Introduction: Why Every DNFBP in the UAE Must Master AML/TF Risk Assessment
For Designated Non-Financial Businesses and Professions (DNFBPs) in the UAE, conducting a thorough Money Laundering and Terrorism Financing (ML/TF) Risk Assessment and Enterprise-Wide Risk Assessment (EWRA) is not just best practice—it is a non-negotiable legal requirement under Cabinet Decision No. 10 of 2019.
Real estate firms, gold and jewellery dealers, accounting practices, law firms, and corporate service providers are all DNFBPs. Each must demonstrate a risk-based approach (RBA) that identifies, evaluates, and mitigates ML/TF risks as required by Federal Decree Law No. 20 of 2018 on AML/CFT and Ministry of Economy (MOE) AML Guidelines.
At ProAct Chartered Accountants, we help DNFBPs stay compliant with our 4-Layer EWRA Framework and compliance dashboards to align with the latest 2025 regulations.
What is an Enterprise-Wide Risk Assessment (EWRA)?
An Enterprise-Wide Risk Assessment (EWRA) is a systematic process used by DNFBPs to identify, assess, and mitigate money laundering and terrorism financing risks across their entire business.
A proper EWRA ensures that compliance controls are proportionate to the level of risk exposure, as mandated under Cabinet Decision No. 10 of 2019 and Federal Decree Law No. 20 of 2018.
How DNFBPs Conduct a Proper ML/TF Risk Assessment and EWRA in the UAE
A DNFBP in the UAE conducts a compliant ML/TF Risk Assessment and EWRA through four essential steps, aligned with Cabinet Decision No. 10 of 2019:
- Identify the Risk Universe: Classify potential ML/TF risks across four pillars—Customer, Product/Service, Geographic, and Delivery Channel.
- Assign Risk Weights & Scoring: Quantify the inherent risk using a scoring matrix (typically 1–5 scale).
- Evaluate & Document Residual Risk: Determine residual risk by subtracting the effectiveness of existing controls from inherent risk.
- Approve & Monitor: Have senior management and the MLRO approve the assessment, review it at least annually, and update after any regulatory or business changes.
The Mandatory DNFBP EWRA Framework in the UAE
An EWRA is the foundation of every AML/CFT compliance program. It integrates insights from your business, customers, and transactions to identify ML/TF threats before they occur.
Legal Basis
- Federal Decree Law No. 20 of 2018 on AML/CFT
- Cabinet Decision No. 10 of 2019 (Implementing Regulation)
- UAE National Risk Assessment
- FATF Recommendations
The ProAct 4-Layer EWRA Framework
ProAct’s proprietary 4-Layer Framework ensures depth, structure, and defensibility during inspections.
| Layer | Focus Area | Purpose |
|---|---|---|
| 1 | Data Collection & Profiling | Collect client data, business activity profiles, and transaction patterns. |
| 2 | Risk Identification | Identify inherent ML/TF risks across all business lines. |
| 3 | Risk Scoring & Evaluation | Score each factor (1–5) and assign overall inherent risk levels. |
| 4 | Mitigation & Monitoring | Apply internal controls and schedule periodic reviews. |
ProAct’s Step-by-Step ML/TF Risk Assessment Process for DNFBPs
Step 1: Identify Risk Categories
Categorize all ML/TF risks under:
- Customer Risk: PEPs, high-net-worth clients, offshore entities.
- Product/Service Risk: Real estate, gold, formation services.
- Geographic Risk: FATF-listed or high-corruption jurisdictions.
- Delivery Channel Risk: Non-face-to-face clients or agents.
Step 2: Assign Risk Weights & Scoring
Example shown below:
| Risk Factor | Low (1) | Medium (3) | High (5) |
|---|---|---|---|
| Customer Type | UAE resident individual | SME | PEP/offshore entity |
| Geography | UAE | GCC | FATF-listed country |
| Channel | Face-to-face | Online | Third-party intermediary |
Step 3: Evaluate Residual Risk
Residual Risk = Inherent Risk – Control Effectiveness
Controls include:
- Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD)
- Sanctions Screening
- AML Staff Training
- Transaction Monitoring
Each risk rating should be justified with documented evidence.
Step 4: Approve, Implement & Review
- Obtain senior management & MLRO approval.
- Review annually or upon regulatory updates.
- Retain EWRA documents for seven years, per MOE AML guidelines.
Real Example: Jewellery DNFBP Case Study (DPMS – Dubai)
Scenario:
A gold retailer in Dubai’s Gold Souk handles large cash sales from international customers.
Identified Risks:
- Cash-intensive operations.
- Clients from FATF-flagged countries.
- Weak beneficial ownership data.
ProAct Solution:
- goAML registration & STR / DPMSR workflow setup.
- Automated client screening and periodic risk review.
- Implementation of EDD for high-risk clients.
Result:
Risk downgraded from High to Medium after the control process was applied.
Common EWRA Mistakes DNFBPs Make
❌ Using generic, copy-paste EWRA templates.
❌ Ignoring non-financial risk (e.g., sanctions, reputational).
❌ No management sign-off or update schedule.
❌ Failing to link EWRA with CDD/EDD frameworks.
ProAct Fix:
Our experts customize EWRA to your operations—ensuring compliance, accuracy, and traceability in audits.
ProAct’s AML Support Suite for DNFBPs
- 4-Layer Review System – Ensures comprehensive control coverage.
- AML Grievance Assistance – Respond to MOE inspection queries seamlessly.
- Custom EWRA Documentation – MOE-ready templates & scoring sheets.
- AML Training & Certification – Mandatory staff and MLRO programs.
- Coverage: Across the UAE, including Dubai, Abu Dhabi, Sharjah, IFZA, DMCC, JAFZA, RAKEZ.
Key Takeaways
- EWRA is legally mandatory for all DNFBPs under UAE AML law.
- Use the four-pillar risk framework (Customer, Product, Geography, Channel).
- Update EWRA annually or upon any major change.
- Ensure management approval and documented scoring methodology.
- Partner with ProAct Chartered Accountants for MOE-compliant AML implementation.
Frequently Asked Questions (FAQs)
What is an Enterprise-Wide Risk Assessment (EWRA)?
An EWRA is a comprehensive review of all money-laundering and terrorism-financing risks faced by a DNFBP at an organizational level.
Is EWRA mandatory for all DNFBPs in the UAE?
Yes. Cabinet Decision No. 10 of 2019 and MOE guidelines require all DNFBPs to perform an annual EWRA.
How often should the EWRA be updated?
At least once per year or whenever there is a significant change in products, services, or clients.
What is the difference between ML/TF Risk Assessment and EWRA?
An ML/TF Risk Assessment can be departmental; EWRA is enterprise-wide and aggregates all risks across the business.
Who approves the EWRA?
Senior management and the MLRO must review and approve the final EWRA report.
What factors are included in EWRA?
Customer, Product/Service, Geography, Delivery Channel, and Regulatory Factors.
What are the penalties for non-compliance?
Fines can range from AED 50,000 to AED 5 million and may include license suspension.
Does EWRA apply to small DNFBPs?
Yes. The scope is proportionate and risk-based, but the EWRA is still mandatory.
What is the role of the MLRO in EWRA?
The MLRO oversees risk assessment, validation of scoring, and submission to MOE when requested.
Can ProAct assist with EWRA template creation?
Yes — ProAct provides custom MOE-aligned EWRA templates.
What data is required for risk assessment?
Client lists, transactions, geographies, and delivery channel details over the past 12 months.
Is there a link between EWRA and CDD policies?
Yes — EWRA outcomes should guide CDD and EDD levels.
Do I need a consultant for EWRA?
While you can do it internally, consultants like ProAct ensure regulatory accuracy and defensible documentation.
How does technology help EWRA?
AI tools reduce manual errors, improve data analytics, and enhance reporting accuracy.
What is a residual risk score?
It shows the remaining risk after existing controls are applied.
What is the MOE’s expectation for EWRA format?
It must be structured, dated, signed, and kept for 7 years.
Should DNFBPs include third-party risks?
Yes — especially if agents or suppliers handle client money or transactions.
How do you score risk objectively?
Use a quantitative matrix (1–5) for each factor and aggregate overall risk.
Can EWRA be outsourced to ProAct?
Absolutely — ProAct offers turnkey EWRA implementation and training packages.
How can I get started?
Contact ProAct for a free consultation and custom quote today.
About ProAct Chartered Accountants
ProAct Chartered Accountants is a UAE-based advisory firm providing Auditing, Accounting, AML Compliance, Corporate Tax, and Business Setup services.
We serve clients across Dubai, Abu Dhabi, and Sharjah, with deep expertise in DNFBP compliance across DMCC, IFZA, JAFZA, and RAKEZ.
Disclaimer
This article is for informational purposes only and should not be considered legal advice. For customized AML/EWRA implementation support, contact ProAct Chartered Accountants.