In a Nutshell
- Bribery risk is not solely an operational compliance matter: inadequate governance around bribery controls exposes boards, CFOs, and senior management to direct regulatory and criminal liability under Federal Decree-Law No. 10 of 2025.
- The three-lines-of-defence model places anti-bribery policy ownership with first-line business functions, with independent oversight from compliance (second line) and audit (third line); failure at any line can be traced back to governance accountability.
- Foreign PEPs require mandatory Enhanced Due Diligence, senior management approval, and enhanced monitoring under Cabinet Resolution No. 134 of 2025; these are board-reportable controls, not just operational procedures.
- An anti-bribery and corruption framework that is not explicitly integrated into the enterprise risk management structure represents a material governance gap under current regulatory expectations.
When a regulated entity in the UAE is found to have facilitated the laundering of bribery proceeds, the regulatory and criminal liability does not stop at the compliance function. Under Federal Decree-Law No. 10 of 2025, accountability reaches into senior management and, in the most serious cases, the board itself.
This article addresses bribery risk from the perspective of those who own governance: the CEO, CFO, Head of Risk, and board members who set the tone, approve the frameworks, and bear ultimate responsibility for the adequacy of controls.
Bribery as an Institutional Risk: The Governance Framing
Bribery is a predicate offence as defined under the FATF recommendations. Under Article 2 of Federal Decree-Law No. 10 of 2025, the proceeds of any predicate offence, such as profit derived from bribery, that are subsequently concealed, converted, transferred, acquired, possessed, or used give rise to a money laundering offence. Corporate entities found to have inadequate controls face fines, and senior management individuals face imprisonment for principal ML offences.
What makes bribery risk distinct from many other governance challenges is its intersection with politically exposed persons, cross-border transactions, and complex ownership structures. These are exactly the features that stress-test governance frameworks and expose the gaps between policy on paper and practice in the organisation.
Why Bribery Risk Belongs on the Board Agenda
The UAE’s post-grey list supervisory environment is materially more assertive than it was before the FATF mutual evaluation process. Supervisors, including the Ministry of Economy and Tourism, the Central Bank of the UAE, and the financial free zone regulators, have moved from a guidance-and-reminder posture to one of active inspection and enforcement. In this environment, boards that cannot demonstrate active oversight of AML/CFT controls, including anti-bribery provisions, are exposed.
The Three-Lines-of-Defence Model Applied to Bribery Risk
The three-lines-of-defence model provides the structural framework for distributing accountability across an organisation. Applying it to bribery risk requires boards and senior management to be specific about where ownership sits at each line and what failure at each line looks like.
First Line: Business Functions and Process Owners
The first line carries bribery risk because it is the source of the transactions and relationships that generate it. Business development teams, relationship managers, procurement functions, and the individuals who onboard clients and approve transactions are the points at which bribery exposure is created or controlled.
First-line accountability for bribery risk requires that these functions understand what bribery looks like in their own context: which client types, transaction structures, and jurisdictions carry elevated risk; how to escalate a concern without fear of commercial consequence; and what the CDD requirements are for their specific activities. A sound approach is to embed bribery-specific training and red-flag guidance into first-line induction and annual refresher programmes, rather than treating it as a generic AML topic delegated entirely to the compliance function.
Second Line: Compliance and Risk Functions
The second line owns the policy framework, the monitoring programme, and the MLRO function. In the context of bribery risk, this means that the compliance function is responsible for designing the anti-bribery and corruption (ABC) policy, calibrating transaction monitoring for bribery-related patterns, managing the STR filing process, and providing the board and senior management with visibility over bribery-related risk indicators.
For senior management, the MLRO role must be appropriately resourced, empowered to escalate without commercial interference, and supported by adequate technology and documentation frameworks. An under-resourced MLRO function is not just an operational problem; it is a governance failure that creates personal liability for those who approved the resourcing decision.
Third Line: Internal Audit
Internal audit provides independent assurance that the first and second lines are functioning as intended. In a bribery risk context, a competent third-line review will assess whether the EWRA treats bribery as a standalone risk category, whether EDD is being applied correctly to PEPs and high-risk relationships, whether the STR filing process is functioning and documented, and whether board-level reporting on bribery risk is accurate and complete.
Where internal audit identifies gaps in anti-bribery controls, the findings should be reported directly to the board’s audit or risk committee, not filtered through management. The independence of this reporting line is the mechanism by which the board obtains genuine visibility rather than a curated picture.
Policy Ownership and the Anti-Bribery Framework
An effective anti-bribery framework is not a single document. It is a connected set of policies, procedures, controls, and accountability assignments that together create the institutional conditions under which bribery risk is identified and managed. Boards are expected to approve the framework and to review it at defined intervals.
Core Policy Components
The anti-bribery and corruption policy should define what bribery and corruption mean in the context of the organisation’s activities, specify the sectors and transaction types that carry elevated risk, set out the specific controls applied, assign responsibility for policy compliance, and provide the escalation and reporting pathway for suspected breaches.
Under Cabinet Resolution No. 134 of 2025, regulated entities are required to maintain AML/CFT/CPF policies and procedures that address all relevant predicate offences, including bribery. Good practice is for anti-bribery provisions to appear as an explicit, demarcated section of the AML/CFT policy rather than as a generic reference to predicate offences. Supervisory expectations from the Ministry of Economy and Tourism are moving in this direction.
Gifts, Hospitality, and the Risk Threshold
One area where policy ownership is frequently unclear is the management of gifts and hospitality. The distinction between legitimate hospitality and a bribe in the context of business development is a policy question that requires board-level guidance, not just operational discretion. A sound approach is to maintain a gifts and hospitality register with a defined value threshold above which senior management approval is required, and to ensure that the threshold and approval process are reviewed annually.
Whistle-Blower Mechanisms and No-Disclosure Obligations
Protected internal reporting is a governance requirement, not just a cultural preference. Staff who observe potential bribery within the organisation or its client relationships must have a clear, accessible, and genuinely protected route to escalate the matter without fear of retaliation. The design and effectiveness of that route is a governance question that belongs to the board.
The confidentiality and no-disclosure obligations under Article 24 of Federal Decree-Law No. 10 of 2025 and Article 19 of Cabinet Resolution No. 134 of 2025 apply after an STR is filed. The board should be aware that these obligations exist and that any failure to comply, whether intentional or grossly negligent, attracts criminal penalties under Article 29. Governance structures that allow customer-facing staff to discuss regulatory reporting with clients are structurally inadequate.
Regulatory Liability at the Senior Management Level
The 2025 Law creates explicit individual liability for senior management. The following table summarises the principal consequences of a governance failure that results in bribery-related money laundering going undetected or unreported.
| Liability Category | Legal Basis | Who Bears It | Consequence |
|---|---|---|---|
| Failure to file STR | Federal Decree-Law No. 10 of 2025 | MLRO and, where deliberate, senior management | Criminal liability and imprisonment |
| Corporate AML fine | Federal Decree-Law No. 10 of 2025 | The regulated entity | Up to AED 100 million |
| Administrative penalty per violation | Cabinet Resolution No. 16 of 2021 | The regulated entity | AED 50,000 to AED 1,000,000 |
| Tipping off | Article 29, Federal Decree-Law No. 10 of 2025 | Individual who disclosed; senior management if systemic | Criminal penalty; both intentional and grossly negligent disclosures |
The Autonomous ML Offence
A feature of the 2025 Law with significant governance implications is the autonomy of the money laundering offence. A conviction for the underlying bribery is no longer required to prosecute money laundering of bribery proceeds. This means that a regulated entity does not need to have been involved in the bribery itself to face ML liability: it is sufficient that it handled the proceeds and the controls were inadequate to detect the risk.
For boards, this shifts the governance question from ‘are we involved in bribery?’ to ‘are our controls adequate to identify when bribery proceeds are flowing through our business?’ These are materially different questions, and the second is harder to answer confidently without a robust EWRA, calibrated monitoring, and an active third-line review programme.
PEP Risk, Senior Management Approval, and Board-Level Reporting
Politically exposed persons are the single most consistent feature of bribery typologies. Their positions of authority make them both the typical recipients of bribes and the individuals through whom corrupt proceeds enter the financial system. Under Cabinet Resolution No. 134 of 2025, foreign PEPs require mandatory EDD, source of funds and source of wealth verification, senior management approval for the relationship, and enhanced ongoing monitoring.
Domestic PEPs and persons entrusted with a prominent function in an international organisation require these enhanced measures where a high-risk business relationship exists.
The Senior Management Approval Requirement
The requirement for senior management approval of foreign PEP relationships under Cabinet Resolution No. 134 of 2025 is a direct governance obligation, not a discretionary process. It places a named individual in the approval chain for every such relationship. Where that approval is granted without adequate documentation of the EDD completed, the source of funds assessed, and the risk rationale recorded, the approver is personally exposed if the relationship later generates a suspicious activity finding.
A sound approach for organisations managing significant PEP exposure is to maintain a senior management approval register for all foreign PEP relationships, with records of the EDD completed, the source of wealth verified, and the monitoring applied. This register should be reportable to the board on a defined periodic basis.
Board-Level Reporting on Bribery Risk
Boards require accurate, concise reporting on bribery risk to exercise meaningful governance oversight. Good practice in this area involves establishing a standardised bribery risk report that is presented to the board or risk committee at least quarterly, covering the number and nature of bribery-related escalations, STR filing activity, EDD reviews completed for PEP relationships, transaction monitoring alerts and disposals, and findings from the most recent AML/CFT health check or internal audit review.
The specific format of this reporting is not prescribed by any single regulatory article, but the obligation to maintain effective oversight is implicit in the governance and controls requirements of Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025. Boards that cannot demonstrate they received and acted on bribery risk reporting are in a weaker position in any regulatory investigation.
Integrating Anti-Bribery into the Enterprise Risk Framework
Anti-bribery risk management is most effective when it is integrated into the broader enterprise risk management (ERM) framework rather than managed as a standalone compliance programme. This integration requires three things.
First: A Risk Taxonomy That Names Bribery Explicitly
The EWRA must treat bribery and corruption as a standalone risk category, not as a generic footnote under predicate offences. The NRA and relevant sectoral risk assessments should be explicitly referenced as the baseline risk inputs. The risk rating assigned to bribery exposure should drive the intensity of controls, the frequency of monitoring, and the escalation thresholds applied.
Second: Control Adequacy Assessment Against the Bribery Risk Profile
The control framework must be assessed for adequacy against the specific bribery risk profile of the organisation. A real estate-focused entity faces different bribery exposure from a corporate services provider or a VASP. Controls that are adequate for one profile may be materially insufficient for another. The board should receive a periodic assessment of control adequacy, not just a status report on whether controls are in place.
Third: Escalation Paths That Reach the Board
Material bribery risk events, including high-value PEP onboardings, significant STR filings, and findings from AML/CFT inspections, should have an escalation path that reaches board level. The compliance function should not be the final owner of bribery risk information that is material to the institution’s regulatory standing. A governance structure that allows material AML findings to be managed below board level is not consistent with the supervisory expectations of MoET, the CBUAE, or the financial free zone regulators.
Governance Advisory and Enterprise Risk Integration
Bribery risk that is not explicitly embedded in the enterprise risk framework is a governance gap. Boards and senior management who have not reviewed their AML/CFT programme through a governance lens are carrying a risk that is larger than it needs to be.
GRC Advisors works with boards, CFOs, and heads of risk to align anti-bribery controls with enterprise governance frameworks and regulatory expectations. Our advisory services cover governance framework design and board-level AML accountability structures, EWRA development with bribery as a standalone risk category, three-lines-of-defence mapping for AML/CFT programmes, senior management approval register design for PEP relationships, board reporting framework development for bribery and AML risk, and AML/CFT health checks conducted at the governance and operational level against Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025. Contact GRC Advisors to discuss how anti-bribery governance can be integrated into your enterprise risk management structure.
FAQs on Bribery
Where does personal liability for AML governance failures sit in a UAE corporate structure?
Under Federal Decree-Law No. 10 of 2025, personal liability for principal money laundering offences can attach to both the MLRO and to individuals in senior management where the failure is deliberate or grossly negligent. The legislation does not limit liability to the compliance function. Board members who approved inadequate frameworks, or who received warning signs and failed to act, are within the scope of that liability.
Is the board required to approve the AML/CFT policy, or is this a management decision?
The governance expectation is that the AML/CFT policy, including its anti-bribery provisions, is approved at the board level, not solely by management. Cabinet Resolution No. 134 of 2025 requires regulated entities to maintain AML/CFT/CPF policies and procedures, and the adequacy of those policies is subject to supervisory review. Supervisors will examine both the content of the policy and the governance process by which it was adopted and reviewed.
How should boards approach the senior management approval requirement for foreign PEPs?
The requirement under Cabinet Resolution No. 134 of 2025 for senior management approval of foreign PEP relationships is a control obligation, not a formality. Good practice is to maintain a documented approval register that records the EDD completed, the risk rationale, and the monitoring plan for each approved PEP relationship. This register should be subject to periodic board review and third-line audit.