Is an independent audit function mandatory for DNFBPs in the UAE?
Yes. The Executive Regulation to FDL 10/2025 requires DNFBPs to maintain an independent audit function to review the effectiveness of the AML/CFT/CPF programme. The function may be performed by an internal audit team or, for smaller DNFBPs that lack the capacity, by an external qualified auditor independent of the day-to-day compliance activity. The auditor must be free of conflicts of interest and report findings directly to senior management or the board.
The audit must test the design and operating effectiveness of policies, the customer due diligence process, sanctions screening, transaction monitoring, suspicious reporting, beneficial ownership identification, training delivery and record-keeping. The scope must be risk-based and informed by the enterprise-wide risk assessment outcomes, and the testing cadence should be at least annual with deeper-dive thematic reviews where the supervisor or recent typology reports identify elevated risk.
Findings must be reported in writing to senior management with remediation timelines, ownership and target dates, and the audit report must be retained for at least five years and made available to the supervisor on inspection. Repeat findings or unresolved issues should be escalated and tracked. Supervisors increasingly use the audit report as a starting point for their on-site inspection, so DNFBPs that treat the audit as a tick-box exercise expose themselves to penalty risk and potential personal accountability for the MLRO and senior management.
Legal Reference (UAE):
- Cabinet Resolution No. 134 of 2025, Article 21 — internal controls including independent audit
- Federal Decree-Law No. 10 of 2025, Article 16 — DNFBP duties
For more details, consult the full text of Cabinet Resolution 134/2025.