How UAE Business Owners Can Self-Audit AML/CFT Controls Before an Inspection

Share
How UAE Business Owners Can Self-Audit AML/CFT Controls Before an Inspection
Photo by Markus Winkler / Unsplash

Many UAE business owners treat AML/CFT compliance as a setup task: prepare the policy, appoint a compliance officer, file the required documents, and move on. That is a risky assumption.

Recent enforcement shows the UAE’s regulators are actively examining firms and acting on the gaps they find. In June 2026, the Central Bank of the UAE (CBUAE) fined a branch of a foreign bank AED 20 million for repeated AML/CFT failures, and The National reported an additional AED 300,000 personal fine on the branch’s head of compliance. In May 2025, the CBUAE imposed a AED 200 million sanction on an exchange house. The regulator has also used suspensions, revocations, and bans in serious cases.

This guide offers a practical self-audit framework for UAE business owners and compliance leads, so you can identify weaknesses, document remediation, and reduce the chance of being caught unprepared.

The UAE’s current AML/CFT framework is built around Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, which replaced the earlier 2018 regime. The law’s scope covers financial institutions, designated non-financial businesses and professions (DNFBPs), virtual asset service providers (VASPs), and other persons and entities brought within its application.

Under that framework, administrative sanctions can range from a warning to an administrative fine of AED 10,000 to AED 5,000,000 per violation. Depending on the entity and the legal basis used, regulators may also impose stronger supervisory measures, including restrictions, suspensions, bans, and licence action. For CBUAE-licensed firms, enforcement can also arise under the Central Bank’s broader supervisory powers, which helps explain why some headline penalties are much larger than the standard administrative range under the AML law alone.

In April 2026, the CBUAE also issued a six-document AML/CFT/CPF guidance package for licensed financial institutions and registered hawala providers. It included four guidance documents and two best-practice manuals covering proliferation financing, trade-based money laundering and transshipment, correspondent banking, customer due diligence and record keeping, risk-based institutional assessments, and role-based training.

If your entity is licensed or supervised by the CBUAE, this is the framework your controls are being measured against.

What regulators actually look for

The CBUAE uses a risk-based supervisory approach. In practice, that means regulators are not only checking whether your business has AML/CFT documents on file. They want evidence that your framework works in day-to-day operations, reflects your actual risks, and is understood by staff.

In a self-audit, focus on the issues that most often create exposure:

  • Customer due diligence gaps: missing identification records, incomplete beneficial ownership details, weak source-of-funds support, or outdated customer files
  • Weak transaction monitoring: alerts are generated, but no one properly reviews, escalates, or documents the outcome
  • Poor suspicious reporting controls: internal escalation channels are unclear, or decisions not to file an STR are undocumented
  • Weak remediation discipline: earlier findings were noted but not fixed, or fixes were never evidenced
  • Generic training: staff complete training, but it is not tailored to the roles that actually carry AML/CFT risk

The self-audit framework: six control areas

Run this review before any scheduled or surprise inspection. Record the results in writing and keep the supporting documents.

1. Governance and accountability
Confirm that a qualified MLRO or Compliance Officer is formally appointed and that the role is supported with enough authority, independence, and access to decision-makers. The CBUAE’s joint guidance expects the compliance function to have direct access to the board or equivalent governing body and to operate without conflicts that undermine judgment. Also confirm that your AML/CFT policies and procedures have been formally approved by senior management and are kept current rather than left untouched after onboarding.

2. Business risk assessment (BRA)
Your business-wide risk assessment should reflect your actual products, customers, geographies, transaction patterns, delivery channels, and exposure to higher-risk sectors. If your business model changed, your BRA should have changed too. The April 2026 guidance package also makes clear that institutions are expected to think more seriously about proliferation financing, TBML, and related emerging risks where relevant.

3. Customer due diligence and onboarding records
Pull a sample of 10 to 15 client files across low-, medium-, and high-risk categories. Check whether each file includes verified identity information, beneficial ownership details where applicable, a documented risk rating, the rationale for that rating, and review dates. For higher-risk customers and PEPs, confirm that enhanced due diligence is documented and that the required management approval is visible on file.

4. Transaction monitoring
Review your monitoring logs for at least the last three to six months. You should be able to show that alerts were generated, reviewed by a named person, and either escalated or closed with clear reasoning. If your monitoring process relies heavily on manual review, test whether staff are applying the same standard consistently.

5. Suspicious transaction reporting (STR)
Check whether staff know how to escalate internal concerns and whether the MLRO can demonstrate how decisions were made. Review filed STRs and any internal cases that were not escalated to the FIU. For each non-filing decision, there should be a written justification. If you cannot show the reasoning, you may struggle to defend the decision later.

6. Training records
Confirm that all relevant staff received AML/CFT training within the last 12 months and that records are complete. More importantly, test whether the content matched the role. Front-line onboarding staff, operations staff, compliance teams, and senior management should not all be receiving the exact same generic session. The CBUAE’s April 2026 package specifically included best practices on role-based training.

After the audit: build a remediation log

A self-audit only matters if it leads to action. For each gap, create a remediation entry that includes:

  • the issue identified
  • the risk level
  • the responsible owner
  • the deadline
  • the current status
  • the evidence of completion

This becomes your compliance trail. If a regulator later identifies a weakness, it is far better to show that you identified it internally, assigned responsibility, and fixed it than to appear unaware of it.

A note on independent reviews

Do not assume that one standard applies to every UAE entity. For many CBUAE-regulated businesses, an independent audit or independent review function is part of the expected AML/CFT control framework. The exact requirement, timing, and scope depend on your licence type, rulebook section, and supervisory expectations. If you are unsure, check the rulebook and confirm the requirement for your specific sector before an inspection does it for you.

Pre-inspection checklist

Use this before a filing, a licence renewal process, or any inspection cycle:

  • MLRO or Compliance Officer formally appointed and documented
  • AML/CFT policies and procedures approved by senior management and kept current
  • Business Risk Assessment updated for current operations
  • CDD files complete, including beneficial ownership and enhanced due diligence where needed
  • Transaction monitoring alerts reviewed, documented, and resolved or escalated
  • STR escalation and filing records accessible and traceable
  • Role-based training completed and documented for relevant staff
  • Earlier findings remediated with evidence of closure
  • Independent review or audit requirement checked against your licence type

Key Takeaways

  • UAE AML/CFT enforcement is active, and recent penalties show that both firms and individual compliance function holders can face serious consequences for weak controls.
  • Federal Decree-Law No. 10 of 2025, Cabinet Resolution No. 134 of 2025, and the CBUAE’s April 2026 guidance package set the current compliance baseline for supervised firms.
  • A documented self-audit, followed by a clear remediation log, is one of the most practical ways to strengthen controls before an inspection.

Sources: Central Bank of the UAE – AML/CFT Supervision, Federal Decree-Law No. 10 of 2025 – CBUAE Rulebook, Cabinet Resolution No. 134 of 2025 – UAE FIU, CBUAE Updates AML/CFT/CPF Guidance for Licensed Financial Institutions, Joint Guidance on the AML/CFT/CPF Compliance Officer/MLRO Function, CBUAE Imposes a Financial Sanction of AED 200 million on an Exchange House, The National – UAE Central Bank fines foreign bank Dh20m for breaching money laundering rules


Disclaimer: This content is for educational and informational purposes only. It is not legal, financial, investment, cybersecurity, medical, business, career, or other professional advice. Verify important information with official sources or qualified professionals before acting.

Read more