UAE AML Law: Complete Guide to Federal Decree-Law No. 10 of 2025

Table of Contents

Federal UAE AML Law 2025 illustrating Federal Decree-Law No. 10 of 2025, UAE AML compliance framework, financial crime prevention, regulatory authorities, and AML obligations for businesses.

The UAE’s anti-money laundering landscape underwent its most significant transformation in years when Federal Decree-Law No. 10 of 2025 came into force. For compliance officers, MLROs, and senior management at regulated entities across the country, this is not an incremental update. It is a full overhaul that demands concrete changes to governance, operations, and technology. This guide breaks down what changed, who is affected, and what your organisation needs to do now.

What is the UAE AML Law?

The UAE AML Law is Federal Decree-Law No. 10 of 2025, governing anti-money laundering, counter-terrorist financing, and counter-proliferation financing obligations for financial institutions, DNFBPs, and VASPs.

The UAE’s anti-money laundering landscape underwent its most significant transformation in years when Federal Decree-Law No. 10 of 2025 came into force. For compliance officers, MLROs, and senior management at regulated entities across the country, this is not an incremental update. It is a full overhaul that demands concrete changes to governance, operations, and technology. This guide breaks down what changed, who is affected, and what your organisation needs to do now.

Overview of the New Federal AML Law in the UAE (2025)

Federal Decree-Law No. 10 of 2025 on combating money laundering crimes, combating financing of terrorism, and the financing of proliferation of weapons is the UAE’s new core AML law. The New AML Law came into effect on 14 October 2025, following publication in the Official Gazette on 30 September 2025. Federal Law No. 10 of 2025 replaces Federal Law No. 20 of 2018, which had served as the primary AML/CTF statute for seven years. Federal Law No. 10 of 2025 repeals the previous AML law in its entirety.

The law expands the AML CFT regulatory framework to explicitly cover proliferation financing, virtual assets, and digital systems including encryption technologies. The new law specifically covers proliferation financing and virtual assets, creating a unified federal decree law framework for combating financial crime.

Here is what changed at a glance:

  • Proliferation financing offences are now included in the New AML Law as standalone crimes

  • The legal threshold for establishing Principal Offences has been lowered to a “knew or should have known” standard

  • Predicate offences now include direct and indirect tax evasion

  • Enhanced penalties under the new law include fines up to AED 100 million and imprisonment

  • Virtual asset service providers are explicitly brought into the federal AML regime

Legislative Background and Key UAE AML Milestones

The UAE’s journey toward a comprehensive AML regime began decades ago. The Penal Code (federal law no. 3 of 1987) first criminalised possession and concealment of criminal proceeds. In 2002, Federal Law No. (4) became the country’s first dedicated anti money laundering statute. UAE Federal Law No. 20 of 2018 governs AML and CTF as the next major milestone, broadening scope to include terrorism financing and financing of illegal organisations.

The UAE’s AML framework includes Cabinet Decision No. 10 of 2019, which served as the executive regulations for the 2018 law, later updated by Cabinet Decision No. (24) of 2022 to align further with financial action task force recommendations. In 2024, Federal Decree-Law No. (7) established national coordination structures, including the National Committee for combating money laundering and the Higher Committee overseeing the UAE’s national strategy.

These cumulative reforms set the stage for the full overhaul enacted through federal decree law no. 10 of 2025.

Core Objectives and Scope of Federal Decree-Law No. 10 of 2025

The law’s overarching goals are preventing and detecting money laundering, terrorist financing, and proliferation financing while protecting the integrity of the UAE’s financial system and aligning with international best practices. The 2025 AML law enhances compliance obligations on regulated entities across every sector.

Offences covered include predicate offences (with a significant expansion of predicate offenses including tax evasion), money laundering, terrorism financing, proliferation financing, financing of illegal organisations, and attempts or complicity in any of these. The law applies to licensed financial institutions, designated non financial businesses and professions (DNFBPs such as real estate brokers, independent legal professionals, auditors, and precious metal dealers), and virtual asset service providers.

Main subject areas include:

  • Customer due diligence and beneficial ownership transparency

  • Record-keeping and documentation standards

  • Reporting suspicious transactions and attempted transactions

  • Targeted financial sanctions and UN security council resolutions compliance

  • Supervisory and law enforcement authorities’ powers

  • Virtual asset obligations including the virtual assets travel rule

Key Changes Compared to Federal Decree-Law No. 20 of 2018

The federal decree law replaces federal law No. 20 of 2018 with several material shifts. First, the explicit inclusion of proliferation financing-covering weapons of mass destruction, arms, and dual-use goods-creates standalone offences rather than relying on general “illegal organisations” provisions.

Second, the definition of funds and property now encompasses digital systems, virtual assets, and encryption technologies, reflecting the reality of modern financial crime.

Third, the mental element for money laundering crimes has shifted. The law now captures situations where someone “knew or should have known” that funds derived from criminal activity, lowering the evidentiary bar from the previous standard. Penalties for Principal Offences have significantly increased, with legal persons facing fines tied to the value of criminal property or up to AED 100 million.

Fourth, criminal liability extends to managers, directors, and beneficial owners of legal entities when violations occur with their knowledge or due to gross negligence. The law mandates stronger enforcement and personal liability for senior management.

Finally, the UAE Financial Intelligence Unit and law enforcement agencies receive expanded powers, including rapid freezing of funds for up to 30 days and broader information-sharing abilities with domestic and international counterparts.

Definitions: Regulated Entities, Reporting Entities, and Virtual Assets

Under the 2025 AML law, regulated entities and reporting entities encompass banks, exchange houses, insurers, securities brokers, real estate brokers, precious metal dealers, lawyers, company service providers, and VASPs. Any entity crossing multiple categories may face overlapping obligations.

Virtual assets are defined in line with UAE practice, including Dubai’s Law No. (4) of 2022, and are now formalised at the federal level. Virtual asset service providers must hold valid licences or registration under the relevant supervisory authority-VARA in Dubai, FSRA in ADGM, or DFSA in the Dubai International Financial Centre-and must comply with AML/CTF/CPF obligations identical to those of financial institutions. Unlicensed VASP activity is specifically criminalised.

These definitions impact business obligations in concrete ways:

  • Entities dealing in virtual assets must conduct AML name screening, enhanced due diligence, and sanctions screening at the same standard as banks

  • Beneficial ownership registers must be maintained and updated within fifteen working days of any change

  • Bearer shares and warrants must be converted to registered form under cabinet resolution no. 134 of 2025

Regulatory Framework and Institutional Roles

The main supervisory authorities implementing the federal decree law include the UAE Central Bank (CBUAE), the Securities and Commodities Authority, the DFSA in the Dubai International Financial Centre, the FSRA in ADGM, and the Ministry of Economy. The AML Module of the DFSA Rulebook outlines compliance requirements for relevant persons in that jurisdiction, and the DFSA requires annual AML returns from relevant persons by September.

Cabinet Decision No. 134 of 2025 serves as the implementing regulation for Law No. 10/2025, published 15 November 2025, effective 14 December 2025. This cabinet decision replaces Cabinet Decision No. 10 of 2019 and codifies detailed obligations for all reporting entities.

The National Committee for combating money laundering and the financing of terrorism and illegal organisations, chaired by the Governor of CBUAE, coordinates policy direction and the national strategy. It interacts with all supervisory authorities, law enforcement authorities, and the General Secretariat that operationalises strategy execution.

The UAE’s AML framework dovetails with sector-specific rules: the CBUAE Rulebook for AML/CFT applies to licensed financial institutions, while free zone regulators maintain their own modules aligned with the federal law. Entities operating in commercial free zones must comply with both federal and zone-level regulatory requirements.

Risk-Based Approach Under the 2025 Law

The 2025 law reinforces the risk based approach as the foundation of AML compliance. The risk-based approach is mandated for all relevant persons in the UAE, requiring entities to identify, assess, and mitigate risks of money laundering, terrorist financing, and proliferation financing across customers, products, channels, geographies, and emerging typologies.

The law requires firms to conduct robust Enterprise-Wide Risk Assessments and Customer Due Diligence. The UAE conducts sectoral and national risk assessments regularly, and entities must incorporate findings from the national risk assessment into their own frameworks. Senior management accountability is paramount-boards must approve risk assessments, set risk appetite, and ensure adequate resources.

Consider a UAE-based fintech offering virtual asset exchange services. Under the new law, it must expand its risk assessment to include proliferation risk, screen counterparties for dual-use goods exposure, apply enhanced due diligence to PEPs from high risk countries, and use blockchain analytics to detect suspicious patterns.

Key RBA steps:

  • Document enterprise-wide ML/TF/PF risk assessment including risks identified across all channels

  • Map customers, products, and geographies to risk categories

  • Apply proportionate diligence measures based on risk levels

  • Review and update risk assessments at least annually or upon material change

  • Ensure senior management sign-off and resource allocation

Customer Due Diligence and Enhanced Due Diligence Requirements

Standard CDD obligations require entities to identify and verify customers and beneficial owners, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring of financial transactions. Beneficial ownership transparency requirements under cabinet resolution no. 134 of 2025 mandate that companies maintain shareholder registers and declare beneficial owners to registrars.

Simplified CDD is permitted in lower-risk scenarios, but only with strict safeguards and documented rationale as defined in the executive regulations and relevant guidance from supervisory authorities.

Enhanced due diligence triggers include:

  • Transactions involving countries subject to FATF countermeasures or high risk countries

  • Politically exposed persons and their associates

  • Complex or opaque ownership structures

  • Virtual asset transactions and cross-border transfers

  • High-value or unusual transactions

  • Cross-border correspondent banking relationships

For banks, this means deeper source-of-funds verification for PEP customers. For DNFBPs such as real estate brokers, it means verifying beneficial ownership and source of funds for property transactions above thresholds. For VASPs, it means validating wallet ownership and applying the travel rule.

Obligations on Licensed Financial Institutions and Other Reporting Entities

All reporting entities must maintain internal AML/CFT/CPF policies and procedures, implement internal controls, and ensure independent testing. Regulated entities must enhance training and governance regarding AML policies. The Central Bank enforces AML compliance through systematic assessments, and the CBUAE monitors ML/TF/PF risks continuously for effective compliance.

Record-keeping requires a minimum of five years retention after the end of the business relationship or transaction completion. Entities must screen customers and financial transactions against targeted financial sanctions lists under Cabinet Decision No. (74) of 2020 and guidance from the Executive Office for Control and Non-Proliferation (EOCN), ensuring compliance with UN security council resolutions and relevant resolutions from the security council resolutions lists, including the terrorism lists regulation.

Key obligations by entity type:

  • Banks and licensed financial institutions: full transaction monitoring, travel rule for virtual asset transfers, sanctions screening, internal audit, correspondent banking due diligence, and prohibition of shell bank relationships

  • DNFBPs (including real estate brokers, independent legal professionals, auditors, corporate service providers): CDD/EDD, beneficial ownership verification, suspicious transaction reporting, sanctions screening

  • VASPs: licensing or registration, same standard of CDD/EDD as banks, blockchain analytics, travel rule compliance, restriction on anonymity-enhanced services, cooperation with the FIU

Virtual Assets, VASPs, and the UAE Virtual Assets Travel Rule

Federal Decree-Law No. 10 of 2025 interacts with existing virtual asset rules-including Dubai’s Law No. (4) of 2022 and VARA’s regulations-by bringing VASPs explicitly under the federal AML regime. Virtual Asset Service Providers are now subject to AML compliance requirements at the same level as traditional financial institutions.

The virtual assets travel rule requires VASPs and financial institutions to collect, verify, and transmit originator and beneficiary information for virtual asset transfers above defined thresholds. This aligns with joint guidance from supervisory authorities and FATF Recommendation 16.

Entities must deploy blockchain analytics and wallet screening tools, screen virtual asset flows against sanctions and watchlists, and apply risk-based monitoring. For example, a UAE-based crypto exchange must ensure that any transfer above the threshold includes verified originator and beneficiary identity, validate wallets via chain analysis, check EOCN and UN sanctions lists, and block transactions routed through mixers or anonymity tools. Failing to do so exposes the entity to criminal or administrative penalties imposed under the 2025 law.

Reporting of Suspicious Transactions and Cooperation with Authorities

Entities have statutory obligations to file Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) through the goAML platform without delay and without tipping off the customer. This extends to attempted transactions, suspected terrorist financing, and suspected proliferation financing.

The UAE Financial Intelligence Unit can issue asset freezing orders, and entities must comply with FIU and law enforcement agencies’ information requests, freezing orders, and asset tracing measures. Stronger cooperation with international authorities for asset freezing is included in the 2025 law.

Supervisory authorities including the CBUAE and FIU conduct sector-specific outreach-workshops, typologies reports, and relevant guidance-to support reporting entities in improving STR quality.

Internal escalation checklist:

  • Detect unusual activity through monitoring systems

  • Escalate to the AML/compliance officer for internal assessment

  • Conduct internal investigation and document findings

  • File STR/SAR via goAML without delay

  • Preserve all records and cooperate with authorities on follow-up

  • Remediate identified control weaknesses

Enforcement Powers, Sanctions, and Personal Liability

Penalties for AML violations have significantly increased under the new law. The range of administrative and criminal sanctions under law no. 10 of 2025 includes administrative fines, administrative penalties, licence restrictions, suspension, revocation, and criminal penalties including imprisonment. Legal persons face fines up to AED 100 million or the value of the criminal property-whichever is greater. For terrorism financing offences, fines can reach AED 10 million or double the value of the property involved. UAE’s AML enforcement includes penalties for deliberate or reckless breaches.

Managers can face personal liability for AML breaches where violations result from wilful misconduct, gross negligence, or failure to implement adequate controls. Misleading or providing incorrect beneficial ownership information carries a minimum fine of AED 20,000 and potential imprisonment.

Supervisory authorities apply a risk based approach to enforcement, weighing severity, duration, cooperation, remediation efforts, and previous compliance history. While enforcement under the 2025 law is still building, regulators have signalled an upward trajectory, building on fines and actions taken under the 2018 law.

Alignment with FATF Recommendations and International Standards

The UAE’s AML framework is aligned with FATF recommendations. Federal Decree-Law No. 10 of 2025 directly addresses issues raised in the FATF Mutual Evaluation, reflecting Recommendations 1 (risk-based approach), 10–21 (preventive measures), 24–25 (beneficial ownership), and 35–40 (sanctions and international cooperation). The UAE was removed from the FATF grey list in February 2024, and Law 10/2025 continues that reform trajectory in preparation for the upcoming mutual evaluation expected in 2026.

The law enhances international cooperation mechanisms: mutual legal assistance, information exchange between FIUs, joint investigations, and asset recovery. Foreign provisional and confiscation orders may now be executed without requiring parallel national investigations under certain conditions, and traditional refusal grounds have been narrowed.

Ongoing FATF follow-up will likely trigger further cabinet decisions and guidance affecting the regulatory framework, particularly around virtual asset and proliferation financing obligations.

Implications for Compliance Programs and Technology Adoption

The 2025 law pushes regulated entities to modernise their financial crime compliance infrastructure, data management, transaction monitoring, sanctions screening, case management, and adverse media monitoring, all of which require upgrades. The scope expansion to VASPs, proliferation financing, and new predicate offences means broader risk coverage and higher reporting volumes.

Scalable, AI-enabled tools are essential to manage these demands. Firms should perform gap analyses comparing existing AML policies and systems against the new legal and regulatory requirements, prioritising high-risk gaps such as VASP compliance, the virtual assets travel rule, proliferation financing controls, and beneficial ownership transparency.

RegTech providers play a critical role in automating KYC, name screening, transaction monitoring, adverse media checks, and entity risk assessment to meet the risk-based approach expectations of UAE regulatory bodies.

ZIGRAM's Complete AML System for UAE-Regulated Entities

ZIGRAM is a RegTech provider supporting banks, fintechs, insurers, capital markets firms, and virtual asset platforms operating in or with the UAE. ZIGRAM’s The Complete AML System is an integrated platform combining name screening (PreScreening.io), transaction monitoring (Transact Comply), and entity risk assessment (Entity Hero). Along with this, we have our own Risk App Ecosystem for the needs of any financial and non-financial institutions.

These tools can be configured to align with Federal Decree-Law No. 10 of 2025, Cabinet Decision No. 134/2025, CBUAE Rulebook requirements, DFSA/FSRA AML rules, and the UAE virtual assets travel rule. ZIGRAM supports UAE-specific watchlists, targeted financial sanctions from the EOCN, UN and key partner jurisdictions, as well as virtual asset risk indicators for blockchain analytics and wallet screening.

Whether you need to mitigate risks across regulated sectors, automate screening against sanctions lists, or build audit-ready compliance workflows, ZIGRAM’s platform is purpose-built for the demands of the 2025 federal AML law.

Book a Demo to map your current AML framework to UAE 2025 requirements using ZIGRAM’s Complete AML System.

Practical Roadmap to Implement the 2025 Federal AML Law

Compliance officers and MLROs should treat Law 10/2025 as a sweeping change requiring structured implementation. UAE Federal legislation is subject to updates by relevant authorities, making a phased approach essential.

  • Months 0–3: Regulatory mapping and gap analysis. Inventory existing AML/CTF controls. Compare against Law 10/2025 and executive regulations. Identify gaps in VASP coverage, beneficial ownership, enhanced due diligence, and proliferation financing controls.

  • Months 3–6: Risk assessment refresh. Conduct enterprise-wide ML/TF/PF risk assessments covering virtual assets, proliferation risks, customers, countries subject to sanctions, products, and channels. Incorporate findings from the national risk assessment.

  • Months 6–9: Policy and governance updates. Update AML policies, CDD/EDD thresholds, sanctions policies, travel rule procedures. Assign board and senior management oversight. Address business risks from new predicate offences.

  • Months 6–12: Technology and systems upgrade. Integrate or procure AML software for screening, transaction monitoring, blockchain analytics. Ensure audit trails and alignment with regulatory requirements.

  • Ongoing from month 1: Training and awareness. Train staff across all business lines-legal, operations, front-office, compliance, risk-on virtual assets, travel rule, beneficial ownership, and proliferation risk detection.

  • Months 9–12: Testing and supervisory readiness. Conduct independent reviews. Strengthen internal audit. Prepare for supervisory examinations. Document compliance and remediation status.

Cross-functional collaboration between legal, compliance, operations, IT, and business lines is essential. Use dashboards tracking STR volumes, alert quality, training completion, and remediation status to evidence effectiveness to supervisory authorities.

Looking Ahead: Future Developments in UAE AML/CFT/CPF Regulation

Expect further cabinet decisions, sectoral guidance, and thematic reviews refining implementation of Federal Decree-Law No. 10 of 2025-particularly for virtual assets and high-risk regulated sectors. Ongoing updates from the CBUAE, VARA, DFSA, FSRA, and the Ministry of Economy should be monitored through official rulebooks and circulars.

Businesses should view AML, counter terrorist financing, and counter-proliferation financing (combating terrorism offences and confronting money laundering) as continuous improvement programs rather than one-off compliance projects. The upcoming FATF mutual evaluation will scrutinise effectiveness, not just laws on paper.

The path forward is clear: combine expert legal advice, strong internal governance, and modern RegTech solutions-such as ZIGRAM’s Complete AML System-to stay ahead of the 2025 federal AML law requirements and protect your organisation from escalating regulatory and financial risk.

Enhance Your AML Compliance Efforts

Empower your organization with ZIGRAM's integrated RegTech solutions

Financial Crime Prevention Image

Articles

Explore insightful articles on cutting-edge topics like regulations, technological advancements, and critical insights into AML and financial crime risks
https://d2g4ubq4o0ypu0.cloudfront.net/wp-content/uploads/2026/07/UAE-Federal-Decree-Law-300x200.webp

UAE AML Law: Complete Guide to Federal...

13 Min
https://d2g4ubq4o0ypu0.cloudfront.net/wp-content/uploads/2026/07/OFAC-vs-UN-vs-EU-Sanctions-300x200.webp

OFAC vs UN vs EU Sanctions: Key...

15 Min
https://d2g4ubq4o0ypu0.cloudfront.net/wp-content/uploads/2026/07/Top-10-AML-Challenges-in-South-Africa-300x200.webp

Top 10 AML Challenges in South Africa:...

11 Min
https://d2g4ubq4o0ypu0.cloudfront.net/wp-content/uploads/2026/06/Transaction-Monitoring-In-AML-1-300x200.webp

Transaction Monitoring in AML: Practical Guide for...

13 Min
https://d2g4ubq4o0ypu0.cloudfront.net/wp-content/uploads/2026/06/Top-10-AML-Challenges-in-Indonesia-300x200.webp

Top 10 AML Challenges in Indonesia and...

11 Min
https://d2g4ubq4o0ypu0.cloudfront.net/wp-content/uploads/2026/06/FATF-Plenary-300x200.webp

FATF June 2026 Plenary: Grey List Changes,...

9 Min