A Guide to AML/CFT Compliance and Reporting in the UAE
An overview of UAE Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) compliance requirements, reporting best practices, area-wise supervisory authorities.
Introduction
This guide provides an overview of Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) compliance requirements for Financial Institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs) in the UAE. It outlines the legal framework, key obligations, risk factors, potential sanctions for non-compliance, and the roles of different entities in maintaining AML/CFT standards.
The UAE National Anti-Money Laundering and Combatting the Financing of Terrorism and Financing of Illegal Organizations Committee (NAMLCFTC) serves as the primary authority responsible for policymaking and issuing regulations aimed at combating money laundering and the financing of terrorism in the UAE.
Definition of money laundering
Money laundering is defined as a series of acts committed by a person who is aware that their funds are derived from criminal activities (felony or misdemeanor). Specific acts considered money laundering include:
- Transferring or moving proceeds: Conducting transactions to conceal or disguise the illegal source of funds.
- Concealing true nature: Hiding the true nature, source, or location of the proceeds.
- Acquiring or possessing proceeds: Acquiring, possessing, or using funds upon receipt.
- Assisting the perpetrator: Helping the offender of the underlying crime evade punishment.
Legal implications:
- Money laundering is treated as an independent crime, meaning individuals can be prosecuted for money laundering regardless of the outcomes of any associated predicate offenses.
- The prosecution does not require proof of the illicit source of the funds to convict the perpetrator of the underlying offense, which explains the seriousness of money laundering in UAE law.
Legal framework
The UAE has established a robust legal framework for AML and CFT through the AML-CFT Law and related decisions. This framework designates the financing of terrorism and illegal organizations as criminal offenses, subject to severe penalties.
Historical context
- Initial Legislation (1987): Possession or concealment of criminal proceeds was first recognized as a crime in the UAE.
- First AML Law (2002): The UAE introduced Federal Law No. (4) of 2002, the first special penal legislation criminalizing money laundering, aligning with international agreements and recommendations.
Amendments and updates
- 2014 Amendments: The 2002 legislation was amended, and executive regulations were introduced to comply with updated Financial Action Task Force (FATF) recommendations.
- Federal Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations: Issued in preparation for the second round of mutual evaluations by the Middle East and North Africa Financial Action Task Force (MENAFATF), this law repealed the previous 2002 law and included enhanced measures for AML/CFT.
- Cabinet Decision No. (10) of 2019 9 concerning the Implementing Regulation of Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations: Provided executive regulations to support the implementation of Federal Decree Law No. (20) of 2018.
- AML and Sanctions Rules and Guidance issued by the Financial Services Regulatory Authority for units in ADGM.
- AML/CFT and Sanctions Module – Rulebook issued by the Dubai Financial Services Authority for units in DIFC.
- Other guidelines issued by the regulatory authorities (like the Central Bank of UAE, Ministry of Economy, Ministry of Justice, Virtual Asset Regulatory Authority, etc.)
Recent developments
- Federal Decree Law No. (26) of 2021: Amended provisions of Federal Decree Law No. (20) of 2018 to ensure ongoing alignment with international recommendations and to address operational challenges.
- Cabinet Decision No. (24) of 2022: Made further amendments to the executive regulations established by Cabinet Decision No. (10) of 2019.
- Federal Decree Law No. (7) of 2024: Introduced additional amendments to Federal Decree Law No. (20) of 2018, establishing:
- The National Committee to Combat Money Laundering, Financing of Terrorism, and the Financing of Illegal Organizations (NAMLCFT).
- The Higher Committee Overseeing the National Strategy on Anti-Money Laundering and Countering the Financing of Terrorism.
UAE Strengthens Anti-Money Laundering and Counter-Terrorism Financing Framework
As of September 23, 2024, the UAE Cabinet has approved a resolution replacing the Executive Office of the Anti-Money Laundering and Countering the Financing of Terrorism (AML/CTF) with the newly established National Anti-Money Laundering and Combating Financing of Terrorism and Illegal Organisations Committee (NAMLCFTC). This committee will assume all the rights and obligations previously held by the Executive Office.
The transition, which took place in accordance with Federal Decree Law No. (7) of 2024, also mandates that all employees of the Executive Office be transferred to the NAMLCFTC.
As part of the reforms, a General Secretariat has been established within the NAMLCFTC, tasked with overseeing the implementation of the national strategy on anti-money laundering and countering the financing of terrorism. This move reflects the UAE’s ongoing commitment to protecting both its domestic and international financial systems from illegal activities.
The creation of the NAMLCFTC aims to enhance coordination and communication between local and federal institutions, as well as improve international cooperation. This effort is seen as a vital step in reducing financial crime risks while reinforcing the UAE’s position as a leading global financial hub, promoting economic sustainability, and ensuring compliance with global standards.
Obligations of financial institutions
Financial institutions must adhere to the following compliance requirements:
- GoAML registration: Register with the UAE Financial Intelligence Unit (FIU) using the GoAML system. This system facilitates the reporting of suspicious transactions and streamlines communication with the FIU.
- Appointment of AML/CFT Compliance Officer: Designate a qualified individual responsible for overseeing AML/CFT compliance. The officer should have the necessary authority, resources, and access to senior management.
- AML business risk assessment: Conduct an initial assessment of business risks and update it periodically to reflect changes in the business environment, emerging risks, and regulatory requirements.
- Internal policies, controls, and procedures: Define and regularly update internal AML/CFT policies and procedures, ensuring they align with regulatory requirements and best practices.
- Know your customer (KYC): Implement robust KYC measures for both natural persons and businesses to verify their identities and assess their risk profiles.
- Screening: Screen clients against the United Nations Security Council (UNSC) consolidated list and the UAE local list:
- Full match: For existing customers, freeze funds, block all transactions, classify as high-risk, and submit a Fund Freeze Report (FFR). For potential customers, reject them and classify as high-risk.
- Partial match: Classify customers as high-risk, suspend all transactions, and submit a Partial Name Match Report (PNMR) if any suspicion is observed.
- Risk profiling: Assess customer risk based on their behavior, structure, screening results, geography, product/service/transaction, and delivery channel to identify potential red flags.
- Enhanced due diligence (EDD): Obtain the source of funds and wealth from higher-risk customers, ensuring that the first payment is processed through an account in the client’s name. Senior management approval is required before conducting business with high-risk customers.
- Submit STR/SAR: Submit Suspicious Transactions Reports (STRs) or Suspicious Activity Reports (SARs) to the FIU whenever suspicion arises regarding potential money laundering or terrorist financing activities.
- Record keeping: Maintain detailed records of customers and financial transactions for a minimum of five years, ensuring that records are readily available for audits and regulatory inspections.
- Other requirements:
- Provide an Annual AML/CFT Risk Assessment Report.
- Regularly report to senior management on AML/CFT compliance and risk issues.
- Submit High-Risk Country Transaction Report (HRC) or High-Risk Country Activity Report (HRCA) reports for transactions with customers from high-risk countries.
- Conduct mandatory AML training for the Compliance Officer and staff on a regular basis to ensure awareness of emerging risks and compliance requirements.
What is the role of the UAE Financial Intelligence Unit (FIU)?
- Analysis of transactions: The FIU is responsible for analyzing suspicious transactions and activities that may relate to money laundering, terrorism financing, and other criminal activities.
- Data sources: It relies on data and reports from financial institutions (FIs) and designated non-financial businesses and professions (DNFBPs) to identify and address suspicious activities.
- Collaboration and partnerships: The FIU promotes collaboration with local, regional, and international stakeholders to enhance the effectiveness of combatting financial crimes. This includes developing shared network platforms for knowledge sharing and strategic partnerships aimed at combating money laundering and terrorism financing.
Customer Due Diligence (CDD) Measures
Risk-based Customer Due Diligence (CDD) measures are essential for financial institutions to mitigate money laundering and terrorist financing risks. Key components include:
- Customer identification: Verify the identities of customers, beneficial owners, beneficiaries, and controlling persons using reliable sources.
- Screening: Check customers against international financial sanctions lists, especially in higher-risk situations.
- Understanding the business relationship: Gain insight into the purpose of the relationship and the structure of the customer’s business.
- Monitoring: Continuously oversee the business relationship to ensure transaction consistency with gathered information.
- Transaction scrutiny: Analyze transactions to confirm alignment with the customer’s risk profile and source of funds.
- Document updates: Regularly review and update CDD records, especially for high-risk customers.
For higher-risk scenarios, EDD is required, which includes verifying the source of funds. FIs should adopt a risk-based approach when developing CDD policies, considering outcomes from risk assessments and ensuring documentation and approval from senior management. Overall, these measures should be proportional to the identified risks and effectively communicated within the organization.
Appointment and responsibilities of the Compliance Officer
Appointment
Financial institutions (FIs) must proactively identify and manage conflicts of interest involving:
- Internal relationships: This includes ensuring independence between the FI, its personnel (including the compliance officer, i.e., CO), and its customers.
- CO and management: The CO should be positioned independently within the organization, allowing for informed decision-making without undue pressure, essential for addressing money laundering and terrorist financing risks.
The AML-CFT Decision requires that the appointment of a CO is approved by the relevant Supervisory Authority. Some FIs may also appoint a Money Laundering Reporting Officer (MLRO).
When establishing the CO’s competencies and reporting structures, FIs should consider:
- Results of the National Risk Assessment (NRA) and topical risk assessments.
- Characteristics of their industries, businesses, products, services, and customer segments.
- Governance frameworks and management structures that support compliance functions.
- Specific responsibilities of the CO role.
Additionally, FIs may consult with Supervisory Authorities, professional associations, and industry peers to enhance the effectiveness of their compliance officer and overall AML/CFT program.
Tasks
The CO’s responsibilities can be categorized as follows:
- ML/FT reporting: The CO is responsible for reviewing, scrutinizing, and reporting Suspicious Transaction Reports. This includes detecting transactions related to money laundering, terrorist financing, and illegal organizations, as well as reporting suspicions to the FIU and cooperating with Competent Authorities in their AML/CFT duties.
- AML/CFT program management: The CO ensures the quality, strength, and effectiveness of the financial institution’s AML/CFT program. The CO plays a key role in the FI’s ML/FT business risk assessment and the overall AML/CFT risk mitigation framework, including policies, controls, and Customer Due Diligence measures. The CO is responsible for informing and reporting on compliance levels to senior management and the relevant Supervisory Authority.
- AML/CFT training and development: The CO works to establish and maintain a strong AML/CFT compliance culture within the FI. This includes collaborating with senior management and stakeholders to ensure that the FI’s staff are well-trained, equipped, and aware of their responsibilities in combating the threats posed by money laundering and terrorist financing.
Customer Identification Measures
The core components for customer identification remain consistent across cases and include:
- Personal data: This encompasses the customer’s name, passport or identity card number, issuing country, issuance and expiry dates, nationality, date and place of birth (or establishment/incorporation for legal entities).
- Principal address: This involves verifying the permanent residential address for individuals or the registered address for legal entities.
For natural persons:
- Identity verification: Verification should rely on original, government-issued documents. If not possible, use multiple independent sources. For UAE ID verification, FIs must utilize the Federal Authority for Identity & Citizenship’s online validation gateway and retain a copy of the ID along with its digital verification. Any lack of official documents should be noted as a risk factor in the customer’s ML/FT risk classification.
- Alternative verification: Digital identification systems may be used, provided they ensure accuracy through adequate governance and technology. The FATF Guidance on Digital Identity (March 2020) offers insights on assessing the reliability of such systems.
- Identification data: Should include name, nationality, date and place of birth, and national identification number.
- Foreign nationals: When verifying identities, FIs should only request legally valid identification documents from relevant jurisdictions. For high-risk foreign nationals, authenticity validation of identification documents is crucial, which may involve:
- Consulting the relevant embassy or issuing authority.
- Utilizing applications to validate machine-readable zones (MRZs) or biometric data on foreign ID documents.
- Address verification: Acceptable documentation includes:
- Utility bills or account statements (electricity, water, gas, telephone).
- Government-issued documents (municipal tax records).
- Property agreements (purchase, lease, rental).
- Documents from supervised financial institutions (bank statements, credit/debit card statements, insurance policies).
In cases where natural persons lack documentation in their name (e.g., shared accommodation), reasonable evidence may be accepted. This could include letters from employers or educational institutions confirming the address.
For legal persons and arrangements:
- Verification of authorized representatives: Besides verifying customers, FIs must identify individuals legally empowered to act on behalf of customers, such as:
- Signatories or authorized personnel with remote access to accounts.
- Legal guardians of minors or incapacitated individuals.
- Legal representatives, including attorneys or liquidators.
- Acceptable authorization documents: These may include:
- Legally valid power of attorney.
- Board resolutions from the governing body.
- Documents from official registries evidencing ownership or authorization.
- Court orders or official decisions.
- Document certification procedures: FIs should implement procedures for certifying customer identification and address documentation, which may involve:
- Certification by FI employees, including their name, position, date, and signature on document copies.
- Third-party certifications stating the documents are true copies of the originals. For documents from Hague Apostille Convention countries, Apostille certification should be requested.
- Four-eyes principle: Whenever feasible, incorporate a review by at least two people in verifying customer identification and CDD information, as well as in data entry processes.
Obligations of designated non-financial businesses and professions (DNFBPs)
DNFBPs, including real estate agents, dealers in precious metals and stones, lawyers, accountants, and notaries, must also comply with AML/CFT requirements. Their obligations include:
- GoAML registration: Register with the UAE FIU using the GoAML system. This system facilitates the reporting of suspicious transactions and streamlines communication with the FIU.
- Customer due diligence: Similar to FIs, DNFBPs must perform CDD by verifying the identities of clients and assessing the risk associated with the business relationship.
- Record keeping: Maintain comprehensive records of transactions and client identification documents for at least five years.
- Reporting obligations:
- Submit STRs/SARs to the FIU if there are suspicions of money laundering or terrorist financing.
- Dealers in Precious Metals and Stones Report (DPMMSR) to be submitted to report transactions equal to or exceeding AED 55,000 in cash or wire transfer along with identification documents.
- Real Estate Activity Report (REAR) to be submitted by lawyers and real estate brokers/agents about the purchase and sale of freehold real estate above the specified amount involving cash or virtual assets.
- Ensure that any reporting is done without alerting the client or involved parties to the report.
- Risk assessment: Conduct a risk assessment of the business and its clients to identify potential vulnerabilities related to AML/CFT.
- Policies and procedures: Establish and implement internal policies, controls, and procedures to comply with AML/CFT regulations and ensure staff training on these policies.
- Independent audit: DNFBPs may also be required to appoint an independent auditor to evaluate their compliance with AML/CFT regulations and submit findings to the authorities.
What is the goAML System?
- Development and purpose: The goAML system was developed by the United Nations Office on Drugs and Crime (UNODC) to enhance efforts in combatting money laundering and terrorism financing.
- Functionality: It serves as an integrated platform for the FIU to efficiently receive, analyze, and distribute suspicious transaction reports (STRs).
- Global use: Many financial intelligence units worldwide utilize the goAML system, and the UAE is the first Gulf country to adopt this modern tool.
- Who should register on the goAML: goAML registration us mandatory for financial institutions, DNFBPs, and virtual asset service providers.
- Documentation requirements: Authorization letter for appointment of the AML Compliance Officer; a copy of the passport, Resident visa, or Emirates ID of the person filing the registration application; and a copy of the Commercial/Trade License of the entity.
AML supervisory authorities in the UAE
AML Supervisory Authorities in the UAE |
||
Area or nature of operations | Supervisory authority | Reporting authority |
Entities based in the UAE mainland (not FIs) | Ministry of Economy | Financial Intelligence Unit
(FIU) |
Financial institutions | Central Bank of UAE | |
UAE capital market
Virtual asset service providers other than in Dubai and Abu Dhabi Global Market (ADGM) |
Securities & Commodities Authority | |
Entities based in the Dubai International Financial Center (DIFC) | Dubai Financial Services Authority (DFSA) | |
Entities operating in ADGM | ADGM Financial Services Authority (FSRA) or ADGM Regulatory Authority (ADGMRA) | |
Lawyers and legal consultants | Ministry of Justice
|
|
Virtual asset service providers operating in Dubai (except in DIFC) | Dubai’s Virtual Asset Regulatory Authority (VARA) |
Money laundering phases
Understanding the three phases of money laundering is critical for compliance:
- Placement: Introduction of illicit funds into the financial system using various methods, such as blending funds, currency smuggling, and breaking up amounts.
- Layering: Disguising the origin of funds through transactions, including electronically moving funds, converting cash, and using shell companies.
- Integration: Returning laundered funds into the economy through seemingly legitimate transactions.
Key ML/FT typologies
FIs and DNFBPs should be aware of various money laundering and terrorist financing typologies, including:
Currency exchanges / cash conversion
- Used to smuggle money or exploit low reporting requirements to minimize detection risks (e.g., purchasing travelers’ cheques for value transport).
Cash couriers / currency smuggling
- Concealed movement of currency to avoid transaction reporting.
Structuring (Smurfing)
- Involves numerous small transactions to evade detection thresholds (e.g., multiple deposits across various accounts).
Use of credit instruments
- Accessing funds through credit cards, cheques, or promissory notes in different jurisdictions.
Purchase of portable commodities
- Buying items like gems or precious metals to conceal ownership and move value without detection.
Purchase of high-value assets
- Investing criminal proceeds in real estate, vehicles, or other negotiable goods to obscure the source of funds.
Commodity exchanges (Barter)
- Direct exchanges (e.g., heroin for gold) to avoid using money, thus evading AML/CFT measures.
Use of wire transfers
- Electronic transfers to move funds across jurisdictions and evade detection.
Underground banking / Unlicensed remittance services
- Illegal networks that remit money without proper licenses, enabling money laundering and terrorist financing.
Trade-based money laundering
- Involves invoice manipulation and trade finance routes to circumvent financial transparency regulations.
Abuse of non-profit organizations (NPOs)
- NPOs can obscure the source of funds and raise money for terrorist activities.
Investment in capital markets
- Purchasing negotiable instruments to disguise the source of crime proceeds.
Mingling (Business investment)
- Combining criminal proceeds with legitimate business funds to obscure the illegal source.
Use of shell companies
- Hiding the identity of fund controllers and exploiting low reporting requirements.
Offshore banks/Businesses
- Using offshore entities to obscure identities and move money away from domestic authorities.
Use of nominees and trusts
- Employing third parties to disguise the identity of those controlling illicit funds.
Identity fraud / False identification
- Obscuring identities involved in money laundering or terrorist financing.
Gatekeepers (Professional services)
- Professionals like lawyers or accountants can obscure beneficiaries’ identities and illicit fund sources.
New payment technologies
- Using emerging payment systems (e.g., mobile payments) for laundering and terrorist financing.
Virtual assets (VA) and Virtual asset service providers (VASPs)
- The distinct features of VAs can create opportunities for money laundering. FIs should refer to FATF guidelines regarding VAs and VASPs.
Life insurance products
- Policies with investment features can be used for laundering, especially with withdrawal options.
General insurance products
- Early policy cancellations with premium returns have been misused for money laundering (e.g., simultaneous cancellations of multiple small policies).
Overpayment of premiums
- Excessive insurance reimbursements via cheque or wire transfer to launder funds, such as by intentionally overpaying premiums for refunds.
Sanctions for non-compliance
The AML-CFT Law imposes severe sanctions for failing to report suspicious activities:
For financial institutions, managers, and employees:
- Imprisonment: Minimum of 6 months and up to 1 year.
- Fines: AED 100,000 to AED 1,000,000.
- Combination of sanctions.
For disclosure violations:
Individuals who don’t disclose or warn about suspicious transactions face:
- Imprisonment: Minimum of 6 months.
- Fines: AED 100,000 to AED 500,000.
- Combination of sanctions.
Conclusion
Compliance with AML/CFT regulations is crucial for maintaining the integrity of the financial system in the UAE. Financial Institutions and Designated Non-Financial Businesses and Professions must implement robust compliance programs, remain vigilant against potential risks, and adhere to reporting obligations to avoid severe penalties. By fostering a culture of compliance and awareness, organizations can contribute to the effective prevention of money laundering and terrorist financing activities.
About Us
Middle East Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Dubai (UAE), China, India, Vietnam, Singapore, Indonesia, Italy, Germany, and USA. We also have partner firms in Malaysia, Bangladesh, the Philippines, Thailand, and Australia.
For support with establishing a business in the Middle East, or for assistance in analyzing and entering markets elsewhere in Asia, please contact us at dubai@dezshira.com or visit us at www.dezshira.com. To subscribe for content products from the Middle East Briefing, please click here.