May 03, 2024
8 min read

AML/KYC Guide to The UAE—New Laws and Regulations for 2024

Learn how to stay compliant with the latest Anti-Money Laundering (AML) regulations in the United Arab Emirates (UAE)

The UAE is a global hub for international trade and finance. The country has several free trade zones that attract big business but also pose risks for money laundering and terrorist financing. To keep these threats at bay, the UAE maintains strict AML laws and regulations.

The UAE has taken significant steps in strengthening its AML regulations over the past several years. This includes the establishment of aSpecialized Money Laundering Court. As a result,the Financial Action Task Force (FATF) stated in February 2024 that the UAE is no longer subject to increased monitoring .

The UAE is set to continue improving its AML regulations. Therefore businesses that operate in the country need to ensure they stay up to date with the requirements. That’s why Sumsub prepared this guide to help businesses navigate the compliance process.

Who’s affected

Both domestic and international companies operating in the UAE need to follow AML-CFT Law. There are three main categories of companies that must comply:

  • Financial institutions;
  • Designated non-financial businesses and professions;
  • Non-profit organizations.

Complying with regulations can be easier for your company with Sumsub’s complete AML/KYC solution. Download a demo today.

Financial Institutions

All financial institutions (FIs) must comply if they conduct one or several of financial activities or operations on the customer’s behalf. These include:

  • Receiving deposits and other funds that can be paid by the public, including deposits in accordance with Sharia Law (Islamic religious law);
  • Providing private banking services, cash brokerage services, credit facilities of all types;
  • Providing currency exchange and money transfer services, stored value services, electronic payments for retail and digital cash, virtual banking services;
  • Issuing and managing means of payment, guarantees, or obligations;
  • Trading, investing, operating or managing funds, options contracts, futures contracts, exchange rate and interest rate transactions, other derivatives or negotiable financial instruments;
  • Participating in issuing securities and providing financial services related to these issues;
  • Managing and saving funds and portfolios of all kinds.

This list is not exhaustive as the regulating authorities have the right to include additional activities or financial transactions to the list.

Designated Non-Financial Businesses and Professions

Designated Non-Financial Businesses and Professions (DNFBPs), similar to FIs, conduct financial activities on behalf of their customers. DNFBPs usually include the following types of businesses:

  • Brokers and real estate agents;
  • Dealers in precious metals and precious stones in carrying out any single monetary transaction or several transactions that appear to be interrelated or equal to more than AED 55,000 (approximately $15,000);
  • Lawyers, notaries, and other independent legal professionals and independent accountants, when preparing, conducting or executing financial transactions for their customers;
  • Providers of corporate services and trusts upon performing or executing a transaction on behalf of their customers;
  • Other professions and activities which shall be determined by a decision of the Minister.

It should be noted that only lawyers and corporate servers providers that act on behalf of their customers are affected by the regulations. For example, legal professionals who manage funds owned by their clients fall into the category of DNFBPs.

Non-profit organizations

Non-profit organizations (NPOs) are defined as any organized group of a continuing nature set for a temporary or permanent period, comprising natural or legal persons or not-for-profit legal arrangements.
Unlike FIs and DNFBPs, NPOs have very limited obligations under legislation.

Who’s the regulator?

In August 2020, the Central Bank of the UAE (CBUAE) established a special department to regulate all matters related to Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT). Previously, such operations were conducted by the Banking Supervision Department.

This Anti-Money Laundering and Combating the Financing of Terrorism Supervision Department (AMLD) is concerned with three main objectives:

  • Examining Licensed FIs;
  • Ensuring adherence to the UAE’s AML/CFT legal and regulatory framework;
  • Identifying threats, vulnerabilities, and emerging risks to the UAE’s financial sector.

The AMLD cooperates with the UAE’s National AML/CFT Committee and the Examination Division of the Banking Supervision Department. Additionally, the AMLD mediates between CBAUE and the domestic stakeholders.

There are other authorities that deal with AML/CFT activities, including the Securities and Commodities Authority and bodies that solely operate within special economic areas, such as the Dubai International Financial Center and federal and local supervisory and law enforcement authorities.

What are the main regulations?

There are a variety of laws on AML/CFT activities in the UAE. The most important are: 

  • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations (the “AML-CFT Law” or “the Law”)
  • Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations (the “AML-CFT Decision” or “the Cabinet Decision”)
  • Cabinet Decision No. (58) of 2020 Regulating the Beneficial Owner Procedures
  • Cabinet Resolution No. (53) of 2021 Concerning the Administrative Penalties against Violators of The Provisions of the Cabinet Resolution No. (58) of 2020 Concerning the Regulation of Beneficial Owner Procedures
  • Cabinet Decision No. (16) of 2021 Regarding the Unified List of the Violations and Administrative Fines for the Said Violations of Measures to Combat Money Laundering and Terrorism Financing that are Subject to the Supervision of the Ministry of Justice and the Ministry of Economy
  • Cabinet Resolution No. (74) of 2020 regarding the Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing, and Relevant Resolutions

According to the AML-CFT Law, a person acts unlawfully is they knowingly commit one of the following crimes:

  1. Transferring or transporting proceeds of crime with intent to conceal or disguise its illicit origin;
  2. Concealing or disguising the true nature, origin, location, way of disposition, movement or rights related to any proceeds or the ownership thereof;
  3. Acquiring, possessing or using such proceeds;
  4. Assisting the perpetrator of the predicate offense to escape punishment.

To provide a better understanding of all the regulations, the UAE government has published special guidelines for FIs and DNFBPs.

How to stay compliant

To stay compliant with all the regulations, businesses should monitor customer transactions, ensure that they provide authentic data, and report suspicious cases.

Below, we talk about the major requirements, reporting process, and penalties in detail.

Customer Due Diligence requirements

FIs and DNFBPs are required to undertake appropriate risk-based Customer Due Diligence (CDD) measures, including, among other things, understanding the nature of the customer’s business and the purpose of the transaction in the cases specified in Article 6 of the AML-CFT Decision. Such cases include:

  • Carrying out occasional transactions in favor of a customer for amounts equal to or exceeding AED 55,000 (approximately $15,000), whether the transaction is carried out in a single transaction or in several transactions that appear to be linked;
  • Carrying out occasional transactions in the form of wire transfers for amounts equal to or exceeding AED 3,500 (approximately $950);
  • Having suspicion of a crime;
  • Having doubts about the veracity or adequacy of identification data previously obtained with regard to the customer.

FIs are obliged to enhance their CDD measures concerning customers identified as high-risk, which the AML/CFT Decisions divides into multiple categories. These include Politically Exposed Persons (PEPs), customers associated with high-risk countries, and correspondent banking institutions.

Simplified Customer Due Diligence and Enhanced Due Diligence

FIs can exercise Simplified Customer Due Diligence measures (SDD) concerning customers identified as low-risk. Elements of SDD include, but are not limited to:

  • “A reduction in verification requirements with regard to customer or Beneficial Owner identification;
  • Fewer and less detailed inquiries regarding the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds, and the pursuit of individual transactions;
  • More limited supervision of the Business Relationship, including less frequent monitoring of transactions and less frequent review/updating of customer due diligence information.”

There’re also Enhanced Due Diligence (EDD) measures, which involve more rigorous CDD measures applied towards high-risk customers:

  • “Increased scrutiny and higher standards of verification and documentation;
  • More detailed inquiry and evaluation of reasonableness in regard to the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds, and the purpose of individual transactions;
  • Increased supervision of the Business Relationship, including the requirement for higher levels of management approval, more frequent monitoring of transactions, and more frequent review and updating of customer due diligence information.”

Suspicious activity reporting

Certain obligations need to be fulfilled by FIs in case they detect any suspicious activity related to ML/FT operations.

FIs are obliged to report transactions “without any delay” to the Financial Intelligence Union (FIU) when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing, or benefitting from a crime.

There is no minimum reporting threshold and no statute of limitations concerning ML/FT crimes or reporting of suspicious transactions. Under federal law and regulations, whether the FI operates in the mainland UAE or in a Financial or Commercial Free Zone, the designated Competent Authority for reporting suspicious transactions is the FIU.

Suspicious ML/FT activities should be reported to the FIU through the GoAML portal. All related companies should be registered on the portal. A complete guide on how to register is available here.

Data retention requirements

Depending on the circumstances, the statutory retention period for all records is at least five years, from the date of the most recent of any of the following events:

  • Termination of the Business Relationship or the closing of a customer’s account with the supervised institution;
  • Completion of a casual transaction (in respect of a customer with whom no Business Relationship is established);
  • Completion of an inspection of the records by the Supervisory Authorities;
  • The issue date of a final judgment by the competent judicial authorities;
  • Liquidation, dissolution, or other forms of termination of a legal person or arrangement.

The records that FIs are obliged to keep can be separated into two categories: financial transaction records and CDD records.

Know Your Customer

Businesses need to follow Know Your Customer (KYC) requirements when working with their customers. Know Your Customer (KYC) is the process of identifying and verifying customers. To verify personal data, businesses need to collect different types of documents from individual customers and companies:

Individual customers:

  • ID or travel document;
  • Proof of Residential Address.

Companies:

  • ID/travel document for all shareholders with 25% and more shares;
  • Proof of Operating Address in the UAE (utility bill or other bank statements from last three months);
  • Trade License or Certificate of Incorporation;
  • Memorandum & Articles of Association;
  • Resolution of the Board of Directors to open an account; identification of those who have authority to operate the account.

If you want to stay compliant with AML regulations in the UAE, contact Sumsub today to get consulted on our AML/KYC solutions.

Penalties

If FIs fail to report suspicious activities, their managers or employees may be subjected to imprisonment and fines between AED 100,000 (approximately $27,200) and AED 1,000,000 (approximately $272,000). For violating other AML/CFT requirements, companies may face imprisonment or fines between AED 10,000 (approximately $2,720) and AED 100,000 (approximately $27,200). For DNFBPs, the fines range from AED 50,000 to AED 200,000.

In 2021, the CBUAE announced that it imposed financial sanctions on 11 UAE banks for failing to comply with AML/CFT regulations.

What is goAML?

goAML is a special application created by the United Nations Office on Drugs and Crime (UNODC). It aims to combat money laundering, terrorism financing, and other types of financial crimes. The app is actively employed by the UAE’s FIU to collect data and check information regarding suspicious activities.

All FIs, DNFBP, and VASPs are required to register on the goAML portal as part of their compliance procedures. Without this application, companies won’t be able to file reports (e.g., suspicious activity reports) with the FIU. 


AML solutions in the UAE

It’s clear that the UAE will continue introducing new measures to minimize the threat of money laundering, terrorist financing, and other illegal activities in the country. Therefore, it’s essential for all types of businesses to ensure they’re compliant with all relevant regulations. Sumsub will continue to monitor developments in the UAE’s AML/CFT requirements. 

There’s a variety of solutions companies can employ in order to stay compliant with AML regulations in the UAE. For example, Sumsub enables companies to tailor verification to different customer groups through a wide selection of checks, including ID verification, Liveness, Proof of Address and more. 

Download our UAE Compliance Guidelines to get insights about the country’s jurisdictions. In this edition, learn about the legal requirements for customer identification, verification, and due diligence measures for non-face-to-face business relations in the UAE.

Download the Guidelines

FAQ

  • What is the AML policy of the UAE?

    The AML-CFT Law and the AML-CFT Decision set out the minimum statutory obligations as follows:

    • Identifying, assessing, understanding risks

    • Defining the scope of and taking necessary due diligence measures

    • Appointing a compliance officer in accordance with the requirements of the relevant Supervisory Authority

    • Putting in place adequate management and information systems, internal controls, policies, procedures to mitigate risks and monitor implementation

    • Putting in place indicators to identify suspicious transactions

    • Reporting suspicious activity and cooperating with Competent Authorities

    • Promptly applying directives of Competent Authorities for implementing UN Security Council decisions under Chapter 7 of the UN Convention for the Prohibition and Suppression of the FT and Proliferation

    • Maintaining adequate records

  • What is the AML threshold in the UAE?

    FIs and DNFBPs are required to undertake appropriate risk-based Customer Due Diligence (CDD) measures in several cases, one of which is carrying out transactions for amounts equal to or exceeding AED 55,000 (approximately $15,000).

  • Is the UAE a high-risk country for AML?

    In February 2024, the Financial Action Task Force (FATF) dropped the UAE from the gray zone, stating that the country has improved its AML policies and is no longer subject to increased monitoring.

  • What is KYC in the UAE?

    To verify personal data, businesses need to collect different types of documents from individual customers and companies. Individual customers need to provide:

    • An ID or travel document

    • Proof of residential address

    Meanwhile, companies have to provide:
    • ID/travel documents for all shareholders with 25% and more shares

    • Proof of Operating Address in the UAE (utility bill or other bank statements from last three months)

    • Trade License or Certificate of Incorporation

    • Memorandum & Articles of Association

    • Resolution of the Board of Directors to open an account

Subscribe to continue reading

Enter your email address to get access to the full article

By providing your email you consent to receiving our newsletter. For further information please see ourPrivacy Notice

AMLFinancial InstitutionsKYCPenaltiesReportingRisk-Based ApproachUAE