When most business owners think about Anti-Money Laundering (AML) compliance, they think of banks and financial institutions. In the UAE, this perception is dangerously incomplete. A broad category of non-financial businesses — known as Designated Non-Financial Businesses and Professions (DNFBPs) — are subject to the same core AML obligations as banks.

If your business falls into this category and you do not have an AML compliance programme, you are exposed to significant penalties and, in severe cases, criminal liability.

Quick answers

  • Who must comply? UAE DNFBPs: real estate brokers, dealers in precious metals and gemstones, corporate service providers, auditors, accountants, tax advisors, lawyers, and notaries when carrying out specified transactions.
  • What are the core obligations? A documented Business Risk Assessment, written AML policies, Customer Due Diligence (CDD), ongoing monitoring, Suspicious Transaction Reporting via goAML, and five-year record keeping.
  • Where do I file STRs? Through the UAE Financial Intelligence Unit’s goAML portal. Registration on goAML is itself mandatory for all DNFBPs.
  • What are the penalties? Administrative fines from AED 50,000 to AED 5 million per violation, licence suspension, and in serious cases criminal prosecution.
  • How big does my programme need to be? Proportionate to your risk profile. A small DNFBP can run a credible programme on a documented BRA, simple CDD checklists, and consistent monitoring.

The UAE’s AML framework is anchored in:

  • Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.
  • Cabinet Decision No. 10 of 2019 on the Implementing Regulation.
  • Guidance from the UAE Financial Intelligence Unit (UAE FIU) and sector-specific supervisory authorities.

The UAE has made substantial commitments to the Financial Action Task Force (FATF), the global AML standard-setter, and was removed from the FATF “Grey List” in February 2024 after demonstrating significant improvements to its AML regime. The obligations on DNFBPs are a key part of this framework.

Who is a DNFBP?

DNFBPs are businesses in specific sectors that are considered vulnerable to money laundering due to the nature of their transactions. Under UAE law, DNFBPs include:

  • Real estate agents and brokers: When acting in transactions involving the purchase or sale of real estate.
  • Dealers in precious metals and gemstones: Including gold, diamonds, and jewellery traders, when engaging in cash transactions above AED 55,000.
  • Corporate service providers: Firms that help with UAE business setup and ongoing compliance, manage trusts, provide registered office services, or act as directors/shareholders.
  • Auditors, accountants, and tax advisors: When carrying out certain financial transactions or providing advice on asset structuring, business transactions, or tax matters on behalf of a client.
  • Lawyers and notaries: When participating in financial or real estate transactions for clients.

If your business falls into any of these categories, AML compliance obligations apply to you.

Core AML Obligations for DNFBPs

1. Risk Assessment

DNFBPs must conduct and document a Business Risk Assessment (BRA) that identifies and evaluates the money laundering and terrorist financing risks inherent to their business, clients, products, and geographies. This is not a one-time exercise — it must be reviewed and updated regularly (typically annually or when significant changes occur).

2. AML Policies, Procedures, and Controls

You must establish written AML policies and procedures that are proportionate to your risk profile and that address:

  • How you identify and assess risks.
  • How you conduct Customer Due Diligence (CDD).
  • How you monitor ongoing business relationships.
  • How you detect, escalate, and report suspicious transactions.
  • How you maintain records.

3. Customer Due Diligence (CDD)

CDD — also called “Know Your Customer” (KYC) — is the process of identifying and verifying the identity of your clients before and during a business relationship. At minimum, CDD requires:

  • Collecting and verifying the identity of the customer (passport, Emirates ID).
  • Identifying the Ultimate Beneficial Owner (UBO) of any legal entity client. This often dovetails with your client’s own UBO compliance obligations.
  • Understanding the purpose and nature of the business relationship.
  • Obtaining information on the source of funds for significant transactions.

For higher-risk clients (e.g., politically exposed persons, non-resident clients, clients from high-risk jurisdictions), Enhanced Due Diligence (EDD) is required — a deeper level of scrutiny and ongoing monitoring.

4. Ongoing Monitoring

AML compliance is not a one-time onboarding exercise. You must continuously monitor existing client relationships and transactions for unusual or suspicious patterns, including:

  • Transactions inconsistent with the client’s stated business or financial profile.
  • Unusually large cash payments.
  • Requests to receive or send funds to unrelated third parties.
  • Clients who are evasive about the source of their funds.

5. Suspicious Transaction Reporting (STR)

If you detect or have reasonable grounds to suspect that a transaction or attempted transaction involves proceeds of crime or terrorist financing, you are legally obligated to file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit (UAE FIU) through its goAML platform.

Failing to file a required STR is a criminal offence. Equally, “tipping off” a client that a report has been filed is prohibited.

6. Record Keeping

All AML-related records — including CDD documentation, transaction records, and STRs — must be maintained for a minimum of five years from the date of the transaction or the end of the business relationship (whichever is later).

7. AML Compliance Officer

Larger DNFBPs, and those with higher-risk profiles, are expected to appoint a designated AML Compliance Officer responsible for overseeing the AML programme, maintaining records, and filing STRs.

8. Registration with the UAE FIU

All DNFBPs must be registered on the goAML portal operated by the UAE Financial Intelligence Unit. goAML is the platform through which STRs are filed and official AML guidance is communicated.

Penalties for AML Non-Compliance

The UAE takes AML violations extremely seriously. Penalties can include:

  • Administrative fines ranging from AED 50,000 to AED 5,000,000 per violation.
  • Business licence suspension or cancellation.
  • Criminal prosecution for serious offences, including money laundering itself (which carries imprisonment of up to 10 years and fines of up to AED 5,000,000).

Regulatory inspections by supervisory authorities (such as the relevant DED, free zone authority, or CBUAE) are increasing in frequency. Many DNFBPs underestimate this risk because they think of themselves as small operators rather than regulated firms, which is exactly why a proportionate AML programme matters even for an outsourced accounting and tax practice.

Building a Proportionate AML Programme

The good news for SMEs is that AML compliance does not need to be an expensive, complex undertaking. A risk-based approach means that your programme should be proportionate to your actual risk exposure. For most SMEs, a well-structured programme can be built around:

  1. A documented Business Risk Assessment.
  2. Clear written AML policies appropriate to your sector.
  3. Simple but consistent CDD checklists for new clients.
  4. A transaction monitoring process — even a basic spreadsheet-based one.
  5. Registration on goAML.
  6. Staff training so that everyone in the business understands their obligations.

Frequently Asked Questions

Is my UAE SME a DNFBP? If your business is in real estate brokerage, dealing in precious metals or gemstones, corporate services, audit, accounting, tax advice, law, or notary work, and you carry out the specified transactions, you are almost certainly a DNFBP. A formal classification assessment removes the doubt.

Do I need to register on goAML even if I have nothing to report? Yes. Registration on the UAE FIU’s goAML portal is mandatory for all DNFBPs, independent of whether you ever file a Suspicious Transaction Report. Operating without it is itself a violation.

What is the threshold for cash transactions in precious metals and gemstones? AED 55,000. Cash transactions at or above this level trigger DNFBP obligations, including CDD on the customer.

How long do I need to keep AML records? At least five years from the date of the transaction or the end of the business relationship, whichever is later.

What happens if I tip off a client about an STR? Tipping off is a criminal offence under UAE AML law. The STR process is strictly confidential, and you should not communicate the existence or content of a report to the client or any unauthorised third party.

Do I need a dedicated AML Compliance Officer? Larger or higher-risk DNFBPs are expected to appoint one. Smaller firms can assign the role to an existing senior person, but the responsibility must be formal and documented. See our note on UBO compliance for the related governance picture.

Will the FTA or my licensing authority actually inspect me? Yes. Sector supervisors and free zone authorities run inspections, and these have been stepping up since the UAE’s FATF reforms. Walking into an inspection with no documented BRA is a fast route to penalties.

How we can help

We classify your DNFBP status, draft a proportionate AML programme, and handle goAML registration and ongoing CDD design so the regulator finds what it expects to find. Book a confidential AML review and we will scope your obligations in 30 minutes.