Business Bank Accounts

In a Nutshell

  • AML accountability for business bank accounts sits at the board level under Federal Decree-Law No. 10 of 2025; regulatory liability attaches to responsible persons, not only to the institution.
  • The three lines of defence must be explicitly mapped to business account risk; ambiguity in ownership of KYC remediation and UBO verification creates audit exposure.
  • Penalty exposure under the 2025 framework includes fines and imprisonment, with no statute of limitations for ML offences.
  • Board reporting on business account AML performance should cover rejection rates, EDD triggers, STR volumes, and monitoring system effectiveness as minimum governance indicators.
  • Proliferation financing is now a standalone criminal offence; entities with international trade clients holding business accounts must integrate PF risk into their governance frameworks.

The compliance question is straightforward: who in your organisation is accountable when a business bank account relationship facilitates money laundering and the regulator comes looking? Under Federal Decree-Law No. 10 of 2025, the answer is explicit and personal. This article addresses how boards and senior leadership should own business account AML risk and what governance structures are required to demonstrate that ownership is real, not ceremonial.

Why Business Bank Accounts Are a Board-Level Governance Issue

Business bank accounts are the primary channel through which regulated entities interact with corporate customers. The volume of those interactions, and the aggregate financial flows they process, mean that AML failures at the business account level represent a systemic governance risk, not merely an operational one.

Federal Decree-Law No. 10 of 2025 imposes liability on responsible persons within institutions, not only on institutions as legal entities. Article 17 of the Decree-Law empowers supervisory authorities to impose administrative penalties that include the restriction of the powers of board members, executives, supervisors, managers, or owners proven responsible for a violation. Personal accountability means that the governance architecture for business account AML must be defensible on its own merits, not merely documented in a policy that no one has tested.

Who Owns AML Policy for Business Accounts: Three Lines of Defence

The governance framework for business account AML risk distributes accountability across three distinct lines, each with specific responsibilities that must be formally assigned and audited.

Line | Function | Business Account AML Responsibility
First Line | Business / Relationship Management | Executing KYC, UBO verification, EDD referrals, and ongoing monitoring alerts for the accounts they manage
Second Line | Compliance and Risk | Setting AML policy, reviewing high-risk account decisions, overseeing STR quality, and reporting to the board on programme effectiveness
Third Line | Internal Audit | Independent testing of first- and second-line effectiveness, including sampling of UBO files, monitoring rule calibration, and STR narrative quality


The board itself is responsible for approving the enterprise-wide risk assessment required under Article 5 of Cabinet Resolution No. 134 of 2025, which must incorporate channel-level risk from business account activity. That assessment cannot be delegated to the compliance team and left unsigned by the board.

What Boards Need to See in Management Reporting 

Effective AML governance for business bank accounts requires management information that reaches the board in a form that enables meaningful oversight. The following metrics represent a minimum governance dashboard: 

Metric | Why It Matters at the Board Level
Business account rejection rate at onboarding | Measures whether CDD standards are being applied, not bypassed for revenue reasons
EDD completion rate and timeliness | Identifies whether high-risk accounts are receiving the deeper scrutiny required by law
STR volume by account type and sector | Provides early warning of emerging risk concentrations in the portfolio
Monitoring alert closure rate and average age | Indicates whether alert volumes are being processed within supervisory expectations
UBO verification completion for corporate accounts | Directly correlated with regulatory examination findings in this area
Staff training completion rates | Reflects the organisation’s investment in maintaining first-line competence

Where Regulatory Liability Falls When Business Account Controls Are Inadequate

The 2025 framework introduces several structural changes that increase the personal exposure of board members and senior managers when business account AML controls are found to be deficient.

First, the removal of any statute of limitations for money laundering, terrorism financing, and proliferation financing offences under Article 37 of Federal Decree-Law No. 10 of 2025 means that historical failures in business account governance remain perpetually actionable. Decisions made several years ago about the design of KYC processes or the calibration of monitoring systems can be revisited in the context of an investigation that surfaces today.

Second, proliferation financing is now a standalone criminal offence under the 2025 framework. Entities whose business account portfolios include clients in international trade, dual-use goods, or technology sectors are required to integrate PF risk into their enterprise-wide risk assessments. A board that approved a risk assessment in 2024 that did not address proliferation financing will need to demonstrate that the framework has been updated.

Third, the UAE Financial Intelligence Unit has enhanced powers under Federal Decree-Law No. 10 of 2025 to freeze suspected funds for up to 30 days, extended from the prior seven-day period, with possible further extension by the Public Prosecutor.

Integrating Business Account AML into the Broader GRC Framework

AML compliance for business bank accounts does not operate in isolation from the broader governance, risk, and compliance framework. The risk taxonomy applied to business accounts should reflect the enterprise-wide risk assessment, so that a high-risk account rating in the AML framework is consistent with the credit risk and operational risk ratings applied by other functions.

The appointment of a Money Laundering Reporting Officer (MLRO) with direct board access and sufficient authority to act independently is a structural requirement of the UAE framework, not a cosmetic compliance role. The MLRO’s periodic reports on business account AML performance should be presented directly to the board, not filtered through executive management, to preserve the independence that the regulatory framework requires.

Entities that have experienced supervisory examination findings related to business account KYC or monitoring quality should treat those findings as board-level remediation priorities. A pattern of examination findings in the same area across successive supervisory cycles indicates that governance ownership has not been translated into operational change, which carries escalating regulatory consequences.

GRC Advisors: Integrating AML into Your Governance Framework

GRC Advisors works with boards, CFOs, and heads of risk to build AML governance frameworks that are integrated into the broader enterprise risk management structure rather than operating as a parallel compliance silo. Our advisory services cover enterprise-wide risk assessment design, MLRO function structuring, board reporting frameworks, and remediation support following supervisory examination findings. Contact GRC Advisors to discuss how AML accountability for your business bank account portfolio can be structured to withstand regulatory scrutiny.

Frequently Asked Questions

Can the board delegate AML accountability for business accounts entirely to the compliance function?

No. The board is responsible for approving the enterprise-wide risk assessment and overseeing the AML programme’s effectiveness. Delegation to the compliance function means that day-to-day execution is delegated, but accountability for the governance framework remains with the board. Article 17 of Federal Decree-Law No. 10 of 2025 explicitly provides for the restriction of board member powers where they are found responsible for a violation.

Article 5 requires regulated entities to conduct an enterprise-wide risk assessment that addresses, among other things, the channel risks inherent in their business model. For entities with significant business bank account portfolios, this means the assessment must address cash-intensive business sector exposure, UBO complexity risk, and geographic concentration risk. The board must approve the completed assessment and review it whenever material changes occur.

Late STR filing is a breach of the obligation under Article 18 of Cabinet Resolution No. 134 of 2025 regardless of where in the three-line structure the delay originated. The institution bears the primary liability, and the second line is responsible for demonstrating whether its escalation procedures and monitoring capabilities were adequate. Board-level assessment of late-filing patterns is essential to determining whether the failure reflects an isolated operational issue or a systemic governance gap.
