Skip to main content
Regulatory Update
Compliance June 2026 4 min read

UAE AML/CFT in 2026: your provider's compliance is now your exposure

Dubai, June 2026

UAE anti-money-laundering enforcement on Designated Non-Financial Businesses has risen since the FATF grey-list exit. If you run a UAE company, the weak link is rarely your file. It is whoever filed it for you.

The provider Cuts a corner on your due diligence at setup.
Your file Carries the gap into your record.
The bank Surfaces it in KYC. The cost lands on you.
Manish Kumar Pandey
Manish Kumar Pandey
Founder, DM Consultancy · Registered DNFBP-CSP
What actually changed

The grey-list exit lowered the headlines, not the scrutiny.

Federal Decree-Law No. 10 of 2025 sets defined obligations on Designated Non-Financial Businesses and Professions, the DNFBPs. The UAE left the FATF grey list in 2024, and inspection of these firms rose. The standard moved from registering once to proving the programme runs. The DNFBPs it covers:

  • Corporate service providers.
  • Accountants and auditors.
  • Lawyers.
  • Real estate brokers.
  • Dealers in precious metals and stones.
Before

The bar was registration.

Get listed, file the manual, move on.

Paperwork on hand counted as compliance.

Now

The bar is a programme that operates.

Inspections test whether the policy is followed.

What cannot be evidenced is treated as a gap.

A quieter consequence sits under the rule: you do not have to be a DNFBP to be exposed by one. The firm that filed your licence is, and its compliance posture is written into your file. A weak provider upstream becomes your problem downstream.

The standing obligations

What a DNFBP must be able to evidence at inspection.

Five ongoing obligations. Registration is the floor. A supervisor tests whether each one operates, not whether a manual exists.

01

An applied AML/CFT policy

A documented policy, programme, and procedures manual approved by senior management. The test is whether it is followed. An unused manual reads as a gap.

02

A registered Compliance Officer

Appointed and registered with the relevant supervisory authority. A name on paper is not enough. The role has to be live, reachable, and exercised.

03

Real customer due diligence

Complete CDD files, with enhanced diligence on high-risk clients, Politically Exposed Persons, and parties in high-risk jurisdictions. Incomplete files are the finding inspectors write up most.

04

goAML registration and reporting

Registration on the goAML system run by the UAE Financial Intelligence Unit, plus Suspicious Transaction Reports filed when the duty triggers. Registration without reporting is a hollow control.

Who decides here: the FIU, not the firm
05

Documented annual training

Staff training on spotting and reporting suspicious activity, run and recorded every year. The record matters as much as the session: what cannot be evidenced never happened.

Who this reaches

The obligation sits on one firm. The consequence travels.

It starts with the regulated provider, follows the file into the bank, and lands back on you.

01

The regulated DNFBP

A CSP, accountant, or broker carries the obligation, and the inspection.

02

Your file

Whatever they captured, or skipped, becomes your corporate record.

03

The bank's KYC

The same due-diligence questions return, and a gap stalls the account.

04

Back to you

The correction lands in your name, at the worst possible moment.

The part nobody tells you

The integrity of your company file is set by whoever built it, long before a bank or supervisor ever looks at it.

DNFBPs are supervised by sector. The Ministry of Economy oversees corporate service providers, accountants, auditors, and precious-metals dealers; land departments and RERA cover real estate. When supervision reaches a firm, it reaches the records that firm created: the beneficial-ownership data, the source-of-funds trail, the due diligence the file should have captured at the start. Where the provider cut corners, the founder inherits the corrections, usually when a bank declines to open and the same questions land again.

This is not abstract regulatory news. The cheapest filing is often the one assembled without the discipline a supervisor now expects, and that shortcut never shows on the setup invoice. It shows up later, in your name.

Where we stand

We are not explaining this from the outside.

DM Consultancy lives under the same framework it advises on. We hold the programme a supervisor expects to find, so your file survives both inspection and the bank.

Registered DNFBP-CSP

DET Trade Licence 1457744.

AML/CFT programme

Approved policy manual in force.

Compliance Officer

Appointed and registered.

goAML

Registered, with reporting discipline.

The standard we hold internally is the one we apply to your file. Read our wider work on AML/CFT compliance for UAE businesses and on corporate banking readiness, where the same due-diligence questions decide whether an account opens.

The questions behind the update

What this actually means for you.

Reviewed by Manish Kumar Pandey, Founder, DM Consultancy · Registered DNFBP-CSP · Last reviewed June 2026

Is my company exposed if my provider's AML compliance is weak?

Indirectly, yes. The firm that filed your company is the regulated party, but the records it created, your beneficial-ownership data, source-of-funds trail, and due-diligence file, become your corporate history. If those were assembled carelessly, the gaps surface when a bank runs KYC or supervision reaches the provider. Fixing it after the fact is slower than getting it right at the start.

Did the FATF grey-list exit make AML compliance easier?

No. Leaving the grey list in 2024 signalled that the framework works, not that it relaxed. Inspection of DNFBPs has increased since, and the obligations under Federal Decree-Law No. 10 of 2025 remain in full force. The emphasis moved from registering to proving the programme operates, a higher bar.

Does goAML registration mean my firm is compliant?

No. Registration is the entry point, not the finish line. A supervisor checks whether the policy is applied, CDD files are complete, the risk assessment is current, and annual training was run and documented. Registration with none of that behind it is treated as a gap.

How do I know where my own position stands?

Privately, and quickly. We read your policy, Compliance Officer registration, CDD files, and goAML position against what a supervisor inspects, and tell you plainly where the gaps are and what we would do in your place. A conversation, not a form, and you leave with a clearer view whether or not you engage us.
Continue reading

Related reading

Compliance AML/CFT compliance for UAE businesses, explained Banking Corporate banking and KYC readiness Advisory Speak with our compliance team
Your position, privately

Whether you carry the obligation or inherited the file,
we will tell you where you stand.

Thirty minutes with Manish directly, no pitch. If you are a DNFBP, we read your policy, Compliance Officer registration, CDD files, and goAML position against what a supervisor inspects. If someone else filed your company, we read the file the way a bank and a supervisor will. Either way you leave with a clear view of the gaps and what we would do in your place.

Schedule a Conversation → WhatsApp
info@dm-uae.com · Port Saeed, Deira, Dubai