Simplified Due Diligence

In a Nutshell

  • SDD is permitted only where documented risk assessment demonstrates low ML/TF/PF risk. The decision to apply it is grounded in the board-approved risk appetite.
  • Applying SDD without adequate justification, or continuing it after circumstances change, is a regulatory failure that carries penalties under Federal Decree-Law No. 10 of 2025.
  • Three lines of defence govern SDD differently from standard CDD because the risk is not the customer but the classification decision itself.
  • Boards protect themselves through evidence that SDD criteria are defined, applied consistently, and reviewed periodically.

The regulatory risk in SDD is not that a low-risk customer turns out to be dangerous. The risk is that the entity cannot demonstrate it had adequate justification for the reduced scrutiny. That is a documentation and governance failure, and it sits with the board and senior management.

Board role in SDD: the risk appetite question

The board’s contribution to a sound SDD programme is the risk appetite statement that defines which customer types and product combinations qualify as demonstrably low risk. That statement flows into the Customer Risk Assessment criteria and determines where SDD is ever available. A board that has not considered SDD as a formal risk appetite decision leaves the classification criteria implicit, which means they are either over-inclusive (too much SDD applied where it should not be) or under-inclusive (SDD denied where it would be appropriate and efficient).

Good practice is for the board to approve the SDD eligibility criteria explicitly as part of the AML policy and to receive periodic reporting on how the SDD portfolio is performing. Those criteria should align with the EWRA findings that support the broader risk-based approach.

Three lines of defence in an SDD programme

First line: customer-facing and onboarding

The first line applies the SDD criteria, completes the Customer Risk Assessment, and obtains compliance approval before applying simplified measures. Its governance risk is two-sided: applying SDD where the assessment does not support it or applying standard CDD where SDD would have been adequate. Both represent misjudgements that the second line should catch.

Second line: compliance and MLRO

The second line sets the SDD eligibility criteria, trains the first line, reviews SDD approval decisions, and monitors the SDD portfolio for changes in customer behaviour that should trigger escalation. A sound approach is to establish escalation thresholds in the monitoring configuration so that an SDD customer whose activity changes is flagged automatically rather than relying on manual detection.
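The automated escalation the paragraph describes can be made concrete. The following is an added illustration, not GRC Advisors' code or any regulator's tooling: each SDD customer carries the low-risk parameters recorded at classification (monthly volume, single-transaction ceiling, permitted countries, expected transaction types, all assumed here for the example), and activity outside those parameters produces an escalation record with a written reason, so the flag itself becomes part of the evidence trail the third line later audits. The portfolio and transactions are constructed sample data.

```python
"""Added illustration: automated escalation check for customers under
simplified due diligence. Not GRC Advisors' code; parameters and data are
constructed for the example."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SddParameters:
    # Assumed parameter set; a real programme derives these from the
    # board-approved eligibility criteria and the customer's CRA.
    max_monthly_volume: float
    max_single_txn: float
    permitted_countries: frozenset
    expected_txn_types: frozenset


@dataclass
class Transaction:
    customer_id: str
    txn_date: date
    amount: float
    country: str
    txn_type: str


@dataclass
class Escalation:
    # One record per customer; each reason is a written rationale for reassessment.
    customer_id: str
    reasons: list = field(default_factory=list)


def check_customer(customer_id, params, txns):
    """Return an Escalation listing every parameter breach, or None when the
    customer's activity stayed within its recorded low-risk parameters."""
    reasons = []
    monthly = {}  # (year, month) -> summed volume
    for t in txns:
        if t.customer_id != customer_id:
            continue
        key = (t.txn_date.year, t.txn_date.month)
        monthly[key] = monthly.get(key, 0.0) + t.amount
        if t.amount > params.max_single_txn:
            reasons.append(f"single transaction {t.amount:.2f} on {t.txn_date} "
                           f"exceeds ceiling {params.max_single_txn:.2f}")
        if t.country not in params.permitted_countries:
            reasons.append(f"transaction on {t.txn_date} involves "
                           f"non-permitted country {t.country}")
        if t.txn_type not in params.expected_txn_types:
            reasons.append(f"unexpected transaction type '{t.txn_type}' on {t.txn_date}")
    for (y, m), total in sorted(monthly.items()):
        if total > params.max_monthly_volume:
            reasons.append(f"volume {total:.2f} in {y}-{m:02d} exceeds "
                           f"monthly limit {params.max_monthly_volume:.2f}")
    if not reasons:
        return None
    return Escalation(customer_id, reasons)


def run_portfolio_check(portfolio, txns):
    """Evaluate every SDD customer; returns {customer_id: Escalation} for
    those whose classification must be reassessed by the second line."""
    flagged = {}
    for cid, params in portfolio.items():
        esc = check_customer(cid, params, txns)
        if esc is not None:
            flagged[cid] = esc
    return flagged


# Constructed sample portfolio and activity (not real customers).
SAMPLE_PORTFOLIO = {
    "C-1001": SddParameters(50_000.0, 10_000.0, frozenset({"AE"}), frozenset({"salary", "utility"})),
    "C-1002": SddParameters(20_000.0, 5_000.0, frozenset({"AE"}), frozenset({"salary", "utility"})),
}
SAMPLE_TXNS = [
    Transaction("C-1001", date(2025, 3, 2), 8_000.0, "AE", "salary"),
    Transaction("C-1001", date(2025, 3, 15), 300.0, "AE", "utility"),
    Transaction("C-1002", date(2025, 3, 3), 4_500.0, "AE", "salary"),
    Transaction("C-1002", date(2025, 3, 20), 12_000.0, "XX", "wire"),  # "XX": placeholder country code
    Transaction("C-1002", date(2025, 3, 28), 9_000.0, "AE", "utility"),
]

if __name__ == "__main__":
    for cid, esc in run_portfolio_check(SAMPLE_PORTFOLIO, SAMPLE_TXNS).items():
        print(cid)
        for reason in esc.reasons:
            print("  -", reason)
```

Run as-is, the check clears C-1001 and escalates C-1002 with five reasons (two single-transaction breaches, a non-permitted country, an unexpected transaction type, and a monthly-volume breach). Storing the reasons rather than a bare flag is deliberate: an inspector asking why the customer was, or was not, moved to standard CDD gets the rationale from the record instead of from memory.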

Third line: internal audit

The third line audits the documentation behind SDD decisions: whether the Customer Risk Assessment was completed before SDD was applied, whether compliance approval was obtained, and whether reassessment occurred when circumstances changed. Audit findings on SDD quality are an early warning of a programme that may not withstand supervisory review.

Audit and inspection readiness for SDD

UAE regulators examine the rationale behind SDD classifications during inspections. The documentation they look for includes: the EWRA findings that establish the broader risk environment, the Customer Risk Assessment for individual customers with a written rationale for low-risk classification, evidence of compliance approval before SDD was applied, ongoing monitoring records showing the customer’s activity remained within low-risk parameters, and evidence that reassessment occurred when relevant changes were identified.

Where any of those documents are missing or incomplete, the SDD decision is exposed as a possible governance failure. A risk score alone, without a written rationale, satisfies none of those requirements.

Liability when SDD is misapplied

Federal Decree-Law No. 10 of 2025 governs AML compliance failures in the UAE. Penalties apply where SDD is applied without adequate justification, where it continues despite changed risk indicators, or where the required documentation is absent. UAE enforcement outcomes have cited weaknesses in the application of simplified measures as part of broader AML control failures. The board’s protection is evidence of a policy designed and governed at the appropriate level, with controls that were tested and found to be working.

Governance dimension | The board question                                   | Evidence of an effective SDD programme
---------------------|------------------------------------------------------|-------------------------------------------------------------------
Risk appetite        | Have we defined which customers qualify for SDD?     | Board-approved SDD eligibility criteria embedded in AML policy.
Assessment quality   | Is each SDD decision supported by a documented CRA?  | CRA records with written rationale are retained per customer file.
Monitoring           | Do we track whether SDD customers remain low risk?   | Automated alerts when activity breaches classification parameters.
Audit readiness      | Can we show regulators our SDD decisions were sound? | Scheduled internal audit of SDD portfolio with findings actioned.

How GRC Advisors Can Help

At GRC Advisors, we help organisations establish simplified due diligence frameworks that are practical, risk-based, and aligned with UAE AML regulations. Our experts support businesses with AML risk assessments, customer due diligence framework design, AML policy development, governance reviews, and regulatory compliance advisory services. By ensuring that SDD decisions are properly documented, monitored, and governed, we help boards and compliance teams strengthen their AML controls while maintaining operational efficiency.

Frequently Asked Questions

Why is SDD a governance decision rather than a compliance routine?

Because the decision to apply reduced scrutiny rests on the board-approved risk appetite. Getting it wrong results in a regulatory finding, not a compliance difference of opinion.

The size of the SDD portfolio as a proportion of the total customer base, the frequency of reassessments triggered, any escalations from SDD to standard CDD or EDD, and the findings of internal audit testing of SDD documentation.

The classification must be maintained through ongoing monitoring and periodic review. A customer category that qualified as low risk when the policy was written may not qualify if the risk environment changes. Static classifications are a common audit finding.

During a regulatory inspection, an undocumented SDD decision may be treated as indistinguishable from no assessment at all. The entity must demonstrate that low risk was proven, not assumed. Penalties under Federal Decree-Law No. 10 of 2025 may be imposed where that demonstration cannot be made.

SDD is one application of the risk-based approach within the broader AML/CFT framework. When it is governed explicitly, with defined criteria, board-approved risk appetite, and audit oversight, it functions as evidence of a proportionate and defensible compliance programme.
