UAE 2025 AML Reforms

The UAE’s financial crime regulatory landscape has entered a decisive new phase. On Sunday, Cabinet Resolution No. 134 of 2025, which implements Federal Decree-Law No. 10 of 2025 on AML/CFT, came into effect. Together, the Decree-Law and Resolution marks a far-reaching overhaul of the country’s AML/CFT framework to date, replacing Federal Law No. 20 of 2018 and significantly expanding the UAE’s regulatory framework for combating financial crime.

What does this mean for businesses in the UAE?

For businesses, the new law signals a clear shift toward stricter compliance expectations, more assertive enforcement, and heightened accountability at both institutional and individual levels. The reforms move decisively beyond policy alignment and into practical, enforceable obligations.

Key Changes at a Glance

Business Impact

The 2025 law expands the scope of primary offences to expressly include proliferation financing, in addition to money laundering and terrorist financing.

Risk assessments, controls, and transaction monitoring must now explicitly address proliferation-related risks.

Maximum penalties have doubled, with a single violation now attracting fines of up to AED 100 million, significantly increasing corporate financial exposure.

AML/CFT failures now represent a more substantial financial and reputational risk.

The law introduces an objective liability test, under which liability may arise where a person knew or ought reasonably to have known that funds were illicit, even without actual knowledge.

“Lack of awareness” is no longer a safe defence; weak controls and poor oversight can themselves create liability.

Managers and senior officers can face fines and imprisonment if offences occur with their knowledge or due to breaches of their duties.

Directors and senior management must actively oversee AML compliance, not merely delegate it.

Providing false Beneficial Ownership information is now punishable by imprisonment and fines starting from AED 20,000.

Companies must ensure BO registers are accurate, current, and defensible.

The 2025 law formally regulates virtual assets, classifying VASPs as regulated entities and subjecting them to Suspicious Transaction Reporting (STR) obligations.

Crypto-related businesses must align with bank-level AML standards; traditional businesses interacting with VASPs must reassess counterparty risk.

‍

Taken together, these reforms reflect the UAE’s continued commitment to strengthening alignment with the FATF Recommendations and demonstrating measurable progress ahead of its next mutual evaluation cycle.

By broadening the scope of regulated activities, sharpening enforcement tools, and directly addressing emerging risks such as virtual assets and proliferation financing, the UAE is signaling a clear expectation: compliance standards must evolve in step with the sophistication of financial crime risks.

The new law also restructures national AML coordination by introducing a dual oversight framework, strengthening governance and enforcement. For businesses, this means Increased regulatory scrutiny, higher compliance expectations, dual reporting lines, and greater exposure to penalties.

We’ve broken down the key differences between the 2018 and 2025 AML laws below to provide businesses with a clear understanding of how their anti-financial crime efforts will have to evolve in 2026. See here for the full law.

Old Federal Law No. 20 of 2018

New Federal Decree-Law No. 10 of 2025

New Primary Offence and Refined Predicate Offences

The 2018 law covered money laundering and terrorist financing as primary offences but did not extend to proliferation financing.
It defined a predicate offence broadly as any act constituting a felony or misdemeanor, whether committed within or outside the UAE.

The 2025 law expands the scope of primary offences to expressly cover proliferation financing offences in addition to money laundering and terrorist financing.
This means that the new law explicitly criminalises providing funds for weapons of mass destruction, including nuclear, biological, chemical or radiological.
The definition of a 'predicate offence' for the purpose of establishing a money laundering offence now also specifically includes the crimes of terrorist financing, arms proliferation financing and indirect and direct tax evasion.

Direct Regulation of Virtual Assets

The 2018 law did not specifically address virtual assets or virtual asset service providers (VASPs).

The 2025 law brings virtual assets into the fold, defining VASPs as regulated entities, and subjecting them to Suspicious Transaction Reporting (STR) requirements.
The new law introduces a specific and severe penalty for operating without a valid license or registration, including potential imprisonment.
VASPs, including cryptocurrency exchanges and blockchain service providers, are now required to implement the same stringent AML/CFT compliance measures as those applied to banks and designated non-financial businesses and professions (DNFBPs).

DNFBPs Definition Expanded

The 2018 law defined DNFBPs as anyone who practiced commercial or professional activities across specific sectors – namely real estate, dealers of precious metals and stones, legal professionals, auditors and accountants, and company and trust service providers (TCSPs).

The new law has expanded the definition of DNFBPs to now capture commercial gaming - include persons who operate commercial gaming halls, operate commercial gaming online, operate sports betting, or operate lottery games (“Gaming Operators”).
Gaming Operators will need to comply with a host of new legal and regulatory obligations which did not apply to them beforehand, which will be a significant shift for the gaming industry.

Lower Legal Threshold for Offences

The 2018 AML law imposed a higher threshold for establishing liability for the primary offences of money laundering and terrorist financing, requiring proof that the person had actual knowledge of the illicit nature of the funds—commonly referred to as a subjective test.

The new law lowers this threshold by introducing an objective test, under which liability may arise where a person knew or ought reasonably to have known that the funds were illicit, even in the absence of actual knowledge.

Increased Penalties and Personal Criminal Liability

Under the previous AML law, legal entities could be subject to fines of AED 500,000–50 million for committing an offence or AED 200,000–5 million for failure to have the requisite licensing.
Dissolution or closure of a legal entity was only possible for terrorist financing or financing illegal organisations.
The original law also did not impose criminal liability on managers or representatives for knowingly committing offences or for breaches of their duties.

Under the new AML law, penalties have increased so legal entities can now be fined between AED 5 million to 100 million for principal offences, creating a much higher risk exposure. Failure of licensing remains the same at AED 200,000 and 5 million.
The new law also provides that courts can now also order the dissolution of legal entities for money laundering.
The new law also includes personal criminal liability, meaning that managers of legal entities can now face a fine or imprison if they have knowledge of an offence and breached employment duties.

Greater Emphasis on Beneficial Ownership

Under the 2018 UAE AML Law, beneficial ownership was addressed in a more limited and indirect manner.

Under the 2025 law, greater emphasis is placed on establishing Beneficial Ownership across corporate and legal arrangements.
Providing false Beneficial Ownership information now carries imprisonment plus fines starting at AED 20,000.
UBO requirements are more prescriptive under the new law, including companies having to update UBO details more often, and registrars having to verify and publish core company data.

Enhanced EDD Measures

The 2018 law requires customer due diligence (CDD) using a risk-based approach, but enhanced due diligence (EDD) was not strongly articulated.
EDD triggers were narrower, mainly focusing on PEPs and high-risk countries.

The new law reinforces a risk-based approach and enhanced measures for higher-risk relationships. A failure to apply appropriate EDD measures can now more clearly constitute a statutory breach.
Under the new law, FIs, DNFBPs, and VASPs must apply EDD whenever there is a higher risk of money laundering, terrorist financing, or proliferation financing. Institutions must justify why EDD was or was not applied.

‍

The UAE’s continued evolution of its anti-financial crime framework signals a more coordinated and deliberate enforcement environment in the year ahead. Enforcement activity was already intensifying prior to the 2025 AML law, alongside sustained government investment in enhanced FIU powers and stronger domestic and international coordination, including cross-border information sharing and mutual legal assistance.

Taken together, these reforms underscore the UAE’s ongoing commitment to strengthening its anti-financial crime framework and aligning with the FATF Recommendations. This represents a key national priority as the country prepares for its next MENAFATF mutual evaluation cycle in 2026. For firms, this heightens the need to demonstrate the effective implementation of AML controls in practice. Further guidance for the private sector is set out in our briefing note on the UAE’s 2026 mutual evaluation, available here.

If you require support in understanding or implementing any aspect of the new Decree-Law or Cabinet Resolution, Themis can assist. We work closely with regulated firms to assess and strengthen AML frameworks, enhance the effectiveness of controls, and address regulatory expectations in practice. Our support also helps firms prepare for increased supervisory scrutiny, including through tool implementation and policy and procedure reviews.

Go to page