1. The principle AML/CFT legislation applicable is the Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations (the “AML-CFT Law” or “the Law”) and implementing regulation, Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (the “AML-CFT Decision” or “the Cabinet Decision”).

The Anti-Money Laundering Law in UAE requires the FIs and DNFBPs to establish a comprehensive AML/CFT Program including AML Policy for KYC, Screening, Risk Profiling, Governance, STR Filing, and more. The AML Law in UAE requires that the Anti-Money Laundering Policy and AML procedures and guidelines have to be commensurate with the nature and size of the business. The AML Compliance Officer has to ensure that the provisions of the UAE AML Law are complied with.

The principal federal anti-money laundering (AML) laws include, inter alia:

• Federal Decree Law No. (20) of 2018 on Anti-Money Laundering, Combating the Financing of Terrorism and Financing of Illegal Organisations (as amended) (AML Law);
• Cabinet Resolution No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering, Combating the Financing of Terrorism and Financing of Illegal Organisations (Cabinet Resolution); and
• Federal Penal Law No. 31 of 2021 (Penal Code).

Federal and local regulatory and supervisory authorities implement and enforce the AML laws and issue supplementary laws, regulations, rules, guidance, circulars, notifications and other forms of guidance, which can have the force of law.

To establish the criminal offence of money laundering (ML), the government must prove that a person wilfully commits one of the following acts with knowledge that the funds are derived from a predicate offence:

• transferring or moving the proceeds or conducting any related transaction with the intention of concealing or disguising their illicit source;
• concealing or disguising the true nature, source or location of the proceeds or the manner of their disposal, movement, ownership or rights;
• acquiring, possessing or using the proceeds; and
• assisting the perpetrator of the predicate offence to escape punishment.

„Funds” includes (in summary) assets and economic resources of every kind that may be used to obtain any funding, goods or services, whatever the method of acquisition or form, whether tangible or intangible, movable or immovable, electronic, digital or crypto, such as natural resources, legal documents and instruments, bonds, shares, equities, deeds, bills of exchange, letters of credit and benefits, profits or incomes received or generated from such assets.

„Proceeds” means funds generated, directly or indirectly, from a misdemeanour or felony, including profits, privileges and economic interests, or any similar funds converted wholly or partly into funds.

„Transaction” means „any disposal or use of the funds or proceeds”.

A criminal conviction for the predicate offence is not required for the offence of ML to be established.

The threshold for conviction is knowledge that the funds are the proceeds of crime (ie, suspicion regarding the provenance of the funds is not generally sufficient).

Intention to commit a ML offence may be inferred if a person handles funds with the requisite knowledge.

A „Predicate Offence” is a felony or misdemeanour (crime) that is punishable in the UAE irrespective of whether the crime occurred there. As criminal consequences may arise for certain tax offences, including tax evasion, some tax offences constitute Predicate Offences in the UAE.

The UAE’s 2021 National Risk Assessment found that fraud, counterfeiting and piracy of goods, illicit tracking in narcotics, and professional third-party ML are the most common Predicate Offences connected to ML in the UAE. Tax crimes (related to direct and indirect taxes), insider trading and market manipulation, robbery or theft, illicit arms, forgery and smuggling (including in relation to customs and excise duties and taxes) are also ML threats.

There is extraterritorial jurisdiction for ML offences if any of the acts are committed in the UAE, or if the result is realised or intended to be realised in the UAE.

Similarly, the Predicate Offences may be committed outside of the UAE if the act is punishable in the UAE and the country in which it is committed.

Individuals and corporates can be criminally liable for ML offences. An entity will be liable if the act is intentionally committed in its name or for its account (ie, by those acting for or on its behalf).

At the federal level, the police, public prosecution and Financial Intelligence Unit (FIU) of the Central Bank of the UAE (CBUAE) work together to investigate ML crimes. The law enforcement authorities search, investigate and collect evidence related to ML.

The public prosecution has a range of investigatory powers, including ordering the monitoring and review of accounts, records and documents held by third parties, and accessing information or documentary evidence including information stored on computer systems or IT devices.

The public prosecution or the competent court may seize or freeze suspicious Proceeds or Funds without notifying the owner until the investigation or trial is complete.

The police and public prosecution also collaborate with the FIU and seek its opinion on reports of possible ML. The FIU refers suspicious transactions to the relevant law enforcement authorities for the police and public prosecution to investigate further and gather evidence.

The public prosecution is charged with prosecuting ML offences and administering or enforcing judgments delivered by the UAE Courts. A number of specialist federal ML courts have been or are being established in the UAE, including in Abu Dhabi, Dubai, Sharjah and Fujairah, to improve judicial expertise and facilitate enforcement of ML offences.

There is no limitation period for the prosecution of ML offences in the UAE.

The penalty for individuals (assuming there are no aggravating factors) is between one and 10 years imprisonment and/or a fine between AED100,000 and AED5 million. The penalty for companies is a fine of AED500,000 to AED50 million. A court may also prohibit the entity from operating for a specific period or revoke its licence, entry or registration.

A penalty of temporary imprisonment and a fine between AED300,000 and AED10 million may be imposed if the perpetrator:

• abuses their influence or power vested in them by virtue of their profession or their professional activity;
• commits the crime through non-profit organisations (NPOs);
• commits the crime through an organised criminal group; or
• has reoffended.

Foreign nationals who receive a custodial sentence for committing a ML offence or other felony stipulated in the AML Law will be deported. If the foreign national receives a custodial sentence for a misdemeanour (crimes that carry a custodial sentence of less than three years), the court may decide to order the foreign national's deportation in lieu of the custodial sentence.

Any failure (whether intentionally or by gross negligence) to make a suspicious transaction report (STR) is punishable by imprisonment or a fine of between AED100,000 and AED1 million, or both.

Any person who warns or „tips off” or reveals that suspicious transactions are under review may be sentenced to imprisonment for at least one year and a fine of between AED100,000 and AED500,000.

Upon conviction, the court shall confiscate (i) the funds, proceeds and instrumentalities used or intended to be used in the crime; or (ii) an amount equivalent to the funds from funds owned by the perpetrator if it fails to confiscate the proceeds of crime.

There are no civil penalties prescribed under the AML Law. However, a civil claim for compensation for damages may be brought following a final and binding criminal judgment. Additionally, there may be civil liability for individuals and entities that are subject to AML compliance requirements if they fail to comply with AML obligations.

UAE criminal laws provide several mechanisms by which proceeds of crime may be seized. For example, the AML Law requires the court to confiscate the funds, proceeds and instrumentalities used or intended to be used in the crime.

The public prosecution or relevant competent authority can:

• identify, track, seize or freeze assets suspected of being involved in ML activities (ie, the proceeds and instrumentalities of ML);
• prohibit trading or disposing of such funds, proceeds and instrumentalities;
• prevent the evasion of freezing or seizure orders; or
• impose a travel ban on any persons holding such assets.

The freezing of funds held by a financial institution (FI) licensed by the CBUAE may only be requested or executed by the Governor of the CBUAE. The freezing of funds cannot exceed seven business days, unless extended by the competent court or public prosecution that issued the freezing order.

The public prosecution has broad powers to search and seize, for example, criminal proceeds in an accused's dwelling, under the Penal Code.

Local judicial authorities are empowered to cooperate with their foreign counterparts to confiscate assets (principally based on reciprocity or where a relevant treaty is in place).

Generally, a conviction for the underlying offence is required before asset forfeiture takes place. However, the public prosecution or competent court may seize or freeze suspicious proceeds or funds until the investigation or trial is complete.

In certain circumstances, the public prosecution or competent court may appoint a third party to manage the funds, proceeds or instrumentalities seized, and sell or dispose of such funds prior to a court judgment. In this case, the sale proceeds would be transferred to the UAE Treasury and the relevant funds earmarked to any rights awarded legally to any party acting in good faith, proportionately to its value.

The Governor of the CBUAE also has a right to freeze suspicious funds deposited at financial institutions for up to seven days (this period can be extended by order of the public prosecution).

At the federal level, the Cabinet Resolution sets out AML compliance obligations on all FIs, designated non-financial businesses and professionals (DNFBPs), virtual asset service providers (VASPs) and NPOs (regulated entities).

UAE criminal laws (including the AML Law, Penal Code and Cabinet Resolution) and international treaties apply in each of the Emirates and free zones. Federal and local regulatory and supervisory authorities also issue rules, regulations, circulars and guidance or feedback, some of which also have the force of law.

For example, in the financial free zones (the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM)), regulated entities are supervised by the Dubai Financial Services Authority (DFSA) and Financial Services Regulatory Authority (FSRA). In addition to administering federal AML legislation and supervising regulated entities, the DFSA and FSRA issue Rules, which must be complied with alongside federal law, including:

• The Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module of the DSFA Rulebook (the DFSA AML Module).
• The ADGM Anti-Money Laundering and Sanctions Rules and Guidance Rulebook (the ADGM AML Rulebook).

Other regulatory and supervisory authorities impose AML compliance requirements on the institutions they regulate, including the Ministry of Economy (MOE), the CBUAE, the Securities and Commodities Authority (SCA), the Ministry of Justice (MOJ) and the Dubai Virtual Assets Regulation Authority (VARA).

FIs, DNFBPs, VASPs and NPOs have additional obligations to detect and deter ML or TF. As per the Anti-Money Laundering and Combatting the Financing of Terrorism and Illegal Organisations - Guidance for FIs and Guidance for DNFBPs, issued by the Competent Authorities in the UAE (together, the Guidances):

An FI is anyone conducting one or more financial activities or operations for or on behalf of a customer, and includes:

• banks, finance companies, exchange houses and money service businesses

(including hawaladar and other monetary value transfer services);

• insurance companies, agencies and brokers;
• fund or portfolio managers;
• securities and commodities brokers, dealers, advisers and investment managers; or
• providers of virtual banking services.

DNFBPs include:

• auditors and accountants;
• lawyers, notaries and other legal professionals and practitioners when conducting certain transactions;
• company and trust service providers;

dealers in precious metals and stones, when carrying out any single cash transaction or several transactions that appear to be interrelated or equal to more than AED55,000; and

• real estate agents and brokers.

VASPs include individuals and entities who are engaged in the following activities:

• exchange between virtual assets or flat currencies, or both;
• transfer of virtual assets;
• safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; or
• providing or participating in financial services or other activities related to an issuer's offer or sale of virtual assets.

Stored value services, electronic payments for retail and digital cash, retail payment services and card schemes are all regulated activities, which require a licence in the UAE. Individuals and entities offering these services must be licensed by the CBUAE and comply with the Cabinet Resolution and AML requirements.

The Cabinet Resolution also extends to providers of money or value transfer services (MVTS) established in the UAE. Providers of MVTS must be licensed or registered with the competent supervisory authority. The supervisory authority must ensure the provider's compliance with AML/CTF controls under section 2, article 26 of the Cabinet Resolution.

VASPs are required to comply with the federal AML law and the rules and requirements imposed on them by their regulatory and supervisory authorities.

For example, the SCA's Decision No. 23 of 2020 concerning the Crypto Assets Activities Regulation applies to any person who:

• promotes, offers or issues crypto assets in the UAE;
• provides crypto asset custody services, operates an exchange for crypto assets or operates a crypto fundraising platform in the UAE; or
• undertakes financial activities in the UAE in relation to crypto assets, including distribution, fundraising and operating an exchange.

In March 2022, Law No. 4 of 2022 Concerning the Regulation of virtual assets (VAL) became effective in Dubai. VAL introduced a legal framework to regulate virtual assets in Dubai and establishes the Dubai VARA, which is linked to the Dubai World Trade Centre (DWTC). VAL applies throughout Dubai, including the special development zones and commercial free zones (except the DIFC).

VARA is responsible for licensing and regulating virtual assets and VASPs across Dubai's mainland and free zone territories (except the DIFC). VARA is mandated to set rules for conducting virtual asset-related activities including management services, clearing and settlement services, and classifying and specifying types of virtual assets.

The ADGM has published binding guidance on the Regulation of Virtual Asset Activities in the ADGM. The guidance sets out the FSRA's approach to regulating the use of virtual assets in the ADGM, including activities conducted by multilateral trading facilities, authorised persons that are providing custody (virtual asset custodians) and intermediary-type authorised persons.

In October 2022, the DFSA published feedback on a consultation paper issued in March 2022, which codified the DFSA's proposals for a framework regulating crypto tokens. Pursuant to the feedback, issuers of non-fungible tokens and utility tokens will constitute DNFBPs and are subject to the UAE AML laws and regulations.

As per the AML Law, Cabinet Resolution and Guidances, regulated entities are subject to wide-ranging AML compliance obligations, including those relating to:

• identifying, assessing and understanding ML and TF risks, including conducting customer and enterprise-wide risk assessments;
• identifying and verifying customer identities and conducting customer due diligence (CDD) (including simplified, enhanced and ongoing due diligence);
• appointing a compliance officer with relevant qualifications and expertise;
• developing and implementing risk-based compliance policies, procedures, systems and controls and monitoring the implementation, effectiveness and adequacy of the measures;
• adopting a risk-based approach to identifying and managing ML risk and conducting enhanced risk mitigation measures where higher ML risks are identified;
• implementing indicators to identify suspicious transactions, reporting suspicious transactions, and cooperating with the competent authorities;
• promptly applying the directives of competent authorities for implementing United Nations Security Council decisions;
• maintaining accurate records; and
• screening and monitoring transactions to identify any suspicious transactions.

Similar obligations apply to all regulated entities in the UAE as all AML laws have been developed in accordance with global best practice and guidance issued by the Financial Action Task Force. However, there are some variations.

For example, the Cabinet Resolution imposes specific obligations on MVTS, including requirements to maintain up-to-date lists of their agents and make them available to the relevant competent authorities.

Article 33 of the Cabinet Resolution requires NPOs to:

• apply the best practices adopted by the relevant regulatory authority;
• develop clear policies to promote transparency, integrity and public confidence; and
• conduct operations through official financial channels, taking into account the different capacities of financial sectors in different countries.

In addition to complying with the obligations on FIs and DNFBPs, VASPs are required to:

• perform CDD measures when carrying out incidental transactions equal to or exceeding AED3,500;
• obtain and retain accurate data of the transferor (where the VASP is the originator), request the data of the beneficiary, and submit such information to the beneficiary VASP or the IT; and
• obtain and retain accurate information of the transferor and beneficiary of the required transfer (where the VASP is the beneficiary).

FIs must also comply with these obligations where they are carrying out a transaction involving the sending or receiving of a transfer of virtual assets on behalf of the customer.

There are also variations between federal and local laws and obligations imposed by federal and local regulatory and supervisory authorities, for example, the specific requirements set out under the Cabinet Resolution and AML Rules in the DIFC and ADGM.

The financial and capital markets in the UAE are regulated by the CBUAE and the SCA. The CBUAE regulates banks, finance companies, insurance companies and payment service providers. The SCA regulates markets, listed companies and securities brokers, among other entities.

In 2020, the CBUAE established an AML and Combatting the Financing of Terrorism Supervision Department with three objectives:

• examining licensed FIs;
• ensuring compliance with the UAE AML legal and regulatory framework (including CBUAE guidance for specific FIs on regulatory expectations and how to comply with statutory obligations under UAE laws and regulations); and
• identifying „threats, vulnerabilities and emerging risks” relevant to the UAE financial sector.

The MOE is the supervisory authority for DNFBPs at Federal level and within the commercial free zones (with the exception of lawyers and public notaries, which are supervised by the MOJ). The MOE is responsible for developing the regulatory framework and ensuring DNFBPs act in accordance with best practices. The MOE has set up an AML Department, which is responsible for implementing operational strategy for the supervision of DNFBPs.

In the financial free zones, the FSRA is the competent authority for AML/CFT compliance within the ADGM. The DFSA is the competent authority for the administration of federal AML/CTF legislation in the DIFC. The FSRA and DFSA have sole administrative oversight and direct supervision of all regulated entities and their officers, employees and agents for AML compliance in the ADGM and DIFC, respectively.

VARA, which sits in the DWTC as an independent body, operates in coordination with the CBUAE and SCA, to regulate and license the Virtual Asset sector in Dubai and the free zones (except for the DIFC).

FIs, DNFBPs and VASPs are required to inform the FIU (through detailed reports on the transactions) if they suspect or have „reasonable grounds to suspect that a transaction or funds fully or partially constitute proceeds, or that such transaction or funds are related to a crime or that they will be used for a crime regardless of their value”. Failure to inform (either intentionally or by gross negligence) is punishable by imprisonment or a fine, or both.

Regulated entities are required to register on the UAE's reporting system for STRs to the FIU of CBUAE. STRs are then made directly to the FIU via the goAML platform. An entity must separately register in each jurisdiction in which the entity operates. For example, if an entity is registered in both the DIFC and ADGM, the entity must register on the goAML platform twice.

STRs and suspicious activity reports (SARs) (ie, transactions or attempted transactions, activity or funds which constitute in whole or in part the proceeds of a crime, are related to a crime or are intended to be used in a crime) can be filed through the goAML system.

The FIU has published detailed guidance on how to make reports and what information should be included. Every report should include, at a minimum, the reasons for reporting, the transaction details, relevant parties and other information required by the FIU.

The CBUAE requires FIs to file STR within 35 days. Specifically, FIs must complete their internal investigation within 20 days and file the STR with the FIU within a further 15 days.

Reports must be filed whenever FIs reasonably suspect ML or the provenance of goods or funds. The CBUAE has cautioned against using „defensive SARs” (ie, SARs filed solely to reduce the risk of penalties).

There is no process by which active consent can be sought from the authorities in the UAE to deal with suspected criminal proceeds.

The FIU is required to create a database or private register for the information obtained in STRs. Confidentiality and control of the database must be secured, including the processing, storage and reference of such data.

All information obtained in connection with a suspicious transaction or crime (including STRs) is confidential and must not be disclosed except where necessary for its use in investigations, lawsuits or cases involving a violation of the AML Law. Both the information being reported and the fact that a report has been made is confidential. Regulated entities must make reasonable efforts to ensure that the information and data is protected from access by unauthorised third parties.

Sharing information within an organisation or group (for example, between a parent, branch or subsidiary) is permitted provided the purpose is to prevent, detect or report a crime.

Directly or indirectly, warning or tipping off a customer or third party that a report has been made or suspicious transactions are under review is a crime.

Attorneys, the notary public and certain other legal professions and legal independent auditors are exempted from reporting suspicious transactions if the information was collected in circumstances where those persons are subject to professional confidentiality.

Regulated persons may not object to the statutory reporting of suspicions on the grounds of customer confidentiality or data privacy.

There are no specific requirements to report large currency transactions under the AML Law or Cabinet Resolution. However, large transactions may be a red flag for ML in the absence of a reasonable explanation and all suspicious transactions, including attempted transactions, must be reported by regulated entities regardless of the transaction amount.

Any person bringing in or taking out of the UAE any currency, bearer negotiable instruments or precious metals or stones valued over AED60,000 is required to declare it, and must provide honest and clear responses and adequate information to the relevant customs authority and its staff upon request.

Regulated entities must also report transactions to the FIU without delay if there are reasonable grounds to suspect that funds are related to a crime, or are for the purpose of committing, concealing, or benefitting from a crime.

If a transaction is made to a foreign individual or entity associated within a high-risk country, EDD on the client/transaction may also be necessary.

The FIU in the CBUAE is the independent body responsible for analysing information related to ML/TF crimes. The FIU actively encourages collaboration and strategic partnerships with local, regional and international stakeholders (ie, similar bodies in other jurisdictions).

The FIU has multiple responsibilities including:

• receiving and reviewing STRs from FIs and DNFBPs;
• requiring FIs, DNFBPs and the relevant authority to provide any further information or documentation as required;
• exchanging information relating to STRs with other similar bodies across the globe; and
• providing information and data to law enforcement authorities.

There are both civil and criminal penalties for failing to comply with AML compliance obligations in the UAE.

For example, under Federal law, the Competent or Supervisory Authorities may impose administrative penalties on regulated entities in the UAE, including:

• a written warning.
• fines of between AED50,000 and AED5 million per violation;
• restrictions on working in the regulated sector;
• arresting managers, board members or members of the executive or supervisory management of the entity who are found to be responsible for the failure to comply (this can include the appointment of a temporary controller);
• restricting the powers of board members or members of the executive or supervisory management of the entity; and
• revocation of an organisation'slicence to practise.

The Supervisory Authority can also request regular reports on the measures taken to correct the violation.

Cabinet Resolution No. 16 of 2021 introduced 26 additional administrative penalties for DNFBPs for violations of the Cabinet Resolution, including a fine of AED200,000 for failure to provide additional information requested by the FIU and a fine of AED50,000 for a failure to provide training to employees on combatting ML and TF.

Criminal consequences for failing to comply include if:

• the perpetrator abuses their influence or power vested in them by virtue of their profession or their professional activity;
• the crime is committed through an NPO;
• the crime is committed through an organised criminal group; or
• reoffending has taken place.

Failing (intentionally or by gross negligence) to make a STR is punishable by imprisonment and/or a fine of AED100,000 to AED1 million.

Any person who warns or tips off a person or reveals that suspicious transactions are under review may be sentenced to imprisonment for at least one year and a fine of AED100,000 to AED500,000.

As per federal law and the Guidances, FIs and DNFBPs must appoint a compliance officer with responsibility for several areas, including:

• reviewing and analysing suspicious transactions and deciding whether to make an STR;
• developing, implementing and documenting an internal AML/CTF programme;
• informing senior management of the level of compliance achieved and reporting this to the Supervisory Authority;
• developing an effective compliance culture to ensure staff are well qualified and well trained to combat ML threats; or
• cooperating with the Supervisory Authority and FIU, providing them with copies of any documents requested and access to any registers or databases.

In the DIFC and ADGM, Relevant Persons are required to appoint a money laundering reporting officer (MLRO) who performs a similar function to compliance officers in the onshore UAE.

The UAE AML framework provides for personal liability including in the event that a compliance officer or MLRO fails to comply with their duties specified above. Enforcement action against individuals can include written warnings, fines, imprisonment and a ban from working in the sector in which the violation occurred for a particular period.

There is no applicable statute of limitations in the Cabinet Resolution.

At federal level, Cabinet Resolution No. 58 of 2020 Concerning the Regulation of Beneficial Owner Procedure requires entities to take reasonable measures to obtain and maintain appropriate, accurate and updated information, on an ongoing basis, related to ultimate beneficial owners (UBOs). Such information must be provided to the relevant licensing authority within 15 days of a change to the initial information provided. This applies to all entities registered or licensed in the UAE, including the commercial free zones but excluding the financial free zones (ie, the DIFC and ADGM).

Local licensing authorities are responsible for maintaining such information including but not limited to International Freezone Authority, Dubai Department of Economic Development and Dubai Internet City.

Article 15 of Cabinet Resolution No. 58 of 2020 states that the MOE and relevant Registrar shall not disclose the information on the register without written approval from the beneficiary or their nominee unless certain, limited exceptions are met (eg, if the disclosure is required by law). Hence, information is not made publicly available.

There are separate obligations relating to the registration of UBOs in the DIFC and ADGM under the 2018 DIFC UBO Regulations and ADGM Beneficial Ownership and Control Regulations.

The information provided above is part of Global Investigation Reviews „Anti-Money Laundering” Know how 2022 guide that provided anti-money laundering regulations and enforcement guidance across 10 jurisdictions.