AML Risk Assessment UAE – Last Updated: June 2026

Article about AML Risk Assessment UAE : – Reviewed by: Abraham, Senior Chartered Accountant at ProAct — Expert in Auditing, Accounting, Corporate Tax, VAT, AML, UAE Company Formation & Free Zone Compliance.

As of 2025–2026, the UAE’s anti-money laundering enforcement landscape has changed fundamentally — and not in a quiet, gradual way. Federal Decree-Law No. 10 of 2025 came into force on 14 October 2025, replacing the entire AML/CFT legal framework that businesses had operated under since 2018. The Ministry of Economy and Tourism issued sector-specific guidance for independent accountants and auditors as recently as April 2026. If you run a business in Dubai, Abu Dhabi, or any UAE free zone and you haven’t reviewed your AML risk assessment this year, you’re already behind.

Here’s a question worth sitting with for a moment: if a Ministry of Economy inspector walked into your office tomorrow and asked to see your documented AML business risk assessment, could you hand one over — one that reflects your actual clients, current services, and transaction volumes — or would you be reaching for a template that hasn’t been touched since you registered? We’ve seen the second scenario play out many times, and the consequences are never minor.

ProAct Chartered Accountants is a UAE-based financial advisory firm specialising in accounting, corporate tax, auditing, VAT compliance, AML compliance, and business setup services — supporting businesses across Dubai, Abu Dhabi, and all UAE free zones including DMCC (Dubai Multi Commodities Centre), JAFZA, Meydan, RAKEZ and IFZA. This guide covers everything your business needs to know about the AML risk assessment UAE requirement, who is affected, what the law now demands, and how to get compliant before an inspection finds you first. You can also explore our AML Compliance Services for a full picture of how we support businesses.

An AML risk assessment UAE is a documented, structured analysis that every regulated business must produce to identify, rate, and manage its exposure to money laundering, terrorist financing, and proliferation financing risks. Under Federal Decree-Law No. 10 of 2025, the requirement applies to financial institutions, DNFBPs, and virtual asset service providers. Failure to maintain a current, business-specific assessment carries administrative fines starting at AED 50,000.

What Is an AML Risk Assessment? (كيف يعمل تقييم مخاطر غسل الأموال؟ / Что такое оценка рисков ПОД?)

An AML risk assessment is the structured process through which a regulated business identifies, evaluates, and documents its exposure to money laundering and terrorist financing risks. In the UAE context, this means the assessment is not a theoretical exercise — it must reflect your actual client base, service lines, transaction patterns, and geographic exposures. It applies to financial institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and virtual asset service providers operating in any UAE jurisdiction including mainland, free zones, and offshore.

AML Business Risk Assessment (تقييم مخاطر الأعمال لمكافحة غسل الأموال / Оценка бизнес-рисков ПОД) is a written, documented analysis of the money laundering, terrorist financing, and proliferation financing risks specific to a regulated entity. In the UAE context, this means the assessment must be aligned with the UAE National Risk Assessment 2024 findings and updated whenever business circumstances materially change. It applies to all businesses regulated under Federal Decree-Law No. 10 of 2025, including accounting firms, real estate brokers, corporate service providers, precious metals dealers, and financial institutions.

A business risk assessment is not the same as a customer risk assessment, though the two are closely linked. Your business-wide assessment sets the risk appetite and tolerance thresholds that then flow down into how you screen individual clients and transactions. Get the business-level document wrong, and every other part of your AML programme sits on unstable ground.

An AML risk assessment in the UAE must be documented, entity-specific, and aligned with the UAE National Risk Assessment 2024 — generic templates copied from the internet are not compliant and are actively flagged by Ministry of Economy inspectors.

Who Is Required to Conduct an AML Risk Assessment in the UAE?

The Central Bank of UAE (CBUAE), and the Ministry of Economy and Tourism (MoET) each supervise different categories of regulated entities, and every supervised business must maintain a current AML risk assessment. Understanding which regulator supervises your firm is the first step.

DNFBP (Designated Non-Financial Business or Profession — الأعمال والمهن غير المالية المحددة) is a category of regulated entity defined by UAE law as presenting elevated money laundering risk despite not being a bank or financial institution. In the UAE context, this means accountants, auditors, real estate agents and brokers, corporate service providers, lawyers, notaries, and dealers in precious metals and stones are all subject to full AML compliance requirements. It applies to businesses operating across all UAE jurisdictions — mainland, free zones, and offshore — and is regulated primarily by the Ministry of Economy and Tourism.

If you’re running an accounting firm, corporate service company, or real estate business in a UAE free zone, the obligation is identical to mainland businesses — your AML risk assessment requirement does not diminish because you operate within DMCC, JAFZA, RAKEZ, Meydan or IFZA. The federal law applies in every jurisdiction without exception.

The Ministry of Economy and Tourism (MoET) is the designated AML/CFT supervisory authority for DNFBPs operating in UAE mainland and commercial free zones. DNFBPs include independent accountants and auditors, real estate brokers and agents, corporate service providers, lawyers and notaries, and dealers in precious metals and stones. The Central Bank of UAE (CBUAE) regulates banks, exchange houses, insurance companies, and licensed financial intermediaries. The Securities and Commodities Authority (SCA) oversees investment managers and broker-dealers, while the Virtual Assets Regulatory Authority (VARA) supervises virtual asset service providers in Dubai.

DMCC (Dubai Multi Commodities Centre), regulated by the Dubai government, requires all member companies that fall within DNFBP categories to maintain AML compliance programmes, including documented risk assessments. JAFZA, Meydan, Rakez and IFZA member businesses in regulated categories face the same federal-level obligation, regardless of their free zone registration. The obligation is federal — no free zone exempts its members from UAE AML law.

“Abraham, our Senior Chartered Accountant, puts it directly to new clients: ‘The question is never whether you need an AML risk assessment — the law is unambiguous on that. The question is whether the one you have would survive fifteen minutes of inspector scrutiny. Most don’t, and that’s fixable — but only before the inspection notice arrives.'”

Every UAE accounting firm, real estate broker, corporate service provider, precious metals dealer, and financial institution must maintain a documented AML risk assessment — the obligation is federal and applies in all emirates and free zones without exception.

What Did Federal Decree-Law No. 10 of 2025 Change for AML Risk Assessments?

Businesses must now meet significantly higher standards than under the previous law. The Federal Decree-Law No. 10 of 2025 — which came into force on 14 October 2025 alongside Cabinet Resolution No. 134 of 2025 — replaced Federal Law No. 20 of 2018 in its entirety. The Federal Tax Authority, Ministry of Economy, and CBUAE enforce the new requirements across their respective supervised sectors.

The most significant change affecting risk assessments is the explicit requirement to incorporate proliferation financing (PF) risk — the risk that your business could be used to finance the development of weapons of mass destruction. The 2018 law focused primarily on money laundering and terrorist financing. The 2025 law adds proliferation financing as a named, standalone risk category that must appear in every regulated entity’s assessment. If your current risk assessment doesn’t address PF risk, it is incomplete under the new law.

The 2025 law also strengthened the requirement to align your business-level risk assessment with the UAE National Risk Assessment (NRA) findings. Following the release of the UAE NRA 2024, Circular No. (4) of 2025 required all supervised entities to read the NRA findings into their own assessments. As of Q1 2026, the Ministry of Economy and Tourism’s supplemental guidance for independent accountants and auditors (April 2026) makes clear that inspectors will specifically check whether the NRA’s high-risk findings for the accounting sector are reflected in the firm’s documented assessment. Non-profit organisations and certain legal arrangements such as trusts were also brought inside the regulatory perimeter by the 2025 law — an extension that catches many entities that previously operated outside formal AML oversight.

As of October 2025, every AML risk assessment in the UAE must address money laundering, terrorist financing, AND proliferation financing as distinct risk categories — assessments that omit proliferation financing are non-compliant under Federal Decree-Law No. 10 of 2025.

How Do You Conduct an AML Risk Assessment in the UAE? (Step by Step)

Conducting a compliant AML risk assessment in the UAE requires more than filling in a template. The assessment must be tailored to your business — and it must be defensible in front of an inspector who has reviewed hundreds of them. Here are the six steps every regulated entity needs to follow.

The 6 Steps to a Compliant AML Risk Assessment in the UAE

Time needed: 20 days

Steps to conduct a compliant AML risk assessment for a UAE-regulated business under Federal Decree-Law No. 10 of 2025.

  1. Read the UAE National Risk Assessment 2024.

    The Ministry of Economy published the NRA 2024 with a practical guide for DNFBPs. Your business assessment must explicitly reference the NRA’s findings that are relevant to your sector. Inspectors check for this cross-reference. The NRA identifies real estate, gold and precious metals, and professional services as sectors carrying elevated ML/TF risk in 2024–2025.

  2. Identify your inherent risk factors.

    Map your exposure across four dimensions: customer risk (who are your clients?), product and services risk (what do you offer?), transactional risk (what volumes, cash payments, cross-border flows do you process?), and geographic risk (do your clients operate in high-risk or sanctioned jurisdictions?). Each dimension must be assessed separately and then combined into an overall inherent risk rating.

  3. Assess your existing controls.

    Document the AML controls currently in place — CDD procedures, sanctions screening processes, STR filing workflows, staff training records, and monitoring systems. Rate the effectiveness of each control. A strong control environment reduces your inherent risk to arrive at a residual risk score.

  4. Produce a residual risk rating and risk appetite statement.

    Your residual risk is what remains after controls are applied. This rating drives your compliance programme — a high-risk firm needs more frequent monitoring, enhanced due diligence on clients, and more comprehensive staff training than a low-risk firm. Your risk appetite statement defines the types of clients and transactions your business will and will not accept.

  5. Document everything in a written assessment report.

    The report must be signed off by senior management or the AML Compliance Officer. It must include the date of preparation, the methodology used, the data sources consulted (including the NRA 2024), and a clear articulation of findings and planned remediation actions where gaps were identified.

  6. Schedule annual reviews and trigger-based updates.

    The Federal Decree-Law No. 10 of 2025 requires assessments to be updated at least annually and whenever material business changes occur — for example, launching a new service line, onboarding a significantly different client profile, or entering a new geographic market.

A compliant AML risk assessment in UAE must cover customer, product, transactional, and geographic risk dimensions — and must explicitly reference the UAE National Risk Assessment 2024 findings relevant to your industry sector.

AML Risk Assessment Requirements — DNFBPs vs. Financial Institutions in the UAE (2025–2026)
RequirementDNFBPs (Accountants, Real Estate, CSPs, DPMS)Financial Institutions (Banks, Exchange Houses, Insurers)
Supervising AuthorityMinistry of Economy and Tourism (MoET)Central Bank of UAE (CBUAE) / SCA
Legal BasisFederal Decree-Law No. 10 of 2025; Cabinet Resolution No. 134 of 2025Federal Decree-Law No. 10 of 2025; CBUAE AML/CFT Standards
Written Business Risk Assessment RequiredYes — mandatory, entity-specificYes — mandatory, includes group-wide risk view
Proliferation Financing (PF) Risk CategoryYes — must be addressed explicitly (2025 Law)Yes — must be addressed explicitly (2025 Law)
NRA 2024 Alignment RequiredYes — Circular No. (4) of 2025Yes — CBUAE supervisory guidance
goAML Platform RegistrationMandatory for STR/SAR and threshold reportingMandatory for STR/SAR and threshold reporting
Review FrequencyAnnual minimum; event-triggered updatesAnnual minimum; event-triggered updates
Minimum Record Retention5 years from end of business relationship5 years from end of business relationship

Source: Federal Decree-Law No. 10 of 2025; Cabinet Resolution No. 134 of 2025; MoET DNFBP Guidelines (September 2025); MoET Supplemental Guidance for Independent Accountants and Auditors (April 2026).

ProAct’s AML Risk Assessment Compliance Workflow
  1. Data Gathering: We collect your existing AML policies, client registers, transaction logs, current risk assessment (if any), and goAML platform history. We review your business activities, service lines, and geographic client footprint in detail.
  2. 4-Layer Review: We assess risk exposure across all four dimensions required by the MoET framework — customer, product/service, transactional, and geographic — benchmarked against the UAE NRA 2024 sector-specific findings for your industry.
  3. Issue Flagging: We produce a gap analysis report identifying every area where your current documentation is non-compliant, incomplete, or misaligned with Federal Decree-Law No. 10 of 2025 and the April 2026 guidance for your sector.
  4. Documentation & Filing: We draft your updated business risk assessment, align your AML policies and procedures, prepare your risk appetite statement, and ensure your goAML profile and reporting workflows are consistent with your documented risk profile.

Request an AML risk assessment review from ProAct before your next Ministry of Economy inspection. Our compliance team works with DNFBPs, financial businesses, and professional service firms across all UAE free zones and mainland jurisdictions. Contact ProAct today →

What Happens When You Contact ProAct About Your AML Risk Assessment?

We respond to every AML enquiry within 24 hours — no sales pitch, no generic proposal. Our first conversation with you is diagnostic: we ask about your business type, your regulator, your current documentation, and whether you have an upcoming inspection. From there, we tell you clearly what needs to change, what’s already compliant, and what a realistic timeline looks like. You leave that first conversation knowing exactly where you stand — not wondering whether you need to spend money.

ProAct Chartered Accountants provides AML risk assessment, compliance programme review, goAML registration, and inspection preparation services across mainland Dubai and all major UAE free zones, including DMCC, JAFZA, and IFZA.

Get your AML risk assessment reviewed by ProAct’s compliance team. We work with DNFBPs, accounting firms, real estate businesses, and corporate service providers across all UAE jurisdictions. Inspection notices move fast — your response should too. Request a compliance review →

Frequently Asked Questions: AML Risk Assessment UAE

What is an AML risk assessment and why is it required in the UAE?

An AML risk assessment is a documented, structured analysis of a business’s exposure to money laundering, terrorist financing, and proliferation financing risks. In the UAE, it is mandatory under Federal Decree-Law No. 10 of 2025 for all regulated businesses — including financial institutions, DNFBPs, and virtual asset service providers. The Federal Tax Authority, Central Bank of UAE (CBUAE), and Ministry of Economy and Tourism enforce this requirement across their respective regulated sectors. Failure to maintain a current, entity-specific assessment carries administrative fines starting at AED 50,000 per violation.

How often does an AML risk assessment need to be updated in the UAE?

Businesses must review and update their AML risk assessment at least annually. The Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 also require event-triggered updates — any time there is a material change in your business, such as launching a new service, onboarding a significantly different client type, or expanding into a new geographic market. Assessments not updated to incorporate the UAE National Risk Assessment 2024 findings and the October 2025 legislative changes are currently non-compliant.

Which businesses in UAE must conduct an AML risk assessment?

All regulated entities under Federal Decree-Law No. 10 of 2025 must conduct a documented AML risk assessment. This includes banks, exchange houses, and insurers regulated by the CBUAE; accountants, auditors, real estate agents, corporate service providers, and precious metals dealers (DNFBPs) supervised by the Ministry of Economy and Tourism; investment firms regulated by the SCA; and virtual asset service providers regulated by VARA. The obligation applies in all UAE jurisdictions — mainland, free zones, and offshore — without exception.

What happens during a Ministry of Economy AML inspection in the UAE?

Ministry of Economy inspectors review the business’s written AML risk assessment, CDD files for a sample of clients, goAML registration and filing history, staff training records, and AML policies and procedures. Inspectors cross-check whether the risk assessment reflects actual client and transaction data — not just stated policy — and specifically verify that the UAE National Risk Assessment 2024 findings have been incorporated. As of Q1 2026, inspectors also check that proliferation financing risk is addressed as a standalone category under the 2025 law.

Can a free zone company in UAE use a group-level AML risk assessment?

A group-level assessment can form part of the compliance framework, but it does not replace the requirement for a UAE-specific, entity-level AML risk assessment. Each UAE-regulated entity must produce its own documented assessment that reflects its specific client base, services, transactions, and geographic exposures in the UAE context. The Ministry of Economy and Tourism and CBUAE both require entity-level documentation. A group assessment prepared for a different jurisdiction is not sufficient on its own.

What are the goAML registration requirements for DNFBPs in the UAE?

All DNFBPs regulated by the Ministry of Economy and Tourism must be registered on the UAE Financial Intelligence Unit’s goAML platform. Registration is required before a business can submit Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), or threshold transaction reports. Operating as a DNFBP without goAML registration is a standalone AML violation. The goAML platform requires businesses to submit accurate, narrative-quality STRs — late or inaccurate submissions attract separate supervisory action from the FIU.

What are the penalties for AML non-compliance in the UAE in 2026?

Administrative fines under Federal Decree-Law No. 10 of 2025 range from AED 50,000 to AED 1,000,000 per violation, and multiple violations identified in a single inspection each attract a separate fine. Beyond fines, regulators may suspend or cancel licences, issue public regulatory notices, and refer egregious cases for criminal prosecution.


Disclaimer: This article is for general information purposes only and does not constitute formal financial, legal, or compliance advice. AML regulations in the UAE are subject to change and vary by business type and supervisory authority. Please consult a qualified compliance professional for advice specific to your business circumstances.

Author Bio:

Written By,