UAE goAML Reporting Platform

What is the UAE goAML Platform?

The UAE goAML Reporting Platform is the official web-based system through which financial institutions and DNFBPs in the United Arab Emirates submit suspicious activity, suspicious transaction, and other AML/CFT regulatory reports to the UAE Financial Intelligence Unit (FIU). The platform itself was developed by the United Nations Office on Drugs and Crime (UNODC) and is used by FIUs in more than 60 jurisdictions worldwide; the UAE adopted it as its national reporting system to centralise AML intelligence, accelerate analysis, and support cross-border cooperation between FIUs.

For UAE-regulated entities, registration on goAML is mandatory, not optional. The platform is the single channel for filing Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), and other prescribed reports under the UAE Federal Decree-Law No. (20) of 2018. Non-registration — or late, incomplete, or rejected filings — exposes the entity to administrative fines and regulatory action. For the broader compliance-architecture view, see our AML compliance complete guide.

Why goAML matters

goAML is the operational backbone of the UAE's AML/CFT supervisory model. It standardises reporting formats across thousands of regulated entities, enables the FIU to triage and analyse intelligence at scale, and feeds enforcement actions taken by the Central Bank of the UAE, the FSRA (ADGM), the DFSA (DIFC), the Securities and Commodities Authority, the Ministry of Economy (for DNFBPs), and the UAE Public Prosecution. The data submitted through goAML directly shapes the supervisory profile of the reporting entity — light, late, or low-quality reporting is itself a red flag and a frequent driver of inspection.

Who must register and report on goAML

The goAML obligation reaches every category of regulated entity in the UAE. Within financial institutions, this includes onshore banks, exchange houses, finance companies, insurance and reinsurance firms, payment service providers, stored-value facility operators, brokers, asset managers, and investment firms — together with DIFC- and ADGM-licensed Authorised Persons supervised by the DFSA and FSRA respectively. Within DNFBPs, the rules cover real-estate brokers and agents, dealers in precious metals and stones, lawyers and independent legal professionals, accountants and auditors, trust and corporate service providers, and (in defined circumstances) virtual asset service providers. Each entity must designate a UAE-resident Compliance Officer / MLRO as the primary user on goAML, with appropriate delegate users for filing and analysis.

Reports filed through goAML

The UAE FIU uses goAML to receive several distinct report types. The table below summarises the most common report categories and when each applies.

Report	Acronym	Triggered by
Suspicious Transaction Report	STR	A transaction suspected of involving proceeds of crime, money laundering, or terrorist financing.
Suspicious Activity Report	SAR	Suspicious behaviour or patterns not yet tied to a specific transaction.
Funds Freeze Report	FFR	Application of targeted financial sanctions and freezing of designated funds.
Partial Name Match Report	PNMR	A partial sanctions-list match the entity is unable to fully resolve.
Dealers in Precious Metals and Stones Report	DPMSR	Qualifying high-value transactions in the DPMS sector.
Real Estate Activity Report	REAR	Qualifying property transactions in the real-estate sector.
High-Risk Country Report	HRCR	Activity involving customers or counterparties from high-risk jurisdictions.

Additional report types may apply depending on the entity's licence category and activities; the FIU updates the catalogue periodically.

goAML registration process

Registration on goAML follows a structured sequence. The reporting entity first creates a goAML account on the FIU's website, providing trade-licence details, regulator information, and a designated Compliance Officer / MLRO contact. The FIU validates the entity's credentials against the relevant regulator's records and approves the registration. The Compliance Officer then becomes the primary user, with the ability to add delegate users (typically AML team members) under defined permission levels for drafting, reviewing, and submitting reports. Each user must complete identity verification and accept the platform's user agreement. Once approved, the entity can begin filing reports immediately. Step-by-step guidance for new firms is covered in Signzy's AML registration in UAE process guide.

How STRs and SARs are filed on goAML

When the entity's MLRO concludes that a transaction or activity warrants reporting, an STR or SAR is drafted directly in goAML using the platform's standardised XML schema or the web form. The report captures the customer and counterparty profile, the transaction details, the basis for suspicion, supporting evidence (account history, screening hits, behavioural anomalies), and the reporting officer's narrative analysis. Submissions are made as soon as practicable after the suspicion arises — UAE law does not specify a fixed time limit, but late or delayed reporting is one of the most common findings in supervisory inspections. Once submitted, the FIU may request additional information through the goAML message board, which the entity must respond to within the timeframe specified.

Tipping-off prohibitions apply at all times. Disclosing the existence or content of a goAML report to the customer or any unauthorised third party is a separate criminal offence under UAE law.

Common goAML rejection rules and data quality issues

The FIU rejects goAML submissions for a recurring set of reasons that every reporting entity should engineer against. The most frequent issues include:

• Missing or invalid Emirates ID, passport, or trade-licence numbers for parties.
• Incomplete beneficial-ownership information for legal-entity counterparties.
• Transaction amounts inconsistent with supporting documentation.
• Narrative sections that describe the activity but do not articulate a reason for suspicion.
• Incorrect report type (for example, an STR filed where an SAR is appropriate).
• Schema or formatting errors in XML uploads, particularly for high-volume filers.

Rejected reports must be corrected and resubmitted, and a pattern of rejections itself becomes a supervisory concern. Mature reporting entities feed goAML rejection feedback back into their case-management and transaction monitoring systems so that data-quality issues are addressed at source rather than at submission.

Internal controls required to support goAML reporting

Reporting on goAML is the visible output of a much larger internal AML/CFT framework. To meet the FIU's expectations, every entity should operate a documented Business Risk Assessment, customer due-diligence and enhanced due-diligence procedures, real-time and ongoing sanctions and PEP screening, transaction monitoring calibrated to the entity's risk profile, an alert-clearance and escalation workflow that produces auditable case files, and ongoing AML/CFT training for staff. Many UAE entities deploy unified AML screening and monitoring platforms specifically to generate the audit trail and analytical depth that goAML reports require, plus dedicated UBO identification for legal-entity reporting.

Penalties for non-compliance

Failure to register, late or non-submission of STRs, missing FFRs, tipping-off, or filing materially incomplete reports can attract administrative fines from the relevant supervisor — the Central Bank of the UAE for FIs, the DFSA for DIFC firms, the FSRA for ADGM firms, the SCA for capital-markets firms, and the Ministry of Economy for DNFBPs. Penalties for individual breaches frequently run into hundreds of thousands of dirhams, with materially higher fines for repeat or systemic failures. Senior managers can also be personally sanctioned, and licences can be suspended or withdrawn for serious non-compliance.