IPR & AML Compliance · AML / CFT Services
Setup of AML Software
Setup of AML Software is the engagement through which PNPC selects, configures, and operationalises the sanctions/PEP screening, transaction-monitoring, and case-management technology that sits underneath a UAE entity's AML/CFT programme required under Federal Decree-Law No.
Chartered Accountants · Dubai · Since 1986
Setup of AML Software is the technical implementation layer of a UAE entity's anti-money laundering and counter-terrorist financing (AML/CFT) compliance function — the sanctions and Politically Exposed Person (PEP) screening tool, the transaction-monitoring system, and the case-management workflow that a Designated Non-Financial Business and Profession (DNFBP) or regulated financial entity uses to actually execute the customer due diligence, ongoing monitoring, and suspicious-activity escalation obligations set out in Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Cabinet Decision No. 10 of 2019 (as amended). The law itself is technology-neutral — it does not mandate a specific vendor or platform — but it does require that screening and monitoring actually happen, that they happen consistently and at an appropriate frequency, and that the entity can produce evidence of what was screened, when, and with what outcome. For most entities beyond a handful of customers, that evidence trail is not realistically achievable through manual, spreadsheet-based checks; it requires software.
An AML software setup engagement typically covers three connected layers. The first is sanctions and PEP screening — configuring the tool to check customers, beneficial owners, and transaction counterparties against the UN Security Council Consolidated Sanctions List, the UAE Local Terrorist List, and any other lists relevant to the entity's cross-border exposure, both at onboarding and on a recurring basis thereafter, since a name that screens clean today can be listed tomorrow. The second is transaction monitoring — where relevant to the entity's activity (higher transaction volumes, financial institutions, exchange houses, or DNFBPs handling client funds), configuring rules and thresholds that flag activity inconsistent with a customer's expected profile, so unusual patterns surface for review rather than passing unnoticed inside routine volume. The third is case management and audit trail — ensuring that every screening hit, monitoring alert, and its disposition (cleared, escalated, filed as a Suspicious Transaction Report through the FIU's goAML platform) is logged, timestamped, and retrievable, because the record of how an alert was handled is often what a supervisory authority tests most closely.
The practical failure mode PNPC sees most often is not the absence of software — many entities have purchased a screening tool — but misconfiguration that leaves the tool doing far less than the entity believes. A subscription screening against only one list source when the entity's exposure calls for several; screening run once at onboarding with no periodic re-screening scheduled, so a customer sanctioned eighteen months into the relationship is never caught; monitoring thresholds copied from a vendor's generic template that bear no relationship to the entity's actual transaction sizes; or an alert queue that accumulates unreviewed because no one owns triage. Each of these leaves the entity with a screening tool that exists on paper and a written AML policy that claims a monitoring cadence the software is not actually running — precisely the mismatch between documented procedure and operating reality that Ministry of Economy and Central Bank inspections are designed to surface.
The regulatory backdrop differs by where the entity sits inside the UAE's layered supervisory structure, and that difference matters for how AML software should be configured, not just who inspects it. A mainland DNFBP — a real estate brokerage, a precious-metals dealer, a corporate service provider licensed through a Department of Economic Development — answers to the Ministry of Economy for AML/CFT supervision and reports through the FIU's goAML platform regardless of emirate. An entity licensed in the Dubai International Financial Centre answers to the Dubai Financial Services Authority, and one in Abu Dhabi Global Market answers to the Financial Services Regulatory Authority, each of which operates its own AML rulebook layered on top of the federal Decree-Law, with its own expectations for how supervised entities document and evidence their screening and monitoring technology. A general free zone such as JAFZA, DMCC, RAKEZ, IFZA, Meydan, RAK ICC, or Ajman does not carry a separate financial-services AML rulebook the way DIFC or ADGM does — an entity licensed there that meets the DNFBP definition still sits under the same federal AML/CFT Law and Ministry of Economy supervision as a mainland entity, so its software configuration expectations track the mainland approach rather than a free-zone-specific variant. A Virtual Asset Service Provider licensed by VARA in Dubai, or by another emirate's VASP framework, sits under AML expectations that are generally more stringent again, often including specific technology requirements around transaction traceability that a standard DNFBP's screening tool was never built to handle. None of this changes the substance of what AML software setup is trying to achieve — reliable screening, proportionate monitoring, and a retrievable audit trail — but it changes which supervisor tests the configuration and which rulebook the documentation should track. PNPC confirms which regulatory layer an entity sits under before finalising a configuration, since a DIFC-regulated entity presenting evidence in Ministry-of-Economy terms, or vice versa, creates friction at inspection a correctly framed file avoids.
Under Federal Decree-Law No. 47 of 2022 on Corporate Tax and the broader Federal Tax Authority compliance landscape, AML software setup is a separate obligation from tax registration and filing, but the underlying discipline is related: both require the entity to maintain systems and records that can be produced to a regulator on request, in the format and timeframe the regulator specifies. PNPC treats AML software setup as inseparable from the policy and risk-assessment work that defines what the software should actually be configured to do — a tool is only as good as the risk methodology behind its settings, and a risk methodology with no operating tool behind it is a document, not a control.
When Setup of AML Software is the right engagement
Your business is a DNFBP or regulated financial entity under UAE AML/CFT law and does not yet have a sanctions/PEP screening tool in place, or is currently relying on manual, ad hoc name checks
You have a screening subscription already but have never had its list sources, screening frequency, and match-handling workflow reviewed against your actual risk assessment and written policy
Your customer or transaction volume has grown to the point where manual review is no longer defensible, and screening or monitoring alerts are accumulating faster than they can be triaged
You are newly licensed in a regulated sector — financial services, a Virtual Asset Service Provider, or a DNFBP category — and need the screening infrastructure built before you can lawfully onboard customers at scale
A Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection has flagged that your screening tool's configuration does not match your documented AML/CFT policy or risk assessment
You need transaction-monitoring rules and thresholds calibrated to your actual customer base and transaction sizes rather than a vendor's generic out-of-the-box template
Your existing screening tool only checks at onboarding with no periodic re-screening scheduled, leaving customers who screened clean initially unmonitored against subsequent sanctions-list updates
You need a case-management and audit-trail workflow so that every alert, its investigation, and its disposition (cleared or escalated to an STR/SAR filed through goAML) is logged and retrievable on request
You are evaluating multiple screening or transaction-monitoring vendors and need independent advisory input on selection criteria matched to your transaction volume, budget, and risk profile before committing to a subscription
Your entity is a Virtual Asset Service Provider, or otherwise has virtual-asset transaction exposure, and your existing screening tool was never configured to handle the wallet and counterparty-VASP screening that category typically requires
You operate across a DIFC, ADGM, or mainland/general-free-zone structure and need your screening and monitoring configuration documented in terms that map correctly to whichever specific supervisor — DFSA, FSRA, or the Ministry of Economy — actually inspects that entity
Where a different engagement may fit better
You do not yet have a documented AML/CFT risk assessment or written policy — configuring screening software before that foundation exists means the tool has nothing calibrated to configure against; a KYC & CDD Advisory engagement to build the policy and risk methodology should come first or alongside
You have not yet confirmed whether your business actually falls within a DNFBP or regulated category under UAE AML law — an applicability assessment should precede any technology purchase
You need standalone goAML portal registration completed with no wider screening or monitoring technology decision in scope — that is a narrower registration engagement
You are looking for PNPC to act as the ongoing designated Compliance Officer or MLRO who reviews and dispositions alerts day to day — PNPC configures and advises on the system; the entity's own empowered Compliance Officer must own live alert triage
You want a specific vendor product guaranteed or endorsed without an independent needs assessment — PNPC advises on selection criteria matched to your risk profile and is not tied to a single vendor
You are seeking a guarantee that a configured tool will catch every future suspicious relationship — no screening or monitoring system eliminates risk; it reduces the chance that a red flag passes unnoticed, and a documented, well-configured system is judged on whether it was reasonably designed and operated, not on a guaranteed outcome
Your requirement is limited to general company incorporation or trade licensing with no AML/CFT compliance dimension currently in scope
You already have a fully configured, independently reviewed screening and monitoring system and simply want ongoing subscription renewal — that is a vendor-management matter, not an implementation engagement
You need only a single, narrow technology decision — for example, adding a transaction-monitoring module to a screening tool that already runs onboarding and periodic re-screening correctly — and prefer a scoped augmentation rather than a full requirements-through-recalibration engagement; PNPC can scope narrower supplementary work, but the requirements review still starts from the existing configuration
AML software components compared — what each layer actually does
| Component | What It Screens or Monitors | Typical Trigger Point | Who Uses the Output | Left Unconfigured, the Risk Is |
|---|---|---|---|---|
| Sanctions list screening | Customer and beneficial-owner names against the UN Consolidated Sanctions List and UAE Local Terrorist List | Onboarding, plus periodic re-screening on a defined cadence | Compliance Officer / MLRO reviewing hits before onboarding proceeds | A customer who was clean at onboarding but is later listed goes undetected until the next manual check, if any |
| PEP screening | Customers and beneficial owners against Politically Exposed Person reference data, domestic and foreign | Onboarding, plus periodic re-screening | Senior management approving or declining enhanced due diligence onboarding | A PEP relationship is onboarded under standard rather than enhanced due diligence, missing the mandatory extra scrutiny |
| Adverse media / negative news screening | Customers and beneficial owners against publicly reported adverse media relevant to financial crime, fraud, or sanctions evasion | Onboarding, plus periodic re-screening | Compliance Officer assessing whether reported allegations affect the risk rating | Reputationally and legally significant public information about a customer is never surfaced through the formal process |
| Transaction monitoring | Transaction patterns against rules and thresholds calibrated to the customer's expected profile | Continuously, as transactions occur | Compliance Officer triaging generated alerts for investigation | Structuring, rapid movement of funds, or activity inconsistent with the stated business purpose passes unnoticed inside routine volume |
| Case management / audit trail | Every screening hit and monitoring alert, its investigation notes, and its final disposition | Generated automatically whenever a hit or alert occurs | Compliance Officer for day-to-day work; inspectors and auditors for evidence review | The entity cannot produce evidence of how a specific hit was handled, which reads on inspection as if the check never happened |
| goAML integration / escalation workflow | The handoff point where an investigated alert is assessed against the STR/SAR threshold | Whenever an alert investigation concludes suspicion is reasonably founded | Compliance Officer preparing and submitting the report through the FIU's goAML platform | A genuinely suspicious alert sits in the case-management queue without a clear path to filing, delaying the 'without delay' reporting obligation |
| Wallet / virtual-asset counterparty screening (VASP entities) | Wallet addresses and counterparty VASP names against sanctions exposure and jurisdictional risk indicators | At transaction initiation, for entities with virtual-asset exposure | Compliance Officer assessing counterparty risk before a virtual-asset transfer proceeds | Virtual-asset transfers move outside the standard screening layer entirely, leaving a category of activity the rest of the programme cannot see |
| List-source currency check | Whether the active sanctions, PEP, and adverse-media sources the tool screens against remain current and complete | Periodic, tied to vendor update cycles and internal review | Compliance Officer confirming the tool has not silently fallen behind a list update | A stale or discontinued list source keeps generating clean results against data that stopped being current months earlier |
Not every entity needs every component at the same intensity — a small corporate service provider's screening needs differ from a financial institution's transaction-monitoring needs. PNPC scopes which components apply, and at what depth, based on the entity's actual risk assessment rather than installing a uniform package regardless of size.
| # | Stage & What PNPC Does | What a Default Vendor Install Misses | Timeline |
|---|---|---|---|
| 1 | Requirements & Risk-Profile Review — confirming what the entity's existing risk assessment and AML policy actually require the software to do | A vendor sales process typically starts from what the product does, not from what your documented risk methodology requires it to screen and how often — we start from the policy, not the product brochure. | Week 1 |
| 2 | Vendor / Tool Selection Support (where no tool exists) — matching screening and monitoring needs to appropriate options by transaction volume, budget, and list-source coverage | Entities frequently select a tool based on price or a peer recommendation without checking whether its list sources and update frequency actually cover their specific exposure (for example, cross-border customers requiring broader sanctions-list coverage than a single-jurisdiction tool provides). | Week 1–2 |
| 3 | List Source & Screening Cadence Configuration — setting which sanctions, PEP, and adverse-media sources are checked, and how often re-screening runs | Default installs commonly screen only at onboarding with no periodic re-screening scheduled — the single most common gap PNPC finds when reviewing an existing tool. | Week 2 |
| 4 | Transaction-Monitoring Rule & Threshold Calibration (where applicable) — setting alert triggers to the entity's actual transaction sizes and customer profile mix | Generic out-of-the-box thresholds either generate an unmanageable volume of false-positive alerts that staff learn to ignore, or are set so high that genuinely unusual activity never triggers a review. | Week 2–3 |
| 5 | Alert-Triage Workflow Design — defining who reviews an alert, within what timeframe, and how the decision (clear, escalate, or file) is recorded | A tool with no defined triage ownership accumulates an unreviewed alert backlog — the alerts exist, but no one is accountable for actioning them. | Week 3 |
| 6 | Case-Management & Documentation Setup — ensuring every hit, investigation note, and disposition is logged, timestamped, and retrievable | Entities that can show a screening hit occurred but cannot show how it was investigated or resolved face the same inspection outcome as if the screening never ran. | Week 3–4 |
| 7 | goAML Escalation Path Integration — defining the handoff from a confirmed suspicious alert to STR/SAR preparation and submission through the FIU's goAML platform | Software and the goAML reporting obligation are frequently treated as unconnected — the alert sits investigated but with no clear procedural bridge to the actual filing. | Week 4 |
| 8 | Staff Training on the Configured System — training the Compliance Officer and front-line staff on how to use the tool as configured, not the vendor's generic manual | Vendor-provided generic training covers the software's features; it does not cover how your specific risk assessment maps onto your specific configuration — staff need both. | Week 4–5 |
| 9 | Test Run & Calibration Review — running a sample of existing or test customer data through the configured system to confirm outputs are sensible before full go-live | Going live without a test pass risks discovering miscalibration (excessive false positives, or worse, missed genuine hits) only after real customer data has already gone unreviewed. | Week 5 |
| 10 | Go-Live and Documentation Close-Out — configuration document, screening/monitoring policy annex, and training records compiled into the AML programme file | A configured tool with no written record of what was configured and why leaves the next reviewer, or an inspector, unable to verify the setup matches the policy without reverse-engineering the settings. | Week 5–6 |
| 11 | Post-Go-Live Support & Periodic Recalibration — reviewing alert volumes, false-positive rates, and list-source currency after the system has been live for a period, and adjusting thresholds | Thresholds set correctly at launch drift out of calibration as transaction volumes and customer mix change; a system never revisited after go-live degrades quietly over time. | Scheduled review at 60–90 days, then periodic thereafter |
| 12 | VASP-Specific Configuration (Where Virtual-Asset Exposure Exists) — adding wallet and counterparty-VASP screening elements to the core screening and monitoring build | A standard DNFBP screening configuration, applied unchanged to an entity handling virtual-asset transfers, misses wallet-level and counterparty-VASP risk entirely — this layer needs its own explicit configuration decision, not an assumption that core screening already covers it. | Week 5–6, where applicable |
| 13 | Group / Multi-Entity Configuration Alignment (Where Applicable) — reconciling the UAE entity's configuration against any group-wide AML technology standard or shared subscription | A UAE entity configured in isolation from a wider group's AML technology standard can end up either duplicating controls the group already runs centrally, or missing a control the group assumed the local entity had built independently. | Week 5–6, where applicable |
| 14 | Documentation Handover to the Entity's Own Compliance Officer — walking the designated Compliance Officer through the full configuration file so the entity is not dependent on PNPC to interpret its own settings | A configuration built by an external adviser but never properly handed over leaves the entity's own Compliance Officer unable to explain the settings confidently if asked directly during an inspection. | Week 6 |
Realistic timeline for a full sanctions/PEP screening and transaction-monitoring configuration, from requirements review to a documented, staff-trained go-live: roughly 4–6 weeks, depending on whether a tool already exists (reconfiguration) or needs to be selected and onboarded from scratch, and on the complexity of the entity's transaction-monitoring needs. A screening-only setup for a lower-volume DNFBP can move faster; a full transaction-monitoring build for a financial institution or exchange house typically takes longer.
Current AML/CFT risk assessment and written policy — the software configuration must map to what this document already says the entity does
Existing goAML registration confirmation and Compliance Officer / MLRO designation details
Any prior Ministry of Economy, Central Bank, DFSA, FSRA, or VARA inspection findings relating to screening or monitoring gaps
Current screening/monitoring vendor name, subscription tier, and list of sources it screens against
Screening frequency currently configured (onboarding only, or periodic re-screening, and at what interval)
Sample export of recent alerts and how they were resolved, to assess current triage practice
Administrator access or a designated point of contact who can implement configuration changes
Customer base breakdown — individual versus corporate, resident versus non-resident, and approximate volumes in each category
Typical transaction value ranges and frequency, to calibrate monitoring thresholds realistically
Geographic spread of customers and counterparties, including any exposure to higher-risk jurisdictions
Payment and delivery channel details — cash, bank transfer, third-party payment, or virtual assets — since each affects which monitoring rules are relevant
Name and role of the individual(s) who will own day-to-day alert triage under the configured system
Escalation authority — who approves onboarding a flagged higher-risk customer, and who signs off filing an STR/SAR
Existing staff training records relevant to any current screening tool, if applicable
Indicative budget range for subscription and implementation cost
Any procurement or IT security requirements the entity's own policies impose on new software vendors
Data residency or data protection considerations relevant to where customer screening data will be processed and stored
Business risk assessment and customer-risk methodology
AML/CFT policies, procedures and MLRO appointment records
Sanctions/PEP screening settings and evidence
Staff training logs and board/management approvals
VARA or relevant emirate VASP licence and any existing technology-compliance conditions attached to it
Details of blockchain analytics or transaction-traceability tooling already in use, if any, and how it currently connects (or does not connect) to the sanctions/PEP screening layer
Wallet-address screening and counterparty-VASP due-diligence practice currently followed, where applicable
Confirmation of which UAE entities in the group share a single screening/monitoring subscription versus operate independent tools
Any group-level AML policy or technology standard the UAE entity's configuration needs to align with, or deviate from with documented reason
Details of shared or centralised alert-triage resourcing across group entities, if any, and how UAE entity-specific escalation authority is preserved within that structure
| Phase | Triggered By | PNPC Guidance | Risk If Ignored |
|---|---|---|---|
| Requirements & Selection | New DNFBP licence, growth beyond manual-check capacity, or an existing tool review | Match screening and monitoring needs to the entity's documented risk assessment before evaluating vendor options, rather than starting from a product feature list. | A tool selected on price or convenience alone may not cover the list sources or monitoring depth the entity's actual risk profile requires. |
| Configuration & Calibration | Tool selected, or existing tool flagged for reconfiguration | Set list sources, screening cadence, and monitoring thresholds to reflect the written AML policy and the entity's real transaction profile, not vendor defaults. | Default settings commonly under-screen (onboarding-only checks) or generate unmanageable false-positive volumes that staff learn to ignore. |
| Go-Live & Staff Training | Configuration complete and tested | Train the Compliance Officer and relevant staff on the system as configured, and document attendance and content as evidence. | Untrained staff either misuse the tool or bypass it in practice, leaving the documented procedure disconnected from daily operations. |
| Ongoing Alert Triage | Every screening hit or monitoring alert generated | Alerts reviewed and dispositioned within a defined timeframe by an accountable individual, with the decision and reasoning logged. | An unreviewed alert backlog is functionally identical, on inspection, to having no screening system at all. |
| Suspicious Alert Confirmed | Investigation concludes reasonable grounds for suspicion exist | Escalate promptly to STR/SAR preparation and filing through the FIU's goAML platform, maintaining the no-tipping-off discipline throughout. | A confirmed alert that sits uninvestigated or unfiled is a standalone breach of the 'without delay' reporting obligation under the AML/CFT Law. |
| Periodic Recalibration | 60–90 days post-go-live, then on a recurring cycle or after a material change in business activity | Review alert volumes, false-positive rates, and list-source currency; adjust thresholds and list sources so the system tracks the entity's current profile rather than the profile it had at go-live. | Thresholds set once and never revisited drift out of alignment with actual transaction patterns as the business grows or changes. |
| List-Source & Vendor Currency Review | Annual review, vendor contract renewal, or a Cabinet Decision / FIU guidance update affecting screening expectations | Confirm the screening tool's list sources remain current and complete, and that the vendor relationship still matches the entity's needs as it has grown. | A stale list source or an outgrown tool is a recognised inspection finding — 'is this still fit for purpose' is a standard supervisory question. |
| Regulatory Inspection | Scheduled or unannounced supervisory visit | Produce the configuration documentation, alert logs, and training records demonstrating the software operates as the written policy describes. | A mismatch between the documented AML policy and the actual software configuration is treated as evidence the programme is not genuinely operative. |
| System Change or Migration | Vendor discontinuation, contract renewal decision, or a business need for expanded capability | Plan data migration, reconfiguration, and staff retraining so there is no gap in screening or monitoring coverage during the transition. | A poorly planned migration can leave a screening gap during the changeover, exactly when continuity of coverage matters most. |
| VASP-Specific Technology Review | Entity obtains or expands virtual-asset licensing (VARA or another emirate's VASP framework) | Extend the existing screening/monitoring configuration with wallet and counterparty-VASP screening calibrated to the new licence's specific technology expectations. | A screening tool configured only for traditional fiat transactions leaves virtual-asset activity effectively unmonitored, precisely the gap a VASP-focused inspection is designed to find. |
| Group Technology Standard Change | Parent company or group adopts, changes, or centralises its AML technology standard | Reconcile the UAE entity's local configuration against the revised group standard, documenting any UAE-specific deviation and the regulatory reason for it. | An unreconciled local configuration can silently diverge from a group standard the UAE entity is assumed to be following, creating an inconsistency a group-wide audit would flag. |
Configuring screening software before the AML/CFT risk assessment and written policy exist, so the tool has nothing calibrated to configure against and typically ends up running vendor-default settings dressed up as a bespoke build
Treating goAML portal registration and AML software setup as the same task — registration opens the reporting channel; software setup is the detection layer that feeds it, and completing one without the other leaves a real gap
Selecting a vendor based on price or a peer recommendation before confirming the tool's list-source coverage actually matches the entity's cross-border customer exposure
Leaving screening at onboarding-only with no periodic re-screening cadence configured, so a customer who was clean at onboarding is never re-checked against later sanctions-list updates
Copying transaction-monitoring thresholds from a vendor's generic template rather than calibrating them to the entity's actual transaction sizes, producing either an unmanageable false-positive queue or a threshold set so high genuine anomalies never trigger a review
Applying the same screening depth uniformly across all customers regardless of the entity's own documented risk tiers, rather than reserving enhanced screening frequency for higher-risk relationships
Generating alerts with no named owner or defined triage timeframe, so alerts accumulate in a queue nobody is accountable for actioning
Failing to log the investigation and disposition behind a cleared screening hit, leaving no evidence the hit was ever reviewed rather than simply ignored
Never revisiting the configuration after go-live, so thresholds and list sources drift out of alignment with the entity's growing transaction volumes and changing customer mix
Does UAE AML law require us to use a specific software product?
No. Federal Decree-Law No. 20 of 2018 and its Cabinet Decision implementing regulations are technology-neutral — they require that screening, monitoring, and record-keeping obligations are actually met, not that a specific vendor's product is used. In practice, meeting those obligations consistently and at scale is very difficult without software once an entity has more than a handful of customers, but the choice of tool is the entity's own, subject to it actually covering the entity's risk profile.
We already have a screening subscription — why would we need a setup engagement?
Having a subscription and having a correctly configured tool are different things. The most common gap PNPC finds when reviewing an existing screening tool is that it only checks at onboarding with no periodic re-screening scheduled, or that its thresholds were left at generic vendor defaults never calibrated to the entity's actual customer base and transaction sizes. A setup or reconfiguration engagement reviews what the tool is actually doing against what your written AML policy says it should be doing.
What is the difference between sanctions screening and transaction monitoring?
Sanctions and PEP screening checks a customer's or counterparty's identity against reference lists — the UN Consolidated Sanctions List, the UAE Local Terrorist List, and PEP databases — typically at onboarding and periodically thereafter, to confirm you are not dealing with a designated or high-risk individual. Transaction monitoring is a separate, ongoing function that watches the pattern of a customer's actual activity — transaction size, frequency, and structuring — against their expected profile, to flag behaviour inconsistent with what was expected at onboarding, regardless of whether the customer's identity screens clean.
How often should sanctions and PEP screening actually run?
At minimum, screening should run at onboarding and then on a periodic re-screening cycle thereafter, since sanctions and PEP designations change and a name that was clean at onboarding can be listed later. The appropriate cadence depends on the entity's risk assessment — higher-risk customer categories may warrant more frequent re-screening than lower-risk ones — but onboarding-only screening with no ongoing cycle is a recognised gap.
Do smaller DNFBPs with few customers really need transaction-monitoring software, or is screening enough?
It depends on the entity's activity and risk profile rather than headcount alone. A corporate service provider with a modest customer base may reasonably rely on sanctions/PEP screening plus manual review of the limited transaction volume it actually sees, while a financial institution, exchange house, or high-volume DNFBP handling client funds typically needs configured transaction-monitoring rules because manual review of volume at that scale is not realistically consistent. PNPC scopes this based on the entity's documented risk assessment, not a fixed rule.
What happens to a screening hit once it is generated — does the software resolve it automatically?
No. Screening and monitoring software generates alerts — potential matches or unusual patterns — but a human, typically the Compliance Officer or a delegated reviewer, must investigate each alert, determine whether it is a genuine match or a false positive, and record the disposition. Software flags; it does not decide. The investigation and documented decision are what a supervisory authority actually reviews.
How do we avoid being overwhelmed by false-positive alerts?
False-positive volume is usually a calibration problem, not an inherent feature of screening software — overly broad name-matching thresholds, screening against irrelevant list categories, or monitoring rules set without reference to actual transaction sizes all inflate false positives. Proper calibration to the entity's real customer base and transaction profile, combined with periodic recalibration as volumes and patterns change, keeps the alert queue manageable enough that genuine reviews actually happen.
Does the software file the Suspicious Transaction Report (STR) for us?
No. Screening and monitoring software identifies and helps investigate potential concerns, but the actual STR or SAR filing is submitted through the FIU's goAML platform by the entity's designated Compliance Officer, based on a human judgement that reasonable grounds for suspicion exist. PNPC configures the internal workflow so that a confirmed suspicious alert has a clear, documented path to goAML filing, but the filing decision and submission remain the Compliance Officer's responsibility.
What list sources should our screening tool cover at a minimum?
At minimum, the UN Security Council Consolidated Sanctions List and the UAE Local Terrorist List. Depending on the entity's cross-border customer or transaction exposure, additional coverage of other major international sanctions regimes may form part of a properly risk-calibrated setup. The right combination depends on the entity's actual customer geography, not a fixed universal list.
Can PNPC recommend a specific screening or monitoring vendor?
PNPC advises on selection criteria — list-source coverage, screening cadence capability, monitoring rule flexibility, case-management and audit-trail functionality, and cost proportionate to the entity's volume — and can coordinate with vendors during implementation, but final vendor selection and contracting is the entity's own commercial decision. We are not a technology reseller and do not receive vendor commissions on any recommendation.
How does the software configuration connect to our written AML policy?
The written AML/CFT policy states, in narrative form, what screening and monitoring the entity performs, at what frequency, and how alerts are escalated. The software configuration is the technical implementation of that same narrative. When the two are built together, an inspector reviewing the policy document and then testing the actual system finds them consistent; when they are built separately — often because the policy was drafted by one adviser and the software configured independently, or years apart — the mismatch is a recurring and easily identified inspection finding.
What documentation should we retain specifically around the software setup?
Keep a configuration record describing which list sources are active, the screening cadence, the transaction-monitoring rules and thresholds applied and why, staff training records on the configured system, and a sample of alert investigation logs demonstrating the triage workflow in practice. This sits alongside, and should cross-reference, the broader AML risk assessment and policy documentation.
How often should the software configuration be reviewed and recalibrated?
PNPC recommends an initial review at 60–90 days post-go-live to catch early miscalibration (excessive false positives or an unexpectedly quiet alert queue), followed by at least an annual review aligned with the broader AML/CFT risk assessment refresh, and an ad hoc review whenever there is a material change in transaction volume, customer mix, or applicable list-source guidance.
Is a spreadsheet-based manual screening process ever acceptable instead of software?
For a genuinely very small entity with a small, stable, low-risk customer base, a documented manual process can be defensible if it is actually followed consistently, evidenced, and re-run at an appropriate cadence — the law does not mandate software specifically. In practice, manual processes degrade quickly as volume grows or staff turn over, and the evidentiary burden of proving consistent manual checks were performed is harder to satisfy on inspection than a system-generated log.
Does PNPC provide the software itself, or only the configuration and advisory work?
PNPC's engagement is the advisory, selection-support, and configuration work — assessing needs, advising on vendor options, calibrating settings to the entity's risk profile, designing the alert-triage and goAML escalation workflow, and training staff. The software subscription itself is contracted directly between the entity and the chosen vendor; PNPC is not the software provider.
Does a DIFC or ADGM entity need a different AML software configuration than a mainland or general-free-zone entity?
The core technology substance is the same — reliable screening, proportionate monitoring, a retrievable audit trail — but the documentation has to speak the right supervisor's language. A DIFC entity is supervised by the DFSA and an ADGM entity by the FSRA, each with its own AML rulebook layered on top of the federal AML/CFT Law, while a mainland or general-free-zone (JAFZA, DMCC, RAKEZ, IFZA, and similar) DNFBP is supervised by the Ministry of Economy under the same federal law. The configuration file's language and cross-referencing should track whichever rulebook actually governs the entity.
Does a Virtual Asset Service Provider need different screening technology than a standard DNFBP?
Generally yes. Beyond standard sanctions, PEP, and adverse-media screening of customers and beneficial owners, a VASP typically needs wallet-address and counterparty-VASP screening capability so that virtual-asset transfers are assessed for sanctions exposure and jurisdictional risk before they proceed, not just the identity of the account holder at onboarding.
If we switch AML software vendors mid-year, do we lose our historical alert and screening history?
Not necessarily, but it has to be planned rather than assumed. Most vendors allow export of historical screening and alert records, but the format, completeness, and ease of migrating that history into a new system's case-management module varies considerably by vendor. A migration undertaken without a data-continuity plan risks a visible gap in the audit trail exactly where an inspector might later ask to see it.
Can one screening subscription cover multiple UAE entities in the same group?
It can, depending on the vendor's licensing terms, but a shared subscription does not remove the need for each entity to have its own accountable alert-triage arrangement and its own documented configuration decisions. A group sharing a tool centrally still needs each UAE entity's Compliance Officer to retain real triage authority and a clear, entity-specific record of how alerts touching that entity were handled.
What should we do when a screening hit turns out to be a common-name false positive?
Investigate it, record the reasoning that distinguishes the customer from the listed match (date of birth, nationality, additional identifiers), and log the disposition as cleared with the supporting rationale — the same as any genuine hit. A false positive that is dismissed without a documented investigation trail looks, on inspection, identical to a hit that was never reviewed at all.
Does the AML software need to integrate with our accounting or CRM system?
Integration is not a legal requirement — a standalone screening and monitoring tool with its own case-management module can satisfy the underlying obligations on its own. Where it is available and affordable, integration with a CRM or accounting platform reduces manual re-entry and the risk that a customer added in one system is never mirrored into the screening tool, but a well-run standalone process is a legitimate and common setup, particularly for smaller entities.
Should the AML/CFT risk assessment be finished before software configuration starts, or can they run in parallel?
The risk assessment should exist, at least in substantially complete draft form, before final calibration of screening cadence and monitoring thresholds, because those settings are supposed to reflect the risk assessment's conclusions rather than the other way around. Requirements-gathering and vendor selection can reasonably run in parallel with the final stages of the risk assessment, but the calibration step itself should follow, not precede, a settled risk methodology.
Our screening tool is flagging an unusually high volume of PEP matches against a common local surname — is that normal?
It can be, particularly where PEP reference databases match on name similarity rather than a full identity profile, and a common surname within a limited PEP-relevant population generates a high raw match rate. This is a calibration and disambiguation issue — refining the matching logic and adding secondary identifiers (nationality, date of birth, known role) to the review process reduces the noise without weakening genuine PEP detection.
If our transaction volumes are genuinely small, is a paid transaction-monitoring module worth the added cost?
It depends on the entity's actual activity and risk profile rather than volume alone — a lower-volume DNFBP with straightforward, low-risk transactions may reasonably rely on sanctions/PEP screening plus manual review of the limited activity it sees, while an entity handling client funds, cash-intensive transactions, or cross-border payments may need configured monitoring even at modest volumes because the risk profile, not the headcount, is what drives the requirement.
How do we prove to an inspector that periodic re-screening actually ran, rather than just being configured to run?
The screening tool's own system logs — timestamped records of each screening run, the list sources checked, and the outcome — are the evidence. A configuration setting showing re-screening is scheduled is not, on its own, proof it executed; the run log for the relevant period is what an inspector actually wants to see.
Can we configure the screening software ourselves using the vendor's manual, without PNPC's involvement?
Mechanically, most vendors provide a setup manual that a reasonably technical staff member can follow to switch settings on. What that manual does not provide is the calibration decisions — which list sources your specific exposure actually requires, what re-screening cadence your risk tiers justify, what thresholds fit your real transaction sizes — which come from the entity's own risk assessment and policy, not the vendor's documentation.
If the FTA raises a query during a Corporate Tax audit, does our AML software configuration become relevant?
Generally no, directly — Corporate Tax under Federal Decree-Law No. 47 of 2022 and AML/CFT under Federal Decree-Law No. 20 of 2018 are separate regimes administered by different authorities (the Federal Tax Authority and the Ministry of Economy/Central Bank/FIU respectively), and an FTA audit does not typically examine AML screening configuration. Where an entity's underlying transaction records are relevant to both a tax audit and an AML review, keeping consistent, well-organised records across both functions avoids inconsistencies surfacing awkwardly if both are ever reviewed close together.
Is there a UAE government-mandated or approved list of AML screening software vendors?
No. UAE AML/CFT law is technology-neutral and does not maintain an approved-vendor list or certify specific screening products. The obligation is that screening, monitoring, and record-keeping actually happen at an appropriate standard — the entity chooses the tool that achieves that, subject to it genuinely covering the entity's risk profile.
Do we need to screen a walk-in or one-off customer who will never become an ongoing relationship?
Yes, where that single transaction is itself a specified activity that brings CDD and screening obligations into play — for example, a one-off high-value real estate transaction or precious-metals sale above the relevant threshold. The screening obligation attaches to the transaction and the customer's identity at that point, not to whether the relationship continues afterward.
If we upgrade our screening tool but our AML policy hasn't changed, do staff still need retraining?
Yes. Even where the underlying policy and risk methodology remain the same, a new tool typically changes the screen layout, the alert workflow, and how staff record a disposition — all of which affect how consistently and correctly the policy is actually executed day to day. Training on the system as configured, not just the policy in the abstract, is what makes the two line up in practice.
What is the risk if two staff members handle similar alerts inconsistently on the same tool?
Inconsistent disposition of similar alerts is itself a recognised inspection finding — it suggests the triage workflow is not genuinely following a documented standard but instead depends on whoever happens to review a given alert. A defined triage procedure, with clear criteria for what counts as cleared versus escalated, reduces this variation and gives the entity a consistent, defensible standard to point to.
Should adverse-media screening cover only the customer, or also the directors and beneficial owners of a corporate customer?
For a properly risk-calibrated setup, adverse-media and sanctions/PEP screening should extend to the beneficial owners and, for higher-risk relationships, key directors and controllers of a corporate customer — not just the corporate entity's registered name. Screening only the company name while ignoring the individuals who actually control it misses exactly the risk the underlying due-diligence obligation is designed to catch.
Can our AML screening software also help satisfy Economic Substance Regulations or Corporate Tax record-keeping requirements?
No, they are unrelated obligations. Economic Substance Regulations notification and reporting was discontinued for financial years starting on or after 1 June 2023 under Cabinet Decision No. 98 of 2024, and Corporate Tax record-keeping under Federal Decree-Law No. 47 of 2022 is a separate FTA-administered requirement covering financial and tax records. AML screening software addresses sanctions, PEP, and transaction-monitoring obligations under the AML/CFT Law specifically and does not substitute for either.
We inherited a screening tool from an acquired company — what should we check first?
Confirm the current list-source coverage and whether it matches the combined entity's actual exposure, the screening cadence actually configured (not just what the vendor's default settings claim), the history of alerts and how they were dispositioned, and whether the Compliance Officer registered on the tool is still the correct, active individual post-acquisition. An inherited configuration built for a different risk profile is a common source of undetected gaps after a deal closes.
What happens if our vendor discontinues support for the screening tool we currently use?
Plan the migration to a new tool before support actually ends, with a clear timeline for data continuity and staff retraining, so there is no gap in screening or monitoring coverage during the changeover. Continuing to run an unsupported tool past its discontinuation risks stale list sources and unpatched issues that a supported product would not have.
How do we decide the right balance between false positives and the risk of missing a genuine hit when calibrating thresholds?
There is no fixed formula — calibration is a risk-based judgement that should err toward catching genuine risk while keeping the alert queue manageable enough that staff can genuinely review every alert rather than clearing them in bulk out of volume fatigue. A threshold set purely to minimise false positives risks missing genuine anomalies; one set purely to maximise sensitivity risks an unmanageable queue that degrades review quality across the board.
Does a general free zone company (JAFZA, DMCC, RAKEZ, IFZA, and similar) face different AML software expectations than a mainland company?
No — these are Ministry of Economy-supervised free zones for AML/CFT purposes, not separate financial-services free zones with their own AML rulebook the way DIFC and ADGM are. A DNFBP licensed in JAFZA or DMCC sits under the same federal AML/CFT Law and the same Ministry of Economy supervision as a mainland entity, so its screening and monitoring configuration expectations track the mainland approach rather than a free-zone-specific variant.
If our Compliance Officer changes roles, does the screening software configuration need to change?
The configuration itself does not need to change on a Compliance Officer transition, but the tool's administrator access, alert-notification routing, and any named-owner fields in the triage workflow do need to be updated promptly so the new Compliance Officer has genuine, active control of the system rather than a predecessor's access lingering unused or, worse, still receiving alerts nobody is monitoring.
PNPC-configured AML software vs a default vendor install
| Dimension | Default Vendor Install | PNPC Engagement |
|---|---|---|
| Starting point | Product feature list and vendor sales demo | The entity's own written AML risk assessment and policy |
| List-source coverage | Whatever the default subscription tier includes | Matched specifically to the entity's actual cross-border customer exposure |
| Screening cadence | Often onboarding-only by default | Periodic re-screening cadence set and diarised |
| Monitoring thresholds | Generic out-of-the-box settings | Calibrated to the entity's real transaction sizes and customer mix |
| Alert triage ownership | Undefined — alerts accumulate unreviewed | Named owner, defined timeframe, and logged disposition for every alert |
| Connection to written policy | Configured independently of any AML policy document | Built to match the entity's documented risk assessment and policy line for line |
| goAML escalation path | Not defined — alert investigation and STR filing are disconnected | Documented handoff from confirmed alert to STR/SAR preparation and filing |
| Post-launch review | Rarely revisited after initial setup | Scheduled 60–90 day review, then annual recalibration tied to the risk-assessment refresh |
| VASP / virtual-asset technology scope | Not considered unless specifically requested | Assessed explicitly where the entity's licence or activity brings virtual-asset exposure into scope |
| Group / multi-entity alignment | Configured entity by entity with no cross-check | Reconciled against any group-wide AML technology standard, with deviations documented and justified |
| Staff handover | Configuration knowledge stays with the vendor's implementation team | Configuration walked through with the entity's own Compliance Officer so the entity is not dependent on an outside party to explain its own settings |
- 01
Requirements review against the entity's existing AML/CFT risk assessment and written policy
- 02
Vendor-neutral selection support for sanctions/PEP screening and, where relevant, transaction-monitoring tools
- 03
List-source configuration covering the UN Consolidated Sanctions List, UAE Local Terrorist List, and other relevant sources
- 04
Screening-cadence setup including periodic re-screening, not just onboarding-only checks
- 05
Transaction-monitoring rule and threshold calibration matched to actual transaction sizes and customer mix, where applicable
- 06
Alert-triage workflow design with a named owner, review timeframe, and documented disposition process
- 07
Case-management and audit-trail configuration so every hit and its resolution is logged and retrievable
- 08
goAML escalation-path design connecting confirmed alerts to STR/SAR preparation and filing
- 09
Staff training on the system as configured, with attendance and content records maintained
- 10
Test-run and calibration review before full go-live
- 11
60–90 day post-go-live review and adjustment of thresholds and list sources
- 12
Annual recalibration aligned with the broader AML/CFT risk-assessment refresh
- 13
Configuration documentation compiled into the entity's AML programme file for inspection readiness
- 14
Coordination with the entity's Compliance Officer / MLRO on live alert triage responsibilities
- 15
Support reconfiguring an existing screening or monitoring tool found to be misaligned with the written AML policy
- 16
VASP-specific wallet and counterparty-VASP screening configuration, where virtual-asset exposure brings this into scope
- 17
Group-technology-standard reconciliation for UAE entities operating inside a wider multi-entity or international group structure
Get your AML screening and monitoring software configured to match your actual risk profile, not the vendor's defaults — talk to PNPC's Dubai compliance team.
Jurisdiction
Free zone, mainland & offshore
Ready to get started?
Tell us about your requirement — a UAE specialist responds within 24 hours.