IPR & AML Compliance · AML / CFT Services
Drafting of AML policies and procedures
Drafting of AML policies and procedures is the engagement through which PNPC produces the written, board-approved AML/CFT policy manual and operating procedures that every UAE Designated Non-Financial Business and Profession, financial institution, and Virtual Asset Service Provider must maintain under Federal Decree-Law No.
Chartered Accountants · Dubai · Since 1986
Drafting of AML policies and procedures is the production of the written compliance framework that Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (the AML/CFT Law), together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, requires every regulated entity to hold and to actually operate under. The obligation applies to Designated Non-Financial Businesses and Professions (DNFBPs) — real estate brokers and developers, dealers in precious metals and stones above prescribed cash thresholds, corporate and trust service providers, independent legal professionals, and independent accountants and auditors carrying out specified services — supervised primarily by the Ministry of Economy, as well as to financial institutions under the UAE Central Bank, securities firms under the Securities and Commodities Authority, and Virtual Asset Service Providers under VARA or the relevant emirate-level regulator. Financial free zone entities in DIFC and ADGM sit under their own AML supervisors, the Dubai Financial Services Authority and the Financial Services Regulatory Authority respectively, each with its own rulebook layered on top of the federal law.
A compliant AML policy manual is not a single document; it is a coordinated set of written procedures that together operationalise the risk-based approach the law requires. At its core sits the business-wide AML/CFT risk assessment, which drives everything that follows — the risk assessment identifies the entity's exposure across customer type, geography, product/service, and delivery channel, and the policy manual then sets out exactly how the business responds to that exposure: standard, simplified, or enhanced Customer Due Diligence triggers; beneficial ownership identification and verification procedures aligned to Cabinet Decision No. 58 of 2020; sanctions and Politically Exposed Persons (PEP) screening cadence and escalation; ongoing transaction monitoring thresholds; record-retention rules; the internal escalation pathway from front-line observation to the Compliance Officer's decision on whether to file; and the mechanics of filing a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) through the goAML platform operated by the UAE's Financial Intelligence Unit, together with the strict no-tipping-off discipline that governs any such filing.
The drafting exercise is where most AML programmes succeed or fail on inspection, because the difference between a policy that passes scrutiny and one that does not is rarely the presence or absence of a section heading — most template policies cover the same headings. The difference is whether the content under each heading describes what this specific business actually does. A policy that states simplified due diligence applies to 'low-risk customers' without defining, in terms specific to the entity's own customer base, exactly which customer profile qualifies, is not operable by front-line staff and will not withstand a supervisor asking a nominated Compliance Officer to justify a specific onboarding decision against the written procedure. Equally, a policy copied from a foreign parent group's global template, with UAE-specific references to the AML/CFT Law, goAML, and local sanctions lists never inserted, reads on inspection as evidence the entity has not actually engaged with its UAE obligation.
Policies must also be board-approved or approved by equivalent senior management, since the AML/CFT Law expects governance ownership of the compliance function, not a document produced by a junior staff member and left unsigned. The manual should name the designated Compliance Officer or Money Laundering Reporting Officer (MLRO), describe their authority to escalate and pause transactions independently, and set out the record-keeping and periodic review discipline — at minimum an annual refresh, and sooner if the business, its customer base, or the underlying regulations change materially.
PNPC's approach to drafting starts from the risk assessment and the entity's real operating detail — actual customer categories, actual payment channels, actual jurisdictions dealt with — rather than a headings checklist, and produces a manual that a front-line member of staff can follow under time pressure and that a Compliance Officer can defend, clause by clause, against an actual customer file during an inspection.
The specific supervisory rulebook also varies by structure. A mainland DNFBP answers to the Ministry of Economy under the federal AML/CFT Law directly; a DIFC-licensed entity's policy must additionally reference the Dubai Financial Services Authority's own AML rulebook, and an ADGM-licensed entity's must reference the Financial Services Regulatory Authority's equivalent framework — both free zones run AML regimes aligned in substance with federal law but distinct in specific provisions and reporting mechanics. Entities accepting or facilitating virtual asset transfers carry a further layer, since Virtual Asset Service Provider status under VARA in Dubai, or the relevant regulator elsewhere, attracts more stringent CDD and screening expectations — including travel-rule-style identifying-information requirements — that a standard DNFBP template will not address. A policy drafted without first confirming which rulebook actually governs the entity risks citing the wrong supervisor entirely, a more fundamental defect than any single under-specified clause.
This engagement is also distinct from VAT and Corporate Tax compliance administered by the Federal Tax Authority under Federal Decree-Law No. 8 of 2017 and Federal Decree-Law No. 47 of 2022 — a business can be fully FTA-compliant while having no AML/CFT policy, and vice versa, since the two sit under different legal frameworks and supervisors. It is equally distinct from the Economic Substance Regulations notification cycle, discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024 — a historical ESR position does not substitute for a current AML/CFT policy, and an AML/CFT policy does not resolve any outstanding historical ESR matter. PNPC treats these as separate workstreams, even where the same transaction records support more than one of them.
When Drafting of AML Policies and Procedures is the right engagement
Your business falls within the DNFBP categories under UAE AML law — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and has no written, board-approved AML/CFT policy at all
You are a newly licensed regulated entity (financial institution, VASP, DNFBP) and need the AML/CFT policy manual and CDD procedures drafted before you can lawfully begin onboarding customers
Your existing policy was purchased or copied as a generic template and has never been calibrated to your actual customer base, products, geography, or delivery channels
Your existing policy predates the current Cabinet Decision amendments, FATF guidance updates, or a material change in your business (new product line, new customer segment, new jurisdiction exposure) and is due for a substantive rewrite rather than a light edit
You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection finding specifically citing an inadequate, outdated, or unimplemented AML/CFT policy
A group parent company has a global AML policy that needs to be localised into a UAE-specific manual referencing the AML/CFT Law, goAML, and UAE sanctions lists rather than adopted as-is
Your risk assessment has recently been completed or updated and the policy manual now needs to be drafted, or redrafted, to align with its findings
You need the policy translated into operable escalation scripts, onboarding checklists, and approval-authority matrices that front-line staff can actually follow, not just a narrative compliance statement
Your designated Compliance Officer or MLRO needs a documented procedure that gives the role genuine operating substance and a defensible basis for decisions taken
You are acquiring or merging with a regulated entity and need its existing AML policy diligenced and, where necessary, rebuilt as part of integration
You are a Virtual Asset Service Provider onboarding under VARA or an emirate-level VASP regulator and need a policy that reflects the additional AML expectations attached to virtual-asset activity, not a generic DNFBP template
Your business has recently crossed into a newly DNFBP-relevant activity — for example a management consultancy that has started forming companies for clients, or an accounting practice that has begun managing client funds — and needs a policy drafted for the newly triggered obligation
Where a different engagement fits better
You do not yet have a completed AML/CFT risk assessment — the policy should be drafted from the risk assessment's findings, not written in parallel or ahead of it; PNPC generally recommends the risk assessment as the first deliverable, often within the same engagement
You are not a DNFBP, financial institution, or VASP and your business activity does not fall within any AML/CFT-regulated category under UAE law — confirm applicability first through a scoping call before commissioning a policy drafting engagement
You need only the goAML portal registration completed with no policy drafting involved — that is a narrower, standalone registration engagement, though PNPC recommends the risk assessment and policy accompany or precede registration
Your requirement is limited to sanctions screening software selection and configuration with no policy-drafting component — that sits closer to a technology/vendor selection engagement
You already have a properly drafted, board-approved, and implemented policy and need ongoing training delivery, KYC file remediation, or goAML reporting support instead — those are distinct engagements PNPC also provides
You are seeking a signed-off policy overnight with no scoping call and no willingness to share your actual customer base, ownership structure, or transaction profile — a defensible, risk-based policy cannot be drafted from assumptions
You want a guarantee that a drafted policy will prevent any future inspection finding — no advisor can offer that; what a properly drafted policy buys is a defensible, evidenced position and a materially faster remediation path if a finding does arise
You have an active investigation or enforcement matter already underway relating to money laundering or terrorist financing — that requires criminal defence legal representation as the primary engagement, with policy drafting playing a secondary, supporting role
You need the substantive AML risk methodology itself built from scratch with no drafting output required yet — that is the AML Risk Assessment engagement in isolation, distinct from turning its findings into a written policy
Your only outstanding item is confirming historical Economic Substance Regulations (ESR) status for a financial year before that regime was discontinued — ESR and AML/CFT policy drafting are separate regimes with separate triggers and the ESR question does not require a policy-drafting engagement
AML Policy Drafting vs related UAE AML/CFT compliance engagements
| Feature | Drafting of AML Policies & Procedures | AML Risk Assessment | KYC & CDD Advisory | goAML Portal Registration | AML Training & Capacity Building |
|---|---|---|---|---|---|
| Primary output | Board-approved written policy manual and operating procedures covering the full AML/CFT programme | A documented risk rating methodology across customer, geography, product/service, and delivery-channel risk | The onboarding, screening, and monitoring discipline built and run day to day, of which the policy is one component | Registration and activation on the FIU's goAML reporting platform | Staff competency in executing the policy correctly, evidenced by attendance and assessment records |
| Legal basis | Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019, as amended | Same legal framework — the risk-based approach the law mandates as the foundation of any AML programme | Same framework, operational layer | AML/CFT Law's reporting-channel requirement | AML/CFT Law's expectation that staff can execute the documented procedure |
| Sequencing | Drafted from a completed or concurrently produced risk assessment; precedes or accompanies staff training | Should exist before, or be produced alongside, the policy — the policy operationalises the risk assessment's findings | Runs on top of the policy once drafted and approved — the policy tells staff what to do; CDD advisory is the doing | Can run in parallel with policy drafting; registration alone does not satisfy the policy requirement | Follows policy drafting — staff cannot be trained on a document that does not yet exist |
| Typical deliverable form | Board-approved AML/CFT policy manual, CDD/EDD procedures, escalation matrix, screening cadence, record-retention schedule | Written risk assessment report with a risk-rating methodology and supporting rationale | Onboarding forms, CDD/EDD checklists, ongoing monitoring workflow, file remediation | FIU portal credentials for the organisation and the designated Compliance Officer | Training materials, attendance records, competency sign-off |
| Who typically commissions it | Any DNFBP, financial institution, or VASP without a current, board-approved, entity-specific policy | Entities building or refreshing their AML programme, or responding to a materially changed business | Entities with a policy already in place needing the operational layer built or fixed | Entities that have a policy and risk assessment but lack platform access | Entities with an approved policy that staff have not yet been formally trained against |
| Inspection relevance | The document a Ministry of Economy or Central Bank inspector reviews first and tests customer files against | The foundation an inspector checks the policy actually reflects | What an inspector samples to see if the policy is being followed in practice | Necessary but not sufficient on its own — registration without a policy behind it is an early and common finding | Absence of training records is a standard, easily identified inspection finding |
| Coverage of VASP-specific obligations | Included where the entity is a Virtual Asset Service Provider, referencing VARA or the relevant emirate regulator's specific rulebook | Risk assessment identifies virtual-asset exposure as a distinct risk category | CDD advisory builds the travel-rule-style onboarding checks the policy describes | Registration mechanics are regulator-neutral; VASP status does not change how goAML itself is used | Training covers VASP-specific red flags where relevant |
| Beneficial ownership look-through methodology | Sets out the explicit look-through procedure under Cabinet Decision No. 58 of 2020 | Risk assessment flags layered or offshore ownership as an elevated risk factor | CDD advisory executes the look-through at onboarding and keeps it current | Not addressed by registration itself | Training covers applying the look-through consistently across files |
| What is retained as the primary record | The signed, version-controlled policy manual itself, plus the internal stress-test record | The written risk assessment report and its rating methodology | Onboarding files and CDD/EDD evidence | FIU portal registration confirmation | Attendance and competency sign-off records |
These engagements are frequently bundled — PNPC typically produces the risk assessment and the policy manual as a single coordinated deliverable, then follows with goAML registration, CDD implementation support, and staff training, so the written policy and the operating programme are built to match from day one rather than reconciled after the fact.
| # | Stage & What PNPC Does | What Generic Templates Miss | Timeline |
|---|---|---|---|
| 1 | Scoping call and applicability confirmation — confirming the entity's DNFBP or regulated category and which supervisory rulebook governs it | A template drafted before applicability is confirmed risks citing the wrong supervisory authority or omitting sector-specific requirements — mainland DED, DIFC/DFSA, ADGM/FSRA, and VARA/VASP entities each sit under a different specific rulebook layered on the federal AML/CFT Law. | Week 1 |
| 2 | Risk assessment review or production — confirming an existing risk assessment is current, or producing one where none exists, since the policy is drafted from its findings | A policy drafted without a current risk assessment behind it has no defensible basis for its due diligence tiers, EDD triggers, or monitoring thresholds — an inspector's first question is usually 'what risk assessment supports this clause.' | Week 1–2 (if risk assessment already current) or Week 1–3 (if produced concurrently) |
| 3 | Entity fact-finding — actual customer categories, transaction patterns, payment channels, geographies, and existing controls documented in detail | Generic templates skip this step entirely, which is exactly why they read as generic — the specific customer mix and payment channel detail is what turns a section heading into an operable clause. | Week 1–2 |
| 4 | CDD/EDD procedure drafting — standard, simplified, and enhanced due diligence triggers defined against the entity's actual risk tiers | Templates state that EDD applies to 'high-risk customers' without defining, for this specific business, what actually triggers that classification — leaving front-line staff to guess and creating inconsistent files. | Week 2–3 |
| 5 | Beneficial ownership identification procedure — the look-through methodology for corporate and trust customer structures, aligned to Cabinet Decision No. 58 of 2020 | Layered or offshore ownership structures need an explicit look-through rule; a generic clause that stops at the first corporate layer is a recurring inspection gap. | Week 2–3 |
| 6 | Sanctions and PEP screening procedure — screening cadence, list sources, and escalation on a match, integrated into onboarding and ongoing monitoring | Templates often describe screening as a one-time onboarding check; the actual obligation includes periodic re-screening against updated lists, which a generic document rarely specifies with a defined cadence. | Week 2–4 |
| 7 | Escalation and STR/SAR filing procedure — the internal pathway from a front-line observation to the Compliance Officer's decision and a goAML filing, with the no-tipping-off rule built in explicitly | A policy that does not name who decides, within what timeframe, and how the no-tipping-off obligation is protected leaves staff exposed to making that judgment call alone under pressure. | Week 3–4 |
| 8 | Record-keeping and retention schedule — what is retained, in what format, for how long, and how it is retrieved on a supervisory request | Retention clauses in generic templates rarely address retrievability — a retained-but-unlocatable file reads on inspection almost the same as an unretained one. | Week 3–4 |
| 9 | Governance and Compliance Officer authority clause — naming the designated Compliance Officer/MLRO, their reporting line, and their independent authority to pause or escalate | A policy naming a Compliance Officer with no described authority to actually act independently is a recognised inspection red flag — the clause needs to describe real, exercisable authority, not a title. | Week 3–4 |
| 10 | Internal review and stress-test — a sample walkthrough of how the drafted procedure would apply to a handful of real (anonymised) customer scenarios from the entity's own book | This step catches clauses that read well on paper but do not actually work against a real file — a gap that only surfaces, otherwise, during an actual inspection. | Week 4 |
| 11 | Board or senior management approval — the manual is formally adopted, dated, and signed off at the appropriate governance level | An unsigned, undated policy — even a well-drafted one — does not evidence the governance ownership the AML/CFT Law expects. | Week 4–5 |
| 12 | Handover, training briefing, and next-review scheduling — the approved manual is issued, a training session is scoped, and the annual review date is diarised | A policy issued without a scheduled review date is the policy most likely to still be in use, unrevised, three years later when a supervisor tests it against a business that has since changed. | Week 5 |
| 13 | Cross-reference against any concurrent goAML registration or CDD implementation workstream — confirming the policy's screening cadence and escalation pathway matches what is actually being registered and operated on the ground | Templates are drafted in isolation from the registration and CDD build, producing a document that describes a screening process different from the one actually configured on the goAML profile or the onboarding checklist in use. | Week 3–5 |
| 14 | VASP-specific clause insertion, where applicable — travel-rule-style identifying-information requirements for virtual asset transfers and any VARA or emirate-level VASP regulator expectations | A DNFBP template applied to a VASP without this clause leaves the policy silent on an obligation that is materially more stringent than the standard DNFBP baseline. | Week 2–4 (VASP entities only) |
| 15 | Free-zone localisation check — confirming DIFC/DFSA or ADGM/FSRA rulebook references are used in place of, or alongside, the Ministry of Economy framework where the entity sits in a financial free zone | A mainland-drafted policy applied to a DIFC or ADGM entity, or vice versa, references the wrong supervisor and the wrong specific rulebook provisions. | Week 1–2 (confirmed at scoping) |
| 16 | Group-policy localisation, where a parent company's global AML policy exists — every clause needing UAE-specific adaptation is flagged and rewritten rather than adopted as-is | A global template with UAE-specific references to the AML/CFT Law, goAML, and local sanctions lists never inserted reads on inspection as evidence the entity has not actually engaged with its UAE obligation. | Week 2–4 (where applicable) |
Realistic timeline from scoping call to a board-approved, issued policy manual: 4–6 weeks where the risk assessment is already current, or 5–8 weeks where the risk assessment is produced concurrently. Complex entities with multiple customer categories, cross-border exposure, or a materially incomplete starting risk assessment take longer. PNPC does not shortcut the fact-finding stage regardless of timeline pressure, since a policy drafted without it is the generic-template problem in a new form.
Trade licence copy — mainland DED licence or free zone licence — showing licensed activities in full, since DNFBP status and policy scope follow actual licensed activity
Memorandum and Articles of Association or equivalent constitutional documents
Organisational chart identifying the proposed or existing Compliance Officer/MLRO and their reporting line to senior management or the board
Details of any UAE or overseas branches, subsidiaries, or related entities sharing customer data or referral relationships
Any existing AML/CFT policy or procedure documents, for gap assessment rather than discarding outright
Current AML/CFT risk assessment, if one exists, or the underlying data to produce one — customer categories, transaction value ranges and frequency, geographic spread
Description of payment methods accepted — bank transfer, cash, third-party payment, cryptocurrency/virtual assets — since each carries different CDD implications
Any FATF-flagged or otherwise higher-risk jurisdiction exposure in the current customer or counterparty base
Any existing customer onboarding forms, KYC intake templates, or informal checklists currently in use
Shareholder register and, for corporate shareholders, their own ownership structure down to the natural person level
Existing Register of Beneficial Owners, if maintained, for accuracy review against Cabinet Decision No. 58 of 2020
Trust deeds, nominee arrangements, or power-of-attorney documents where ownership or control involves anything other than direct individual shareholding
Details of any sanctions or PEP screening tool currently used, including vendor, list sources, and screening frequency
Existing goAML platform registration details, if the entity is already registered
Records of any prior STR/SAR filings or internal escalations raised, with outcome
Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, VARA, or any other supervisor relating to a prior inspection, finding, or directive
Staff training records relating to AML/CFT, if any prior training has been delivered
Board or senior management structure and the appropriate approval authority for adopting a compliance policy
Any group-level or parent-company AML policy that needs to be localised rather than adopted as-is
Confirmation of who holds, or will hold, the designated Compliance Officer/MLRO role and their CV or role description
Board resolution or management sign-off record formally adopting the policy manual
Version-control record showing the effective date and the review-cycle schedule
Distribution and acknowledgement record confirming relevant staff have received and reviewed the approved policy
VARA or relevant emirate-level VASP licence and any sector-specific compliance guidance already issued to the entity
Description of virtual asset transfer flows and any existing travel-rule-style data-sharing arrangement with counterparty VASPs
Details of the wallet/custody infrastructure and how transaction data is captured for AML purposes
DFSA or FSRA licence and any existing free-zone-specific AML rulebook compliance documentation
Correspondence with the DFSA or FSRA relating to AML supervision, if any
Confirmation of which free-zone-specific AML forms or notifications the entity is separately required to file
| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Initial Drafting (Week 1–5) | New licence issuance, absence of a current policy, or a material change requiring a full rewrite | Fact-finding, risk assessment alignment, and drafting of the full policy suite — CDD/EDD, beneficial ownership, screening, escalation, retention, governance — as one coordinated document set. | Onboarding or continuing to operate without a current, board-approved policy leaves the entity unable to demonstrate compliance on first inspection and leaves front-line staff without a documented standard to follow. |
| Board Approval & Issuance | Completion of drafting and internal review | The manual is formally adopted at board or senior management level, dated, version-controlled, and distributed to relevant staff with an acknowledgement record kept. | An unsigned or informally circulated policy does not evidence the governance ownership supervisors expect, regardless of how well the content itself is drafted. |
| Staff Training Rollout | Policy issuance | The approved manual is the basis for role-specific staff training — front-line onboarding staff, the Compliance Officer, and senior management — with attendance and competency records maintained. | A policy that staff have not been trained on is close to worthless on inspection, since supervisors test whether procedures are actually followed, not just documented. |
| Live Operation | Ongoing customer onboarding and transaction activity | The policy's CDD/EDD tiers, screening cadence, and escalation pathway are applied consistently across every customer file, with the Compliance Officer exercising the documented authority. | Inconsistent application — some files following the policy, others not — is the single most common inspection finding and signals the document is not actually operative. |
| Annual Review | Anniversary of adoption, or a material change in business or regulation | The policy is reviewed against the current risk assessment, any Cabinet Decision or FATF guidance updates, and any change in the entity's customer base, products, or geographic exposure, with a formal re-approval. | A stale, unrevised policy is a first-line inspection question — 'when was this last reviewed and approved' has an easy pass or fail answer. |
| Material Business Change | New product line, new customer segment, new jurisdiction exposure, M&A, or crypto/virtual-asset acceptance | The policy is reassessed and updated before the change goes live — new risk exposure is incorporated into the CDD tiers and screening procedure proactively rather than retrofitted after exposure has already been taken on. | A new business line onboarded under an unrevised policy is effectively unassessed, creating exactly the gap an inspection is designed to find. |
| Regulatory Update | New Cabinet Decision, Ministerial Decision, or FATF mutual evaluation follow-up guidance affecting AML/CFT obligations | The policy manual is updated to reflect the change, with the update dated and the revision history maintained. | A policy that does not track regulatory amendments drifts out of alignment with current requirements within a year or two, even if it was correctly drafted at issuance. |
| Regulatory Inspection | Scheduled or unannounced supervisory visit | PNPC supports document production and file walkthroughs, drawing on the same policy and its supporting records built at drafting stage. | An entity unable to produce a current, approved policy and matching customer files faces findings that typically escalate from a corrective directive to administrative fines and, in serious cases, licence-level consequences. |
| Remediation (If a Gap Is Found) | Inspection finding or self-identified gap in the policy or its application | The specific clause or procedural gap is corrected, re-approved, and the correction evidenced for the next inspection cycle. | Unaddressed policy gaps compound at the next inspection and are viewed as an aggravating factor reflecting a pattern rather than an isolated lapse. |
| VASP / Free-Zone Regulatory Update | New VARA guidance, DFSA/FSRA rulebook amendment, or emirate-level VASP regulation change | The policy's VASP or free-zone-specific clauses are reviewed and updated separately from the core federal AML/CFT Law update cycle, since these sit under a different rulebook with its own amendment pace. | A policy that tracks only federal AML/CFT Law changes and ignores sector or free-zone-specific rulebook updates drifts out of alignment with the supervisor that actually inspects the entity. |
| Group Policy Localisation Refresh | Parent company issues an updated global AML policy | The updated group policy is re-localised into the UAE-specific manual rather than assumed to already be reflected, since global updates rarely include UAE-specific clause changes automatically. | Adopting an updated global policy without re-localising it can silently remove or dilute the UAE-specific clauses the previous localisation had added. |
Drafting the policy before the risk assessment exists, so the CDD/EDD tiers and screening thresholds have no documented basis an inspector can be shown
Copying a template and only changing the company name and licence number, leaving clauses that describe a different business model entirely
Adopting a parent company's global AML policy without localising the UAE-specific legal references, the goAML reporting channel, and the Compliance Officer's UAE-specific authority
Drafting the beneficial ownership clause to stop at the first corporate layer instead of building an explicit look-through methodology for layered or offshore structures
Leaving the policy unsigned, undated, or approved informally by a manager rather than at board or senior management level
Naming a Compliance Officer or MLRO in the document without describing real, independent authority to pause a transaction or escalate — a title with no substance
Failing to fix a firm annual review date at issuance, so the policy has no built-in trigger to be revisited before it drifts out of alignment with the business or the regulations
Skipping the internal stress-test against real, anonymised customer files before finalising the document, so clauses that read well on paper are never checked against an actual scenario
Issuing the policy without a documented staff training session, leaving a well-drafted document that front-line staff have never actually been walked through
Applying simplified due diligence inconsistently across customer files instead of against the specific, entity-defined criteria the policy sets out
Treating the policy as static after a material business change — a new product line, new customer segment, or new jurisdiction exposure — rather than reassessing and updating it before the change goes live
Not updating the goAML-registered Compliance Officer promptly when the role holder changes, leaving a governance gap between what the policy says and who is actually registered to act
What exactly does 'drafting of AML policies and procedures' include, separate from the risk assessment or the CDD advisory work?
This engagement is the production of the written, board-approved policy manual and operating procedures themselves — the document set covering CDD/EDD tiers, beneficial ownership identification, sanctions/PEP screening, escalation, record-keeping, and STR/SAR filing procedure. It is drafted from a risk assessment (existing or produced alongside) and precedes the day-to-day CDD advisory and staff training work, which apply the policy in practice.
Can we just use a template AML policy and change the company name and logo?
Doing so leaves a document that describes a generic business, not yours — and supervisory authorities specifically test whether the policy's content matches the entity's actual customer base, transaction patterns, and controls. A template with the name changed is a recognised, recurring inspection finding, not a shortcut that saves time in the long run.
Does the policy need to be board-approved, or can a manager just sign off on it?
UAE AML/CFT expectations are that the policy is adopted at the appropriate senior governance level — typically the board of directors or equivalent senior management for smaller entities — reflecting genuine institutional ownership of the compliance function, not a document produced and filed away by a junior staff member without formal sign-off.
How long does it take to draft a complete AML policy manual?
Where a current risk assessment already exists, a complete, board-approved policy manual typically takes around 4–6 weeks from the initial scoping call, covering fact-finding, drafting, internal review, and formal approval. Where the risk assessment needs to be produced concurrently, the realistic window extends to roughly 5–8 weeks. More complex entities with multiple customer categories or cross-border exposure take longer.
What sections does a properly drafted AML/CFT policy manual need to cover?
At minimum: the business-wide risk assessment methodology and its findings; standard, simplified, and enhanced Customer Due Diligence procedures with entity-specific triggers; beneficial ownership identification and verification; sanctions and PEP screening cadence; ongoing transaction monitoring; the internal escalation pathway to the Compliance Officer; the goAML STR/SAR filing procedure and the no-tipping-off rule; record-keeping and retention; and the designated Compliance Officer's authority and the annual review cycle.
How is a policy for simplified due diligence customers actually written so it is not misused?
The policy needs to define, in terms specific to the entity's own customer base and risk assessment, exactly which customer profile qualifies for simplified treatment — not a generic reference to 'low-risk customers.' It must also state explicitly that simplified due diligence can never apply automatically as a default, and can never apply to a customer or jurisdiction carrying elevated risk indicators regardless of how the relationship is otherwise structured.
Our parent company has a global AML policy — can we just adopt it for our UAE entity?
A global group policy is a useful starting reference but rarely satisfies UAE requirements on its own. It needs to be localised to reference the specific provisions of the AML/CFT Law, the goAML reporting channel, the UAE Compliance Officer's specific authority and portal registration, and any UAE-specific risk factors such as local sanctions lists and DNFBP activity thresholds that a global template will not capture.
What is the difference between the policy and the procedures — aren't they the same document?
In practice they are usually issued as one coordinated manual, but conceptually the policy states the entity's principles and risk appetite (for example, the categories of customer requiring enhanced due diligence), while the procedures set out the specific operational steps staff follow to give effect to that policy (for example, the exact documents collected and the approval sign-off required for an enhanced due diligence onboarding). Both need to be present and aligned for the document to be operable.
How often does the policy need to be reviewed and re-approved?
At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, a new customer segment or geographic market, a change in ownership or control, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. A policy that has not been revisited in several years is itself a common and easily identified inspection finding.
Does having a well-drafted policy protect us if a customer turns out to be involved in money laundering?
A properly drafted and consistently implemented policy is the standard against which a business's conduct is judged on inspection — it does not guarantee that criminal activity will never occur through the business, but a business that can demonstrate it followed a documented, board-approved, risk-based programme in good faith is in a materially different position than one with no policy or one that ignored its own documented red flags.
What happens if the policy exists but staff aren't actually following it?
A written policy that is not being followed in practice is treated on inspection as close to equivalent to having no policy at all, since supervisors sample customer files to test whether the documented procedure matches what staff actually did — a strong policy with inconsistent underlying files is a standard, easily identified finding.
Do free zone entities in DIFC or ADGM need a different policy structure than mainland entities?
Yes. DIFC entities regulated by the DFSA and ADGM entities regulated by the FSRA operate under their own AML rulebooks specific to those financial free zones, layered on the federal AML/CFT Law. A policy drafted against the mainland Ministry of Economy framework will not directly satisfy a DIFC or ADGM entity's specific supervisor, even though the underlying AML principles are broadly aligned.
Who should be named as the Compliance Officer or MLRO in the policy, and what authority does the document need to give them?
The nominee should be sufficiently senior and empowered within the organisation to act independently — able to escalate concerns, request further information, and where necessary pause a transaction pending review, without needing case-by-case sign-off from someone whose interests might conflict with reporting. The policy document needs to describe that authority explicitly, not just assign a title.
How much does drafting a full AML policy manual cost?
PNPC agrees a fixed, written fee before work begins, scoped to the complexity of the business — a single-office corporate service provider and a multi-branch real estate brokerage require materially different depth of drafting. Fees also depend on whether the risk assessment is produced concurrently or already exists.
Can PNPC draft the policy and also act as our Compliance Officer?
PNPC drafts the policy and can provide ongoing advisory support to a designated internal Compliance Officer, but the statutory Compliance Officer/MLRO role must generally be held by a suitably senior individual within the regulated entity itself, since the role requires day-to-day authority an external adviser cannot exercise. Some sector rulebooks have specific requirements on who can hold the designation, which we scope precisely rather than assuming one model fits every client.
Does the policy need a specific clause for Virtual Asset Service Provider (VASP) activity, or is the standard DNFBP template enough?
If the entity is licensed or otherwise falls within VASP regulation under VARA or another emirate-level VASP regulator, the policy needs a dedicated section addressing the additional, generally more stringent expectations attached to virtual-asset activity — including identifying-information requirements that travel with a virtual asset transfer (a travel-rule-style obligation), wallet/custody-related risk factors, and screening considerations specific to virtual asset counterparties. A standard DNFBP template that treats virtual assets as just another payment method under-serves this risk.
What actually changes in the document for a DIFC or ADGM entity compared with a mainland one, beyond just naming a different regulator?
Beyond naming the DFSA or FSRA as the applicable supervisor instead of the Ministry of Economy, the specific rulebook provisions each regulator has issued — on CDD thresholds, reporting mechanics, and record-keeping — need to be reflected in the substantive clauses themselves, not just the cover page. A DIFC or ADGM entity's policy also typically needs to reference that regulator's own AML rulebook by name and section, since a generic reference to 'UAE AML law' without the free-zone-specific rulebook citation reads as incomplete to that regulator on inspection.
Is there a different policy content requirement for real estate brokers versus corporate service providers, or is one template used for every DNFBP?
The core structure — CDD/EDD, beneficial ownership, screening, escalation, record-keeping, governance — is common across DNFBP categories, but the specific risk indicators, transaction-level red flags, and documentation standards differ materially by sector. A real estate broker's policy needs source-of-funds documentation standards calibrated to high-value, sometimes cash-adjacent property transactions and buyer/seller-side CDD; a corporate service provider's policy needs a look-through methodology for the client on whose behalf a company is being formed, including where an intermediary is instructing on behalf of an undisclosed end client.
Our precious metals and stones business only deals in cash occasionally — do we still need a full policy, or only once we cross the threshold?
The DNFBP obligation for dealers in precious metals and stones attaches to cash transactions (or connected transactions) at or above the threshold prescribed by the Ministry of Economy. A business that only occasionally approaches that threshold still needs a documented policy and a monitoring process to actually identify when a transaction or a connected series of transactions crosses it — the obligation is not avoided simply because most individual transactions fall below the line, since connected transactions structured to stay under the threshold are themselves a recognised red flag.
What happens if the risk assessment and the drafted policy end up disagreeing on something — which one governs?
The policy should always be drafted to reflect the risk assessment's findings, not the other way around — if a drafting-stage discussion reveals the policy needs to say something the risk assessment does not support (for example, a broader simplified due diligence category than the risk assessment justifies), the correct fix is to revisit and, if warranted, update the risk assessment first, then draft the policy to match it, rather than drafting a clause the underlying risk analysis does not actually support.
We have several UAE entities under one group — do we need a separate AML policy for each, or can one group-wide policy cover them all?
Each entity that independently meets the DNFBP or regulated-entity definition generally needs its own board-approved, entity-specific policy reflecting its own licence, customer base, and supervisory authority — a holding company does not typically operate the policy for a licensed operating subsidiary. Where entities share genuinely common customer bases, systems, and governance, a coordinated group framework with entity-specific annexes can be efficient, but each entity's board or senior management still needs to formally adopt its own applicable version.
Does the policy need to be issued in Arabic, English, or both?
UAE regulatory correspondence and inspections are conducted with Arabic as the official language, though English-language policy documents are commonly accepted in practice by the Ministry of Economy and most sector regulators, particularly for internationally staffed businesses, provided the entity can produce an accurate Arabic version or translation if specifically requested. PNPC confirms the specific expectation with the entity's applicable supervisor during scoping rather than assuming one language is always sufficient.
How does the drafted policy handle third-party introduced business — for example, customers referred by an intermediary who has already done some due diligence?
The policy needs to state explicitly whether, and under what conditions, the entity can place any reliance on due diligence already performed by a third party (such as an introducing broker or another regulated entity), and if so, what evidence of that third party's own compliance standing must be obtained and retained before any reliance is placed. Reliance on a third party does not remove the entity's own ultimate responsibility for the adequacy of the CDD performed on its own customer.
Does the policy need to specify whether records are kept digitally, physically, or both?
Yes — the record-keeping and retention section should specify the format records are held in, how they are backed up or protected against loss, and how they can be retrieved and produced to a supervisory authority within the timeframe requested. A retention clause that is silent on format and retrievability leaves ambiguity about whether a scanned copy is acceptable, how long backups are retained, and who is responsible for retrieval when a request arrives.
If we onboard customers through a digital or app-based process, does the policy need a separate section for that?
Yes. Digital or remote onboarding (sometimes referred to as e-KYC) carries its own delivery-channel risk considerations under the AML/CFT Law's risk-based approach — identity verification without an in-person document check typically needs a specific method (video verification, certified digital identity checks, or equivalent) described in the policy, along with how that method satisfies the same underlying verification standard as an in-person check.
Is Economic Substance Regulations (ESR) compliance part of this engagement, or a separate matter?
ESR and AML/CFT policy drafting are separate regimes with separate legal triggers and separate supervisors, and the Ministry of Finance discontinued the ESR notification and report filing requirement for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024 — so for most entities today ESR is, at most, a closed historical-period question rather than a live ongoing obligation. An AML/CFT policy drafting engagement does not cover ESR, and an ESR filing from the years it was live never satisfied any AML/CFT policy requirement.
Is this the same as, or does it include, an independent AML/CFT audit of our compliance function?
No — drafting produces the written policy and procedures; an independent AML/CFT audit is a separate, subsequent exercise that tests whether the operating programme (onboarding files, screening records, escalation decisions) actually matches what the policy describes. Many entities commission drafting first and an independent audit some months into live operation, once there is enough operating history to test.
What happens if our Compliance Officer nominee changes partway through the drafting engagement?
The governance and authority clause is finalised against whoever is actually confirmed as the Compliance Officer/MLRO at sign-off, since the document needs to name a real, currently accountable individual for the clause to be credible on inspection — if the nominee changes mid-engagement, PNPC updates the relevant clause and any associated goAML registration before the policy is issued, rather than issuing a document naming someone who has since left the role.
Can we get the policy fast-tracked if we have an imminent inspection or a new licence activation deadline?
PNPC can prioritise a drafting engagement and compress the calendar-time elements (scheduling, review turnaround) where there is a genuine deadline, but the substantive fact-finding, risk assessment alignment, and internal stress-test stages are not steps we skip under time pressure, since a policy drafted without them recreates the generic-template problem in a compressed timeframe rather than solving it.
Does the policy need to reference specific sanctions list sources by name, or can it just say 'applicable sanctions lists'?
The policy should name the specific list sources the entity screens against — at minimum the UAE Local Terrorist List and the UN Consolidated Sanctions List, plus any additional lists relevant to the entity's specific customer or transaction profile — rather than a vague reference to 'applicable sanctions lists' that gives front-line staff no way to confirm they are screening against the right sources.
How quickly does the policy need to be updated after a new Cabinet Decision or Ministry of Economy guidance is issued?
There is no single fixed statutory countdown for every possible regulatory update, but the expectation under the AML/CFT Law's risk-based approach is that a material change in the legal or regulatory framework is reflected in the policy within a reasonable period, and certainly before the next scheduled annual review if the change affects a substantive obligation the entity is currently operating under. Waiting for the next annual review cycle to incorporate a change that already affects live customer relationships is not advisable.
If two group entities in the UAE fall under different DNFBP categories — say, one is a corporate service provider and another is a real estate broker — do they need entirely separate policies?
Generally yes, in substance if not necessarily in a single combined binder — each entity's policy needs to reflect its own actual licensed activity, DNFBP category, and specific risk indicators, since a corporate service provider's beneficial-ownership look-through obligations and a real estate broker's source-of-funds documentation standards are materially different in application even though both sit under the same overarching AML/CFT Law.
Does PNPC benchmark the policy against FATF guidance specifically, or only against UAE Cabinet Decisions?
Both. The UAE's AML/CFT Law and its Cabinet Decisions are themselves shaped by, and periodically updated to reflect, the Financial Action Task Force's international standards and any UAE-specific follow-up actions from FATF mutual evaluation processes, so a policy drafted with only the letter of the Cabinet Decision in mind, without an eye to the FATF standard it implements, can miss the direction the regulation is evolving in.
We are a pre-revenue or dormant DNFBP-category entity with a licence but no live customers yet — do we still need a full policy now?
If the entity holds a licence for an activity that falls within a DNFBP category, the obligation to have a board-approved policy in place attaches once the entity is licensed and positioned to begin operating, not only once it has active customers — a business that intends to start onboarding customers imminently should have its policy drafted and approved before the first customer relationship begins, not retrospectively once one already exists.
How does an M&A due diligence review of a target's AML policy differ from a standard drafting engagement?
An M&A-context review starts by assessing the target's existing policy and its actual operating history — inconsistencies between the document and the customer files, any unresolved inspection findings, undisclosed prior STR/SAR filings — before deciding whether the existing policy can be adopted, needs targeted remediation, or needs a full rebuild post-completion. The output is a risk report for the acquirer's decision-making as much as a drafting deliverable.
Can the same policy document also satisfy a bank's request to see our AML controls when they conduct their own AML due diligence on us as a business customer?
A properly drafted, board-approved AML/CFT policy is generally the document a bank's own AML due diligence team wants to see when assessing a business customer, and having one ready — rather than assembling something in response to the bank's specific request — materially speeds up that process. The policy does not need separate content for a bank's request specifically; the same document that satisfies your own regulator generally satisfies a bank's diligence question as well.
What is the practical difference between a policy drafted for a company with 5 staff and one drafted for a company with 200 staff?
The substantive obligations are the same regardless of headcount, but the depth of the escalation hierarchy, the number of approval layers for enhanced due diligence, and the granularity of role-specific procedures scale with organisational complexity — a 5-person business may have a single escalation step to one Compliance Officer, while a 200-person business needs a documented multi-tier escalation path across branches or departments before a matter reaches the Compliance Officer's desk.
Do we need PNPC involved every time we make a small wording change to the policy after issuance, or can we edit it ourselves?
Minor administrative updates (a change of registered office address, an updated internal phone extension) do not require PNPC's involvement, but any change to a substantive clause — CDD/EDD triggers, screening cadence, escalation authority, retention periods — should go through the same review discipline as the original drafting, since an informally edited substantive clause can drift out of alignment with the risk assessment or the underlying legal requirement without anyone noticing until an inspection tests it.
PNPC-drafted AML policy vs a generic template or DIY approach
| Dimension | Generic Template / DIY Policy | PNPC-Drafted Policy |
|---|---|---|
| Basis for the document | Downloaded headings with the company name inserted | Drafted from the entity's own risk assessment, actual customer base, and transaction patterns |
| CDD/EDD triggers | Generic references to 'high-risk' and 'low-risk' customers with no entity-specific definition | Specific, defensible triggers calibrated to this business's own risk tiers |
| Beneficial ownership look-through | Often stops at the first corporate layer | Explicit look-through methodology for layered or offshore structures, aligned to Cabinet Decision No. 58 of 2020 |
| Governance and approval | Frequently unsigned, undated, or approved informally | Board or senior management approval built into the drafting process, with version control |
| UAE-specific grounding | Global group templates often left unlocalised, with no goAML or local sanctions-list references | Localised to the AML/CFT Law, goAML, and current UAE sanctions/PEP list sources |
| Operability for front-line staff | Principles stated without a step-by-step procedure to follow | Policy and procedure paired, tested against realistic (anonymised) customer scenarios before sign-off |
| Inspection readiness | Reads as generic on a file-by-file review, a common and recurring inspection finding | Drafted to withstand a supervisor testing the document against an actual customer file |
| Review discipline | Left unrevised for years until a finding forces a rewrite | Annual review scheduled into the engagement from day one, updated as regulations and the business evolve |
| VASP and free-zone-specific clauses | Absent, or a single generic DNFBP clause applied regardless of regulator | Drafted specifically for VARA/emirate VASP or DFSA/ADGM rulebooks where applicable, not bolted on afterward |
| Coordination with concurrent registration/CDD work | Policy, goAML registration, and CDD checklist built by different parties, describing different processes | Policy, registration, and CDD implementation coordinated so the written document matches what is actually configured and operated |
| Group policy localisation | Adopted wholesale, or localised once and never revisited when the group template changes | Localised at drafting and re-checked against subsequent group policy updates |
| Stress-test before sign-off | Rarely performed; the first real test of the policy is an actual inspection | Walked through against real, anonymised customer scenarios before the document is finalised |
- 01
Applicability and scoping confirmation against the entity's actual DNFBP or regulated category
- 02
Risk assessment review, or production, as the foundation the policy is drafted from
- 03
Entity fact-finding on actual customer categories, payment channels, and geographic exposure
- 04
Standard, simplified, and enhanced Customer Due Diligence procedures with entity-specific triggers
- 05
Beneficial ownership identification and verification procedure aligned to Cabinet Decision No. 58 of 2020
- 06
Sanctions and PEP screening procedure with a defined cadence and escalation path
- 07
Internal escalation pathway and goAML STR/SAR filing procedure, including the no-tipping-off discipline
- 08
Record-keeping and retention schedule designed for retrievability, not just storage
- 09
Designated Compliance Officer/MLRO authority clause and governance structure
- 10
Internal stress-test against realistic, anonymised customer scenarios before finalisation
- 11
Board or senior management approval process and version-control record
- 12
Post-issuance training briefing scoping and annual review date scheduling
- 13
Coordination with any concurrent goAML registration or CDD implementation engagement
- 14
Ongoing advisory access for policy interpretation questions after issuance
Get an AML/CFT policy manual built from your actual business, not a template — speak to PNPC's UAE compliance team.
Jurisdiction
Free zone, mainland & offshore
Ready to get started?
Tell us about your requirement — a UAE specialist responds within 24 hours.