IPR & AML Compliance · AML / CFT Services
Documentation
Documentation is the engagement through which PNPC builds, organises, and maintains the written record every UAE Designated Non-Financial Business and Profession and regulated financial entity must be able to produce on demand under Federal Decree-Law No.
Chartered Accountants · Dubai · Since 1986
AML/CFT Documentation is the discrete but essential discipline of converting a business's anti-money laundering obligations under Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decision No. 10 of 2019 (as amended) into a written, organised, and retrievable evidence file. The AML/CFT Law and its regulations do not merely require an entity to behave correctly — they require the entity to be able to prove, on request from the Ministry of Economy, the UAE Central Bank, or the relevant free zone financial regulator (DFSA in DIFC, FSRA in ADGM), that it behaved correctly, and to produce that proof within a stated timeframe. Documentation is the bridge between an AML/CFT programme that genuinely operates and a programme that can withstand a supervisory inspection, a bank's own AML due diligence request, or a court or regulator's after-the-fact review.
The documentation set spans several distinct categories that together form the entity's compliance record. At the governance level: the board-approved AML/CFT policy and procedures manual, the appointment record and authority delegation for the designated Compliance Officer or Money Laundering Reporting Officer (MLRO), and the business-wide risk assessment covering customer, geographic, product, and delivery-channel risk. At the customer level: Customer Due Diligence and Enhanced Due Diligence files, beneficial ownership identification and verification records maintained consistent with Cabinet Decision No. 58 of 2020 on beneficial ownership procedures, and evidence of sanctions and Politically Exposed Person (PEP) screening at onboarding and on an ongoing basis. At the operational level: staff training attendance and content records, transaction-monitoring logs and alert-disposition notes, and the internal escalation trail showing how a concern moved from a front-line observation to a Compliance Officer decision to, where warranted, a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) filed through the goAML platform operated by the UAE's Financial Intelligence Unit.
What makes documentation its own discipline, rather than a byproduct of doing the underlying compliance work, is that a supervisory inspection tests the paper trail specifically — not the business's general good faith. An inspector reviewing a sample of customer files is checking whether the risk rating assigned matches the documented methodology, whether the beneficial ownership look-through was actually recorded and not just performed informally, whether screening was run at the frequency the policy states, and whether training that staff plainly received was ever logged with dates, content, and attendee names. A business that performed all of the underlying work correctly but never wrote it down is, from the inspector's vantage point, indistinguishable from a business that never did the work — because there is nothing to examine. This is the single most common gap PNPC finds when reviewing another firm's AML file: the compliance activity happened, but the record of it did not survive in a form a third party could verify.
Documentation also has a retention and retrievability dimension that is frequently underestimated. The AML/CFT Law requires customer identification records, CDD documentation, and transaction records to be retained for a minimum prescribed period following the end of the business relationship or the transaction date, and produced to the competent authority within the timeframe it sets. Retaining a record technically, in an unindexed folder or a departed employee's inbox, satisfies the retention obligation in name only if the entity cannot locate and produce it inside the window given — which, on inspection, reads almost identically to not having kept the record at all. A properly built documentation function therefore designs for retrieval from the outset: a consistent filing structure, a clear index by customer and by document category, and a named owner responsible for keeping the file current as roles, policies, and regulatory guidance change.
Finally, documentation is not a one-time deliverable. The AML/CFT Law and its Cabinet Decisions are periodically amended, the FIU and Ministry of Economy issue updated guidance, and a business's own customer base, products, and risk exposure change over time. A risk assessment or policy manual drafted once at the point of registration and never revisited drifts out of alignment with both the current regulatory text and the entity's actual current activity — and a stale document is one of the most reliably flagged inspection findings PNPC sees, because 'when was this last reviewed' is a question every inspector asks and every out-of-date file answers badly. PNPC's Documentation engagement is built to produce a file that is accurate on day one and stays defensible through the annual review cycle that follows.
The documentation obligation also varies in emphasis, though not in substance, depending on whether the entity sits under Ministry of Economy DNFBP supervision on the UAE mainland or in a non-financial free zone (JAFZA, DMCC, RAKEZ, IFZA, Meydan, RAK ICC, Ajman Free Zone), or under one of the two financial free zone AML supervisors — the DFSA in DIFC or the FSRA in ADGM. The underlying document categories are broadly the same across all three, but the specific submission channel, portal, and supervisory correspondence differ, and a documentation file built for a mainland DNFBP cannot simply be relabelled for a DIFC or ADGM entity without checking that free zone regulator's own rulebook requirements first. PNPC confirms which supervisory framework actually governs a given entity before finalising the documentation structure, since a complete, well-organised file built against the wrong framework still fails to satisfy the entity's actual regulator.
When a dedicated Documentation engagement is the right fit
You have a functioning AML/CFT compliance practice — CDD is performed, screening happens, staff are briefed — but none of it is written down in a form that could be produced to an inspector today
Your existing AML policy manual, risk assessment, or MLRO appointment record was drafted years ago, has never been reviewed, and no longer reflects your current business activity or the current Cabinet Decision text
You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection notice and need your documentation set assembled, indexed, and inspection-ready on a compressed timeline
Your goAML registration is complete but the risk assessment, policies, and procedures behind it were never formally drafted or were built from an unadapted template
You need staff training records, screening evidence, and escalation logs reconstructed retrospectively because they were performed informally without being logged at the time
A correspondent bank or partner has asked to see your AML/CFT policy, beneficial ownership register, or risk assessment as part of its own AML due diligence on you as a business customer
Your Compliance Officer or MLRO has changed and the appointment record, authority delegation, and succession documentation need to be brought current on the goAML profile and internally
You are consolidating documentation across multiple UAE entities in a group structure and need a consistent filing methodology and index across all of them
You have completed remediation following an inspection finding and need the corrective documentation — updated policy, refreshed training log, closed-out action plan — formally compiled as evidence the finding was addressed
Your business operates across mainland and free zone UAE entities (or across DIFC/ADGM and Ministry of Economy-supervised structures) and you need documentation frameworks calibrated correctly to each entity's actual supervisor rather than one file copied across all of them
You are migrating from paper-based compliance records to a digital case-management or screening system and need the underlying documentation categories mapped correctly into the new system so nothing is lost in the transition
Your organisation is preparing for a bank, investor, or acquirer's AML due diligence ahead of a financing round, share sale, or acquisition, and needs its documentation file production-ready on a defined timeline
Where a different engagement fits better
You do not yet have any AML/CFT compliance activity to document — no risk assessment has been performed, no CDD methodology exists, and no Compliance Officer has been appointed; that is a full KYC & Customer Due Diligence Advisory build, not a documentation exercise layered on top of nothing
You have not yet confirmed whether your business falls within a DNFBP or regulated Financial Institution category at all — an applicability assessment should come first, since documenting an obligation that does not actually apply wastes effort
You need the goAML organisation and Compliance Officer portal registration itself completed and have not yet registered — that is the goAML Portal Registration & Reporting Assistance engagement, though it is frequently paired with documentation work
Your requirement is to design or redesign the underlying CDD/EDD risk methodology itself, not simply record an existing one in writing — that is advisory work, and documentation should follow it rather than substitute for it
You are under active investigation for a specific suspected money-laundering or terrorist-financing offence — that requires criminal defence legal representation as the lead engagement, with documentation support playing a secondary role
You want a template policy dropped into your file without any review of whether it reflects your actual business — a document that does not match reality is a liability on inspection, not an asset, regardless of how complete it looks
You are looking for a one-time document set with no plan to review or update it — documentation that is accurate today and never revisited again predictably drifts out of date within a year or two as guidance and the business itself change
You need the underlying sanctions/PEP screening tool itself selected, configured, or implemented — that is a technology/vendor selection exercise PNPC can advise around, but documentation assumes a screening process already exists to be recorded
Your business has already closed or is being formally liquidated and your only remaining question is how long closed-file AML records must be retained post-closure — that is a retention-period confirmation, narrower than a full documentation build
You are asking PNPC to backdate, alter, or fabricate a record to appear as though a compliance step occurred at an earlier date than it actually did — PNPC will not create records that misrepresent when an activity took place, and will instead build an honest reconstruction that is clearly dated as such
Documentation engagement vs adjacent UAE AML/CFT service scopes
| Feature | Documentation (this service) | KYC & CDD Advisory | goAML Portal Registration & Reporting | AML Risk Assessment (standalone) | AML Training and Capacity Building |
|---|---|---|---|---|---|
| Primary purpose | Build, organise, and maintain the written evidence file proving the AML/CFT programme operates as required | Design and implement the full risk-based CDD programme, of which documentation is one output | Register the entity and its Compliance Officer on the FIU goAML platform and support STR/SAR filing | Produce the entity-specific risk assessment document that documentation later indexes and maintains | Deliver staff training itself; documentation then records that it happened |
| Typical starting point | Compliance activity already happens informally; the paper trail is missing or disorganised | No CDD methodology yet exists and needs to be designed from the ground up | Entity is in scope and has not yet obtained goAML platform access | No documented risk methodology exists yet, or the existing one is out of date | Staff have not received formal, logged AML/CFT training |
| Core deliverable | Indexed, retrievable evidence file: policies, CDD/EDD records, screening logs, training records, escalation trail | Full programme — risk assessment, policy, CDD/EDD procedures, screening design, training, goAML registration | Active goAML organisation and Compliance Officer registration with filing access | A single written, entity-specific risk assessment document | Delivered training sessions with attendance and competency records |
| Inspection relevance | Directly what an inspector reviews file-by-file during a supervisory visit | Builds the substance the documentation later has to prove existed | Necessary precondition for reporting capability, not sufficient alone for inspection readiness | One required document within the larger file, not the whole file | One required record within the larger file, not the whole file |
| Who typically commissions it | Entities with an operating but unrecorded, or disorganised and stale, compliance practice | Entities building a compliance function from scratch or substantially rebuilding one | Entities that are in scope but have never registered, or whose registration lapsed | Entities that need the foundational risk document specifically, often as a first step | Entities with a written policy but no evidence staff were ever trained on it |
| Engagement cadence | Initial build plus scheduled annual refresh and event-driven updates | Initial build, typically 6–10 weeks, then ongoing advisory | One-time registration, ongoing platform use thereafter | One-time drafting, reviewed and refreshed at least annually | Initial delivery, refresher sessions on an annual or trigger-driven cadence |
| Mainland vs free zone calibration | Structure and index calibrated to whichever supervisor (Ministry of Economy, DFSA, or FSRA) actually governs the entity | Methodology itself does not change by supervisor, though registration route can | Registration channel and portal differ by supervisor and jurisdiction | Risk factors can include free zone/jurisdiction exposure as an input | Training content references the applicable supervisory framework |
| Role of digital systems | Reviews whether screening, case-management, or document-repository systems actually preserve a retrievable, tamper-evident record, not just paper files | May recommend a CDD workflow system as part of programme design | Platform itself is a digital reporting system | Not directly system-dependent | Training covers how staff use whatever system is in place |
| Typical file owner within the client organisation | Compliance Officer/MLRO with PNPC supporting build and maintenance | Compliance Officer with PNPC as design advisor | Compliance Officer as the registered goAML user | Senior management sign-off, Compliance Officer custody | HR/Compliance Officer jointly for training records |
These engagements are frequently combined and PNPC scopes them together where a client's need spans more than one — a documentation build is most effective when it sits on top of a genuinely functioning CDD programme, and PNPC will flag where the underlying substance needs building or repair before the paper trail can honestly reflect it.
| # | Stage & What PNPC Does | What a Self-Assembled File Typically Misses | Timeline |
|---|---|---|---|
| 1 | Documentation Scoping & Gap Assessment — review of what currently exists against the full required document set | Businesses often believe their file is more complete than it is because individual documents exist somewhere, but no one has checked the full set against what the AML/CFT Law and Cabinet Decision actually require category by category. | Week 1 |
| 2 | Governance Document Compilation — board/management approval records, AML/CFT policy and procedures manual, Compliance Officer/MLRO appointment and authority delegation | A policy manual with no recorded board or senior-management approval reads as an unadopted draft on inspection, regardless of how well it is written — approval evidence is a specific, separate document, not implied by the policy's existence. | Week 1–2 |
| 3 | Risk Assessment Indexing — the current business-wide risk assessment reviewed for currency and formally filed as the reference document the CDD procedures apply | A risk assessment that exists but is not clearly dated, versioned, and cross-referenced to the policies built on it creates ambiguity about which methodology was actually in force at a given point in time. | Week 1–2 |
| 4 | Customer File Structure & Indexing — a consistent CDD/EDD file format applied across the existing customer base, organised for retrieval by risk category | Customer files accumulated organically over time rarely share a consistent structure, making a sample review by an inspector slower and more likely to surface inconsistencies that a uniform format would have prevented. | Week 2–4 |
| 5 | Beneficial Ownership Register Reconciliation — the Register of Beneficial Owners checked for completeness and currency against Cabinet Decision No. 58 of 2020 requirements and formally filed | Beneficial ownership registers are frequently accurate at the point they were first compiled but never updated as ownership changes occur — an inspector testing the register against current shareholding finds a stale document. | Week 2–3 |
| 6 | Screening Evidence Compilation — sanctions and PEP screening records, including disposition notes for partial or possible matches, organised as retrievable evidence | Screening tools generate alerts, but without a documented disposition of each alert — cleared, escalated, or confirmed a false positive — the alert log shows activity happened without showing a decision was actually made. | Week 2–4 |
| 7 | Training Record Assembly — attendance, content, and date records for all delivered AML/CFT training, including any historical sessions that were run but never logged | Verbal or informal briefings that staff genuinely received are treated on inspection as if they never happened if there is no dated record of who attended and what was covered. | Week 3–4 |
| 8 | STR/SAR and Escalation Trail Documentation — the internal record of how any suspicion was raised, escalated to the Compliance Officer, assessed, and — where filed — submitted through goAML | A filed STR with no accompanying internal escalation log looks, on review, like an isolated event rather than evidence of a functioning escalation process staff can be expected to repeat. | Week 3–4 |
| 9 | Retention & Retrieval System Design — a filing structure and index that lets any document category be located and produced within a stated timeframe | Records that are technically retained but not indexed for retrieval fail the practical test of an inspection request with a deadline, even though the underlying obligation to keep the record was met. | Week 4–5 |
| 10 | Version Control & Review Cycle Set-Up — a documented schedule for when each category of document is next due for review, tied to the compliance calendar | A document set that is accurate at delivery but has no built-in review trigger drifts out of date exactly the way the original, unmanaged file did — the fix has to include a maintenance mechanism, not just a one-time refresh. | Week 4–5 |
| 11 | Inspection-Readiness Walkthrough — a mock review of the completed file as if a Ministry of Economy or Central Bank inspector were testing it | The gaps that surface in a genuine walkthrough — a missing signature, an undated training log, a beneficial owner never updated after a share transfer — are rarely visible from a checklist review alone. | Week 5–6 |
| 12 | Ongoing Documentation Maintenance — ongoing support keeping the file current as the business, its customers, and the regulatory text change | A completed file left untouched after handover begins the same drift it was built to correct; ongoing maintenance is what keeps it inspection-ready a year or two later, not just at the point of delivery. | Ongoing, retainer basis |
| 13 | Free Zone / Mainland Supervisory Calibration Check — confirming the documentation structure is built against the entity's actual governing supervisor (Ministry of Economy, DFSA, or FSRA) | Businesses with mixed mainland and free zone entities in a group sometimes apply one supervisor's expectations across all entities, creating a file that looks complete but is built against the wrong framework for at least one entity. | Week 1 |
| 14 | Digital Record System Review — assessing whether existing screening, case-management, or document-repository software actually preserves and can produce records on request | A system that logs activity but has no straightforward export process or access-continuity plan if a single staff member's account is disabled looks retrievable in theory and is not, in practice, when an inspector's deadline actually arrives. | Week 4–5 |
| 15 | Bank/Third-Party AML Due Diligence Response Pack — a condensed, appropriately scoped version of the documentation file prepared for banks, investors, or counterparties requesting AML assurance | Handing over the full internal file to an external party is rarely appropriate; businesses without a prepared summary pack either over-share sensitive internal material or under-deliver and stall the counterparty relationship. | Week 5–6, as needed |
Realistic timeline for a full documentation build on an existing but disorganised compliance practice: 4–6 weeks depending on customer base size and how much of the underlying record already exists in some form. A narrower engagement responding to a specific inspection notice on a compressed timeline can move faster, prioritising the categories most likely to be tested first.
Board or senior management resolution formally adopting the AML/CFT policy and procedures manual
Compliance Officer / MLRO appointment letter or resolution, evidencing seniority and delegated authority
Organisational chart showing the Compliance Officer's reporting line to senior management or the board
Record of any Compliance Officer succession, including handover documentation and updated goAML profile confirmation
Version history of the AML/CFT policy manual, showing dates of adoption and each subsequent revision
Current business-wide AML/CFT risk assessment covering customer, geographic, product/service, and delivery-channel risk
Risk-rating methodology applied to customers, cross-referenced to the CDD/EDD procedures it supports
Record of the most recent risk assessment review date and any changes made since the prior version
Documentation of any material business change (new product, new customer segment, new jurisdiction exposure) and the corresponding risk assessment update
Standard CDD files: identity verification documents, business relationship purpose, and risk rating assigned
Enhanced Due Diligence files for higher-risk customers: source-of-funds/wealth documentation and senior management approval records
Beneficial ownership identification records and the current Register of Beneficial Owners, reconciled to actual shareholding
Evidence of ongoing monitoring and periodic file refresh for higher-risk relationships, per the schedule the risk assessment sets
Sanctions and PEP screening logs, including screening date, list source, and result
Disposition notes for every partial or possible match, showing whether it was cleared, escalated, or confirmed
Evidence of periodic re-screening cadence, not just onboarding screening
Transaction-monitoring alert logs and the outcome of each alert reviewed
Staff training attendance sheets, content summaries, and dates for all delivered sessions
Refresher training records showing the annual or trigger-driven training cadence has been maintained
Internal escalation logs showing how a concern moved from initial observation to Compliance Officer review
STR/SAR filing records and the goAML submission confirmations for any reports actually filed
Any correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA relating to a prior inspection, query, or directive
Corrective action plans addressing any prior finding, with evidence of completion and sign-off
goAML organisation and Compliance Officer registration confirmations
Confirmation of the periodic goAML profile re-registration/confirmation cycle, where applicable
Entity-by-entity confirmation of which supervisory authority (Ministry of Economy, DFSA, or FSRA) governs each UAE entity in the group, filed alongside the documentation for that entity
Intercompany service or referral arrangements documented where customer introductions or shared compliance resources cross entity lines
Consolidated group index cross-referencing each entity's individual documentation file, without merging files that belong to legally distinct supervised entities
Record of any group-level policy adopted centrally and formally localised/adopted at each individual UAE entity level
Confirmation of which software or platform (screening tool, case-management system, document repository) holds each category of AML record
Export/extraction procedure documented for each system, confirming records can be produced in a reviewable format within the timeframe an inspector gives
Access-continuity record showing more than one authorised person can retrieve system records, so a single departed staff member's account does not become a single point of failure
Audit-log or version-history settings confirmed as enabled where the system supports it, so changes to a record over time are themselves traceable
| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Initial File Assembly (Week 1–6) | First structured documentation build, or a gap assessment revealing a materially incomplete file | Governance records, risk assessment, CDD/EDD files, screening evidence, and training logs compiled, indexed, and cross-referenced into a single retrievable file structure. | An entity that performs the underlying AML work but cannot produce the paper trail is treated on inspection as if the work never happened, regardless of actual practice. |
| Ongoing Document Capture | Every new customer onboarded, screening run, or training session delivered | Each compliance activity logged at the point it occurs — onboarding decision, screening result, training attendance — rather than reconstructed retrospectively from memory. | Retrospective reconstruction is rarely as accurate or as credible on inspection as a contemporaneous record, and some detail is inevitably lost or disputed. |
| Annual Review Cycle | Anniversary of the documentation build, or a material change in the business or regulatory guidance | Risk assessment, policy manual, and beneficial ownership register formally reviewed and updated, with the review itself dated and recorded as evidence the cycle occurred. | A file that is accurate at delivery but never revisited becomes stale within a year or two, and 'when was this last reviewed' is a standard inspection question with an easy pass or fail answer. |
| Compliance Officer or Ownership Change | Change in the designated Compliance Officer, or a change in beneficial ownership | Updated appointment records, revised goAML profile, and a reconciled beneficial ownership register produced promptly, closing any gap in the documentation trail. | An outdated Compliance Officer record or an unreconciled beneficial ownership register is a governance gap an inspector identifies quickly and treats as an aggravating factor. |
| Bank or Partner AML Due Diligence Request | A correspondent bank, partner, or counterparty requests evidence of your AML/CFT programme as part of its own due diligence | The current, indexed documentation set produced promptly, without needing to be assembled from scratch under time pressure. | A slow or incomplete response to a bank's AML due diligence request can affect banking relationships independent of any regulatory inspection outcome. |
| Regulatory Inspection | Scheduled or unannounced visit from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA | PNPC supports document production against the inspector's specific requests, drawing on the indexed file built and maintained for exactly this purpose. | An entity unable to produce requested documentation within the given timeframe faces findings that typically escalate from a corrective action directive to administrative fines and, in serious or repeat cases, licence-level consequences. |
| Finding or Remediation Directive | Inspection outcome identifying a documentation gap | A corrective action plan drafted addressing the specific finding, with the remediation itself documented and formally closed out for the record. | An unaddressed or undocumented remediation response risks the same finding recurring at the next inspection cycle, now compounded as a repeat issue. |
| Retention Period Expiry Review | Approach of the minimum prescribed retention period for a given record following the end of a business relationship or transaction | Records reviewed before any disposal decision to confirm the minimum retention period has genuinely elapsed and no other reason (open query, litigation hold) requires continued retention. | Premature disposal of a record still within its required retention period is itself a compliance breach, separate from any underlying transaction issue. |
| New Product, Customer Segment, or Free Zone Entity Launch | Business expands into a new product line, customer type, or adds a new mainland/free zone entity | Documentation structure extended to cover the new scope, checked against whichever supervisor governs the new entity or activity, rather than assumed to already be covered by the existing file. | A new business line or entity onboarded under an unextended documentation file leaves a genuine gap that looks, on inspection, exactly like the file was simply never built for that scope. |
| System Migration or Compliance Software Change | Entity moves from one screening/case-management system to another, or from paper to digital records | Historical records confirmed as migrated completely and remain retrievable and unaltered after transition, with the migration itself documented as evidence nothing was lost in the switch. | Records left behind in a decommissioned system, or not verified as intact after migration, effectively disappear from the retrievable file even though they were never formally destroyed. |
| Business Closure or Liquidation | Entity ceases operations, is acquired, or is formally liquidated | AML/CFT records retained for the applicable minimum period post-closure per current retention requirements, with a named responsible party and location confirmed even after the entity itself winds down. | Records that become effectively orphaned when a business closes and no one remains responsible for them cannot be produced if a regulator or successor entity later needs them within the still-live retention period. |
Starting a documentation build before the underlying CDD methodology, risk assessment, or goAML registration actually exists, and ending up with a beautifully organised file describing a compliance process that is not genuinely operating
Waiting until an inspection notice arrives to begin assembling documentation, rather than treating documentation as a continuous discipline that runs alongside every onboarding, screening, and training activity
Assuming a Compliance Officer/MLRO change is complete once the internal handover happens, without also updating the goAML profile and the documented appointment record — leaving a governance gap an inspector identifies quickly
Extending an existing entity's documentation file to a newly formed mainland or free zone entity without first confirming which supervisor actually governs the new entity, producing a file built against the wrong framework
Adopting a template AML policy without adapting it to the entity's actual customers, products, and transaction patterns, producing a document that describes a generic business rather than the one operating under it
Recording a customer's risk rating without cross-referencing it to the documented methodology behind it, so the rating cannot be explained or defended when an inspector asks how it was reached
Logging only flagged screening alerts and leaving clean screening results unrecorded, so the file cannot show that screening ran systematically rather than only when something happened to trigger a match
Leaving partial or possible sanctions/PEP matches without a documented disposition note, so the alert log shows activity happened but not that a human being actually reviewed and decided what to do about it
Building a complete file once and never scheduling a review, letting the risk assessment, policy, and beneficial ownership register drift out of date within a year or two as the business and the regulatory text both change
Storing records in a way that is technically retained but practically unretrievable — scattered across individual staff members' inboxes or folders with no consistent index by customer or document category
Hosting compliance records on a system only one person can access, so a departed staff member's disabled login becomes the reason a record cannot be produced within an inspector's stated timeframe
Treating the goAML platform's periodic re-registration or confirmation cycle as a purely mechanical portal task, rather than as a trigger to also check whether the wider documentation file behind it is still current
Why do I need a separate Documentation engagement if we already do our AML compliance work properly?
Because UAE supervisory authorities inspect the written record, not your general good-faith conduct. An inspector reviewing a customer file checks whether the risk rating, beneficial ownership look-through, and screening result were actually recorded — not whether you personally believe the work was done well. A business that performs CDD correctly but never documents it is, from the inspector's perspective, indistinguishable from a business that skipped CDD altogether, because there is no evidence to examine either way.
What is the minimum document set every DNFBP needs to be able to produce?
At minimum: a board-approved AML/CFT policy and procedures manual, a documented business-wide risk assessment, the Compliance Officer/MLRO appointment record, CDD files for customers with beneficial ownership identification, sanctions/PEP screening evidence, staff training attendance records, and — where applicable — the internal escalation trail and goAML submission confirmation for any STR/SAR filed. The exact depth expected scales with the size and complexity of the business, but every category above should exist in some form for any in-scope entity.
How is documentation different from the risk assessment or the CDD advisory work itself?
The risk assessment and CDD advisory engagements design and implement the underlying methodology — what risk factors matter, how customers are categorised, what triggers enhanced due diligence. Documentation is the discipline of capturing, organising, and maintaining the written evidence that this methodology was actually applied to real customers and real decisions, in a form that can be retrieved and produced on request. You can have a well-designed methodology and a poorly documented file, or vice versa — the two are related but distinct pieces of work.
We have all our AML records, just not organised — is that enough for an inspection?
Not necessarily. Retention alone does not satisfy the obligation if the entity cannot locate and produce the relevant record within the timeframe a supervisory authority gives during an inspection. A record technically kept somewhere — in an unindexed folder, a departed employee's inbox, or scattered across different staff members' files — that cannot be retrieved on request reads, on inspection, almost identically to a record that was never kept.
How long do we need to retain AML/CFT records under UAE law?
UAE AML law requires customer identification records, CDD documentation, and transaction records to be retained for a minimum prescribed period following the end of the business relationship or the date of the transaction, and produced to the competent authority on request. The precise retention period and any sector-specific variation should be confirmed against the current Cabinet Decision text and any applicable sector-regulator rulebook, since retention requirements are refined periodically through amendments.
What happens if our beneficial ownership register is out of date when an inspector reviews it?
An outdated Register of Beneficial Owners — one that does not reflect a share transfer, new investor, or change in control that has already happened — is a common and specifically-tested inspection finding under Cabinet Decision No. 58 of 2020 and the AML/CFT framework more broadly. It signals that the entity's documentation is not being maintained in step with actual business events, which supervisors treat as a governance gap in its own right, separate from any issue with the underlying transaction record.
Do we need to document sanctions screening even when there is never a match?
Yes. The absence of a match is itself something that needs to be recorded — the fact that screening was run, on what date, against which list, and with what result — because an inspector cannot distinguish 'screening happened and found nothing' from 'screening never happened' unless the negative result is logged as clearly as a positive one would be.
What is a disposition note and why does every screening alert need one?
A disposition note is the documented decision made about a specific sanctions or PEP screening alert — whether it was cleared as a false positive, escalated for further review, or confirmed as a genuine match requiring action. Without it, an alert log shows that the screening tool generated a warning but does not show that a human being actually reviewed and decided what to do about it, which is the substantive step an inspector is testing for.
How do we document staff training that happened but was never formally logged?
Where genuine training occurred without contemporaneous documentation, PNPC works with the entity to reconstruct as accurate a record as possible — confirmed dates, content covered, and attendee names based on available evidence such as calendar invites, presentation materials, or attendee recollection — while being transparent that a reconstructed record is weaker evidence than a contemporaneous one, and building a forward process so this gap does not recur.
Does PNPC draft our AML policies from scratch, or only organise documents we already have?
Both, depending on scope. Where a genuine policy and methodology already exist but the supporting paper trail is missing or disorganised, the engagement focuses on capture, indexing, and retrieval design. Where the underlying policy itself is missing, outdated, or was copied from an unadapted template, PNPC drafts or substantially revises it as part of the same engagement — documentation and the substance behind it are scoped together where the gap analysis shows both are needed.
What does an inspector actually do with our documentation during a visit?
A typical inspection involves reviewing the policy and risk assessment documents for currency and completeness, then pulling a sample of individual customer files to test whether the documented procedure was actually followed — checking the risk rating assigned, the beneficial ownership look-through, the screening evidence, and any escalation trail. Inconsistency between the written policy and what the sampled files actually show is the most common and most damaging type of finding.
How quickly can PNPC assemble documentation if we've already received an inspection notice?
PNPC prioritises the document categories most likely to be tested first — the policy manual, risk assessment, MLRO appointment record, and a representative sample of customer files — and can typically produce an inspection-ready core file within one to two weeks on a compressed timeline, with the fuller file (complete customer base indexing, full training history reconstruction) continuing in parallel.
Is documentation a one-time deliverable or an ongoing service?
Both models exist. A one-time build is appropriate where a business needs its current gap closed and is confident it can maintain the file going forward. Most PNPC clients, however, take the ongoing retainer option, since the annual review cycle, event-driven updates (Compliance Officer changes, ownership changes, new Cabinet Decisions), and continuous capture of new customer files and screening results are what keep a documentation set from drifting back into disorganisation within a year or two of the initial build.
Does having complete documentation guarantee we will pass a Ministry of Economy inspection?
No. Complete, accurate, and current documentation materially improves the entity's position on inspection and is the strongest evidence a business can offer that its programme actually operates, but the inspecting authority retains full discretion over its findings, and even well-documented programmes can receive observations or findings based on the specific facts reviewed. No adviser can guarantee a regulatory outcome that depends on the supervisor's own judgment.
How does documentation work connect to our goAML registration?
goAML registration and Compliance Officer activation give the entity the ability to file reports; documentation is the separate record proving the risk assessment, policies, CDD, screening, and training that should sit behind that registration actually exist and are current. The two are commonly engaged together, since a goAML registration with no documented programme behind it is precisely the 'registered but hollow' pattern supervisory authorities flag most often on inspection.
What does PNPC's Chennai/Bangalore/Hyderabad/Dubai presence add to a documentation engagement?
For clients with entities spanning both India and the UAE, our Dubai team leads the UAE AML/CFT documentation build directly, while our India offices coordinate any parallel India-side compliance record-keeping under the same engagement — so a group operating in both jurisdictions maintains a consistent documentation methodology rather than two disconnected filing systems built by unrelated advisers.
Do our AML records need to be in Arabic, English, or both?
There is no absolute requirement that internal AML/CFT documentation be maintained in Arabic specifically — many UAE DNFBPs, particularly free zone entities and those with international customer bases, maintain their compliance file in English. What matters more than the language chosen is that the record is genuinely accessible and translatable on request: if a Ministry of Economy or Central Bank inspector needs a document explained or translated, the entity should be able to provide that promptly. Where any specific document has already been submitted to a UAE authority in Arabic (such as certain licensing or governmental correspondence), PNPC keeps that original alongside any English working version rather than substituting one for the other.
Can our AML documentation be maintained entirely digitally, or do we need physical paper files?
UAE AML/CFT law does not require physical paper storage specifically — a digital record is acceptable provided it is genuinely retrievable, accurate, and can be produced to a supervisory authority within the timeframe requested. What matters is not the medium but whether the entity can actually locate and produce the record on demand. PNPC increasingly builds documentation files as structured digital repositories rather than physical binders, since digital indexing generally makes retrieval faster and more consistent than a paper-based system.
How does documentation differ for a mainland DNFBP versus a DIFC or ADGM-regulated entity?
The underlying document categories are broadly the same — policy, risk assessment, CDD evidence, screening records, training logs, escalation trail — but the specific supervisory framework, submission channel, and correspondence process differ. A Ministry of Economy-supervised mainland or non-financial free zone DNFBP is inspected and reported to under the federal AML/CFT Law directly, while a DIFC entity sits under the DFSA's own AML rulebook and an ADGM entity under the FSRA's, each layered on top of, and generally aligned with, the same federal law but administered through that free zone's own regulator. Building a documentation file for the wrong framework — even a complete one — does not satisfy the entity's actual regulator.
We are a dormant or barely-active DNFBP with almost no customers — do we still need a full documentation file?
Yes, in substance, though the depth can reasonably scale to the size of the business. Even a dormant or low-activity DNFBP that remains licensed for a designated activity is expected to have a documented risk assessment, an adopted policy, a designated Compliance Officer, and a goAML registration — the absence of customer transactions reduces the volume of CDD files to maintain, but does not remove the governance-level documentation obligation. An inspector reviewing a dormant entity will still expect to see the governance file, even if the customer-file section is thin.
How does PNPC handle documentation across a group with multiple UAE entities?
PNPC builds each entity's documentation file correctly calibrated to its own governing supervisor, then layers a consolidated group index on top that cross-references each entity's individual file — rather than merging separate legally distinct entities' records into a single undifferentiated file, which creates confusion about which entity a given document actually belongs to. Any group-level policy adopted centrally is also formally localised and re-adopted at each individual entity, since a group policy that was never formally adopted by the specific UAE entity being inspected does not, on its own, satisfy that entity's obligation.
A bank or investor has asked to see our AML documentation as part of their own due diligence — should we hand over our full internal file?
Generally not the complete internal file as-is. PNPC typically prepares a condensed, appropriately scoped summary pack for external due diligence purposes — confirming the policy exists and is current, the risk assessment methodology, Compliance Officer designation, and screening practice — without necessarily sharing individual customer CDD files, which may themselves be confidential to those customers. The right level of disclosure depends on what the requesting party genuinely needs to see and any confidentiality obligations owed to the entity's own customers.
What happens to our AML documentation if our Compliance Officer leaves and the person who built the institutional knowledge is gone?
This is precisely why PNPC builds documentation to be self-explanatory and indexed for a new reader, not dependent on one person's memory of why a decision was made. A well-built file records the reasoning behind a risk rating or a screening disposition at the time it was made, so an incoming Compliance Officer — or PNPC, on an ongoing retainer — can pick up the file and understand it without needing the departed individual to explain it verbally.
Is it acceptable to use AI or automation tools to help generate our AML documentation?
Automation tools can reasonably support documentation work — generating a first-draft screening disposition template, organising a document index, or flagging inconsistencies for human review — but the substantive judgment calls (a customer's risk rating, whether an alert is a genuine match, whether a suspicion rises to STR/SAR level) need to remain a documented human decision by someone with actual authority, not an unreviewed automated output. An inspector testing a file is ultimately testing whether a person exercised and recorded genuine judgment, and a file that reads as entirely auto-generated with no evidence of human review invites exactly that question.
Can PNPC backdate a document to make it look like a compliance step happened earlier than it actually did?
No. Where a genuine compliance activity occurred without contemporaneous documentation, PNPC will help reconstruct an accurate record — clearly noting it as a reconstruction and the date it was actually compiled — but will not create a document dated to falsely suggest it existed at an earlier time. Backdating a record to misrepresent when it was created is a form of falsification that, if discovered on inspection, is treated far more seriously than an honest, dated gap ever would be.
How confidential is our AML documentation once PNPC is involved in building or holding it?
PNPC treats client AML/CFT documentation with the same confidentiality standard applied to all client records, accessible only to the engagement team working on it, and is not shared with any third party without the client's instruction or a valid legal requirement to disclose. The documentation itself, once built, remains the client's own record — PNPC's role is to build, organise, and where engaged on a retainer, help maintain it, not to hold it as PNPC's property.
How long do we need to keep AML documentation after our business closes or is liquidated?
The obligation to retain customer identification, CDD, and transaction records for the applicable minimum prescribed period does not automatically end when the business itself closes — the records need a responsible party and an accessible location for the remainder of that period, even after the entity has wound down. This is a detail businesses closing down frequently overlook, assuming that ceasing operations also ends the record-keeping obligation.
Does our AML documentation overlap with the records we keep for FTA VAT or Corporate Tax purposes?
There is a practical overlap in underlying source material — the same customer, invoice, and transaction records often support both an AML CDD file and a VAT or Corporate Tax filing position — but the two documentation obligations are legally separate, run under different laws, and are reviewed by different authorities (the FTA for tax, the Ministry of Economy or relevant AML supervisor for AML/CFT). PNPC's integrated view across tax, accounting, and AML advisory means an inconsistency between what a customer's AML file says and what the underlying transaction ledger shows is more likely to be caught internally before either regulator finds it separately.
Can our annual statutory audit and our AML documentation review be combined into one engagement?
They are separate exercises with different objectives — a statutory audit expresses an opinion on financial statements, while an AML documentation review tests inspection-readiness of the compliance file — but PNPC frequently schedules them in a coordinated cadence for clients using both services, since much of the same underlying customer and transaction detail is relevant to both, and coordinating timing avoids asking the client for the same source documents twice.
What documentation is specifically needed for the periodic goAML profile confirmation or re-registration cycle?
The goAML platform's periodic re-registration/confirmation cycle itself is largely a portal-level exercise, but the underlying documentation that should be current at that point includes the Compliance Officer's up-to-date appointment record, any change in authorised contact details, and confirmation that the organisation profile still accurately reflects the entity's current licensing and ownership status. PNPC treats the re-registration date as a natural trigger to also check the wider documentation file for currency, rather than treating it as a purely mechanical portal task.
Does documentation differ meaningfully between a real estate brokerage, a precious metals dealer, and a corporate service provider?
The core document categories are the same across DNFBP types, but the specific content within each category differs with the business — a real estate brokerage's CDD files emphasise source-of-funds evidence for high-value property transactions and buyer/seller beneficial ownership, a precious metals dealer's documentation centres on cash-transaction threshold monitoring, and a corporate service provider's file emphasises beneficial ownership look-through for the entities it forms and any nominee arrangements it provides. PNPC calibrates the documentation depth and emphasis to the entity's actual DNFBP category rather than applying a single generic template across all three.
Where should our AML documentation actually be stored — does it need to stay physically or digitally within the UAE?
UAE AML/CFT law focuses on the entity's ability to produce records to the competent authority within the requested timeframe rather than mandating a specific storage location, though practical retrievability is easier when records (whether physical or cloud-hosted) are accessible to the UAE-based Compliance Officer without unnecessary delay caused by cross-border access restrictions or a parent company's unrelated data-residency policy. PNPC advises confirming with the entity's specific IT/data setup that whoever needs to produce a record in the UAE can actually retrieve it promptly, regardless of where it is technically hosted.
Do policy approvals and appointment letters need a wet-ink signature, or is a digital signature acceptable?
A properly executed digital signature is generally acceptable evidence of approval, provided the signing process itself is genuinely attributable to the signatory and the platform used preserves an audit trail of who signed and when. What matters to an inspector is clear, verifiable evidence that senior management or the board actually approved the document — the exact signing mechanism matters less than whether that evidence is credible and traceable.
What if a document in our file is only available in a foreign language, such as a foreign parent company's board resolution?
The original foreign-language document should be retained as the authoritative record, with an English (or, where relevant, Arabic) translation or summary attached so the document is usable during a UAE inspection without unnecessary delay. PNPC does not discard or replace the original — the translation supplements it rather than substituting for it, since the original remains the legally operative document.
How does PNPC make sure our documentation system does not depend on a single person's access?
Part of PNPC's documentation build now includes a specific access-continuity check — confirming that more than one authorised person (typically the Compliance Officer and a deputy, or PNPC on a retainer basis) can retrieve records from whatever system or repository holds them, so that a single departed staff member's disabled login does not become the reason a record cannot be produced on an inspector's timeline.
What typically triggers a business to need its AML documentation urgently outside of a regulatory inspection?
The most common non-inspection triggers PNPC sees are a bank's periodic AML due diligence review of a business customer, an investor or acquirer's due diligence ahead of a financing round or sale, a correspondent banking relationship review, and internal escalation following a Compliance Officer's own discovery that the file is thinner than assumed. Each of these can arrive with a compressed timeline similar in pressure to an actual inspection notice, even though no regulator is directly involved.
If PNPC finds that a previous adviser's documentation contains an inaccurate or overstated record, what does PNPC do?
PNPC flags the specific inaccuracy to the client directly and corrects the record honestly — noting what the file previously stated, what is actually accurate, and the date of correction — rather than silently overwriting it or leaving it uncorrected. An inaccurate record discovered and honestly corrected before an inspection is a materially different, and much better, position than the same inaccuracy being discovered by an inspector first.
Does building AML documentation with PNPC create any obligation for PNPC to report our business if something looks wrong?
PNPC, as a professional services firm advising the entity, operates under its own professional and regulatory obligations, which can include reporting duties in specific circumstances under the AML/CFT framework, separate from the client's own reporting obligation as the DNFBP. This is not a reason to avoid documentation work — quite the opposite, a business that documents honestly and addresses genuine issues transparently is in a fundamentally different position than one that conceals them, and PNPC's role is to help build a defensible, honest programme, not to manage around any adviser's own professional obligations.
How does PNPC price a documentation engagement, and does the fee vary by DNFBP category?
PNPC agrees a fixed, written fee for a documentation engagement before work begins, scoped to the actual size of the customer base, the number of entities involved, and how much of the underlying record already exists in some usable form versus needing to be reconstructed from scratch. A single-office corporate service provider with a small customer base and a multi-branch real estate brokerage with years of historical files require materially different depth of work, so PNPC does not publish a single flat figure that would either overcharge simple engagements or undercharge complex ones.
If we launch a new product, customer segment, or open a new UAE entity, does our existing documentation automatically cover it?
No, not automatically. A new product, a materially different customer segment, or a newly formed mainland or free zone entity needs its own documentation coverage — checked against whichever supervisory framework actually governs the new activity or entity — rather than being assumed to already fall within the scope of an existing file built for a different business activity or entity. PNPC treats each of these expansions as a trigger to extend, not just re-use, the documentation file.
PNPC Documentation build vs a self-assembled or unmaintained AML file
| Dimension | Self-Assembled / Unmaintained File | PNPC Global |
|---|---|---|
| Document set completeness | Individual documents exist, but no one has checked them against the full required category list | Structured gap assessment against every governance, risk, CDD, screening, and training category required under the AML/CFT Law |
| Retrievability | Records technically kept, scattered across folders, inboxes, and individual staff members | Consistent index by customer and document category, designed to be produced within the timeframe an inspector gives |
| Screening evidence | Alerts logged by the tool; no record of what was decided about each one | Every partial or possible match adjudicated and recorded with a documented disposition |
| Beneficial ownership currency | Register compiled once at onboarding, not reconciled against later ownership changes | Register reconciled to current shareholding and updated on every triggering change |
| Training evidence | Sessions delivered informally with no attendance, content, or date record | Attendance, content, and date logged for every session, with a scheduled refresher cadence |
| Currency of policy documents | Drafted once at registration and never revisited as Cabinet Decisions or guidance evolve | Annual review cycle built into the engagement, updated as regulatory text and business activity change |
| Inspection response readiness | File assembled reactively once an inspection notice arrives | Maintained continuously so production on request is a retrieval exercise, not a scramble |
| Cross-disciplinary consistency | AML file built in isolation from tax, accounting, and corporate records | Coordinated with PNPC's tax, accounting, and corporate structuring work so records are internally consistent |
| Presence beyond delivery | Document handed over once, no further support | PNPC Dubai office, practising CA firm since 1986, available for live inspection support and ongoing maintenance |
| Multi-entity / free zone coordination | Each entity's file built independently, often by different advisers with inconsistent conventions | One coordinated methodology across mainland, free zone, and financial free zone entities in the same group, each correctly calibrated to its own supervisor |
| Digital record integrity | Records exist inside whatever software was purchased, with no review of whether it is actually retrievable or access-continuous | System retrievability, export capability, and access continuity reviewed as part of the documentation build, not assumed |
| Honesty about reconstructed records | Backdated or fabricated records sometimes created under time pressure to appear contemporaneous | Reconstructed records built transparently, dated as reconstructions, and paired with a forward process so the gap does not recur — PNPC will not misrepresent when a record was actually created |
- 01
Full documentation gap assessment against the required AML/CFT governance, risk, CDD, screening, and training categories
- 02
Board/management approval record and Compliance Officer/MLRO appointment documentation compiled or reconciled
- 03
Risk assessment reviewed, dated, and formally indexed as the reference document behind the CDD procedures
- 04
Consistent CDD/EDD customer file structure applied across the existing customer base
- 05
Beneficial ownership register reconciled to current shareholding and aligned to Cabinet Decision No. 58 of 2020
- 06
Sanctions/PEP screening evidence compiled with disposition notes for every partial or possible match
- 07
Staff training records assembled or reconstructed, including attendee, date, and content detail
- 08
Internal escalation and STR/SAR filing trail organised and cross-referenced to goAML submission confirmations
- 09
Retention and retrieval system designed for production within an inspector's stated timeframe
- 10
Documented annual review schedule tied to PNPC's ongoing compliance calendar
- 11
Mock inspection walkthrough of the completed file before it is relied upon in a live inspection
- 12
Direct support producing documentation during an actual Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection
- 13
Coordination with PNPC's tax, accounting, and corporate secretarial teams for cross-referential consistency
Talk to PNPC's Dubai AML/CFT team before an inspector asks for a file you cannot produce.
Jurisdiction
Free zone, mainland & offshore
Ready to get started?
Tell us about your requirement — a UAE specialist responds within 24 hours.