financing, the goAML application is available to more than 60 member states of the United Nations Office on Drugs and Crime (UNODC) through their country FIUs.

goAML collects data on suspicious transaction reports, Dealers in Precious Metals and Stones Report (DPMSR) and other reports from country-specific FIUs, evaluates them, disseminates intelligence reports to relevant authorities and exchanges reports or data with other global authorities.

For goAML Login, click on link: https://services.uaefiu.gov.ae/ for goAML login. Then click on Systems, click on goAML, then provide your Username and the Google Authenticator Passcode as the Password. Click Sign In. You will now be redirected to the goAML UAE homepage. Now, click the Login button and provide the Username and Password created at the time of registering on the goAML portal and click login.

UAE Financial Intelligence Unit (FIU) is empowered to receive Suspicious Transactions Reports (STR), Suspicious Activity Reports (SAR), Dealers in Precious Metals and Stones Report (DPMSR), Real Estate Activity Report (REAR) via a portal specifically maintained for the purpose viz., goAML. DNFBPs and FIs in UAE are required to file these reports with goAML UAE.

DNFBPs in UAE have to register with the goAML portal and provide all mandatory information and supporting documents. The FIU UAE will verify this information and send an email notifying the approval of the registration.

1. If you ever forget your UAEFIU goAML login password, hit forget password button as highlighted below:

goAML Forgot Password

2. It will pop up the reset password request window. You need to enter your user name, registered email, CAPTCHA, and hit submit

goAML Reset Password

3. You will receive a link on your registered email which will help you reset your UAE goAML password

goAML Change your password

In order to update organization detail, the registered user needs to login to the UAE FIU goAML portal, go to the My goAML Menu, and then click My Org Details Menu.

Here, the user can update information like business name, licensed activity, incorporation number, email, website, contact person, telephone number, and address.

The supervisory authority will verify the information, and upon approval, an automated confirmation email will be sent to the organization’s registered email.

Registering for goAML in the UAE involves pre-registration on the SACM portal, where documents such as the trade license, the MLRO’s ID, and the authorisation letter are uploaded, after which the email containing the goAML login credentials is received. The goAML website can be logged in to using credentials received from SACM and Google Authenticator, and registration as a new organisation can be completed.

If you are not receiving emails from CBUAE’s goAML system, make sure you have white-listed the emails no-reply.sacm@uaefiu.gov.ae and no-reply.goaml@uaefiu.gov.ae.

Yes, delegating your CBUAE FIU goAML reporting responsibilities to third parties is possible. You may outsource goAML reporting responsibilities for STR, SAR, DPMSR, REAR, etc., to external parties, but it is recommended that such parties create an account on the goAML portal before providing such services.

The admin user of the goAML portal should click the change Selected Delegating Organization, provide the Organization ID associated with the delegated party, and submit the request. The supervisory authority will verify the information and approve the change.

Yes, you can. Navigate to My goAML menu and make the required changes. The admin user of your organization must approve the change in email, and then the supervisory authority will verify the information and approve the change.

You need to click the preview button before submitting an STR/SAR/DPMSR/PNMR/CNMR/REAR and then click the print button to print the report.

STR Printing

The CBUAE FIU goAML registration in UAE is approved by the respective regulator or supervisory body.

The goAML Message Board facilitates communication between the FIU UAE and the goAML users. The reporting entities can come to know of the status of their submitted reports immediately through the message board. The FIU also requests its information requirement through the message board. The goAML message board is not specific to a particular user, but it is for the reporting entity as a whole.

The United Nations Office on Drugs and Crime (UNODC) developed the goAML software. It is an integrated system for Financial Intelligence Units to receive, analyse, and distribute Suspicious Transactions Reports (STRs) in an efficient way. The UAE is the first country in the Gulf to adopt this modern STR reporting system.

UNODC is the United Nations Office on Drugs and Crime. You can reach UNODC at https://www.unodc.org/

The goAML portal is maintained by the FIU UAE. For all IT and technical related issues, please send an email to goAML@uaefiu.gov.ae

One can contact the FIU UAE on +971 2 6915599, email: contact@uaefiu.gov.ae.

One needs to register with the UAE FIU goAML portal. The detailed guide for FIU registration process is available here: https://amluae.com/goaml-registration-guide/

goAML is a communication medium between the reporting entity and the Financial Intelligence Unit (FIU). All the suspicion reports and reporting of designated transactions prescribed under AML/CFT regulations will be reported via the goAML Portal. So to submit these reports, a reporting entity shall initially have to register with the goAML.

Failure to register on goAML Portal may result in severe penalties invoked by the Supervisory Authority, ranging from AED 50,000 to AED 5,000,000.

All FIs, DNFBPs & VASPs must register on the goAML portal and implement the policies and procedures to identify and report any suspicious transactions related to money laundering or terrorism financing.

Share via :

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.

Reach Out to Pathik

Kuwait and Papua New Guinea Added to FATF Grey List: 13th February 2026

Kuwait and Papua New Guinea Added to FATF Grey List

Outcome of FATF Plenary, 11-13 February 2026

Added to Grey List: Kuwait and Papua New Guinea
Removed from Grey List: No change
Blacklist: No change.

FATF Grey List February 2026 Update: Kuwait and Papua New Guinea Added to FATF Grey List

On 13th February 2026, the first plenary session of the year was concluded by FATF. Post that, the FATF announced significant revisions to the FATF Grey List. Kuwait and Papua New Guinea were added to the FATF Grey List.

As part of its supervisory mandate, the Financial Action Task Force (FATF) periodically publishes updates on “Jurisdictions Subject to Increased Monitoring”, widely known as the “FATF Grey List”.

The FATF Grey List is a formal classification of countries that have strategic deficiencies in their Anti-Money Laundering (AML), Counter Financing of Terrorism (CFT), and Counter Proliferation Financing (CPF) measures. These countries are actively working with FATF to strengthen their AML/CFT/CPF measures.

The FATF serves as a global authority dedicated to combating financial crimes such as Money Laundering (ML), Terrorist Financing (TF) and Proliferation Financing (PF).

Through its in-depth analysis, it formulates internationally recognised recommendations to prevent wrongdoers from exploiting the financial system. FATF has issued uniform recommendations on Anti-Money Laundering (AML), Counter Financing of Terrorism (CFT) and Counter-Proliferation Financing (CPF).

These recommendations help countries around the world develop their domestic AML/CFT/CPF frameworks. Furthermore, FATF closely monitors compliance with these norms within nations’ internal AML/CFT/CPF frameworks.

Core Updates on Financial Action Task Force (FATF) Grey List in February 2026

Modifications made to the FATF Grey List mainly include the addition of Country Names and the erasure of Country Names.

Added Kuwait and PNG in the FATF Grey List (Jurisdictions Under Increased Monitoring) on 13th February 2026

Recognising the need to incorporate more stringent measures in their AML/CFT/CPF program, the following countries were added to the FATF Grey List.

Kuwait
Papua New Guinea

Removed Countries in the FATF Grey List (Jurisdictions Under Increased Monitoring) on 13th February 2026

No change

Jurisdictions Under Increased Monitoring by FATF as of 13th February 2026: The FATF Grey List as of 13th February 2026

As of 13th February 2026, the following countries are recognised as “Jurisdictions Under Increased Monitoring” by FATF.

FATF Grey List – updated on 13th February 2026

Algeria
Angola
Bolivia
Bulgaria
Cameroon
Cote d’Ivoire
Democratic Republic of Congo
Haiti
Kenya
Kuwait
Laos

12. Lebanon
13. Monaco
14. Namibia
15. Nepal
16. Papua New Guinea
17. South Sudan
18. Syria
19. Venezuela
20. Vietnam
21. Virgin Islands (UK)
22. Yemen

Kuwait has been added to the FATF Grey List: 13th February 2026

Following the conclusion of its first plenary on 13 February 2026, the FATF placed Kuwait on the Increased Monitoring List (Grey List).

Kuwait made a high-level political commitment in February 2026 to work with FATF and MENAFATF to strengthen the effectiveness of its AML/CFT regime.

Kuwait adopted its Mutual Evaluation Report (MER) in June 2024 and has made significant progress on the MER’s recommended actions.

Now that on 13^th February 2026, it has been added to the FATF Grey List, it will continue to work with FATF to implement its action plan by:

Enhancing outreach to real estate agents and DPMSs on STR reporting, including through the distribution of sector-based indicators of ML/TF
Ensuring that beneficial ownership information in the registry is accurate, and applying effective, proportionate and dissuasive sanctions in cases of inaccurate information where appropriate
Increasing ML investigations and prosecutions in relation to cross-border movements of currency and BNIs.

Papua New Guinea has been added to the FATF Grey List: 13th February 2026

Following the conclusion of its first plenary on 13 February 2026, the FATF placed Papua New Guinea (PNG) under the Increased Monitoring List (the Grey List). PNG made a high-level political commitment to work with the FATF and APG to strengthen the effectiveness of its AML/CFT regime.

Papua New Guinea adopted its Mutual Evaluation Report (MER) in September 2024, and since then, it has made progress on some of the MER’s recommended actions, including operationalising and strengthening the anti-corruption authority, developing a national risk assessment and automating communication of UNSCR updates to relevant government agencies and reporting entities.

Now that on 13th February 2026, Papua New Guinea has been added to the FATF Grey List, it will continue to work with the FATF to implement its FATF action plan by:

Improving its understanding of ML risks and endorsing the National AML/CFT/CPF Strategic Plan
Proactively seeking outbound international cooperation to identify and trace criminal property abroad
Improving risk-based supervision of banks, MVTS/FX dealers and higher risk DNFBPs
Demonstrating an increase in ML investigations and prosecutions
Demonstrating an increase in freezing/seizing and confiscation of criminal proceeds, instrumentalities and property of equivalent value
Conducting training for competent authorities to enhance their understanding of TFS-PF implementation
Addressing technical compliance deficiencies, including with respect to the ML offence, TF offence, TFS-PF, politically exposed persons and suspicious transaction reporting.

Regulatory Action Plan for Regulated Entities Subsequent to Changes in FATF Grey List Dated 13th February 2026

In UAE, Regulated Entities such as Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Assets Service Providers (VASPs) are required to stay up to date with the timely developments in the FATF Grey List as part of their AML/CTF/CPF compliance.

Regulated Entities should review their implemented AML/CFT/CPF program and align it with the new FATF Grey List countries, and consider greylisting of PNG and Kuwait.

The following actions are to be taken to ensure thorough compliance.

Initiate Enterprise-Wide Risk Assessment (EWRA) and assess the likelihood of ML/TF/PF risks arising from exposure to the greylisted Kuwait and PNG.
Revise Risk Metrics to flag the newly added Grey List Countries and recalibrate controls for jurisdictions that have been removed from the Grey List.
Update internal AML/CFT/CPF Policies and Procedures to reflect the material changes in the FATF Grey List.
Review Customer Risk Assessment parameters and synchronise them with the newly updated FATF Grey List.
Ensure Enhanced Due Diligence (EDD) is applied to the customers or suppliers associated with the “FATF Jurisdictions subject to increased monitoring”.
Recalibrate the configuration of AML Software solutions in accordance with the FATF Grey List Updates.
Conduct robust training sessions for the employees to raise their awareness of the changes in the FATF Grey List and educate them on the revised procedures for dealing with customers.

Jurisdiction Changes, Risk Changes, Your Compliance Does Not.

Strengthen Your Compliance Requirements with Every FATF Update through AML UAE

Share via :

South Africa, Nigeria, Mozambique, and Burkina Faso Off from FATF Grey List October 2025 Plenary

South Africa, Nigeria, Mozambique, and Burkina Faso Off from FATF Grey List: October 2025 Plenary

Executive Summary:

Removed from Grey list: 4 removals — South Africa, Nigeria, Mozambique, Burkina Faso.
Added to Grey List: No new additions.
Blacklist: No change.
Rationale: Progress on AML/CFT frameworks and inter-agency coordination.

South Africa, Nigeria, Mozambique, and Burkina Faso Off from FATF Grey List: October 2025 Plenary

As part of its mandate, FATF periodically provides updates for jurisdictions under their increased monitoring colloquially known as the “FATF Grey List”. This is a list of countries with strategic deficiencies in their AML/CFT/CPF regimes and are actively working with FATF to address these deficiencies.

On 24th October 2025, the last plenary session of the year was concluded by the FATF. It brought significant changes to the status of grey listed countries. South Africa, Nigeria, Mozambique, and Burkina Faso were removed from the FATF Grey List.

The Financial Action Task Force (FATF) is a global watchdog against the crimes of Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF). FATF undertakes extensive research and sets international standards to combat financial crimes. FATF has issued uniform recommendations on Anti-Money Laundering (AML), Counter Financing of Terrorism (CFT), and Counter-Proliferation of Financing (CPF), for countries. It diligently monitors the compliance of these norms in the domestic AML/CFT/CPF framework of countries around the globe.

Updates Made to the Financial Action Task Force (FATF) Grey List on 24th October 2025

FATF Plenary October 2025: Updates made to FATF greylist mainly include removal of four countries as discussed below.

Countries Removed from FATF Grey List (Jurisdiction Under Increased Monitoring) on 24th October 2025:

FATF removes Burkina Faso from Grey List: 24th October 2025
FATF removes Mozambique from Grey List: 24th October 2025
FATF removes Nigeria from Grey List: 24th October 2025
FATF removes South Africa from Grey List: 24th October 2025

The FATF Grey List as of 24th October 2025: FATF Jurisdictions Under Increased Monitoring as of 24th October 2025

1. Algeria
2. Angola
3. Bolivia
4. Bulgaria
5. Cameroon
6. Côte d’Ivoire
6. Democratic Republic of Congo
8. Haiti
9. Kenya
10. Laos

11. Lebanon
12. Monaco
13. Namibia
14. Nepal
15. South Sudan
16. Syria
17. Venezuela
18. Vietnam
19. Virgin Islands (UK)
20. Yemen

Immediate impact of the FATF Grey List update 24th October 2025 on Regulated Entities:

As a consequence of FATF Grey List October 2025 Update, AML Compliance measures implemented by Regulated Entities need to be revised:

Enterprise- Wide Risk Assessment (EWRA):
Customer Due Diligence (CDD): CDD measures concerning customers or suppliers associated with “FATF defined Jurisdictions Subject to Increased Monitoring”
AML Policies and Procedures:
Recalibrating configuration of AML software solutions

To know more about how the FATF Grey List update triggers changes in a regulated entity’s AML/CFT/CPF compliance process, read our extensive blog on “Impact of FATF Grey List Update on UAE DNFBPs: AML/CFT Compliance Imperatives”

What will be the Implications of FATF Greylisting on the British Virgin Islands (BVI)?

Due to the greylisting of British Virgin Islands (BVI) by FATF, the costs associated with financial transactions originating from and destined to BVI would increase. Further, the businesses would experience slight delays in the processing of transactions by banks as banks and financial institutions adopt a risk-based approach while dealing with high-risk jurisdictions like Virgin Islands (UK).

The obligated entities will have to assess the BVI greylisting impact on its Enterprise-Wide ML/FT risk assessment, take a risk-based approach and align policies and procedures with the revised EWRA.

The reporting entities would also need to change their internal processes in relation to transaction monitoring and customer risk assessment, consequent to the greylisting of BVI.

Further, the BVI-based entities will have to adopt suitable measures to ensure that they have accurate beneficial ownership information about their clients.

How Does Bolivia’s Inclusion on the FATF Grey List Countries 2025 Impact Its Virtual Asset Sector?

The Virtual Asset Sector in Bolivia would be subjected to stringent ML/FT controls consequent to Bolivia’s greylisting by FATF on 13^th June 2025. The government would try to bring in a stringent regulatory framework and stricter supervision of crypto exchanges and crypto assets wallet providers. The obligated entities will have to strengthen their CDD, transaction monitoring, and suspicious transaction monitoring-related controls and have a more comprehensive process for the ultimate beneficial owner identification.

This would result in increased compliance costs for VASPs based out of Bolivia. Banks and financial institutions would adopt a risk-based approach and decide to go for de-risking the relationship.

Due to Bolivia’s inclusion on the FATF Grey List countries 2025, the international businesses dealing with Bolivia in sectors like virtual assets, trade finance, money exchange, and precious metals and stones will reassess their risk, and the Bolivia-based businesses might have to undergo EDD measures.

What Does Removal from the FATF Grey List Mean for Croatia?

Consequent to the removal of Croatia from FATF’s grey list (the list of jurisdictions under increased monitoring), it would benefit Croatia’s economy, and Croatia’s financial institutions will have greater access to international correspondent banking and can resort to relaxed norms around customer due diligence.

The international businesses dealing with Croatia will take a risk-based approach, and they will be exposed to lower compliance risks while dealing with Croatia-based entities. It would make transaction processing faster as there would be reduced customer diligence requirements, and it would improve investor confidence.

Croatia’s successful removal from grey list shows its commitment to following a methodical, transparent, and sustained effort to comply with and implement FATF recommendations.

Action Plan for Regulated Entities Consequent to Changes in Financial Action Task Force Grey List dated 24th October 2025

– Conduct Enterprise-Wide Risk Assessment and assess the likelihood of ML/TF risks arising from the exposure to the latest FATF Grey List countries.

– Revise risk matrices to flag

South Africa
Nigeria
Mozambique
Burkina Faso

related profiles to appropriate risk ratings while considering other risk factors applicable.

– Ensure Enhanced Due Diligence (EDD) is applied to the customers or suppliers associated with the “FATF defined Jurisdictions subject to increased monitoring”.

– Update internal AML Policies and Procedures to reflect the material changes of FATF Grey List

– Recalibrate the configuration of AML software solutions in proportion with the FATF Grey List updates

– Ensure that screening and submission of Regulatory Reports capture elevated or diluted risks associated with the Grey-Listed countries and mandate escalation as per the updated list.

– Conduct structured training sessions for the employees to educate them with updated procedures for dealing with the customer.

Grey Lists Changes, Your Vigilance Shouldn’t

AML UAE Helps You to Strengthen Your Compliance Requirements with Every FATF Update

Share via :

Croatia, Mali, and Tanzania Removed; Bolivia and Virgin Islands (UK) Added: FATF Grey List June 2025 Update

On 13^th June 2025, the Financial Action Task Force (FATF) concluded its second Plenary. During this Plenary, Croatia, Mali, and Tanzania were removed from the Grey List countries while Bolivia and The Virgin Islands (UK) were added to the FATF Grey List countries, 2025.

FATF is a global leader in efforts against financial crimes such as Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF). FATF conducts extensive research on these financial crimes and sets international standards on Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter Proliferation Financing (CPF). Its primary mandate is to lead and encourage international efforts for the mitigation of ML/TF and PF.

FATF releases a list of “Jurisdictions under Increased Monitoring” colloquially known as the FATF Grey List. This is a list of countries with strategic deficiencies in their AML/CFT/CPF regimes that are actively working with the FATF to address these deficiencies.

To know about the FATF Grey List Update History, check out our blog here.

To understand the differences between FATF Grey List and Blacklist, read our blog here.

Here are the changes FATF made to its Grey List after its latest Plenary:

Updates Made to the Financial Action Task Force (FATF) Grey List on 13th June 2025

Countries Removed from FATF Grey List (Jurisdiction Under Increased Monitoring) on 13th June 2025:

Croatia
Mali
Tanzania

Countries Added to FATF Grey List (Jurisdictions under Increased Monitoring) on 13th June 2025:

Bolivia
Virgin Islands (UK)/BVI

The FATF Grey List as of 13th June 2025: Jurisdictions Under Increased Monitoring as of 13th June 2025

1. Algeria
2. Angola
3. Bolivia
4. Bulgaria
5. Burkina Faso
6. Cameroon
7. Côte d’Ivoire
8. Democratic Republic of Congo
9. Haiti
10. Kenya
11. Laos
12. Lebanon

13. Monaco
14. Mozambique
15. Namibia
16. Nepal
17. Nigeria
18. South Africa
19. South Sudan
20. Syria
21. Venezuela
22. Vietnam
23. Virgin Islands (UK)
24. Yemen

Immediate impact of the FATF Grey List update 13th June 2025 on Regulated Entities:

As a consequence of FATF Grey List June 2025 Update, AML Compliance measures implemented by Regulated Entities need to be revised:

Enterprise- Wide Risk Assessment (EWRA):
Customer Due Diligence (CDD): CDD measures concerning customers or suppliers associated with “FATF defined Jurisdictions Subject to Increased Monitoring”
AML Policies and Procedures:
Recalibrating configuration of AML software solutions

To know more about how the FATF Grey List update triggers changes in a regulated entity’s AML/CFT/CPF compliance process, read our extensive blog on “Impact of FATF Grey List Update on UAE DNFBPs: AML/CFT Compliance Imperatives”

What will be the Implications of FATF Greylisting on the British Virgin Islands (BVI)?

Due to the greylisting of British Virgin Islands (BVI) by FATF, the costs associated with financial transactions originating from and destined to BVI would increase. Further, the businesses would experience slight delays in the processing of transactions by banks as banks and financial institutions adopt a risk-based approach while dealing with high-risk jurisdictions like Virgin Islands (UK).

The obligated entities will have to assess the BVI greylisting impact on its Enterprise-Wide ML/FT risk assessment, take a risk-based approach and align policies and procedures with the revised EWRA.

The reporting entities would also need to change their internal processes in relation to transaction monitoring and customer risk assessment, consequent to the greylisting of BVI.

Further, the BVI-based entities will have to adopt suitable measures to ensure that they have accurate beneficial ownership information about their clients.

How Does Bolivia’s Inclusion on the FATF Grey List Countries 2025 Impact Its Virtual Asset Sector?

The Virtual Asset Sector in Bolivia would be subjected to stringent ML/FT controls consequent to Bolivia’s greylisting by FATF on 13^th June 2025. The government would try to bring in a stringent regulatory framework and stricter supervision of crypto exchanges and crypto assets wallet providers. The obligated entities will have to strengthen their CDD, transaction monitoring, and suspicious transaction monitoring-related controls and have a more comprehensive process for the ultimate beneficial owner identification.

This would result in increased compliance costs for VASPs based out of Bolivia. Banks and financial institutions would adopt a risk-based approach and decide to go for de-risking the relationship.

Due to Bolivia’s inclusion on the FATF Grey List countries 2025, the international businesses dealing with Bolivia in sectors like virtual assets, trade finance, money exchange, and precious metals and stones will reassess their risk, and the Bolivia-based businesses might have to undergo EDD measures.

What Does Removal from the FATF Grey List Mean for Croatia?

Consequent to the removal of Croatia from FATF’s grey list (the list of jurisdictions under increased monitoring), it would benefit Croatia’s economy, and Croatia’s financial institutions will have greater access to international correspondent banking and can resort to relaxed norms around customer due diligence.

The international businesses dealing with Croatia will take a risk-based approach, and they will be exposed to lower compliance risks while dealing with Croatia-based entities. It would make transaction processing faster as there would be reduced customer diligence requirements, and it would improve investor confidence.

Croatia’s successful removal from grey list shows its commitment to following a methodical, transparent, and sustained effort to comply with and implement FATF recommendations.

What should compliance teams do to mitigate risks arising from the greylisting of a country?

Compliance teams should take the following actions to mitigate risks arising out of the greylisting of a country:

Risk Assessment: Review exposure to grey-listed country and update Enterprise-Wide Risk Assessment (EWRA)
Policies & Procedures: Make suitable changes to customer onboarding and screening, as well as enhance due diligence policies and procedures to reflect a country’s new grey list status and the higher risks arising out of it.
Client Communication: Make suitable email templates and KYC templates ready to gather additional information from businesses from grey listed countries.
Ongoing Monitoring: Increase scrutiny of transactions or ownership links involving businesses from grey listed countries.

Don’t Let FATF’s Grey List Update
Catch You Off Guard

AML UAE helps you decode the FATF changes with expert AML services

Share via :

Philippines Removed; Laos and Nepal Added: FATF Grey List February 2025 Update

On 21st February 2025, the Financial Action Task Force (FATF) concluded its February Plenary. During this Plenary, Philippines was removed, and Laos and Nepal were added to the FATF’s Grey List.

FATF is a global leader in efforts against financial crimes such as Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF). FATF conducts extensive research on these financial crimes and sets international standards on Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter Proliferation Financing (CPF). Its primary mandate is to lead and encourage international efforts for the mitigation of ML/TF and PF.

FATF releases a list of “Jurisdictions under Increased Monitoring” colloquially known as the FATF Grey List. This is a list of countries with strategic deficiencies in their AML/CFT/CPF regimes who are actively working with the FATF to address these deficiencies.

To know about the FATF Grey List Update History, check out our blog here.

To understand the differences between FATF Grey List and Blacklist, read our blog here.

Here are the changes FATF made to its Grey List after its latest Plenary:

Updates Made to the Financial Action Task Force (FATF) Grey List in February 2025

Countries Removed from FATF's Grey List (Jurisdiction Under Increased Monitoring):

Philippines

Countries Added to FATF's Grey List (Jurisdictions under Increased Monitoring):

Laos
Nepal

The FATF Grey List as of 21st February 2025

1. Algeria
2. Angola
3. Bulgaria
4. Burkina Faso
5. Cameroon
6. Côte d’Ivoire
7. Croatia
8. Democratic Republic of Congo
9. Haiti
10. Kenya
11. Laos
12. Lebanon
13. Mali

14. Monaco
15. Mozambique
16. Namibia
17. Nepal
18. Nigeria
19. South Africa
20. South Sudan
21. Syria
22. Tanzania
23. Venezuela
24. Vietnam
25. Yemen

Significant Updates to the FATF Grey List for Regulated Entities in UAE

When FATF updates its Grey List, it triggers the necessity for revision and changes in a Regulated Entity’s AML/CFT/CPF compliance program. UAE’s AML/CFT/CPF laws require Regulated Entities to take into account FATF’s Grey List while implementing their AML/CFT/CPF Programs. Regulated entities need to adopt a risk-based approach while engaging with customers from FATF Grey List countries and implement ML/TF and PF risk control measures based on the level of financial crime risks posed by the customer.

Specifically, the FATF Grey List triggers changes in the following components of a regulated entity’s AML/CFT/CPF Program:

Enterprise-Wide Risk Assessment (EWRA)
AML/CFT/CPF Policies, Procedures, and Controls
Customer Due Diligence (CDD) measures for customers from FATF Grey List countries
Configuration of AML software

To know more about how the FATF Grey List update triggers changes in a regulated entity’s AML/CFT/CPF compliance process, read our extensive blog on “Impact of FATF Grey List Update on UAE DNFBPs: AML/CFT Compliance Imperatives”

Don’t Let FATF’s Grey List Update
Catch You Off Guard

AML UAE helps you decode the FATF changes with expert AML services

Share via :

MoEc’s Implementation Guide for DNFBPs on Customer Due Diligence (CDD)

The Ministry of Economy (MoEc) has issued guidelines on Customer Due Diligence for DNFBPs in collaboration with the DNFBP’s Working Group under the Public and Private Partnership Committee. The standards set by the Financial Action Task Force (FATF), along with the industry’s best practices, are incorporated into these guidelines, providing a flexible approach for DNFBPs to meet their statutory obligations within the legal and regulatory environment.

The purpose of the MoEc’s Implementation Guide for DNFBPs on Customer Due Diligence (CDD) is to assist DNFBPs in tackling day-to-day compliance challenges and provide practical guidance in line with international best practices. Here is the summary of the key areas covered in the guideline.

What is Customer Due Diligence (CDD)?

Customer Due Diligence is a process employed by DNFBPs to understand the client profile. It includes measures like client identification and verification, understanding the purpose of business relationships, monitoring transactions, and keeping customer information up-to-date to counter financial crimes.

When do Business Need to Perform CDD?

CDD should be conducted in situations like:

Before starting a business relationship with a customer or during the process of starting a business relationship with a customer, opening an account or conducting transactions.
When the customer is making occasional transactions over AED 55,000, even if split into smaller amounts but seem connected or a transaction made in a single stretch.
Regardless of the stated exemption or threshold, if there’s any suspicion as to money laundering or terrorist financing.
When there are doubts about the veracity or adequacy of the previously provided customer information.

DNFBPs Customer Due Diligence Measures

For All Customers

DNFBPs should confirm and verify the identity of every customer, whether they are individuals, businesses or legal arrangements, through reliable and independent sources.
There must be proper authorisation and identity verification of the person acting on behalf of a customer.
Avoid dealings with any company that lacks genuine transparency or operates like a shell company.
Businesses must recognise and verify the identity of the beneficial owners, those with a significant stake (25% ownership or more) or effective control over the entity.
Gather information and understand the nature and purpose of the customer’s business relationship in order to understand its legitimacy.
Regularly review transactions and KYC information to check if they fit with the customer’s declared activities and risk profile.
Keep customer records updated, especially for customers categorised as high-risk.

For Legal Persons and Legal Arrangements

DNFBPs should understand the ownership and control structure of the customer and determine the nature of the business.
Identify and verify the information of the customer through:
- Details such as name, legal form, Memorandum of Association, office address
- Articles of Association recognised by relevant state authorities
- Names of the people in the senior management

Measures to Identify and Verify Beneficial Owners of the Customers

For Customers that are Legal Persons

Inquire whether any individual holds ownership interest, 25% or more of the company (directly or indirectly).
If it is unclear who is in control, identify individuals who manage or control the company in other ways, like decision-making authorities.
If no natural person can be identified, identify the senior managing official in power.
In the case of a listed company on a stock exchange subject to disclosure requirements or a majorly-owned subsidiary of such a company, the relevant identification data of the shareholders and beneficial owners can be obtained from a public register or the customer or other reliable sources.

For Customers that are Legal Arrangements

The settlor (person who creates the trust), the trustee(s) (person managing the trust), protector (if any), beneficiaries (people benefiting from the trust) or any other natural person with control in case of a trust.
Individuals holding similar positions in other types of legal arrangements.

Timing of Verification

DNFBPs must verify the information of their customers in the early phases of the business relationship, during or before the process of setting up business relationships with the customers. For occasional customers and in some cases if allowed, the verification of the customer identity may be completed after establishing the business relationship provided that:

it is done as soon as possible
it is necessary to avoid disrupting normal business operations.
money laundering and terrorist financing risks are effectively managed.

In the above cases, DNFBPs are required to implement risk management procedures to ensure that they counter ML/TF risks effectively. These measures can include:

Limitation on the number, types, and/or amount of transactions that can be performed
Monitoring of large or complex transactions which do not align with the type of business relationship

CDD for Existing Customers

For existing customers, DNFBPs must review and apply CDD measures depending on the importance of the business relationship and the risk level of the situation. It is important to consider whether the CDD has been conducted in the past and whether the information is still relevant.

When CDD Cannot Be Completed

If a DNFBP is not able to successfully complete the Customer Due Diligence process:

The DNFBP must refuse to start the business relationship or process a transaction.
The business relationship must be terminated if the business relationship has started.
The DNFBP needs to consider submitting a Suspicious Transaction Report (STR).

Avoid “Tipping Off” the Customer

DNFBPs and their staff should refrain from revealing information to anyone if they are filing a Suspicious Transaction Report (STR) with the Financial Intelligence Unit (FIU). In some cases where the DNFBPs suspect ML/TF but asking the customer for additional information will alert them, they are allowed to skip the due diligence process. Instead, they can directly file an STR with the authorities.

Reliance on CDD Measures Already Undertaken

A customer’s identity is not required to be verified for every transaction if their identity has already been verified. However, if there are concerns about the definiteness of the customer’s information, like the transactions do not match the customers’ business profile or there is a sudden increase in the volume of transactions, DNFBPs should reassess the provided information.

Ongoing Customer Due Diligence

Ongoing CDD means continuously monitoring and reviewing customer relationships to comply with regulations and reduce the risk of money laundering, fraud, and other financial crimes. The ongoing customer due diligence transaction process involves:

Continuous Monitoring: Inspecting the transactions and activities of the customer on a regular basis to recognise any unusual or suspicious patterns.
Updating Customer Information: Reexamining and updating customers’ details for any changes to be displayed on their risk profile.
Customer Risk Assessment: Evaluating each customer’s risk level based on their behaviour, transactions, and their geographic location.
Enhanced Due Diligence: Extra precautions when there are high-risk customers and performing strict checks, like taking extra documents or closely examining their transactions.
Training Staff: It is important that the employees know the importance of ongoing CDD and are trained to observe warning signs.
Regulatory Reporting: Following legal rules to report suspicious activities to the authorities.

The frequency of the ongoing monitoring needs to be decided based on the level of risks associated with the customer. High-risk customers need to undergo reviews more often than low-risk customers.

Record-Keeping Requirements

DNFBPs operating in the UAE must keep CDD records, whether physically or digitally, for at least five years after their business relationship with a customer ends.

Records can include identification documents, sanctions screening evidence, business records showing correspondence between the business and customer, and analysis records for background checks in the case of unusual or large transactions are also required to be maintained.

These records are required to keep domestic and international records and details of the customer transactions for the firm to respond to the request from government or regulatory bodies, and these records should be detailed enough to trace any specific transaction to use as evidence for charging somebody of criminal activity.

Guidelines for Record Keeping

The documents collected for customer verification must be from dependable and independent sources, and the information should be current at the time it is obtained. The most dependable documents are those that are hard to forge or obtain illegally, like government-issued IDs and passports, reports from independent business or company registries, audited annual reports and other sources.
All the documents must be clear and readable with a photo identity.
For a copy of documents, they must be verified against the original by an authorised staff member. For the cases where the original document is not available, the copy of the document should be notarised by a notary, lawyer or a qualified professional.
A staff member should provide a summary of the foreign language documents in the familiar language. It is the responsibility of the firm to ensure that they understand the nature and content of the document. The firm can also hire a professional translator to ensure that the document is properly understood.

Simplified CDD

DNFBPs use a risk-based approach to determine the level of Customer Due Diligence required, which means the intensity of the assessments depends on the level of money laundering or terrorism financing risks associated with a customer or transaction. Simplified Due Diligence is only acceptable when the risks are identified as lower based on thorough risk analysis.

When is Simplified Due Diligence Required?

Simplified CDD is allowed when:

A customer is assessed as low-risk after a proper risk analysis.
There is no indication from the customer suggesting money laundering or terrorism financing.
The transactions carried out by the customers are low in value and fit with the customer’s profile.

Simplified CDD measures can not be undertaken when there is a suspicion as to ML/TF or where the associated risks are high.

Enhanced Due Diligence

Enhanced Due Diligence takes into account rigorous inspections, detailed evaluations, and closely monitored activities related to customers that are considered high-risk when the customer or beneficial owner of the customer is a PEP or associated with a PEP.

When is Enhanced Customer Due Diligence Required?

Enhanced Due Diligence is required in situations when a business relationship or transaction suggests a higher risk of money laundering or terrorist financing. These risks can arise from customers’ geographic location, their business activities, or their association with PEPs.

When a customer is identified as high-risk, the intensity and nature of the examination increase to assess whether the transactions or activities are suspicious.

When the Enhanced CDD process is complete for high-risk customers, the senior management is involved in deciding whether to start or continue doing business with them.

For high-risk customers, as a part of the EDD process, the DNFBPs are required to:

Obtain additional information on the customer and beneficial owners
Carry out more frequent CDD measures, and transaction reviews based on the patterns identified and increase the number and timing of controls applied.
Obtain additional information on the intended nature of the business relationship
Verifying Source of Funds and Source of Wealth (Particularly for foreign PEPs)
Obtaining approval of the senior management to commence or continue the business relationship

Summing Up: Implementation Guide DNFBPs on Customer Due Diligence

Customer Due Diligence can be a complex process, but businesses can handle CDD efficiently with the right tools and strategies. MoEc’s Implementation Guidance for DNFBPs on Customer Due Diligence (CDD) provides practical and actionable guidance to DNFBPs in implementing an effective CDD process to counter ML/TF risks effectively.

With our AML expert guidance,

Start your AML compliance journey smoothly.

Share via :

Implementation Guide for DNFBPs on Customer Risk Assessment

The Ministry of Economy is the supervisory authority for Designated Non-Financial Businesses and Professions (DNFBPs) in UAE. It has published the Guide to help DNFBPs effectively comply with their Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) compliance obligations, specifically the following:

Obligation to consider all risk factors to understand the overall risk of financial crimes and determine the required level of risk mitigation measures to be adopted
Obligation to document the risk assessments, update them on a regular basis, and make them available to the regulatory authorities when requested

In this Update, we will discuss the meaning of CRA, its importance, the risk factors that must be considered for a comprehensive CRA, and the steps for implementing an effective CRA as discussed in the Guide.

The Meaning of Customer Risk Assessment (CRA)

The second segment of the Guide discusses how CRA differs from Institutional Risk Assessment (IRA) or Enterprise risk assessment (EWRA), while the third segment of the Guide discusses the meaning of CRA.

Customer Risk Assessment (CRA) is the process of assessing the Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) risks a customer presents. The CRA enables DNFBPs to adopt risk control measures such as Customer Due Diligence (CDD) and ongoing monitoring to mitigate the specific ML/TF and PF risks posed by the customers.

Both CRA and IRA are important parts of the DNFBP’s risk management framework but differ in certain aspects:

Parameter	CRA	IRA
Definition	CRA is the evaluation of ML/TF and PF risks a customer poses to the DNFBP.	IRA or EWRA is the assessment of the overall ML/TF and PF risk exposure of the DNFBP.
Factors to Be Considered	CRA involves considering factors such as customer characteristics, transaction patterns, behavioural analysis, geographic risks, etc.	IRA involves considering internal and external factors such as products, services, transactions, customers, jurisdictions, AML/CFT policies and procedures of the DNFBP, its operational processes, industry-specific risks, etc.
Level	It is conducted at the customer level.	It is conducted at the institutional level.
Purpose	As discussed in the fifth segment of the Guide, the purpose of the CRA is to enable DNFBP to adopt risk mitigation measures that are proportional to the level of ML/TF and PF risks presented by the customers. Therefore, conducting CRA is of immense importance.	The purpose of the IRA is to ensure that the DNFBP can effectively respond to the overall ML/TF and PF risks it faces.

Situations in which Customer Risk Assessment Should Be Conducted

The sixth segment of the Guide discusses the situations in which the CRA is triggered. This includes the following circumstances:

Onboarding of New Clients: CRA should be conducted before the business relationship with a client is created.
Throughout Business Relationships with Clients: CRA should be conducted periodically throughout the business relationship with the clients. The frequency of the CRA can vary according to the customer risk rating.
Change in Customer’s Profile: CRA is triggered whenever there is a change in the Customer’s profile, business relationship with the client changes, the products and services utilised by the client changes, etc.
Change in Risk Factors: CRA should be reconducted whenever there are changes in risk factors due to the National Risk Assessment (NRA) of UAE and the Sectoral Risk Assessments (SRA). This is to ensure that the findings of the NRA and CRA are incorporated into the CRA process.

Other situations that may result in a change in risk factors include amendments in regulations or guidance released by supervisory authorities, finding adverse media related to the Customer, sanctions listing, etc.

Risk Factors to Consider for Customer Risk Assessment

The seventh segment of the Guide discusses the risk factors that should be considered for a comprehensive CRA. A CRA should take into consideration a multiple range of factors to ensure that ML/TF and PF risks posed by the client are detected at an early stage and mitigated through the adoption of appropriate levels of CDD and other risk control measures. It includes the following risk factors:

Customer Related Risks
Geography Related Risks
Product/Services or Transaction-Related Risks
Delivery Channel-Related Risks
Other Applicable Risks

The eighth segment of the Guide discusses the necessity and importance of incorporating the risk factors identified in the NRA and the relevant SRA for a DNFBP.

The ninth segment of the Guide examines the Risk-Based Approach (RBA) and its importance in AML/CFT/CPF compliance. CRA is a facet of the RBA, enabling DNFBPs to categorise customers based on the level of ML/TF and PF risks they pose and adopt risk mitigation measures accordingly. This allows effective allocation of resources by ensuring that more stringent risk control measures are applied for high-risk customers.

For a comprehensive discussion of the factors to be considered for CRA, refer to our infographic here.

Steps for Successful Implementation of Customer Risk Assessment Process

The tenth segment of the Guide discusses the steps of implementing a comprehensive CRA process. Here’s an overview of these essential steps that DNFBPs must incorporate to undertake the CRA process successfully.

Defining Risk Factors:

The first step is to define the risk factors. These risk factors are to be used to assess the ML/TF and PF risks presented by the Customer.

Establishing Risk Levels and Defining Risk Scales and Risk Scores:

This step involves defining a scale for assessing the risk level with respect to each risk factor. For this purpose, risk scores can be utilised.

Creating a Risk Matrix to Represent the Risk Levels:

This step involves the creation of a risk matrix to represent the risk factors, levels, scales, and scores defined in the previous step.

Collecting Relevant Information and Documentation:

After defining their own risk factors and risk scores and creating the risk matrix, the DNFBPs need to use the same information during the CRA process. Therefore, when the Customer is onboarded, the DNFBP needs to collect the relevant information to aid its CRA process. This includes information such as the Customer’s identification documents, business activities, source of funds, information related to the transaction, etc.

Classifying Customers into Risk Categories:

The next step after gathering customer information is using the risk matrix created in Step 3 to categorise the customers in risk categories.

Calculating Customer Risk Scores:

The DNFBP needs to determine the overall risk score to be assigned to the Customer. This can be done in two ways:

Averaging the risk scores assigned to factors
Assigning risk weightage to each factor according to the importance of the factor to the specific DNFBP

Updating Risk Controls Based on Risk Scores:

The purpose of risk categorising customers is to adopt risk control measures that are in proportion to the level of risk that the customer presents. This step involves updating risk control measures as per the risk scores. For example, if the Customer is categorised as belonging to the higher risk category, the DNFBP should adopt suitable risk control measures such as conducting Enhanced Due Diligence, conducting ongoing monitoring of transactions, reporting suspicious activities and transactions, etc.

The Guide provides a detailed list of examples of risk mitigation measures that can be adopted.

Regularly Reviewing and Updating the CRA:

CRA should be regularly reviewed so that any changes in the risk factors are incorporated into the risk matrix.

Documenting the CRA Process:

The entire CRA process should be documented.

Maintaining Audit Trail of all Interactions with the Customer and CRA:

An audit trail must be maintained of all customer interactions, information collected, CRA conducted, risk mitigation measures adopted and its justification, etc.

Implementation Guide for DNFBPs on Customer Risk Assessment: A Summary

The Guide is divided into several segments. Here’s a final summary of the segments for a brief overview:

The first segment introduces the Guide and explains the purpose of conducting a CRA
The second segment discusses the difference between CRA and IRA
The third segment explains the meaning of a CRA
The fourth segment examines the means of high-risk customers and the importance of adopting stringent risk control measures for them
The fifth segment discusses the significance of the CRA process
The sixth segment lays down the situations in which it is necessary to conduct CRA
The seventh segment details the risk factors that must be considered while conducting the CRA
The eighth segment discusses the significance of incorporating the findings of the NRA and SRA for a comprehensive CRA
The ninth segment deliberates upon the implementation of the Risk-Based Approach and its importance in enhancing AML/CFT/CPF controls by focusing resources on higher ML/TF and PF risk areas
The tenth segment lays down a step-by-step approach to implementing the CRA process
The eleventh segment concludes the Guide by reiterating the importance of a comprehensive CRA in mitigating ML/TF and PF risks a DNFBP faces from its customers and meeting AML/CFT/CPF regulatory obligations.

With our AML expert guidance,

Start your AML compliance journey smoothly.

Share via :

Senegal Removed; Lebanon, Algeria, Angola, and Côte d’Ivoire Added: FATF Grey List October 2024 Update

The Financial Action Task Force (FATF) is a global watchdog on Money Laundering, Terrorism Financing, and Proliferation Financing. It releases a list of Jurisdictions under Increased Monitoring, commonly referred to as the Grey List. The FATF also sets international standards related to the Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) regimes.

The Grey List includes countries that are proactively working with the FATF to counter strategic deficiencies in their regulatory framework to combat the threats of ML/TF and PF.

On 25 October 2024, the FATF concluded its October Plenary. In this latest plenary, the FATF removed Senegal from the ‘Grey List’. Senegal’s removal is in recognition of the countries significant progress in improving its AML/CFT/CPF regime.

This plenary also resulted in additions to the ‘Grey List’. The FATF added Algeria, Angola, Côte d’Ivoire, and Lebanon to the ‘Grey List’. These countries are now expected to work with the FATF and address the deficiencies in their AML/CFT/CPF regimes.

This requires modifications to the regulated entity’s internal AML policies and procedures to ensure that adequate Customer Due Diligence measures are applied while engaging with customers from or closely associated with the “FATF-defined Jurisdictions Subject to Increased Monitoring” list, adopting a risk-based approach.

Other updates from this Plenary include:

Adoption of joint FATF GAFILAT mutual evaluation report of Argentina, recognising the improvement Argentina made in its AML/CFT/CPF framework.
Adoption of FATF-MENAFATF assessment of Oman, recognising the positive steps of Oman to improve its AML/CFT/CPF regime with robust technical compliance.
Revision in FATF guidance for National Money Laundering Risk Assessment.
Agreement to release for public consultation proposed revisions to FATF standards, mainly Recommendation 1.
Agreement to strengthen support to regional bodies, for high-quality, consistent evaluations across the global network.
Launching initiative by inviting Senegal and the Cayman Islands to participate actively in the FATF to further engage with the region and acknowledge diverse perspectives.

Changes in Financial Action Task Force (FATF) Grey List

Countries Removed from FATF's Grey List (Jurisdiction Under Increased Monitoring):

Senegal

Countries Added to FATF's Grey List (Jurisdictions under Increased Monitoring):

Algeria
Angola
Côte d’Ivoire
Lebanon

FATF Grey List as of 25th October 2024

1. Algeria
2. Angola
3. Bulgaria
4. Burkina Faso
5. Cameroon
6. Côte d’Ivoire
7. Croatia
8. Democratic Republic of the Congo
9. Haiti
10. Kenya
11. Lebanon
12. Mali

13. Monaco
14. Mozambique
15. Namibia
16. Nigeria
17. Philippines
18. South Africa
19. South Sudan
20. Syria
21. Tanzania
22. Venezuela
23. Vietnam
24. Yemen

Source: Jurisdictions under Increased Monitoring – 25 October 2024

To dive deeper into the FATF Grey List Update History: Refer to FATF Grey List and Blacklist Update History

To learn more about the difference between FATF-blacklisted countries and greylisted countries: Checkout What are FATF Blacklist and Grey list countries?

Wondering How the FATF Blacklist and Grey List
Impact Your AML Compliance?

AML UAE is your trusted partner in ensuring your business keeps pace
with FATF updates in the UAE context

Share via :

FATF Tightens Focus on High-Risk Jurisdictions, Eases Burden on Low-Capacity Nations

The Financial Action Task Force (FATF) is a global Anti Money Laundering/Counter Financing of Terrorism and Counter-Proliferation Financing (AML/CFT and CPF) trendsetter. Its primary objectives are to promote the spreading of the AML spirit worldwide, track the implementation of the FATF Recommendations, and review AML/CFT and CPF trends and Money Laundering, Terrorism Financing, and Proliferation Financing (ML/FT & PF) mitigation measures.

The FATF isn’t empowered to impose fines and penalties against countries that function contrary to such assessment parameters. However, the FATF identifies countries and jurisdictions that have strategic deficiencies in their AML/CFT and CPF regime by publishing two watchlists thrice annually.

These watchlists are known as:

“High Risk Jurisdictions Subject to a Call for Action” often referred to as “FATF blacklist”
“Jurisdictions under Increased Monitoring” often referred to as “FATF Grey list”

The International Cooperation Review Group (ICRG) by FATF identifies and reviews grey-listed countries through a mutual evaluation process.

The FATF published “Procedures: For the FATF AML/CFT/CPF Mutual Evaluations, Follow-Up and ICRG,” which sets forth the procedures on basis of which the mutual evaluation process, follow-up, and ICRG process takes place.

The latest update to these procedures makes way risk focused grey listing approach by:

Increasing the Observation Period for Least Developed Countries (LDCs) from 12 months to two years to update the ICRG assessment body on their progress during review.
- Giving more time to address deficiencies prior to being listed
- LDCs with limited financial sectors will not be listed if they do not pose substantial ML/FT & PF risks.
Prioritising the assessment of regulatory shortcomings in higher-income countries and large financial sector jurisdictions, as their deficiencies pose a substantial threat to the international financial system.

These updated procedures help level the playing field when it comes to ICRG review, which determines whether a jurisdiction must be placed on the grey list.

We help you prepare and implement

a robust Anti-Money Laundering Program.

Effective AML consulting services

make your business dealings brighter, smoother, and better

Share via :

From Name to Risk Profile: Collecting the Right Information for Individual KYC

goAML registration guide

goAML Registration Guide: Key Facts

What is goAML in UAE?

What is goAML registration?

Why should you register on UAE FIU goAML portal?

Who should register with goAML system in UAE?

UAE goAML Registration Deadline

What are the documents required for goAML registration in UAE?

How much does it cost to register for goAML?

UAE goAML Registration Type

What are the steps to register on the goAML Portal in UAE?

Stage 1 of goAML Registration: SACM Registration and Obtaining the Secret Key

Stage 2 of goAML Registration: Completing goAML Registration

UAE FIU goAML Registration Approval

What should I do if I do not receive an email OTP for my goAML Pre-registration request?

What if a business in UAE fails to Register in goAML?

Anti Money Laundering Registration and Subsequent Access to UAE goAML Portal

How to register as a “Person” on the UAE goAML Registration Portal?

Registration on goAML Portal as a “New User”

Approval of the “New User” Request by the Compliance Officer on the goAML Portal

Setting Access Rights for Users on the UAE goAML Portal for registered Reporting Entity?

How to disable an active user on the UAE goAML Portal?

I have forgotten my Password for the UAE goAML Portal. How do I reset it?

I have forgotten my Username for accessing the UAE goAML Portal for 2nd Stage registration. How do I retrieve my FIU UAE goAML Login ID?

Do I get UAE FIU goAML Registration Certificate?

What is the UAE FIU goAML Contact Number?

How do I update the changes in the organizational details on the UAE goAML Portal?

How do I deregister from the UAE FIU goAML Portal?

How to access goAML message board?

How to change MLRO in goAML?

FIU UAE goAML Registration Step-by-Step Guide

Download UAE goAML registration guide: UAE Financial Intelligence Unit (FIU)

FIU UAE goAML Registration Step-by-Step Guide: Video

What is goAML in UAE?

What is goAML registration?

What is goAML system?

How do I register for anti-money laundering in UAE?

How do I log into goAML portal UAE?

What countries use goAML?

How does the goAML work?

How do I login to goAML UAE?

What is FIU reporting in UAE?

How do DNFBPs in UAE get a goAML certificate?

What should I do if I forget my goAML password?

How do I change my organization name/business activity/contact/email/contact person,etc on UAE goAML portal?

How to register for goAML in UAE?

I am not receiving emails from UAE FIU goAML system. What should I do?

Can I delegate my FIU goAML reporting responsibilities to third parties?

Can I change my goAML email as a goAML user?

How do I print an STR/SAR/DPMSR/PNMR/CNMR/REAR before submitting it to the FIU’s goAML portal?

Who approves FIU goAML registration in UAE?

What is the goAML message board?

Who developed the goAML software?

What is UNODC?

What is the contact information of goAML UAE helpdesk?

How to register for anti-money laundering laws in UAE?

What are the benefits of registering with goAML for businesses in the UAE?

Are there any penalties for failing to register with goAML in the UAE?

What are the reporting and compliance obligations for entities registered with goAML in the UAE?

Kuwait and Papua New Guinea Added to FATF Grey List

FATF Grey List February 2026 Update: Kuwait and Papua New Guinea Added to FATF Grey List

Core Updates on Financial Action Task Force (FATF) Grey List in February 2026

Jurisdictions Under Increased Monitoring by FATF as of 13th February 2026: The FATF Grey List as of 13th February 2026

Kuwait has been added to the FATF Grey List: 13th February 2026

Papua New Guinea has been added to the FATF Grey List: 13th February 2026

Regulatory Action Plan for Regulated Entities Subsequent to Changes in FATF Grey List Dated 13th February 2026

South Africa, Nigeria, Mozambique, and Burkina Faso Off from FATF Grey List: October 2025 Plenary

South Africa, Nigeria, Mozambique, and Burkina Faso Off from FATF Grey List: October 2025 Plenary

Updates Made to the Financial Action Task Force (FATF) Grey List on 24th October 2025

The FATF Grey List as of 24th October 2025: FATF Jurisdictions Under Increased Monitoring as of 24th October 2025

Immediate impact of the FATF Grey List update 24th October 2025 on Regulated Entities:

What will be the Implications of FATF Greylisting on the British Virgin Islands (BVI)?

How Does Bolivia’s Inclusion on the FATF Grey List Countries 2025 Impact Its Virtual Asset Sector?

What Does Removal from the FATF Grey List Mean for Croatia?

Action Plan for Regulated Entities Consequent to Changes in Financial Action Task Force Grey List dated 24th October 2025

Croatia, Mali, and Tanzania Removed; Bolivia and Virgin Islands (UK) Added: FATF Grey List June 2025 Update

Croatia, Mali, and Tanzania Removed; Bolivia and Virgin Islands (UK) Added: FATF Grey List June 2025 Update

Updates Made to the Financial Action Task Force (FATF) Grey List on 13th June 2025

The FATF Grey List as of 13th June 2025: Jurisdictions Under Increased Monitoring as of 13th June 2025