Introduction
The Financial Action Task Force (FATF) sets the global standards for combating money laundering (ML), terrorist financing (TF), and proliferation financing (PF). Its recommendations form the backbone of AML/CFT frameworks implemented by governments, regulators, and private entities worldwide.
In the United Arab Emirates (UAE), the FATF’s principles—particularly the Risk-Based Approach (RBA)—are embedded within Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019. These laws require all financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs) to adopt a risk-based AML program aligned with FATF’s guidance.
This article explains the FATF’s RBA concept, its practical application in the UAE, and what it means for DNFBPs, including gold traders, real estate brokers, auditors, and corporate service providers.
________________________________________
1. Understanding the FATF’s Risk-Based Approach
The FATF’s Risk-Based Approach (RBA) is centered on the principle that not all customers, transactions, or products present the same level of money laundering or terrorist financing risk.
Hence, entities should:
• Identify and understand their ML/TF risks.
• Apply resources proportionately.
• Implement stronger controls where the risk is higher, and simplified measures where the risk is lower.
This approach ensures efficiency, proportionality, and effectiveness in compliance programs.
________________________________________
2. FATF Recommendations Supporting the Risk-Based Approach
The RBA is woven throughout multiple FATF Recommendations, but it is most explicitly reflected in:
• Recommendation 1: Countries, financial institutions, and DNFBPs should identify, assess, and understand ML/TF risks and apply a risk-based approach to mitigate them.
• Recommendation 10: Customer Due Diligence (CDD) should be proportionate to risk.
• Recommendation 26: Supervision of entities should be based on their risk level.
• Recommendation 34: Guidance and feedback should help entities implement the RBA effectively.
Together, these recommendations emphasize the principle that compliance should be risk-driven, not rule-driven.
________________________________________
3. UAE’s Implementation of the Risk-Based Approach
The UAE has adopted FATF’s RBA framework within its national AML/CFT strategy. All entities regulated by the Ministry of Economy (MOE), Central Bank, Securities and Commodities Authority (SCA), Insurance Authority, and Free Zone Regulators (DMCC, ADGM, DIFC, RAKEZ, etc.) are mandated to apply the RBA.
Key UAE Provisions Reflecting RBA
• Cabinet Decision No. 10 of 2019, Article 6: Requires the identification, assessment, and documentation of ML/TF risks.
• Article 7: Obligates entities to apply proportionate risk mitigation controls.
• Article 8: Mandates Enhanced Due Diligence (EDD) for high-risk clients.
• Article 9: Allows Simplified Due Diligence (SDD) for low-risk clients.
These provisions ensure that AML efforts are balanced and evidence-based.
________________________________________
4. Core Steps in Implementing the RBA
The FATF outlines several key steps for implementing the Risk-Based Approach effectively:
Step 1: Risk Identification
Identify risks arising from:
• Customers and their beneficial ownership structures.
• Products and services offered.
• Delivery channels (face-to-face, online, intermediaries).
• Geographic exposure (high-risk jurisdictions).
Step 2: Risk Assessment
Assess inherent risks before applying controls. Classify each as Low, Medium, or High based on likelihood and potential impact.
Step 3: Risk Mitigation
Design control measures to mitigate identified risks:
• Implement Customer Due Diligence (CDD) procedures.
• Conduct Enhanced Due Diligence (EDD) for high-risk cases.
• Apply transaction monitoring and record-keeping protocols.
• Strengthen governance and training.
Step 4: Ongoing Monitoring
Continuously monitor relationships and transactions to detect unusual or suspicious patterns.
Step 5: Documentation and Reporting
Document every risk assessment and retain evidence to demonstrate compliance to regulators during AML inspections or audits.
________________________________________
5. FATF’s RBA for DNFBPs (Non-Financial Businesses)
The FATF provides sector-specific guidance to DNFBPs, including:
• Real Estate Agents: Focus on high-value property transactions and foreign buyers.
• Dealers in Precious Metals and Stones (DPMS): Monitor cash transactions and cross-border trade.
• Accountants and Auditors: Identify suspicious structuring or client ownership concealment.
• Lawyers and Corporate Service Providers: Verify beneficial ownership and prevent misuse of legal entities.
These sectors play a critical gatekeeping role in preventing financial crimes in the UAE economy.
________________________________________
6. Benefits of a Risk-Based Approach
The RBA helps both regulators and entities operate more effectively:
For Businesses
• Focus compliance efforts on genuine threats.
• Avoid unnecessary administrative burden.
• Build strong relationships with banks and regulators.
• Demonstrate proactive compliance during inspections.
For Regulators
• Improve supervision efficiency.
• Encourage innovation in AML systems.
• Allocate oversight resources based on actual risk.
________________________________________
7. Common Challenges in Applying the RBA
Despite its importance, many UAE DNFBPs face challenges implementing the RBA effectively:
• Lack of internal expertise in risk scoring and control testing.
• Limited use of automated AML technology.
• Outdated or incomplete risk registers.
• Overreliance on generic templates instead of entity-specific assessments.
To overcome these issues, companies should conduct Enterprise-Wide AML Risk Assessments (EWRA) and periodically review and update risk matrices in line with changing business models and regulatory updates.
________________________________________
8. Role of Technology in Supporting the RBA
The FATF encourages the use of RegTech and SupTech solutions to enhance AML effectiveness.
UAE firms are increasingly adopting:
• AI-driven risk profiling systems.
• Automated sanctions and PEP screening tools.
• Digital onboarding (e-KYC) solutions.
• goAML reporting integrations for STR and DPMSR filings.
Technology allows SMEs and large institutions alike to manage compliance efficiently and maintain an audit-ready risk framework.
________________________________________
9. Linking the RBA with UAE’s National Risk Assessment (NRA)
UAE businesses must align their internal risk assessments with the National Risk Assessment (NRA) findings, which identify national-level threats and vulnerabilities.
For example:
• Higher ML risk in precious metals trade.
• TF risk linked to non-profit sectors.
• Geographic risks from cross-border trade routes.
Mapping your company’s risks to the NRA ensures your AML framework remains consistent with national priorities.
________________________________________
10. Best Practices for UAE Businesses
✅ Conduct an annual AML Risk Assessment and update it with FATF and UAE MOE guidance.
✅ Apply EDD for high-risk jurisdictions, customers, and products.
✅ Maintain detailed documentation and evidence of decisions.
✅ Train staff on the RBA concept and risk scoring methods.
✅ Periodically review control effectiveness through internal or external AML audits.
________________________________________
Conclusion
The Risk-Based Approach is the cornerstone of FATF’s AML framework and the foundation of the UAE’s regulatory model. It promotes flexibility, efficiency, and accountability, allowing companies to direct their compliance resources where they are needed most.
By adopting FATF’s RBA principles and integrating them into daily operations, UAE businesses not only ensure regulatory compliance but also strengthen their reputation and operational resilience in a globally connected economy.
________________________________________
By Sheikh Anwar Accounting & Auditing LLC
AML & Compliance Experts in the UAE
📞 +971 4 876 9890 | ✉️ info@sa-auditors.com | 🌐 www.sa-auditors.com
Copyright © 2023 SA Auditors - All Rights Reserved.