UAEServicesIPR & AML ComplianceAML / CFT ServicesDrafting of AML policies and procedures

IPR & AML Compliance · AML / CFT Services

Drafting of AML policies and procedures

Drafting of AML policies and procedures is the engagement through which PNPC produces the written, board-approved AML/CFT policy manual and operating procedures that every UAE Designated Non-Financial Business and Profession, financial institution, and Virtual Asset Service Provider must maintain under Federal Decree-Law No.

Speak with a specialist →Chat on WhatsApp

Chartered Accountants · Dubai · Since 1986

What Drafting of AML policies and procedures is

Drafting of AML policies and procedures is the production of the written compliance framework that Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (the AML/CFT Law), together with Cabinet Decision No. 10 of 2019 and its subsequent amendments, requires every regulated entity to hold and to actually operate under. The obligation applies to Designated Non-Financial Businesses and Professions (DNFBPs) — real estate brokers and developers, dealers in precious metals and stones above prescribed cash thresholds, corporate and trust service providers, independent legal professionals, and independent accountants and auditors carrying out specified services — supervised primarily by the Ministry of Economy, as well as to financial institutions under the UAE Central Bank, securities firms under the Securities and Commodities Authority, and Virtual Asset Service Providers under VARA or the relevant emirate-level regulator. Financial free zone entities in DIFC and ADGM sit under their own AML supervisors, the Dubai Financial Services Authority and the Financial Services Regulatory Authority respectively, each with its own rulebook layered on top of the federal law.

A compliant AML policy manual is not a single document; it is a coordinated set of written procedures that together operationalise the risk-based approach the law requires. At its core sits the business-wide AML/CFT risk assessment, which drives everything that follows — the risk assessment identifies the entity's exposure across customer type, geography, product/service, and delivery channel, and the policy manual then sets out exactly how the business responds to that exposure: standard, simplified, or enhanced Customer Due Diligence triggers; beneficial ownership identification and verification procedures aligned to Cabinet Decision No. 58 of 2020; sanctions and Politically Exposed Persons (PEP) screening cadence and escalation; ongoing transaction monitoring thresholds; record-retention rules; the internal escalation pathway from front-line observation to the Compliance Officer's decision on whether to file; and the mechanics of filing a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) through the goAML platform operated by the UAE's Financial Intelligence Unit, together with the strict no-tipping-off discipline that governs any such filing.

The drafting exercise is where most AML programmes succeed or fail on inspection, because the difference between a policy that passes scrutiny and one that does not is rarely the presence or absence of a section heading — most template policies cover the same headings. The difference is whether the content under each heading describes what this specific business actually does. A policy that states simplified due diligence applies to 'low-risk customers' without defining, in terms specific to the entity's own customer base, exactly which customer profile qualifies, is not operable by front-line staff and will not withstand a supervisor asking a nominated Compliance Officer to justify a specific onboarding decision against the written procedure. Equally, a policy copied from a foreign parent group's global template, with UAE-specific references to the AML/CFT Law, goAML, and local sanctions lists never inserted, reads on inspection as evidence the entity has not actually engaged with its UAE obligation.

Policies must also be board-approved or approved by equivalent senior management, since the AML/CFT Law expects governance ownership of the compliance function, not a document produced by a junior staff member and left unsigned. The manual should name the designated Compliance Officer or Money Laundering Reporting Officer (MLRO), describe their authority to escalate and pause transactions independently, and set out the record-keeping and periodic review discipline — at minimum an annual refresh, and sooner if the business, its customer base, or the underlying regulations change materially.

PNPC's approach to drafting starts from the risk assessment and the entity's real operating detail — actual customer categories, actual payment channels, actual jurisdictions dealt with — rather than a headings checklist, and produces a manual that a front-line member of staff can follow under time pressure and that a Compliance Officer can defend, clause by clause, against an actual customer file during an inspection.

The specific supervisory rulebook also varies by structure. A mainland DNFBP answers to the Ministry of Economy under the federal AML/CFT Law directly; a DIFC-licensed entity's policy must additionally reference the Dubai Financial Services Authority's own AML rulebook, and an ADGM-licensed entity's must reference the Financial Services Regulatory Authority's equivalent framework — both free zones run AML regimes aligned in substance with federal law but distinct in specific provisions and reporting mechanics. Entities accepting or facilitating virtual asset transfers carry a further layer, since Virtual Asset Service Provider status under VARA in Dubai, or the relevant regulator elsewhere, attracts more stringent CDD and screening expectations — including travel-rule-style identifying-information requirements — that a standard DNFBP template will not address. A policy drafted without first confirming which rulebook actually governs the entity risks citing the wrong supervisor entirely, a more fundamental defect than any single under-specified clause.

This engagement is also distinct from VAT and Corporate Tax compliance administered by the Federal Tax Authority under Federal Decree-Law No. 8 of 2017 and Federal Decree-Law No. 47 of 2022 — a business can be fully FTA-compliant while having no AML/CFT policy, and vice versa, since the two sit under different legal frameworks and supervisors. It is equally distinct from the Economic Substance Regulations notification cycle, discontinued for financial years starting on or after 1 January 2023 under Cabinet Decision No. 98 of 2024 — a historical ESR position does not substitute for a current AML/CFT policy, and an AML/CFT policy does not resolve any outstanding historical ESR matter. PNPC treats these as separate workstreams, even where the same transaction records support more than one of them.

When Drafting of AML Policies and Procedures is the right engagement

Your business falls within the DNFBP categories under UAE AML law — real estate brokerage or development, dealing in precious metals and stones above the prescribed cash threshold, corporate service provision, independent legal or accounting practice — and has no written, board-approved AML/CFT policy at all

You are a newly licensed regulated entity (financial institution, VASP, DNFBP) and need the AML/CFT policy manual and CDD procedures drafted before you can lawfully begin onboarding customers

Your existing policy was purchased or copied as a generic template and has never been calibrated to your actual customer base, products, geography, or delivery channels

Your existing policy predates the current Cabinet Decision amendments, FATF guidance updates, or a material change in your business (new product line, new customer segment, new jurisdiction exposure) and is due for a substantive rewrite rather than a light edit

You have received a Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection finding specifically citing an inadequate, outdated, or unimplemented AML/CFT policy

A group parent company has a global AML policy that needs to be localised into a UAE-specific manual referencing the AML/CFT Law, goAML, and UAE sanctions lists rather than adopted as-is

Your risk assessment has recently been completed or updated and the policy manual now needs to be drafted, or redrafted, to align with its findings

You need the policy translated into operable escalation scripts, onboarding checklists, and approval-authority matrices that front-line staff can actually follow, not just a narrative compliance statement

Your designated Compliance Officer or MLRO needs a documented procedure that gives the role genuine operating substance and a defensible basis for decisions taken

You are acquiring or merging with a regulated entity and need its existing AML policy diligenced and, where necessary, rebuilt as part of integration

You are a Virtual Asset Service Provider onboarding under VARA or an emirate-level VASP regulator and need a policy that reflects the additional AML expectations attached to virtual-asset activity, not a generic DNFBP template

Your business has recently crossed into a newly DNFBP-relevant activity — for example a management consultancy that has started forming companies for clients, or an accounting practice that has begun managing client funds — and needs a policy drafted for the newly triggered obligation

Where a different engagement fits better

You do not yet have a completed AML/CFT risk assessment — the policy should be drafted from the risk assessment's findings, not written in parallel or ahead of it; PNPC generally recommends the risk assessment as the first deliverable, often within the same engagement

You are not a DNFBP, financial institution, or VASP and your business activity does not fall within any AML/CFT-regulated category under UAE law — confirm applicability first through a scoping call before commissioning a policy drafting engagement

You need only the goAML portal registration completed with no policy drafting involved — that is a narrower, standalone registration engagement, though PNPC recommends the risk assessment and policy accompany or precede registration

Your requirement is limited to sanctions screening software selection and configuration with no policy-drafting component — that sits closer to a technology/vendor selection engagement

You already have a properly drafted, board-approved, and implemented policy and need ongoing training delivery, KYC file remediation, or goAML reporting support instead — those are distinct engagements PNPC also provides

You are seeking a signed-off policy overnight with no scoping call and no willingness to share your actual customer base, ownership structure, or transaction profile — a defensible, risk-based policy cannot be drafted from assumptions

You want a guarantee that a drafted policy will prevent any future inspection finding — no advisor can offer that; what a properly drafted policy buys is a defensible, evidenced position and a materially faster remediation path if a finding does arise

You have an active investigation or enforcement matter already underway relating to money laundering or terrorist financing — that requires criminal defence legal representation as the primary engagement, with policy drafting playing a secondary, supporting role

You need the substantive AML risk methodology itself built from scratch with no drafting output required yet — that is the AML Risk Assessment engagement in isolation, distinct from turning its findings into a written policy

Your only outstanding item is confirming historical Economic Substance Regulations (ESR) status for a financial year before that regime was discontinued — ESR and AML/CFT policy drafting are separate regimes with separate triggers and the ESR question does not require a policy-drafting engagement

Structure Comparison

AML Policy Drafting vs related UAE AML/CFT compliance engagements

FeatureDrafting of AML Policies & ProceduresAML Risk AssessmentKYC & CDD AdvisorygoAML Portal RegistrationAML Training & Capacity Building
Primary outputBoard-approved written policy manual and operating procedures covering the full AML/CFT programmeA documented risk rating methodology across customer, geography, product/service, and delivery-channel riskThe onboarding, screening, and monitoring discipline built and run day to day, of which the policy is one componentRegistration and activation on the FIU's goAML reporting platformStaff competency in executing the policy correctly, evidenced by attendance and assessment records
Legal basisFederal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019, as amendedSame legal framework — the risk-based approach the law mandates as the foundation of any AML programmeSame framework, operational layerAML/CFT Law's reporting-channel requirementAML/CFT Law's expectation that staff can execute the documented procedure
SequencingDrafted from a completed or concurrently produced risk assessment; precedes or accompanies staff trainingShould exist before, or be produced alongside, the policy — the policy operationalises the risk assessment's findingsRuns on top of the policy once drafted and approved — the policy tells staff what to do; CDD advisory is the doingCan run in parallel with policy drafting; registration alone does not satisfy the policy requirementFollows policy drafting — staff cannot be trained on a document that does not yet exist
Typical deliverable formBoard-approved AML/CFT policy manual, CDD/EDD procedures, escalation matrix, screening cadence, record-retention scheduleWritten risk assessment report with a risk-rating methodology and supporting rationaleOnboarding forms, CDD/EDD checklists, ongoing monitoring workflow, file remediationFIU portal credentials for the organisation and the designated Compliance OfficerTraining materials, attendance records, competency sign-off
Who typically commissions itAny DNFBP, financial institution, or VASP without a current, board-approved, entity-specific policyEntities building or refreshing their AML programme, or responding to a materially changed businessEntities with a policy already in place needing the operational layer built or fixedEntities that have a policy and risk assessment but lack platform accessEntities with an approved policy that staff have not yet been formally trained against
Inspection relevanceThe document a Ministry of Economy or Central Bank inspector reviews first and tests customer files againstThe foundation an inspector checks the policy actually reflectsWhat an inspector samples to see if the policy is being followed in practiceNecessary but not sufficient on its own — registration without a policy behind it is an early and common findingAbsence of training records is a standard, easily identified inspection finding
Coverage of VASP-specific obligationsIncluded where the entity is a Virtual Asset Service Provider, referencing VARA or the relevant emirate regulator's specific rulebookRisk assessment identifies virtual-asset exposure as a distinct risk categoryCDD advisory builds the travel-rule-style onboarding checks the policy describesRegistration mechanics are regulator-neutral; VASP status does not change how goAML itself is usedTraining covers VASP-specific red flags where relevant
Beneficial ownership look-through methodologySets out the explicit look-through procedure under Cabinet Decision No. 58 of 2020Risk assessment flags layered or offshore ownership as an elevated risk factorCDD advisory executes the look-through at onboarding and keeps it currentNot addressed by registration itselfTraining covers applying the look-through consistently across files
What is retained as the primary recordThe signed, version-controlled policy manual itself, plus the internal stress-test recordThe written risk assessment report and its rating methodologyOnboarding files and CDD/EDD evidenceFIU portal registration confirmationAttendance and competency sign-off records

These engagements are frequently bundled — PNPC typically produces the risk assessment and the policy manual as a single coordinated deliverable, then follows with goAML registration, CDD implementation support, and staff training, so the written policy and the operating programme are built to match from day one rather than reconciled after the fact.

How it works
#Stage & What PNPC DoesWhat Generic Templates MissTimeline
1Scoping call and applicability confirmation — confirming the entity's DNFBP or regulated category and which supervisory rulebook governs itA template drafted before applicability is confirmed risks citing the wrong supervisory authority or omitting sector-specific requirements — mainland DED, DIFC/DFSA, ADGM/FSRA, and VARA/VASP entities each sit under a different specific rulebook layered on the federal AML/CFT Law.Week 1
2Risk assessment review or production — confirming an existing risk assessment is current, or producing one where none exists, since the policy is drafted from its findingsA policy drafted without a current risk assessment behind it has no defensible basis for its due diligence tiers, EDD triggers, or monitoring thresholds — an inspector's first question is usually 'what risk assessment supports this clause.'Week 1–2 (if risk assessment already current) or Week 1–3 (if produced concurrently)
3Entity fact-finding — actual customer categories, transaction patterns, payment channels, geographies, and existing controls documented in detailGeneric templates skip this step entirely, which is exactly why they read as generic — the specific customer mix and payment channel detail is what turns a section heading into an operable clause.Week 1–2
4CDD/EDD procedure drafting — standard, simplified, and enhanced due diligence triggers defined against the entity's actual risk tiersTemplates state that EDD applies to 'high-risk customers' without defining, for this specific business, what actually triggers that classification — leaving front-line staff to guess and creating inconsistent files.Week 2–3
5Beneficial ownership identification procedure — the look-through methodology for corporate and trust customer structures, aligned to Cabinet Decision No. 58 of 2020Layered or offshore ownership structures need an explicit look-through rule; a generic clause that stops at the first corporate layer is a recurring inspection gap.Week 2–3
6Sanctions and PEP screening procedure — screening cadence, list sources, and escalation on a match, integrated into onboarding and ongoing monitoringTemplates often describe screening as a one-time onboarding check; the actual obligation includes periodic re-screening against updated lists, which a generic document rarely specifies with a defined cadence.Week 2–4
7Escalation and STR/SAR filing procedure — the internal pathway from a front-line observation to the Compliance Officer's decision and a goAML filing, with the no-tipping-off rule built in explicitlyA policy that does not name who decides, within what timeframe, and how the no-tipping-off obligation is protected leaves staff exposed to making that judgment call alone under pressure.Week 3–4
8Record-keeping and retention schedule — what is retained, in what format, for how long, and how it is retrieved on a supervisory requestRetention clauses in generic templates rarely address retrievability — a retained-but-unlocatable file reads on inspection almost the same as an unretained one.Week 3–4
9Governance and Compliance Officer authority clause — naming the designated Compliance Officer/MLRO, their reporting line, and their independent authority to pause or escalateA policy naming a Compliance Officer with no described authority to actually act independently is a recognised inspection red flag — the clause needs to describe real, exercisable authority, not a title.Week 3–4
10Internal review and stress-test — a sample walkthrough of how the drafted procedure would apply to a handful of real (anonymised) customer scenarios from the entity's own bookThis step catches clauses that read well on paper but do not actually work against a real file — a gap that only surfaces, otherwise, during an actual inspection.Week 4
11Board or senior management approval — the manual is formally adopted, dated, and signed off at the appropriate governance levelAn unsigned, undated policy — even a well-drafted one — does not evidence the governance ownership the AML/CFT Law expects.Week 4–5
12Handover, training briefing, and next-review scheduling — the approved manual is issued, a training session is scoped, and the annual review date is diarisedA policy issued without a scheduled review date is the policy most likely to still be in use, unrevised, three years later when a supervisor tests it against a business that has since changed.Week 5
13Cross-reference against any concurrent goAML registration or CDD implementation workstream — confirming the policy's screening cadence and escalation pathway matches what is actually being registered and operated on the groundTemplates are drafted in isolation from the registration and CDD build, producing a document that describes a screening process different from the one actually configured on the goAML profile or the onboarding checklist in use.Week 3–5
14VASP-specific clause insertion, where applicable — travel-rule-style identifying-information requirements for virtual asset transfers and any VARA or emirate-level VASP regulator expectationsA DNFBP template applied to a VASP without this clause leaves the policy silent on an obligation that is materially more stringent than the standard DNFBP baseline.Week 2–4 (VASP entities only)
15Free-zone localisation check — confirming DIFC/DFSA or ADGM/FSRA rulebook references are used in place of, or alongside, the Ministry of Economy framework where the entity sits in a financial free zoneA mainland-drafted policy applied to a DIFC or ADGM entity, or vice versa, references the wrong supervisor and the wrong specific rulebook provisions.Week 1–2 (confirmed at scoping)
16Group-policy localisation, where a parent company's global AML policy exists — every clause needing UAE-specific adaptation is flagged and rewritten rather than adopted as-isA global template with UAE-specific references to the AML/CFT Law, goAML, and local sanctions lists never inserted reads on inspection as evidence the entity has not actually engaged with its UAE obligation.Week 2–4 (where applicable)

Realistic timeline from scoping call to a board-approved, issued policy manual: 4–6 weeks where the risk assessment is already current, or 5–8 weeks where the risk assessment is produced concurrently. Complex entities with multiple customer categories, cross-border exposure, or a materially incomplete starting risk assessment take longer. PNPC does not shortcut the fact-finding stage regardless of timeline pressure, since a policy drafted without it is the generic-template problem in a new form.

Document Checklist
Entity & Licensing Information

Trade licence copy — mainland DED licence or free zone licence — showing licensed activities in full, since DNFBP status and policy scope follow actual licensed activity

Memorandum and Articles of Association or equivalent constitutional documents

Organisational chart identifying the proposed or existing Compliance Officer/MLRO and their reporting line to senior management or the board

Details of any UAE or overseas branches, subsidiaries, or related entities sharing customer data or referral relationships

Any existing AML/CFT policy or procedure documents, for gap assessment rather than discarding outright

Risk Assessment & Customer Profile Inputs

Current AML/CFT risk assessment, if one exists, or the underlying data to produce one — customer categories, transaction value ranges and frequency, geographic spread

Description of payment methods accepted — bank transfer, cash, third-party payment, cryptocurrency/virtual assets — since each carries different CDD implications

Any FATF-flagged or otherwise higher-risk jurisdiction exposure in the current customer or counterparty base

Any existing customer onboarding forms, KYC intake templates, or informal checklists currently in use

Beneficial Ownership & Corporate Structure

Shareholder register and, for corporate shareholders, their own ownership structure down to the natural person level

Existing Register of Beneficial Owners, if maintained, for accuracy review against Cabinet Decision No. 58 of 2020

Trust deeds, nominee arrangements, or power-of-attorney documents where ownership or control involves anything other than direct individual shareholding

Existing Compliance Infrastructure

Details of any sanctions or PEP screening tool currently used, including vendor, list sources, and screening frequency

Existing goAML platform registration details, if the entity is already registered

Records of any prior STR/SAR filings or internal escalations raised, with outcome

Correspondence from the Ministry of Economy, Central Bank, DFSA, FSRA, VARA, or any other supervisor relating to a prior inspection, finding, or directive

Staff training records relating to AML/CFT, if any prior training has been delivered

Governance Materials

Board or senior management structure and the appropriate approval authority for adopting a compliance policy

Any group-level or parent-company AML policy that needs to be localised rather than adopted as-is

Confirmation of who holds, or will hold, the designated Compliance Officer/MLRO role and their CV or role description

Post-Draft Sign-Off Pack

Board resolution or management sign-off record formally adopting the policy manual

Version-control record showing the effective date and the review-cycle schedule

Distribution and acknowledgement record confirming relevant staff have received and reviewed the approved policy

VASP-Specific Materials (Where Applicable)

VARA or relevant emirate-level VASP licence and any sector-specific compliance guidance already issued to the entity

Description of virtual asset transfer flows and any existing travel-rule-style data-sharing arrangement with counterparty VASPs

Details of the wallet/custody infrastructure and how transaction data is captured for AML purposes

Free Zone Supervisory Materials (DIFC/ADGM, Where Applicable)

DFSA or FSRA licence and any existing free-zone-specific AML rulebook compliance documentation

Correspondence with the DFSA or FSRA relating to AML supervision, if any

Confirmation of which free-zone-specific AML forms or notifications the entity is separately required to file

Ongoing obligations
PhaseTriggered ByPNPC GuidanceRisk If Ignored
Initial Drafting (Week 1–5)New licence issuance, absence of a current policy, or a material change requiring a full rewriteFact-finding, risk assessment alignment, and drafting of the full policy suite — CDD/EDD, beneficial ownership, screening, escalation, retention, governance — as one coordinated document set.Onboarding or continuing to operate without a current, board-approved policy leaves the entity unable to demonstrate compliance on first inspection and leaves front-line staff without a documented standard to follow.
Board Approval & IssuanceCompletion of drafting and internal reviewThe manual is formally adopted at board or senior management level, dated, version-controlled, and distributed to relevant staff with an acknowledgement record kept.An unsigned or informally circulated policy does not evidence the governance ownership supervisors expect, regardless of how well the content itself is drafted.
Staff Training RolloutPolicy issuanceThe approved manual is the basis for role-specific staff training — front-line onboarding staff, the Compliance Officer, and senior management — with attendance and competency records maintained.A policy that staff have not been trained on is close to worthless on inspection, since supervisors test whether procedures are actually followed, not just documented.
Live OperationOngoing customer onboarding and transaction activityThe policy's CDD/EDD tiers, screening cadence, and escalation pathway are applied consistently across every customer file, with the Compliance Officer exercising the documented authority.Inconsistent application — some files following the policy, others not — is the single most common inspection finding and signals the document is not actually operative.
Annual ReviewAnniversary of adoption, or a material change in business or regulationThe policy is reviewed against the current risk assessment, any Cabinet Decision or FATF guidance updates, and any change in the entity's customer base, products, or geographic exposure, with a formal re-approval.A stale, unrevised policy is a first-line inspection question — 'when was this last reviewed and approved' has an easy pass or fail answer.
Material Business ChangeNew product line, new customer segment, new jurisdiction exposure, M&A, or crypto/virtual-asset acceptanceThe policy is reassessed and updated before the change goes live — new risk exposure is incorporated into the CDD tiers and screening procedure proactively rather than retrofitted after exposure has already been taken on.A new business line onboarded under an unrevised policy is effectively unassessed, creating exactly the gap an inspection is designed to find.
Regulatory UpdateNew Cabinet Decision, Ministerial Decision, or FATF mutual evaluation follow-up guidance affecting AML/CFT obligationsThe policy manual is updated to reflect the change, with the update dated and the revision history maintained.A policy that does not track regulatory amendments drifts out of alignment with current requirements within a year or two, even if it was correctly drafted at issuance.
Regulatory InspectionScheduled or unannounced supervisory visitPNPC supports document production and file walkthroughs, drawing on the same policy and its supporting records built at drafting stage.An entity unable to produce a current, approved policy and matching customer files faces findings that typically escalate from a corrective directive to administrative fines and, in serious cases, licence-level consequences.
Remediation (If a Gap Is Found)Inspection finding or self-identified gap in the policy or its applicationThe specific clause or procedural gap is corrected, re-approved, and the correction evidenced for the next inspection cycle.Unaddressed policy gaps compound at the next inspection and are viewed as an aggravating factor reflecting a pattern rather than an isolated lapse.
VASP / Free-Zone Regulatory UpdateNew VARA guidance, DFSA/FSRA rulebook amendment, or emirate-level VASP regulation changeThe policy's VASP or free-zone-specific clauses are reviewed and updated separately from the core federal AML/CFT Law update cycle, since these sit under a different rulebook with its own amendment pace.A policy that tracks only federal AML/CFT Law changes and ignores sector or free-zone-specific rulebook updates drifts out of alignment with the supervisor that actually inspects the entity.
Group Policy Localisation RefreshParent company issues an updated global AML policyThe updated group policy is re-localised into the UAE-specific manual rather than assumed to already be reflected, since global updates rarely include UAE-specific clause changes automatically.Adopting an updated global policy without re-localising it can silently remove or dilute the UAE-specific clauses the previous localisation had added.
Common mistakes to avoid
Sequencing and Drafting-Stage Mistakes

Drafting the policy before the risk assessment exists, so the CDD/EDD tiers and screening thresholds have no documented basis an inspector can be shown

Copying a template and only changing the company name and licence number, leaving clauses that describe a different business model entirely

Adopting a parent company's global AML policy without localising the UAE-specific legal references, the goAML reporting channel, and the Compliance Officer's UAE-specific authority

Drafting the beneficial ownership clause to stop at the first corporate layer instead of building an explicit look-through methodology for layered or offshore structures

Governance and Sign-Off Mistakes

Leaving the policy unsigned, undated, or approved informally by a manager rather than at board or senior management level

Naming a Compliance Officer or MLRO in the document without describing real, independent authority to pause a transaction or escalate — a title with no substance

Failing to fix a firm annual review date at issuance, so the policy has no built-in trigger to be revisited before it drifts out of alignment with the business or the regulations

Skipping the internal stress-test against real, anonymised customer files before finalising the document, so clauses that read well on paper are never checked against an actual scenario

Post-Issuance Mistakes That Undermine an Otherwise Good Policy

Issuing the policy without a documented staff training session, leaving a well-drafted document that front-line staff have never actually been walked through

Applying simplified due diligence inconsistently across customer files instead of against the specific, entity-defined criteria the policy sets out

Treating the policy as static after a material business change — a new product line, new customer segment, or new jurisdiction exposure — rather than reassessing and updating it before the change goes live

Not updating the goAML-registered Compliance Officer promptly when the role holder changes, leaving a governance gap between what the policy says and who is actually registered to act

Frequently asked
What exactly does 'drafting of AML policies and procedures' include, separate from the risk assessment or the CDD advisory work?

This engagement is the production of the written, board-approved policy manual and operating procedures themselves — the document set covering CDD/EDD tiers, beneficial ownership identification, sanctions/PEP screening, escalation, record-keeping, and STR/SAR filing procedure. It is drafted from a risk assessment (existing or produced alongside) and precedes the day-to-day CDD advisory and staff training work, which apply the policy in practice.

Practitioner noteWe are often asked to draft a policy where no risk assessment exists yet. We can produce both together, but we do not draft the policy first and backfill the risk assessment afterwards — the sequencing matters for a defensible document.
Can we just use a template AML policy and change the company name and logo?

Doing so leaves a document that describes a generic business, not yours — and supervisory authorities specifically test whether the policy's content matches the entity's actual customer base, transaction patterns, and controls. A template with the name changed is a recognised, recurring inspection finding, not a shortcut that saves time in the long run.

Practitioner noteWe ask new clients to send their existing template first, if they have one. Nine times out of ten it was copied from elsewhere and has clauses that plainly do not describe how the business actually operates — those are the first things we flag.
Does the policy need to be board-approved, or can a manager just sign off on it?

UAE AML/CFT expectations are that the policy is adopted at the appropriate senior governance level — typically the board of directors or equivalent senior management for smaller entities — reflecting genuine institutional ownership of the compliance function, not a document produced and filed away by a junior staff member without formal sign-off.

Practitioner noteWe build a formal approval and version-control step into every drafting engagement specifically because an unsigned, undated policy — even a well-written one — does not evidence the governance ownership a supervisor is looking for.
How long does it take to draft a complete AML policy manual?

Where a current risk assessment already exists, a complete, board-approved policy manual typically takes around 4–6 weeks from the initial scoping call, covering fact-finding, drafting, internal review, and formal approval. Where the risk assessment needs to be produced concurrently, the realistic window extends to roughly 5–8 weeks. More complex entities with multiple customer categories or cross-border exposure take longer.

Practitioner noteWe do not shortcut the entity fact-finding stage to compress the timeline — that stage is exactly what turns a generic document into an operable one, and skipping it produces the template problem in a new form.
What sections does a properly drafted AML/CFT policy manual need to cover?

At minimum: the business-wide risk assessment methodology and its findings; standard, simplified, and enhanced Customer Due Diligence procedures with entity-specific triggers; beneficial ownership identification and verification; sanctions and PEP screening cadence; ongoing transaction monitoring; the internal escalation pathway to the Compliance Officer; the goAML STR/SAR filing procedure and the no-tipping-off rule; record-keeping and retention; and the designated Compliance Officer's authority and the annual review cycle.

Practitioner noteSection headings alone do not make a policy defensible. We test every section by asking whether a front-line staff member could actually follow it without calling us — if the answer is no, the clause needs more specificity, not more length.
How is a policy for simplified due diligence customers actually written so it is not misused?

The policy needs to define, in terms specific to the entity's own customer base and risk assessment, exactly which customer profile qualifies for simplified treatment — not a generic reference to 'low-risk customers.' It must also state explicitly that simplified due diligence can never apply automatically as a default, and can never apply to a customer or jurisdiction carrying elevated risk indicators regardless of how the relationship is otherwise structured.

Practitioner noteWe deliberately draft this clause narrowly rather than broadly, because a pattern of unjustified simplified treatment across a customer file sample is a common and easily identified inspection finding.
Our parent company has a global AML policy — can we just adopt it for our UAE entity?

A global group policy is a useful starting reference but rarely satisfies UAE requirements on its own. It needs to be localised to reference the specific provisions of the AML/CFT Law, the goAML reporting channel, the UAE Compliance Officer's specific authority and portal registration, and any UAE-specific risk factors such as local sanctions lists and DNFBP activity thresholds that a global template will not capture.

Practitioner noteWe regularly localise group policies for UAE subsidiaries of international clients. It is faster than drafting from a blank page, but it is not a copy-paste exercise — every clause needing UAE-specific adaptation gets flagged and rewritten.
What is the difference between the policy and the procedures — aren't they the same document?

In practice they are usually issued as one coordinated manual, but conceptually the policy states the entity's principles and risk appetite (for example, the categories of customer requiring enhanced due diligence), while the procedures set out the specific operational steps staff follow to give effect to that policy (for example, the exact documents collected and the approval sign-off required for an enhanced due diligence onboarding). Both need to be present and aligned for the document to be operable.

Practitioner noteWe see policies that state a principle clearly but never translate it into an operable procedure — leaving staff to interpret intent case by case, which produces exactly the file inconsistency an inspection tests for.
How often does the policy need to be reviewed and re-approved?

At minimum annually, and additionally whenever there is a material change in the business — a new product or service line, a new customer segment or geographic market, a change in ownership or control, or a relevant new Cabinet Decision, Ministerial Decision, or FATF guidance update. A policy that has not been revisited in several years is itself a common and easily identified inspection finding.

Practitioner noteWe build the annual review into the ongoing advisory relationship rather than leaving it to the client to remember — a calendar-driven review catches drift in the business before a supervisor does.
Does having a well-drafted policy protect us if a customer turns out to be involved in money laundering?

A properly drafted and consistently implemented policy is the standard against which a business's conduct is judged on inspection — it does not guarantee that criminal activity will never occur through the business, but a business that can demonstrate it followed a documented, board-approved, risk-based programme in good faith is in a materially different position than one with no policy or one that ignored its own documented red flags.

Practitioner noteWe are candid with clients that the goal is defensible, demonstrable good-faith compliance, not a guarantee that no bad actor will ever attempt to use the business — those are different standards and understanding the difference shapes how the policy should be written.
What happens if the policy exists but staff aren't actually following it?

A written policy that is not being followed in practice is treated on inspection as close to equivalent to having no policy at all, since supervisors sample customer files to test whether the documented procedure matches what staff actually did — a strong policy with inconsistent underlying files is a standard, easily identified finding.

Practitioner noteThis is precisely why we recommend staff training and an internal file walkthrough immediately after policy approval — a policy that exists only on paper is the single most common gap we find when reviewing another firm's earlier drafting work.
Do free zone entities in DIFC or ADGM need a different policy structure than mainland entities?

Yes. DIFC entities regulated by the DFSA and ADGM entities regulated by the FSRA operate under their own AML rulebooks specific to those financial free zones, layered on the federal AML/CFT Law. A policy drafted against the mainland Ministry of Economy framework will not directly satisfy a DIFC or ADGM entity's specific supervisor, even though the underlying AML principles are broadly aligned.

Practitioner noteWe scope this explicitly at the start of every drafting engagement — building a mainland-style policy for a DIFC or ADGM entity, or vice versa, produces a document that will not satisfy the entity's actual supervisor.
Who should be named as the Compliance Officer or MLRO in the policy, and what authority does the document need to give them?

The nominee should be sufficiently senior and empowered within the organisation to act independently — able to escalate concerns, request further information, and where necessary pause a transaction pending review, without needing case-by-case sign-off from someone whose interests might conflict with reporting. The policy document needs to describe that authority explicitly, not just assign a title.

Practitioner noteWe ask clients directly during drafting: if this person wanted to stop a transaction tomorrow because they were uneasy about it, could they actually do that without needing three layers of sign-off? If the honest answer is no, the authority clause — or the nomination itself — needs rethinking before the policy is finalised.
How much does drafting a full AML policy manual cost?

PNPC agrees a fixed, written fee before work begins, scoped to the complexity of the business — a single-office corporate service provider and a multi-branch real estate brokerage require materially different depth of drafting. Fees also depend on whether the risk assessment is produced concurrently or already exists.

Practitioner noteWe deliberately do not publish a single number here because policy complexity varies enormously by business type and existing documentation — ask us for a scoped, written quote after the initial call.
Can PNPC draft the policy and also act as our Compliance Officer?

PNPC drafts the policy and can provide ongoing advisory support to a designated internal Compliance Officer, but the statutory Compliance Officer/MLRO role must generally be held by a suitably senior individual within the regulated entity itself, since the role requires day-to-day authority an external adviser cannot exercise. Some sector rulebooks have specific requirements on who can hold the designation, which we scope precisely rather than assuming one model fits every client.

Practitioner noteWe are explicit with clients about this boundary at the drafting stage, since the policy document itself needs to name a real, internally accountable Compliance Officer for the governance clause to be credible on inspection.
Does the policy need a specific clause for Virtual Asset Service Provider (VASP) activity, or is the standard DNFBP template enough?

If the entity is licensed or otherwise falls within VASP regulation under VARA or another emirate-level VASP regulator, the policy needs a dedicated section addressing the additional, generally more stringent expectations attached to virtual-asset activity — including identifying-information requirements that travel with a virtual asset transfer (a travel-rule-style obligation), wallet/custody-related risk factors, and screening considerations specific to virtual asset counterparties. A standard DNFBP template that treats virtual assets as just another payment method under-serves this risk.

Practitioner noteWe flag VASP status as a specific scoping question at the very first call, because a policy drafted against the standard DNFBP baseline and later found to also need VASP-specific content is effectively a rewrite, not an edit.
What actually changes in the document for a DIFC or ADGM entity compared with a mainland one, beyond just naming a different regulator?

Beyond naming the DFSA or FSRA as the applicable supervisor instead of the Ministry of Economy, the specific rulebook provisions each regulator has issued — on CDD thresholds, reporting mechanics, and record-keeping — need to be reflected in the substantive clauses themselves, not just the cover page. A DIFC or ADGM entity's policy also typically needs to reference that regulator's own AML rulebook by name and section, since a generic reference to 'UAE AML law' without the free-zone-specific rulebook citation reads as incomplete to that regulator on inspection.

Practitioner noteWe treat the DFSA and FSRA rulebooks as primary source documents during drafting for these entities, not as an afterthought layered on top of a mainland-style manual.
Is there a different policy content requirement for real estate brokers versus corporate service providers, or is one template used for every DNFBP?

The core structure — CDD/EDD, beneficial ownership, screening, escalation, record-keeping, governance — is common across DNFBP categories, but the specific risk indicators, transaction-level red flags, and documentation standards differ materially by sector. A real estate broker's policy needs source-of-funds documentation standards calibrated to high-value, sometimes cash-adjacent property transactions and buyer/seller-side CDD; a corporate service provider's policy needs a look-through methodology for the client on whose behalf a company is being formed, including where an intermediary is instructing on behalf of an undisclosed end client.

Practitioner noteWe draft the sector-specific risk indicators into the policy rather than leaving them as a generic reference to 'red flags,' because a front-line broker or company formation officer needs the indicator written in terms of their own transaction type to actually recognise it.
Our precious metals and stones business only deals in cash occasionally — do we still need a full policy, or only once we cross the threshold?

The DNFBP obligation for dealers in precious metals and stones attaches to cash transactions (or connected transactions) at or above the threshold prescribed by the Ministry of Economy. A business that only occasionally approaches that threshold still needs a documented policy and a monitoring process to actually identify when a transaction or a connected series of transactions crosses it — the obligation is not avoided simply because most individual transactions fall below the line, since connected transactions structured to stay under the threshold are themselves a recognised red flag.

Practitioner noteWe build a threshold-monitoring mechanism into the policy for occasional-cash DPMS businesses specifically, because the risk in practice is usually not a single large transaction but a pattern of smaller ones that, taken together, cross it.
What happens if the risk assessment and the drafted policy end up disagreeing on something — which one governs?

The policy should always be drafted to reflect the risk assessment's findings, not the other way around — if a drafting-stage discussion reveals the policy needs to say something the risk assessment does not support (for example, a broader simplified due diligence category than the risk assessment justifies), the correct fix is to revisit and, if warranted, update the risk assessment first, then draft the policy to match it, rather than drafting a clause the underlying risk analysis does not actually support.

Practitioner noteWe treat this disagreement as a useful signal, not a nuisance — it usually means either the risk assessment missed something about the business, or the policy drafter is reaching for a shortcut the risk profile does not justify. Either way, it needs resolving before sign-off.
We have several UAE entities under one group — do we need a separate AML policy for each, or can one group-wide policy cover them all?

Each entity that independently meets the DNFBP or regulated-entity definition generally needs its own board-approved, entity-specific policy reflecting its own licence, customer base, and supervisory authority — a holding company does not typically operate the policy for a licensed operating subsidiary. Where entities share genuinely common customer bases, systems, and governance, a coordinated group framework with entity-specific annexes can be efficient, but each entity's board or senior management still needs to formally adopt its own applicable version.

Practitioner noteWe sometimes produce these as annexed sections within one coordinated group document set for administrative convenience, but each entity's specific, substantive content is drafted separately — a shared cover page does not mean shared substance.
Does the policy need to be issued in Arabic, English, or both?

UAE regulatory correspondence and inspections are conducted with Arabic as the official language, though English-language policy documents are commonly accepted in practice by the Ministry of Economy and most sector regulators, particularly for internationally staffed businesses, provided the entity can produce an accurate Arabic version or translation if specifically requested. PNPC confirms the specific expectation with the entity's applicable supervisor during scoping rather than assuming one language is always sufficient.

Practitioner noteWe advise clients not to assume English alone is always sufficient — while it is broadly accepted in practice, having a certified Arabic translation ready to produce on request avoids a scramble if a specific inspector asks for one.
How does the drafted policy handle third-party introduced business — for example, customers referred by an intermediary who has already done some due diligence?

The policy needs to state explicitly whether, and under what conditions, the entity can place any reliance on due diligence already performed by a third party (such as an introducing broker or another regulated entity), and if so, what evidence of that third party's own compliance standing must be obtained and retained before any reliance is placed. Reliance on a third party does not remove the entity's own ultimate responsibility for the adequacy of the CDD performed on its own customer.

Practitioner noteWe draft this clause narrowly and specifically, because 'the introducer already checked them' is one of the more common informal justifications we hear for skipping a step the policy actually needs to require independently.
Does the policy need to specify whether records are kept digitally, physically, or both?

Yes — the record-keeping and retention section should specify the format records are held in, how they are backed up or protected against loss, and how they can be retrieved and produced to a supervisory authority within the timeframe requested. A retention clause that is silent on format and retrievability leaves ambiguity about whether a scanned copy is acceptable, how long backups are retained, and who is responsible for retrieval when a request arrives.

Practitioner noteRetrievability, not just retention, is the practical test — a business that technically kept every file but cannot locate the right one within the timeframe given is treated on inspection almost the same as one that did not keep it at all.
If we onboard customers through a digital or app-based process, does the policy need a separate section for that?

Yes. Digital or remote onboarding (sometimes referred to as e-KYC) carries its own delivery-channel risk considerations under the AML/CFT Law's risk-based approach — identity verification without an in-person document check typically needs a specific method (video verification, certified digital identity checks, or equivalent) described in the policy, along with how that method satisfies the same underlying verification standard as an in-person check.

Practitioner noteWe ask specifically about onboarding channel mix at the fact-finding stage, because a policy written assuming face-to-face onboarding will not actually describe what happens when a customer is onboarded remotely — an increasingly common gap in older policies.
Is Economic Substance Regulations (ESR) compliance part of this engagement, or a separate matter?

ESR and AML/CFT policy drafting are separate regimes with separate legal triggers and separate supervisors, and the Ministry of Finance discontinued the ESR notification and report filing requirement for financial years starting on or after 1 January 2023, under Cabinet Decision No. 98 of 2024 — so for most entities today ESR is, at most, a closed historical-period question rather than a live ongoing obligation. An AML/CFT policy drafting engagement does not cover ESR, and an ESR filing from the years it was live never satisfied any AML/CFT policy requirement.

Practitioner noteWe flag this distinction proactively because clients who dealt with ESR filings in earlier years sometimes assume the same document, or the same annual rhythm, covers their AML obligation too. It does not — the two have always been independent requirements.
Is this the same as, or does it include, an independent AML/CFT audit of our compliance function?

No — drafting produces the written policy and procedures; an independent AML/CFT audit is a separate, subsequent exercise that tests whether the operating programme (onboarding files, screening records, escalation decisions) actually matches what the policy describes. Many entities commission drafting first and an independent audit some months into live operation, once there is enough operating history to test.

Practitioner noteWe are sometimes asked to draft the policy and also perform the independent audit of the same programme — where independence rules or a specific regulator's expectations require separation between the drafter and the auditor, we flag that conflict and recommend a different reviewer for the audit stage.
What happens if our Compliance Officer nominee changes partway through the drafting engagement?

The governance and authority clause is finalised against whoever is actually confirmed as the Compliance Officer/MLRO at sign-off, since the document needs to name a real, currently accountable individual for the clause to be credible on inspection — if the nominee changes mid-engagement, PNPC updates the relevant clause and any associated goAML registration before the policy is issued, rather than issuing a document naming someone who has since left the role.

Practitioner noteWe treat a mid-drafting Compliance Officer change as a routine update, not a problem — the bigger risk is a policy issued naming someone who has already moved on, which we specifically check for at the pre-issuance stress-test stage.
Can we get the policy fast-tracked if we have an imminent inspection or a new licence activation deadline?

PNPC can prioritise a drafting engagement and compress the calendar-time elements (scheduling, review turnaround) where there is a genuine deadline, but the substantive fact-finding, risk assessment alignment, and internal stress-test stages are not steps we skip under time pressure, since a policy drafted without them recreates the generic-template problem in a compressed timeframe rather than solving it.

Practitioner noteWe are candid with clients under deadline pressure: we will move faster on our side, but we cannot compress the client's own side of fact-finding — the depth of the answers we get about the actual business is what determines how defensible the final document is.
Does the policy need to reference specific sanctions list sources by name, or can it just say 'applicable sanctions lists'?

The policy should name the specific list sources the entity screens against — at minimum the UAE Local Terrorist List and the UN Consolidated Sanctions List, plus any additional lists relevant to the entity's specific customer or transaction profile — rather than a vague reference to 'applicable sanctions lists' that gives front-line staff no way to confirm they are screening against the right sources.

Practitioner noteA vague sanctions-list reference is one of the more common gaps we find reviewing another firm's earlier drafting — it reads fine at a glance but gives a front-line staff member nothing concrete to actually check against.
How quickly does the policy need to be updated after a new Cabinet Decision or Ministry of Economy guidance is issued?

There is no single fixed statutory countdown for every possible regulatory update, but the expectation under the AML/CFT Law's risk-based approach is that a material change in the legal or regulatory framework is reflected in the policy within a reasonable period, and certainly before the next scheduled annual review if the change affects a substantive obligation the entity is currently operating under. Waiting for the next annual review cycle to incorporate a change that already affects live customer relationships is not advisable.

Practitioner noteWe track regulatory updates for retainer clients specifically so a material Cabinet Decision change triggers an out-of-cycle policy update rather than sitting until the next scheduled annual review.
If two group entities in the UAE fall under different DNFBP categories — say, one is a corporate service provider and another is a real estate broker — do they need entirely separate policies?

Generally yes, in substance if not necessarily in a single combined binder — each entity's policy needs to reflect its own actual licensed activity, DNFBP category, and specific risk indicators, since a corporate service provider's beneficial-ownership look-through obligations and a real estate broker's source-of-funds documentation standards are materially different in application even though both sit under the same overarching AML/CFT Law.

Practitioner noteWe sometimes produce these as annexed sections within one coordinated group document set for administrative convenience, but each entity's specific, substantive content is drafted separately.
Does PNPC benchmark the policy against FATF guidance specifically, or only against UAE Cabinet Decisions?

Both. The UAE's AML/CFT Law and its Cabinet Decisions are themselves shaped by, and periodically updated to reflect, the Financial Action Task Force's international standards and any UAE-specific follow-up actions from FATF mutual evaluation processes, so a policy drafted with only the letter of the Cabinet Decision in mind, without an eye to the FATF standard it implements, can miss the direction the regulation is evolving in.

Practitioner noteWe reference FATF guidance as context for interpreting ambiguous areas of the domestic regulation, not as a substitute for it — the UAE's own Cabinet Decisions and Ministry of Economy guidance remain the operative legal text the policy is drafted against.
We are a pre-revenue or dormant DNFBP-category entity with a licence but no live customers yet — do we still need a full policy now?

If the entity holds a licence for an activity that falls within a DNFBP category, the obligation to have a board-approved policy in place attaches once the entity is licensed and positioned to begin operating, not only once it has active customers — a business that intends to start onboarding customers imminently should have its policy drafted and approved before the first customer relationship begins, not retrospectively once one already exists.

Practitioner noteWe do occasionally right-size the initial policy for a genuinely pre-revenue entity, focusing on getting the governance and framework correct, with detailed operational calibration refined once real customer data exists — but we do not recommend delaying the policy itself until customers arrive.
How does an M&A due diligence review of a target's AML policy differ from a standard drafting engagement?

An M&A-context review starts by assessing the target's existing policy and its actual operating history — inconsistencies between the document and the customer files, any unresolved inspection findings, undisclosed prior STR/SAR filings — before deciding whether the existing policy can be adopted, needs targeted remediation, or needs a full rebuild post-completion. The output is a risk report for the acquirer's decision-making as much as a drafting deliverable.

Practitioner noteWe have found that a target's AML policy is sometimes the cleanest-looking document in an otherwise messy diligence file, precisely because it was purchased as a template and never tested against real files — which is exactly why we do not rely on the document alone in an M&A context.
Can the same policy document also satisfy a bank's request to see our AML controls when they conduct their own AML due diligence on us as a business customer?

A properly drafted, board-approved AML/CFT policy is generally the document a bank's own AML due diligence team wants to see when assessing a business customer, and having one ready — rather than assembling something in response to the bank's specific request — materially speeds up that process. The policy does not need separate content for a bank's request specifically; the same document that satisfies your own regulator generally satisfies a bank's diligence question as well.

Practitioner noteWe have had clients whose account opening or account review with a bank stalled specifically because they had no policy to produce on request — having one ready in advance avoids that delay entirely.
What is the practical difference between a policy drafted for a company with 5 staff and one drafted for a company with 200 staff?

The substantive obligations are the same regardless of headcount, but the depth of the escalation hierarchy, the number of approval layers for enhanced due diligence, and the granularity of role-specific procedures scale with organisational complexity — a 5-person business may have a single escalation step to one Compliance Officer, while a 200-person business needs a documented multi-tier escalation path across branches or departments before a matter reaches the Compliance Officer's desk.

Practitioner noteWe right-size the document to the organisation rather than imposing an enterprise-scale escalation hierarchy on a small team, or an under-specified one on a large, multi-branch business — both are common mistakes when a template is used instead of a business-specific draft.
Do we need PNPC involved every time we make a small wording change to the policy after issuance, or can we edit it ourselves?

Minor administrative updates (a change of registered office address, an updated internal phone extension) do not require PNPC's involvement, but any change to a substantive clause — CDD/EDD triggers, screening cadence, escalation authority, retention periods — should go through the same review discipline as the original drafting, since an informally edited substantive clause can drift out of alignment with the risk assessment or the underlying legal requirement without anyone noticing until an inspection tests it.

Practitioner noteWe ask clients to route any substantive edit through us, even briefly, because we have seen well-intentioned internal edits — made to solve a specific operational friction — inadvertently create a compliance gap the original drafting had been careful to avoid.
Why PNPC Global

PNPC-drafted AML policy vs a generic template or DIY approach

DimensionGeneric Template / DIY PolicyPNPC-Drafted Policy
Basis for the documentDownloaded headings with the company name insertedDrafted from the entity's own risk assessment, actual customer base, and transaction patterns
CDD/EDD triggersGeneric references to 'high-risk' and 'low-risk' customers with no entity-specific definitionSpecific, defensible triggers calibrated to this business's own risk tiers
Beneficial ownership look-throughOften stops at the first corporate layerExplicit look-through methodology for layered or offshore structures, aligned to Cabinet Decision No. 58 of 2020
Governance and approvalFrequently unsigned, undated, or approved informallyBoard or senior management approval built into the drafting process, with version control
UAE-specific groundingGlobal group templates often left unlocalised, with no goAML or local sanctions-list referencesLocalised to the AML/CFT Law, goAML, and current UAE sanctions/PEP list sources
Operability for front-line staffPrinciples stated without a step-by-step procedure to followPolicy and procedure paired, tested against realistic (anonymised) customer scenarios before sign-off
Inspection readinessReads as generic on a file-by-file review, a common and recurring inspection findingDrafted to withstand a supervisor testing the document against an actual customer file
Review disciplineLeft unrevised for years until a finding forces a rewriteAnnual review scheduled into the engagement from day one, updated as regulations and the business evolve
VASP and free-zone-specific clausesAbsent, or a single generic DNFBP clause applied regardless of regulatorDrafted specifically for VARA/emirate VASP or DFSA/ADGM rulebooks where applicable, not bolted on afterward
Coordination with concurrent registration/CDD workPolicy, goAML registration, and CDD checklist built by different parties, describing different processesPolicy, registration, and CDD implementation coordinated so the written document matches what is actually configured and operated
Group policy localisationAdopted wholesale, or localised once and never revisited when the group template changesLocalised at drafting and re-checked against subsequent group policy updates
Stress-test before sign-offRarely performed; the first real test of the policy is an actual inspectionWalked through against real, anonymised customer scenarios before the document is finalised

What the PNPC package includes

  1. 01

    Applicability and scoping confirmation against the entity's actual DNFBP or regulated category

  2. 02

    Risk assessment review, or production, as the foundation the policy is drafted from

  3. 03

    Entity fact-finding on actual customer categories, payment channels, and geographic exposure

  4. 04

    Standard, simplified, and enhanced Customer Due Diligence procedures with entity-specific triggers

  5. 05

    Beneficial ownership identification and verification procedure aligned to Cabinet Decision No. 58 of 2020

  6. 06

    Sanctions and PEP screening procedure with a defined cadence and escalation path

  7. 07

    Internal escalation pathway and goAML STR/SAR filing procedure, including the no-tipping-off discipline

  8. 08

    Record-keeping and retention schedule designed for retrievability, not just storage

  9. 09

    Designated Compliance Officer/MLRO authority clause and governance structure

  10. 10

    Internal stress-test against realistic, anonymised customer scenarios before finalisation

  11. 11

    Board or senior management approval process and version-control record

  12. 12

    Post-issuance training briefing scoping and annual review date scheduling

  13. 13

    Coordination with any concurrent goAML registration or CDD implementation engagement

  14. 14

    Ongoing advisory access for policy interpretation questions after issuance

Get an AML/CFT policy manual built from your actual business, not a template — speak to PNPC's UAE compliance team.

Jurisdiction

🇦🇪
United Arab Emirates

Free zone, mainland & offshore

Ready to get started?

Tell us about your requirement — a UAE specialist responds within 24 hours.

← Back to AML / CFT Services