How to Conduct an AML Risk Assessment in UAE

Introduction

An Anti-Money Laundering (AML) Risk Assessment is the cornerstone of an effective compliance framework for Designated Non-Financial Businesses and Professions (DNFBPs) in the UAE. It helps entities identify, understand, and mitigate the risks of money laundering and terrorist financing (ML/TF) associated with their business activities.

Under Federal Decree-Law No. (20) of 2018 and Cabinet Decision No. (10) of 2019, every DNFBP — including gold and jewellery dealers, real estate brokers, auditors, lawyers, and corporate service providers — is required to conduct periodic AML risk assessments and maintain documentation for regulatory review.

It provides a step-by-step guide to conducting an AML Risk Assessment in line with UAE regulatory expectations and FATF standards.

________________________________________

1. Understand the Regulatory Framework

Before beginning the risk assessment, DNFBPs must familiarize themselves with the UAE AML/CFT regulations, including:

• Federal Decree-Law No. 20 of 2018 (AML/CFT Law)

• Cabinet Decision No. 10 of 2019 (Implementing Regulation)

• Cabinet Decision No. 109 of 2023 (Recent amendments)

• Ministry of Economy DNFBP AML Guidelines

• goAML system requirements

Understanding these rules ensures your assessment aligns with both local obligations and international FATF recommendations.

________________________________________

2. Define the Scope and Objectives

The risk assessment must clearly define:

• The business areas and activities covered (e.g., trading, consulting, real estate brokerage)

• The customer base (e.g., individuals, corporates, high-net-worth clients)

• The geographic markets (domestic, international)

• The products and services offered (cash-intensive, online, cross-border)

The delivery channels (face-to-face, online, intermediaries)

This helps in determining the exposure level of each activity to ML/TF risks.

________________________________________

3. Identify Risk Factors

The next step is to identify the four key categories of risk factors as per FATF and UAE guidelines:

a. Customer Risk

Evaluate customer types that may pose higher risks:

• Politically Exposed Persons (PEPs)

• Non-resident clients

• Clients dealing in high-value goods or cash transactions

• Complex ownership structures (shell companies, offshore setups)

b. Product/Service Risk

Certain products and services attract higher ML/TF risk:

• High-value transactions (gold, diamond, real estate)

• Company formation or trust services

• Third-party payments

• Virtual asset dealings

c. Geographic Risk

Assess risks linked to countries:

• Subject to FATF grey/black lists

• With weak AML enforcement

• Under UN sanctions

• High corruption index or offshore tax havens

d. Delivery Channel Risk

How the service is delivered matters:

• Non face-to-face onboarding

• Agents, brokers, or intermediaries

• Online transactions without digital KYC

• Outsourced or cross-border operations

________________________________________

4. Analyze and Assess Risks

Once risk factors are identified, evaluate the likelihood and impact of ML/TF occurring in each category.

A Risk Matrix can be used:

Risk Factor Likelihood Impact Risk Rating

PEP Customer High High High

Domestic Retail Client Low Low Low

Offshore Company Medium High High

Assign numerical or descriptive ratings (e.g., Low, Medium, High) to each risk category.

________________________________________

5. Evaluate Existing Controls

Review and assess the effectiveness of your current controls such as:

• Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

• Ongoing transaction monitoring

• Record keeping and reporting systems

• Internal AML policies and procedures

• Staff training programs

Determine whether these controls sufficiently mitigate the identified risks or if additional measures are needed.

________________________________________

6. Determine the Residual Risk

After applying mitigation controls, calculate the residual risk — the remaining risk level after control measures.

This step ensures management understands the true exposure even after implementing preventive mechanisms.

If residual risks remain high, enhanced monitoring and additional controls must be introduced.

________________________________________

7. Document the Risk Assessment

Every DNFBP must maintain a comprehensive written risk assessment report covering:

• Methodology used

• Identified risk factors

• Assessment results

• Mitigation controls

• Residual risks

• Approval by senior management

The report should be reviewed at least annually or whenever there is a major business or regulatory change.

Authorities (like the Ministry of Economy or Free Zone AML Departments) may request this document during inspections.

________________________________________

8. Implement Risk-Based Controls

Based on the findings, the DNFBP should design and apply risk-based AML controls, such as:

• Applying EDD for high-risk clients and transactions

• Increasing monitoring frequency for high-risk sectors

• Automating sanctions and PEP screening

• Restricting cash-intensive or offshore dealings

• Conducting independent AML audits

________________________________________

9. Continuous Monitoring and Review

AML risk assessment is a dynamic process. As the business grows or client profiles change, new risks emerge.

Therefore, DNFBPs should:

• Reassess risks periodically

• Monitor regulatory updates and FATF lists

• Review goAML filing records for red flags

• Train staff regularly to maintain awareness

________________________________________

10. Use of Technology in Risk Assessment

To ensure consistency and accuracy, DNFBPs can leverage AML technology tools such as:

• MyAML.io for risk profiling and customer scoring

• Finabooks.com for transaction monitoring integration

• Automated KYC screening systems linked to UAE watchlists

Using digital platforms not only simplifies compliance but also enhances transparency and reporting efficiency.

________________________________________

Conclusion

An effective AML Risk Assessment is not just a regulatory requirement — it’s a strategic compliance tool that safeguards your business reputation and prevents exposure to financial crime.

By following a structured, risk-based approach aligned with UAE regulations, DNFBPs can demonstrate a strong compliance culture and readiness for AML inspections.

For professional assistance in preparing or reviewing your AML Risk Assessment, contact the experts at:

________________________________________

Sheikh Anwar Accounting & Auditing LLC

Licensed Auditor – Ministry of Economy (Entry No. 5817)

📍 Dubai Creek Tower, Office M35, Dubai, UAE

🌐 www.sa-auditors.com

✉️ info@sa-auditors.com