UAEServicesIPR & AML ComplianceAML / CFT ServicesDocumentation

IPR & AML Compliance · AML / CFT Services

Documentation

Documentation is the engagement through which PNPC builds, organises, and maintains the written record every UAE Designated Non-Financial Business and Profession and regulated financial entity must be able to produce on demand under Federal Decree-Law No.

Speak with a specialist →Chat on WhatsApp

Chartered Accountants · Dubai · Since 1986

What Documentation is

AML/CFT Documentation is the discrete but essential discipline of converting a business's anti-money laundering obligations under Federal Decree-Law No. 20 of 2018 and its implementing Cabinet Decision No. 10 of 2019 (as amended) into a written, organised, and retrievable evidence file. The AML/CFT Law and its regulations do not merely require an entity to behave correctly — they require the entity to be able to prove, on request from the Ministry of Economy, the UAE Central Bank, or the relevant free zone financial regulator (DFSA in DIFC, FSRA in ADGM), that it behaved correctly, and to produce that proof within a stated timeframe. Documentation is the bridge between an AML/CFT programme that genuinely operates and a programme that can withstand a supervisory inspection, a bank's own AML due diligence request, or a court or regulator's after-the-fact review.

The documentation set spans several distinct categories that together form the entity's compliance record. At the governance level: the board-approved AML/CFT policy and procedures manual, the appointment record and authority delegation for the designated Compliance Officer or Money Laundering Reporting Officer (MLRO), and the business-wide risk assessment covering customer, geographic, product, and delivery-channel risk. At the customer level: Customer Due Diligence and Enhanced Due Diligence files, beneficial ownership identification and verification records maintained consistent with Cabinet Decision No. 58 of 2020 on beneficial ownership procedures, and evidence of sanctions and Politically Exposed Person (PEP) screening at onboarding and on an ongoing basis. At the operational level: staff training attendance and content records, transaction-monitoring logs and alert-disposition notes, and the internal escalation trail showing how a concern moved from a front-line observation to a Compliance Officer decision to, where warranted, a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) filed through the goAML platform operated by the UAE's Financial Intelligence Unit.

What makes documentation its own discipline, rather than a byproduct of doing the underlying compliance work, is that a supervisory inspection tests the paper trail specifically — not the business's general good faith. An inspector reviewing a sample of customer files is checking whether the risk rating assigned matches the documented methodology, whether the beneficial ownership look-through was actually recorded and not just performed informally, whether screening was run at the frequency the policy states, and whether training that staff plainly received was ever logged with dates, content, and attendee names. A business that performed all of the underlying work correctly but never wrote it down is, from the inspector's vantage point, indistinguishable from a business that never did the work — because there is nothing to examine. This is the single most common gap PNPC finds when reviewing another firm's AML file: the compliance activity happened, but the record of it did not survive in a form a third party could verify.

Documentation also has a retention and retrievability dimension that is frequently underestimated. The AML/CFT Law requires customer identification records, CDD documentation, and transaction records to be retained for a minimum prescribed period following the end of the business relationship or the transaction date, and produced to the competent authority within the timeframe it sets. Retaining a record technically, in an unindexed folder or a departed employee's inbox, satisfies the retention obligation in name only if the entity cannot locate and produce it inside the window given — which, on inspection, reads almost identically to not having kept the record at all. A properly built documentation function therefore designs for retrieval from the outset: a consistent filing structure, a clear index by customer and by document category, and a named owner responsible for keeping the file current as roles, policies, and regulatory guidance change.

Finally, documentation is not a one-time deliverable. The AML/CFT Law and its Cabinet Decisions are periodically amended, the FIU and Ministry of Economy issue updated guidance, and a business's own customer base, products, and risk exposure change over time. A risk assessment or policy manual drafted once at the point of registration and never revisited drifts out of alignment with both the current regulatory text and the entity's actual current activity — and a stale document is one of the most reliably flagged inspection findings PNPC sees, because 'when was this last reviewed' is a question every inspector asks and every out-of-date file answers badly. PNPC's Documentation engagement is built to produce a file that is accurate on day one and stays defensible through the annual review cycle that follows.

The documentation obligation also varies in emphasis, though not in substance, depending on whether the entity sits under Ministry of Economy DNFBP supervision on the UAE mainland or in a non-financial free zone (JAFZA, DMCC, RAKEZ, IFZA, Meydan, RAK ICC, Ajman Free Zone), or under one of the two financial free zone AML supervisors — the DFSA in DIFC or the FSRA in ADGM. The underlying document categories are broadly the same across all three, but the specific submission channel, portal, and supervisory correspondence differ, and a documentation file built for a mainland DNFBP cannot simply be relabelled for a DIFC or ADGM entity without checking that free zone regulator's own rulebook requirements first. PNPC confirms which supervisory framework actually governs a given entity before finalising the documentation structure, since a complete, well-organised file built against the wrong framework still fails to satisfy the entity's actual regulator.

When a dedicated Documentation engagement is the right fit

You have a functioning AML/CFT compliance practice — CDD is performed, screening happens, staff are briefed — but none of it is written down in a form that could be produced to an inspector today

Your existing AML policy manual, risk assessment, or MLRO appointment record was drafted years ago, has never been reviewed, and no longer reflects your current business activity or the current Cabinet Decision text

You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection notice and need your documentation set assembled, indexed, and inspection-ready on a compressed timeline

Your goAML registration is complete but the risk assessment, policies, and procedures behind it were never formally drafted or were built from an unadapted template

You need staff training records, screening evidence, and escalation logs reconstructed retrospectively because they were performed informally without being logged at the time

A correspondent bank or partner has asked to see your AML/CFT policy, beneficial ownership register, or risk assessment as part of its own AML due diligence on you as a business customer

Your Compliance Officer or MLRO has changed and the appointment record, authority delegation, and succession documentation need to be brought current on the goAML profile and internally

You are consolidating documentation across multiple UAE entities in a group structure and need a consistent filing methodology and index across all of them

You have completed remediation following an inspection finding and need the corrective documentation — updated policy, refreshed training log, closed-out action plan — formally compiled as evidence the finding was addressed

Your business operates across mainland and free zone UAE entities (or across DIFC/ADGM and Ministry of Economy-supervised structures) and you need documentation frameworks calibrated correctly to each entity's actual supervisor rather than one file copied across all of them

You are migrating from paper-based compliance records to a digital case-management or screening system and need the underlying documentation categories mapped correctly into the new system so nothing is lost in the transition

Your organisation is preparing for a bank, investor, or acquirer's AML due diligence ahead of a financing round, share sale, or acquisition, and needs its documentation file production-ready on a defined timeline

Where a different engagement fits better

You do not yet have any AML/CFT compliance activity to document — no risk assessment has been performed, no CDD methodology exists, and no Compliance Officer has been appointed; that is a full KYC & Customer Due Diligence Advisory build, not a documentation exercise layered on top of nothing

You have not yet confirmed whether your business falls within a DNFBP or regulated Financial Institution category at all — an applicability assessment should come first, since documenting an obligation that does not actually apply wastes effort

You need the goAML organisation and Compliance Officer portal registration itself completed and have not yet registered — that is the goAML Portal Registration & Reporting Assistance engagement, though it is frequently paired with documentation work

Your requirement is to design or redesign the underlying CDD/EDD risk methodology itself, not simply record an existing one in writing — that is advisory work, and documentation should follow it rather than substitute for it

You are under active investigation for a specific suspected money-laundering or terrorist-financing offence — that requires criminal defence legal representation as the lead engagement, with documentation support playing a secondary role

You want a template policy dropped into your file without any review of whether it reflects your actual business — a document that does not match reality is a liability on inspection, not an asset, regardless of how complete it looks

You are looking for a one-time document set with no plan to review or update it — documentation that is accurate today and never revisited again predictably drifts out of date within a year or two as guidance and the business itself change

You need the underlying sanctions/PEP screening tool itself selected, configured, or implemented — that is a technology/vendor selection exercise PNPC can advise around, but documentation assumes a screening process already exists to be recorded

Your business has already closed or is being formally liquidated and your only remaining question is how long closed-file AML records must be retained post-closure — that is a retention-period confirmation, narrower than a full documentation build

You are asking PNPC to backdate, alter, or fabricate a record to appear as though a compliance step occurred at an earlier date than it actually did — PNPC will not create records that misrepresent when an activity took place, and will instead build an honest reconstruction that is clearly dated as such

Structure Comparison

Documentation engagement vs adjacent UAE AML/CFT service scopes

FeatureDocumentation (this service)KYC & CDD AdvisorygoAML Portal Registration & ReportingAML Risk Assessment (standalone)AML Training and Capacity Building
Primary purposeBuild, organise, and maintain the written evidence file proving the AML/CFT programme operates as requiredDesign and implement the full risk-based CDD programme, of which documentation is one outputRegister the entity and its Compliance Officer on the FIU goAML platform and support STR/SAR filingProduce the entity-specific risk assessment document that documentation later indexes and maintainsDeliver staff training itself; documentation then records that it happened
Typical starting pointCompliance activity already happens informally; the paper trail is missing or disorganisedNo CDD methodology yet exists and needs to be designed from the ground upEntity is in scope and has not yet obtained goAML platform accessNo documented risk methodology exists yet, or the existing one is out of dateStaff have not received formal, logged AML/CFT training
Core deliverableIndexed, retrievable evidence file: policies, CDD/EDD records, screening logs, training records, escalation trailFull programme — risk assessment, policy, CDD/EDD procedures, screening design, training, goAML registrationActive goAML organisation and Compliance Officer registration with filing accessA single written, entity-specific risk assessment documentDelivered training sessions with attendance and competency records
Inspection relevanceDirectly what an inspector reviews file-by-file during a supervisory visitBuilds the substance the documentation later has to prove existedNecessary precondition for reporting capability, not sufficient alone for inspection readinessOne required document within the larger file, not the whole fileOne required record within the larger file, not the whole file
Who typically commissions itEntities with an operating but unrecorded, or disorganised and stale, compliance practiceEntities building a compliance function from scratch or substantially rebuilding oneEntities that are in scope but have never registered, or whose registration lapsedEntities that need the foundational risk document specifically, often as a first stepEntities with a written policy but no evidence staff were ever trained on it
Engagement cadenceInitial build plus scheduled annual refresh and event-driven updatesInitial build, typically 6–10 weeks, then ongoing advisoryOne-time registration, ongoing platform use thereafterOne-time drafting, reviewed and refreshed at least annuallyInitial delivery, refresher sessions on an annual or trigger-driven cadence
Mainland vs free zone calibrationStructure and index calibrated to whichever supervisor (Ministry of Economy, DFSA, or FSRA) actually governs the entityMethodology itself does not change by supervisor, though registration route canRegistration channel and portal differ by supervisor and jurisdictionRisk factors can include free zone/jurisdiction exposure as an inputTraining content references the applicable supervisory framework
Role of digital systemsReviews whether screening, case-management, or document-repository systems actually preserve a retrievable, tamper-evident record, not just paper filesMay recommend a CDD workflow system as part of programme designPlatform itself is a digital reporting systemNot directly system-dependentTraining covers how staff use whatever system is in place
Typical file owner within the client organisationCompliance Officer/MLRO with PNPC supporting build and maintenanceCompliance Officer with PNPC as design advisorCompliance Officer as the registered goAML userSenior management sign-off, Compliance Officer custodyHR/Compliance Officer jointly for training records

These engagements are frequently combined and PNPC scopes them together where a client's need spans more than one — a documentation build is most effective when it sits on top of a genuinely functioning CDD programme, and PNPC will flag where the underlying substance needs building or repair before the paper trail can honestly reflect it.

How it works
#Stage & What PNPC DoesWhat a Self-Assembled File Typically MissesTimeline
1Documentation Scoping & Gap Assessment — review of what currently exists against the full required document setBusinesses often believe their file is more complete than it is because individual documents exist somewhere, but no one has checked the full set against what the AML/CFT Law and Cabinet Decision actually require category by category.Week 1
2Governance Document Compilation — board/management approval records, AML/CFT policy and procedures manual, Compliance Officer/MLRO appointment and authority delegationA policy manual with no recorded board or senior-management approval reads as an unadopted draft on inspection, regardless of how well it is written — approval evidence is a specific, separate document, not implied by the policy's existence.Week 1–2
3Risk Assessment Indexing — the current business-wide risk assessment reviewed for currency and formally filed as the reference document the CDD procedures applyA risk assessment that exists but is not clearly dated, versioned, and cross-referenced to the policies built on it creates ambiguity about which methodology was actually in force at a given point in time.Week 1–2
4Customer File Structure & Indexing — a consistent CDD/EDD file format applied across the existing customer base, organised for retrieval by risk categoryCustomer files accumulated organically over time rarely share a consistent structure, making a sample review by an inspector slower and more likely to surface inconsistencies that a uniform format would have prevented.Week 2–4
5Beneficial Ownership Register Reconciliation — the Register of Beneficial Owners checked for completeness and currency against Cabinet Decision No. 58 of 2020 requirements and formally filedBeneficial ownership registers are frequently accurate at the point they were first compiled but never updated as ownership changes occur — an inspector testing the register against current shareholding finds a stale document.Week 2–3
6Screening Evidence Compilation — sanctions and PEP screening records, including disposition notes for partial or possible matches, organised as retrievable evidenceScreening tools generate alerts, but without a documented disposition of each alert — cleared, escalated, or confirmed a false positive — the alert log shows activity happened without showing a decision was actually made.Week 2–4
7Training Record Assembly — attendance, content, and date records for all delivered AML/CFT training, including any historical sessions that were run but never loggedVerbal or informal briefings that staff genuinely received are treated on inspection as if they never happened if there is no dated record of who attended and what was covered.Week 3–4
8STR/SAR and Escalation Trail Documentation — the internal record of how any suspicion was raised, escalated to the Compliance Officer, assessed, and — where filed — submitted through goAMLA filed STR with no accompanying internal escalation log looks, on review, like an isolated event rather than evidence of a functioning escalation process staff can be expected to repeat.Week 3–4
9Retention & Retrieval System Design — a filing structure and index that lets any document category be located and produced within a stated timeframeRecords that are technically retained but not indexed for retrieval fail the practical test of an inspection request with a deadline, even though the underlying obligation to keep the record was met.Week 4–5
10Version Control & Review Cycle Set-Up — a documented schedule for when each category of document is next due for review, tied to the compliance calendarA document set that is accurate at delivery but has no built-in review trigger drifts out of date exactly the way the original, unmanaged file did — the fix has to include a maintenance mechanism, not just a one-time refresh.Week 4–5
11Inspection-Readiness Walkthrough — a mock review of the completed file as if a Ministry of Economy or Central Bank inspector were testing itThe gaps that surface in a genuine walkthrough — a missing signature, an undated training log, a beneficial owner never updated after a share transfer — are rarely visible from a checklist review alone.Week 5–6
12Ongoing Documentation Maintenance — ongoing support keeping the file current as the business, its customers, and the regulatory text changeA completed file left untouched after handover begins the same drift it was built to correct; ongoing maintenance is what keeps it inspection-ready a year or two later, not just at the point of delivery.Ongoing, retainer basis
13Free Zone / Mainland Supervisory Calibration Check — confirming the documentation structure is built against the entity's actual governing supervisor (Ministry of Economy, DFSA, or FSRA)Businesses with mixed mainland and free zone entities in a group sometimes apply one supervisor's expectations across all entities, creating a file that looks complete but is built against the wrong framework for at least one entity.Week 1
14Digital Record System Review — assessing whether existing screening, case-management, or document-repository software actually preserves and can produce records on requestA system that logs activity but has no straightforward export process or access-continuity plan if a single staff member's account is disabled looks retrievable in theory and is not, in practice, when an inspector's deadline actually arrives.Week 4–5
15Bank/Third-Party AML Due Diligence Response Pack — a condensed, appropriately scoped version of the documentation file prepared for banks, investors, or counterparties requesting AML assuranceHanding over the full internal file to an external party is rarely appropriate; businesses without a prepared summary pack either over-share sensitive internal material or under-deliver and stall the counterparty relationship.Week 5–6, as needed

Realistic timeline for a full documentation build on an existing but disorganised compliance practice: 4–6 weeks depending on customer base size and how much of the underlying record already exists in some form. A narrower engagement responding to a specific inspection notice on a compressed timeline can move faster, prioritising the categories most likely to be tested first.

Document Checklist
Governance & Appointment Records

Board or senior management resolution formally adopting the AML/CFT policy and procedures manual

Compliance Officer / MLRO appointment letter or resolution, evidencing seniority and delegated authority

Organisational chart showing the Compliance Officer's reporting line to senior management or the board

Record of any Compliance Officer succession, including handover documentation and updated goAML profile confirmation

Version history of the AML/CFT policy manual, showing dates of adoption and each subsequent revision

Risk Assessment & Methodology

Current business-wide AML/CFT risk assessment covering customer, geographic, product/service, and delivery-channel risk

Risk-rating methodology applied to customers, cross-referenced to the CDD/EDD procedures it supports

Record of the most recent risk assessment review date and any changes made since the prior version

Documentation of any material business change (new product, new customer segment, new jurisdiction exposure) and the corresponding risk assessment update

Customer Due Diligence Evidence

Standard CDD files: identity verification documents, business relationship purpose, and risk rating assigned

Enhanced Due Diligence files for higher-risk customers: source-of-funds/wealth documentation and senior management approval records

Beneficial ownership identification records and the current Register of Beneficial Owners, reconciled to actual shareholding

Evidence of ongoing monitoring and periodic file refresh for higher-risk relationships, per the schedule the risk assessment sets

Screening & Monitoring Records

Sanctions and PEP screening logs, including screening date, list source, and result

Disposition notes for every partial or possible match, showing whether it was cleared, escalated, or confirmed

Evidence of periodic re-screening cadence, not just onboarding screening

Transaction-monitoring alert logs and the outcome of each alert reviewed

Training & Escalation Records

Staff training attendance sheets, content summaries, and dates for all delivered sessions

Refresher training records showing the annual or trigger-driven training cadence has been maintained

Internal escalation logs showing how a concern moved from initial observation to Compliance Officer review

STR/SAR filing records and the goAML submission confirmations for any reports actually filed

Regulatory Correspondence & Remediation

Any correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARA relating to a prior inspection, query, or directive

Corrective action plans addressing any prior finding, with evidence of completion and sign-off

goAML organisation and Compliance Officer registration confirmations

Confirmation of the periodic goAML profile re-registration/confirmation cycle, where applicable

Free Zone / Multi-Entity & Group Documentation

Entity-by-entity confirmation of which supervisory authority (Ministry of Economy, DFSA, or FSRA) governs each UAE entity in the group, filed alongside the documentation for that entity

Intercompany service or referral arrangements documented where customer introductions or shared compliance resources cross entity lines

Consolidated group index cross-referencing each entity's individual documentation file, without merging files that belong to legally distinct supervised entities

Record of any group-level policy adopted centrally and formally localised/adopted at each individual UAE entity level

Digital System & Access Continuity Records

Confirmation of which software or platform (screening tool, case-management system, document repository) holds each category of AML record

Export/extraction procedure documented for each system, confirming records can be produced in a reviewable format within the timeframe an inspector gives

Access-continuity record showing more than one authorised person can retrieve system records, so a single departed staff member's account does not become a single point of failure

Audit-log or version-history settings confirmed as enabled where the system supports it, so changes to a record over time are themselves traceable

Ongoing obligations
PhaseTriggered ByPNPC GuidanceRisk If Ignored
Initial File Assembly (Week 1–6)First structured documentation build, or a gap assessment revealing a materially incomplete fileGovernance records, risk assessment, CDD/EDD files, screening evidence, and training logs compiled, indexed, and cross-referenced into a single retrievable file structure.An entity that performs the underlying AML work but cannot produce the paper trail is treated on inspection as if the work never happened, regardless of actual practice.
Ongoing Document CaptureEvery new customer onboarded, screening run, or training session deliveredEach compliance activity logged at the point it occurs — onboarding decision, screening result, training attendance — rather than reconstructed retrospectively from memory.Retrospective reconstruction is rarely as accurate or as credible on inspection as a contemporaneous record, and some detail is inevitably lost or disputed.
Annual Review CycleAnniversary of the documentation build, or a material change in the business or regulatory guidanceRisk assessment, policy manual, and beneficial ownership register formally reviewed and updated, with the review itself dated and recorded as evidence the cycle occurred.A file that is accurate at delivery but never revisited becomes stale within a year or two, and 'when was this last reviewed' is a standard inspection question with an easy pass or fail answer.
Compliance Officer or Ownership ChangeChange in the designated Compliance Officer, or a change in beneficial ownershipUpdated appointment records, revised goAML profile, and a reconciled beneficial ownership register produced promptly, closing any gap in the documentation trail.An outdated Compliance Officer record or an unreconciled beneficial ownership register is a governance gap an inspector identifies quickly and treats as an aggravating factor.
Bank or Partner AML Due Diligence RequestA correspondent bank, partner, or counterparty requests evidence of your AML/CFT programme as part of its own due diligenceThe current, indexed documentation set produced promptly, without needing to be assembled from scratch under time pressure.A slow or incomplete response to a bank's AML due diligence request can affect banking relationships independent of any regulatory inspection outcome.
Regulatory InspectionScheduled or unannounced visit from the Ministry of Economy, Central Bank, DFSA, FSRA, or VARAPNPC supports document production against the inspector's specific requests, drawing on the indexed file built and maintained for exactly this purpose.An entity unable to produce requested documentation within the given timeframe faces findings that typically escalate from a corrective action directive to administrative fines and, in serious or repeat cases, licence-level consequences.
Finding or Remediation DirectiveInspection outcome identifying a documentation gapA corrective action plan drafted addressing the specific finding, with the remediation itself documented and formally closed out for the record.An unaddressed or undocumented remediation response risks the same finding recurring at the next inspection cycle, now compounded as a repeat issue.
Retention Period Expiry ReviewApproach of the minimum prescribed retention period for a given record following the end of a business relationship or transactionRecords reviewed before any disposal decision to confirm the minimum retention period has genuinely elapsed and no other reason (open query, litigation hold) requires continued retention.Premature disposal of a record still within its required retention period is itself a compliance breach, separate from any underlying transaction issue.
New Product, Customer Segment, or Free Zone Entity LaunchBusiness expands into a new product line, customer type, or adds a new mainland/free zone entityDocumentation structure extended to cover the new scope, checked against whichever supervisor governs the new entity or activity, rather than assumed to already be covered by the existing file.A new business line or entity onboarded under an unextended documentation file leaves a genuine gap that looks, on inspection, exactly like the file was simply never built for that scope.
System Migration or Compliance Software ChangeEntity moves from one screening/case-management system to another, or from paper to digital recordsHistorical records confirmed as migrated completely and remain retrievable and unaltered after transition, with the migration itself documented as evidence nothing was lost in the switch.Records left behind in a decommissioned system, or not verified as intact after migration, effectively disappear from the retrievable file even though they were never formally destroyed.
Business Closure or LiquidationEntity ceases operations, is acquired, or is formally liquidatedAML/CFT records retained for the applicable minimum period post-closure per current retention requirements, with a named responsible party and location confirmed even after the entity itself winds down.Records that become effectively orphaned when a business closes and no one remains responsible for them cannot be produced if a regulator or successor entity later needs them within the still-live retention period.
Common mistakes to avoid
Sequencing & Prerequisite Mistakes

Starting a documentation build before the underlying CDD methodology, risk assessment, or goAML registration actually exists, and ending up with a beautifully organised file describing a compliance process that is not genuinely operating

Waiting until an inspection notice arrives to begin assembling documentation, rather than treating documentation as a continuous discipline that runs alongside every onboarding, screening, and training activity

Assuming a Compliance Officer/MLRO change is complete once the internal handover happens, without also updating the goAML profile and the documented appointment record — leaving a governance gap an inspector identifies quickly

Extending an existing entity's documentation file to a newly formed mainland or free zone entity without first confirming which supervisor actually governs the new entity, producing a file built against the wrong framework

Content & Accuracy Mistakes

Adopting a template AML policy without adapting it to the entity's actual customers, products, and transaction patterns, producing a document that describes a generic business rather than the one operating under it

Recording a customer's risk rating without cross-referencing it to the documented methodology behind it, so the rating cannot be explained or defended when an inspector asks how it was reached

Logging only flagged screening alerts and leaving clean screening results unrecorded, so the file cannot show that screening ran systematically rather than only when something happened to trigger a match

Leaving partial or possible sanctions/PEP matches without a documented disposition note, so the alert log shows activity happened but not that a human being actually reviewed and decided what to do about it

Maintenance & Retrieval Mistakes

Building a complete file once and never scheduling a review, letting the risk assessment, policy, and beneficial ownership register drift out of date within a year or two as the business and the regulatory text both change

Storing records in a way that is technically retained but practically unretrievable — scattered across individual staff members' inboxes or folders with no consistent index by customer or document category

Hosting compliance records on a system only one person can access, so a departed staff member's disabled login becomes the reason a record cannot be produced within an inspector's stated timeframe

Treating the goAML platform's periodic re-registration or confirmation cycle as a purely mechanical portal task, rather than as a trigger to also check whether the wider documentation file behind it is still current

Frequently asked
Why do I need a separate Documentation engagement if we already do our AML compliance work properly?

Because UAE supervisory authorities inspect the written record, not your general good-faith conduct. An inspector reviewing a customer file checks whether the risk rating, beneficial ownership look-through, and screening result were actually recorded — not whether you personally believe the work was done well. A business that performs CDD correctly but never documents it is, from the inspector's perspective, indistinguishable from a business that skipped CDD altogether, because there is no evidence to examine either way.

Practitioner noteThis is the single most common reason clients come to us after a first inspection finding — the work was genuinely being done, but nothing survived on paper that an outsider could verify. We treat documentation as equally important to the underlying compliance activity, not as an afterthought.
What is the minimum document set every DNFBP needs to be able to produce?

At minimum: a board-approved AML/CFT policy and procedures manual, a documented business-wide risk assessment, the Compliance Officer/MLRO appointment record, CDD files for customers with beneficial ownership identification, sanctions/PEP screening evidence, staff training attendance records, and — where applicable — the internal escalation trail and goAML submission confirmation for any STR/SAR filed. The exact depth expected scales with the size and complexity of the business, but every category above should exist in some form for any in-scope entity.

Practitioner noteWe run every new documentation client through this exact checklist first, category by category, before drafting anything — it is faster to identify the true gaps up front than to discover them mid-inspection.
How is documentation different from the risk assessment or the CDD advisory work itself?

The risk assessment and CDD advisory engagements design and implement the underlying methodology — what risk factors matter, how customers are categorised, what triggers enhanced due diligence. Documentation is the discipline of capturing, organising, and maintaining the written evidence that this methodology was actually applied to real customers and real decisions, in a form that can be retrieved and produced on request. You can have a well-designed methodology and a poorly documented file, or vice versa — the two are related but distinct pieces of work.

Practitioner noteWe are occasionally asked to 'just do the documentation' for a business that, on closer look, has no real underlying methodology to document. In that situation we say so directly — documenting a gap does not close it, and a beautifully organised file describing an inadequate process fails inspection just as surely as no file at all.
We have all our AML records, just not organised — is that enough for an inspection?

Not necessarily. Retention alone does not satisfy the obligation if the entity cannot locate and produce the relevant record within the timeframe a supervisory authority gives during an inspection. A record technically kept somewhere — in an unindexed folder, a departed employee's inbox, or scattered across different staff members' files — that cannot be retrieved on request reads, on inspection, almost identically to a record that was never kept.

Practitioner noteWe design every documentation build around retrievability specifically, not just storage — a consistent index by customer and document category, with a named internal owner, so a request can be answered in hours rather than days of searching.
How long do we need to retain AML/CFT records under UAE law?

UAE AML law requires customer identification records, CDD documentation, and transaction records to be retained for a minimum prescribed period following the end of the business relationship or the date of the transaction, and produced to the competent authority on request. The precise retention period and any sector-specific variation should be confirmed against the current Cabinet Decision text and any applicable sector-regulator rulebook, since retention requirements are refined periodically through amendments.

Practitioner noteWe deliberately avoid quoting a fixed number of years without checking the current text at the time of engagement — retention periods are exactly the kind of regulatory detail that should be verified fresh, not recalled from memory.
What happens if our beneficial ownership register is out of date when an inspector reviews it?

An outdated Register of Beneficial Owners — one that does not reflect a share transfer, new investor, or change in control that has already happened — is a common and specifically-tested inspection finding under Cabinet Decision No. 58 of 2020 and the AML/CFT framework more broadly. It signals that the entity's documentation is not being maintained in step with actual business events, which supervisors treat as a governance gap in its own right, separate from any issue with the underlying transaction record.

Practitioner noteWe tie beneficial ownership register updates to a specific trigger — any share transfer or control change — rather than relying on an annual review alone to catch it, since a year is a long time for a register to drift from reality.
Do we need to document sanctions screening even when there is never a match?

Yes. The absence of a match is itself something that needs to be recorded — the fact that screening was run, on what date, against which list, and with what result — because an inspector cannot distinguish 'screening happened and found nothing' from 'screening never happened' unless the negative result is logged as clearly as a positive one would be.

Practitioner noteWe build screening logs to capture clean results by default, not just flagged matches — clients sometimes assume only alerts need recording, but a complete audit trail requires evidence of every screening run, not only the exceptions.
What is a disposition note and why does every screening alert need one?

A disposition note is the documented decision made about a specific sanctions or PEP screening alert — whether it was cleared as a false positive, escalated for further review, or confirmed as a genuine match requiring action. Without it, an alert log shows that the screening tool generated a warning but does not show that a human being actually reviewed and decided what to do about it, which is the substantive step an inspector is testing for.

Practitioner noteWe have reviewed screening logs with hundreds of alerts and zero disposition notes — the tool was working, but nobody could tell us, or an inspector, what happened to any individual alert. We treat disposition-note completeness as a specific line item in every documentation review.
How do we document staff training that happened but was never formally logged?

Where genuine training occurred without contemporaneous documentation, PNPC works with the entity to reconstruct as accurate a record as possible — confirmed dates, content covered, and attendee names based on available evidence such as calendar invites, presentation materials, or attendee recollection — while being transparent that a reconstructed record is weaker evidence than a contemporaneous one, and building a forward process so this gap does not recur.

Practitioner noteWe are candid with clients that reconstruction is a repair, not a substitute for logging training at the time it happens going forward — we always pair a reconstruction exercise with a simple, low-friction logging process so the next session is captured properly from the outset.
Does PNPC draft our AML policies from scratch, or only organise documents we already have?

Both, depending on scope. Where a genuine policy and methodology already exist but the supporting paper trail is missing or disorganised, the engagement focuses on capture, indexing, and retrieval design. Where the underlying policy itself is missing, outdated, or was copied from an unadapted template, PNPC drafts or substantially revises it as part of the same engagement — documentation and the substance behind it are scoped together where the gap analysis shows both are needed.

Practitioner noteWe scope this explicitly at the outset so there is no ambiguity about whether we are organising your existing work or building new policy content — clients sometimes assume it is purely an organisational task until the gap assessment shows otherwise.
What does an inspector actually do with our documentation during a visit?

A typical inspection involves reviewing the policy and risk assessment documents for currency and completeness, then pulling a sample of individual customer files to test whether the documented procedure was actually followed — checking the risk rating assigned, the beneficial ownership look-through, the screening evidence, and any escalation trail. Inconsistency between the written policy and what the sampled files actually show is the most common and most damaging type of finding.

Practitioner noteWe run an internal mock walkthrough using this same sample-file methodology before any client goes live or faces a real inspection — it is far better to find the inconsistency ourselves than to have an inspector find it first.
How quickly can PNPC assemble documentation if we've already received an inspection notice?

PNPC prioritises the document categories most likely to be tested first — the policy manual, risk assessment, MLRO appointment record, and a representative sample of customer files — and can typically produce an inspection-ready core file within one to two weeks on a compressed timeline, with the fuller file (complete customer base indexing, full training history reconstruction) continuing in parallel.

Practitioner noteWe tell clients who arrive after a notice has already landed exactly what is realistically achievable before the inspection date and what will need to be flagged honestly as in-progress remediation — overpromising completeness on a compressed timeline does more harm than a candid, prioritised plan.
Is documentation a one-time deliverable or an ongoing service?

Both models exist. A one-time build is appropriate where a business needs its current gap closed and is confident it can maintain the file going forward. Most PNPC clients, however, take the ongoing retainer option, since the annual review cycle, event-driven updates (Compliance Officer changes, ownership changes, new Cabinet Decisions), and continuous capture of new customer files and screening results are what keep a documentation set from drifting back into disorganisation within a year or two of the initial build.

Practitioner noteWe are transparent that a one-time build, left entirely unmaintained, tends to look very similar to the original gap within twelve to eighteen months — the ongoing option is not an upsell so much as an acknowledgment of how documentation actually decays without a maintenance mechanism.
Does having complete documentation guarantee we will pass a Ministry of Economy inspection?

No. Complete, accurate, and current documentation materially improves the entity's position on inspection and is the strongest evidence a business can offer that its programme actually operates, but the inspecting authority retains full discretion over its findings, and even well-documented programmes can receive observations or findings based on the specific facts reviewed. No adviser can guarantee a regulatory outcome that depends on the supervisor's own judgment.

Practitioner noteWe are candid with every client on this point — our role is to make the file as strong and defensible as it can genuinely be, not to promise a result that is ultimately the inspector's call, not ours.
How does documentation work connect to our goAML registration?

goAML registration and Compliance Officer activation give the entity the ability to file reports; documentation is the separate record proving the risk assessment, policies, CDD, screening, and training that should sit behind that registration actually exist and are current. The two are commonly engaged together, since a goAML registration with no documented programme behind it is precisely the 'registered but hollow' pattern supervisory authorities flag most often on inspection.

Practitioner noteWe routinely find clients whose goAML portal shows as fully registered while the documentation file behind it is close to empty — the registration and the paper trail need to be built, or at least reviewed, together.
What does PNPC's Chennai/Bangalore/Hyderabad/Dubai presence add to a documentation engagement?

For clients with entities spanning both India and the UAE, our Dubai team leads the UAE AML/CFT documentation build directly, while our India offices coordinate any parallel India-side compliance record-keeping under the same engagement — so a group operating in both jurisdictions maintains a consistent documentation methodology rather than two disconnected filing systems built by unrelated advisers.

Practitioner noteCross-border groups often discover their India and UAE compliance files were built years apart by different advisers with different filing conventions — bringing them under one coordinated methodology makes both files easier to maintain and easier for either regulator to review.
Do our AML records need to be in Arabic, English, or both?

There is no absolute requirement that internal AML/CFT documentation be maintained in Arabic specifically — many UAE DNFBPs, particularly free zone entities and those with international customer bases, maintain their compliance file in English. What matters more than the language chosen is that the record is genuinely accessible and translatable on request: if a Ministry of Economy or Central Bank inspector needs a document explained or translated, the entity should be able to provide that promptly. Where any specific document has already been submitted to a UAE authority in Arabic (such as certain licensing or governmental correspondence), PNPC keeps that original alongside any English working version rather than substituting one for the other.

Practitioner noteWe build most DNFBP compliance files in English by default, since that is how the underlying customer and transaction data is usually already recorded, but we flag early if a client's specific supervisor or customer base makes an Arabic-first file the more practical choice.
Can our AML documentation be maintained entirely digitally, or do we need physical paper files?

UAE AML/CFT law does not require physical paper storage specifically — a digital record is acceptable provided it is genuinely retrievable, accurate, and can be produced to a supervisory authority within the timeframe requested. What matters is not the medium but whether the entity can actually locate and produce the record on demand. PNPC increasingly builds documentation files as structured digital repositories rather than physical binders, since digital indexing generally makes retrieval faster and more consistent than a paper-based system.

Practitioner noteWe do still recommend keeping signed originals of specific governance documents — board resolutions, appointment letters — in a durable form even within an otherwise digital file, simply because a signature's authenticity is sometimes tested more easily from an original than a scan.
How does documentation differ for a mainland DNFBP versus a DIFC or ADGM-regulated entity?

The underlying document categories are broadly the same — policy, risk assessment, CDD evidence, screening records, training logs, escalation trail — but the specific supervisory framework, submission channel, and correspondence process differ. A Ministry of Economy-supervised mainland or non-financial free zone DNFBP is inspected and reported to under the federal AML/CFT Law directly, while a DIFC entity sits under the DFSA's own AML rulebook and an ADGM entity under the FSRA's, each layered on top of, and generally aligned with, the same federal law but administered through that free zone's own regulator. Building a documentation file for the wrong framework — even a complete one — does not satisfy the entity's actual regulator.

Practitioner noteWe confirm the governing supervisor for every entity at the very start of a documentation engagement, and for clients with both a DIFC or ADGM entity and a mainland entity in the same group, we build two correctly calibrated files rather than one file stretched across both.
We are a dormant or barely-active DNFBP with almost no customers — do we still need a full documentation file?

Yes, in substance, though the depth can reasonably scale to the size of the business. Even a dormant or low-activity DNFBP that remains licensed for a designated activity is expected to have a documented risk assessment, an adopted policy, a designated Compliance Officer, and a goAML registration — the absence of customer transactions reduces the volume of CDD files to maintain, but does not remove the governance-level documentation obligation. An inspector reviewing a dormant entity will still expect to see the governance file, even if the customer-file section is thin.

Practitioner noteWe have documented several near-dormant entities that assumed low activity meant low obligation — the governance layer (policy, risk assessment, MLRO appointment) still needs to exist and stay current even when there is little to nothing happening at the customer level.
How does PNPC handle documentation across a group with multiple UAE entities?

PNPC builds each entity's documentation file correctly calibrated to its own governing supervisor, then layers a consolidated group index on top that cross-references each entity's individual file — rather than merging separate legally distinct entities' records into a single undifferentiated file, which creates confusion about which entity a given document actually belongs to. Any group-level policy adopted centrally is also formally localised and re-adopted at each individual entity, since a group policy that was never formally adopted by the specific UAE entity being inspected does not, on its own, satisfy that entity's obligation.

Practitioner noteGroup clients sometimes assume a single group-wide AML policy file is sufficient across every entity — we explain early that each licensed entity generally needs its own formally adopted record, even where the underlying policy content is shared.
A bank or investor has asked to see our AML documentation as part of their own due diligence — should we hand over our full internal file?

Generally not the complete internal file as-is. PNPC typically prepares a condensed, appropriately scoped summary pack for external due diligence purposes — confirming the policy exists and is current, the risk assessment methodology, Compliance Officer designation, and screening practice — without necessarily sharing individual customer CDD files, which may themselves be confidential to those customers. The right level of disclosure depends on what the requesting party genuinely needs to see and any confidentiality obligations owed to the entity's own customers.

Practitioner noteWe scope this specifically with each client — a bank's own AML due diligence team usually just needs assurance the programme exists and operates, not a file-by-file audit of the entity's customer base.
What happens to our AML documentation if our Compliance Officer leaves and the person who built the institutional knowledge is gone?

This is precisely why PNPC builds documentation to be self-explanatory and indexed for a new reader, not dependent on one person's memory of why a decision was made. A well-built file records the reasoning behind a risk rating or a screening disposition at the time it was made, so an incoming Compliance Officer — or PNPC, on an ongoing retainer — can pick up the file and understand it without needing the departed individual to explain it verbally.

Practitioner noteWe treat 'would this file still make sense if the person who built it left tomorrow' as an actual design test during every documentation build, precisely because Compliance Officer turnover is common and the file needs to survive it.
Is it acceptable to use AI or automation tools to help generate our AML documentation?

Automation tools can reasonably support documentation work — generating a first-draft screening disposition template, organising a document index, or flagging inconsistencies for human review — but the substantive judgment calls (a customer's risk rating, whether an alert is a genuine match, whether a suspicion rises to STR/SAR level) need to remain a documented human decision by someone with actual authority, not an unreviewed automated output. An inspector testing a file is ultimately testing whether a person exercised and recorded genuine judgment, and a file that reads as entirely auto-generated with no evidence of human review invites exactly that question.

Practitioner noteWe are comfortable using structured tools to speed up drafting and indexing, but every substantive compliance decision in a client's file needs a named human decision-maker behind it — that distinction is one we are explicit about with clients using their own automation tools as well.
Can PNPC backdate a document to make it look like a compliance step happened earlier than it actually did?

No. Where a genuine compliance activity occurred without contemporaneous documentation, PNPC will help reconstruct an accurate record — clearly noting it as a reconstruction and the date it was actually compiled — but will not create a document dated to falsely suggest it existed at an earlier time. Backdating a record to misrepresent when it was created is a form of falsification that, if discovered on inspection, is treated far more seriously than an honest, dated gap ever would be.

Practitioner noteWe are direct with every client on this point at the outset — an honestly dated reconstruction with a clear forward fix is a normal and defensible part of a documentation build; a document dressed up to look contemporaneous when it was not is not something we will produce, under any client pressure.
How confidential is our AML documentation once PNPC is involved in building or holding it?

PNPC treats client AML/CFT documentation with the same confidentiality standard applied to all client records, accessible only to the engagement team working on it, and is not shared with any third party without the client's instruction or a valid legal requirement to disclose. The documentation itself, once built, remains the client's own record — PNPC's role is to build, organise, and where engaged on a retainer, help maintain it, not to hold it as PNPC's property.

Practitioner noteClients are sometimes understandably cautious about a third party handling sensitive customer and beneficial-ownership data — we are explicit about our confidentiality practices and access controls before any documentation work begins.
How long do we need to keep AML documentation after our business closes or is liquidated?

The obligation to retain customer identification, CDD, and transaction records for the applicable minimum prescribed period does not automatically end when the business itself closes — the records need a responsible party and an accessible location for the remainder of that period, even after the entity has wound down. This is a detail businesses closing down frequently overlook, assuming that ceasing operations also ends the record-keeping obligation.

Practitioner noteWe build a specific closure-stage instruction into documentation for any client anticipating liquidation or a strike-off — naming who retains the records, where, and until when, so the obligation does not become an orphaned loose end.
Does our AML documentation overlap with the records we keep for FTA VAT or Corporate Tax purposes?

There is a practical overlap in underlying source material — the same customer, invoice, and transaction records often support both an AML CDD file and a VAT or Corporate Tax filing position — but the two documentation obligations are legally separate, run under different laws, and are reviewed by different authorities (the FTA for tax, the Ministry of Economy or relevant AML supervisor for AML/CFT). PNPC's integrated view across tax, accounting, and AML advisory means an inconsistency between what a customer's AML file says and what the underlying transaction ledger shows is more likely to be caught internally before either regulator finds it separately.

Practitioner noteWe flag this overlap specifically for clients working with PNPC across both functions — a beneficial ownership discrepancy or an unusual transaction pattern visible in the accounting records is exactly the kind of detail that should feed back into the AML file, not sit disconnected from it.
Can our annual statutory audit and our AML documentation review be combined into one engagement?

They are separate exercises with different objectives — a statutory audit expresses an opinion on financial statements, while an AML documentation review tests inspection-readiness of the compliance file — but PNPC frequently schedules them in a coordinated cadence for clients using both services, since much of the same underlying customer and transaction detail is relevant to both, and coordinating timing avoids asking the client for the same source documents twice.

Practitioner noteWe do not merge the two into a single deliverable, since conflating an audit opinion with a compliance file review would blur two genuinely distinct professional judgments — but scheduling them together saves clients real time and duplicated document requests.
What documentation is specifically needed for the periodic goAML profile confirmation or re-registration cycle?

The goAML platform's periodic re-registration/confirmation cycle itself is largely a portal-level exercise, but the underlying documentation that should be current at that point includes the Compliance Officer's up-to-date appointment record, any change in authorised contact details, and confirmation that the organisation profile still accurately reflects the entity's current licensing and ownership status. PNPC treats the re-registration date as a natural trigger to also check the wider documentation file for currency, rather than treating it as a purely mechanical portal task.

Practitioner noteWe diarise goAML re-registration dates for retainer clients alongside the annual documentation review, since the two naturally reinforce each other — a lapsed portal confirmation is often an early warning sign that the wider file has also gone unreviewed.
Does documentation differ meaningfully between a real estate brokerage, a precious metals dealer, and a corporate service provider?

The core document categories are the same across DNFBP types, but the specific content within each category differs with the business — a real estate brokerage's CDD files emphasise source-of-funds evidence for high-value property transactions and buyer/seller beneficial ownership, a precious metals dealer's documentation centres on cash-transaction threshold monitoring, and a corporate service provider's file emphasises beneficial ownership look-through for the entities it forms and any nominee arrangements it provides. PNPC calibrates the documentation depth and emphasis to the entity's actual DNFBP category rather than applying a single generic template across all three.

Practitioner noteWe have built documentation files across all three of these DNFBP categories, and the biggest single differentiator, in practice, is which document category an inspector is most likely to test first for that specific business type — we prioritise accordingly.
Where should our AML documentation actually be stored — does it need to stay physically or digitally within the UAE?

UAE AML/CFT law focuses on the entity's ability to produce records to the competent authority within the requested timeframe rather than mandating a specific storage location, though practical retrievability is easier when records (whether physical or cloud-hosted) are accessible to the UAE-based Compliance Officer without unnecessary delay caused by cross-border access restrictions or a parent company's unrelated data-residency policy. PNPC advises confirming with the entity's specific IT/data setup that whoever needs to produce a record in the UAE can actually retrieve it promptly, regardless of where it is technically hosted.

Practitioner noteWe have seen entities where the compliance file was technically complete but hosted on a parent company's overseas system that took days to access — which reads, on a live inspection timeline, uncomfortably close to not having the record at all.
Do policy approvals and appointment letters need a wet-ink signature, or is a digital signature acceptable?

A properly executed digital signature is generally acceptable evidence of approval, provided the signing process itself is genuinely attributable to the signatory and the platform used preserves an audit trail of who signed and when. What matters to an inspector is clear, verifiable evidence that senior management or the board actually approved the document — the exact signing mechanism matters less than whether that evidence is credible and traceable.

Practitioner noteWe are comfortable with digital signature platforms for most governance documents, provided the platform's own audit trail is preserved as part of the record — a scanned signature image with no underlying audit trail is weaker evidence and we flag that distinction to clients.
What if a document in our file is only available in a foreign language, such as a foreign parent company's board resolution?

The original foreign-language document should be retained as the authoritative record, with an English (or, where relevant, Arabic) translation or summary attached so the document is usable during a UAE inspection without unnecessary delay. PNPC does not discard or replace the original — the translation supplements it rather than substituting for it, since the original remains the legally operative document.

Practitioner noteGroup clients with overseas parent-level governance documents frequently have this exact situation — we build the file to keep both the original and a working translation together, indexed as a pair, rather than filing only the translated version.
How does PNPC make sure our documentation system does not depend on a single person's access?

Part of PNPC's documentation build now includes a specific access-continuity check — confirming that more than one authorised person (typically the Compliance Officer and a deputy, or PNPC on a retainer basis) can retrieve records from whatever system or repository holds them, so that a single departed staff member's disabled login does not become the reason a record cannot be produced on an inspector's timeline.

Practitioner noteWe ask a blunt question during every build: if the person who normally pulls up this file were unreachable tomorrow, could someone else still get to it within the hour? If the honest answer is no, we treat that as a finding in its own right, not a hypothetical.
What typically triggers a business to need its AML documentation urgently outside of a regulatory inspection?

The most common non-inspection triggers PNPC sees are a bank's periodic AML due diligence review of a business customer, an investor or acquirer's due diligence ahead of a financing round or sale, a correspondent banking relationship review, and internal escalation following a Compliance Officer's own discovery that the file is thinner than assumed. Each of these can arrive with a compressed timeline similar in pressure to an actual inspection notice, even though no regulator is directly involved.

Practitioner noteWe treat these non-regulatory triggers with the same urgency as an inspection notice — a bank that is unsatisfied with a business customer's AML documentation can affect the banking relationship just as materially as a regulatory finding, even without any Ministry of Economy involvement.
If PNPC finds that a previous adviser's documentation contains an inaccurate or overstated record, what does PNPC do?

PNPC flags the specific inaccuracy to the client directly and corrects the record honestly — noting what the file previously stated, what is actually accurate, and the date of correction — rather than silently overwriting it or leaving it uncorrected. An inaccurate record discovered and honestly corrected before an inspection is a materially different, and much better, position than the same inaccuracy being discovered by an inspector first.

Practitioner noteWe have inherited files from other advisers with risk ratings that did not match the underlying customer facts, or training records for sessions that on closer questioning were never actually delivered — in every case, the right response is a documented, honest correction, not a quiet edit.
Does building AML documentation with PNPC create any obligation for PNPC to report our business if something looks wrong?

PNPC, as a professional services firm advising the entity, operates under its own professional and regulatory obligations, which can include reporting duties in specific circumstances under the AML/CFT framework, separate from the client's own reporting obligation as the DNFBP. This is not a reason to avoid documentation work — quite the opposite, a business that documents honestly and addresses genuine issues transparently is in a fundamentally different position than one that conceals them, and PNPC's role is to help build a defensible, honest programme, not to manage around any adviser's own professional obligations.

Practitioner noteWe are upfront about this with every client at the outset, because it shapes the relationship in a healthy way — our advisory role is to help you build and maintain a genuinely compliant programme, not to help conceal a genuine gap.
How does PNPC price a documentation engagement, and does the fee vary by DNFBP category?

PNPC agrees a fixed, written fee for a documentation engagement before work begins, scoped to the actual size of the customer base, the number of entities involved, and how much of the underlying record already exists in some usable form versus needing to be reconstructed from scratch. A single-office corporate service provider with a small customer base and a multi-branch real estate brokerage with years of historical files require materially different depth of work, so PNPC does not publish a single flat figure that would either overcharge simple engagements or undercharge complex ones.

Practitioner noteWe scope every documentation engagement with a short gap assessment first, specifically so the fee quoted reflects the real work involved rather than a generic estimate that turns out to be wrong once the actual state of the file becomes clear.
If we launch a new product, customer segment, or open a new UAE entity, does our existing documentation automatically cover it?

No, not automatically. A new product, a materially different customer segment, or a newly formed mainland or free zone entity needs its own documentation coverage — checked against whichever supervisory framework actually governs the new activity or entity — rather than being assumed to already fall within the scope of an existing file built for a different business activity or entity. PNPC treats each of these expansions as a trigger to extend, not just re-use, the documentation file.

Practitioner noteThis is one of the more easily missed gaps we find — a business assumes its existing, well-built AML file automatically extends to a new entity or product line it launched eighteen months ago, when in fact no one ever formally checked whether it did.
Why PNPC Global

PNPC Documentation build vs a self-assembled or unmaintained AML file

DimensionSelf-Assembled / Unmaintained FilePNPC Global
Document set completenessIndividual documents exist, but no one has checked them against the full required category listStructured gap assessment against every governance, risk, CDD, screening, and training category required under the AML/CFT Law
RetrievabilityRecords technically kept, scattered across folders, inboxes, and individual staff membersConsistent index by customer and document category, designed to be produced within the timeframe an inspector gives
Screening evidenceAlerts logged by the tool; no record of what was decided about each oneEvery partial or possible match adjudicated and recorded with a documented disposition
Beneficial ownership currencyRegister compiled once at onboarding, not reconciled against later ownership changesRegister reconciled to current shareholding and updated on every triggering change
Training evidenceSessions delivered informally with no attendance, content, or date recordAttendance, content, and date logged for every session, with a scheduled refresher cadence
Currency of policy documentsDrafted once at registration and never revisited as Cabinet Decisions or guidance evolveAnnual review cycle built into the engagement, updated as regulatory text and business activity change
Inspection response readinessFile assembled reactively once an inspection notice arrivesMaintained continuously so production on request is a retrieval exercise, not a scramble
Cross-disciplinary consistencyAML file built in isolation from tax, accounting, and corporate recordsCoordinated with PNPC's tax, accounting, and corporate structuring work so records are internally consistent
Presence beyond deliveryDocument handed over once, no further supportPNPC Dubai office, practising CA firm since 1986, available for live inspection support and ongoing maintenance
Multi-entity / free zone coordinationEach entity's file built independently, often by different advisers with inconsistent conventionsOne coordinated methodology across mainland, free zone, and financial free zone entities in the same group, each correctly calibrated to its own supervisor
Digital record integrityRecords exist inside whatever software was purchased, with no review of whether it is actually retrievable or access-continuousSystem retrievability, export capability, and access continuity reviewed as part of the documentation build, not assumed
Honesty about reconstructed recordsBackdated or fabricated records sometimes created under time pressure to appear contemporaneousReconstructed records built transparently, dated as reconstructions, and paired with a forward process so the gap does not recur — PNPC will not misrepresent when a record was actually created

What the PNPC package includes

  1. 01

    Full documentation gap assessment against the required AML/CFT governance, risk, CDD, screening, and training categories

  2. 02

    Board/management approval record and Compliance Officer/MLRO appointment documentation compiled or reconciled

  3. 03

    Risk assessment reviewed, dated, and formally indexed as the reference document behind the CDD procedures

  4. 04

    Consistent CDD/EDD customer file structure applied across the existing customer base

  5. 05

    Beneficial ownership register reconciled to current shareholding and aligned to Cabinet Decision No. 58 of 2020

  6. 06

    Sanctions/PEP screening evidence compiled with disposition notes for every partial or possible match

  7. 07

    Staff training records assembled or reconstructed, including attendee, date, and content detail

  8. 08

    Internal escalation and STR/SAR filing trail organised and cross-referenced to goAML submission confirmations

  9. 09

    Retention and retrieval system designed for production within an inspector's stated timeframe

  10. 10

    Documented annual review schedule tied to PNPC's ongoing compliance calendar

  11. 11

    Mock inspection walkthrough of the completed file before it is relied upon in a live inspection

  12. 12

    Direct support producing documentation during an actual Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection

  13. 13

    Coordination with PNPC's tax, accounting, and corporate secretarial teams for cross-referential consistency

Talk to PNPC's Dubai AML/CFT team before an inspector asks for a file you cannot produce.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to AML / CFT Services