ATB LEGAL
Dispute Resolution Employment Corporate & Commercial Personal Status Intellectual Property Regulatory & Compliance International Trade Insights People About Contact Us

Anti-Money Laundering & Financial Crime in the UAE

The UAE’s anti-money-laundering framework is federal and applies across the whole country – onshore and in the financial free zones. Its principal statute is now Federal Decree-Law No. 10 of 2025 (in force 14 October 2025), which replaced the 2018 AML Law. It binds financial institutions, designated non-financial businesses and professions (DNFBPs) and virtual-asset service providers (VASPs), with supervision divided by sector – the Central Bank (CBUAE) onshore, the DFSA in the DIFC, the FSRA in the ADGM, the CMA and VARA in their perimeters, and the Ministries for many DNFBPs. The core duties – a risk assessment, customer due diligence and beneficial ownership, sanctions screening, a Money Laundering Reporting Officer, monitoring and reporting to the UAE Financial Intelligence Unit via goAML – are common throughout. The 2025 law brought VASPs fully into scope, made proliferation financing a standalone offence and raised penalties. (The India-side GIFT City AML regime is separate – see that page.) Verify the current position at the time of use.

The one federal regime, its sector supervisors, and how the DIFC and ADGM rulebooks sit over it.

At a glance

  • Principal law: Federal Decree-Law No. 10 of 2025, in force 14 October 2025 – replaced the 2018 AML Law
  • Applies to: financial institutions, DNFBPs and VASPs – across the whole UAE
  • Supervisors (one law, by sector): CBUAE · DFSA (DIFC) · FSRA (ADGM) · CMA · VARA · the Ministries (DNFBPs)
  • Core duties: risk assessment · CDD & beneficial ownership · sanctions screening · MLRO · monitoring · reporting
  • Reporting: to the UAE Financial Intelligence Unit via the federal goAML portal
  • Context: UAE left the FATF grey list (Feb 2024); next mutual evaluation due 2026

1. The federal AML law

Anti-money laundering in the UAE is governed by a single federal regime that applies throughout the country. Its principal statute is now Federal Decree-Law No. 10 of 2025 – its title extending to the financing of terrorism and the financing of proliferation – which came into force on 14 October 2025, replacing Federal Decree-Law No. 20 of 2018 as the country’s principal AML/CFT statute. Implementing regulations made under the 2018 law generally continue on an interim basis until replaced, so the working position is a new primary law over a body of existing regulations being progressively updated. The reform aligns the UAE more closely with the Financial Action Task Force (FATF) standards and is the reference point against which every AML obligation in the UAE – onshore and in the free zones – should now be read.

2. Who must comply

The regime casts a wide net across three groups. Financial institutions – banks, finance companies, exchange houses, payment providers and insurers. Designated non-financial businesses and professions (DNFBPs) – the group most often caught by surprise – including real-estate agents and brokers, dealers in precious metals and stones, auditors and accountants, corporate service providers, and independent legal professionals in defined situations. And virtual-asset service providers (VASPs), brought fully within the statutory perimeter by the 2025 law. These obligations apply onshore and in the free zones alike – a mainland real-estate brokerage, a DIFC asset manager and an ADGM corporate service provider all carry core AML duties, scaled to their risk. The first question for any UAE business is therefore whether it falls into one of these categories; many that do not think of themselves as “regulated” nonetheless do.

3. One law, many supervisors

A defining feature of the UAE regime is that the substantive law is federal and uniform, but supervision is divided by sector. Each regulator enforces the federal obligations within its own perimeter:

Sector / perimeterAML supervisor
Banks, finance companies, exchange houses, payments, insuranceCBUAE (the Central Bank)
Firms in the DIFC (financial firms and DNFBPs)DFSA
Firms in the ADGM (financial firms and DNFBPs)FSRA
Securities and capital-markets participants (onshore)CMA (formerly the SCA)
Virtual-asset activity in DubaiVARA
Many onshore DNFBPs (real estate, dealers, auditors, corporate service providers)Ministry of Economy / Ministry of Justice

Whichever supervisor a business answers to, the substantive law, the sanctions lists and the goAML reporting channel are all federal. The free-zone regimes – the DFSA’s and the FSRA’s, addressed below – are, in substance, the zone-level implementation of this same federal law.

4. Core obligations

Whatever the sector, the federal regime imposes a familiar, risk-based set of obligations:

  • a documented business (enterprise) risk assessment, and an AML programme proportionate to it;
  • customer due diligence (CDD) – identifying and verifying customers, their representatives and their beneficial owners;
  • enhanced due diligence for higher-risk relationships, including politically exposed persons and high-risk jurisdictions;
  • sanctions screening against the UAE (Cabinet) list, the UNSC Consolidated List and other applicable lists, acting immediately on a match;
  • an MLRO (Money Laundering Reporting Officer), resident in the UAE, responsible for the programme and for reporting;
  • ongoing transaction monitoring, record-keeping, periodic training, and registration on the relevant federal systems.

The obligation most often done poorly – and the one supervisors scrutinise most closely – is beneficial ownership: seeing through layered or opaque structures to the natural person who ultimately owns or controls the customer.

5. Sanctions and targeted financial measures

Sanctions compliance sits alongside AML as a distinct, strict obligation. Firms must screen customers, beneficial owners and senior managers against the UAE (Cabinet) sanctions list, the UNSC Consolidated List and other applicable lists, and act immediately on a match – freezing without delay and reporting to the competent authority. Unlike the risk-based AML duties, a sanctions breach can arise from a single missed match, and the consequences are severe. The 2025 law’s counter-proliferation-financing focus sharpens the expectation here, and screening must be kept current as lists are updated – which is why automated, regularly refreshed screening is effectively a baseline.

6. Reporting through goAML

Reporting runs through a single federal channel. Where a business knows or suspects money laundering, terrorist financing or proliferation financing, it must file a suspicious-activity or suspicious-transaction report with the UAE Financial Intelligence Unit (FIU) – hosted at the CBUAE – through the federal goAML portal, as soon as the suspicion arises. Registration on goAML is mandatory for reporting entities across the country, including onshore DNFBPs. Two duties travel with every report: the business must not tip off the customer, and it must keep the report confidential. Filing a report does not, by itself, freeze a transaction; freezing follows where a sanctions match or a legal direction requires it.

7. AML in the DIFC – the DFSA AML Rulebook

A firm in the DIFC runs on two layers: the DFSA’s AML Rulebook (the AML module) and the federal regime above. The DFSA is the AML/CFT and sanctions supervisor for DIFC “Relevant Persons” – financial firms and DNFBPs alike – and its Rulebook translates the federal law and the FATF standards into firm-level obligations the DFSA examines and enforces: the business risk assessment, CDD and beneficial ownership, enhanced due diligence and PEP handling, sanctions screening, an MLRO, monitoring, record-keeping and training. Substantively the obligations track the federal regime; what is DIFC-specific is the supervisor and the rulebook. AML is a priority DFSA enforcement area, and a control failure – weak CDD, poor monitoring, or late reporting – can lead to fines, restrictions and individual accountability for the MLRO and senior managers.

8. AML in the ADGM – the FSRA AML & Sanctions Rulebook

The position in the ADGM mirrors the DIFC, with the FSRA as supervisor under its AML and Sanctions Rulebook. It applies both to ADGM-licensed financial institutions and to DNFBPs in the ADGM (real-estate firms, law firms, accountants, corporate service providers) – which carry materially the same core obligations as a bank, scaled to risk. The duties are the familiar set: a business risk assessment, CDD and beneficial ownership, enhanced due diligence, sanctions screening, an FSRA-approved UAE-resident MLRO, monitoring, suspicious-activity reporting to the UAE FIU via goAML, training and an annual AML return. As in the DIFC, the substantive law is federal while the FSRA supplies the supervision and the rulebook – and AML and sanctions failings are a sustained FSRA enforcement focus, with significant penalties.

9. The 2025 changes, the FATF context and the national architecture

The 2025 statute is a tightening, not merely a restatement. Among the most significant changes: VASPs gain full statutory AML status; proliferation financing becomes a standalone offence; tax evasion is treated as a predicate offence; the evidentiary threshold is eased (knowledge can be inferred from circumstances); the FIU’s powers to suspend and freeze are strengthened; the governance structure is reinforced; and penalties are raised – fines for legal persons reported up to AED 100 million, alongside the imprisonment and confiscation that attach to the underlying offences. The external driver is the FATF: the UAE was on the FATF “grey list” from March 2022 and removed in February 2024, with the EU later removing it from its own high-risk list. The effort is coordinated nationally by a National Committee and a dedicated Executive Office for AML/CTF, with the FIU and goAML within that architecture. With the UAE’s next FATF mutual evaluation due in 2026, supervisory expectations are rising, not plateauing.

10. The India and cross-border dimension

For India-facing businesses the regime matters in cross-border situations as much as day-to-day compliance. The 2025 law strengthens international cooperation – facilitating the enforcement of foreign confiscation and freezing orders and expanding FIU-to-FIU information exchange – both directly relevant to asset-tracing and investigations spanning the UAE and India, and the treatment of tax evasion as a predicate offence bears on flows between the two countries. The inclusion of VASPs brings cross-border crypto activity squarely within scope. Note that the India-side GIFT City AML and CFT regime is separate – it runs on India’s Prevention of Money-Laundering Act and the IFSCA’s AML/CFT/KYC framework, reporting to FIU-IND, and is covered on the dedicated GIFT City AML page, not here.

Frequently asked questions

What is the UAE’s main anti-money-laundering law?

Federal Decree-Law No. 10 of 2025, in force from 14 October 2025, which replaced the 2018 AML Law as the principal AML/CFT statute. Implementing regulations under the earlier law continue on an interim basis until replaced.

Does the federal AML law apply in the DIFC and ADGM?

Yes. The AML law is federal and applies across the whole UAE. The DFSA (DIFC) and the FSRA (ADGM) supervise it within their zones through their own rulebooks; the substantive law, the sanctions lists and the goAML reporting channel are federal.

Who must comply?

Financial institutions; DNFBPs – including real-estate agents, dealers in precious metals and stones, auditors and accountants, corporate service providers, and independent legal professionals in defined situations; and virtual-asset service providers.

Who supervises AML compliance?

Supervision is divided by sector: the CBUAE for its institutions; the DFSA and FSRA in the DIFC and ADGM; the CMA for securities; VARA for Dubai virtual assets; and the Ministry of Economy and Ministry of Justice for many DNFBPs. The underlying law is federal and uniform.

How do I report suspicious activity?

Through the UAE Financial Intelligence Unit’s goAML portal, as soon as suspicion arises, without tipping off the customer. Registration on goAML is mandatory for reporting entities, including onshore DNFBPs.

What changed under the 2025 law?

VASPs were brought fully into scope; proliferation financing became a standalone offence; tax evasion was added as a predicate; the evidentiary threshold was eased; the FIU’s suspend-and-freeze powers were strengthened; and penalties were raised, with fines for legal persons reported up to AED 100 million.

What AML rules apply to a DIFC firm specifically?

The DFSA AML Rulebook (the AML module), over the federal law. The DFSA is the AML/CFT and sanctions supervisor for DIFC Relevant Persons, examining and enforcing the firm-level obligations.

What AML rules apply to an ADGM firm specifically?

The FSRA’s AML and Sanctions Rulebook, over the federal law. It applies to ADGM financial firms and DNFBPs, with an FSRA-approved UAE-resident MLRO, goAML reporting and an annual AML return.

What are the penalties?

Substantial – fines for legal persons reported up to AED 100 million and tougher consequences for unlicensed virtual-asset activity, alongside the imprisonment and confiscation that attach to the underlying offences. The current figures should be confirmed against the law in force.

Is the UAE on the FATF grey list?

No. The UAE was added in March 2022 and removed in February 2024. Its next FATF mutual evaluation is due in 2026, which is one reason the regime continues to tighten.

How does the UAE regime affect cross-border matters with India?

It strengthens international cooperation – the enforcement of foreign confiscation orders and FIU-to-FIU information exchange – and makes tax evasion a predicate offence, all relevant to India-facing asset-tracing and investigations. The India-side GIFT City AML regime is separate and covered on its own page.