Alsuwaidi & Company

Federal Decree-Law No. (10) of 2025: A Practical Guide for DNFBPs and High-Risk Entities

The UAE’s Federal Decree-Law No. (10) of 2025 on Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Proliferation Financing (PF) came into effect on 14 October 2025. Replacing the 2018 AML framework, the law expands compliance obligations for DNFBPs, virtual asset service providers (VASPs), financial institutions, and other high-risk sectors, reflecting the UAE’s commitment to international standards and financial integrity.

This guide is designed to apprise businesses of their responsibilities and provide practical steps for compliance.

1. Entities Covered

The law applies to:

  • Designated Non-Financial Businesses and Professions (DNFBPs) – The definitions remain, but the new law explicitly lists financial institutions, designated non‑financial businesses and professions (DNFBPs) and virtual‑asset providers/service providers as covered entities. DNFBPs continue to include lawyers, accountants, real‑estate agents, dealers in precious metals and stones, and trust/company service providers.
  • Virtual Asset Service Providers (VASPs) – The law now defines virtual assets as a “digital representation of value that can be digitally traded or transferred” and includes VASPs within the scope of regulated entities. Businesses dealing in cryptocurrencies or similar assets must obtain a license or registration.
  • Non‑profit organisations and legal arrangements – The 2025 law brings non‑profit organisations and legal arrangements (such as trusts) into the regulatory perimeter. Registrars, trustees and persons holding similar positions have specified obligations.
  • License requirement – It is now an offence for any person to conduct a financial activity, non‑financial business or virtual‑asset activity without the appropriate license, registration or authorisation from the competent authority.

2. Key Compliance Obligations (Enhanced and Clarified)

A. Risk assessment and Customer Due Diligence (CDD)

  • Regulated entities must identify, understand and manage AML/CFT/PF risks in their field of work, and document and update their risk assessments, taking into account the national risk assessment.
  • The law emphasises a risk‑based approach: the scope of due‑diligence and ongoing monitoring measures must be proportionate to the level of risk and align with the national risk assessment.
  • Entities are prohibited from opening or maintaining anonymous, fictitious or numbered accounts and must verify the identities of customers and beneficial owners.
  • Enhanced due diligence measures remain required for higher‑risk clients or sectors (e.g. politically exposed persons, high‑risk jurisdictions, cross‑border transactions), but details will be set out in the executive regulations.

B. Suspicious‑transaction reporting

  • If a financial institution, DNFBP or VASP suspects that funds are proceeds of crime or may be used for money laundering, terrorist financing or proliferation financing, it must promptly report suspicious or unusual transactions to the Financial Intelligence Unit (FIU). The reporting obligation is transaction‑value‑
  • Lawyers, notaries and other legal professionals are exempt from reporting where the information is covered by professional confidentiality.

C. Internal controls and record‑keeping

  • Senior management must approve internal policies, procedures and controls to mitigate identified risks, update them regularly and apply them to all branches and majority‑owned subsidiaries.
  • Entities must retain records, documents and data for all transactions (local or international) and make them available to competent authorities upon request.
  • Immediate implementation of targeted financial sanctions ordered by the Executive Office or other competent authorities is mandated.

3. Enforcement and Penalties (Tougher Sanctions)

  • Administrative penalties – Supervisory authorities can issue warnings, impose fines ranging from AED 10,000 to AED 5 million, suspend or cancel licenses, restrict powers of responsible individuals and publish penalties.
  • Criminal penalties – Operating without a license attracts imprisonment and a fine between AED 200,000 and AED 10 million. Providing false or misleading beneficial‑owner information to authorities is a criminal offence.
  • Safe‑harbour provision – Persons who report suspicious transactions or provide information to authorities in good faith are shielded from criminal, civil or administrative liability.
  • No limitation period – Criminal proceedings for money‑laundering, terrorist‑financing or proliferation‑financing offences do not expire with time.
  • Foreign nationals – Foreigners convicted of money laundering must be deported; deportation may be ordered for other offences.

4. Practical Steps for Businesses

To ensure compliance under the 2025 Decree-Law, entities should:

  • Review and update policies – Align AML/CFT/PF policies with the new law and upcoming executive regulations.
  • Conduct and document risk assessments, considering national risk findings, and implement appropriate risk‑based customer due‑diligence and monitoring.
  • Verify and record beneficial ownership and avoid anonymous or pseudonymous accounts.
  • Train employees on identifying suspicious activities related to money laundering, terrorist financing and proliferation financing and on reporting obligations.
  • Implement targeted financial sanction screening and respond promptly to instructions from the relevant authorities.
  • Document all compliance activities – Maintain records of CDD, monitoring, and reports.
  • Monitor developments, as executive regulations will clarify enhanced due‑diligence procedures, record‑retention periods, and obligations for NPOs, registrars, legal arrangements and trustees.

5. Benefits of Compliance

  • Reduces regulatory and reputational risk.
  • Enhances client confidence in your operations.
  • Positions your business to operate securely within the UAE’s evolving financial landscape, aligned with international standards.

Summary:

The 2025 Decree-Law repeals the 2018 framework and introduces broader coverage and stricter compliance requirements. It extends regulation to virtual‑asset service providers and non‑profit organisations, strengthens risk‑based due‑diligence obligations, mandates licensing for all covered activities, requires immediate implementation of targeted financial sanctions and imposes higher administrative and criminal penalties for non‑compliance. Businesses should update their compliance frameworks accordingly to meet these new obligations and to avoid the significant fines and other sanctions prescribed by the law.

For practical guidance on implementing AML/CFT measures under Federal Decree‑Law No. (10) of 2025, please feel free to contact Suneer Kumar at suneer@alsuwaidi.ae, Vida Grace Serrano at vida@alsuwaidi.ae or Mamdouh Tawfik at m.tawfik@alsuwaidi.ae.