What internal AML controls must DNFBPs implement under UAE AML law?

DNFBPs must implement a documented internal control framework approved by senior management that addresses ML, TF and proliferation financing risks. The framework must include written AML/CFT/CPF policies, a risk-based customer due diligence procedure, screening protocols for sanctions and PEPs, transaction monitoring rules calibrated to the entity’s risk profile, suspicious activity escalation channels, an MLRO with direct access to senior management, an independent audit function, and a continuous staff training programme.

The controls must apply to all branches and majority-owned subsidiaries, including those operating outside the UAE where local law does not preclude application. Smaller DNFBPs can scale the framework while still meeting each minimum requirement, but cannot omit core elements such as the MLRO, screening, STR procedure or record retention. Supervisors expect controls to be tested, results reported to senior management at least annually, and remediation actions tracked to closure.

The framework should also cover beneficial ownership identification under Cabinet Resolution 109/2023, source of funds and source of wealth verification for high-risk customers, response procedures for sanctions hits and Notification Alert System matches, and a breach register that captures both regulatory and internal policy breaches with associated remediation. Boards or owner-managers must receive periodic compliance reports describing programme effectiveness and any open enforcement issues. Failure to maintain adequate controls is a stand-alone breach attracting penalties under Cabinet Resolution 71/2024 even where no ML or TF event has occurred.

Legal Reference (UAE):

For more details, consult the full text of FDL 10/2025.
