overview
This guide provides practical steps for implementing AML/CFT compliance programs that meet the requirements of all UAE regulatory authorities. The AML/CFT federal requirements analysis provides the regulatory framework detail; this guide translates those requirements into implementation steps.
step 1: conduct a risk assessment
Federal Decree-Law No. 20 of 2018 mandates a risk-based approach to AML/CFT compliance. Begin by identifying and assessing the ML/TF risks specific to your virtual asset activities, customer base, geographic exposure, and product offering. The risk assessment should consider the types of virtual assets handled, the customer segments served (retail, institutional, high-net-worth), the geographic regions from which customers originate, the transaction types and volumes processed, and the delivery channels used (exchange, OTC, peer-to-peer).
Document the risk assessment and update it at least annually or when material changes occur. The risk assessment drives all subsequent compliance program design decisions.
step 2: design customer due diligence procedures
Based on the risk assessment, design CDD procedures that address identity verification using reliable, independent sources. For individual customers, this typically requires government-issued identification and proof of address. For corporate customers, this requires corporate registration documents, beneficial ownership declarations, and director identification.
Design enhanced due diligence (EDD) procedures for higher-risk scenarios including politically exposed persons, customers from high-risk jurisdictions (per FATF lists), complex or unusual transactions, and new business relationships with entities in sectors associated with higher ML/TF risk.
The UAE FIU and EOCN provide guidance on risk factors relevant to CDD design.
step 3: implement transaction monitoring
Deploy transaction monitoring systems capable of detecting suspicious patterns in virtual asset transactions. Monitoring should address structuring (splitting transactions to avoid thresholds), unusual transaction patterns inconsistent with customer profile, transactions involving addresses associated with illicit activity, rapid movement of assets through multiple wallets or exchanges, and interaction with mixing services, privacy coins, or decentralized protocols.
Blockchain analytics tools are essential for effective transaction monitoring in the virtual asset context. Select tools that provide address clustering, risk scoring, and real-time alerting capabilities.
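The structuring pattern named in this step (splitting transactions to avoid thresholds) can be expressed as a rolling-window rule. The following is an added example, not part of the original guide or any vendor's product; the threshold, window, minimum split count, field layout and sample transfers are assumptions constructed for illustration, since the guide states no values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for illustration only; the guide gives no threshold or window.
THRESHOLD = 10_000            # per-transfer threshold a customer might try to stay under
WINDOW = timedelta(hours=24)  # rolling look-back period
MIN_SPLITS = 3                # minimum number of sub-threshold transfers before alerting

# Constructed sample transfers: (customer_id, ISO timestamp, amount)
SAMPLE = [
    ("cust-A", "2024-01-10T09:00:00", 3900),
    ("cust-A", "2024-01-10T11:30:00", 3800),
    ("cust-B", "2024-01-10T12:00:00", 2500),
    ("cust-A", "2024-01-10T15:45:00", 3700),   # cust-A now totals 11,400 in under 7 hours
    ("cust-C", "2024-01-10T10:00:00", 12000),  # single large transfer, not structuring
    ("cust-B", "2024-01-12T12:00:00", 4000),   # more than 24h after cust-B's first transfer
    ("cust-B", "2024-01-12T18:00:00", 4000),
]

def detect_structuring(transfers, threshold=THRESHOLD, window=WINDOW,
                       min_splits=MIN_SPLITS):
    """Flag customers whose sub-threshold transfers within one rolling
    window add up to at least the threshold."""
    recent = defaultdict(deque)  # customer -> (timestamp, amount) pairs still in window
    alerts = []
    parsed = [(c, datetime.fromisoformat(t), a) for c, t, a in transfers]
    for customer, ts, amount in sorted(parsed, key=lambda row: row[1]):
        if amount >= threshold:
            continue  # at or above threshold: covered by ordinary threshold controls
        q = recent[customer]
        q.append((ts, amount))
        while ts - q[0][0] > window:  # expire transfers older than the window
            q.popleft()
        total = sum(a for _, a in q)
        if len(q) >= min_splits and total >= threshold:
            alerts.append({
                "customer": customer,
                "window_start": q[0][0],
                "window_end": ts,
                "count": len(q),
                "total": total,
            })
            q.clear()  # do not re-alert on the same set of transfers
    return alerts

if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE):
        print(alert)
```

An alert from a rule like this is an input to the escalation and STR decision process, not a conclusion; the rule's parameters should follow from the documented risk assessment.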
step 4: implement the travel rule
The FATF Travel Rule requires transmission of originator and beneficiary information for virtual asset transfers above applicable thresholds. Implementation requires selecting a Travel Rule compliance solution (protocol and technology provider), establishing connectivity with counterparty VASPs, building workflows for obtaining and verifying required information, and implementing procedures for handling transfers where counterparty information is incomplete.
Travel Rule implementation is a specific compliance requirement under all UAE regulatory authorities and was a key element of the UAE’s FATF grey list remediation.
step 5: establish suspicious transaction reporting
Implement procedures for identifying and reporting suspicious transactions to the UAE FIU through the goAML system. Train compliance staff on STR identification criteria specific to virtual asset transactions. Establish escalation procedures from front-line staff to the compliance function. Document all STR decisions including cases where suspicion was investigated but an STR was not filed.
The tipping-off prohibition applies — do not inform the customer that an STR has been filed.
step 6: implement sanctions screening
Deploy sanctions screening systems that screen customers and transactions against UAE domestic sanctions lists, UN Security Council sanctions, and other applicable international sanctions. For virtual asset operations, implement wallet address screening against known sanctioned addresses maintained by blockchain analytics providers.
The EOCN coordinates the UAE sanctions compliance framework. Sanctions screening must be conducted at customer onboarding, at regular intervals for existing customers, and in real-time for transactions.
step 7: maintain records
Maintain all CDD documentation and transaction records for a minimum of five years. Records must be sufficient to permit reconstruction of individual transactions and must be accessible to the relevant regulatory authority and the UAE FIU upon request.
step 8: appoint a compliance officer and train staff
Appoint a Money Laundering Reporting Officer (MLRO) with appropriate seniority and independence. Conduct regular AML/CFT training for all staff, with enhanced training for front-line staff and management. The ADGM Academy and NAFIS compliance programme provide relevant training resources.
ongoing requirements
AML/CFT compliance is not a one-time implementation. Ongoing requirements include regular updates to the risk assessment, periodic review of CDD and monitoring effectiveness, annual independent audit of the AML/CFT program, and continuous monitoring of regulatory developments.
The multi-authority compliance map dashboard provides a reference for compliance requirements across jurisdictions. The regulatory framework tracker dashboard monitors regulatory developments.
For official AML/CFT guidance, consult the SCA, CBUAE, VARA, ADGM, DFSA, and the FATF.