The DNFBP Framework
DNFBPs must implement a risk-based AML compliance programme covering customer due diligence (CDD and enhanced due diligence for high-risk customers), ongoing monitoring of business relationships, suspicious transaction reporting through goAML, record keeping for a minimum of five years, appointment of a dedicated compliance officer, and regular AML training for all staff.
The requirements apply regardless of company size. A small consultancy with three employees faces the same fundamental obligations as a multinational — the difference is in the scale and sophistication of the programme, not whether one is needed.
Enforcement Reality
Repeated AML failures, false UBO declarations and tax non-compliance can lead to penalties, licence suspension and, in serious cases, criminal prosecution. The UAE's inclusion on and subsequent removal from the FATF grey list created institutional momentum for enforcement that has not diminished — if anything, the country's desire to maintain its improved standing is driving even more vigorous oversight.
Practical Compliance
For companies registered through Polaris, AML compliance is built into the onboarding process. We conduct CDD on all clients, maintain records for the mandatory retention period, and ensure that corporate governance structures support rather than complicate AML compliance. For clients establishing their own AML programmes, Polaris provides programme design, staff training, goAML registration and ongoing compliance monitoring.
Related Insights
Mandatory Employee Health Insurance in the UAE: Employer Obligations and ComplianceHealth insurance for employees is mandatory across all UAE emirates. We outline the current regulatory requirements, emp... The GCC Board Gender Index 2026: What 15% Women on UAE Boards Means for Corporate GovernanceThe GCC Board Gender Index 2026 confirms the UAE leads the Gulf with 15% women on listed boards — up from 3.5% in 2020. ... Choosing the Right Corporate Structure in the UAE: A Legal Framework GuideLLC, free zone company, branch, SPV, holding company — the UAE offers numerous entity types across multiple jurisdiction...Who Is a DNFBP — and Why It Matters
Designated Non-Financial Businesses and Professions (DNFBPs) sit outside the regulated banking sector but inside the UAE's anti-money-laundering regime. The category captures real-estate brokers, dealers in precious metals and stones, auditors, lawyers and notaries handling client funds, corporate service providers and trust service providers — the last two of which include every licensed TCSP, Polaris included. The label is consequential: DNFBPs carry the same supervisory obligations as banks under Federal Decree-Law 20 of 2018 and its implementing regulations, but typically with materially smaller compliance teams.
| DNFBP category | Trigger threshold | Supervising authority |
|---|---|---|
| Real-estate brokers / agents | Any transaction ≥AED 55,000 in cash | Ministry of Economy |
| Dealers in precious metals and stones | Cash transaction ≥AED 55,000 | Ministry of Economy |
| Auditors | All audit engagements | Ministry of Economy |
| Lawyers and notaries | Specified activities involving client money/property | Ministry of Justice |
| Corporate service providers / TCSPs | All client engagements | Ministry of Economy |
| Trust service providers | All trust engagements | Ministry of Economy / SCA where in scope |
The Six Obligations Every DNFBP Must Meet
The obligations stack consists of: (1) register and remain registered on the goAML portal; (2) appoint a Compliance Officer with documented seniority and independence; (3) conduct a documented enterprise-wide risk assessment, refreshed annually; (4) apply customer due diligence and enhanced due diligence to politically-exposed persons, high-risk jurisdictions and complex structures; (5) screen against UN, OFAC, EU, UAE Local Targeted Financial Sanctions and Cabinet Decision 74/2020 lists at onboarding and on a continuing basis; and (6) file Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) within 35 days of forming a suspicion. A 2024 Ministry of Economy guidance note also clarified that DNFBPs are expected to report attempted transactions — not only those that completed.
Enforcement Wave: What Changed in 2024–2026
The UAE's removal from the FATF grey list in February 2024 did not relax enforcement — it intensified it. The Ministry of Economy in 2024 published fines exceeding AED 250 million against DNFBPs for AML failings, with the bulk concentrated in real-estate, dealers in precious metals, and corporate service providers operating from low-cost free zones. The Ministry has since shifted from periodic supervisory inspections to a permanent risk-based supervisory model: high-risk DNFBPs (large client books, complex structures, exposure to high-risk jurisdictions) are inspected annually, mid-risk every two years, low-risk on a thematic-review basis. The clearest pattern in 2025–2026 fines is that paperwork failures — missing risk assessments, undated CDD files, absent ongoing monitoring records — drive higher penalties than the underlying transactional risk would suggest.
| Failure type | Indicative fine band | Aggravating factors |
|---|---|---|
| Missing or generic risk assessment | AED 50,000 – 200,000 | Multi-year absence; large client book |
| Inadequate CDD on a single client | AED 50,000 – 100,000 | PEP undetected; sanctioned-jurisdiction nexus |
| Late STR (filed >35 days) | AED 100,000 – 500,000 | Pattern of delay; material transaction |
| Failure to register on goAML | AED 50,000 – 100,000 | Repeat; supervisory directive ignored |
| Failure to maintain records (5 yr) | AED 100,000 – 500,000 | Records destroyed; obstruction |
| Tipping off (informing a client of an STR) | AED 500,000+, possible criminal referral | Deliberate disclosure |
Practical Control Set That Polaris Operates
The operating posture for a licensed TCSP is built around five things: a written risk-assessment that names each client risk factor and the mitigant applied; CDD files refreshed on a documented periodicity (annually for low-risk, every six months for high-risk, on any material change); a sanctions screening engine that captures Local Targeted Financial Sanctions in addition to UN/OFAC/EU; an independent Compliance Officer with sign-off authority over onboarding; and a single immutable record of every red-flag review — even the ones that resulted in no STR. The most damaging finding in any AML inspection is a transaction that was reviewed informally but not documented. Where Polaris acts as corporate structuring adviser or fiduciary service provider, the audit trail is engineered to survive inspection, not just to satisfy onboarding.
- TCSPs, real-estate brokers, dealers in precious metals, lawyers, auditors and notaries are all DNFBPs.
- goAML registration is non-negotiable; failure to register attracts a base fine of AED 50,000+ and a presumption of non-compliance.
- Enterprise-wide risk assessments must be written, dated, and refreshed annually — generic templates draw the highest fines.
- STRs must be filed within 35 days of forming a suspicion; attempted transactions count.
- The most expensive failure mode is not the transaction itself but the absence of a documented review of it.
Polaris Perspective
Polaris is a licensed TCSP with AML compliance built into every client relationship. We design and implement AML programmes, conduct CDD/EDD, manage goAML reporting and prepare businesses for regulatory inspection.
Arrange a Consultation →