UAEServicesIPR & AML ComplianceAML / CFT ServicesAML Risk Assessment

IPR & AML Compliance · AML / CFT Services

AML Risk Assessment

AML Risk Assessment is the foundation document every other piece of a UAE AML/CFT programme is built on — the written, entity-specific evaluation of customer risk, geographic risk, product/service risk, and delivery-channel risk that Federal Decree-Law No.

Speak with a specialist →Chat on WhatsApp

Chartered Accountants · Dubai · Since 1986

What AML Risk Assessment is

An AML/CFT risk assessment is the documented process by which a UAE entity identifies, analyses, and rates its exposure to money laundering, terrorist financing, and proliferation financing risk, and uses that rating to calibrate the rest of its compliance programme. The obligation is set out in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism, as amended, together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, which require regulated entities — Designated Non-Financial Businesses and Professions (DNFBPs) under Ministry of Economy supervision, financial institutions under the UAE Central Bank, securities firms under the Securities and Commodities Authority, and Virtual Asset Service Providers under VARA or the relevant emirate regulator — to understand and document their own risk profile rather than apply a uniform, undifferentiated level of due diligence to every customer and transaction. A risk assessment is not a one-time compliance artefact produced to satisfy a registration checkbox; it is the analytical basis that determines which customers get standard due diligence, which get simplified treatment, and which require enhanced scrutiny.

The assessment is built across four recognised risk dimensions. Customer risk considers the nature of the customer — individual versus corporate, complexity of ownership structure, cash-intensive business activity, and whether the customer or its beneficial owners are Politically Exposed Persons (PEPs). Geographic risk considers the jurisdictions a customer, its beneficial owners, or its transaction counterparties are connected to, weighed against countries the Financial Action Task Force (FATF) has identified as having strategic AML/CFT deficiencies, and against the UAE's own designated high-risk jurisdiction guidance. Product and service risk considers which of the entity's own offerings carry elevated laundering potential — real estate transactions, company formation and nominee services, dealing in precious metals and stones, and other activities the AML/CFT Law specifically flags. Delivery-channel risk considers how the relationship is established and conducted — face-to-face onboarding with document verification carries different risk than fully remote, non-face-to-face onboarding, and cash-heavy delivery channels carry different risk than bank-transfer-only relationships.

For entities operating from the Dubai International Financial Centre or Abu Dhabi Global Market, the risk assessment obligation sits under the Dubai Financial Services Authority's or the Financial Services Regulatory Authority's own AML rulebook rather than directly under Ministry of Economy DNFBP supervision, even though both regimes are built on the same underlying Financial Action Task Force principles and both trace back to the UAE's national AML/CFT framework under Federal Decree-Law No. 20 of 2018. A risk assessment built to satisfy Ministry of Economy expectations for a mainland DNFBP will not automatically satisfy a DFSA or FSRA reviewer, because the specific documentation format, supervisory reporting cadence, and sector guidance differ by regulator even where the substantive risk dimensions are the same. Virtual Asset Service Providers add a further layer — an entity accepting or facilitating cryptocurrency or other virtual asset transactions may fall within VARA's regulatory scope in Dubai, or an equivalent VASP framework in another emirate, which generally expects a more granular treatment of virtual-asset-specific risk factors than a traditional cash-and-bank-transfer risk assessment would capture. Confirming which regulator's rulebook actually governs the entity, before the risk assessment is drafted, is therefore not a procedural footnote — it determines the standard the finished document is measured against.

The output of a properly built risk assessment is not a single number or a pass/fail label. It is a risk rating methodology — a defined, documented basis for classifying individual customers as standard, simplified, or enhanced risk — plus an entity-level risk statement that supervisory authorities and, increasingly, correspondent banks reviewing a business customer's compliance posture will expect to see. The methodology then drives the rest of the CDD programme: which customers require senior management sign-off before onboarding, how frequently a relationship is re-screened, what triggers a file refresh, and what evidence a Compliance Officer needs before escalating a concern toward a Suspicious Transaction Report filed through goAML, the reporting platform operated by the UAE's Financial Intelligence Unit.

What regulators actually test on inspection is not whether a risk assessment document exists in a folder — it is whether the document describes the business that is actually operating. A risk assessment written once at company formation, describing an intended customer base that the business subsequently outgrew or pivoted away from, is treated on inspection almost the same as having no risk assessment at all, because the document no longer reflects reality. Equally common is a risk assessment copied from an industry template with the company name substituted in, where the stated risk factors bear no relationship to the entity's actual geography, customer mix, or transaction pattern. PNPC's approach starts from your licensed activity, your real customer categories, your actual jurisdiction exposure, and your delivery channels, and produces a risk methodology your own staff can apply consistently — because a risk assessment that only the compliance consultant who wrote it understands is not one the business can actually run day to day.

A risk assessment also increasingly functions as evidence a business produces outside a supervisory inspection context entirely. UAE banks conducting their own periodic AML review of business customers — a standard part of correspondent banking and account-maintenance due diligence — routinely ask commercial customers to demonstrate their own AML/CFT posture, and a DNFBP or regulated entity that can produce a current, coherent risk assessment on request is in a materially stronger position during that review than one that has to explain why no such document exists. PNPC therefore treats the risk assessment as a document that needs to be presentable on short notice, not filed away until a Ministry of Economy visit is announced — carrying a visible version history and date of last review so whoever is asked to produce it can show at a glance that it reflects the business as it operates today, not as it operated at the point of company formation.

When an AML Risk Assessment engagement is the right starting point

Your business is a newly licensed DNFBP — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and has not yet documented a risk assessment ahead of onboarding its first customers

You are registering, or preparing to register, on the goAML platform and need the risk assessment that should sit behind (or alongside) that registration, not a bare portal sign-up with nothing supporting it

Your existing risk assessment was written at incorporation and has never been revisited, while your customer base, product mix, or jurisdiction exposure has since changed materially

You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection notice or finding that specifically flags an absent, outdated, or generic risk assessment

You are onboarding at growing volume and no longer have a defensible basis for deciding which customers get standard, simplified, or enhanced due diligence — decisions are being made ad hoc rather than against a documented methodology

You handle customers, beneficial owners, or counterparties connected to jurisdictions the Financial Action Task Force has flagged, or to politically exposed persons, and need the risk rating that determines when enhanced due diligence is triggered

A correspondent bank or banking partner has asked to see your AML risk assessment as part of its own periodic review of your business account, and you need a document that will actually satisfy that request

You are acquiring or merging with another regulated entity and need its historical risk assessment methodology diligenced before completion, since a weak or absent assessment is inherited exposure

Your annual review cycle is due, or overdue, and the risk assessment needs to be refreshed against the current customer base, current FATF guidance, and any recent Cabinet Decision updates

You are expanding into a new product line, customer segment, or jurisdiction and need the risk assessment updated before the new activity goes live, not retrofitted after exposure has already been taken on

Your business operates from DIFC or ADGM and needs the risk assessment built against the DFSA or FSRA rulebook specifically, rather than a mainland Ministry of Economy template that will not satisfy your actual supervisor

You have started accepting or facilitating virtual asset payments and need the risk assessment revisited to capture the distinct risk factors that exposure introduces, including any resulting VASP regulatory scope

Where a different engagement fits better

You already have a current, well-documented risk assessment and specifically need the CDD onboarding procedures, screening design, or staff training built around it — that sits under KYC & Customer Due Diligence Advisory rather than a fresh risk assessment

You need the goAML portal registration itself completed with credentials issued — that is the mechanical registration step, though PNPC generally recommends the risk assessment accompany or precede it rather than standing alone

Your business does not fall within any DNFBP, financial institution, or VASP category under UAE AML law — confirm applicability first through a scoping call before commissioning a formal risk assessment

You have already identified a specific suspicious transaction and need to file an STR/SAR now — that is an urgent reporting matter to escalate immediately, with the risk assessment review following afterward, not before

You are under active investigation for money laundering or terrorist financing offences — that requires criminal defence legal representation as the primary engagement

You want a risk assessment produced without sharing your actual customer base, ownership structure, or transaction data — a document built on assumptions rather than your real business will not satisfy the risk-based standard the law requires and will not survive inspection

You are looking for a one-page generic risk statement to satisfy a box on a form, with no intention of using the methodology to actually differentiate customer treatment — that approach is precisely what supervisory authorities flag as compliance theatre on inspection

You need only sanctions/PEP screening software configured, with the underlying risk methodology already settled elsewhere — that is closer to a screening implementation engagement

You need an independent AML/CFT audit or internal testing of an already-built risk assessment and CDD programme — that is a separate assurance engagement that tests what PNPC or another adviser has already built, not the initial risk assessment itself

Structure Comparison

AML Risk Assessment vs related UAE AML/CFT engagements

FeatureAML Risk AssessmentKYC & CDD AdvisorygoAML Portal RegistrationAML Training & Capacity BuildingTransaction Monitoring & Reporting
Primary purposeIdentify, analyse, and document entity-wide money laundering and terrorist financing risk across customer, geographic, product, and delivery-channel dimensionsDesign and implement the full onboarding, screening, and monitoring programme built on top of the risk assessmentRegister the entity and its Compliance Officer on the FIU's goAML platform to enable STR/SAR filingBuild staff capability to execute the risk assessment and CDD programme correctly day to dayOperate ongoing screening and escalation once onboarding and the risk methodology are in place
Legal basisFederal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 (as amended) — risk-based approach requirementSame law — the CDD procedures the risk assessment feeds intoSame AML/CFT framework — the reporting mechanism specificallyAML/CFT Law's requirement for competent, trained staff able to execute the programmeAML/CFT Law's ongoing monitoring and reporting obligation
OutputA written, entity-specific risk assessment document plus a documented customer risk-rating methodologyOnboarding forms, CDD/EDD procedures, screening workflow, policy manualRegistered organisation and Compliance Officer profile with FIU filing accessTrained staff with attendance and competency recordsScreening alerts adjudicated, transaction anomalies escalated, STRs/SARs filed where warranted
SequencingFirst — everything else in the programme is calibrated against itFollows the risk assessment; cannot be properly built without itCan run in parallel, but registration without a risk assessment behind it is incomplete on inspectionFollows once the risk assessment and CDD procedures exist to train staff onOngoing, continuous — depends on the risk assessment's triggers being correctly set
Who typically needs it firstAny DNFBP, financial institution, or VASP without a current, documented risk assessmentEntities with a risk assessment but no operational CDD programme built on itEntities that have a risk assessment and CDD programme but lack platform accessEntities with policies and procedures that staff have not yet been trained to executeEntities with a live onboarding book that needs ongoing screening and escalation discipline
Regulatory inspection focusWhether the document reflects the business's actual customer base, geography, and activity todayWhether onboarding files match what the risk assessment and policy say should happenWhether the organisation and Compliance Officer profiles are both active and correctly linkedWhether staff can answer specific questions about red flags and escalation procedureWhether alerts were adjudicated and suspicious activity reported without delay
Applicable to free zone entities?Yes — but must be built against the entity's actual governing rulebook (Ministry of Economy for mainland DNFBPs, DFSA for DIFC, FSRA for ADGM)Same rulebook dependency — CDD procedures follow whichever risk assessment methodology was usedRegistration mechanics are broadly consistent across mainland and free zone once applicability is confirmedTraining content should reflect which rulebook the entity actually sits underMonitoring thresholds and escalation routes should track the same governing rulebook
Typical review triggerAnnual anniversary, or any material change in customer base, product mix, geography, or delivery channelFollows the risk assessment's review cycle plus any CDD-specific findingPeriodic profile confirmation cycle on the goAML portal itselfRefresher training cadence, typically annualContinuous — every new alert and every periodic file refresh
Primary audience beyond the regulatorCorrespondent banks and banking partners reviewing the entity's own AML posture during account maintenanceOnboarding staff applying the CDD procedure day to dayThe FIU, as the recipient of any filed STR/SARThe entity's own staff and managementThe Compliance Officer adjudicating alerts and escalations

These engagements are almost always sequential rather than alternative — a risk assessment with no CDD programme built on it, or a CDD programme with no risk assessment behind it, both read as incomplete on inspection. PNPC typically scopes the risk assessment first, then the CDD/screening/training build, either as one combined engagement or as a phased sequence depending on how much of the surrounding programme already exists.

How it works
#Stage & What PNPC DoesWhat Generic Risk Templates MissTimeline
1Applicability & Scoping Call — confirm DNFBP, financial institution, or VASP status and the correct supervisory authorityA template risk assessment does not ask which specific DNFBP category you fall under, whether you are mainland (Ministry of Economy) or free zone (DFSA in DIFC, FSRA in ADGM), or whether virtual asset exposure brings VARA into scope. These answers change which rulebook the assessment is measured against.1–2 working days
2Customer Base Profiling — categorising the actual customer mix by type, structure complexity, and typical transaction sizeGeneric templates assume a customer profile; we document the real one — individual versus corporate, direct versus layered ownership, cash-intensive versus bank-transfer-only relationships — because the risk rating methodology has to be built from what actually walks through the door.2–4 working days
3Geographic Risk Mapping — assessing exposure to customer, beneficial owner, and counterparty jurisdictions against current FATF and UAE high-risk jurisdiction guidanceA template's list of 'high-risk countries' is often stale by the time it is downloaded — FATF's own lists are updated periodically. We map your actual jurisdiction exposure against current guidance at the time of the assessment, not a remembered list.2–3 working days
4Product & Service Risk Analysis — rating each offering the entity provides against known laundering typologies for that activityA real estate brokerage, a corporate service provider, and a precious metals dealer face materially different product-risk profiles even though all three are DNFBPs — we analyse the specific services rendered, not a category label.2–4 working days
5Delivery Channel Risk Assessment — evaluating how relationships are established (face-to-face, remote, intermediary-introduced) and how funds move (cash, bank transfer, third-party payment, virtual asset)Remote and cash-heavy delivery channels carry meaningfully higher risk than face-to-face, bank-transfer-only relationships — a template that does not differentiate these misses a core input into the overall rating.1–3 working days
6Risk Rating Methodology Design — building the defined basis for classifying individual customers as standard, simplified, or enhanced riskThis is the step most templates skip entirely, leaving the entity with a risk narrative but no actual mechanism for rating a new customer walking in the door tomorrow. We build the scoring or classification logic your onboarding staff can apply consistently.3–5 working days
7Entity-Wide Risk Statement Drafting — the documented conclusion on overall inherent risk, residual risk after controls, and the rationale behind bothA one-line risk conclusion with no supporting analysis does not survive a supervisor's question of 'how did you arrive at this.' We document the reasoning chain from raw risk factors to final rating.2–3 working days
8Alignment with CDD/EDD Triggers — mapping the risk rating output directly to standard, simplified, and enhanced due diligence requirements the entity will applyA risk assessment that does not connect to a concrete due-diligence action for each rating band is an academic exercise, not an operating tool — we tie the rating directly to what onboarding staff do differently for each category.2–3 working days
9Management/Board Review and Sign-OffAML/CFT governance expects senior management or board ownership of the risk assessment, not just a compliance officer's private working document — we prepare the assessment for formal review and documented approval.1–2 working days, subject to internal availability
10Integration with goAML Registration and Wider ProgrammeA risk assessment produced in isolation from the goAML registration and the broader CDD build is a missed opportunity for consistency — we hand the finished assessment directly into the registration and policy-drafting workstream where those are also engaged.Concurrent with registration where both are in scope
11Annual Review Scheduling — the risk assessment is diarised for at least an annual refresh, or sooner on material business changeA risk assessment that is filed away and never revisited is the single most common inspection finding on this specific document — we build the review date into the client's compliance calendar from day one.Ongoing — annual, or on material change
12Correspondent Banking / Bank Review Readiness — preparing a version of the risk assessment suitable to produce if a banking partner requests evidence of AML posture during its own account reviewBusinesses that have never been asked to show their risk assessment to a bank are frequently unprepared when the request comes mid-relationship, during what is otherwise a routine account review — we prepare the document to be produced on short notice, not assembled under pressure.Concurrent with the main build
13VASP / Virtual Asset Applicability Cross-Check — confirming whether any current or planned virtual asset acceptance brings the entity within VARA or another emirate's VASP regulatory scopeA risk assessment that does not ask this question at all can miss an entire additional regulatory layer — we check virtual asset exposure explicitly rather than assuming it does not apply.1–2 working days, where relevant
14Version-Controlled Document Handover — the finished assessment is delivered with a visible version number and date of last review, ready to be produced to a supervisor, a bank, or an acquiring counterparty on requestA risk assessment with no version history invites the question 'how do we know this is current' — we build the currency evidence into the document itself rather than leaving it to institutional memory.At delivery

Realistic timeline for a complete, entity-specific risk assessment from scoping call to board-approved document: typically 2–4 weeks depending on the complexity of the customer base and how readily existing customer and transaction data can be pulled together. Entities with clean, accessible records move faster; those needing to reconstruct customer categorisation from scratch will take longer. This timeline runs independently of, but is often scoped alongside, goAML registration and the wider CDD programme build.

Document Checklist
Entity & Licensing Information

Trade licence copy — mainland DED licence or free zone licence, showing licensed activities in full, since risk exposure follows actual licensed activity

Organisational chart identifying who will own and approve the risk assessment (senior management, board, or designated Compliance Officer)

Details of all UAE and overseas branches, subsidiaries, or related entities sharing a customer base or referral relationship

Any existing risk assessment or risk-related documentation, however outdated, for gap review against current requirements

Customer Base Data

A representative sample or full listing of current customer categories — individual, corporate, trust, government — with indicative transaction value ranges and frequency

Breakdown of customer ownership structures — direct individual ownership versus layered corporate, trust, or nominee arrangements

Any existing customer segmentation, tiering, or informal risk categorisation currently in use

Volume and growth trend of onboarding over recent periods, to gauge whether manual risk judgement is still practical at current scale

Geographic & Counterparty Exposure

List of jurisdictions where customers, beneficial owners, or transaction counterparties are based or connected

Details of any dealings with jurisdictions the business is aware may carry elevated AML/CFT risk under FATF or UAE guidance

Cross-border transaction patterns, including frequency and typical routing, where relevant to the business activity

Product, Service & Delivery Channel Detail

Full description of products and services offered, including any that involve cash handling, real estate, precious metals, company formation, or nominee arrangements

Description of onboarding channels used — face-to-face, remote/digital, intermediary-introduced — and the proportion of business conducted through each

Payment methods accepted — bank transfer, cash, cryptocurrency/virtual assets, third-party payment — since each carries different risk weighting

Details of any outsourced or intermediary-based customer introduction arrangements

Existing Compliance Infrastructure

Details of any sanctions or PEP screening tool currently in use, including vendor and configuration

Records of any prior Suspicious Transaction Reports filed, or internal escalations raised, relevant to understanding realised risk

Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA relating to any prior inspection, finding, or guidance specific to risk assessment expectations

Existing goAML registration status and reference details, where already registered

Governance & Sign-Off Materials

Designated Compliance Officer or MLRO details, or confirmation that this role is still to be assigned

Prior board or management meeting minutes referencing AML/CFT risk, if any exist

Confirmation of who within the business holds authority to approve the finished risk assessment on behalf of senior management or the board

For Virtual Asset / VASP-Adjacent Businesses (Additional)

Description of any cryptocurrency or virtual asset acceptance, facilitation, or exchange activity currently underway or planned

Details of any wallet, custody, or virtual asset payment processor arrangements in use

Confirmation of whether VARA or another emirate-level VASP regulator has been engaged or notified, if applicable

For Bank / Correspondent Banking Review Support (Additional)

Copy of any bank or correspondent banking AML questionnaire the entity has already received, to align the risk assessment's presentation with what the bank is actually asking for

History of any account restriction, review, or query previously raised by a banking partner relating to AML posture

Ongoing obligations
PhaseTriggered ByPNPC GuidanceRisk If Ignored
Initial Risk Assessment BuildNew DNFBP licence, first formal AML/CFT programme build, or discovery of an absent/outdated assessmentCustomer, geographic, product, and delivery-channel risk analysed from actual business data and documented into a formal risk statement and rating methodology, presented for management/board sign-off.Onboarding without a documented risk basis means every due-diligence decision is effectively ad hoc, and the entity cannot demonstrate a risk-based approach if challenged on inspection.
Integration into CDD ProgrammeRisk assessment completed or nearing completionThe risk rating methodology is wired directly into onboarding procedures — determining which customers get standard, simplified, or enhanced due diligence, and what triggers senior management approval.A risk assessment that sits unused, disconnected from actual onboarding decisions, is functionally indistinguishable from not having one when a supervisor tests real customer files against it.
Ongoing ApplicationEvery new customer onboardedThe risk rating is applied consistently to classify each new relationship, with the classification driving the depth of due diligence performed and documented.Inconsistent application — the same customer type rated differently depending on who onboarded them — is a recurring, easily-spotted inspection finding.
Periodic Monitoring for Rating DriftOngoing relationship activity that deviates from the customer's original risk profileTransaction patterns and customer information are periodically checked against the original risk rating; a customer whose activity no longer matches their stated profile is flagged for re-rating.A customer onboarded as low-risk who has since begun exhibiting higher-risk activity, with no re-rating trigger in place, represents undetected exposure the original assessment cannot catch on its own.
Annual ReviewAnniversary of the risk assessment, or sooner on material business changeThe full assessment is refreshed against the current customer base, current FATF and UAE guidance, and any relevant Cabinet Decision updates, with changes documented and re-approved by management.A stale risk assessment is one of the most commonly cited findings in DNFBP inspections — 'when was this last updated' is a standard question with an easy pass or fail answer.
Business Change TriggerNew product line, new customer segment, new jurisdiction exposure, M&A, or ownership changeThe risk assessment is revisited and updated before the new activity goes live, incorporating the new risk factors rather than retrofitting the assessment after exposure has already been taken on.A new business line onboarded under an unrevised risk assessment is effectively unassessed activity — the document on file no longer describes what the business actually does.
Regulatory InspectionScheduled or unannounced supervisory visit from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARAPNPC supports document production and can walk the inspecting officer through the risk assessment's methodology and how it connects to actual onboarding files.An entity unable to explain how its risk rating was derived, or whose files do not match the stated methodology, faces findings that typically escalate from a corrective directive to administrative fines.
Finding or Remediation DirectiveInspection outcome specifically citing the risk assessment as deficientPNPC rebuilds or substantially revises the assessment against the specific finding, with a documented corrective action plan and timeline for supervisor follow-up.An unaddressed finding on the risk assessment — the foundation document — tends to cascade into follow-on findings across CDD, screening, and training, since those all depend on it.
Correspondent Banking / Account Review RequestA banking partner's own periodic AML review of the business account, or a new bank relationship being openedThe current, version-dated risk assessment is produced on request, positioning the entity as a lower-friction customer for the bank's own review.A business unable to produce a current risk assessment on a bank's request risks account restriction or closure, independent of any Ministry of Economy inspection.
Change of Compliance Officer or Senior Management Sign-Off HolderA change in the individual who holds authority to approve or own the risk assessmentThe new Compliance Officer or approving manager formally reviews and re-affirms the current risk assessment, or triggers an update if their own knowledge of the business surfaces gaps.A risk assessment nominally 'approved' by someone no longer with the business reads, on inspection, as unowned — undermining the governance evidence the sign-off was meant to provide.
Virtual Asset Activity IntroducedThe business begins accepting or facilitating cryptocurrency or other virtual asset paymentsThe risk assessment is revisited specifically for virtual-asset risk factors and any resulting VASP regulatory scope, rather than treated as a minor addition to an existing traditional-payment assessment.Virtual asset acceptance introduced without reassessing regulatory scope can leave the entity operating outside a licensing framework it did not realise applied.
Common mistakes to avoid
Sequencing and scope errors

Registering on goAML before the risk assessment exists, leaving a registered organisation with no documented basis for the due-diligence decisions its Compliance Officer is expected to make

Confirming DNFBP or VASP applicability from the trade licence wording alone, rather than from the services actually rendered — a licence labelled 'business consultancy' does not exempt an entity that in practice forms companies or handles client funds

Building the risk assessment for a mainland Ministry of Economy audience when the entity is actually DIFC- or ADGM-regulated, producing a document that does not match what the entity's real supervisor expects

Treating the risk assessment as complete once drafted, without the follow-on step of wiring the rating methodology into actual CDD/EDD triggers used at onboarding

Content and methodology gaps

Copying a downloaded or industry-generic risk assessment template with the company name substituted in, without populating it from the entity's real customer base, geography, and product mix

Producing a risk narrative with no defined rating mechanism — no documented basis for classifying a new customer as standard, simplified, or enhanced risk on day one of the relationship

Referencing a fixed or remembered list of high-risk jurisdictions instead of checking current FATF and UAE guidance at the time the assessment is prepared

Omitting delivery-channel risk entirely, or failing to update it after the business shifts from face-to-face to remote or intermediary-introduced onboarding

Describing only inherent risk with no residual-risk analysis, leaving no documented basis for why current controls are considered sufficient

Governance and currency failures

Leaving the risk assessment unsigned, or signed only by a compliance officer with no evidenced senior management or board approval

Filing the finished assessment away and never revisiting it — the single most common inspection finding on this specific document

Failing to update the assessment after a material business change (new product, new customer segment, new jurisdiction, ownership change, or introduction of virtual asset payments) before the new activity goes live

Leaving a departed Compliance Officer or approving manager as the nominal owner of record, with no re-affirmation by whoever actually holds the role today

Frequently asked
What exactly is an AML risk assessment, and how is it different from an AML policy?

The risk assessment is the analytical document that identifies and rates the entity's exposure to money laundering and terrorist financing risk across customer, geographic, product, and delivery-channel dimensions. The AML policy is the procedural document that sets out what the entity does in response to that risk — CDD steps, screening cadence, escalation procedures. The risk assessment answers 'what is our risk profile'; the policy answers 'what do we do about it.' A policy without a risk assessment behind it is not properly risk-based, since there is no documented analysis driving its calibration.

Practitioner noteWe are frequently asked to review an existing 'AML policy' that turns out to be a procedures document with no underlying risk assessment at all — the procedures exist, but nobody can explain why they were set at that level. We build the risk assessment first specifically to answer that question.
Is having a documented risk assessment legally mandatory, or is it just good practice?

It is a legal requirement, not a discretionary best practice, for entities within scope of Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decisions. The risk-based approach is a core structural expectation of the UAE's AML/CFT framework — regulated entities are expected to understand and document their own risk exposure rather than applying uniform treatment to every customer regardless of actual risk.

Practitioner noteClients sometimes assume the risk assessment is an optional add-on to the 'real' requirement of goAML registration. In practice, supervisors treat the absence of a documented risk assessment as seriously as an absent registration — arguably more so, because it undermines the credibility of everything else in the file.
How is customer risk actually assessed — what factors go into the rating?

Customer risk considers factors including whether the customer is an individual or corporate entity, the complexity and transparency of its ownership structure, whether it or its beneficial owners are Politically Exposed Persons, the nature and cash-intensity of its business activity, and how long and how transparently the relationship has operated. These factors are combined into a documented rating — typically standard, simplified, or enhanced — that then determines the depth of due diligence applied.

Practitioner noteWe push clients to move beyond a gut-feel rating to a documented scoring or classification logic — not because a number is magic, but because a documented methodology is defensible on inspection in a way that 'we just knew' is not.
What does geographic risk mean in practice, and which jurisdictions count as higher-risk?

Geographic risk considers the jurisdictions connected to a customer, its beneficial owners, or its transaction counterparties, weighed against countries the Financial Action Task Force (FATF) has identified as having strategic AML/CFT deficiencies, and against any UAE-specific high-risk jurisdiction guidance. Because FATF's own list is periodically updated, a risk assessment needs to reference current guidance at the time it is prepared rather than a fixed list assumed to still be accurate.

Practitioner noteWe verify the current FATF list status at the point of each engagement rather than relying on a remembered or previously-downloaded list — this is exactly the kind of detail that goes stale silently if nobody checks it.
Why does the delivery channel — how a customer is onboarded — affect the risk rating?

Face-to-face onboarding with original document verification allows more direct identity confirmation than fully remote or non-face-to-face onboarding, which carries a higher inherent risk of impersonation or misrepresentation absent additional controls. Similarly, cash-heavy relationships carry different risk than relationships conducted entirely through traceable bank transfers. The delivery-channel dimension captures these differences so the risk rating reflects not just who the customer is, but how the relationship is actually conducted.

Practitioner noteBusinesses that shifted from in-person to remote onboarding during any period of disrupted operations sometimes never revisited their risk assessment to reflect that channel change — we specifically ask how onboarding actually happens today, not how it happened when the last assessment was written.
What is the difference between inherent risk and residual risk in a risk assessment?

Inherent risk is the level of money laundering and terrorist financing risk a business faces before any mitigating controls are applied — essentially the raw exposure created by its customer base, geography, products, and delivery channels. Residual risk is what remains after the entity's actual controls — CDD procedures, screening, monitoring, staff training — are factored in. A properly built risk assessment documents both, because residual risk is what should actually drive ongoing due-diligence decisions, while inherent risk shows why those controls are necessary in the first place.

Practitioner noteWe deliberately show both figures in the assessments we build, because a business that only sees a 'low residual risk' conclusion can lose sight of why the controls producing that low residual figure need to keep running — the controls are doing the work, not the business's inherent nature.
How does the risk assessment connect to enhanced due diligence triggers?

The risk rating methodology defines, in advance, which combinations of customer, geographic, product, and delivery-channel factors push a relationship into the enhanced due diligence category — for example, a Politically Exposed Person connected to a FATF-flagged jurisdiction transacting through a complex offshore ownership structure. Building this connection explicitly means onboarding staff have a documented, consistent basis for escalating a relationship to enhanced treatment, rather than relying on individual judgement case by case.

Practitioner noteThe single most valuable output of a good risk assessment, in our experience, is a clear, written answer to 'what specifically triggers enhanced due diligence here' — vague assessments that never define this leave staff guessing exactly when it matters most.
How often does the risk assessment need to be updated?

At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, entry into a new customer segment or geographic market, a change in ownership or control, a shift in onboarding channels, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. An assessment that has not been revisited in several years, however well-drafted originally, no longer reflects the business as it currently operates.

Practitioner noteWe build the annual review into the ongoing advisory relationship rather than leaving it to the client to remember — a calendar-driven review catches drift in the customer base before a supervisor does.
Can we use a downloaded or generic risk assessment template instead of a bespoke one?

A template can be a useful starting structure, but it must be populated with the entity's actual customer, geographic, product, and delivery-channel data to function as a genuine risk-based assessment. A template with the company name substituted in, describing risk factors that do not match the entity's real business, is a recognised inspection finding — supervisors test whether the document reflects the business operating under it, not whether a document exists.

Practitioner noteWe ask new clients to send any existing risk assessment first — nine times out of ten it was adapted from a template and never actually calibrated to the specific customer base and geography the business deals with.
Who inside the business should own and sign off the risk assessment?

AML/CFT governance expects the risk assessment to be reviewed and formally approved by senior management or the board, not treated as a private working document maintained solely by a compliance officer with no wider organisational buy-in. The sign-off matters because it evidences that the entity's leadership has actually engaged with and accepted the documented risk profile, rather than delegating the entire question downward with no oversight.

Practitioner noteWe build a formal sign-off step into every engagement — a risk assessment with no evidenced management approval reads, on inspection, as a document nobody with real authority has actually reviewed.
Does having a risk assessment protect the business if a customer later turns out to be involved in money laundering?

A properly built and consistently applied risk assessment is the standard against which a business's conduct is judged — it demonstrates the entity took a documented, risk-based approach in good faith. It does not guarantee that criminal activity will never occur through the business, but an entity that can show it followed its documented methodology is in a materially different position, from a regulatory and reputational standpoint, than one with no risk basis for its decisions at all.

Practitioner noteWe are candid with clients: the assessment's purpose is defensible, demonstrable good-faith compliance, not a guarantee against ever encountering a bad actor. Understanding that distinction shapes how seriously the document needs to be built and maintained.
What happens if a Ministry of Economy inspector asks how a specific customer's risk rating was determined and we cannot explain it?

An inability to explain the basis for a specific customer's rating — beyond 'that's what the system said' or 'that felt right' — signals that the documented methodology either does not exist in enough detail or is not actually being applied consistently by staff. This is one of the most direct tests an inspector can run, walking through a handful of actual files and asking staff to justify the rating against the written methodology.

Practitioner noteWe run exactly this test internally before a client goes live — pulling sample files and asking staff to explain the rating using only the documented methodology, no outside knowledge — because it surfaces gaps between the written policy and what people actually understand faster than anything else.
How does the risk assessment differ for a real estate broker versus a corporate service provider versus a precious metals dealer?

All three are DNFBP categories under UAE AML law, but their product and delivery-channel risk profiles differ substantially — a real estate broker's risk centres on high-value, sometimes cash-adjacent transactions and layered purchasing vehicles; a corporate service provider's risk centres on undisclosed beneficial ownership behind formed entities and nominee arrangements; a precious metals dealer's risk centres on cash-transaction thresholds and portability of value. A generic risk assessment that does not differentiate these activity-specific risk factors misses what actually drives exposure in each sector.

Practitioner noteWe build sector-specific risk factor libraries into each assessment rather than a one-size-fits-all DNFBP checklist — the typologies that matter for a jeweller are not the ones that matter for a company formation agent, even though both are DNFBPs on paper.
Do free zone entities in DIFC or ADGM need a different risk assessment approach than mainland entities?

DIFC entities regulated by the Dubai Financial Services Authority and ADGM entities regulated by the Financial Services Regulatory Authority operate under their own AML rulebooks, which sit alongside and are generally aligned in substance with the federal AML/CFT framework, but the specific expectations and any sector-specific guidance can differ from the Ministry of Economy's approach for mainland DNFBPs. The risk assessment methodology should be built against the entity's actual governing rulebook.

Practitioner noteWe scope this explicitly at the outset — a risk assessment built against Ministry of Economy expectations for a DIFC-regulated entity may not fully satisfy its actual DFSA supervisor, even though the underlying AML principles are broadly similar.
How does accepting cryptocurrency or virtual asset payments change the risk assessment?

Accepting or facilitating virtual asset transactions introduces a distinct risk dimension — pseudonymity, cross-border speed, and potential exposure to unregulated counterparties — that a traditional-payment risk assessment does not capture, and can also bring the entity within Virtual Asset Service Provider (VASP) regulatory scope, which carries its own generally more stringent AML/CFT expectations. A risk assessment needs to be revisited, not just amended, when virtual asset acceptance is introduced.

Practitioner noteWe treat any mention of virtual asset acceptance as a trigger for reassessing regulatory scope entirely, not just adding a line item to an existing risk assessment — the VASP framework is materially different and still evolving.
Can a small business with only a handful of customers use a simplified, shorter risk assessment?

The depth and formality of the risk assessment can reasonably scale to the size and complexity of the business — a sole practitioner's assessment will be shorter and less elaborate than a large real estate developer's — but every regulated entity, regardless of size, needs a documented assessment covering the same substantive dimensions: customer, geographic, product, and delivery-channel risk, with a defined rating methodology. 'Too small to need one' is not a recognised exemption.

Practitioner noteWe right-size the document to the client's actual scale rather than imposing an enterprise-length assessment on a small business — a proportionate, well-reasoned two-page assessment for a small firm passes inspection; an unused fifty-page document copied from elsewhere does not.
What is the relationship between the risk assessment and goAML registration — do we need both, and in what order?

goAML registration is the mechanical step that gives an entity access to file Suspicious Transaction Reports and Suspicious Activity Reports; the risk assessment is the analytical foundation that determines when a customer relationship or transaction should raise concern in the first place. Both are required, and PNPC generally recommends the risk assessment be built alongside or ahead of registration, since a registered entity with no documented risk basis for its due-diligence decisions presents an incomplete file on inspection even though the portal registration itself is technically complete.

Practitioner noteWe have taken on clients who registered on goAML themselves years ago and never built a risk assessment behind it — the registration was fine; the absence of everything that should sit behind it was the actual finding on their last inspection.
What does PNPC actually deliver in an AML Risk Assessment engagement?

A typical engagement covers: applicability and scoping confirmation; customer base profiling; geographic risk mapping against current FATF and UAE guidance; product and service risk analysis specific to the entity's activities; delivery-channel risk assessment; a documented risk rating methodology classifying customers as standard, simplified, or enhanced risk; an entity-wide risk statement covering inherent and residual risk; and a management/board sign-off package. The finished assessment is handed off ready to integrate into CDD procedures, goAML registration, and staff training where those are also in scope.

Practitioner noteWe scope every engagement in writing before starting, so clients know exactly what the deliverable includes and how it is meant to plug into the wider AML/CFT programme, whether PNPC is building that programme too or the client's own team is.
How much does an AML Risk Assessment engagement cost?

PNPC agrees a fixed, written fee before work begins, scoped to the complexity of the business — a single-office corporate service provider with a narrow customer base requires materially less analytical work than a multi-branch real estate brokerage with diverse geographic exposure. Ongoing annual review pricing is quoted separately and is also fixed and agreed in writing.

Practitioner noteWe do not publish a single number here because risk assessment complexity varies significantly by customer base size, geographic spread, and product mix — a fixed generic price would either overcharge simple businesses or undercharge complex ones. Ask us for a scoped, written quote.
Why engage PNPC rather than writing the risk assessment ourselves using a free template?

Writing a risk assessment mechanically is straightforward once a template exists — the harder, higher-stakes work is building a rating methodology that actually reflects your real customer base and that your own staff can apply consistently, referencing current FATF and UAE guidance rather than a stale downloaded list, and producing a document that will hold up when a supervisor tests it against your actual files rather than just reading it in isolation. A self-written assessment with no connection to real onboarding decisions is the pattern we most often see corrected after an inspection finding.

Practitioner noteWe have rebuilt multiple clients' risk assessments after a Ministry of Economy inspection flagged the existing document as generic or disconnected from actual practice — rebuilding under a remediation deadline costs materially more in time and stress than building it correctly the first time.
What is the relationship between the AML risk assessment and Ultimate Beneficial Owner (UBO) declaration?

UBO declaration, made under Cabinet Decision No. 58 of 2020 (as amended), identifies and records the natural person(s) who ultimately own or control an entity. The risk assessment uses that beneficial ownership picture as a direct input into customer risk — a customer with a transparent, single-layer ownership structure rates differently than one with layered corporate or nominee ownership obscuring the ultimate individual. The two obligations are separate but feed into each other: a risk assessment cannot properly rate customer risk without accurate underlying UBO information, and UBO gaps discovered while building the risk assessment often need their own remediation.

Practitioner noteWe routinely find that a client's UBO register and their risk assessment were built by different people at different times and quietly disagree with each other — we reconcile the two rather than letting the risk assessment simply repeat whatever the UBO file happened to say.
Is there a specific, mandated government template for the risk assessment that DNFBPs must use?

No single mandated form is prescribed for the risk assessment document itself — the AML/CFT Law and Cabinet Decisions set out the risk-based approach requirement and the dimensions that must be considered, but do not issue a fixed template every DNFBP must complete verbatim. This is precisely why a document format that looks credible is not the same as one that has actually been substantively populated with the entity's real risk factors — the absence of a mandated form places the burden on the entity, and its adviser, to demonstrate genuine analysis rather than checkbox completion.

Practitioner noteClients sometimes ask us for 'the official form' expecting a government-issued questionnaire. There isn't one — which is exactly why supervisors focus so heavily on substance over form when they review whatever document an entity does produce.
Does the risk assessment need to be produced in Arabic for a Ministry of Economy submission?

Requirements on language can vary by submission context and the specific supervisory authority's expectations at the time; PNPC confirms the applicable language requirement for the specific filing or inspection context at hand rather than assuming a fixed rule, and can prepare or arrange translation where the authority's process requires it.

Practitioner noteWe check this at the point a specific submission or inspection is actually happening, since practice can differ depending on the reviewing officer and the nature of the request, rather than building an assumption about language requirements into every engagement upfront.
If our business has multiple licensed activities under one trade licence, do we need separate risk assessments for each?

Generally one entity-wide risk assessment can cover multiple licensed activities, provided it genuinely analyses the risk profile of each activity separately within the document rather than blending them into a single generic statement — a corporate service provider that also deals in precious metals, for example, needs both activity-specific risk analyses represented, because the typologies differ materially between the two.

Practitioner noteWe build activity-specific sub-sections within a single risk assessment for multi-activity entities rather than either forcing everything into one undifferentiated narrative or unnecessarily multiplying separate documents that then drift out of sync with each other.
We are a group with several UAE entities under common ownership — do we need one risk assessment or several?

Each regulated entity within the group generally needs its own risk assessment reflecting its own specific customer base, licensed activity, and jurisdiction exposure, since these can differ materially between entities even under common ownership — a group's real estate arm and its corporate services arm face different typologies. A shared group AML framework can provide common governance and methodology standards, but the entity-specific analysis should not simply be copied across sister companies.

Practitioner noteWe have seen groups copy one entity's risk assessment across three sister companies with only the name changed — on inspection this reads exactly like the generic-template problem, just generated internally rather than downloaded.
Does an independent AML/CFT audit test the risk assessment specifically, and is that the same engagement as building it?

No — an independent AML/CFT audit is a separate assurance engagement, typically required periodically or expected as good practice, that tests whether the entity's existing risk assessment, policies, and CDD files are being applied consistently in practice. Building the risk assessment is the first engagement; the independent audit is a later, distinct check on whether the resulting programme is actually working, and for genuine independence should not be performed by the same team that built the original document without appropriate safeguards.

Practitioner noteWe flag this distinction clearly to clients — if PNPC built your risk assessment, we discuss openly how independent testing should be structured so the review carries real assurance value rather than marking our own work.
Can our risk assessment be relied upon by another regulated entity we work with, such as an introducing broker?

The UAE AML/CFT framework permits reliance on another regulated entity's customer due diligence in defined, conditional circumstances, but reliance generally concerns CDD performed on a shared customer, not the risk assessment document itself, which is an entity-specific analysis of your own business's exposure. Another entity cannot simply adopt your risk assessment as its own — each regulated entity needs its own analysis of its own risk profile.

Practitioner noteWe are asked this most often by corporate groups hoping one entity's risk assessment can cover an affiliated but separately regulated entity. It cannot — the analysis has to be specific to the entity actually applying it.
Does the risk assessment need to reference our AML staff training records, or are those tracked separately?

Training records are typically tracked as a separate compliance artefact, but a well-built risk assessment or the programme surrounding it should reference that staff have been, or will be, trained to apply the specific rating methodology it describes — a risk assessment describing a sophisticated classification system that onboarding staff have never been trained to use is a document unlikely to be consistently applied.

Practitioner noteWe deliberately connect the two in the handoff conversation with clients — the finished risk assessment is only as good as whether the people onboarding customers tomorrow morning actually understand how to apply it.
How does the risk assessment address business introduced through intermediaries or referral partners?

Intermediary-introduced business is a specific delivery-channel risk factor, since the entity onboarding the customer may have less direct visibility into the customer relationship than in a directly-sourced onboarding. A properly built risk assessment documents how much of the customer base arrives through intermediaries, whether those intermediaries are themselves regulated and subject to their own CDD obligations, and what additional verification the entity applies rather than relying solely on the intermediary's introduction.

Practitioner noteWe ask this question explicitly during profiling because businesses sometimes underestimate how much of their book actually arrives through referral relationships rather than direct approach, which materially changes the delivery-channel risk picture.
If a beneficial owner changes after the risk assessment is completed, does the whole document need to be rebuilt?

Not necessarily the whole document, but the change should be reflected — a change in the entity's own beneficial ownership, or a specific customer's beneficial ownership discovered during the relationship, is exactly the kind of material change that triggers a targeted update to the relevant section of the risk assessment rather than waiting for the next scheduled annual review.

Practitioner noteWe build the assessment in a modular structure specifically so a single ownership change can be updated without a full rewrite — a document that requires a complete redraft for every minor change tends not to get updated promptly in practice.
Does a dormant or currently inactive DNFBP still need to maintain a current risk assessment?

If the entity retains its licence and DNFBP status, the underlying obligation to maintain a risk assessment continues even during a period of reduced or paused activity, though the depth and detail can reasonably reflect the lower current activity level. A DNFBP that has gone dormant should still be able to produce a risk assessment describing its status and any residual exposure from prior activity, rather than having none at all.

Practitioner noteWe right-size the document for genuinely dormant entities rather than insisting on the same depth as an active business, but we do not recommend having nothing on file — an inspector does not distinguish between 'dormant' and 'never built one' if asked to see the document.
How should the risk assessment treat related-party or inter-company transactions within the same corporate group?

Related-party and inter-company transactions still fall within the scope of the risk assessment's analysis, even though the counterparty is affiliated — ownership affiliation reduces certain risk factors (such as identity uncertainty) but does not eliminate others, including geographic risk if the related entity sits in a different jurisdiction, or product risk depending on the nature of the transaction. A risk assessment that exempts related-party dealings entirely from analysis leaves a documented gap.

Practitioner noteWe ask clients directly whether their own group entities are treated as customers under their CDD procedures — it is a genuinely easy category to overlook because the relationship feels internal rather than customer-facing.
Our business only recently crossed the cash-transaction threshold that brings dealers in precious metals and stones into DNFBP scope — what happens to our risk assessment obligation now?

Once an entity's activity crosses the prescribed threshold and brings it within DNFBP scope, the risk assessment obligation applies from that point forward — the entity should build its risk assessment promptly rather than waiting for a future inspection to prompt it, since operating in scope without one is treated the same as any other DNFBP failing to hold a documented risk basis for its due diligence.

Practitioner noteWe advise precious-metals clients to build the aggregation logic for threshold-crossing transactions into their own record-keeping specifically so they know, in real time, when they have crossed into scope rather than discovering it retrospectively.
Can PNPC set up alerts so our risk assessment gets flagged for review whenever FATF updates its high-risk jurisdiction guidance?

Yes — this is typically built into the ongoing annual review relationship rather than offered as a standalone alert service: PNPC tracks FATF list updates and relevant Cabinet Decision changes as part of retained AML advisory work and flags when a client's existing geographic risk mapping needs revisiting as a result, rather than waiting for the next scheduled annual review to surface the gap.

Practitioner noteWe treat FATF list monitoring as a standing item on the client's compliance calendar rather than a one-off task completed at the original engagement — lists are periodically revised, and a static geographic risk section is one of the fastest parts of a risk assessment to go stale.
Does a change in the entity's external accountant or auditor trigger a need to revisit the risk assessment?

Not automatically, but if the change in accountant or auditor coincides with, or reveals, a broader change in the business's financial profile, customer base, or transaction patterns, that underlying business change — not the adviser change itself — is what should trigger a risk assessment review. The adviser relationship itself is not typically a risk-assessment input.

Practitioner noteWe ask new clients whether anything about their actual business changed around the time they switched advisers, since sometimes the adviser change is incidental and sometimes it coincides with a genuine shift worth reflecting in the risk assessment.
How does PNPC keep the risk assessment 'living' in practice rather than a document that quietly goes stale after sign-off?

PNPC builds the annual review date, and any business-change triggers, directly into the client's compliance calendar as part of the engagement, rather than leaving currency to depend on the client remembering to ask for a refresh. The finished document also carries a visible version number and date of last review, so both the client and any external party asked to see it can immediately tell how current it is.

Practitioner noteThe single biggest predictor of a stale risk assessment we see across clients is the absence of any calendar-driven trigger — a document that is only revisited 'when we think of it' predictably does not get revisited until an inspection forces the question.
What is the difference between a risk assessment and a risk register, and do we need both?

The risk assessment is the analytical document identifying, rating, and explaining the entity's overall AML/CFT risk exposure across the four core dimensions. A risk register, where one is maintained, is typically an operational tracking tool listing specific identified risks, their current status, mitigating actions, and owners — closer to a live working document than a formal statement. Some entities maintain both; a risk assessment alone, without an operational register, is common and generally sufficient provided the assessment's conclusions are actually applied through the CDD programme.

Practitioner noteWe do not insist every client maintain a separate risk register — for many DNFBPs the risk assessment plus the CDD procedure it drives is sufficient operational coverage without adding a third document to maintain.
If our risk assessment concludes overall inherent risk is low, does that reduce our obligation to maintain it?

No — a low inherent-risk conclusion is itself a documented finding that still needs to be maintained, reviewed annually, and revisited on material change, in exactly the same way a higher-risk conclusion would be. A low-risk rating changes the depth of due diligence applied to customers; it does not exempt the entity from the underlying obligation to hold and refresh a documented risk assessment.

Practitioner noteWe occasionally see businesses treat a favourable, low-risk conclusion as a reason to deprioritise the annual review. The obligation to keep the document current does not scale down with the risk rating itself.
How does the risk assessment interact with international correspondent banking standards, such as Wolfsberg Group principles, for larger entities?

Larger UAE entities with cross-border banking relationships may find their banks applying due diligence expectations informed by international standards such as the Wolfsberg Group's correspondent banking principles, which broadly align with — but can go beyond in specificity — the baseline UAE AML/CFT requirement. For these entities, PNPC builds the risk assessment to a standard that anticipates this heightened bank-facing scrutiny, rather than only the minimum needed to satisfy a Ministry of Economy inspection.

Practitioner noteWe scope this explicitly for clients with significant cross-border banking exposure — the document that satisfies a domestic DNFBP inspection is not always the same depth a correspondent bank's own compliance team expects to see.
What is the realistic first deliverable we should expect at the end of the initial risk assessment engagement, versus what comes later?

The initial engagement delivers the board-approved, entity-specific risk assessment document and its rating methodology. What typically follows, either in the same engagement or a phased next step, is wiring that methodology into actual onboarding forms and CDD/EDD procedures, staff training on how to apply it, and — where in scope — goAML registration. A client should expect the risk assessment itself as the first concrete deliverable, with the operational build following.

Practitioner noteWe set this expectation explicitly at scoping so clients understand the risk assessment is the foundation document, not the finished compliance programme — some clients arrive expecting one engagement to deliver everything and we clarify the sequencing upfront.
Does PNPC provide the risk assessment as a standalone PDF, or is it delivered with any supporting working papers?

PNPC delivers the finished, board-ready risk assessment document itself, along with the underlying analysis and data used to reach its conclusions — the customer profiling notes, geographic exposure mapping, and product/delivery-channel analysis — so the entity has a defensible working-paper trail behind the final conclusions, not just the polished output.

Practitioner noteWe keep the working papers specifically because a supervisor or bank occasionally asks not just for the conclusion but for the reasoning behind it — having that trail ready is far better than reconstructing it after the fact.
Why PNPC Global

PNPC AML Risk Assessment vs generic template providers

DimensionGeneric Template / Downloaded DocumentPNPC Global
Risk assessment basisGeneric industry boilerplate with the company name substituted in, not specific to your customer base or jurisdiction exposureBuilt from your actual licensed activity, customer categories, transaction profile, and geographic exposure
Rating methodologyOften a narrative statement with no defined mechanism for classifying an individual new customerA documented, applicable classification logic staff can use to rate standard, simplified, and enhanced-risk customers consistently
Geographic risk dataA fixed list, frequently stale by the time it is downloadedMapped against current FATF and UAE high-risk jurisdiction guidance at the time of the engagement
Connection to CDD triggersRarely wired to concrete due-diligence actions — the rating exists but nothing follows from itExplicitly linked to standard, simplified, and enhanced due diligence triggers your onboarding team applies
Management sign-offNo formal approval step — a compliance officer's private working documentBuilt for and presented at formal senior management or board review and sign-off
Inspection readinessNot tested before the actual inspection is the first testReviewed against how a supervisor would test it — asking staff to justify a real file's rating from the documented methodology
Ongoing currencyStatic document, not updated as FATF guidance or Cabinet Decisions evolveAnnual review built into the relationship, refreshed on material business change
Cross-disciplinary contextRisk assessment in isolation from tax, accounting, and corporate structureIntegrated view across UAE tax, accounting, corporate structuring, and AML — inconsistencies more likely caught internally
Presence beyond deliveryDocument handed over; engagement ends therePNPC Dubai office, practising CA firm since 1986, available for the CDD build, goAML registration, and ongoing advisory that follows
Free zone / VASP rulebook alignmentOne generic document regardless of whether the entity is mainland, DIFC, ADGM, or virtual-asset-adjacentBuilt against the entity's actual governing rulebook — Ministry of Economy, DFSA, FSRA, or VARA scope as applicable
Readiness for bank-facing requestsNot designed to be produced outside a regulator inspection — assembled under pressure when a bank asksVersion-dated and presentable on short notice for a correspondent banking or account-review request
Governance continuitySign-off tied to whoever happened to approve it once, with no process for what happens when they leaveRe-affirmation built into the process whenever the Compliance Officer or approving manager changes

What the PNPC package includes

  1. 01

    Applicability scoping to confirm DNFBP, financial institution, or VASP status and the correct supervisory authority

  2. 02

    Customer base profiling across ownership complexity, transaction size, and relationship type

  3. 03

    Geographic risk mapping against current FATF and UAE high-risk jurisdiction guidance

  4. 04

    Product and service risk analysis specific to your actual licensed activities

  5. 05

    Delivery-channel risk assessment covering onboarding method and payment/fund-movement patterns

  6. 06

    Documented customer risk-rating methodology (standard, simplified, enhanced) staff can apply consistently

  7. 07

    Entity-wide risk statement covering both inherent and residual risk with supporting rationale

  8. 08

    Explicit linkage between the risk rating and CDD/EDD triggers used in onboarding

  9. 09

    Management/board review package and formal sign-off support

  10. 10

    Integration hand-off into goAML registration and the wider CDD/screening/training build where in scope

  11. 11

    Annual review scheduling built into the compliance calendar

  12. 12

    Direct support drafting corrective updates if a supervisory finding specifically cites the risk assessment

Talk to PNPC's Dubai team before your onboarding decisions rest on assumptions rather than a documented, defensible risk assessment.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to AML / CFT Services