Regulatory Compliance

A working AML programme, built right.

Risk assessments, policy updates, transaction monitoring rules and ongoing training for all staff.


What a real AML programme looks like

An AML/CFT programme isn't a policy document on a shelf. It's a working set of controls — risk assessment, customer due diligence, transaction monitoring, sanctions screening, suspicious activity reporting, training and governance — that actually function in your business, every day.

We build, refresh and operate AML programmes for regulated firms in the UAE.

What we cover

  • Enterprise-wide AML risk assessment — annual, updated for new products, customers and geographies
  • AML/CFT policies and procedures — written, reviewed and maintained current
  • Customer due diligence framework — standard, simplified and enhanced CDD procedures
  • Transaction monitoring rules — design, calibration and ongoing optimisation
  • Sanctions screening setup — pre-transaction and ongoing screening, list maintenance
  • Suspicious activity escalation — internal escalation protocols and STR/SAR workflows
  • Training — onboarding training plus annual refresher for all relevant staff
  • Governance — committee structure, reporting lines and oversight responsibilities
  • Independent testing — annual independent review of programme effectiveness

Build vs refresh

For new firms we build the full programme from scratch as part of authorisation. For existing firms we typically come in for a refresh — gap analysis against current regulator expectations, remediation roadmap and updated documentation.

AML programme framework

What a UAE AML programme must cover.

UAE AML/CFT requirements are set out in Federal Decree-Law No. 20 of 2018, Cabinet Resolution No. 10 of 2019, and individual regulator rulebooks. Whether you're a DFSA-regulated DIFC firm, an FSRA-regulated ADGM firm, an SCA-licensed broker, a CBUAE-regulated entity or a Ministry of Economy DNFBP — the core AML programme components are the same.

The eight pillars of a UAE AML programme

  • Business risk assessment — annual identification of your firm's ML/TF risks by product, customer, geography and channel
  • Customer due diligence (CDD) — initial CDD, enhanced CDD for high-risk customers, simplified CDD for low-risk, ongoing CDD review
  • Sanctions screening — UN, OFAC, UAE local sanctions list, EU and other applicable lists
  • Transaction monitoring — rules-based detection of suspicious patterns, with thresholds calibrated to your business
  • Suspicious activity reporting — internal escalation process and external STR/SAR filing via goAML
  • Recordkeeping — five-year minimum retention of all CDD records and transaction records
  • Training — initial onboarding training for all relevant staff, plus annual refresher
  • Governance — board oversight, MLRO role, audit committee reporting

How we build it

From kick-off to regulator-ready.

Risk assessment

Workshop with your team to identify ML/TF risks across products, customers, geographies and channels. Output: documented business risk assessment.

Policy and procedure drafting

AML manual covering CDD, sanctions screening, transaction monitoring, STR reporting, recordkeeping, training and governance — tailored to your risk profile and rulebook.

Systems and tooling

Selection and configuration of sanctions screening and transaction monitoring tools. Calibration of monitoring rules to your business.

Training rollout

Initial AML training for all relevant staff. Tailored content for front-office, ops, finance and senior management. Annual refresher built into the programme.

First-year review

After 12 months we conduct an independent review to confirm the programme is operating effectively — and refresh as your business evolves.

FAQ

Frequently asked.

What does a UAE AML/CFT programme cover?

A compliant UAE AML/CFT programme covers eight pillars: business risk assessment, customer due diligence (CDD), sanctions screening, transaction monitoring, suspicious activity reporting, recordkeeping, training, and governance. The detailed expectations come from Federal Decree-Law No. 20 of 2018, Cabinet Resolution No. 10 of 2019, and individual regulator rulebooks.

How often must the AML risk assessment be updated?

At least annually, or whenever there is a material change in business activities, customers, products, geography or regulatory environment. We refresh client risk assessments annually with quarterly mini-reviews.

What is enhanced due diligence (EDD)?

EDD is the stricter CDD applied to higher-risk customers — politically exposed persons (PEPs), customers from high-risk jurisdictions, complex ownership structures, and certain industry categories. EDD typically includes additional documentation, source-of-wealth checks, and senior approval.

What sanctions lists must UAE firms screen against?

At minimum: the UN Security Council Consolidated Sanctions List, the UAE Local Sanctions List (as maintained by the Cabinet Office), and any sanctions lists applicable to the firm's business or counterparties (OFAC, EU, UK). Most firms run all major lists through a screening tool.

What records must be kept and for how long?

Minimum five-year retention of all CDD records (identification documents, beneficial ownership records, source of funds evidence) and transaction records. Some regulators may require longer retention in specific cases.