Home / Insights / Compliance
Compliance

UAE Anti-Money Laundering Requirements for Corporate Service Providers

The UAE's AML/CFT framework has been transformed since the country's FATF grey-listing in 2022. Corporate service providers operating in the UAE — whether in mainland, DIFC, ADGM, or free zones — now face a significantly more demanding compliance environment. This guide covers what CSPs must do to stay compliant in 2025.

HC
Head of Compliance, CSP Software
24 July 2025 · 8 min read

The UAE AML Landscape for CSPs

The UAE's removal from the FATF grey list in February 2024 followed a significant period of legislative and regulatory reform. For corporate service providers, the practical result of that reform effort is a compliance regime that now more closely resembles the obligations faced by CSPs in established financial centres like Jersey and Singapore than the lighter-touch environment that existed previously. The UAE's Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and its subsequent amendments form the legislative backbone, supported by the Cabinet Decision No. 10 of 2019 on the Implementing Regulations.

CSPs operating in the UAE — including those licensed in mainland UAE, in DIFC, in ADGM, and in free zones such as JAFZA, RAKEZ, and Ajman Free Zone — are classified as Designated Non-Financial Businesses and Professions (DNFBPs) and are therefore subject to the full scope of UAE AML/CFT obligations.

Registration and Supervision

The first compliance requirement for UAE-based CSPs is registration with the appropriate supervisory authority. For mainland-licensed CSPs, this is the Ministry of Economy DNFBP supervision unit. For DIFC entities, the DFSA is the supervisor. For ADGM entities, the FSRA supervises. Free zone CSPs fall under either the Ministry of Economy or their free zone authority depending on the nature of their activities.

All UAE DNFBPs must also register with the goAML system operated by the UAE Financial Intelligence Unit (UAEFIU). GoAML is the platform through which suspicious transaction reports (STRs) and suspicious activity reports (SARs) are submitted. Registration is mandatory and must be completed before any CSP begins operating.

Customer Due Diligence Requirements

UAE AML regulations require CSPs to conduct customer due diligence (CDD) on all clients before establishing a business relationship. The standard CDD measures include:

  • Identity verification: Confirming the identity of the client and any beneficial owners using reliable, independent source documents — passport copies, Emirates ID, corporate documents
  • Beneficial ownership identification: Identifying all individuals who ultimately own or control 25% or more of the client entity (some supervisory guidance suggests a lower threshold of 10% for higher-risk clients)
  • Source of funds and wealth: Understanding the origin of the funds used in the business relationship, particularly for higher-risk clients
  • Business relationship purpose: Documenting the intended nature and purpose of the relationship
  • Ongoing monitoring: Keeping CDD information current and monitoring transactions for consistency with the stated business profile
Enhanced Due Diligence Triggers

UAE regulations require enhanced due diligence (EDD) for PEPs and their family members, high-risk countries, complex ownership structures, and clients with unusual transaction patterns. EDD must include senior management approval and more frequent ongoing monitoring.

Risk Assessment and AML Policy

Every UAE CSP must maintain a written risk assessment of its business, covering the money laundering and terrorist financing risks it faces by client type, service type, geographic exposure, and transaction type. This risk assessment should be reviewed at least annually and updated when there are material changes to the business.

Linked to the risk assessment, CSPs must have documented AML/CFT policies and procedures that are approved by senior management and communicated to all relevant staff. These policies must cover: client acceptance criteria, CDD procedures, EDD procedures, transaction monitoring, STR reporting procedures, record-keeping requirements, staff training, and the role of the Money Laundering Reporting Officer (MLRO).

The MLRO: A Mandatory Appointment

UAE regulations require every DNFBP to appoint a Money Laundering Reporting Officer at a sufficiently senior level. The MLRO is responsible for receiving internal STR disclosures from staff, assessing those disclosures, and deciding whether to escalate them as an STR to the UAEFIU via goAML. The MLRO must have adequate seniority, independence, and resources to perform this role effectively. In practice, for smaller CSPs, this is often a senior compliance professional; for larger firms, a dedicated compliance function.

Sanctions Screening

UAE CSPs must screen all clients and transactions against relevant sanctions lists, including the UAE's local terrorism and proliferation financing designations, UN sanctions, and other applicable international sanctions regimes (OFAC, EU, UK). Screening must occur at onboarding and on an ongoing basis as lists are updated — typically this means daily or near-real-time screening against list updates.

Manual sanctions screening against static lists is no longer adequate for a professional CSP operation. Automated screening tools that receive daily list updates and flag matches for human review are the baseline expectation of UAE supervisors.

goAML Reporting: STRs and SARs

When a UAE CSP identifies a transaction or activity that gives rise to a suspicion of money laundering, terrorist financing, or sanctions evasion, it must submit a Suspicious Transaction Report (STR) through the goAML system promptly — typically within 24-48 hours of forming the suspicion. There is no minimum threshold for reporting; the obligation is triggered by suspicion, not by transaction value.

CSPs must also submit Cash Transaction Reports (CTRs) for cash transactions above AED 55,000. Whilst most professional CSPs deal primarily in non-cash transactions, the CTR obligation applies to any qualifying cash receipt.

"UAE supervisory authorities have significantly increased their inspection activity post-grey list. CSPs that treated AML compliance as a paper exercise rather than an operational reality are being identified and sanctioned. The expectation is now a genuinely functioning compliance programme."

Record Keeping

All CDD records, transaction records, and STR-related documentation must be retained for at least five years from the end of the business relationship or from the date of the transaction. Records must be retrievable promptly in response to a supervisory enquiry — meaning they must be organised and searchable, not buried in email archives.

Technology for UAE AML Compliance

Managing UAE AML obligations across a client portfolio without technology support creates unacceptable operational risk. CSP Software's compliance module supports UAE-specific AML workflows — automated client screening against sanctions lists, CDD record management with expiry tracking, MLRO workflow for STR escalation, and audit trails that demonstrate compliance with regulatory requirements. The system maintains the documentary evidence needed to demonstrate compliance during a supervisory inspection.

UAE AML/CFT DNFBP goAML Sanctions Screening CDD
Keep Reading
Compliance
KYC and AML Automation for Corporate Service Providers: 2026 Guide
Regulatory
DIFC Corporate Services Update 2025: What Every CSP Needs to Know
Compliance
Customer Due Diligence Automation: Cutting CDD Time by 60%