In a Nutshell
- Beneficial ownership manipulation is a governance failure before it is a compliance failure: it occurs when the institution’s control architecture does not surface the true owner of assets or transactions under management.
- Regulatory liability for UBO control deficiencies in the UAE lands at the level of senior management and, where oversight accountability is established, at the board level.
- Cabinet Resolution No. 109 of 2023 creates legally binding UBO identification obligations that must be reflected in enterprise-level policy, not left to operational discretion.
- The three-lines-of-defence model must assign clear ownership of UBO controls, with first-line accountability for execution, second-line responsibility for standard-setting and oversight, and third-line audit coverage of the full cycle.
- Federal Decree-Law No. 10 of 2025 places the STR obligation on the regulated entity as an institution, and senior management accountability frameworks determine who answers when it is not met.
When a regulated entity in the UAE fails to identify the natural person who ultimately owns or controls a legal person customer, the problem is not primarily a compliance process failure. It is a governance failure, and the consequences are borne by those at the top of the institution.
Why Beneficial Ownership Manipulation Is an Enterprise Risk, Not Just an Operational One
Beneficial ownership manipulation occurs when a legal entity is used to place distance between illicit funds and the natural person who controls or benefits from them. Shell companies, nominee shareholders, layered holding structures, bearer instruments, and trust vehicles are the most common mechanisms. In the UAE, the combination of an internationally active business environment, significant free zone activity, and cross-border capital flows makes the jurisdiction a high-value target for this form of obfuscation.
At the enterprise level, the risk is not simply that a single transaction will pass through undetected. The risk is that the institution will be found to have maintained a systematic inability to identify beneficial owners, and that finding will be attributed to a failure of governance rather than an isolated operational lapse. The difference between the two is significant in terms of regulatory response, reputational consequence, and personal liability.
The Regulatory Framework That Boards Must Understand
Beneficial Owner Definition and the 25 Per Cent Rule
Cabinet Resolution No. 109 of 2023 defines the beneficial owner in Article 1 as the natural person who ultimately owns or exercises control over a legal person, directly or through a chain of ownership.
Article 5 sets the operative threshold: a natural person who owns 25 per cent or more of the capital, or who holds voting rights of 25 per cent or more, or who has the power to appoint or remove the majority of the board of directors, is the beneficial owner for regulatory purposes.
Article 6 imposes the obligation to maintain accurate and updated records of beneficial owners, and Article 8 requires registration with the relevant authority. Article 7 provides a mechanism by which competent authorities can issue notices to compel data updates where records are found to be deficient.
For boards, the significance of this framework is that these are not aspirational standards. They are legally binding obligations that create measurable compliance states. An institution is either meeting them or it is not, and the adequacy of the governance architecture that supports compliance is what determines which of those two states the institution occupies.
The STR Obligation and Institutional Accountability
Federal Decree-Law No. 10 of 2025, Article 18 imposes the obligation on regulated entities to report to the Financial Intelligence Unit immediately upon forming reasonable grounds for suspicion of a connection to money laundering, terrorist financing, or the financing of illegal organisations. The obligation rests on the institution, and the institution’s senior management is accountable for ensuring it is met.
Federal Decree-Law No. 10 of 2025 is the governing primary legislation, entering into force on 14 October 2025 and repealing Federal Decree-Law No. 20 of 2018 and its subsequent amendments. The 2025 law represents a comprehensive overhaul rather than a simple update: it extends the statutory framework to cover proliferation financing as a distinct category, and brings VASPs within the primary legislative framework. Together with Cabinet Resolution No. 134 of 2025, which replaced Cabinet Resolution No. 10 of 2019 as the executive regulation from 14 December 2025, this forms the current legislative basis for AML/CFT obligations and the source of the institutional liabilities that boards are responsible for managing.
Record Retention as a Governance Obligation
Cabinet Resolution No. 134 of 2025, Article 25 requires regulated entities to retain all transaction records and customer due diligence documentation for a minimum of five years. For beneficial ownership, this means retaining the evidence gathered to identify the UBO, the verification steps applied, any EDD measures taken, and the documented rationale where identification was incomplete or where a reporting decision was made. Retention governance, including who is responsible for it, how it is indexed, and how it survives personnel changes, is a board-level concern.
How Control Failures at the Operational Level Become Board-Level Liability
The path from an operational UBO control failure to a board-level liability finding typically follows a predictable pattern. A regulated entity onboards a legal person customer. The front-line relationship manager completes the available documentation but does not probe the ownership structure adequately. The second-line compliance function either does not review the file in sufficient depth or lacks the tools to identify the ownership anomaly. No EDD is triggered. No escalation occurs. The relationship continues.
At some later point, the customer or a related entity is identified by a supervisory authority or law enforcement as connected to money laundering or sanctions evasion. The supervisor conducts a review and finds that the institution maintained no adequate UBO identification for the customer throughout the relationship. The finding is not limited to the front-line relationship manager or the compliance officer who reviewed the file. It extends to the adequacy of the policy that governed their behaviour, the oversight that should have caught the deficiency, and the governance framework that was responsible for ensuring both were fit for purpose.
Three Lines of Defence: Assigning Beneficial Ownership Accountability
First Line: Business and Relationship Management
The first line of defence owns the primary obligation to collect, verify, and maintain UBO information for each customer that is a legal person. This includes the onboarding review, the ongoing monitoring of ownership changes, and the escalation of any indicators that suggest the declared ownership structure is inaccurate or incomplete.
Good practice in this area involves ensuring that first-line staff have explicit, written guidance on when a UBO verification is required, what evidence is acceptable, and what steps to take when a customer resists or is unable to provide adequate information. The quality of first-line UBO controls directly determines the institution’s exposure, since deficiencies at this level are not reliably caught at later stages.
Second Line: Compliance and Risk
The compliance function is responsible for setting the UBO identification standard, maintaining the policy and procedure framework that governs it, and providing oversight of first-line execution. The risk function contributes by ensuring that UBO risk is appropriately reflected in the enterprise risk assessment and that the customer risk rating methodology captures ownership opacity as a risk indicator.
A sound approach for the second line involves conducting periodic thematic reviews of UBO files, particularly for legal person customers rated as medium or high risk. Pattern detection, where the same UBO is connected to multiple customers or the same nominal structure appears across unrelated relationships, supports the monitoring obligation and is consistent with the requirements.
Third Line: Internal Audit
Internal audit is required to cover UBO controls as part of its AML/CFT audit cycle. Audit coverage should assess not only whether documentation is present but whether the identification process was substantive: whether the declared UBO was verified against independent sources, whether the ownership structure was tested against the 25 per cent threshold in Cabinet Resolution No. 109 of 2023, and whether any anomalies in the onboarding or monitoring process were escalated appropriately.
Audit findings on UBO controls should be reported to the board or the board-level audit committee with sufficient specificity to enable a meaningful governance response. Findings framed purely in terms of documentation rates without reference to the risk significance of the gaps identified are not adequate for board-level governance purposes.
Board-Level Reporting on Beneficial Ownership Risk
Senior management and boards of regulated UAE entities require visibility of beneficial ownership risk as a distinct line item in AML/CFT governance reporting. Good governance practice in this area involves regular management information that covers the volume and profile of legal person customers, the completion rate and quality of UBO verification across the portfolio, the number and nature of EDD cases triggered by ownership opacity, escalations and STR filings connected to beneficial ownership concerns, and audit findings and their remediation status.
The format and frequency of board reporting on this topic are not prescribed by a specific regulatory article, but the obligation remains for senior management to maintain oversight of the AML/CFT framework, and for the board to receive adequate assurance of its effectiveness.
Typologies with Enterprise Risk Implications
Cross-Border Ownership Chains and Correspondent Relationships
Regulated entities that maintain correspondent or counterpart relationships with foreign financial institutions face beneficial ownership risk at two levels: the direct customer and the counterpart institution’s own customers whose transactions flow through the correspondent arrangement. An institution that cannot demonstrate it has assessed the adequacy of its counterpart’s UBO controls faces a governance gap that extends well beyond its own onboarding procedures.
Real Estate Investment Structures
UAE real estate investment vehicles, including special-purpose vehicles and investment funds structured for specific properties, regularly present layered beneficial ownership profiles. Where an institution finances or services such vehicles, the ability to identify the UBO is not a courtesy: it is a regulatory obligation under Cabinet Resolution No. 109 of 2023. Governance frameworks that treat property vehicles as low-complexity customers based on asset value alone, without probing the ownership layer, create systematic exposure.
Virtual Asset Custody and Institutional Portfolios
Institutions that provide custody, exchange, or settlement services for virtual asset portfolios held by legal persons face a version of the beneficial ownership problem that is technically more demanding than in traditional finance. Pseudonymous wallet addresses and decentralised structures can obscure the natural person controller in ways that standard document review does not resolve. Governance frameworks must address this explicitly, including the escalation path when wallet-level analysis raises concerns that standard CDD cannot resolve.
Sanctions Intersection and Designated Person Risk
Beneficial ownership manipulation is a primary mechanism for sanctions evasion. An individual or entity subject to a UAE, UN, or other applicable sanctions designation may use a nominee-owned shell company to access the financial system. At GRC Advisors, we help businesses understand that the regulatory consequence of servicing a sanctioned person through an inadequately verified corporate vehicle is severe, regardless of whether the institution was aware. Ignorance arising from inadequate UBO controls is not a mitigating factor under applicable sanctions frameworks, making robust beneficial ownership verification essential.
FAQs on Beneficial Ownership Manipulation
Who in the organisation is personally liable if a UBO control failure leads to a regulatory finding?
Personal liability under UAE AML law attaches to the institution and, where the regulatory framework establishes individual accountability, to the designated compliance officer and senior management. The extent of personal liability depends on the applicable supervisory regime. Board members who are found to have failed in their oversight duties may also face consequences under corporate governance frameworks. The key factor is whether the individual concerned had responsibility for the control that failed and whether they exercised that responsibility adequately.
How should the board respond when internal audit finds systemic UBO documentation gaps?
A systemic finding requires a structured remediation response, not simply a commitment to improve documentation rates. The board should require management to identify the root cause, whether that is a policy gap, a training deficiency, a tooling limitation, or a risk culture issue, and to produce a time-bound remediation plan. Progress against that plan should be reported to the board at defined intervals until closure is confirmed.
At what threshold does a complex ownership structure require EDD rather than standard CDD?
There is no single regulatory threshold that automatically triggers EDD for complexity. The obligation to apply EDD arises when the risk assessment indicates that enhanced measures are warranted, given the customer’s profile, the ownership structure, the jurisdiction of incorporation, or the nature of the transactions. A complex multi-jurisdictional structure involving jurisdictions on the FATF grey list or blacklist would ordinarily require EDD as a matter of sound practice, even in the absence of other red flags.
Does the five-year retention requirement apply to UBO records as well as transaction records?
Yes. Cabinet Resolution No. 134 of 2025, Article 25 applies to all records relevant to the customer due diligence process, which includes UBO identification documentation, verification evidence, EDD measures, and the rationale for any decisions made in connection with the ownership assessment. The five-year period runs from the end of the business relationship or the date of the transaction, whichever is later.
What is the governance implication if a UAE entity operates across multiple free zones with different supervisory bodies?
Each operating entity within a regulated free zone is subject to the supervisory authority of that zone, and each must meet the applicable AML/CFT requirements independently. At the group level, governance frameworks should ensure consistent UBO identification standards are applied across all entities, with group-level oversight capable of identifying weaknesses in any part of the structure. Regulatory arbitrage, whether deliberate or inadvertent, carries significant reputational and enforcement risk.