How DNFBPs Can Conduct Effective AML Risk Assessments in the UAE
In the UAE, the government has taken a strong stance against financial crime. Under Cabinet Decision No. 10 of 2019 and Federal Decree-Law No. 20 of 2018, Designated Non-Financial Businesses and Professions (DNFBPs) are required to implement robust Anti-Money Laundering (AML) practices, and at the heart of this requirement is the Annual AML Risk Assessment.
But many DNFBPs, such as real estate agents, auditors, dealers in precious metals, law firms, and company formation service providers, still struggle with what exactly this means in practice. This blog provides simple, clear guidance and a step-by-step checklist to help your business stay compliant, especially ahead of audits or inspections by regulatory authorities.
What is an AML Risk Assessment — and Why Is It Mandatory?
An AML Risk Assessment is a structured process through which a business:
- Identifies and categorizes potential risks of money laundering or terrorist financing (ML/TF).
- Evaluates the likelihood and impact of those risks.
- Implements controls and monitoring procedures to mitigate them.
- Documents everything in a formal risk assessment report, which must be updated annually or when business operations change.
The UAE expects DNFBPs to move away from a “one-size-fits-all” approach and adopt a Risk-Based Approach (RBA). This means putting more effort and scrutiny into high-risk areas while applying simpler controls to low-risk ones. Failing to do so may result in:
- Fines ranging from AED 50,000 to AED 1 million.
- Rejection or delay of your GoAML registration.
- Reputational damage or increased scrutiny by authorities.
- In extreme cases, license suspension or blacklisting.
Annual AML Risk Assessment Checklist for DNFBPs
Use the following expanded checklist to structure your risk assessment process:
1. Understand Your Business Activities and Risk Exposure
Start by analyzing your core operations:
- What services do you offer?
- Who are your clients (e.g., local individuals, foreign companies, offshore trusts)?
- Are your services cash-intensive or cross-border, or do they involve third parties?
Example: A real estate broker dealing with international buyers and accepting large cash deposits faces higher AML risk than a local property consultant working with salaried UAE residents.
2. Categorize and Profile Your Customers (KYC)
Know Your Customer (KYC) is your first line of defense. Categorize clients into low, medium, or high-risk profiles based on:
- Nationality and country of residence.
- Nature of their business or profession.
- Source of funds and wealth.
- Links to Politically Exposed Persons (PEPs) or sanctioned countries.
Example: A client from a FATF-greylisted country who wants to register a company in a Free Zone could be flagged as high-risk, even if their documentation appears legitimate.
3. Assess the Risk of the Products and Services You Offer
Different services carry different levels of ML/TF risk.
- Services that involve high cash turnover, luxury assets, or cross-border flows are riskier.
- Services that allow anonymity or layered ownership structures (e.g., nominee shareholders) are especially vulnerable.
Example: A gold dealer offering large transactions without proper ID checks exposes the business to placement-stage laundering.
Consider which services could be misused and assign each a risk score (Low/Medium/High).
4. Identify Geographic Risk
Money laundering risks increase significantly when dealing with clients or partners in certain countries. Consider:
- Is the client from a country on the FATF greylist or blacklist?
- Do they operate in conflict zones or secrecy jurisdictions?
- Do you have exposure to high-risk Free Zones?
Example: A company incorporation service dealing with clients from sanctioned regions must apply enhanced due diligence (EDD).
5. Analyze Delivery Channels
How are your services delivered?
- Face-to-face onboarding offers more control than remote/digital onboarding.
- Use of agents, referrals, or unregulated third parties increases the risk of spoofing or fraud.
Example: A law firm accepting clients only via online form submissions without verifying documents introduces risk.
Implement robust identity verification tools for remote channels.
6. Evaluate Your Internal Controls
Now check your existing policies and procedures. Ask:
- Do you have an AML Policy Manual?
- Do your onboarding and transaction processes have risk-based controls?
- Are escalation procedures documented?
- Is there a designated Compliance Officer or MLRO?
Example: A small audit firm without a written AML policy or designated compliance officer is not compliant even if it has low-risk clients.
Use audit checklists to evaluate compliance gaps and address them proactively.
7. Establish Ongoing Monitoring Protocols
A proper AML setup includes real-time and post-transaction monitoring to identify:
- Unusual activity (sudden increase in transactions).
- Structuring or “smurfing” (breaking transactions into smaller parts).
- Use of offshore accounts or shell companies.
8. Be Ready to Report via GoAML
Make sure your business is registered with the GoAML portal, and that you can submit:
- STRs (Suspicious Transaction Reports) — when a suspicious transaction takes place.
- SARs (Suspicious Activity Reports) — when behavior is suspicious but no transaction occurs.
A strong internal workflow should guide staff on how to detect, when to report, and who is responsible for filing the report.
9. Train Staff Regularly
Staff must be able to:
- Recognize red flags in real estate transactions, company formation, gold trading, etc.
- Understand their role in the AML framework.
- Know how and when to escalate cases internally.
AML/CTF training should be delivered at least once a year and customized to each staff member’s role.
10. Maintain Accurate Records for 5+ Years
All documents related to onboarding, risk assessments, STRs/SARs, beneficial ownership, and customer due diligence must be:
- Stored securely.
- Easily retrievable.
- Retained for at least five years after the end of the business relationship or transaction.
Consider cloud-based compliance software to ensure retention and quick access during audits.
Final Thoughts
An AML Risk Assessment isn’t just a regulatory checkbox; it’s your first defense against financial crime. By taking a structured, risk-based approach, DNFBPs can protect their business, clients, and reputation.
Whether you’re an auditor, real estate consultant, legal advisor, or service provider, AML compliance is not optional in today’s UAE business climate.
Ready to Get Compliant?
We help DNFBPs in the UAE:
- Conduct annual risk assessments.
- Prepare GoAML submissions.
- Train staff and design AML policies.
- Implement AI-based compliance tools.
At Excellent Accountants, we specialize in helping DNFBPs meet their AML obligations — from GoAML registration to risk assessment documentation, MLRO reporting, and staff training.