In a Nutshell
- TFS compliance for the UAE Local Terrorist List is not an operational matter that can be fully delegated; board oversight of the TFS governance framework is required.
- Criminal penalties under Article 33 of Federal Decree-Law No. 10 of 2025 apply to persons who violate TFS instructions; board members and executives proven responsible face personal exposure.
- Three lines of defence must each play a documented role in TFS screening, freeze execution, and goAML reporting governance.
- Tipping off a designated customer is a criminal offence; board-level governance must ensure that knowledge of freezing decisions and TFS filings is strictly controlled.
The UAE Local Terrorist List is a national security instrument implemented through a financial compliance framework. For boards, CFOs, and heads of risk, that means TFS compliance is not simply an operational procedure maintained by the compliance team; it is a governance responsibility with personal liability consequences. This article addresses how senior decision-makers should structure oversight of the TFS framework.
Why TFS Governance Requires Board-Level Ownership
Cabinet Decision No. 74 of 2020 imposes legally binding obligations on all regulated entities in the UAE, with a specific 24-hour freeze deadline and a five-business-day goAML filing requirement. These are not targets; they are legal deadlines. An institution that misses them, for any reason, including governance structures that did not provide the compliance team with sufficient authority, technology, or resources, is in breach.
Federal Decree-Law No. 10 of 2025, Article 33 imposes criminal penalties on persons who violate TFS instructions from the Executive Office or a Competent Authority. The personal exposure extends to board members and executives proven responsible for the failure. A board that approved a TFS compliance budget insufficient to maintain real-time screening, or that failed to review whether the TFS programme was effective during supervisory examination cycles, has a governance ownership stake in any resulting violation.
Penalty Architecture: What the Board Must Understand
← scroll to see full table →
| Penalty Type | Provision | Exposure Level |
|---|---|---|
| Criminal penalty for TFS violations | FDL 10/2025, Article 33 | Imprisonment and fine of not less than AED 20,000 per person; applies to natural persons responsible |
| Administrative penalties | FDL 10/2025, Article 17 | Warning through to AED 5,000,000 per violation maximum; licence suspension; management power restrictions |
| Corporate liability for ML/TF/PF offences | FDL 10/2025, Article 27 | AED 5,000,000 to AED 100,000,000, or the value of criminal property if greater |
| Terrorist offence penalties | Federal Law No. 7 of 2014 (as amended 2024) | Long-term and life imprisonment for the underlying terrorist offences |
| Tipping-off offence | FDL 10/2025, Article 29 | Criminal liability for both intentional and grossly negligent disclosure to designated persons |
Three Lines of Defence for TFS Governance
← scroll to see full table →
| Line | Specific TFS Responsibilities |
|---|---|
| First Line (Operations and Relationship Management) | Executing daily screening runs against the UAE Local Terrorist List and UN Consolidated List; responding to EOCN NAS alerts with immediate customer base re-screening; initiating the 24-hour freeze protocol on confirmed matches; escalating partial matches to the second line without delay; maintaining tipping-off controls at the operational level |
| Second Line (Compliance, Risk, and Legal) | Owning the TFS policy and match-handling playbooks; overseeing CNMR and PNMR filing quality and timeliness; managing the supervisory authority notification process; reporting TFS programme effectiveness to the board; advising on ownership and control analysis for complex beneficial ownership structures |
| Third Line (Internal Audit) | Independently testing screening coverage, including beneficial owners and connected parties; sampling CNMR and PNMR filings for completeness and timeliness; reviewing EOCN NAS registration and update re-screening procedures; testing weekend and public holiday screening continuity; reporting governance gaps to the board audit committee |
Tipping-Off: A Board-Level Governance Control
The prohibition on tipping off a designated customer, or any third party, about a freeze measure or a goAML filing is a criminal liability issue that requires board-level governance attention. The risk is not primarily at the operational level, where compliance teams are trained on the prohibition; it is at the level of relationship managers who have client-facing roles and may communicate with customers about account restrictions before being informed that the restriction is TFS-related.
Governance must ensure that the chain of information about TFS freezes and CNMR/PNMR filings is controlled at every organisational level. The first action on a confirmed match is not to inform the client; it is to freeze, notify the supervisory authority, and file. Communications with the client are managed through a strictly controlled process that does not disclose the TFS basis for the action.
What Board Reporting on TFS Performance Should Cover
Board-level TFS reporting should include, at a minimum:
- CNMR and PNMR filing volumes and average time from match identification to filing, to demonstrate compliance with the five-business-day deadline.
- EOCN NAS registration status and any gap periods during which the institution was not receiving list update notifications.
- Re-screening completion rates and timing following EOCN list updates, to demonstrate that the 24-hour freeze requirement is operationally achievable.
- Staff training completion rates on CNMR, PNMR, STR/SAR workflows and tipping-off avoidance.
- Results of any EOCN or supervisory authority engagement on the TFS programme effectiveness.
- Status of any ongoing CNMR or PNMR matters, including frozen accounts and the timeline for their resolution.
Integrating TFS Governance into the Enterprise Risk Framework
TFS obligations are not an isolated compliance function; they intersect with credit risk management (when a customer relationship is frozen), liquidity risk (when assets held on behalf of third parties are frozen), and reputational risk (when an enforcement action becomes public). Boards should require that TFS events are reported through the enterprise risk management framework, not only through the compliance reporting channel, so that the full cross-functional impact is visible at the senior management level.
The enterprise-wide risk assessment required under Cabinet Resolution No. 134 of 2025 should explicitly address TFS-related risks within the institution’s geographic exposure profile, correspondent banking network, and customer sectors with elevated risk of terrorist designation activity. A risk assessment that does not address TFS exposure is incomplete for board approval purposes.
GRC Advisors: TFS Governance Integration
GRC Advisors works with boards and senior management to integrate TFS compliance into the enterprise risk management framework. Our advisory services cover TFS policy design, board reporting framework development, governance gap analysis following supervisory examination findings, and training for board members on TFS obligations under the UAE legal framework. Contact GRC Advisors to discuss how your board can take effective governance ownership of the UAE Local Terrorist List compliance.
Frequently Asked Questions
Can the board delegate TFS governance entirely to the MLRO?
The MLRO has operational responsibility for TFS procedures and goAML filings. Board-level governance responsibility cannot be fully delegated, however. The board must approve the TFS policy, receive periodic reporting on TFS programme effectiveness, and satisfy itself that resources and authority are sufficient for the compliance function to meet the 24-hour freeze and five-business-day filing deadlines. Personal liability attaches to persons proven responsible, which may include board members who failed to exercise their governance responsibilities.
What governance documentation demonstrates that the board has fulfilled its TFS obligations?
Board minutes recording approval of the TFS policy, review of management reporting on TFS performance, and consideration of supervisory examination findings related to TFS all demonstrate board-level governance engagement. The absence of this documentation is itself a governance finding. An internal audit report that reviewed TFS procedures and was presented to the board audit committee provides additional governance evidence.
How should the board respond when an EOCN inspection identifies TFS compliance failures?
The board should require a root-cause analysis that identifies whether the failure was operational (a first-line procedure failure), a second-line oversight failure, or a governance failure (insufficient resources, policy gaps, or absence of board reporting). The remediation plan should be approved at the board level with measurable milestones, reported against on a defined frequency, and reviewed by internal audit within six months of implementation. Proactive engagement with the supervisory authority on the remediation plan is a governance posture that supervisors view positively.
