

AML/CFT Law No. 20 of 2021 (Qatar)
What is Qatar's AML/CFT Law No. 20 of 2021?
Law No. (20) of 2021 is Qatar's primary anti-money-laundering and counter-terrorist-financing statute. It replaced the earlier Law No. (20) of 2019 following Qatar's FATF Mutual Evaluation, refining the statutory framework to address evaluation findings and align Qatar more closely with the FATF 40 Recommendations. The law criminalises money laundering, terrorism financing, and the financing of weapons of mass destruction proliferation; defines obliged-entity categories; establishes customer due diligence, beneficial-ownership, recordkeeping, and reporting obligations; and creates the supervisory architecture for enforcement.
The law is the apex of Qatar's onshore AML/CFT framework. It is enforced through the Qatar Financial Information Unit (QFIU) in coordination with the Qatar Central Bank, the Ministry of Commerce and Industry, and other sectoral regulators. The Qatar Financial Centre (QFC) operates a parallel but aligned AML/CFT regime under its own rulebook, and the Qatar Financial Markets Authority (QFMA) supervises capital-markets firms.
Why the law matters
Qatar's 2021 update was driven by FATF-aligned reform priorities. The earlier Law No. 20 of 2019 had already brought the regime broadly in line with FATF standards; the 2021 law tightened beneficial-ownership transparency, expanded the perimeter to include virtual asset service providers (VASPs) more explicitly, strengthened the powers of the QFIU, and refined the penalty regime. For any institution operating in Qatar — onshore, in the QFC, or as a foreign counterparty serving Qatari customers — Law No. 20 of 2021 is the legal baseline against which all sectoral guidance and enforcement actions are measured.
Who must comply
The law applies to a broad set of obliged entities across the Qatari financial system and beyond. Financial Institutions include banks, finance companies, exchange houses, money services businesses, payment service providers, insurers and reinsurers, brokers, asset managers, investment firms, and licensed virtual asset service providers. Designated Non-Financial Businesses and Professions (DNFBPs) include real-estate brokers and agents, dealers in precious metals and stones, lawyers and other independent legal professionals, accountants and auditors, and trust and corporate service providers. The law applies onshore through the QCB, MOCI, and QFMA, and is mirrored by the QFC AML rulebook for QFC-licensed firms.
Core obligations
The law mandates a risk-based AML/CFT framework for every obliged entity. A documented business-wide risk assessment must identify ML, TF, and proliferation-financing risks across customers, products, services, geographies, and delivery channels, and must drive the depth of customer due diligence, transaction monitoring, training, and independent testing applied across the business.
Know Your Customer (KYC) checks must be applied before establishing the business relationship — verifying customer identity using reliable, independent sources, identifying beneficial owners (typically the natural person owning or controlling 25% or more of a legal entity), and understanding the nature and purpose of the relationship. Enhanced Due Diligence applies in higher-risk situations: politically exposed persons, customers from FATF-listed high-risk jurisdictions, complex ownership structures, and unusually large or unexplained transactions. Sanctions screening is mandatory at onboarding and on an ongoing basis, covering UN Security Council lists, Qatar's national lists, and other applicable lists, with positive matches frozen without delay. Transaction monitoring must be calibrated to the entity's risk profile, and any suspicion of money laundering or terrorist financing must be escalated to the MLRO and reported to the QFIU through Suspicious Transaction Reports. Records must be retained for at least five years from the end of the customer relationship or completion of the transaction, and ongoing AML/CFT training must be delivered to staff in proportion to their role. Many Qatari obliged entities operationalise these checks through a unified AML screening platform that combines sanctions, PEP, and adverse-media coverage with continuous monitoring.
MLRO and Compliance Officer requirements
Every obliged entity must appoint a Compliance Officer / Money Laundering Reporting Officer (MLRO) of sufficient seniority to act independently of commercial functions, with direct access to senior management and the governing body. The MLRO must have the authority to file Suspicious Transaction Reports without management approval, and the entity must designate a Deputy MLRO for continuity. The MLRO is responsible for the entity's AML/CFT framework, STR escalations, training oversight, and an annual report to senior management on the operation and effectiveness of the framework.
Suspicious transaction reporting to the QFIU
When an obliged entity knows, suspects, or has reasonable grounds to suspect money laundering, terrorism financing, or a predicate offence, the MLRO must file a Suspicious Transaction Report (STR) with the Qatar Financial Information Unit (QFIU) as soon as practicable. The law imposes strict tipping-off prohibitions — disclosing the existence or content of an STR to the customer or any unauthorised third party is a separate offence punishable by imprisonment and significant fines. The QFIU also receives funds-freeze reports under Qatar's Targeted Financial Sanctions framework and may request additional information from the obliged entity in connection with any filing.
Beneficial ownership and transparency
Law No. 20 of 2021 reinforces beneficial-ownership transparency, requiring obliged entities to identify any natural person who ultimately owns or controls 25% or more of a legal-entity customer (or otherwise exercises control), and to verify their identity on a risk-based basis. The law operates alongside Qatar's broader corporate-transparency framework, which requires Qatari legal entities to maintain accurate beneficial-ownership records and submit them to the relevant authority. Inconsistencies between the entity-level beneficial-ownership data and the customer's declared ownership must be addressed during CDD.
How the 2021 law differs from Law No. 20 of 2019
The 2021 law is best understood as a refinement of the 2019 law rather than a replacement of its architecture. Both establish the same core architecture — obliged-entity coverage, risk-based approach, CDD, EDD, beneficial ownership, sanctions, transaction monitoring, STR filing, recordkeeping, MLRO appointment, and training. The 2021 update tightened beneficial-ownership requirements, more explicitly covered virtual asset service providers and crypto-asset activity, refined the powers and procedures of the QFIU, expanded the penalty schedule, and addressed FATF Mutual Evaluation findings on effectiveness. Institutions that had built their compliance frameworks around the 2019 law generally needed to refresh policies, beneficial-ownership procedures, and VASP-related controls — but the foundational architecture remained consistent.
Enforcement and penalties
Penalties under Law No. 20 of 2021 are graduated and depend on the nature and severity of the breach. Administrative penalties imposed by sectoral supervisors range from formal warnings and corrective orders to fines that can reach several million Qatari riyals per breach for serious or repeat violations. Supervisors can also restrict licensed activities, suspend new product approvals, mandate independent third-party reviews, and ultimately revoke licences. Senior managers can be sanctioned individually, and serious cases can result in criminal prosecution under the law itself, with potential imprisonment for the principal money-laundering offence.
Key Obligations
Business-wide risk assessment — document ML/TF/PF risks across customers, products, services, geographies, and channels.
Customer Due Diligence (CDD) — verify identity from independent sources before the relationship begins; identify beneficial owners at the 25% threshold.
Enhanced Due Diligence (EDD) — apply to PEPs, customers from FATF high-risk jurisdictions, complex ownership structures, and unusual transactions.
Sanctions screening — screen against UN, Qatar national, and other applicable lists at onboarding and on an ongoing basis; freeze positive matches without delay.
Transaction monitoring — calibrate scenarios to the entity's risk profile; detect activity inconsistent with the customer's declared profile.
STR filing with the QFIU — file Suspicious Transaction Reports as soon as practicable; tipping off the customer or unauthorised third parties is prohibited.
MLRO and Deputy MLRO — appoint a senior, independent MLRO with authority to file STRs without management approval; designate a Deputy for continuity.
Recordkeeping and training — retain records for at least five years from end of relationship or transaction; deliver ongoing role-appropriate AML/CFT training.
Manual Details
| Issued by | State of Qatar |
|---|---|
| Citation | Law No. (20) of 2021 on Combating Money Laundering and Terrorism Financing |
| Enacted | 2021 (replaced Law No. 20 of 2019) |
| Implementing regulations | Council of Ministers' decisions and supervisor-issued guidance |
| Jurisdiction | State of Qatar (federal — applies onshore and to QFC firms via aligned QFC AML regime) |
| Applies to | Banks, insurers, money services businesses, virtual asset providers, real estate companies, lawyers, accountants, and other obliged entities |
| Category | AML/CFT — primary statutory framework |
FAQ
What is Qatar's AML/CFT Law No. 20 of 2021?
Law No. (20) of 2021 is Qatar's primary anti-money-laundering and counter-terrorist-financing statute. It replaced Law No. 20 of 2019 following Qatar's FATF Mutual Evaluation, refining the statutory framework, tightening beneficial-ownership rules, addressing virtual asset service providers, and aligning more closely with the FATF 40 Recommendations.
Who must comply with the law?
The law applies to all Qatari obliged entities — financial institutions (banks, finance companies, exchange houses, payment providers, insurers, brokers, asset managers, virtual asset service providers) and DNFBPs (real-estate brokers, dealers in precious metals and stones, lawyers, accountants, auditors, trust and corporate service providers). It applies onshore and is mirrored by the QFC AML rulebook for QFC-licensed firms.
What are the key obligations under the law?
A risk-based AML/CFT framework anchored in a business risk assessment; CDD and EDD; beneficial-ownership identification at the 25% threshold; sanctions screening with positive matches frozen without delay; transaction monitoring calibrated to risk; STR filing with the QFIU; recordkeeping for at least five years; appointment of an MLRO and Deputy MLRO; and ongoing role-appropriate AML/CFT training.
What is the role of the QFIU under Law No. 20 of 2021?
The Qatar Financial Information Unit (QFIU) is the country's Financial Intelligence Unit, responsible for receiving Suspicious Transaction Reports, funds-freeze reports, and other AML/CFT filings; analysing the intelligence; and disseminating it to law enforcement and other authorities. The QFIU coordinates with the Qatar Central Bank, the Ministry of Commerce and Industry, and other sectoral regulators in supervising obliged entities.
How does Law No. 20 of 2021 differ from the 2019 law?
The 2021 law refined the 2019 framework rather than replacing its architecture. It tightened beneficial-ownership transparency, more explicitly covered virtual asset service providers and crypto-asset activity, refined QFIU powers and procedures, expanded the penalty schedule, and addressed FATF Mutual Evaluation findings on programme effectiveness.