Anti-Money Laundering (AML) compliance is no longer optional for UAE businesses — it is a federal requirement with severe penalties for non-compliance, including fines up to AED 5 million and potential criminal prosecution. Since the UAE's inclusion on and subsequent removal from the FATF grey list, enforcement has intensified dramatically. Here is what every free zone company needs to do.
What Is AML Compliance in the UAE?
The UAE's AML framework is governed by Federal Decree-Law No. 20 of 2018 (as amended) on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT). It requires all businesses — including free zone companies — to implement measures to prevent their services from being used for money laundering or terrorism financing.
Who Must Comply?
All Designated Non-Financial Businesses and Professions (DNFBPs) must comply with AML regulations:
| Category | Examples |
|---|---|
| Real estate agents/brokers | Property sales, leasing |
| Dealers in precious metals/stones | Gold, diamonds, jewelry |
| Auditors and accountants | Audit firms, accounting practices |
| Corporate service providers | Company formation agents, PRO services |
| Lawyers and notaries | Legal services involving transactions |
| Trust and company service providers | Managing client assets |
| All businesses | General AML awareness and basic compliance |
Even if your business is not a DNFBP, you still need a basic AML framework. All UAE companies must register with the relevant supervisory authority and maintain basic KYC records.
The goAML Registration Requirement
All UAE businesses must register on the goAML platform operated by the Financial Intelligence Unit (FIU) of the UAE Central Bank.
Who Must Register
- All DNFBPs (listed above)
- All financial institutions
- All free zone companies in regulated sectors
- Companies dealing with high-value transactions
Registration Process
- Visit the goAML portal (goaml.uaf.ae)
- Create an account with your trade license details
- Designate a Compliance Officer
- Receive your goAML registration confirmation
- Use the platform to file Suspicious Transaction Reports (STRs) if needed
Timeline: Registration takes 2–5 business days. Cost: Free.
AML Compliance Framework: What You Need
1. AML Policy and Procedures Manual
Every business needs a documented AML policy covering:
| Section | Content |
|---|---|
| Risk assessment | How you identify and assess ML/TF risks |
| Customer Due Diligence (CDD) | KYC procedures for onboarding clients |
| Enhanced Due Diligence (EDD) | Additional checks for high-risk clients |
| Ongoing monitoring | How you monitor ongoing relationships |
| Suspicious activity reporting | Internal escalation and external reporting |
| Record keeping | How long you keep records (minimum 5 years) |
| Staff training | AML awareness training program |
| Sanctions screening | Checking clients against sanctions lists |
Cost to prepare: AED 3,000–10,000 (through a consultant) or use templates and customize.
2. Customer Due Diligence (CDD)
When onboarding a new client, you must:
For Individual Clients:
- Verify identity (passport or Emirates ID)
- Verify address (utility bill or bank statement)
- Understand the nature and purpose of the business relationship
- Screen against sanctions lists (UN, UAE, OFAC)
For Corporate Clients:
- Verify company registration (trade license)
- Identify Ultimate Beneficial Owners (UBOs) — anyone holding 25%+ ownership
- Verify UBO identity documents
- Understand the company's business activities
- Screen the company and UBOs against sanctions lists
3. Enhanced Due Diligence (EDD)
Required for high-risk situations:
| High-Risk Indicator | EDD Measures |
|---|---|
| Politically Exposed Person (PEP) | Enhanced background checks, senior management approval |
| High-risk countries | Additional documentation, source of funds verification |
| Complex ownership structures | Full ownership chain verification |
| Cash-intensive businesses | Transaction monitoring, source of cash documentation |
| Unusual transaction patterns | Enhanced monitoring, reporting if suspicious |
4. Ongoing Monitoring
- Review client information periodically (annually for standard risk, every 6 months for high risk)
- Monitor transactions for unusual patterns
- Re-screen clients against updated sanctions lists
- Update CDD records when client information changes
5. Suspicious Transaction Reporting (STR)
If you suspect a transaction involves money laundering or terrorism financing:
- Do not tip off the client (this is a criminal offense)
- Document the suspicious activity internally
- File an STR through the goAML platform within the required timeframe
- Cooperate with any subsequent investigation by the FIU
6. Record Keeping
- Keep all CDD records for 5 years after the business relationship ends
- Keep transaction records for 5 years after the transaction date
- Records must be available for inspection by supervisory authorities
7. Staff Training
- All staff must receive AML awareness training
- Training must be documented and refreshed annually
- Content must cover: recognizing suspicious activities, reporting procedures, sanctions compliance
Cost: AED 500–2,000 per person for external training; free if done in-house.
Compliance by Free Zone
| Free Zone | AML Supervisory Body | Additional Requirements |
|---|---|---|
| DMCC | DMCC Authority | Annual compliance audit for DNFBPs |
| DIFC | DFSA | DIFC-specific AML rulebook |
| ADGM | FSRA | ADGM-specific AML framework |
| JAFZA | JAFZA Authority | Standard federal requirements |
| IFZA | Ministry of Economy | Standard federal requirements |
| Meydan | Ministry of Economy | Standard federal requirements |
| Shams | Ministry of Economy | Standard federal requirements |
| RAKEZ | Ministry of Economy | Standard federal requirements |
DIFC and ADGM have their own regulatory bodies (DFSA and FSRA) with additional AML requirements beyond the federal framework. Companies in these zones face stricter compliance but also benefit from clearer guidance.
Penalties for Non-Compliance
| Violation | Administrative Penalty (AED) | Criminal Penalty |
|---|---|---|
| Failure to register with goAML | Up to 100,000 | N/A |
| Inadequate CDD procedures | Up to 1,000,000 | N/A |
| Failure to file STR | Up to 5,000,000 | Imprisonment |
| Tipping off a suspect | Up to 500,000 | Up to 3 years imprisonment |
| Failure to maintain records | Up to 500,000 | N/A |
| No AML training | Up to 200,000 | N/A |
| Money laundering offense | Up to 5,000,000 | 7–10 years imprisonment |
The UAE has significantly increased enforcement since 2020. In 2023–2024, hundreds of fines were issued to non-compliant businesses.
Cost of AML Compliance
| Item | Cost (AED) | Frequency |
|---|---|---|
| AML policy manual | 3,000–10,000 | One-time (update annually) |
| goAML registration | Free | One-time |
| AML compliance officer training | 1,000–3,000 | Annual |
| Staff awareness training | 500–2,000/person | Annual |
| Sanctions screening software | 2,000–10,000/year | Annual |
| AML audit (if required) | 5,000–15,000 | Annual |
| Total Year 1 | 6,500–40,000 | |
| Annual ongoing | 3,500–25,000 |
For a small free zone company (non-DNFBP), basic compliance costs AED 3,000–5,000 in Year 1 and AED 1,000–3,000 annually.
Practical Steps for Small Free Zone Companies
If You Are NOT a DNFBP (Most Companies)
- Register on goAML — takes 15 minutes
- Create a basic AML policy — 2–3 pages covering your CDD procedures
- Implement basic KYC — collect identity documents from all clients
- Train yourself and any staff — even a 1-hour online course counts
- Screen clients against sanctions lists — free tools available (UN sanctions list is publicly available)
- Keep records for 5 years
Total time: Half a day Total cost: AED 0–2,000
If You ARE a DNFBP
- All of the above, plus:
- Hire or designate a Compliance Officer (can be the owner for small firms)
- Implement Enhanced Due Diligence for high-risk clients
- Use professional sanctions screening software
- Schedule annual AML training for all staff
- Conduct an annual internal AML review
- Prepare for supervisory inspections
Total time: 2–5 days of setup Total cost: AED 5,000–15,000 initially, AED 3,000–10,000 annually
Common Mistakes
1. Ignoring the goAML registration requirement. Even if you think AML does not apply to your business, registration is mandatory for DNFBPs and increasingly expected for all businesses.
2. Having a policy but not following it. Regulators test implementation, not just documentation. Your CDD files must match your policy.
3. Not screening against current sanctions lists. Sanctions lists change regularly. A client who was clean at onboarding may be sanctioned later.
4. Skipping staff training. Even for a one-person company, documented self-training is expected.
5. Poor record keeping. If you cannot produce CDD records during an inspection, you face penalties regardless of whether actual AML violations occurred.
Next Steps
- Register on goAML — do this immediately if you have not already
- Determine if you are a DNFBP — check the activity list against your license
- Create or update your AML policy — templates are available from industry associations
- Read related compliance guides: UBO reporting and annual audit requirements
- Compare free zone compliance requirements: Free zone comparison
Explore our tools