AML Risk-Based Approach for Banks vs DNFBPs

Published on: 20-10-2025

Introduction

The United Arab Emirates (UAE) has emerged as a global financial hub, hosting both regulated financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs). To combat money laundering (ML) and terrorist financing (TF), the UAE mandates that both sectors adopt a Risk-Based Approach (RBA) to Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT).

However, the implementation of the RBA differs significantly between banks and DNFBPs, primarily due to their nature, size, risk exposure, and regulatory oversight. Understanding these differences is critical for developing effective compliance programs.

________________________________________

1. Understanding the Risk-Based Approach (RBA)

The Risk-Based Approach is a fundamental principle of AML compliance under FATF Recommendation 1 and the UAE’s Cabinet Decision No. (10) of 2019.

It requires institutions to:

• Identify ML/TF risks inherent in their business model.

• Assess and categorize those risks (Low, Medium, High).

• Apply proportionate control measures.

• Continuously monitor and update the assessment.

The key objective of RBA is to ensure that resources are allocated efficiently, focusing on higher-risk customers and transactions, thereby improving the overall effectiveness of AML frameworks.

________________________________________

2. Supervisory Authorities in the UAE

Sector | Supervisory Authority
Banks and Financial Institutions | Central Bank of the UAE (CBUAE)
Securities and Investment Firms | Securities and Commodities Authority (SCA)
Insurance Companies | Insurance Authority (now under Central Bank)
DNFBPs (Gold & Jewellery, Real Estate, Law Firms, Accountants, Corporate Service Providers) | Ministry of Economy (MOE)

Each regulator has issued its own AML/CFT guidelines and expectations on how RBA should be implemented.

________________________________________

3. Risk-Based Approach for Banks

a. Nature of Risks

Banks handle large volumes of domestic and cross-border financial transactions, making them prime targets for money laundering and terrorist financing.

Their risk profile includes:

• High-value wire transfers.

• Cross-border correspondent banking.

• Private banking for high-net-worth individuals.

• Trade finance and foreign currency transactions.

b. Core Elements of RBA for Banks

1. Customer Due Diligence (CDD): Identify and verify customer identity, beneficial ownership, and purpose of the account.

2. Enhanced Due Diligence (EDD): For PEPs, high-risk jurisdictions, or unusual activity.

3. Ongoing Monitoring: Continuous scrutiny of transactions and account behavior using automated systems.

4. Transaction Monitoring & Reporting: Integration with goAML for STR/SAR filings.

5. Governance and MLRO Oversight: Banks must appoint a Money Laundering Reporting Officer (MLRO) and ensure board-level involvement in AML governance.

c. Use of Technology

Banks are required to deploy RegTech and AI-driven systems for transaction monitoring, sanctions screening, and behavioral analytics.

Examples:

• Automated name matching for sanctions and PEPs.

• AI-based anomaly detection.

• Blockchain analytics for trade and digital asset monitoring.

________________________________________

4. Risk-Based Approach for DNFBPs

a. Nature of Risks

DNFBPs face different types of exposure, often related to cash-intensive operations or service-based interactions.

Sectors include:

• Gold & Jewellery Traders

• Real Estate Brokers

• Law Firms and Notaries

• Auditors and Accountants

• Company Service Providers

Risks arise from:

• Cash transactions exceeding AED 55,000.

• Use of intermediaries or agents.

• Complex ownership structures.

• Cross-border deals or offshore clients.

b. Core Elements of RBA for DNFBPs

1. Business Risk Assessment: Identify and evaluate exposure based on customer type, service, geography, and transaction volume.

2. Customer Due Diligence (CDD): Collect trade license, ID, beneficial ownership, and purpose of business relationship.

3. Enhanced Due Diligence (EDD): Required for PEPs, foreign clients, or high-risk sectors.

4. Record Keeping: Maintain CDD and transaction records for at least five years.

5. Reporting: Register on the goAML portal and submit STRs, SARs, and DPMSRs as required.

6. Training & Awareness: Ensure employees understand red flags, typologies, and escalation procedures.

c. Practical Differences

Unlike banks, DNFBPs typically lack complex IT infrastructure or large compliance departments. Hence, a proportionate RBA—manual or semi-automated—may be sufficient.

The focus should be on risk understanding, documentation, and periodic reassessment.

________________________________________

5. Comparative Summary: Banks vs DNFBPs

Aspect | Banks | DNFBPs
Regulator | Central Bank of UAE | Ministry of Economy
Nature of Risk | Transactional, cross-border, systemic | Business & service-based
Transaction Type | Electronic, large volume | Cash, trade, or service-based
Monitoring System | Automated & AI-driven | Manual or semi-automated
Regulatory Expectations | Very high | Moderate but evolving
Reporting Obligations | STR, SAR, CTR, TF reports | STR, SAR, DPMSR
Frequency of Review | Continuous | Annual or event-driven
Governance | MLRO + Compliance Department | Compliance Officer or MLRO

________________________________________

6. Building an Effective RBA Framework

Regardless of the sector, both banks and DNFBPs should:

• Conduct enterprise-wide risk assessments (EWRA).

• Define risk appetite and tolerance limits.

• Use a risk matrix to rank customer, product, and geography risks.

• Apply technology and training to ensure consistency.

• Periodically review and update the risk framework.

________________________________________

Conclusion

The UAE’s AML ecosystem emphasizes risk-based compliance as the cornerstone of an effective AML program. While banks implement highly automated systems under direct Central Bank oversight, DNFBPs are expected to adopt scalable and proportionate measures suited to their size and business model.

Both sectors, however, share a common objective: to prevent the misuse of the UAE’s financial and commercial ecosystem for illicit activities.

By adopting a structured, well-documented, and dynamic Risk-Based Approach, entities not only ensure compliance but also build credibility and trust with regulators and customers alike.

________________________________________

About Sheikh Anwar Accounting & Auditing LLC

Sheikh Anwar Accounting & Auditing LLC is a Ministry of Economy–licensed auditing and compliance advisory firm (MOE Entry No. 5817) specializing in Audit, AML/CFT Compliance, Corporate Tax, and Risk Advisory Services across the UAE.

Our expertise spans the banking, gold trading, real estate, and professional service sectors, helping businesses implement risk-based AML frameworks, conduct enterprise-wide risk assessments, and prepare goAML compliance documentation.

📍 Office: Dubai Creek Tower, M-35, Dubai, UAE

📞 Contact: +971 4 000 0000

📧 Email: info@sa-auditors.com

🌐 Website: www.sa-auditors.com

