In a Nutshell
- Federal Decree Law No. 10 of 2025, Article 19, requires Senior Management approval of AML policies, controls, and procedures. This is a legal obligation, not an administrative convention.
- Legal persons convicted of money laundering face fines of AED 5,000,000 to AED 100,000,000 under Federal Decree Law No. 10 of 2025, Article 27. This liability attaches to the institution, not only to individuals.
- Structures such as three-lines-of-defence, documented risk appetite statements for cash, and board-level MI on deposit activity are governance practices that support the entity’s legal obligations, even where they are not individually prescribed by a specific article.
- A Compliance Officer at management level with sufficient independence is required by Cabinet Resolution No. 134 of 2025, Article 22.
- Record retention for a minimum of five years is required under Cabinet Resolution No. 134 of 2025, Article 25, for all cash transaction records and related CDD documentation.
Cash deposit risk sits within the governance framework because the legal obligations that govern it are imposed on the institution, not only on the compliance function. Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 place obligations on regulated entities as a whole, with Senior Management approval of the control framework as an explicit requirement. When those controls fail, the exposure reaches beyond the compliance team. This article examines cash deposit risk from the perspective of boards and senior management, distinguishing between what the law requires and what sound governance practice additionally supports.
Why Cash Deposits Belong on the Board’s Risk Agenda
Cash deposits represent the placement stage of money laundering: the point at which criminal proceeds in physical form enter the regulated financial system. Once deposited and converted to an electronic balance, funds can be moved, layered, and transferred in ways that rapidly obscure their origin. The institution that allowed the placement to occur becomes a vehicle for criminal finance, regardless of whether it was aware of the purpose.
Federal Decree Law No. 10 of 2025, Article 19, requires all regulated entities to establish Senior Management-approved internal policies, controls, and procedures that manage and mitigate identified money laundering risks. The law names Senior Management approval as a condition, not a formality. Article 2 criminalises the deposit of funds known to be proceeds of a predicate offence, and the institution’s failure to detect such activity because of inadequate governance creates regulatory exposure at the institutional level.
The UAE 2024 National Risk Assessment identified cash as a high-risk instrument for money laundering. This finding matters at the board level because it makes cash a documented national priority risk. An institution whose governance framework has not engaged with cash deposit monitoring in light of that finding is less well placed to demonstrate awareness and management of risk to a supervisory authority.
Legal Obligations That Sit at the Governance Level
Senior Management Approval of AML Policies
Cabinet Resolution No. 134 of 2025, Article 21, requires regulated entities to establish internal AML/CFT policies, controls, and procedures that are approved by Senior Management, designed to manage and mitigate the specific risks the entity faces, and reviewed and updated continuously. The approval requirement is an express legal condition and is not satisfied by delegation to the compliance function without board or senior management engagement.
For cash deposit risk, the approved policy should address cash transaction monitoring in terms that reflect the entity’s own risk profile. A policy that covers AML typologies only at a general level may not reflect the specific risks the entity faces, which is the standard Article 21 requires. Policies that still reference the superseded 2018 legislative framework carry a documentation gap that may be apparent in a supervisory inspection.
Compliance Officer at Management Level
Cabinet Resolution No. 134 of 2025, Article 22, requires all regulated entities to appoint a Compliance Officer at the management level. The Compliance Officer should have sufficient independence to perform the function. The specific reporting line is not prescribed, but any arrangement that constrains the Compliance Officer’s ability to escalate concerns to senior management without commercial filtering should be reviewed against the independence requirement. Good practice is for the Compliance Officer to have a clear escalation pathway to senior management and, where necessary, to the board.
Enterprise-Wide Risk Assessment
Cabinet Resolution No. 134 of 2025, Article 5, requires regulated entities to identify, assess, manage, and document their money laundering and terrorism financing risks, taking into account the results of the National Risk Assessment. Cash is identified as high risk in the 2024 NRA. The entity’s own risk assessment should reflect this and inform the calibration of its cash deposit monitoring controls. The specific methodology or format of the risk assessment is not prescribed; the obligation is to conduct it, document it, and use it to shape the entity’s controls.
Record Retention
Cabinet Resolution No. 134 of 2025, Article 25, requires all records related to cash transactions, associated CDD, and any STRs filed to be retained for a minimum of five years from the transaction date or the end of the business relationship. Records must be organised to allow full reconstruction of the transaction and must be immediately available to competent authorities on request. This is an institutional obligation that the governance framework must ensure is met in practice.
Enterprise Risk Exposure When Cash Deposit Controls Fail
Criminal Liability for the Institution
Federal Decree Law No. 10 of 2025, Article 27, establishes criminal liability for legal persons found responsible for money laundering. The fine for a legal person convicted of money laundering is a minimum of AED 5,000,000, a maximum of AED 100,000,000, or the equivalent of the criminal property value, whichever is greater. This liability attaches to the institution as a legal person and is not contingent on an individual within the institution being separately prosecuted.
Criminal Liability for Individuals
Federal Decree Law No. 10 of 2025, Article 28, imposes criminal liability on individuals who fail to file an STR where grounds for suspicion exist. The penalty is imprisonment plus a fine of AED 100,000 to AED 1,000,000. The law does not identify a specific role title in every scenario. Where a failure to file results from a structural deficiency in the AML framework, the question of who owned and approved that deficiency is a factual one that may be relevant to any enforcement outcome.
Administrative Penalties and Supervisory Sanctions
Federal Decree Law No. 10 of 2025, Article 17, empowers supervisory authorities to impose a graduated range of administrative sanctions: written warnings; fines of AED 10,000 to AED 5,000,000 per violation; prohibition from sector engagement; restriction of board or management powers; appointment of a temporary supervisor; suspension of directors or officers; suspension or restriction of the entity’s activities; and licence revocation. Penalties such as restriction of board powers and appointment of a temporary supervisor operate at the institutional governance level. Administrative penalty schedules for CDD deficiencies and record-keeping failures are established under Cabinet Resolution No. 71 of 2024.
Reputational and Correspondent Banking Risk
A supervisory action for cash deposit monitoring failures carries reputational consequences beyond the formal penalty. Correspondent banking relationships, on which financial institutions depend for international transfers, are sensitive to adverse regulatory findings. A public sanction for cash monitoring failures can trigger correspondent due diligence reviews and, in serious cases, termination of correspondent relationships. This commercial risk sits alongside the formal regulatory exposure and is a governance consideration in its own right.
Governance Practices That Support the Legal Obligations
The following practices are not individually prescribed by specific articles in the 2025 framework, but each one supports the entity’s ability to meet its legal obligations and to demonstrate that support to a supervisory authority.
A Documented Risk Appetite for Cash
Defining the institution’s tolerance for cash transaction volume relative to its total business mix, the conditions under which the entity would decline or exit a cash-heavy customer relationship, and the escalation pathway when deposit patterns exceed defined parameters give the compliance function a clear governance mandate for the decisions it makes. It also provides a documented basis for those decisions if they are ever reviewed by a supervisory authority.
Three Lines of Defence for Cash Deposit Risk
Allocating clear accountability across the first line (identifying red flags at the point of transaction), the second line (setting the monitoring framework and overseeing the first line), and the third line (independently testing whether the first and second lines are functioning as designed) is a sound structural approach. An internal audit that tests cash deposit monitoring controls specifically, against a defined standard, gives the board more credible assurance than general AML audit coverage.
Board-Level Management Information on Cash Deposit Activity
No specific article prescribes the content or frequency of board-level reporting on cash deposit risk. However, a board that cannot point to specific, quantified information about cash deposit volumes, STR filings, monitoring alert dispositions, and relevant supervisory developments has a practical difficulty demonstrating meaningful governance oversight of a documented high-risk area. Good practice in this area involves a regular MI report that covers these metrics and flags material changes in the entity’s cash deposit risk profile.
Unified Customer View Across Deposit Channels
FIs receive cash deposits through multiple channels: branch tellers, ATMs, and cash deposit machines. A monitoring approach that integrates data from all channels into a single customer-level view is better placed to detect structuring behaviour that is spread across channels than one that reviews each channel separately. This is consistent with the ongoing monitoring obligation in Cabinet Resolution No. 134 of 2025, Article 8, even though no specific article prescribes the technical architecture of the monitoring system.
What Boards Should Be Able to Confirm
← scroll to see full table →
| What Boards Should Confirm | Type | Board-Level Question |
|---|---|---|
| Enterprise-wide risk assessment reflecting the NRA and cash as high risk | Legal obligation | Does the EWRA identify cash as high risk and inform monitoring calibration? |
| Record retention for five years; immediately available to authorities | Legal obligation | Are records retained for the required period and retrievable on request? |
| STR filing process that allows immediate submission upon forming suspicion | Legal obligation | Is there a clear internal STR pathway that does not introduce unnecessary delay? |
| Documented risk appetite for cash | Good practice | Has the board defined its tolerance for cash transaction volume and escalation triggers? |
| Three-lines-of-defence accountability for cash deposit risk | Good practice | Are first, second, and third line responsibilities for cash clearly allocated? |
| Board MI on cash deposit volumes, STR counts, and alert dispositions | Good practice | Does the board receive specific, quantified information on cash deposit risk? |
How GRC Advisors Can Help
GRC Advisors works with boards, senior management teams, and risk committees to build governance frameworks that position AML risk, including cash deposit risk, within the broader enterprise risk structure. Work includes board and senior management AML advisory, AML policy development and review aligned to Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, governance gap assessments, internal audit programme design for AML controls, and management information framework development for board-level financial crime oversight. Contact GRC Advisors to discuss your institution’s governance position.
FAQs: Cash Deposits
Who carries legal responsibility if our institution fails to file an STR for a suspicious cash deposit?
Federal Decree Law No. 10 of 2025, Article 28, imposes criminal liability on the person or persons responsible for the failure. The law does not prescribe a specific role title for every scenario. Where the failure results from a structural deficiency in the AML framework, the question of who owned and approved that deficiency is a factual matter that may be relevant to any enforcement outcome. This is a question for legal advice in each entity’s specific context.
How often should the board review the cash deposit monitoring framework?
Cabinet Resolution No. 134 of 2025, Article 21, requires the internal AML programme to be reviewed and updated continuously. Good governance practice suggests a specific board-level review at a minimum when the National Risk Assessment is updated, when supervisory guidance identifies cash as a priority inspection area, and as part of the annual AML policy review cycle.
Our AML policy was recently updated. Does it need to address cash deposits specifically?
Cabinet Resolution No. 134 of 2025, Article 21, requires the policy to be designed to manage and mitigate the specific risks the entity faces. If cash deposits are a feature of the entity’s business, a policy that addresses typologies only at a general level may not fully reflect those specific risks. Cash-specific monitoring controls are worth documenting within the policy or in a dedicated supporting document.
Our Compliance Officer reports to the CFO. Does that create a governance risk?
Cabinet Resolution No. 134 of 2025, Article 22, requires the Compliance Officer to have sufficient independence to perform the function. A reporting line to the CFO is not automatically non-compliant, but if it constrains the Compliance Officer’s ability to escalate AML concerns to senior management or the board without commercial filtering, the independence requirement may not be met in practice. This is a governance design question worth reviewing with legal advisers.
What does a supervisory inspection on cash deposit monitoring typically look at?
Inspections tend to examine the existence and adequacy of the written cash monitoring policy and whether it is Senior Management-approved as required by Cabinet Resolution No. 134 of 2025, Article 21; whether the monitoring framework detects suspicious patterns and not only individual threshold transactions, consistent with Article 17; whether STRs filed in the period reflect the entity’s cash deposit risk profile under Article 18; whether records are being retained as required by Article 25; and whether staff have been trained on cash-specific indicators. A board that has commissioned an internal audit to cover these same areas is in a stronger position to evidence governance oversight.
