AML/CFT: Senior Management Responsibilities in the UAE

The Governance Shift

Federal Decree-Law No. 10 of 2025 Concerning Combating Money Laundering, Terrorist Financing and Financing of Proliferation (“AML Law 2025”) entered into force on 14 October 2025, followed by its Executive Regulations under Cabinet Resolution No. 134 of 2025 (“Executive Regulations”) on 14 December 2025 — wholly repealing Cabinet Resolution No. 10 of 2019. Together with the FATF Recommendations published in the FATF Recommendations Notes section of the Central Bank of the UAE (CBUAE) official website, and the Securities and Commodities Authority AML/CFT Rulebook Chapter Five, these instruments constitute the operative regulatory framework today.

What distinguishes this framework from its predecessors is not its text but its philosophy. The supervisory question is no longer “do policies exist?” — it is “can senior management demonstrate that it understands what it has approved?” This shift from formal compliance to substantive governance is the measure UAE supervisory authorities now apply, consistent with FATF Recommendation 26, which requires that the effectiveness of supervision be assessed — not merely its existence.

Core Obligations

The Executive Regulations broaden the definition of “senior management” to encompass any person exercising direct operational influence, irrespective of formal job title, and render personal accountability applicable even in the absence of direct criminal intent. AML Law 2025 requires senior management to approve policies and controls with substantive understanding of their underlying risk assumptions — not by procedural sign-off — and to embed AML/CFT and Counter-Proliferation Financing (CPF) considerations within enterprise-wide governance structures rather than confining them to an isolated compliance function. (FATF Recommendation 18; Executive Regulations, Cabinet Resolution No. 134 of 2025)

On the Risk-Based Approach, a static risk assessment — reviewed annually and not translated into operational decisions — does not satisfy FATF Recommendation 1. The Executive Regulations have also expressly expanded the scope of institutional risk assessment to include proliferation financing risks as a distinct and separately addressed category, alongside traditional AML/CFT risks. (Cabinet Resolution No. 134 of 2025; FATF Recommendation 19)

High-Risk Relationships & Enhanced Due Diligence

This is the area that most clearly exposes the gap between what senior management formally approves and what it genuinely understands. The Executive Regulations introduce a substantive expansion: senior management approval is now required for all high-risk business relationships without exception — no longer exclusively for Politically Exposed Persons as under the prior framework. Two wholly new EDD requirements have also been introduced: identification of source of wealth — not merely source of funds — and a requirement that the first payment originate from an account in the customer’s name at a CDD-comparable institution. (Executive Regulations, Cabinet Resolution No. 134 of 2025; FATF Recommendation 12)

High-risk relationship approval requests must be treated as analytical documents, not administrative notifications. A relationship formally approved by senior management, then left without ongoing EDD review, is a relationship that has not been managed in any meaningful regulatory sense — and this specific pattern is precisely what UAE supervisory authorities scrutinise in field reviews under the AML Law 2025 framework. (FATF Recommendation 10; SCA AML/CFT Rulebook, Chapter Five).

Sanctions, Reporting & Institutional Culture

AML Law 2025 has granted the Financial Intelligence Unit (FIU) new powers to suspend transactions for up to ten working days and freeze assets for up to thirty days — requiring senior management to review internal escalation protocols in light of this expansion. FATF Recommendations 6 and 7, published in the FATF Recommendations Notes section of the CBUAE website, confirm that implementation of Targeted Financial Sanctions (TFS) requires immediate freezing procedures that admit no operational delay under any justification. (Cabinet Resolution No. 74 of 2020; SCA AML/CFT Rulebook, Chapter Five, Part Four)

On reporting, the defining question is no longer “are Suspicious Transaction Reports submitted on time?” — it is whether senior management generates a reporting culture or merely a reporting system. An institution in which the Money Laundering Reporting Officer hesitates before escalating — not because information is incomplete, but because institutional culture does not encourage it — carries compliance risks far deeper than its formal records reveal. (FATF Recommendation 18(2); Executive Regulations, Cabinet Resolution No. 134 of 2025)

Regulatory Consequences

AML Law 2025 establishes a consequence framework covering both regulated entities and senior management individually: administrative fines reaching AED 100 million or the equivalent value of funds subject to the offence — whichever is higher — licence restrictions, supervisory measures, and personal criminal liability in more serious contexts. Critically, UAE supervisory authorities increasingly distinguish between isolated operational errors and systemic governance failures — a distinction mandated by FATF Recommendation 35, which requires sanctions to be effective, proportionate and dissuasive. Repeated control deficiencies, ineffective escalation mechanisms and passive oversight are no longer read as technical shortcomings. They are classified as governance failures warranting graduated supervisory intervention.