Key Aspects of Federal Decree Law No. 10 of 2025
- Federal Decree Law No. 10 of 2025 establishes the core AML/CFT legal framework in the UAE, strengthening regulatory expectations for financial institutions, DNFBPs, and virtual asset businesses.
- The law is supported by Cabinet Resolution No. 134 of 2025, which provides practical guidance on how organisations should implement AML controls and compliance procedures.
- A strong emphasis is placed on risk-based governance, CDD and EDD, beneficial ownership transparency, and effective transaction monitoring to prevent and detect financial crime.
- Regulated entities must demonstrate real compliance effectiveness, supported by clear documentation, strong internal controls, and evidence-based reporting to supervisory authorities.
What the UAE New AML Law Means for Regulated Entities
Federal Decree Law No. 10 of 2025 is more than a routine legal update. It represents a structural shift toward measurable compliance effectiveness. Regulators now expect firms to show that their AML controls work in real operations, not only on paper.
In practical terms, organisations are expected to demonstrate:
- Stronger governance and internal controls
- Higher quality risk assessments and decision making
- Clear beneficial ownership and CDD logic
- Improved ongoing monitoring outcomes
- Stronger discipline in suspicious transaction reporting
- Reliable audit trails showing how decisions were made
Supervisors increasingly focus on evidence of effectiveness, not just documented policies.
Federal Decree Law No. 10 of 2025: Key Points
Area |
Meaning Under the UAE New AML Law |
|---|---|
Legal Position
| |
Implementing Layer
|
Cabinet Resolution No. 134 of 2025 outlines detailed implementation requirements and practical compliance guidance.
|
Effective Dates
|
Federal Decree Law No. 10 of 2025 is effective from 14 October 2025, while Cabinet Resolution No. 134 of 2025 applies from 14 December 2025.
|
Compliance Impact
|
Organisations are expected to maintain stronger governance, risk-based controls, improved documentation standards, and clear accountability.
|
Priority Controls
|
Key focus areas include EWRA, CDD, EDD, ongoing monitoring, sanctions screening, proliferation financing (PF) controls, and STR quality.
|
Regulated Landscape
|
The framework applies across multiple supervisory authorities such as DIFC, ADGM, VARA, CMA, MOET, and MOJ.
|
Leadership Message
|
The change represents a complete upgrade of the AML/CFT operating model, not merely a policy wording revision.
|
Federal Decree Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 in Practice
Both the legal and implementing frameworks should be read together:
- Federal Decree Law No. 10 of 2025 sets out the core legal obligations and enforcement direction.
- Cabinet Resolution No. 134 of 2025 provides practical implementation depth and compliance detail.
For AML/CFT teams, the emphasis moves from drafting policies to proving control performance. Policies, procedures, systems, and governance forums must all align with the same goal: risk-based prevention, detection, escalation, and reporting.
UAE AML Compliance Across DIFC, ADGM, VARA, CMA, MOET, and MOJ
A strong implementation plan must consider the relevant supervisory context. Many firms operate across multiple licensing laws or customer segments that create overlapping obligations.
Depending on business activities, compliance design may need to reflect expectations linked to:
- DIFC regulatory environment
- ADGM regulatory environment
- VARA for virtual asset activities
- CMA for capital market participants
- MOET for DNFBP-related obligations
- MOJ for lawyers and legal professionals
The practical approach is to maintain one unified AML/CFT control framework, while adjusting procedures, governance paths, and evidence files for each applicable authority.
Ready to schedule a consultation?
Most inspection findings trace back to execution gaps
Core AML/CFT Priorities Under the UAE New AML Law
1. Enterprise-Wide Risk Assessment (EWRA)
EWRA should not be a static document. It must actively influence onboarding rules, monitoring thresholds, review frequency, and escalation criteria.
A strong EWRA connects:
- Customer and product risk
- Delivery channel risk
- Geographic and cross-border exposure
- Sanctions and PF exposure
- Control effectiveness findings
2. CDD and EDD
Customer Due Diligence and Enhanced Due Diligence must be risk-driven and clearly justified. Teams should be able to explain why a customer is low, medium, or high risk and what additional controls apply.
3. Beneficial Ownership
Ownership analysis should be transparent and auditable, showing how information was verified and how unresolved concerns were escalated.
4. Ongoing Monitoring
Monitoring should match actual business behaviour. Generic thresholds copied from other industries often produce weak results.
Effective monitoring balances:
- Meaningful alerts
- Manageable volumes
- Quality investigations
- Timely decisions
5. STR Quality
Suspicious Transaction Reporting quality depends on structured case handling, clear narratives, and logical reasoning that an independent reviewer can easily follow.
6. Sanctions and PF Controls
Sanctions screening and proliferation financing controls should be fully integrated into onboarding, transaction reviews, escalations, and governance reporting — not treated as separate silos.
Core AML Obligations in the UAE
For most regulated organisations in the UAE, a sound AML/CFT framework is built on five key elements. While the underlying principles remain similar across industries, the way they are applied can differ depending on sector-specific risks and operations.
1. Risk-Based Governance:
Senior leadership is responsible for setting the compliance direction, assigning clear accountability, and overseeing the quality of implementation.
2. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD):
Businesses must properly identify and verify customers, determine beneficial ownership where relevant, and apply stricter checks when higher risks are identified.
3. Ongoing Monitoring:
Monitoring activities should align with the level of customer and transaction risk, supported by trigger-based review mechanisms.
4. Screening Controls:
Sanctions and related screenings must be conducted promptly, documented thoroughly, and supported by defined standards for handling potential matches.
5. Escalation and Reporting:
Internal escalation processes should enable timely and well-supported reporting whenever suspicious activity is detected.
6. Recordkeeping and Assurance:
Records must be detailed enough to recreate decisions, demonstrate how controls operated, and allow for independent verification and testing.
Implementation Blueprint for FIs, DNFBPs, and VASPs
Phase 1: Legal Obligation Mapping
Map each obligation from the new AML law to business activity, authority context, policy clauses, control owners, and evidence requirements.
Phase 2: Risk-Based Gap Assessment
Assess both design and effectiveness across EWRA, risk ratings, CDD/EDD, beneficial ownership, monitoring, sanctions/PF controls, and STR workflows.
Phase 3: Policy to Control Traceability
Create a clear link between legal requirements, policies, procedures, system logic, and supervisory evidence.
Phase 4: Execution and Training
Provide role-specific guidance and training focused on judgment, escalation, and documentation quality.
Phase 5: Assurance and Board Reporting
Conduct quality reviews and control testing and deliver risk-ranked dashboards to senior management.
Ready to schedule a consultation?
Most inspection findings trace back to execution gaps
Common AML Compliance Gaps
Gap 1: Legal Updates Without Operational Change
Fix: Translate legal obligations into measurable controls.
Gap 2: One-Size-Fits-All Procedures
Fix: Tailor processes to business model and supervisory context.
Gap 3: High Alert Volumes With Low Value
Fix: Calibrate monitoring scenarios using outcomes and investigator feedback.
Gap 4: Weak Case Documentation
Fix: Standardise investigation notes and decision rationale.
Gap 5: Limited Senior Oversight
Fix: Provide concise board MI with trends, risks, and remediation status.
Key Questions for Boards and Senior Management
- Where is our highest ML/TF/PF exposure by customer, product, and geography?
- Which AML controls are least reliable based on testing?
- Are CDD and EDD outcomes consistent across units?
- Are sanctions and PF controls integrated into daily operations?
- Are STR decisions timely and well-documented?
- Can we evidence quick remediation of major findings?
These questions shift focus from compliance activity to compliance effectiveness.
Conclusion: From Policy Compliance to Control Effectiveness
Federal Decree Law No. 10 of 2025, together with Cabinet Resolution No. 134 of 2025, raises the compliance standard for regulated entities. Firms are expected to prove that their AML/CFT controls perform effectively in real business environments.
Organisations that act early and take a structured approach will be better positioned to manage regulatory, operational, and reputational risks. The goal is not more paperwork, but clear accountability, sharper risk insight, stronger documentation, and consistent execution.
For businesses operating within or connected to DIFC, ADGM, VARA, CMA, MOET, and MOJ environments, this is the right time to strengthen AML/CFT architecture end-to-end.
FAQs on Federal Decree Law No. 10 of 2025
What is the UAE New AML Law?
The UAE New AML Law refers to Federal Decree Law No. 10 of 2025. It sets the updated legal framework for anti-money laundering (AML), counter-terrorism financing (CFT), and related compliance duties in the UAE. The law introduces a stronger governance and enforcement baseline for regulated organisations.
When did Federal Decree Law No. 10 of 2025 come into effect?
Federal Decree Law No. 10 of 2025 became effective on 14 October 2025.
What is Cabinet Resolution No. 134 of 2025?
Cabinet Resolution No. 134 of 2025 is the implementing regulation that turns the legal requirements of the UAE New AML Law into practical, day-to-day compliance expectations and operational controls.
Who must comply with the UAE New AML Law?
The law applies to regulated entities operating in the UAE, including financial institutions, DNFBPs, and VASPs, depending on their licence type and business activities. Each firm should assess applicability based on its services, customers, delivery channels, and jurisdictions of operation.
Is this only a legal update or a complete compliance reset?
For most organisations, it is a full compliance reset, not just a documentation update. Regulators expect visible control effectiveness across risk assessments, CDD, EDD, ongoing monitoring, sanctions and PF controls, and suspicious transaction reporting.
What is the main AML/CFT priorities under Federal Decree Law No. 10 of 2025?
Key priority areas include:
- Enterprise-wide risk assessment quality
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) effectiveness
- Beneficial ownership transparency
- Ongoing monitoring calibration
- Integration of sanctions and proliferation financing (PF) controls
- Suspicious Transaction Reporting (STR) quality and escalation discipline
How should firms handle CDD and EDD under the UAE New AML Law?
CDD and EDD processes should be risk-based and evidence-driven. Firms are expected to clearly record customer risk reasoning, triggers for enhanced checks, information sources reviewed, and the final approval logic.
What does effective ongoing monitoring look like?
Effective monitoring is aligned with actual business behaviour, not generic templates. It should generate meaningful alerts, allow timely investigations, and support clear and defensible compliance decisions.
Why is beneficial ownership still a key focus?
Beneficial ownership remains critical because complex or hidden ownership structures can conceal ML/TF/PF risks. Firms are expected to properly identify and verify ownership and control relationships to support accurate risk decisions and reporting.
What is the role of sanctions and proliferation financing controls?
Sanctions and PF controls should be fully integrated into onboarding, screening, transaction monitoring, and escalation workflows. They are expected to operate as part of the core AML/CFT system rather than as standalone checks.
How do DIFC, ADGM, VARA, CMA, MOET, and MOJ affect compliance planning?
These supervisory authorities become relevant depending on a firm’s licence type and operational scope. Organisations should map their AML obligations to the correct authority and ensure procedures, governance channels, and documentation standards match the applicable regulatory environment.
What common implementation mistakes should firms avoid?
Frequent mistakes include:
- Treating the law as only a documentation update
- Copying generic monitoring scenarios
- Poor investigation and decision documentation
- Unclear ownership of remediation actions
- Limited senior management visibility over AML control health
What should board and senior management ask first?
Leadership teams should focus on practical readiness questions such as:
- Where are the highest ML/TF/PF risks today?
- Which controls are least effective based on testing?
- Are CDD and EDD decisions consistent across teams?
- Is STR reporting timely and reliable?
- Are high-risk findings properly remediated with evidence?
How can a firm test readiness for Federal Decree Law No. 10 of 2025?
A practical readiness review typically includes:
- Legal obligation mapping
- AML/CFT gap assessment
- Policy-to-procedure traceability testing
- Control effectiveness testing
- Management information and governance review
- A remediation roadmap with clear owners and timelines
These steps help organisations move from basic compliance activity to demonstrable compliance effectiveness.
Expert Strategies, Industry Trends & Real Results
