AML Compliance for UAE SMEs: Obligations, Risks, and How to Build a Programme
When most business owners think about Anti-Money Laundering (AML) compliance, they think of banks and financial institutions. In the UAE, this perception is dangerously incomplete. A broad category of non-financial businesses — known as Designated Non-Financial Businesses and Professions (DNFBPs) — are subject to the same core AML obligations as banks.
If your business falls into this category and you do not have an AML compliance programme, you are exposed to significant penalties and, in severe cases, criminal liability.
The UAE’s AML Legal Framework
The UAE’s AML framework is anchored in:
- Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.
- Cabinet Decision No. 10 of 2019 on the Implementing Regulation.
- Guidance from the UAE Financial Intelligence Unit (UAE FIU) and sector-specific supervisory authorities.
The UAE has made substantial commitments to the Financial Action Task Force (FATF), the global AML standard-setter, and was removed from the FATF “Grey List” in February 2024 after demonstrating significant improvements to its AML regime. The obligations on DNFBPs are a key part of this framework.
Who is a DNFBP?
DNFBPs are businesses in specific sectors that are considered vulnerable to money laundering due to the nature of their transactions. Under UAE law, DNFBPs include:
- Real estate agents and brokers: When acting in transactions involving the purchase or sale of real estate.
- Dealers in precious metals and gemstones: Including gold, diamonds, and jewellery traders, when engaging in cash transactions above AED 55,000.
- Corporate service providers: Firms that help form companies, manage trusts, provide registered office services, or act as directors/shareholders.
- Auditors, accountants, and tax advisors: When carrying out certain financial transactions or providing advice on asset structuring, business transactions, or tax matters on behalf of a client.
- Lawyers and notaries: When participating in financial or real estate transactions for clients.
If your business falls into any of these categories, AML compliance obligations apply to you.
Core AML Obligations for DNFBPs
1. Risk Assessment
DNFBPs must conduct and document a Business Risk Assessment (BRA) that identifies and evaluates the money laundering and terrorist financing risks inherent to their business, clients, products, and geographies. This is not a one-time exercise — it must be reviewed and updated regularly (typically annually or when significant changes occur).
2. AML Policies, Procedures, and Controls
You must establish written AML policies and procedures that are proportionate to your risk profile and that address:
- How you identify and assess risks.
- How you conduct Customer Due Diligence (CDD).
- How you monitor ongoing business relationships.
- How you detect, escalate, and report suspicious transactions.
- How you maintain records.
3. Customer Due Diligence (CDD)
CDD — also called “Know Your Customer” (KYC) — is the process of identifying and verifying the identity of your clients before and during a business relationship. At minimum, CDD requires:
- Collecting and verifying the identity of the customer (passport, Emirates ID).
- Identifying the Ultimate Beneficial Owner (UBO) of any legal entity client.
- Understanding the purpose and nature of the business relationship.
- Obtaining information on the source of funds for significant transactions.
For higher-risk clients (e.g., politically exposed persons, non-resident clients, clients from high-risk jurisdictions), Enhanced Due Diligence (EDD) is required — a deeper level of scrutiny and ongoing monitoring.
4. Ongoing Monitoring
AML compliance is not a one-time onboarding exercise. You must continuously monitor existing client relationships and transactions for unusual or suspicious patterns, including:
- Transactions inconsistent with the client’s stated business or financial profile.
- Unusually large cash payments.
- Requests to receive or send funds to unrelated third parties.
- Clients who are evasive about the source of their funds.
5. Suspicious Transaction Reporting (STR)
If you detect or have reasonable grounds to suspect that a transaction or attempted transaction involves proceeds of crime or terrorist financing, you are legally obligated to file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit (UAE FIU) through their goAML platform.
Failing to file a required STR is a criminal offence. Equally, “tipping off” a client that a report has been filed is prohibited.
6. Record Keeping
All AML-related records — including CDD documentation, transaction records, and STRs — must be maintained for a minimum of five years from the date of the transaction or the end of the business relationship (whichever is later).
7. AML Compliance Officer
Larger DNFBPs, and those with higher-risk profiles, are expected to appoint a designated AML Compliance Officer responsible for overseeing the AML programme, maintaining records, and filing STRs.
8. Registration with the UAE FIU
All DNFBPs must be registered on the goAML portal operated by the UAE Financial Intelligence Unit. goAML is the platform through which STRs are filed and official AML guidance is communicated.
Penalties for AML Non-Compliance
The UAE takes AML violations extremely seriously. Penalties can include:
- Administrative fines ranging from AED 50,000 to AED 5,000,000 per violation.
- Business licence suspension or cancellation.
- Criminal prosecution for serious offences, including money laundering itself (which carries imprisonment of up to 10 years and fines of up to AED 5,000,000).
Regulatory inspections by supervisory authorities (such as the relevant DED, free zone authority, or CBUAE) are increasing in frequency.
Building a Proportionate AML Programme
The good news for SMEs is that AML compliance does not need to be an expensive, complex undertaking. A risk-based approach means that your programme should be proportionate to your actual risk exposure. For most SMEs, a well-structured programme can be built around:
- A documented Business Risk Assessment.
- Clear written AML policies appropriate to your sector.
- Simple but consistent CDD checklists for new clients.
- A transaction monitoring process — even a basic spreadsheet-based one.
- Registration on goAML.
- Staff training so that everyone in the business understands their obligations.
How Success Business Advisors Can Help
At Success Business Advisors, we help UAE DNFBPs build practical, proportionate AML compliance programmes. Our services include:
- DNFBP classification assessment — determining whether and how AML obligations apply to your business.
- Business Risk Assessment preparation.
- AML policy and procedure drafting.
- CDD framework and client onboarding template design.
- goAML registration support.
- Staff AML awareness training.
Protect your business, your licence, and your reputation. Contact Success Business Advisors for a confidential AML compliance review today.