Article about UAE AML/CFT Law – Federal Decree-Law No. 10 of 2025 – Reviewed by: Abraham, Senior Chartered Accountant at ProAct – Expert in Auditing, Corporate Tax, VAT, AML, UAE Company Formation & Free Zone Compliance

1. What Is Federal Decree-Law No. 10 of 2025?

The UAE Federal Decree-Law No. 10 of 2025 is the country’s latest and most comprehensive law governing:

  • Anti-Money Laundering (AML)
  • Counter-Terrorism Financing (CTF)
  • Counter-Proliferation Financing (CPF)

It replaces and strengthens earlier AML laws and brings the UAE fully in line with FATF (Financial Action Task Force) global standards.

This law applies across:

  • ✅ Mainland UAE
  • ✅ All Free Zones (DMCC, IFZA, JAFZA, SPC, DIFC, etc.)
  • ✅ Offshore structures
  • ✅ Digital and virtual asset activity

Its key purpose is to prevent illegal funds from entering, moving within, or leaving the UAE financial system.

2. What Is New or Stronger Under the 2025 Law?

This is not just a small update. The 2025 law introduces three major upgrades:

✅ 1. Proliferation Financing Is Now Explicitly Covered

Earlier laws focused mainly on money laundering and terrorism financing. The 2025 law now also includes:

  • Financing of weapons of mass destruction
  • Dual-use trade (items that can be used for both civilian and military purposes)

Example:
A UAE trading company exports electronic components that can be used in weapons manufacturing. Even if the trade is legal, it now falls under proliferation-financing risk screening.

✅ 2. Virtual Assets Are Fully Recognised

The law now formally includes:

  • Crypto exchanges
  • Wallet providers
  • Token platforms
  • NFT marketplaces
  • Blockchain-based transfers

These are now treated similar to financial institutions for AML purposes.

Virtual Asset activity requires licensing/registration with the competent authority. Unlicensed VASP activity is a specific criminal offence. Anonymity‑enhanced or non‑traceable virtual assets are restricted and firms must avoid anonymous or fictitious accounts and wallets.

Example:
A crypto exchange in DMCC must:

  • Verify customer identity (KYC)
  • Monitor transactions
  • Report suspicious crypto transfers just like a bank

✅ 3. Wider Definition of “Proceeds of Crime”

Money laundering is now linked not only to drugs, fraud, or trafficking — but also to:

  • Tax evasion
  • Sanctions breaches
  • Serious regulatory crimes
  • Cross-border financial manipulation

This means dirty money is not limited to criminal gangs anymore — it can also come from sophisticated corporate offences.

3. Who Is Legally Required to Follow the AML Law?

This is where many create confusion.
Not every business is automatically a “regulated AML entity.”

The law applies directly and mandatorily to the following categories:

✅ 1. Financial Institutions (FIs)

  • Banks
  • Exchange houses
  • Payment service providers
  • Finance companies
  • Insurance companies
  • Investment firms

✅ 2. DNFBPs – Designated Non-Financial Businesses & Professions

These are non-bank businesses that still handle high-value transactions:

  • Real estate brokers & developers
  • Gold & precious metal traders
  • Auditors & accounting firms
  • Corporate service providers
  • Trust & nominee providers
  • Lawyers involved in financial transactions

✅ 3. Virtual Asset Service Providers (VASPs)

  • Crypto exchanges
  • Custody wallets
  • Crypto brokers
  • Token issuance platforms

✅ 4. Non-Profit Organisations (NPOs) With Risk Exposure

Some charities and associations fall under AML supervision where cross-border funding risks exist.

4. What About “Normal” Trading, Logistics, or Consulting Companies?

This is where many misunderstandings happen.

Not every company is supervised as an FI, DNFBP, VASP or NPO, but many trading, logistics, manufacturing and service businesses can fall within scope depending on their activities (e.g., dealing in precious metals, corporate services, virtual assets, gaming, etc.).

However…

They still become “AML-sensitive” under the UAE’s risk-based banking framework.

This means:

  • ✅ Their banks will apply enhanced due diligence
  • ✅ Large international payments will be screened
  • ✅ Source of funds and business justification may be requested
  • ✅ Transactions may be delayed or frozen
  • ✅ STRs (Suspicious Transaction Reports) may be filed by the bank

Any business that conducts cross‑border transactions or operates in high‑risk trade or digital‑asset sectors may be treated as high‑risk by banks and supervisors and therefore subject to enhanced due diligence and possible reporting, even if it is not itself licensed as an FI, DNFBP, VASP or NPO.

Businesses that are not clearly classified as FIs, DNFBPs, VASPs or specified NPOs may still attract direct or indirect AML/CPF obligations under sectoral rules and will definitely face enhanced scrutiny from banks and regulators where their risk profile is high.

✅ Practical Example

Business TypeDirectly Regulated by AML Law?Bank AML Scrutiny?
Grocery shop❌ No✅ Low
Local IT services firm❌ No✅ Medium
International gold trader✅ Yes (DNFBP)✅ Very High
Crypto exchange✅ Yes (VASP)✅ Very High
Import-export trading company❌ Usually No (unless it performs regulated activities such as dealing in precious metals/stones or corporate services)✅ High
5. What Are Businesses Legally Required to Do Under the Law?

For regulated entities (FIs, DNFBPs, VASPs), the obligations are mandatory and enforceable:

✅ Core AML Obligations

  1. Enterprise-Wide Risk Assessment (EWRA)
  2. Customer Due Diligence (KYC, CDD, EDD)
  3. Ultimate Beneficial Owner (UBO) verification
  4. Ongoing transaction monitoring
  5. Suspicious Transaction Reporting (STR) via GoAML
  6. AML policy & internal controls
  7. Staff AML training
  8. Independent AML audit
  9. Record retention
  10. Regulatory inspection readiness

Failure to implement these is a direct legal violation, not just a best practice issue.

For regulated entities, there is now an explicit obligation to implement a documented risk‑based approach and to execute targeted financial sanctions (TFS) screening in line with UN and UAE lists. STRs must be filed without delay and regardless of the transaction amount when suspicion exists.

6. Penalties Under the 2025 Law

The law introduces strict civil and criminal penalties:

✅ Administrative Fines

  • Administrative and criminal fines can reach very high multi‑million‑dirham levels, in serious cases up to AED 100 million in addition to imprisonment for individuals, travel bans, and confiscation. Natural persons can face fines up to AED 10 million or amounts linked to the value of the criminal property, plus imprisonment. Legal persons can face fines between AED 5 million and AED 100 million, or amounts linked to the criminal property, and may be dissolved or closed in FT/PF cases.
  • Authorities and the FIU can now suspend transactions and freeze assets for up to 30 days (extendable), which is a material strengthening compared with the old regime.
  • There is no limitation period for AML/CTF/CPF offences under the new law, which significantly extends enforcement risk over time.

✅ Criminal Liability

  • Senior management can face:
    • Personal prosecution
    • Travel bans
    • Asset freezing
    • Imprisonment in extreme cases

✅ License Consequences

  • Suspension
  • Cancellation
  • Banking blacklisting
7. Other important points from the law.
  • Mandatory disclosure at the border: Article 10 requires any person entering or leaving the UAE to disclose cash, bearer negotiable instruments, precious metals or stones in line with the disclosure system.​
  • Scope of STR obligation: Article 18 requires STRs “regardless of their value” and “without delay”
  • Ban on anonymous/fictitious accounts: Article 19(1)(c) expressly prohibits anonymous, fictitious, alias or numbered accounts or transactions;
  • Licensing prohibition: Article 20 clearly criminalises operating FI/DNFBP/VASP activities without license or registration;
  • Tipping‑off offence: Article 29 criminalises disclosure that a STR or investigation is underway (tipping‑off);
  • Virtual assets with total anonymity: Article 30(2) makes dealing in virtual assets “characterized by total anonymity” or that prevent tracing a punishable offence;
8. What the Law Means in Real Business Situations

✅ Example 1 – Real Estate Broker

A real estate brokerage fails to document the source of funds of a foreign buyer.
This is a direct AML violation under DNFBP rules.

✅ Example 2 – Trading Company With Global Clients

A trading company frequently receives USD payments from sanctioned-risk regions.
– The company is not regulated directly
– But the bank will flag, investigate, and may freeze funds

✅ Example 3 – Crypto Firm

A crypto exchange allows anonymous wallets without verification.
This is a major criminal AML breach

9. What Businesses Must Do Now (Action Plan)

✅ If You Are a Regulated Entity (FI, DNFBP, VASP)

You must immediately:

  • Implement full AML framework
  • Register with GoAML
  • Train staff
  • Conduct annual AML audit
  • Appoint a compliance officer

✅ If You Are a Normal Trading or Service Company

You should:

  • Maintain strong accounting records
  • Keep proper contracts & invoices
  • Justify all international transfers
  • Maintain UBO and ownership clarity
  • Be prepared for bank AML reviews
10. Why Professional AML Support Is Now Critical

The 2025 law is highly technical and enforcement-focused. Most SMEs:

  • Do not have in-house AML expertise
  • Do not track STR thresholds
  • Do not understand EWRA methodology
  • Do not know how inspections are conducted

This is why professional AML advisory is now a risk-control necessity, not a luxury.

✅ Final Key Takeaways
  • ✅ The 2025 law strengthens AML, CTF, and adds CPF
  • FIs, DNFBPs, VASPs, and certain NPOs are directly regulated
  • ✅ Other businesses are affected through bank-driven risk scrutiny
  • ✅ Crypto, real estate, gold, and cross-border trade face the highest risk
  • ✅ Penalties now include multi-million dirham fines and criminal liability
  • ✅ Early compliance protects banking, licensing, and reputation
Frequently Asked Questions (FAQs)
  1. What is UAE Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering and Counter-Terrorism Financing?
    It is the UAE’s most comprehensive law regulating AML, CTF, and counter-proliferation financing, replacing the 2018 law and aligning the country with FATF global standards.
  2. When did the new UAE AML/CFT Law (Federal Decree-Law 10 of 2025) come into force and which law did it replace?
    It came into effect in 2025, repealing Federal Decree-Law No. 20 of 2018, strengthening AML/CFT rules nationwide.
  3. Which businesses in the UAE are directly regulated under Federal Decree-Law 10 of 2025?
    Financial institutions, designated non-financial businesses and professions (DNFBPs), virtual asset service providers (VASPs), and some non-profit organisations (NPOs) with cross-border funding risks.
  4. How does the 2025 UAE AML law define “money laundering” and what has changed?
    Money laundering includes concealing illicit origins of funds connected to a wider range of crimes including tax evasion and sanctions breaches, extending beyond traditional criminal offences.
  5. What is “proliferation financing” under UAE Federal Decree-Law 10 of 2025?
    It involves financing weapons of mass destruction, dual-use goods, and related illicit trade, with specific obligations on entities involved in such transactions to screen and report risks.
  6. How does the new UAE AML law treat virtual assets and virtual asset service providers (VASPs)?
    VASPs like crypto exchanges must be licensed, conduct full KYC, monitor transactions, and report suspicious activity. Unlicensed activity is a criminal offense.
  7. What counts as “criminal property” or “proceeds of crime” under the 2025 UAE AML/CFT framework?
    It includes assets of any form derived from any predicate offence, including profits, privileges, or economic interests tied to illegal activities.
  8. Are normal trading, logistics or consulting companies subject to UAE AML/CFT obligations?
    They are not directly regulated unless engaging in specified activities but face enhanced scrutiny by banks under the UAE’s risk-based framework.
  9. What customer due diligence steps are required under the UAE AML Law 10 of 2025?
    Entities must verify customer identity, beneficial ownership, purpose of business relationships, perform ongoing monitoring, and implement enhanced due diligence for higher-risk clients.
  10. When must a Suspicious Transaction Report (STR) be filed, and what are tipping-off risks?
    STRs must be filed without delay regardless of amount when suspicious activity is detected. Disclosing such reporting or investigations is a criminal offense.
  11. What does the UAE AML Law say about anonymous or fictitious accounts and crypto wallets?
    Anonymous, fictitious, alias, or numbered accounts and wallets are prohibited to prevent misuse for money laundering or terrorism financing.
  12. What are the licensing and registration requirements for FIs, DNFBPs, and VASPs?
    They must obtain appropriate licenses or registrations from competent authorities before conducting regulated financial or virtual asset activities.
  13. What are the administrative fines and criminal penalties for breaching the UAE AML/CFT Law?
    Fines for natural persons reach up to AED 10 million; for legal entities, fines range between AED 5 million and AED 100 million, alongside imprisonment, travel bans, and possible business dissolution.
  14. What personal liabilities do senior management face under the 2025 UAE AML law?
    Senior officers can face personal prosecution, asset freezing, travel bans, and imprisonment for failure to comply with AML obligations.
  15. How long can the UAE FIU and prosecutors suspend transactions or freeze funds?
    Suspensions and freezes can last up to 30 days, with possible extensions, to prevent illicit fund movement while investigations proceed.
  16. Is there a limitation period for money laundering, terrorism financing, or proliferation financing offences?
    There is no limitation period; investigations and prosecutions can be initiated regardless of how much time has passed.
  17. What are the border cash and precious metal disclosure requirements?
    Any person entering or leaving the UAE must declare cash, bearer negotiable instruments, precious metals, or stones in compliance with federal disclosure systems.
  18. What internal AML policies and training are required?
    Regulated entities must maintain AML policies, train staff regularly, conduct independent AML audits, and keep detailed records for regulatory inspections.
  19. How does Federal Decree-Law 10 of 2025 affect international cooperation and asset recovery?
    It enhances the UAE’s ability to cooperate with foreign jurisdictions, freeze and confiscate criminal assets, and recover illicit funds under mutual legal assistance frameworks.
  20. What practical steps should UAE companies take now to comply with the new AML/CFT/CPF law?
    Implement comprehensive AML policies, register with GoAML for STR reporting, train employees, conduct risk assessments, maintain clear ownership records, and prepare for regulator and bank scrutiny.
⚠️ Disclaimer

This article is for general informational purposes only and does not constitute legal advice. AML obligations vary by activity and risk profile. You should always consult a qualified AML professional before implementing compliance measures.

Author Bio:

Written By,