Federal Decree Law No. 10 of 2025: Explained UAE New AML Law
Federal Decree Law No. 10 of 2025: Key Points
Area | What it means under the UAE New AML Law |
Legal framework | Federal Decree Law No. 10 of 2025 establishes the baseline UAE AML/CFT legal framework |
Implementing regulation | Cabinet Resolution No. 134 of 2025 sets out detailed implementation requirements |
Effective dates | Federal Decree Law No. 10 of 2025: 14 October 2025 |
Compliance impact | Increased expectations for governance, risk-based controls, documentation quality, and accountability |
Priority controls | EWRA, CDD, EDD, ongoing monitoring, sanctions and PF controls, STR quality |
Regulatory scope | Applies across DIFC, ADGM, VARA, CMA, MOET, and MOJ supervisory contexts |
Leadership focus | Represents a full AML/CFT operating model upgrade, not a policy-only update |
Put an AML Policy in Place That Meets UAE Standards
Custom AML policies and procedures aligned with UAE AML law and supervisory expectations for auditors and accountants.
What Federal Decree Law No. 10 of 2025 Means for Regulated Entities
Federal Decree Law No. 10 of 2025 introduces a fundamental shift in UAE AML/CFT expectations. This is not a routine legislative refresh. It represents a move toward demonstrable and measurable compliance effectiveness.
Regulated entities are now expected to evidence:
- Stronger governance and internal controls
- Higher-quality risk assessments and risk-based decisions
- Clear and defensible customer due diligence and beneficial ownership analysis
- Effective ongoing monitoring aligned to business activity
- Improved quality and consistency of suspicious transaction reporting
- Robust audit trails showing how AML/CFT decisions were reached
Supervisory authorities are increasingly focused on whether AML/CFT controls operate effectively in day-to-day practice, rather than whether policies exist on paper.
Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 in Practice
The UAE AML framework must be read as a combined structure:
- Federal Decree Law No. 10 of 2025 sets out core legal obligations and enforcement standards.
- Cabinet Resolution No. 134 of 2025 provides implementation depth and operational guidance.
For AML/CFT teams, this means shifting the focus from drafting policies to demonstrating control performance. Policies, procedures, systems, and governance forums must align to a single objective: risk-based prevention, detection, escalation, and reporting.
Supervisory Context Across UAE Authorities
Implementation under the UAE New AML Law must reflect the relevant supervisory environment. Many organisations operate across multiple licensing regimes or customer segments, creating overlapping regulatory obligations.
Depending on business activities, AML/CFT frameworks may need to address expectations linked to:
- DIFC
- ADGM
- VARA (virtual asset activities)
- CMA (capital market participants)
- MOET (DNFBP-related obligations)
- MOJ (lawyers and legal professionals)
A practical approach is to maintain a single, coherent AML/CFT control architecture, while tailoring procedures, governance pathways, and evidence packs to each applicable regulatory context.
Core AML/CFT Priorities Under the UAE New AML Law
1. Enterprise-Wide Risk Assessment Must Drive Decisions
Under UAE AML law 2025, the EWRA is not a static document. It should directly inform onboarding standards, monitoring thresholds, review frequency, and escalation triggers.
An effective EWRA should clearly link:
- Customer and product risk
- Delivery channel risk
- Geographic and cross-border exposure
- Sanctions and proliferation financing risks
- Control effectiveness outcomes
2. CDD and EDD Must Be Risk-Led and Defensible
Customer due diligence and enhanced due diligence expectations require transparent decision logic. Firms should be able to clearly explain:
- Why a customer is rated low, medium, or high risk
- What enhanced controls apply as a result of that risk rating
Consistency and defensibility are key supervisory expectations.
3. Beneficial Ownership Must Be Clear and Auditable
Beneficial ownership remains a core pillar of UAE AML/CFT compliance. Customer files should clearly document:
- Ownership structures and control relationships
- Validation steps taken
- Escalation of unresolved or complex ownership issues
The ownership determination process should be traceable and review ready.
4. Ongoing Monitoring Must Reflect Business Reality
Ongoing monitoring under UAE AML requirements should be calibrated to actual customer and transaction behaviour. Generic or imported thresholds often result in poor outcomes.
Effective monitoring achieves a balance between:
- Meaningful alerts
- Manageable alert volumes
- High-quality investigations
- Timely and consistent decisions
5. STR Quality Is a Key Control Outcome
Suspicious transaction reporting quality depends on structured case handling and coherent narratives. An independent reviewer should be able to follow the full decision path from trigger to conclusion without ambiguity.
6. Sanctions and PF Controls Must Be Fully Integrated
Sanctions screening and proliferation financing controls should be embedded across onboarding, transaction monitoring, investigations, escalation, and governance reporting. These controls should not operate in isolation from core AML processes.
Train Your Team on UAE AML Obligations
Role-based AML training for partners, staff, and MLROs with practical, regulator-ready, and audit-proof.
Implementation Blueprint for FIs, DNFBPs, and VASPs
Advisors recommend a phased implementation approach aligned to Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.
Phase 1: Legal Obligation Mapping
Map each legal requirement to:
- Business activity
- Relevant authority or jurisdiction
- Policy references
- Control ownership
- Evidence requirements
Phase 2: Risk-Based Gap Assessment
Assess design and effectiveness across:
- EWRA
- Customer risk rating methodology
- CDD and EDD processes
- Beneficial ownership reviews
- Ongoing monitoring
- Sanctions and PF controls
- STR governance and workflow
Phase 3: Policy-to-Control Traceability
Establish a clear line of sight between legal obligations, internal policies, operational procedures, system logic, and supervisory evidence.
Phase 4: Targeted Execution and Training
Deliver role-specific guidance for frontline staff, compliance teams, operations, and senior management. Training should emphasise judgement, escalation, and documentation quality.
Phase 5: Assurance and Board Reporting
Conduct quality assurance and control testing. Provide senior management with risk-ranked dashboards showing ownership, remediation timelines, and closure evidence.
Common AML Compliance Gaps and Practical Fixes
Gap: Legal updates without operational redesign
Fix: Translate legal obligations into measurable control outcomes
Gap: One-size-fits-all procedures
Fix: Tailor controls to business model and supervisory context
Gap: High alert volumes with low intelligence value
Fix: Refine monitoring scenarios using investigation outcomes
Gap: Weak case documentation
Fix: Standardise investigation structure, rationale, and closure criteria
Gap: Limited senior oversight
Fix: Provide concise board MI with trends, key risks, and remediation status
Key Questions for Boards and Senior Management
Senior leadership should assess readiness under the UAE New AML Law by asking:
- Where are our highest ML, TF, and PF risk concentrations?
- Which AML/CFT controls show the weakest performance evidence?
- Are CDD and EDD outcomes consistent across business units?
- Are sanctions and PF controls integrated into daily AML operations?
- Are STR decisions timely, consistent, and well-documented?
- Can we evidence prompt remediation of material findings?
These questions help shift focus from compliance activity to compliance effectiveness.
Conclusion: From Policy Compliance to Control Effectiveness
Federal Decree Law No. 10 of 2025, together with Cabinet Resolution No. 134 of 2025, establishes a higher standard for AML/CFT compliance in the UAE. The expectation is clear: firms must demonstrate that controls work in practice.
Early, structured implementation enables organisations to strengthen accountability, risk intelligence, documentation quality, and execution consistency. For firms operating across DIFC, ADGM, VARA, CMA, MOET, and MOJ environments, this is the right moment to reinforce AML/CFT architecture end to end.
FAQs on Federal Decree Law No. 10 of 2025
The UAE New AML Law refers to Federal Decree Law No. 10 of 2025. It sets out the updated rules for anti-money laundering (AML), counter-terrorism financing (CTF), and related compliance requirements in the UAE. The law raises expectations around governance, enforcement, and how firms manage financial crime risks.
Federal Decree Law No. 10 of 2025 became effective on 14 October 2025.
Cabinet Resolution No. 134 of 2025 explains how firms should apply the law in practice. It turns the legal requirements of the UAE New AML Law into clear, day-to-day AML/CFT controls and operational expectations.
The law applies to regulated entities across the UAE, including:
- Financial institutions
- Designated Non-Financial Businesses and Professions (DNFBPs)
- Virtual Asset Service Providers (VASPs)
Whether the law applies depends on a firm’s licence, business activities, customers, delivery channels, and where it operates.
For most firms, this is a full compliance reset, not just a legal update. Regulators expect firms to show that AML/CFT controls work in practice, not just that policies exist.
Key focus areas include:
- Quality of enterprise-wide risk assessments
- Effective customer due diligence (CDD) and enhanced due diligence (EDD)
- Clear and transparent beneficial ownership identification
- Well-calibrated ongoing monitoring
- Strong sanctions and proliferation financing controls
- High-quality suspicious transaction reporting (STR)
CDD and EDD should be risk-based and well documented. Firms should clearly record:
- Why a customer is rated low, medium, or high risk
- When enhanced checks are required
- What information and documents were reviewed
- Who approved the final decision and why
Effective ongoing monitoring is tailored to how the business operates. Monitoring scenarios should generate useful alerts, support timely investigations, and lead to clear and defensible outcomes.
Beneficial ownership remains critical because complex or unclear ownership structures can hide money laundering, terrorism financing, or proliferation financing risks. Firms must be able to clearly identify and verify who ultimately owns or controls a customer.
Sanctions and proliferation financing controls should be built into:
- Customer onboarding
- Screening processes
- Ongoing monitoring
- Investigation and escalation workflows
They should operate as part of the core AML/CFT framework, not as separate or standalone checks.
These authorities are relevant depending on a firm’s licence and activities. Firms should map the UAE New AML Law requirements to their specific supervisory environment and ensure procedures, governance, and evidence meet the expectations of each relevant regulator.
Common implementation mistakes include:
- Treating the law as a paperwork exercise
- Using generic monitoring rules that do not fit the business
- Poor documentation of investigation decisions
- Unclear ownership of remediation actions
- Limited visibility for senior management on AML control performance
A typical readiness review includes:
- Mapping legal requirements to business activities
- Identifying gaps in AML/CFT controls
- Testing links between policies, procedures, and operations
- Reviewing how well controls work in practice
- Assessing governance and management reporting
- Creating a clear remediation plan with owners and timelines
Strengthen AML Compliance Beyond goAML Registration
Implement AML software, managed KYC services, and ongoing compliance support tailored for accounting and audit firms in the UAE.