The UAE has firmly established itself as one of the world’s most ambitious financial hubs. For Asset Managers and Investment Firms operating within its borders, this ambition translates into an increasingly complex and rigorously enforced regulatory environment.
From the sweeping overhaul of the federal capital markets framework in January 2026 to the introduction of the new Anti-Money Laundering (AML) law in late 2025, the pace of regulatory change demands more than good intentions. It demands structured governance, proactive risk management, and airtight compliance.
This guide is written for compliance officers, senior managers, risk professionals, and founders of Asset Managers and Investment Firms who want a clear, current, and actionable understanding of what UAE regulators expect and how to meet those expectations without losing operational momentum.
The UAE Regulatory Landscape for Asset Managers and Investment Firms in 2026
Understanding who regulates what is the first pillar of effective governance. In 2026, the UAE regulatory map for Asset Managers and Investment Firms has shifted significantly, with new federal laws and new authority names entering the picture.
The Capital Market Authority (CMA): The New Federal Regulator
On 1 January 2026, Federal Decree-Law No. 32 of 2025 came into force, establishing the Capital Market Authority (CMA) as the successor to the Securities and Commodities Authority (SCA). Federal Decree-Law No. 33 of 2025 simultaneously introduced a comprehensive statutory framework for onshore capital markets, covering fund management, asset management, brokerage, intermediation, valuation, and alternative finance.
This is not a cosmetic name change. The CMA represents a structural shift from a rulebook-driven, interpretive regime to one that is statutory, consolidated, and enforcement-oriented. For Asset Managers and Investment Firms operating onshore on the UAE mainland (outside DIFC and ADGM), the CMA is now the primary licensing and supervisory authority.
- Key CMA obligations include: obtaining a fund management licence, maintaining enhanced governance arrangements, satisfying capital adequacy requirements, and adhering to expanded conduct of business rules.
- Systemically important licensed persons now face additional requirements, including higher capital buffers, enhanced risk management, and the obligation to develop CMA-approved recovery plans.
- The CMA’s jurisdiction has been extended to cover certain activities conducted outside the UAE where those activities have an impact on UAE markets a significant development for cross-border fund managers.
DFSA: Regulating Investment Firms in the DIFC
The Dubai Financial Services Authority (DFSA) regulates all investment firms, asset managers, hedge funds, brokers, and financial advisers operating within the Dubai International Financial Centre (DIFC). The DFSA operates under common law principles and maintains its own independent rulebook. Any Asset Managers and Investment Firms operating from or through the DIFC must hold a DFSA licence appropriate to their regulated activities.
As of early 2024, DIFC hosted over 410 wealth and asset management firms, including 75 hedge funds, with AUM surging 58% to $700 billion a clear signal of DIFC’s growing prominence as an asset management domicile.
FSRA: Regulating Investment Firms in ADGM
The Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) regulates investment firms, asset managers, and fund managers based in ADGM. In the first half of 2024, ADGM recorded a 226% increase in AUM, with 112 asset and fund managers overseeing 141 funds underscoring its rapid growth as a competitive hub for Asset Managers and Investment Firms.
ADGM fund managers require a Financial Services Permission (FSP) authorising the regulated activity of ‘Managing a Collective Investment Fund,’ with a base capital requirement of USD 50,000 for managers of Exempt or Qualified Investor Funds.
Fund Marketing Rules: The April 2024 SCA Update
Since April 2024, the promotion of foreign fund units inside the UAE has been limited to private offerings to professional investors. As a result, retail funds must be domiciled in the UAE to offer units to retail investors. Asset Managers and Investment Firms distributing foreign funds to retail investors must now either establish UAE domiciled feeder structures or operate under DIFC/ADGM passporting arrangements.
Governance Framework Requirements for Asset Managers and Investment Firms in UAE
Governance is the permission structure through which regulated firms demonstrate control. For Asset Managers and Investment Firms, regulators across the CMA, DFSA, and FSRA assess governance not through stated intentions but through documented evidence.
Board Oversight and Senior Management Accountability
UAE regulators expect Asset Managers and Investment Firms to maintain a governance structure that clearly defines authority, decision-making, and accountability at board and executive level. Key governance requirements include:
- Board composition: The board must include sufficient independent members with appropriate financial services expertise. Chairperson and governance reporting lines must be clearly documented.
- Delegated authority frameworks: Investment mandates, risk limits, compliance approvals, and operational authorities must be codified in a delegated authority matrix that regulators can review.
- Committee mandates: Audit, risk, and compliance committees must have written terms of reference, meeting cadences, and documented outputs including minutes, actions, and escalation records.
- Policy hierarchies: Firms must maintain a policy framework aligned with regulatory requirements covering investment policy, conflicts of interest, best execution, remuneration, and outsourcing.
Fit and Proper Requirements
All approved persons including CEOs, compliance officers, risk officers, and board members at Asset Managers and Investment Firms are subject to fit and proper assessments. Regulators will examine criminal records, regulatory history, financial soundness, and professional competence. The CMA, DFSA, and FSRA each maintain their own approved persons registers and conduct ongoing assessments post-appointment.
Conflicts of Interest Management
Asset Managers and Investment Firms face inherent conflicts of interest between managing client assets and proprietary positions, between different classes of investors, and between fee structures and fiduciary obligations. UAE regulators require firms to maintain a conflicts of interest policy, a conflicts register, and documented procedures for managing, disclosing, or avoiding material conflicts.
To build a governance framework that satisfies UAE regulatory expectations and supports operational efficiency, many firms partner with specialists offering GRC services designed to integrate governance, risk, and compliance into a single operating model.
Risk Management Obligations for Asset Managers and Investment Firms in UAE
Risk management for Asset Managers and Investment Firms in the UAE operates across multiple dimensions: market risk, liquidity risk, operational risk, regulatory risk, and increasingly, financial crime risk. Regulators expect risk to be structured, visible, and framed to support informed decision-making at board and executive level.
Enterprise Risk Management (ERM) Framework
Asset Managers and Investment Firms regulated by the CMA, DFSA, or FSRA are expected to maintain a documented Enterprise Risk Management framework that covers:
- Risk appetite statement: Board-approved articulation of the types and quantum of risk the firm is willing to accept in pursuit of its objectives.
- Risk register: A regularly updated record of all identified risks, their likelihood, impact, controls, owners, and residual risk ratings.
- Risk and Control Self-Assessments (RCSAs): Periodic exercises mapping key operational risks to existing controls and identifying control gaps.
- Risk reporting: Regular reporting to the board and risk committee with dashboards, exception reports, and breach escalations.
Liquidity and Capital Risk
For Asset Managers and Investment Firms, liquidity risk management is a core supervisory focus particularly in the context of open-ended funds offering daily or periodic redemptions. The CMA, DFSA, and FSRA each have requirements around liquidity stress testing, redemption gates, side pockets, and minimum liquidity buffers. Capital adequacy requirements must be monitored on an ongoing basis, with prompt notification to regulators if thresholds are breached.
Technology and Cyber Risk
Digital infrastructure underpins modern asset management, but it also creates exposure. UAE regulators increasingly expect Asset Managers and Investment Firms to maintain documented cybersecurity policies, conduct regular vulnerability assessments, implement access controls and encryption, and have tested incident response plans. Third-party technology vendors including cloud providers, portfolio management systems, and trading platforms must be subject to robust third party risk management oversight.
AML/CFT Compliance for Asset Managers and Investment Firms in UAE
AML/CFT compliance is one of the most operationally demanding and regulatorily scrutinised areas for Asset Managers and Investment Firms in the UAE. The legal framework has undergone significant modernisation in 2025, introducing new obligations that require urgent attention.
The New AML Law: Federal Decree-Law No. 10 of 2025
Federal Decree-Law No. 10 of 2025, which came into effect on 14 October 2025, repeals and replaces the previous Federal Decree-Law No. 20 of 2018 as the UAE’s primary AML legislation. Cabinet Decision No. 134 of 2025, the accompanying executive regulations, came into force on 14 December 2025. This new framework introduces an expanded compliance model for Financial Institutions, including Asset Managers and Investment Firms, with sector-specific controls for high-risk products, technologies, jurisdictions, and business models.
Notably, the new AML Law now incorporates a framework for Combatting Proliferation Financing (CPF) aligning UAE law with the latest Financial Action Task Force (FATF) standards. All in-scope entities were required to conduct a comprehensive gap assessment to achieve full compliance by December 2025.
Core AML Obligations for Asset Managers and Investment Firms
- AML Policies and Procedures: Firms must maintain documented, board-approved AML/CFT policies and procedures aligned with the new December 2025 executive regulations and the CMA, DFSA, or FSRA AML rulebooks as applicable.
- ML/TF/PF Risk Assessment: A documented enterprise-wide risk assessment covering money laundering, terrorist financing, and proliferation financing risks must be maintained and updated regularly, reflecting the firm’s products, client base, geographies, and delivery channels.
- KYC and CDD Framework: Asset Managers and Investment Firms must apply Customer Due Diligence (CDD) to all clients, with enhanced due diligence for high-risk relationships. Know Your Customer (KYC) processes must verify identity, source of funds, source of wealth, and beneficial ownership.
- PEP and High-Risk Customer Management: Politically Exposed Persons (PEPs) and customers from high-risk jurisdictions must be subject to enhanced due diligence, senior management approval, and ongoing monitoring.
- STR and goAML Reporting: Suspicious Transaction Reports (STRs) must be filed with the UAE Financial Intelligence Unit (FIU) via the goAML platform. Firms must appoint a Money Laundering Reporting Officer (MLRO) with sufficient seniority, independence, and resources.
- Sanctions Screening and Name Screening: All clients, investors, counterparties, and transactions must be screened against UAE local lists, UN Security Council lists, and relevant international sanctions lists. Cabinet Decision No. 74 of 2020 governs the UAE’s domestic terrorist designations and sanctions implementation.
- AML Training: All relevant staff must receive regular AML/CFT training appropriate to their role. The training programme must be documented, tracked, and records retained.
- AML Internal Audit: An independent AML audit function must periodically assess the effectiveness of the AML programme, report findings to senior management, and track remediation actions.
The Placement Stage and Fund Investment Risk
A particular financial crime risk for Asset Managers and Investment Firms is the placement stage of money laundering where illicit funds are first introduced into the financial system through investment subscriptions. Robust subscription-stage KYC, source of funds verification, and transaction monitoring are essential to detect and prevent this risk.
Regulatory Inspection Readiness for Asset Managers and Investment Firms
Regulatory inspections are a reality for all licensed Asset Managers and Investment Firms in the UAE. The CMA, DFSA, and FSRA each conduct periodic supervisory reviews, thematic examinations, and targeted inspections and the consequences of unpreparedness can be severe, ranging from formal findings and remediation requirements to licence suspension or revocation.
What Regulators Test During Inspections
- Governance documentation: Board minutes, committee records, policy registers, and delegated authority frameworks.
- AML/CFT programme: KYC files, STR records, risk assessments, training logs, and screening evidence.
- Risk management: Risk register currency, RCSA outputs, breach escalation records, and risk appetite alignment.
- Compliance function: Compliance monitoring plans, surveillance outputs, breach logs, and reporting lines to the board.
- Internal audit: Audit universe, audit plan, completed reports, management actions, and follow-up evidence.
- Client files: Completeness of onboarding documentation, suitability assessments, investment mandates, and periodic review records.
Building an Inspection-Ready Culture
The difference between firms that pass regulatory inspections with minimal findings and those that receive significant remediation requirements is rarely technical knowledge it is preparation discipline. Regulatory inspection readiness requires ongoing maintenance of evidence packs, regular mock inspections, and a documented regulatory engagement protocol.
Internal Audit and Internal Controls for Investment Firms in UAE
For Asset Managers and Investment Firms, internal audit provides the independent assurance layer that confirms governance, risk management, and compliance are functioning as designed not merely as documented.
Internal Audit Function
UAE regulators expect Asset Managers and Investment Firms to maintain an internal audit function that is independent of the first and second lines of defence, operates to a risk-based audit plan approved by the audit committee, and reports findings directly to the board. For smaller firms, this function may be outsourced to a qualified third-party provider, but the independence requirement remains absolute.
Internal Controls Framework
The internal controls framework for Asset Managers and Investment Firms must embed authority limits, reconciliations, segregation of duties, and oversight mechanisms into daily operations. Key control areas include: investment decision authority, trade execution and settlement, fund valuation, NAV calculation oversight, client reporting accuracy, and regulatory filing completeness.
UAE Personal Data Protection Law (PDPL) Compliance for Asset Managers
Asset Managers and Investment Firms process significant volumes of personal data from investor onboarding documentation to trading history, beneficial ownership records, and communication logs. The UAE Personal Data Protection Law (PDPL), introduced under Federal Decree-Law No. 45 of 2021, imposes obligations on all data controllers and processors operating in the UAE.
PDPL compliance for investment firms requires documented data inventories, lawful basis assessments, data subject rights procedures, breach notification protocols, and data retention schedules aligned with both privacy law and regulatory record-keeping obligations.
Governance and Compliance Framework Design for UAE Investment Firms
Building a governance and compliance framework that satisfies UAE regulators is not a one-time project it is a continuously maintained operational system. For Asset Managers and Investment Firms, this means integrating governance, risk, and compliance into a unified operating model rather than treating them as separate siloed functions.
Compliance Monitoring and Surveillance
A governance and compliance framework for Asset Managers and Investment Firms must include a documented compliance monitoring programme covering: investment suitability, best execution, trade surveillance, regulatory reporting deadlines, and licence condition adherence. Monitoring activities must be risk-ranked, scheduled, documented, and escalated where breaches are identified.
Regulatory Reporting Obligations
Asset Managers and Investment Firms in the UAE face multiple regulatory reporting obligations, including: periodic financial reporting to the CMA/DFSA/FSRA, AML/CFT reports, suspicious transaction reports via goAML, fund performance and NAV reporting, and ad hoc notifications for material events such as senior personnel changes, regulatory breaches, or significant investor complaints.
Conclusion: Building a GRC Framework That Works for Asset Managers and Investment Firms
The UAE regulatory environment for Asset Managers and Investment Firms in 2026 is more demanding, more structured, and more enforcement-oriented than at any point in the country’s financial history. The transition from SCA to CMA, the introduction of the new AML Law, the expansion of the PDPL, and the continued evolution of DFSA and FSRA frameworks collectively raise the compliance bar for every firm operating in this space.
The firms that will thrive are those that invest in governance frameworks that hold weight, risk management systems that reflect genuine exposure, and compliance programmes that function daily not just during inspections. This is precisely the work that GRC Advisors delivers: practical, evidence-based GRC advisory designed for regulated entities operating at the intersection of ambition and accountability.
Whether you are a newly licensed fund manager seeking to build your framework from the ground up, an established investment firm preparing for a regulatory inspection, or a cross-border asset manager navigating overlapping CMA, DFSA, and FSRA obligations, the need for expert GRC guidance has never been more acute or the value of getting it right more significant.
FAQs: GRC for Asset Managers and Investment Firms in UAE
What licences do Asset Managers and Investment Firms need in the UAE?
Asset Managers and Investment Firms in the UAE require a licence from the regulator with jurisdiction over their operating location. Onshore mainland firms need a Capital Market Authority (CMA) licence under Federal Decree-Law No. 33 of 2025. Firms in DIFC require a DFSA licence, and firms in ADGM require an FSRA Financial Services Permission. Each regulator has its own capital requirements, governance standards, and conduct rules.
What AML obligations apply to Asset Managers and Investment Firms in UAE?
Under Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025 (in force from December 2025), Asset Managers and Investment Firms must maintain a comprehensive AML/CFT programme including KYC/CDD procedures, an ML/TF/PF risk assessment, sanctions screening, STR reporting via goAML, an appointed MLRO, regular AML training, and periodic AML internal audits.
What is the difference between DFSA, FSRA, and CMA regulation for investment firms?
The CMA regulates Asset Managers & Investment Firms on the UAE mainland under the new 2026 federal framework. The DFSA regulates firms within the DIFC free zone under English common law principles. The FSRA regulates firms within ADGM, also under English law. Each has distinct licensing categories, capital requirements, conduct rules, and supervisory approaches. Many firms with cross-border activity face obligations from more than one of these regulators.
How does the new UAE AML Law (2025) affect Asset Managers and Investment Firms?
The new AML Law (Federal Decree-Law No. 10 of 2025) introduces expanded obligations including a dedicated Combatting Proliferation Financing (CPF) framework, risk-based supervision aligned with updated FATF standards, and enhanced sector-specific controls for high-risk products and technologies. All Asset Managers and Investment Firms were required to complete a gap assessment of their existing AML frameworks against the new executive regulations by December 2025.
What governance documents do regulators inspect for Asset Managers and Investment Firms in UAE?
During regulatory inspections, examiners typically review board minutes and committee records, the compliance monitoring programme, the AML/CFT risk assessment, KYC client files, the risk register, internal audit reports, delegated authority frameworks, policies and procedures manuals, regulatory breach logs, and training records. Evidence completeness and quality of documentation are key inspection determinants.
Do Asset Managers and Investment Firms in UAE need to comply with the PDPL?
Yes. The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies to all entities processing personal data in the UAE, including Asset Managers and Investment Firms. Obligations include maintaining a data processing register, implementing data subject rights procedures, establishing breach notification protocols, and aligning data retention practices with both PDPL requirements and regulatory record-keeping obligations under the CMA, DFSA, or FSRA.
