UAE Tightens Anti-Money Laundering Rules for Financial Companies

The UAE's AML framework changed substantially in late 2025. Federal Decree-Law No. 10 of 2025 took effect on 14 October 2025, replacing the 2018 law. Cabinet Resolution No. 134 of 2025 followed on 14 December 2025 with implementing regulations. Together, they create a stricter regime with higher penalties, broader liability, and no statute of limitations for money laundering offences.

This matters now because the FATF's 5th round mutual evaluation of the UAE begins in 2026. Regulators will be looking for enforcement outcomes, not just policies on paper. Financial institutions that treat this as a box-ticking exercise will find themselves exposed.

Here is what changed and what financial companies need to do about it.

The Legal Framework

Three pieces of legislation now govern AML compliance for UAE financial institutions:

What Actually Changed

Proliferation Financing Is Now a Standalone Offence

Article 3(3) of the new law makes proliferation financing a distinct criminal offence for the first time in UAE legislation. Previously, the framework addressed money laundering and terrorist financing. Now it covers CPF - the financing of weapons of mass destruction and their delivery systems.

This is not theoretical. Financial institutions must now integrate proliferation financing risk into their enterprise-wide risk assessments, customer due diligence procedures, transaction monitoring, and suspicious transaction reporting. The implementing regulations make this explicit.

The Evidentiary Threshold Is Lower

Under the 2018 law, prosecutors needed to prove actual knowledge of illicit funds. Article 2 of the new law changes this. Knowledge can now be inferred from "factual and objective circumstances" or "circumstantial evidence."

This aligns the UAE with jurisdictions like the UK, where wilful blindness is sufficient for liability. For compliance officers, it means that ignoring red flags is no longer just a regulatory failure - it can form the basis of a criminal case.

The law also clarifies that conviction of the predicate offence is not required to establish the illegitimate source of proceeds. Prosecutors can pursue money laundering charges even where the underlying crime cannot be proven to criminal standards.

Virtual Assets Are Explicitly Covered

The 2018 law was ambiguous about digital assets. The 2025 law removes any doubt. Article 1 and Article 2(1) expressly cover:

• Digital systems
• Virtual assets
• Cryptographic technologies

There is also a new offence for promoting, selling, or using privacy-enhancing virtual asset products and services that fully conceal identity or impede transaction tracing. This targets privacy coins and mixing services.

For VASPs operating in the UAE, the compliance burden has increased. Full AML/CFT/CPF obligations now apply, including travel rule compliance and enhanced transaction monitoring for cryptocurrency flows.

Penalties Have Doubled

The financial consequences of non-compliance are now severe:

The CBUAE has already demonstrated willingness to use these powers. In recent months, the Central Bank issued approximately AED 350 million in fines against financial institutions for AML/CFT breaches.

Directors Face Personal Criminal Liability

Article 27(5) introduces personal criminal liability for managers and directors. If a person responsible for the actual management of a legal entity was aware of an offence and its commission resulted from their breach of duty, they face imprisonment, a fine, or both.

This is a significant shift. Previously, corporate liability shielded individuals. Now, directors who fail to ensure adequate AML/CFT/CPF procedures can be prosecuted personally. The standard is not negligence - it requires awareness and breach of duty - but the combination of lower evidentiary thresholds and circumstantial evidence means the practical risk is real.

Board members at UAE-licensed financial institutions should ensure that AML governance is documented, that policies are approved at board level, and that compliance failures are escalated and addressed.

The FIU Has Expanded Powers

The Financial Intelligence Unit can now:

• Suspend transactions for up to 10 working days (previously 7 days under Central Bank Governor authority)
• Freeze assets for up to 30 days, extendable by the Public Prosecutor
• Coordinate directly with international FIUs for intelligence sharing

These powers previously rested with the Central Bank Governor. The shift to the FIU centralises financial intelligence and signals a more active enforcement posture.

No Statute of Limitations

Article 37 eliminates any limitation period for money laundering, terrorist financing, and proliferation financing offences. Perpetrators remain liable indefinitely.

For financial institutions, this creates long-term exposure. A compliance failure in 2026 can result in enforcement action in 2036 or later, particularly if new evidence emerges through cross-border cooperation or whistleblower disclosures.

Sector-Specific Implications

CBUAE-Licensed Institutions

Banks, insurers, exchange houses, and payment service providers licensed by the Central Bank face the most direct regulatory scrutiny. The CBUAE's Anti-Money Laundering Department (AMLD) conducts both scheduled and unannounced examinations.

Key obligations:

• Enterprise-Wide Risk Assessment incorporating CPF
• Customer Due Diligence and Enhanced Due Diligence
• Transaction monitoring and sanctions screening
• STR/SAR filing via the goAML portal
• Record retention for at least 5 years
• Semi-annual reporting to the supervisory authority

The CBUAE Rulebook contains detailed guidance on implementation, including sector-specific red flag indicators for payments, insurance, and correspondent banking.

DIFC-Regulated Firms

Firms authorised by the DFSA in the DIFC operate under a dual regime: federal AML law applies directly, and the DFSA's AML Module sets additional requirements.

Notable differences:

• Record retention is 6 years (longer than the federal 5-year requirement)
• Annual AML Return due by 30 September each year
• Compliance Officer must be UAE resident
• STR notification to DFSA required immediately after FIU submission

The DFSA's 2025-2026 business plan emphasises collaboration with other regulators to prepare for the FATF evaluation and announces targeted inspections of firms dealing in digital assets.

ADGM-Regulated Firms

The FSRA in ADGM has similarly updated its framework. Cabinet Resolution 134/2025 supersedes previous implementing regulations. The FSRA demonstrated its enforcement posture in 2024 by fining a regulated firm USD 500,000 for inadequate AML systems over a six-year period.

Gaming Operators

Cabinet Resolution 134/2025 adds gaming operators to the definition of Designated Non-Financial Businesses and Professions (DNFBPs). AML obligations are triggered for transactions of AED 11,000 or more, whether single or linked.

This reflects the UAE's recent regulatory framework for commercial gaming and aligns with FATF recommendations on casino and gaming sector oversight.

FATF 2026: What Assessors Will Look For

The UAE assumed the presidency of MENAFATF for 2026. The FATF's 5th round mutual evaluation uses a revised methodology that places greater weight on effectiveness - actual outcomes rather than technical compliance.

Assessors will examine:

Enforcement results: Convictions, asset confiscations, and administrative penalties. The UAE reported a 92.1% conviction rate and AED 1.309 billion in confiscated assets in 2023. Continued momentum is expected.

Beneficial ownership transparency: Whether authorities can obtain accurate and timely beneficial ownership information. The new law imposes penalties for providing false or misleading beneficial ownership data.

STR quality and volume: Not just the number of suspicious transaction reports, but whether they lead to actionable intelligence. The FIU's expanded powers support this objective.

Sanctions implementation: Compliance with UN Security Council resolutions and targeted financial sanctions. The UAE chairs MENAFATF's Technical Committee on TFS for 2026-2027.

Cross-border cooperation: Mutual legal assistance, information sharing with foreign FIUs, and enforcement of foreign confiscation orders. Article 22 of the new law facilitates enforcement of foreign judgments even without a ratified convention.

Financial institutions should expect heightened regulatory attention throughout 2026. Supervisory authorities will want to demonstrate effective oversight to assessors.

Compliance Priorities for 2026

Immediate

1. Update your Enterprise-Wide Risk Assessment to include proliferation financing. This is now a mandatory component under Cabinet Resolution 134/2025.
2. Review customer due diligence procedures for high-risk categories, including VASPs, correspondent banks, and PEPs. The lower evidentiary threshold means red flags cannot be ignored.
3. Check beneficial ownership records for accuracy. False or incomplete information is now a specific offence with personal liability implications.
4. Verify goAML registration and reporting workflows are functioning. STR filing obligations remain unchanged but enforcement is intensifying.

Medium-Term

5. Board and senior management training on personal liability under Article 27(5). Directors need to understand their exposure and ensure adequate oversight mechanisms.
6. Policy and procedure manual update to reflect the new legislative references and CPF integration.
7. Independent compliance health check before the FATF evaluation period. External validation of your AML framework is valuable evidence of effective oversight.
8. Transaction monitoring enhancement for virtual assets if your institution has exposure to crypto-related clients or counterparties.

‍