Independent AML reviews are becoming an increasingly important component of AML/CFT governance and compliance oversight for regulated businesses in the UAE.
The United Arab Emirates has significantly strengthened its Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) framework in recent years through legislative updates, enhanced supervisory expectations and increased enforcement activity. Regulatory developments introduced during 2025 expanded the compliance expectations applicable to financial institutions, DNFBPs and virtual asset businesses (VASPs). The accompanying Executive Regulations introduced more detailed compliance obligations relating to governance, risk assessment, customer due diligence, internal controls, reporting and ongoing monitoring.
For Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Asset Service Providers (VASPs), regulators increasingly expect businesses to maintain independent testing, review or audit mechanisms to assess the effectiveness of their AML/CFT controls. This article explains what an independent AML review in the UAE entails, which businesses are required to undergo one, how frequently it must be conducted and how to prepare.
What is an independent AML review?
An independent AML review is a structured assessment of a business’s AML/CFT compliance program carried out by a qualified party that is functionally separate from the compliance team responsible for day-to-day operations. The purpose is to evaluate whether the business’s policies, procedures, controls and systems are adequate, effective and aligned with regulatory expectations.
The review differs from an internal compliance check. It provides the board of directors or senior management with an objective evaluation of the compliance program’s strengths and weaknesses, free from the bias of the team that built and operates it.
Depending on the sector, supervisory expectations and organizational structure, the review may be performed by an appropriately independent internal audit function or by an external party with relevant AML/CFT expertise.
The legal basis for independent AML reviews
The requirement for independent AML reviews in the UAE draws from multiple layers of legislation and regulatory guidance.
Federal Decree-Law No. 10 of 2025: The primary AML/CFT legislation establishes the obligations for all reporting entities, including financial institutions, DNFBPs and VASPs. The framework requires regulated businesses to maintain effective AML/CFT controls, governance arrangements and compliance monitoring mechanisms, including periodic assessment of the effectiveness of those controls.
Cabinet Resolution No. 134 of 2025 (Executive Regulations): The Executive Regulations detail the compliance program requirements. These cover governance, risk assessment, internal controls and independent audit or review. The regulations emphasize the need for effective monitoring, oversight and periodic assessment of AML/CFT controls.
CBUAE Guidance (Section 16.31): Institutions supervised by the Central Bank of the UAE are generally expected to maintain independent oversight and periodic testing of their AML/CFT compliance functions, including internal audit involvement and, in certain cases, external review or agreed-upon procedures engagements. External auditors must report findings directly to the Board of Directors and the report must be submitted to the Banking Supervision Department within four months of the financial year-end.
Ministry of Economy (MoE) Guidance: The Ministry of Economy has issued AML/CFT guidance and supervisory communications for DNFBPs outlining expectations relating to risk assessments, customer due diligence, internal controls and compliance oversight.
VARA and Other UAE Regulatory Frameworks for VASPs: Virtual Asset Service Providers face additional layers of regulation. Depending on their licensing jurisdiction and business activities, they may be subject to supervision by authorities such as VARA, the Securities and Commodities Authority (SCA), ADGM FSRA or DIFC DFSA. VARA-regulated entities are generally expected to maintain dynamic and regularly updated Business Risk Assessments that reflect changes in products, customers, delivery channels and emerging risks.
Who needs an independent AML review?
The independent AML review requirement applies broadly across the UAE’s regulated landscape. The two main categories covered in this article are DNFBPs and VASPs.
DNFBPs (Designated Non-Financial Businesses and Professions)
The following categories of DNFBPs are expected to maintain a risk-based AML/CFT compliance program with appropriate oversight, monitoring and periodic assessment mechanisms.
Dealers in Precious Metals and Precious Stones (DPMS): Jewellers, gold traders, bullion dealers, diamond dealers and any business that deals in precious metals or stones above the threshold of AED 55,000 in a single transaction or linked transactions.
Real Estate Brokers and Agents: Licensed real estate professionals involved in buying and selling property on behalf of clients. The real estate sector has been a particular area of focus in the UAE’s AML supervisory strategy.
Lawyers, Notaries and Legal Professionals: Legal practitioners who prepare, manage or carry out transactions involving the buying and selling of real estate, managing client funds, creating or managing legal entities or buying and selling business entities.
Independent Accountants and Auditors: Accounting and auditing professionals who prepare, manage, or carry out financial transactions for their clients, particularly those involving the creation, operation or management of legal persons.
Company and Trust Service Providers (TCSPs): Firms that provide corporate formation, nominee director, registered agent or trust administration services.
Commercial Gaming Operators: Entities operating within the UAE’s emerging commercial gaming framework, particularly where customer funds, gaming activity or cash-equivalent transactions are involved, may also face AML/CFT compliance obligations and supervisory oversight.
Each category is supervised by a designated authority: the Ministry of Economy (MoE) supervises accountants, auditors, TCSPs and real estate professionals; the Ministry of Justice (MoJ) supervises lawyers and notaries; and the General Commercial Gaming Regulatory Authority (GCGRA) supervises commercial gaming operators.
VASPs (Virtual Asset Service Providers)
Virtual Asset Service Providers are subject to extensive AML/CFT obligations under the UAE regulatory framework, including requirements relating to customer due diligence, transaction monitoring, sanctions screening, governance and risk assessment. VASPs include crypto exchanges, custodial wallet providers, token issuers, brokers and other intermediaries dealing in virtual assets.
VASPs face heightened scrutiny because of the inherent risks associated with virtual assets, including pseudonymity, cross-border transfer speed and the evolving nature of the technology. An independent AML review in the UAE helps VASPs demonstrate to regulators that their compliance controls keep pace with the risks.
VASPs are expected to maintain AML/CFT controls proportionate to their risk exposure and applicable supervisory requirements, including controls relating to customer due diligence, sanctions compliance, transaction monitoring, governance and risk assessment. Given the increasing regulatory focus on governance, risk assessments and financial crime controls within the virtual asset sector, VASPs should ensure that their Business Risk Assessment frameworks remain current, documented and operationally effective.
When is an independent AML review required?
The frequency of the independent AML review depends on the supervisory authority and the risk profile of the business.
CBUAE-supervised entities: Certain CBUAE-supervised entities may be required to undergo periodic external review or agreed-upon procedures engagements relating to AML/CFT controls, depending on applicable supervisory requirements. Certain supervisory reporting timelines may apply depending on the nature of the regulated entity and applicable regulatory requirements. In addition, the internal audit department must conduct regular audits of the compliance function throughout the year.
DNFBPs: The Executive Regulations and supervisory guidelines require DNFBPs to conduct periodic independent reviews of their AML/CFT compliance programs. The frequency should align with the risk profile of the business, but annual reviews are widely considered best practice. Supervisory authorities increasingly expect them. UAE supervisory authorities have continued to increase their focus on AML/CFT compliance monitoring, inspections and enforcement across higher-risk sectors, particularly among DNFBPs and virtual asset businesses.
VASPs: The frequency of independent review or testing should be determined using a risk-based approach that considers the nature, scale, complexity and risk exposure of the business. In practice, many regulated entities adopt annual review cycles. VARA-licensed VASPs should ensure that Business Risk Assessments are periodically reviewed, updated and appropriately documented.
Event-driven reviews: Beyond the regular cycle, an independent AML review should also be triggered by significant events such as the launch of new products or services, entry into new markets or jurisdictions, material changes to the customer base or delivery channels, regulatory findings or enforcement actions and changes in the ownership or governance structure of the business.
What does an independent AML review cover?
A comprehensive independent AML review in the UAE typically covers the following areas.
Governance and Organisational Structure: Whether the business has appointed appropriately qualified personnel responsible for AML/CFT compliance oversight and suspicious transaction reporting, in line with applicable regulatory expectations; whether the board is adequately involved in AML/CFT oversight; and whether reporting lines ensure the independence of the compliance function.
Risk Assessment: Whether the business has conducted a business-wide AML/CFT risk assessment that is current, comprehensive and aligned with the National Risk Assessment. The review evaluates whether the risk assessment covers products, services, customers, geographies and delivery channels.
Policies and Procedures: Whether the AML/CFT policy framework is documented, board-approved, regularly updated and aligned with legal obligations under Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): Whether the business applies appropriate CDD and EDD measures, including customer identification, beneficial ownership determination, source of funds verification and ongoing monitoring. The review tests a sample of customer files to assess compliance.
Transaction Monitoring: Whether the business has effective systems to detect unusual or suspicious activity, whether alerts are investigated and escalated appropriately and whether the monitoring rules and thresholds are calibrated to the business’s risk profile.
Sanctions and PEP Screening: Whether the business screens customers and transactions against applicable UAE and UN sanctions lists, as well as any additional sanctions frameworks relevant to its business activities, counterparties or cross-border exposure.
Reporting, Records and Training
Suspicious Transaction Reporting: Whether suspicious transactions or activities are identified, escalated and reported to the UAE Financial Intelligence Unit (UAE-FIU) through the applicable reporting mechanisms in a timely and properly documented manner.
Record-keeping: Whether the business maintains records for the required retention period (currently five years from the end of the business relationship or the completion of the transaction, whichever is later, under applicable UAE AML/CFT requirements).
Training: Whether staff and relevant third parties have received adequate AML/CFT training and whether training records are maintained.
Penalties for non-compliance
Federal Decree-Law No. 10 of 2025 introduced substantially higher penalties for AML/CFT non-compliance.
The UAE AML/CFT framework provides for significant criminal and administrative penalties for non-compliance, including substantial financial penalties, license restrictions, suspension of activities and potential personal liability for responsible individuals. Penalties may vary depending on the nature, severity and circumstances of the violation.
Administrative penalties are equally significant. Regulators can impose fines of up to AED 5 million, revoke licenses, suspend business activities and remove board members or executives involved in violations. The law also introduces personal criminal liability for managers and directors who were aware of an offense and whose breach of duty contributed to its commission.
The revised enforcement framework reflects a significantly tougher regulatory approach toward AML/CFT violations, including enhanced investigative and enforcement powers.
How to prepare for an independent AML review
Businesses can take several practical steps to prepare for an independent AML review.
Conduct a self-assessment: Before the formal review, carry out an internal gap analysis against applicable UAE AML/CFT laws, executive regulations, supervisory guidance and sector-specific regulatory expectations. Identify areas where policies, procedures or controls may be outdated or incomplete.
Organize documentation: Ensure that all key documents are current and accessible, including the AML/CFT policy, business risk assessment, CDD and EDD files, transaction monitoring records, STR filing logs, training records and board minutes related to compliance oversight.
Update the risk assessment: If the business risk assessment has not been reviewed since the new law came into force, update it to reflect the current regulatory environment, any changes in the business model and the latest National Risk Assessment findings.
Test controls independently: Before the external review, have your internal audit function (if independent from compliance) test a sample of controls to identify any issues that can be remediated in advance.
Engage qualified reviewers: Choose an external reviewer with demonstrable expertise in UAE AML/CFT regulations, sector-specific compliance requirements and risk-based control assessments. Compliance7 Consulting, for example, supports businesses across the UAE and APAC through independent AML reviews, compliance assessments and control validation engagements. For CBUAE-supervised entities, the reviewer must meet the qualifications set out in Section 16.31.
For businesses that also operate in India, see our guide to independent AML reviews in India for a comparison of the requirements across jurisdictions.
Key Takeaways
Independent AML reviews and control assessments should be viewed as an important component of an effective AML/CFT compliance framework rather than a purely procedural exercise. Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 have raised the bar for all reporting entities, with particular scrutiny on DNFBPs and VASPs.
Businesses should treat the independent review as an opportunity to identify and fix compliance gaps before regulators do. With supervisory scrutiny and enforcement activity continuing to increase across multiple sectors, the financial, operational and reputational consequences of AML/CFT non-compliance can be substantial. In many cases, the cost of inaction may exceed the cost of compliance.
Businesses preparing for independent AML reviews or broader AML/CFT compliance assessments may benefit from obtaining independent professional guidance tailored to their sector, regulatory exposure and risk profile. Compliance7 Consulting supports regulated businesses through AML reviews, compliance assessments and control validation engagements across the UAE and APAC region.
This article is intended for general informational purposes only and does not constitute legal, regulatory or professional advice. Regulatory expectations may vary depending on the nature of the business, licensing status, supervisory authority and jurisdiction. Businesses should obtain independent legal or compliance advice specific to their circumstances before making regulatory or operational decisions.


