AML Compliance in the UAE (2026): Guide for Fintechs and Regulated Businesses

Discover the 2026 landscape of AML compliance in the UAE. Learn how fintechs, DNFBPs, and startups can navigate regulations, eKYC, and digital onboarding with solutions like VOVE ID.


The UAE exited the FATF grey list in 2024 and almost immediately raised the compliance bar. The federal AML framework was materially updated in 2025, a new FATF mutual evaluation is scheduled for 2026, and regulators are actively scrutinising whether businesses treat AML as an operational system or a policy document.

For fintechs, payment platforms, and regulated businesses, the question in 2026 is not whether AML compliance is required. It's whether your onboarding, monitoring, and reporting infrastructure can actually operate under Central Bank of the UAE expectations from day one.

This guide covers the UAE-specific AML layer: the updated legal framework, regulatory authorities, sector obligations, and what a compliant AML program looks like in practice. For the underlying AML system architecture, see our AML Requirements guide.

Federal Decree-Law No. 10 of 2025 on anti-money laundering and counter-terrorist financing took effect on October 14, 2025, replacing the previous Decree-Law No. 20 of 2018. Cabinet Resolution No. 134 of 2025 serves as the executive regulation.

Together they establish a risk-based framework that requires institutions to:

  • Identify, assess, and continuously update ML, TF, and proliferation financing risk
  • Apply customer due diligence and ongoing monitoring throughout the relationship
  • Report suspicious activity to the UAE Financial Intelligence Unit without delay
  • Maintain controls for targeted financial sanctions compliance

The practical implication: AML in the UAE is continuous, not event-based. It connects onboarding, transaction behaviour, and regulatory reporting into a single lifecycle. Institutions that treat it as a one-time onboarding check will not meet the standard.

Regulatory Authorities

CBUAE (Central Bank of the UAE) supervises banks, payment institutions, exchange houses, fintechs, and e-money providers on the mainland. It sets the baseline AML standard for the majority of regulated entities and conducts inspections. In 2023 alone, total fines for AML and KYC violations across the UAE exceeded AED 339 million.

DFSA governs financial services firms in the DIFC under its own AML Rulebook. DFSA compliance requirements align with federal law but include DIFC-specific guidance on high-risk client categories and beneficial ownership.

FSRA governs entities in ADGM under its AML/CFT Rulebook, similarly aligned with but distinct from the federal framework.

VARA (Virtual Assets Regulatory Authority, Dubai) and SCA (Securities and Commodities Authority, federal) regulate VASPs and apply AML/CFT obligations specific to virtual asset activity.

FIU (Financial Intelligence Unit) receives and analyses suspicious transaction reports submitted via the goAML platform, coordinates with law enforcement, and drives national AML strategy.

Ministry of Economy supervises DNFBPs — real estate agents, lawyers, accountants, dealers in precious metals and stones.

Non-compliance carries fines up to AED 5 million per violation under CBUAE powers, and up to AED 50 million under federal law for the most serious breaches.

FATF Status and 2026 Evaluation

The UAE exited the FATF grey list in February 2024 following significant regulatory reform — expanded CBUAE supervisory powers, strengthened UBO transparency requirements, and increased FIU operational capacity.

The 2026 FATF mutual evaluation is the next major milestone. Regulators are actively using the period leading up to it to close remaining gaps, particularly in DNFBP supervision and monitoring consistency. For regulated businesses, this translates into heightened inspection activity and lower tolerance for systematic compliance gaps.

What a UAE AML Program Must Cover

A compliant AML program under the 2025 federal framework and CBUAE expectations requires five operational layers.

1. Risk Assessment

Institutions must identify and continuously update their risk exposure at both business and customer level. CBUAE guidance requires risk-based alignment between customer types, products, geographies, and transaction patterns.

In practice, this means AML design must reflect the actual business model — domestic vs cross-border exposure, merchant vs consumer vs B2B flows, high-risk corridors, transaction velocity. Without this mapping, downstream controls become inconsistent and indefensible.

2. Customer Due Diligence

CDD in the UAE is not limited to identity verification. It includes:

  • Identification and verification of the customer
  • Understanding the purpose and intended nature of the relationship
  • Risk-based classification — standard, simplified, or enhanced
  • Evidence collection and retention

For business customers, this extends into KYB-level analysis: ownership structure, UBO identification, and expected activity must be understood before activation. The full business verification workflow is covered in our KYB Compliance in UAE guide.

EDD is mandatory for:

  • PEPs and their close associates and family members
  • Clients from high-risk jurisdictions on the UAE or FATF watchlists
  • Non-face-to-face onboarding with additional risk indicators
  • Virtual asset-related relationships
  • Complex ownership structures or offshore entities

3. Ongoing Transaction Monitoring

The 2025 framework explicitly requires continuous monitoring — not periodic review. A compliant system links onboarding assumptions to live behaviour:

  • Expected transaction volumes and corridors defined at onboarding
  • Deviation from baseline triggers review
  • Changes in risk profile trigger re-classification
  • Periodic re-evaluation for higher-risk clients

Many UAE-based platforms build adequate CDD at onboarding but fail to connect it to lifecycle monitoring. This is a specific gap FATF identified in its 2024 follow-up review and is expected to be a focus area in the 2026 evaluation.

4. Sanctions and Targeted Financial Sanctions Controls

Sanctions compliance is a core pillar of UAE AML — not a separate function. CBUAE requires institutions to:

  • Screen customers and counterparties against UAE, UN, EU, and OFAC lists
  • Escalate potential and confirmed matches with documented decision logic
  • Report freezing actions and attempted transactions to the FIU
  • Maintain audit-ready records of all screening decisions

Sanctions handling is an operational workflow — detection, decisioning, escalation, and reporting — not just a name-matching exercise.

5. Suspicious Transaction Reporting via goAML

All regulated entities must report suspicious transactions and activity to the FIU via the goAML platform. A complete reporting workflow includes:

  • Internal detection and review process
  • Case documentation and evidence collection
  • Decision criteria for escalation vs. dismissal
  • Filing via goAML within required timeframes
  • Post-report handling and FIU follow-up management

If a team cannot reliably move from alert to goAML submission, the AML system is incomplete regardless of how strong onboarding is.

Sector-Specific Obligations

Fintechs and Payment Providers

CBUAE's Retail Payment Services framework covers payment account issuance, merchant acquiring, payment initiation, domestic and cross-border transfers, and payment token services. For fintechs in this space, AML controls must be designed around the actual risk profile of the payment model — not a generic checklist.

Payment token services carry elevated risk under CBUAE guidance due to speed, cross-border nature, and potential anonymity characteristics. This requires stronger onboarding and monitoring controls from the outset.

Cross-border activity increases baseline risk exposure. Many UAE fintechs serve Gulf, Africa, and South Asia corridors by design. Monitoring must incorporate geography and corridor logic, not just transaction thresholds.

VASPs and Crypto

VASPs face the most layered AML environment in the UAE — subject to VARA (Dubai), SCA (federal), or DFSA (DIFC) depending on where they operate, each with specific AML/CFT obligations. Crypto-specific monitoring typologies include mixing service usage, rapid layering through multiple wallets, and privacy coin transactions. For VASP KYB and onboarding requirements specifically, see our KYB Compliance in UAE guide.

Real Estate and DNFBPs

Real estate is one of the sectors FATF specifically flagged during the grey list period. Enhanced Ministry of Economy supervision of real estate agents, lawyers, and accountants is ongoing. Source of funds verification for high-value transactions is mandatory, and these sectors face higher scrutiny than they have historically.

AML Checklist for Fintech Teams

Before launching or scaling in the UAE, teams should be able to clearly answer:

  • Which regulatory framework (CBUAE, DFSA, FSRA, VARA, SCA) applies to the product?
  • What are the highest-risk customer types and corridors for this business model?
  • How is customer purpose and expected activity defined and documented at onboarding?
  • What triggers enhanced due diligence — and is it automated or manual?
  • How is transaction monitoring connected to onboarding baseline assumptions?
  • How are sanctions alerts escalated, documented, and resolved?
  • Who owns goAML reporting and how is the evidence structured?
  • Can every approval and escalation decision be reconstructed for a regulator?

Weak answers here indicate implementation gaps, not documentation gaps.

Getting AML Right in the UAE

UAE AML compliance in 2026 is a system design problem. The 2025 federal framework and CBUAE payment regulations require fintechs to integrate risk-based onboarding, continuous monitoring, sanctions controls, and goAML reporting into a single operational model. Firms that treat AML as part of product architecture scale more predictably; those that treat it as a post-launch function encounter friction during licensing, banking partnerships, and regulatory review.

VOVE ID is used by fintechs and regulated businesses in the UAE to structure onboarding and KYB workflows — identity verification, sanctions screening, and audit-ready documentation aligned with CBUAE, DFSA, and FSRA standards.

If you're building or reviewing AML infrastructure for the UAE market, we can walk you through how it works in practice.

This article is intended for general informational purposes only and does not constitute legal, financial, or regulatory advice. KYC requirements may vary depending on jurisdiction, industry, and specific business circumstances. For up-to-date and binding compliance obligations, readers should refer to the relevant regulatory authorities or consult qualified professionals.