Case Study: AML Gaps in Company Service Providers

1. Introduction

Company Service Providers (CSPs) play a crucial role in the UAE’s business ecosystem, offering company formation, nominee, and administrative services to clients worldwide. However, due to their involvement in business structuring and cross-border financial arrangements, CSPs are exposed to a high risk of being misused for money laundering (ML) and terrorism financing (TF).

Under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019, CSPs fall under the category of Designated Non-Financial Businesses and Professions (DNFBPs) and must comply with the UAE’s AML/CFT regulatory framework.

It highlights common AML gaps identified in CSPs during regulatory inspections by the Ministry of Economy (MoE) and Financial Intelligence Unit (FIU), along with lessons for practitioners to strengthen compliance.

________________________________________

2. Background of the Case

A Dubai-based Company Service Provider (CSP) registered with the MoE offered incorporation and nominee director services to multiple offshore and mainland clients. The MoE initiated an inspection in 2024 to review the CSP’s compliance with AML/CFT requirements.

The inspection focused on the following areas:

• Customer Due Diligence (CDD) and KYC records

• Verification of Ultimate Beneficial Ownership (UBO)

• Risk-based assessment and classification of clients

• Suspicious Transaction Reporting (STR)

• Policies, procedures, and staff training

Despite the CSP’s extensive client portfolio, the firm’s AML framework was found to have significant compliance gaps.

________________________________________

3. Key AML Gaps Identified

a. Weak UBO Identification

The CSP failed to properly verify the ultimate beneficial owners of several entities incorporated through its platform. The company relied solely on documents submitted by clients, without performing independent verification through reliable sources or beneficial ownership registries.

This posed a risk of concealing real ownership structures — a red flag for potential money laundering schemes.

b. Lack of Risk-Based Approach

The firm classified most clients as “low risk” without applying the risk-based methodology required under Article 8 of Cabinet Decision No. 10 of 2019. No documented Enterprise-Wide Risk Assessment (EWRA) existed to evaluate the inherent ML/TF risks associated with jurisdictions, business models, or client activities.

c. Failure to Conduct Ongoing Monitoring

The CSP had not established systems for ongoing monitoring of client transactions, business changes, or ownership modifications. Periodic reviews of KYC records were either missing or outdated, especially for clients incorporated several years earlier.

d. No Suspicious Transaction Reports (STRs) Filed

Despite handling numerous high-risk clients from offshore jurisdictions, no STRs were submitted to the goAML platform. The firm claimed it had “no suspicious transactions,” yet internal records showed multiple high-value transfers and complex ownership layers, which should have triggered internal escalation.

e. Inadequate Staff Training

AML training sessions were neither documented nor role-specific. Employees were unaware of red flags, STR procedures, or the deadlines for reporting suspicious activities. The MLRO lacked updated FIU credentials and formal AML certification.

f. Policy and Governance Weaknesses

The CSP’s AML policy document was generic and outdated, not reflecting current UAE legislation or its business model. It lacked defined procedures for enhanced due diligence (EDD), record retention, and sanctions screening.

________________________________________

4. Regulatory Action Taken

Based on these findings, the Ministry of Economy imposed the following actions:

• Administrative Fine: AED 300,000 for multiple AML violations.

• Compliance Remediation Order: Mandatory update of AML policies and risk assessments.

• Training Requirement: The firm’s MLRO and staff were required to complete MoE-approved AML training.

• Enhanced Monitoring: The company was placed under supervisory watch for 12 months, with follow-up audits scheduled.

These actions reflected the MoE’s zero-tolerance approach toward DNFBPs that fail to maintain an effective AML control framework.

________________________________________

5. Lessons Learned

a. UBO Verification Is Mandatory

CSPs must go beyond client declarations — verifying beneficial ownership structures using registries, passports, and official corporate documents. Reliance solely on client-provided information is non-compliant.

b. Apply Risk-Based AML Controls

A one-size-fits-all approach to risk classification is insufficient. CSPs must implement Enterprise-Wide Risk Assessments (EWRA) and client-level risk scoring based on geography, services, and ownership complexity.

c. Ongoing Monitoring Is Not Optional

AML compliance is a continuous obligation. Firms should review client files annually or upon trigger events, such as change of ownership or business expansion.

d. Training and MLRO Competence

All employees — especially front-facing staff — must undergo regular AML training. The MLRO should hold recognized qualifications and be empowered to act independently.

e. Record Keeping and Audit Trail

CSPs must retain client identification, due diligence, and transaction data for at least five years post-relationship, as required under Article 16 of Cabinet Decision No. 10 of 2019.

________________________________________

6. Best Practices for CSPs

1. Develop a Comprehensive AML Policy tailored to the company’s business model and risk exposure.

2. Conduct Initial and Ongoing Risk Assessments at both entity and client levels.

3. Register and actively use goAML for filing STRs and DPMSRs.

4. Screen clients and UBOs against international sanctions and PEP databases.

5. Appoint a qualified MLRO and ensure escalation protocols are clearly defined.

6. Maintain training logs and annual refreshers for all staff.

7. Engage independent auditors or consultants for annual AML reviews and system testing.

________________________________________

7. Conclusion

The case of AML gaps in Company Service Providers illustrates the increasing regulatory scrutiny over DNFBPs in the UAE. CSPs must recognize that AML compliance is not a documentation exercise — it is an operational necessity.

Strong AML frameworks, timely STR filing, and proactive governance not only ensure regulatory compliance but also enhance a firm’s credibility and safeguard the UAE’s financial integrity.

________________________________________

8. About Sheikh Anwar Accounting & Auditing LLC

Sheikh Anwar Accounting & Auditing LLC is a UAE-based professional firm specializing in AML/CFT compliance, audit, and corporate tax advisory. Our team assists DNFBPs, CSPs, real estate brokers, and gold traders in achieving full AML compliance in line with UAE Cabinet Decisions and FATF recommendations.

Our core AML services include:

• AML Policy and Risk Assessment Development

• MLRO Outsourcing and goAML Registration

• STR/DPMSR Filing Support

• AML Training and Awareness Programs

• AML Compliance Health Check and Audit

📞 Phone: +971 4 876 9890

📧 Email: info@sa-auditors.com

🌐 Website: www.sa-auditors.com

🏢 Office: Sheikh Anwar Accounting & Auditing LLC, Dubai Creek Tower, Office M-35, Dubai, United Arab Emirates