If you run a business in the UAE, anti-money laundering compliance is not something you can ignore. The penalties are real, the inspections are increasing, and the consequences go beyond fines. Banks are freezing accounts of non-compliant businesses, and the Ministry of Economy imposed over AED 130 million in fines on regulated companies between late 2022 and mid-2025.
The problem? Most AML guidance is written by law firms charging AED 2,000 an hour or by compliance software companies trying to sell you a subscription. Neither tells you, in plain language, exactly what you need to do and how much it costs.
This guide covers everything a UAE business owner needs to know about AML compliance in 2026: whether your business must register, how to set up goAML, what KYC and due diligence actually look like in practice, and how to avoid the most common mistakes that trigger fines.
What Anti-Money Laundering Compliance Means in the UAE
Anti-money laundering (AML) compliance in the UAE is a set of legal obligations requiring certain businesses to identify, prevent, and report financial crime. As of 2026, these obligations are governed by Federal Decree-Law No. 10 of 2025, which replaced the previous 2018 law on 14 October 2025.
Why the UAE Takes AML Seriously
The UAE spent years on the Financial Action Task Force (FATF) grey list before exiting in early 2024. Staying off that list requires demonstrating active enforcement, which is why regulators have shifted from warnings to heavy fines. In a single enforcement action in 2024, the Ministry of Economy fined 29 companies a combined AED 22.6 million for AML violations. The pace is accelerating: AED 42 million in fines in just the first half of 2025 (Source: Ministry of Economy).
What Changed Under the New Law
Federal Decree-Law No. 10 of 2025, supported by Cabinet Resolution No. 134 of 2025, introduced several major changes that affect business owners directly.
1. The knowledge threshold dropped. Prosecutors no longer need to prove you knowingly facilitated money laundering. "Sufficient circumstantial evidence" that you should have known is enough.
2. Maximum fines for companies increased from AED 50 million to AED 100 million.
3. There is no longer a statute of limitations for AML offences. Regulators can pursue cases from years ago.
4. The Financial Intelligence Unit (FIU) can now freeze your funds for up to 30 days (previously 7 days) and suspend transactions for 10 working days without prior notice.
5. Virtual assets and digital transactions are now explicitly covered, closing a gap that existed under the old law.
Which Businesses Must Comply
Not every UAE business is required to register on goAML or run a full AML compliance programme. The obligations apply to two main categories: Financial Institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs).
Financial Institutions
Banks, insurance companies, money exchanges, financing companies, and any entity licensed by the Central Bank of the UAE (CBUAE), the Securities and Commodities Authority (SCA), or the Dubai Financial Services Authority (DFSA) fall under the FI category. If you hold a financial services license, your regulator will have specific AML guidance for your sector.
DNFBPs: The Five Categories
Most small and medium business owners encounter AML compliance through the DNFBP framework. The Ministry of Economy supervises five DNFBP categories on the mainland and in commercial free zones.
1. Real estate agents and brokers involved in buying, selling, or leasing property.
2. Dealers in precious metals and precious stones, including jewellers, gold traders, and gemstone dealers.
3. Auditors and accountants providing audit, accounting, or tax advisory services.
4. Company service providers (also called corporate service providers or CSPs), including business setup consultancies that help form companies, act as registered agents, or provide nominee services.
5. Legal consultants, excluding lawyers and notary publics who are supervised separately by the Ministry of Justice.
If your business falls into any of these five categories, you are a DNFBP and must register on goAML, appoint a compliance officer, and maintain a functioning AML compliance programme.
What If You Are Not Sure
Some businesses operate in grey areas. A management consultancy that occasionally assists with company formation might qualify as a company service provider. A property management firm might fall under the real estate agent category. If there is any doubt, check with the Ministry of Economy directly. Operating in a DNFBP category without goAML registration has real consequences: banks increasingly freeze accounts and block remittances for non-registered businesses until compliance is proven.
Free Zone Companies
DNFBP rules apply to companies in commercial free zones, not just mainland businesses. ADGM and DIFC have their own AML supervisory frameworks through the FSRA and DFSA respectively, but the underlying obligations are similar. Free zone authorities are increasingly coordinating with the Ministry of Economy on enforcement.
How to Register on goAML
goAML is the UAE Financial Intelligence Unit's online portal for AML compliance. Every DNFBP must register here before conducting any regulated activity.
Step-by-Step Registration Process
1. Go to services.uaefiu.gov.ae/goaml and click "Register as a New Organization."
2. Fill in your company details: legal name, trade license number, registered address, business activities (select the DNFBP category that applies), and the number of employees.
3. Enter your Compliance Officer's information: full name, passport number, Emirates ID, job title, email address, and mobile number. This person becomes the primary point of contact with the FIU.
4. Upload the required documents: a valid trade license, the Compliance Officer's passport copy, Emirates ID copy, and residence visa copy, plus an authorization letter signed by the company's authorized signatory.
5. Submit the application. You will receive login credentials by email, typically within 5 to 10 business days.
6. Once approved, log in using your credentials and set up two-factor authentication via Google Authenticator or a similar app.
7. Complete your organizational profile, including your risk assessment questionnaire.
Common Registration Mistakes
The most common mistake is entering the wrong DNFBP category. If you operate across multiple categories (for example, an accounting firm that also provides company formation services), you may need to register under multiple DNFBP categories.
Another frequent error is nominating a Compliance Officer who is not UAE-resident. The officer must be based in the UAE, must be sufficiently senior (ideally a partner or director, not a junior staff member), and must have direct access to the board or senior management.
Timeline and Costs
goAML registration itself is free. There is no government fee for creating your account. The costs come from setting up your compliance programme: appointing an officer, creating policies, training staff, and potentially hiring external consultants.
Your AML Compliance Programme: What You Actually Need
Registration on goAML is just the starting point. You need a functioning compliance programme that covers five core areas.
1. Compliance Officer or MLRO
Every registered DNFBP must appoint a Money Laundering Reporting Officer (MLRO), also called a Compliance Officer. This person is responsible for overseeing your entire AML programme, training staff, monitoring transactions, and filing reports with the FIU.
For small businesses with fewer than 10 employees, the owner or a senior partner typically takes on this role. For larger firms, it should be a dedicated position. The MLRO must be UAE-resident and must have direct reporting access to the company's senior management.
2. Risk Assessment
You must conduct and document a business risk assessment covering the types of clients you serve, the jurisdictions you deal with, the products or services you offer, and the delivery channels you use. This is not a one-time exercise. Your risk assessment should be reviewed and updated at least annually, or whenever your business model changes significantly.
The Ministry of Economy publishes sector-specific risk indicators. For real estate agents, high-risk factors include cash transactions above AED 55,000, clients from sanctioned jurisdictions, and transactions involving shell companies. For accountants, red flags include clients who resist providing identification or who structure transactions to avoid reporting thresholds.
3. Customer Due Diligence and KYC
Customer due diligence (CDD) is the core of AML compliance. For every client relationship, you must complete three levels of verification.
Standard CDD requires collecting and verifying the client's identity (passport, Emirates ID, or equivalent for non-residents), understanding the purpose of the business relationship, and identifying the ultimate beneficial owner (UBO) if the client is a company (anyone owning 25% or more).
Enhanced due diligence (EDD) applies to higher-risk situations: clients from high-risk jurisdictions, politically exposed persons (PEPs), complex ownership structures, or unusually large transactions. EDD means deeper verification, more documentation, and ongoing monitoring.
Simplified due diligence (SDD) is allowed only where you have documented evidence that the risk is genuinely low. This is the exception, not the rule, and regulators are sceptical of businesses that rely on SDD too broadly.
4. Record Keeping
All CDD records, transaction records, and correspondence must be retained for a minimum of five years after the business relationship ends. This includes copies of identification documents, transaction records, internal reports, and any suspicious transaction reports filed.
Store records in a way that allows you to retrieve them quickly if a regulator requests them. Digital storage is acceptable, but the records must be complete, accurate, and readily accessible.
5. Suspicious Transaction Reporting
If you identify a transaction that appears unusual or suspicious, you must file a Suspicious Transaction Report (STR) through the goAML portal. You must do this without tipping off the client that a report has been filed (this is called the "tipping off" prohibition, and violating it is a criminal offence).
Common triggers for STRs include transactions that are unusually large or complex for the client's profile, clients who provide false or inconsistent identification, transactions involving sanctioned countries or individuals, and attempts to structure transactions to avoid reporting thresholds.
There is no minimum transaction value for filing an STR. If something looks suspicious, report it. Filing a report that turns out to be a false alarm has no negative consequences for your business. Failing to file a report when you should have is a violation.
Penalties and Enforcement: What Is Actually Happening
The penalty framework under the new law is severe, and regulators are actively enforcing it.
Administrative Fines
| Violation | Fine Range |
|---|---|
| Failure to register on goAML | AED 50,000 starting penalty |
| Failure to implement internal AML policies | Up to AED 1,000,000 per violation |
| Failure to file an STR | Up to AED 5,000,000 |
| Failure to conduct CDD or KYC | Up to AED 1,000,000 per violation |
| Multiple violations in single inspection | Fines stack across each finding |
Criminal Penalties
For money laundering offences, individuals face up to 10 years imprisonment and fines of AED 500,000 to AED 50 million. Companies face fines of AED 5 million to AED 100 million (Source: Federal Decree-Law No. 10 of 2025).
How Inspections Work
The Ministry of Economy conducts both on-site and desk-based reviews. During an inspection, they typically request your goAML registration confirmation and login evidence, your written AML policies and procedures manual, evidence of staff AML training (dates, attendees, materials), sample CDD files for recent clients, your business risk assessment document, and any STRs filed during the review period.
The 225 violations found across 29 companies in the 2024 enforcement round focused on three main areas: failure to adopt internal policies and procedures, inadequate beneficial ownership verification, and incomplete risk identification processes (Source: Ministry of Economy enforcement announcement).
Banking Consequences
Beyond government fines, non-compliance has practical banking consequences. UAE banks run their own compliance checks on business customers. If a bank identifies that your business operates in a DNFBP category without goAML registration, the typical response includes freezing your business account, blocking outbound remittances, and declining to open new accounts. Getting your account unfrozen usually requires proving goAML registration plus submitting your compliance documentation to the bank's own AML team.
AML Compliance Costs for Small Businesses
Setting up an AML compliance programme does not have to be expensive, but it is not free either.
DIY vs Outsourced Compliance
| Cost Component | DIY Approach | Outsourced |
|---|---|---|
| goAML registration | Free | Free |
| AML policy manual | 10 to 20 hours of your time | AED 5,000 to 15,000 |
| Staff training | Self-study using MoE guides | AED 2,000 to 5,000 per session |
| CDD/KYC templates | Free templates available online | Included in outsourced package |
| Annual compliance review | 5 to 10 hours annually | AED 3,000 to 8,000 |
| Full outsourced MLRO service | N/A | AED 15,000 to 40,000 per year |
| AML compliance software | Free basic tools | AED 5,000 to 20,000 per year |
For a small business with fewer than 10 employees and low-risk client profile, the realistic cost is AED 5,000 to AED 15,000 for initial setup (policies, training, templates) and AED 3,000 to AED 8,000 per year for ongoing compliance. Larger or higher-risk businesses should budget AED 20,000 to AED 50,000 per year.
Where to Find Free Resources
The Ministry of Economy publishes implementation guides for DNFBPs on its website, including sector-specific CDD guidance (updated November 2024). The goAML portal itself includes reporting templates. Several professional bodies, including the UAE Accountants and Auditors Association, offer AML training resources.
Common Mistakes That Trigger Fines
Based on enforcement data from 2024 and 2025, these are the most frequent compliance failures.
1. Treating Registration as Compliance
Registering on goAML and then doing nothing else is the single most common mistake. Registration is step one. Without written policies, staff training, and active CDD on clients, you will fail an inspection.
2. Paper-Only Policies
Having a beautifully formatted AML manual that nobody in your company has read or follows is almost as bad as having no manual at all. Inspectors test whether staff actually understand the procedures, not just whether the document exists.
3. Skipping Beneficial Ownership Verification
For corporate clients, you must identify the ultimate beneficial owner (anyone holding 25% or more). Many businesses collect the company trade license and stop there. Inspectors specifically check whether you have verified ownership beyond the surface level.
4. Not Updating the Risk Assessment
Your initial risk assessment from two years ago is not sufficient. The business environment changes, your client mix changes, and regulatory expectations evolve. Update your risk assessment at least annually.
5. Ignoring the Tipping Off Rule
If you suspect a client of money laundering and you file an STR, you must not inform the client. Some business owners, especially in service-based industries, feel uncomfortable continuing a relationship with a client they have reported. But tipping off the client is a criminal offence, and handling it incorrectly can expose you to prosecution.
How AML Compliance Connects to Your Other Obligations
AML compliance does not exist in isolation. It intersects with several other regulatory requirements that UAE business owners must manage.
Corporate Tax
If your business is subject to UAE corporate tax, your financial record-keeping for AML purposes overlaps significantly with your tax documentation requirements. Maintaining clean, organized financial records serves both purposes simultaneously.
Business Compliance Calendar
Your annual compliance checklist should include AML obligations: annual risk assessment review, staff training renewal, goAML account verification, and policy updates. Many businesses schedule their AML review alongside their trade license renewal to ensure nothing falls through the cracks.
Banking Relationships
When you open a business bank account in the UAE, the bank will ask whether your business falls into a DNFBP category and whether you are registered on goAML. Having your compliance documentation ready at account opening stage makes the process significantly smoother, especially for free zone companies where banking can already be challenging.
Company Setup
If you are setting up a new business in a DNFBP category, build AML compliance into your company formation process from day one. Register on goAML within your first month of operations, appoint your MLRO before you take on clients, and have your CDD templates ready before your first customer engagement.