UAE New AML Law: Federal Decree Law No. 10 of 2025: At a Glance
Area | What it means under the UAE New AML Law |
Legal position | Federal Decree Law No. 10 of 2025 is the new UAE AML law framework baseline |
Implementing layer | Cabinet Resolution No. 134 of 2025 sets detailed implementation expectations |
Effective dates | Federal Decree Law No. 10 of 2025 is effective from 14 October 2025 and Cabinet Resolution No. 134 of 2025 from 14 December 2025 |
Compliance impact | Higher expectations for governance, risk based controls, documentation quality, and accountability |
Priority controls | EWRA, CDD, EDD, ongoing monitoring, sanctions and PF controls, STR quality |
Regulated landscape | Relevance spans multiple supervisory contexts, including DIFC, ADGM, VARA, CMA, MOET, and MOJ |
Leadership message | This is a full AML/CFT operating model upgrade, not a policy wording exercise |
What the UAE New AML Law changes for regulated entities:
The UAE New AML Law, Federal Decree Law No. 10 of 2025, represents a structural reset for AML/CFT compliance expectations. For regulated entities, this is not a minor legal refresh. It is a shift towards measurable compliance effectiveness.
In practical terms, organisations are now expected to demonstrate:
- stronger governance and control
- Higher quality risk assessment and risk decisions
- clearer beneficial ownership and customer due diligence logic
- better ongoing monitoring outcomes
- stronger suspicious transaction reporting discipline
- reliable audit trails that show how decisions were made
The direction is clear. Supervisors increasingly expect firms to prove that controls work in day-to-day operations, not only in policy documents.
Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 in practice
Under the UAE new AML law, the legal framework and the implementing framework should be read together:
- Federal Decree Law No. 10 of 2025 establishes the core legal obligations and enforcement posture.
- Cabinet Resolution No. 134 of 2025 provides implementation depth and practical compliance direction.
For AML/CFT teams, this means the focus should move beyond drafting and into control performance. Policies, procedures, systems, and governance forums should all align to the same compliance objective: risk-based prevention, detection, escalation, and reporting.
Get in touch with us to avail GRC Services in UAE.
UAE AML compliance context across DIFC, ADGM, VARA, CMA, MOET, and MOJ
A strong implementation plan under Federal Decree Law No. 10 of 2025 must account for the supervisory context. Many firms operate across multiple licensing environments or serve customer segments that create overlapping obligations.
Depending on the business model and activity type, compliance design may need to reflect expectations linked to:
- DIFC context
- ADGM context
- VARA context for virtual asset activities
- CMA context for capital market participants
- MOET context for DNFBP-facing obligations
- MOJ context for lawyers and other legal professionals obligations
The practical approach is to maintain a single, coherent AML/CFT control architecture while tailoring procedures, governance pathways, and evidence files to each relevant regulatory context.
Core AML/CFT priorities under the UAE New AML Law
1. Enterprise-wide risk assessment must drive real decisions
Under UAE AML law 2025, EWRA is not a static document. It should drive how onboarding, monitoring, review frequency, and escalation thresholds are set.
A robust EWRA should clearly connect:
- customer and product risk
- delivery channel risk
- geography and cross-border exposure
- sanctions and proliferation financing touchpoints
- control effectiveness findings
2. CDD and EDD should be risk-led and defensible
Customer due diligence UAE and enhanced due diligence UAE expectations are best met when decision logic is explicit. Teams should be able to explain why a profile is low, medium, or high risk and what enhanced controls follow from that conclusion.
3. Beneficial ownership analysis must be clear and auditable
Beneficial ownership remains central to UAE AML/CFT compliance. Files should show the ownership journey clearly, including how information was validated and how unresolved issues were escalated.
4. Ongoing monitoring should reflect sector reality
Ongoing monitoring AML UAE should be calibrated to actual business behaviour. Generic thresholds copied from unrelated sectors usually create weak outcomes.
Good monitoring design balances:
- meaningful alerts
- manageable volumes
- quality investigation
- timely decisioning
5. STR quality should be treated as a control outcome
Suspicious transaction reporting UAE quality depends on structured case handling, coherent narratives, and clear rationale. It should be possible for an independent reviewer to follow the facts from trigger to decision without ambiguity.
6. PF and sanctions controls need deeper integration
Proliferation financing controls and sanctions screening should be embedded across onboarding, transaction review, case escalation, and governance reporting. These areas should not be siloed from core AML operations.
Implementation blueprint for FIs, DNFBPs, and VASPs
At GRC Advisors, we recommend a phased implementation model for Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.
Phase 1: Legal obligation mapping
Map each obligation from the UAE’s new AML law to:
- business activity
- jurisdiction or authority context
- policy clause
- control owner
- evidence requirement
Phase 2: Risk-based gap assessment
Assess both design and effectiveness across:
- EWRA
- customer risk rating
- CDD and EDD
- beneficial ownership review
- ongoing monitoring
- sanctions and PF controls
- STR workflow and governance
Phase 3: Policy to procedure to control traceability
Create a clear chain of connection between legal requirements, internal policy, operational steps, system logic, and supervisory evidence.
Phase 4: Targeted execution and training
Deploy role-specific guidance for frontline, compliance, operations, and management. Training should focus on judgment, escalation, and documentation quality.
Phase 5: Assurance and board-level reporting
Run quality assurance reviews and control testing. Provide risk-ranked dashboards to senior management, with ownership, timelines, and evidence of closure.
Common AML compliance gaps under Federal Decree Law No. 10 of 2025
Gap 1: Legal updates without operational redesign
Fix: Convert legal obligations into measurable control outcomes.
Gap 2: One-size-fits-all procedure design
Fix: Tailor procedures to business model and supervisory context, including DIFC, ADGM, VARA, CMA, MOET, and MOJ relevance where applicable.
Gap 3: High alert volumes with low intelligence value
Fix: Tune monitoring scenarios using outcomes and investigator feedback.
Gap 4: Weak case documentation
Fix: Standardise investigation notes, chronology, rationale, and closure criteria.
Gap 5: Limited senior oversight of control health
Fix: Present concise board MI with trend movement, unresolved high-risk issues, and remediation status.
Board and senior management questions to ask now
Leadership teams should test readiness under the UAE New AML Law with practical questions:
- Where is our highest ML/TF/PF concentration by customer, product, and geography?
- Which AML/CFT controls are currently least reliable based on testing evidence?
- Are CDD and EDD outcomes consistent across business units?
- Are sanctions and PF governance integrated into daily AML operations?
- Are STR decisions timely, consistent, and well-documented?
- Can we evidence prompt remediation of material findings?
These questions help move the organisation from compliance activity to compliance effectiveness.
How GRC Advisors supports UAE New AML Law readiness
GRC Advisors (grcadvisors.ae) supports regulated entities with practical delivery aligned to Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025.
Our support includes:
- UAE AML law readiness diagnostics
- EWRA uplift and risk methodology refinement
- CDD, EDD, and beneficial ownership framework enhancement
- Ongoing monitoring, design and calibration
- STR quality and case governance improvement
- Sanctions and PF integration across control frameworks
- Management and board reporting improvement
- Role-based AML/CFT capability building
Our approach is execution-focused. We help firms build AML/CFT systems that are clear, defensible, and effective in real business conditions.
Conclusion: from policy compliance to control effectiveness
The UAE New AML Law: Federal Decree Law No. 10 of 2025 sets a higher standard for regulated entities. Read with Cabinet Resolution No. 134 of 2025, it signals a clear expectation that firms demonstrate genuine control performance.
Organisations that act early and methodically will be in a stronger position to manage regulatory, operational, and reputational risks. The right implementation strategy is not more paperwork. It is clearer accountability, sharper risk intelligence, stronger documentation, and consistent execution.
For firms operating in or connected to DIFC, ADGM, VARA, CMA, MOET, and MOJ environments, this is the right moment to strengthen AML/CFT architecture end-to-end.
FAQs on Federal Decree Law No. 10 of 2025
What is the UAE New AML Law?
The UAE New AML Law refers to Federal Decree Law No. 10 of 2025, which establishes the updated legal framework for anti-money laundering, counter-terrorism financing, and related compliance obligations in the UAE. It establishes a stronger enforcement and governance baseline for regulated entities.
When did Federal Decree Law No. 10 of 2025 come into effect?
Federal Decree Law No. 10 of 2025 came into force on 14 October 2025.
What is Cabinet Resolution No. 134 of 2025?
Cabinet Resolution No. 134 of 2025 is the implementing framework that operationalises key compliance expectations under the UAE New AML Law. It is critical for translating legal obligations into day to day AML/CFT controls.
Who should comply with the UAE New AML Law?
The law applies to regulated entities across the UAE, including financial institutions, DNFBPs, and VASPs, depending on their licensing and activity type. Firms should assess scope based on their business model, customer base, delivery channels, and jurisdictional footprint.
Is this just a legal update or a full compliance reset?
For most firms, it is a full compliance reset. The practical expectation is not only policy updates but demonstrable control effectiveness across risk assessment, CDD, EDD, ongoing monitoring, sanctions and PF controls, and suspicious transaction reporting.
What are the top AML/CFT priorities under Federal Decree Law No. 10 of 2025?
Priority areas generally include:
enterprise-wide risk assessment quality
customer due diligence and enhanced due diligence effectiveness
beneficial ownership transparency
ongoing monitoring calibration
sanctions and proliferation financing control integration
suspicious transaction reporting quality and escalation discipline
How should firms approach CDD and EDD under the UAE New AML Law?
CDD and EDD should be risk based and evidence led. Firms should clearly document customer risk rationale, trigger points for enhanced checks, source information reviewed, and final approval logic.
What does effective ongoing monitoring look like in UAE AML compliance?
Effective ongoing monitoring means scenarios aligned to actual business behaviour, not generic templates. Monitoring should produce meaningful alerts, support timely investigations, and enable clear, defensible outcomes.
Why is beneficial ownership still a major AML focus?
Sanctions and proliferation financing controls should be integrated into onboarding, screening, ongoing monitoring, and escalation workflows. They should operate as part of the core AML/CFT framework, not as isolated checks.
What is the role of sanctions and proliferation financing controls?
Beneficial ownership remains central because opaque ownership structures can conceal ML/TF/PF risk. Firms are expected to identify and verify ownership and control relationships with sufficient clarity to support risk decisions and reporting.
How do DIFC, ADGM, VARA, CMA, MOET, and MOJ fit into compliance planning?
These authorities matter depending on your licence type and operating context. Firms should map legal obligations under the UAE New AML Law to their specific supervisory environment and ensure procedures, governance routes, and evidence standards are aligned accordingly.
What are common implementation mistakes firms should avoid?
Common mistakes include:
treating the law as a document update exercise
copying generic monitoring rules
weak documentation of investigation rationale
fragmented ownership of remediation
limited senior management visibility on AML control effectiveness
What should boards and senior management ask first?
Leadership should ask:
where the highest ML/TF/PF risks sit today
which controls are least effective based on testing
whether CDD and EDD decisions are consistent
whether STR quality is reliable and timely
whether high risk findings are remediated with evidence
How can a firm test readiness for Federal Decree Law No. 10 of 2025?
A practical readiness review usually includes:
legal obligation mapping
AML/CFT gap assessment
policy and procedure traceability testing
control effectiveness testing
management information and governance review
remediation roadmap with accountable owners and timelines
How can GRC Advisors help with UAE New AML Law implementation?
GRC Advisors (grcadvisors.ae) can support with readiness assessments, AML/CFT framework enhancement, EWRA uplift, CDD/EDD tuning, ongoing monitoring optimisation, STR quality improvement, sanctions and PF integration, and board-level governance reporting.
