Introduction
AML compliance in the UAE is often misunderstood as a documentation exercise.
Many businesses believe that having a policy, performing screening, and registering on goAML is sufficient.
In practice, regulators assess something very different: whether your AML framework is complete, operational, and consistently applied across all areas of your business.
This guide provides a complete AML compliance checklist for UAE DNFBPs (Designated Non-Financial Businesses and Professions), built from real deficiencies identified during Remedial Action Plans (RAPs) and regulatory inspections.
This is not a theoretical checklist; it reflects what businesses are actually required to fix in practice.
What Does AML Compliance Mean in Practice?
AML compliance is not a single requirement.
It is a connected system of controls, including:
- Risk assessment and classification
- Customer verification and monitoring
- Sanctions screening and alert handling
- Transaction monitoring
- Reporting (STR/SAR)
- Documentation and audit
- Governance and oversight
Failure in one area often exposes weaknesses in others, and this is exactly what regulators look for during inspections.
AML Compliance Checklist (Based on RAP and Inspection Findings)
The following checklist reflects the areas most commonly reviewed, and most frequently found lacking, during AML inspections and RAP assessments in the UAE.
1. AML Policy & Procedures
☐ AML/CFT policy is approved by senior management
☐ Policy is aligned with UAE regulations
☐ Policy reflects actual business activities
☐ Version control is maintained
☐ Supporting procedures are documented
Why This Matters
Regulators assess whether your AML framework is formally approved, regularly updated, and aligned with your business risk, not just documented.
2. Risk Assessment (Risk-Based Approach – RBA)
☐ Business-wide risk assessment is documented
☐ Risk factors include:
- Customer type
- Geography
- Transaction type
- Delivery channels
☐ Risk scoring methodology is defined
☐ Risk levels are assigned (Low / Medium / High)
☐ Risk assessment is periodically reviewed
Why This Matters
All AML controls must be proportionate to risk. Weak risk assessment leads to weak compliance across the entire framework.
3. Customer Due Diligence (CDD / KYC)
☐ Customer identity is collected and verified
☐ UBO is identified and documented
☐ Source of Funds / Wealth assessed where required
☐ Risk classification applied at onboarding
☐ Enhanced Due Diligence applied for high-risk customers
☐ Ongoing CDD is implemented
Why This Matters
CDD forms the foundation of AML compliance. Without proper identification, all downstream controls become unreliable.
4. Sanctions & TFS Screening
☐ Screening performed against:
- UAE Local Terrorist List
- UN Consolidated List
☐ Screening includes customers, UBOs, and related parties
☐ Screening occurs at onboarding and periodically
☐ Screening results are documented
Why This Matters
Sanctions compliance is a strict obligation. Failure to screen, or act on matches, can result in serious regulatory consequences.
5. Screening Methodology & Reliability
☐ Matching logic considers multiple identifiers
☐ Confidence thresholds are defined
☐ Name variations and multilingual matching are handled
☐ False positives are reviewed and documented
Why This Matters
Regulators assess not only whether screening is performed, but whether it is reliable, consistent, and defensible.
6. Alert Handling & Escalation
☐ Alerts are generated from screening and monitoring
☐ Alert classification is defined
☐ Review workflow is documented
☐ False positives are justified
☐ Escalation to MLRO is clearly defined
☐ Audit trail is maintained
Why This Matters
Alert handling is one of the most scrutinized areas during inspections: it shows how your AML controls operate in practice.
7. Transaction Monitoring
☐ Transactions are recorded and categorized
☐ Monitoring includes behavioral and threshold-based checks
☐ Red flags are defined
☐ Suspicious patterns are identified and escalated
☐ Customer risk is reassessed based on activity
Why This Matters
AML compliance is ongoing. Monitoring ensures that risk is managed throughout the customer lifecycle.
8. STR / SAR Reporting (goAML)
☐ Business is registered on goAML
☐ Reporting procedures are documented
☐ Internal escalation workflow is defined
☐ MLRO reviews and approves reports
☐ Reporting timelines are followed
☐ Supporting evidence is retained
Why This Matters
Regulators assess your ability to identify and report suspicious activity, not just your registration status.
9. Record Keeping & Data Retention
☐ Customer and transaction records are retained
☐ Retention meets UAE requirements (minimum 5 years)
☐ Records are secure and retrievable
☐ Evidence and decisions are documented
Why This Matters
Failure to produce records during inspection is treated as a compliance failure.
10. Data Protection & Confidentiality
☐ Access to AML data is restricted
☐ Data is securely stored and protected
☐ STR/SAR information is confidential
☐ Tipping-off prohibition is enforced
Why This Matters
AML compliance includes protecting sensitive information and ensuring confidentiality of investigations.
11. AML Training & Awareness
☐ Staff receive AML training regularly
☐ Training covers red flags and reporting obligations
☐ Attendance is documented
☐ Training materials are maintained
Why This Matters
Training ensures that AML controls are applied in practice, not just written in policy.
12. Roles, Responsibilities & Governance
☐ MLRO is appointed with clear authority
☐ Compliance roles are defined
☐ Reporting lines are clear
☐ Senior management oversight is documented
Why This Matters
AML compliance is a governance responsibility. Clear accountability is essential.
13. Independent AML Audit
☐ Audit is conducted periodically
☐ Scope covers all AML areas
☐ Findings and recommendations are documented
☐ Management response is recorded
☐ Remedial actions are tracked
Why This Matters
Audit provides independent validation that your AML framework is functioning effectively.
14. Policy Governance & Review
☐ Policy is reviewed regularly
☐ Updates reflect regulatory changes
☐ Version control is maintained
☐ Changes are communicated internally
Why This Matters
AML frameworks must evolve with risk and regulation. Static policies are considered ineffective.
Common Gaps Identified During RAPs and AML Inspections
Based on real RAP cases and inspection feedback, regulators frequently identify:
- Generic or outdated AML policies
- Weak risk assessment frameworks
- Lack of structured alert handling
- Inconsistent screening practices
- Missing audit or training evidence
- Poor documentation and record retrieval
These gaps often lead to Remedial Action Plans (RAPs) requiring corrective action.
How to Stay Inspection-Ready
AML compliance should not be reactive.
To maintain readiness:
- Ensure consistency between policy and practice
- Maintain structured documentation
- Keep evidence readily available
- Define operational workflows clearly
- Review controls regularly
If you are responding to a RAP, you may find it useful to review common mistakes businesses make when responding to AML remedial action plans.
How InfoAML Supports Complete AML Compliance
Managing AML compliance across multiple areas requires structure.
InfoAML helps UAE businesses:
- Centralize policies, procedures, and documentation
- Perform and document screening
- Manage alerts and escalation workflows
- Maintain audit trails and evidence
- Support STR/SAR reporting processes
- Stay prepared for inspections
Compliance is not about having documents; it is about being able to prove, at any time, that your controls are effective.