Last week, the CBUAE issued a significant AML/CFT/CPF regulatory update — a package of four guidance documents and two best-practice manuals, anchored in the new Federal Decree by Law No. (10) of 2025 and Cabinet Resolution No. (134) of 2025. The consistent message across all six documents is unambiguous: compliance frameworks must be documented, risk-proportionate, and demonstrably effective — not merely existent on paper.
Proliferation Financing (PF)
For the first time, LFIs must conduct a standalone, documented PF Institutional Risk Assessment — separate from the general ML/TF assessment — covering customers, products, channels, geography, and operating structure. PF-specific red flag scenarios must now be embedded into transaction monitoring systems, including rules targeting dual-use goods and sanctions evasion patterns. EDD obligations are extended to correspondent relationships assessed as high-risk for PF, and AI/analytics tools are explicitly encouraged for detecting proliferation network patterns. Free Trade Zones, insurance products, real estate, and precious metals dealers are now designated elevated-risk vectors requiring tailored controls.
Trade-Based Money Laundering (TBML) & Transshipment
The UAE's first standalone TBML guidance raises expectations well beyond payment processing. LFIs must now actively scrutinise trade documentation — applying risk-based sampling to detect over/under-invoicing, phantom shipments, and misrepresented goods. Open-account trade transactions, where SWIFT messages carry minimal detail, are flagged as high-risk and require enhanced monitoring. Transshipment through UAE ports and Free Trade Zones now carries explicit risk indicators that LFIs must address in policy and in their transaction monitoring rule sets.
Correspondent Banking
A structured, formal due diligence framework now applies to all correspondent relationships. LFIs must assess each respondent's AML/CFT/CPF program quality — including CPF controls — and identify nested or downstream relationships that grant third parties access through a respondent's account. Written correspondent banking policies, documented risk appetite, and mandatory senior management approval for high-risk respondents are now required. Periodic relationship reviews must be risk-rated and documented, with transaction monitoring calibrated specifically to correspondent account activity.
Customer Due Diligence (CDD), KYC & Record-Keeping
LFIs must now maintain a written, institution-specific CDD/KYC program — not just generic policies. Customer risk profiles must integrate ML/TF and PF risk factors into a single methodology, ending siloed assessments. Simplified Due Diligence criteria are more narrowly defined, EDD scope is expanded, and beneficial ownership verification must apply risk-sensitive ownership thresholds. Records must be structured to enable rapid reconstruction of individual transactions and immediate response to Competent Authority requests — demanding a review of data governance and document retention architecture.
Best Practice: Risk-Based Approach & Institutional Risk Assessments
The IRA is reframed from a periodic compliance exercise to an ongoing, strategically integrated management tool. LFIs must document their risk assessment methodology, validate it against TM and investigation outcomes, and update it continuously. PF risk must now be structurally embedded in the IRA alongside ML/TF risk. Senior management and Board-level ownership of the risk assessment process — including regular governance reporting — is now an explicit supervisory expectation.
Best Practice: Role-Based AML/CFT/CPF Training
Generic annual e-learning is no longer sufficient. LFIs must design role-based training programmes tailored to the specific risk exposure of each function — from front-line staff and trade finance officers to compliance analysts and the Board. Training is now mandatory for active owners, partners, and shareholders, and Board-level training must be substantive, not merely awareness-level. Training design decisions must be documented, attendance records maintained, and curriculum effectiveness periodically assessed against evolving typologies.
Conclusion
This guidance package is a recalibration of the UAE's financial crime compliance standard. Across all six documents, the CBUAE has set a higher bar that touches every pillar of an LFI's AML/CFT/CPF framework: risk assessment, customer due diligence, transaction monitoring, correspondent banking, training, and governance. LFIs that treat it as a prompt to comprehensively review and strengthen their compliance architecture will be best positioned to meet supervisory expectations and to protect the integrity of the UAE's financial system.
How We Can Help
Navigating a guidance package of this breadth requires more than a policy review. We help licensed financial institutions to conduct structured gap assessments against the new CBUAE expectations, evaluate the adequacy of existing AML/CFT/CPF frameworks, and identify areas where policies, controls, and risk methodologies may need to be strengthened or redesigned.