
AML Compliance in the UAE: DIFC, ADGM, and Onshore
A guide to AML compliance across the UAE's three regulatory environments — the Central Bank of the UAE, the DIFC under the DFSA, and the ADGM under the FSRA — covering goAML reporting, sanctions screening, UBO requirements, and the practical differences compliance teams experience day-to-day across each jurisdiction.
The UAE's removal from the FATF grey list in February 2024 marked the formal recognition of a compliance regime that has been rebuilt substantially since 2022. The UAE was placed on the FATF grey list in March 2022 due to deficiencies in its AML, CFT, and sanctions regime, and was removed on February 23, 2024 after undertaking significant reforms, including a new specialist court for financial crimes and new AML guidelines for financial institutions and DNFBPs. For FinTechs and crypto firms choosing where to license, the post-grey-list landscape presents a jurisdiction that has moved materially toward international standards but retains the complexity of three distinct regulatory environments sitting alongside each other: onshore under the Central Bank of the UAE, the DIFC under the Dubai Financial Services Authority, and the ADGM under the Financial Services Regulatory Authority.
Understanding which framework applies, what it requires, and how enforcement feels in practice is foundational to licensing strategy in the UAE.
The Three Regulatory Environments
Onshore: Central Bank of the UAE (CBUAE)
The primary legal foundation for AML in the UAE is Federal Decree-Law No. 10 of 2025, which replaced the 2018 AML framework entirely and came into force on 14 October 2025. Cabinet Resolution No. 134 of 2025 provides the implementing detail across 71 articles and nearly 300 enforceable requirements, covering risk-based CDD, EDD, beneficial owner identification and verification, PEP procedures, wire transfer Travel Rule compliance, and record-keeping obligations for at least five years.
The 2025 law introduced two material changes relevant to compliance teams. First, under the 2018 law, prosecutors had to prove actual knowledge that funds derived from a predicate crime. Under the 2025 law, knowledge can be inferred from objective circumstances. A firm that should have known funds were illicit, given available warning signs, can be liable even without proof of actual knowledge. This raises the standard for what constitutes "reasonable steps" significantly. Second, the FIU's enforcement powers have been expanded, including the ability to order immediate asset suspensions and 30-day freezes, and to request data from VASPs, customs, and beneficial ownership databases.
The CBUAE published updated guidance in October 2025 on KYC, CDD, record-keeping, risk-based institutional assessments, and role-based staff training. Compliance teams should treat this guidance as setting the examination standard for CBUAE-supervised entities.
DIFC: Dubai Financial Services Authority (DFSA)
The DIFC operates as an independent common-law jurisdiction within Dubai, regulated by the DFSA. Firms licensed in the DIFC must comply with both the DFSA's AML rulebook and the federal UAE AML framework. The DFSA's regulated population grew by 14% in 2024 to over 900 authorized firms, driven partly by a 75% increase in wealth management licences.
The DFSA regime closely mirrors the standards of major international AML jurisdictions, with requirements for documented risk-based approaches, written AML programs, designated MLROs, transaction monitoring, STR reporting to the UAE FIU via goAML, and ongoing customer screening against sanctions lists including UAE local terrorist designations and the UN Security Council Consolidated List. The DFSA's enforcement philosophy has historically been described as principles-based, with a relatively light supervisory touch compared to more directive regulators, but the direction since grey-list removal has been toward more active examination.
Firms in the DIFC must also comply with the mandatory National KYC Digital Platform established under Federal Decree-Law No. 30 of 2024, requiring biometric verification with liveness detection for onboarding.
ADGM: Financial Services Regulatory Authority (FSRA)
The Abu Dhabi Global Market operates under Abu Dhabi jurisdiction and is regulated by the FSRA. The ADGM has positioned itself as a fintech and virtual asset hub, with a regulatory philosophy that emphasizes proportionality and engagement with emerging business models. In December 2023, the FSRA announced revisions to its AML sanctions rules and guidance, and in July 2024 enhanced whistleblower protections came into force.
The FSRA's AML framework runs parallel to the federal regime rather than replacing it. ADGM-licensed firms must comply with FSRA AML rules and also maintain awareness of federal law obligations, particularly under the 2025 Decree-Law. The ADGM has been active in developing a virtual asset framework, and VASPs licensed in the ADGM are subject to the same AML, CFT, and Travel Rule obligations as conventional financial institutions under the 2025 law.
Regulatory Comparison

goAML: Mandatory for All
All regulated entities must register on the goAML platform and file STRs via it. Registration is mandatory even where no suspicious transactions have ever occurred. Failure to register is treated as an automatic internal controls failure.
The STR filing obligation is triggered by suspicion, with no minimum transaction value. Banks in the UAE actively screen corporate customers for DNFBP status, and firms operating without goAML registration are a flagged counterparty from the bank's perspective, often resulting in account freezes, blocked remittances, and declined account openings ahead of any regulatory fine.
Sanctions Screening Requirements
All UAE-regulated entities must screen against UAE local terrorist designations and the UN Security Council Consolidated List as a minimum. Circular No. 3 of 2025 requires screening processes to be updated whenever these lists change, and screening must occur at onboarding and on a continuous real-time basis thereafter.
In practice, firms with international operations should maintain broader screening coverage, including OFAC's SDN list where US-dollar transactions or US-counterparty exposure is present, the EU consolidated list where European counterparties are involved, and the UK OFSI list where relevant. The legal obligation under UAE law is the domestic and UN lists; the operational requirement for any firm with international banking or payments relationships is substantially broader.
UBO and Beneficial Ownership
UAE Cabinet Decision No. 58 of 2020 requires entities to disclose their ultimate beneficial owners and maintain updated registers. The 2025 Decree-Law criminalizes false UBO reporting. For FinTechs and crypto firms with complex ownership structures, ensuring that UBO records are accurate, maintained, and available for inspection is a compliance obligation with personal liability attached to senior management.
MLRO Requirements
Every regulated entity must appoint a dedicated MLRO who is UAE-resident, holds sufficient seniority to act independently, and has direct access to senior management and the board. Under the 2025 law, accountability attaches personally to the MLRO as well as institutionally to the firm. For smaller FinTechs and SaaS businesses without a local compliance function, this requirement to have a UAE-resident MLRO is a meaningful operational commitment that affects the licensing strategy.
Day-to-Day Compliance: What Differs Across Jurisdictions
In practice, compliance teams operating under the CBUAE regime experience the most prescriptive examination environment, with regular supervisory visits, sector-wide thematic reviews, and the highest volume of regulatory guidance to track. The DFSA presents a more dialogue-oriented supervisory relationship but has intensified its financial crime focus since grey-list removal. The ADGM offers the most engagement-oriented environment and is most likely to be responsive to fintech-specific compliance questions, making it attractive for early-stage firms building programs for the first time.
The practical differences center on three things: the volume of regulatory correspondence, the frequency of supervisory visits, and the speed of enforcement when problems are identified. All three regulators have demonstrated willingness to act in 2024 and 2025. Licenses of 32 local gold refineries were suspended between July and October 2024, and the refineries were charged with 256 violations relating to failures to address money laundering risks, including failing to notify the FIU of suspicious transactions and not implementing satisfactory systems and controls.
Conclusion
The UAE offers three distinct regulatory pathways, each with different supervisory cultures and different strengths for different business models. What all three share is a post-grey-list compliance environment where AML is treated as a substantive operational requirement, not a licensing formality. Firms that invest in documented programs, real-time screening, qualified MLROs, and goAML registration before they need them are better positioned than those that build retrospectively under supervisory pressure.
