On April 16, 2026, the Central Bank of the United Arab Emirates (CBUAE) published a comprehensive update to its AML/CFT/CPF guidance for licensed financial institutions. The CBUAE AML guidance 2026 package introduces new supervisory expectations across four critical areas: proliferation financing, trade-based money laundering, correspondent banking, and customer due diligence. For compliance teams at banks, exchange houses, finance companies, and registered hawala providers operating in the UAE, these updates demand immediate attention.
The timing is deliberate. The UAE’s National Strategy (2024 to 2027) calls for stronger financial crime defences, closer alignment with FATF standards, and a measurable shift from procedural compliance toward effective risk management. The guidance provides additional supervisory expectations and operational direction aligned with the UAE National Strategy.
Here is what has changed, why it matters, and what your institution should do next.
Proliferation financing gets dedicated regulatory focus
The most significant addition in the CBUAE AML guidance 2026 package is a standalone framework for countering proliferation financing (CPF). Until now, proliferation financing sat in the shadow of broader sanctions screening. The new guidance elevates it to a distinct compliance priority.
The CBUAE expects licensed financial institutions (LFIs) and registered hawala providers (RHPs) to build their CPF framework around three pillars. First, institutions must assess their inherent exposure to proliferation financing risks. This goes beyond checking customer names against sanctions lists. It requires understanding the products, geographies, and transaction types that create PF exposure.
Second, institutions should evaluate whether their existing policies, procedures, and controls adequately address those risks. Where gaps or weaknesses exist, remediation plans must follow.
Third, the guidance introduces a continuous monitoring expectation. Institutions are expected to maintain processes to monitor emerging PF typologies, new actors, and evolving sanctions regimes. The guidance indicates increasing supervisory focus on dynamic and risk-responsive review mechanisms.
For compliance teams, this means traditional AML systems may need upgrades. Effective CPF compliance requires enhanced entity resolution, network analysis capabilities, and the ability to integrate geopolitical intelligence into screening workflows.
Trade-based money laundering: Breaking down compliance silos
Trade-based money laundering (TBML) remains one of the most difficult financial crime typologies to detect. The CBUAE’s updated guidance provides a structured framework that addresses this challenge directly.
The guidance focuses on helping institutions understand money laundering, terrorism financing, and proliferation financing risks embedded in trade and transshipment activities. This is particularly relevant for the UAE, where cross-border trade volumes are substantial and the country serves as a major transshipment hub.
Key expectations include identifying risks within trade finance portfolios, monitoring trade anomalies and misinvoicing patterns, and strengthening controls around transshipment activities. Institutions should record and retain trade-related documents in a structured database that supports both record-keeping obligations and suspicious transaction reporting.
The practical challenge here is significant. TBML detection requires compliance teams to work alongside trade finance units, operations teams, and relationship managers. The guidance effectively calls for breaking down the traditional separation between compliance functions and core business operations.
Institutions involved in trade finance, supply chain financing, and import-export facilitation should treat this as a priority. Institutions should consider filing a Suspicious Transaction Report (STR) where transactions or funds appear suspicious or linked to potential TBML activity.
Correspondent banking: Active risk ownership required
Correspondent banking has long been flagged as a high-risk channel for financial crime. The CBUAE AML guidance 2026 package reinforces and expands the compliance expectations for institutions providing or using these services.
The guidance highlights the importance of enhanced due diligence on respondent banks, clear risk-based policies and procedures tailored to correspondent relationships, and ongoing transaction monitoring aligned with each relationship’s specific risk profile.
What stands out in this update is the emphasis on active risk ownership. Regulators expect institutions to demonstrate that they assess and manage correspondent banking risks independently, rather than relying primarily on the controls maintained by their counterparties. Institutions are expected to assess their inherent exposure to proliferation financing risks.
For institutions with extensive correspondent networks, this will likely require more granular risk assessments for each relationship, regular reassessments as risk profiles evolve, and documented evidence of independent oversight.
Customer due diligence: From onboarding exercise to continuous process
The updated CDD and KYC guidance clarifies expectations that many compliance professionals already suspected were coming. Customer due diligence is no longer a one-time onboarding task. The CBUAE now explicitly frames it as a continuous process that spans the entire customer lifecycle.
The guidance covers three dimensions. First, identity verification should follow documented risk-based procedures at onboarding and throughout the relationship. Second, institutions must apply risk-based decisions about whether simplified or enhanced due diligence applies to each customer. Third, the guidance provides additional clarity regarding customer data and documentation retention expectations.
The underlying message is that customer risk profiles are not static. As customers’ activities, transaction patterns, and circumstances change, so must the level of due diligence applied to them. Institutions that rely solely on onboarding checks without ongoing review may face increased supervisory attention.
For practical implementation, this means compliance teams need systems that flag material changes in customer behaviour or profile, trigger review workflows when risk indicators shift, and maintain complete, accessible records that demonstrate ongoing diligence.
Best practices: risk assessment and role-based training
Beyond the four guidance documents, the CBUAE also released two best practice manuals that deserve close attention.
The first manual addresses risk-based institutional risk assessments. Institutions must develop structured methodologies for assessing money laundering, terrorism financing, and proliferation financing risks at the institutional level. Controls should be proportionate to the scale and nature of identified risks, and risk models must be updated regularly based on emerging threats.
The second manual focuses on role-based AML/CFT/CPF training. The guidance indicates increasing supervisory emphasis on role-specific AML/CFT/CPF training. Institutions are encouraged to align AML/CFT/CPF training with specific functional roles and responsibilities.
This training guidance reflects a growing regulatory consensus globally. Human intelligence remains a critical layer in detecting complex typologies, particularly TBML and proliferation financing schemes that automated systems may not catch on their own.
How this fits the bigger regulatory picture
The CBUAE AML guidance 2026 update does not exist in isolation. Globally, regulators are moving in the same direction. The Financial Action Task Force (FATF) continues to push for effectiveness-based evaluations rather than technical compliance checklists. The EU’s new Anti-Money Laundering Authority (AMLA) is developing harmonised CDD standards through its own regulatory consultations. In the United States, FinCEN recently proposed sweeping reforms to BSA compliance requirements that similarly prioritise measurable program effectiveness.
The UAE’s approach aligns closely with these international trends. Institutions operating across multiple jurisdictions will recognise familiar themes: risk-based resource allocation, technology-enabled monitoring, continuous customer assessment, and documented evidence of program effectiveness.
For firms with operations in the UAE and other jurisdictions, the convergence creates an opportunity. Building compliance frameworks that satisfy the CBUAE’s updated expectations will put institutions in a stronger position to meet regulatory requirements elsewhere.
Practical steps for your compliance team
Institutions should consider taking practical steps to assess alignment with the updated guidance. Here are the priority areas to address.
Start with a gap assessment. Compare your current AML/CFT/CPF controls against each of the four guidance documents. Pay particular attention to proliferation financing, where many institutions currently have limited frameworks in place.
Review your risk assessment methodology. Confirm it appropriately addresses the risk dimensions highlighted in the updated guidance: products, services, customers, geographies, trade activities, and correspondent relationships. Update it to incorporate emerging typologies and align with the UAE’s National Risk Assessment.
Evaluate your technology stack. The shift toward continuous monitoring, dynamic CDD, and TBML detection may require investment in AI-driven transaction monitoring, entity resolution tools, and enhanced screening capabilities.
Redesign your training programme. Map each role in your organisation to the specific AML/CFT/CPF knowledge and skills it requires. Build training modules that address real-world scenarios and current typologies rather than generic regulatory overviews.
Document everything. The emphasis on effectiveness means regulators will want to see evidence that your programme works, not just that it exists. Maintain records of risk assessments, CDD reviews, training completion, and remediation actions.
Key takeaways
The CBUAE’s April 2026 guidance package raises the compliance bar for every licensed financial institution and registered hawala provider in the UAE. Proliferation financing has moved from the margins to the centre of regulatory expectations. Institutions are increasingly expected to integrate TBML controls with broader business operations. Correspondent banking oversight requires independent risk ownership. The guidance reinforces the importance of ongoing customer due diligence throughout the customer lifecycle.
The guidance documents should be read alongside the UAE’s broader AML/CFT legislative and regulatory framework, including Federal Decree Law No. 20 of 2018, its implementing regulations, and applicable CBUAE regulations and notices.
Institutions that adapt quickly will meet supervisory expectations and strengthen their defences against genuine financial crime risks. Those that treat this as another document to file will find themselves exposed during examinations.
If you need support with gap assessments, risk framework design, CPF programme development, or AML training, book a free consultation with the Compliance7 team.
This article is for informational purposes only and does not constitute legal or regulatory advice. For guidance specific to your business, consult a qualified compliance professional.
