What internal AML policies must accounting firms establish under UAE AML law?

Accounting firms classified as DNFBPs in the UAE must establish a comprehensive set of written internal AML/CFT policies, controls, and procedures under Article 19(d) of Federal Decree-Law No. 10 of 2025. These policies must be approved by senior management and reviewed and updated on a continuous basis.

At a minimum, the internal AML programme of an accounting firm must address: a firm-wide risk assessment covering client types, services, delivery channels, and geographic exposure; risk-based customer due diligence procedures for client onboarding and ongoing monitoring; a process for identifying and escalating suspicious transactions to the MLRO and, where necessary, to the FIU via goAML; a record-keeping policy ensuring all relevant documents are retained for at least five years; staff screening and training on AML/CFT; appointment and responsibilities of the MLRO; and an independent audit function to test the adequacy of the controls.

The policies must be consistent with the UAE’s national risk assessment outcomes and must be applied across all branches of the firm. The Ministry of Economy’s Supplemental Guidance for Auditors recommends that the AML programme be risk-sensitive, with enhanced measures applied to higher-risk clients. Regulators expect evidence that policies are genuinely implemented, not merely documented on paper.

Legal Reference (UAE):

  • Federal Decree-Law No. 10 of 2025, Article 19(d), Requirement for internal policies, controls, and procedures approved by senior management
  • Ministry of Economy, Supplemental Guidance for Auditors (UAE DNFBP Guidelines), Section 11.7.2, Summary of AML/CFT governance obligations for auditors

For more details, consult the full text of Federal Decree-Law No. 10 of 2025.
