What is a Politically Exposed Person (PEP)?
Under the CBUAE AML/CFT Rulebook and Federal Decree Law No. 10 of 2025, a PEP is defined as a natural person who is or has been entrusted with prominent public functions in the UAE or any foreign country. This includes heads of state or government, senior politicians, senior government officials, judicial or military officials, senior executive managers of state-owned corporations, and senior officials of political parties. Individuals entrusted with the management of international organisations or any prominent function within such organisations are also classified as PEPs under the 2025 regulations.
UAE law distinguishes three categories: foreign PEPs (individuals holding prominent public functions in another country), domestic PEPs (those holding such functions within the UAE), and heads of international organisations. Each category carries different due diligence thresholds under Federal Decree Law No. 10 of 2025.
Family members and close associates of PEPs are also subject to enhanced scrutiny. The obligation does not end when a person leaves public office — residual risk from their period in office requires continued assessment.
PEPs and high-risk customers — understanding the distinction
All PEPs are high-risk customers. Not all high-risk customers are PEPs. The distinction matters because the obligations differ.
A PEP triggers specific statutory requirements: mandatory senior management approval, enhanced source of wealth verification, and documented ongoing monitoring. These are not optional enhancements — they are prescribed by Federal Decree Law No. 10 of 2025.
A high-risk customer who is not a PEP may trigger enhanced measures for other reasons: connection to a FATF-listed jurisdiction, complex or opaque ownership structures, adverse media exposure, or transaction behaviour that does not align with declared business purpose. The enhanced measures are risk-based rather than automatically prescribed.
In practice, a firm’s high-risk customer population often includes PEPs, HIO-connected individuals, sanctioned-adjacent parties, and jurisdictionally exposed clients. Each sub-category requires its own documented rationale for classification and its own review cadence.
Supervisory Expectations Across UAE Jurisdictions
The legal requirements for PEP and High-Risk Customer Management are set out under the UAE AML Law, Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025. These obligations form an integral part of AML compliance and apply to all Financial Institutions and Designated Non-Financial Businesses and Professions operating in the UAE. Firms must demonstrate that their PEP and High-Risk Customer Management framework is active, documented and proportionate to risk.
In relation to Politically Exposed Persons, the law requires firms to:
- Implement appropriate risk management systems to determine whether a customer or beneficial owner is a PEP
- Obtain senior management approval before establishing or continuing a business relationship
- Take reasonable measures to establish source of wealth and source of funds
- Conduct enhanced ongoing monitoring of the relationship
These obligations apply to foreign PEPs. Domestic PEPs and individuals entrusted with prominent functions in international organisations must also be assessed and subject to risk-based measures.
Cabinet Resolution No. 134 of 2025 further requires that enhanced measures be applied where higher-risk factors are identified, including:
- Customers from high-risk jurisdictions
- Complex ownership structures
- Unusual transaction patterns
- Circumstances that increase exposure to financial crime
Where It Fails in Practice
In practice, weaknesses in PEP and High-Risk Customer Management rarely arise from policy gaps. They arise from operational inconsistency.
PEP Identification Without True Risk Assessment
Firms screen names against a database but fail to assess the nature of the public function, geographic exposure or corruption risk. A PEP is marked as “identified” yet not meaningfully evaluated.
Senior Management Approval as a Form Signature
The law requires approval prior to onboarding. In practice, approvals are sometimes mechanical, without documented rationale. During inspection, regulators ask why approval was granted. Silence is not a strategy.
Weak Source of Wealth Verification
Declarations are accepted at face value. Supporting documentation is limited. For high-risk jurisdictions, the evidentiary threshold should be higher. It often is not.
Static Risk Ratings
A client classified as high-risk at onboarding remains untouched for years. There is no structured review cadence. No trigger-based reassessment. No documentation of periodic reconsideration.
Disconnected Monitoring Systems
Transaction monitoring operates separately from PEP classification. Changes in behaviour do not trigger enhanced review. For VASPs, blockchain analytics may screen wallets, yet beneficial ownership risk remains unchallenged.
Inconsistent Documentation
Decisions are made but not recorded. Escalations occur verbally. Review outcomes are not logged. Under VARA, CMA, ADGM FSRA or DIFC DFSA inspection, undocumented governance is treated as absent governance.
Across sectors, including VASPs, asset managers, securities brokers, insurers, payment firms, real estate entities, accountants, lawyers and TCSPs, the pattern is similar. The framework exists. The discipline does not.
Our PEP and High-Risk Customer Management Process
Our approach to PEP and high-risk customer management through GRC services is designed to align fully with the UAE AML Law, Federal Decree Law No. 10 of 2025, Cabinet Resolution No. 134 of 2025 and supervisory expectations across VARA, CMA, ADGM FSRA, DIFC DFSA and the Central Bank of the UAE. Each stage of our PEP and High-Risk Customer Management process addresses a specific regulatory expectation.
Step 1: Risk Framework Calibration
Every effective high-risk customer management programme begins with the risk methodology itself.
We review your enterprise-wide risk assessment and customer risk scoring model, which includes:
- Clear classification of foreign, domestic and international organisation PEPs
- Defined criteria for high-risk jurisdiction exposure
- Documented Enhanced Due Diligence triggers
- Risk-weighted scoring logic that is internally consistent
We test whether your framework can justify its own conclusions. If a regulator asks why a PEP was rated medium rather than high, your methodology must answer before you do.
Step 2: PEP Identification and Screening
We assess your screening environment to ensure it includes:
- Reliable PEP and sanctions databases
- Ongoing automated rescreening
- Adverse media monitoring
- Beneficial ownership linkage screening
We evaluate false positive management and escalation procedures to confirm that alerts are investigated, not dismissed.
Step 3: Senior Management Approval Governance
UAE law requires senior management approval before establishing or continuing a relationship with a PEP. In practice, this is often reduced to a signature.
We formalise governance so that approval becomes a recorded decision.
We implement:
- Structured approval memoranda summarising risk factors
- Clear documentation of the source of wealth review
- Defined authority thresholds
- Escalation matrices for complex cases
Each approval records the reasoning.
Step 4: Source of Wealth and Source of Funds Verification
For elevated-risk relationships, declarations are insufficient.
We define evidentiary standards proportionate to jurisdictional and customer risk. This includes:
- Independent documentation requirements
- Jurisdiction-specific verification expectations
- Ongoing reassessment triggers
- Structured documentation checklists
We ensure that source of wealth analysis is analytical, not administrative.
Step 5: Enhanced Monitoring and Review Governance
Enhanced Due Diligence must continue throughout the relationship. It does not end at onboarding.
We implement:
- Defined enhanced review frequency based on risk tier
- Mandatory periodic PEP status reassessment
- Trigger-based reviews for changes in jurisdiction, ownership or transaction behaviour
- Alignment between customer risk rating and transaction monitoring scenarios
- Documented review outcomes and risk reclassification decisions
Step 6: Inspection Readiness and Regulatory Defence
GRC Advisors strengthen your framework by:
- Testing high-risk customer files for completeness
- Verifying documented senior management approval rationale
- Reviewing adherence to enhanced review cadence
- Validating source of wealth evidentiary standards
- Assessing escalation logs and adverse media handling
- Preparing management reporting on aggregate PEP exposure
Who is required to manage PEPs and high-risk customers in the UAE?
Any entity subject to UAE AML obligations must implement PEP identification, enhanced due diligence, and ongoing monitoring. The obligation is not conditional on size, transaction volume, or the likelihood of encountering a PEP. It is conditional on the licence and the legal category of the business.
Financial institutions — banks, finance companies, exchange houses, insurance firms, and payment service providers licensed by the Central Bank of the UAE are subject to the full scope of Federal Decree Law No. 10 of 2025 and CBUAE AML standards.
Virtual asset service providers (VASPs) — entities regulated under the Virtual Assets Regulatory Authority (VARA) must apply PEP screening and EDD within their customer onboarding and ongoing monitoring frameworks. Beneficial ownership linkage screening is particularly important where wallet addresses connect to PEP-associated entities.
Securities and capital markets firms — entities licensed by the Securities and Commodities Authority (CMA) and firms operating within ADGM under FSRA regulation or DIFC under DFSA regulation are subject to equivalent PEP requirements under their respective rulebooks.
Designated Non-Financial Businesses and Professions (DNFBPs) — real estate brokers and developers, auditors and accountants, legal practitioners, company formation agents, and dealers in precious metals and stones are required to implement risk-based PEP and high-risk customer controls proportionate to their business model and customer base.
The obligation applies across free zones, onshore entities, and licensed professional firms. Regulatory inspection by the CBUAE, VARA, ADGM FSRA, DIFC DFSA, or relevant supervisory authority may include a direct review of PEP files, senior management approval records, and enhanced monitoring documentation.
What Our PEP and High-Risk Customer Management Services Deliver to Your Business
A well-designed PEP and High-Risk Customer Management framework does more than discharge a statutory obligation. It imposes order where risk might otherwise sprawl unchecked. It refines internal discipline, sharpens oversight and equips the firm to engage elevated-risk relationships with composure rather than apprehension, with the support of GRC Advisors.
The value is both immediate and long-term, reflected not only in regulatory compliance but in strengthened credibility.
When your PEP and high-risk files contain reasoned approvals, calibrated risk scoring and documented review logic, supervisory meetings move faster. Regulators spend less time probing and more time concluding.
Instead of guessing how many politically exposed or jurisdictionally sensitive clients sit within your portfolio, management receives structured visibility. Concentration risk becomes measurable.
Many firms hesitate when onboarding influential clients. A calibrated framework allows you to accept legitimate high-risk relationships confidently, without compromising UAE AML Compliance standards.
Static risk ratings and undocumented escalations create headlines. Dynamic reassessment and recorded rationale prevent them.
FAQs: PEP and High-Risk Customer Management in UAE
How can GRC Advisors support PEP screening and high-risk customer management in the UAE?
GRC Advisors provides end-to-end support, including PEP identification, enhanced due diligence (EDD), risk scoring, and ongoing monitoring. Our approach ensures your framework aligns with UAE AML regulations and is fully prepared for regulatory inspections.
What does your PEP screening process include?
Our PEP screening process includes identifying politically exposed persons, their associates, and beneficial owners using reliable global databases. We also assess risk exposure, validate customer profiles, and integrate screening into your onboarding and monitoring systems.
What are the key benefits of outsourcing PEP and high-risk customer management?
Outsourcing to GRC Advisors provides access to specialized expertise, structured frameworks, and regulatory insights, helping you reduce compliance risk, improve operational efficiency, and strengthen governance.
Who needs PEP and high-risk customer management?
PEP and high-risk customer management is required for financial institutions, virtual asset service providers (VASPs), real estate firms, auditors, law firms, corporate service providers, and other regulated entities operating in the UAE. Any business subject to AML compliance obligations must implement these controls.
What is the review frequency for PEP and high-risk customer files in the UAE?
UAE AML regulations require enhanced ongoing monitoring throughout the relationship. For high-risk customers, the standard expectation across CBUAE, VARA, ADGM FSRA, and DIFC DFSA supervision is at minimum an annual review, with high-risk PEP relationships often requiring biannual or quarterly reassessment depending on jurisdictional exposure and the nature of the public function. Any trigger event (adverse media, a change in public role, a suspicious transaction or a regulatory inquiry) requires an immediate out-of-cycle review, regardless of when the last scheduled review occurred.