CBUAE AML Payments Guidance

What is the CBUAE AML Payments Guidance?

The CBUAE AML Payments Guidance is the sector-specific anti-money-laundering and counter-terrorist-financing guidance issued by the Central Bank of the United Arab Emirates to banks, payment service providers, exchange houses, fintechs, and other licensed entities involved in domestic and cross-border payments. It complements the broader UAE federal AML/CFT framework — anchored in Federal Decree-Law No. (20) of 2018 and Cabinet Decision No. 10 of 2019 — by translating those statutory obligations into operational expectations for the payments ecosystem.

The guidance is non-statutory but supervisory: the CBUAE uses it as the benchmark against which it assesses regulated entities during inspection and as the reference point in enforcement actions. For licensees, alignment with the guidance is effectively a compliance obligation, and material gaps consistently surface as findings, fines, or restrictions on cross-border activity.

Why the guidance matters

The UAE has placed payments at the centre of its post-FATF-grey-list reform programme. Cross-border payment flows, exchange-house remittance corridors, and the rapid growth of fintech-issued wallets and stored-value instruments all create concentrated AML risk that generic banking rules do not fully address. The CBUAE Payments Guidance fills that gap: it sets out how a payments-focused entity should operationalise CDD, sanctions screening, transaction monitoring, recordkeeping, and STR reporting in ways that reflect the realities of high-velocity, low-friction payment products. CBUAE enforcement activity in this sector has grown sharply since the guidance was issued, with multiple multi-million-dirham fines against banks and exchange houses for monitoring and screening failures.

Who must comply

The guidance applies to all CBUAE-licensed entities engaged in payment activity, including national and foreign banks, finance companies, exchange houses, money services businesses, payment service providers (Retail Payment Services and Card Schemes Regulation), stored-value facility operators, and licensed fintechs offering payment products. The guidance does not directly bind DFSA-licensed firms in the DIFC or FSRA-licensed firms in ADGM — those entities are governed by their own free-zone rulebooks — but the substantive expectations are closely aligned, and groups operating across onshore and free-zone perimeters typically apply the highest applicable standard.

Core obligations

Every covered entity must operate a risk-based AML/CFT framework tailored to the specific characteristics of its payment products, customer segments, and corridors. The framework should be anchored in a documented Business Risk Assessment that explicitly considers product risk (low-friction wallets, real-time domestic transfers, cross-border remittance), customer risk (PEPs, high-risk jurisdictions, money-service-business counterparties), corridor risk (sanctioned or grey-listed corridors, FATF high-risk third countries), and channel risk (agent networks, online onboarding, third-party introducers).

CDD must be applied before establishing the business relationship and before processing any non-trivial payment, with EDD applied to higher-risk customers, PEPs, and exposures to high-risk jurisdictions. Beneficial-ownership identification follows the federal 25% threshold with senior-management approval for higher-risk relationships. Real-time and ongoing sanctions screening must cover UN Security Council lists, the UAE Cabinet Local Terrorist List, and any other applicable lists, with positive matches frozen without delay and reported. Transaction monitoring must be calibrated to payment-specific typologies — structuring across multiple wallets, mule networks, corridor-specific layering, money-service-business consolidation patterns — and tuned regularly (see our primer on transaction monitoring in AML). Suspicious activity must be escalated to the MLRO and reported to the UAE FIU through goAML; many CBUAE-licensed entities run a unified transaction monitoring platform alongside AML screening.

Records must be retained for at least five years from the end of the customer relationship or completion of the transaction, and ongoing AML/CFT training must be delivered to staff in proportion to their role.

Specific expectations for cross-border payments

Cross-border payment flows — including UAE bank account verification at onboarding — attract particularly close CBUAE attention. The guidance reinforces FATF Recommendation 16 (the Travel Rule) — both originator and beneficiary information must accompany cross-border transfers, with defensive measures applied where information is missing or inadequate. Correspondent-banking and money-service-business relationships require enhanced due diligence at onboarding and recurring review, with documented assessment of the counterparty's AML/CFT controls. Corridor-level risk assessment is expected to drive monitoring rules — high-risk corridors should produce more granular monitoring and faster STR turnaround. Many UAE entities deploy unified AML screening across customers, beneficiaries, and counterparties to satisfy these layered expectations in a single workflow. The CBUAE registration and onboarding process for AML compliance outlines the licensing-stage requirements that precede day-to-day supervisory expectations.

Sanctions screening and targeted financial sanctions

The guidance reinforces obligations under the UAE's Targeted Financial Sanctions framework. Payments licensees must screen all customers, beneficial owners, and transaction counterparties at onboarding, periodically thereafter, and immediately upon list updates. Positive matches against UN or UAE Cabinet lists must be frozen without delay, with no funds transferred and no notification to the customer beyond what is permitted. Reports must be filed with the UAE Executive Office for Control and Non-Proliferation, and the freeze documented through the appropriate goAML report type. Late freezes, mis-dispositioned matches, and pattern-of-screening failures are among the most heavily penalised areas in CBUAE enforcement. For screening-architecture detail, see our sanctions screening AML guide.

Suspicious transaction reporting

When a covered entity knows, suspects, or has reasonable grounds to suspect money laundering, terrorist financing, or a predicate offence, the MLRO must file a Suspicious Transaction Report (STR) with the UAE FIU through goAML as soon as practicable. The guidance reinforces strict tipping-off prohibitions — the existence and content of an STR must not be disclosed to the customer or any unauthorised third party. Where transactions involve cross-border payments to or from high-risk jurisdictions, the guidance also points to specific report types (such as Funds Freeze Reports for sanctions matches and High-Risk Country Reports where applicable).

Internal controls and governance

The guidance places clear governance expectations on senior management. A UAE-resident MLRO must be appointed with sufficient seniority and independence to file STRs without management approval, with a Deputy MLRO for continuity. Internal audit must independently test the AML/CFT programme on a risk-based cycle. The board or its designated committee must receive regular AML/CFT reporting and approve material changes to the framework. For groups operating across multiple licences (CBUAE plus DFSA or FSRA), the guidance expects coherent group-level governance with clearly defined accountabilities at each licensed entity.

Enforcement and penalties

Failure to comply with the guidance — particularly weaknesses in screening, transaction monitoring, STR reporting, and recordkeeping — can result in administrative fines from the CBUAE under the federal AML penalty framework. Fines for individual breaches in the payments sector frequently exceed AED 1 million, with materially higher penalties for systemic failures or repeat offences. The CBUAE can also restrict licensed activities, freeze new product approvals, require independent third-party reviews, and ultimately revoke licences. Senior managers can be sanctioned individually, and in serious cases criminal liability can follow under federal AML law.