The UAE has built one of the most rigorous governance, risk, and compliance ecosystems in the world, and accountants and auditors sit right at its centre. As Designated Non-Financial Businesses and Professions (DNFBPs), accounting and audit professionals occupy a uniquely sensitive position: they have direct access to financial records, legal structures, governance frameworks, and transaction histories of the clients they serve.
This privileged access is precisely why regulators treat accountants and auditors not merely as service providers, but as active gatekeepers of financial integrity. With the enactment of Federal Decree-Law No. 10 of 2025 and its executive regulation, Cabinet Resolution No. 134 of 2025, the UAE has significantly strengthened obligations across the entire DNFBP spectrum, and accounting professionals are firmly in scope.
This guide breaks down, step by step, every compliance obligation that accountants and auditors in the UAE must understand, implement, and maintain, from AML programme design to goAML reporting, KYC frameworks, sanctions screening, and governance accountability.
What Makes Accountants and Auditors DNFBPs Under UAE Law?
The Legal Classification of Accountants and Auditors
Under UAE law, the term DNFBP (Designated Non-Financial Business or Profession) refers to entities operating outside the traditional financial sector that are nonetheless exposed to money laundering and terrorism financing risks due to the nature of their work. Federal Decree-Law No. 10 of 2025, which replaced and significantly upgraded the 2018 AML law, explicitly includes independent accountants and auditors within the DNFBP category.
This classification applies to:
- Sole practitioners providing accounting or audit services
- Partners and employed professionals within accounting or audit firms
- External auditors serving corporate clients
Importantly, this classification does not extend to in-house accountants employed within a company for internal purposes. The DNFBP status applies specifically to those offering services externally to clients.
Activities That Trigger DNFBP Obligations for Accountants and Auditors
Not every accounting task triggers AML obligations. The Ministry of Economy’s supplemental guidance clarifies that the following client-facing activities are in scope:
- Preparation and examination of financial statements
- Auditing accounts and financial records
- Management of client funds or accounts
- Organizing the creation, operation, or management of companies
- Buying and selling of business entities on behalf of clients
- Tax advisory services linked to financial structuring
When accountants and auditors carry out these activities for clients, the full weight of UAE AML/CFT compliance obligations applies, regardless of the firm’s size or the client’s sector.
The Regulatory Framework Governing Accountants and Auditors in the UAE
Federal Decree-Law No. 10 of 2025: The New AML Architecture
The most significant legal development for accountants and auditors in recent years is the enactment of Federal Decree-Law No. 10 of 2025 on Anti-Money Laundering, Combating the Financing of Terrorism, and Proliferation Financing. This law supersedes the 2018 legislation and introduces a substantially more demanding compliance environment. Key changes directly affecting accountants and auditors include:
- Expanded scope to include proliferation financing (PF) as a separate and distinct obligation
- Strengthened beneficial ownership identification requirements, including for complex structures and nominee arrangements
- Higher standards for Enhanced Due Diligence (EDD) in high-risk client scenarios
- Stricter goAML reporting expectations with clearer thresholds for Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs)
- Increased enforcement powers granted to supervisory authorities, including the Ministry of Economy (MoET), which supervises accountants and auditors on the UAE mainland
Cabinet Resolution No. 134 of 2025: Operational Detail
Cabinet Resolution No. 134 of 2025 functions as the operational manual for the 2025 AML law. For accountants and auditors, this resolution defines:
- How risk-based assessments must be documented and applied
- Reporting timelines and quality standards for STR/SAR submissions
- The administrative framework for supervisory inspections (both on-site and off-site)
- Record retention schedules (minimum five years for all client documentation and transaction records)
Ministry of Economy Circulars and Sector-Specific Guidance
In addition to the primary legislation, accountants and auditors are subject to a series of Ministry of Economy circulars and guidance documents that are legally binding in application:
- Circular No. 3/2021: Sets out the AML/CFT obligations of accountants and auditors and defines supervisory inspection procedures
- AML/CFT Guidelines for DNFBPs (September 2025): The most current consolidated guidance document providing a structured methodology for risk identification, mitigation, and reporting
- Circular No. 3 of 2025: Emphasises mandatory sanctions and terrorist list screening procedures
- Circular No. 4 of 2025: Highlights the importance of the UAE 2024 National Risk Assessment (NRA) for sector-specific calibration
- Circular No. 6 of 2025: Provides direction on risk-based Customer Due Diligence (CDD), including Simplified Due Diligence (SDD) criteria
- Implementation Guide for DNFBPs on Customer Risk Assessment (CRA), November 2024
- Implementation Guide for DNFBPs on Customer Due Diligence (CDD), November 2024
- Supplemental Guidance for Auditors, June 2019 (to be read in conjunction with current DNFBP guidelines)
Accountants and auditors operating in the ADGM and DIFC free zones must additionally comply with the respective AML rules of the Abu Dhabi Global Market (ADGM) and the Dubai Financial Services Authority (DFSA).
The Risk Exposure of Accountants and Auditors to Money Laundering
Why the Accounting and Audit Profession Is a High-Risk DNFBP Category
Accountants and auditors carry inherently elevated money laundering risk because of the nature of their professional access. They examine the accounts, records, governance structures, internal controls, and ownership arrangements of their clients. This privileged position is exactly what makes their services attractive to those seeking to legitimise illicit funds or obscure criminal ownership.
Common exploitation methods include:
- Using accounting firms to prepare financial statements for shell companies concealing criminal proceeds
- Engaging auditors to provide apparent legitimacy to entities involved in layering schemes
- Manipulating transaction records during audit engagements to suppress evidence of suspicious activity
- Using accountant-client relationships to transfer funds under the guise of legitimate service fees
The UAE’s 2024 National Risk Assessment (NRA) underscores the elevated ML/TF risk profile of the accounting sector, and Circular No. 4 of 2025 requires all accountants and auditors to align their internal risk assessments with the findings of that NRA.
Red Flags Specific to the Accounting and Audit Sector
Accountants and auditors in the UAE should be alert to the following red flags during client onboarding and ongoing service delivery:
- Clients who are reluctant to provide full UBO information or offer evasive answers about the purpose of the engagement
- Complex corporate structures with no clear commercial rationale
- Requests to manage or transfer large sums of client funds with unusual urgency
- Clients linked to FATF high-risk or grey-listed jurisdictions, particularly where no legitimate business reason is evident
- Unusual ownership changes in client entities (for example, the re-KYC trigger in FATF grey list update scenarios)
- Transactions that are inconsistent with the client’s stated industry, scale, or geography
Step-by-Step AML Compliance Obligations for Accountants and Auditors in the UAE
Step 1: Register on the goAML Platform
Registration on the goAML platform operated by the UAE Financial Intelligence Unit (FIU) is a mandatory first step for all accountants and auditors classified as DNFBPs. This requirement exists under Federal Decree-Law No. 10 of 2025 and applies regardless of whether any suspicious transactions have been identified.
Failure to register on goAML is treated by the Ministry of Economy as an automatic internal controls failure and can result in administrative penalties of up to AED 1 million.
Registration involves two parallel processes:
- Registration with the Ministry of Economy as the supervising authority
- Registration on the goAML portal of the UAE FIU for STR/SAR submissions
Step 2: Appoint a Compliance Officer (MLRO)
Every accounting or audit firm operating as a DNFBP must appoint a qualified Money Laundering Reporting Officer (MLRO) or compliance officer with formal authority over the AML programme. The MoET’s 2025 DNFBP guidelines specify that this officer must have:
- Sufficient seniority to make independent decisions
- Direct access to senior management and the board
- Dedicated time and resources for compliance activities
- Documented terms of reference setting out their authority
For sole practitioners, this role may be self-held, provided the individual meets competency requirements.
Step 3: Develop a Written AML/CFT/CPF Programme
Accountants and auditors are required to maintain a written, documented AML/CFT/CPF programme that covers all of the following:
- Risk appetite statement specific to the firm’s client base and services
- Policies and procedures for client onboarding, ongoing monitoring, and exit
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) frameworks
- Sanctions screening processes and escalation procedures
- STR/SAR reporting workflows and tipping-off protections
- Internal audit arrangements for periodic AML programme review
- Staff training schedules and competency assessments
- Record retention procedures aligned with the five-year minimum requirement
This programme must be reviewed and updated whenever regulations change, when the firm’s risk profile shifts, or when a supervisory circular mandates a response, such as after a FATF grey list update.
Step 4: Conduct a Client Risk Assessment (CRA)
Before accepting any new client engagement, accountants and auditors must carry out a documented Client Risk Assessment (CRA). This assessment must evaluate the client across multiple risk dimensions:
- Country or geographic risk: Clients with links to FATF high-risk or monitored jurisdictions require Enhanced Due Diligence. Circular No. 8 of 2025 provides the updated list of such countries.
- Client type risk: Politically Exposed Persons (PEPs), high-net-worth individuals, and complex legal structures attract higher inherent risk.
- Product or service risk: Engagements involving company formation, fund management, or cross-border transactions carry elevated exposure.
- Delivery channel risk: Remote or non-face-to-face client onboarding increases verification risk.
The CRA output must be documented, assigned a risk rating (low, medium, or high), and reviewed periodically or when material changes occur in the client relationship.
Step 5: Implement Know Your Customer (KYC) and CDD Procedures
KYC and CDD are foundational to the AML compliance obligations of accountants and auditors. At a minimum, firms must:
- Verify the legal identity of every client using official, independent documentation
- Identify and verify Ultimate Beneficial Owners (UBOs), the individuals who ultimately own or control a client entity (threshold: 25% ownership or effective control)
- Understand the purpose and nature of the business relationship
- Obtain information on the source of funds and source of wealth for higher-risk clients
For higher-risk clients, Enhanced Due Diligence (EDD) applies. EDD requires deeper verification, senior management approval for onboarding, more frequent review cycles, and enhanced ongoing monitoring. PEP relationships, clients from sanctioned or monitored jurisdictions, and complex ownership structures all require EDD.
For demonstrably lower-risk clients, Simplified Due Diligence (SDD) may be applied, as outlined in Circular No. 6 of 2025, but only where the firm can document the justification for the simplified approach.
Step 6: Perform Ongoing Monitoring and Sanctions Screening
Sanctions screening is a continuous obligation under UAE AML law. Accountants and auditors must screen clients and transactions against:
- UAE local terrorist designation lists
- UN Security Council sanctions lists
- FATF high-risk and increased monitoring jurisdiction lists (updated periodically via Ministry of Economy circulars)
Screening must occur at client onboarding and on an ongoing, real-time basis as these lists are updated. Circular No. 3 of 2025 explicitly requires that internal procedures be updated promptly whenever these lists change.
Beyond sanctions, ongoing transaction monitoring must flag activity that is inconsistent with the client’s known profile, business purpose, or risk rating. This is particularly relevant for accountants and auditors who manage client funds or who observe unusual financial activity during audit engagements.
Step 7: File Suspicious Transaction Reports (STRs) via goAML
If an accountant or auditor encounters a transaction or activity that they know, suspect, or have reasonable grounds to suspect is connected to money laundering, terrorism financing, or proliferation financing, they are legally required to file a Suspicious Transaction Report (STR) through the goAML platform.
Key points regarding STR obligations:
- There is no minimum value threshold; the obligation is triggered by suspicion, not amount
- Reports must be submitted promptly; unreasonable delays can constitute a regulatory breach
- The firm must not tip off the client that a report has been made. Doing so carries criminal sanctions including imprisonment and fines of no less than AED 50,000 under Federal Decree-Law No. 10 of 2025
- STR confidentiality cannot be overridden, not even by professional secrecy provisions, except in limited circumstances for legal professionals under judicial privilege
The STR and goAML reporting process must be embedded in firm-wide procedures so that all relevant staff understand when and how to escalate.
Step 8: Provide Regular AML Training to Staff
All employees of an accounting or audit firm, not just the MLRO, must receive regular, documented AML training. Under the 2025 regulatory framework, training must cover:
- The nature of money laundering, terrorism financing, and proliferation financing risks
- Red flags relevant to the accounting and audit profession
- Client identification and verification procedures
- STR reporting obligations and the tipping-off prohibition
- The latest regulatory developments, including FATF grey list updates and new Ministry of Economy circulars
AML training programmes should be delivered at onboarding for new staff and refreshed at least annually, with documentation of attendance and assessment outcomes retained.
GRC Framework for Accounting and Audit Firms in the UAE
Governance: Building Accountability Structures That Regulators Can Test
Governance is the foundation on which all AML compliance rests. For accounting and audit firms, governance means creating clear accountability structures that define who is responsible for compliance decisions, how those decisions are escalated, and how the board or senior management receives and acts on compliance information.
Under the GRC services framework applicable to DNFBPs, governance for accountants and auditors should include:
- A Board-level or senior management commitment to AML compliance documented in a formal policy
- Defined roles and responsibilities for the MLRO, senior partners, and client-facing staff
- A documented authority matrix showing who can approve high-risk client onboarding
- A governance calendar for periodic review of the AML programme, risk assessments, and training records
- Clear escalation pathways from client-facing staff to the MLRO and senior management
Governance failures, such as the assumption that policies are understood simply because they exist, are among the most common causes of regulatory enforcement action.
Risk: Calibrating the ML/TF/PF Risk Assessment
The ML/TF/PF Risk Assessment is a living document that must reflect the firm’s actual client base, service portfolio, geographic exposure, and delivery channels. Under the 2025 regulatory framework, the Enterprise-Wide Risk Assessment (EWRA) must:
- Be reviewed and updated at least annually
- Directly inform onboarding standards, monitoring thresholds, and escalation triggers
- Reflect the findings of the UAE 2024 National Risk Assessment
- Account for FATF grey list changes and any new Ministry of Economy circulars issued during the review period
A static risk assessment, one prepared once and filed away, will not satisfy supervisory expectations. Regulators assess whether the risk framework functions in day-to-day practice, not merely whether a document exists.
Compliance: Building Controls That Work Under Inspection
Compliance is the operational layer. For accountants and auditors, this means AML controls that function consistently, not only during regulatory inspections, but on every client engagement, every onboarding, and every transaction review.
Regulatory inspection readiness for accounting firms requires that all of the following be evidenced clearly:
- goAML registration certificates and reporting logs
- CRA and CDD documentation for every active client
- STR submission records (where applicable)
- Training attendance records and assessment outcomes
- MLRO activity logs and escalation records
- AML policy version history and board/management sign-off
The Ministry of Economy conducts both on-site and off-site inspections of accountants and auditors under Circular No. 3/2021. Evidence packs should be maintained in a format that can be produced at short notice.
Penalties for Non-Compliance: What Accountants and Auditors Risk
The penalty regime under Federal Decree-Law No. 10 of 2025 is significant. For accountants and auditors found to be non-compliant, consequences include:
- Administrative penalties ranging from AED 10,000 to AED 5 million per violation
- Criminal liability including imprisonment for individuals responsible for serious breaches
- Asset freezes applied to firms or individuals under investigation
- Licence revocations issued by the Ministry of Economy or relevant supervisory authority
- Reputational damage arising from public enforcement disclosures
The 2025 law has expanded enforcement powers granted to supervisory authorities, meaning inspections are more frequent, more detailed, and less forgiving of procedural gaps than in previous years.
How the FATF Grey List Affects Accountants and Auditors in the UAE
The FATF (Financial Action Task Force) grey list identifies jurisdictions with strategic deficiencies in their AML/CFT frameworks. When a country is added to or removed from the grey list, it directly impacts the risk profile of clients linked to that jurisdiction.
For accountants and auditors, a FATF grey list update triggers a mandatory review obligation. Where an existing client has Ultimate Beneficial Owners, parent entities, or significant business operations in a newly grey-listed country, the firm must:
- Conduct a re-KYC of the affected client
- Reassess the client’s risk rating (typically escalating to high risk)
- Apply Enhanced Due Diligence proportionate to the updated risk
- Consider whether continued engagement remains appropriate
- Document all decisions and the rationale behind them
This process is detailed in the UAE’s AML/CFT Guidelines for DNFBPs (September 2025) and is reinforced by Circular No. 4 of 2025 on the National Risk Assessment.
Accountants and Auditors Operating in ADGM and DIFC
Accountants and auditors operating within the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) are subject to an additional layer of regulatory requirements beyond those applicable to mainland firms.
- ADGM requires all DNFBP firms, including accounting and audit practices, to register with the ADGM’s Financial Services Regulatory Authority (FSRA) and comply with the ADGM AML Rules, which align closely with FATF recommendations
- DIFC requires compliance with the DFSA rulebook, which includes detailed AML/CFT obligations specific to firms operating within the Centre
Firms operating across multiple jurisdictions (for example, a firm licensed on the mainland and operating through an ADGM entity) must maintain a coherent, single AML control architecture while tailoring their procedures, governance pathways, and evidence packs to each applicable regulatory context.
Internal audit functions within such firms should be designed to cover all jurisdictional requirements as a unified scope, rather than treating each licence as a separate silo.
Internal Controls and Internal Audit for Accounting Firms
The Role of Internal Control in AML Compliance
Internal control is the operational architecture through which AML governance translates into daily practice. For an accounting or audit firm, effective internal controls include:
- Segregation of duties in client onboarding and fund handling
- Four-eyes review for high-risk client approvals
- Automated transaction monitoring alerts linked to pre-defined thresholds
- Periodic client file reviews to ensure CDD remains current and complete
- Whistleblowing channels that allow staff to raise concerns without fear of reprisal
Independent AML Internal Audit
The MoET’s 2025 guidelines require that the AML programme be subject to periodic independent review. For larger firms, this typically means a dedicated AML internal audit function or engagement of an external specialist to assess:
- Whether controls are operating as designed
- Whether the risk assessment reflects the firm’s actual exposure
- Whether STR reporting is timely, complete, and appropriately documented
- Whether training outcomes are demonstrably improving staff competency
- Whether the governance framework meets current supervisory expectations
The findings of this review must be reported to senior management and documented, with a clear remediation plan for any gaps identified.
Third-Party Risk and Accountants: Managing Client and Vendor Exposure
Accounting and audit firms often engage third-party data providers, software platforms, and sub-contractors in the delivery of their services. This introduces third-party risk that must be managed under a structured oversight framework.
Key third-party risks for accountants and auditors include:
- AML software providers with inadequate sanctions list coverage or update frequencies
- Sub-contracted accounting services where AML standards are lower than the firm’s own
- Cloud platforms hosting client data subject to PDPL obligations under the UAE Personal Data Protection Law
A robust third-party risk management approach requires due diligence at onboarding, contractual AML representations, and periodic re-assessment of each third party’s compliance posture.
GRC Advisors: Expert Support for Accountants and Auditors in the UAE
Navigating the layered regulatory environment facing accountants and auditors in the UAE is demanding. Federal Decree-Law No. 10 of 2025, Cabinet Resolution No. 134 of 2025, the 2025 DNFBP guidelines, and a series of Ministry of Economy circulars together create a compliance architecture that requires not just awareness, but documented implementation.
GRC Advisors works with accounting and audit firms across the UAE mainland, ADGM, and DIFC to design, implement, and independently review AML/CFT compliance programmes that are built to operate under regulatory scrutiny, not just to exist on paper.
Services delivered to accountants and auditors include:
- AML programme design and policy drafting aligned with 2025 legislation
- ML/TF/PF risk assessments calibrated to sector-specific exposure
- KYC and CDD framework development and implementation
- goAML registration support and STR/SAR reporting procedures
- Sanctions screening framework design and software selection guidance
- Staff AML training delivery and documentation
- Regulatory inspection readiness and mock inspection exercises
- Independent AML internal audit and gap assessment
Firms that prefer readiness over reassurance choose to build their compliance infrastructure before regulators ask the questions.
FAQs: Accountants and Auditors in UAE
Are all accountants and auditors in the UAE required to comply with AML laws?
Not all. AML/CFT obligations apply specifically to independent accountants and auditors who provide services externally to clients, including audit services, financial statement preparation, and company management activities. Internal accountants employed within a single organisation are not classified as DNFBPs and are not subject to these obligations in their own right.
Who supervises accountants and auditors for AML compliance in the UAE?
On the UAE mainland, the Ministry of Economy (MoET) is the designated supervisory authority for accountants and auditors as DNFBPs. Firms operating within the ADGM are supervised by the ADGM FSRA, and those within the DIFC are supervised by the DFSA. Supervisory oversight includes both on-site and off-site inspections.
What is the penalty for not registering on goAML as an accountant or auditor?
Failure to register on the goAML platform is classified as an internal controls failure under UAE AML law. Administrative penalties can reach up to AED 1 million, and the firm’s licence may be subject to suspension or revocation by the supervisory authority. Registration is mandatory even if no suspicious transactions have been identified.
Do accountants and auditors need to report suspicious transactions even without a minimum threshold?
Yes. Under Federal Decree-Law No. 10 of 2025, there is no minimum value threshold for STR reporting. The obligation is triggered by suspicion or reasonable grounds for suspicion that a transaction is linked to money laundering, terrorism financing, or proliferation financing. The amount of the transaction is irrelevant to this duty.
What is Enhanced Due Diligence and when must accountants apply it?
Enhanced Due Diligence (EDD) is a higher level of client verification and ongoing monitoring applied to clients assessed as high risk. Accountants and auditors must apply EDD to clients who are Politically Exposed Persons (PEPs), clients from FATF high-risk or grey-listed jurisdictions, clients with complex or opaque ownership structures, and any client whose risk rating escalates following a re-KYC review. EDD requires senior management approval for onboarding, deeper verification of source of funds and source of wealth, and more frequent review cycles.
How often should accountants and auditors update their AML risk assessment?
The AML Enterprise-Wide Risk Assessment (EWRA) must be reviewed and updated at a minimum annually. Additionally, it must be updated whenever there is a material change in the firm’s client base, service offerings, or geographic exposure; whenever a new Ministry of Economy circular is issued; and whenever the FATF updates its grey list or the UAE issues a revised National Risk Assessment.