Every real estate broker, auditor, accountant, corporate service provider, and precious metals dealer operating in the UAE mainland or a commercial free zone must be registered on the Financial Intelligence Unit's goAML platform and must run a functioning AML compliance programme behind it. The regulatory framework was overhauled by Federal Decree-Law No. 10 of 2025, which came into force on 14 October 2025, and the supporting Cabinet Resolution No. 134 of 2025, which came into force on 14 December 2025. Enforcement has accelerated ahead of the Financial Action Task Force's 2026 mutual evaluation of the UAE.

  • The Ministry of Economy has imposed over AED 130 million in administrative fines on DNFBPs since late 2022, with AED 42 million in the first half of 2025 alone.
  • Administrative fines for goAML and AML violations run from AED 50,000 to AED 1,000,000 per violation, stacking across multiple findings in a single inspection.
  • Providing false or misleading beneficial ownership information is now a criminal offence under the 2025 law, and the tipping-off offence has been broadened to capture grossly negligent disclosure, not only intentional disclosure.
  • Operating any DNFBP activity without the required licence, registration, or enrolment carries a criminal penalty of imprisonment and a fine of AED 200,000 to AED 10,000,000 under Article 20 of the 2025 law.

Who this applies to

A DNFBP is a designated non-financial business or profession. Cabinet Resolution No. 134 of 2025 and its predecessor Cabinet Decision No. 10 of 2019 identify the categories of business that the UAE treats as high-risk gateways for money laundering, terrorist financing, and, since October 2025, proliferation financing. The categories are:

  • Real estate brokers and agents involved in the buying or selling of real property
  • Auditors and accountants providing professional assurance to third parties
  • Corporate and trust service providers, including firms that arrange nominee shareholders, company directors, or registered office services
  • Dealers in precious metals and precious stones (including jewellery retailers) that handle cash transactions above AED 55,000
  • Lawyers, notaries, and independent legal professionals when involved in specified financial transactions
  • Operators of commercial gaming activities (new under Cabinet Resolution 134/2025, in force from 14 December 2025)
  • Virtual asset service providers (brought explicitly within the AML perimeter by Federal Decree-Law 10/2025)

The scope covers mainland and commercial free zone licensees. Firms regulated in the DIFC or ADGM financial free zones sit under the separate DFSA and FSRA AML rulebooks, which run parallel to the federal regime rather than replacing it. For the DIFC-specific framework, see our DIFC AML compliance guide for fintech.

What the 2025 law changed for DNFBPs

Federal Decree-Law 10/2025 repealed the 2018 AML framework entirely. It is not a patch on the old law. Four changes are material for every DNFBP.

The evidentiary threshold for money laundering was lowered

Under the 2018 law, prosecutors had to prove that the defendant had actual knowledge that funds derived from a predicate crime. Under the 2025 law, knowledge can be inferred from objective circumstances. A DNFBP that should have known the funds were illicit, given the warning signs available, can be liable even without direct proof of actual knowledge. This brings the UAE into line with the UK and other comparable jurisdictions and raises the bar on what a defensible compliance programme has to demonstrate.

The tipping-off offence was broadened

Under the 2018 law, tipping off required an intentional disclosure to the customer or a third party about a suspicious transaction report or investigation. Under Article 29 of the 2025 law, tipping off now covers intentional and grossly negligent acts, applies to a broader range of disclosures, and carries aggravated penalties where the offence results in the loss or destruction of criminal proceeds. In practice this means informal conversations with clients during onboarding can create exposure if any content of a suspicion is leaked.

False beneficial ownership information is now a criminal offence

Providing false or misleading UBO information is a distinct offence under the 2025 law. For corporate service providers arranging structures for clients, the exposure runs in both directions: from the CSP's own records and filings, and from its obligation to diligence client-provided UBO information. For the broader UBO framework, see our UAE UBO disclosure rules guide.

Sanctions for legal persons scale with the value of the criminal property involved

Administrative fines under the executive regulations remain in the AED 50,000 to AED 1,000,000 range per violation. Criminal penalties for legal persons under the 2025 law itself run from AED 5 million to AED 100 million, and in cases where the fine is linked to the value of the criminal property involved, the ceiling can be higher. Courts can order the dissolution of an entity or the closure of premises in serious cases. There is no statute of limitations on money laundering, terrorist financing, or proliferation financing offences.

The goAML obligation — what registration actually means

goAML is the United Nations Office on Drugs and Crime platform operated by the UAE Financial Intelligence Unit. Every DNFBP must be registered on the platform. Registration gives the firm the operational channel through which it can file:

  • Suspicious Transaction Reports (STRs) when it suspects funds are proceeds of crime
  • Suspicious Activity Reports (SARs) for broader suspicions that fall short of a specific transaction
  • Sanctions-related reports to the Executive Office for Control and Non-Proliferation (EOCN)
  • Mandatory high-risk country activity reports
  • Funds Freeze Reports where a client hits a UN or UAE terror sanctions list

Registration is not an optional convenience. Failure to register is treated as an automatic internal controls failure by inspectors, because a firm without goAML access cannot discharge its statutory reporting duty. The registration process runs in two stages: SACM authentication using Google Authenticator, followed by organisation registration on the goAML portal itself. A Compliance Officer or MLRO must be appointed and named in the authorisation letter submitted with the registration.

Once registered, the firm takes on continuous obligations. STRs must be filed promptly when suspicion arises. There is no minimum value threshold. The duty is triggered by suspicion, not certainty, and the firm must not tip off the customer that a report has been made. Records must be retained for a minimum of five years.

What an adequate AML programme looks like under the 2025 framework

The Ministry of Economy has published guidance setting out what inspectors expect to see during a DNFBP inspection. The programme rests on six pillars.

Enterprise-wide risk assessment

A documented assessment of money laundering, terrorist financing, and proliferation financing risks specific to the firm. Inspectors actively identify copy-paste assessments from templates and treat them as a red flag. The assessment must reflect the firm's actual clients, services, transaction volumes, geographic exposures, and delivery channels, and has to be updated at least annually.

Customer due diligence and enhanced due diligence

Verification of customer identity using reliable, independent documentation before establishing a business relationship. Enhanced due diligence is mandatory for politically exposed persons and their associates, customers connected to FATF Grey or Black List jurisdictions, complex corporate structures with multiple ownership layers, and unusually large or complex transactions without an obvious legitimate purpose.

Sanctions screening

Ongoing screening of customers and transactions against UAE local terrorist designations, UN Security Council sanctions lists, and FATF high-risk and monitored jurisdictions. Circular No. 3 of 2025 requires processes to be updated whenever these lists change. Screening must occur at onboarding and on a continuous basis thereafter.

MLRO appointment

A UAE-resident Money Laundering Reporting Officer with sufficient seniority to act independently and direct access to senior management. Under the 2025 law, accountability attaches personally to the MLRO as well as institutionally to the firm.

Record-keeping

Minimum five-year retention of customer records, transaction records, STRs, risk assessments, and training logs. Records must be produced on demand during an inspection.

Training

Annual AML training for all staff, with role-based modules for client-facing staff, compliance staff, and senior management. Training records form part of the inspection pack.

Talk to us

Facing a goAML registration gap or an imminent Ministry of Economy inspection?

We advise accountants, auditors, corporate service providers, and real estate firms on DNFBP status assessments, goAML registration, AML framework drafting, and responses to Ministry of Economy enforcement action.

Speak with an AML compliance lawyer

Enforcement data — what a non-compliance penalty actually looks like

The Ministry of Economy has published enforcement statistics that show where the inspection focus sits. The data below covers the period from late 2022 to H1 2025 and illustrates the sectoral distribution of penalties.

Enforcement round Firms fined Aggregate fines (AED) Primary sector focus
December 2022 6 companies 3.2 million Internal AML policy failures
Q1 2023 137 firms (out of 840 inspected) 65.9 million DNFBPs across all categories
2024 29 firms 22.6 million DNFBPs (targeted inspections)
H1 2025 Multi-sector 42 million Precious metals (AED 20M, 473 violations); real estate (AED 18.5M, 495 violations); CSPs and auditors (AED 4M+, 95+ cases)

Note: Figures drawn from Ministry of Economy announcements and industry reporting. Cumulative total of DNFBP fines since late 2022 now exceeds AED 130 million.

Three patterns emerge from the data. First, inspection volumes are rising, not falling. Second, the penalty severity per violation is growing. Third, the sectoral focus correlates with the national risk assessment — precious metals and real estate remain the top-tagged sectors because of their exposure to cash-intensive transactions, opaque ownership chains, and cross-border flows.

A senior Ministry of Economy official, Assistant Undersecretary Abdullah Sultan Al Fann Al Shamsi, stated publicly in early 2026 that enforcement volume is directly tied to sectoral risk classification rather than uniform coverage. Firms in high-risk categories should expect to be inspected.

The collateral risk — bank account freezes

The primary enforcement exposure is administrative or criminal fines. The faster-acting consequence is banking exposure. UAE banks face their own AML obligations under the CBUAE regime, and they actively screen corporate customers for DNFBP status. A firm that operates in a DNFBP category without goAML registration is a flagged counterparty from the bank's perspective.

The practical outcome is that banks increasingly freeze business accounts of non-registered DNFBPs pending evidence of goAML compliance, block outbound remittances, and decline to open new accounts. For a firm with payroll obligations, supplier payments, or trade finance requirements, the bank freeze is a more immediate operational crisis than the Ministry of Economy fine that may follow months later.

The FATF 2026 evaluation and why enforcement will not ease off

The UAE exited the FATF grey list in February 2024 after completing 15 FATF action points. The next mutual evaluation cycle is due in 2026. The fifth-round FATF methodology focuses on effectiveness of implementation rather than adoption of rules. FATF evaluators will look at the quality of suspicious transaction reports, the coordination between supervisory authorities, the rate of successful prosecutions, and the proportionality of penalties — not at whether the UAE has the right laws on the books.

The legislative reset in October 2025 and the executive regulations in December 2025 gave the UAE an updated framework to show the evaluators. The enforcement data gives them a track record to point to. Every DNFBP fine issued in 2025 and 2026 is, from the Ministry of Economy's perspective, evidence that the regime is working. That means enforcement will continue at least through the evaluation period and is unlikely to soften in its immediate aftermath.

For the wider 2026 compliance calendar across tax, UBO, AML, and e-invoicing deadlines, see our UAE business compliance 2026 guide.

What DNFBPs should do now

The remediation sequence for a firm that has fallen behind is well-worn. Work through it in order, not in parallel.

  1. Confirm DNFBP status. Check whether the firm's licensed activities bring it within one of the scheduled categories. Some activities straddle the line — a company secretarial service that also provides nominee directorship is a CSP; an accounting firm that also provides tax agent services carries dual obligations.
  2. Register on goAML. Complete the two-stage registration. If the firm is already registered but the Compliance Officer details are stale, update them immediately.
  3. Appoint a qualified MLRO. UAE-resident, sufficiently senior, and with direct board access. For smaller firms, this is often the partner or founder rather than a junior staff member.
  4. Run the enterprise-wide risk assessment. Document it against the firm's actual business. Avoid generic templates.
  5. Draft or refresh the AML manual. Customer due diligence, enhanced due diligence, sanctions screening, STR and SAR filing, record-keeping, and training should each be addressed in the manual with specific procedures.
  6. Run staff training and retain evidence. Certificates and training logs are inspected.
  7. File any outstanding STRs. Retrospective filing of identified suspicions is far better than an inspector discovering an unreported suspicion in the file.
  8. Prepare the inspection pack. Assume an inspection is coming. Have the risk assessment, manual, MLRO appointment letter, training records, screening evidence, and STR log ready in a single folder.

How should UAE DNFBPs approach AML compliance in 2026?

For accountants, auditors, real estate brokers, corporate service providers, and precious metals dealers in the UAE, the AML framework has moved from a paperwork exercise to a board-level operational risk. Federal Decree-Law 10/2025 lowered the evidentiary threshold for money laundering, expanded the tipping-off offence, criminalised false UBO reporting, and raised the penalty ceiling for legal persons to AED 100 million. The Ministry of Economy has demonstrated that it will inspect and fine, and banks will freeze accounts faster than inspectors will arrive.

The firms that treat goAML registration as the starting point for a functioning compliance programme, rather than the end point of a one-off form-filling exercise, are the ones that will get through the FATF 2026 cycle without a material penalty. The firms that copy a template manual, miss the risk assessment update, or leave the MLRO appointment dormant are the ones that will appear in the next enforcement statistics.

For DNFBPs facing a registration gap, an imminent inspection, an administrative fine, or a question about status, our AML and financial crime team advises on registration, programme design, inspection response, and penalty mitigation.

Let’s talk

Your success starts with the right guidance.

Whether it’s business or personal, our team provides the insight and guidance you need to succeed.

contact us