UAE AML law 2025

The UAE’s AML Framework Just Changed Completely. Here Is Everything You Need to Know

On 14 October 2025, the United Arab Emirates entered a new era of financial crime regulation. Federal Decree-Law No. 10 of 2025 the new UAE AML law 2025 came into force, replacing Federal Decree-Law No. 20 of 2018 and fundamentally transforming the country’s anti money laundering, countering the financing of terrorism, and counter-proliferation financing framework.

Table of Contents

This is not a routine update. The UAE money laundering law 2025 does not merely refine the 2018 legislation, it rebuilds it. It introduces personal criminal liability for managers and directors, lowers the evidentiary threshold for prosecution, expands the scope of regulated entities to include virtual asset service providers and non-profit organisations for the first time, and establishes fines that can reach AED 100 million at the corporate level and result in business dissolution.

Its implementing regulations, Cabinet Resolution 134 of 2025 came into force on 14 December 2025, comprising 71 articles and nearly 300 enforceable requirements. Together, these two instruments define the most comprehensive and operationally detailed AML/CFT/CPF framework the UAE has ever introduced.

For businesses across the UAE, whether you are a real estate agent in Dubai, a gold trader in Sharjah, an accountant in Abu Dhabi, a fintech startup in DIFC, or a corporate service provider in DMCC, understanding exactly what the UAE AML law 2025 requires of you is now a matter of urgent, practical necessity.

This guide explains Federal Decree-Law No. 10 of 2025 in plain language, what changed, who it applies to, what the key obligations are, what the penalties look like, and exactly how to comply.

What Is the UAE AML Law 2025? The Foundation You Need to Understand

Federal Decree-Law No. 10 of 2025 is the UAE’s current primary legislation governing Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Countering the Financing of Proliferation (CPF), collectively referred to as AML/CFT/CPF. It was issued on 30 September 2025, published in the UAE Official Gazette, and came into force on 14 October 2025.

The law is the result of a multi-year legislative reform process that began with the UAE’s FATF grey-listing in 2022 and accelerated through the country’s successful exit from the FATF grey list in February 2024 and the EU high-risk country list in August 2025. With the FATF Fifth Round Mutual Evaluation of the UAE anticipated in mid-2026, Federal Decree-Law No. 10 of 2025 represents the UAE’s most ambitious statement yet that its AML/CFT/CPF framework meets and in several areas exceeds international standards.

The UAE AML regulations 2025 sit within a broader legislative ecosystem that includes:

  • Federal Decree-Law No. 10 of 2025: the primary law
  • Cabinet Resolution 134 of 2025: the implementing regulations (71 articles, nearly 300 enforceable requirements)
  • CBUAE April 2026 Guidance Package: six guidance documents for licensed financial institutions
  • DFSA AML Module Update, March 2026: for DIFC-regulated entities
  • Sector-specific guidance: from CBUAE, Ministry of Economy, DFSA, and FSRA

UAE AML Law 2025 vs 2018: What Actually Changed

The most important starting point for any UAE business reviewing its compliance framework is understanding the precise differences between the old and new law. Here is a direct comparison of the key changes in UAE AML law 2025:

Area

Federal Decree-Law No. 20 of 2018

Federal Decree-Law No. 10 of 2025

Proliferation Financing

Not a standalone offence treated as a subset of AML/CFT

Standalone criminal offence with dedicated obligations, risk assessments, and penalties

Virtual Assets (VASPs)

Not explicitly regulated under the AML law

Explicitly and directly regulated VASPs have the same obligations as financial institutions

Non-Profit Organisations

Outside the regulatory perimeter

Brought into scope, NPOs and legal arrangements (trusts) now have defined AML/CFT obligations

Personal Liability

Corporate-level fines are rarely prosecuted directly

Personal criminal liability for managers, directors, and compliance officers, and imprisonment is possible

Knowledge Threshold

Required actual knowledge that funds derived from crime

Lowered the circumstantial evidence or reasonable inference of knowledge now sufficient

Tax Evasion

Not listed as a predicate offence

Explicitly defined as a predicate offence for money laundering

Statute of Limitations

Standard civil/commercial limitation periods applied

Removed for AML financial crimes a crime in 2026 can be prosecuted in 2046

Corporate Fines

Maximum fine AED 5 million

Maximum fine AED 100 million plus potential business dissolution

FIU Freezing Powers

Up to 7 working days only for CBUAE-licensed FIs

Extended to 10 working days applies to all regulated entities

International Cooperation

Limited bank secrecy grounds could block cooperation

UAE cannot refuse international cooperation solely on financial, tax, or secrecy grounds

Cash/Precious Metals Disclosure

Regulatory not in primary legislation

Statutory obligation under Article 10 of the law itself

Supreme Committee

National Committee existed with limited mandate

New Supreme Committee for Supervising the National AML/CFT/CPF Strategy elevated to the national security level

Licensing Requirement

Conducting activities without licence was a violation

Now, an explicit criminal offence, unlicensed financial, non-financial, or virtual asset activity, is a crime

Who Does UAE AML Law 2025 Apply To? The Complete Scope

One of the most significant aspects of the new UAE AML regulations 2025 is the expanded scope of who must comply. The law applies to the following categories of regulated entity:

Financial Institutions

Any person or entity engaged in one or more financial activities or operations on behalf of or for the benefit of a customer. This includes:

  • Commercial banks, Islamic banks, and foreign bank branches
  • Exchange houses and money service businesses
  • Finance companies providing credit, leasing, and financial products
  • Insurance companies, insurance agents, and takaful operators
  • Investment firms and asset managers
  • Payment service providers (PSPs) and stored value facility operators
  • Registered Hawala Providers (RHPs)

Designated Non-Financial Businesses and Professions (DNFBPs)

The DNFBP category remains unchanged in terms of the types of business included, but the new law explicitly lists them and strengthens the obligations attached to each:

  • Real estate agents and brokers, including developers involved in buying and selling
  • Dealers in precious metals and precious stones, gold traders, jewellers, diamond dealers
  • Auditors, accounting firms, and independent accountants
  • Legal consultants and law firms advising on transactions, corporate structuring, or real estate
  • Company formation agents and corporate service providers (CSPs)
  • Trust service providers

Virtual Asset Service Providers (VASPs) New in 2025

For the first time in UAE AML law history, virtual asset service providers are explicitly and directly regulated under the primary legislation. VASPs, including cryptocurrency exchanges, digital asset platforms, NFT marketplaces, and virtual asset custodians, are now subject to the same AML/CFT/CPF obligations as conventional financial institutions. Operating a virtual asset business without a licence from the appropriate authority is now a standalone criminal offence.

See also  CBUAE AML Guidelines 2026: What UAE Financial Institutions Must Know After the April Update

Non-Profit Organisations and Legal Arrangements New in 2025

Non-profit organisations (NPOs), including charities, religious organisations, cultural associations, and educational bodies that collect, receive, or disburse funds, are now within the regulatory perimeter of UAE AML law. Similarly, legal arrangements such as trusts are explicitly regulated, with registrars, trustees, and persons holding similar positions having defined AML/CFT obligations.

Free Zone Companies Not Exempt

A common misconception is that free zone companies operate outside the scope of the UAE AML regulations 2025. This is incorrect. Federal Decree-Law No. 10 of 2025 applies to all businesses operating in the UAE regardless of free zone registration. The distinction is regulatory authority, not regulatory obligation:

  • DIFC companies supervised by the DFSA, whose AML Module was updated in March 2026 to align with Federal Decree-Law No. 10 of 2025
  • ADGM companies supervised by the FSRA under the ADGM AML Rulebook
  • All other free zones (JAFZA, DMCC, Meydan, etc.) are subject to Ministry of Economy supervision for DNFBP obligations and CBUAE supervision for financial institutions

The 10 Most Important Changes in UAE AML Law 2025 Explained

1. Proliferation Financing Becomes a Standalone Criminal Offence

The most structurally significant addition in Federal Decree-Law No. 10 of 2025 is the elevation of proliferation financing (PF) from a subset of AML/CFT to a standalone criminal offence with its own dedicated chapter in the law. Proliferation financing, the financial support of the development, manufacture, acquisition, or transfer of weapons of mass destruction (WMDs) and their delivery systems, is now the third principal offence under UAE AML law, alongside money laundering and terrorist financing.

For businesses, this creates new practical obligations: a dedicated proliferation financing risk assessment must now be conducted as part of the business-wide risk assessment, targeted financial sanctions (TFS) screening must be calibrated to capture PF-specific risks, and staff training must cover proliferation financing red flags in addition to standard AML/CFT awareness.

2. Virtual Assets and VASPs Directly Regulated

Federal Decree-Law No. 10 of 2025 introduces a comprehensive framework for virtual asset service providers reflecting the UAE’s ambition to become a leading global hub for regulated digital asset activity. VASPs operating in the UAE must now:

  • Obtain a licence from the appropriate authority before conducting any virtual asset activity. Operating without a licence is a criminal offence
  • Implement full AML/CFT/CPF compliance programmes equivalent to those required of financial institutions, including CDD, EDD, transaction monitoring, STR filing, and sanctions screening UAE
  • Comply with the Travel Rule for cross-border virtual asset transfers
  • Apply targeted financial sanctions screening in real-time
  • Register on the goAML portal and file STRs and SARs through the FIU

The 2025 law also expands the definition of money laundering to explicitly include “commission through digital systems, virtual assets, or encryption technologies”, directly addressing crypto-based financial crime typologies.

3. Personal Criminal Liability for Managers and Directors

This is the change that has the most immediate, practical impact on senior management across all regulated entities in the UAE. Under the old 2018 framework, AML enforcement was primarily directed at corporate entities individuals were rarely prosecuted directly. Federal Decree-Law No. 10 of 2025 changes this fundamentally.

Under the UAE AML law 2025, individual managers, directors, and compliance officers can face:

  • Personal criminal prosecution: independent of whether the corporate entity is also prosecuted
  • Imprisonment: for serious or willful AML/CFT/CPF violations
  • Personal fines: separate from and in addition to corporate fines
  • Disqualification: from holding management positions

The law introduces independent corporate criminal liability, meaning the corporate entity and individual managers can each be prosecuted separately and simultaneously. A company being fined does not shield its directors from personal prosecution.

Critically, the threshold for personal liability is not limited to deliberate misconduct. The UAE AML law 2025 personal liability for managers can be established through negligence failure to implement adequate controls, or wilful blindness, choosing not to investigate obvious red flags. Senior management across all regulated entities must now treat AML compliance as a personal legal obligation, not just a corporate governance exercise.

4. Lower Knowledge Threshold for Money Laundering Prosecution

Article 2 of Federal Decree-Law No. 10 of 2025 lowers the threshold for establishing a money laundering offence. Under the 2018 law, prosecutors were required to demonstrate actual knowledge that funds were derived from a predicate crime. The new UAE money laundering law 2025 allows liability to be established where a person “knows, or has sufficient evidence or circumstantial evidence to support their knowledge” that funds are derived from a predicate crime.

In practical terms, this means:

  • Reasonable inference is now sufficient for prosecution, not just proven knowledge
  • Wilful blindness, deliberately choosing not to investigate obvious red flags, can constitute sufficient knowledge
  • Failure to conduct adequate CDD that would have revealed criminal origins can be treated as constructive knowledge

This change directly increases the personal liability risk for compliance officers, MLROs, and senior managers who fail to implement effective due diligence processes.

5. Tax Evasion as a Predicate Offence UAE AML

One of the most commercially significant additions in the UAE AML law 2025 is the explicit inclusion of tax evasion as a predicate offence for money laundering. Under Federal Decree-Law No. 10 of 2025, “direct and indirect tax evasion” is now listed in the definition of a predicate crime, meaning that funds derived from tax evasion can constitute criminal proceeds for the purposes of a money laundering charge.

The practical implications of the UAE AML law 2025 tax evasion predicate offence are significant:

  • Businesses that facilitate tax evasion, even unknowingly, can now face money laundering charges
  • Financial institutions and DNFBPs must consider tax evasion risk as part of their AML/CFT risk assessments
  • CDD and EDD processes should include consideration of clients’ tax compliance status where relevant
  • Tax advisors, accounting firms, and corporate service providers face heightened exposure under this provision

This change is particularly relevant given the introduction of UAE Corporate Tax in June 2023, creating a new domestic tax framework for which non-compliance now carries AML implications.

6. The Statute of Limitations Is Effectively Removed for AML Crimes

This is the change that most UAE businesses are completely unaware of, and it is one of the most consequential in the entire legislation. Under standard UAE civil and commercial law, limitation periods for legal claims typically range from 3 to 10 years. Federal Decree-Law No. 10 of 2025 overrides this for AML financial crimes.

Under the UAE AML law 2025 statute of limitations provisions, standard limitation periods are displaced for money laundering, terrorist financing, and proliferation financing offences. In practical terms, this means a financial crime committed today could be prosecuted decades later. A crime committed in 2026 could be prosecuted in 2046.

The implications for record retention are profound. The standard minimum record retention period of 5 years may be wholly insufficient to defend against a prosecution initiated 15 or 20 years later. Businesses should urgently review their AML record retention UAE policies in light of this change and consider extending retention periods well beyond the regulatory minimum for higher-risk transactions and relationships.

7. Escalated Corporate Fines and Business Dissolution

The UAE AML law 2025 dramatically escalates the financial consequences of non-compliance at the corporate level. Under the 2018 framework, maximum corporate fines were capped at AED 5 million per violation. Under Federal Decree-Law No. 10 of 2025:

  • Maximum administrative fines reach AED 100 million for the most serious violations
  • Fines are assessed per violation. Multiple simultaneous violations carry cumulative fines
  • Business dissolution is available as a penalty for persistent or severe non-compliance, the ultimate enforcement consequence for a UAE-registered company
  • Asset confiscation: permanent deprivation of criminal property is available by court judgment
  • Asset freezing: an interim prohibition on the transfer or disposal of funds can now be imposed by the FIU Head for up to 10 working days without a court order

8. Expanded FIU Powers and Independence

Federal Decree-Law No. 10 of 2025 significantly strengthens the role and powers of the Financial Intelligence Unit UAE (FIU). Key changes include:

  • The FIU Head can now order immediate asset suspensions for up to 10 working days, extended from 7 working days under the 2018 law, and now applicable to all regulated entities rather than just CBUAE-licensed financial institutions
  • The FIU’s operational independence is formally codified, including specific information security, clearance, and secure channel requirements
  • The FIU can now request additional information not just from financial institutions and DNFBPs but also from VASPs and other authorities, including customs, tax authorities, geospatial data sources, and beneficial ownership registries
  • The FIU takes a leading role in the UAE National Risk Assessment with a specific focus on terrorist financing typologies
  • International cooperation has strengthened the FIU, which can now coordinate with international FIUs and digital platforms for intelligence sharing

9. Non-Profit Organisations and Legal Arrangements Brought Into Scope

The UAE AML law 2025 non-profit organisations provisions bring a significant new category of entity into the AML/CFT regulatory perimeter for the first time. Non-profit organisations, charities, religious bodies, cultural organisations, educational institutions, and any organised group that collects, receives, or disburses funds for benevolent purposes must now implement AML/CFT controls proportionate to their risk exposure.

See also  AML Regulations for Real Estate Agents in UAE: The Complete Compliance Guide

Legal arrangements, trusts, foundations, and similar structures are also explicitly regulated. Registrars, trustees, and persons in equivalent positions have defined obligations including CDD on settlors and beneficiaries, record-keeping, and STR filing where suspicious activity is identified.

For NPOs and trusts operating in the UAE, this is a new compliance landscape that requires an AML/CFT risk assessment, written policies and procedures, and registration on the goAML portal where applicable.

10. International Cooperation Without Secrecy Barriers

Chapter 9 of Federal Decree-Law No. 10 of 2025 establishes a comprehensive framework for international cooperation in AML/CFT/CPF enforcement. The UAE cannot refuse international cooperation requests solely on the basis of financial confidentiality, bank secrecy, or tax grounds, with the only permitted exception being legal professional privilege.

UAE courts can now enforce foreign orders for asset freezing or confiscation directly without requiring a parallel local investigation. This represents a fundamental shift in the UAE’s posture as an international financial centre, aligning it with the most cooperative jurisdictions globally and directly supporting the FATF mutual evaluation assessment.

Cabinet Resolution 134 of 2025 UAE Explained: The Implementing Regulations

Federal Decree-Law No. 10 of 2025 sets the legislative framework. Cabinet Resolution 134 of 2025 issued on 15 November 2025 and entering into force on 14 December 2025 puts it into operational practice. Comprising 71 articles and nearly 300 enforceable requirements, it is the most detailed AML implementing regulation the UAE has ever produced.

Cabinet Resolution 134 of 2025 covers:

CDD and EDD Requirements: prescribing detailed procedures for customer identification, verification, risk categorisation, enhanced due diligence triggers, and the specific documentation required for different client types including PEPs, correspondent banks, and high-risk jurisdiction clients.

UBO Identification: detailing how Ultimate Beneficial Owners must be identified, verified, and kept current, including for complex multi-layered ownership structures and nominee arrangements.

STR Filing Obligations: specifying the timeframes, quality standards, and content requirements for Suspicious Transaction Reports filed through the goAML portal.

Record Retention: establishes minimum retention periods (five years) and the format, accessibility, and security standards for retained records.

MLRO Obligations: defining the qualifications, authority, independence, and responsibilities required of the Money Laundering Reporting Officer.

Risk Assessment Methodology: prescribing how business-wide risk assessments must be structured, documented, reviewed, and reported to senior management.

Targeted Financial Sanctions: specify the procedures for implementing TFS, the frequency of screening, and the response obligations when a match is identified.

VASP-Specific Obligations: dedicated articles covering the compliance requirements for virtual asset service providers, including the Travel Rule for cross-border transfers.

NPO Framework: articles governing the AML/CFT obligations of non-profit organisations and legal arrangements.

Key Compliance Obligations Under UAE AML Law 2025: What Every Business Must Do

Understanding the UAE AML law for businesses 2025 requires translating the legislative framework into practical operational obligations. Here is what every regulated entity must have in place:

AML/CFT/CPF Risk Assessment

Every regulated entity must conduct, document, and maintain a current business-wide AML/CFT/CPF risk assessment. Under Cabinet Resolution 134 of 2025, this must now include a dedicated proliferation financing risk component. The risk assessment must be reviewed whenever significant business changes occur or new risk indicators emerge, and findings must be reported to and acknowledged by senior management.

AML Policy and Procedures UAE

Every regulated entity must maintain a written AML/CFT/CPF policy and procedures document tailored to their specific business, updated for Federal Decree-Law No. 10 of 2025 and Cabinet Resolution 134 of 2025, signed by senior management, and covering all mandatory elements including CDD/EDD procedures, UBO identification, STR filing, record retention, MLRO responsibilities, and targeted financial sanctions screening.

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

CDD must be conducted for all clients, verifying identity, understanding the nature of the business relationship, and assessing risk. CDD is an ongoing obligation, not a one-time onboarding check. EDD must be applied for PEPs, high-risk jurisdiction clients, correspondent banking relationships, and complex or unusual transactions. Under Cabinet Resolution 134 of 2025, CDD documentation requirements are significantly more detailed than under the 2019 regulations.

Ultimate Beneficial Owner (UBO) Identification

Every regulated entity must identify and verify the UBO of all corporate clients the natural person or persons who ultimately own or control the entity. UBO information must be maintained, kept current, and made available to supervisory authorities upon request. UBO identification failures are among the most commonly cited violations in Ministry of Economy inspections.

goAML Registration and STR Filing

All regulated entities, financial institutions, DNFBPs, VASPs, and eligible NPOs must register on the goAML portal operated by the Financial Intelligence Unit UAE. When suspicious activity is identified, a Suspicious Transaction Report (STR) must be filed through the goAML portal without delay. There is no monetary threshold for filing suspicion; alone is sufficient and legally required.

Targeted Financial Sanctions (TFS) Screening

All regulated entities must screen clients and transactions against UAE, UN Security Council, and other applicable international sanctions lists in real-time. A match requires immediate action assets must be frozen and the supervisory authority notified. The sanctions screening UAE obligation applies at onboarding and on an ongoing basis throughout the business relationship.

MLRO Appointment

Every regulated entity must appoint a qualified Money Laundering Reporting Officer (MLRO) with the authority, independence, seniority, and competence to fulfil the role. The MLRO is responsible for overseeing the AML/CFT/CPF compliance framework, evaluating internal suspicious activity reports, making STR filing decisions, and serving as the primary regulatory contact.
 Outsourced MLRO services are permitted, see our In-House AML Compliance Setup service.

AML Training UAE

All staff with AML/CFT/CPF responsibilities must receive regular, role-appropriate training. Under the CBUAE’s April 2026 guidance, which reinforces the training obligations in Cabinet Resolution 134 of 2025, generic annual e-learning is no longer sufficient. Training must be tailored to each role’s specific compliance exposure, cover the new 2025 law changes, and be documented with dated attendance records and assessment outcomes.

AML Record Retention UAE 2025

All CDD documents, transaction records, risk assessments, training records, and STR filings must be retained for a minimum of five years. In light of the statute of limitations removal discussed above, businesses should consider extending retention periods for higher-risk transactions well beyond the minimum. Records must be organised for rapid retrieval during regulatory inspections.

Tipping Off What You Cannot Do

Federal Decree-Law No. 10 of 2025 maintains and strengthens the tipping off offence UAE AML prohibition. A regulated entity that has filed, or is considering filing, an STR must not disclose this to the subject of the report or any associated party. Tipping off a warning to a client that they are under suspicion is a criminal offence regardless of intent.

Penalties Under UAE AML Law 2025: The Full Picture

The UAE AML law 2025 penalties represent the most significant escalation in financial crime enforcement consequences in the country’s history.

Administrative Fines:

  • Minimum fine per violation: AED 50,000
  • Maximum fine per violation: AED 5,000,000
  • Maximum aggregate corporate fine: AED 100,000,000
  • Fines are cumulative for multiple violations in a single inspection and carry compounded penalties

Criminal Penalties for Individuals:

  • Imprisonment for money laundering offences
  • Personal fines for managers and directors, independently of corporate fines
  • Disqualification from holding management positions
  • Liability established through negligence or wilful blindness, not just deliberate conduct

Structural Penalties:

  • Business dissolution available for persistent or severe non-compliance
  • Asset freezing imposed by the FIU Head without a court order for up to 10 working days
  • Asset confiscation permanent, by court judgment
  • Licence suspension or cancellation imposed by supervisory authorities

Reputational Consequences:

  • Public disclosure of enforcement actions by the Ministry of Economy and other supervisory authorities
  • Banking restrictions require banks to conduct AML due diligence on their own business clients
  • Exclusion from government contracts and institutional partnerships

Has your business updated its AML framework for Federal Decree-Law No. 10 of 2025?

AMLUAE’s AML/CFT Health Check assesses your entire compliance framework against the new law, identifying every gap before a regulator or inspector does.

 Book Your Free AML/CFT Health Check

How UAE AML Law 2025 Affects Specific Business Types

Real Estate Agents and Brokers

Real estate agents and brokers remain one of the highest-risk DNFBP categories under the new UAE AML regulations 2025. The Ministry of Economy recorded 495 violations from real estate businesses in H1 2025 alone. Under Federal Decree-Law No. 10 of 2025, real estate agencies must conduct full CDD on all parties to a transaction buyers, sellers, and intermediaries, verify UBO for all corporate purchasers, file STRs for suspicious transactions through goAML, maintain transaction records for a minimum of five years, and deliver annual AML training UAE to all staff. The personal liability provisions mean that estate agency owners and managers now face individual criminal exposure if their business fails to meet these obligations.

Gold Traders and Dealers in Precious Metals and Stones

Dealers in precious metals and precious stones (DPMS) are explicitly regulated as DNFBPs under the AML law UAE for businesses 2025. Cash-intensive transactions, cross-border supply chains, and complex counterparty networks make DPMS businesses among the most scrutinised in the UAE. Under the new law, the proliferation financing risk assessment obligation is particularly relevant to dual-use goods exposure, and certain cross-border commodity flows must now be assessed for PF risk as well as standard AML/CFT risk.

See also  AML Compliance for Lawyers in UAE: A Complete Guide for Legal Professionals and Law Firms

Auditors and Accounting Firms

Accounting and auditing firms that provide services involving client funds, corporate structuring, or business advisory are DNFBPs with full AML/CFT/CPF obligations. The tax evasion predicate offence provision is directly relevant to accounting firms that advise clients on transactions that later prove to involve tax evasion, face heightened exposure under the new UAE money laundering law 2025. The professional obligation to file STRs exists regardless of client confidentiality obligations.

Corporate Service Providers and Company Formation Agents

Corporate service providers (CSPs) and company formation agents face some of the most demanding obligations under Federal Decree-Law No. 10 of 2025 because of their role in establishing and managing corporate structures. UBO identification is the central compliance challenge. Complex, multi-layered ownership structures involving nominee directors, bearer shares, and offshore holding companies are a known money laundering typology. The new law’s personal liability provisions mean that CSP directors and managers who fail to adequately identify UBOs face individual criminal exposure.

Virtual Asset Service Providers (VASPs)

For VASPs, Federal Decree-Law No. 10 of 2025 represents the most significant regulatory development in the UAE digital asset market. Operating without a licence is now a standalone criminal offence. Full AML/CFT/CPF compliance equivalent to financial institutions is mandatory. The Travel Rule for cross-border virtual asset transfers is legally enforceable. Real-time sanctions screening UAE is required for all transactions. For VASPs in the UAE whether operating under VARA, ADGM, or DIFC frameworks, 2026 is the year compliance infrastructure must be operationally complete.

Non-Profit Organisations

For NPOs, the UAE AML law 2025 non-profit organisations provisions create an entirely new compliance reality. Charities, religious organisations, cultural bodies, and educational institutions that collect, receive, or disburse funds must now assess their AML/CFT risk exposure, implement proportionate controls, and register on the goAML portal where applicable. The practical compliance steps depend on the specific risk profile of the NPO; those operating cross-border, handling large cash donations, or distributing funds to higher-risk jurisdictions face the most demanding obligations.

Free Zone Companies (DIFC, ADGM, JAFZA, DMCC, Meydan)

All free zone companies in the UAE are subject to UAE AML regulations 2025 without exception. DIFC-regulated entities are subject to the DFSA’s updated AML Module (effective 2 March 2026), which aligns with Federal Decree-Law No. 10 of 2025 and Cabinet Resolution 134 of 2025. ADGM companies follow the FSRA’s AML Rulebook under equivalent standards. All other free zone businesses follow the federal framework under the Ministry of Economy or CBUAE supervision. The misconception that free zone registration provides AML exemption is not only incorrect, but it is also one of the most dangerous assumptions a UAE business owner can make in 2026.

How to Comply with UAE AML Law 2025: A 10-Step Action Guide

Here is a practical, step-by-step guide on how to comply with UAE AML law 2025 for any regulated entity:

Step 1: Confirm your regulatory category

Determine whether your business is a financial institution, a DNFBP, a VASP, or an NPO under Federal Decree-Law No. 10 of 2025. If you are uncertain, book an AML/CFT Health Check with a qualified AML compliance consultant Dubai.

Step 2: Conduct or update your AML/CFT/CPF risk assessment

Your risk assessment must now include a dedicated proliferation financing component. If your existing risk assessment was conducted under the 2018 framework, it requires a complete update. Commission a formal AML/CFT Risk Assessment Report if you do not have a current one.

Step 3: Update your AML policy and procedures document

Your policy must reflect Federal Decree-Law No. 10 of 2025 and Cabinet Resolution 134 of 2025. Generic templates and documents written for the 2018 law do not meet current requirements. AMLUAE’s AML/CFT Policy Documentation UAE service produces a fully customised, regulator-ready document.

Step 4: Register on the goAML portal

If your business is not yet registered on the goAML portal, this is the most urgent action you can take. Registration is mandatory, and operating without it is an immediate violation. AMLUAE’s In-House AML Compliance Setup covers goAML registration as part of the full compliance setup.

Step 5: Implement CDD and UBO procedures

Put your CDD framework into operation for all new client onboarding and conduct a retrospective review of existing high-risk client files. Ensure UBO documentation is complete for all corporate clients.

Step 6: Appoint your MLRO

Formally appoint a qualified Money Laundering Reporting Officer or engage an outsourced AML compliance officer UAE. Ensure the appointment is documented with a formal letter and role description.

Step 7: Integrate targeted financial sanctions screening

Implement real-time TFS screening against UAE, UN, OFAC, and EU sanctions lists for all client onboarding and transaction processing. AMLUAE’s AML Software solutions automate this process.

Step 8: Deliver role-based AML training UAE

Train all relevant staff on their obligations under Federal Decree-Law No. 10 of 2025 including the new proliferation financing offence, personal liability provisions, and the tax evasion predicate offence. Document all training with attendance records. AMLUAE’s AML Training Program covers all 2025 law requirements.

Step 9: Establish your STR filing process

Ensure your MLRO and relevant staff understand the STR filing obligation, what constitutes suspicion, how to escalate internally, and how to file through the goAML portal. AMLUAE’s Regulatory Reporting Services manage this end-to-end.

Step 10: Review your record retention policy

In light of the statute of limitations removal, assess whether your current five-year retention policy is adequate for higher-risk transactions. Update your policy and document the rationale.

Why AMLUAE for AML Compliance UAE in 2026

At AMLUAE, AML compliance is our sole focus, not a department within a larger accounting or advisory firm. Our team has direct, current knowledge of the CBUAE AML guidelines 2026, Federal Decree-Law No. 10 of 2025, Cabinet Resolution 134 of 2025, and the full UAE Central Bank AML regulations framework.

We help licensed financial institutions across the UAE navigate every aspect of the April 2026 update, from policy documentation and risk assessments to role-based training, regulatory reporting, and MLRO support.

Our services for financial institutions include:

How AMLUAE Helps You Comply with UAE AML Law 2025

At AMLUAE, we are a specialist AML compliance consultancy, not a general accounting firm with a compliance department. Our entire focus is on helping UAE businesses navigate the AML/CFT/CPF regulatory landscape, and every service we provide is aligned with the requirements of Federal Decree-Law No. 10 of 2025 and Cabinet Resolution 134 of 2025.

Our services for regulated entities navigating the new UAE AML regulations 2025 include:

We serve financial institutions, DNFBPs, VASPs, NPOs, and corporate service providers across Dubai, Abu Dhabi, Sharjah, Ras Al Khaimah, Fujairah, and all UAE free zones, including DIFC, ADGM, JAFZA, DMCC, and Meydan.

Whether you are starting your anti money laundering in UAE compliance journey from scratch under the new 2025 law, updating an existing framework that was built for the 2018 legislation, or preparing for a Ministry of Economy inspection or CBUAE supervisory review, AMLUAE has the service that fits exactly where you are.

We serve businesses across Dubai, Abu Dhabi, Sharjah, Ras Al Khaimah, Fujairah, and all UAE free zones, including DIFC, ADGM, JAFZA, DMCC, and Meydan.

 Book a Free AML Compliance Consultation

Frequently Asked Questions About UAE AML Law 2025

What is Federal Decree-Law No. 10 of 2025 UAE?

Federal Decree-Law No. 10 of 2025 is the UAE's primary AML legislation governing anti-money laundering, countering the financing of terrorism, and countering proliferation financing. It came into force on 14 October 2025, replacing Federal Decree-Law No. 20 of 2018. Its implementing regulations are Cabinet Resolution 134 of 2025, followed on 14 December 2025, comprising 71 articles and nearly 300 enforceable requirements for all regulated entities.

What changed in UAE AML law 2025 compared to 2018?

UAE AML law 2025 introduced ten major changes from the 2018 framework: proliferation financing as a standalone criminal offence, direct regulation of virtual asset service providers, personal criminal liability for managers and directors, a lower knowledge threshold for prosecution, tax evasion as a predicate offence, removal of the statute of limitations for AML crimes, corporate fines up to AED 100 million, expanded FIU freezing powers, inclusion of non-profit organisations, and strengthened international cooperation.

Who does UAE AML law 2025 apply to?

UAE AML law 2025 applies to all regulated entities in the UAE, including financial institutions, including banks, exchange houses, insurance companies, and payment service providers; DNFBPs, including real estate agents, gold traders, auditors, legal consultants, and corporate service providers; virtual asset service providers; and, for the first time, non-profit organisations and legal arrangements. Free zone companies are not exempt; they are supervised by the DFSA, FSRA, or Ministry of Economy, depending on their registration.

What are the penalties under UAE AML law 2025?

Penalties under UAE AML law 2025 include administrative fines from AED 50,000 to AED 5 million per violation, maximum aggregate corporate fines of AED 100 million, and personal criminal prosecution and imprisonment for individual managers and directors. Additional penalties include business dissolution, asset freezing by the FIU without a court order for up to 10 working days, permanent asset confiscation by court judgment, and trade licence suspension or cancellation.

What are the personal liability risks for managers under UAE AML law 2025?

Under UAE AML law 2025, managers and directors face personal criminal prosecution and imprisonment for AML failures independently of corporate liability. Personal liability can be established through deliberate misconduct, negligence, or wilful blindness failure to investigate obvious red flags is sufficient. Managers do not need to have personally committed a financial crime. Failure to implement adequate AML controls is enough for individual prosecution under Federal Decree-Law No. 10 of 2025.

Does UAE AML law 2025 apply to free zone companies?

Yes, UAE AML law 2025 applies to all free zone companies without exception. Federal Decree-Law No. 10 of 2025 covers all businesses operating in the UAE, regardless of free zone registration. DIFC companies are supervised by the DFSA under its updated AML Module, effective March 2026. ADGM companies follow the FSRA AML Rulebook. All other free zone businesses in JAFZA, DMCC, Meydan, and elsewhere follow the federal AML framework no free zone provides exemption.

How do I comply with UAE AML law 2025?

o comply with UAE AML law 2025, regulated entities must complete seven core actions: confirm their regulatory category under Federal Decree-Law No. 10 of 2025, conduct an updated AML/CFT/CPF risk assessment, including a proliferation financing component, update their AML policy for the new law and Cabinet Resolution 134 of 2025, register on the goAML portal, implement CDD and UBO procedures, appoint a qualified MLRO, and deliver role-based AML training to all relevant staff.