Auditing in the UAE

AML audit requirements in the UAE: what businesses must do

What are AML audit requirements in the UAE?

AML audit requirements in the UAE refer to the independent review obligations placed on financial institutions and designated non-financial businesses and professions (DNFBPs) under Federal Decree-Law 20 of 2018 and Cabinet Decision 10 of 2019. The audit checks that anti-money laundering controls, customer due diligence, transaction monitoring, and suspicious activity reporting work as designed.

The UAE has tightened its AML (anti-money laundering) and CFT (combating the financing of terrorism) regime since 2018. Regulators expect firms to prove, with evidence, that their policies are not just on paper. An independent AML audit is one of the main ways to show that proof. This guide walks UAE business owners and finance teams through who must comply, what auditors examine, how often the audit runs, and what penalties apply.

For broader context on assurance work in the country, see our hub on Auditing in the UAE.

Who must arrange an AML audit in the UAE?

The duty to maintain an AML compliance program, and to subject it to independent testing, applies to two broad groups.

Financial institutions

Banks, finance companies, exchange houses, insurance firms, brokers, and payment service providers fall under the Central Bank of the UAE or the Securities and Commodities Authority. They must run a full AML/CFT program and arrange independent audit testing.

Designated non-financial businesses and professions (DNFBPs)

The DNFBP category covers four sectors under Ministry of Economy supervision:

  • Real estate brokers and agents handling cash transactions of AED 55,000 or more.
  • Dealers in precious metals and stones for cash transactions of AED 55,000 or more.
  • Auditors and accountants providing services to clients.
  • Corporate service providers and trust providers.

Virtual asset service providers (VASPs)

Crypto exchanges, custodians, and token issuers licensed in the UAE, including those under the Virtual Assets Regulatory Authority (VARA) in Dubai, must follow VASP-specific AML rules and arrange independent testing.

Free zone entities

Companies in financial free zones such as the DIFC and ADGM follow their own regulator's AML rulebook, but the underlying obligations mirror the federal regime. A free zone licence does not exempt a business from AML audit duties.

The framework rests on several layers of law and regulation.

Instrument | What it covers
Federal Decree-Law 20 of 2018 | Core AML/CFT law, criminalises money laundering, sets reporting duties.
Cabinet Decision 10 of 2019 | Implementing regulation, details customer due diligence and record-keeping rules.
Cabinet Decision 109 of 2023 | Updates regulatory measures and beneficial ownership obligations.
Ministry of Economy guidance for DNFBPs | Sector-specific rules, registration on the goAML portal, reporting templates.
Central Bank AML/CFT rulebook | Detailed rules for licensed financial institutions.
VARA rulebook | AML controls specific to virtual asset service providers.

An AML audit measures the firm's controls against this combined rulebook. The auditor also benchmarks against international standards from the Financial Action Task Force (FATF), since the UAE aligns its regime with FATF recommendations.

What does an AML audit actually examine?

An AML audit is a structured review of design and operating effectiveness. It is not the same as a financial statement audit, though both may run in parallel.

Governance and policy

The auditor reads the firm's AML policy, board minutes, and committee charters. They check that a money laundering reporting officer (MLRO) is appointed in writing and that the board reviews AML matters at least annually.

Risk assessment

Every regulated entity must complete a documented enterprise-wide risk assessment (EWRA). The auditor reviews how the firm scores risk across customers, products, geographies, and delivery channels. They test whether the methodology is up to date and approved.

Customer due diligence (CDD) and KYC

This is the largest sample-tested area. The auditor pulls a sample of customer files and checks:

  • Identity verification documents for natural persons and legal entities.
  • Beneficial ownership records, with thresholds set in line with Cabinet Decision 109 of 2023.
  • Politically exposed persons (PEP) screening evidence.
  • Source of funds and source of wealth documentation for higher-risk clients.
  • Enhanced due diligence for high-risk relationships.

Transaction monitoring

The auditor reviews the rules, thresholds, and alerts in the transaction monitoring system. They test a sample of alerts to confirm investigators close them with reasoned conclusions, not blanket dismissals.

Sanctions screening

The firm must screen customers and counterparties against the UAE local terrorist list, UN consolidated list, and any other applicable lists. The auditor checks list update frequency, match handling, and escalation.

Suspicious transaction reporting (STR and SAR)

The auditor checks goAML portal submissions, the time taken from detection to filing, and the quality of narrative descriptions. Tipping-off controls are also tested.

Training and awareness

Staff training records, attendance logs, and test results are reviewed. The auditor confirms that role-specific training reaches front-line staff, the MLRO, and the board.

Record keeping

UAE rules require records to be kept for at least five years after the end of the business relationship or transaction. The auditor verifies retention, retrievability, and protection of these records.

How often must the AML audit run?

The regime expects independent testing on a risk-based frequency. In practice:

  • Larger financial institutions run a full AML audit every 12 to 18 months.
  • DNFBPs typically run it annually, often aligned to the financial year-end.
  • Higher-risk businesses, such as exchange houses and VASPs, may need more frequent thematic reviews on top of the annual audit.

The audit can be performed by an external firm or by a qualified internal audit function that is independent from the AML compliance team. Many SMEs in the DNFBP category outsource the work because they lack an in-house audit team. Our guide to Internal Control Audit UAE explains the design and operating effectiveness model that AML auditors borrow from.

AML findings can affect the statutory audit. If a customer transaction looks like it has not been properly reviewed for AML purposes, the financial auditor may flag it as a control weakness under International Standards on Auditing. Our overview of UAE Audit Standards ISA shows how external auditors document such findings.

Companies preparing financial statements under IFRS (see our guide IFRS UAE Companies Must Follow) should also remember that fines and provisions for AML breaches need disclosure when material. The legal framework for the underlying audit duty sits in the UAE Commercial Companies Law Audit Clauses.

The AML audit process step by step

  1. Planning. The auditor agrees scope, sample size, and timing with the MLRO and management.
  2. Risk assessment review. The EWRA is the first document examined.
  3. Walkthroughs. The auditor walks one transaction of each major type from onboarding to monitoring to reporting.
  4. Sample testing. Customer files, alerts, and STRs are tested against the rulebook.
  5. Interviews. The auditor speaks with the MLRO, compliance staff, and front-office leaders.
  6. Reporting. A written report sets out findings rated as high, medium, or low risk.
  7. Remediation tracking. Management agrees action plans with target dates. The audit committee or board signs off.

For more on how testing is documented, see Audit Evidence UAE Requirements. The type of opinion or conclusion issued depends on findings, and the categories used line up with those discussed in Audit Opinion Types.

Penalties for AML non-compliance in the UAE

Penalties under the federal AML regime are significant and have grown since 2021. Cabinet Decision 16 of 2021 sets administrative fines for DNFBPs.

Violation | Indicative fine range
Failure to register on the goAML portal | AED 50,000 to AED 1,000,000
Failure to apply CDD measures | AED 50,000 per violation
Failure to file a suspicious transaction report | AED 50,000 to AED 1,000,000
Failure to keep records for at least 5 years | AED 50,000 to AED 100,000
Failure to provide information to supervisors | AED 50,000 to AED 200,000
Failure to appoint an MLRO | AED 50,000 to AED 100,000

For financial institutions, the Central Bank can impose much larger fines and has done so publicly. Criminal penalties under Federal Decree-Law 20 of 2018 include imprisonment and fines of up to AED 50,000,000 in the most serious cases involving organised laundering. Licences can also be suspended or withdrawn.

The audit itself is not a fine source, but auditors flag the same gaps that supervisors fine. Acting on audit findings is the cheapest way to avoid enforcement.

A practical readiness checklist

Use this checklist before the auditor arrives.

  • Board-approved AML/CFT policy, last reviewed within the past 12 months.
  • Written MLRO appointment letter and deputy appointment.
  • Current enterprise-wide risk assessment with a documented methodology.
  • Customer risk rating model applied to every active customer.
  • CDD files complete for a sample of 25 to 50 customers, including identification, beneficial ownership, and PEP checks.
  • Transaction monitoring rules documented, with tuning notes.
  • Sanctions list update logs, ideally daily.
  • goAML registration confirmed and STR filings logged.
  • Staff training records for the last 12 months, including the board.
  • Independent audit reports from the last cycle and remediation status.

Common findings and how to fix them

Out-of-date risk assessment

Many DNFBPs prepare an EWRA once and then leave it. Refresh it at least annually and after any major change in customers, products, or geography.

Weak beneficial ownership records

Auditors often find legal-entity files with no ultimate beneficial owner (UBO) declaration or expired identity documents for UBOs. Set a 12-month refresh cycle.

Alert backlogs

Transaction monitoring alerts left open for more than 30 days are a red flag. Set a service level for alert closure and report it to the board.

Training gaps for the board

Front-line staff usually get training, but boards often do not. Run a short annual board briefing and keep the attendance log.

Tipping-off risk

Staff sometimes tell customers their account is being reviewed. Reinforce the rule in every training session, since tipping-off is a criminal offence under Article 25 of the AML law.

How AML audits intersect with tax compliance

An AML audit and a tax compliance review are separate, but they share data. Customer due diligence records help establish the substance of transactions for VAT and corporate tax. Where the Federal Tax Authority (FTA) audits VAT or corporate tax positions, weak AML documentation can also weaken the tax defence file. For background on FTA rules, the official source is the UAE Federal Tax Authority. The wider policy framework sits with the UAE Ministry of Finance.

What to expect from a good AML audit report

A useful audit report is short, specific, and actionable. It should contain:

  • Executive summary with an overall opinion on the AML control environment.
  • Scope statement listing periods, locations, and exclusions.
  • Detailed findings, each with risk rating, root cause, and recommendation.
  • Management response and target completion date for every finding.
  • An appendix listing documents reviewed and people interviewed.

If your audit report is generic or copy-pasted from a template, ask for a re-performance. Supervisors expect tailored work.

Preparing for a Ministry of Economy inspection

DNFBPs may receive on-site or off-site inspections from the Ministry of Economy. Inspectors typically request:

  • Last AML risk assessment.
  • Customer file samples.
  • STR log and copies of any reports filed.
  • Training records.
  • The last independent AML audit report and remediation tracker.

A clean and current audit file is the fastest way to close an inspection without findings.

If your tax firm helps clients with AML compliance reviews alongside statutory audits and tax filings, get UAE e-invoicing pricing from EInvoice Direct so you can offer one connected compliance stack with an accredited service provider included at no extra charge.

Questions, answered

Is an AML audit mandatory for all UAE companies?

No. AML audit requirements apply to financial institutions, designated non-financial businesses and professions (DNFBPs), and virtual asset service providers. A regular trading company that does not handle cash above set thresholds or provide regulated services usually does not need an AML audit. Free zone status does not exempt a business from the duty if it falls within a regulated category.

How often should a UAE business run an AML audit?

The federal rules use a risk-based approach. Most DNFBPs run an independent AML audit once a year, aligned to the financial year. Financial institutions usually audit every 12 to 18 months, with thematic reviews in between. Higher-risk firms such as exchange houses and crypto service providers should expect more frequent testing. The frequency must be justified by the documented risk assessment.

Who can perform an AML audit in the UAE?

The audit must be independent from the AML compliance team. It can be done by an external audit firm, a specialist compliance consultancy, or an internal audit function that reports to the audit committee rather than to compliance. The reviewer needs experience with UAE AML law, FATF standards, and the relevant sector rulebook from the Central Bank, Ministry of Economy, or VARA.

What is the goAML portal and who must register?

goAML is the reporting system run by the UAE Financial Intelligence Unit. All financial institutions, DNFBPs, and VASPs must register on goAML and use it to file suspicious transaction reports and other notifications. Failure to register can trigger fines starting at AED 50,000. Registration is one of the first items every AML auditor checks during planning.

What records must be kept for AML purposes in the UAE?

Records of customer identification, transactions, internal and external suspicious reports, training, and risk assessments must be kept for at least five years after the end of the business relationship or the date of the transaction. Records must be retrievable on request from supervisors and law enforcement. Many firms keep records for longer to support tax and contractual claims.

What is the difference between an AML audit and a financial audit?

A financial audit gives an opinion on whether financial statements present a true and fair view under IFRS. An AML audit gives an opinion on whether the firm's anti-money laundering controls meet the legal rulebook. The two can run in parallel and share evidence, but the scope, standards, and reporting are different. Most UAE firms commission them separately.

What penalties apply if AML obligations are ignored?

Administrative fines for DNFBPs range from AED 50,000 to AED 1,000,000 per violation under Cabinet Decision 16 of 2021. The Central Bank can impose larger fines on licensed financial institutions. Federal Decree-Law 20 of 2018 also creates criminal offences with fines up to AED 50,000,000 and imprisonment in serious cases. Licences can be suspended or revoked.

How does e-invoicing affect AML compliance in the UAE?

Mandatory e-invoicing from January 1, 2027 under the Peppol 5-corner DCTCE (Decentralized Continuous Transaction Control and Exchange) model will give regulators structured transaction data in near real time. That data makes it easier to spot unusual patterns. Firms with strong AML controls and clean customer records will find the transition smoother, since the same source documents support both regimes.

This content is informational and does not constitute tax, legal, or financial advice. Consult an FTA-registered tax agent or a licensed UAE audit firm before acting on this information.
