What is AML and why is it important in the UAE?

AML refers to laws preventing criminals from legitimizing illicit funds. It's essential in the UAE to protect financial systems and comply with global standards.

Who must comply with AML laws in the UAE?

All financial institutions and DNFBPs, including real estate brokers, auditors, and dealers in precious metals.

What are the key UAE AML regulations I should be aware of?

Federal Decree-Law No. (20) of 2018 and Cabinet Decision No. (10) of 2019 are the main AML laws.

What is the role of the Financial Intelligence Unit (FIU)?

The FIU analyzes suspicious activity reports (SARs) and forwards critical cases to relevant authorities.

What is goAML and how does it work?

goAML is the UAE’s FIU reporting platform used to submit suspicious transaction reports (STRs).

Why are real estate companies required to comply with AML?

They are considered DNFBPs due to high exposure to money laundering through property transactions.

How do I register my company with goAML?

Register via the SACM portal and complete goAML setup with business documents.

What documents are needed for goAML registration?

Trade license, Emirates ID, passport copy, authorization letter, and valid email.

What are the consequences of non-compliance?

Penalties from AED 50,000 to AED 1,000,000 depending on the violation.

How often should we update our AML policy?

Review your AML policy annually or when regulations/business processes change.

What is Customer Due Diligence (CDD)?

CDD means verifying a client’s identity and assessing their risk profile.

When is Enhanced Due Diligence (EDD) required?

For high-risk clients like PEPs or those from high-risk countries.

What documents are required for verifying clients?

ID, proof of address, trade license, and ownership info for entities.

How do we identify Ultimate Beneficial Owners (UBOs)?

By analyzing the ownership structure and requesting UBO declarations.

What is risk-based customer categorization?

Assigning risk levels (low/medium/high) based on client activity and profile.

What qualifies as a Suspicious Transaction?

Transactions inconsistent with a customer’s known profile or with no clear purpose.

What is a Suspicious Activity Report (SAR)?

A SAR reports suspicious behavior or transactions to the UAE FIU.

How do I file a SAR via goAML?

Log in to goAML, complete the SAR form, and submit it securely.

What is the deadline for submitting a report?

Submit SARs promptly upon identification of suspicious activity.

What happens after a SAR is submitted?

The FIU reviews it and may take further investigative or legal action.

What must an AML policy include?

Risk assessment, CDD, transaction monitoring, reporting, training, and audit processes.

Who should be designated as the Compliance Officer?

A senior employee with authority and AML knowledge to oversee implementation.

How often should we conduct AML training?

At least once a year and when there are regulatory or process changes.

What is an internal AML audit?

A structured review to check AML policy effectiveness and compliance gaps.

How do I create an AML risk assessment?

Identify, assess, and mitigate AML risks across clients, transactions, and processes.

What are sanctions lists and how do I screen against them?

They include names of restricted persons/entities. Screen clients against updated lists.

What is a Politically Exposed Person (PEP)?

Someone in a prominent public role, posing higher AML risk.

Do I have to report all PEP matches?

Not all, but apply EDD. Report if behavior appears suspicious.

How often should I update my screening database?

At least monthly or whenever there are updates to official sanctions/PEP lists.

Can screening be automated?

Yes. AML systems can automate name matching, reducing manual effort and false positives.

Sample AML Inspection Checklist

Questions UAE Regulators May Ask Your Compliance Officer

Note: This is a representative set of questions based on real-world AML inspections in the UAE. Inspectors may ask additional or follow-up questions depending on your company’s risk profile, prior history, or findings during the audit.

This checklist contains 50+ essential questions inspectors may ask during an AML audit in the UAE. It is intended for compliance officers at real estate firms, but also useful for CEOs who want to ensure their AML framework is solid and inspection-ready.

A. Policy, Governance & Oversight

Can you provide the latest approved version of your AML policy?
Related Violation No. 1: Failure to set internal AML policies approved by top management.
When was the last time your AML policy was reviewed or updated?
Related Violation No. 2: Policies not aligned with risk or not continuously updated.
Does your AML policy address UAE Cabinet Resolution No. (74) of 2020 and other applicable laws?
Related Violation No. 4: Failure to include all required legal provisions in internal policies.
Who is responsible for approving updates to the AML policy?
While not tied to a specific violation, regulators may ask this to ensure accountability and oversight.
Is the compliance function independent of sales and operations?
Independence is not listed as a standalone violation, but a lack of it may lead to failures in control implementation and oversight.
Do you report directly to senior management or the board?
Direct reporting lines support effective governance and may reduce liability in case of breaches.
What measures are in place to prevent conflicts of interest in AML oversight?
While not explicitly listed in the 41 violations, conflicts of interest can compromise the integrity of compliance operations.
What is your procedure for identifying the beneficial owner of a legal entity?
Related Violation No. 13: Failure to identify and validate the beneficial owner of legal persons.
How do you verify the source of funds for high-value transactions?
Related Violation No. 6: Failure to consider relevant risk factors, such as customer, geographic, and product risk before determining mitigation measures.
Can you provide examples of clients where you applied EDD?
Related Violation No. 15: Failure to apply enhanced due diligence when high-risk situations are identified.

B. Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD)

Do you conduct CDD before establishing a business relationship?
Related Violation No. 9: Failure to conduct customer due diligence before establishing the business relationship or performing high-value transactions.
What documents are collected for individuals vs. corporate customers?
Related Violation No. 11: Failure to verify the customer or real beneficiary identity using reliable sources.
How do you handle expired or incomplete KYC documents?
Related Violation No. 19: Failure to conduct ongoing monitoring to ensure customer documents and data are up to date.
Are there specific thresholds that trigger EDD in your process?
Related Violation No. 16: Failure to apply EDD for relationships or transactions with high-risk countries.
Do you accept cash transactions, and how are they monitored?
Related Violation No. 8: Failure to assess risks from new services or professional practices (e.g., high-value cash transactions).

C. Risk Assessment & Risk Scoring

Do you maintain a formal risk-based assessment for your customer base?
Related Violation No. 5: Failure to assess, understand, and document crime risks in the field.
Can you show your customer risk classification model or matrix?
Related Violation No. 6: Risk classification should factor in customer, product, service, and delivery channel risks.
How frequently are customer risk ratings reviewed?
Regular updates support compliance with Violation No. 19, which requires ongoing monitoring of customer information.
What risk categories do you apply (e.g., low, medium, high)?
Risk categorization supports implementation of proportionate due diligence and aligns with Violation No. 6.
How do you differentiate CDD procedures based on risk level?
Related Violation No. 6: Failure to consider customer and geographic risks before determining appropriate risk mitigation measures.
Is the risk scoring system manual, automated, or hybrid?
Systemization is not a violation by itself, but lack of consistency can lead to compliance failures tied to improper risk assessment.
How is geographic or sectoral risk factored into your scoring?
Related Violation No. 6: Failure to consider geographic or sectoral risk when assessing overall customer risk.

D. Sanctions & PEP Screening

What tool or system do you use for sanctions screening?
Related Violation No. 27: Failure to promptly apply UN Security Council sanctions decisions.
Which sanctions lists do you monitor (UAE, UN, OFAC, EU, etc.)?
Related Violation No. 34: Failure to verify client databases against designated sanctions lists.
How often are these lists updated?
Related Violation No. 34: Failure to constantly verify and compare customer data with updated sanctions lists.
Do you screen both at onboarding and during the customer lifecycle?
Related Violation No. 19: Failure to conduct ongoing monitoring to ensure documents and information remain accurate and relevant.
What is your process for handling a potential match?
Related Violation No. 35: Failure to freeze funds promptly upon confirming a match without prior warning.
How do you identify and manage Politically Exposed Persons (PEPs)?
Related Violation No. 18: Failure to determine whether the customer or beneficial owner is a PEP or similar high-risk profile.
Do you keep a record of PEP determinations and related actions?
Recordkeeping is critical for demonstrating compliance with Violation No. 18 and may be requested during inspections.
Have there been any confirmed matches in the last 12 months?
Inspectors may ask this to test response history and escalation practices, which relate to Violation No. 35 if matches were mishandled.

E. goAML Reporting & SAR/STRs

When did your firm register on goAML?
Related Violation No. 33: Failure to register with the Executive Office for Control and Non-Proliferation for notification purposes.
Can you show current login access or activity logs?
How many STRs/SARs have been filed in the last year?
Related Violation No. 28: Disclosure of reporting intention or contents of a suspicious transaction report is prohibited.
What triggers an internal escalation for a suspicious transaction?
How do you document cases where an STR is not filed?
Related Violation No. 28: Disclosure or mishandling of STR-related decisions is prohibited and must be documented confidentially.
Who authorizes STR submissions?
Related Violation No. 25: Failure to empower the compliance officer to carry out reporting duties may be penalized.
Do you maintain an internal STR/SAR log or register?

F. Staff Training & Awareness

When was your last AML training session conducted?
Related Violation No. 21: Failure to develop indicators to detect potential suspicious activity, often tied to lack of staff awareness.
Is training customized by department or role?
Can you provide attendance logs or certificates?
How do you evaluate the effectiveness of AML training?
Related Violation No. 21: Lack of performance-based AML indicators can expose procedural weakness and training gaps.
What is the onboarding AML training process for new hires?
Have you conducted any post-inspection retraining initiatives?

G. Internal Controls & Escalation Procedures

Can you describe your escalation path for reporting suspicious activity?
Related Violation No. 32: Failure to comply with supervisory authorities' instructions and forms related to AML controls.
Are employees trained on AML red flags?
Related Violation No. 21: Failure to develop and implement red flag indicators to detect suspicious transactions or activities, including failure to train staff accordingly.
Is there a way for staff to report concerns anonymously?
Do you conduct periodic internal AML audits or reviews?
Related Violation No. 7: Failure to implement measures aligned with National Risk Assessment and self-assessments.
How do you ensure that operational staff implement AML controls correctly?

H. Recordkeeping & Audit Trails

What is your data retention policy for AML-related records?
Related Violation No. 26: Failure to maintain records in a manner that allows analysis, re-tracing, or access on request.
Are your records stored securely and in a retrievable format?
Can you demonstrate audit trails for screening, CDD, and STR decisions?
Are logs or document histories version-controlled or timestamped?
Are your AML records regularly backed up and tested for accessibility?

Tip: Use this list during internal mock inspections or to prepare new compliance staff.

InfoAML clients can automate much of this documentation using our built-in audit trails, DAR/STR logs, risk scoring engine, and real-time screening tools.

Disclaimer: This checklist is provided for informational and educational purposes only. It does not constitute legal or regulatory advice. InfoAML and Infosoft Software Trading LLC shall not be held responsible for any actions taken or not taken based on this content. Entities are encouraged to consult directly with legal or regulatory professionals for advice specific to their compliance obligations.