UAE Cabinet Resolution No. 134 of 2025: At a Glance
| Topic | Practical takeaway for regulated entities |
|---|---|
| What it is | Cabinet Resolution No. 134 of 2025 is the executive regulation implementing Federal Decree Law No. 10 of 2025 |
| Effective date | In force from 14 December 2025 |
| What it replaced | Repeals the older implementing framework under Cabinet Resolution No. 10 of 2019 |
| Coverage | Applies across financial institutions, DNFBPs, and VASPs with expanded PF focus |
| Key compliance shift | Stronger expectations for risk based AML/CFT systems, governance, monitoring, and reporting quality |
| Important expansion | Explicit inclusion of proliferation financing and broader sector application, including gaming-related DNFBP touchpoints in scope described by market commentary |
| Regulatory context | Must be implemented with jurisdiction-aware alignment for DIFC, ADGM, VARA, CMA, MOET, and MOJ environments |
Why Cabinet Resolution No. 134 of 2025 matters now:
If Federal Decree Law No. 10 of 2025 is the legal foundation of the UAE new AML law regime, then Cabinet Resolution No. 134 of 2025 is the operational instruction manual.
In simple terms, the Decree Law sets the “what,” while Cabinet Resolution 134 sets the “how.”
For compliance teams, this means immediate focus on implementation quality. The question is no longer whether policies exist. The question is whether controls are proportionate, working, and evidence-based.
Get in touch with us to avail GRC Services in UAE.
Relationship between Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025
The structure of the AML Laws in the UAE is clear:
- Federal Decree Law No. 10 of 2025 establishes the principal AML/CFT/CPF legal obligations in the UAE.
- Cabinet Resolution No. 134 of 2025 provides executive regulations that regulated entities must apply in practice.
- The new resolution supersedes the previous 2019 executive framework.
For boards and senior management, this creates a direct responsibility to ensure that internal AML/CFT operating models are updated end-to-end, not just legally reworded.
Scope and coverage under Cabinet Resolution No. 134 of 2025
From a practical standpoint, entities should assume broad application across regulated sectors, including:
- Financial institutions
- Designated Non-Financial Businesses and Professions (DNFBPs)
- Virtual Asset Service Providers (VASPs)
Market-facing guidance on the resolution also highlights scope-expansion dynamics, including explicit proliferation-financing integration and DNFBP perimeter developments relevant to gaming activities. This should trigger careful applicability checks across business lines and licence classes.
Key compliance themes introduced or reinforced by Cabinet Resolution 134 of 2025
Risk-based AML/CFT and PF control design
The resolution should be approached as a risk-based framework rather than a checklist exercise. Controls need to be designed around:
- customer risk
- product and service risk
- transaction behaviour
- delivery channel exposure
- geography and sanctions exposure
- PF vulnerabilities
A standard template copied from another sector will rarely satisfy real supervisory expectations.
Governance, accountability and senior oversight
Under the new framework, accountability needs to be visible and documented. Senior management should be able to evidence:
- clear ownership of AML/CFT and PF controls
- periodic review of control effectiveness
- risk-prioritised remediation decisions
- timely escalation of high-risk findings
Stronger CDD, EDD, and beneficial ownership defensibility
The new UAE AML compliance environment requires institutions to demonstrate not only that checks were performed, but why risk conclusions were reached. UBO logic, customer risk scoring, and EDD triggers should be coherent and auditable.
Ongoing monitoring of quality over alert quantity
Cabinet Resolution 134 should prompt firms to move from alert-heavy models to intelligence-led models. Proper monitoring means better detection outcomes, lower noise, and stronger case narratives.
STR decision quality and documentation discipline
Suspicious reporting quality remains a primary control outcome. Investigations should be chronology-led, fact-based, and supported by a clear rationale and approval history.
PF and sanctions integration into day-to-day operations
Proliferation financing and sanctions are no longer peripheral modules. They must be integrated across onboarding, screening, transaction review, escalation, and governance reporting.
Regulatory mapping: DIFC, ADGM, VARA, CMA, MOET, and MOJ relevance
A recurring implementation mistake is treating UAE AML obligations as jurisdiction-neutral. In reality, firms often operate across federal and specialised regulatory contexts.
Depending on business activity, the compliance model may need alignment with:
- DIFC requirements and governance expectations
- ADGM rulebook-linked compliance expectations
- VARA context for VASP and virtual asset operations
- CMA expectations for capital market participants
- MOET supervisory relevance for DNFBPs
- MOJ obligations for legal and related professional services
The best practice is a unified AML/CFT architecture with tailored procedures and evidence standards for each legal entity and regulator touchpoint.
What firms should do immediately under Cabinet Resolution No. 134 of 2025
Step 1: Perform a legal-to-control mapping exercise
Map each obligation to policy, procedure, system control, owner, and evidence.
Step 2: Run a focused AML/CFT/PF gap assessment
Test effectiveness across EWRA, CDD/EDD, UBO, monitoring, sanctions, PF, and STR workflows.
Step 3: Recalibrate monitoring and screening frameworks
Tune rules using actual business behaviour and investigation outcomes.
Step 4: Upgrade investigation and reporting standards
Standardise case documentation, escalation logic, and management approvals.
Step 5: Strengthen the board and senior management
Deliver concise dashboards on risk concentration, control reliability, and remediation progress.
Step 6: Deliver role-based training
Train frontline, operations, compliance, and leadership on practical decision-making and evidence quality.
Common implementation errors under UAE Cabinet Resolution 134 of 2025
- Treating implementation as a legal drafting project
Fix: Run it as a control transformation programme.
- Using generic procedures across all sectors
Fix: Tailor by business model, risk profile, and supervisory context.
- High alert volumes with weak analytical value
Fix: Measure monitoring performance and tune continuously.
4: Weak ownership of remediation actions
Fix: Assign accountable owners, set target dates, and define escalation triggers.
5: Limited management visibility
Fix: Build board-level reporting tied to risk, trends, and unresolved critical items.
Boardroom questions for Cabinet Resolution 134 readiness
Senior leadership should challenge management with direct questions:
- Which AML/CFT and PF risks have increased since the new framework came into effect?
- Which controls are least adequate according to testing evidence?
- Are CDD/EDD and UBO decisions consistent across business units?
- Do STR investigations meet the expected quality and timeliness standards?
- Are sanctions and PF controls fully integrated across onboarding and monitoring?
- Can we evidence closure of high-risk findings with a clear audit trail?
These questions improve governance quality and reduce blind spots before supervisory reviews.
How GRC Advisors can support implementation
At GRC Advisors (grcadvisors.ae), we help regulated firms convert legal obligations into operationally effective AML/CFT programmes under Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.
Our support includes:
- UAE AML/CFT/PF readiness diagnostics
- Legal obligation mapping and implementation roadmaps
- EWRA and customer risk methodology uplift
- CDD, EDD, and beneficial ownership framework enhancement
- Ongoing monitoring optimisation
- STR governance and investigation quality improvement
- Sanctions and PF integration
- Board and senior management reporting frameworks
- Role-based AML/CFT capability development
Our delivery model is practical, evidence-led, and aligned with real supervisory expectations.
Final perspective on Cabinet Resolution No. 134 of 2025
Cabinet Resolution No. 134 of 2025 is the implementation engine of the UAE’s new AML law regime. Firms that respond with structured, risk-based, and evidence-backed implementation will be better positioned across regulatory, operational, and reputational dimensions.
For businesses active across DIFC, ADGM, VARA, CMA, MOET, and MOJ environments, this is the right time to move from fragmented compliance efforts to an integrated AML/CFT/PF control architecture.
FAQs: UAE Cabinet Resolution No. 134 of 2025 under Federal Decree Law No. 10 of 2025
What is UAE Cabinet Resolution No. 134 of 2025?
Cabinet Resolution No. 134 of 2025 is the executive regulation that implements the UAE New AML Law under Federal Decree Law No. 10 of 2025. It sets practical AML/CFT and PF compliance expectations for regulated entities.
How is Cabinet Resolution No. 134 of 2025 linked to Federal Decree Law No. 10 of 2025?
Federal Decree Law No. 10 of 2025 establishes the legal framework, while Cabinet Resolution No. 134 of 2025 provides operational detail on how those legal obligations should be implemented in practice.
When did Cabinet Resolution No. 134 of 2025 come into force?
Cabinet Resolution No. 134 of 2025 came into force on 14 December 2025.
Did Cabinet Resolution No. 134 of 2025 replace the previous AML implementing framework?
Yes. It replaced the earlier executive regulations under Cabinet Resolution No. 10 of 2019, signalling an updated compliance baseline under the new UAE AML law framework.
Who must comply with Cabinet Resolution No. 134 of 2025?
It applies to regulated entities in scope of UAE AML/CFT obligations, including financial institutions, DNFBPs, and VASPs, depending on licensing and activity profile.
What are the key compliance priorities under Cabinet Resolution 134?
Key priorities include:
-
enterprise-wide risk assessment quality
-
risk-based CDD and EDD
-
beneficial ownership transparency
-
ongoing monitoring effectiveness
-
sanctions and proliferation financing controls
-
suspicious transaction reporting quality
Does Cabinet Resolution No. 134 of 2025 increase focus on proliferation financing?
Yes. The framework places stronger emphasis on PF risk integration, so firms should align sanctions, screening, escalation, and governance workflows accordingly.
What does a risk based approach mean in practice under the new UAE AML framework?
It means controls should be calibrated to real risk exposure, including customer type, product, geography, delivery channel, and transaction behaviour. A generic one size fits all framework is unlikely to be sufficient.
How should firms handle CDD and EDD under Cabinet Resolution 134?
CDD and EDD should be evidence-led and clearly documented. Firms should be able to show why a customer risk rating was assigned, what enhanced checks were triggered, and how decisions were approved.
Why is beneficial ownership still a major area of scrutiny?
Because beneficial ownership opacity can hide ML/TF/PF risk. Firms need clear, defensible methods to identify and verify ultimate ownership and control, with documented rationale.
What is expected for ongoing monitoring under Cabinet Resolution No. 134 of 2025?
Ongoing monitoring should generate meaningful intelligence, not just high alert volumes. Scenario design, calibration, case handling, and closure quality are all important.
What makes a high-quality STR process under the new regime?
A strong STR process is fact-based, chronology-led, timely, and consistently documented. Case files should clearly show trigger, analysis, decision rationale, reviewer challenge, and final reporting outcome.
How should firms map obligations across DIFC, ADGM, VARA, CMA, MOET, and MOJ contexts?
Firms should maintain a unified AML/CFT framework at enterprise level, then tailor procedures, governance routes, and evidence standards to each applicable supervisory environment and licence type.
What are common mistakes organisations should avoid?
Frequent mistakes include:
-
treating implementation as policy editing only
-
applying generic controls across different sectors
-
poor quality documentation and audit trail
-
unclear ownership of remediation actions
-
limited board visibility on control effectiveness
What should boards and senior management ask to test readiness?
Leadership should ask:
-
where current ML/TF/PF risk concentration is highest
-
which controls are weakest based on testing
-
whether CDD/EDD outcomes are consistent
-
whether STR quality is robust and timely
-
whether high-risk findings are remediated with evidence
How can GRC Advisors support Cabinet Resolution 134 implementation?
GRC Advisors can support with readiness diagnostics, legal-to-control mapping, EWRA uplift, CDD/EDD and UBO framework strengthening, monitoring optimisation, STR governance improvement, PF and sanctions integration, and board-level AML/CFT reporting.
