

UAE Federal Decree-Law No. (20) of 2018 (AML/CFT)
What is UAE Federal Decree-Law No. (20) of 2018?
Federal Decree-Law No. (20) of 2018 is the United Arab Emirates' core anti-money-laundering and counter-terrorist-financing statute. Enacted in October 2018 and operationalised through Cabinet Decision No. (10) of 2019 and supervisor-issued guidance (CBUAE, DFSA, FSRA, SCA, Ministry of Economy), it replaced the earlier Federal Law No. (4) of 2002 and brought the UAE's AML/CFT framework into closer alignment with the FATF 40 Recommendations. The law criminalises money laundering, terrorist financing, and the financing of illegal organisations; defines obliged-entity categories; sets out customer due diligence, beneficial-ownership, recordkeeping, and reporting obligations; and establishes the supervisory architecture for enforcement.
The Decree-Law is the apex of UAE AML/CFT law. Sectoral rulebooks — the DFSA AML Rulebook for DIFC, the FSRA AML Rulebook for ADGM, the CBUAE AML Payments Guidance for onshore PSPs, and similar instruments from SCA and the Ministry of Economy — all derive their authority from it and operationalise it for specific sectors.
Why Federal Decree-Law 20/2018 matters
The Decree-Law sits at the centre of the UAE's post-2018 AML/CFT reform programme. Its enactment, together with Cabinet Decision 10/2019, formed the legal foundation for the country's response to FATF Mutual Evaluation findings and the subsequent grey-listing in March 2022. The intensive enforcement and reform activity that followed — culminating in the UAE's removal from the FATF grey list in February 2024 — was conducted entirely within the framework established by this law. For any entity operating in or doing business with the UAE, Federal Decree-Law 20/2018 is the legal baseline that all sectoral guidance, supervisory expectations, and enforcement actions ultimately reference.
Who must comply
The Decree-Law applies to two broad categories of obliged entity. Financial Institutions include banks, finance companies, exchange houses, money services businesses, payment service providers, stored-value facility operators, insurers and reinsurers (for life products), brokers, asset managers, fund managers, custodians, and other licensees of CBUAE, SCA, the Insurance Authority, and the free-zone regulators. Designated Non-Financial Businesses and Professions (DNFBPs) include real-estate brokers and agents, dealers in precious metals and stones, lawyers and other independent legal professionals, accountants and auditors, trust and corporate service providers, and (in defined circumstances) virtual asset service providers and crypto-asset firms.
The law applies on a federal basis across mainland UAE and reaches the free zones (DIFC, ADGM) where free-zone rulebooks are aligned to it. In practice, every regulated entity operating anywhere in the UAE is governed by the Decree-Law as transposed through its primary supervisor's rulebook.
Core obligations
The law sets out a risk-based AML/CFT framework that every obliged entity must operationalise. A documented Business Risk Assessment must identify ML, TF, and proliferation-financing risks across customers, products, services, geographies, and delivery channels, and drive the depth of customer due diligence, transaction monitoring, training, and independent testing applied across the business.
Customer Due Diligence must be applied before establishing the business relationship — verifying the customer's identity using reliable, independent sources, identifying any beneficial owner (typically the natural person owning or controlling 25% or more of a legal entity), and understanding the nature and purpose of the relationship. Enhanced Due Diligence applies in higher-risk situations: politically exposed persons, customers from FATF-listed high-risk jurisdictions, complex ownership structures, non-face-to-face onboarding without strong identity assurance, and unusually large or unexplained transactions.
Sanctions screening is mandatory at onboarding and on an ongoing basis, covering UN Security Council lists, the UAE Cabinet Local Terrorist List, and any other applicable lists. Positive matches must be frozen without delay and reported to the UAE Executive Office for Control and Non-Proliferation. Transaction monitoring must be calibrated to the entity's risk profile, and any suspicion of money laundering or terrorist financing must be escalated to the MLRO and reported to the UAE Financial Intelligence Unit through goAML. Records must be retained for at least five years from the end of the customer relationship or completion of the transaction, and ongoing AML/CFT training must be delivered to staff in proportion to their role.
Money laundering, terrorist financing, and predicate offences
The Decree-Law criminalises money laundering (Article 2), terrorist financing (Article 29 of the Counter-Terrorism Law as amended), and the financing of illegal organisations. Money laundering is defined to include the conversion, transfer, concealment, acquisition, possession, or use of proceeds derived from a predicate offence. The list of predicate offences is broad — drawn from UAE penal law and aligned to FATF — covering corruption, fraud, drug trafficking, human trafficking, terrorism, organised crime, environmental crime, tax evasion, cybercrime, and other serious offences. Conviction for the principal money-laundering offence can carry imprisonment of up to 10 years and fines of up to AED 5 million for individuals, with corporate fines reaching AED 50 million for serious offences. Aggravated penalties apply where the offence is committed in the context of organised crime or by an obliged entity in the course of its professional activity.
MLRO requirements
Every obliged entity must appoint a Compliance Officer / Money Laundering Reporting Officer (MLRO) based in the UAE, of sufficient seniority to act independently of commercial functions, and with direct access to senior management and the governing body. The MLRO must have the authority to file Suspicious Transaction Reports (STRs) without management approval. A Deputy MLRO must be designated for continuity. The MLRO is responsible for the entity's AML/CFT framework, STR escalations, training oversight, and an annual report to senior management.
Suspicious transaction reporting
When an obliged entity knows, suspects, or has reasonable grounds to suspect money laundering, terrorist financing, or a predicate offence, the MLRO must file an STR with the UAE Financial Intelligence Unit through goAML as soon as practicable. The Decree-Law imposes strict tipping-off prohibitions — disclosing the existence or content of an STR to the customer or any unauthorised third party is itself a criminal offence punishable by imprisonment and significant fines. Other report types — Funds Freeze Reports, Partial Name Match Reports, High-Risk Country Reports, and sector-specific reports for real estate and precious metals — are filed through the same goAML platform.
Enforcement and penalties
Cabinet Decision No. (10) of 2019 (as amended) sets out the administrative penalty schedule for non-compliance. Penalties range from formal warnings and individual fines (typically AED 50,000–500,000 per breach) to corporate fines reaching AED 5 million per breach for serious or repeat violations, with materially higher exposure for systemic failures. Supervisors may also restrict licensed activities, suspend new product approvals, mandate independent third-party reviews, and ultimately revoke licences. Senior managers can be sanctioned individually, and serious cases can result in criminal prosecution under the Decree-Law itself. CBUAE, DFSA, FSRA, and the Ministry of Economy have all imposed multi-million-dirham fines under this framework since 2022.
Relationship with FATF and sectoral rulebooks
The Decree-Law is the UAE's primary implementation of the FATF 40 Recommendations. It is operationalised by Cabinet Decision 10/2019 and supplemented by sectoral rulebooks issued by each supervisor — the CBUAE Payments Guidance, the DFSA AML Rulebook, the FSRA AML Rulebook, the SCA AML Rules, and the Ministry of Economy's DNFBP guidance. Step-by-step guidance for newly licensed firms is covered in Signzy's AML registration in UAE process guide. Reading the framework as a stack: the Decree-Law sets the substantive obligations, Cabinet Decision 10/2019 elaborates them, sectoral rulebooks operationalise them for specific licence categories, and goAML is the channel through which reporting flows.
Key Obligations
Business Risk Assessment — document ML/TF/PF risks across customers, products, services, geographies, and channels.
Customer Due Diligence (CDD) — verify identity from independent sources before the relationship begins; identify beneficial owners at 25% ownership/control.
Enhanced Due Diligence (EDD) — apply to PEPs, customers from FATF high-risk jurisdictions, complex ownership structures, and unusual transactions.
Sanctions screening — screen against UN, UAE Cabinet, and other applicable lists at onboarding and on an ongoing basis; freeze positive matches without delay.
Transaction monitoring — calibrate scenarios to the entity's risk profile; detect activity inconsistent with the customer's declared profile.
STR filing via goAML — file STRs with the UAE FIU as soon as practicable; never tip off the customer or any unauthorised third party.
MLRO and Deputy MLRO — appoint a UAE-resident MLRO with seniority and independence; designate a Deputy for continuity; produce an annual AML/CFT report.
Recordkeeping and training — retain records for at least five years from end of relationship or transaction; deliver ongoing role-appropriate AML/CFT training.
Manual Details
| Field | Details |
|---|---|
| Issued by | President of the United Arab Emirates |
| Citation | Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations |
| Enacted | 30 October 2018 (effective 31 October 2018) |
| Implementing regulation | Cabinet Decision No. (10) of 2019 (as amended) |
| Jurisdiction | Federal — applies across the UAE, including DIFC and ADGM where consistent with free-zone rules |
| Category | AML/CFT — primary statutory framework |
FAQ
What is UAE Federal Decree-Law No. (20) of 2018?
Federal Decree-Law No. (20) of 2018 is the United Arab Emirates' core anti-money-laundering and counter-terrorist-financing statute. Enacted in October 2018, it criminalises money laundering, terrorist financing, and financing of illegal organisations, and sets out customer due diligence, beneficial-ownership, recordkeeping, and reporting obligations for financial institutions and designated non-financial businesses.
Who must comply with Federal Decree-Law 20/2018?
The law applies to all UAE obliged entities — financial institutions (banks, finance companies, exchange houses, payment providers, MSBs, insurers, brokers, asset managers, fund managers) and DNFBPs (real-estate brokers, dealers in precious metals and stones, lawyers, accountants, auditors, trust and corporate service providers). It applies federally across mainland UAE and reaches DIFC and ADGM through aligned free-zone rulebooks.
What are the key obligations under the law?
A risk-based AML/CFT framework anchored in a Business Risk Assessment; CDD and EDD; beneficial-ownership identification at the 25% threshold; sanctions screening with positive matches frozen without delay; transaction monitoring calibrated to risk; STR filing through goAML; recordkeeping for at least five years; appointment of a UAE-resident MLRO and Deputy MLRO; and ongoing role-appropriate AML/CFT training.
What are the penalties for non-compliance?
Administrative fines under Cabinet Decision 10/2019 range from formal warnings to multi-million-dirham fines per breach, with materially higher exposure for systemic failures. Supervisors may also restrict licensed activities, mandate independent reviews, and revoke licences. Senior managers can be sanctioned individually and serious cases attract criminal prosecution.
How does Federal Decree-Law 20/2018 relate to the DFSA, FSRA, and CBUAE rulebooks?
The Decree-Law is the apex of UAE AML/CFT law. Sectoral rulebooks issued by CBUAE (onshore), DFSA (DIFC), FSRA (ADGM), SCA (capital markets), and the Ministry of Economy (DNFBPs) operationalise the Decree-Law for specific licence categories. All of these rulebooks derive their authority from and must be consistent with the Decree-Law.