The United Arab Emirates (UAE) has consistently strengthened its Anti-Money Laundering (AML), Counter-Terrorism Financing (CFT), and Counter-Proliferation Financing (CPF) framework in line with international standards. A significant milestone in this journey is the issuance of the Revised Guidelines for Designated Non-Financial Businesses and Professions (DNFBPs) in September 2025 by the Ministry of Economy and Tourism.
While the earlier framework established foundational compliance obligations, the revised Guidelines reflect a mature, risk-driven, and outcomes-focused regulatory approach, responding to evolving financial crime risks, FATF recommendations, and the UAE’s updated National Risk Assessment.
Broader Scope: From AML/CFT to AML/CFT/CPF
Earlier framework
Previous DNFBP guidance primarily focused on money laundering and terrorist financing risks. Proliferation financing (PF) was acknowledged but not systematically embedded into DNFBP compliance obligations.
Revised Guidelines
The 2025 Guidelines formally integrate Counter-Proliferation Financing (CPF) as a core compliance pillar. DNFBPs are now explicitly required to:
- Identify and assess PF risks alongside ML and TF risks
- Incorporate PF considerations into their Business Risk Assessments (BRA)
- Align internal controls with national and international CPF expectations
This shift reflects global regulatory emphasis on preventing the financing of weapons of mass destruction and aligns DNFBPs with UAE-wide CPF obligations.
Stronger Emphasis on Risk-Based Approach (RBA)
Earlier framework
The risk-based approach was referenced, but guidance on practical implementation, especially for smaller DNFBPs, was limited and often high-level.
Revised Guidelines
The updated document provides detailed, actionable guidance on applying the RBA. DNFBPs must now:
- Conduct structured, documented Business-wide Risk Assessments
- Consider customer, geographic, product, delivery channel, and transaction risk factors
- Demonstrate how identified risks are mitigated through proportionate controls
Importantly, DNFBPs are required to actively align their internal risk assessments with findings from the UAE National Risk Assessment (NRA) and Sectoral Risk Assessments (SRA), a requirement that was not clearly articulated in earlier guidance.
Enhanced Governance and Senior Management Accountability
Earlier framework
Governance obligations existed, but responsibility was often perceived as resting primarily with the Compliance Officer.
Revised Guidelines
The new guidelines place explicit accountability on boards, owners, and senior management. Key updates include:
- Clear expectation that senior management approves AML/CFT/CPF policies and risk appetite
- Mandatory regular reporting to senior management on STRs, risk exposure, audit findings, and remediation
- Requirement to ensure adequate financial, technical, and human resources for compliance functions
This represents a shift from compliance as a functional task to compliance as a strategic governance responsibility.
Expanded Role and Independence of the Compliance Officer
Earlier framework
The requirement to appoint a Compliance Officer (MLRO) existed, but expectations around independence, authority, and escalation were less prescriptive.
Revised Guidelines
The 2025 Guidelines significantly strengthen this role by requiring:
- Appointment at management level with direct access to senior leadership
- Prior approval from the relevant Supervisory Authority
- Protection from interference or undue influence
- Mandatory escalation to Supervisory Authorities if independence is compromised
The revised framework also formally recognizes the use of third-party Compliance Officers, subject to strict conditions and ongoing oversight, providing flexibility for smaller DNFBPs without diluting accountability.
Clearer and Stricter Customer Due Diligence (CDD) Expectations
Earlier framework
CDD obligations were defined but left room for inconsistent interpretation, particularly in low-risk or one-off transactions.
Revised Guidelines
CDD requirements are now more explicit and structured:
- DNFBPs must complete CDD before establishing any business relationship
- Anonymous, fictitious, or incomplete customer relationships are strictly prohibited
- Enhanced Due Diligence (EDD) is clearly linked to higher-risk scenarios, including complex ownership structures and high-risk jurisdictions
The Guidelines also reinforce the obligation to identify and verify beneficial ownership, aligning DNFBP practices with Cabinet Decision No. (109) of 2023 on Real Beneficiary Procedures.
Improved Guidance on Suspicious Transaction Reporting (STR)
Earlier framework
While reporting obligations existed, DNFBPs often struggled with defining suspicion thresholds and post-reporting conduct.
Revised Guidelines
The new Guidelines provide:
- Clear definitions of suspicious transactions and activities
- Detailed indicators and typologies relevant to DNFBP sectors
- Clarified timelines for STR/SAR submission
- Explicit prohibition of “tipping-off,” with reinforced sanctions
Additionally, DNFBPs are guided on how to handle ongoing relationships after filing an STR, an area previously lacking clarity.
Stronger Record-Keeping and Audit Expectations
Earlier framework
Record-keeping obligations were defined mainly in terms of minimum retention periods.
Revised Guidelines
The updated guidance expands expectations by requiring:
- Comprehensive documentation of risk assessments, CDD decisions, and mitigation measures
- Retention of records for at least five years in an accessible and auditable format
- Independent audit or quality assurance reviews of AML/CFT/CPF programmes, proportionate to the DNFBP’s size and risk profile
This reflects a regulatory shift toward evidence-based supervision.
Explicit Integration with National and International Frameworks
Earlier framework
International alignment was acknowledged but not deeply embedded.
Revised Guidelines
The 2025 version systematically aligns DNFBP obligations with:
- FATF Recommendations
- MENAFATF assessments
- UAE’s 2024–2027 National AML/CFT/CPF Strategy
DNFBPs are now expected to remain informed of evolving typologies, FIU advisories, and international best practices, reinforcing their role as gatekeepers within the financial system.
The revised UAE DNFBP Guidelines represent a substantial evolution rather than a simple update. Compared to earlier guidance, the 2025 framework is more comprehensive, prescriptive, and risk-focused, reflecting the UAE’s transition from regulatory development to regulatory maturity.
Key changes include the full integration of proliferation financing, stronger governance and compliance officer independence, deeper application of the risk-based approach, and clearer operational expectations for CDD, STR reporting, and record-keeping.
For DNFBPs, compliance is no longer limited to meeting minimum legal requirements; it now demands demonstrable effectiveness, accountability, and continuous adaptation. Entities that proactively align with the revised guidelines will not only reduce regulatory risk but also contribute meaningfully to safeguarding the integrity of the UAE’s economic and financial ecosystem.